Understanding Failover In Network Security Platform - McAfee M-1250 - Network Security Platform Deployment Manual

McAfee® Network Security Platform 6.0 Sensor Deployment Modes

Understanding failover in Network Security Platform

In typical failover configurations, one device is the "Active" device while the other is the
"Standby." As its name implies, the active device performs normal network functions while
the standby monitors, ready to take control should the active device fail.
In Network Security Platform, because both failover Sensors must be ready to process
packets on their monitoring ports at all times, both Sensors are actually active at all times;
neither Sensor is inoperative, or 'standing by' unless the unit has failed. Instead, both
Sensors operate normally.
In Figure Two I-4000s in a High-Availability configuration for example, two Sensors are placed
in-line, connected to each other via cables, and configured to act as a Failover Pair. All
traffic is copied and shared between them in order to maintain state. Sensor A copies the
packets received on its monitoring ports to Sensor B using the interconnection ports and
vice versa. Since both Sensors see all traffic and build state based on it, their state
information is synchronized at all times.
All packets are seen by both Sensors (when both are operational); however, only one
Sensor in the pair raises an alert whenever an attack is detected.
Figure 11: Two I-4000s in a High-Availability configuration
23