Cisco Firepower Management Center 4000 Release Notes

Version 5.2.0.6
Sourcefire 3D System Release Notes
Features Introduced in Previous Versions
persistence. Clustered state sharing is supported for VPN and NAT 
configurations.
With state sharing, devices in the cluster allow TCP sessions to continue after 
failover without having to reevaluate the connection against your access control 
rules, even if strict TCP enforcement is enabled. 
State sharing also allows the system to transfer the status of allowed connections 
matching unidirectional access control rules during failover. Without state sharing, 
if an allowed connection is still active following a failover and the next packet is 
seen as a response packet, the system denies the connection. With state 
sharing, a midstream pickup matches the existing connection and the connection 
continues to be allowed.
State sharing also propagates late block decisions. Many connections are blocked on 
the first packet based on access control rules or other factors, but in some cases 
the system allows a number of packets through before it determines that the 
connection should be blocked. With state sharing, the final verdict is replicated, so 
the peer device or stack immediately blocks the connection as well.
You can enable state sharing on clustered Series 3 managed devices with a 
Control license enabled. 
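The following Python simulation is an added illustration of the three behaviours described above, not Sourcefire code. It models a two-device cluster as two in-memory connection tables, a unidirectional access control rule evaluated only in the initiator's direction, and strict TCP enforcement that refuses a midstream pickup without a SYN. The `Device`, `Rule` and `Packet` classes, the `inspect` rule action, and the `INSPECT_LIMIT` threshold that stands in for "the system allows some number of packets before blocking" are assumptions made for this example; the addresses are constructed sample data.

```python
"""Failover with and without clustered state sharing (illustrative model only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed stand-in for detection that needs a few packets before a final verdict.
INSPECT_LIMIT = 3


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """Unidirectional rule: matches only traffic from src_net toward dst_net:dport."""
    src_net: str
    dst_net: str
    dport: int
    action: str  # "allow", "block", or "inspect" (provisional allow)

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.dport == self.dport)


def flow_key(pkt: Packet):
    """Direction-independent key so a response packet maps to the initiator's flow."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class Device:
    def __init__(self, name: str, rules, strict_tcp: bool = True):
        self.name = name
        self.rules = rules
        self.strict_tcp = strict_tcp
        self.conns = {}   # flow_key -> current verdict
        self.counts = {}  # flow_key -> packets seen while inspecting
        self.peer = None  # set by pair() only when state sharing is enabled

    def _record(self, key, verdict: str) -> None:
        """Store a verdict locally and, if state sharing is on, replicate it to the peer."""
        self.conns[key] = verdict
        if self.peer is not None:
            self.peer.conns[key] = verdict

    def process(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        verdict = self.conns.get(key)
        if verdict is None:
            # No state for this flow: strict TCP enforcement demands a SYN, so a
            # midstream pickup (e.g. the server's SYN-ACK after failover) is dropped.
            if self.strict_tcp and not (pkt.syn and not pkt.ack):
                return "block"
            # First packet of a new flow: evaluate the unidirectional rules, default deny.
            verdict = next((r.action for r in self.rules if r.matches(pkt)), "block")
            self._record(key, verdict)
        if verdict == "inspect":
            # Packets pass while the system gathers enough to decide; once the
            # limit is reached the flow is blocked and that decision is shared.
            self.counts[key] = self.counts.get(key, 0) + 1
            if self.counts[key] >= INSPECT_LIMIT:
                self._record(key, "block")
                return "block"
            return "allow"
        return verdict


def pair(primary: Device, secondary: Device, state_sharing: bool) -> None:
    if state_sharing:
        primary.peer, secondary.peer = secondary, primary


def failover_scenario(state_sharing: bool):
    """Allowed HTTPS flow; the first packet after failover is the server's SYN-ACK."""
    rules = [Rule("10.1.1.0/24", "192.0.2.0/24", 443, "allow")]
    primary, secondary = Device("primary", rules), Device("secondary", rules)
    pair(primary, secondary, state_sharing)
    syn = Packet("10.1.1.5", 40000, "192.0.2.10", 443, syn=True)
    synack = Packet("192.0.2.10", 443, "10.1.1.5", 40000, syn=True, ack=True)
    before = primary.process(syn)        # evaluated against the rules: allow
    after = secondary.process(synack)    # primary has failed; peer sees the response
    return before, after


def late_block_scenario(state_sharing: bool):
    """Flow provisionally allowed during inspection, blocked at packet INSPECT_LIMIT."""
    rules = [Rule("10.1.1.0/24", "192.0.2.0/24", 22, "inspect")]
    primary = Device("primary", rules, strict_tcp=False)
    secondary = Device("secondary", rules, strict_tcp=False)
    pair(primary, secondary, state_sharing)
    pkts = [Packet("10.1.1.5", 40001, "192.0.2.10", 22, syn=True)]
    pkts += [Packet("10.1.1.5", 40001, "192.0.2.10", 22, ack=True)] * (INSPECT_LIMIT - 1)
    verdicts = [primary.process(p) for p in pkts]
    after = secondary.process(Packet("10.1.1.5", 40001, "192.0.2.10", 22, ack=True))
    return verdicts, after


if __name__ == "__main__":
    for sharing in (False, True):
        print("state sharing:", sharing, failover_scenario(sharing), late_block_scenario(sharing))
```

Without state sharing the peer never learns that the flow was allowed, so strict TCP enforcement (and the unidirectional rule, which would not match the server-initiated packet anyway) blocks the SYN-ACK; with sharing the midstream pickup finds the existing entry and the session survives. In the second scenario strict enforcement is turned off on purpose so that the only thing protecting the peer from re-admitting the flow is the replicated block verdict.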
Gateway VPN
You can now configure the Sourcefire 3D System to build secure Virtual Private 
Network (VPN) tunnels between virtual routers on Sourcefire managed devices 
and a remote device. After the VPN connection is established, the hosts behind 
the local gateway can connect to the hosts behind the remote gateway through 
the secure VPN tunnel.
The Sourcefire 3D System builds tunnels using the Internet Protocol Security 
(IPsec) protocol suite. The system uses Internet Key Exchange (IKE) to mutually 
authenticate the two gateways and to negotiate the security association (SA) for 
the tunnel. Traffic across a VPN tunnel can be protected with either the 
Authentication Header (AH) or the Encapsulating Security Payload (ESP) protocol. 
Note that AH provides only integrity and origin authentication; choose ESP when 
the tunnel payload must also be encrypted. 
The system supports three types of VPN deployments: point-to-point, star, and 
mesh. 
In a point-to-point VPN deployment, two endpoints communicate directly with 
each other. 
In a star VPN deployment, a central endpoint (hub node) establishes a secure 
connection with multiple remote endpoints (leaf nodes). Star deployments 
commonly represent a VPN that connects an organization’s main and branch 
office locations using secure connections over the Internet or other third-party 
network. Star VPN deployments provide all employees with controlled access to 
the organization’s network. 
In a mesh VPN deployment, all endpoints can communicate with every other 
endpoint by means of an individual VPN tunnel. The mesh deployment offers