Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 6      Managing Devices
  Clustering Devices
  • Blocking persistence
Note, however, that enabling state sharing slows system performance.
You must configure and enable HA link interfaces on both devices, or on the primary stacked devices in the cluster, before you can configure clustered state sharing. 3D8250 devices require a 10G HA link, while other model devices require a 1G HA link. See  for more information.
Strict TCP Enforcement
When you enable strict TCP enforcement for a domain, the system drops any packets that are out of order on TCP sessions. For example, the system drops non-SYN packets received on an un-established connection. With state sharing, devices in the cluster allow TCP sessions to continue after failover without having to reestablish the connection, even if strict TCP enforcement is enabled. You can enable strict TCP enforcement on inline sets, virtual routers, and virtual switches.
Unidirectional Access Control Rules
If you have configured unidirectional access control rules, network traffic may match a different access control rule than intended when the system reevaluates a connection midstream after failover. For example, consider a policy containing the following two access control rules:
Rule 1: Allow from 192.168.1.0/24 to 192.168.2.0/24
Rule 2: Block all
Without state sharing, if an allowed connection from 192.168.1.1 to 192.168.2.1 is still active following a failover and the next packet the new active device sees is a response packet (from 192.168.2.1 to 192.168.1.1), that packet does not match Rule 1, falls through to Rule 2, and the system denies the connection. With state sharing, a midstream pickup would match the existing connection and the connection would continue to be allowed.
Blocking Persistence
While many connections are blocked on the first packet based on access control rules or other factors, there are cases where the system allows some number of packets through before determining that the connection should be blocked. With state sharing, the system immediately blocks the connection on the peer device or stack as well.
When establishing clustered state sharing, you can configure the following options:
Enabled
Click the check box to enable state sharing. Clear the check box to disable state sharing.
Minimum Flow Lifetime
Specify the minimum time (in milliseconds) a session must have existed before the system sends any synchronization messages for it. You can use any integer from 0 to 65535. The system does not synchronize sessions that have not yet reached the minimum flow lifetime, and it synchronizes only when a packet is received for the connection; a session that fails over before reaching this lifetime is therefore handled on the peer as if state sharing were not enabled.
Minimum Sync. Interval
Specify the minimum time (in milliseconds) between update messages for a session. You can use any integer from 0 to 65535. The minimum synchronization interval prevents synchronization messages for a given connection from being sent more frequently than the configured value once the connection has reached the minimum flow lifetime.
Maximum HTTP URL Length
Specify the maximum number of characters of the URL that the system synchronizes between the clustered devices. You can use any integer from 0 to 225.