FAQ: NX Series - High Availability (NX-HA)

Version 12

    This article covers general questions about configuring NX appliances monitored by a CM appliance for high availability.

    For more information, please contact your sales team. Partners and Customers can also log in to the FireEye Documentation Portal to access the NX Series High Availability Guide, or find more detailed information in the Support Knowledge Base and Support Community.

    What does High Availability mean for the NX?

    Two NX Series appliances connected to a CM Series platform can be configured as a high-availability pair for detection redundancy. The NX Series HA pair operates in active-active mode, where both appliances actively monitor the network, ready to receive and process all traffic.

    One appliance must have a full NX Series product license. The peer appliance can have either a full product license or a restricted product license. An appliance with a restricted license must be added to an NX Series HA pair within 90 days, or it will lose its detection functionality.

    The two appliances in the pair communicate with each other continuously over dedicated control and data links.

    • Control link: exchanges control messages
    • Data link: replicates the network traffic from the monitoring ports of one appliance to the other appliance
      • Traffic received on the monitoring ports generates active alerts that are aggregated to the CM Series platform and displayed in the Web UI.
      • Traffic received on the data ports generates standby alerts that are not aggregated or displayed. If one appliance fails, detection activity fails over to the peer appliance, which creates all new events and submissions as "active."

    The CM Series platform manages the two NX Series appliances as a tightly coupled pair, which is represented as a single virtual appliance. The CM Series platform:

    • creates and manages the HA pair
    • synchronizes the configuration of both appliances in the HA pair
    • aggregates events and generates alerts from both appliances in the HA pair
    • monitors the health of the HA pair

    How is NX-HA deployed?

    NX Series HA must be deployed within a mesh topology in a single-site local area network (LAN).

    • Detection failover: The two NX Series appliances are connected to each other with two cables. One cable connects the two HA control ports (pether11), which carry HA configuration information. The other cable connects the two HA data ports (pether12), which replicate network traffic from one appliance to the other.
    • Appliance failover: Malware detection is performed on the network-facing monitor ports. The mesh topology allows traffic to be switched to the other appliance when an appliance failure causes a monitor link to go down.

    Because each NX Series appliance replicates its network traffic to the other appliance over the data link, detection over both symmetric and asymmetric routing in a mesh deployment is supported.

    The following diagram shows an NX Series HA deployment in a full mesh topology:

    [Diagram not included: NX Series HA deployment in a full mesh topology]

    What is Configuration Replication in NX-HA?

    Most of the configuration settings on the two appliances in an NX Series HA pair must be identical, because each appliance must be ready to take over detection activity if the other appliance fails. The CM Series Web UI prevents you from changing such settings on an individual NX Series appliance that is a member of an NX Series HA pair.

    A configuration mismatch could still happen in the following scenarios:

    • You form a new HA pair. A mismatch is possible even if both appliances are new, and you configure them the same way. This is because certain settings are automatically set for an appliance when it is manufactured, and are not the same on every appliance.

    • An NX Series administrator changes settings on one of the NX Series appliances. Changing the configuration of a managed appliance from the appliance instead of from the CM Series platform is generally not recommended, but should be especially avoided in an NX Series HA deployment.

    For most settings, the CM Series warns you when there is a mismatch and provides an easy way to synchronize the settings. For a list of the settings that must be identical, and for information about synchronizing mismatched settings.

    How does the CM aggregate NX-HA alerts?

    When an NX Series appliance detects malware, it generates an alert and saves artifacts such as packet captures, binaries, and malware objects.

    Standard NX Behavior

    The CM Series platform aggregates alerts from its managed appliances, but does not store the artifacts.

    Paired NX-HA Behavior

    For an NX-HA pair, the CM Series platform attributes the aggregated alerts to the pair, not to the individual appliances.

    Removing an Appliance from the NX-HA Pair

    If an appliance is removed from the HA pair, the alerts remain on the CM Series platform attributed to the HA pair and are still displayed on the Alerts page. You cannot expand these alerts to view their details or click to submit them to a managed AX Series appliance for deeper forensic analysis.

    New alerts will be attributed to the individual NX appliance after the appliance is no longer a member of the pair. If you subsequently reconnect the appliance to the same CM Series platform, all alerts (new alerts, and alerts that were generated by this appliance but attributed to the pair) are aggregated to the CM Series platform, and are attributed to the individual appliance.

    Deleting the NX-HA Pair from the CM

    If you delete an HA pair, the alerts that were attributed to the pair are no longer displayed on the CM Series Web UI.

    Does NX-HA failover?

    The state of the NX-HA components is monitored continuously and detection failover occurs when specific conditions are met. You can view comprehensive NX Series HA status information from the CM Series platform, and from each appliance in the pair.

    What notifications are available in HA?

    NX Series HA events can generate the following types of notifications:

    • Email notifications
    • SNMP traps
    • Log messages saved in local log files or sent to a remote syslog server

    You cannot configure an NX Series appliance both as a member of an HA pair and as a SPAN device, in which it forwards a copy of its network traffic from a mirror port to another analysis device. (For details about the port mirroring features, see the NX Series System Administration Guide.)

    What are the conditions for an NX-HA pair?

    Both NX Series appliances must be connected to the CM Series platform before you can create an HA pair.

    Connection Scenario                        Connection Overview
    2 New NX Series Appliances                 Connect both appliances to the CM Series platform, then create the HA pair.
    1 NX Series Appliance Connected to a CM    Connect a second appliance to the CM Series platform, then create the HA pair.
    Replace an NX Appliance in an HA Pair      Connect the replacement appliance to the CM Series platform, then create the HA pair.

    Both NX appliances must be set up and configured identically in order to create the NX-HA pair.

    Hardware Requirements

    • Two NX 9450 models, two NX 10450 models, or two NX 10550 models - the appliances must be the same hardware model
    • One CM Series platform to manage the NX Series appliances
    • Cable connection from the HA control port (pether11) on one NX Series appliance to the same port on the other appliance
    • Cable connection from the HA data port (pether12) on one NX Series appliance to the same port on the other appliance

    The pether ports are auto MDI-X ports, so you can use a straight-through or crossover cable.

    Network Requirements

    • Single-site LAN deployment
    • Dedicated HA control port (pether11) to exchange heartbeat messages and configuration information between the two appliances
    • Dedicated HA data port (pether12) to replicate traffic from the monitor ports of one appliance to the other appliance
    • Network deployment capable of switching traffic to the other appliance if the monitor port link on one of the appliances goes down

    Software Requirements

    • The same major and minor version (Release 7.8.0 or later) of the NX Series software image running on both appliances
    • Release 7.8.0 or later of the CM Series software image running on the CM Series platform that manages the appliances
    • Both NX Series appliances connected to the same CM Series platform
    • The same guest images (profile and version) running on both appliances
    • The same security content version running on both appliances
    • Inline block mode or monitor mode configured the same on both appliances
    • The same policies applied to both appliances, and the same configuration settings for most features on both appliances
    • The same detection-related feature licenses installed on both appliances. For example, both appliances need an IPS license if IPS is enabled on either one
    • The same NX Series edition (Power or classic) on both appliances
    • IPv6 must be enabled on the NX Series appliances

    Licensing Requirements

    Valid licenses must be installed on each NX Series appliance in an NX Series HA pair. One appliance has a full NX Series appliance license. The other appliance can have either a full license or a restricted (stand-by/secondary) license.

    After a restricted license is installed, a 90-day grace period begins. The appliance with the restricted license must be added to an NX Series HA pair within 90 days. If the secondary appliance is not paired before the grace period ends, detection functionality will be disabled on that appliance until it is added to an HA pair. A notice on the NX Series Dashboard and in the NX Series CLI login message states the number of days left before detection will be disabled. In the following examples, the notice indicates that there are 89 days left in the grace period.
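The hardware, software and licensing requirements above are a checklist an operator has to verify by hand before creating the pair. The following pre-check, an added example that is not FireEye code and uses no FireEye API, encodes those requirements (including the IPS-license rule and the 90-day restricted-license grace period) over a constructed inventory record per appliance; the NxAppliance fields and the "full"/"restricted"/"IPS" license names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
HA_MODELS = {"NX 9450", "NX 10450", "NX 10550"}  # models the FAQ lists as pairable
MIN_RELEASE = (7, 8, 0)                           # NX and CM images must be 7.8.0 or later
GRACE_DAYS = 90                                   # restricted-license grace period

@dataclass
class NxAppliance:  # constructed inventory record, not a FireEye data model
    name: str
    model: str
    release: str         # NX software image version, e.g. "7.8.0"
    cm: str              # managing CM Series platform
    guest_images: str    # guest image profile and version
    content: str         # security content version
    mode: str            # "inline-block" or "monitor"
    edition: str         # "Power" or "classic"
    ipv6: bool
    licenses: frozenset  # e.g. {"full", "IPS"} or {"restricted"}
    ips_enabled: bool
    restricted_since: date = None  # install date of a restricted license, if any

def release_tuple(r: str) -> tuple:
    return tuple(int(x) for x in r.split("."))

def pair_readiness(a: NxAppliance, b: NxAppliance, cm_release: str, today: date) -> list:
    """Return the FAQ requirements this candidate pair violates (empty list means ready)."""
    issues = []
    if a.model != b.model or a.model not in HA_MODELS:
        issues.append("same supported hardware model")
    if release_tuple(a.release)[:2] != release_tuple(b.release)[:2]:
        issues.append("same major.minor NX release")
    if any(release_tuple(r) < MIN_RELEASE for r in (a.release, b.release, cm_release)):
        issues.append("NX and CM release 7.8.0 or later")
    for attr in ("cm", "guest_images", "content", "mode", "edition"):
        if getattr(a, attr) != getattr(b, attr):
            issues.append(f"identical {attr}")
    if not (a.ipv6 and b.ipv6):
        issues.append("IPv6 enabled on both appliances")
    if (a.ips_enabled or b.ips_enabled) and not ({"IPS"} <= a.licenses and {"IPS"} <= b.licenses):
        issues.append("IPS license on both appliances when IPS is enabled on either")
    if "full" not in a.licenses and "full" not in b.licenses:
        issues.append("at least one full NX Series license")
    for x in (a, b):  # a restricted appliance left unpaired past the grace period loses detection
        if x.restricted_since and today - x.restricted_since > timedelta(days=GRACE_DAYS):
            issues.append(f"{x.name}: restricted-license grace period expired, detection disabled")
    return issues

def grace_days_left(installed: date, today: date) -> int:  # the count shown in the Dashboard notice
    return max(0, GRACE_DAYS - (today - installed).days)
```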