You can configure settings for Intrinsic, Transparent, and Zero Power High Availability (HA).
Intrinsic HA
Intrinsic HA determines how the device manages traffic on each segment in the event of a system failure. When the system fails, the device goes into fallback mode and either permits or blocks all traffic on each segment, depending on the fallback action setting for the segment.
  • Normal mode configures the device to inspect traffic according to the Threat Suppression Engine (TSE) settings.
  • Fallback mode either permits or blocks all traffic on each segment, depending on the Intrinsic HA fallback action setting for the segment. Any permitted traffic is not inspected.
A lack of reported errors or congestion through the TSE does not guarantee that the components receive correct and error-free traffic. Intrinsic HA monitors for several points of failure and applies failure detection logic against the system.
The device performs the following checks to detect a failed condition and trigger intrinsic HA:
  • Handle non-atomic nature of the data path — Packets pass through each component at different times and rates. The status of each component is determined independently of the others. Intrinsic HA uses sampling to determine health.
  • Check and transmit the inbound receive counters — Each component has receive counters incremented by packets received from the previous component. The component transmits these counters incremented as packets to the next component. These counters are the most accurate and most complicated way of detecting health.
  • Dropped packets exceed threshold — If too many packets awaiting deep inspection are queued up, packets are dropped. The system checks every five seconds to see if the device drops 90 percent or more of the traffic that goes to Tier 3. If so, the system enters fallback mode. However, this condition is difficult to create because the TSE only sends a fraction of incoming traffic to Tier 3.
  • Low memory — Whether available system memory is too low for proper operations.
Intrinsic HA monitors the device to detect hardware and operating system failures and to automatically switch to the fallback mode when a server outage or system failure is detected.
Use the fallback mode to permit or block all traffic according to the fallback settings for each device segment.
Transparent HA
Deploy Transparent HA in a redundant network configuration so that a partner device takes over in the event of system failure. Transparent HA partner devices constantly update each other with their managed streams information (blocked streams, trusted streams, and quarantined hosts). If a system failure occurs, interruptions to network protection are minimized because the partner device does not have to rebuild all of the current managed streams information.
Important
When Transparent HA is enabled, a hijacked partner device or a rogue device that impersonates the IP address of a Transparent HA partner device can communicate with the partner device.
When you configure TPS devices for Transparent HA, keep the following points in mind:
  • With the exception of 2200T devices, TPS devices can be paired in a Transparent HA configuration with an identical model using the identical management port on both devices.
  • You can mix 8200TX and 8400TX devices in a Transparent HA configuration.
  • You can pair 2200T devices only with another 2200T device in a Transparent HA configuration using the dedicated HA port.
  • Transparent HA requires the same TOS version on each Transparent HA device.
  • Transparent HA partners must be able to communicate with each other on TCP port 9591.
  • On a TippingPoint Virtual Threat Protection System (vTPS) security device, Transparent HA is not supported.
After you configure Transparent HA, keep this point in mind:
  • If you plan to change the global timeout interval on the connection table, be sure to update both partner devices. Transparent HA does not synchronize changes to the global timeout interval.
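The pairing rules above can be checked against an inventory before Transparent HA is enabled. The following is an added example, not TippingPoint code: the record fields (name, model, tos, ha_port, conn_timeout), the port labels "mgmt" and "HA", and the sample devices and version strings are all constructed for illustration.

```python
# Added example: Transparent HA pairing pre-check built from the rules listed above.
# Field names and sample values are hypothetical, not taken from any TippingPoint API.

MIXABLE = {"8200TX", "8400TX"}   # the only models the page says can be mixed
UNSUPPORTED = {"vTPS"}           # Transparent HA is not supported on vTPS


def pairing_problems(a, b):
    """Return the reasons devices a and b violate the Transparent HA rules."""
    problems = [
        f"{d['name']}: Transparent HA is not supported on {d['model']}"
        for d in (a, b) if d["model"] in UNSUPPORTED
    ]
    if problems:
        return problems  # the remaining rules are moot for an unsupported device

    models = {a["model"], b["model"]}
    if len(models) == 2 and models != MIXABLE:
        problems.append(f"model mismatch: {a['model']} cannot pair with {b['model']}")

    if "2200T" in models:
        # 2200T devices pair over the dedicated HA port, not the management port.
        for d in (a, b):
            if d["model"] == "2200T" and d["ha_port"] != "HA":
                problems.append(f"{d['name']}: 2200T must use the dedicated HA port")
    elif a["ha_port"] != b["ha_port"]:
        problems.append("partners must use the identical management port")

    if a["tos"] != b["tos"]:
        problems.append(f"TOS version mismatch: {a['tos']} vs {b['tos']}")
    if a["conn_timeout"] != b["conn_timeout"]:
        # Transparent HA does not synchronize this setting between partners.
        problems.append("connection table global timeout differs; update both devices")
    return problems


# Constructed sample inventory (not real devices or real version numbers).
INVENTORY = {
    "edge-a":   {"name": "edge-a",   "model": "8200TX", "tos": "6.1.0", "ha_port": "mgmt", "conn_timeout": 1800},
    "edge-b":   {"name": "edge-b",   "model": "8400TX", "tos": "6.1.0", "ha_port": "mgmt", "conn_timeout": 1800},
    "branch-a": {"name": "branch-a", "model": "2200T",  "tos": "6.1.0", "ha_port": "mgmt", "conn_timeout": 1800},
    "branch-b": {"name": "branch-b", "model": "2200T",  "tos": "6.0.0", "ha_port": "HA",   "conn_timeout": 900},
    "virt":     {"name": "virt",     "model": "vTPS",   "tos": "6.1.0", "ha_port": "mgmt", "conn_timeout": 1800},
}

if __name__ == "__main__":
    for left, right in [("edge-a", "edge-b"), ("branch-a", "branch-b"), ("virt", "edge-a")]:
        print(left, right, pairing_problems(INVENTORY[left], INVENTORY[right]) or "OK")
```

The check covers configuration consistency only; reachability between partners on TCP port 9591 still has to be confirmed on the network path between the two devices.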
Zero Power HA
Zero Power HA (ZPHA) technology ensures a constant, uninterrupted flow of traffic. During a system outage, ZPHA bypasses the device and provides continuous network traffic.
Note
Be aware that ZPHA technology is not "hitless"; when relays are switched over, you might lose traffic.
Configure ZPHA to determine its state:
  • Bypass mode bypasses the TSE and maintains high availability on any network segments that have ZPHA support. When the device loses power, any network segments that do not have ZPHA support are disconnected.
  • Normal mode inspects traffic according to the TSE settings.
Bypass is available for the IPS as an external modular device or as optional bypass I/O modules on TX Series and TXE Series devices.
TPS device support for ZPHA varies by device:
  • On TippingPoint TX Series and TXE Series devices, optional bypass I/O modules provide high availability for copper and fiber segments.
    Note
    When you insert a bypass I/O module, by default the I/O module starts up in bypass mode.
  • On a TippingPoint 2200T device, ZPHA support is built-in for copper segments. An external ZPHA module is required to enable ZPHA on SFP and SFP+ segments.
  • ZPHA is built-in for all copper segments for a 440T device.
  • ZPHA is not supported for vTPS.