Guidelines for deploying IPS engines and Layer 2 Firewalls
There are some general deployment guidelines for IPS engines, Layer 2 Firewalls, and the Security Management Center (SMC).
Naturally, there are valid reasons to make exceptions to these general rules depending on the actual network environment.
| Component | General Guidelines |
|---|---|
| Management Server | Position on a central site where it is physically accessible to the administrators responsible for maintaining its operation. |
| Log Servers | Place the Log Servers centrally and locally on sites as needed based on log data volume and administrative responsibilities. |
| Management Clients | Management Clients can be used from any location that has network access to the Management Server and the Log Servers. |
| IPS engines | Position IPS engines at each location so that traffic in all appropriate networks can be inspected. IPS engines can be clustered. Functionally, the IPS Cluster is equal to a single high-performance IPS engine. Cluster deployments set up heartbeat links between the IPS engines. The heartbeat links allow the devices to track each others’ operating status and agree on the division of work. |
| Layer 2 Firewalls | Position Layer 2 Firewalls at each location so that traffic in all appropriate networks can be inspected. Layer 2 Firewalls can be clustered for high availability. Only one Layer 2 Firewall node in the Layer 2 Firewall Cluster is active at a time. If the active Layer 2 Firewall node goes offline, another Layer 2 Firewall node automatically starts processing traffic. |
| Master NGFW Engines | Position the Master NGFW Engines where Virtual NGFW Engines are needed. For example, at a hosting location for MSSP services or between networks that require strict isolation. Master NGFW Engines can be clustered. A clustered Master NGFW Engine provides scalability and high availability. In a Master NGFW Engine Cluster, the Virtual Resource is active in one Master NGFW Engine at a time. Cluster deployments set up heartbeat links between the engines. The heartbeat links allow the devices to track each others’ operating status, agree on the division of work, and exchange information on traffic. |