Cable connection guidelines for IPS and Layer 2 Firewalls

The cabling of IPS engines and Layer 2 Firewalls depends on the engine type and the installation.

Make sure that all Ethernet cables are correctly rated (CAT 5e or CAT 6 in gigabit networks).

Follow standard cable connections with inline IPS engines and Layer 2 Firewalls:

Use straight cables to connect the IPS engines and Layer 2 Firewalls to external switches.
Use crossover cables to connect the IPS engines and Layer 2 Firewalls to hosts (such as routers or Firewalls).

Note: Fail-open network interface cards support Auto-MDIX, so both crossover and straight cables might work when the IPS engine is online. However, only the correct type of cable allows traffic to flow when the IPS engine is offline and the fail-open network interface card is in bypass state. It is recommended to test the IPS deployment in offline state to make sure that the correct cables are used.

Cable connections for Master NGFW Engines that host Virtual IPS engines or Virtual Layer 2 Firewalls follow the same principles as the connections for inline IPS engines and Layer 2 Firewalls.

Figure: Correct cable types for Single IPS engines and Single Layer 2 Firewalls

Figure: Correct cable types for Serial IPS Clusters

Figure: Correct cable types for Active/Standby Layer 2 Firewall Clusters

Figure: Correct cable types for Serial Virtual IPS Clusters

Figure: Correct cable types for Active/Standby Virtual Layer 2 Firewall Clusters