IPS deployment in IDS mode
One of the options in IDS mode is to use network TAP devices that copy packets for the IPS engines.
In an IPS Cluster, all nodes must receive all packets. The nodes agree over the heartbeat link which node inspects which connections.
Packets can also be duplicated for inspection through a SPAN or mirror port on a switch/router. In an IPS Cluster, each node must be connected to a SPAN or mirror port of its own. Hubs are not recommended, but you can use hubs in configurations where the low performance of a hub is not an issue, for example in a basic testing environment.
An IPS Cluster can be deployed alongside a Firewall Cluster. In this configuration, the IPS Cluster is in the same broadcast domain as the Firewall.
In a redundant disaster-recovery setup, Firewall Cluster nodes can be far apart. The IPS engines are not clustered in this configuration, but they have identical policies.