Configuring a Fail Strategy for Traffic

A fail strategy defines how traffic is handled when the inspection engine is down. You can either bypass or block the traffic. By default, the fail strategy is set to Bypass, which means that traffic flow continues even when the Intrusion Prevention engine crashes and fails to inspect the traffic. When Block is selected as the fail strategy, traffic that does not go through inspection is blocked.

To configure the fail strategy, complete the following steps:

  1. In the WebUI, select one of the following options:
    • To configure a Branch Gateway group, complete the following steps:
      1. Set the filter to a group containing at least one Branch Gateway.

        The dashboard context for a group is displayed.
      2. Click Gateways.
      3. Click the Config icon to view the Branch Gateway group configuration dashboard.
    • To configure a Branch Gateway, complete the following steps:
      1. Set the filter to Global or a group containing at least one Branch Gateway.
      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.
      3. Click a gateway under Device Name.

        The dashboard context for the gateway is displayed.
  2. Under Manage, click Security > Gateway IDS/IPS.
  3. Click the Config icon to open the Gateway IDS/IPS configuration page.

    IDS (Intrusion Detection System) monitors a network or systems for malicious activity or policy violations and reports its findings to the management system deployed in the network. IPS (Intrusion Prevention System) monitors a network for malicious activities such as security threats or policy violations. The main function of an IPS is to identify suspicious activity, log the information, attempt to block the activity, and report it.
  4. In the General tab, under Inspection, by default, IDS is selected as the mode of inspection.
  5. Configure Fail Strategy:

    1. Select Bypass if you want the traffic flow to continue even when the Intrusion Prevention engine crashes and fails to inspect the traffic.

      A slight disruption in the traffic occurs when AOS detects an engine failure and takes action based on the fail strategy configuration.

    2. Select Block if you do not want the traffic to flow until the Intrusion Prevention engine inspects the data packets.

      If you select this option, your traffic flow is blocked until the Intrusion Prevention engine starts inspecting the traffic.