Preparing to add IDPS-Supported Gateways

HPE Aruba Networking IDPS (Intrusion Detection and Prevention System) monitors, detects, and prevents threats in inbound and outbound traffic. It provides an extra layer of protection by actively analyzing the network and acting on traffic flows according to the defined rules: data packets are inspected and, if a threat is identified, it is prevented in real time.

If you are an existing customer who wants to enable and use Gateway IDS/IPS but does not have HPE Aruba Networking IDPS-supported gateways, you need IDPS-supported gateways and either a gateway or an SD-Branch security license. For more information on onboarding and provisioning gateways, see HPE Aruba Networking Central Licenses.

If you are an existing customer who already has HPE Aruba Networking IDPS-supported gateways deployed, you need a gateway or an SD-Branch security license to use Gateway IDS/IPS.

Supported Gateways for Gateway IDS/IPS

The following table lists the Branch Gateway, VPNC, and Mobility Gateway models that support Gateway IDS/IPS.

For information regarding the subscriptions or licenses for IDPS-supported gateways, see HPE Aruba Networking Central Licenses Feature Details and HPE Aruba Networking Wireless Operating System 10 Capacity Licenses.

Table 1: Supported HPE Aruba Networking Gateways

| Platform | Persona | Minimum Supported Software Version | Recommended Software Version | Latest Software Version |
|---|---|---|---|---|
| HPE Aruba Networking 9004 | Branch Gateway | AOS-10.4.1.1 (LSR) | AOS-10.4.1.1 (LSR) | AOS-10.6.0.0 (SSR) |
| HPE Aruba Networking 9004-LTE | Branch Gateway | AOS-10.4.1.1 (LSR) | AOS-10.4.1.1 (LSR) | AOS-10.6.0.0 (SSR) |
| HPE Aruba Networking 9012 | Branch Gateway, VPNC | AOS-10.4.1.1 (LSR) | AOS-10.4.1.1 (LSR) | AOS-10.6.0.0 (SSR) |
| HPE Aruba Networking 9114 | Branch Gateway, Mobility Gateway, VPNC | AOS-10.6.0.0 (SSR) | AOS-10.6.0.0 (SSR) | AOS-10.6.0.0 (SSR) |
| HPE Aruba Networking 9240 | Branch Gateway, Mobility Gateway, VPNC | AOS-10.6.0.0 (SSR) | AOS-10.6.0.0 (SSR) | AOS-10.6.0.0 (SSR) |
| HPE Aruba Networking 9106 | Branch Gateway | AOS-10.7.1.0 (SSR) | AOS-10.7.1.0 (SSR) | AOS-10.7.1.0 (SSR) |

LSR (Long Supported Release) and SSR (Short Supported Release) are release type tags that identify the maintenance schedule of a software version.

For information about Long Support Release (LSR) and Short Support Release (SSR), see the Release Descriptions page on the HPE Networking Support Portal.

Datapath Sessions for IDPS-Supported Gateways

The following table lists the number of datapath sessions supported on each gateway model.

The maximum number of concurrent sessions supported varies with usage pattern and deployment conditions, because the various processes running on the gateway share its resources. The High Water Mark column shows the maximum number of concurrent sessions measured in an isolated, controlled test environment with only the Gateway IDS/IPS feature enabled and in use; no other feature was in use.

Table 2: Datapath Sessions Supported on HPE Aruba Networking Gateways

| Gateway | Software Version | Supported Sessions | High Water Mark |
|---|---|---|---|
| HPE Aruba Networking 9004 | AOS-10.4 | 65000 | 65000 |
| HPE Aruba Networking 9004 | AOS-10.5 | 128000 | 128000 |
| HPE Aruba Networking 9004-LTE | AOS-10.4 | 65000 | 65000 |
| HPE Aruba Networking 9004-LTE | AOS-10.5 | 128000 | 128000 |
| HPE Aruba Networking 9012 | AOS-10.4 | 65000 | 65000 |
| HPE Aruba Networking 9012 | AOS-10.5 | 128000 | 128000 |
| HPE Aruba Networking 9114 | AOS-10.6 | 2000000 | 1800000 |
| HPE Aruba Networking 9114 | AOS-10.7 | 2000000 | 1800000 |
| HPE Aruba Networking 9240 | AOS-10.6 | 2000000 | 1800000 |
| HPE Aruba Networking 9240 | AOS-10.7 | 4000000 | 3600000 |
| HPE Aruba Networking 9106 | AOS-10.7 | 2000000 | 1500000 |

Gateway Reboot Scenarios

An IDPS-supported gateway reboots in the following scenarios:

  • When you apply the security license to HPE Aruba Networking IDPS-supported gateways on the network, the gateways reboot to enable the traffic inspection engine.
  • When a System IP is assigned to the gateway.
  • When the image version on HPE Aruba Networking Activate differs from the one on the device.
  • When you upgrade the software to the recommended version.

When the gateways reboot, the network experiences considerable downtime (approximately 4 minutes). It is a best practice to apply the security license to existing HPE Aruba Networking IDPS-supported gateways during non-working hours.

Best Practices

The following are some of the best practices for configuring Gateway IDS/IPS and getting the IDPS-supported gateways up and running:

  • Ensure that you set up the recommended firmware upgrade at the group level. For more information, see Upgrading the Firmware on Device.
  • Assign the gateway or SD-Branch security subscription before you start to configure the IDPS-supported gateway. For more information, see Assigning Subscription.
  • For gateways provisioned using HPE Aruba Networking Activate, ensure that the image on HPE Aruba Networking Activate and the image on the device are the same. For more information, see Connecting HPE Aruba Networking Gateways to HPE Aruba Networking Central.
  • Follow this sequence of steps to configure Gateway IDS/IPS on an IDPS-supported gateway:
    1. Upgrade the firmware to AOS 8.5.0.0 - 2.3.0.0.
    2. Apply a valid security subscription.
    3. Enable traffic inspection.