prefer security /prefer connectivity

umar7 · ‎2022-12-12

hello support,

may i know the scenario and what kind of scenario we can use prefer security ?

and what kind of scenario we can use prefer connectivity ? what are the benefits if we use both of the parameter?

the_rock · ‎2022-12-12

I assume you are referring to IPS blade setting on the gateway...there is an option there which is by default to prefer connectivity upon cluster failover even if IPS protections cant be guaranteed OR prefer security, which would close connections if IPS protections cant be guaranteed. Now, if you are speaking generally, it really depends who you ask. Of course, in todays world, more than ever before, security is way too important to overlook, but then if you think of connectivity, its literally something most companies require constantly. So, all in all, both are super important, but again, opinions might be split on this one.

umar7 · ‎2022-12-12

hello rock,

thanks for the update ,

correct me if i am wrong

if i select the prefer connectivity , during the failover it simply switch the connection to standby device it ensure there is no connectivity issue failover

if i select the prefer security , during the failover it simply drop the current connection it will not ensure the connectivity right

above i mentioned is correct rock ?

the_rock · ‎2022-12-12

I attached the screenshot for your reference, hope its helpful.

Andy

the_rock · ‎2022-12-13

You sort of got it : - ). So for prefer connectivity, yes, thats correct, IF your cluster is fully functional, then when failover happens, it will work fine if that option is selected. Now, IF prefer security is selected, does not mean current connections will close, ONLY ones for which IPS signatures can not be applied to/guaranteed. Personally, I would leave it to "prefer connectivity", which is default, as lets be honest, you do NOT want people "screaming" at you because their connections are failing : - )

By the way, sk @Chris_Atkinson provided also explains that. I would listen to him, he is EXCELLENT, very smart guy!

Timothy_Hall · ‎2022-12-13

One interesting side effect of "prefer connectivity" is that while the connection will be continued upon ClusterXL failover, it cannot be inspected by streaming (either active or passive) anymore. As a result the connection will be offloaded into the SXL/Accelerated Path on the newly-active member.

This looks very strange when you are watching a high-speed transfer that is subject to streaming inspection and a failover occurs; the speed of the transfer doubles or triples! Interestingly if you fail back over to the original member streaming inspection resumes (assuming the member has not been rebooted or otherwise cleared its state table) and the transfer speed drops back to what it was before. Was definitely a WTF moment when I first saw this effect, as causing a failover would massively speed up big transfers!

New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com

the_rock · ‎2022-12-13

O wow, thanks for that Tim, thats super interesting 👍

umar7 · ‎2022-12-19

hello rock,

may i know pros and cons of the parameter of "prefer security/prefer connectivity" ?

1 ) Resumed for new connections after complete start-up of the IPS service

Is the statement correct as it was mentioned that “New connections are accepted”? This is no different from “Preferred Security” mode.

2)Resumed for new connections after complete start-up of the IPS service

Which mean, new connections are rejected and hence no scanning until the IPS service is completely up and running.

Is the statement also applicable to “Preferred Connectivity” mode?

3)This time suggests the minimum duration over which the in-service IPS will not be able to takeover the operation of the out-of-service IPS to provide network intrusion protection. Comparing to “Preferred Connectivity” mode, it also suggests that the time taken to establish a new connection which was previously lost due to “Preferred Security” mode is almost negligible.

If this understanding is correct, then it is the IPS failover timespan being the real reason behind why “Preferred Security” mode is not recommended by MSI. The measured timing of 3Min 11 Secs indicates the expected duration of connectivity disruption if the “Preferred Security” mode is opted.

We need further clarification from MSI to be more precise in our justification for the “Preferred Security” mode.

Questions to MSI:

Is the measured timing for IPS service startup and failover in the non-production environment representative of that in the production environment?
What is the MTBF (Mean Time Between Failure) for the Checkpoint firewall?

Will there be circumstances where the IPS service fails even if the Checkpoint firewall is healthy? If yes, how frequent

Chris_Atkinson · ‎2022-12-12

sk60160 provides some additional insight further to that provided by Andy.

Alexander_Wilke · ‎2022-12-14

What to use if you are running a 64k Scalable Plattform which is only a "Single" / "Standard" Gateway Object in SmartConsole and you can not select the options? Probably same for Maestro.

However 64k/Maestro may have failovers in the same "Chassis" or from one chassis to another. What will apply?
Prefer connectifity or prefer security?

Timothy_Hall · ‎2022-12-14

The default on SP/Maestro is prefer connectivity. At least in R80.30SP the command was asg_ips_failover_behavior {connectivity | security} and you could check the current state with command g_fw ctl get int fwha_ips_reject_on_failover, 0 is prefer connectivity, 1 is prefer security.

New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com

Alexander_Wilke · ‎2022-12-14

Thanks,

I can confirm "connectivity" at least for 64k and R80.20SP Jumbo HFA Take 331

g_fw ctl get int fwha_ips_reject_on_failover
-*- 10 blades: 1_01 1_02 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 -*-
fwha_ips_reject_on_failover = 0

umar7 · ‎2022-12-19