Choose the appropriate behavior to decide whether to enable
or disable the Inspect HA mirrored ports check
box on the SNORT Configuration tab.
Enable
The SNORT systems running on appliances
in an HA pair inspect packets from mirrored ports. This behavior applies
to pairs running in inline protection or inline simulation mode. This
option increases the possibility of duplicate global responses and SiteProtector™ alerts. However,
this option decreases the chance of the SNORT systems to miss attacks
because the systems analyze all packets, including packets from mirrored
ports.
Disable
The SNORT systems running on appliances
in an HA pair do not inspect packets from mirrored ports. This behavior
applies to pairs running in inline protection or inline simulation
mode. This option minimizes the possibility of duplicate global responses
and SiteProtector alerts.
However, this option limits the ability of the SNORT systems to analyze
all traffic.
Important: When this option is disabled,
it is possible for one of the SNORT systems to miss an attack. Also,
the quarantine rules generated from SNORT events might be out of sync
on the appliances in the HA pair.