Choose the appropriate behavior to decide whether to enable
or disable the Inspect HA mirrored ports check
box on the SNORT Configuration tab.
Enable
The SNORT systems that are running
on appliances in an HA pair inspect packets from mirrored ports. This
behavior applies to pairs that are running in inline protection or
inline simulation mode. This option increases the possibility of duplicate
global responses and SiteProtector™ alerts.
However, this option decreases the chance that SNORT systems miss
attacks because the systems analyze all packets, including packets
from mirrored ports.
Disable
The SNORT systems that are running
on appliances in an HA pair do not inspect packets from mirrored ports.
This behavior applies to pairs that are running in inline protection
or inline simulation mode. This option minimizes the possibility of
duplicate global responses and SiteProtector alerts.
However, this option limits the ability of the SNORT systems to analyze
all traffic.
Important: When this option is disabled,
it is possible for one of the SNORT systems to miss an attack. Also,
the quarantine rules that are generated from SNORT events might be
out of sync on the appliances in the HA pair.