We have been handling clusters of TippingPoint NGFWs for quite a while now. These NGFW clusters are configured to function only as an inline Intrusion Detection/Prevention System. One thing I want to share is my experience with the configuration "Out-of-Sync" issue, which pops up every now and then whenever we make changes on the Active device and then "push configuration to peer" to the Passive device.
As observed from my end, this "Out-of-Sync" issue only occurs when I configure the IPS filter exception rules on the Active device. In general, however, it is rectified by manually comparing the two devices' configurations. Below is my scenario and the steps I have undertaken.
After making changes on the Active NGFW, I manually pushed the configuration via CLI.
NGFW1{}high-availability push-config
WARNING: The running configuration will be copied to the peer device and then saved on both devices. Continue (y/n)? [n]: y
Pushing configuration ..................................... SUCCESS