Cisco 4100 Firepower Threat Defense. Deploying Active/Standby

I’ll briefly touch on FTD Active/Standby setup, as it greatly overlaps with the standard ASA Active/Standby configuration. For any clustering-related configuration check this link. Once both devices are individually added to FMC as described here, you will need to create a High Availability pair under Devices > Add… > Add High Availability. Select Continue to proceed to the configuration screen.

If there are any inconsistencies between the two units (for example a mismatch in model, software version, firewall mode or licensing) you will be alerted, and they need to be resolved before the pair can be created.

The next screen is very straightforward and similar to the standard ASA failover setup. Remember that the physical failover interface was set up earlier in Part 1. Do not use reserved or link-local IP addresses (e.g. 169.254.x.x) for the failover interface; stay within the RFC 1918 ranges and give both units addresses in the same small subnet (a /30 is enough). The failover link carries configuration and connection-state synchronization between the two units, so it should be a dedicated, directly connected link or an isolated VLAN; if it has to traverse shared infrastructure, enable IPsec Encryption for the link in the HA wizard and set a key.

Once HA setup is complete, FMC treats the pair as a single logical device, and all future configuration changes are applied to the HA pair rather than to the individual units. Select the Edit button to make configuration changes and set up interfaces.
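As an added example (my own code, not from the original post and not a Cisco tool), the Python script below captures two checks a practitioner would want at this point: it validates a candidate failover-link address pair against the rule from the previous step (RFC 1918 only, no link-local or reserved addresses, both units in one subnet), and it parses `show failover` output from the FTD CLI to confirm that failover is on, the failover link is up, both units run the same version, and one unit is Active while the other is Standby Ready. The `show failover` text embedded in the script is constructed to follow the ASA/FTD output format; it is not a capture from the author's lab, and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample of `show failover` output on the Active unit, modelled on
# the ASA/FTD output format. Not a capture from the original post's lab.
SAMPLE_SHOW_FAILOVER_HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover-link Ethernet1/8 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Version: Ours 9.8(2), Mate 9.8(2)
        This host: Primary - Active
                Active time: 8542 (sec)
                  Interface inside: Normal (Monitored)
                  Interface outside: Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside: Normal (Monitored)
                  Interface outside: Normal (Monitored)
"""

# Constructed degraded sample: failover link down, peer failed.
SAMPLE_SHOW_FAILOVER_DEGRADED = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover-link Ethernet1/8 (down)
Version: Ours 9.8(2), Mate 9.8(2)
        This host: Primary - Active
        Other host: Secondary - Failed
"""

RFC1918_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def validate_failover_link(active_ip: str, standby_ip: str, netmask: str):
    """Apply the failover-link addressing rule: RFC 1918 only, nothing
    link-local or reserved, both addresses usable hosts in one subnet."""
    try:
        a, s = ipaddress.ip_address(active_ip), ipaddress.ip_address(standby_ip)
    except ValueError as exc:
        return False, f"invalid address: {exc}"
    for ip in (a, s):
        if ip.is_link_local:
            return False, f"{ip} is link-local (169.254.0.0/16), not allowed"
        if ip.is_loopback or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
            return False, f"{ip} is a reserved address"
        if not any(ip in n for n in RFC1918_NETS):
            return False, f"{ip} is outside the RFC1918 ranges"
    if a == s:
        return False, "active and standby addresses must differ"
    net = ipaddress.ip_network(f"{active_ip}/{netmask}", strict=False)
    for ip in (a, s):
        if ip not in net:
            return False, f"{ip} is not in the failover subnet {net}"
        if ip in (net.network_address, net.broadcast_address):
            return False, f"{ip} is the network or broadcast address of {net}"
    return True, "ok"


def parse_show_failover(text: str) -> dict:
    """Pull the fields that matter for an HA health check out of `show failover`."""
    st = {"failover_on": False, "link_up": False, "version_match": False,
          "this_host": None, "other_host": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            st["failover_on"] = True
        elif (m := re.match(r"Failover LAN Interface: \S+ \S+ \((\w+)\)", line)):
            st["link_up"] = m.group(1).lower() == "up"
        elif (m := re.match(r"Version: Ours ([^,]+), Mate (.+)", line)):
            st["version_match"] = m.group(1).strip() == m.group(2).strip()
        elif (m := re.match(r"This host: (\w+) - (.+)", line)):
            st["this_host"] = (m.group(1), m.group(2).strip())
        elif (m := re.match(r"Other host: (\w+) - (.+)", line)):
            st["other_host"] = (m.group(1), m.group(2).strip())
    return st


def ha_pair_healthy(text: str):
    """Return (healthy, problems) for a `show failover` dump."""
    st = parse_show_failover(text)
    problems = []
    if not st["failover_on"]:
        problems.append("failover is not enabled")
    if not st["link_up"]:
        problems.append("failover link is not up")
    if not st["version_match"]:
        problems.append("software version differs between units")
    states = sorted(h[1] for h in (st["this_host"], st["other_host"]) if h)
    if states != ["Active", "Standby Ready"]:
        problems.append(f"unexpected unit states: {states}")
    return (not problems), problems


if __name__ == "__main__":
    print(validate_failover_link("10.255.255.1", "10.255.255.2", "255.255.255.252"))
    print(validate_failover_link("169.254.1.1", "169.254.1.2", "255.255.255.252"))
    print(ha_pair_healthy(SAMPLE_SHOW_FAILOVER_HEALTHY))
    print(ha_pair_healthy(SAMPLE_SHOW_FAILOVER_DEGRADED))
```

In practice you would feed `ha_pair_healthy` the text returned by `show failover` from the FTD CLI (or from FMC's device health monitor) after the pair is created and again after every deployment, so that a degraded standby is caught before the next failover rather than during it.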

Define your interfaces. Since this is a transparent deployment, we need to create subinterfaces on the physical port-channel, assign them to ingress and egress security zones (in transparent mode the subinterfaces are members of a bridge group), and apply an Access Control Policy similar to the configuration from the Cisco 4100 Clustering. Part 3: FMC Configuration post.

This is it. I’ll post further updates later as I get to implement and test the configuration in a production environment.
