Add a High Availability Pair

When establishing an Active/Standby high-availability pair, you designate one of the devices as primary and the other as secondary. The management center deploys a merged configuration to the paired devices. If there is a conflict, the primary device setting is used.

Note

The failover link and the stateful failover link are in a private IP space and are only used for communication between peers in a high-availability pair. After high availability is established, selected interface links and encryption settings cannot be modified without breaking the high-availability pair and reconfiguring it.

Caution

Creating or breaking a high-availability pair immediately restarts the Snort process on the primary and secondary devices, temporarily interrupting traffic inspection on both devices. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information. The system warns you that continuing to create a high-availability pair restarts the Snort process on the primary and secondary devices and allows you to cancel.

Before you begin

Confirm that both devices:

  • Are the same model.

  • Have the same number and type of interfaces.

  • Are in the same domain and group.

  • Have normal health status and are running the same software.

  • Are either in routed or transparent mode.

    Note

    Only routed mode is supported for manager access on a data interface.

  • Have the same NTP configuration. See Time Synchronization.

  • Are fully deployed with no uncommitted changes.

  • Do not have DHCP or PPPoE configured on any interfaces.

  • For manager access on a data interface:

    • Use the same data interface on both devices for manager access.

    • Redundant manager access data interface is not supported.

    • You cannot use DHCP; only a static IP address is supported. Features that rely on DHCP cannot be used, including DDNS and zero-touch provisioning.

    • Have different static IP addresses in the same subnet.

    • Use either IPv4 or IPv6; you cannot set both.

    • Use the same manager configuration (configure manager add command) to ensure that the connectivity is the same.

    • You cannot use the data interface as the failover or state link.

Note

The high availability formation is possible between the two threat defense devices when the certificate available on the primary device is not present on the secondary device. When high availability is formed, the certificate will be synched on the secondary device.

Procedure

Step 1

In the Security Cloud Control navigation bar, click Inventory.

Step 2

Click the Devices tab to locate your device.

Step 3

Click the FTD tab and select the device you want to establish as the primary device.

Step 4

In the Management pane, click High Availability.

Step 5

Enter a display Name for the high-availability pair.

Step 6

Under Device Type, choose Firepower Threat Defense.

Step 7

Choose the Primary Peer device for the high-availability pair.

Step 8

Choose the Secondary Peer device for the high-availability pair.

Note

In the remote deployment, the devices appearing in the Secondary Peer list depend on the active device selected in the Primary Peer list:

  • If the selected primary peer uses a data interface for management, only the data interface managed devices are listed in the secondary peer list.

  • If the data management interface on the primary peer has an IPv4 address configured on it, then the secondary peer lists only the data interface managed devices that have an IPv4 address configured on them. The same rule applies to IPv6-managed devices as well.

  • The data management interface names of primary and secondary devices should be the same. Devices with different interface names will not be listed in the secondary peer list.

Step 9

Click Continue.

Step 10

Under LAN Failover Link, choose an Interface with enough bandwidth to reserve for failover communications.

Note

Only interfaces that do not have a logical name, do not belong to a security zone, and are not used for handling management traffic, will be listed in the Interface drop-down in the Add High Availability Pair dialog.

Step 11

Type any identifying Logical Name.

Step 12

Type a Primary IP address for the failover link on the active unit.

This address should be on an unused subnet. This subnet can be 31-bits (255.255.255.254 or /31) with only two IP addresses.

Note

169.254.1.0/24 and fd00:0:0:*::/64 are internally used subnets and cannot be used for the failover or state links.

Step 13

Optionally, choose Use IPv6 Address.

Step 14

Type a Secondary IP address for the failover link on the standby unit. This IP address must be in the same subnet as the primary IP address.

Step 15

If IPv4 addresses are used, type a Subnet Mask that applies to both the primary and secondary IP addresses.

Step 16

Optionally, under Stateful Failover Link, choose the same Interface, or choose a different interface and enter the high availability configuration information.

This subnet can be 31-bits (255.255.255.254 or /31) with only two IP addresses.

Note

169.254.1.0/24 and fd00:0:0:*::/64 are internally used subnets and cannot be used for the failover or state links.

Step 17

Optionally, choose Enabled and choose the Key Generation method for IPsec Encryption between the failover links.

Step 18

Click OK. This process takes a few minutes as the process synchronizes system data.

After a successful configuration, you can see the FTD High Availability label on the threat defense node on the Security Cloud Control Inventory page. Select the node to see the active and standby devices you configured for high availability

.

What to do next

Back up the devices. You can use the backup to quickly replace the devices when they fail and to restore the high availability service without being delinked from the management center.