Establishing Firewall Management Center High Availability
Establishing high availability can take a significant amount of time, even several hours, depending on the bandwidth between the peers and the number of policies. It also depends on the number of devices registered to the active Firewall Management Center, which need to be synced to the standby Firewall Management Center. You can view the High Availability page to check the status of the high availability peers.
Before you begin
- Confirm that both Firewall Management Centers adhere to the high availability system requirements. For more information, see Requirements for Firewall Management Center High Availability.
- Confirm that you completed the prerequisites for establishing high availability. For more information, see Prerequisites for Firewall Management Center High Availability.
- In a multidomain deployment, you must be in the Global domain to perform this task.
Procedure
Step 1 | Log into the Firewall Management Center that you want to designate as the secondary. |
Step 2 | Choose , and then choose High Availability. |
Step 3 | Under Role for this Firewall Management Center, choose Secondary. |
Step 4 | Enter the hostname or IP address of the primary Firewall Management Center in the Primary Firewall Management Center Host text box. You can leave this empty if the primary Firewall Management Center does not have an IP address reachable from the peer Firewall Management Center (which can be a public or private IP address). In this case, use both the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one Firewall Management Center to enable the HA connection. |
Step 5 | Enter a one-time-use registration key in the Registration Key text box. The registration key is any user-defined alphanumeric value up to 37 characters in length. This registration key will be used to register both the secondary and the primary Firewall Management Centers. |
Step 6 | If you did not specify the primary IP address, or if you do not plan to specify the secondary IP address on the primary Firewall Management Center, then in the Unique NAT ID field, enter a unique alphanumeric ID. See NAT Environments for more information. |
Step 7 | Click Register. |
Step 8 | Using an account with Admin access, log into the Firewall Management Center that you want to designate as the primary. |
Step 9 | Choose , and then choose High Availability. |
Step 10 | Under Role for this Firewall Management Center, choose Primary. |
Step 11 | Enter the hostname or IP address of the secondary Firewall Management Center in the Secondary Firewall Management Center Host text box. You can leave this empty if the secondary Firewall Management Center does not have an IP address reachable from the peer Firewall Management Center (which can be a public or private IP address). In this case, use both the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one Firewall Management Center to enable the HA connection. |
Step 12 | Enter the same one-time-use registration key in the Registration Key text box you used in step 6. |
Step 13 | If required, enter the same NAT ID that you used in step 7 in the Unique NAT ID text box. |
Step 14 | Click Register. |
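The following Python script is an added example, not Cisco code and not part of the product. It generates a random registration key within the 37-character alphanumeric limit and checks a planned set of field values against the rules stated in the procedure above before you enter them on either peer. The function names and the example.net hostnames are assumptions made for illustration.

```python
import secrets
import string

KEY_MAX_LEN = 37  # limit stated for the Registration Key field
ALPHANUM = string.ascii_letters + string.digits

def new_registration_key(length=KEY_MAX_LEN):
    """Return a random alphanumeric one-time key drawn from the OS CSPRNG."""
    if not 1 <= length <= KEY_MAX_LEN:
        raise ValueError("length must be between 1 and 37")
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))

def _alnum(value):
    # Non-empty and limited to ASCII letters and digits.
    return bool(value) and value.isascii() and value.isalnum()

def check_ha_plan(primary_host, secondary_host, reg_key, nat_id=""):
    """Return a list of problems with the values planned for both HA pages.

    primary_host   -> typed on the secondary peer, may be empty
    secondary_host -> typed on the primary peer, may be empty
    reg_key/nat_id -> must be typed identically on both peers
    (parameter names are hypothetical, chosen for this example)
    """
    problems = []
    if not _alnum(reg_key) or len(reg_key) > KEY_MAX_LEN:
        problems.append("registration key must be alphanumeric, 1-37 characters")
    if not primary_host and not secondary_host:
        problems.append("specify the address of at least one peer")
    if not (primary_host and secondary_host) and not nat_id:
        problems.append("a peer address is omitted, so a Unique NAT ID is required")
    if nat_id and not _alnum(nat_id):
        problems.append("Unique NAT ID must be alphanumeric")
    return problems

if __name__ == "__main__":
    key = new_registration_key()
    # Constructed sample plan: the primary sits behind NAT, so its host is left empty.
    issues = check_ha_plan("", "fmc-secondary.example.net", key, nat_id="hapair01")
    print("registration key:", key)
    print("problems:", issues or "none")
```

Because the key is one-time-use and must match on both peers, generate it once and carry it to the second peer over a channel you trust rather than reusing a key from an earlier registration.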
What to do next
After establishing the Firewall Management Center high availability pair, devices registered to the active Firewall Management Center are automatically registered to the standby Firewall Management Center.
Note | When a registered device has a NAT IP address, automatic device registration fails and the secondary Firewall Management Center High Availability page lists the device as local, pending. You can then assign a different NAT IP address to the device on the standby Firewall Management Center High Availability page. If automatic registration otherwise fails on the standby Firewall Management Center, but the device appears to be registered to the active Secure Firewall Management Center, see Using CLI to Resolve Device Registration in Firewall Management Center High Availability. |