1.2.3 Ensure 'Failover' is enabled

Information

Enables failover between the security appliance and another security appliance in order to achieve high availability

Rationale:

Enabling failover helps to meet the availability requirement of the security CIA (Confidentiality - Integrity - Availability) triad, ensuring a physical and logical redundancy of firewalls in order to avoid service disruption should the security appliance or its component fails. It requires to identical systems in hardware and software version connected through a failover and a state links.

Solution

Follow the steps below to enable active/standby failover. The commands are run in the system execution space

Step 1: For each appliance, identify the failover link physical interface <failover_interface_physical> and assign it a name <failover_interface_name> and IP address <failover_interface_ip> and subnet mask <failover_interface_mask>. Identify the other device IP address for each appliance as <peer_failover_ip>

Step 2: For each appliance, identify the state link physical interface <state_interface_physical> and assign it a name <state_interface_name> and IP address <state_interface_ip> and subnet mask <state_interface_mask>. Identify the other device IP address for each appliance as <peer_state_ip>

Step 3: Run the following on the Active device to set it as primary node

hostname(config)#failover lan unit primary

Step 4: Run the following on the Standby device to set it as secondary node

hostname(config)#failover lan unit secondary

Step 5: Run the following on both security appliances

hostname(config)#failover lan interface <failover_interface_name> <failover_interface_physical>
hostname(config)#failover interface ip <failover_interface_name> <failover_interface_ip> <failover_interface_mask> standby <peer_failover_ip>
hostname(config)#interface <failover_interface_physical>
hostname(config-if)#no shutdown
hostname(config)#failover link <state_interface_name> <state_interface_physical>
hostname(config)#failover interface ip <state_interface_name> <state_interface_ip> <state_interface_mask> standby <peer_state_ip>
hostname(config)#interface <state_interface_physical>
hostname(config-if)#no shutdown
hostname(config)#failover
hostname(config)#write memory

Default Value:

Disabled by default

See Also

https://workbench.cisecurity.org/files/3246

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv7|11.1

Plugin: Cisco

Control ID: 891558ba1debd1bec7e4ab9198342200014b1e8999ae2f51805a561541edb5e8