Ensure 'Failover' is enabled

Information

Enables failover between the security appliance and a second security appliance in order to achieve high availability.

Rationale:

Enabling failover helps to meet the availability requirement of the security CIA (Confidentiality - Integrity - Availability) triad, ensuring physical and logical redundancy of firewalls in order to avoid service disruption should the security appliance or one of its components fail. It requires two systems with identical hardware and software versions, connected through a failover link and a state link.

Solution

Step 1 Add both devices to the Firepower Management Center according to Add Devices to the Firepower Management Center.
Step 2 Choose Devices > Device Management.
Step 3 From the Add drop-down menu, choose Add High Availability.
Step 4 Enter a display Name for the high availability pair.
Step 5 Under Device Type, choose Firepower Threat Defense.
Step 6 Choose the Primary Peer device for the high availability pair.
Step 7 Choose the Secondary Peer device for the high availability pair.
Step 8 Click Continue.
Step 9 Under LAN Failover Link, choose an Interface with enough bandwidth to reserve for failover communications. Only interfaces that do not have a logical name and do not belong to a security zone will be listed in the Interface drop-down in the Add High Availability Pair dialog.
Step 10 Type any identifying Logical Name.
Step 11 Type a Primary IP address for the failover link on the active unit. This address should be on an unused subnet.
169.254.0.0/16 and fd00:0:0:*::/64 are internally used subnets and cannot be used for the failover or state links.
Step 12 Optionally, choose Use IPv6 Address.
Step 13 Type a Secondary IP address for the failover link on the standby unit. This IP address must be in the same subnet as the primary IP address.
Step 14 If IPv4 addresses are used, type a Subnet Mask that applies to both the primary and secondary IP addresses.
Step 15 Optionally, under Stateful Failover Link, choose the same Interface, or choose a different interface and enter the high availability configuration information.
169.254.0.0/16 and fd00:0:0:*::/64 are internally used subnets and cannot be used for the failover or state links.
Step 16 Optionally, choose Enabled and choose the Key Generation method for IPsec Encryption between the failover links.
Step 17 Click OK. This process takes a few minutes as the process synchronizes system data.
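Once the pair is built, the control can be verified from the FTD CLI with "show failover". The following added example (not Cisco's or Tenable's own code) parses a constructed, abridged sample of that output and flags the conditions an auditor would want to see: failover on, both links up, and the peers in Active / Standby Ready state. The exact field layout of the sample is an assumption.

```python
# Constructed, abridged samples in the style of FTD "show failover" output
# (not captured from a real device); the field layout is an assumption.
COMPLIANT = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/2 (up)
Stateful Failover Logical Update Statistics
        Link : statelink GigabitEthernet0/3 (up)
This host: Primary - Active
Other host: Secondary - Standby Ready
"""

NONCOMPLIANT = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
"""


def parse_failover(text):
    """Extract the fields the audit needs from show failover output."""
    info = {"enabled": False, "lan_link_up": False, "state_link_up": False,
            "this_host": None, "other_host": None}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Failover On"):
            info["enabled"] = True
        elif s.startswith("Failover LAN Interface:"):
            info["lan_link_up"] = s.endswith("(up)")
        elif s.startswith("Link :"):          # stateful failover link line
            info["state_link_up"] = s.endswith("(up)")
        elif s.startswith("This host:"):
            info["this_host"] = s.split("-", 1)[1].strip()
        elif s.startswith("Other host:"):
            info["other_host"] = s.split("-", 1)[1].strip()
    return info


def audit_failover(text):
    """Return (passed, findings) for the 'Failover is enabled' control."""
    info = parse_failover(text)
    findings = []
    if not info["enabled"]:
        findings.append("failover is Off")
    if not info["lan_link_up"]:
        findings.append("failover LAN link not configured or down")
    if not info["state_link_up"]:
        findings.append("stateful failover link not configured or down")
    if {info["this_host"], info["other_host"]} != {"Active", "Standby Ready"}:
        findings.append("peers are not in Active / Standby Ready state")
    return (not findings, findings)
```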

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-13(5)

Plugin: Cisco_Firepower

Control ID: 83b74d96f2778430a6e76de9ad4b08e2cdfe060436442ff805fbbefae576fb9c