topic Sorry but your concern was: in Network Security

FireSight Redundancy

sultan.ahmed21 — Tue, 12 Mar 2019 13:09:39 GMT

We have Cisco ASA Firewall 5506-X with FirePower. Firesight in installed on a Virtual Machine. There is only one physical machine for the Firesight. In case this machine fails then whole network will be down. There will be no internet access. We are thinking for a second physical machine to host Firesight so that if one them fails the second one can takeover. We are not sure how to achieve this. Any suggestion will be highly appreciated. We are only using virtual machines not any Cisco Firesight appliance.

do you mean the firesight

pieterh — Thu, 13 Oct 2016 10:41:18 GMT

do you mean the firesight management server is installed on a virtual machine?

The firepower module in the 5506-x receives its configuration from the management server, but otherwise it runs independantly.

(of course no updates when management server is down)

what you need is a second 5506-x and configure this as failover pair.

then use firesight management to keep the firesight configuration consistant on both firepower modules in the 5506-x (distribute the policy to both modules)

Firesight Management Server

sultan.ahmed21 — Thu, 13 Oct 2016 11:01:35 GMT

Firesight Management Server is installed on a Virtual Machine. We want redundancy for Firesight Management Server not for ASA 5506-X.

Sorry but your concern was:

pieterh — Thu, 13 Oct 2016 11:12:15 GMT

Sorry but your concern was:

In case this machine fails then whole network will be down. There will be no internet access.

internet access is performed by your firewall, not your management server

That is true. But internet

sultan.ahmed21 — Thu, 13 Oct 2016 11:26:53 GMT

That is true. But internet access is not allowed when Firesight is down. That is the policy. Unfiltered access to internet is not allowed. As soon as Firesight Management Centre is down, internet access is blocked.

ok so a restiction in the

pieterh — Thu, 13 Oct 2016 11:35:42 GMT

ok so a restiction in the policy needs the management server to be available.

the management server can be configured in high-availability configuration see this document you need to validate this for your running version

Sultan,

michaellperrin — Fri, 14 Oct 2016 19:28:54 GMT

Sultan,

The FMC doesn't enforce the policy on the module. The policy sits on the module and all allowing and blocking is done by the module itself.

The only thing you lose when the FMC is down is the ability to manage the module.

I don't know what you mean by unfiltered access to the internet? When the FMC is down the internet access is still going to be filtered.