topic FMC HA deployment and managed FTDs in Network Security

FMC HA deployment and managed FTDs

DavideRanalli76560 — Tue, 23 Feb 2021 16:16:58 GMT

Hi,

4 FTDs in cluster HA Active/Passive should be added to 2 FMCs Active/Passive. FTDs are 4115.

I am perplexed on deployment of standby FMC, if it has to be aware of FTDs or not, I just now that passive FMC don't do any actions as long as active FMC is on line.

Should FTDs be configured to be managed by 2 managers (therefore 2 different IPs)? image below

Or FTDs should be configured to be managed only by the active FMC? Image below

If that's the case, can standby FMC be unaware of FTDs, then active FMC will sink the standby?

On a virtual lab I couldn't configure 2 managers for the FTD, I received error message "This sensor is already managed".

Also since FMC has up 4 mgmt ports available, on the FMC is it wise to use a unique port "one IP" for doing everything (Managing FTDs + HA FMC)?

Thanks

Davide

Re: FMC HA deployment and managed FTDs

TJ-20933766 — Tue, 23 Feb 2021 17:08:59 GMT

Check out this excellent blog on the subject: https://dependencyhell.net/2017-07-10-fmc-ha/

Essentially the FTDs will only be registered to the active FMC but they send events to both the active and standby FMC. The active FMC syncs with the standby FMC so the standby can take over in the event that the primary FMC fails.

As for using multiple interfaces, that depends on how much traffic is being utilized on those links. Unless you have an extra NIC in your server, the interfaces are usually:

CIMC interface (labeled "M")
Serial console port
eth0 (labeled "1")
eth1 (labeled "2")

That means you really only have 2 x 1-Gbps interfaces to work with and you could change one of those interfaces to be the "events only" interface. If you have an additional NIC, you gain two additional 10-Gbps interfaces.

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc-1600-2600-4600/hw/guide/install-fmc-1600-2600-4600/overview.html#concept_otx_2ld_4db

Re: FMC HA deployment and managed FTDs

DavideRanalli76560 — Tue, 23 Feb 2021 19:09:48 GMT

Thanks very much Joachims, regarding the 4 interfaces:

CIMC interface (labeled "M")
Serial console port
eth0 (labeled "1")
eth1 (labeled "2")

would the CIMC be the equivalent of OOB (Out Of Band) Interface, whereas eth0 and eth1 are for HA, mgmt and so on?

Re: FMC HA deployment and managed FTDs

TJ-20933766 — Tue, 23 Feb 2021 19:23:04 GMT

The CIMC is for management of the hardware of the server. Status of the RAID controller, hard drive health, fan health, alerts, and so on are found here. You can also use the CIMC to get KVM access to the server. If you have not set it up, you can do so by either:

1. Rebooting the server and entering the CIMC configuration menu (F8 I believe)

2. Connect the CIMC interface to a network that has a DHCP server and web browse to the IP address that the CIMC gets from DHCP. Default credentials are admin / Cisco1234 but if those don't work, you'll have to resort to option 1.

Re: FMC HA deployment and managed FTDs

DavideRanalli76560 — Tue, 23 Feb 2021 21:45:57 GMT

Very much appreciated Joachims, thanks

Davide