https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4664533#M1092455 <P>Thanks for reply Marvin! really appreciate that.&nbsp;</P> <P>I completely understands that all software and policy configuration needs to match but only thing I'm not sure about is how its going to behave when I will failover to standby and break the cluster in order to bring new hardware and switch the traffic over to new hardware without impacting outage.&nbsp;</P> Fri, 05 Aug 2022 18:06:56 GMT noman0058 2022-08-05T18:06:56Z https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4663913#M1092439 <P>Can someone share steps and things to watch out for when replacing of Cisco FTD 4110 to new 4120 in cluster mode.</P> Thu, 04 Aug 2022 19:32:37 GMT https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4663913#M1092439 noman0058 2022-08-04T19:32:37Z https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4664118#M1092442 <P>If you are changing models then you are replacing the entire cluster since all models must be the same in a given cluster.</P> <P>That's quite a significant undertaking and requires careful planning to ensure it goes smoothly. Each member of the new cluster would have to be bootstrapped and joined into the cluster. Software version, patch level, SRU, VDB and Geolocation would all have to be brought up to date. Interfaces to match the old cluster would have to be configured in shutdown mode in preparation for the actual cutover. The various policies (Access Control, NAT, Platform etc.) associated with the existing cluster would also need to be applied to the new cluster.</P> <P>Those are just the highlights off the top of my head. If you aren't working with an experienced field engineer for this, you should be.</P> Fri, 05 Aug 2022 07:59:02 GMT https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4664118#M1092442 Marvin Rhoads 2022-08-05T07:59:02Z https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4664533#M1092455 <P>Thanks for reply Marvin! really appreciate that.&nbsp;</P> <P>I completely understands that all software and policy configuration needs to match but only thing I'm not sure about is how its going to behave when I will failover to standby and break the cluster in order to bring new hardware and switch the traffic over to new hardware without impacting outage.&nbsp;</P> Fri, 05 Aug 2022 18:06:56 GMT https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4664533#M1092455 noman0058 2022-08-05T18:06:56Z https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4664556#M1092456 <P>So from your latest reply it seems you are talking about a high availability pair and not a cluster. In either case, you are essentially taking the existing firewall services completely offline and replacing them with another higher capacity set.</P> <P>There will be a planned outage - that's unavoidable.</P> <P>The primary things external to the firewall to ensure is that the upstream and downstream next hop devices clear their arp caches to account for the old IP addresses now being on new hosts.</P> Fri, 05 Aug 2022 18:35:30 GMT https://community.cisco.com/t5/network-security/replace-cisco-ftd-cluster/m-p/4664556#M1092456 Marvin Rhoads 2022-08-05T18:35:30Z