https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003301#M1108290 <P>SDWAN router need to have static route to active FW IP&nbsp;<BR />the FW IP is swap when fail over and hence always the SDWAN point to active FW&nbsp;<BR />MHM</P> Tue, 23 Jan 2024 10:00:15 GMT MHM Cisco World 2024-01-23T10:00:15Z https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003295#M1108287 <P>Hi,</P><P>We have a greenfield project in which we are implementing FTD.</P><P>Let’s assume I have configured</P><P>Active : 192.168.75.10</P><P>standby : 192.168.75.11</P><P>FTD will connect to the SDWAN cedge devices (HA).</P><P>connectivity is as below:</P><P>SDWAN edge router (HA)—&gt; FTD —&gt; Core Switch —&gt; internal servers</P><P>We will configure static route on firewall to reach SDWAN device.</P><P>And reverse traffic will reach to primary firewall which is 192.168.75.10</P><P>Now my question is during failover when standby firewall will be active. how the reverse traffic will reach to secondary firewall (192.168.75.12)?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Jan 2024 09:51:35 GMT https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003295#M1108287 KayaaKashyap 2024-01-23T09:51:35Z https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003298#M1108289 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1643055">@KayaaKashyap</a> both FTD's (Active/Standby) inside and outside interfaces need to be plugged into a switch and in the same VLAN. Upon failover of the Active (Primary) firewall, the Standby (Secondary) firewall will become active and the firewalls will swap IP addresses. So 192.168.75.10 will be the Active IP address regardless of whether the which firewall is passing traffic.</P> Tue, 23 Jan 2024 09:57:59 GMT https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003298#M1108289 Rob Ingram 2024-01-23T09:57:59Z https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003301#M1108290 <P>SDWAN router need to have static route to active FW IP&nbsp;<BR />the FW IP is swap when fail over and hence always the SDWAN point to active FW&nbsp;<BR />MHM</P> Tue, 23 Jan 2024 10:00:15 GMT https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003301#M1108290 MHM Cisco World 2024-01-23T10:00:15Z https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003302#M1108291 <P>NOTE:- if you run IGP only the active participate in igp, the standby dont have any role.<BR />MHM</P> Tue, 23 Jan 2024 10:01:22 GMT https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003302#M1108291 MHM Cisco World 2024-01-23T10:01:22Z https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003335#M1108293 <P>This is helpful. Many thanks.</P><P>So we can say Primary IP of firewall works as VIP in FTD HA, right?</P><P>Please share if you have supportive document?</P> Tue, 23 Jan 2024 10:39:29 GMT https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003335#M1108293 KayaaKashyap 2024-01-23T10:39:29Z https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003347#M1108295 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1643055">@KayaaKashyap</a> yes, the primary unit IP address can be consider as VIP that will always be available regardless of which unit is active.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RobIngram_0-1706006787414.png" style="width: 684px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/208287i714698515EB0B7ED/image-dimensions/684x76?v=v2" width="684" height="76" role="button" title="RobIngram_0-1706006787414.png" alt="RobIngram_0-1706006787414.png" /></span></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/high-availability.html#ID-2107-000000a8" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/high-availability.html#ID-2107-000000a8</A></P> <P>&nbsp;</P> Tue, 23 Jan 2024 10:47:54 GMT https://community.cisco.com/t5/network-security/ha-on-ftd/m-p/5003347#M1108295 Rob Ingram 2024-01-23T10:47:54Z