topic Re: FTDv-HA different setttings in Network Security

FTDv-HA different setttings

s_SiD_s — Mon, 16 Mar 2026 12:00:35 GMT

Good day!
I have set up FTDv-HA and everything work like a charm.

One thing I have noticed. it is output of show network command on CLI of both FTDv
PRI\Active shows

> show network
===============[ System Information ]===============
Hostname : firepower

---
And Secondary\Standby

> show network

===============[ System Information ]===============
Hostname : FTDv
Domains : netcompz.org

different hostnames and...for the Standby...show Domains, but Primary does not show up...

all the rest output is OK.

how to change hostnames and Domains settings?

On GUI, see attached, names are OK.

Re: FTDv-HA different setttings

Rob Ingram — Mon, 16 Mar 2026 11:56:27 GMT

@s_SiD_s from the CLI of each FTD use the "configure network" command to change the settings. https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp3524022327

Re: FTDv-HA different setttings

s_SiD_s — Mon, 16 Mar 2026 12:26:10 GMT

Great! Thanks!
If you don't mind, I will ask more couple of quiestions)

1. does hostname will be resolved to ftdv1.netcompz.org
and ftdv2.netcompz.org

if we add A and reverse records ro internal DNS server? Or better take names form GUI?

or better to make same names in GUI and CLI?

2. Cannot find information about this string in show network comand. FTDv-Pri has it disabled and FTDv-Sec - enabled.

DNS from router : disabled

Re: FTDv-HA different setttings

Rob Ingram — Mon, 16 Mar 2026 12:36:49 GMT

@s_SiD_s if you add the approprirate entries in your DNS servers, then yes the hostname would be resolved. You just need a friendly/memorable name to resolve in DNS, whether thats the hostname in the CLI or GUI. The names don't necessarily need to be the same name in the CLI and GUI.

Is DNS statically configured on one FTD and not the other?

Re: FTDv-HA different setttings

s_SiD_s — Mon, 16 Mar 2026 13:32:35 GMT

As I remember, both configured statically, as an ip addresses

configure network dns servers

i also notied that there is no static route on FTDv2
like on FTDv1. Interesting, what did I miss... during deploy

Re: FTDv-HA different setttings

s_SiD_s — Mon, 16 Mar 2026 13:45:10 GMT

configure network static-routes ipv4 add management1 10.201.0.0 255.255.0.0 10.201.213.254

by this command I can add static route to FTDv2

as FTDv1
> ping cisco.com
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 72.163.4.185, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 150/154/160 ms
>

and FTDv2

> ping cisco.com
Please use 'CTRL+C' to cancel/abort...

ping cisco.com
^
ERROR: % Invalid Hostname
>

Re: FTDv-HA different setttings

Rob Ingram — Mon, 16 Mar 2026 13:46:07 GMT

@s_SiD_s yes, you shouldn't need a static if you have the default route configured. That static route applies to the mgmt interface not data interfaces.

Re: FTDv-HA different setttings

s_SiD_s — Mon, 16 Mar 2026 13:55:53 GMT

Yes, for mgmg if not accessable for some reason as I have read.
So. FTDv2 cannot resolve

> ping cisco.com Please use 'CTRL+C' to cancel/abort... ping cisco.com ^ ERROR: % Invalid Hostname

but DNS is configured...

also no ping working

> ping 8.8.8.8 Please use 'CTRL+C' to cancel/abort... Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: ????? Success rate is 0 percent (0/5) >

I think this due to FTDv2 does not has IPs configured...no OUTSIDE, no INSIDE ip addresses.
I have read that it is not neccesary as after Pri dies, config migrates to second node, with same IP interfaces setting

Re: FTDv-HA different setttings

Rob Ingram — Mon, 16 Mar 2026 13:56:58 GMT

@s_SiD_s use "ping system cisco.com" which will ping from the mgmt interface.

Re: FTDv-HA different setttings

s_SiD_s — Mon, 16 Mar 2026 14:05:43 GMT

> ping system cisco.com PING cisco.com (72.163.4.185) 56(84) bytes of data. 64 bytes from redirect-ns.cisco.com (72.163.4.185): icmp_seq=1 ttl=49 time=154 ms 64 bytes from redirect-ns.cisco.com (72.163.4.185): icmp_seq=2 ttl=49 time=153 ms 64 bytes from redirect-ns.cisco.com (72.163.4.185): icmp_seq=3 ttl=49 time=153 ms ^C --- cisco.com ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2001ms rtt min/avg/max/mdev = 153.314/153.583/154.024/0.314 ms

good)

1 question\setting still remains....

DNS from router : enabled

where this has been be configured... O_o

Re: FTDv-HA different setttings

s_SiD_s — Tue, 17 Mar 2026 11:49:41 GMT

I have tested HA by disconnecting OUTSIDE interface on ESXI vm properties.
Failover failed...we forgot to add FTDV2 inside interface to allowed vlan on cisco switch...
but now no errors I see before test HA again and found errors.

So before testing HA need to resolve this issue.

ip addresess PING-able
NAT is working. no health issues.

may be reboot both FTDv? in which order if so?

Re: FTDv-HA different setttings

s_SiD_s — Tue, 17 Mar 2026 12:51:25 GMT

logs on Graylog...
all interfaces UP and connected.
Checked everywhere.

Re: FTDv-HA different setttings

s_SiD_s — Wed, 18 Mar 2026 10:11:16 GMT

I have rebooted both FTDv and all seems to be OK.

test HA was as Pro server went to reload, monitoring intefaces not good as they are ALWAYS in UP state in dSwitch ESXi
one thing to sort out....how auto switch back to Primary FTDv...
i see everything is "green" on dashboard...