topic Cisco Source Fire HA pair in Network Security

Cisco Source Fire HA pair

alex.vue — Tue, 12 Mar 2019 07:30:42 GMT

Hi all,

I have a question in regards to the Cisco SourceFire. I have a pair of ASA5525x setup for HA. My question is does the SourceFire work as a HA pair or do they operate individually? So far it looks as they are operate individually.

Thanks for your help in advance.

-Alex

Individually.

Marvin Rhoads — Fri, 18 Mar 2016 01:07:53 GMT

Individually.

The FirePOWER modules share neither configuration nor connection state on their own. That's in contrast to the base ASAs which share both.

If you use FirePOWER Management Center, you can build policies once and deploy to them both (or as many as you have in your network). State remains per module.

Thank you Marvin for your

alex.vue — Fri, 18 Mar 2016 15:38:46 GMT

Thank you Marvin for your clarification.

As for the management Center (FireSight), I don't see any documentation on HA. Does it not have HA capability? I ask because NCS (Cisco Prime) has the HA capability.

Thanks in advance.

Alex

FirePOWER Management Center

Marvin Rhoads — Fri, 18 Mar 2016 17:51:59 GMT

FirePOWER Management Center high availability (HA) pairing requires like/like hardware and this can only be verified on hardware appliances and not virtual.

As for HA pairing, when FireSIGHT Managers are paired all configuration data is automatically replicated between them, ensuring redundancy from a management perspective. This high-availability or redundancy feature helps ensure continuity of operations. The secondary Cisco FireSIGHT Management Center must be the same model as the primary appliance.

Here is the User Guide section on setting up HA:

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Managing-Devices.html#pgfId-7819313

Thanks again Marvin.

alex.vue — Fri, 18 Mar 2016 17:55:47 GMT

Thanks again Marvin.

Marvin,

alex.vue — Fri, 18 Mar 2016 22:59:40 GMT

Marvin,

I still have my 2 ASAs in the lab along with the FireSight management. I'm afraid to register my FireSight management. My question is if I registered the FireSight management license in my lab, will it be a problem when I bring it into production? What is the best option as far as moving the FireSight into production? Re-deploy the downloaded OVF from Cisco or captured the LAB OS and re-deploy in production? By the way, I am using VMware.

Thanks

@alex.vue@DOC ,

Marvin Rhoads — Sun, 20 Mar 2016 23:30:26 GMT

[@alex.vue@DOC] ,

Re the lab-production question, I wouldn't say there's any one answer that's right for every situation.

The license key that a given FireSIGHT / FirePOWER Management Center uses is derived from a combination of the model type and the VM's MAC address. So if you snapshot or vMotion the VM onto another ESXi host, the MAC address (and thus the license key) generally will transfer with it.

I'm not a VMware expert by any stretch but I know that an ESXi server dynamically generates MAC addresses for its VMs when they're created. If you import them as a fait accompli I believe it lets the MAC address stand as long as there's no conflict with one it already has allocated to another VM.

What license are you using in the lab? You have to have a Management Center license active in order to deploy policies. If you don't have one redeemed yet then it's a moot point. Since the Management Center license is perpetual it is no harm to redeem it as soon as you are ready to use it - in lab or production. If worse came to worse and you blew it up somehow, you could always request it be rehosted by the Cisco licensing team. They're generally OK with that if it's for a legitimate reason.

Marvin,

alex.vue — Mon, 21 Mar 2016 17:28:37 GMT

Marvin,

First of all, thanks for taking your time to reply on this matter.

I dug through Cisco Guide and documentation and found this:

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/virtual-install-guide/FireSIGHT-Virtual-Installation-Guide/V-Intro.html#97125

Guidelines and Limitations

The following limitations exist when deploying virtual Defense Center or devices on VMware:

vMotion is not supported.
Cloning a virtual machine is not supported.
Restoring a virtual machine with a snapshot is not supported.
Restoring a backup is not supported.

So I guess there is no HA capability available for virtual?

Will the configured policies stay on the ASA even if the FireSIGHT virtual appliance fail?

My assumption is FireSIGHT is similar to Cisco Prime Infrastructure where it pushes configs to the managed device?

Thanks,

Alex

They are a bit paranoid about

Marvin Rhoads — Mon, 21 Mar 2016 21:27:35 GMT

They are a bit paranoid about the vMotion/cloning/snapshot issues. I expect that will change going forward but you're correct in citing that as the current official line.

With respect to policies - yes - if the management Center goes away or offline or is otherwise unreachable, all deployed policies remain in place and enforcing rules as configured on the managed devices. Events are stored locally on the sensor (up to its capacity) and then synced to the FMC once it is again reachable.