11-26-2023 06:54 AM - edited 11-26-2023 06:56 AM
Hi guys
I got a couple of inquiries regarding security devices : FPR1150, ASA5525, ASA 9.16 software, FTD software.
- On ASA 9.2, how to remove failover information on the hostname ? Example : gain back ciscoasa# from ciscoasa/pri/actNoFailover#
- FPR-1K Cluster support
- I am migrating a ASA-5525 to FPR-1K both running ASA image. I am aiming to minimize design changes, therefore considering cluster on FPR-1K just like ASA-5525. With Cluster I will have a single virtual device but with HA I will have to make a new IP planning on 2 separate devices and enable failover. From this datasheet, it looks like FPR 1k does not work with Cluster ? https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html Can someone confirm this ? I have to choose between HA (FO and STATE interfaces) and Cluster. ASA-5525 are in cluster. I encounter these errors on FPR-1150, any ideas on how to solve them ?
ciscoasa(config)# cluster group CLUSTER1
ERROR: cluster interface-mode is required to be spanned or individual mode before cluster bootstrap configuration.
ciscoasa(config)# cluster interface-mode spanned
ERROR: Cluster interface-mode can only be changed from the chassis
ciscoasa(config)# sh version | i Hardware|Appliance
Cisco Adaptive Security Appliance Software Version 9.16(2)3
Hardware: FPR-1150, 28740 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (16 cores)
ciscoasa(config)#
- Additionnally, there seems to also be an option to go with the FTD software for the Cluster formation (same datasheet) ... So setup with the local device manager GUI, the old firewalls don't have a lot of ACLs/policies so i think that going from ASA -> FTD can be simple. What are your thoughts on this ?
Thank you ...
11-26-2023 07:06 AM
@Nabari94 you can use the prompt hostname command to change the CLI display.
The ASA guides confirms only the Firepower 3100, 4100 and 9300 hardware supports clustering, not the 1000 or 2100 series hardware. https://www.cisco.com/c/en/us/td/docs/security/asa/asa918/configuration/general/asa-918-general-config.html
If using the FTD image, the Local Device Manager (FDM) does not support clustering regardless of whether the hardware does, you'd require the FMC to manage the FTD.
11-27-2023 08:42 AM
Thanks a lot @Rob Ingram , this is clear... About the FTD image, is there an alternative to go without FMC.
I mean, Firepower 1000 series supports Clustering (Datasheet). Can we go with CLI ? https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp2670545146
Thanks,
Aristide
11-27-2023 09:04 AM
@Nabari94 if using the FTD image you can manage locally via FDM, on-premise using FMC or in the cloud using CDO or cdFMC. Only FMC can manage an FTD cluster assuming the hardware supports clustering. The FPR 1000 series datasheet does not confirm the hardware supports clustering.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide