Re: ASA with FirePOWER

ynrrtr · ‎07-14-2018

Hi guys,

I need a information about asa with firepower. One customer has a two asa and two firepower works in a different location . they want to do HA. İs that possible do that. Or What is the possible option to do ha for example 2 asa ha with one firepower, 2 asa ha with no firepower.

can you guys give information about my question ?

Marvin Rhoads · ‎07-14-2018

To build an ASA HA pair, any installed service modules (e.g., Firepower service module) must be matching.

They can be in different locations but this is seldom seen due to the requirements of extending Layer 2 connectivity between locations which is not usually a good idea.

Also, while the base ASA configurations will synchronize, the Firepower configurations will not. So we usually recommend using Firepower Management Center (FMC) so that you can have a central point of policy definition and deploy if from there.

ynrrtr · ‎07-15-2018

Hı marvin,

End of the day , customer wants to be 2 asa with together in a one place. They have FMC too. they are all service module matching.

It ıs important to use ASA. My idea is ı can do asa with failover and one FMC , is that possible. Or I will shut firepower in asa and only use asa with failover.

Marvin Rhoads · ‎07-15-2018

Sure - the ASA HA pair can run fine with active Firepower service modules.

The ASA high availability configuration is independent from any configuration of the Firepower modules. All that ASA HA cares about is the fact that the service module types are the same and that they are up/up.

A single FMC can manage multiple Firepower modules (assuming it is licensed to do so) and they can be grouped together to keep their configs in sync when deploying changes.

ynrrtr · ‎07-15-2018

Thank you for your help. So I understand that I can do ASA with ha and also ı can add two asa in FMC . I can config both via using FMC.

Marvin Rhoads · ‎07-16-2018

FMC can manage both Firepower modules.

FMC does not manage the ASAs themselves at all.