Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2146
Views
0
Helpful
6
Replies

Best Practice on FMC/FTD as Edge for Production and Backup datacenter

Go to solution
SIMMN
Spotlight
Spotlight

‎01-12-2021 05:45 AM

Let me first explain what I am looking for around this post Title.

 

Say I have a production datacenter using a pair of FTD (managed by local FMC) for Internet Edge security. Now I need to setup a second datacenter for failover/backup (not 100% DR) of critical services. I would deploy a new pair of FTD and local FMC for management in the second datacenter. From operation perspective, I would hope to have the two FMCs "duplicate" each other policy wise but the question is how should/would I keep the policies in-sync between the Prod FMC and FMC in second dc? Just manually configure the same policy twice?

 

I was also thinking about just use one FMC to manage both FTD pairs but there would be dependency between the two datacenters OR single point of failure (from management/operation perspective)...

 

Advise? 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-12-2021 06:05 AM - edited ‎01-12-2021 06:13 AM

Hi @SIMMN 

I couple of options I can think of. You could use RESTAPI to import the same settings into both FMCs, or you are not familar with APIs in 6.7 you can import or export objects, so you could import into prod then export and import to DR FMC. Alternatively in CDO you can manage an FMC to an extent, it's possible you could mange both FMCs and share the same objects/configuration between the two.

 

If you used 1 FMC, the FTD's would still operate without comunication to the FMC, you'd obviously not be able to log traffic and you'd not be able to do any cloud lookups (AMP).

 

HTH

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎01-12-2021 06:05 AM - edited ‎01-12-2021 06:13 AM

Hi @SIMMN 

I couple of options I can think of. You could use RESTAPI to import the same settings into both FMCs, or you are not familar with APIs in 6.7 you can import or export objects, so you could import into prod then export and import to DR FMC. Alternatively in CDO you can manage an FMC to an extent, it's possible you could mange both FMCs and share the same objects/configuration between the two.

 

If you used 1 FMC, the FTD's would still operate without comunication to the FMC, you'd obviously not be able to log traffic and you'd not be able to do any cloud lookups (AMP).

 

HTH

0 Helpful

Go to solution
SIMMN
Spotlight
Spotlight
In response to Rob Ingram

‎01-12-2021 06:44 AM

"import or export objects" approach was considered but wonder how big of difference between this and manually configure twice assuming there would be frequent changes in FMC policy/object wise.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to SIMMN

‎01-12-2021 12:23 PM - edited ‎01-12-2021 12:24 PM

I am curious how you would route the public IPs between the two sites so that users can access services that are published to the internet? The ISP would need to be involved to provide some kind of failover for this, or you would need to update global DNS entries.

In any case, Have you considered moving the standby FTD to the backup DC an also place a standby FMC at the backup DC site...(assuming there is L2 connectivity between the two.)

That way if primary DC goes down then there will be automatic failover of both FMC and FTD.  Or is there a policy or situation that is preventing you from doing this?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
SIMMN
Spotlight
Spotlight
In response to Marius Gunnerud

‎01-13-2021 04:55 AM

Regarding the Live applications/services, I should be more specific. Mostly it would the Anyconnect VPN and at this moment there would not be any other app/service published to Internet while running live in this backup DC.

 

Regarding your point about how to route the internet inbound traffic, the only way would be DNS LB or some sort...

 

I prefer not to move the existing secondary FTD into new DC as there might be a chance this new DC would become some level of DR down the road...

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to SIMMN

‎01-13-2021 01:17 PM

Then I would agree with Rob that the best option would be to create an API script that synchronizes the configuration on the active FMC to DC 2 FMC.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
SIMMN
Spotlight
Spotlight
In response to Rob Ingram

‎04-01-2021 06:37 AM

Wonder if there would be any sample RESTAPI that I potentially could reference to make my own replication/synchronization script...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card