Cisco SFR Module HA addressing

Matthew
Level 1

I will be implementing a Sourcefire solution within the next couple of weeks and am familiar with the install process on single devices. However, I will be installing the module on an Active/Standby pair. Will each box or SFR installation require its own unique IP address? I am assuming yes, since FireSIGHT will have to manage them separately to maintain duplicate configurations, but wanted to verify that is the case.

12 Replies

Marvin Rhoads
Hall of Fame

Yes - separate management addresses. They are separate devices in FireSIGHT Management Center, each requiring its own licenses.

We typically put them in a device group in FireSIGHT for ease of management. On their own, they know nothing about each other and share no configuration or flow states.

Thanks, could you also provide insight into the upgrade path and licensing? For example, I will be installing 5.4.0; could I apply a 5.4.1.3 upgrade without incremental upgrades? Does licensing between 5.3 and 5.4 differ? And finally, would simply setting my SFR policy on the firewall to "sfr fail-open" allow traffic to still flow during these upgrades?

You're welcome Matthew.

You can move directly from 5.4.0 to 5.4.1.3.

There's no licensing difference between 5.3 and 5.4.

The fail-open policy will allow traffic to continue flowing. If it's an HA pair though, typically (unless you have overridden the default behavior) a service module failure (due to upgrade or any other reason) will trigger a failover event and thus ensure that you not only have uninterrupted traffic flow but also continuous IPS protection.

That would be the case when upgrading the image on the SFR module itself, but in the case of upgrading the FireSIGHT Defense Center, would the primary firewall still fail over? And if so, wouldn't the standby firewall then see its module as failed as well, which would make fail-open or passive mode the only option during that upgrade time frame to allow traffic flow to continue?

Upgrading Defense Center / FireSIGHT Management Center has no effect on the managed sensors. They will store all events locally until communications with the managing server are restored at which point they will update and resynchronize their locally stored records to the management server.

All policies will remain in effect and, in the case of FirePOWER service modules on ASAs, they will not go offline and thus traffic will flow uninterrupted (independent of the service-policy settings on the ASA or lack thereof) with all access control inspection etc. policies enforced.

Perfect, and thanks for the clarification. The documentation does not go too far into how an HA pair is impacted, and I don't have a pair of NGFWs or licensing for testing. I'm looking forward to getting more hands-on with it over the next few days.

Hi, please help me with this.

Do I need to configure an enterprise network IP address (from the currently running network) during the installation of the SFR module on an ASA 5500-X, or can we install the SFR image (system install Http://<HTTP_SERVER>/asasfr-sys-6.4.0-102.pkg) with the default IP address?

When you are doing a system install of the SFR module, you are required to choose an address during the setup phase that precedes system install. You must configure an address for the module so that it can reach the location where the pkg file is located.

Hi Marvin,

Please clarify this for me.

I have purchased SSD modules for an HA pair of ASA 5500-X. The devices are already in an HA pair, and I will implement an SFR module. I would like to know if any downtime is required to achieve this activity. If yes, how many hours of downtime are required? I should also clarify how many reboots are required.

If you have the ASAs in an Active-Standby HA pair then you can perform the entire upgrade with zero downtime. Two reboots are required (one per ASA).

You can insert the new SSDs into the units while they are running:

https://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_procs.html#63882

...but you should reload a unit to ensure the inventory is properly recognized and power on self-test (POST) process completes correctly.

So, start with your unit currently in the standby role. Insert the SSD and reload (reboot #1). Confirm the drive is healthy and recognized ("show inventory").

Then make that unit take over the active role ("failover active"). Failover does not cause downtime.

On the newly standby unit repeat the installation and reload process (reboot #2).

Next, image and install the SFR module on both units. I'd suggest imaging them with Firepower 6.6 (assuming you can run that on your FMC as well - if it's an FMCv it will require 28 GB of RAM, up from the previous 8 GB minimum).

Register both units to FMC and put them in a group so their policy is always in sync. Sync them with FMC and each other by deploying a basic policy (no ACP rules to start, balanced security and connectivity (with event logging) default).

Finally modify your ASA class-map, policy-map and service policy to direct traffic through the modules. Verify you are seeing connection events in FMC.
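To tie together the earlier fail-open question and the step-by-step procedure above, here is an annotated ASA CLI sequence for one unit of the pair. It is an added illustration written for this thread, not configuration posted by any participant or taken from Cisco documentation; the hostnames, the HTTP server, the FMC address and the registration key are placeholders, the image filenames are the ones quoted later in the thread, and the command syntax is the ASA 9.x CLI as I know it, so check it against the release notes for the version you run.

```cisco
! --- Step 1: standby unit first. After inserting the SSD and reloading,
!     confirm the drive is present before going further.
ciscoasa# show inventory

! --- Step 2: move the active role to the unit you just finished.
!     Failover itself is not an outage; the other unit keeps forwarding.
ciscoasa# failover active

! --- Step 3: image the SFR module (repeat on each unit, one at a time).
!     The boot image was copied to disk0: beforehand.
ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.4.0-1.img
ciscoasa# sw-module module sfr recover boot
! Wait a few minutes, then attach to the module console (escape: Ctrl-Shift-6, x).
ciscoasa# session sfr console
! 'setup' asks for the module's own management IP, mask, gateway and DNS.
! That address is mandatory here: the boot image fetches the system package
! over HTTP, so it needs a reachable address on your network, not a default one.
asasfr-boot> setup
asasfr-boot> system install noconfirm http://<HTTP_SERVER>/asasfr-sys-6.4.0-102.pkg
! Once the system package is running, register this module to the FMC.
! Each module is a separate managed device with its own address and registration.
> configure manager add <FMC_IP> <REGISTRATION_KEY>

! --- Step 4: after both modules are registered and grouped in FMC, and a
!     basic policy has been deployed, redirect traffic on the ASA. This part is
!     ASA configuration, so failover replicates it to the standby unit.
ciscoasa(config)# class-map sfr-inspect
ciscoasa(config-cmap)# match any
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr-inspect
! Pick the failure behaviour deliberately:
!   sfr fail-open              module down -> traffic passes uninspected (availability first)
!   sfr fail-close             module down -> matching traffic is dropped (inspection first)
!   sfr fail-open monitor-only passive, IDS-style: module sees traffic, never blocks
! With an HA pair, fail-close is the safer default: a module failure on the active
! unit triggers failover to the unit whose module is healthy, so inspection
! continues. Only image both modules at once if you have accepted fail-open.
ciscoasa(config-pmap-c)# sfr fail-close
ciscoasa(config)# service-policy global_policy global
! Module health is part of failover monitoring by default. The override referred
! to above is turning that off; leave it on unless you have a reason not to.
ciscoasa(config)# failover
ciscoasa(config)# monitor-interface service-module

! --- Step 5: verify on each unit before declaring the change done.
! Module status should be Up and show the FMC as its manager.
ciscoasa# show module sfr details
! Packet counters on the sfr class should be increasing.
ciscoasa# show service-policy sfr
! Both units Ready, and the module state reported for each.
ciscoasa# show failover
```

The order matters for the availability question raised earlier: with fail-close configured, imaging one module at a time while the other unit is active keeps both traffic flow and inspection up, whereas imaging both at once (or an FMC-only upgrade, which does not touch the modules at all) behaves very differently, as the replies above explain.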


Hi Marvin,
I want one more clarification: can I install the images below, or do I need to follow an upgrade path?

FW-1# show version (current running firewall)

Cisco Adaptive Security Appliance Software Version 9.8(4)10
Firepower Extensible Operating System Version 2.2(2.121)
Device Manager Version 7.9(1)

Can we configure the images below along with the above ASA version?
asasfr-sys-6.4.0-102.pkg
asasfr-5500x-boot-6.4.0-1.img

You should upgrade your ASDM to 7.12(1) or greater, although it's not strictly required if you are managing the module with FMC.

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_60529

If you are managing with FMC, then the FMC version must be 6.4.0 or greater.

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_7CC9392196754AD38B5250A9183027C8
