Solved: Deploy Firepowr 2140 as IPS-Only Mode in HA

Ramkumar1988 · ‎10-06-2018

Is there way to configure the Firepower 2100 as NGIPS in HA. We need to deploy FPR 2140 without making any routing changes in adjacent devices.

I can see the options only for Routed/Transparent Mode .

Marvin Rhoads · ‎10-09-2018

Correct the data plane interfaces don't have IP addresses in your use case.

The failover interfaces can be thought of as control plane. They will send heartbeats and other status along with configuration synchronization between the two appliances.

View solution in original post

Marius Gunnerud · ‎10-06-2018

Have a look at this link for HA configuration for NGIPS firewalls.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html

--
Please remember to select a correct answer and rate helpful posts

Ramkumar1988 · ‎10-06-2018

Thanks for the update . Am looking for 2140 as IPS-only to introduce in Network with HA

Marius Gunnerud · ‎10-06-2018

The document is for FTD 9000 series but the configuration remains the same for 2140 also.

Here is a link for HA for FTD4100 but as mentioned configuration is the same for 2140.

https://finkotek.com/cisco-4100-firepower-threat-defense-deploying-activestandby/

--
Please remember to select a correct answer and rate helpful posts

prabakar1988 · ‎10-07-2018

Thanks Again ... Its explains about the HA part and am still looking for the options to enable IPS-Only Mode

Marvin Rhoads · ‎10-08-2018

What you are asking about is referred to as an inline pair transparent mode deployment.

Please see the following references for implementation details:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/hw/firepower_device/firepower_7k8k_device/deployment.html#pgfId-1098121

Ramkumar1988 · ‎10-08-2018

Hi Marvin,
Yes .. exactly . This is what i am looking for .Also i worked in 8300 IPS where i am gonna configure the same features in 2100 . Thanks a lot for your response. Is there difference enabling the Inline Mode in Routed/Transparent mode. I guess both Modes will not require any adjacent device configuration . Any specific reason to choose Transparent .

Also HA will be work like a FTD (since we are going to use it only for IPS)

Marvin Rhoads · ‎10-08-2018

The overall firewall can be routed or transparent.

Either way, as noted in the first link I provided: "When you configure an Inline Pair 2 Physical interfaces are internally bridged."

You're correct - they essentially act as a "bump in the wire" with IPS functionality.

Ramkumar1988 · ‎10-08-2018

Thanks again Marvin! Is there any befit by configuring HA as I am going to use full IPS features set .

Marvin Rhoads · ‎10-08-2018

Well HA gives you just that - High Availability.

As of right now we don't have the option of Fail-To-Wire (FTW) interfaces on the 2100 series. So if the single unit fails, your traffic through it will be blocked.

Ramkumar1988 · ‎10-08-2018

Data sheet for 2100 depicts that there is a FTW network module available for this platform . I am checking with Cisco to identify the appropriate modules.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/datasheet-c78-736661.html

Also We will be deploying the Inline mode and will HA really help(will it be monitor the interface modules to initiate the failover ) . I assume we dont need any sync interface between the Pair (as its a NGIPS) and kind of lan based failover.

Marvin Rhoads · ‎10-09-2018

They did announce the FTW interfaces for the Firepower 2100 series but I don't believe they are shipping yet. I just checked the Cisco ordering tool and they don't show up as available in a Firepower 2140 NGFW configuration.

Building an HA pair will still require a failover link between the two appliances.

Ramkumar1988 · ‎10-09-2018

Might be ! I couldn't see any FTW module from FXOS cli..also The failover will be in LINA engine ?

Basically the device data interface will not have any IP address assignment and will be able to monitor/initiate failover ?

Marvin Rhoads · ‎10-09-2018

Correct the data plane interfaces don't have IP addresses in your use case.

The failover interfaces can be thought of as control plane. They will send heartbeats and other status along with configuration synchronization between the two appliances.

Ramkumar1988 · ‎10-14-2018

Thanks Marvin .. I am sorry for the delayed Response ...