Disable interface status alerts on the passive FTD in a failover pair

Chess Norris
Level 4

Hello,

We have two FTD 4112 in a failover pair and we receive lots of interface alerts from the passive device. This is of course expected, but I want to disable those alerts, but only on the passive unit. Is this possible? I created a separate health policy for the secondary FTD, but it seems like I cannot assign a different health policy to a device in a failover pair.

Thanks

/Chess

13 Replies

Yes, that can be done from the health policy. I can't remember the exact option that should be used and I don't have access to an FTP build at the moment, sorry. However, one downside of this is that when a failover happens where the active device is now the secondary, and say something happens to that interface that you disabled the alerts for, you won't be aware of that failure/issue. So my recommendation would be to keep those alerts on to allow you visibility in case the interface should fail if the secondary device should become active.

Thanks. Yes, that is a downside: we risk losing interface alerts if the secondary unit becomes active. However, we should then start getting interface alerts from the primary device instead, and that should tell us that something has happened with the primary device. Anyway, I can't figure out how to select only the secondary device and assign it to a different health policy than the primary device is using. I've attached a picture with the policy I want to assign to the secondary device, but if I select the secondary device, it will automatically select the primary device as well. This is probably because it's a failover pair, but is there another way to have different health policies assigned to two devices in a failover pair?

Skärmklipp.JPG

/Chess

I logged into one of my builds and here is how I had done that. I duplicated the health policy, turned off the "Interface Status" alerts, and then applied this new health policy to the secondary device only. When you click on the apply button (the first from left on the far right next to the policy name), it will allow you to select which device you want to apply the policy to. You don't have to select the HA pair; you can select the device individually.

However, as mentioned before, by doing this you will need to turn the "Interface Status" alerts back on if the secondary device should become active. Because this specific policy with the "Interface Status" alerts turned off is applied to that secondary device, when that device becomes active the "Interface Status" alerts won't be generated. You would also need to turn the "Interface Status" alerts off on the new passive device (old primary).

That's exactly how I've done it. However, I cannot select a single device. If I select only the passive firewall, the active one will be automatically selected as well.

/Chess

Mmm, honestly I can't remember if I had to break the failover HA temporarily to apply that change or not, but now that you say this it makes me feel that I had to break the HA to do it.

Chess Norris
Level 4

Reading the comments on this blog - https://www.lammle.com/post/health-policy-status-cisco-fmc-always-critical/ - a suggested workaround is to use the blacklist/exclude option instead. If I use that, I can choose to select only the passive device in the H/A pair, but for some reason the interface status option is not selectable. (See picture)

Skärmklipp.JPG

I must have done that through the exclude list then :). Tomorrow I'll try to log into one of my customers' builds where I know I have applied that alert suppression, and if it is done differently than using the exclude list I'll post back here.

Chess, actually I had done that through the blacklist/exclude feature. In fact, I also created a post on my blog more than two years ago to show how to do it :). Sorry I couldn't remember this before, I must be getting older :). Here is the post link; please look at the "Blacklist Interface Status alerts on FTDv-03 appliance" section, which shows you the exact steps:

FMC Health Monitor Blacklist | Blue Network Security (bluenetsec.com)

I'm not able to exclude interface status alerts (that option is greyed out). Any idea why?

Skärmklipp.JPG

Thanks

/Chess

What version are you running on those devices? The behaviour might have changed compared to the 6.x release. I think the reason why you see that option greyed out is because you are trying to edit the health policy that is applied to both firewalls without excluding any device from that policy. Did you select the passive device and click on "Exclude Selected Devices" and still see that option greyed out?

It's version 7.0.1 on both the FMC and FTD. Both devices in the H/A pair are using the same health policy (it's not possible to use separate ones). Here's what I tried: I went to System->Health->Exclude, marked only the secondary/passive appliance and then pushed the "exclude selected device" button. After that, I can exclude most alert types, but not all. Interface status is one of the alerts I cannot choose to exclude.

Chess Norris
Level 4

I can see interface alerts from only a few of the interfaces on the passive device. I am not sure why the alerts get triggered on only those specific interfaces. When I check the events, there is actually traffic on all interfaces.

Skärmklipp.JPG
Chess Norris
Level 4

I discovered that the option to exclude health modules on the secondary device is available in 7.2. We can now even select individual interfaces to exclude, which is great because we only want to exclude the interfaces that are missing a secondary IP address.

Skärmklipp.JPG