Firepower Behaviour When Management Center is Down

Garry S
Level 1

Hello,

Over the past couple of months I've had a couple of incidents, once where the FMC was down for a RAM upgrade and another where it lost Internet access.

On both occasions, we lost the ability to browse most websites (we use Firepower as a basic web filter.)

I assume this is to do with the caching of category or reputation results, so if the FMC is down, the sensor does not allow access.

On both occasions, there was no indicator as to what the problem was. During the second incident, the web requests were 'allowed' according to the FMC, but dropped by SFR according to the ASA logs.

What is the correct behaviour in the above scenarios and is there a way for the sensor to fail-open if the FMC stops working correctly? Adding 'fail-open' to the ASA policy only affects sensor failure, but it appears that the sensors are reliant on a working FMC.

Is the only solution to go HA on the FMCs and is it still true that we cannot combine a physical FS1500 with a virtual FMC?

Thanks for your help.

4 Replies

Marvin Rhoads
Hall of Fame

A Firepower sensor - whether an ASA module, physical appliance or VM - can enforce policy and continue to operate when its connection to the managing FMC is lost.

I'd recommend opening a TAC case to determine why yours isn't appearing to operate properly. I have deployed a couple dozen of these and they all work just fine while FMC is offline. The only lost functionality would be policy updates and, if the outage is extended, possible loss of historical event logs once the local storage is full.

Hi Marvin - thanks for your reply. Your response is exactly what I expected and describes the same behaviour I've experienced when I've implemented Firepower previously.

I don't believe I've ever implemented web filtering using Firepower though (just blocking URLs based on category.) It makes sense to me that the URL/category database is way too large to be cached so an online lookup needs to take place. That's fine. I'd just expect there to be an alert or other log entry when an online URL lookup fails.

I may well raise a TAC case as you suggest, just to get Cisco's official take.

Dear @Marvin Rhoads 
I have a question
We have a situation in our infrastructure. Our engineer would like to access an offline server located in the DMZ, but this traffic is shown as blocked by the Cisco Firepower connection event logs, as deployed in our Internet Edge. However, we created an Access Control Policy to allow traffic destined to that server from the Internet. We also created a static NAT for that.

My question is:
Does Firepower show a block connection event when the destination machine, located in the DMZ, is offline?

I need your urgent reply please!

Whether a connection is blocked or not has no dependency on the target host being online or not. It will evaluate the ACP rules based on their order in the policy and make a decision based solely on that.

You can validate using the packet-tracer command from the sensor cli or Advanced Troubleshooting section of the FMC GUI.
