FirePower FailOver (ASA5545X)

macfrist38
Level 1

Hi All,

I have two ASA5545X with Firepower installed, and I also have a FireSight to manage both Firepower modules.

My ASAs are in Active/Standby config and I need the Firepower to do the same.

But when I run a failover test with my ASAs, FireSight does not switch from the primary Firepower to the secondary one.

Thanks for helping me solve the issue.

Regards

13 Replies

Marvin Rhoads
Hall of Fame

I'm not sure I understand exactly your issue. FireSIGHT runs externally from the FirePOWER modules. The modules should be part of a device group that has the same policies applied. Each module must be separately licensed and added as a managed device.

Whichever base ASA is Active will be redirecting traffic into its associated module. FireSIGHT Management Center doesn't care if one, the other or both are getting traffic - it will simply report the events and manage policies on both no matter which is seeing traffic from its ASA. It has no concept of switching from a primary to a secondary module.

Hi,

Sorry for the late response.

I have two ASA 5545X with Firepower and one FireSight FS750. The ASAs are configured as failover Active/Standby and I need the Firepower to do the same, but I don't see how to do that.

All the documents I can find just tell me that to do failover we have to use FireSight, but not how to do that.

Thanks for your answer.

If a FirePOWER module is active and licensed on a given ASA it will implement the configured policies and report back to its managing FireSIGHT.

The modules have no concept of Active / Standby - they will either see traffic or not on their data plane. If they do, they will inspect it.

You do need to add the modules as separate devices from FireSIGHT and license each one individually. You can put them in a device group so that they get synchronized policy updates.

I have two locally managed ASA 5508s in A/P failover configuration; the FPR is locally managed. How can I get the FPR on the failover machine?

You need to manage FirePOWER on the standby unit as if it were stand alone.

Set up the module (if it isn't already) and point ASDM at it. Then use the FirePOWER configuration functions in ASDM to replicate what you have on the primary unit.

It's not possible to get on the ASDM at the failover FW. Must I switch it to active?

You can use ASDM on the Secondary-Standby unit as long as you have both:

1. the ASDM image on it and

2. have defined the secondary IP addresses so that it can be reached using an address that's unique to the standby unit.

You don't configure any of the base ASA settings with that ASDM session but the FirePOWER module is OK to setup via that method if all you have is local management (i.e. no FirePOWER Manager).

Of course an ASDM image is on the secondary and the failover address is also defined. When I switch it to active I can get on it. The failover unit is not reachable by ASDM and vice versa. Maybe it could be a browser problem. I will try it with another.

It's not just the failover address you need.

When you set up an ASA HA pair you have the option of setting addresses for the standby unit to use on the production interfaces (e.g., inside, outside etc.). The configuration would look something like this:

interface gi0/1
nameif inside 
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2 

That last line with the "standby" keyword is the one you'd need on an interface that's permitted for http(s) (ASDM) access.
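As an added worked example (not from this thread or from Cisco's documentation): a constructed primary-unit configuration for an ASA Active/Standby pair showing the pieces the reply above depends on. Interface names, addresses and the admin subnet are assumed placeholders; failover replicates this config to the standby unit, and the standby addresses are what make that unit reachable in ASDM while it is still standby.

```text
! Constructed example (not from the thread). Primary unit of an ASA
! Active/Standby pair; failover copies this config to the standby unit.
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/7
failover key <failover-key-placeholder>
failover interface ip FAILOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
!
! The "standby" address gives the standby unit its own IP on this interface.
! Without it the standby unit is only reachable once it becomes active.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! ASDM/HTTPS access: enable the server and permit only the admin subnet
! on the interface that carries the standby address (never 0.0.0.0 0.0.0.0).
asdm image disk0:/<asdm-image-placeholder>.bin
http server enable
http 10.0.0.0 255.255.255.0 inside
!
! Send traffic to the FirePOWER (sfr) module. This policy is replicated by
! failover, but the module's own configuration (access control and IPS
! policies) is not: configure it on each unit via ASDM, or manage both
! modules from the Management Center and put them in a device group.
! fail-close drops traffic while the module is down; fail-open passes it
! uninspected. Choose deliberately.
class-map SFR_TRAFFIC
 match any
policy-map global_policy
 class SFR_TRAFFIC
  sfr fail-close
service-policy global_policy global
```

With this in place, ASDM pointed at 10.0.0.1 reaches whichever unit is active and ASDM pointed at 10.0.0.2 reaches the standby unit, so the standby unit's module can be configured without forcing a failover.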

That is exactly what I have done.

Hi Rhoads,

Same question here: when we are configuring the 5508-X with Firepower services in HA Active/Standby,

we will configure the primary and secondary firewall as normal ASAs.

Do we have to set up the Firepower configuration on the secondary firewall as well?

Or are just the failover commands enough on the secondary firewall?

Hi,

I have two failover 5508-X firewalls with identical licenses enabled. I would like to know how to create a group to synchronize the IPS settings.
