10-15-2015 03:46 PM - edited 03-10-2019 06:28 AM
Hello all. It is my understanding that the FMC virtual appliances do not offer HA synchronization. If we have 2 virtual appliances, 1 in a production and 1 in a DR data center, how do we configure these? Would we have to manage them separately? Can the same sensors be registered to 2 different FMCs? Is this advisable in this scenario considering that both FMCs may have different configurations? Or are we just restricted to 1 FMC in the virtual appliance scenario?
Thanks,
10-15-2015 09:30 PM
You are restricted to one FMC in the virtual appliance scenario (as of the current software 5.4.x).
vMotion the VM if you need to fail over to the second data center.
03-09-2016 02:54 AM
Hi Marvin,
Bringing up a little bit old subject here, but I find it relevant to my question.
My guess is nothing much has changed with FMC 6.0 and there is still no built-in HA for virtual FMC, but regarding vMotion I found the 5.4.1 deployment guide: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/virtual-install-guide/FireSIGHT-Virtual-Installation-Guide.pdf
Quote:
The following limitations exist when deploying virtual Defense Center or devices on VMware:
As my understanding goes, vMotion is not supported as a solution. Can you please comment on whether this has changed in 6.0? What would be the suggested way to get some kind of HA for FMC?
Thanks!
07-10-2017 06:10 AM
I have just come across this thread.
Is high availability not supported within a VM, or can a VM FMC not manage two physical firewalls in VM mode?
07-10-2017 08:43 AM
The original question was about HA of the FMC itself. That is not supported with the VM FMC form factor.
An FMC can manage multiple physical firewalls up to the limit of its license. (They are licensed in 2-, 10- and 25-unit tiers.)
07-10-2017 09:10 AM
Many thanks. So in a way, unless one buys the hardware, there is no HA with VMware FMC?
07-10-2017 09:25 AM
You're welcome.
That's correct. You should make sure to take regular backups and have the backup location be remote (i.e. to an ftp, scp or smb destination).
Best practice is to schedule weekly backup jobs (along with rule, VDB and geolocation updates).
07-11-2017 04:27 AM
Would it be possible to manage them using two FMCs, or not?
I guess the answer is no, but I am curious, as that will mean that unless you have a hardware FMC you can't really have any FMC HA/failover.
07-11-2017 04:41 AM
No - you cannot manage a given sensor with more than one FMC.
In my 30+ years of IT experience I have never seen an application-level clustering or failover system that was more benefit than trouble. (I'm not talking about scale-out web type applications with application delivery controllers fronting them.)
It's my general assertion that a well-managed single application instance is more highly available and reliable when you're talking about anything that's designed as a monolithic application.
Rather than lose cycles worrying over FMC's HA or lack thereof I would counsel spending that time on operational processes and remediation of identified security issues.
08-15-2017 01:21 PM
I have a similar question. Trying to upgrade from 5.4.1 to 6.1. I understand that I need to go 5.4.1 > 6.0.0 > 6.0.1 > 6.1, which supports HA. My environment is 2x5516X Active/Standby with the FMC virtualized and the two sensors in ASAs. As I understand it, I need to break HA to upgrade. The guides I'm following say to go into FMC, choose Device Management > Devices, then High Availability to see interfaces. I only have two ungrouped sensors, no tab for HA. Furthermore, I've looked at the CLI of the sensors to run the command 'configure failover', but the command isn't supported. It's my understanding that these sensors are in an HA setup, but I cannot seem to find how to break it. I've removed the sensors in Device Management in FMC and tried upgrading, but it fails every time. Do I need to break HA of the actual ASA?
08-15-2017 08:00 PM
ASA Firepower sensors aren't in an HA pair even though the "parent" ASAs are. The sensors have no awareness of each other and essentially operate as independent units.
We typically group them into a device group on the FMC to enable a single policy push to multiple sensors.
FMC HA is for FMC itself. That construct is completely distinct from managed device HA.
07-18-2018 02:44 AM
But in the configuration guide, they mentioned that we cannot back up an FMC virtual machine. We can only back up an FMC appliance. Is that right?
03-31-2017 12:44 AM
How about in the new version 6.2? Can virtual FireSIGHT do HA?
03-31-2017 01:30 AM
No it cannot.
Establishing Firepower Management Center High Availability
Smart License: Any
Classic License: Any
Supported Management Centers: MC1000, MC1500, MC2000, MC2500, MC3500, MC4000, MC4500
Supported Domains: Global
Access: Admin
Source:
http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_management_center_high_availability.html?bookSearch=true