Re: FTD High Availability pair with two ISP connections - one at each firewall

AlexPi · ‎08-13-2020

Hello All,

I have scenario that is totally new to me. I have a site with two FTD 2140 configured as and High Availability pair (Active, Standby), over FMC.

The Primary/Active firewall connected to ISP-A and the Secondary/Standby firewall is connected to ISP-B.

Currently, under the High Availability tab the Outside interface has as an Active IP the ISP-A IP, with no Standby IP configured yet and under routing there is a static route on the Outside Interface pointing to the Gateway of ISP-A, with a metric of 1.

In order to bring ISP-B in play, which is connected to the Secondary/Standby firewall, do I simply under High Availability add as a Standby IP the ISP-B IP and under Routing I add another Static Route for the Outside Interface pointing to the Gateway of ISP-B with a higher metric (10)?

Also am I correct in saying that both ISPs need offer the same bandwidth so that the Outside Interface hardware properties are set to the speed needed for both ISPs?

Sorry for the multiple questions but this is a live site that was dropped to me and this is a scenario that I have never come across before!

Thanks!

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

Rob Ingram · ‎08-13-2020

Hi,
You can't add a standby IP address from a different network. You would have to define another outside interface. Use IP SLA and tracking to monitor the default route and failover to a second default route once the first ISP is down.

No you don't need the same bandwidth.

HTH

AlexPi · ‎10-10-2020

Hello Rob,

It has been a while since my original post and your reply but now we managed to get another ISP!

Ii was connected to the same port as the original, i.e. Primary (live) ISP is on Ethernet1/1 of Firewall A (Active) and the Secondary (new) ISP is on Ethernet 1/1 of Firewall B (Standby). If I go the PAIR Interfaces from the FMC Device Management, I can only see one set of ports, I presume the ones from the active firewall. Is there a way to configure the secondary ISP on the Standby firewall Etherenet 1/1? That should be my other outside interface.

Best regards,

Alex P.

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

Rob Ingram · ‎10-10-2020

Hi @AlexPi

Each interface as part of an HA pair would be per ISP connection, and would therefore need to be configured in the same network. So Eth1/1 (on both the Active and Standby FTD) would be ISP1 and Eth 1/2-8 (on both Active and Standby FTD) would be for ISP2.

HTH

AlexPi · ‎10-10-2020

Great! Thanks Rob.

I will them put ISP 2 on a different interface than ISP1 and then go fro there with Cisco's config guide.

Thanks so much for the help!
I will update once I have this up, or any other issues...

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------