FTD High Availability pair with two ISP connections - one at each firewall

AlexPi
Level 1

Hello All,

 

I have a scenario that is totally new to me. I have a site with two FTD 2140 configured as a High Availability pair (Active, Standby), over FMC.

The Primary/Active firewall connected to ISP-A and the Secondary/Standby firewall is connected to ISP-B.

Currently, under the High Availability tab the Outside interface has as an Active IP the ISP-A IP, with no Standby IP configured yet and under routing there is a static route on the Outside Interface pointing to the Gateway of ISP-A, with a metric of 1.

In order to bring ISP-B in play, which is connected to the Secondary/Standby firewall, do I simply under High Availability add as a Standby IP the ISP-B IP and under Routing I add another Static Route for the Outside Interface pointing to the Gateway of ISP-B with a higher metric (10)?

Also, am I correct in saying that both ISPs need to offer the same bandwidth so that the Outside Interface hardware properties are set to the speed needed for both ISPs?

Sorry for the multiple questions but this is a live site that was dropped to me and this is a scenario that I have never come across before!

 

Thanks!

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

Hi,
You can't add a standby IP address from a different network. You would have to define another outside interface. Use IP SLA and tracking to monitor the default route and failover to a second default route once the first ISP is down.

No, you don't need the same bandwidth.

HTH

Hello Rob,

 

It has been a while since my original post and your reply but now we managed to get another ISP!

It was connected to the same port as the original, i.e. Primary (live) ISP is on Ethernet1/1 of Firewall A (Active) and the Secondary (new) ISP is on Ethernet1/1 of Firewall B (Standby). If I go to the PAIR Interfaces from the FMC Device Management, I can only see one set of ports, I presume the ones from the active firewall. Is there a way to configure the secondary ISP on the Standby firewall Ethernet1/1? That should be my other outside interface.

Best regards,

 

Alex P.


Hi @AlexPi 

Each interface as part of an HA pair would be per ISP connection, and would therefore need to be configured in the same network. So Eth1/1 (on both the Active and Standby FTD) would be ISP1 and Eth 1/2-8 (on both Active and Standby FTD) would be for ISP2.

 

HTH
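
The layout described in the two replies above (one outside interface per ISP, cabled to both units, with a tracked default route), written out as an added example that is not part of the original posts. It uses ASA-style CLI as an assumed notation; on an FMC-managed pair the same settings are made in FMC and deployed. All interface names, addresses (documentation ranges) and timer values are constructed.

```cisco
! ISP1: same port on both units, active and standby IPs in the same subnet
interface Ethernet1/1
 nameif outside-isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! ISP2: a different port, again cabled to both units
interface Ethernet1/2
 nameif outside-isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
! Probe the ISP1 gateway with ICMP echo through the ISP1 interface
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside-isp1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object follows the reachability result of SLA operation 1
track 1 rtr 1 reachability
!
! Primary default route is installed only while track 1 is up
route outside-isp1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Backup default route with a higher metric takes over when it is withdrawn
route outside-isp2 0.0.0.0 0.0.0.0 198.51.100.1 10
```

Probing only the ISP1 gateway does not detect a failure further upstream; pointing the probe at a reachable address beyond the gateway covers that case. NAT and access rules also need entries for the second outside interface, or traffic is dropped after the route switches.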

Great! Thanks Rob.

 

I will then put ISP 2 on a different interface than ISP1 and then go from there with Cisco's config guide.

Thanks so much for the help!
I will update once I have this up, or any other issues...
