11-26-2023 07:42 PM
good evening!
I'm tasked to move a pair of 4115s in HA (7.0.5) that currently run several S2S VPNs, 5 AnyConnect portals, OSPF, NAT, etc. to a new FMC.
The FTDs are currently being managed by an FMC1000 on version 7.0.5. The new FMC is using 7.2.5 and is currently in production with other 7.2.5 FTDs being managed.
What's the best way to move these 4115s to the new FMC without service interruption?
Do I need to manually replicate all device-significant config like routing, interfaces, VPNs?
Thanks
11-27-2023 11:53 PM
No, disabling on one firewall at a time will allow you to control which firewall is the primary in the new setup and it will allow you a rollback if you need to. No matter what you do, the only configuration that will remain on the FTD is the interface configuration (not the interface security zones). All other configuration will need to be reconfigured either via importing and associating the policy (as in ACP policy for example) or manual configuration.
The problem with breaking HA is that the secondary FW will lose its configuration, so if you intend to keep the setup as is with regard to which firewall is primary and which is secondary I suggest to not break the HA setup outright.
As for the screenshot you posted, you will need to remove the manager before breaking the HA on the device CLI. So steps 9 and 10 in my previous post would need to be swapped around. I will edit the post.
11-27-2023 05:50 AM
What model is the new FMC? If the new FMC model is the same as the old FMC you could backup the old FMC and restore that backup on the new FMC (make sure the new FMC is not reachable by the FTDs), then remove the old FMC from the network and then connect the new FMC to the network.
If you do not manage the old FMC or do not have the option to restore the backup from the old FMC and remove the old FMC from the network, you will need to associate the FTDs with the new FMC which will require a bit of configuration. But this is possible with minimal downtime since they are an HA pair.
We can get to the steps once we have more info on the current setup, who manages what, and what can or cannot be removed from the network.
11-27-2023 05:59 AM
11-27-2023 07:39 AM - edited 11-27-2023 11:54 PM
Whatever you do, do not break the HA. When you break HA the standby FTD will lose all configuration and you might have a complete outage until you have it set up again, depending on how you move the FTDs. The following is what I would recommend (you may already have performed some of these steps).
and now you are good to go on the new FMC.
11-27-2023 12:44 PM - edited 11-27-2023 12:53 PM
Hi!
Thanks for the detailed steps. But I'm kind of lost as to why breaking HA would mean a complete outage. There would still be an active firewall with the original config.
Besides that, on step 7, is there a reason to run a failover prior to disabling HA? What's the end goal of this?
Lastly, the main difference between this method and the one I mentioned is that instead of breaking HA, disabling it would let me keep the configuration related to interfaces and possibly routing(?) but the rest (VPNs, QoS) I would have to do manually either way. Is this the right assumption?
EDIT:
I labbed this on a pair of 1150s running version 7.2.5 and I get this error when I try to disable HA on a standby unit:
Thanks again
11-28-2023 05:03 AM
Thanks, that clears things up
As a workaround for this (before knowing your plan) I was thinking of reusing the MAC addresses of the primary FTD when I fail over to the standalone FTD (previously secondary) managed by the new FMC, so there would not be any ARP issues.
Also, I have no administration of the switches between the firewalls. Would it be OK if I just shut down the interfaces directly from the chassis (except mgmt) when I fail over?
I will give this a try in my lab.
11-28-2023 05:25 AM
I have never tried it, but I would assume that shutting down the interfaces in the chassis would be OK. The only issue would be, depending on how you are accessing the FTDs, you might lose mgmt access to the FTDs when you are switching over to the newly configured FTD, as you will need to remove the secondary FTD from the network before connecting the primary back to the network or you will end up having an IP address conflict / split-brain scenario.
So if you have out-of-band access that is not dependent on the FTDs themselves, i.e. mgmt traffic does not pass through the FTDs, you can shut down the interfaces on the FTD chassis. Otherwise, you would need to be onsite, or have someone onsite to assist you.
11-27-2023 08:15 AM - edited 11-27-2023 12:44 PM
Hi