02-24-2025 04:19 PM
Hi All,
I have a single FMC 4600 appliance running 7.4.2 that is managing 10 FTDs running various versions between 7.2.8 and 7.4.2. We have purchased a new FMC 4600 appliance that we are planning to put into HA. The new FMC is running the correct software version and all content updates match, etc. From what I understand, when FMC HA is enabled the FTDs are updated to register to the new FMC as well as the existing one. Is this a disruptive process for traffic flowing through the firewalls, or can this be implemented safely at any time with no service impact?
02-25-2025 02:24 AM
No, the traffic passing through the firewalls wouldn't be affected in general. However, if you are using user ID policies, or the firewalls need to rely on the FMC to get a verdict on a file via dynamic integrations with the cloud, then it could potentially affect that traffic, because when you add a secondary FMC to form the HA both FMCs restart some of their services. Nothing would be restarted on the firewalls themselves.
02-25-2025 12:25 PM - edited 02-25-2025 12:31 PM
Just to add to what @Aref Alsouqi said. Bear in mind, both FMC peers are required to be on the same software version, intrusion rule update, vulnerability database, and Lightweight Security Package, and also both FMCs require a separate license.
Once the FMC HA sync (database sync completed) is formed, it pushes the secondary FMC IP address to the FTD itself, therefore nothing to worry about. When you log in to the FTD CLI you will see two FMCs, primary and secondary.
Here, I found this document.