Policy updates during FMC HA sync

josh.green · ‎11-15-2021

Hi all,

I need to reinstate HA between two FMCs after having to rebuild the secondary FMC device.

They manage 18 devices and have a number of access policies, IDS/IPS and NAT configurations etc etc. I'm assuming this is going to take a good few hours to sync and ideally I want to perform this task during the day as opposed to sitting up all night checking periodically..

My question is - can you continue to push policy/config changes from the primary FMC to the managed FTDs while the sync is taking place?

Any articles/references are appreciated.

Thanks,

Josh

balaji.bandi · ‎11-15-2021

is standby FMC in different location or same DC ? or same Lan segment, they do fast replication for sure.

I do not see any reason you can not push policies, (but for consistency, better avoide until both FMC is synched).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

josh.green · ‎11-15-2021

Hi Balaji,

The Standby FMC is in a different DC, so geographically separated.

Yeah I would of thought it would still be possible - just need to identify the risk for doing this change in-hours just in case we have an incident that requires firewall amendments and policy updates. If it can be done then I will be okay to do this during the working day.

Thanks,

Josh

balaji.bandi · ‎11-15-2021

i would do this task on Friday, So By Monday all good you can do changes ( most of the business do not make any changes Friday to until Monday Morning) that give you more time to replication and be stable, rather rush. (Hope this make sense ? and good approach i see here)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help