08-04-2022 12:32 PM
Can someone share steps and things to watch out for when replacing Cisco FTD 4110 with new 4120 in cluster mode?
08-05-2022 12:59 AM
If you are changing models then you are replacing the entire cluster since all models must be the same in a given cluster.
That's quite a significant undertaking and requires careful planning to ensure it goes smoothly. Each member of the new cluster would have to be bootstrapped and joined into the cluster. Software version, patch level, SRU, VDB and Geolocation would all have to be brought up to date. Interfaces to match the old cluster would have to be configured in shutdown mode in preparation for the actual cutover. The various policies (Access Control, NAT, Platform etc.) associated with the existing cluster would also need to be applied to the new cluster.
Those are just the highlights off the top of my head. If you aren't working with an experienced field engineer for this, you should be.
08-05-2022 11:06 AM
Thanks for the reply, Marvin! Really appreciate that.
I completely understand that all software and policy configuration needs to match, but the only thing I'm not sure about is how it's going to behave when I fail over to standby and break the cluster in order to bring in the new hardware and switch the traffic over to the new hardware without causing an outage.
08-05-2022 11:35 AM
So from your latest reply it seems you are talking about a high availability pair and not a cluster. In either case, you are essentially taking the existing firewall services completely offline and replacing them with another higher-capacity set.
There will be a planned outage - that's unavoidable.
The primary thing external to the firewall to ensure is that the upstream and downstream next-hop devices clear their ARP caches to account for the old IP addresses now being on new hosts.
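The ARP point in the accepted answer is the one that bites after cutover: a next hop that still maps the firewall's interface IP to the old chassis' MAC will blackhole traffic until the entry ages out. The following is an added example, not code from the thread or from Cisco; it assumes a Linux next hop whose `ip neigh show` output you have pasted in, and the IP and MAC addresses are constructed for this example. It parses the neighbor table, flags entries whose cached MAC does not match the new hardware's MAC (even when the kernel still marks them REACHABLE), and emits the `ip neigh del` commands to flush them. On a Cisco IOS next hop the equivalent checks would be `show ip arp` and `clear ip arp <address>`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `ip neigh show` from a Linux next hop just after the
# cutover. Addresses and MACs are made up for this example.
SAMPLE_IP_NEIGH = """\
10.1.1.1 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.1.1.2 dev eth0 lladdr 00:11:22:cc:dd:02 REACHABLE
10.1.2.1 dev eth1 lladdr 00:11:22:cc:dd:11 STALE
192.168.9.9 dev eth0 FAILED
"""

# MACs of the NEW firewall's data interfaces (assumed values), keyed by the
# interface IP that was carried over from the old hardware.
EXPECTED_MACS: Dict[str, str] = {
    "10.1.1.1": "00:11:22:cc:dd:01",  # outside interface, new chassis
    "10.1.2.1": "00:11:22:cc:dd:11",  # inside interface, new chassis
    "10.1.3.1": "00:11:22:cc:dd:21",  # DMZ interface, new chassis
}

# Matches the default `ip neigh show` line format: "<ip> dev <if> [lladdr <mac>] <STATE>".
# Entries with no lladdr (INCOMPLETE/FAILED) have mac=None.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-fA-F:]+))? (?P<state>\S+)$"
)


@dataclass
class Neigh:
    ip: str
    dev: str
    mac: Optional[str]
    state: str


@dataclass
class StaleEntry:
    ip: str
    dev: str
    cached_mac: str
    expected_mac: str
    state: str


def parse_ip_neigh(text: str) -> List[Neigh]:
    """Parse `ip neigh show` output into Neigh records, skipping unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m.group("mac")
            entries.append(Neigh(m.group("ip"), m.group("dev"),
                                 mac.lower() if mac else None, m.group("state")))
    return entries


def find_stale_entries(entries: List[Neigh], expected: Dict[str, str]) -> List[StaleEntry]:
    """Return cached entries for firewall IPs whose MAC is not the new hardware's.

    The neighbor state is deliberately ignored: a REACHABLE entry with the old
    MAC is exactly the case that silently blackholes traffic after cutover.
    """
    stale = []
    for n in entries:
        want = expected.get(n.ip)
        if want is not None and n.mac is not None and n.mac != want.lower():
            stale.append(StaleEntry(n.ip, n.dev, n.mac, want.lower(), n.state))
    return stale


def missing_entries(entries: List[Neigh], expected: Dict[str, str]) -> List[str]:
    """Firewall IPs with no usable cache entry yet; a ping will repopulate these."""
    seen = {n.ip for n in entries if n.mac is not None}
    return sorted(ip for ip in expected if ip not in seen)


def flush_commands(stale: List[StaleEntry]) -> List[str]:
    """Commands to remove the stale entries so the host re-ARPs for the new MAC."""
    return [f"ip neigh del {s.ip} dev {s.dev}" for s in stale]


if __name__ == "__main__":
    neigh = parse_ip_neigh(SAMPLE_IP_NEIGH)
    for s in find_stale_entries(neigh, EXPECTED_MACS):
        print(f"STALE {s.ip} on {s.dev}: cached {s.cached_mac}, expected {s.expected_mac} ({s.state})")
    for cmd in flush_commands(find_stale_entries(neigh, EXPECTED_MACS)):
        print(cmd)
    for ip in missing_entries(neigh, EXPECTED_MACS):
        print(f"NO ENTRY for {ip}; ping it from this host to populate the cache")
```

Run this once per next-hop host right after the new pair takes over the interface IPs, before declaring the cutover complete; repeat after any later failover, since the standby unit's MAC differs unless you have configured virtual MACs.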