Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
673
Views
10
Helpful
3
Replies

Replace Cisco FTD cluster

Go to solution
noman0058
Level 1
Level 1

‎08-04-2022 12:32 PM

Can someone share steps and things to watch out for when replacing of Cisco FTD 4110 to new 4120 in cluster mode.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to noman0058

‎08-05-2022 11:35 AM

So from your latest reply it seems you are talking about a high availability pair and not a cluster. In either case, you are essentially taking the existing firewall services completely offline and replacing them with another higher capacity set.

There will be a planned outage - that's unavoidable.

The primary things external to the firewall to ensure is that the upstream and downstream next hop devices clear their arp caches to account for the old IP addresses now being on new hosts.

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-05-2022 12:59 AM

If you are changing models then you are replacing the entire cluster since all models must be the same in a given cluster.

That's quite a significant undertaking and requires careful planning to ensure it goes smoothly. Each member of the new cluster would have to be bootstrapped and joined into the cluster. Software version, patch level, SRU, VDB and Geolocation would all have to be brought up to date. Interfaces to match the old cluster would have to be configured in shutdown mode in preparation for the actual cutover. The various policies (Access Control, NAT, Platform etc.) associated with the existing cluster would also need to be applied to the new cluster.

Those are just the highlights off the top of my head. If you aren't working with an experienced field engineer for this, you should be.

Go to solution
noman0058
Level 1
Level 1
In response to Marvin Rhoads

‎08-05-2022 11:06 AM

Thanks for reply Marvin! really appreciate that. 

I completely understands that all software and policy configuration needs to match but only thing I'm not sure about is how its going to behave when I will failover to standby and break the cluster in order to bring new hardware and switch the traffic over to new hardware without impacting outage. 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to noman0058

‎08-05-2022 11:35 AM

So from your latest reply it seems you are talking about a high availability pair and not a cluster. In either case, you are essentially taking the existing firewall services completely offline and replacing them with another higher capacity set.

There will be a planned outage - that's unavoidable.

The primary things external to the firewall to ensure is that the upstream and downstream next hop devices clear their arp caches to account for the old IP addresses now being on new hosts.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card