Basic Questions about Security Contexts on FWSM

pmacdanel
Level 1

Hello,

We are considering implementing contexts to control access for a number of agencies' traffic we manage. I have some questions about contexts I haven't been able to find clear answers to:

1) In a failover FWSM setup, if one primary context goes down but not the others, does it failover to the secondary module context?

2) Does the context licensing for the secondary FWSM need to be a duplicate of the primary? i.e. do you need 2 separate licenses for, say, 20 contexts?

3) If the module is in single context mode and you convert it to multiple context, what happens to the running config? Are its rulesets, interfaces converted to the admin context? If not, what is the easiest way to move the single context config into a 'working' context that we can then pull rules, interfaces, etc. out of for new context conversions as they are needed?

Thanks for your help!

2 Replies

Patrick Iseli
Level 7

1.)

Question: In a failover FWSM setup, if one primary context goes down but not the others, does it failover to the secondary module context?

Answer: Yes and no; it depends on the trigger: failover will occur depending on how many interfaces have failed. But remember you are using virtual interfaces (VLANs); they usually never go down.

Failover Triggers

The module can fail if one of the following events occurs:

• The module has a hardware failure or a power failure.

• The module has a software failure.

• Too many monitored interfaces fail.

Because the FWSM can have a large number of interfaces, it cannot monitor every interface. Rather, you configure the FWSM to monitor a subset of interfaces. The FWSM fails over when a certain number of monitored interfaces fails; you configure the failure threshold to be an absolute value or a percentage of the total number of monitored interfaces.

See the "Failover Monitoring" section for more information about when a module or interface is considered to be failed.

Reference Using Failover (Version 2.3):

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/failover.htm

2.)

Question: Does the context licensing for the secondary FWSM need to be a duplicate of the primary? i.e. do you need 2 separate licenses for, say, 20 contexts?

Answer: YES, you need the licence pack two times for 20 contexts.

3.)

Question: If the module is in single context mode and you convert it to multiple context, what happens to the running config? Are its rulesets, interfaces converted to the admin context? If not, what is the easiest way to move the single context config into a 'working' context that we can then pull rules, interfaces, etc. out of for new context conversions as they are needed?

Answer: When you convert from single mode to multiple mode, the FWSM converts the running configuration into two files: a new startup.cfg (in Flash) that comprises the system configuration, and admin.cfg (in the disk partition) that comprises the admin context. The original running configuration is saved as old_running.cfg (in disk). The original startup configuration is not saved. The FWSM automatically adds an entry for the admin context to the system configuration with the name "admin."

Reference: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/context.htm#wp1081764

Note: The admin context is just to access and manage the FWSM, not to be used as a virtual firewall (PIX)!

SEE: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/context.htm

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/index.htm

Sincerely,

Patrick
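
The "subset of monitored interfaces" and failure threshold described in answer 1, as an added configuration example that is not part of the thread. The interface names are constructed, and the command syntax is assumed from the ASA/FWSM failover command set; check it against the FWSM 2.3 failover guide linked above before applying.

```cisco
! Added example (constructed, not from the thread or the Cisco docs).
! Only interfaces listed with monitor-interface count toward the
! failover threshold, so the FWSM does not need to watch every VLAN.
! Interface names "inside", "outside" and "dmz" are constructed.
monitor-interface inside
monitor-interface outside
no monitor-interface dmz
!
! Threshold as a percentage of monitored interfaces: fail over once
! half of them (here, one of the two) are reported failed.
failover interface-policy 50%
!
! The alternative absolute form names a count of failed interfaces
! instead of a percentage (shown commented out; use one or the other):
! failover interface-policy 1
```

Because FWSM interfaces are VLANs that rarely go down on their own, the interface threshold mainly matters alongside the hardware and software failure triggers listed in the reply.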

Thank you Patrick, that is most helpful. One last question about the conversion: so according to the docs, the old single-context config is saved to a file, and you can then load that saved config into a new context within the new multi-context space, thus restoring the original config, but now the FWSM has the capability to use multiple contexts.