
FMC disaster recovery situation

Keith Miller
Level 1

Hello all,


As I've previously posted, we are moving away from a pair of active/standby ASA 5510s both here in our corporate DC and at our colo. The way DR works for us is if we have a disaster here, everything would be recovered at the colo using backups (that are sent daily over S2S VPN) from our Avamar/Data Domain. At the time of declaration, our colo provider would then provide us with some public IP addresses and I would need to configure NAT rules on the colo firewalls and also change our external DNS to point to the IP addresses at the colo.


Last night as I was reading, it hit me like a ton of bricks. Our FMCv is here in our corporate DC. If we have a disaster and need to fail over to the colo, the FTD devices at the colo will not be configurable because the communication to the FMCv at corporate would almost certainly be down. I need to do a little more research, but I thought I read that while you can back up the FMC, you cannot just perform a restore of it like you would a typical VM.


Any thoughts?


Regards,

Keith

6 Replies

Marvin Rhoads
Hall of Fame

You could have regular FMC backups that you keep offsite. In the event that you need to recover at DR site, restore them on a VM with equivalent FMC version. Re-IP it per the DR site addressing. Then log into your remote sensors locally and change their manager to the new FMC. Re-deploy policy and you should be back up and running.
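The procedure above ends with re-pointing the sensors at the restored FMC and redeploying policy. What follows is an added example, not code from the thread or from Cisco: a small Python client that logs into the restored FMC through its REST API, checks which expected sensors show up as registered device records, and requests a policy deployment for every device the FMC reports as deployable. The endpoint paths and the X-auth-access-token / DOMAIN_UUID headers are the FMC REST API as documented; the host name, credentials, device names and the fake transport's responses are constructed placeholders so the example runs offline, and the exact JSON shape of the deployable-devices response is an assumption to verify against your FMC version.

```python
"""Post-restore sanity check and policy redeploy for a DR-restored FMC.

Added example (not from the thread).  FMC REST API paths are real; host,
credentials, device data and the fake transport are constructed placeholders.
"""
import base64
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, body) -> (status, response_headers, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]],
                     Tuple[int, Dict[str, str], bytes]]


def urllib_transport(verify_tls: bool = True) -> Transport:
    """Real HTTPS transport.  A freshly restored FMC usually presents a
    self-signed certificate: install a trusted one or pin it rather than
    leaving verification off once the DR site is live."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, dict(resp.headers), resp.read()
    return send


class FmcClient:
    """Minimal FMC REST client: token login, device listing, deployment."""

    def __init__(self, host: str, user: str, password: str, transport: Transport):
        self.base = f"https://{host}"
        self.transport = transport
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, hdrs, _ = transport("POST", f"{self.base}/api/fmc_platform/v1/auth/generatetoken",
                                    {"Authorization": f"Basic {cred}"}, None)
        if status != 204:
            raise RuntimeError(f"FMC login failed: HTTP {status}")
        self.token = hdrs["X-auth-access-token"]
        self.domain = hdrs["DOMAIN_UUID"]

    def _call(self, method: str, path: str, payload=None):
        headers = {"X-auth-access-token": self.token, "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, _, data = self.transport(method, f"{self.base}{path}", headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data[:200]!r}")
        return json.loads(data) if data else {}

    def devices(self) -> List[dict]:
        return self._call("GET", f"/api/fmc_config/v1/domain/{self.domain}"
                          "/devices/devicerecords?expanded=true").get("items", [])

    def deployable_devices(self) -> List[dict]:
        return self._call("GET", f"/api/fmc_config/v1/domain/{self.domain}"
                          "/deployment/deployabledevices?expanded=true").get("items", [])

    def deploy(self, version: str, device_ids: List[str]) -> dict:
        payload = {"type": "DeploymentRequest", "version": version, "forceDeploy": False,
                   "ignoreWarning": True, "deviceList": device_ids}
        return self._call("POST", f"/api/fmc_config/v1/domain/{self.domain}"
                          "/deployment/deploymentrequests", payload)


def dr_redeploy(client: FmcClient, expected_sensors: List[str]) -> dict:
    """Report sensors missing from the restored FMC (their manager has not
    been re-pointed yet) and push policy to everything that is deployable."""
    registered = {d["name"] for d in client.devices()}
    missing = sorted(set(expected_sensors) - registered)
    by_version: Dict[str, List[str]] = {}
    for item in client.deployable_devices():          # one request per version
        by_version.setdefault(item["version"], []).append(item["device"]["id"])
    jobs = [client.deploy(v, ids) for v, ids in by_version.items()]
    return {"registered": sorted(registered), "missing": missing,
            "deployed": sum(len(i) for i in by_version.values()), "jobs": len(jobs)}


def constructed_fake_transport() -> Transport:
    """Stand-in for a restored FMC so the example runs offline (constructed data)."""
    domain, token = "e276abec-e0f2-11e3-8169-6d9ed49b625f", "fake-token"
    devices = {"items": [{"name": "colo-ftd-1", "id": "dev-1", "type": "Device"},
                         {"name": "colo-ftd-2", "id": "dev-2", "type": "Device"}]}
    deployable = {"items": [{"type": "DeployableDevice", "name": "colo-ftd-1",
                             "version": "1600000000000",
                             "device": {"id": "dev-1", "type": "Device"}}]}

    def send(method, url, headers, body):
        path = url.split("://", 1)[1].split("/", 1)[1].split("?", 1)[0]
        if method == "POST" and path == "api/fmc_platform/v1/auth/generatetoken":
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, {}, b""
            return 204, {"X-auth-access-token": token, "DOMAIN_UUID": domain}, b""
        if headers.get("X-auth-access-token") != token:
            return 401, {}, b'{"error":"unauthenticated"}'
        if path.endswith("/devices/devicerecords"):
            return 200, {}, json.dumps(devices).encode()
        if path.endswith("/deployment/deployabledevices"):
            return 200, {}, json.dumps(deployable).encode()
        if method == "POST" and path.endswith("/deployment/deploymentrequests"):
            req = json.loads(body)
            return 202, {}, json.dumps({"type": "DeploymentRequest",
                                        "version": req["version"],
                                        "deviceList": req["deviceList"]}).encode()
        return 404, {}, b""
    return send


if __name__ == "__main__":
    # Swap constructed_fake_transport() for urllib_transport() against a real FMC.
    fmc = FmcClient("fmc-dr.example.internal", "apiuser", "placeholder", constructed_fake_transport())
    print(dr_redeploy(fmc, ["colo-ftd-1", "colo-ftd-2", "colo-ftd-3"]))
```

A sensor in the "missing" list is one whose manager still points at the dead corporate FMC; fix that on the sensor itself (delete the old manager, add the restored FMC's new address) before rerunning. Use a dedicated API user, not the admin account, and expect deployment requests to fail until the FMC's own IP and DNS changes have been completed.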

Thanks for the reply, Marvin,


To have that secondary FMCv at the colo, I'd need another license, correct?


Regards,

Keith

Well if it was a warm standby technically yes.

But if it was, say, a snapshot of the active one then I'd arguably say no.

FMC licenses are right-to-use (since 6.0) vs. technically enforced. More important would be the licensing of the managed sensors. I'm not sure how that would act in the event of coming up fresh from a backup having been restored.

Classic licenses depend on the FMC license key which is a concatenation of the model number plus MAC address of the FMC host.

You could rehost any classic sensor licenses to the newly-hot FMC.

What about moving the entire VM to the DR site and changing its addressing to the new IP class?

That, if it works, should preserve licenses in my mind.

Otherwise you can take advantage of the evaluation license, since DR usually has a very short life. Or are there limitations on the number of activated sensors during the evaluation period?

Moving the entire VM *should* work but I would definitely test it to be sure. If you're doing business continuity planning then testing should be an inherent part of that. :)


Evaluation licenses aren't available for classic sensor licenses (e.g., ASA with Firepower and NGIPS running Sourcefire OS) - only for Smart licenses (FTD).

Agreed, I'll definitely be testing this as I gather more information. Just 1 more headache to worry about that I didn't consider when the VAR convinced us to go with the 2110s instead of 5525-Xs.


Thanks!