Related Topics

SFRP

Advanced Virtual Switch Settings

Deployment Types and Device High Availability

You determine how to configure 7000 or 8000 Series device high availability depending on your Firepower
System deployment: passive, inline, routed, or switched. You can also deploy your system in multiple roles
at once. Of the four deployment types, only passive deployments require that you configure devices or stacks
using high availability to provide redundancy. You can establish network redundancy for the other deployment
types with or without device high availability. For a brief overview on high availability in each deployment
type, see the sections below.

You can achieve Layer 3 redundancy without using device high availability by using the Cisco Redundancy
Protocol (SFRP). SFRP allows devices to act as redundant gateways for specified IP addresses. With network
redundancy, you configure two devices or stacks to provide identical network connections, ensuring connectivity
for other hosts on the network.

Note

Passive Deployment Redundancy

Passive interfaces are generally connected to tap ports on central switches, which allows them to analyze all
of the traffic flowing across the switch. If multiple devices are connected to the same tap feed, the system
generates events from each of the devices. When configured in a high-availability pair, devices act as either
active or standby, which allows the system to analyze traffic even in the event of a system failure while also
preventing duplicate events.

Inline Deployment Redundancy

Because an inline set has no control over the routing of the packets being passed through it, it must always
be active in a deployment. Therefore, redundancy relies on external systems to route traffic correctly. You
can configure redundant inline sets with or without 7000 or 8000 Series device high availability.

To deploy redundant inline sets, you configure the network topology so that it allows traffic to pass through
only one of the inline sets while preventing circular routing. If one of the inline sets fails, the surrounding
network infrastructure detects the loss of connectivity to the gateway address and adjusts the routes to send
traffic through the redundant set.

Routed Deployment Redundancy

Hosts in an IP network must use a well-known gateway address to send traffic to different networks. Establishing
redundancy in a routed deployment requires that routed interfaces share the gateway addresses so that only
one interface handles traffic for that address at any given time. To accomplish this, you must maintain an
equal number of IP addresses on a virtual router. One interface advertises the address. If that interface goes
down, the standby interface begins advertising the address.

In devices that are not members of a high-availability pair, you use SFRP to establish redundancy by configuring
gateway IP addresses shared between multiple routed interfaces. You can configure SFRP with or without
7000 or 8000 Series device high availability. You can also establish redundancy using dynamic routing such
as OSPF or RIP.

7000 and 8000 Series Device High Availability
