
having to reestablish the connection, even if strict TCP enforcement is enabled. You can enable strict TCP
enforcement on inline sets, virtual routers, and virtual switches.

Unidirectional Access Control Rules

If you have configured unidirectional access control rules, network traffic may match a different access control
rule than intended when the system reevaluates a connection midstream after failover. For example, consider
a policy containing the following two access control rules:

Rule 1: Allow from 192.168.1.0/24 to 192.168.2.0/24
Rule 2: Block all

Without state sharing, if an allowed connection from 192.168.1.1 to 192.168.2.1 is still active following a
failover and the next packet is seen as a response packet, the system denies the connection. With state sharing,
a midstream pickup would match the existing connection and continue to be allowed.
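The failover scenario above, as an added illustration that is not Cisco's code: a toy model of two peers that share (or do not share) a connection table, evaluated against the two rules from the text. The connection table keyed only on source and destination address, and the names Peer, Packet and failover_decision, are simplifications assumed here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Rule set from the text: Rule 1 allows 192.168.1.0/24 -> 192.168.2.0/24, Rule 2 blocks all.
RULES = [
    ("allow", ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")),
    ("block", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def first_match(pkt):
    """Stateless access control: the first rule whose src/dst networks match wins."""
    for action, src_net, dst_net in RULES:
        if ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net:
            return action
    return "block"


class Peer:
    """Simplified model of one device in the HA pair: a connection table plus the rule set."""

    def __init__(self, conn_table=None):
        # Each entry is the (src, dst) of the initiating packet of an allowed connection.
        self.conn_table = set(conn_table or ())

    def handle(self, pkt):
        key = (pkt.src, pkt.dst)
        reverse = (pkt.dst, pkt.src)
        # Midstream pickup: a packet in either direction of a known connection stays allowed.
        if key in self.conn_table or reverse in self.conn_table:
            return "allow"
        action = first_match(pkt)
        if action == "allow":
            self.conn_table.add(key)
        return action


def failover_decision(state_sharing):
    """The active peer admits the connection, then fails; the response packet arrives on the peer."""
    active = Peer()
    if active.handle(Packet("192.168.1.1", "192.168.2.1")) != "allow":
        raise RuntimeError("constructed scenario: the initial packet should match Rule 1")
    # With state sharing the standby already holds the synchronized connection entry.
    standby = Peer(active.conn_table if state_sharing else None)
    response = Packet("192.168.2.1", "192.168.1.1")
    return standby.handle(response)
```

Without state sharing the response packet is re-evaluated on its own and falls through to Rule 2; with state sharing it is picked up as part of the existing connection.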

Blocking Persistence

While many connections are blocked on the first packet based on access control rules or other factors, there
are cases where the system allows some number of packets through before determining that the connection
should be blocked. With state sharing, the system immediately blocks the connection on the peer device or
stack as well.

When establishing state sharing for a high-availability pair, you can configure the following options:

Enabled

Click the check box to enable state sharing. Clear the check box to disable state sharing.

Minimum Flow Lifetime

Specify the minimum time (in milliseconds) for a session before the system sends any synchronization messages
for it. You can use any integer from 0 to 65535. The system does not synchronize any sessions that have not
met the minimum flow lifetime, and the system synchronizes only when a packet is received for the connection.

Minimum Sync. Interval

Specify the minimum time (in milliseconds) between update messages for a session. You can use any integer
from 0 to 65535. The minimum synchronization interval prevents synchronization messages for a given
connection from being sent more frequently than the configured value after the connection reaches the minimum
lifetime.

Maximum HTTP URL Length

Specify the maximum number of characters of the URL that the system synchronizes between the paired devices.
You may use any integer from 0 to 225.
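The three options above interact per session: no message is sent until the session has lived the minimum flow lifetime, a message is sent only when a packet arrives, and messages for one session are spaced by at least the minimum sync interval. The following added model (not Cisco's code; the class names, the millisecond clock and the session tuple are assumptions) walks a packet timeline through those rules and truncates the synchronized URL to the configured length.

```python
from dataclasses import dataclass, field

# Limits stated in the text for the three state-sharing options.
MAX_MS = 65535
MAX_URL_LEN = 225


@dataclass
class StateSharingConfig:
    enabled: bool = True
    min_flow_lifetime_ms: int = 0
    min_sync_interval_ms: int = 0
    max_http_url_length: int = MAX_URL_LEN

    def __post_init__(self):
        # Reject values outside the ranges the options accept.
        for name, value, limit in (
            ("min_flow_lifetime_ms", self.min_flow_lifetime_ms, MAX_MS),
            ("min_sync_interval_ms", self.min_sync_interval_ms, MAX_MS),
            ("max_http_url_length", self.max_http_url_length, MAX_URL_LEN),
        ):
            if not isinstance(value, int) or not 0 <= value <= limit:
                raise ValueError(f"{name} must be an integer from 0 to {limit}")


@dataclass
class SyncScheduler:
    """Decides, per received packet, whether a sync message for that session goes to the peer."""
    cfg: StateSharingConfig
    first_seen: dict = field(default_factory=dict)  # session -> time of first packet (ms)
    last_sync: dict = field(default_factory=dict)   # session -> time of last sync message (ms)

    def on_packet(self, session, now_ms, url=None):
        """Return the sync message to send for this packet, or None if nothing is sent."""
        start = self.first_seen.setdefault(session, now_ms)
        if not self.cfg.enabled:
            return None
        # No sync until the session has lived at least the minimum flow lifetime.
        if now_ms - start < self.cfg.min_flow_lifetime_ms:
            return None
        # Once the lifetime is met, no sync more often than the minimum sync interval.
        last = self.last_sync.get(session)
        if last is not None and now_ms - last < self.cfg.min_sync_interval_ms:
            return None
        self.last_sync[session] = now_ms
        # Only the first max_http_url_length characters of the URL are synchronized.
        synced_url = None if url is None else url[: self.cfg.max_http_url_length]
        return {"session": session, "at_ms": now_ms, "url": synced_url}
```

Because a message is produced only from on_packet, an idle session is never synchronized, matching the statement that the system synchronizes only when a packet is received for the connection.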

Related Topics

Configuring HA Link Interfaces

7000 and 8000 Series Device High Availability


Device High Availability State Sharing
