


Cisco Defense Orchestrator

FTD High Availability

About High Availability

A high availability (HA) configuration, also called failover, joins two devices into a primary/secondary setup so that if the primary device fails, the secondary automatically takes over. It requires two identical FTD devices connected to each other through a dedicated failover link and, optionally, a state link. The health of the active unit (hardware, interfaces, software, and environmental status) is monitored to determine whether specific failover conditions are met. If those conditions are met, failover occurs. This helps keep your network operational in case of a device failure or during a maintenance period when the devices are being upgraded. See the related articles below for more information.


The units form an active/standby pair, where the primary unit is the active unit and passes traffic. The secondary (standby) unit does not actively pass traffic, but synchronizes configuration and other state information from the active unit. The two units communicate over the failover link to determine the operating status of each unit.

Note: When you opt to accept changes from or deploy to an FTD HA pair, you are communicating with the active device of the HA pair. This means that configurations and backups are pulled from the active device only. 


Certificate and High Availability Pairs


When you apply a certificate to an FTD HA pair, CDO applies the certificate to the active device only; the configuration and the certificate are synchronized with the standby device only when you deploy to the active device. If you apply a new certificate to the active device through FDM, the active and standby devices may end up with two different certificates. This may cause issues in failover or failover history, among other possible issues. The two devices must have the same certificate to function successfully. If you must change the certificate through FDM, you must then deploy the changes and synchronize the certificate within the HA pair.
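One way to confirm that both units hold the same certificate after a change, as an added example that is not Cisco's or CDO's own code: it compares SHA-256 fingerprints of the DER bytes, so differences in line wrapping or line endings between exports do not register as drift. It assumes you have already exported each unit's certificate as PEM text; the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 of each certificate's DER bytes, in bundle order."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        # Strip wrapping and CR/LF so formatting cannot cause a false mismatch.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no CERTIFICATE block found")
    return prints

def compare_ha_pair(active_pem, standby_pem):
    """Compare the certificates exported from the active and standby units."""
    active = cert_fingerprints(active_pem)
    standby = cert_fingerprints(standby_pem)
    return {
        "in_sync": active == standby,  # every certificate in the export matches
        # Assumption: the device's own certificate is first in each export.
        "identity_match": active[0] == standby[0],
        "active": active,
        "standby": standby,
    }

def make_pem(der, width=64, eol="\n"):
    """Wrap bytes as a PEM block (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *rows,
                     "-----END CERTIFICATE-----", ""])

# Constructed placeholder bytes standing in for DER certificates (not real certs).
OLD_DER = b"constructed-old-certificate" * 8
NEW_DER = b"constructed-new-certificate" * 8

if __name__ == "__main__":
    # Same certificate, different wrapping and line endings: still in sync.
    print(compare_ha_pair(make_pem(OLD_DER), make_pem(OLD_DER, 76, "\r\n"))["in_sync"])
    # Certificate replaced on the active unit only, not yet deployed: drift.
    print(compare_ha_pair(make_pem(NEW_DER), make_pem(OLD_DER))["in_sync"])
```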

