FTD High Availability

About High Availability

A high availability (HA), or failover configuration, joins two devices into a primary/secondary setup so that if the primary device fails, the secondary automatically takes over. Configuring high availability, also called failover, requires two identical FTD devices connected to each other through a dedicated failover link and, optionally, a state link. The health of the active unit (hardware, interfaces, software, and environmental status) is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs. This helps keep your network operation in case of a device failure or during a maintenance period when the devices are upgrading. See the related articles below for more information. 

The units form an active/standby pair, where the primary unit is the active unit and passes traffic. The secondary (standby) unit does not actively pass traffic, but synchronizes configuration and other state information from the active unit. The two units communicate over the failover link to determine the operating status of each unit.

Note: When you opt to accept changes from or deploy to an FTD HA pair, you are communicating with the active device of the HA pair. This means that configurations and backups are pulled from the active device only. 

Certificate and High Availability Pairs

When you apply a certificate to an HA FTD pair, CDO only applies the certificate to the active device; only upon deploying the active device is the configuration, and the certificate, synchronized with the standby device. If you apply a new certificate to the active device through FDM, the active device and standby device may have two different certificates. This may cause issues in failover or failover history, among other possible issues. The two devices must have the same certificate to function successfully. If you must change the certificate through FDM, then you must deploy changes and synchronize the certificate within the HA pair. 

Onboard Your HA Pair

You can onboard an FTD HA pair that has been established outside of CDO one of two ways; CDO strongly recommends you onboard with a username/password. See Onboard an FTD HA Pair using Username, Password, and IP Address for more information. 

As an alternative onboarding method, you can also onboard an FTD HA pair with a registration token. See Onboard an FTD HA Pair with a Registration Key for more information. 

Related Articles:

• Failover and Stateful Link for FTD High Availability
• FTD High Availability Pair Requirements
• Create a FTD High Availability Pair
• Onboard a FTD High Availability Pair
• FTD High Availability Status Page
• Break FTD High Availability
• FTD High Availability Failover History
• Refresh the FTD High Availability Status
• Force a Failover on a FTD High Availability Pair
• Upgrade a FTD High Availability Pair
• Reading, Discarding, Checking for, and Deploying Configuration Changes
• Accept Configuration Changes from FTD to CDO
• Deploy Configuration Changes from Defense Orchestrator to FTD