Cisco Defense Orchestrator

Create a Firepower Threat Defense High Availability Pair

Before you create an FTD HA pair in Defense Orchestrator, you must first onboard two standalone FTD devices that meet the requirements described in Firepower Threat Defense High Availability Pair Requirements.

Note: To create an HA pair in CDO, both devices must have management interfaces configured. If the devices have data interfaces configured, you must create the HA pair through the FDM console and then onboard the pair to CDO.

Once you create an FTD HA pair, the primary device is active and the secondary device is standby by default. All configuration changes or deployments are made through the primary device and the secondary device remains in standby mode until the primary unit becomes unavailable. 

Note that when you opt to read from or deploy to an FTD HA pair, you are reading from or deploying to the active device of the HA pair. Any changes made to the primary device are transferred over the link between the primary and the secondary device. CDO deploys to and reads only from the primary device; thus, the Devices & Services page displays a single entry for the pair. Once the deploy occurs, the primary device synchronizes any configuration changes to the secondary device.

Note: If the HA devices experience an issue during the creation process or the HA pair does not result in a healthy status, you must manually break the HA configuration before you attempt to create the pair again.

Procedure

Create an HA pair from two standalone FTD devices with the following procedure:

  1. In the navigation bar, click Devices & Services.
  2. Select the FTD device you want to establish as the primary device.

Note: CDO does not support creating an HA pair with devices configured with DHCP.

  3. In the Management pane, click High Availability.
  4. Locate the area for the secondary device and click Select Device, then choose a device from the list of eligible devices.
  5. Configure the Failover link.
    1. Click Physical Interface and select an interface from the drop-down menu.
    2. Select the appropriate IP Type.
    3. Enter the Primary IP address.
    4. Enter the Secondary IP address.
    5. Enter the Netmask. By default, this value is 24.
    6. If applicable, enter a valid IPSec Encryption Key.
  6. Configure the Stateful link. If you want to use the same configuration as the failover link, check the The same as Failover Link checkbox. If you want to use a different configuration, use the following procedure:
    1. Click Physical Interface and select an interface from the drop-down menu. Note that both the primary and secondary device must have the same number of physical interfaces.
    2. Select the appropriate IP Type.
    3. Enter the Primary IP address.
    4. Enter the Secondary IP address.
    5. Enter the Netmask. By default, this value is 24.
  7. Click Create in the upper right corner of the screen to finish the wizard. CDO immediately redirects you to the High Availability Status page. From this page you can monitor the status of the HA creation. Note that once the HA pair is created, the Devices & Services page displays the pair as a single row.
  8. Deploy Configuration Changes from Defense Orchestrator to FTD to deploy the new configuration to the active device.
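The wizard above fails late, after the pair is already half-built, if a prerequisite is missed (management interface present, no DHCP, equal interface counts, failover and stateful addresses in one subnet). The following pre-flight check is an added example written for this article, not part of CDO or FDM; the device and link records it uses are constructed sample data, and the checks reflect only the requirements stated on this page.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class FtdDevice:
    name: str
    mgmt_interface_configured: bool   # CDO requires a management interface on both units
    uses_dhcp: bool                   # DHCP-addressed devices are not supported for HA in CDO
    physical_interfaces: list

@dataclass
class HaLink:
    interface: str      # physical interface chosen in the wizard
    primary_ip: str     # IPv4 or IPv6; the "IP Type" follows from the address given
    secondary_ip: str
    netmask: int = 24   # wizard default

def check_link(link, label, primary, secondary):
    # Interface must exist on both units; addresses must differ and share one subnet.
    problems = [f"{label}: {dev.name} has no interface {link.interface}"
                for dev in (primary, secondary)
                if link.interface not in dev.physical_interfaces]
    try:
        p = ipaddress.ip_interface(f"{link.primary_ip}/{link.netmask}")
        s = ipaddress.ip_interface(f"{link.secondary_ip}/{link.netmask}")
    except ValueError as exc:
        return problems + [f"{label}: invalid address: {exc}"]
    if p.ip == s.ip:
        problems.append(f"{label}: primary and secondary addresses must differ")
    elif p.network != s.network:
        problems.append(f"{label}: {p.ip} and {s.ip} are not in one /{link.netmask} subnet")
    return problems

def preflight(primary, secondary, failover, stateful=None):
    """Return every problem found; stateful=None means 'The same as Failover Link'."""
    problems = []
    for dev in (primary, secondary):
        if not dev.mgmt_interface_configured:
            problems.append(f"{dev.name}: no management interface; build HA in FDM and onboard the pair")
        if dev.uses_dhcp:
            problems.append(f"{dev.name}: DHCP-configured device is not supported")
    if len(primary.physical_interfaces) != len(secondary.physical_interfaces):
        problems.append("devices have different numbers of physical interfaces")
    problems += check_link(failover, "failover link", primary, secondary)
    if stateful is not None:
        problems += check_link(stateful, "stateful link", primary, secondary)
    return problems

# Constructed sample inventory (not taken from the page)
IFACES = ["GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2"]
PRIMARY = FtdDevice("ftd-1", True, False, IFACES)
SECONDARY = FtdDevice("ftd-2", True, False, IFACES)
GOOD_FAILOVER = HaLink("GigabitEthernet0/2", "10.0.99.1", "10.0.99.2")
BAD_STATEFUL = HaLink("GigabitEthernet0/3", "10.0.99.1", "10.1.99.2")
```

Run `preflight(PRIMARY, SECONDARY, GOOD_FAILOVER)` before starting the wizard; an empty list means none of the page's stated requirements is violated, while a non-empty list names each failing device or link.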

Troubleshooting

One of my devices is in a bad state after creating HA

If one of the devices falls into an unhealthy or failed state during HA creation, break the HA pair and resolve the device's state, then recreate HA. The failover history might help diagnose the issue. 
