History for Clustering
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
||
|---|---|---|---|---|---|
| Cluster control link ping tool. |
20240203 |
Any |
You can check to make sure all the cluster nodes can reach each other over the cluster control link by performing a ping. One major cause for the failure of a node to join the cluster is an incorrect cluster control link configuration; for example, the cluster control link MTU may be set higher than the connecting switch MTUs. New/modified screens: > More ( |
||
| Troubleshooting file generation and download available from Device and Cluster pages. |
20240203 |
7.4.1 |
You can generate and download troubleshooting files for each
device on the Device page and also for all cluster nodes on the
Cluster page. For a cluster, you can download all files as a
single compressed file. You can also include cluster logs for
the cluster for cluster nodes. You can alternatively trigger
file generation from the > More ( New/modified screens: |
||
| View CLI output for a device or device cluster. |
20240203 |
Any |
You can view a set of pre-defined CLI outputs that can help you troubleshoot the device or cluster. You can also enter any show command and see the output. New/modified screens: |
||
|
Cluster health monitor settings. |
20221213 |
Any |
You can now edit cluster health monitor settings. New/Modified screens:
|
||
|
Cluster health monitor dashboard. |
20221213 |
Any |
You can now view cluster health on the cluster health monitor dashboard. New/Modified screens: System ( |
||
|
Support for 16-node clusters. |
20220609 |
7.2.0 |
You can now configure 16 node clusters for the Firepower 4100/9300. Previously, the maximum was 6 units. New/Modified screens: none. Supported platforms: Firepower 4100/9300 |
||
|
Cluster deployment for firewall changes completes faster. |
20220609 |
7.2.0 |
Cluster deployment for firewall changes now completes faster. New/Modified screens: none. |
||
|
Improved PAT port block allocation for clustering. |
20220609 |
7.0.3 |
The improved PAT port block allocation ensures that the control unit keeps ports in reserve for joining nodes, and proactively reclaims unused ports. To best optimize the allocation, you can set the maximum nodes you plan to have in the cluster using the cluster-member-limit command using FlexConfig. The control unit can then allocate port blocks to the planned number of nodes, and it will not have to reserve ports for extra nodes you don't plan to use. The default is 16 nodes. You can also monitor syslog 747046 to ensure that there are enough ports available for a new node. New/Modified commands: cluster-member-limit (FlexConfig), show nat pool cluster [summary] , show nat pool ip detail |
||
|
Cluster deployment for Snort changes completes faster, and fails faster when there is an event. |
20220609 |
7.0.3 |
Cluster deployment for Snort changes now completes faster. Also, when a cluster has an event that causes a management center deployment to fail, the failure now occurs more quickly. New/Modified screens: none. |
||
|
Improved cluster management. |
20220609 |
7.0.3 |
Management Center has improved cluster management functionality that formerly you could only accomplish using the CLI, including:
New/Modified screens:
Supported platforms: Firepower 4100/9300 |
||
|
Multi-instance clustering. |
20220609 |
7.0.3 |
You can now create a cluster using container instances. On the Firepower 9300, you must include one container instance on each module in the cluster. You cannot add more than one container instance to the cluster per security engine/module. We recommend that you use the same security module or chassis model for each cluster instance. However, you can mix and match container instances on different Firepower 9300 security module types or Firepower 4100 models in the same cluster if required. You cannot mix Firepower 9300 and 4100 instances in the same cluster. New/Modified FXOS commands: set port-type cluster New/modified Firepower Chassis Manager screens:
Supported platforms: threat defense on the Firepower 4100/9300 |
||
|
Configuration sync to data units in parallel. |
20220609 |
7.0.3 |
The control unit now syncs configuration changes with data units in parallel by default. Formerly, synching occurred sequentially. New/Modified screens: none. |
||
|
Messages for cluster join failure or eviction added to show cluster history . |
20220609 |
7.0.3 |
New messages were added to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster. New/Modified commands: show cluster history New/Modified screens: none. |
||
|
Initiator and responder information for Dead Connection Detection (DCD), and DCD support in a cluster. |
20220609 |
7.0.3 |
If you enable Dead Connection Detection (DCD), you can use the show conn detail command to get information about the initiator and responder. Dead Connection Detection allows you to maintain an inactive connection, and the show conn output tells you how often the endpoints have been probed. In addition, DCD is now supported in a cluster. New/Modified commands: show conn (output only). Supported platforms: threat defense on the Firepower 4100/9300 |
||
|
Adding clusters is easier. |
20220609 |
7.0.3 |
You can now add any unit of a cluster to the management center, and the other cluster units are detected automatically. Formerly, you had to add each cluster unit as a separate device, and then group them into a cluster. Adding a cluster unit is also now automatic. Note that you must delete a unit manually. New/Modified screens: > Add drop-down menu > Device > Add Device dialog box > Cluster tab > General area > Cluster Registration Status > Current Cluster Summary link > Cluster Status dialog box Supported platforms: threat defense on the Firepower 4100/9300 |
||
|
Support for site-to-site VPN with clustering as a centralized feature. |
20220609 |
7.0.3 |
You can now configure site-to-site VPN with clustering. Site-to-site VPN is a centralized feature; only the control unit supports VPN connections. Supported platforms: threat defense on the Firepower 4100/9300 |
||
|
Automatically rejoin the cluster after an internal failure. |
20220609 |
7.0.3 |
Formerly, many internal error conditions caused a cluster unit to be removed from the cluster, and you were required to manually rejoin the cluster after resolving the issue. Now, a unit will attempt to rejoin the cluster automatically at the following intervals: 5 minutes, 10 minutes, and then 20 minutes. Internal failures include: application sync timeout; inconsistent application statuses; and so on. New/Modified command: show cluster info auto-join No modified screens. Supported platforms: threat defense on the Firepower 4100/9300 |
||
|
Clustering on multiple chassis for 6 modules; Firepower 4100 support. |
20220609 |
7.0.3 |
With FXOS 2.1.1, you can now enable clustering on multiple chassis of the Firepower 9300 and 4100. For the Firepower 9300, you can include up to 6 modules. For example, you can use 1 module in 6 chassis, or 2 modules in 3 chassis, or any combination that provides a maximum of 6 modules. For the Firepower 4100, you can include up to 6 chassis.
No modified screens. Supported platforms: threat defense on the Firepower 4100/9300 |
||
|
Clustering on multiple modules with one Firepower 9300 chassis. |
20220609 |
7.0.3 |
You can cluster up to 3 security modules within the Firepower 9300 chassis. All modules in the chassis must belong to the cluster. New/Modified screens:
Supported platforms: threat defense on the Firepower 9300 |
)