Replace a Failed Primary Cloud-Delivered Firewall Management Center (Successful Backup)

Two Cloud-Delivered Firewall Management Centers, FMC1 and FMC2, are part of a high availability pair. FMC1 is the primary and FMC2 is the secondary. This task describes the steps to replace a failed primary Cloud-Delivered Firewall Management Center, FMC1, when data backup from the primary is successful.

Before you begin

Verify that the data backup from the failed primary Cloud-Delivered Firewall Management Center is successful.

Procedure


Step 1

Contact Support to request a replacement for the failed Cloud-Delivered Firewall Management Center - FMC1.

Step 2

When the primary Cloud-Delivered Firewall Management Center - FMC1 fails, access the web interface of the secondary Cloud-Delivered Firewall Management Center - FMC2 and switch peers. For more information, see Switching Peers in the Cloud-Delivered Firewall Management Center High Availability Pair.

This promotes the secondary Cloud-Delivered Firewall Management Center - FMC2 to active.

You can use FMC2 as the active Cloud-Delivered Firewall Management Center until the primary Cloud-Delivered Firewall Management Center - FMC1 is replaced.

Caution

Do not break Cloud-Delivered Firewall Management Center high availability from FMC2. Doing so removes the licenses that were synced to FMC2 from FMC1 (before the failure), and you will be unable to perform any deploy actions from FMC2.

Step 3

Reimage the replacement Cloud-Delivered Firewall Management Center with the same software version as FMC1.

Step 4

Restore the data backup retrieved from FMC1 to the new Cloud-Delivered Firewall Management Center.

Step 5

Install required Cloud-Delivered Firewall Management Center patches, geolocation database (GeoDB) updates, vulnerability database (VDB) updates and system software updates to match FMC2.

The new Cloud-Delivered Firewall Management Center and FMC2 will now both be active peers, resulting in a high availability split-brain.

Step 6

When the Cloud-Delivered Firewall Management Center web interface prompts you to choose an active appliance, select FMC2 as active.

This syncs the latest configuration from FMC2 to the new Cloud-Delivered Firewall Management Center - FMC1.

Step 7

When the configuration syncs successfully, access the web interface of the secondary Cloud-Delivered Firewall Management Center - FMC2 and switch roles to make the primary Cloud-Delivered Firewall Management Center - FMC1 active. For more information, see Switching Peers in the Cloud-Delivered Firewall Management Center High Availability Pair.


What to do next

High availability has now been re-established and the primary and the secondary Cloud-Delivered Firewall Management Centers will now work as expected.