Cisco Firepower 2100 HA Configuration Guide

The document outlines the configuration and requirements for setting up High Availability (HA) in Cisco Firepower devices, emphasizing the need for identical hardware and proper cabling for failover links. It details the roles of primary and secondary units in an active/standby configuration, including the synchronization of settings and state information. Additionally, it provides step-by-step instructions for initial configurations, adding devices to the management console, and testing the HA setup.


High Availability (HA):

A high availability (HA), or failover, configuration joins two devices into a primary/secondary
setup so that if the primary device fails, the secondary automatically takes over. Configuring
High Availability, sometimes called Failover, requires two identical FMCs, Firepower Appliances
or Firepower Threat Defense devices that are connected to each other through a dedicated link.
Cisco’s Firepower appliances and Firepower Threat Defense support active/standby failover,
where one unit is the active unit that passes traffic. The standby unit does not actively pass
traffic; instead it synchronizes configuration and other state information from the active unit. If
the active unit fails, it fails over to the standby unit, which then becomes the active unit. When
establishing an Active/Standby High Availability pair, you designate one of the devices as
primary and the other as secondary. The system applies a merged configuration to the paired
devices. If there is a conflict, the system applies the configuration from the device you
designated as primary.

Requirements:
The two units in a High Availability configuration must be exactly the same model with exactly
the same interfaces, the same hardware, the same software version and the same IPS version,
and they must run in the same firewall mode. In an HA configuration, each Firepower Threat
Defense device must have the same licenses, the same model, the same type and number of
interfaces, the same domain and group, and the same NTP configuration; both must run the
same software version, have normal health status, be fully deployed with no uncommitted
changes, and have no DHCP or PPPoE configured on any interface.

Selection of Active:
If a unit boots and detects a peer already running as active, it becomes the standby unit. If a
unit boots and does not detect a peer, it becomes the active unit. If both units boot
simultaneously, the primary unit becomes the active unit and the secondary unit becomes the
standby unit.

Role of Active/Standby:
The units form an active/standby pair, where the primary unit is the active unit and passes
traffic. The secondary unit does not actively pass traffic, but synchronizes configuration and
other state information from the active unit. The two units communicate over the failover link
to determine the operating status of each unit.

HA Cabling:
Both FTDs should be connected together through dedicated cables for High Availability (HA),
using the same interfaces on both devices. The FTD requires a “Failover Link” and a “State Link”.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@[Link] , Mobile: 056 430 3717


Failover Link:
The failover link is a dedicated connection between the two units. You can use any unused data
interface (physical, redundant, or EtherChannel) as the failover link; however, you cannot select
an interface that is currently configured with a name, and you must not use a subinterface as the
failover link. The two units in a failover pair constantly communicate over the failover link to
determine the operating status of each unit and to synchronize configuration changes. The
following information is exchanged over the failover link: the unit state (active or standby),
Hello messages (keep-alives), network link status, MAC address exchange, and configuration
replication and synchronization. The failover link interface is not configured as a normal
networking interface; it exists for failover communication only, and it cannot be used for
anything other than the failover link.

Stateful Link:
The active unit uses the state link to pass connection state information to the standby device.
The stateful failover link is used to sync application content between the peers. This means that
the standby unit can maintain certain types of connections without impacting the user, because
this information helps the standby unit maintain existing connections when a failover occurs.
Using a single link for both the failover and stateful failover links is the best way to conserve
interfaces. However, if you have a large configuration and a high-traffic network, you should
consider a dedicated interface for the state link and a separate one for the failover link. You can
use a dedicated data interface for the state link.

Primary/Secondary Roles and Active/Standby Status:


When setting up Active/Standby failover, you configure one unit to be primary and the other to
be secondary. During configuration, the primary unit's policies are synchronized to the secondary
unit. At this point, the two units act as a single device for device and policy configuration.
However, for events, dashboards, reports and health monitoring, they continue to display as
separate devices. The main differences between the two units in a failover pair are related to
which unit is active and which unit is standby, namely which IP addresses to use and which unit
actively passes traffic.

Active/Standby Failover Model:


In an Active-Standby failover configuration, the primary firewall is always active and the
secondary is in standby mode. In this model, only one of the firewalls is responsible for
processing traffic. When the primary Cisco FTD firewall fails, the secondary firewall takes over.
Configuration and stateful network information is synchronized from the primary.

Active/Active Failover Model:


Firepower appliances running FTD do not support Active/Active High Availability (HA).

HA Active/Standby Lab Time:

Device Name                 Configuration

PC1 Docker Configuration    ip addr add [Link]/24 dev eth0 || true
                            ip route add default via [Link] || true
                            cat > /etc/[Link] <<EOF
                            nameserver [Link]
                            EOF

PC2 Docker Configuration    ip addr add [Link]/24 dev eth0 || true
                            ip route add default via [Link] || true
                            cat > /etc/[Link] <<EOF
                            nameserver [Link]
                            EOF

Internet NAT Cloud          [Link]
                            [Link]
                            [Link]

Cisco FTD1 Initial Configuration:
After Cisco FTD1 has booted properly (this may take 30 minutes or more), the login page appears
with the default admin/Admin123 credentials and a EULA to accept:

After accepting the EULA, configure a new password, IPv4 address, mask, gateway, hostname, DNS
servers, domain name and firewall mode (routed or transparent); in this case we use routed mode.

Next we need to add managers on Cisco Firepower Threat Defense (FTD).

Cisco FTD2 Initial Configuration:


After Cisco FTD2 has booted properly (this may take 30 minutes or more), the login page appears
with the default admin/Admin123 credentials and a EULA to accept:

After accepting the EULA, configure a new password, IPv4 address, mask, gateway, hostname, DNS
servers, domain name and firewall mode (routed or transparent); in this case we use routed mode.

Next we need to add managers on Cisco Firepower Threat Defense (FTD).

Cisco FMC Initial Configuration:
Log in to the FMC with the default username (admin) and default password (Admin123).

Enter the command: # sudo configure-network, then enter the password: Admin123


Enter "y" key and press enter button.

Enter Management IP address: [Link] & Enter Management netmask: [Link]


Enter the default gateway: [Link]. Confirm that the settings are correct by pressing "y" and
then Enter; for IPv6 press "n".

Enter the URL [Link] in a browser and click "Proceed to [Link]". Enter the
Username (admin) and Password (Admin123) and click the Login button.

Enter the New Password: Abc@abc1 and Confirm: Abc@abc1

Configure the Hostname, primary DNS server, secondary DNS server, NTP, etc., and click Finish.

Click "Start 90-day evaluation period without registration" and click the Save button.

After verifying basic connectivity (ping from the FMC to the FTD) we can add FTD1 to the FMC:
Devices -> Device Management -> Add -> Add Device. Under Access Control Policy select
ACP-Policy, a blank policy whose default action at the end is Block all traffic. Enable the
Threat license for IPS features:

In the same way, add the second Cisco FTD to the Cisco FMC: Devices -> Device Management ->
Add -> Add Device. Under Access Control Policy select ACP-Policy, a blank policy whose default
action at the end is Block all traffic. Enable the Threat license for IPS features:

To configure FTD failover, navigate to Devices > Device Management and select Add High
Availability.

Give the HA pair a name and select the FTD devices that will function as the Primary Peer and
the Secondary Peer in the HA group.

On the next window, a warning message states that traffic will be temporarily interrupted; click
Yes.

On the next window, select the interfaces that will be used for the HA link and the state link,
populate the details and click Add.

A reminder about Interface Monitoring and Health policies will be shown.

Wait a few minutes for the HA configuration to be deployed.

The status of the HA pair can also be verified from the CLI:

> show high-availability config

Once the HA configuration is deployed successfully, the two FTDs function as an Active-Passive
pair.

The next step is to configure the interfaces. Navigate to Devices > Device Management, select
the appropriate HA group, select Edit and go to Interfaces. Specify a Name and tick Enabled for
the interface. Select the Security Zone from the dropdown.

On the IPv4 tab, assign the IP address for the inside subnet, in this case [Link]/24.

Similarly, for interface G0/1, specify a Name and tick Enabled for the interface.

On the IPv4 tab, assign the IP address for the inside subnet, in this case [Link]/24.

Navigate to High Availability, select the interface name (in this case the Inside interface) and
click Edit to add the standby IP address, in our case [Link].

Navigate to High Availability, select the interface name (in this case the Outside interface) and
click Edit to add the standby IP address, in our case [Link].

Navigate to High Availability > Routing and click the Routing tab. Select Static Route from the
table of contents and click Add Routes. Click the IPv4 radio button, depending on the type of
static route that you are adding. Choose the interface to which this static route applies, in this
case the Outside interface. In the Available Network list, choose the destination network. To
define a default route, create an object with the address [Link]/0 and select it here. In the
Gateway field, enter or choose the gateway router that is the next hop for this route; you can
provide an IP address or a Networks/Hosts object. Click OK.

Choose Policies > Access Control, Click New Policy. Enter a unique Name. To add a new rule,
click Add Rule. Enter a Name. Enabled—Specify whether the rule is Enabled. Action—Choose a
rule Action. In Zones tab select Source Zone and Destination Zone.

In the Networks Tab select Source Networks and set Destination Networks to any.

In Inspection tab from Intrusion Policy select Security Over Connectivity.

In Logging Tab enable Log at Beginning of Connection and Click Add.

Select Devices > NAT. Click New Policy > Threat Defense NAT to create a new policy. Give the
policy a name, optionally assign devices to it, and click Save. Click the Add Rule button to create
a new rule. NAT Rule—Select Auto NAT Rule. Type—Select Dynamic. On the Interface Objects
tab, select the Source Interface Objects and Destination Interface Objects (the security zones).

On the Translation tab, configure Original Source—The network object that contains the
addresses you are translating. Translated Source—The network object or group that contains
the mapped addresses. Click Save to add the rule.

After you configure the changes, select Save and Deploy.

Testing and Verification:

Let’s check the IP address and default route of PC1 on the inside network.

Let’s try to access any website and also ping an outside Internet IP, in this case [Link].

From the FMC, switch the failover roles from Primary/Active, Secondary/Standby to
Primary/Standby, Secondary/Active.

Confirm the action in the pop-up window.

You can also verify the switch in the output of the > show failover history command. After the
verification, make the primary unit active again.
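The CLI checks above (show high-availability config, and the role switch verified with show failover) can be turned into a small health check. The following Python is an added example, not part of this guide or of Cisco's tooling; the sample text is constructed and modelled on the summary lines of the FTD/ASA show failover output, so the field names it parses are an assumption to confirm against your own devices.

```python
import re

# Constructed sample modelled on the summary lines of the FTD/ASA "show failover"
# output; it was not captured from the lab in this guide.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
        This host: Primary - Active
        Other host: Secondary - Standby Ready
Stateful Failover Logical Update Statistics
        Link : STATE GigabitEthernet0/3 (up)
"""

def parse_failover(text):
    """Extract the fields an HA health check needs from show failover output."""
    status = {"failover_on": None, "this": None, "other": None,
              "lan_link_up": None, "state_link_up": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover O"):          # "Failover On" / "Failover Off"
            status["failover_on"] = line == "Failover On"
        m = re.match(r"(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+)$", line)
        if m:                                       # e.g. ("Primary", "Active")
            status[m.group(1).lower()] = (m.group(2), m.group(3).strip())
        m = re.match(r"Failover LAN Interface:.*\((up|down)\)", line)
        if m:
            status["lan_link_up"] = m.group(1) == "up"
        m = re.match(r"Link\s*:.*\((up|down)\)", line)  # the state link line
        if m:
            status["state_link_up"] = m.group(1) == "up"
    return status

def check_pair(status, expect_primary_active=True):
    """Return findings; an empty list means the pair is in the expected state."""
    findings = []
    if not status["failover_on"]:
        findings.append("failover is not enabled")
    for key, label in (("lan_link_up", "failover link"), ("state_link_up", "state link")):
        if status[key] is not True:
            findings.append(f"{label} is not reported up")
    roles = dict(v for v in (status["this"], status["other"]) if v)
    want = {"Primary": "Active", "Secondary": "Standby Ready"}
    if not expect_primary_active:          # roles expected after the manual switch from the FMC
        want = {"Primary": "Standby Ready", "Secondary": "Active"}
    for unit, state in want.items():
        if roles.get(unit) != state:
            findings.append(f"{unit} is {roles.get(unit, 'missing')}, expected {state}")
    return findings
```

Run check_pair with expect_primary_active=False while the roles are switched, and with the default again after the primary has been made active, so that a stuck standby or a failed link is reported rather than assumed healthy.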
