Using Management Center for Firewalls 1.2
Configuring Failover

Table of Contents

Configuring Failover
Important Note about Deployment Errors and Failover
Configuring PIX Firewall Failover Pairs
Configuring FWSM Failover Pairs
Configuring Failover Settings in Firewall MC

Configuring Failover


Failover allows you to configure two firewall devices so that one will take over operation if the other fails. Failover requires that you purchase a second firewall device (sold as a failover device) that works only as a failover device. You must ensure that both devices have the same version of software, type of activation key, RAM, and amount of Flash memory. When configuring failover pairs using Firewall MC, you must:

1. Enable workflow in Firewall MC.

2. Configure Firewall MC to continue with deployment when errors are detected.

3. Prepare the failover pair.

4. Configure the failover settings in GUI.

5. Generate commands.

6. Bootstrap devices.

7. Publish command sets.

This discussion describes tasks 2 through 6.


Note   While you can configure failover with workflow not enabled, you will not be able to access the properly formatted bootstrap information. If you choose not to enable workflow, you must find and remove the comments from the bootstrap settings in the generated commands. You can review all generated commands using Configuration > View Config.

Important Note about Deployment Errors and Failover

If you are configuring failover, we recommend that you change the Firewall MC Controls setting to continue on error during deployment. To change the Firewall MC setting, select Configuration > MC Settings > Management. Locate the element "On Deployment Error," click the Continue radio button, then click Apply.

We also recommend that you do not select Reboot on deployment error. If you create a failover network environment (using Firewall MC or manually) and enter a random or invalid command on the active failover unit, the command is immediately replicated to the standby unit without your having to enter a write memory command. Such a command also generates an error.

In a non-failover configuration, you could reboot the active unit to restore the device to its previous known working configuration. However, in the failover configuration, when you reboot the active unit, it returns to service in standby mode. The previous standby unit is now active and it pushes the erroneous commands it received from the previous active unit to the new standby unit. As a result, reloading the device does not restore the configuration to its previous condition in a failover scenario. Instead, it has an incomplete configuration.

Selecting the option to continue if deployment errors occur restores the configuration to its previous condition in this environment.

Configuring PIX Firewall Failover Pairs

You can use Firewall MC to manage PIX Firewalls that are configured for failover. By configuring PIX Firewalls for failover, you can protect critical entry points to your network if the first PIX Firewall fails. If the first PIX Firewall fails, the second PIX Firewall takes over the duties of the first.

In a failover configuration, two PIX Firewalls communicate failover information through a failover link. This failover link can be either a LAN-based connection or a serial failover cable that connects the two firewalls. The active firewall handles all network traffic that passes through the failover pair. The standby firewall does not handle network traffic until a failure occurs on the active firewall. When a failure occurs, the standby PIX Firewall assumes the role of the active firewall.

For both types of failover links, the PIX Firewall supports two modes of failover: stateless failover and stateful failover. The default mode is stateless failover.

With stateless failover, when the standby PIX Firewall becomes active it assumes the IP and MAC addresses of the previously active firewall. If you enter show ip address at the command prompt on the active PIX Firewall, you see two sets of System IP Addresses; the first set contains the IP addresses originally assigned to the firewall's interfaces. The second set of IP addresses, called Current IP Addresses, contains the IP addresses obtained from the failed firewall. These are the IP addresses the firewall uses in the running configuration.

The term failover interface refers to any interface that is enabled and has a failover IP address assigned to it. The corresponding interfaces between the failover pair exchange hello messages to determine if the peer is operational. If, after a specified period of time, the standby firewall detects that the active firewall's link does not respond, the standby firewall becomes the active firewall. It assumes the assigned system IP addresses and the previously active firewall (now the standby firewall) assumes the failover IP addresses.

Because network devices see no change in the IP or MAC addresses, ARP entries do not change or time out anywhere on the network. Any open connections, however, are terminated. Those connections must be reestablished before the sessions can continue.

Stateful failover is similar to stateless failover. When the standby PIX Firewall becomes active, it assumes the IP and MAC addresses of the previously active firewall. As in stateless failover, the change in the firewall is not visible to other network devices. However, with stateful failover, connection states are transferred to the standby PIX Firewall. Applications with open connections during failover do not have to reconnect the communication session.

The following information is copied to the standby PIX Firewall when stateful failover is enabled:

  • Configuration.
  • TCP (except for HTTP) connection table including the timeout information of each connection.
  • Translation (xlate) table.
  • System clock.

The following information is not copied to the standby PIX Firewall when stateful failover is enabled:

  • HTTP connection table.
  • User authentication (uauth) table.
  • ISAKMP and IPSec SA table.
  • ARP table.
  • Routing information.

To use Firewall MC to manage PIX Firewalls in a failover configuration, you need to import and define the settings for the active PIX Firewall. You do not need to represent the standby PIX Firewall in the Firewall MC GUI.

Because you do not represent the standby PIX Firewall in the Firewall MC GUI, you cannot distribute command sets directly to it. However, the standby PIX Firewall receives the command set from the active PIX Firewall over the failover link. The active PIX Firewall synchronizes the standby PIX Firewall as it receives each command.

One benefit of the way Firewall MC models two PIX Firewalls in a failover configuration is that you can easily turn a single PIX Firewall configuration into a failover configuration: you add the standby PIX Firewall to the existing network, physically connect it to the active PIX Firewall, and make a few modifications to the existing PIX Firewall settings in Firewall MC. Because the standby PIX Firewall receives its command set from the active PIX Firewall, instead of from Firewall MC, you should experience little or no change in the command distribution time.

Configuring a PIX Firewall for Serial Failover

You can use Firewall MC to configure PIX Firewalls to operate in serial failover mode. In failover mode, whenever PIX Firewall hardware or software fails, the firewall transfers all operations to a standby PIX Firewall over a serial failover cable connecting the two firewalls. You can configure the PIX Firewall to transfer state information as well.

Failover mode detects when a network failure occurs or when the PIX Firewall experiences a hardware or software error that prevents it from transferring network packets. In a failover configuration, a second PIX Firewall acts as a standby in the case of such failures and takes over the responsibilities and configuration settings of the active PIX Firewall.


Caution   If you are managing firewalls that are configured for failover (serial or LAN), you cannot use the AutoUpdate server with those firewalls. You must deploy directly to the firewalls from Firewall MC. Otherwise, the firewalls will not operate in failover mode.

To configure a PIX Firewall for serial failover:

  Action  Result 
Step 1 

Verify that you have two devices that can be used in a failover configuration.

For failover, both PIX Firewalls must be identical:

  • Model number.
  • Number and type of interfaces in same slot configuration.
  • Amount of RAM.
  • Flash memory size.
  • OS Software version.
  • License to operate in failover mode.
    • The primary firewall must have an unrestricted license.
    • The secondary firewall must have either an unrestricted license or a failover license.
    • If the primary firewall has a DES/3DES license, the secondary must also have one.
Step 2 

Ensure that you have connected all enabled interfaces between the primary and secondary firewalls.

All enabled interfaces are connected to the correct networks.

Step 3 

Physically connect the standby PIX Firewall to the network and to the active PIX Firewall using the serial failover cable. Ensure that the appropriate end of the serial cable is connected to the corresponding firewall—primary connected to primary and secondary connected to secondary.

The physical configuration of the two failover devices is detailed in Configuration Guide for the PIX Firewall, which shipped with your product.

Step 4 

From the console, bootstrap the primary device with the basic information and the pre-configuration setup commands. See Bootstrapping an Existing PIX Firewall or Bootstrapping a New PIX Firewall.

Note For serial failover, only the primary device should be bootstrapped with a configuration, using the write standby command to synchronize the configuration to the secondary.

The primary PIX Firewall is configured to enable Firewall MC to communicate with it over the network.

Step 5 

From the console connected to the primary firewall, enable each interface that will participate in failover by using the interface ethernet# speed command, then use the write memory command to save your changes.

Note We recommend that you do not use the auto or 1000auto option for the speed argument. You should specify the actual speed of the interface.

Correct:

interface ethernet0 10basetx
interface ethernet1 100basetx

Incorrect:

interface ethernet0 auto
interface ethernet1 1000auto

The primary firewall has all interfaces enabled. When Firewall MC imports the configuration file from the primary firewall, it can discover the interfaces.

Step 6 

Ensure that you have assigned IP addresses to all of the enabled interfaces installed in the primary firewall.

All enabled interfaces have IP addresses assigned to them.

Step 7 

From Firewall MC, create an activity and import the configuration files from the PIX Firewall that will be designated as the primary firewall.

Note Do not import the device that will be designated as the secondary firewall. All configuration information on the standby PIX Firewall is received from the active PIX Firewall.

The primary firewall is modeled in Firewall MC and the activity is submitted and approved.

Step 8 

Create an activity and configure the Configuration > Device Settings > Interfaces and Configuration > Device Settings > Failover settings for the primary firewall.

Note Do not enable LAN-based failover.

See Configuring Failover Settings in Firewall MC.

The Firewall MC has the basic configuration of the primary firewall (such as which networks it is attached to) and failover is enabled.

Step 9 

Under Configuration > MC Settings > Deployment, select the Direct to device option on the Deployment control page.

Commands that are deployed to the PIX Firewall by Firewall MC will be deployed directly to the device.

Step 10 

Under Configuration > Device Settings > Config Additions > Ending Commands, enter write standby as the last command.

When deployed to the primary firewall (active), this command initiates replication between the two firewalls and forces the active firewall to synchronize its configuration to the standby firewall.

Step 11 

Generate the command sets for the primary firewall by approving the activity you created in the previous step.

Note Because LAN-based failover is not enabled, no bootstrap commands are generated.

Firewall MC generates the commands for the primary firewall.

Step 12 

Create a job, select the previously approved activity and the primary firewall as the device to deploy, then click Next.

The Review Devices page appears, which is the fourth page in the Job Wizard.

Step 13 

Deploy the generated commands directly to the primary firewall.

Because the device that is designated as the primary firewall was not rebooted, it becomes the active firewall. When the secondary firewall returns to service, it becomes the standby firewall and receives its updated configuration from the active firewall.

Step 14 

Reboot the secondary firewall.

Note After you perform this procedure, we recommend that you remove the write standby command from Ending Commands on the active firewall.

The secondary firewall returns to service as the standby firewall.

Bootstrapping a PIX Firewall for LAN-based Failover

For PIX Firewalls running version 6.2 and later, you can configure LAN-based failover. Firewall MC allows you to manage LAN-based failover settings, such as message encryption and authentication using a manual pre-shared key; however, you must bootstrap both firewalls before you can manage these configurations.


Caution   If you are managing firewalls that are configured for failover (serial or LAN), you cannot use the AutoUpdate server with those firewalls. You must deploy directly to the firewalls from Firewall MC.

This section presents task flows for the following:

  • Migrating from Serial to LAN-Based Failover for PIX Firewall
  • Bootstrapping a LAN-Based Failover Pair of PIX Firewalls

Migrating from Serial to LAN-Based Failover for PIX Firewall

You can use Firewall MC to migrate a failover pair from serial to LAN-based failover. The following procedure steps you through the process required to prepare the firewall pair and configure Firewall MC.

  Action  Result 
Step 1 

Using Firewall MC, create an activity and import the configuration files from the active PIX Firewall.

Note Do not import the standby firewall.

The active firewall is modeled in Firewall MC and the activity is submitted and approved. For the remainder of this procedure, the active firewall is the primary firewall.

Step 2 

Create an activity and configure the settings under Configuration > Device Settings > Failover for the primary firewall. Specifically, you must select Enable LAN-based failover and configure the settings under this area.

See Configuring Failover Settings in Firewall MC.

The Firewall MC has the basic configuration of the primary firewall (such as which networks it is attached to) as well as the LAN failover connection settings, such as which interface to use as the failover interface.

Step 3 

Under Configuration > MC Controls > Deployment, select the Direct to device option on the Deployment control page.

Commands that are deployed to the PIX Firewall by Firewall MC will be deployed directly to the device.

Step 4 

Generate the command sets for the primary and secondary firewalls by approving the activity you created in the previous step.

Firewall MC generates the commands for the primary and secondary firewalls.

Step 5 

Create a job, select the previously approved activity and the primary firewall as the device to deploy, then click Next.

The Review Devices page appears, which is the fourth page in the Job Wizard. At the bottom of the Review Devices page, the message Warning: Device needs to be manually configured for LAN-based failover! appears.

This message means you must manually prepare both the primary and secondary firewalls with LAN failover-specific bootstrap commands before you can deploy the remaining commands to the primary firewall.

Step 6 

Disconnect the corresponding interfaces on the LAN failover pair (for example, the corresponding DMZ interfaces on each firewall).

These corresponding interfaces on the two firewalls are designated as the LAN failover link.

All enabled interfaces are connected to the correct networks other than the interface to be used in the LAN failover link (these interfaces are not connected).

Step 7 

To view the commands that must be manually applied to the primary and secondary firewalls, click the manually configured link in Firewall MC.

A window lists all failover pairs that require bootstrap configurations.

Step 8 

From the list of failover pairs, select the appropriate failover pair devices and click View Bootstrap Commands.

The Bootstrap Commands page appears. It contains the bootstrap commands for the primary firewall at the top and those for the secondary firewall at the bottom.

Step 9 

From the console, determine which firewall is active by using the show failover command.

The active firewall is the firewall to which you apply the primary bootstrap commands.

Step 10 

Through a console session to the active firewall, cut and paste the generated bootstrap commands for the primary firewall, then enter the write memory command.

The primary firewall is bootstrapped for LAN-based failover.

Step 11 

Through a console session to the standby firewall, cut and paste the generated bootstrap commands for the secondary firewall, then enter the write memory command.

The secondary firewall is bootstrapped for LAN-based failover and will receive its full configuration from the primary firewall when the LAN failover connection is established.

Step 12 

Connect the interfaces that you will use as your LAN failover link (physical connection).

-

Step 13 

Reboot the secondary firewall. While it is rebooting, disconnect the serial failover cable.

The secondary firewall returns to service as the standby firewall and the serial failover cable is disconnected.

Step 14 

After the secondary firewall returns to service, deploy the remaining generated commands (those not related to LAN failover) directly to the primary firewall.

Because the device that is designated as the primary firewall was not rebooted, it becomes the active firewall. When the secondary firewall returns to service, it becomes the standby firewall and receives its updated configuration from the active firewall.

Bootstrapping a LAN-Based Failover Pair of PIX Firewalls

The process of enabling failover includes using CLI-based configuration commands and commands generated by Firewall MC. This procedure describes what tasks must be performed.

After you bootstrap the failover pair (complete this task flow) for the first time, do not be concerned that the generated commands refer to primary and secondary firewalls. The firewalls are designated primary and secondary because the PIX Firewalls require this designation initially. If both firewalls are rebooted simultaneously, the primary firewall always assumes the role of the active firewall and the secondary firewall always assumes the role of the standby firewall.

In this task, you force this designation by rebooting the secondary firewall, which is a one-time operation. After the first bootstrap, if you make changes to your LAN failover settings, you must always cut and paste the respective Firewall MC generated configurations directly to the active and standby firewalls from a console session. You can determine which firewall is active or standby by using the show failover command at the console.

  Action  Result 
Step 1 

Verify that you have two devices that can be used in a failover configuration.

For failover, both PIX Firewalls must be identical:

  • Model number.
  • Number and type of interfaces in same slot configuration.
  • Amount of RAM.
  • Flash memory size.
  • OS Software version.
  • License to operate in failover mode.
    • The primary firewall must have an unrestricted license.
    • The secondary firewall must have either an unrestricted license or a failover license.
    • If the primary firewall has a DES/3DES license, the secondary must also have one.
Step 2 

Ensure that you have connected all enabled interfaces between the primary and secondary firewalls, with the exception of the interfaces to be used as the LAN failover link (for example, the corresponding DMZ interfaces on each firewall).

All enabled interfaces are connected to the correct networks other than the interface to be used in the LAN failover link (these interfaces are not connected).

Step 3 

From the console, bootstrap both the primary and secondary devices with the basic information and the pre-configuration setup commands. See Bootstrapping an Existing PIX Firewall or Bootstrapping a New PIX Firewall.

The primary and secondary PIX Firewalls are configured to allow Firewall MC to communicate with them over the network.

Step 4 

From the console connected to the primary firewall, enable each interface that will participate in LAN-based failover using the interface ethernet# speed command, then use the write memory command to save your changes.

Note We recommend that you do not use the auto or 1000auto option for the speed argument. You should specify the actual speed of the interface.

Correct:

interface ethernet0 10basetx
interface ethernet1 100basetx

Incorrect:

interface ethernet0 auto
interface ethernet1 1000auto

The primary firewall has all interfaces enabled. When Firewall MC imports the configuration file from the primary firewall, it can discover the interfaces.

Step 5 

Ensure that you have assigned IP addresses to all of the enabled interfaces installed in the primary firewall.

All enabled interfaces have IP addresses assigned to them.

Step 6 

For the LAN failover interface in the secondary firewall, enable it and assign it an IP address that is on the same subnet as the failover interface in the primary firewall.

The failover interface on the secondary device is enabled and has an IP address on the same subnet as the failover interface on the primary device.

Step 7 

Using Firewall MC, create an activity and import the configuration files from the PIX Firewall that will be designated as the primary firewall.

Note Do not import the device that will be designated as the secondary firewall.

The primary firewall is modeled in Firewall MC and the activity is submitted and approved.

Step 8 

Create an activity and configure the Configuration > Device Settings > Interfaces and Configuration > Device Settings > Failover settings for the primary firewall. Specifically, you need to select Enable LAN-based failover and configure the settings under this area.

See Configuring Failover Settings in Firewall MC.

Firewall MC has the basic configuration of the primary firewall (such as which networks it is attached to) as well as the LAN failover connection settings, such as which interface to use as the failover interface.

Step 9 

Under Configuration > MC Settings > Deployment, select the Direct to device option on the Deployment control page.

Commands that are deployed to the PIX Firewall by Firewall MC will be deployed directly to the device.

Step 10 

Generate the command sets for the primary and secondary firewalls by approving the activity you created in the previous step.

Firewall MC generates the commands for the primary and secondary firewalls.

Step 11 

Create a job, select the previously approved activity and the primary firewall as the device to deploy, then click Next.

The Review Devices page appears, which is the fourth page in the Job Wizard. At the bottom of the Review Devices page, the message Warning: Device needs to be manually configured for LAN-based failover! appears.

This message means you must manually prepare both the primary and secondary firewalls with LAN failover-specific bootstrap commands before you can deploy the remaining commands to the primary firewall.

Step 12 

To view the commands that must be manually applied to the primary and secondary firewalls, click the manually configured link.

A dialog box appears that lists all failover pairs that require bootstrap configurations.

Step 13 

From the list of failover pairs, select the appropriate failover pair devices and click View Bootstrap Commands.

The Bootstrap Commands dialog box appears. It contains the bootstrap commands for the primary firewall at the top and those for the secondary firewall at the bottom.

Step 14 

Through a console session to the primary firewall, cut and paste the generated bootstrap commands for this device, then enter the write memory command.

The primary firewall is bootstrapped for LAN-based failover.

Step 15 

Through a console session to the secondary firewall, cut and paste the generated bootstrap commands for this device, then enter the write memory command.

The secondary firewall is bootstrapped for LAN-based failover and will receive its full configuration from the primary firewall when the LAN failover connection is established.

Step 16 

Connect the interfaces that you will use as your LAN failover link (physical connection).

-

Step 17 

Reboot the secondary firewall.

The secondary firewall returns to service as the standby firewall.

Step 18 

After the secondary firewall returns to service, deploy the remaining generated commands (non-LAN failover related) directly to the primary firewall.

Tip We recommend that you wait a few minutes after the secondary firewall returns to service before deploying the remaining commands. This time allows the firewalls to initialize their failover settings.

Because the device that is designated as the primary firewall was not rebooted, it becomes the active firewall. When the secondary firewall returns to service, it becomes the standby firewall and receives its updated configuration from the active firewall.
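A pre-deployment check for the Step 1 parity checklist, the interface speed note in Step 4 (Step 5 of the serial procedure), and the serial procedure's write standby Ending Command, as an added Python example that is not Firewall MC or Cisco code. The PixInventory record and the sample values are constructed for this example, not parsed from real show version output; the checks themselves follow the rules stated in the steps above.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Sequence, Tuple


# Inventory for one PIX Firewall. Hypothetical structure for this example:
# in practice you would fill it from the unit's own version/license output.
@dataclass(frozen=True)
class PixInventory:
    name: str
    model: str
    interfaces: Tuple[str, ...]   # interface type per slot, in slot order
    ram_mb: int
    flash_mb: int
    os_version: str
    license: str                  # "unrestricted", "restricted" or "failover"
    des_3des: bool                # DES/3DES license present


# Attributes that must be identical on both units (Step 1 checklist).
MUST_MATCH = (
    ("model", "Model number"),
    ("interfaces", "Number and type of interfaces per slot"),
    ("ram_mb", "Amount of RAM"),
    ("flash_mb", "Flash memory size"),
    ("os_version", "OS software version"),
)


def check_pair_identical(primary: PixInventory, secondary: PixInventory) -> List[str]:
    """Return the Step 1 checklist violations for a candidate pair (empty means OK)."""
    problems: List[str] = []
    for attr, label in MUST_MATCH:
        p, s = getattr(primary, attr), getattr(secondary, attr)
        if p != s:
            problems.append(f"{label} differs: {primary.name}={p!r}, {secondary.name}={s!r}")
    # License rules from the checklist.
    if primary.license != "unrestricted":
        problems.append(f"{primary.name}: primary must have an unrestricted license (has {primary.license})")
    if secondary.license not in ("unrestricted", "failover"):
        problems.append(f"{secondary.name}: secondary needs an unrestricted or failover license (has {secondary.license})")
    if primary.des_3des and not secondary.des_3des:
        problems.append(f"{secondary.name}: primary has a DES/3DES license, secondary does not")
    return problems


# "interface ethernet<N> <speed>" lines, as entered in the bootstrap steps.
INTERFACE_RE = re.compile(r"^\s*interface\s+(ethernet\d+)\s+(\S+)\s*$", re.IGNORECASE)
DISALLOWED_SPEEDS = {"auto", "1000auto"}   # the note says to give the actual speed


def lint_interface_speeds(config_lines: Sequence[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, interface, speed) for every interface command that
    relies on auto-negotiation instead of an explicit speed."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(config_lines, start=1):
        m = INTERFACE_RE.match(line)
        if m and m.group(2).lower() in DISALLOWED_SPEEDS:
            findings.append((lineno, m.group(1).lower(), m.group(2).lower()))
    return findings


def write_standby_is_last(ending_commands: Sequence[str]) -> bool:
    """Serial failover Step 10: write standby must be the last Ending Command."""
    return bool(ending_commands) and ending_commands[-1].strip().lower() == "write standby"


# --- constructed sample data (not from any real device) ----------------------
SAMPLE_PRIMARY = PixInventory("pix-primary", "PIX-525", ("10/100", "10/100", "GE"),
                              256, 16, "6.3(1)", "unrestricted", True)
SAMPLE_SECONDARY = replace(SAMPLE_PRIMARY, name="pix-secondary", license="failover")
# A mismatched candidate: different OS version, restricted license, no DES/3DES.
SAMPLE_BAD_SECONDARY = replace(SAMPLE_SECONDARY, os_version="6.2(2)",
                               license="restricted", des_3des=False)

SAMPLE_CONFIG = [
    "interface ethernet0 100basetx",
    "interface ethernet1 auto",
    "interface ethernet2 1000auto",
    "ip address inside 10.0.0.1 255.255.255.0",
]
SAMPLE_ENDING_COMMANDS = ["write memory", "write standby"]

if __name__ == "__main__":
    for problem in check_pair_identical(SAMPLE_PRIMARY, SAMPLE_BAD_SECONDARY):
        print("PAIR:", problem)
    for lineno, iface, speed in lint_interface_speeds(SAMPLE_CONFIG):
        print(f"SPEED: line {lineno}: {iface} uses '{speed}'; set the actual interface speed")
    print("write standby is last:", write_standby_is_last(SAMPLE_ENDING_COMMANDS))
```

Run it before generating command sets: an empty list from check_pair_identical and from lint_interface_speeds means the pair passes the checks the steps spell out.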

Configuring FWSM Failover Pairs

FWSM failover pairs differ from PIX Firewall failover pairs in that serial failover is not possible; only LAN-based failover is supported. Also, you can configure FWSM failover pairs as either intra-switch or inter-switch. An intra-switch failover pair is two firewall modules in a single chassis; an inter-switch failover pair has one firewall module in each of two chassis. In either configuration, both firewall modules must have the same amount of RAM and Flash memory and must be running the same version of software.

To set up failover on a single chassis, install two firewall modules on the same chassis and assign the same firewall VLAN group to both modules.


Figure 18-1   Failover Single Chassis Configuration


To set up failover between two chassis, install a firewall module in each chassis and assign the same firewall VLAN group to both modules.


Figure 18-2   Dual-Chassis Failover Configuration


Bootstrapping a LAN-based Failover Pair of FWSMs

You can configure LAN-based failover for FWSMs running version 1.1.2 and later. Firewall MC allows you to manage LAN-based failover settings; however, you must bootstrap both firewall devices before you can manage these configurations.


Note   FWSM does not have a serial port; it supports only LAN-based failover.


Caution   If you are managing firewalls that are configured for failover, you cannot use the AutoUpdate server with those firewalls. You must deploy directly to the firewalls from Firewall MC.

The process of enabling failover includes using CLI-based configuration commands and commands generated by Firewall MC. This procedure describes what tasks must be performed.

After you bootstrap the failover pair (complete this task flow) for the first time, do not be concerned that the generated commands refer to primary and secondary firewalls. The firewalls are designated primary and secondary because FWSMs require this designation initially. If both firewalls are rebooted simultaneously, the primary firewall always assumes the role of the active firewall and the secondary firewall always assumes the role of the standby firewall.

In this task, you force this designation by entering the failover active command at the Multilayer Switch Feature Card (MSFC) prompt of the primary firewall, which is a one-time operation.

After the first bootstrap, if you make changes to your LAN failover settings, you must always cut and paste the respective Firewall MC generated configurations directly to the active and standby firewalls from a console session. You can determine which firewall is active or standby by using the show failover command at the console.

  Action  Result 
Step 1 

Verify that you have two firewall modules that can be used in a failover configuration.

For failover, both FWSMs should have the following in common:

  • Model number.
  • Amount of RAM.
  • Flash memory size.
  • Software version.
Step 2 

From the console, bootstrap both the primary and secondary firewall modules with the basic information and the preconfiguration setup commands. See Bootstrapping an Existing FWSM or Bootstrapping a New FWSM.

The primary and secondary FWSMs are configured to allow Firewall MC to communicate with them over the network.

Step 3 

Ensure that you have assigned IP addresses to all of the enabled interfaces installed in the primary and secondary firewalls.

All enabled interfaces have IP addresses assigned to them. The primary firewall has all interfaces enabled, which can be discovered by the Firewall MC on import.

Step 4 

From the MSFC, telnet to 127.0.0.#, where # is the slot in which the primary FWSM resides, and create a dedicated logical interface (VLAN) for failover communication using the nameif vlan_id if_name security_level command.

Note We recommend that you use separate links for the failover interface and the logical update interface. Packets on the failover link are tagged with a higher QoS priority. Because stateful update traffic can be high in volume, the advantage of prioritizing failover traffic is lost if the failover link and the logical update interface share the same link.

Step 5 

At the MSFC prompt, add the dedicated logical VLAN to the VLAN group using the firewall vlan-group command.

Step 6 

At the MSFC prompt, activate the dedicated VLAN using the VLAN [X] state active command.

Step 7 

Using Firewall MC, create an activity and import the configuration files from the FWSM that will be designated as the primary firewall.

Note Do not import the device that will be designated as the secondary firewall.

The primary firewall is modeled in Firewall MC and the activity is submitted and approved.

Step 8 

Create an activity and configure the Configuration > Device Settings > Interfaces and Configuration > Device Settings > Failover settings for the primary firewall. Specifically, you need to select Enable LAN-based failover and configure the settings under this area.

See Configuring Failover Settings in Firewall MC.

Firewall MC has the basic configuration of the primary firewall (such as which networks it is attached to) as well as the LAN failover connection settings, such as which interface to use as the failover interface.

Step 9 

Under Configuration > MC Settings > Deployment, select the Direct to device option on the Deployment control page.

Commands that are deployed to the FWSM by Firewall MC will be deployed directly to the device.

Step 10 

Generate the command sets for the primary and secondary firewalls by approving the activity you created in the previous step.

Firewall MC generates the commands for the primary and secondary firewalls.

Step 11 

Create a job, select the previously approved activity and the primary firewall as the device to deploy, then click Next.

The Review Devices page appears, which is the fourth page in the Job Wizard. At the bottom of the Review Devices page, the message Warning: Device needs to be manually configured for LAN-based failover! appears.

This message means you must manually prepare both the primary and secondary firewalls with LAN failover-specific bootstrap commands before you can deploy the remaining commands to the primary firewall.

Step 12 

To view the commands that must be manually applied to the primary and secondary firewalls, click the manually configured link.

A dialog box appears that lists all failover pairs that require bootstrap configurations.

Step 13 

From the list of failover pairs, select the appropriate failover pair devices and click View Bootstrap Commands.

The Bootstrap Commands dialog box appears. It contains the bootstrap commands for the primary firewall at the top and those for the secondary firewall at the bottom.

Step 14 

From the MSFC, telnet to 127.0.0.#, where # is the slot in which the primary firewall resides, paste the generated bootstrap commands for that device, then enter the write memory command.

Note This command is required to ensure that the module comes back online with the failover configuration after a reload (or after a failure recovery).

The primary firewall is bootstrapped for LAN-based failover.

Step 15 

From the MSFC, telnet to 127.0.0.#, where # is the slot in which the secondary firewall resides, paste the generated bootstrap commands for that device, then enter the write memory command.

The secondary module should detect the primary module and then switch to standby. The firewall configuration is synchronized from the active module to the standby module.

The secondary firewall is bootstrapped for LAN-based failover and will receive its full configuration from the primary firewall after you complete this procedure.

Step 16 

From the MSFC, telnet to 127.0.0.#, where # is the slot in which the primary firewall resides, and enter the failover active command.

The primary firewall is forced to become the active firewall, which ensures that the secondary firewall assumes the standby state. This command is required to ensure that the remaining generated commands deployed to the primary firewall are accepted.

Step 17 

After the secondary firewall returns to service and the primary firewall is forced to the active state, deploy the remaining generated commands (non-LAN failover related) directly to the primary firewall.

Tip We recommend that you wait a few minutes after the secondary firewall returns to service before deploying the remaining commands. This time allows the firewalls to initialize their failover settings.

Because the device designated as the primary firewall was not rebooted, it becomes the active firewall. When the secondary firewall returns to service, it becomes the standby firewall and receives its updated configuration from the active firewall.

This example shows how to monitor the failover status on the primary and secondary modules:

Configuring Failover Settings in Firewall MC

To configure the failover settings in Firewall MC, select Configuration > Device Settings > Failover. From this page, you can configure three types of failover:

  • Serial Failover—(PIX Firewalls only) Configures two firewall devices so that a standby device can take over processing network connections if the primary active device fails. The two devices are connected by a special serial failover cable.
  • Stateful failover—Allows the standby device to maintain the state of all connections, except those started by web connections, by maintaining a network connection to a fast interface on the active firewall device dedicated for this purpose.
  • LAN-based failover—Configures two firewall devices for failover using a dedicated LAN interface on each unit. See Important Note about Deployment Errors and Failover.

From the Failover page, you can enable, disable, and configure failover, stateful failover, and LAN-based failover.


Tip You can enable logging failover from the Configuration > Device Settings > Logging > Logging Setup page. When selected, this feature enables log messages to be sent to a syslog server from both the primary and secondary units.

Before You Begin
  • Make sure the failover interfaces on the standby unit are on the same subnet as those on the primary unit.
  • Make sure interfaces are not configured for auto or 1000auto.
  • Make sure all active interfaces are configured with a failover IP address.
  • Make sure that workflow is enabled. In Firewall MC 1.1.2 and later, workflow must be enabled to configure LAN failover. You can enable workflow from the Admin > Workflow Setup page.

Note   AUS does not support firewall devices that are configured for failover. You should deploy devices configured for failover to a device or to a file.
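The checks in the list above can be run before you enable failover. The following Python script is an added example and is not part of the Firewall MC documentation; it assumes the interface settings have already been gathered into the Interface records shown, and it reads the same-subnet rule as comparing each failover IP address against the system IP address and mask of its interface.

```python
# Added example (not from the Firewall MC documentation): a pre-flight check for
# the "Before You Begin" conditions, run against a constructed interface list.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Interface:
    name: str
    speed: str                   # speed/duplex setting, e.g. "100full", "auto"
    system_ip: Optional[str]     # active-unit address in CIDR form, e.g. "192.159.1.3/24"
    failover_ip: Optional[str]   # standby address on the same interface
    active: bool = True          # interfaces that are shut down need no failover address

BAD_SPEEDS = {"auto", "1000auto"}   # settings the documentation says not to use

def check_failover_prereqs(interfaces: List[Interface], poll_time: int) -> List[str]:
    """Return a list of problems; an empty list means the pair is ready for failover."""
    problems = []
    if not 3 <= poll_time <= 15:
        problems.append(f"poll time {poll_time}s outside the 3-15 second range")
    for i in interfaces:
        if i.speed in BAD_SPEEDS:
            problems.append(f"{i.name}: speed '{i.speed}' must be set explicitly, not auto")
        if not i.active:
            continue
        if i.failover_ip is None:
            problems.append(f"{i.name}: active interface has no failover IP address")
            continue
        if i.system_ip is None:
            problems.append(f"{i.name}: no system IP address to compare against")
            continue
        sys_if = ipaddress.ip_interface(i.system_ip)
        fo_ip = ipaddress.ip_address(i.failover_ip)
        if fo_ip not in sys_if.network:
            problems.append(f"{i.name}: failover IP {fo_ip} not in subnet {sys_if.network}")
        elif fo_ip == sys_if.ip:
            problems.append(f"{i.name}: failover IP must differ from system IP {sys_if.ip}")
    return problems

# Constructed sample: one clean interface, one left on auto, one whose standby
# address is on the wrong subnet, and one active interface with no failover IP.
SAMPLE = [
    Interface("outside", "100full", "192.159.1.3/24", "192.159.1.4"),
    Interface("inside", "auto", "10.1.1.1/24", "10.1.1.2"),
    Interface("dmz", "1000full", "172.16.5.1/24", "172.16.6.2"),
    Interface("lanfail", "100full", "10.9.9.1/30", None),
]

if __name__ == "__main__":
    for problem in check_failover_prereqs(SAMPLE, poll_time=15):
        print("FAIL:", problem)
```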


Step 1   Select Configuration > Device Settings > Failover.

The Failover page appears.

Step 2   Select the interface to use as your failover interface:


Note    If you are configuring a PIX Firewall, you must edit each interface to include an IP address.

a. Select the check box for the interface, then click Edit.

The Edit Failover Interface page appears.

b. Enter the IP address for the interface.

c. Click Next.

The failover summary page appears.

d. Verify the information is correct, then click Finish.

You are returned to the Failover page.

Step 3   Select the Enable failover check box. You must select this check box if you are configuring serial failover, stateful failover, or LAN-based failover.

The Failover Interface table is automatically populated with all enabled interfaces on the firewall device.


Note    To enable failover, you must ensure that both devices have the same version of software, type of activation key, Flash memory, and RAM.

Step 4   Enter the failover poll time. Values are 3-15 seconds. Default is 15.

Step 5   To enable stateful failover:

a. Select the Enable stateful failover check box.

b. Select the HTTP Replication check box to enable stateful failover to copy an active HTTP session to a standby PIX Firewall.

c. Select a Fast LAN Link from the list (for example, 100full, 1000sxfull, or 1000full). Stateful, serial failover requires both a dedicated fast LAN link and a failover cable.

Step 6   To enable LAN-based failover:

a. Select the Enable LAN-based failover check box.

b. Select the LAN interface from the list. The wizard displays a list of all interfaces defined at the current scope.


Note    The primary and secondary units must be bootstrapped with a set of commands for LAN-based failover. Firewall MC generates the bootstrap commands for the standby unit. These bootstrap commands appear as comments when you view the generated configuration file and are displayed separately in the deployment wizard. You must copy and paste the commands into the standby unit configuration file. For more information, see Bootstrapping a PIX Firewall for LAN-based Failover.

c. (PIX only) Enter the shared key used to authenticate and encrypt traffic between firewall devices.

Step 7   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Note    If a device is configured with failover enabled at the time of deployment, a warning is displayed when the device is deployed. This warning indicates which devices need to be bootstrapped.





Failover Setup Field-Level Elements and Descriptions

Element  Description 

Inherit settings check box

When selected, the subgroup or device(s) inherits the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroup(s) and device(s). Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable failover check box

When selected, allows failover interface and IP addresses displayed in table to be selected.

Note To enable failover, you must ensure that both devices have the same software version, activation key type, Flash memory, and RAM.

Failover poll time (seconds)

Specifies how long failover waits between checks that the other unit is still available. The checks are exchanged between the primary and standby devices over all network interfaces and the failover cable. Values are 3-15 seconds. Default is 15.

Enable stateful failover check box

When selected, enables stateful failover interface.

Note If you enable stateful failover, you must select a fast LAN link from the list (for example, 100full, 1000full, or 1000sxfull).

HTTP replication check box

Enables stateful failover to copy active HTTP sessions to standby PIX Firewall.

Fast LAN link list

Allows you to select interface with fastest LAN link. A dedicated fast LAN link is required in addition to failover cable to support stateful failover.

Enable LAN-based failover check box

When selected, enables LAN-based failover.

LAN interface list box

List of all interfaces defined at the current scope.

Shared key

Used to encrypt communication between the primary and standby devices. The value can be any string.

Interface name

Displays name of interface on active firewall device to be used for communication with standby device for failover. When configured for stateful failover, interface is directly connected to standby device.

IP address

IP address used by standby device to communicate with active device. Address must be on same network as system IP address; for example, if system IP address is 192.159.1.3, set failover IP address to 192.159.1.4. The IP address is added from the Edit Failover Interface wizard page.

Tip You can use this IP address with the ping tool to check status of the standby device.