Configure Dual ISP on FTD Using FDM

Introduction

This document describes how to configure Dual Internet Service Provider (ISP) failover using Firewall Device Manager (FDM) for Secure Firewall Series.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Basic Routing
• Firewall Device Manager dashboard knowledge

• At least 2 Internet Service Providers connected to the Secure Firewall.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco Secure Firewall running 7.7.X version or higher versions.

• Secure Firewall 3130 with 7.7.0 version.

​The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configure

Step 1.

Log in to the FDM on the Secure Firewall, and navigate to the interfaces section by selecting the View All Interfaces button.

FDM Main Dashboard

Step 2.

To configure the interface for the Primary ISP connection, start by selecting your desired interface. Selecting the corresponding interface button to proceed. In this example, the interface used is Ethernet1/1.

Interfaces Tab

Step 3.

Configure the interface with the correct parameters for your Primary ISP connection. In this example, the interface is outside_primary.

Configuration of primary ISP interface

Step 4.

Repeat the same process for the secondary ISP interface. In this example, the interface Ethernet1/2 is used.

Configuration of secondary ISP interface

Step 5.

After configuring the two interfaces for the ISPs, the next step is to set up the SLA Monitor for the primary interface.

Navigate to the Objects section by selecting the Objects button located at the top of the menu.

Configured Interfaces

Step 6.

Select on the left column, the SLA Monitors button.

Objects Screen

Step 7.

Create a new SLA Monitor by selecting the Create SLA Monitor button.

SLA Monitor Section

Step 8.

Configure the parameters for the Primary ISP connection.

SLA Object Creation

Step 9.

Once the object was created, the static route for the interfaces must create it. Navigate to the main dashboard by selecting the Device button.

SLA Monitor Created

Step 10.

Navigate to the Routing Section by selecting the View Configuration in the Routing Panel.

Main Dashboard

Step 11.

On the Static Routing tab, create the 2 default static routes for both ISPs. To create a new Static Route select the CREATE STATIC ROUTE button.

Static Routing Section

Step 12.

First, create the Static Route for the Primary ISP. At the end, add the SLA monitor object that was created on last step.

Static Route For Primary ISP

Step 13.

Repeat the last step and create a default route, for the ISP secondary with the proper gateway and different Metric. In this example, it was increased to 200.

Static Route For Secondary ISP

Step 14.

Once both static routes are created, a Security Zone must be created. Navigate to the Objects section by selecting the Objects button on the top.

Static Routes Created

Step 15.

Navigate to the Security Zones section by selecting on the left column the Security Zones button, and then create a new zone by selecting the CREATE SECURITY ZONE button.

Security Zones Section

Step 16.

Create the Outside Security Zone with the both outside interfaces for the ISPs connections.

Security Zone Outside

Step 17.

After the security zone is created, a NAT must be created. Navigate to Policies section by selecting the Policies button on the top.

Security Zones Created

Step 18.

Navigate to the NAT section by selecting the NAT button, and then create a new rule by selecting the CREATE NAT RULE button.

NAT Section

Step 19.

For the ISP failover, the configuration must have 2 routes via outside interfaces. First, for the Primary Outside interface connection to the Primary ISP.

NAT For Primary ISP

Step 20.

Now, a second NAT for the Secondary ISP connection.

Note: For the original address, same network cannot be used. In this example, for the secondary ISP, the Original Address is the object any-ipv4.

NAT For Secondary ISP

Step 21.

After creating both NAT rules, an Access Control Rule must be established to allow outbound traffic. Select the Access Control button.

NAT Rules Created

Step 22.

To create the Access Control Rule, select the CREATE ACCESS RULE button.

Access Control Section

Step 23.

Select the zones and networks desired.

Access Control Rule

Step 24.

Once the Access Control Rule is created, proceed to deploy all changes by selecting the Deploy button on the top.

Access Control Rule Created

Step 25.

Verify the changes and then select the Deploy Now button.

Deployment Verification

Network Diagram

Network Diagram

Verify

> system support diagnostic-cli 
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

SF3130# show ip
System IP Addresses:
Interface   Name            IP address  Subnet mask   Method 
Ethernet1/1 outside_primary 172.16.1.1  255.255.255.0 manual ------------> THE PRIMARY INTERFACE OF THE ISP IS SET
Ethernet1/2 outside_backup  172.16.2.1  255.255.255.0 manual ------------> THE SECONDARY INTERFACE OF THE ISP IS SET
Ethernet1/3 inside          192.168.1.1 255.255.255.0 manual

SF3130# show interface ip brief 
Interface   IP-Address  OK? Method Status Protocol
Ethernet1/1 172.16.1.1  YES manual   up      up -------------------> THE INTERFACE IS UP AND RUNNING
Ethernet1/2 172.16.2.1  YES manual   up      up -------------------> THE INTERFACE IS UP AND RUNNING 
Ethernet1/3 192.168.1.1 YES manual   up      up

SF3130# show route
Gateway of last resort is 172.16.1.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.1.254, outside_primary ----> THE DEFAULT ROUTE IS CONNECTED THROUGH THE PRIMARY ISP
C  172.16.1.0  255.255.255.0   is directly connected, outside_primary
L  172.16.1.1  255.255.255.255 is directly connected, outside_primary
C  172.16.2.0  255.255.255.0   is directly connected, outside_backup
L  172.16.2.1  255.255.255.255 is directly connected, outside_backup
C  192.168.1.0 255.255.255.0   is directly connected, inside
L  192.168.1.1 255.255.255.255 is directly connected, inside

SF3130# show run route
route outside_primary 0.0.0.0 0.0.0.0 172.16.1.254 1 track 1
route outside_backup  0.0.0.0 0.0.0.0 172.16.2.254 200

SF3130# show sla monitor configuration ---> CHECKING THE SLA MONITOR CONFIGURATION
SA Agent, Infrastructure Engine-II
Entry number: 539523651
Owner: 
Tag: 
Type of operation to perform: echo
Target address: 172.16.1.254
Interface: outside_primary
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 3000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 3
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

SF3130# show sla monitor operational-state 
Entry number: 739848060
Modification time: 01:24:11.029 UTC Thu Jun 12 2025
Number of Octets Used by this Entry: 1840
Number of operations attempted: 0
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Pending
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE ----------------------------> THE ISP PRIMARY IS IN A HEALTHY STATE
Over thresholds occurred: FALSE
Latest RTT (milliseconds) : Unknown
Latest operation return code: Unknown
Latest operation start time: Unknown

AFTERARGBSETHBNDGFSHNDFGSDBFB

SF3130# show interface ip brief 
Interface   IP-Address  OK? Method Status Protocol
Ethernet1/1 172.16.1.1  YES manual  down   down -------------------> THE PRIMARY ISP IS DOWN
Ethernet1/2 172.16.2.1  YES manual   up     up 
Ethernet1/3 192.168.1.1 YES manual   up     up 

SF3130# show route
Gateway of last resort is 172.16.2.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [200/0] via 172.16.2.254, outside_backup ---------> AFTER THE ISP PRIMARY FAILS, INSTANTLY THE ISP BACKUP IS FAILOVER AND IS INSTALL IN THE ROUTING TABLE
C  172.16.2.0 255.255.255.0    is directly connected, outside_backup
L  172.16.2.1 255.255.255.255  is directly connected, outside_backup
C  192.168.1.0 255.255.255.0   is directly connected, inside
L  192.168.1.1 255.255.255.255 is directly connected, inside

SF3130# show sla monitor operational-state
Entry number: 739848060
Modification time: 01:24:11.140 UTC Thu Jun 12 2025
Number of Octets Used by this Entry: 1840
Number of operations attempted: 0
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Pending
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE -------------------------------------> AFTER THE DOWNTIME OF THE PRIMARY ISP THE TIMEOUT IS FLAGGED
Over thresholds occurred: FALSE
Latest RTT (milliseconds) : Unknown
Latest operation return code: Unknown
Latest operation start time: Unknown

SF3130# show route 
Gateway of last resort is 172.16.1.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.1.254, outside_primary ------------> AFTER A FEW SECONDS ONCE THE PRIMARY INTERFACE IS BACK THE DEFAULT ROUTE INSTALLS AGAIN IN THE ROUTING TABLE
C 172.16.1.0 255.255.255.0    is directly connected, outside_primary
L 172.16.1.1 255.255.255.255  is directly connected, outside_primary
C 172.16.2.0 255.255.255.0    is directly connected, outside_backup
L 172.16.2.1 255.255.255.255  is directly connected, outside_backup
C 192.168.1.0 255.255.255.0   is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside