Add at least one Data type interface or EtherChannel (also known as a port-channel) before you deploy the cluster.
You can also add data interfaces to the cluster after you deploy it.
For inter-chassis clustering, all data interfaces must be EtherChannels with at least one member interface. Add the same EtherChannels on each chassis.
Add a Management type interface or EtherChannel.
For inter-chassis clustering, add the same Management interface on each chassis. The management interface is required. Note that this management interface is not the same as the chassis management interface that is used only for chassis management (and that appears at the top of the Interfaces tab as MGMT).
For inter-chassis clustering, add a member interface to port-channel 48, which is used as the cluster control link.
If you do not include a member interface, then when you deploy the logical device, the Firepower Chassis Manager assumes that this cluster is an intra-chassis cluster and does not show the Chassis ID field. Add the same member interfaces on each chassis.
Add a Firepower-eventing interface.
This interface is a secondary management interface for Firepower Threat Defense devices. To use this interface, you must configure its IP address and other parameters at the Firepower Threat Defense CLI. For example, you can separate management traffic from events (such as web events). See the configure network commands in the Firepower Threat Defense command reference.
For inter-chassis clustering, add the same eventing interface on each chassis.
Choose Logical Devices to open the Logical Devices page.
The Logical Devices page shows a list of configured logical devices on the chassis. If no logical devices have been configured, a message stating so is shown instead.
Click Add Device to open the Add Device dialog box.
If you have an existing logical device, you are prompted to remove the device and add a new one. All configuration on the device(s) will be replaced by the new information.
For the Device Name, provide a name for the logical device. This name is used by the Firepower 4100/9300 chassis supervisor to configure clustering/management settings and to assign interfaces; it is not the cluster name used in the logical device configuration.
For the Template, choose Cisco Firepower Threat Defense.
For the Image Version, choose the Firepower Threat Defense software version. Make sure this version is compatible with your FXOS version and with the Firepower Management
For the Device Mode, click the Cluster radio button.
Click the Create New Cluster radio button.
If you have any standalone devices configured, you are prompted to replace them with a new cluster. You see the Provisioning - device name window.
All interfaces are assigned to the cluster by default. Hardware Bypass-capable ports are marked with a Hardware Bypass icon. If you do not assign both interfaces in a Hardware Bypass pair, you see a warning message to make sure your assignment is intentional. You do not need to use the Hardware Bypass feature, so you can assign single interfaces if you prefer. Hardware Bypass ports are not supported in inter-chassis clustering because they are not supported as EtherChannel members.
Click the device icon in the center of the screen.
The Cisco Firepower Threat Defense Configuration dialog box appears.
On the Cluster Information tab, complete the following:
- In the Chassis ID field, enter a chassis ID. Each chassis in the cluster must use a unique ID.
- In the Site ID field, for inter-site clustering, enter the site ID for this chassis between 1 and 8. This feature is only configurable using the Firepower Management Center FlexConfig feature.
- In the Cluster Key field, configure an authentication key for control traffic on the cluster control link.
The shared secret is an ASCII string from 1 to 63 characters. The shared secret is used to generate the key. This option does not affect datapath traffic, including connection state update and forwarded packets, which are always sent in the clear.
- Set the Cluster Group Name, which is the cluster group name in the logical device configuration.
The name must be an ASCII string from 1 to 38 characters.
- Select the management interface to use with the logical device from the Management Interface drop-down list.
If you assign a Hardware Bypass-capable interface as the Management interface, you see a warning message to make sure your assignment is intentional.
On the Settings tab, complete the following:
- In the Registration Key field, enter the key to be shared between the Firepower Management Center and the cluster members during registration.
- In the Password field, enter a password for the admin user on the cluster.
- In the Firepower Management Center IP field, enter the IP address of the managing Firepower Management Center.
- In the Search Domains field, enter a comma-separated list of search domains for the management network.
- From the Firewall Mode drop-down list, choose Transparent or Routed.
- In the DNS Servers field, enter a comma-separated list of DNS servers that the Firepower Threat Defense device should use on the management network.
- In the Fully Qualified Hostname field, enter a fully qualified name for the Firepower Threat Defense device.
- From the Eventing Interface drop-down list, choose the interface on which Firepower events should be sent. If not specified, the management interface will be used.
To specify a separate interface to use for Firepower events, you must configure an interface as a firepower-eventing interface. If you assign a Hardware Bypass-capable interface as the Eventing interface, you see a warning message to make sure your assignment is intentional.
On the Interface Information tab, configure a management IP address for each security module in the cluster. Select the type of address from the Address Type drop-down list and then complete the following for each security module.
You must set the IP address for all 3 module slots in a chassis, even if you do not have a module installed. If you do not configure all 3 modules, the cluster will not come up.
- In the Management IP field, configure an IP address.
Specify an IP address on the same network for each module.
- Enter a Network Mask or Prefix Length.
- Enter a Network Gateway address.
On the Agreement tab, read and accept the end user license agreement (EULA).
Click OK to close the Cisco Firepower Threat Defense Configuration dialog box.
The Firepower 4100/9300 chassis supervisor deploys the cluster by downloading the specified software version and pushing the cluster bootstrap configuration and management interface settings to each security module.
For inter-chassis clustering, add the next chassis to the cluster:
- On the first chassis Firepower Chassis Manager, click the Show Cluster Details icon at the top right; copy the displayed cluster configuration.
- Connect to the Firepower Chassis Manager on the next chassis, and add a logical device according to this procedure.
- Choose Join an Existing Cluster.
- Click the Copy config check box, and click OK. If you uncheck this check box, you must manually enter the settings to match the first chassis configuration.
- In the Copy Cluster Details box, paste in the cluster configuration from the first chassis, and click OK.
- Click the device icon in the center of the screen. The cluster information is mostly pre-filled, but you must change the following settings:
  - Chassis ID—Enter a unique chassis ID.
  - Site ID—For inter-site clustering, enter the site ID for this chassis between 1 and 8. This feature is only configurable using the Firepower Management Center FlexConfig feature.
  - Cluster Key—(Not prefilled) Enter the same cluster key.
  - Management IP—Change the management address for each module to be a unique IP address on the same network as the other cluster members.
- Click Save.
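The Cluster Information, Interface Information, and join-the-next-chassis steps above each state limits that, if missed, keep the cluster from forming (a missing module slot address, a chassis ID reused on the second chassis, a management IP off the shared network). The following added example, which is not Cisco's code, pre-checks a planned set of chassis values against exactly those limits before you type them into the Firepower Chassis Manager; `ChassisConfig`, its field names and the `SAMPLE` values are assumptions constructed for illustration.

```python
# Added example, not Cisco's code: pre-checks the bootstrap values from the steps
# above against the limits they state. ChassisConfig and SAMPLE are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MODULE_SLOTS = 3  # an address is required for all 3 slots, even empty ones

@dataclass
class ChassisConfig:
    chassis_id: int             # unique per chassis
    site_id: Optional[int]      # inter-site clustering only, 1 to 8
    cluster_key: str            # shared secret, ASCII, 1 to 63 characters
    cluster_group_name: str     # ASCII, 1 to 38 characters
    module_ips: List[str]       # management IP per module slot, in slot order
    mask_or_prefix: str         # "24" or "255.255.255.0"
    gateway: str

def validate_chassis(cfg: ChassisConfig) -> List[str]:
    """Per-chassis rules; returns the violations found (empty list means OK)."""
    errs, tag = [], f"chassis {cfg.chassis_id}:"
    if not (cfg.cluster_key.isascii() and 1 <= len(cfg.cluster_key) <= 63):
        errs.append(f"{tag} cluster key must be ASCII, 1 to 63 characters")
    if not (cfg.cluster_group_name.isascii() and 1 <= len(cfg.cluster_group_name) <= 38):
        errs.append(f"{tag} cluster group name must be ASCII, 1 to 38 characters")
    if cfg.site_id is not None and not 1 <= cfg.site_id <= 8:
        errs.append(f"{tag} site ID must be between 1 and 8")
    if len(cfg.module_ips) != MODULE_SLOTS:
        errs.append(f"{tag} management IP needed for all {MODULE_SLOTS} module slots")
    net = ipaddress.ip_network(f"{cfg.gateway}/{cfg.mask_or_prefix}", strict=False)
    for slot, ip in enumerate(cfg.module_ips, start=1):  # all on the gateway's network
        if ipaddress.ip_address(ip) not in net:
            errs.append(f"{tag} slot {slot} IP {ip} is not on network {net}")
    return errs

def validate_cluster(chassis: List[ChassisConfig]) -> List[str]:
    """Cross-chassis rules: unique IDs and IPs, identical key and group name."""
    errs = [e for c in chassis for e in validate_chassis(c)]
    if len({c.chassis_id for c in chassis}) != len(chassis):
        errs.append("chassis IDs must be unique across the cluster")
    if len({(c.cluster_key, c.cluster_group_name) for c in chassis}) > 1:
        errs.append("every chassis must use the same cluster key and group name")
    ips = [ip for c in chassis for ip in c.module_ips]
    if len(set(ips)) != len(ips):
        errs.append("management IPs must be unique across all cluster members")
    return errs

SAMPLE = [ChassisConfig(n, None, "s3cret-key", "ftd-cluster",  # constructed 2-chassis cluster
                        [f"192.0.2.{n}{s}" for s in (1, 2, 3)], "24", "192.0.2.1") for n in (1, 2)]
```

Run `validate_cluster(SAMPLE)` on your planned values; an empty list means every limit stated in the steps above is satisfied, and each string returned names the chassis and field to fix.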
Add each unit separately to the Firepower Management Center using the management IP addresses, and then group them into a cluster at the web interface.
All cluster units must be in a successfully-formed cluster on FXOS prior to adding them to Firepower Management