Cisco has translated this document using a combination of machine and human technologies so that users around the world can read support content in their own language. Note that even the best machine translation is not as accurate as a translation by a professional translator. Cisco Systems, Inc. accepts no responsibility for the accuracy of these translations and recommends that you always refer to the original English document (link provided).
This document describes how to configure and verify Firepower Threat Defense (FTD) High Availability (HA) (Active/Standby failover) on the FPR9300.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Note: On an FPR9300 appliance with FTD, you can configure only inter-chassis HA. The two units in an HA configuration must meet the conditions mentioned in this document.
Task requirements:
Verify that both FTD appliances meet the requirements in the note and can be configured as HA units.
Solution:
Step 1. Connect to the FPR9300 management IP and verify the module hardware.
Verify the FPR9300-1 hardware.
KSEC-FPR9K-1-A# show server inventory
Server  Equipped PID  Equipped VID  Equipped Serial (SN)  Slot Status  Ackd Memory (MB)  Ackd Cores
------- ------------ ------------ -------------------- ---------------- ---------------- ----------
1/1     FPR9K-SM-36  V01          FLM19216KK6          Equipped         262144           36
1/2     FPR9K-SM-36  V01          FLM19206H71          Equipped         262144           36
1/3     FPR9K-SM-36  V01          FLM19206H7T          Equipped         262144           36
KSEC-FPR9K-1-A#
Verify the FPR9300-2 hardware.
KSEC-FPR9K-2-A# show server inventory
Server  Equipped PID  Equipped VID  Equipped Serial (SN)  Slot Status  Ackd Memory (MB)  Ackd Cores
------- ------------ ------------ -------------------- ---------------- ---------------- ----------
1/1     FPR9K-SM-36  V01          FLM19206H9T          Equipped         262144           36
1/2     FPR9K-SM-36  V01          FLM19216KAX          Equipped         262144           36
1/3     FPR9K-SM-36  V01          FLM19267A63          Equipped         262144           36
KSEC-FPR9K-2-A#
Step 2. Log in to the FPR9300-1 Chassis Manager and navigate to Logical Devices.
Verify the software version, the number of interfaces and the interface type, as shown in the image.
FPR9300-1
FPR9300-2
Task requirements:
Configure Active/Standby failover (HA) according to this diagram.
Solution:
Both FTD appliances are already registered to the FMC, as shown in the image.
Step 1. To configure FTD failover, navigate to Devices > Device Management and select Add High Availability, as shown in the image.
Step 2. Enter the Primary Peer and the Secondary Peer and select Continue, as shown in the image.
Warning: Make sure that you select the correct unit as the primary. All configuration on the selected primary unit is replicated to the selected secondary FTD unit. This replication can replace the current configuration on the secondary unit.
To establish HA between 2 FTD units, these conditions must be met:
Note: This must be checked on both the FTD units and in the FMC GUI, because there have been cases where the FTDs had the same mode but the FMC did not reflect it.
firepower# show chassis-management-url
https://KSEC-FPR9K-1.cisco.com:443//
Note: On FTD releases after 6.3, use the command show chassis detail.
firepower# show chassis detail
Chassis URL             : https://KSEC-FPR4100-1:443//
Chassis IP              : 192.0.2.1
Chassis Serial Number   : JMX12345678
Security Module         : 1
If both chassis have the same name, use these commands to change the name of one of the chassis:
KSEC-FPR9K-1-A# scope system
KSEC-FPR9K-1-A /system # set name FPR9K-1new
Warning: System name modification changes FC zone name and redeploys them non-disruptively
KSEC-FPR9K-1-A /system* # commit-buffer
FPR9K-1-A /system # exit
FPR9K-1new-A#
After you change the chassis name, unregister the FTD from the FMC and register it again. Then proceed with the creation of the HA pair.
Step 3. Configure the HA and state link settings.
In this case, the state link uses the same settings as the high-availability link.
Select Add and wait a few minutes for the HA pair to be deployed, as shown in the image.
Step 4. Configure the data interfaces (primary and standby IP addresses).
Select Edit for the HA pair in the FMC GUI, as shown in the image.
Step 5. Configure the interface settings as shown in the image.
Ethernet 1/5 interface.
Ethernet 1/6 interface.
Step 6. Navigate to High Availability and select Edit next to the interface name to add the standby IP addresses, as shown in the image.
Step 7. For the Inside interface, as shown in the image.
Step 8. Do the same for the Outside interface.
Step 9. Verify the result, as shown in the image.
Step 10. Stay on the High Availability tab and configure the virtual MAC addresses, as shown in the image.
Step 11. As shown in the image.
Step 12. Do the same for the Outside interface.
Step 13. Verify the result, as shown in the image.
Step 14. After you configure the changes, select Save and Deploy.
Task requirements:
Verify the FTD HA settings and the enabled licenses from the FMC GUI and the FTD CLI.
Solution:
Step 1. Navigate to Summary and check the HA settings and the enabled licenses, as shown in the image.
Step 2. From the FTD CLISH CLI, run this command:
> show high-availability config
Failover On
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(1), Mate 9.6(1)
Serial Number: Ours FLM19267A63, Mate FLM19206H7T
Last Failover at: 18:32:38 EEST Jul 21 2016
        This host: Primary - Active
                Active time: 3505 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(1)) status (Up Sys)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)
        Other host: Secondary - Standby Ready
                Active time: 172 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(1)) status (Up Sys)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0)  status (up)
                slot 2: diskstatus rev (1.0)  status (up)

Stateful Failover Logical Update Statistics
        Link : fover_link Ethernet1/4 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         417        0          416        0
        sys cmd         416        0          416        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        SIP Tx          0          0          0          0
        SIP Pinhole     0          0          0          0
        Route Session   0          0          0          0
        Router ID       0          0          0          0
        User-Identity   1          0          0          0
        CTS SGTNAME     0          0          0          0
        CTS PAC         0          0          0          0
        TrustSec-SXP    0          0          0          0
        IPv6 Route      0          0          0          0
        STS Table       0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       10      416
        Xmit Q:         0       11      2118
>
Step 3. Do the same on the secondary unit.
Step 4. Run the show failover state command from the LINA CLI:
firepower# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             18:32:56 EEST Jul 21 2016

====Configuration State===
        Sync Done
====Communication State===
        Mac set
firepower#
Step 5. Verify the configuration from the primary unit (LINA CLI):
firepower# show running-config failover
failover
failover lan unit primary
failover lan interface fover_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbbb.1111 aaaa.bbbb.2222
failover mac address Ethernet1/6 aaaa.bbbb.3333 aaaa.bbbb.4444
failover link fover_link Ethernet1/4
failover interface ip fover_link 10.10.1.1 255.255.255.0 standby 10.10.1.2
firepower#
firepower# show running-config interface
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
firepower#
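As an added example (not part of the Cisco document), the following Python script parses the two verification outputs above, show failover state and show high-availability config, and reports the conditions an operator would alert on: failover off, failover link down, peer version mismatch, units not in Active/Standby Ready, configuration not synchronised, or stateful replication errors. The sample outputs are constructed from the document's examples, and the health criteria are assumptions rather than a Cisco definition.

```python
"""Health check for an FTD Active/Standby pair from its CLI output.

Added example, not part of the Cisco document. It parses the text of
'show failover state' and 'show high-availability config' and returns the
findings an operator would alert on. Sample outputs are constructed from the
document's own examples; what counts as "healthy" is an assumption.
"""
import re
from typing import Any, Dict, List

# Constructed sample: trimmed copy of the document's 'show failover state'.
SAMPLE_STATE = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             18:32:56 EEST Jul 21 2016

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""

# Constructed sample: the lines of 'show high-availability config' we use.
SAMPLE_HA_CONFIG = """\
Failover On
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Monitored Interfaces 1 of 1041 maximum
Version: Ours 9.6(1), Mate 9.6(1)
Serial Number: Ours FLM19267A63, Mate FLM19206H7T
        Stateful Obj    xmit       xerr       rcv        rerr
        General         417        0          416        0
        sys cmd         416        0          416        0
        User-Identity   1          0          0          0
"""

# Constructed degraded pair: mate is Failed, runs another version, and the
# General object shows transmit errors.
SAMPLE_STATE_DEGRADED = SAMPLE_STATE.replace(
    "Standby Ready  Comm Failure", "Failed         Ifc Failure")
SAMPLE_HA_CONFIG_DEGRADED = SAMPLE_HA_CONFIG.replace(
    "Mate 9.6(1)", "Mate 9.5(2)").replace(
    "General         417        0", "General         417        3")

UNIT_STATES = (r"(Active|Standby Ready|Failed|Negotiation|Cold Standby|"
               r"Disabled|Sync Config|Bulk Sync)")


def parse_failover_state(text: str) -> Dict[str, str]:
    """Role and state of both units plus the configuration sync state."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out: Dict[str, str] = {}
    for i, ln in enumerate(lines[:-1]):
        m = re.match(r"(This|Other) host\s+-\s+(Primary|Secondary)$", ln)
        if m:
            key = "this" if m.group(1) == "This" else "other"
            out[key + "_role"] = m.group(2)
            # The next line carries "<state>  <last failure reason>  [date]".
            st = re.match(UNIT_STATES + r"\s*(.*)$", lines[i + 1])
            out[key + "_state"] = st.group(1) if st else lines[i + 1]
            out[key + "_last_failure"] = st.group(2).strip() if st else ""
        elif ln.startswith("====Configuration State==="):
            out["config_state"] = lines[i + 1]
    return out


def parse_ha_config(text: str) -> Dict[str, Any]:
    """Failover link state, peer version/serial and per-object error counts."""
    errors: Dict[str, int] = {}
    info: Dict[str, Any] = {"failover_on": False, "errors": errors}
    for ln in (raw.strip() for raw in text.splitlines()):
        if ln == "Failover On":
            info["failover_on"] = True
        m = re.match(r"Failover LAN Interface: (\S+) (\S+) \((\w+)\)", ln)
        if m:
            info["lan_if"], info["lan_if_state"] = m.group(2), m.group(3)
        m = re.match(r"Version: Ours (\S+), Mate (\S+)", ln)
        if m:
            info["version_ours"], info["version_mate"] = m.groups()
        m = re.match(r"Serial Number: Ours (\S+), Mate (\S+)", ln)
        if m:
            info["serial_ours"], info["serial_mate"] = m.groups()
        # Statistics rows: "<object>  xmit  xerr  rcv  rerr"; keep xerr + rerr.
        m = re.match(r"(.+?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", ln)
        if m:
            errors[m.group(1)] = int(m.group(3)) + int(m.group(5))
    return info


def check_ha_health(state_text: str, config_text: str) -> List[str]:
    """Return findings; an empty list means the pair looks healthy."""
    st = parse_failover_state(state_text)
    cfg = parse_ha_config(config_text)
    findings: List[str] = []
    if not cfg["failover_on"]:
        findings.append("failover is not enabled on this unit")
    if cfg.get("lan_if_state") != "up":
        findings.append(f"failover LAN interface {cfg.get('lan_if')} is not up")
    if cfg.get("version_ours") != cfg.get("version_mate"):
        findings.append(f"software version mismatch: ours {cfg.get('version_ours')},"
                        f" mate {cfg.get('version_mate')}")
    if {st.get("this_state"), st.get("other_state")} != {"Active", "Standby Ready"}:
        findings.append(f"unexpected unit states: this={st.get('this_state')}"
                        f" other={st.get('other_state')}")
    if st.get("config_state") != "Sync Done":
        findings.append(f"configuration not synchronised: {st.get('config_state')}")
    for obj, errs in cfg["errors"].items():
        if errs:
            findings.append(f"stateful replication errors for {obj}: {errs}")
    return findings


if __name__ == "__main__":
    for name, s, c in (("healthy", SAMPLE_STATE, SAMPLE_HA_CONFIG),
                       ("degraded", SAMPLE_STATE_DEGRADED, SAMPLE_HA_CONFIG_DEGRADED)):
        print(name, check_ha_health(s, c) or ["OK"])
```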
Task requirements:
In the FMC, switch the failover roles from Primary/Active, Secondary/Standby to Primary/Standby, Secondary/Active.
Solution:
Step 1. Select the icon, as shown in the image.
Step 2. Confirm the action in the pop-up window, as shown in the image.
Step 3. Verify the result, as shown in the image.
In the LINA CLI, you can see that the no failover active command was executed on the Primary/Active unit:
Jul 22 2016 10:39:26: %ASA-5-111008: User 'enable_15' executed the 'no failover active' command.
Jul 22 2016 10:39:26: %ASA-5-111010: User 'enable_15', running 'N/A' from IP 0.0.0.0, executed 'no failover active'
You can also verify this in the show failover history command output:
firepower# show failover history
==========================================================================
From State                 To State                   Reason
10:39:26 EEST Jul 22 2016
Active                     Standby Ready              Set by the config command
Step 4. After verification, make the primary unit active again.
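As an added example (not from the Cisco document), this Python script turns the %ASA-5-111008 / %ASA-5-111010 messages and the show failover history output above into detection events, so that a failover role change can be attributed to the user and source address that issued the command. The sample log lines are constructed from the document's own; the extra remote session (user admin, IP 192.0.2.50) and the second history row are assumptions added to exercise the correlation.

```python
"""Detect operator-initiated failover changes from FTD (LINA) syslog.

Added example, not from the Cisco document. It parses %ASA-5-111008 and
%ASA-5-111010, keeps only commands that alter failover state, merges the two
messages one command produces (so the source IP from 111010 is attached),
and matches 'show failover history' rows whose reason is "Set by the config
command" to the command that caused them. Sample lines are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two lines from the document, one benign command,
# and one failover command from a remote session (assumed user/IP).
SAMPLE_SYSLOG = """\
Jul 22 2016 10:39:26: %ASA-5-111008: User 'enable_15' executed the 'no failover active' command.
Jul 22 2016 10:39:26: %ASA-5-111010: User 'enable_15', running 'N/A' from IP 0.0.0.0, executed 'no failover active'
Jul 22 2016 10:40:02: %ASA-5-111008: User 'enable_15' executed the 'show failover history' command.
Jul 22 2016 11:02:10: %ASA-5-111010: User 'admin', running 'N/A' from IP 192.0.2.50, executed 'failover active'
"""

# Constructed sample: the document's history row plus an assumed second row.
SAMPLE_HISTORY = """\
==========================================================================
From State                 To State                   Reason
10:39:26 EEST Jul 22 2016
Active                     Standby Ready              Set by the config command
11:02:10 EEST Jul 22 2016
Standby Ready              Just Active                Set by the config command
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
RE_111008 = re.compile(TS + r": %ASA-\d-111008: User '(?P<user>[^']+)'"
                       r" executed the '(?P<cmd>[^']+)' command")
RE_111010 = re.compile(TS + r": %ASA-\d-111010: User '(?P<user>[^']+)',"
                       r" running '[^']*' from IP (?P<ip>\S+), executed '(?P<cmd>[^']+)'")
STATE_ALT = (r"Active|Standby Ready|Just Active|Failed|Negotiation|Not Detected|"
             r"Disabled|Cold Standby|Sync Config|Bulk Sync")
RE_HIST_TS = re.compile(r"^\d{2}:\d{2}:\d{2} \w+ \w{3} \d{1,2} \d{4}$")
RE_HIST_ROW = re.compile(r"^(?P<src>" + STATE_ALT + r")\s+(?P<dst>" + STATE_ALT +
                         r")\s+(?P<reason>.+)$")


def is_failover_command(cmd: str) -> bool:
    """True for commands that change failover state or configuration."""
    words = cmd.split()
    return bool(words) and (words[0] == "failover" or words[:2] == ["no", "failover"])


def detect_failover_commands(log_text: str) -> List[Dict[str, str]]:
    """One event per (time, user, command), with the source IP when logged.

    The document's FMC-initiated switch logs IP 0.0.0.0 in 111010; a real
    remote address points at an interactive session instead.
    """
    events: Dict[Tuple[str, str, str], Dict[str, str]] = {}
    for line in log_text.splitlines():
        m = RE_111010.match(line) or RE_111008.match(line)
        if not m or not is_failover_command(m["cmd"]):
            continue
        key = (m["ts"], m["user"], m["cmd"])
        ev = events.setdefault(key, {"time": m["ts"], "user": m["user"],
                                     "command": m["cmd"], "source_ip": ""})
        if "ip" in m.groupdict():
            ev["source_ip"] = m["ip"]
    return list(events.values())


def parse_failover_history(text: str) -> List[Dict[str, str]]:
    """Transitions as time/from/to/reason; the timestamp precedes each row."""
    rows: List[Dict[str, str]] = []
    pending_ts = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if RE_HIST_TS.match(line):
            pending_ts = line
            continue
        row = RE_HIST_ROW.match(line)
        if row and pending_ts:
            rows.append({"time": pending_ts, "from": row["src"], "to": row["dst"],
                         "reason": row["reason"].strip()})
            pending_ts = ""
    return rows


def correlate(history: List[Dict[str, str]],
              events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Attach user/command/source to each 'Set by the config command' transition.

    History stamps start with HH:MM:SS and syslog stamps end with it; the
    time of day is used as the join key (an assumption for this sample).
    """
    by_tod = {ev["time"][-8:]: ev for ev in events}
    out: List[Dict[str, str]] = []
    for row in history:
        if row["reason"] != "Set by the config command":
            continue
        ev = by_tod.get(row["time"][:8], {})
        out.append({**row, "user": ev.get("user", "unknown"),
                    "command": ev.get("command", "unknown"),
                    "source_ip": ev.get("source_ip", "")})
    return out


if __name__ == "__main__":
    for hit in correlate(parse_failover_history(SAMPLE_HISTORY),
                         detect_failover_commands(SAMPLE_SYSLOG)):
        print(hit)
```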
Task requirements:
Break the failover pair in the FMC.
Solution:
Step 1. Select the icon, as shown in the image.
Step 2. Check the notification, as shown in the image.
Step 3. Note the message, as shown in the image.
Step 4. Verify the result from the FMC GUI, as shown in the image.
The show running-config on the primary unit before and after the HA break:
Before the HA break:

firepower# sh run
: Saved
:
: Serial Number: FLM19267A63
: Hardware:   FPR9K-SM-36, 135839 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 10.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
 urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit primary
failover lan interface forver_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbb.1111 aaaa.bbb.2222
failover mac address Ethernet1/6 aaaa.bbb.3333 aaaa.bbb.4444
failover link forver_link Ethernet1/4
failover interface ip forver_link 10.10.1.1 255.255.255.0 standby 10.10.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:933c594fc0264082edc0f24bad358031
: end
firepower#

After the HA break:

firepower# sh run
: Saved
:
: Serial Number: FLM19267A63
: Hardware:   FPR9K-SM-36, 135839 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 10.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
 urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fb6f5c369dee730b9125650517dbb059
: end
firepower#
The show running-config on the secondary unit before and after the HA break:
Before the HA break:

firepower# sh run
: Saved
:
: Serial Number: FLM19206H7T
: Hardware:   FPR9K-SM-36, 135841 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 10.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
 urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit secondary
failover lan interface forver_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbb.1111 aaaa.bbb.2222
failover mac address Ethernet1/6 aaaa.bbb.3333 aaaa.bbb.4444
failover link forver_link Ethernet1/4
failover interface ip forver_link 10.10.1.1 255.255.255.0 standby 10.10.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e648f92dd7ef47ee611f2aaa5c6cbd84
: end
firepower#

After the HA break:

firepower# sh run
: Saved
:
: Serial Number: FLM19206H7T
: Hardware:   FPR9K-SM-36, 135841 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 10.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
 urgent-flag allow
!
no pager
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:08ed87194e9f5cd9149fab3c0e9cefc3
: end
firepower#
Main points about the HA break:
Primary unit: all failover configuration is removed; the standby IP addresses are retained.
Secondary unit: all configuration is removed.
Step 5. After you complete this task, re-create the HA pair.
Task requirements:
Disable the failover pair in the FMC.
Solution:
Step 1. Select the icon, as shown in the image.
Step 2. Check the notification and confirm, as shown in the image.
Step 3. After the HA is deleted, both units are unregistered (removed) from the FMC.
The show running-config output from the LINA CLI, as shown in the table:
Primary unit:

firepower# sh run
: Saved
:
: Serial Number: FLM19267A63
: Hardware:   FPR9K-SM-36, 135839 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 10.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
 urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit primary
failover lan interface forver_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbb.1111 aaaa.bbb.2222
failover mac address Ethernet1/6 aaaa.bbb.3333 aaaa.bbb.4444
failover link forver_link Ethernet1/4
failover interface ip forver_link 10.10.1.1 255.255.255.0 standby 10.10.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:933c594fc0264082edc0f24bad358031
: end
firepower#

Secondary unit:

firepower# sh run
: Saved
:
: Serial Number: FLM19206H7T
: Hardware:   FPR9K-SM-36, 135841 MB RAM, CPU Xeon E5 series 2294 MHz, 2 CPUs (72 cores)
:
NGFW Version 10.1.1
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
!
tcp-map UM_STATIC_TCP_MAP
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
 urgent-flag allow
!
no pager
logging enable
logging timestamp
logging standby
logging buffer-size 100000
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
mtu diagnostic 1500
mtu Inside 1500
mtu Outside 1500
failover
failover lan unit secondary
failover lan interface forver_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbb.1111 aaaa.bbb.2222
failover mac address Ethernet1/6 aaaa.bbb.3333 aaaa.bbb.4444
failover link forver_link Ethernet1/4
failover interface ip forver_link 10.10.1.1 255.255.255.0 standby 10.10.1.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa proxy-limit disable
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e648f92dd7ef47ee611f2aaa5c6cbd84
: end
firepower#
Step 4. Neither FTD unit is registered with the FMC:
> show managers
No managers configured.
Main points about the 'Disable HA' option in the FMC:
Primary unit: the device is removed from the FMC. No configuration is removed from the FTD unit.
Secondary unit: the device is removed from the FMC. No configuration is removed from the FTD unit.
Step 5. Run this command to remove the failover configuration from the FTD units:
> configure high-availability disable
High-availability will be disabled. Do you really want to continue?
Please enter 'YES' or 'NO': yes
Successfully disabled high-availability.
Note: The command must be run on both units.
The result is:
Primary unit:

> show failover
Failover Off

Secondary unit:

> show failover
>
主要 |
次要 |
firepower# show run ! hostname firepower 使能密碼8Ry2YjIyt7RRXU24已加密 姓名 arp timeout 14400 no arp permit-nonconnected arp rate-limit 16384 ! interface GigabitEthernet1/1 nameif outside cts manual(cts手冊) propagate sgt preserve-untag 策略靜態sgt disabled trusted 安全級別0 ip address 10.1.1.1 255.255.255.0 < — 刪除了備用IP ! interface GigabitEthernet1/2 nameif inside cts manual(cts手冊) propagate sgt preserve-untag 策略靜態sgt disabled trusted 安全級別0 ip address 192.168.1.1 255.255.255.0 < — 刪除了備用IP ! interface GigabitEthernet1/3 說明LAN故障切換介面 ! interface GigabitEthernet1/4 description STATE Failover Interface ! interface GigabitEthernet1/5 關機 no nameif 無安全級別 no ip address ! interface GigabitEthernet1/6 關機 no nameif 無安全級別 no ip address ! interface GigabitEthernet1/7 關機 no nameif 無安全級別 no ip address ! interface GigabitEthernet1/8 關機 no nameif 無安全級別 no ip address ! 介面管理1/1 僅管理 nameif diagnostic cts manual(cts手冊) propagate sgt preserve-untag 策略靜態sgt disabled trusted 安全級別0 no ip address ! ftp mode passive ngips conn-match vlan-id access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit udp any any eq 3544 rule-id 9998 access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD_HA - Default/1 access-list CSM_FW_ACL_ remark rule-id 268435456: L4 RULE: DEFAULT ACTION RULE access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435456 ! tcp-map UM_STATIC_TCP_MAP tcp-options range 6 7 allow tcp選項範圍9 18 allow tcp-options range 20 255 allow tcp選項md5 clear urgent-flag allow ! 
無尋呼機 logging enable 日誌記錄時間戳 logging buffered debugging logging flash-minimum-free 1024 logging flash-maximum-allocation 3076 no logging message 106015 no logging message 313001 no logging message 313008 no logging message 106023 no logging message 710005 no logging message 710003 no logging message 106100 no logging message 302015 no logging message 302014 no logging message 302013 no logging message 302018 no logging message 302017 no logging message 302016 no logging message 302021 no logging message 302020 1500以外的mtu mtu inside 1500 mtu diagnostic 1500 無故障切換 icmp無法連線速率限制1 burst-size 1 no asdm history enable access-group CSM_FW_ACL_ global 00社群*****體版本2c no snmp-server location no snmp-server contact snmp-server community ***** service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet超時5 控制檯超時0 dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map 引數 message-length maximum client auto 消息長度最大值512 no tcp-inspection policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP 引數 eool操作允許 nop action allow router-alert action allow policy-map global_policy class inspection_default 檢查dns預設_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp 檢查esmtp inspect sqlnet inspect skinny inspect sunrpc 檢查xdmcp 檢查sip 檢查netbios inspect tftp inspect icmp inspect icmp error 檢查dcerpc inspect ip-options UM_STATIC_IP_OPTIONS_MAP class class-default set connection advanced-options UM_STATIC_TCP_MAP ! service-policy global_policy global prompt hostname context call-home profile CiscoTAC-1 無活動 目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService 目的地址電郵callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group環境 定期(每月)訂閱警報組清單 定期(每月)配置subscribe-to-alert-group 訂閱警報組遙測資料每日定期 Cryptochecksum:768a03e90b9d3539773b9d7af66b3452 |
firepower# show run
!
hostname firepower
enable password 8Ry2YjIyt7RRXU24 encrypted
names
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 description LAN Failover Interface
!
interface GigabitEthernet1/4
 description STATE Failover Interface
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998
access-list CSM_FW_ACL_ advanced permit udp any any eq 3544 rule-id 9998
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD_HA - Default/1
access-list CSM_FW_ACL_ remark rule-id 268435456: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435456
!
tcp-map UM_STATIC_TCP_MAP
  tcp-options range 6 7 allow
  tcp-options range 9 18 allow
  tcp-options range 20 255 allow
  tcp-options md5 clear
  urgent-flag allow
!
no pager
logging enable
logging timestamp
logging buffered debugging
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710005
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu diagnostic 1500
no failover
failover lan unit secondary
failover lan interface OVER GigabitEthernet1/3
failover replication http
failover link STATE GigabitEthernet1/4
failover interface ip OVER 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover interface ip STATE 10.10.2.1 255.255.255.0 standby 10.10.2.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa proxy-limit disable
snmp-server host outside 192.168.1.100 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
console timeout 0
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect dcerpc
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ac9b8f401e18491fee653f4cfe0ce18f
Main points about disabling HA through the FTD CLI:
Primary device | Secondary device |
---|---|
Failover configuration and standby IPs, timeout xlate 3:00:00, timeout pat-xlate 0:00:30, timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02, timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00, timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00, timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute, timeout tcp-proxy-reassembly 0:00:30, timeout floating-conn 0:00:00, timeout conn-holddown 0:00:15, aaa proxy-limit disable, and snmp-server host outside 192.168.1.1 were removed. | |
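Reading two long show run outputs side by side to work out which commands were removed is error-prone. The Python script below is an added example for this article, not Cisco code: it normalises two running-config captures, lists the commands that exist on only one unit, and reports the named interfaces whose ip address line no longer carries a standby address (the ones that later trigger the "standby IP address is not configured" warning). The two excerpts it compares are constructed from the show run outputs above; the one-space indentation of sub-commands is an assumption about how the captures were taken, since the unit prints them that way but a copy-paste may not keep it.

```python
"""Compare two FTD running-config captures and report which commands differ.

Added example for this article; not Cisco code. The captures below are
constructed excerpts modelled on the show run outputs in the article and
assume the one-space indentation of sub-commands that the unit prints.
"""
import re

# Constructed excerpt: the unit whose HA was disabled from the FTD CLI
PRIMARY_RUN = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0 <-- Standby IP removed
!
mtu outside 1500
no failover
access-group CSM_FW_ACL_ global
snmp-server community *****
Cryptochecksum:0000000000000000
"""

# Constructed excerpt: the peer unit that still carries the failover commands
SECONDARY_RUN = """\
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
mtu outside 1500
no failover
failover lan unit secondary
failover lan interface OVER GigabitEthernet1/3
failover replication http
failover link STATE GigabitEthernet1/4
failover interface ip OVER 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover interface ip STATE 10.10.2.1 255.255.255.0 standby 10.10.2.2
access-group CSM_FW_ACL_ global
timeout xlate 3:00:00
aaa proxy-limit disable
snmp-server community *****
Cryptochecksum:1111111111111111
"""

ANNOTATION = re.compile(r"\s*<--.*$")  # '<-- ...' notes added by hand are not config


def normalize(config: str) -> list[str]:
    """Turn a running-config into 'parent / child' entries.

    Top-level commands stay as they are; indented sub-commands are prefixed
    with the block they belong to, so 'shutdown' under GigabitEthernet1/1 is
    not confused with 'shutdown' under another interface. Separators ('!'),
    blank lines and the checksum trailer are dropped.
    """
    entries: list[str] = []
    parent = None
    for raw in config.splitlines():
        text = ANNOTATION.sub("", raw.rstrip())
        if not text.strip() or text.strip() == "!" or text.startswith("Cryptochecksum"):
            continue
        if text.startswith(" ") and parent is not None:
            entries.append(f"{parent} / {text.strip()}")
        else:
            parent = text.strip()
            entries.append(parent)
    return entries


def config_diff(left: str, right: str) -> dict[str, list[str]]:
    """Return the entries present on only one of the two units, in config order."""
    l_entries, r_entries = normalize(left), normalize(right)
    l_set, r_set = set(l_entries), set(r_entries)
    return {
        "only_on_left": [e for e in l_entries if e not in r_set],
        "only_on_right": [e for e in r_entries if e not in l_set],
    }


def failover_entries(entries: list[str]) -> list[str]:
    """Keep only the failover commands (the 'no failover' toggle is excluded)."""
    return [e for e in entries if e.split(" / ")[-1].startswith("failover ")]


def interfaces_without_standby(config: str) -> list[str]:
    """Named interfaces whose 'ip address' line carries no standby address."""
    missing: list[str] = []
    nameif = None
    for entry in normalize(config):
        if " / " not in entry:
            nameif = None  # a new top-level block starts; forget the old name
            continue
        child = entry.split(" / ", 1)[1]
        if child.startswith("nameif "):
            nameif = child.split(None, 1)[1]
        elif child.startswith("ip address ") and nameif and " standby " not in child:
            missing.append(nameif)
    return missing


if __name__ == "__main__":
    diff = config_diff(PRIMARY_RUN, SECONDARY_RUN)
    print("Present only on the secondary (removed from the primary):")
    for entry in diff["only_on_right"]:
        print("  ", entry)
    print("Interfaces without a standby IP on the primary:",
          interfaces_without_standby(PRIMARY_RUN))
```

Run it against real captures by replacing the two constructed strings with the full show run output of each unit; the failover_entries helper is handy when you only want to confirm that the failover block itself, rather than unrelated drift, is what separates the two configurations.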
Step 6. Once the task is complete, register the devices to the FMC and enable the HA pair.
Task requirement:
Suspend HA through the FTD CLISH CLI
Solution:
Step 1. On the primary FTD, run the command and confirm (type YES).
> configure high-availability suspend
Please ensure that no deployment operation is in progress before suspending high-availability.
Please enter 'YES' to continue if there is no deployment operation in progress and 'NO' if you wish to abort: YES
Successfully suspended high-availability.
Step 2. Verify the change on the primary unit:
> show high-availability config
Failover Off
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Step 3. Result on the secondary unit:
> show high-availability config
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Step 4. Resume HA on the primary unit:
> configure high-availability resume
Successfully resumed high-availablity.
>
.
No Active mate detected
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
>
> show high-availability config
Failover On
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Step 5. Result on the secondary unit after HA is resumed:
>
..
Detected an Active mate
Beginning configuration replication from mate.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
End configuration replication from mate.
>
> show high-availability config
Failover On
Failover unit Secondary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
>
After configuration replication, is the configuration saved immediately (line by line) or at the end of the replication?
At the end of the replication. The evidence is at the end of the debug fover sync command output, which shows the configuration/command replication:
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1506 remark rule-id 268442578: L7 RULE: ACP_Rule_500
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1507 advanced permit tcp object-group group_10 eq 48894 object-group group_10 eq 23470 vlan eq 1392 rule-id 268442578
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1508 remark rule-id 268442078: ACCESS POLICY: mzafeiro_500 - Default
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1509 remark rule-id 268442078: L4 RULE: DEFAULT ACTION RULE
...
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ advanced permit tcp object-group group_2 eq 32881 object-group group_433 eq 39084 vlan eq 1693 rule-id 268442076
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id 268442077: ACCESS POLICY: mzafeiro_ACP1500 - Mandatory
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id 268442077: L7 RULE: ACP_Rule_1500
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ advanced permit tcp object-group group_6 eq 8988 object-group group_311 eq 32433 vlan eq 619 rule-id 268442077
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id 268440577: ACCESS POLICY: mzafeiro_ACP1500 - Default
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id 268440577: L4 RULE: DEFAULT ACTION RULE
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268442078 event-log flow-start
cli_xml_server: frep_write_cmd: Cmd: crypto isakmp nat-traversal
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_311
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_433
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_6
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_2
cli_xml_server: frep_write_cmd: Cmd: write memory <--
What happens if a unit is in the pseudo-Standby state (failover disabled) and you reload it while the other unit has failover enabled and is Active?
You end up in an Active/Active scenario (although technically it is Active/Failover-Off). Specifically, once the unit boots, failover is disabled, but the unit uses the same IPs as the Active unit. So effectively you have:
If you disable failover manually (configure high-availability suspend) and then reload the unit, what happens to the failover configuration?
When you disable failover, the change is not permanent (it is not saved to the startup-config unless you explicitly decide to do so). You can reboot/reload the unit in two different ways, and you must be careful with the second one:
Case 1. Reboot from CLISH
A reboot through CLISH does not ask for confirmation. Therefore, the configuration change is not saved to the startup-config:
> configure high-availability suspend
Please ensure that no deployment operation is in progress before suspending high-availability.
Please enter 'YES' to continue if there is no deployment operation in progress and 'NO' if you wish to abort: YES
Successfully suspended high-availability.
The running-config has failover disabled. In this case the unit was in the Standby state and, as expected, went into the pseudo-Standby state to avoid an Active/Active scenario:
firepower# show failover | include Failover
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)
The startup-config still has failover enabled:
firepower# show startup | include failover
failover
failover lan unit secondary
failover lan interface FOVER Ethernet1/1
failover replication http
failover link FOVER Ethernet1/1
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover ipsec pre-shared-key *****
Reboot the unit through CLISH (reboot command):
> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': YES
Broadcast message from root@
Threat Defense System: CMD=-stop, CSP-ID=cisco-ftd.6.2.2.81__ftd_001_JMX2119L05CYRIBVX1, FLAG=''
Cisco FTD stopping ...
Once the unit boots, failover is enabled, so the unit enters the failover negotiation phase and tries to detect the remote peer:
User enable_1 logged in to firepower
Logins over the last 1 days: 1. Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
firepower>
.
Detected an Active mate
Case 2. Reload from the LINA CLI
A reload through LINA (reload command) asks for confirmation. Therefore, if you choose Y (yes), the configuration change is saved to the startup-config:
firepower# reload
System config has been modified. Save? [Y]es/[N]o: Y <-- Be careful. This will disable the failover in the startup-config
Cryptochecksum: 31857237 8658f618 3234be7c 854d583a
8781 bytes copied in 0.940 secs
Proceed with reload? [confirm]
firepower# show startup | include failover
no failover
failover lan unit secondary
failover lan interface FOVER Ethernet1/1
failover replication http
failover link FOVER Ethernet1/1
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover ipsec pre-shared-key *****
Once the unit boots, failover is disabled:
firepower# show failover | include Fail
Failover Off
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)
Note: To avoid this situation, make sure you do not save the changes to the startup-config when the system prompts you.
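The difference between the two cases comes down to whether "no failover" made it into the startup-config, and that is easy to check before a maintenance window rather than after the reload. The Python script below is an added example for this article, not Cisco code: it classifies a unit from two captures, the show failover output of the running system and show startup | include failover, and distinguishes a suspension that a reboot undoes from one that survives it. The sample captures are constructed from the Case 1 and Case 2 outputs above; the script assumes each command sits on its own line, as the unit prints it.

```python
"""Classify a unit's failover state from 'show failover' and
'show startup-config | include failover' captures.

Added example for this article; not Cisco code. The captures below are
constructed from the Case 1 / Case 2 outputs quoted in the article and
assume one command per line, as the unit prints them.
"""
import re
from typing import Optional

# Constructed from Case 1: suspended in the running-config only
CASE1_SHOW_FAILOVER = """\
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)
"""
CASE1_STARTUP = """\
failover
failover lan unit secondary
failover lan interface FOVER Ethernet1/1
failover replication http
failover link FOVER Ethernet1/1
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover ipsec pre-shared-key *****
"""

# Constructed from Case 2: 'no failover' was written to the startup-config
CASE2_SHOW_FAILOVER = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)
"""
CASE2_STARTUP = "no failover\n" + CASE1_STARTUP.split("\n", 1)[1]

# Constructed: a unit with failover running normally
HEALTHY_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)
"""

FAILOVER_STATE = re.compile(r"^Failover (On|Off)(?: \((pseudo-Standby)\))?", re.M)
FAILOVER_UNIT = re.compile(r"^Failover unit (\w+)", re.M)


def running_failover_state(show_failover: str) -> dict:
    """Parse the first lines of 'show failover' into a small state record."""
    m = FAILOVER_STATE.search(show_failover)
    if m is None:
        raise ValueError("no 'Failover On/Off' line found in the capture")
    unit = FAILOVER_UNIT.search(show_failover)
    return {
        "enabled": m.group(1) == "On",
        "pseudo_standby": m.group(2) is not None,
        "unit": unit.group(1) if unit else None,
    }


def startup_failover_enabled(show_startup: str) -> Optional[bool]:
    """True if the saved config turns failover on, False if it has 'no failover',
    None if neither toggle is present (incomplete capture)."""
    if re.search(r"^no failover\s*$", show_startup, re.M):
        return False
    if re.search(r"^failover\s*$", show_startup, re.M):
        return True
    return None


def assess(show_failover: str, show_startup: str) -> tuple[str, str]:
    """Return (severity, explanation) for the combination of the two captures."""
    run = running_failover_state(show_failover)
    saved = startup_failover_enabled(show_startup)
    unit = run["unit"] or "this"
    if run["enabled"]:
        return "ok", f"{unit} unit: failover is On in the running-config"
    if saved is True:
        return "transient", (f"{unit} unit: failover is suspended in the running-config only; "
                             "a reboot without saving brings it back")
    if saved is False:
        return "persistent", (f"{unit} unit: 'no failover' is in the startup-config; after a "
                              "reload the unit stays Failover Off and shares the Active unit's IPs")
    return "unknown", "the startup-config capture has no failover toggle line"


if __name__ == "__main__":
    for label, fo, st in (("Case 1", CASE1_SHOW_FAILOVER, CASE1_STARTUP),
                          ("Case 2", CASE2_SHOW_FAILOVER, CASE2_STARTUP),
                          ("Healthy", HEALTHY_SHOW_FAILOVER, CASE2_STARTUP)):
        severity, why = assess(fo, st)
        print(f"{label}: {severity.upper()} - {why}")
```

A "persistent" result is the state the note above warns about: the only remediation is to re-enable failover and save, or to resume HA from the FMC, before the unit is reloaded again; a "transient" result needs no action beyond answering N at the reload prompt.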
Navigating the Cisco Firepower 4100/9300 FXOS Documentation
Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting Best Practices for Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Advanced Malware Protection (AMP)
Revision | Publish Date | Comments |
---|---|---|
3.0 | 07-Aug-2023 | Updated SEO, style requirements, and formatting. |
2.0 | 04-Aug-2022 | Article updated for formatting, style requirements, machine translation, gerunds, and grammar. |
1.0 | 29-Sep-2021 | Initial Release |