在 Firepower 設備上設定 FTD 高可用性

已更新: 2023 年 8 月 7 日
文件 ID:212699

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本文件說明如何設定和確認 FPR9300 的 Firepower Threat Defense (FTD) 高可用性 (HA)(作用中/待命容錯移轉)。

    必要條件

    需求

    本文件沒有特定需求。

    採用元件

    本文中的資訊係根據以下軟體和硬體版本:

    • 2 個 Cisco Firepower 9300 安全設備 - FXOS SW 2.0(1.23)
    • FTD版本10.10.1.1(內部版本1023)
    • Firepower Management Center (FMC) - SW 10.10.1.1(組建 1023)

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    :在搭載FTD的FPR9300裝置上,您只能設定機箱間HA。HA 組態中的兩個裝置必須符合本文件提及的條件。

    任務1.驗證條件

    工作需求:

    確認兩台FTD裝置均符合備註要求,且均可設定為HA裝置。

    解決方案:

    步驟 1.連線到FPR9300管理IP並驗證模組硬體。

    確認 FPR9300-1 硬體。

    KSEC-FPR9K-1-A# show server inventory
Server Equipped PID Equipped VID Equipped Serial (SN) Slot Status      Ackd Memory (MB) Ackd Cores
------- ------------ ------------ -------------------- ---------------- ---------------- ----------
1/1     FPR9K-SM-36  V01          FLM19216KK6          Equipped                   262144         36
1/2     FPR9K-SM-36  V01          FLM19206H71          Equipped                   262144         36
1/3     FPR9K-SM-36  V01          FLM19206H7T          Equipped                   262144         36
KSEC-FPR9K-1-A#

    確認 FPR9300-2 硬體。

    KSEC-FPR9K-2-A# show server inventory
Server  Equipped PID Equipped VID Equipped Serial (SN) Slot Status      Ackd Memory (MB) Ackd Cores
------- ------------ ------------ -------------------- ---------------- ---------------- ----------
1/1     FPR9K-SM-36  V01          FLM19206H9T          Equipped                   262144         36
1/2     FPR9K-SM-36  V01          FLM19216KAX          Equipped                   262144         36
1/3     FPR9K-SM-36  V01          FLM19267A63          Equipped                   262144         36
KSEC-FPR9K-2-A#

    步驟 2.登入到FPR9300-1 Chassis Manager並導航至Logical Devices

    如圖所示,驗證軟體的版本、數量和介面型別。

    FPR9300-1

    FTD High Availability on Firepower - 9300-1 Logical Devices - Software Version, Number and Type of Interfaces

    FPR9300-2

    FTD High Availability on Firepower - 9300-2 Logical Devices - Software Version, Number and Type of Interfaces

    任務2.在FPR9300上配置FTD HA

    工作需求:

    按照此圖表設定作用中/待命容錯移轉 (HA)。

    FTD High Availability on Firepower - FTD HA on FPR9300 Topology

    解決方案:

    兩個 FTD 裝置已在 FMC 註冊,如圖所示。

    FTD High Availability on Firepower - FTD Devices Registered on the FMC

    步驟 1.若要設定FTD容錯移轉,請導覽至Devices > Device Management,然後選擇Add High Availability,如下圖所示。

    FTD High Availability on Firepower - Configure FTD Failover

    步驟 2.輸入Primary PeerSecondary Peer,然後選擇Continue,如下圖所示。

    FTD High Availability on Firepower - Add High Availability Pair

    警告:確保選擇正確的裝置作為主要裝置。所選主裝置上的所有配置都將複製到所選輔助FTD裝置。通過複製,可以替換輔助裝置上的當前配置。

    狀況

    若要在 2 個 FTD 裝置之間建立 HA,必須符合下列條件:

    • 型號相同
    • 相同版本 — 這適用於FXOS和FTD — 主要(第一個數字)、次要(第二個數字)和維護(第三個數字)必須相等。
    • 介面數目相同
    • 介面類型相同
    • 兩台裝置作為FMC中同一組/域的一部分。
    • 具有相同的網路時間協定(NTP)配置。
    • 完全部署在FMC上,無未提交的更改。
    • 處於相同的防火牆模式:路由或透明。
    note-icon

    :在FTD裝置和FMC GUI上都必須檢查此問題,因為FTD具有相同的模式的情況已存在,但FMC不會反映此情況。

    • 任何介面均未配置DHCP/乙太網點對點協議(PPPoE)。
    • 兩個機箱的主機名[完全限定域名(FQDN)]不同。若要檢查機箱主機名稱,請導覽至FTD CLI,然後執行以下命令:
    firepower# show chassis-management-url

https://KSEC-FPR9K-1.cisco.com:443//

    :在6.3後FTD中,使用命令show chassis detail

    firepower# show chassis detail
Chassis URL              : https://KSEC-FPR4100-1:443//
Chassis IP               : 192.0.2.1
Chassis Serial Number    : JMX12345678
Security Module          : 1

    如果兩個機箱的名稱相同,請使用下列命令變更其中一個機箱的名稱:  

    KSEC-FPR9K-1-A# scope system
KSEC-FPR9K-1-A /system # set name FPR9K-1new
Warning: System name modification changes FC zone name and redeploys them non-disruptively
KSEC-FPR9K-1-A /system* # commit-buffer
FPR9K-1-A /system # exit
FPR9K-1new-A#

    變更機箱名稱後,請從 FMC 取消註冊 FTD,然後再重新註冊。接著,繼續建立 HA 配對。

    步驟 3.配置HA並宣告鏈路設定。

    依照您的情況,狀態連結的設定與高可用性相同。

    選擇Add,並等待幾分鐘,以便部署HA配對,如下圖所示。

    FTD High Availability on Firepower - Add High Availability Link, State Link, and IPsec Encryption

    步驟 4.配置資料介面(主和備用IP地址)

    在FMC GUI中選擇HA Edit,如下圖所示。

    FTD High Availability on Firepower - Choose FTD to Edit

    步驟 5.如圖所示配置介面設定。

    乙太網路 1/5 介面。

    FTD High Availability on Firepower - Edit Physical Interface - Ethernet 1/5

    乙太網路 1/6 介面。

    FTD High Availability on Firepower - Edit Physical Interface - Ethernet 1/6

    步驟 6.導覽至High Availability,然後選擇Interface Name Edit以新增備用IP地址,如下圖所示。

    FTD High Availability on Firepower - Edit Standby IP Addresses

    步驟 7.對於Inside介面,如下圖所示。

    FTD High Availability on Firepower - Edit Standby IP Address - Inside Interface

    步驟 8.對Outside介面執行相同操作。

    步驟 9.確認如圖所示的結果。

    FTD High Availability on Firepower - Monitored Interfaces Showing Standby IP Addresses

    步驟 10.停留在高可用性頁籤上,並配置虛擬MAC地址,如下圖所示。

    FTD High Availability on Firepower - Configure Virtual MAC Addresses

    步驟 11.如圖所示。

    FTD High Availability on Firepower - Add Interface MAC Address

    步驟 12.對Outside介面執行相同操作。

    步驟 13.確認如圖所示的結果。

    FTD High Availability on Firepower - Interface MAC Addresses Verification

    步驟 14.設定變更後,選擇SaveDeploy

    任務3.驗證FTD HA和許可證

    工作需求:

    透過 FMC GUI 和 FTD CLI 確認 FTD HA 設定和已啟用的授權。

    解決方案:

    步驟 1.導覽至Summary,然後檢查HA設定和已啟用的授權,如下圖所示。

    FTD High Availability on Firepower - Verify High Availability Settings and Enabled Licenses

    步驟 2.在FTD CLISH CLI中,執行以下命令:

    > show high-availability config
Failover On
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(1), Mate 9.6(1)
Serial Number: Ours FLM19267A63, Mate FLM19206H7T
Last Failover at: 18:32:38 EEST Jul 21 2016
	This host: Primary - Active
		Active time: 3505 (sec)
		slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(1)) status (Up Sys)
		  Interface diagnostic (0.0.0.0): Normal (Waiting)
		slot 1: snort rev (1.0)  status (up)
		slot 2: diskstatus rev (1.0)  status (up)
	Other host: Secondary - Standby Ready
		Active time: 172 (sec)
		slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.6(1)) status (Up Sys)
		  Interface diagnostic (0.0.0.0): Normal (Waiting)
		slot 1: snort rev (1.0)  status (up)
		slot 2: diskstatus rev (1.0)  status (up)

Stateful Failover Logical Update Statistics
	Link : fover_link Ethernet1/4 (up)
	Stateful Obj 	xmit       xerr       rcv        rerr
	General		417        0          416        0
	sys cmd  	416        0          416        0
	up time  	0          0          0          0
	RPC services  	0          0          0          0
	TCP conn 	0          0          0          0
	UDP conn 	0          0          0          0
	ARP tbl  	0          0          0          0
	Xlate_Timeout  	0          0          0          0
	IPv6 ND tbl  	0          0          0          0
	VPN IKEv1 SA 	0          0          0          0
	VPN IKEv1 P2 	0          0          0          0
	VPN IKEv2 SA 	0          0          0          0
	VPN IKEv2 P2 	0          0          0          0
	VPN CTCP upd 	0          0          0          0
	VPN SDI upd 	0          0          0          0
	VPN DHCP upd 	0          0          0          0
	SIP Session 	0          0          0          0
	SIP Tx 	0          0          0          0
	SIP Pinhole 	0          0          0          0
	Route Session 	0          0          0          0
	Router ID 	0          0          0          0
	User-Identity 	1          0          0          0
	CTS SGTNAME 	0          0          0          0
	CTS PAC 	0          0          0          0
	TrustSec-SXP 	0          0          0          0
	IPv6 Route 	0          0          0          0
	STS Table 	0          0          0          0

	Logical Update Queue Information
	 	 	Cur 	Max 	Total
	Recv Q: 	0 	10 	416
	Xmit Q: 	0 	11 	2118

>

    步驟 3.在輔助裝置上執行相同操作。

    步驟 4.從LINA CLI執行show failover state命令:

    firepower# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             18:32:56 EEST Jul 21 2016

====Configuration State===
	Sync Done
====Communication State===
	Mac set

firepower#

    步驟 5.從主裝置(LINA CLI)驗證設定:

    firepower# show running-config failover
failover
failover lan unit primary
failover lan interface fover_link Ethernet1/4
failover replication http
failover mac address Ethernet1/5 aaaa.bbbb.1111 aaaa.bbbb.2222
failover mac address Ethernet1/6 aaaa.bbbb.3333 aaaa.bbbb.4444
failover link fover_link Ethernet1/4
failover interface ip fover_link 10.10.1.1 255.255.255.0 standby 10.10.1.2
firepower#

firepower# show running-config interface
!
interface Ethernet1/2
 management-only
 nameif diagnostic
 security-level 0
 no ip address
!
interface Ethernet1/4
 description LAN/STATE Failover Interface
!
interface Ethernet1/5
 nameif Inside
 security-level 0
 ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11
!
interface Ethernet1/6
 nameif Outside
 security-level 0
 ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11
firepower#

    任務4.切換故障切換角色

    工作需求:

    在 FMC 中,將容錯移轉角色從「主要/作用中」、「次要/待命」切換成「主要/待命」、「次要/作用中」

    解決方案:

    步驟 1.選擇圖示,如下圖所示。

    FTD High Availability on Firepower - Switch Failover Roles

    步驟 2.確認彈出視窗上的操作,如下圖所示。

    FTD High Availability on Firepower - Switch Failover Roles Confirmation

    步驟 3.確認如圖所示的結果。

    FTD High Availability on Firepower - Switch Failover Roles Verification

    在 LINA CLI 中,您可以看到已在主要/作用中裝置上執行 no failover active 命令:

    Jul 22 2016 10:39:26: %ASA-5-111008: User 'enable_15' executed the 'no failover active' command.
Jul 22 2016 10:39:26: %ASA-5-111010: User 'enable_15', running 'N/A' from IP 0.0.0.0, executed 'no failover active'

    您亦可在 show failover history 命令輸出中進行確認:

    firepower# show failover history
==========================================================================
From State                 To State                   Reason
10:39:26 EEST Jul 22 2016
Active                     Standby Ready              Set by the config command

    步驟 4.驗證後,使主裝置再次處於活動狀態。

    任務5.中斷HA配對

    工作需求:

    在 FMC 中分割容錯移轉配對。

    解決方案:

    步驟 1.選擇圖示,如下圖所示。

    FTD High Availability on Firepower - Break the Failover Pair

    步驟 2.檢查通知,如下圖所示。

    FTD High Availability on Firepower - Break the Failover Pair Confirmation

    步驟 3.請注意如下圖所示的消息。

    FTD High Availability on Firepower - Break the Failover Pair Message

    步驟 4.從FMC GUI驗證結果,如下圖所示。

    FTD High Availability on Firepower - Break the Failover Pair Verification

    在執行 HA 分割之前和之後,主要裝置上的 show running-config

    執行 HA 分割之前

    執行 HA 分割之後

    firepower# sh run

    :已儲存

    :

    :序列號:FLM19267A63

    :硬體:FPR9K-SM-36、135839 MB RAM、CPU Xeon E5系列2294 MHz、2個CPU(72個核心)

    :

    NGFW版本10.1.1

    !

    hostname firepower

    使能密碼8Ry2YjIyt7RRXU24已加密

    姓名

    !

    interface Ethernet1/2

    僅管理

    nameif diagnostic

    安全級別0

    no ip address

    !

    interface Ethernet1/4

    說明LAN/STATE故障切換介面

    !

    interface Ethernet1/5

    nameif Inside

    安全級別0

    ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11

    !

    interface Ethernet1/6

    nameif Outside

    安全級別0

    ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11

    !

    ftp mode passive

    ngips conn-match vlan-id

    access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1

    access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP

    access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both

    access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1

    access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600

    !

    tcp-map UM_STATIC_TCP_MAP

    tcp-options range 6 7 allow

    tcp-options range 9 255 allow

    urgent-flag allow

    !

    無尋呼機

    logging enable

    日誌記錄時間戳

    日誌記錄備用

    logging buffer-size 100000

    logging buffered debugging

    logging flash-minimum-free 1024

    logging flash-maximum-allocation 3076

    mtu diagnostic 1500

    mtu Inside 1500

    mtu Outside 1500

    容錯移轉

    failover lan unit primary

    failover lan interface forver_link Ethernet1/4

    故障切換複製http

    故障轉移mac address Ethernet1/5 aaaa.bbb.1111 aaaa.bbb.2222

    故障轉移mac地址Ethernet1/6 aaaa.bbb.3333 aaaa.bbb.4444

    failover link forver_link Ethernet1/4

    故障切換介面ip forver_link 10.10.1.1 255.255.255.0備用10.10.1.2

    icmp無法連線速率限制1 burst-size 1

    no asdm history enable

    arp timeout 14400

    no arp permit-nonconnected

    access-group CSM_FW_ACL_ global

    超時xlate 3:00:00

    timeout pat-xlate 0:00:30

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:00:30

    timeout floating-conn 0:00:00

    aaa proxy-limit disable

    no snmp-server location

    no snmp-server contact

    no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    crypto ipsec security-association pmtu-aging infinite

    crypto ca trustpool policy

    telnet超時5

    ssh strichthostkeycheck

    ssh超時5

    ssh key-exchange group dh-group1-sha1

    控制檯超時0

    dynamic-access-policy-record DfltAccessPolicy

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    引數

    message-length maximum client auto

    消息長度最大值512

    policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    引數

    eool操作允許

    nop action allow

    router-alert action allow

    policy-map global_policy

    class inspection_default

    檢查dns預設_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    檢查xdmcp

    檢查sip

    檢查netbios

    inspect tftp

    inspect icmp

    inspect icmp error

    檢查dcerpc

    inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    class class-default

    set connection advanced-options UM_STATIC_TCP_MAP

    !

    service-policy global_policy global

    prompt hostname context

    call-home

    profile CiscoTAC-1

    無活動

    目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService

    目的地址電郵callhome@cisco.com

    destination transport-method http

    subscribe-to-alert-group diagnostic

    subscribe-to-alert-group環境

    定期(每月)訂閱警報組清單

    定期(每月)配置subscribe-to-alert-group

    訂閱警報組遙測資料每日定期

    Cryptochecksum:933c594fc0264082edc0f24bad358031

    :結束

    firepower#

    firepower# sh run

    :已儲存

    :

    :序列號:FLM19267A63

    :硬體:FPR9K-SM-36、135839 MB RAM、CPU Xeon E5系列2294 MHz、2個CPU(72個核心)

    :

    NGFW版本10.1.1

    !

    hostname firepower

    使能密碼8Ry2YjIyt7RRXU24已加密

    姓名

    !

    interface Ethernet1/2

    僅管理

    nameif diagnostic

    安全級別0

    no ip address

    !

    interface Ethernet1/4

    no nameif

    無安全級別

    no ip address

    !

    interface Ethernet1/5

    nameif Inside

    安全級別0

    ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11

    !

    interface Ethernet1/6

    nameif Outside

    安全級別0

    ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11

    !

    ftp mode passive

    ngips conn-match vlan-id

    access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1

    access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP

    access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both

    access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1

    access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600

    !

    tcp-map UM_STATIC_TCP_MAP

    tcp-options range 6 7 allow

    tcp-options range 9 255 allow

    urgent-flag allow

    !

    無尋呼機

    logging enable

    日誌記錄時間戳

    日誌記錄備用

    logging buffer-size 100000

    logging buffered debugging

    logging flash-minimum-free 1024

    logging flash-maximum-allocation 3076

    mtu diagnostic 1500

    mtu Inside 1500

    mtu Outside 1500

    無故障切換

    no monitor-interface service-module

    icmp無法連線速率限制1 burst-size 1

    no asdm history enable

    arp timeout 14400

    no arp permit-nonconnected

    access-group CSM_FW_ACL_ global

    超時xlate 3:00:00

    timeout pat-xlate 0:00:30

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:00:30

    timeout floating-conn 0:00:00

    aaa proxy-limit disable

    no snmp-server location

    no snmp-server contact

    no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    crypto ipsec security-association pmtu-aging infinite

    crypto ca trustpool policy

    telnet超時5

    ssh strichthostkeycheck

    ssh超時5

    ssh key-exchange group dh-group1-sha1

    控制檯超時0

    dynamic-access-policy-record DfltAccessPolicy

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    引數

    message-length maximum client auto

    消息長度最大值512

    policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    引數

    eool操作允許

    nop action allow

    router-alert action allow

    policy-map global_policy

    class inspection_default

    檢查dns預設_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    檢查xdmcp

    檢查sip

    檢查netbios

    inspect tftp

    inspect icmp

    inspect icmp error

    檢查dcerpc

    inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    class class-default

    set connection advanced-options UM_STATIC_TCP_MAP

    !

    service-policy global_policy global

    prompt hostname context

    call-home

    profile CiscoTAC-1

    無活動

    目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService

    目的地址電郵callhome@cisco.com

    destination transport-method http

    subscribe-to-alert-group diagnostic

    subscribe-to-alert-group環境

    定期(每月)訂閱警報組清單

    定期(每月)配置subscribe-to-alert-group

    訂閱警報組遙測資料每日定期

    Cryptochecksum:fb6f5c369dee730b9125650517dbb059

    :結束

    firepower#

    在HA中斷之前和之後在輔助裝置上顯示running-config,如下表所示。

    執行 HA 分割之前

    執行 HA 分割之後

    firepower# sh run

    :已儲存

    :

    :序列號:FLM19206H7T

    :硬體:FPR9K-SM-36、135841 MB RAM、CPU Xeon E5系列2294 MHz、2個CPU(72個核心)

    :

    NGFW版本10.1.1

    !

    hostname firepower

    使能密碼8Ry2YjIyt7RRXU24已加密

    姓名

    !

    interface Ethernet1/2

    僅管理

    nameif diagnostic

    安全級別0

    no ip address

    !

    interface Ethernet1/4

    說明LAN/STATE故障切換介面

    !

    interface Ethernet1/5

    nameif Inside

    安全級別0

    ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11

    !

    interface Ethernet1/6

    nameif Outside

    安全級別0

    ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11

    !

    ftp mode passive

    ngips conn-match vlan-id

    access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1

    access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP

    access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both

    access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1

    access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600

    !

    tcp-map UM_STATIC_TCP_MAP

    tcp-options range 6 7 allow

    tcp-options range 9 255 allow

    urgent-flag allow

    !

    無尋呼機

    logging enable

    日誌記錄時間戳

    日誌記錄備用

    logging buffer-size 100000

    logging buffered debugging

    logging flash-minimum-free 1024

    logging flash-maximum-allocation 3076

    mtu diagnostic 1500

    mtu Inside 1500

    mtu Outside 1500

    容錯移轉

    故障轉移lan裝置輔助

    failover lan interface forver_link Ethernet1/4

    故障切換複製http

    故障轉移mac address Ethernet1/5 aaaa.bbb.1111 aaaa.bbb.2222

    故障轉移mac地址Ethernet1/6 aaaa.bbb.3333 aaaa.bbb.4444

    failover link forver_link Ethernet1/4

    故障切換介面ip forver_link 10.10.1.1 255.255.255.0備用10.10.1.2

    icmp無法連線速率限制1 burst-size 1

    no asdm history enable

    arp timeout 14400

    no arp permit-nonconnected

    access-group CSM_FW_ACL_ global

    超時xlate 3:00:00

    timeout pat-xlate 0:00:30

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:00:30

    timeout floating-conn 0:00:00

    user-identity default-domain LOCAL

    aaa proxy-limit disable

    no snmp-server location

    no snmp-server contact

    no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    crypto ipsec security-association pmtu-aging infinite

    crypto ca trustpool policy

    telnet超時5

    ssh strichthostkeycheck

    ssh超時5

    ssh key-exchange group dh-group1-sha1

    控制檯超時0

    dynamic-access-policy-record DfltAccessPolicy

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    引數

    message-length maximum client auto

    消息長度最大值512

    policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    引數

    eool操作允許

    nop action allow

    router-alert action allow

    policy-map global_policy

    class inspection_default

    檢查dns預設_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    檢查xdmcp

    檢查sip

    檢查netbios

    inspect tftp

    inspect icmp

    inspect icmp error

    檢查dcerpc

    inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    class class-default

    set connection advanced-options UM_STATIC_TCP_MAP

    !

    service-policy global_policy global

    prompt hostname context

    call-home

    profile CiscoTAC-1

    無活動

    目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService

    目的地址電郵callhome@cisco.com

    destination transport-method http

    subscribe-to-alert-group diagnostic

    subscribe-to-alert-group環境

    定期(每月)訂閱警報組清單

    定期(每月)配置subscribe-to-alert-group

    訂閱警報組遙測資料每日定期

    Cryptochecksum:e648f92dd7ef47ee611f2aaa5c6cbd84

    :結束

    firepower#

    firepower# sh run

    :已儲存

    :

    :序列號:FLM19206H7T

    :硬體:FPR9K-SM-36、135841 MB RAM、CPU Xeon E5系列2294 MHz、2個CPU(72個核心)

    :

    NGFW版本10.1.1

    !

    hostname firepower

    使能密碼8Ry2YjIyt7RRXU24已加密

    姓名

    !

    interface Ethernet1/2

    僅管理

    nameif diagnostic

    安全級別0

    no ip address

    !

    interface Ethernet1/4

    關機

    no nameif

    無安全級別

    no ip address

    !

    interface Ethernet1/5

    關機

    no nameif

    無安全級別

    no ip address

    !

    interface Ethernet1/6

    關機

    no nameif

    無安全級別

    no ip address

    !

    ftp mode passive

    ngips conn-match vlan-id

    access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1

    access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP

    access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both

    access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1

    access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600

    !

    tcp-map UM_STATIC_TCP_MAP

    tcp-options range 6 7 allow

    tcp-options range 9 255 allow

    urgent-flag allow

    !

    無尋呼機

    no logging message 106015

    no logging message 313001

    no logging message 313008

    no logging message 106023

    no logging message 710003

    no logging message 106100

    no logging message 302015

    no logging message 302014

    no logging message 302013

    no logging message 302018

    no logging message 302017

    no logging message 302016

    no logging message 302021

    no logging message 302020

    mtu diagnostic 1500

    無故障切換

    no monitor-interface service-module

    icmp無法連線速率限制1 burst-size 1

    no asdm history enable

    arp timeout 14400

    no arp permit-nonconnected

    access-group CSM_FW_ACL_ global

    超時xlate 3:00:00

    timeout pat-xlate 0:00:30

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:00:30

    timeout floating-conn 0:00:00

    aaa proxy-limit disable

    no snmp-server location

    no snmp-server contact

    no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    crypto ipsec security-association pmtu-aging infinite

    crypto ca trustpool policy

    telnet超時5

    ssh strichthostkeycheck

    ssh超時5

    ssh key-exchange group dh-group1-sha1

    控制檯超時0

    dynamic-access-policy-record DfltAccessPolicy

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    引數

    message-length maximum client auto

    消息長度最大值512

    policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    引數

    eool操作允許

    nop action allow

    router-alert action allow

    policy-map global_policy

    class inspection_default

    檢查dns預設_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    檢查xdmcp

    檢查sip

    檢查netbios

    inspect tftp

    inspect icmp

    inspect icmp error

    檢查dcerpc

    inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    class class-default

    set connection advanced-options UM_STATIC_TCP_MAP

    !

    service-policy global_policy global

    prompt hostname context

    call-home

    profile CiscoTAC-1

    無活動

    目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService

    目的地址電郵callhome@cisco.com

    destination transport-method http

    subscribe-to-alert-group diagnostic

    subscribe-to-alert-group環境

    定期(每月)訂閱警報組清單

    定期(每月)配置subscribe-to-alert-group

    訂閱警報組遙測資料每日定期

    Cryptochecksum:08ed87194e9f5cd9149fab3c0e9cefc3

    :結束

    firepower#

    HA 分割的主要注意事項:

    主裝置

    輔助裝置

    會移除所有容錯移轉組態.

    備用IP地址保留。

    會移除所有組態.

    步驟 5.完成此任務後,重新建立HA配對。

    任務6.停用HA配對

    工作需求:

    在 FMC 中停用容錯移轉配對。

    解決方案:

    步驟 1.選擇圖示,如下圖所示。

    FTD High Availability on Firepower - Disable the Failover Pair

    步驟 2.如圖所示檢查通知並進行確認。

    FTD High Availability on Firepower - Disable the Failover Pair Confirmation

    步驟 3.刪除HA後,兩台裝置都會從FMC中註銷(移除)。

    LINA CLI 傳回的 show running-config 結果,如下表所示:

    主裝置

    輔助裝置

    firepower# sh run

    :已儲存

    :

    :序列號:FLM19267A63

    :硬體:FPR9K-SM-36、135839 MB RAM、CPU Xeon E5系列2294 MHz、2個CPU(72個核心)

    :

    NGFW版本10.1.1

    !

    hostname firepower

    使能密碼8Ry2YjIyt7RRXU24已加密

    姓名

    !

    interface Ethernet1/2

    僅管理

    nameif diagnostic

    安全級別0

    no ip address

    !

    interface Ethernet1/4

    說明LAN/STATE故障切換介面

    !

    interface Ethernet1/5

    nameif Inside

    安全級別0

    ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11

    !

    interface Ethernet1/6

    nameif Outside

    安全級別0

    ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11

    !

    ftp mode passive

    ngips conn-match vlan-id

    access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1

    access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP

    access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both

    access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1

    access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600

    !

    tcp-map UM_STATIC_TCP_MAP

    tcp-options range 6 7 allow

    tcp-options range 9 255 allow

    urgent-flag allow

    !

    無尋呼機

    logging enable

    日誌記錄時間戳

    日誌記錄備用

    logging buffer-size 100000

    logging buffered debugging

    logging flash-minimum-free 1024

    logging flash-maximum-allocation 3076

    mtu diagnostic 1500

    mtu Inside 1500

    mtu Outside 1500

    容錯移轉

    failover lan unit primary

    failover lan interface forver_link Ethernet1/4

    故障切換複製http

    故障轉移mac address Ethernet1/5 aaaa.bbb.1111 aaaa.bbb.2222

    故障轉移mac地址Ethernet1/6 aaaa.bbb.3333 aaaa.bbb.4444

    failover link forver_link Ethernet1/4

    故障切換介面ip forver_link 10.10.1.1 255.255.255.0備用10.10.1.2

    icmp無法連線速率限制1 burst-size 1

    no asdm history enable

    arp timeout 14400

    no arp permit-nonconnected

    access-group CSM_FW_ACL_ global

    超時xlate 3:00:00

    timeout pat-xlate 0:00:30

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:00:30

    timeout floating-conn 0:00:00

    aaa proxy-limit disable

    no snmp-server location

    no snmp-server contact

    no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    crypto ipsec security-association pmtu-aging infinite

    crypto ca trustpool policy

    telnet超時5

    ssh strichthostkeycheck

    ssh超時5

    ssh key-exchange group dh-group1-sha1

    控制檯超時0

    dynamic-access-policy-record DfltAccessPolicy

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    引數

    message-length maximum client auto

    消息長度最大值512

    policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    引數

    eool操作允許

    nop action allow

    router-alert action allow

    policy-map global_policy

    class inspection_default

    檢查dns預設_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    檢查xdmcp

    檢查sip

    檢查netbios

    inspect tftp

    inspect icmp

    inspect icmp error

    檢查dcerpc

    inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    class class-default

    set connection advanced-options UM_STATIC_TCP_MAP

    !

    service-policy global_policy global

    prompt hostname context

    call-home

    profile CiscoTAC-1

    無活動

    目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService

    目的地址電郵callhome@cisco.com

    destination transport-method http

    subscribe-to-alert-group diagnostic

    subscribe-to-alert-group環境

    定期(每月)訂閱警報組清單

    定期(每月)配置subscribe-to-alert-group

    訂閱警報組遙測資料每日定期

    Cryptochecksum:933c594fc0264082edc0f24bad358031

    :結束

    firepower#

    firepower# sh run

    :已儲存

    :

    :序列號:FLM19206H7T

    :硬體:FPR9K-SM-36、135841 MB RAM、CPU Xeon E5系列2294 MHz、2個CPU(72個核心)

    :

    NGFW版本10.1.1

    !

    hostname firepower

    使能密碼8Ry2YjIyt7RRXU24已加密

    姓名

    !

    interface Ethernet1/2

    僅管理

    nameif diagnostic

    安全級別0

    no ip address

    !

    interface Ethernet1/4

    說明LAN/STATE故障切換介面

    !

    interface Ethernet1/5

    nameif Inside

    安全級別0

    ip address 192.168.75.10 255.255.255.0 standby 192.168.75.11

    !

    interface Ethernet1/6

    nameif Outside

    安全級別0

    ip address 192.168.76.10 255.255.255.0 standby 192.168.76.11

    !

    ftp mode passive

    ngips conn-match vlan-id

    access-list CSM_FW_ACL_ remark rule-id 268447744: ACCESS POLICY: FTD9300 - Mandatory/1

    access-list CSM_FW_ACL_ remark rule-id 268447744: L4 RULE: Allow_ICMP

    access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268447744 event-log both

    access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD9300 - Default/1

    access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: DEFAULT ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600

    !

    tcp-map UM_STATIC_TCP_MAP

    tcp-options range 6 7 allow

    tcp-options range 9 255 allow

    urgent-flag allow

    !

    無尋呼機

    logging enable

    日誌記錄時間戳

    日誌記錄備用

    logging buffer-size 100000

    logging buffered debugging

    logging flash-minimum-free 1024

    logging flash-maximum-allocation 3076

    mtu diagnostic 1500

    mtu Inside 1500

    mtu Outside 1500

    容錯移轉

    故障轉移lan裝置輔助

    failover lan interface forver_link Ethernet1/4

    故障切換複製http

    故障轉移mac address Ethernet1/5 aaaa.bbb.1111 aaaa.bbb.2222

    故障轉移mac地址Ethernet1/6 aaaa.bbb.3333 aaaa.bbb.4444

    failover link forver_link Ethernet1/4

    故障切換介面ip forver_link 10.10.1.1 255.255.255.0備用10.10.1.2

    icmp無法連線速率限制1 -size 1

    no asdm history enable

    arp timeout 14400

    no arp permit-nonconnected

    access-group CSM_FW_ACL_ global

    超時xlate 3:00:00

    timeout pat-xlate 0:00:30

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:00:30

    timeout floating-conn 0:00:00

    user-identity default-domain LOCAL

    aaa proxy-limit disable

    no snmp-server location

    no snmp-server contact

    no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    crypto ipsec security-association pmtu-aging infinite

    crypto ca trustpool policy

    telnet超時5

    ssh strichthostkeycheck

    ssh超時5

    ssh key-exchange group dh-group1-sha1

    控制檯超時0

    dynamic-access-policy-record DfltAccessPolicy

    !

    class-map inspection_default

    match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

    引數

    message-length maximum client auto

    消息長度最大值512

    policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    引數

    eool操作允許

    nop action allow

    router-alert action allow

    policy-map global_policy

    class inspection_default

    檢查dns預設_dns_map

    inspect ftp

    inspect h323 h225

    inspect h323 ras

    inspect rsh

    inspect rtsp

    inspect sqlnet

    inspect skinny

    inspect sunrpc

    檢查xdmcp

    檢查sip

    檢查netbios

    inspect tftp

    inspect icmp

    inspect icmp error

    檢查dcerpc

    inspect ip-options UM_STATIC_IP_OPTIONS_MAP

    class class-default

    set connection advanced-options UM_STATIC_TCP_MAP

    !

    service-policy global_policy global

    prompt hostname context

    call-home

    profile CiscoTAC-1

    無活動

    目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService

    目的地址電郵callhome@cisco.com

    destination transport-method http

    subscribe-to-alert-group diagnostic

    subscribe-to-alert-group環境

    定期(每月)訂閱警報組清單

    定期(每月)配置subscribe-to-alert-group

    訂閱警報組遙測資料每日定期

    Cryptochecksum:e648f92dd7ef47ee611f2aaa5c6cbd84

    :結束

    firepower#

    步驟 4.兩台FTD裝置均未從FMC註冊:

    > show managers
No managers configured.

    FMC 中「停用 HA 」選項的主要注意事項:

    主裝置

    輔助裝置

    會從 FMC 中移除裝置。

    不會從 FTD 裝置移除任何組態.

    會從 FMC 中移除裝置。

    不會從 FTD 裝置移除任何組態.

    步驟 5.運行此命令以從FTD裝置刪除故障切換配置:

    > configure high-availability disable
High-availability will be disabled. Do you really want to continue?
Please enter 'YES' or 'NO': yes
Successfully disabled high-availability.

    :必須在兩個裝置上運行命令

    結果是:

    主裝置

    輔助裝置

    > show failover

    Failover Off
    Failover unit Secondary
    Failover LAN Interface: not Configured
    Reconnect timeout 0:00:00
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 2 of 1041 maximum
    MAC Address Move Notification Interval not set
    >

    > show failover
    Failover Off (pseudo-Standby)
    Failover unit Secondary
    Failover LAN Interface: FOVER Ethernet1/3.205 (up)
    Reconnect timeout 0:00:00
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 0 of 1041 maximum
    MAC Address Move Notification Interval not set
    failover replication http

    >

    主要

    次要

    firepower# show run

    !

    hostname firepower

    使能密碼8Ry2YjIyt7RRXU24已加密

    姓名

    arp timeout 14400

    no arp permit-nonconnected

    arp rate-limit 16384

    !

    interface GigabitEthernet1/1

     nameif outside

     cts manual(cts手冊)

      propagate sgt preserve-untag

      策略靜態sgt disabled trusted

     安全級別0

     ip address 10.1.1.1 255.255.255.0 < — 刪除了備用IP

    !

    interface GigabitEthernet1/2

     nameif inside

     cts manual(cts手冊)

      propagate sgt preserve-untag

      策略靜態sgt disabled trusted

     安全級別0

     ip address 192.168.1.1 255.255.255.0 < — 刪除了備用IP

    !

    interface GigabitEthernet1/3

     說明LAN故障切換介面

    !

    interface GigabitEthernet1/4

     description STATE Failover Interface

    !

    interface GigabitEthernet1/5

     關機

     no nameif

     無安全級別

     no ip address

    !

    interface GigabitEthernet1/6

     關機

     no nameif

     無安全級別

     no ip address

    !

    interface GigabitEthernet1/7

     關機

     no nameif

     無安全級別

     no ip address

    !

    interface GigabitEthernet1/8

     關機

     no nameif

     無安全級別

     no ip address

    !

    介面管理1/1

     僅管理

     nameif diagnostic

     cts manual(cts手冊)

      propagate sgt preserve-untag

      策略靜態sgt disabled trusted

     安全級別0

     no ip address

    !

    ftp mode passive

    ngips conn-match vlan-id

    access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy

    access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998

    access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998

    access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998

    access-list CSM_FW_ACL_ advanced permit udp any any eq 3544 rule-id 9998

    access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD_HA - Default/1

    access-list CSM_FW_ACL_ remark rule-id 268435456: L4 RULE: DEFAULT ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435456

    !

    tcp-map UM_STATIC_TCP_MAP

      tcp-options range 6 7 allow

      tcp選項範圍9 18 allow

      tcp-options range 20 255 allow

      tcp選項md5 clear

      urgent-flag allow

    !

    無尋呼機

    logging enable

    日誌記錄時間戳

    logging buffered debugging

    logging flash-minimum-free 1024

    logging flash-maximum-allocation 3076

    no logging message 106015

    no logging message 313001

    no logging message 313008

    no logging message 106023

    no logging message 710005

    no logging message 710003

    no logging message 106100

    no logging message 302015

    no logging message 302014

    no logging message 302013

    no logging message 302018

    no logging message 302017

    no logging message 302016

    no logging message 302021

    no logging message 302020

    1500以外的mtu

    mtu inside 1500

    mtu diagnostic 1500

    無故障切換

    icmp無法連線速率限制1 burst-size 1

    no asdm history enable

    access-group CSM_FW_ACL_ global

    00社群*****體版本2c

    no snmp-server location

    no snmp-server contact

    snmp-server community *****

    service sw-reset-button

    crypto ipsec security-association pmtu-aging infinite

    crypto ca trustpool policy

    telnet超時5

    控制檯超時0

    dynamic-access-policy-record DfltAccessPolicy

    !

    class-map inspection_default

     match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

     引數

      message-length maximum client auto

      消息長度最大值512

      no tcp-inspection

    policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP

     引數

      eool操作允許

      nop action allow

      router-alert action allow

    policy-map global_policy

     class inspection_default

      檢查dns預設_dns_map

      inspect ftp

      inspect h323 h225

      inspect h323 ras

      inspect rsh

      inspect rtsp

      檢查esmtp

      inspect sqlnet

      inspect skinny

      inspect sunrpc

      檢查xdmcp

      檢查sip

    檢查netbios

      inspect tftp

      inspect icmp

      inspect icmp error

      檢查dcerpc

      inspect ip-options UM_STATIC_IP_OPTIONS_MAP

     class class-default

      set connection advanced-options UM_STATIC_TCP_MAP

    !

    service-policy global_policy global

    prompt hostname context

    call-home

     profile CiscoTAC-1

      無活動

      目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService

      目的地址電郵callhome@cisco.com

      destination transport-method http

      subscribe-to-alert-group diagnostic

      subscribe-to-alert-group環境

      定期(每月)訂閱警報組清單

      定期(每月)配置subscribe-to-alert-group

      訂閱警報組遙測資料每日定期

    Cryptochecksum:768a03e90b9d3539773b9d7af66b3452

    firepower# show run

    !

    hostname firepower

    使能密碼8Ry2YjIyt7RRXU24已加密

    姓名

    arp timeout 14400

    no arp permit-nonconnected

    arp rate-limit 16384

    !

    interface GigabitEthernet1/1

     關機

     no nameif

     無安全級別

     no ip address

    !

    interface GigabitEthernet1/2

     關機

     no nameif

     無安全級別

     no ip address

    !

    interface GigabitEthernet1/3

     說明LAN故障切換介面

    !

    interface GigabitEthernet1/4

     description STATE Failover Interface

    !

    interface GigabitEthernet1/5

     關機

     no nameif

     無安全級別

     no ip address

    !

    interface GigabitEthernet1/6

     關機

     no nameif

    無安全級別

     no ip address

    !

    interface GigabitEthernet1/7

     關機

     no nameif

     無安全級別

     no ip address

    !

    interface GigabitEthernet1/8

     關機

     no nameif

     無安全級別

     no ip address

    !

    介面管理1/1

     僅管理

     nameif diagnostic

    cts manual(cts手冊)

      propagate sgt preserve-untag

      策略靜態sgt disabled trusted

     安全級別0

     no ip address

    !

    ftp mode passive

    ngips conn-match vlan-id

    access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy

    access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998

    access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998

    access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998

    access-list CSM_FW_ACL_ advanced permit udp any any eq 3544 rule-id 9998

    access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD_HA - Default/1

    access-list CSM_FW_ACL_ remark rule-id 268435456: L4 RULE: DEFAULT ACTION RULE

    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435456

    !

    tcp-map UM_STATIC_TCP_MAP

      tcp-options range 6 7 allow

      tcp選項範圍9 18 allow

      tcp-options range 20 255 allow

      tcp選項md5 clear

      urgent-flag allow

    !

    無尋呼機

    logging enable

    日誌記錄時間戳

    logging buffered debugging

    logging flash-minimum-free 1024

    logging flash-maximum-allocation 3076

    no logging message 106015

    no logging message 313001

    no logging message 313008

    no logging message 106023

    no logging message 710005

    no logging message 710003

    no logging message 106100

    no logging message 302015

    no logging message 302014

    no logging message 302013

    no logging message 302018

    no logging message 302017

    no logging message 302016

    no logging message 302021

    no logging message 302020

    1500以外的mtu

    mtu inside 1500

    mtu diagnostic 1500

    無故障切換

    故障轉移lan裝置輔助

    failover lan interface OVER GigabitEthernet1/3

    故障切換複製http

    failover link STATE GigabitEthernet1/4

    故障切換介面IP OVER 10.10.1.1 255.255.255.0備用10.10.1.2

    故障切換介面ip狀態10.10.2.1 255.255.255.0備用10.10.2.2

    icmp無法連線速率限制1 burst-size 1

    no asdm history enable

    access-group CSM_FW_ACL_ global

    超時xlate 3:00:00

    timeout pat-xlate 0:00:30

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:00:30

    timeout floating-conn 0:00:00

    timeout conn-holddown 0:00:15

    user-identity default-domain LOCAL

    aaa proxy-limit disable

    snmp-server host outside 192.168.1.100 community ***** version 2c

    no snmp-server location

    no snmp-server contact

    snmp-server community *****

    service sw-reset-button

    crypto ipsec security-association pmtu-aging infinite

    crypto ca trustpool policy

    telnet超時5

    控制檯超時0

    dynamic-access-policy-record DfltAccessPolicy

    !

    class-map inspection_default

     match default-inspection-traffic

    !

    !

    policy-map type inspect dns preset_dns_map

     引數

      message-length maximum client auto

      消息長度最大值512

    no tcp-inspection

    policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP

     引數

      eool操作允許

      nop action allow

      router-alert action allow

    policy-map global_policy

     class inspection_default

      檢查dns預設_dns_map

      inspect ftp

      inspect h323 h225

      inspect h323 ras

      inspect rsh

      inspect rtsp

      檢查esmtp

      inspect sqlnet

      inspect skinny

      inspect sunrpc

      檢查xdmcp

      檢查sip

      檢查netbios

      inspect tftp

      inspect icmp

      inspect icmp error

      檢查dcerpc

      inspect ip-options UM_STATIC_IP_OPTIONS_MAP

     class class-default

      set connection advanced-options UM_STATIC_TCP_MAP

    !

    service-policy global_policy global

    prompt hostname context

    call-home

     profile CiscoTAC-1

      無活動

      目的地址http https://tools.cisco.com/its/service/oddce/services/DDCEService

    目的地址電郵callhome@cisco.com

      destination transport-method http

      subscribe-to-alert-group diagnostic

      subscribe-to-alert-group環境

      定期(每月)訂閱警報組清單

      定期(每月)配置subscribe-to-alert-group

      訂閱警報組遙測資料每日定期

    Cryptochecksum:ac9b8f401e18491fee653f4cfe0ce18f

    透過 FTD CLI 使用「停用 HA」的主要注意事項:

    主裝置

    輔助裝置

    故障切換配置和備用IP超時轉換3:00:00

    timeout pat-xlate 0:00:30

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-temporary-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:00:30

    timeout floating-conn 0:00:00

    timeout conn-holddown 0:00:15

    aaa proxy-limit disable

    已刪除192.168.1.1外部的snmp-server主機。
    • 會移除介面組態.
    • 裝置會進入虛擬待命模式.

    步驟 6.完成任務後,將裝置註冊到FMC並啟用HA配對。

    任務7.掛起HA

    工作需求:

    透過 FTD CLISH CLI 暫停 HA

    解決方案:

    步驟 1.在主FTD上,執行命令並確認(輸入YES)。

    > configure high-availability suspend
Please ensure that no deployment operation is in progress before suspending high-availability.
Please enter 'YES' to continue if there is no deployment operation in progress and 'NO' if you wish to abort: YES
Successfully suspended high-availability.

    步驟 2.驗證主裝置上的更改:

    > show high-availability config
Failover Off
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http

    步驟 3.輔助裝置上的結果:

    > show high-availability config
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http 

    步驟 4.在主裝置上恢復HA:

    > configure high-availability resume
Successfully resumed high-availablity.

> .

	No Active mate detected
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

> 
    > show high-availability config
Failover On
Failover unit Primary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http

    步驟 5.恢復HA後輔助裝置上的結果:

    > ..

	Detected an Active mate
Beginning configuration replication from mate.


WARNING: Failover is enabled but standby IP address is not configured for this interface.
WARNING: Failover is enabled but standby IP address is not configured for this interface.
End configuration replication from mate.

>
    > show high-availability config
Failover On
Failover unit Secondary
Failover LAN Interface: fover_link Ethernet1/4 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1041 maximum
MAC Address Move Notification Interval not set
failover replication http
>

    常見問題 (FAQ)


    複製配置後,是立即(逐行)儲存還是複製結束時儲存?
    在複寫結束時。 證據就是在 debug fover sync 命令輸出的結尾,會顯示組態/命令複寫:

    cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1506 remark rule-id 268442578: L7 RULE: ACP_Rule_500
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1507 advanced permit tcp object-group group_10 eq 48894 object-group group_10 eq 23470 vlan eq 1392 rule-id 268442578
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1508 remark rule-id 268442078: ACCESS POLICY: mzafeiro_500 - Default
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ line 1509 remark rule-id 268442078: L4 RULE: DEFAULT ACTION RULE
...
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ advanced permit tcp object-group group_2 eq 32881 object-group group_433 eq 39084 vlan eq 1693 rule-id 268442076
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id 268442077: ACCESS POLICY: mzafeiro_ACP1500 - Mandatory
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id 268442077: L7 RULE: ACP_Rule_1500
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ advanced permit tcp object-group group_6 eq 8988 object-group group_311 eq 32433 vlan eq 619 rule-id 268442077
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id 268440577: ACCESS POLICY: mzafeiro_ACP1500 - Default
cli_xml_server: frep_write_cmd: Cmd: no access-list CSM_FW_ACL_ line 1510 remark rule-id 268440577: L4 RULE: DEFAULT ACTION RULE
cli_xml_server: frep_write_cmd: Cmd: access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268442078 event-log flow-start
cli_xml_server: frep_write_cmd: Cmd: crypto isakmp nat-traversal
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_311
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_433
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_6
cli_xml_server: frep_write_cmd: Cmd: no object-group network group_2
cli_xml_server: frep_write_cmd: Cmd: write memory <--


    如果裝置處於偽備用狀態(禁用故障轉移),然後您重新載入該裝置,而另一裝置已啟用故障轉移,並且處於活動狀態,將會發生什麼情況?
    您最終會處於主用/主用情形(儘管從技術上講,這是主用/故障切換關閉)。具體地說,就是裝置啟動後,容錯移轉便會停用,但裝置會使用與作用中裝置相同的 IP。因此,您實際上會有:

    • Unit-1:活動
    • Unit-2:故障切換關閉。裝置使用與Unit-1相同的資料IP,但使用不同的MAC地址。


    如果手動禁用故障切換(配置高可用性掛起),然後重新載入裝置,故障切換配置會發生什麼情況?
    禁用故障切換時,它不是永久更改(除非您決定顯式執行此操作,否則不會儲存在startup-config中)。您可以用兩種不同的方法重新啟動/重新載入裝置,但第二種方法必須小心:

    案例1.從CLISH重新啟動

    透過 CLISH 重新啟動不會要求確認。 因此,組態變更不會儲存在啟動組態中:

    > configure high-availability suspend
Please ensure that no deployment operation is in progress before suspending high-availability.
Please enter 'YES' to continue if there is no deployment operation in progress and 'NO' if you wish to abort: YES
Successfully suspended high-availability.

    running-config已禁用故障轉移。在這種情況下,裝置處於「待機」狀態,並按照預期進入偽待機狀態,以避免出現「主用/主用」情況:

    firepower# show failover | include Failover
Failover Off (pseudo-Standby)
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)


    startup-config仍然啟用故障轉移:

    firepower# show startup | include failover
failover
failover lan unit secondary
failover lan interface FOVER Ethernet1/1
failover replication http
failover link FOVER Ethernet1/1
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover ipsec pre-shared-key *****

    透過 CLISH 重新啟動裝置(reboot 命令):

    > reboot
This command will reboot the system.  Continue?
Please enter 'YES' or 'NO': YES

Broadcast message from root@
Threat Defense System: CMD=-stop, CSP-ID=cisco-ftd.6.2.2.81__ftd_001_JMX2119L05CYRIBVX1, FLAG=''
Cisco FTD stopping ...

    裝置啟動後,容錯移轉便會啟用,因此裝置會進入容錯移轉交涉階段並嘗試偵測遠端對等:

    User enable_1 logged in to firepower
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
firepower> .

        Detected an Active mate


    案例2.從LINA CLI重新啟動
    透過 LINA 重新啟動(reload 命令)會要求確認。因此,如果您選擇Y(是),配置更改將儲存到startup-config:

    firepower# reload
System config has been modified. Save? [Y]es/[N]o: Y <-- Be careful. This will disable the failover in the startup-config

Cryptochecksum: 31857237 8658f618 3234be7c 854d583a

8781 bytes copied in 0.940 secs
Proceed with reload? [confirm]
firepower# show startup | include failover
no failover
failover lan unit secondary
failover lan interface FOVER Ethernet1/1
failover replication http
failover link FOVER Ethernet1/1
failover interface ip FOVER 192.0.2.1 255.255.255.0 standby 192.0.2.2
failover ipsec pre-shared-key *****

    裝置啟動後,容錯移轉便會停用:

    firepower# show failover | include Fail
Failover Off
Failover unit Secondary
Failover LAN Interface: FOVER Ethernet1/1 (up)

    :要避免此情況,請確保系統提示您時,不要將更改儲存到startup-config。

    相關資訊

    • 您可以在下列位置找到所有 Cisco Firepower Management Center 版本的組態設定指南:

    導航思科安全防火牆威脅防禦文檔

    • 您可以在下列位置找到所有 FXOS 機箱管理員版本和 CLI 的組態設定指南:

    導航Cisco Firepower 4100/9300 FXOS文檔

    • 思科全球技術協助中心(TAC)強烈建議使用以下視覺指南,以瞭解有關Cisco Firepower下一代安全技術的深入實用知識:

    Cisco Firepower威脅防禦(FTD):下一代防火牆(NGFW)、下一代入侵防禦系統(NGIPS)和高級惡意軟體防護(AMP)的配置和故障排除最佳實踐

    • 有關Firepower技術的所有配置和故障排除技術說明

    思科安全防火牆管理中心

    修訂記錄

    修訂 發佈日期 意見
    3.0
    07-Aug-2023
    更新的SEO、樣式要求和格式。
    2.0
    04-Aug-2022
    文章針對格式、樣式要求、機器翻譯、德語和語法進行了更新。
    1.0
    29-Sep-2021
    初始版本
    TAC Authored

    由思科工程師貢獻

    • Olha Yakovenko
      Cisco TAC Engineer
    • Mikis Zafeiroudis
      Cisco TAC Engineer
    • John Long
      Cisco TAC Engineer

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您