Cisco Firepower FTD HA Configuration Guide

Cisco Firepower Threat Defense is abbreviated Cisco FTD.

Cisco Firepower Threat Defense Virtual is abbreviated Cisco FTDv.

FirePOWER vs. Firepower:

FirePOWER refers to the former Sourcefire products acquired by Cisco, for example the FirePOWER Services module on the ASA 5500-X.

Firepower refers to the hardware and software released after the acquisition, including the Firepower hardware appliances and the Firepower Threat Defense (FTD) software.

Firepower hardware runs FXOS (Firepower eXtensible Operating System) together with the FTD software.

FDM, FTD CLI and FMC

FDM: Firepower Device Manager, the web management UI built into FTD for managing a single device. On the 4100 and 9300 series the chassis (FXOS) has its own web UI, called Firepower Chassis Manager.
FTD CLI: Firepower Threat Defense command line, the built-in command-line interface (shell) of the system.
FMC: Firepower Management Center, the centralized management web console; it runs as a physical appliance or a virtual machine.

The Firepower system is based on the Linux kernel.

Cisco Fire Linux OS v6.7.0 (build 62)
Cisco Firepower Threat Defense for VMWare v6.7.0 (build 65)

show version
-----------------[ ftdv.sysin.org ]-----------------
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.7.0 (Build 65)
UUID : 04f149

Official documentation (English):
High Availability for Firepower Threat Defense

Configure FTD High Availability on Firepower Appliances

1. Prerequisites for creating an HA pair

Summary: same hardware model and same software configuration (same software version and licenses; interfaces configured with DHCP or PPPoE are not supported), and different hostnames.

Requirements from the Cisco documentation. The two devices must:

  • Be the same model.
  • Run the same version (this applies to FXOS and to FTD: major (first number), minor (second number) and maintenance (third number) must be equal).
  • Have the same number and type of interfaces.
  • Be in the same domain and group.
  • Have normal health status and run the same software.
  • Both be in routed mode or both be in transparent mode.
  • Have the same NTP configuration (see Configure NTP Time Synchronization for Threat Defense).
  • Be fully deployed with no uncommitted changes.
  • Not have DHCP or PPPoE configured on any of their interfaces.
  • Have different hostnames (Fully Qualified Domain Names, FQDNs).
2. Cabling

Designate one interface as the Failover Link and, optionally, one interface as the Stateful Failover Link (it may share the Failover Link interface). Connect the corresponding interfaces of the two units directly with a cable.

Tip: use the same interface number on both units, for example GigabitEthernet0/6 as the Failover Link on both devices.
3. Configuration

Via FDM:

  • Make sure the two hostnames differ: Device > System Settings > Hostname
  • Choose the HA interfaces; this example uses GigabitEthernet0/6 and GigabitEthernet0/7
  • Enable those interfaces on both nodes (Device > Interfaces)
  • Enable HA

Primary node:

Device > High Availability, CONFIGURATION

Select Primary Device

Select GigabitEthernet0/6 as the Failover Link interface

IPv4 Primary IP: 192.168.10.1, Secondary IP: 192.168.10.2, Netmask: 255.255.255.0 (these addresses are used only for communication between the two nodes; they just must not collide with addresses in the physical environment)

Select GigabitEthernet0/7 as the Stateful Failover Link interface

IPv4 Primary IP: 192.168.11.1, Secondary IP: 192.168.11.2, Netmask: 255.255.255.0 (these addresses are used only for communication between the two nodes; they just must not collide with addresses in the physical environment)

IPsec Encryption Key (optional). These are new, not yet configured devices, so it is skipped here. Note that without the key, configuration and state replication (including the running configuration) cross the failover links in clear text, which is only acceptable because the links are dedicated, directly cabled interfaces as described above.

Click "Activate HA"; a message reports that the configuration has been copied to the clipboard:

FAILOVER LINK CONFIGURATION

Interface: GigabitEthernet0/6
Primary IP: 192.168.10.1/255.255.255.0
Secondary IP: 192.168.10.2/255.255.255.0

STATEFUL FAILOVER LINK CONFIGURATION

Interface: GigabitEthernet0/7
Primary IP: 192.168.11.1/255.255.255.0
Secondary IP: 192.168.11.2/255.255.255.0

Secondary node:

Device > High Availability, CONFIGURATION

Select Secondary Device, click "PASTE FROM CLIPBOARD" and paste the configuration above; the interfaces are selected and the IPs filled in automatically. Click "Activate HA".

After the configuration completes, the High Availability page shows the device status:

Primary Device.

Current Device Mode: Active Peer:

4. Checking HA status

    FDM

    Device > High Availability (the corresponding page in FMC is Devices > Device Management)

    FTD CLI

    show high-availability config

    show failover state

    # Primary unit

    show running-config failover
    failover
    failover lan unit primary
    failover lan interface failover-link GigabitEthernet0/6
    failover replication http
    failover link stateful-failover-link GigabitEthernet0/7
    failover interface ip failover-link 192.168.10.1 255.255.255.0 standby 192.168.10.2
    failover interface ip stateful-failover-link 192.168.11.1 255.255.255.0 standby 192.168.11.2

    # Secondary unit

    show running-config failover
    failover
    failover lan unit secondary
    failover lan interface failover-link GigabitEthernet0/6
    failover replication http
    failover link stateful-failover-link GigabitEthernet0/7
    failover interface ip failover-link 192.168.10.1 255.255.255.0 standby 192.168.10.2
    failover interface ip stateful-failover-link 192.168.11.1 255.255.255.0 standby 192.168.11.2
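    The prerequisites in section 1 and the two `show running-config failover` dumps above are easy to compare by eye on two units and easy to get wrong on twenty. The following Python is an added example, not code from this article or from Cisco: it parses both stanzas (embedded as sample text taken from the outputs above, plus one deliberately broken secondary that is constructed for the demonstration) together with the `Version` field of `show version`, and reports the mismatches that would keep the pair from forming. The function names and the broken sample are this example's own assumptions.

```python
"""Consistency checks for an FTD failover pair (added example, not Cisco code).

Parses each peer's `show running-config failover` stanza plus the `Version`
field of `show version`, and reports what would prevent the pair from forming:
different release triple, roles that are not one primary and one secondary,
link interfaces or link IPs that differ, or link addresses that are not a
valid active/standby pair inside one subnet. Function names are this
example's own.
"""
import ipaddress
import re

# Sample input: the primary unit's stanza as shown on the page.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface failover-link GigabitEthernet0/6
failover replication http
failover link stateful-failover-link GigabitEthernet0/7
failover interface ip failover-link 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip stateful-failover-link 192.168.11.1 255.255.255.0 standby 192.168.11.2
"""

# A correct secondary is identical except for the unit role.
SECONDARY_CFG = PRIMARY_CFG.replace("lan unit primary", "lan unit secondary")

# Constructed bad secondary: wrong failover-link interface and a stateful
# standby address that is not in the same subnet as its active address.
BROKEN_SECONDARY_CFG = (
    SECONDARY_CFG
    .replace("failover-link GigabitEthernet0/6", "failover-link GigabitEthernet0/5")
    .replace("standby 192.168.11.2", "standby 192.168.12.2")
)

_UNIT = re.compile(r"^failover lan unit (primary|secondary)$")
_LAN_LINK = re.compile(r"^failover lan interface (\S+) (\S+)$")
_STATE_LINK = re.compile(r"^failover link (\S+) (\S+)$")
_LINK_IP = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse_failover(text):
    """Return the stanza as a dict: enabled flag, unit role, (link-name,
    interface) tuples for both links, and {link-name: (active, mask, standby)}."""
    cfg = {"enabled": False, "unit": None, "lan_link": None, "state_link": None, "ips": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "failover":
            cfg["enabled"] = True
        elif m := _UNIT.match(line):
            cfg["unit"] = m.group(1)
        elif m := _LAN_LINK.match(line):
            cfg["lan_link"] = (m.group(1), m.group(2))
        elif m := _STATE_LINK.match(line):
            cfg["state_link"] = (m.group(1), m.group(2))
        elif m := _LINK_IP.match(line):
            cfg["ips"][m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return cfg


def release_triple(version_line):
    """(major, minor, maintenance) from e.g. 'Version 6.7.0 (Build 65)'.
    The build number is ignored on purpose: the prerequisites compare the
    three-part release, not the build."""
    m = re.search(r"Version (\d+)\.(\d+)\.(\d+)", version_line)
    if m is None:
        raise ValueError(f"no version string in {version_line!r}")
    return tuple(int(n) for n in m.groups())


def check_pair(primary_text, secondary_text, primary_version, secondary_version):
    """Return a list of human-readable findings; an empty list means the two
    units are consistent with each other."""
    a, b = parse_failover(primary_text), parse_failover(secondary_text)
    findings = []
    if release_triple(primary_version) != release_triple(secondary_version):
        findings.append("software release differs between peers")
    if not (a["enabled"] and b["enabled"]):
        findings.append("failover is not enabled on both peers")
    if {a["unit"], b["unit"]} != {"primary", "secondary"}:
        findings.append(f"roles must be one primary and one secondary, got {a['unit']}/{b['unit']}")
    for key in ("lan_link", "state_link"):
        if a[key] != b[key]:
            findings.append(f"{key} differs: {a[key]} vs {b[key]}")
    if a["ips"] != b["ips"]:
        findings.append("failover interface ip lines differ between peers")
    # Each link needs two distinct addresses in one subnet; the same
    # active/standby pair is configured on both units, so check both dumps.
    for label, cfg in (("primary", a), ("secondary", b)):
        for name, (active, mask, standby) in cfg["ips"].items():
            net = ipaddress.IPv4Network(f"{active}/{mask}", strict=False)
            if active == standby:
                findings.append(f"{label} {name}: active and standby IP are identical")
            elif ipaddress.IPv4Address(standby) not in net:
                findings.append(f"{label} {name}: standby {standby} is outside {net}")
    return findings


if __name__ == "__main__":
    same = "Version 6.7.0 (Build 65)"
    print("good pair:", check_pair(PRIMARY_CFG, SECONDARY_CFG, same, same) or "OK")
    for f in check_pair(PRIMARY_CFG, BROKEN_SECONDARY_CFG, same, "Version 6.6.1 (Build 91)"):
        print("bad pair:", f)
```

    Feed it the two stanzas captured over SSH from each unit; a non-empty findings list before clicking "Activate HA" saves a round of the peers failing to join and the secondary's interfaces flapping while they try.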

5. Switching failover

      FDM

    Device > High Availability, click the gear icon on the right, Switch Mode

    FTD CLI

    failover
    active Make this system to be the active unit of the failover pair
    exec Execute command on the designated unit
    reload-standby Force standby unit to reboot
    reset Force a unit or failover group to an unfailed state

    To switch the active and standby roles from the CLI, run `failover active` on the standby unit that should become active. `failover reset` does not switch roles: as the help text says, it only returns a failed unit (or failover group) to the unfailed state, for example after a monitored interface has recovered.

    Copyright: published by 玥玥 on 2021-08-10 21:11:15.
    Reprints must credit: Cisco Firepower FTD HA Configuration Guide | 女黑客导航