FireSIGHT System User Guide, page 6-9
Chapter 6 Managing Devices
Configuring High Availability
Primary and Secondary Defense Center Requirements
You must designate one Defense Center as the primary Defense Center and one as the secondary. When appliances switch from Active to Inactive (and vice versa), they retain their original primary and secondary designations.
Regardless of their designations as primary and secondary, both Defense Centers can be configured with policies, rules, managed devices, and so on before you set up high availability.
To avoid confusion, start with the secondary Defense Center in its original state. That is, you have not created or modified any policies, nor created any new rules, nor have you previously managed any devices with it. To make sure the secondary Defense Center is in its original state, restore it to factory defaults. Note that this also deletes event and configuration data from the Defense Center. For more information, see the FireSIGHT System Installation Guide.
Note
You cannot configure a recurring task schedule on the inactive Defense Center. You must recreate the recurring task schedule on a newly activated Defense Center when it changes from Inactive to Active.
Version Requirements
Both Defense Centers must be running the same software and rule update version. Additionally, this software version must be the same or newer than the software version of the managed devices.
Communication Requirements
By default, paired Defense Centers use port 8305/tcp for communications. You can change the port as described in
The two Defense Centers do not need to be on the same network segment, but each of the Defense Centers must be able to communicate with the other and with the devices they share. That is, the primary Defense Center must be able to contact the secondary Defense Center at the IP address on the secondary Defense Center's own management interface, and vice versa. In addition, each Defense Center must be able to contact the devices it manages, or the devices must be able to contact the Defense Center.
Setting Up High Availability
License: Any
Supported Defense Centers: DC1000, DC1500, DC3000, DC3500
To use high availability, you must designate one Defense Center as the primary and another Defense Center of the same model as the secondary. For information about editing the remote management communications between the two appliances, see .
Caution
Cisco recommends that you change configurations only on the primary Defense Center and that you use your secondary Defense Center as a backup.
Before you configure high availability, make sure you synchronize time settings between the Defense Centers you want to link. For details on setting time, see .
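The requirements above (same model from the supported list, identical software and rule update versions, Defense Center software no older than its managed devices, port 8305/tcp reachable on each peer's management interface, and synchronized clocks) can be checked before the pairing is attempted. The following pre-flight checker is an added example, not Cisco code or a FireSIGHT API: the DefenseCenter records are constructed inputs you would fill in from each appliance, and the socket probe runs from wherever the script executes, so it is a stand-in for the peer-to-peer reachability each Defense Center itself must have.

```python
import socket
from dataclasses import dataclass, field
from typing import List

HA_PORT = 8305  # default port for Defense Center peering (tcp), per the guide
SUPPORTED_MODELS = {"DC1000", "DC1500", "DC3000", "DC3500"}


@dataclass
class DefenseCenter:
    name: str
    model: str
    mgmt_ip: str
    software: str           # dotted version string, e.g. "5.4.1" (constructed)
    rule_update: str        # rule update identifier; must match on both peers
    clock: float            # the appliance's clock as a Unix timestamp
    device_versions: List[str] = field(default_factory=list)  # managed devices


def parse_version(v: str) -> tuple:
    """Turn '5.4.1' into (5, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def tcp_reachable(ip: str, port: int = HA_PORT, timeout: float = 3.0) -> bool:
    """Probe from this host; a stand-in for the check each Defense Center must pass."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ha_prerequisites(primary, secondary, reachable=tcp_reachable, max_skew_s=60.0) -> List[str]:
    """Return the list of blocking problems; an empty list means the pair passes."""
    problems = []
    for dc in (primary, secondary):
        if dc.model not in SUPPORTED_MODELS:
            problems.append(f"{dc.name}: model {dc.model} is not an HA-capable model")
        for dv in dc.device_versions:  # DC software must be same or newer than its devices
            if parse_version(dv) > parse_version(dc.software):
                problems.append(f"{dc.name}: managed device at {dv} is newer than {dc.software}")
        if not reachable(dc.mgmt_ip):
            problems.append(f"{dc.name}: {dc.mgmt_ip}:{HA_PORT} not reachable")
    if primary.model != secondary.model:
        problems.append("primary and secondary are different models")
    if primary.software != secondary.software:
        problems.append("software versions differ")
    if primary.rule_update != secondary.rule_update:
        problems.append("rule update versions differ")
    if abs(primary.clock - secondary.clock) > max_skew_s:  # time must be synchronized first
        problems.append(f"clocks differ by more than {max_skew_s:g} s")
    return problems
```

Pass a custom `reachable` callable to run the checks against recorded data without opening sockets.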
Depending upon the number of policies and custom standard text rules they have, it may take up to 10 minutes before all the rules and policies appear on both Defense Centers. You can view the High Availability page to check the status of the link between the two Defense Centers. You can also monitor the Task Status to see when the process completes. See