Cisco FirePOWER Appliance 7010
FireSIGHT System User Guide
Chapter 6 Managing Devices
Configuring High Availability
• explains how to check the status of your linked Defense Centers and how to change the roles of the
  Defense Center if the primary Defense Center fails.
• explains how to permanently remove the link between linked Defense Centers.
• explains how to pause communications between linked Defense Centers.
• explains how to restart communications between linked Defense Centers.
Using High Availability
License: Any
Supported Defense Centers: DC1000, DC1500, DC3000, DC3500
DC1500s and DC3500s support high availability configurations; DC750s and the virtual Defense
Centers do not. Cisco strongly recommends that both Defense Centers in a high availability pair be the
same model. Do not attempt to set up high availability between a Defense Center 1500 and a Defense
Center 3500.
Although Defense Centers in high availability mode are designated primary and secondary, you can
make policy or other changes to either Defense Center. However, Cisco recommends that you change
configurations only on the primary Defense Center and that you keep your secondary Defense Center as
a backup.
Defense Centers periodically update each other on changes to their configurations, and any change you
make to one Defense Center should be applied on the other Defense Center within ten minutes. (Each
Defense Center has a five-minute synchronization cycle, but the cycles themselves could be out of
synchronization by as much as five minutes, so changes appear within two five-minute cycles.) During
this ten-minute window, configurations may appear differently on the Defense Centers.
For example, if you create a policy on your primary Defense Center and apply it to a device that is also
managed by your secondary Defense Center, the device could contact the secondary Defense Center
before the Defense Centers contact each other. Because the device has a policy applied to it that the
secondary Defense Center does not recognize, the secondary Defense Center displays a new policy with
the name “unknown” until the Defense Centers synchronize.
Also, if you make conflicting policy or other changes to both Defense Centers within the same window
between Defense Center syncs, the last change you make takes precedence, regardless of the
designations of the Defense Centers as primary and secondary.
Before you establish a high availability pair, note the following prerequisites:
• Make sure both Defense Centers have a user account named admin with Administrator privileges.
  These accounts must use the same password.
• Make sure that other than the admin account, the two Defense Centers do not have user accounts
  with identical user names. Remove or rename one of the duplicate user accounts before you establish
  high availability.
Note that Defense Centers configured as a high availability pair do not need to be on the same trusted
management network, nor do they have to be in the same geographic location.
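The prerequisites above can be checked before pairing with a short script. This is an added example, not part of the Cisco guide: the inventory format (a model string plus a user-name-to-role mapping per Defense Center), the function name, the "virtual" model label and the sample data are all assumptions, and the user lists would have to be exported by hand.

```python
# Added example: pre-flight check for the high availability prerequisites.
# Assumed input: one dict per Defense Center with "model" and "users"
# (user name -> role). This format is hypothetical, not a FireSIGHT export.

# Models the guide text says cannot be used in a high availability pair.
NO_HA_MODELS = {"DC750", "virtual"}


def check_ha_prerequisites(primary, secondary):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for role, dc in (("primary", primary), ("secondary", secondary)):
        if dc["model"] in NO_HA_MODELS:
            findings.append(f"{role}: model {dc['model']} does not support high availability")
        if dc["users"].get("admin") != "Administrator":
            findings.append(f"{role}: no 'admin' account with Administrator privileges")
    if primary["model"] != secondary["model"]:
        findings.append("models differ: both Defense Centers should be the same model")
    # Apart from admin, no user name may exist on both Defense Centers.
    shared = (set(primary["users"]) & set(secondary["users"])) - {"admin"}
    for name in sorted(shared):
        findings.append(f"user '{name}' exists on both Defense Centers: remove or rename one")
    return findings


# Constructed sample inventories (not real data).
SAMPLE_PRIMARY = {
    "model": "DC1500",
    "users": {"admin": "Administrator", "jsmith": "Security Analyst"},
}
SAMPLE_SECONDARY = {
    "model": "DC3500",
    "users": {"admin": "Administrator", "jsmith": "Administrator", "ops": "Maintenance"},
}

if __name__ == "__main__":
    for finding in check_ha_prerequisites(SAMPLE_PRIMARY, SAMPLE_SECONDARY):
        print("FAIL:", finding)
```

The script deliberately does not handle passwords; confirm separately that both admin accounts use the same password.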