Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 6 Managing Devices
Configuring High Availability
Primary and Secondary Defense Center Requirements
You must designate one Defense Center as the primary Defense Center and one as the secondary. When
appliances switch from Active to Inactive (and vice versa), they retain their original primary and
secondary designations.
Regardless of their designations as primary and secondary, both Defense Centers can be configured with
policies, rules, managed devices, and so on before you set up high availability.
To avoid confusion, start with the secondary Defense Center in its original state. That is, you have not
created or modified any policies, nor created any new rules, nor have you previously managed any
devices with it. To make sure the secondary Defense Center is in its original state, restore it to factory
defaults. Note that this also deletes event and configuration data from the Defense Center. For more
information, see the FireSIGHT System Installation Guide.
Note
You cannot configure a recurring task schedule on the inactive Defense Center. You must recreate the
recurring task schedule on a newly activated Defense Center when it changes from Inactive to Active.
Version Requirements
Both Defense Centers must be running the same software and rule update version. Additionally, this
software version must be the same as or newer than the software version of managed devices.
Communication Requirements
By default, paired Defense Centers use port 8305/tcp for communications. You can change the port as
described in
The two Defense Centers do not need to be on the same network segment, but each of the Defense
Centers must be able to communicate with the other and with the devices they share. That is, the primary
Defense Center must be able to contact the secondary Defense Center at the IP address on the secondary
Defense Center’s own management interface, and vice versa. In addition, each Defense Center must be
able to contact the devices it manages or the devices must be able to contact the Defense Center.
Setting Up High Availability
License: Any
Supported Defense Centers: DC1000, DC1500, DC3000, DC3500
To use high availability, you must designate one Defense Center as the primary and another Defense
Center of the same model as the secondary. For information about editing the remote management
communications between the two appliances, see
.
Caution
Cisco recommends that you change configurations only on the primary Defense Center and that you use
your secondary Defense Center as a backup.
Before you configure high availability, make sure you synchronize time settings between the Defense
Centers you want to link. For details on setting time, see
.
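The prerequisites in this section (same model, matching software and rule update versions, a Defense Center version at least that of every managed device, synchronized time, reachability on 8305/tcp) can be checked before pairing. The following Python check is an added example, not Cisco code; the DefenseCenter record, the 5-second skew tolerance, and all sample values are assumptions.

```python
import re
import socket
from dataclasses import dataclass

HA_PORT = 8305        # default pairing port from the guide (8305/tcp)
MAX_SKEW_SECONDS = 5  # assumed tolerance; the guide gives no figure

@dataclass
class DefenseCenter:  # hypothetical inventory record, filled in by hand
    name: str
    model: str
    software: str
    rule_update: str
    clock: float      # epoch seconds read from the appliance
    mgmt_ip: str

def vtuple(version):
    """'5.4.10' -> (5, 4, 10): compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def port_open(ip, port=HA_PORT, timeout=3.0):
    """TCP probe; only proves the path from the host running this script."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(primary, secondary, device_versions, reachable=port_open):
    """Return the list of unmet prerequisites; an empty list means ready."""
    problems = []
    if primary.model != secondary.model:
        problems.append("model mismatch")
    if vtuple(primary.software) != vtuple(secondary.software):
        problems.append("software version mismatch")
    if primary.rule_update != secondary.rule_update:
        problems.append("rule update version mismatch")
    if abs(primary.clock - secondary.clock) > MAX_SKEW_SECONDS:
        problems.append("clocks not synchronized")
    for dc in (primary, secondary):
        for dev, ver in sorted(device_versions.items()):
            if vtuple(ver) > vtuple(dc.software):
                problems.append(f"{dc.name} older than device {dev}")
        if not reachable(dc.mgmt_ip):
            problems.append(f"{dc.name} unreachable on {HA_PORT}/tcp")
    return problems

# Constructed sample data (documentation-range addresses, made-up versions).
DC_A = DefenseCenter("dc-a", "DC1500", "5.4.9", "2015-01-01-001", 1000.0, "192.0.2.10")
DC_B = DefenseCenter("dc-b", "DC1500", "5.4.9", "2015-01-01-001", 1002.0, "192.0.2.11")
```

The TCP probe confirms only that the pairing port answers from wherever the script runs; the guide's requirement is that each Defense Center reaches the other's management interface, so run it from both management segments.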
Depending upon the number of policies and custom standard text rules they have, it may take up to 10
minutes before all the rules and policies appear on both Defense Centers. You can view the High
Availability page to check the status of the link between the two Defense Centers. You can also monitor
the Task Status to see when the process completes. See