Cisco Firepower Management Center 2000 Technical Manual

fails, you can monitor your network without interruption through the other Defense Center.
High Availability Features
HA synchronization is bi-directional which means even though there is a designated primary
and secondary device, changes added on any one of the devices are replicated to the other.
HA does not require the devices to be directly connected. The HA connection can be done
over a switch but this connection needs to be in the same broadcast domain.
HA devices communicate over their management IP at port 8305.
The HA synchronization interval for a device is five minutes, which means that every five
minutes a device attempts to synchronize its configuration with its peer. Since the time
required for synchronization is specific to each device, the cumulative synchronization time
can be up to ten minutes.
If a reimage is required for a specific HA peer, it is recommended to break the HA and then
reimage.
If you plan to upgrade the HA cluster, it is not necessary to break the HA. When you upgrade
from version 5.3.0 to 5.4.0, upgrade the devices one by one and, once they are upgraded,
perform a synchronization task on the primary Defense Center.
The presence of an access control policy with the same name on both DCs creates two Access
Control Policies of the same name. One policy is configured locally and the other is
synchronized from the peer DC.
Note: You cannot add a target or apply this policy because it returns an error, which
states that there is already a policy with the same name.
Licenses are not synchronized between DC peers; therefore, they must be added
separately to each DC.
All managed devices are added only to one DC. The configuration is synchronized between
the peer DCs.
Managed devices send logs to both the DCs.
DCs synchronize the latest actions. For example, if you delete a user from DC-1, the other peer
DC-2 does not synchronize user configuration to DC-1. It synchronizes the delete action and
the user is lost from both DC-1 & DC-2.
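The rules above can be checked before two DCs are paired. The following Python script is an added example, not Cisco code: the inventory dictionaries, device and policy names are constructed, and comparing management subnets is an assumption standing in for "same broadcast domain".

```python
import ipaddress
import socket

HA_PORT = 8305  # management-interface port the page gives for HA traffic

def peer_reachable(host, port=HA_PORT, timeout=3.0):
    """True if a TCP connection to the peer's HA port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_ha_pair(dc1, dc2):
    """Check two DC inventories against the HA rules listed above."""
    findings = []
    net1 = ipaddress.ip_interface(dc1["mgmt"]).network
    net2 = ipaddress.ip_interface(dc2["mgmt"]).network
    if net1 != net2:
        # Assumption: same subnet approximates "same broadcast domain".
        findings.append(f"mgmt-subnet-mismatch: {net1} vs {net2}")
    # Same-name access control policies end up duplicated after sync.
    for name in sorted(set(dc1["policies"]) & set(dc2["policies"])):
        findings.append(f"policy-name-collision: {name}")
    # A managed device is meant to be added to one DC only.
    for dev in sorted(set(dc1["devices"]) & set(dc2["devices"])):
        findings.append(f"device-on-both-dcs: {dev}")
    # Licenses are not synchronized, so report any held by one peer only.
    for lic in sorted(set(dc1["licenses"]) ^ set(dc2["licenses"])):
        owner = dc1 if lic in dc1["licenses"] else dc2
        findings.append(f"license-only-on-{owner['name']}: {lic}")
    return findings

# Constructed sample inventories (not real exports).
DC1 = {"name": "DC-1", "mgmt": "192.0.2.10/24",
       "policies": ["Default Access Control", "Branch-Offices"],
       "devices": ["sensor-a", "sensor-b"],
       "licenses": ["Protection", "Control"]}
DC2 = {"name": "DC-2", "mgmt": "192.0.2.11/24",
       "policies": ["Default Access Control", "Lab"],
       "devices": ["sensor-b"],
       "licenses": ["Protection"]}

if __name__ == "__main__":
    for finding in audit_ha_pair(DC1, DC2):
        print(finding)
```

Run `peer_reachable()` from each DC's network segment against the other's management IP to confirm that no firewall or ACL between them blocks port 8305.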
Configuration shared bidirectionally between peers
HA DCs synchronize policies bi-directionally. The following configurations are synced bidirectionally
between peers. You can also view most of these configurations at the path given next to
each one: