Cisco Firepower FTD HA Configuration Guide

Posted by: Senior Network Engineer


Cisco Firepower Threat Defense is abbreviated Cisco FTD.

Cisco Firepower Threat Defense Virtual is abbreviated Cisco FTDv.

FirePOWER vs. Firepower:

FirePOWER refers to the former Sourcefire products that Cisco acquired, for example the FirePOWER services on the ASA 5500-X.

Firepower refers to the hardware and software released after the acquisition, including the Firepower hardware appliances and the Firepower Threat Defense (FTD) software.

Firepower hardware runs FXOS (Firepower eXtensible Operating System) together with the FTD software.

FDM, FTD CLI and FMC

FDM: Firepower Device Manager, the web management interface built into Firepower. On 4100 and 9300 series hardware the web interface is called Firepower Chassis Manager.
FTD CLI: Firepower Threat Defense command line, the built-in command line, i.e. the shell.
FMC: Firepower Management Center, the centralized firewall management tool with a web interface; it can be a physical appliance or a virtual machine.

The Firepower system is based on the Linux kernel.

Cisco Fire Linux OS v6.7.0 (build 62)
Cisco Firepower Threat Defense for VMWare v6.7.0 (build 65)

show version
-----------------[ ftdv.sysin.org ]-----------------
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.7.0 (Build 65)
UUID : 04f149c2-b88a-11eb-b23f-b33c620f26d7
VDB version : 338


expert
admin@ftdv:~$ uname -a
Linux ftdv.sysin.org 4.18.45-yocto-standard #1 SMP Wed Oct 21 20:56:12 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
admin@ftdv:~$

1. Introduction to Firepower high availability and scalability

High availability (failover)

Configuring high availability (also called failover) requires two identical Firepower Threat Defense devices connected to each other through a dedicated failover link and a state link. Firepower Threat Defense supports Active/Standby failover, in which one unit is the active unit and passes traffic. The standby unit does not actively pass traffic, but synchronizes the configuration and other state information from the active unit. When a failover occurs, the active unit fails over to the standby unit, which then becomes active.

Clustering

Firepower clustering lets you group multiple devices into a single logical unit, with interfaces scaled out through EtherChannels (also called port channels). Clustering is only available on the Firepower 4100/9300 chassis; see the official documentation for details.

This article describes the High Availability configuration procedure; for details, refer to the following official documents (in English).

High Availability for Firepower Threat Defense

Configure FTD High Availability on Firepower Appliances

2. Requirements for creating an HA pair

Summary: identical hardware model and software configuration (same software version and licenses; interface configurations with DHCP or PPPoE are not supported), and different hostnames.

Are the same model.
Same version (this applies to FXOS and to FTD - (major (first number), minor (second number), and maintenance (third number) must be equal))
Have the same number and type of interfaces.
Are in the same domain and group.
Have normal health status and are running the same software.
Are either in routed or transparent mode.
Have the same NTP configuration. See Configure NTP Time Synchronization for Threat Defense.
Are fully deployed with no uncommitted changes.
Do not have DHCP or PPPoE configured in any of their interfaces.
Different hostname (Fully Qualified Domain Name (FQDN)) for both chassis.

3. Cabling

Designate one interface as the Failover Link and, optionally, one interface as the Stateful Failover Link (it may share the Failover Link interface). Connect the same interface on the two units directly with a cable.

Tip: use the same interface number on both units, for example GigabitEthernet0/6 as the Failover Link on both devices.

4. Configuration procedure

Configure through FDM:

Make sure the two devices have different hostnames

Device > System Setting > Hostname

Designate the HA interfaces

This example uses GigabitEthernet0/6 and GigabitEthernet0/7 respectively

Enable the interfaces on both nodes (Device > Interfaces)

Enable HA

Primary node:

Device > High Availability, CONFIGURATION

Select Primary Device

Select GigabitEthernet0/6 as the Failover Link interface

IPv4 Primary IP: 192.168.10.1, Secondary IP: 192.168.10.2, Netmask: 255.255.255.0 (these IPs are used only for communication between the two nodes; they just must not conflict with the addressing of the physical environment)

Select GigabitEthernet0/7 as the Stateful Failover Link interface

IPv4 Primary IP: 192.168.11.1, Secondary IP: 192.168.11.2, Netmask: 255.255.255.0 (likewise used only for communication between the nodes; they just must not conflict with the physical environment)

IPSec Encryption Key (optional); this is a newly deployed device that has not been configured yet, so it is skipped here

Click "Activate HA"; a prompt indicates that the configuration has been copied to the clipboard

FAILOVER LINK CONFIGURATION

Interface: GigabitEthernet0/6
Primary IP: 192.168.10.1/255.255.255.0
Secondary IP: 192.168.10.2/255.255.255.0

STATEFUL FAILOVER LINK CONFIGURATION

Interface: GigabitEthernet0/7
Primary IP: 192.168.11.1/255.255.255.0
Secondary IP: 192.168.11.2/255.255.255.0

Secondary node:

Device > High Availability, CONFIGURATION

Select Secondary Device, click "PASTE FROM CLIPBOARD" and paste the configuration above; the interfaces are selected and the IPs filled in automatically. Then click "Activate HA".

After the configuration completes, the High Availability page shows the device status:

Primary Device
Current Device Mode: Active    Peer: Syncing

Secondary Device
Current Device Mode: Standby    Peer: Active

If you now try to work on the Secondary Device, you are logged out and a Server busy screen appears; after logging back in a little later, the following message is shown:

This device is part of a high availability (HA) pair and is currently in standby state. With few exceptions, you cannot edit the configuration for this device.
To make any changes, please log into the active unit. Learn More

5. Viewing HA status

FDM

Devices > Device Management

FTD CLI

show high-availability config

show failover state

# Primary unit

show running-config failover
failover
failover lan unit primary
failover lan interface failover-link GigabitEthernet0/6
failover replication http
failover link stateful-failover-link GigabitEthernet0/7
failover interface ip failover-link 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip stateful-failover-link 192.168.11.1 255.255.255.0 standby 192.168.11.2

# Secondary unit

show running-config failover
failover
failover lan unit secondary
failover lan interface failover-link GigabitEthernet0/6
failover replication http
failover link stateful-failover-link GigabitEthernet0/7
failover interface ip failover-link 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip stateful-failover-link 192.168.11.1 255.255.255.0 standby 192.168.11.2
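Apart from the unit role, the two outputs above must match line for line, so a quick consistency check is useful before trusting the pair. The following script is an added example, not part of the original post and not a Cisco tool; it parses the captured `show running-config failover` text of both peers (the sample text is constructed from the outputs above) and flags role, interface, stateful-link and addressing mismatches.

```python
import ipaddress

# Constructed sample: the two `show running-config failover` outputs shown above
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface failover-link GigabitEthernet0/6
failover replication http
failover link stateful-failover-link GigabitEthernet0/7
failover interface ip failover-link 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip stateful-failover-link 192.168.11.1 255.255.255.0 standby 192.168.11.2
"""
SECONDARY_CFG = PRIMARY_CFG.replace("lan unit primary", "lan unit secondary")


def parse_failover(text):
    """Extract unit role, link interfaces and failover IPs from the config text."""
    cfg = {"unit": None, "lan_if": None, "state_if": None, "ips": {}}
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["failover", "lan", "unit"]:
            cfg["unit"] = parts[3]
        elif parts[:3] == ["failover", "lan", "interface"]:
            cfg["lan_if"] = (parts[3], parts[4])  # (logical name, physical interface)
        elif parts[:2] == ["failover", "link"]:
            cfg["state_if"] = (parts[2], parts[3])
        elif parts[:3] == ["failover", "interface", "ip"]:
            # failover interface ip <name> <active ip> <mask> standby <standby ip>
            cfg["ips"][parts[3]] = (parts[4], parts[5], parts[7])
    return cfg


def check_pair(primary_text, secondary_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse_failover(primary_text), parse_failover(secondary_text)
    problems = []
    if (a["unit"], b["unit"]) != ("primary", "secondary"):
        problems.append("roles must be exactly one primary and one secondary")
    if a["lan_if"] != b["lan_if"]:
        problems.append("failover link interface differs between peers")
    if a["state_if"] != b["state_if"]:
        problems.append("stateful failover link differs between peers")
    if a["state_if"] is None:
        problems.append("no stateful failover link: connection state is not replicated")
    if a["ips"] != b["ips"]:
        problems.append("failover IP addressing differs between peers")
    for name, (active, mask, standby) in a["ips"].items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if active == standby or ipaddress.ip_address(standby) not in net:
            problems.append(f"{name}: active/standby IPs must be distinct and in {net}")
    return problems
```

Run `check_pair()` on the text captured from each unit; with the two outputs above it returns an empty list.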

6. Switching failover

FDM

Device > High Availability, click the gear icon on the right, then Switch Mode

FTD CLI

failover
active Make this system to be the active unit of the failover pair
exec Execute command on the designated unit
reload-standby Force standby unit to reboot
reset Force a unit or failover group to an unfailed state

Switching active and standby

failover reset
