Cisco FTD HA Cluster
Cisco Firepower Threat Defense (FTD) failover cluster, configured in Firepower Management Center (FMC), is a setup where multiple FTD devices are grouped to provide high availability and redundancy. In this configuration, one device acts as the primary, actively handling traffic, while the other(s) serve as standby units, ready to take over in case of a failure. This setup ensures continuous network security operations without interruptions, enhancing reliability and performance.
Active-Standby
Here on FMC we have registered two FTD firewalls running in standalone mode
To create an HA cluster, select Add » High Availability, then select the peers
Then configure the HA and state links; in this case we use the same link for both
And that’s pretty much it: the HA cluster is now up and configured
The Primary node now actively synchronizes its configuration to the Secondary node, which is in standby mode; below, FTD2 has the same interface configuration as FTD1
Failing Over
To test the failover, let’s simulate a network failure by disconnecting the Primary’s uplink and downlink interfaces
A health warning pops up informing us that there is an interface failure on the Primary node and that the Secondary has taken the Active role
It shows that FTD2 is now active and FTD1 is in the failed state
We can also go to the CLI and run “show failover status” to see the cluster status
Looking at the traffic logs, we can see the traffic is now handled by FTD2
And there’s no significant impact felt on the client side when the cluster is failing over
On System » Monitoring, we can see the details of the health issue currently affecting the cluster
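The health warning and the CLI check above are the two signals a defender would want to watch automatically, since a unit silently sitting in the Failed state leaves the cluster with no redundancy. The following helper is an added example, not code from this post, from Cisco or from FMC: it parses the failover status output of the FTD CLI, reports which unit holds the Active role, lists Failed units and degraded monitored interfaces, and flags when the Active role moved between two snapshots (the failover itself, and the switch back described later). The two sample outputs are constructed to approximate the real command’s layout; field wording and indentation can differ between releases, so the regexes are assumptions to check against your own output.

```python
"""Parse FTD/ASA failover status output and flag failover events.

Hypothetical monitoring helper (not Cisco code). The sample outputs below are
constructed to approximate the real CLI layout; adjust the regexes if your
release prints the host or interface lines differently.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches e.g. "        This host: Primary - Active"
#               "        Other host: Secondary - Standby Ready"
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
# Matches e.g. "          Interface outside (192.0.2.1): Normal (Monitored)"
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s+(.+?)\s+\(([^)]*)\)\s*$")

# Constructed sample: healthy cluster, Primary active (assumed layout).
HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover-link GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Monitored Interfaces 2 of 1292 maximum
        This host: Primary - Active
                Active time: 86400 (sec)
                  Interface outside (192.0.2.1): Normal (Monitored)
                  Interface inside (198.51.100.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (192.0.2.2): Normal (Monitored)
                  Interface inside (198.51.100.2): Normal (Monitored)
"""

# Constructed sample: Primary lost both links, Secondary took over (assumed layout).
AFTER_FAILURE = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover-link GigabitEthernet0/3 (up)
Monitored Interfaces 2 of 1292 maximum
        This host: Primary - Failed
                Active time: 86400 (sec)
                  Interface outside (192.0.2.1): Failed (Monitored)
                  Interface inside (198.51.100.1): Failed (Monitored)
        Other host: Secondary - Active
                Active time: 120 (sec)
                  Interface outside (192.0.2.2): Normal (Monitored)
                  Interface inside (198.51.100.2): Normal (Monitored)
"""


@dataclass
class Unit:
    role: str                 # "Primary" or "Secondary"
    state: str                # "Active", "Standby Ready", "Failed", ...
    is_this_host: bool        # True for the unit whose CLI produced the output
    interfaces: Dict[str, str] = field(default_factory=dict)  # name -> state


def parse_show_failover(text: str) -> List[Unit]:
    """Return one Unit per 'This host' / 'Other host' block, with its interfaces."""
    units: List[Unit] = []
    current: Optional[Unit] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Unit(role=m.group(2), state=m.group(3), is_this_host=(m.group(1) == "This"))
            units.append(current)
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current.interfaces[m.group(1)] = m.group(3)  # state word(s), e.g. "Normal", "No Link"
    return units


def active_unit(units: List[Unit]) -> Optional[str]:
    """Role of the unit currently holding the Active state, or None."""
    for u in units:
        if u.state == "Active":
            return u.role
    return None


def failed_units(units: List[Unit]) -> List[str]:
    return [u.role for u in units if u.state == "Failed"]


def degraded_interfaces(units: List[Unit]) -> List[Tuple[str, str, str]]:
    """(role, interface, state) for every parsed interface that is not Normal."""
    return [(u.role, name, st) for u in units for name, st in u.interfaces.items() if st != "Normal"]


def failover_occurred(before: List[Unit], after: List[Unit]) -> bool:
    """True when the Active role sits on a different unit in the two snapshots."""
    return active_unit(before) != active_unit(after)


if __name__ == "__main__":
    before, after = parse_show_failover(HEALTHY), parse_show_failover(AFTER_FAILURE)
    print("active before:", active_unit(before), "| active after:", active_unit(after))
    print("failed units:", failed_units(after))
    print("degraded interfaces:", degraded_interfaces(after))
    print("failover occurred:", failover_occurred(before, after))
```

Run the command periodically (or on the FMC health alert), keep the previous snapshot, and raise an alert whenever failover_occurred is true or failed_units is non-empty; a cluster running on one unit for hours is the condition worth paging on.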
Switching Back
Now if we restore network connectivity on FTD1, its state changes from Failed to Standby
To force FTD1 to take the active role, run the command “failover active”
And now the active role has been given back to FTD1