Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.

Published byPosy Sparks Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management."— Presentation transcript:

1 © 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management

2 © 2006 Cisco Systems, Inc. All rights reserved. Lesson 8.2 Configure PIX Security Appliance Failover Module 8 – PIX Security Appliance Contexts, Failover, and Management

3 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-3 Understanding Failover

4 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-4  Hardware failover –Connections are dropped. –Client applications must reconnect. –Provides hardware redundancy. –Provided by serial or LAN-based failover link.  Stateful failover –TCP connections remain active. –No client applications need to reconnect. –Provides redundancy and stateful connection. –Provided by stateful link. Internet Hardware and Stateful Failover

5 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-5 Hardware failover protects the network should the primary go offline.  Active/Standby: Only one unit can be actively processing traffic while the other is a hot standby Secondary: Standby Primary: Failed Secondary: Active Failover: Active/Standby Primary: Active Failover: Active/Standby Internet Hardware Failover: Active/Standby

6 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-6 Hardware failover protects the network should the primary go offline.  Active/Active: Both units can process traffic and serve as backup units. Secondary: Primary: Contexts Active/StandbyStandby/Active Primary: Failed/StandbyActive/Active Secondary: Internet Hardware Failover: Active/Active 12121212

7 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-7 The primary and secondary security appliances must be identical in the following requirements:  Same model number and hardware configurations  Same software versions* (prior to version 7.0)  Same operating mode  Same features (DES or 3DES)  Same amount of Flash memory and RAM  Proper licensing* Secondary: Active Failover: Active/Standby Primary: Standby Internet Primary : Failed/Standby Secondary: Active/Active Contexts Internet Failover Requirements 1212

8 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-8 Failover Interface Test  Link up/down test: Testing the network interface card itself  Network activity test: Testing received network activity  ARP test: Reading the security appliance ARP cache for the 10 most recently acquired entries  Broadcast ping test: Sending out a broadcast ping request

9 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-9 Types of Failover Links LAN-Based Stateful PIX Security Appliance Secondary Security Appliance Primary Security Appliance 192.168.0.0 /24.1e0 10.0.0.0 /24 e1.11 Cable-Based (PIX Security Appliance only) LAN-Based e2 e3 Stateful Link Internet Cable-Based

10 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-10 Serial Cable-Based Failover Configuration

11 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-11 10.0.1.1 Serial Cable: Active/Standby Failover 192.168.1.2 Primary: Active Security Appliance Primary: Failed Security Appliance 10.0.1.7192.168.1.7 192.168.1.210.0.1.1 10.0.1.7 192.168.1.7 Secondary: Active Security Appliance Secondary: Standby Security Appliance Failover Serial Cable Serial Cable Internet

12 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-12 Overview of Configuring Failover with a Failover Serial Cable Complete the following tasks to configure failover with a failover serial cable:  Attach the security appliance network interface cables.  Connect the failover cable between the primary and secondary firewalls.  Configure the primary firewall for failover and save the configuration to flash memory.  Power on the secondary firewall.

13 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-13 show failover Command: Secondary Security Appliance Not Connected fw1# show failover Failover On Failover unit Primary Failover LAN Interface: N/A - Serial-based failover enabled Unit Poll frequency 500 milliseconds, holdtime 6 seconds Interface Poll frequency 600 milliseconds, holdtime 15 seconds Interface Policy 1 Monitored Interfaces 2 of 250 maximum Version: Ours 7.2(1), Mate Unknown Last Failover at: 13:21:38 UTC Dec 10 2006 This host: Primary - Active Active time: 200 (sec) Interface outside (192.168.1.2): Normal (Waiting) Interface inside (10.0.1.1): Normal (Waiting) Other host: Secondary – Not detected Active time: 0 (sec) Interface outside (192.168.1.7): Unknown (Waiting) Interface inside (10.0.1.7): Unknown (Waiting) Stateful Failover Logical Update Statistics Link : Unconfigured

14 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-14 Configuration Replication Configuration replication occurs:  When the standby firewall completes its initial bootup  As commands are entered on the active firewall  By entering the write standby command Primary Security Appliance Secondary Security Appliance Internet Replication

15 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-15 show failover Command Detected an active mate Beginning configuration replication to mate. End configuration replication to mate. fw1# show failover Failover On Failover unit Primary Failover LAN Interface: N/A - Serial-based failover enabled Unit Poll frequency 500 milliseconds, holdtime 6 seconds Interface Poll frequency 600 milliseconds, holdtime 15 seconds Interface Policy 1 Monitored Interfaces 3 of 250 maximum Version: Ours 7.2(1), Mate 7.2(1) Last Failover at: 13:21:38 UTC Dec 10 2006 This host: Primary - Active Active time: 320 (sec) Interface outside (192.168.1.2): Normal Interface inside (10.0.1.1): Normal Other host: Secondary – Standby Ready Active time: 0 (sec) Interface outside (192.168.1.7): Normal Interface inside (10.0.1.7): Normal Stateful Failover Logical Update Statistics Link : Unconfigured

16 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-16 Force Control Back fw2(config)# failover active  Forces control of the connection back to the unit you are accessing failover active firewall(config)# Primary: Standby Active fw1 Secondary: Active Standby fw2 192.168.1.010.0.1.0 Internet

17 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-17 Active/Standby LAN-Based Failover Configuration

18 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-18 LAN-Based Failover Overview LAN-based failover:  Provides long-distance failover functionality  Uses an Ethernet cable rather than the serial failover cable  Requires a dedicated LAN interface, but the same interface can be used for stateful failover  Enables you to use a dedicated switch, hub, or VLAN, or a crossover cable to connect the two security appliances  Uses message encryption and authentication to secure failover transmissions

19 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-19 LAN-Based Failover Configuration Overview Complete the following tasks to configure LAN-based failover: 1.Install a LAN-based failover connection between primary and secondary security appliances. 2.Configure the primary security appliance. 3.Configure the primary security appliance for stateful failover. 4.Save the primary security appliance configuration to flash memory. 5.Power on the secondary security appliance. 6.Configure the secondary security appliance with the minimum failover LAN command set. 7.Save the secondary security appliance configuration to flash memory. 8.Connect the secondary unit LAN failover interface to the network. 9.Reboot the secondary security appliance.

20 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-20 Cabling LAN Failover Primary Security Appliance g0/0 Secondary Security Appliance 192.168.1.010.0.1.0 g0/1 g0/0 g0/1 g0/2 LAN Failover Internet

21 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-21 asa1(config)# interface GigabitEthernet0/2 asa1(config-if)# no shut asa1(config)# failover lan interface LANFAIL GigabitEthernet0/2 asa1(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7 asa1(config)# failover lan unit primary asa1(config)# failover key 1234567 asa1(config)# failover Secondary Security Appliance Primary Security Appliance asa1.7 192.168.1.0 10.0.1.0.1.2.7 172.17.1.0.1.7 asa2 Internet Configuring LAN Failover: Primary

22 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-22 failover link if_name [phy_if] ciscoasa(config)# asa1(config)# failover link LANFAIL  Specifies the name of the dedicated interface used for stateful failover Primary Security Appliance asa1.2 asa2 Secondary Security Appliance 192.168.1.0 10.0.1.0.1.2 Stateful failover g0/2 Internet Stateful Failover

23 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-23 asa2(config)# interface GigabitEthernet0/2 asa2(config-if)# no shut asa2(config)# failover lan interface LANFAIL GigabitEthernet0/2 asa2(config)# failover interface ip LANFAIL 172.17.1.1 255.255.255.0 standby 172.17.1.7 asa2(config)# failover lan unit secondary asa2(config)# failover key 1234567 asa2(config)# failover Primary asa1.2 Secondary asa2 192.168.1.0 10.0.1.0.1.2 172.17.1.0.1.7 Internet Configuring LAN Failover: Secondary

24 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-24 Primary Security Appliance asa1 Secondary Security Appliance asa2 Internet Beginning configuration replication sending to mate. End configuration replication to mate. Replication to Secondary

25 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-25 show failover Command with LAN-Based Failover asa2(config)# show failover Failover On Failover unit Secondary Failover LAN Interface: LANFAIL GigabitEthernet0/2 (up) Unit Poll frequency 500 milliseconds, holdtime 6 seconds Interface Poll frequency 600 milliseconds, holdtime 15 seconds Interface Policy 1 Monitored Interfaces 3 of 250 maximum Version: Ours 7.2(1), Mate 7.2(1) Last Failover at: 18:03:38 UTC Dec 12 2006 This host: Secondary – Standby Ready Active time: 0 (sec) slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys) Interface outside (192.168.1.7): Normal (Waiting) Interface inside (10.0.1.7): Normal (Waiting) slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)IPS, 5.0(2)S152.0 Up Other host: Primary – Active Active time: 3795 (sec) slot 0: ASA5520 hw/sw rev (1.0/7.2(1)) status (Up Sys) Interface outside (192.168.1.2): Normal (Waiting) Interface inside (10.0.1.1): Normal (Waiting) slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)IPS, 5.0(2)S152.0 Up...

26 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-26 failover mac address mif_name act_mac stn_mac ciscoasa(config)# asa1(config)# failover mac address GigabitEthernet0/0 00a0.c989.e481 00a0.c969.c7f1 asa1(config)# failover mac address GigabitEthernet0/1 00a0.c976.cde5 00a0.c922.9176  Enables you to configure a virtual MAC address for a security appliance failover pair Primary Security Appliance asa1.2 192.168.1.0 10.0.1.0.1.2 Inside MAC address Act - 00a0.c976.cde5 Stby - 00a0.c922.9176 Outside MAC address Act - 00a0.c989.e481 Stby - 00a0.c969.c7f1 Internet failover mac address Command

27 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-27 Active/Active Failover Configuration

28 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-28 Active/Active Failover Active/active failover requires the use of contexts. For example, you could have two security appliances with two contexts each.  CTX1  CTX2 In normal conditions, each appliance has one active and one standby context.  The active context processes traffic.  The standby context is located in the peer security appliance. CTX1- Active CTX2- Standby CTX1- Standby CTX2- Active g0/0g0/3 g0/1 m0/0 g0/2 g0/0g0/3 g0/1 m0/0 g0/2 Traffic Unit B Active/Standby Unit A Active/Standby Internet 1212

29 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-29 Under failed conditions, Unit A determines that the outside interface on CTX1 has failed.  CTX1 is placed in a failed state.  Unit A has one failed and one standby context. CTX1 on Unit B becomes active.  Unit B has two active contexts.  Both active contexts pass traffic. Failover can be context-based or unit-based. Active/Active Failover (Cont.) Unit B: Active/Active CTX2- Standby CTX2- Active Traffic Unit B Active/Active Unit A Failed/Standby CTX1- Failed g0/0 g0/3 g0/1 m0/0 g0/2 g0/0g0/3 g0/1 m0/0 g0/2 CTX1- Active Internet 1212

30 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-30 Summary

31 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-31 Summary  In order for failover to work, a pair of security appliances must be identical in several respects, including platform type and model, number and types of interfaces, amount of flash memory, and amount of RAM.  When failover occurs, the security appliance unit type (primary or secondary) does not change; however, the role (active or standby) of the unit does change. In multiple context mode, the role of the context changes.  With stateful failover, connection status is tracked and relayed between security appliances; therefore, connections remain active.  With active/standby failover, only one security appliance actively processes user traffic while the other unit acts as a hot standby and is prepared to take over if the active unit fails.

32 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-32 Summary (Cont.)  With active/active failover, both units can actively process firewall traffic while serving as a back up for their peer unit.  Active/active failover is only available to security appliances in multiple context mode.  The configuration of the primary security appliance is replicated to the secondary security appliance during configuration replication.  Commands entered within a security context are replicated from the unit on which the security context appears in the active state to the peer unit.

33 © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-33

Download ppt "© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management."

Similar presentations

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.
LAN Segmentation Virtual LAN (VLAN).

LAN Segmentation Virtual LAN (VLAN).
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.1 Module 6 Switch Configuration.

1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.1 Module 6 Switch Configuration.
Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.

Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 Troubleshooting Working at a Small-to-Medium Business or ISP – Chapter 9.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 Troubleshooting Working at a Small-to-Medium Business or ISP – Chapter 9.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—6-1 Implementing Layer 3 High Availability Configuring Layer 3 Redundancy with HSRP.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—6-1 Implementing Layer 3 High Availability Configuring Layer 3 Redundancy with HSRP.
Understanding Layer 3 Redundancy. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Upon completing this lesson, you will be able.

Understanding Layer 3 Redundancy. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Upon completing this lesson, you will be able.
SIS - Security Lab Introductory Session University of Pittsburgh 2006.

SIS - Security Lab Introductory Session University of Pittsburgh 2006.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L6 1 Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L6 1 Implementing Secure Converged Wide Area Networks (ISCW)
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0—5-1 111 © 2003, Cisco Systems, Inc. All rights reserved.

© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0— © 2003, Cisco Systems, Inc. All rights reserved.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—2-1 Module Summary  Ethernet cables and segments can span only a limited physical distance,

© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—2-1 Module Summary  Ethernet cables and segments can span only a limited physical distance,
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
CCENT Review. Put the following descriptions in order from Layer 7 to Layer 1 and give the name of each layer.

CCENT Review. Put the following descriptions in order from Layer 7 to Layer 1 and give the name of each layer.
ASA 5500 series adaptive security appliances Has replaced Cisco’s PIX firewalls since 2008 Security services Source:

ASA 5500 series adaptive security appliances Has replaced Cisco’s PIX firewalls since 2008 Security services Source:
Connecting LANs, Backbone Networks, and Virtual LANs

Connecting LANs, Backbone Networks, and Virtual LANs
1 Chapter Overview Creating Sites and Subnets Configuring Intersite Replication Troubleshooting Active Directory Replication.

1 Chapter Overview Creating Sites and Subnets Configuring Intersite Replication Troubleshooting Active Directory Replication.
Cisco PIX 515E Firewall. Overview What a PIX Firewall can do Adaptive Security Algorithm Address Translation Cut-Through Proxy Access Control Network.

Cisco PIX 515E Firewall. Overview What a PIX Firewall can do Adaptive Security Algorithm Address Translation Cut-Through Proxy Access Control Network.
Networking Features Upon completion of this module, you should be able to: Discuss and configure VNX networking features This module continues the discussion.

Networking Features Upon completion of this module, you should be able to: Discuss and configure VNX networking features This module continues the discussion.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.
Implementing VPN Solutions Laurel Boyer, CCIE 4918 Presented, June 2003.

Implementing VPN Solutions Laurel Boyer, CCIE 4918 Presented, June 2003.

Similar presentations

Ads by Google