Details
Enables failover between the security appliance and another security appliance in order to achieve high availability
Rationale:
Enabling failover helps to meet the availability requirement of the security CIA (Confidentiality – Integrity – Availability) triad, ensuring physical and logical redundancy of firewalls in order to avoid service disruption should the security appliance or one of its components fail. It requires two systems with identical hardware and software versions, connected through a failover link and a state link.
Solution
Follow the steps below to enable active/standby failover. The commands are run in the system execution space.
* Step 1: For each appliance, identify the failover link physical interface
hostname(config)# failover lan unit primary
* Step 4: Run the following on the Standby device to set it as secondary node
hostname(config)# failover lan unit secondary
* Step 5: Run the following on both security appliances
hostname(config)# failover lan interface _
hostname(config)# failover interface ip _
hostname(config)# interface _
hostname(config-if)# no shutdown
hostname(config)# failover link _
hostname(config)# failover interface ip _
hostname(config)# interface _
hostname(config-if)# no shutdown
hostname(config)# failover
hostname(config)# write memory
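To verify that the steps above actually took effect, an audit can be run against the saved running configuration. The following script is an added example, not part of the original control text: it parses a constructed ASA running-config excerpt (the hostname, interface names and 10.255.x.x addresses are placeholders I chose) and reports whether failover is enabled, a unit role is set, and both the failover LAN link and the state link are defined with an IP pair on an interface that is not shut down.

```python
import re

# Constructed sample ASA running-config excerpt (not from the page); the
# interface names and 10.255.x.x addresses are placeholders I chose.
SAMPLE_COMPLIANT = """\
hostname ASA-PRIMARY
interface GigabitEthernet0/2
 description LAN Failover Interface
interface GigabitEthernet0/3
 description STATE Failover Interface
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link STATELINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
"""

def interface_is_up(config: str, ifname: str) -> bool:
    """True if the interface block exists and has no 'shutdown' line.
    ASA prints 'shutdown' only for disabled interfaces; enabled ones show nothing."""
    block = re.search(rf"^interface {re.escape(ifname)}[ \t]*\n((?:[ \t].*\n?)*)", config, re.M)
    return bool(block) and not re.search(r"^[ \t]+shutdown[ \t]*$", block.group(1), re.M)

def audit_failover(config: str) -> dict:
    """One boolean per requirement of this control, plus an overall 'compliant' flag."""
    r = {"failover_enabled": bool(re.search(r"^failover[ \t]*$", config, re.M))}
    role = re.search(r"^failover lan unit (primary|secondary)[ \t]*$", config, re.M)
    r["unit_role"] = role.group(1) if role else None
    lan = re.search(r"^failover lan interface (\S+) (\S+)", config, re.M)
    state = re.search(r"^failover link (\S+)(?: (\S+))?", config, re.M)
    links = {}
    if lan:
        links["lan"] = (lan.group(1), lan.group(2))
    if state:
        # 'failover link NAME' with no interface reuses the failover LAN interface
        links["state"] = (state.group(1), state.group(2) or (lan.group(2) if lan else None))
    for kind in ("lan", "state"):
        name, ifname = links.get(kind, (None, None))
        ip_re = rf"^failover interface ip {re.escape(name)} \S+ \S+ standby \S+" if name else None
        r[f"{kind}_link_defined"] = name is not None
        r[f"{kind}_link_has_ip"] = bool(ip_re) and bool(re.search(ip_re, config, re.M))
        r[f"{kind}_link_interface_up"] = bool(ifname) and interface_is_up(config, ifname)
    r["compliant"] = r["failover_enabled"] and r["unit_role"] is not None and all(
        r[k] for k in r if k.endswith(("_defined", "_has_ip", "_interface_up")))
    return r
```

Run the audit on both units; the secondary should report `unit_role == "secondary"` with the same link checks passing.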
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Cisco.