Details
Enables failover between the security appliance and another security appliance in order to achieve high availability
Rationale:
Enabling failover helps to meet the availability requirement of the security CIA (Confidentiality – Integrity – Availability) triad, ensuring a physical and logical redundancy of firewalls in order to avoid service disruption should the security appliance or its component fails. It requires to identical systems in hardware and software version connected through a failover and a state links.
Solution
Follow the steps below to enable active/standby failover. The commands are run in the system execution space
Step 1: For each appliance, identify the failover link physical interface Step 2: For each appliance, identify the state link physical interface Step 3: Run the following on the Active device to set it as primary node hostname(config)#failover lan unit primary Step 4: Run the following on the Standby device to set it as secondary node hostname(config)#failover lan unit secondary Step 5: Run the following on both security appliances hostname(config)#failover lan interface Default Value: Disabled by default The following resource is also helpful. This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Cisco.
hostname(config)#failover interface ip
hostname(config-if)#no shutdown
hostname(config)#failover link
hostname(config)#failover interface ip
hostname(config-if)#no shutdown
hostname(config)#failover
hostname(config)#write memorySupportive Information
References
Source