High Availability (HA) ensures uninterrupted security operations by pairing two Secure Firewall appliances into an active/standby cluster. This post walks through the configuration process in Cisco Secure Firewall Management Center (FMC), providing a reliable method to maintain seamless traffic inspection and failover capabilities.

Step 1: Add Devices to FMC

Before forming the HA pair, add both devices individually to the FMC:

  • Navigate to Devices > Device Management.
  • Click Add > Device and register each firewall independently.
  • Once both devices are added, return to Device Management and select Add > High Availability.

Step 2: Define the HA Pair

  • Provide a name for the HA pair.
  • Select the Primary Device for the HA pair from the dropdown.
  • Select the Secondary Peer from the dropdown.
  • Click Continue.

Step 3: Configure HA and Stateful Links

You will be prompted to configure two essential links:

  • High Availability Link: Used for synchronization and health monitoring.
  • State Link: Used to sync application content, such as connection states and inspected flows.

Specify the following for both links:

  • Interface – Physical interface(s) for the High Availability and State links. You can use the same interface for both links or a separate interface for each.
  • Logical name – This becomes the nameif of the interface.
  • IP addressing – The IP addresses of the High Availability and State links on both the primary and the secondary device.
  • Subnet mask – Subnet mask of the link IP addresses.
  • Enable IPsec encryption – Optional. Encrypts the failover messages exchanged between the two devices.
  • Click Add to establish the HA pair.

Step 4: Monitor HA Status

Once configured, the devices begin forming the HA pair. The HA status becomes visible in Device Management, showing one device as Active and the other as Standby.

Step 5: Configure Monitored Interfaces and Standby IPs

After deployment:

  • Edit the HA pair.
  • Navigate to the High Availability tab.
  • You’ll see a summary of HA links and monitored interfaces.
  • Click the pencil icon next to an interface to define:
    • Standby IPv4 address
    • Active/Standby IPv6 addresses (optional)

This ensures failover continuity for each monitored interface.

Step 6: Set Failover Criteria

Scroll to the Failover Trigger Criteria section to define:

  • Failure limit (e.g., failover if 1 or more interfaces go down)
  • Polling timers (Peer Poll Time, Hold Time, Interface Hold Time)

You can also configure MAC address tracking if needed.
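Before clicking Add in Step 3, or deploying the standby addresses and failover criteria from Steps 5 and 6, it helps to sanity-check the values offline. The script below is an added example written for this post, not Cisco or FMC code: it models the link, interface and trigger settings from those steps as plain Python objects and checks that the primary and secondary link IPs share a subnet, that every monitored interface has a standby IP (the rule restated under Summary), that the hold time comfortably exceeds the peer poll time, and whether a given set of failed interfaces reaches the failure limit. The field names, the sample addresses, the 3x hold/poll ratio and the separate-subnet rule for links on separate interfaces are assumptions of this example, not FMC behaviour it verifies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class FailoverLink:           # one HA or State link as entered in Step 3 (hypothetical fields)
    logical_name: str         # becomes the nameif of the interface
    interface: str
    primary_ip: str
    secondary_ip: str
    subnet_mask: str

@dataclass
class DataInterface:          # one data interface from Step 5 (hypothetical fields)
    name: str
    active_ip: str
    standby_ip: Optional[str]  # None until a standby IP has been defined
    subnet_mask: str
    monitored: bool = False

@dataclass
class FailoverCriteria:       # Step 6 values; defaults are placeholders, not FMC defaults
    failure_limit: int = 1    # failover once this many monitored interfaces are down
    peer_poll_time_s: float = 1.0
    hold_time_s: float = 15.0

def check_link(link: FailoverLink) -> List[str]:
    """Return problems with one link's addressing (empty list means OK)."""
    try:
        net = ipaddress.ip_network(f"{link.primary_ip}/{link.subnet_mask}", strict=False)
        primary = ipaddress.ip_address(link.primary_ip)
        secondary = ipaddress.ip_address(link.secondary_ip)
    except ValueError as exc:
        return [f"{link.logical_name}: invalid address or mask ({exc})"]
    problems: List[str] = []
    if primary == secondary:
        problems.append(f"{link.logical_name}: primary and secondary IPs are identical")
    if secondary not in net:
        problems.append(f"{link.logical_name}: secondary IP {secondary} is outside {net}")
    for role, addr in (("primary", primary), ("secondary", secondary)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{link.logical_name}: {role} IP {addr} is a network/broadcast address")
    return problems

def check_separate_links(ha: FailoverLink, state: FailoverLink) -> List[str]:
    """Assumption of this checker: links on different interfaces must use different subnets."""
    if ha.interface == state.interface:
        return []  # a shared interface carries both links with one set of addresses
    ha_net = ipaddress.ip_network(f"{ha.primary_ip}/{ha.subnet_mask}", strict=False)
    st_net = ipaddress.ip_network(f"{state.primary_ip}/{state.subnet_mask}", strict=False)
    return [f"HA link {ha_net} overlaps State link {st_net}"] if ha_net.overlaps(st_net) else []

def check_monitoring(interfaces: List[DataInterface]) -> List[str]:
    """Summary rule: only interfaces with both an active and a standby IP can be monitored."""
    problems: List[str] = []
    for iface in interfaces:
        if iface.monitored and not iface.standby_ip:
            problems.append(f"{iface.name}: monitored but has no standby IP defined")
        elif iface.standby_ip:
            net = ipaddress.ip_network(f"{iface.active_ip}/{iface.subnet_mask}", strict=False)
            if ipaddress.ip_address(iface.standby_ip) not in net:
                problems.append(f"{iface.name}: standby IP {iface.standby_ip} is outside {net}")
    return problems

def check_timers(c: FailoverCriteria) -> List[str]:
    """Hold time must exceed the poll interval; the 3x minimum is an assumption of this checker."""
    if c.hold_time_s < 3 * c.peer_poll_time_s:
        return [f"hold time {c.hold_time_s}s is under 3 x peer poll time {c.peer_poll_time_s}s"]
    return []

def should_failover(c: FailoverCriteria, interfaces: List[DataInterface], down: Set[str]) -> bool:
    """True when the number of failed *monitored* interfaces reaches the failure limit."""
    failed = [i.name for i in interfaces if i.monitored and i.name in down]
    return len(failed) >= c.failure_limit

# Constructed sample: a /30 per link, plus a dmz interface marked monitored by mistake.
HA_LINK = FailoverLink("failover-link", "Ethernet1/7", "10.255.0.1", "10.255.0.2", "255.255.255.252")
STATE_LINK = FailoverLink("state-link", "Ethernet1/8", "10.255.0.5", "10.255.0.6", "255.255.255.252")
INTERFACES = [
    DataInterface("outside", "192.0.2.10", "192.0.2.11", "255.255.255.0", monitored=True),
    DataInterface("inside", "10.10.10.1", "10.10.10.2", "255.255.255.0", monitored=True),
    DataInterface("dmz", "10.20.20.1", None, "255.255.255.0", monitored=True),
]
CRITERIA = FailoverCriteria(failure_limit=1, peer_poll_time_s=1.0, hold_time_s=15.0)

def run_checks() -> List[str]:
    """Collect every problem found in the sample configuration."""
    return (check_link(HA_LINK) + check_link(STATE_LINK)
            + check_separate_links(HA_LINK, STATE_LINK)
            + check_monitoring(INTERFACES) + check_timers(CRITERIA))

if __name__ == "__main__":
    for problem in run_checks() or ["no problems found"]:
        print(problem)
    print("failover if 'inside' goes down:", should_failover(CRITERIA, INTERFACES, {"inside"}))
```

Run as-is, the sample reports only the dmz interface, which is marked monitored but has no standby IP yet, and confirms that losing the single monitored "inside" interface meets a failure limit of 1. Replace the constructed values with the addresses you intend to type into the FMC forms to check them before deployment.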

Step 7: Verify in the Summary Tab

The Summary tab provides an overview of the HA status, including:

  • Active/Standby roles
  • Licensing
  • Feature support (Malware, URL Filtering, Threat, etc.)

Summary

  • Ensure both devices run the same software version and have matching licenses.
  • All configuration changes must be made on the Primary device in an HA pair.
  • Only interfaces with both active and standby IPs can be monitored for failover.

By following these steps, your Cisco Secure Firewall deployment will be resilient against failure, delivering continuous security enforcement without manual intervention.