High Availability

Location in GUI: Devices » Device Management » High Availability

Diagram

Classes

devices (fmc.domains)

Name	Type	Constraint	Mandatory	Default Value
ha_pairs	List	`[ha_pairs]`	No

ha_pairs (fmc.domains.devices)

Name	Type	Constraint	Mandatory	Default Value
name	String		Yes
primary_device	String		Yes
secondary_device	String		Yes
ha_link_logical_name	String		Yes
ha_link_interface_name	String		Yes
ha_link_primary_ip	IP		Yes
ha_link_secondary_ip	IP		Yes
ha_link_netmask	IP		Yes
state_link_use_same_as_ha	Boolean	`true`, `false`	Yes
action	Choice	`SWITCH`	No
encryption_enabled	Boolean	`true`, `false`	No	`false`
encryption_key	String		No
encryption_key_generation_scheme	Choice	`AUTO`, `CUSTOM`	No
failed_interfaces_limit	Integer	min: `1`, max: `211`	No	`1`
failed_interfaces_percent	Integer	min: `1`, max: `100`	No
ha_link_use_ipv6	Boolean	`true`, `false`	No	`false`
interface_hold_time	Integer	min: `25`, max: `75`	No
interface_poll_time	Integer	min: `1`, max: `999`	No
interface_poll_time_unit	Choice	`SEC`, `MSEC`	No
peer_hold_time	Integer	min: `3`, max: `999`	No
peer_hold_time_unit	Choice	`SEC`, `MSEC`	No
peer_poll_time	Integer	min: `1`, max: `999`	No
peer_poll_time_unit	Choice	`SEC`, `MSEC`	No
state_link_interface_name	String		No
state_link_logical_name	String		No
state_link_netmask	String		No
state_link_primary_ip	IP		No
state_link_secondary_ip	IP		No
state_link_use_ipv6	Boolean	`true`, `false`	No	`false`
interfaces	List	`[interfaces]`	No

interfaces (fmc.domains.devices.ha_pairs)

Name	Type	Constraint	Mandatory
interface_logical_name	String		Yes
monitor_interface	Boolean	`true`, `false`	Yes
ipv4_standby_address	IP		No

Examples

Prerequisites:

As any new configuration will be made to the primary device, it is important to note the deploy: true value should present on the primary and deploy: false should be present on the secondary for Terraform to manage the deployment of changes from the FMC to the firewalls. If deploy: false is set for all devices, changes will need to be manually deployed after they have been sent to the FMC.

Interface configuration is performed after HA configuration, so interfaces under the vrf: key are only required on the primary. Secondary IP address information is configured via the ha_pairs: block shown below.

fmc:
  domains:
    - name: Global
      policies:
        access_control_policies:
          - name: MyAccessPolicyName2
            default_action: BLOCK
      devices:
        devices:
          - name: MyDeviceName1
            host: 10.1.120.203
            access_control_policy: MyAccessPolicyName2
            registration_key: cisco123
            deploy: true
            licenses:
            - ESSENTIALS
            - IPS
            performance_tier: FTDv5
            vrfs:
              - name: Global
                physical_interfaces:
                  - name: "GigabitEthernet0/1"
                  - name: "GigabitEthernet0/2"
                    ipv4_static_address: 10.62.159.201
                    ipv4_static_netmask: 24
                    logical_name: INSIDE
          - name: MyDeviceName2
            host: 10.62.158.216
            registration_key: cisco123
            access_control_policy: MyAccessPolicyName2
            deploy: false
            licenses:
            - ESSENTIALS
            - IPS
            performance_tier: FTDv5

High Availability:

fmc:
  domains:
    - name: Global
      devices:
        ha_pairs:
          - name: MyHAName1
            primary_device: MyDeviceName1
            secondary_device: MyDeviceName2
            ha_link_logical_name: failover
            ha_link_interface_name: GigabitEthernet0/1
            ha_link_primary_ip: 10.10.4.1
            ha_link_secondary_ip: 10.10.4.2
            ha_link_netmask: 255.255.255.248
            state_link_use_same_as_ha: true
            interfaces:
              - interface_logical_name: INSIDE
                ipv4_standby_address: 10.62.159.202
                monitor_interface: true