High Availability
Location in GUI: Devices » Device Management » High Availability
Classes

devices (fmc.domains)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ha_pairs | List | [ha_pairs] | No | |

ha_pairs (fmc.domains.devices)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| primary_device | String | | Yes | |
| secondary_device | String | | Yes | |
| ha_link_logical_name | String | | Yes | |
| ha_link_interface_name | String | | Yes | |
| ha_link_primary_ip | IP | | Yes | |
| ha_link_secondary_ip | IP | | Yes | |
| ha_link_netmask | IP | | Yes | |
| state_link_use_same_as_ha | Boolean | true, false | Yes | |
| action | Choice | SWITCH | No | |
| encryption_enabled | Boolean | true, false | No | false |
| encryption_key | String | | No | |
| encryption_key_generation_scheme | Choice | AUTO, CUSTOM | No | |
| failed_interfaces_limit | Integer | min: 1, max: 211 | No | 1 |
| failed_interfaces_percent | Integer | min: 1, max: 100 | No | |
| ha_link_use_ipv6 | Boolean | true, false | No | false |
| interface_hold_time | Integer | min: 25, max: 75 | No | |
| interface_poll_time | Integer | min: 1, max: 999 | No | |
| interface_poll_time_unit | Choice | SEC, MSEC | No | |
| peer_hold_time | Integer | min: 3, max: 999 | No | |
| peer_hold_time_unit | Choice | SEC, MSEC | No | |
| peer_poll_time | Integer | min: 1, max: 999 | No | |
| peer_poll_time_unit | Choice | SEC, MSEC | No | |
| state_link_interface_name | String | | No | |
| state_link_logical_name | String | | No | |
| state_link_netmask | String | | No | |
| state_link_primary_ip | IP | | No | |
| state_link_secondary_ip | IP | | No | |
| state_link_use_ipv6 | Boolean | true, false | No | false |

Examples

Prerequisites:
Because any new configuration is made on the primary device, `deploy: true` should be present on the primary and `deploy: false` should be present on the secondary, so that Terraform manages the deployment of changes from the FMC to the firewalls. If `deploy: false` is set for all devices, changes will need to be deployed manually after they have been sent to the FMC.
Interface configuration is done on the primary device, under the interface configuration section. Please note that:
- it is mandatory to configure `monitor_interface` and `ipv4_standby_address` for the standby IP to be configured
- it is mandatory to configure both `ha_active_mac_address` and `ha_standby_mac_address` for this configuration to take effect
```yaml
fmc:
  domains:
    - name: Global
      policies:
        access_control_policies:
          - name: MyAccessPolicyName2
            default_action: BLOCK
      devices:
        devices:
          - name: MyDeviceName1
            host: 10.1.120.203
            access_control_policy: MyAccessPolicyName2
            registration_key: cisco123
            deploy: true
            licenses:
              - ESSENTIALS
              - IPS
            performance_tier: FTDv5
            vrfs:
              - name: Global
                physical_interfaces:
                  - name: "GigabitEthernet0/1"
                  - name: "GigabitEthernet0/2"
                    ipv4_static_address: 10.62.159.201
                    ipv4_static_netmask: 24
                    logical_name: INSIDE
          - name: MyDeviceName2
            host: 10.62.158.216
            registration_key: cisco123
            access_control_policy: MyAccessPolicyName2
            deploy: false
            licenses:
              - ESSENTIALS
              - IPS
            performance_tier: FTDv5
```

High Availability:
```yaml
fmc:
  domains:
    - name: Global
      devices:
        ha_pairs:
          - name: MyHAName1
            primary_device: MyDeviceName1
            secondary_device: MyDeviceName2
            ha_link_logical_name: failover
            ha_link_interface_name: GigabitEthernet0/1
            ha_link_primary_ip: 10.10.4.1
            ha_link_secondary_ip: 10.10.4.2
            ha_link_netmask: 255.255.255.248
            state_link_use_same_as_ha: true

        # Merge High Availability interface configuration with regular interface configuration
        devices:
          - name: MyDeviceName1
            vrfs:
              - name: Global
                physical_interfaces:
                  - name: "GigabitEthernet0/2"
                    ipv4_standby_address: 10.62.159.202
                    monitor_interface: true
                    ha_active_mac_address: c460.15e4.0edd
                    ha_standby_mac_address: c460.15e4.0ed0
```
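
A pre-apply check for the prerequisites and the `ha_pairs` constraints listed above, as an added example that is not part of the original page or of the project's tooling. The names `check_ha` and `SAMPLE` are hypothetical, and the check assumes the YAML files have already been merged and parsed into one dict.

```python
MANDATORY = ["name", "primary_device", "secondary_device", "ha_link_logical_name",
             "ha_link_interface_name", "ha_link_primary_ip", "ha_link_secondary_ip",
             "ha_link_netmask", "state_link_use_same_as_ha"]
RANGES = {"failed_interfaces_limit": (1, 211), "failed_interfaces_percent": (1, 100),
          "interface_hold_time": (25, 75), "interface_poll_time": (1, 999),
          "peer_hold_time": (3, 999), "peer_poll_time": (1, 999)}

def check_ha(model):
    """Return findings for an already-merged data model passed as a dict."""
    out = []
    for domain in model["fmc"]["domains"]:
        section = domain.get("devices", {})
        devices = {d["name"]: d for d in section.get("devices", [])}
        for pair in section.get("ha_pairs", []):
            tag = pair.get("name", "<unnamed>")
            out += [f"{tag}: missing {k}" for k in MANDATORY if k not in pair]
            for key, (lo, hi) in RANGES.items():
                if key in pair and not lo <= pair[key] <= hi:
                    out.append(f"{tag}: {key} outside {lo}..{hi}")
            # Prerequisite: deploy: true on the primary, deploy: false on the secondary.
            for role, want in (("primary_device", True), ("secondary_device", False)):
                dev = devices.get(pair.get(role))
                if dev is not None and dev.get("deploy") is not want:
                    out.append(f"{tag}: {role} needs deploy: {str(want).lower()}")
        for dev in devices.values():
            for vrf in dev.get("vrfs", []):
                for intf in vrf.get("physical_interfaces", []):
                    where = f"{dev['name']} {intf['name']}"
                    if "ipv4_standby_address" in intf and not intf.get("monitor_interface"):
                        out.append(f"{where}: standby IP without monitor_interface")
                    if ("ha_active_mac_address" in intf) != ("ha_standby_mac_address" in intf):
                        out.append(f"{where}: only one HA MAC address set")
    return out

# Constructed sample with three deliberate mistakes: peer_hold_time, deploy, one MAC only.
SAMPLE = {"fmc": {"domains": [{"name": "Global", "devices": {
    "ha_pairs": [{"name": "MyHAName1", "primary_device": "MyDeviceName1",
                  "secondary_device": "MyDeviceName2", "ha_link_logical_name": "failover",
                  "ha_link_interface_name": "GigabitEthernet0/1",
                  "ha_link_primary_ip": "10.10.4.1", "ha_link_secondary_ip": "10.10.4.2",
                  "ha_link_netmask": "255.255.255.248",
                  "state_link_use_same_as_ha": True, "peer_hold_time": 2}],
    "devices": [
        {"name": "MyDeviceName1", "deploy": True, "vrfs": [{"name": "Global",
            "physical_interfaces": [{"name": "GigabitEthernet0/2",
                "ipv4_standby_address": "10.62.159.202", "monitor_interface": True,
                "ha_active_mac_address": "c460.15e4.0edd"}]}]},
        {"name": "MyDeviceName2", "deploy": True}]}}]}}
if __name__ == "__main__":
    print("\n".join(check_ha(SAMPLE)))
```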