© 2003, Cisco Systems, Inc. All rights reserved. CSPFA 3.113-1 Chapter 13 Failover.

Transcript:

Chapter 13 Failover

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
– Define the primary, secondary, active, and standby PIX Firewalls.
– Describe how failover works.
– Identify the failover interface tests.
– Define failover, LAN-based failover, and stateful failover.
– Configure stateful failover.
– Configure LAN-based stateful failover.

Understanding Failover

Failover
The primary and secondary units must:
– Be the same model number.
– Have identical software versions and activation key types.
– Have the same amount of Flash memory and RAM.
(Diagram: the primary and secondary PIX Firewalls joined by the failover cable, both connected to the Internet.)

IP Addresses for Failover
(Diagram: on each /24 interface subnet (e0, e1) the primary PIX Firewall (active/standby) holds the system IP and the secondary PIX Firewall (standby/active) holds the failover IP.)
When failover occurs the units exchange roles: the new active unit assumes the system IP and MAC addresses and the new standby unit takes the failover IP addresses, so neighbouring hosts and routers keep using the same addresses.

Configuration Replication
Configuration replication occurs:
– When the standby firewall completes its initial bootup.
– As commands are entered on the active firewall.
– By entering the write standby command.
Replication is one-way, from the active unit to the standby unit, so enter configuration commands on the active unit only.

Failover and Stateful Failover
Failover:
– Connections are dropped.
– Client applications must reconnect.
– Provides redundancy.
Stateful failover:
– TCP connections remain active.
– No client applications need to reconnect.
– Provides redundancy and preserves connection state: the active unit passes its connection table to the standby unit over a dedicated stateful failover link.

Failover Interface Tests
– Link Up/Down test: tests the NIC itself.
– Network Activity test: tests received network activity.
– ARP test: reads the PIX Firewall's ARP cache for the ten most recently acquired entries.
– Broadcast Ping test: sends out a broadcast ping request.
The tests run in this order; an interface is considered operational as soon as one of them shows it receiving traffic, and is marked failed only when all four tests fail.

Serial Failover Configuration

Overview of Configuring Failover with a Failover Serial Cable
Complete the following tasks to configure failover with a failover serial cable:
1. For each interface you plan to use, attach a network cable from the primary firewall interface to its corresponding interface on the secondary firewall.
2. Connect the failover cable between the primary and secondary firewalls.
3. Configure the primary firewall for failover and save the configuration to Flash memory.
4. Power on the secondary firewall.

Step 1 – Cabling the Firewalls
For each interface you plan to use, attach a network cable from the primary firewall interface to its corresponding interface on the secondary firewall.
(Diagram: the matching interfaces e0, e1, e2 and e3 of the primary and secondary PIX Firewalls, the DMZ, the dedicated stateful failover link and the Internet.)

Step 2 – Connecting the Failover Cable
Connect the failover cable between the primary and secondary firewalls.
(Diagram: as in Step 1, with the serial failover cable added between the two PIX Firewalls alongside the stateful failover link.)

Step 3 – Configuring the Primary PIX Firewall
Complete the following steps to configure the primary firewall:
1. Assign names and security levels to each interface you plan to use.
2. Specify a speed for each interface you plan to use.
3. Assign an IP address to each interface you plan to use.
4. Set the PIX Firewall clock.
5. Set the MTU size. (Needed only if you use stateful failover.)
6. Enable failover.
7. Assign a failover IP address for each interface.
8. Specify the name of a dedicated stateful failover interface. (Needed only if you use stateful failover.)
9. Set the failover poll time.
10. Use the write memory command to save the configuration to Flash memory.

Configuring the Primary PIX Firewall (Cont.)
pixfirewall(config)# failover [active]
  Enables failover between the active and standby PIX Firewalls.
pixfirewall(config)# failover ip address if_name ip_address
  Creates an IP address for the standby PIX Firewall.
pixfirewall(config)# failover link [stateful_if_name]
  Enables stateful failover.
pixfirewall(config)# failover poll seconds
  Specifies how long failover waits between the special failover hello packets sent between the primary and secondary firewalls.
Example:
pixfirewall(config)# failover
pixfirewall(config)# failover ip address MYFAILOVER
pixfirewall(config)# failover link MYFAILOVER
pixfirewall(config)# failover poll 10

Step 4 – Powering on the Secondary Firewall
(Diagram: the primary and secondary PIX Firewalls with the failover cable, the stateful failover link, the DMZ and the Internet all connected.)

Failover Commands
pixfirewall(config)# failover replicate http
  Enables the stateful replication of HTTP sessions. HTTP sessions are not replicated by default because they are short-lived; enable this only if your applications depend on HTTP connections surviving a failover.
pixfirewall(config)# write standby
  Stores the configuration to the failover standby firewall.
pixfirewall(config)# failover reset
  Forces both firewalls back to an unfailed state.

failover mac address Command
pixfirewall(config)# failover mac address mif_name act_mac stn_mac
  Enables you to configure a virtual MAC address for a PIX Firewall failover pair. The active and standby MAC addresses then stay fixed, so the addresses seen by neighbouring hosts do not depend on which physical unit is currently active.
Example:
pixfirewall(config)# failover ip address outside
pixfirewall(config)# failover ip address inside
pixfirewall(config)# failover ip address dmz
pixfirewall(config)# failover ip address MYFAILOVER
pixfirewall(config)# failover mac address outside 00a0.c989.e481 00a0.c969.c7f1
pixfirewall(config)# failover mac address inside 00a0.c976.cde5 00a0.c
pixfirewall(config)# failover mac address dmz 00a0.c969.87c8 00a0.c918.95d8
pixfirewall(config)# failover mac address MYFAILOVER 00a0.c959.e341 00a0.c696.c7g2

show failover Command
Before failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
        This host: Primary - Active
                Active time: 360 (sec)
                Interface intf5 ( ): Shut Down
                Interface intf4 ( ): Shut Down
                Interface MYFAILOVER ( ): Normal
                Interface dmz ( ): Normal
                Interface outside ( ): Normal
                Interface inside ( ): Normal
        Other host: Secondary - Standby
                Active time: 0 (sec)
                Interface intf5 ( ): Link Down
                Interface intf4 ( ): Link Down
                Interface MYFAILOVER ( ): Normal
                Interface dmz ( ): Normal
                Interface outside ( ): Normal
                Interface inside ( ): Normal
Stateful Failover Logical Update Statistics
        Link : MYFAILOVER

After failover:
pixfirewall(config)# show failover
Failover On
Cable status: Normal
Reconnect timeout 0:00:00
Poll frequency 3 seconds
        This host: Primary - Standby (Failed)
                Active time: 0 (sec)
                Interface intf5 ( ): Shut Down
                Interface intf4 ( ): Shut Down
                Interface MYFAILOVER ( ): Normal (Waiting)
                Interface dmz ( ): Normal (Waiting)
                Interface outside ( ): Normal (Waiting)
                Interface inside ( ): Failed (Waiting)
        Other host: Secondary - Active
                Active time: 150 (sec)
                Interface intf5 ( ): Link Down
                Interface intf4 ( ): Link Down
                Interface MYFAILOVER ( ): Normal (Waiting)
                Interface dmz ( ): Normal (Waiting)
                Interface outside ( ): Normal (Waiting)
                Interface inside ( ): Normal (Waiting)
Stateful Failover Logical Update Statistics
        Link : MYFAILOVER

After failover the primary reports Standby (Failed) because its inside interface failed the interface tests, and the secondary, whose inside interface is still Normal, has become active. The unused interfaces intf4 and intf5 show Shut Down on one unit and Link Down on the other; that is not a failure and does not trigger failover.

LAN-Based Failover Configuration

LAN-Based Failover Overview
LAN-based failover:
– Provides long-distance failover functionality.
– Uses an Ethernet cable rather than the serial failover cable.
– Requires a dedicated LAN interface, but the same interface can be used for stateful failover.
– Requires a dedicated switch, hub, or VLAN.
– Uses message encryption and authentication to secure failover transmissions.

LAN-Based Failover Configuration Overview
Complete the following tasks to configure LAN-based failover:
1. Verify that any switch port that connects to a PIX Firewall interface is configured to support LAN-based failover.
2. Attach network cables except for the failover LAN interface.
3. Configure the primary PIX Firewall.
4. Save the primary firewall's configuration to Flash memory.
5. Power on the secondary firewall.
6. Configure the secondary PIX Firewall with the minimum failover LAN command set.
7. Save the secondary firewall's configuration to Flash memory.
8. Connect the LAN failover interface to the network.
9. Reload the secondary firewall.

Steps 1 and 2 – Preparing Switches and Cables
All interfaces except the LAN-based failover interface are connected.
Switch port settings: Portfast on, Trunking off, Channelling off.
(Diagram: the primary and secondary PIX Firewalls with interfaces e0 through e3, the LAN-based failover cables, the DMZ and the Internet.)

Steps 3 and 4 – Preparing the Primary PIX Firewall
pixfirewall(config)# failover lan unit primary | secondary
  Designates a PIX Firewall as the primary or secondary firewall.
pixfirewall(config)# failover lan interface if_name
  Specifies the LAN-based failover interface.
pixfirewall(config)# failover lan key key_secret
  Enables encryption and authentication of LAN-based failover messages between PIX Firewalls. Configure the same key on both units; without a matching key the units cannot authenticate each other's failover messages.
pixfirewall(config)# failover lan enable
  Enables LAN-based failover.

Steps 5, 6, and 7 – Preparing the Secondary PIX Firewall
pixfirewall(config)# nameif ethernet3 MYFAILOVER security55
pixfirewall(config)# interface ethernet3 100full
pixfirewall(config)# ip address MYFAILOVER
pixfirewall(config)# failover ip address MYFAILOVER
pixfirewall(config)# failover lan unit secondary
pixfirewall(config)# failover lan interface MYFAILOVER
pixfirewall(config)# failover lan key
pixfirewall(config)# failover lan enable
Enter only this minimum command set on the secondary unit; the rest of its configuration is replicated from the primary once the LAN failover interface is connected and the unit reloads (Steps 8 and 9).
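As an added example (not from the course or from Cisco), the following Python lint reads a primary and a secondary configuration built from the serial Step 3 command sequence and the LAN-based Steps 3 to 7 commands above, and reports the mismatches that would stop the pair from forming or leave its failover messages unprotected: unit roles, a differing LAN failover interface, differing system/failover addresses on that interface, a missing or mismatched failover lan key, a named interface without a standby address, and a stateful link that is not a named interface. The sample configurations, addresses and key are constructed for the example; the 1500-byte MTU floor for the stateful link comes from the PIX documentation rather than this chapter.

```python
from typing import Dict, List

# Constructed sample configurations that follow this chapter's command sequence; the
# addresses (RFC 5737 / RFC 1918) and the key are placeholders, not course values.
PRIMARY_CFG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet3 MYFAILOVER security55
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address MYFAILOVER 192.168.254.1 255.255.255.0
mtu MYFAILOVER 1500
failover
failover ip address outside 192.0.2.2
failover ip address inside 10.0.1.2
failover ip address MYFAILOVER 192.168.254.2
failover link MYFAILOVER
failover poll 15
failover lan unit primary
failover lan interface MYFAILOVER
failover lan key lab13key
failover lan enable
"""
SECONDARY_CFG = """
nameif ethernet3 MYFAILOVER security55
interface ethernet3 100full
ip address MYFAILOVER 192.168.254.1 255.255.255.0
failover ip address MYFAILOVER 192.168.254.2
failover lan unit secondary
failover lan interface MYFAILOVER
failover lan key lab13key
failover lan enable
"""

def parse_failover_config(cfg: str) -> Dict:
    """Pick out the commands the failover pair depends on; everything else is ignored."""
    c: Dict = {"nameif": {}, "ip": {}, "failover_ip": {}, "mtu": {}, "failover": False,
               "link": None, "unit": None, "lan_if": None, "key": None, "lan_enable": False}
    for line in cfg.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "nameif" and len(p) == 4:
            c["nameif"][p[2]] = p[3]                      # if_name -> security level
        elif p[:2] == ["ip", "address"] and len(p) >= 4:
            c["ip"][p[2]] = p[3]
        elif p[0] == "mtu" and len(p) == 3:
            c["mtu"][p[1]] = int(p[2])
        elif p == ["failover"]:
            c["failover"] = True
        elif p[:3] == ["failover", "ip", "address"] and len(p) == 5:
            c["failover_ip"][p[3]] = p[4]
        elif p[:2] == ["failover", "link"] and len(p) == 3:
            c["link"] = p[2]
        elif p[:3] == ["failover", "lan", "enable"]:
            c["lan_enable"] = True
        elif p[:2] == ["failover", "lan"] and len(p) == 4 and p[2] in ("unit", "interface", "key"):
            c[{"unit": "unit", "interface": "lan_if", "key": "key"}[p[2]]] = p[3]
    return c

def check_pair(primary_cfg: str, secondary_cfg: str) -> List[str]:
    p, s = parse_failover_config(primary_cfg), parse_failover_config(secondary_cfg)
    issues: List[str] = []
    if not p["failover"]:
        issues.append("primary: 'failover' is not enabled")
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        issues.append(f"unit roles are {p['unit']}/{s['unit']}, expected primary/secondary")
    lan = p["lan_if"]
    if lan is None or lan != s["lan_if"]:
        issues.append(f"LAN failover interface differs: {lan} vs {s['lan_if']}")
    for side, c in (("primary", p), ("secondary", s)):
        if not c["lan_enable"]:
            issues.append(f"{side}: 'failover lan enable' missing")
        if lan and lan not in c["nameif"]:
            issues.append(f"{side}: LAN failover interface {lan} has no nameif")
        if lan and lan not in c["ip"]:
            issues.append(f"{side}: LAN failover interface {lan} has no ip address")
    # The secondary's minimum command set must carry the same addresses as the primary
    if lan and (p["ip"].get(lan), p["failover_ip"].get(lan)) != (s["ip"].get(lan), s["failover_ip"].get(lan)):
        issues.append(f"{lan}: system/failover IP addresses differ between units")
    # Without a key on both units the LAN failover messages are neither encrypted nor authenticated
    if not p["key"] or not s["key"]:
        issues.append("failover lan key missing on at least one unit: messages unprotected")
    elif p["key"] != s["key"]:
        issues.append("failover lan key differs between units")
    # Step 3 above: every named interface needs a failover (standby) address
    for name in p["nameif"]:
        if name not in p["failover_ip"]:
            issues.append(f"primary: no failover ip address for {name}")
    # Stateful link must be a named interface; MTU floor of 1500 is from the PIX documentation
    if p["link"] and p["link"] not in p["nameif"]:
        issues.append(f"stateful link {p['link']} is not a named interface")
    if p["link"] and p["mtu"].get(p["link"], 1500) < 1500:
        issues.append(f"stateful link {p['link']} MTU below 1500")
    return issues
```

check_pair(PRIMARY_CFG, SECONDARY_CFG) returns an empty list for the pair above; changing the secondary's key, deleting it, or designating both units primary each produces a single finding, which is the kind of mistake that otherwise only shows up as a pair that never synchronises after Step 9.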

Steps 8 and 9 – Connecting the Interfaces and Reloading the Secondary Firewall
All interfaces are connected.
(Diagram: as in Steps 1 and 2, with the LAN-based failover cables now connected on both PIX Firewalls.)

show failover Command with LAN-Based Failover
pixfirewall(config)# show failover
Failover On
Cable status: Unknown
Reconnect timeout 0:00:00
Poll frequency 15 seconds
        This host: Primary - Standby
                Active time: 255 (sec)
                Interface outside ( ): Normal
                Interface inside ( ): Normal
        Other host: Secondary - Active
                Active time: (sec)
                Interface outside ( ): Normal
                Interface inside ( ): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
Lan Based Failover is Active
        interface MYFAILOVER ( ): Normal, peer( ):Normal

With LAN-based failover the cable status is Unknown because there is no serial failover cable; the last line shows the local and peer status of the LAN failover interface. Link : Unconfigured. means no stateful failover link has been specified, so connections are dropped on failover.
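The serial show failover displays (before and after failover) and this LAN-based one carry the state an operator actually watches: failover On or Off, which unit is Active, the (Failed) qualifier, the per-interface status and whether a stateful link exists. As an added example that is not part of the course, the following Python parser turns that output into a structure and a findings() function reports what is worth acting on. The two samples are constructed to match the slides; because the slides omit the interface addresses, RFC 5737 and RFC 1918 placeholders are used. Only a status of Failed counts as an interface failure: the Shut Down / Link Down status of an unused interface is deliberately ignored, as the firewall itself ignores it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples modelled on the course slides; the slides omit the interface
# addresses, so RFC 5737 / RFC 1918 placeholders are used here.
SERIAL_AFTER_FAILOVER = """\
Failover On
Poll frequency 3 seconds
        This host: Primary - Standby (Failed)
                Interface intf5 (0.0.0.0): Shut Down
                Interface MYFAILOVER (192.168.254.1): Normal (Waiting)
                Interface outside (192.0.2.1): Normal (Waiting)
                Interface inside (10.0.1.1): Failed (Waiting)
        Other host: Secondary - Active
                Interface intf5 (0.0.0.0): Link Down
                Interface MYFAILOVER (192.168.254.2): Normal (Waiting)
                Interface outside (192.0.2.2): Normal (Waiting)
                Interface inside (10.0.1.2): Normal (Waiting)
        Link : MYFAILOVER
"""
LAN_BASED = """\
Failover On
Poll frequency 15 seconds
        This host: Primary - Standby
                Interface outside (192.0.2.1): Normal
                Interface inside (10.0.1.1): Normal
        Other host: Secondary - Active
                Interface outside (192.0.2.2): Normal
                Interface inside (10.0.1.2): Normal
        Link : Unconfigured.
Lan Based Failover is Active
        interface MYFAILOVER (192.168.254.1): Normal, peer(192.168.254.2):Normal
"""

HOST_RE = re.compile(r"^(This|Other) host:\s*(Primary|Secondary)\s*[-\u2013]\s*(Active|Standby)(?:\s*\((\w+)\))?")
IFACE_RE = re.compile(r"^Interface (\S+) \([^)]*\):\s*(.+)$")
LAN_IF_RE = re.compile(r"^interface (\S+) \([^)]*\):\s*([^,]+),\s*peer\([^)]*\):\s*(\S+)")

@dataclass
class Host:
    unit: str        # Primary / Secondary (the physical unit)
    state: str       # Active / Standby (its current role)
    failed: bool     # "(Failed)" qualifier present
    interfaces: Dict[str, str] = field(default_factory=dict)   # name -> status without "(Waiting)"

@dataclass
class FailoverState:
    enabled: bool
    poll_seconds: int
    this_host: Host
    other_host: Host
    stateful_link: Optional[str]     # None when "Unconfigured"
    lan_based: bool
    lan_peer_status: Optional[str]   # status of the peer's LAN failover interface

def parse_show_failover(text: str) -> FailoverState:
    enabled, poll, link, lan, peer = False, 0, None, False, None
    hosts: Dict[str, Host] = {}
    cur: Optional[Host] = None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Failover "):
            enabled = s.split()[1] == "On"
        elif s.startswith("Poll frequency"):
            poll = int(s.split()[2])
        elif (m := HOST_RE.match(s)):
            cur = Host(m[2], m[3], m[4] == "Failed")
            hosts[m[1]] = cur
        elif (m := IFACE_RE.match(s)) and cur:
            cur.interfaces[m[1]] = m[2].split(" (")[0]   # "Normal (Waiting)" -> "Normal"
        elif s.startswith("Link :"):
            name = s.split(":", 1)[1].strip().rstrip(".")
            link = None if name == "Unconfigured" else name
        elif s.startswith("Lan Based Failover is Active"):
            lan = True
        elif (m := LAN_IF_RE.match(s)):
            peer = m[3]
    if set(hosts) != {"This", "Other"}:
        raise ValueError("incomplete show failover output")
    return FailoverState(enabled, poll, hosts["This"], hosts["Other"], link, lan, peer)

def findings(st: FailoverState) -> List[str]:
    # Only "Failed" is a failure: an unused interface shows Shut Down / Link Down and that is normal.
    out: List[str] = []
    if not st.enabled:
        out.append("failover is Off")
    for label, h in (("this host", st.this_host), ("other host", st.other_host)):
        if h.failed:
            out.append(f"{label} ({h.unit}) is marked Failed")
        out += [f"{label}: interface {n} Failed" for n, s in h.interfaces.items() if s == "Failed"]
        if h.unit == "Primary" and h.state == "Standby":
            out.append("primary unit is Standby: a failover has occurred")
    if st.stateful_link is None:
        out.append("no stateful failover link: connections drop on failover")
    if st.lan_based and st.lan_peer_status not in (None, "Normal"):
        out.append(f"LAN failover peer status is {st.lan_peer_status}")
    return out
```

Run over the serial sample, findings() reports the primary marked Failed, its inside interface Failed and the role change; over the LAN-based sample it reports the role change and the absence of a stateful link. A primary sitting in Standby is the signal to investigate even when every interface now reads Normal, because the pair will not fail back on its own.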

Summary

– The primary and secondary PIX Firewalls are the two firewalls used for failover.
– The primary PIX Firewall is usually active while the secondary PIX Firewall is usually standby, but during failover the primary PIX Firewall goes to standby while the secondary becomes active.
– The configuration of the primary PIX Firewall is replicated to the secondary PIX Firewall during configuration replication.

Summary (cont.)
– During failover connections are dropped, while during stateful failover connections remain active.
– There are four interface tests to ensure that the PIX Firewalls are running:
  –Link Up and Down test
  –Network Activity test
  –ARP test
  –Broadcast Ping test
– LAN-based failover enables you to use Ethernet cabling with a dedicated hub, switch, or VLAN for long-distance failover.

Lab Exercise

Lab Visual Objective
(Diagram: the primary and secondary PIX Firewalls in front of the pod network 10.0.P.0, with RTS, RBB, a Web/FTP server, CSACS and the student PC; remote host 10.1.P.11, local network 10.0.P.0, where P is the pod number.)