Cisco PIX Upgrade-Workshop PixOS 7 http://security-planet.de 22 March, 2007
Agenda: Basics, Access-Control, Inspections, Transparent Firewalls, Virtual Firewalls, Failover, VPNs

Failover (Sec. 7, p. 393): Active/Standby (PixOS v6, PixOS v7), Active/Active
Failover - Active/Standby, PixOS v6

  interface ethernet5 100full
  nameif ethernet5 FAILOVER security1
  ip address outside 192.168.1.1 255.255.255.0
  ip address inside 10.0.1.1 255.255.255.0
  ip address FAILOVER 172.17.1.1 255.255.255.0
  failover ip address outside 192.168.1.2
  failover ip address inside 10.0.1.2
  failover ip address FAILOVER 172.17.1.2
  failover
  failover poll 3
  failover link FAILOVER
  failover lan unit primary
  failover lan interface FAILOVER
  failover lan key supersecret
  failover lan enable
Failover - Active/Standby, PixOS v7: the interfaces. The standby address now lives on the interface itself (no separate "failover ip address"), and the failover interface gets no nameif and no ip address of its own.

  interface Ethernet0
   nameif outside
   security-level 0
   ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  interface Ethernet1
   nameif inside
   security-level 100
   ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
  interface Ethernet5
   description LAN/STATE Failover Interface
   speed 100
   duplex full

Failover - Active/Standby, PixOS v7: the failover settings. The failover key authenticates and encrypts the hello and state-replication traffic between the units; without it everything on the failover link (including replicated connection and SA tables) travels in clear text, so the link should in any case be a dedicated segment. "failover interface-policy 2" means two monitored interfaces must fail before the unit gives up the active role; with only outside and inside monitored that is both of them.

  failover
  failover lan unit primary
  failover lan interface FAILOVER Ethernet5
  failover lan enable
  failover polltime unit 3 holdtime 9
  failover polltime interface 3
  failover key supersecret
  failover link FAILOVER Ethernet5
  failover interface ip FAILOVER 172.17.1.1 255.255.255.0 standby 172.17.1.2
  monitor-interface outside
  monitor-interface inside
  no monitor-interface dmz
  failover interface-policy 2
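The rules the slide relies on (a standby address per addressed interface, in the same subnet and different from the active address; a failover key; monitor-interface names that resolve to a nameif; an interface-policy count that can actually be reached; a holdtime of at least three times the unit polltime) are easy to get wrong when a config is typed by hand. The following script is an added example for this workshop page, not Cisco code and not part of the slides: it runs those checks offline over config text. AS_CONFIG is constructed from the slide's own example with the indentation the PIX prints for interface sub-commands restored; the finding texts and the function names are this example's own.

```python
"""Offline sanity checks for a PIX/ASA 7.x Active/Standby failover config.

Added example for this workshop page: not Cisco code and not the slides'
own material.  AS_CONFIG is constructed from the slides' example.
"""
import ipaddress
import re

AS_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
interface Ethernet5
 description LAN/STATE Failover Interface
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet5
failover polltime unit 3 holdtime 9
failover key supersecret
failover link FAILOVER Ethernet5
failover interface ip FAILOVER 172.17.1.1 255.255.255.0 standby 172.17.1.2
monitor-interface outside
monitor-interface inside
failover interface-policy 2
"""

IP_RE = re.compile(r"ip address (\S+) (\S+)(?: standby (\S+))?$")
FO_IP_RE = re.compile(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse_interfaces(cfg):
    """Map each 'interface X' block to its nameif / ip / mask / standby."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {}
        elif cur and raw.startswith(" "):       # indented: sub-command of the block
            if line.startswith("nameif "):
                ifaces[cur]["nameif"] = line.split()[1]
            m = IP_RE.match(line)
            if m:
                ifaces[cur].update(ip=m[1], mask=m[2], standby=m[3])
        else:
            cur = None                          # back at global configuration level
    return ifaces


def standby_problem(label, ip, mask, standby):
    """A standby address must exist, differ from the active one and share its subnet."""
    if not standby:
        return f"{label}: no standby address; the unit cannot be reached once it is standby"
    if standby == ip:
        return f"{label}: standby address equals the active address {ip}"
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if ipaddress.ip_address(standby) not in net:
        return f"{label}: standby {standby} lies outside {net}"
    return None


def lint_active_standby(cfg):
    """Return a list of findings for one unit's config (empty list = clean)."""
    findings, ifaces = [], parse_interfaces(cfg)
    lines = [l.strip() for l in cfg.splitlines()]
    for name, i in ifaces.items():
        if "ip" in i:
            p = standby_problem(name, i["ip"], i["mask"], i["standby"])
            if p:
                findings.append(p)
    # Without a key, hellos and state replication cross the failover link
    # unauthenticated and in clear text (v6: 'failover lan key', v7: 'failover key').
    if not any(l.startswith(("failover key ", "failover lan key ")) for l in lines):
        findings.append("no failover key configured")
    named = {i["nameif"] for i in ifaces.values() if "nameif" in i}
    monitored = [l.split()[1] for l in lines if l.startswith("monitor-interface ")]
    findings += [f"monitor-interface {n}: no interface carries that nameif"
                 for n in monitored if n not in named]
    for l in lines:
        m = re.match(r"failover interface-policy (\d+)$", l)   # count form only, not '50%'
        if m and int(m[1]) > len(monitored):
            findings.append(f"interface-policy {m[1]} exceeds the {len(monitored)} monitored "
                            "interfaces: an interface failure can never trigger failover")
        m = re.match(r"failover polltime unit (\d+) holdtime (\d+)$", l)
        if m and int(m[2]) < 3 * int(m[1]):
            findings.append(f"holdtime {m[2]} must be at least three times the unit polltime {m[1]}")
        m = FO_IP_RE.match(l)
        if m:
            p = standby_problem(f"failover link {m[1]}", m[2], m[3], m[4])
            if p:
                findings.append(p)
    return findings


if __name__ == "__main__":
    for f in lint_active_standby(AS_CONFIG) or ["config looks consistent"]:
        print(f)
```

Run against the slide's config it reports nothing; drop the failover key line, move a standby address into another subnet, or raise interface-policy above the number of monitored interfaces and the corresponding finding appears. The script only looks at one unit's config; both units of a pair must still be compared by hand (or by running it on both), since the standby unit learns its addresses from the active one only after failover has been established.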
Failover - Active/Standby: on PixOS 7 the following state information is passed to the standby unit:
- NAT translation table
- TCP connection states
- UDP connection states
- the ARP table
- the Layer 2 bridge table (when running in transparent firewall mode)
- the HTTP connection states (if HTTP replication is enabled)
- the ISAKMP and IPsec SA table
- GTP PDP connection database

Failover - Active/Standby: as in v6, the following information is not passed to the standby unit:
- the user authentication (uauth) table
- the routing tables
- state information for Security Services Modules (ASA only)
- DHCP server address leases
Failover - Active/Active: in PixOS 7 failover can be configured as Active/Active, where both firewalls forward traffic.
- Both firewalls need an Unrestricted license, or one Unrestricted and one FO-AA (Active/Active failover) license.
- The failover concept stays the same as for Active/Standby, so a failover bundle still consists of exactly two firewalls.
- The load is not shared automatically between the firewalls. It works like a multi-group HSRP configuration: firewall contexts are assigned to failover groups, and each group is active on one unit and standby on the other.

Example: two contexts share the load. One is the admin context, the other a user context. E0 is the shared outside interface. E1 is split into subinterfaces for the two groups; each group works with one subinterface. E2 is the stateful failover link. We are using cable-based failover: the serial failover cable decides which unit is primary and which is secondary, which is why no "failover lan unit" or "failover lan interface" command appears in the system context below.
The PIX has to be configured for multiple-context mode:

  mode multiple

The system context is configured: the interfaces.

  interface Ethernet0
   description Outside-Interface
  interface Ethernet1
   description Trunk-Inside-Interface
  interface Ethernet1.10
   description Inside-Interface Admin-Context
   vlan 10
  interface Ethernet1.20
   description Inside-Interface Context1
   vlan 20
  interface Ethernet2
   description STATE Failover Interface

The system context is configured: the failover settings.

  failover
  failover link folink Ethernet2
  failover interface ip folink 172.17.1.1 255.255.255.0 standby 172.17.1.2

The system context is configured: two failover groups. Group 1 prefers the primary unit and takes the group back (preempt) when that unit returns; group 2 prefers the secondary unit and, without preempt, stays wherever it is after a failover.

  failover group 1
   primary
   preempt
  failover group 2
   secondary
The admin context is created; this context works with failover group 1.

  admin-context admin
  context admin
   description admin
   allocate-interface Ethernet0
   allocate-interface Ethernet1.10
   config-url flash:admin.cfg
   join-failover-group 1

The user context is created; this context works with failover group 2.

  context context1
   description context1
   allocate-interface Ethernet0
   allocate-interface Ethernet1.20
   config-url flash:/context1.cfg
   join-failover-group 2
The admin context is configured. Both contexts sit on the shared interface Ethernet0 in the same subnet, so their active and standby addresses must not overlap.

  changeto context admin
  interface Ethernet0
   nameif outside
   security-level 0
   ip address 192.168.1.11 255.255.255.0 standby 192.168.1.12
  interface Ethernet1.10
   nameif inside
   security-level 100
   ip address 10.0.10.1 255.255.255.0 standby 10.0.10.2
  monitor-interface outside
  monitor-interface inside

The user context is configured. Because context1 belongs to group 2, its "ip address" is normally live on the secondary unit and the "standby" address on the primary.

  changeto context context1
  interface Ethernet0
   nameif outside
   security-level 0
   ip address 192.168.1.21 255.255.255.0 standby 192.168.1.22
  interface Ethernet1.20
   nameif inside
   security-level 100
   ip address 10.0.20.1 255.255.255.0 standby 10.0.20.2
  monitor-interface outside
  monitor-interface inside
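The Active/Active example spreads the relevant facts over the system context and two context configs: which group a context joins, which unit that group prefers, whether it preempts, which interfaces a context may use, and which addresses two contexts put on the shared interface. The following script is an added example for this workshop page, not Cisco code and not part of the slides: it reads those pieces, answers "which contexts run on which unit" and flags undefined groups, unallocated interfaces, missing preempt and address collisions on a shared interface. The sample configs are constructed from the slides; the function names are this example's own. One assumption is labelled in the code: a context without join-failover-group is treated as group 1 (the Cisco default) and a group with neither "primary" nor "secondary" is treated as primary.

```python
"""Active/Active failover: which contexts run where, and do contexts collide
on a shared interface?  Added example for this workshop page, not Cisco code."""
import re

SYSTEM_CFG = """\
interface Ethernet0
interface Ethernet1
interface Ethernet1.10
 vlan 10
interface Ethernet1.20
 vlan 20
interface Ethernet2
failover
failover link folink Ethernet2
failover interface ip folink 172.17.1.1 255.255.255.0 standby 172.17.1.2
failover group 1
 primary
 preempt
failover group 2
 secondary
admin-context admin
context admin
 allocate-interface Ethernet0
 allocate-interface Ethernet1.10
 config-url flash:admin.cfg
 join-failover-group 1
context context1
 allocate-interface Ethernet0
 allocate-interface Ethernet1.20
 config-url flash:/context1.cfg
 join-failover-group 2
"""

CONTEXT_CFGS = {  # constructed from the slides' two context configs
    "admin": "interface Ethernet0\n nameif outside\n"
             " ip address 192.168.1.11 255.255.255.0 standby 192.168.1.12\n"
             "interface Ethernet1.10\n nameif inside\n"
             " ip address 10.0.10.1 255.255.255.0 standby 10.0.10.2\n",
    "context1": "interface Ethernet0\n nameif outside\n"
                " ip address 192.168.1.21 255.255.255.0 standby 192.168.1.22\n"
                "interface Ethernet1.20\n nameif inside\n"
                " ip address 10.0.20.1 255.255.255.0 standby 10.0.20.2\n",
}

# 'interface X', its indented sub-commands, up to the ip address line
CTX_ADDR_RE = re.compile(
    r"^interface (\S+)\n(?: [^\n]*\n)*? ip address (\S+) \S+ standby (\S+)$", re.M)


def parse_system(cfg):
    """Return (groups, contexts): group -> unit/preempt, context -> group/ifaces."""
    groups, contexts, block = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("failover group "):
            # unit 'primary' is an assumption for groups that set neither keyword
            block = groups.setdefault(line.split()[2], {"unit": "primary", "preempt": False})
        elif line.startswith("context "):
            # group '1' is the Cisco default for contexts without join-failover-group
            block = contexts.setdefault(line.split()[1], {"group": "1", "ifaces": set()})
        elif block is None or not raw.startswith(" "):
            block = None                       # unindented line ends the block
        elif line in ("primary", "secondary"):
            block["unit"] = line
        elif line == "preempt":
            block["preempt"] = True
        elif line.startswith("allocate-interface "):
            block["ifaces"].add(line.split()[1])
        elif line.startswith("join-failover-group "):
            block["group"] = line.split()[1]
    return groups, contexts


def active_contexts(system_cfg):
    """Map unit -> contexts that are active on it when both units are healthy."""
    groups, contexts = parse_system(system_cfg)
    plan = {"primary": [], "secondary": []}
    for name, c in contexts.items():
        plan[groups.get(c["group"], {"unit": "primary"})["unit"]].append(name)
    return plan


def lint_active_active(system_cfg, context_cfgs):
    """Return findings for the system config plus the per-context configs."""
    findings, seen = [], {}
    groups, contexts = parse_system(system_cfg)
    sys_ifaces = set(re.findall(r"^interface (\S+)$", system_cfg, re.M))
    for name, c in contexts.items():
        if c["group"] not in groups:
            findings.append(f"context {name}: join-failover-group {c['group']} is not defined")
        for i in sorted(c["ifaces"] - sys_ifaces):
            findings.append(f"context {name}: allocate-interface {i} does not exist in the system")
    for g, v in groups.items():
        if not v["preempt"]:
            findings.append(f"failover group {g}: no preempt, so after a failover the group "
                            f"stays on the other unit even when the {v['unit']} unit returns")
    for name, cfg in context_cfgs.items():
        for iface, ip, standby in CTX_ADDR_RE.findall(cfg):
            if iface not in contexts.get(name, {"ifaces": set()})["ifaces"]:
                findings.append(f"context {name}: uses {iface}, which is not allocated to it")
            for addr in (ip, standby):      # shared interface: every address must be unique
                if (iface, addr) in seen:
                    findings.append(f"{iface}: {addr} used by both {seen[iface, addr]} and {name}")
                seen.setdefault((iface, addr), name)
    return findings


if __name__ == "__main__":
    print(active_contexts(SYSTEM_CFG))
    for f in lint_active_active(SYSTEM_CFG, CONTEXT_CFGS):
        print(f)
```

On the slides' config the script places admin on the primary and context1 on the secondary unit and reports a single finding: group 2 has no preempt, so once it has moved to the primary unit the load stays unsplit until someone moves it back. Changing context1's outside address to 192.168.1.11 produces the shared-interface collision finding.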
Failover misc.: the prompt can now show which firewall you are on.

  act/pix# sh run prompt
  prompt state hostname

Subsecond failover (v7.2):
- 800 ms when the active unit loses power or stops normal operation
- 500 ms when an interface link goes down on the active unit