Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
430
Views
0
Helpful
7
Replies

Configuration Synchronization with Remote firewall

mohsin.khan
Level 3
Level 3

‎11-29-2007 11:08 PM - edited ‎02-21-2020 01:48 AM

Hi,

I have 2 pairs of pri/sec firewalls placed at remote locations. Each pair is working in a failover mode, that is, SITE-1-FW1 is being synchronized with SITE-1-FW2, and same is the case with SITE-2 firewalls.

Now, i am planning to upgrade SITE-2 firewalls, and for that i need to make sure that both pairs (on SITE-1 and SITE-2) should have up-to-date config. SO that i will route my traffic to SITE-1, will upgrade firewalls on SITE-2, and then will do the same for SITE-1. My question is, who can i automate this synchronization process, on firewalls placed at remote location.

0 Helpful
7 Replies 7

mohsin.khan
Level 3
Level 3

‎09-11-2008 12:09 AM

Help needed

0 Helpful

andrew.prince
Level 10
Level 10
In response to mohsin.khan

‎09-11-2008 03:40 AM

Can you be more specific on your requirements?

0 Helpful

mohsin.khan
Level 3
Level 3
In response to andrew.prince

‎09-11-2008 06:27 PM

is it possible to update the ACLs of site-1 FW pair, on the site-2 FW pair automatically? I mean whenever someone adds/edit an ACL on site-1-FW pair, site-2-FW pair may automatically get updated?

0 Helpful

andrew.prince
Level 10
Level 10
In response to mohsin.khan

‎09-11-2008 11:00 PM

In a word - no. The lan failover-syncronisation is between 2 firewalls in either active/standby or active/active, locally.

I would find it very strange to find any network where the same IP addresses were being used in 2 seperate locations.

Anyway - what you are asking, cannot be done.

HTH>

0 Helpful

mohsin.khan
Level 3
Level 3
In response to andrew.prince

‎09-13-2008 05:10 AM

Same IP address scheme was advised by cisco advanced services team, and so far we are good with this without any problem, except this.

what about Cisco Security Manager? I heard using CSM, same security poilcy can be implemented accross multiple security devices on regular intervals, however i am still not sure if that is true...

0 Helpful

andrew.prince
Level 10
Level 10
In response to mohsin.khan

‎09-13-2008 05:18 AM

Are you running the sites as active/active - if you are, how are you geting around the asymetric routing issues?

I do not know anything about the CSM - perhaps you should post a question in the MARS section.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to mohsin.khan

‎09-14-2008 02:18 AM

Yes Mohsin there are two ways to do it, either manually or by using a configuration management tool like Cisco CSM. You can definitely make a 'Policy' in CSM and push it to multiple devices.

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card