PIX525 Ver.7 Active-Active Failover Sample Config

donmorales · ‎01-28-2006

Does anyone have a sample config of an Active-Active Failover firewall showing failover config as well as how the physical interfaces are configured in the contexts?

varakantam · ‎01-29-2006

Following are smaple configurations for an Active/Active configuration and where they should be configured

Primary Unit System space

a) Create failover configuration

failover

failover lan unit primary

failover lan interface faillink Vlan4002

failover polltime unit msec 900 holdtime 3

failover polltime interface 5

failover replication http

failover link statelink Vlan4003

failover interface ip faillink 1.1.1.1 255.255.255.0 standby 1.1.1.2

failover interface ip statelink 2.2.2.1 255.255.255.0 standby 2.2.2.2

failover group 1

preempt 300

replication http

polltime interface 5

failover group 2

secondary

replication http

interface-policy 40%

b) Create Contexts and allocate interfaces to context and make then part of one of the 2 failover groups

context TCTX19

description context TCTX19

allocate-interface Vlan3072-Vlan3075

allocate-interface Vlan3152-Vlan3155

config-url disk:/TCTX19.cfg

join-failover-group 1

context TCTX20

description context TCTX20

allocate-interface Vlan3076-Vlan3079

allocate-interface Vlan3156-Vlan3159

config-url disk:/TCTX20.cfg

join-failover-group 2

c) Interface configuration within the contexts

interface Vlan2000

description Interface for VLAN2000

nameif DMZ1_VLAN2000

security-level 80

ip address 172.1.0.1 255.255.252.0 standby 172.1.0.2

maksure you use a standby IP in the same segment as active ip.

d) Standby unit congiuration

failover

failover lan unit secondary

failover lan interface faillink Vlan4002

failover interface ip faillink 1.1.1.1 255.255.255.0 standby 1.1.1.2

That should do the magic :)