Overview

This section shows how to perform advanced operations for FTD High Availability using the REST API.

Understanding High Availability

High availability (HA) consists of setting up two Firepower Threat Defense (FTD) sensors to monitor traffic. HA keeps the network operational even if one firewall fails: if one device fails, the other takes over. HA supports the Active/Standby model, where only one device is actually managing and inspecting traffic at any given time. FTD HA uses dedicated data links to share configuration, health, and state information (connections and traffic) between the two devices.

HA Roles and States

Each device in an HA pair is configured with either the primary or the secondary role. Roles are assigned once and never change. The Primary device provides the initial configuration to be synced when the HA pair is formed. When the pair is first joined, the Primary becomes active by default. The Primary's data interface IP and MAC addresses are used on whichever device is currently active.

HA devices may report a variety of HA states. In a healthy HA pair, one device is active and the other is standby. These states can be exchanged at any time, either by manual action or when the active device fails.

Licensing Considerations

Each device in the HA pair must have its own license. Both devices must have the same base license, either evaluation or registered, and belong to the same Cisco Smart Software Manager account. This ensures that export compliance matches on both smart licenses. If registered, the same Cisco Services Exchange regions must be selected. License entitlements need not match; the system will request any missing entitlements on the non-compliant device. Even if this request fails, the pair will remain operational. A strong crypto license is not required to use the IPsec shared key between the active and standby devices.

Cloud Entitlement Considerations

Both devices must have the same Cisco Defense Orchestrator registration status. For Cisco Success Network and Cisco Threat Response, either both devices must be enabled or just the secondary. If just the secondary is enabled, it will be disabled after the HA join. Web Analytics status need not match; entitlement follows the active device. When registering for a license, the Cisco Success Network enrollment status should be selected manually on each device.

More Information

For more information about configuring FTD devices, see Cisco Installation and Configuration Guides.

How to Read the HTTP Request/Response Examples

FTD devices in the examples are given names like ftd.example and ftd.primary.example. Replace these values with your local device name (or IP address) and port. The request examples use curl and include an ACCESS_TOKEN placeholder in the Authorization header. Replace this value with your OAuth access token for the FTD device. For more information on how to obtain an access token, see Authenticating Your REST API Client Using OAUTH.

curl -H 'Accept: application/json'  -H "Authorization: Bearer ACCESS_TOKEN"  https://ftd.primary.example/api/fdm/latest/devices/default/operational/ha/status/default

 

curl -H 'Accept: application/json'  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NjU3NDQ3NDAsInN1YiI6ImFkbWluIiwianRpIjoiYTI0YjEyNDUtYmUyZi0xMWU5LThmMWEtZDUwMjlmODQ4MTNlIiwibmJmIjoxNTY1NzQ0NzQwLCJleHAiOjE1NjU3NDY1NDAsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTU2NTc0NzE0MDcwOCwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsInVzZXJVdWlkIjoiMWU5OTFjMGItYmUxMi0xMWU5LTgyZWEtYTlhYzhmYmRmOTJjIiwidXNlclJvbGUiOiJST0xFX0FETUlOIiwib3JpZ2luIjoicGFzc3dvcmQiLCJ1c2VybmFtZSI6ImFkbWluIn0.nFqng6tlU-fB2NAJ0Kcrbc5u1c0aCntt0nGEeJRkjUU"  https://192.168.0.1:4443/api/fdm/latest/devices/default/operational/ha/status/default

Responses often include a "self" link that references the device's IP address and port. In actual use, you will see the device's address, not a value like "ftd.primary.example".

{
  "nodeRole": "HA_PRIMARY",
  "nodeState": "HA_ACTIVE_NODE",
  "peerNodeState": "HA_FAILED_NODE",
  "configStatus": "UNKNOWN",
  "haHealthStatus": "CRITICAL",
  "id": "default",
  "type": "hastatus",
  "links": {
    "self": "https://ftd.primary.example/api/fdm/latest/devices/default/operational/ha/status/default"
  }
}

 

{
  "nodeRole": "HA_PRIMARY",
  "nodeState": "HA_ACTIVE_NODE",
  "peerNodeState": "HA_FAILED_NODE",
  "configStatus": "UNKNOWN",
  "haHealthStatus": "CRITICAL",
  "id": "default",
  "type": "hastatus",
  "links": {
    "self": "https://192.168.0.1:4443/api/fdm/latest/devices/default/operational/ha/status/default"
  }
}
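The following is an added example, not part of the Cisco documentation, that fetches the hastatus resource with the same headers as the curl request above and turns the response into a redundancy verdict; the embedded sample is the response shown on this page, the CA-bundle parameter and the assess_ha_status helper are this example's own assumptions, and only field values that appear on this page are matched literally.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

HA_STATUS_PATH = "/api/fdm/latest/devices/default/operational/ha/status/default"

# Constructed test input: the hastatus response shown on this page.
SAMPLE_STATUS = {
    "nodeRole": "HA_PRIMARY", "nodeState": "HA_ACTIVE_NODE",
    "peerNodeState": "HA_FAILED_NODE", "configStatus": "UNKNOWN",
    "haHealthStatus": "CRITICAL", "id": "default", "type": "hastatus",
    "links": {"self": "https://ftd.primary.example" + HA_STATUS_PATH},
}


def fetch_ha_status(device, token, cafile):
    """GET the hastatus resource, as the curl request on this page does.
    cafile is the CA bundle for the FTD management certificate, so TLS
    verification stays on rather than being disabled for a self-signed cert."""
    req = urllib.request.Request(
        f"https://{device}{HA_STATUS_PATH}",
        headers={"Accept": "application/json", "Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def assess_ha_status(status, queried_device=None):
    """Reduce one hastatus document to a redundancy verdict plus findings.
    Only values that appear on this page are matched literally."""
    findings = []
    if status.get("type") != "hastatus":
        findings.append(f"unexpected resource type {status.get('type')!r}")
    if status.get("peerNodeState") == "HA_FAILED_NODE":
        findings.append("peer has failed: the pair is running without a standby")
    if status.get("haHealthStatus") == "CRITICAL":
        findings.append("haHealthStatus is CRITICAL")
    if status.get("configStatus") == "UNKNOWN":
        findings.append("configStatus is UNKNOWN: config sync cannot be confirmed")
    # The "self" link names the device that answered; if that is not the host
    # we queried, we may be talking to a proxy or to the wrong device.
    self_host = urlsplit(status.get("links", {}).get("self", "")).hostname
    if queried_device and self_host != urlsplit(f"//{queried_device}").hostname:
        findings.append(f"self link names {self_host!r}, not {queried_device!r}")
    redundant = (status.get("peerNodeState") != "HA_FAILED_NODE"
                 and status.get("haHealthStatus") != "CRITICAL")
    return {"role": status.get("nodeRole"), "state": status.get("nodeState"),
            "redundant": redundant, "findings": findings}
```

Run `assess_ha_status(fetch_ha_status("ftd.primary.example", token, "/path/to/ca.pem"), "ftd.primary.example")` from a monitoring job; any non-empty findings list means the pair needs attention before a planned failover.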