10

If I have two datacenter sites that are considered redundant to each other, is it possible to sync the firewall configuration from the primary to the backup? What is the best way to keep both firewalls updated at the same time?

If so, what is required?


Equipment used:

  • Main DC
    • Two Cisco ASAs running 8.2.5
  • Remote DC
    • Two Cisco ASAs running 8.6

The link between the two DCs is an L2 link connecting both DC cores. The ASAs connect to each core.

John Jensen
user1477

1 Answer

4

We have a similar setup but with two sets of 8.2(5) and we have used an in-house script to detect config changes to the primary pair, change the necessary details to make it connectable in the second DC and push the config to the second firewall pair and finally reboot.

This only works for us because the second FW pair is completely passive whilst a failover isn't active.

All the script basically does is pull the active config, run a regex to replace the management details with those of the second pair, and a regex to replace the SNMP, hostname, etc. Once done it TFTPs the config to the second pair and initiates a reboot.

David Rothera
  • If you want I can upload it to github or something for reference. – David Rothera Jun 05 '13 at 07:52
  • Script solutions are probably the best you can do to keep four firewalls in some rough stage of configuration sync... although this is architecturally limited to an active/standby DC scenario – Mike Pennington Jun 05 '13 at 07:54
  • That would be great! Or email dannyvanzee@gmail.com – user1477 Jun 05 '13 at 15:24
  • Can I ask why you have the FWs reboot after config changes? Why wouldn't moving it to running config work? – bigmstone Jun 05 '13 at 15:44
  • We've always done it as some of the changes can't easily be carried out when just over-writing the running-config. – David Rothera Jun 05 '13 at 16:24
  • Just for reference, I recently saw a 9.2.1 presentation with inter-site clustering. While not specifically for this use case, it is useful for active/active site firewalls. – cpt_fink Jul 03 '14 at 03:21
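The rewrite step David's answer describes, as an added example (not the in-house script from the answer): it swaps the site-specific lines of a constructed ASA 8.2(5) config fragment for the secondary pair, records what changed for audit, and checks that no primary-site management address survives before the file would be handed to TFTP. The interface name, addresses, hostnames and SNMP collector are constructed assumptions.

```python
import re

# Constructed ASA 8.2(5) running-config fragment from the primary DC pair (sample values).
PRIMARY_CONFIG = """\
hostname fw-dc1-a
interface Management0/0
 nameif management
 ip address 10.1.0.10 255.255.255.0 standby 10.1.0.11
snmp-server host management 10.1.0.50 community ***** version 2c
snmp-server location DC1
failover lan unit primary
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
"""

# Values that differ on the secondary DC pair (constructed assumptions).
SECONDARY_SITE = {
    "hostname": "fw-dc2-a",
    "mgmt_interface": "Management0/0",
    "mgmt_ip": "10.2.0.10 255.255.255.0 standby 10.2.0.11",
    "snmp_host": "10.2.0.50",
    "location": "DC2",
}

def rewrite_for_secondary(config, site):
    """Swap site-specific lines for the secondary pair; returns (new_config, audit)."""
    out, audit, in_mgmt = [], [], False
    for line in config.splitlines():
        if not line.startswith(" "):               # a top-level line ends any interface block
            parts = line.split()
            in_mgmt = parts[:1] == ["interface"] and parts[1:] == [site["mgmt_interface"]]
        new = line
        if line.startswith("hostname "):
            new = "hostname " + site["hostname"]
        elif in_mgmt and line.startswith(" ip address "):   # only the management interface
            new = " ip address " + site["mgmt_ip"]
        elif line.startswith("snmp-server host "):           # keep nameif/community, swap collector
            new = re.sub(r"^(snmp-server host \S+ )\S+",
                         lambda m: m.group(1) + site["snmp_host"], line)
        elif line.startswith("snmp-server location "):
            new = "snmp-server location " + site["location"]
        if new != line:
            audit.append("- %s\n+ %s" % (line, new))
        out.append(new)
    return "\n".join(out) + "\n", audit

def leftover_primary_addresses(config, primary_prefixes):
    """Lines still carrying a primary-site management prefix; must be empty before the TFTP push."""
    pat = re.compile(r"\b(" + "|".join(re.escape(p) for p in primary_prefixes) + r")\d+\b")
    return [l for l in config.splitlines() if pat.search(l)]
```

Access-lists, failover unit roles and anything outside the management interface block pass through untouched, so the audit list is the diff to review before pushing.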