Cisco has translated this document using a combination of machine and human technologies so that users worldwide can understand support content in their own language. Note that even the best machine translation is not as accurate as that produced by a professional translator. Cisco Systems, Inc. assumes no responsibility for the accuracy of these translations and recommends that you always consult the original English document (link provided).
This document describes how to verify the Firepower high availability and scalability configuration, the firewall mode, and the instance deployment type.
The verification steps for the high availability and scalability configuration, the firewall mode, and the instance deployment type are shown on the user interface (UI), on the command-line interface (CLI), via REST-API queries, via SNMP, and in the troubleshoot files.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The information in this document is based on these software and hardware versions:
High availability refers to the failover configuration. A high availability or failover setup joins two devices together so that if one of the devices fails, the other device can take over.
Scalability refers to the cluster configuration. A cluster configuration lets you group multiple FTD nodes together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) and the increased throughput and redundancy of multiple devices.
In this document, these expressions are used interchangeably:
In some cases, the high availability and scalability configuration or status cannot be verified. For example, there is no verification command for the FTD standalone configuration. The standalone, failover, and cluster configuration modes are mutually exclusive. If a device has neither a failover nor a cluster configuration, it is considered to operate in standalone mode.
Use these options to verify the FMC high availability configuration and status:
Follow these steps to verify the FMC high availability configuration and status on the FMC UI:
1. Choose System > Integration > High Availability:
2. Check the FMC role. In this case, high availability is not configured, and the FMC operates in a standalone configuration:
If high availability is configured, the local and remote roles are shown:
Follow these steps to verify the FMC high availability configuration and status on the FMC CLI:
1. Access the FMC via an SSH or console connection.
2. Run the expert command, and then run the sudo su command:
> expert
admin@fmc1:~$ sudo su
Password:
Last login: Sat May 21 21:18:52 UTC 2022 on pts/0
fmc1:/Volume/home/admin#
3. Run the troubleshoot_HADC.pl command and choose option 1 Show HA Info Of FMC. If high availability is not configured, this output is shown:
fmc1:/Volume/home/admin# troubleshoot_HADC.pl
**************** Troubleshooting Utility **************
1 Show HA Info Of FMC
2 Execute Sybase DBPing
3 Show Arbiter Status
4 Check Peer Connectivity
5 Print Messages of AQ Task
6 Show FMC HA Operations History (ASC order)
7 Dump To File: FMC HA Operations History (ASC order)
8 Last Successful Periodic Sync Time (When it completed)
9 Print HA Status Messages
10 Compare active and standby device list
11 Check manager status of standby missing devices
12 Check critical PM processes details
13 Help
0 Exit
**************************************************************
Enter choice: 1
HA Enabled: No
If high availability is configured, this output is shown:
fmc1:/Volume/home/admin# troubleshoot_HADC.pl
**************** Troubleshooting Utility **************
1 Show HA Info Of FMC
2 Execute Sybase DBPing
3 Show Arbiter Status
4 Check Peer Connectivity
5 Print Messages of AQ Task
6 Show FMC HA Operations History (ASC order)
7 Dump To File: FMC HA Operations History (ASC order)
8 Help
0 Exit
**************************************************************
Enter choice: 1
HA Enabled: Yes
This FMC Role In HA: Active - Primary
Status out put: vmsDbEngine (system,gui) - Running 29061
In vmsDbEngineStatus(): vmsDbEngine process is running at /usr/local/sf/lib/perl/5.24.4/SF/Synchronize/HADC.pm line 3471.
Sybase Process: Running (vmsDbEngine, theSybase PM Process is Running)
Sybase Database Connectivity: Accepting DB Connections.
Sybase Database Name: csm_primary
Sybase Role: Active
Note: In a high availability configuration, the FMC can have the primary or secondary role, and the active or standby status.
Follow these steps to verify the FMC high availability and scalability configuration and status via the FMC REST-API. Use a REST-API client. In this example, curl is used:
1. Request an authentication token:
# curl -s -k -v -X POST 'https://192.0.2.1/api/fmc_platform/v1/auth/generatetoken' -H 'Authentication: Basic' -u 'admin:Cisco123' | grep -i X-auth-access-token
... < X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb
2. Use the token in this query to retrieve the UUID of the Global domain:
# curl -s -k -X 'GET' 'https://192.0.2.1/api/fmc_platform/v1/info/domain' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
{ "items": [
{
"name": "Global",
"type": "Domain",
"uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f"
},
{
"name": "Global/LAB2",
"type": "Domain",
"uuid": "84cc4afe-02bc-b80a-4b09-000000000000"
},
{
"name": "Global/TEST1",
"type": "Domain",
"uuid": "ef0cf3e9-bb07-8f66-5c4e-000000000001"
},
{
"name": "Global/TEST2",
"type": "Domain",
"uuid": "341a8f03-f831-c364-b751-000000000001"
}
],
"links": {
"self": "https://192.0.2.1/api/fmc_platform/v1/info/domain?offset=0&limit=25"
},
"paging": {
"count": 4,
"limit": 25,
"offset": 0,
"pages": 1
}
}
Note: The "| python -m json.tool" part of the command string formats the output as readable JSON and is optional.
3. Use the Global domain UUID in this query:
# curl -s -k -X 'GET' 'https://192.0.2.1/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/integration/fmchastatuses' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
If high availability is not configured, this output is shown:
{
"links": {},
"paging": {
"count": 0,
"limit": 0,
"offset": 0,
"pages": 0
}
}
If high availability is configured, this output is shown:
{
"items": [
{
"fmcPrimary": {
"ipAddress": "192.0.2.1",
"role": "Active",
"uuid": "de7bfc10-13b5-11ec-afaf-a0f8cf9ccb46"
},
"fmcSecondary": {
"ipAddress": "192.0.2.2",
"role": "Standby",
"uuid": "a2de9750-4635-11ec-b56d-201c961a3600"
},
"haStatusMessages": [
"Healthy"
],
"id": "de7bfc10-13b5-11ec-afaf-a0f8cf9ccb46",
"overallStatus": "GOOD",
"syncStatus": "GOOD",
"type": "FMCHAStatus"
}
],
"links": {
"self": "https://192.0.2.1/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/integration/fmchastatuses?offset=0&limit=25"
},
"paging": {
"count": 1,
"limit": 25,
"offset": 0,
"pages": 1
}
}
Follow these steps to verify the FMC high availability configuration and status in the FMC troubleshoot file:
1. Open the troubleshoot file and navigate to the folder <filename>.tar/results-<date>—xxxxxx/command-output
2. Open the file usr-local-sf-bin-troubleshoot_HADC.pl -a.output:
If high availability is not configured, this output is shown:
# pwd
/var/tmp/results-05-06-2022--199172/command-outputs
# cat "usr-local-sf-bin-troubleshoot_HADC.pl -a.output"
Output of /usr/local/sf/bin/troubleshoot_HADC.pl -a:
$VAR1 = [
'Mirror Server => csmEng',
{
'rcode' => 0,
'stderr' => undef,
'stdout' => 'SQL Anywhere Server Ping Utility Version 17.0.10.5745
Type Property Value
--------- ---------------- ------------------------------
Database MirrorRole NULL
Database MirrorState NULL
Database PartnerState NULL
Database ArbiterState NULL
Server ServerName csmEng
Ping database successful.
'
}
];
(system,gui) - Waiting
HA Enabled: No
Sybase Database Name: csmEng
Arbiter Not Running On This FMC.
Not In HA
If high availability is configured, this output is shown:
# pwd
/var/tmp/results-05-06-2022--199172/command-outputs
# cat "usr-local-sf-bin-troubleshoot_HADC.pl -a.output"
Output of /usr/local/sf/bin/troubleshoot_HADC.pl -a:
Status out put: vmsDbEngine (system,gui) - Running 9399
In vmsDbEngineStatus(): vmsDbEngine process is running at /usr/local/sf/lib/perl/5.24.4/SF/Synchronize/HADC.pm line 3471.
$VAR1 = [
'Mirror Server => csm_primary',
{
'stderr' => undef,
'stdout' => 'SQL Anywhere Server Ping Utility Version 17.0.10.5745
Type Property Value
--------- ---------------- ------------------------------
Database MirrorRole primary
Database MirrorState synchronizing
Database PartnerState connected
Database ArbiterState connected
Server ServerName csm_primary
Ping database successful.
',
'rcode' => 0
}
];
(system,gui) - Running 8185
...
HA Enabled: Yes
This FMC Role In HA: Active - Primary
Sybase Process: Running (vmsDbEngine, theSybase PM Process is Running)
Sybase Database Connectivity: Accepting DB Connections.
Sybase Database Name: csm_primary
Sybase Role: Active
Sybase Database Name: csm_primary
Arbiter Running On This FMC.
Peer Is Connected
The FDM high availability configuration and status can be verified with these options:
To verify the FDM high availability configuration and status on the FDM UI, check High Availability on the main page. If high availability is not configured, the High Availability value is Not Configured:
If high availability is configured, the failover configuration and roles of the local and remote peer devices are shown:
Follow these steps to verify the FDM high availability configuration and status via FDM REST-API requests. Use a REST-API client. In this example, curl is used:
1. Request an authentication token:
# curl -k -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "grant_type": "password", "username": "admin", "password": "Cisco123" }' 'https://192.0.2.3/api/fdm/latest/fdm/token'
{
"access_token":
"eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NTMyMDg1MjgsInN1YiI6ImFkbWluIiwianRpIjoiMjI1YWRhZWMtZDlhYS0xMWVjLWE5MmEtMjk4YjRjZTUxNmJjIiwibmJmIjoxNjUzMjA4NTI4LCJleHAiOjE2NTMyMTAzMjgsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTY1MzIxMDkyODU2OSwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsInVzZXJVdWlkIjoiYTNmZDA3ZjMtZDgxZS0xMWVjLWE5MmEtYzk5N2UxNDcyNTM0IiwidXNlclJvbGUiOiJST0xFX0FETUlOIiwib3JpZ2luIjoicGFzc3dvcmQiLCJ1c2VybmFtZSI6ImFkbWluIn0.ai3LUbnsLOJTN6exKOANsEG5qTD6L-ANd_1V6TbFe6M",
"expires_in": 1800,
"refresh_expires_in": 2400,
"refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NTIzOTQxNjksInN1YiI6ImFkbWluIiwianRpIjoiMGU0NGIxYzQtZDI0Mi0xMWVjLTk4ZWMtYTllOTlkZGMwN2Y0IiwibmJmIjoxNjUyMzk0MTY5LCJleHAiOjE2NTIzOTY1NjksImFjY2Vzc1Rva2VuRXhwaXJlc0F0IjoxNjUyMzk1OTY5MDcwLCJyZWZyZXNoQ291bnQiOi0xLCJ0b2tlblR5cGUiOiJKV1RfUmVmcmVzaCIsInVzZXJVdWlkIjoiYTU3ZGVmMjgtY2M3MC0xMWVjLTk4ZWMtZjk4ODExNjNjZWIwIiwidXNlclJvbGUiOiJST0xFX0FETUlOIiwib3JpZ2luIjoicGFzc3dvcmQiLCJ1c2VybmFtZSI6ImFkbWluIn0.Avga0-isDjQB527d3QWZQb7AS4a9ea5wlbYUn-A9aPw",
"token_type": "Bearer"
}
2. To verify the high availability configuration, use the access_token value in this query:
# curl -s -k -X GET -H 'Accept: application/json' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NTMyMDg1MjgsInN1YiI6ImFkbWluIiwianRpIjoiMjI1YWRhZWMtZDlhYS0xMWVjLWE5MmEtMjk4YjRjZTUxNmJjIiwibmJmIjoxNjUzMjA4NTI4LCJleHAiOjE2NTMyMTAzMjgsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTY1MzIxMDkyODU2OSwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsInVzZXJVdWlkIjoiYTNmZDA3ZjMtZDgxZS0xMWVjLWE5MmEtYzk5N2UxNDcyNTM0IiwidXNlclJvbGUiOiJST0xFX0FETUlOIiwib3JpZ2luIjoicGFzc3dvcmQiLCJ1c2VybmFtZSI6ImFkbWluIn0.ai3LUbnsLOJTN6exKOANsEG5qTD6L-ANd_1V6TbFe6M' 'https://192.0.2.3/api/fdm/v6/devices/default/ha/configurations'
If high availability is not configured, this output is shown:
{
"items": [
{
"version": "issgb3rw2lixf",
"name": "HA",
"nodeRole": null,
"failoverInterface": null,
"failoverName": null,
"primaryFailoverIPv4": null,
"secondaryFailoverIPv4": null,
"primaryFailoverIPv6": null,
"secondaryFailoverIPv6": null,
"statefulFailoverInterface": null,
"statefulFailoverName": null,
"primaryStatefulFailoverIPv4": null,
"secondaryStatefulFailoverIPv4": null,
"primaryStatefulFailoverIPv6": null,
"secondaryStatefulFailoverIPv6": null,
"sharedKey": null,
"id": "76ha83ga-c872-11f2-8be8-8e45bb1943c0",
"type": "haconfiguration",
"links": {
"self": "https://192.0.2.2/api/fdm/v6/devices/default/ha/configurations/76ha83ga-c872-11f2-8be8-8e45bb1943c0"
}
}
],
"paging": {
"prev": [],
"next": [],
"limit": 10,
"offset": 0,
"count": 1,
"pages": 0
}
}
If high availability is configured, this output is shown:
{
"items": [
{
"version": "issgb3rw2lixf",
"name": "HA",
"nodeRole": "HA_PRIMARY",
"failoverInterface": {
"version": "ezzafxo5ccti3",
"name": "",
"hardwareName": "Ethernet1/1",
"id": "8d6c41df-3e5f-465b-8e5a-d336b282f93f",
"type": "physicalinterface"
},
...
3. To verify the high availability status, use this query:
# curl -s -k -X GET -H 'Accept: application/json' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NTMyMDg1MjgsInN1YiI6ImFkbWluIiwianRpIjoiMjI1YWRhZWMtZDlhYS0xMWVjLWE5MmEtMjk4YjRjZTUxNmJjIiwibmJmIjoxNjUzMjA4NTI4LCJleHAiOjE2NTMyMTAzMjgsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTY1MzIxMDkyODU2OSwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsInVzZXJVdWlkIjoiYTNmZDA3ZjMtZDgxZS0xMWVjLWE5MmEtYzk5N2UxNDcyNTM0IiwidXNlclJvbGUiOiJST0xFX0FETUlOIiwib3JpZ2luIjoicGFzc3dvcmQiLCJ1c2VybmFtZSI6ImFkbWluIn0.ai3LUbnsLOJTN6exKOANsEG5qTD6L-ANd_1V6TbFe6M' 'https://192.0.2.3/api/fdm/v6/devices/default/operational/ha/status/default'
If high availability is not configured, this output is shown:
{
"nodeRole" : null,
"nodeState" : "SINGLE_NODE",
"peerNodeState" : "HA_UNKNOWN_NODE",
"configStatus" : "UNKNOWN",
"haHealthStatus" : "HEALTHY",
"disabledReason" : "",
"disabledTimestamp" : null,
"id" : "default",
"type" : "hastatus",
"links" : {
"self" : "https://192.0.2.3/api/fdm/v6/devices/default/operational/ha/status/default"
}
}
If high availability is configured, this output is shown:
{
"nodeRole": "HA_PRIMARY",
"nodeState": "HA_ACTIVE_NODE",
"peerNodeState": "HA_STANDBY_NODE",
"configStatus": "IN_SYNC",
"haHealthStatus": "HEALTHY",
"disabledReason": "",
"disabledTimestamp": "",
"id": "default",
"type": "hastatus",
"links": {
"self": "https://192.0.2.3/api/fdm/v6/devices/default/operational/ha/status/default"
}
}
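The two FDM REST-API calls above, as an added example that is not Cisco's code: it requests the password-grant token, reads the hastatus object, and reduces it to a mode, role and health verdict. Host, user and password are placeholders; the sample objects are constructed from the outputs above.

```python
# Added example (not Cisco code): check FDM high availability via the FDM REST-API.
import json
import ssl
import urllib.request


def fdm_token(host, user, password, ctx):
    """POST the password grant to /api/fdm/latest/fdm/token; returns access_token."""
    body = json.dumps({"grant_type": "password", "username": user,
                       "password": password}).encode()
    req = urllib.request.Request(
        f"https://{host}/api/fdm/latest/fdm/token", data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def fdm_ha_status(host, token, ctx):
    """GET /api/fdm/v6/devices/default/operational/ha/status/default with a Bearer token."""
    req = urllib.request.Request(
        f"https://{host}/api/fdm/v6/devices/default/operational/ha/status/default",
        headers={"Accept": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def classify_fdm_ha(status):
    """Reduce the hastatus object to mode, role and a health verdict.

    nodeState SINGLE_NODE (nodeRole null) means no failover pair. Otherwise
    nodeRole gives HA_PRIMARY/HA_SECONDARY, nodeState the local unit's state and
    peerNodeState the peer's; configStatus and haHealthStatus give the health.
    """
    node_state = status.get("nodeState")
    if node_state == "SINGLE_NODE" or status.get("nodeRole") is None:
        return {"mode": "standalone", "node_state": node_state}
    verdict = {"mode": "ha", "role": status.get("nodeRole"), "node_state": node_state,
               "peer_state": status.get("peerNodeState"),
               "config_status": status.get("configStatus"),
               "health": status.get("haHealthStatus")}
    # A pair that is not IN_SYNC or not HEALTHY is worth an alert even though
    # failover itself is still enabled.
    verdict["healthy"] = (verdict["config_status"] == "IN_SYNC"
                          and verdict["health"] == "HEALTHY")
    return verdict


def check_fdm_ha(host, user, password, ca_bundle=None):
    """End-to-end run. TLS verification stays on; pass a CA file for a private PKI."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = fdm_token(host, user, password, ctx)
    return classify_fdm_ha(fdm_ha_status(host, token, ctx))


# Constructed samples in the shape of the two hastatus outputs above.
SAMPLE_SINGLE = {"nodeRole": None, "nodeState": "SINGLE_NODE",
                 "peerNodeState": "HA_UNKNOWN_NODE", "configStatus": "UNKNOWN",
                 "haHealthStatus": "HEALTHY", "id": "default", "type": "hastatus"}
SAMPLE_PAIR = {"nodeRole": "HA_PRIMARY", "nodeState": "HA_ACTIVE_NODE",
               "peerNodeState": "HA_STANDBY_NODE", "configStatus": "IN_SYNC",
               "haHealthStatus": "HEALTHY", "id": "default", "type": "hastatus"}

if __name__ == "__main__":
    print(classify_fdm_ha(SAMPLE_SINGLE))
    print(classify_fdm_ha(SAMPLE_PAIR))
```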
Follow the steps in the section.
Follow the steps in the section.
Follow the steps in the section.
Use these options to verify the FTD high availability and scalability configuration and status:
Follow these steps to verify the FTD high availability and scalability configuration and status on the FTD CLI:
1. Use these options to access the FTD CLI, depending on the platform and deployment mode:
connect module <x> [console|telnet], where x is the slot ID, and then connect ftd [instance], where instance is relevant only for multi-instance deployments
2. To verify the FTD failover configuration and status, run the show running-config failover and show failover state commands on the CLI.
If failover is not configured, this output is shown:
> show running-config failover
no failover
> show failover state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State==
If failover is configured, this output is shown:
> show running-config failover
failover
failover lan unit primary
failover lan interface failover-link Ethernet1/1
failover replication http
failover link failover-link Ethernet1/1
failover interface ip failover-link 10.30.34.2 255.255.255.0 standby 10.30.34.3
> show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 09:21:50 UTC May 22 2022
====Configuration State===
Sync Done
====Communication State===
Mac set
3. To verify the FTD cluster configuration and status, run the show running-config cluster and show cluster info commands on the CLI.
If a cluster is not configured, this output is shown:
> show running-config cluster
> show cluster info
Clustering is not configured
If a cluster is configured, this output is shown:
> show running-config cluster
cluster group ftd_cluster1
key *****
local-unit unit-1-1
cluster-interface Port-channel48.204 ip 10.173.1.1 255.255.0.0
priority 9
health-check holdtime 3
health-check data-interface auto-rejoin 3 5 2
health-check cluster-interface auto-rejoin unlimited 5 1
health-check system auto-rejoin 3 5 2
health-check monitor-interface debounce-time 500
site-id 1
no unit join-acceleration
enable
> show cluster info
Cluster ftd_cluster1: On
Interface mode: spanned
Cluster Member Limit : 16
This is "unit-1-1" in state MASTER
ID : 0
Site ID : 1
Version : 9.17(1)
Serial No.: FLM1949C5RR6HE
CCL IP : 10.173.1.1
CCL MAC : 0015.c500.018f
Module : FPR4K-SM-24
Resource : 20 cores / 44018 MB RAM
Last join : 13:53:52 UTC May 20 2022
Last leave: N/A
Other members in the cluster:
Unit "unit-2-1" in state SLAVE
ID : 1
Site ID : 1
Version : 9.17(1)
Serial No.: FLM2108V9YG7S1
CCL IP : 10.173.2.1
CCL MAC : 0015.c500.028f
Module : FPR4K-SM-24
Resource : 20 cores / 44018 MB RAM
Last join : 14:02:46 UTC May 20 2022
Last leave: 14:02:31 UTC May 20 2022
Note: The master role is the same as the control role.
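An added example (not Cisco code) that turns the three CLI outputs above into a verdict: it parses show running-config failover, show failover state and show cluster info text captured over SSH (the same show cluster info section appears in the troubleshoot file later on), and applies the rule that standalone, failover and cluster modes are mutually exclusive. The sample texts are constructed from the outputs above; the state names in STATE_RE are the values show failover state can print.

```python
# Added example (not Cisco code): classify an FTD/ASA unit from its CLI output.
import re

HOST_RE = re.compile(r"^\s*(This|Other) host\s*-\s*(\w+)\s*$")
STATE_RE = re.compile(
    r"^\s*(Active|Standby Ready|Disabled|Not Detected|Failed|Negotiation|"
    r"Cold Standby|Sync Config|Sync File System|Bulk Sync)\s*(.*)$")


def parse_failover_state(text):
    """Return {'this': {...}, 'other': {...}} from `show failover state`."""
    hosts, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        m = HOST_RE.match(line)
        if not m:
            continue
        state, detail = "Unknown", ""
        # The state and the last failure reason/date follow on the next line.
        if i + 1 < len(lines):
            s = STATE_RE.match(lines[i + 1])
            if s:
                state, detail = s.group(1), " ".join(s.group(2).split())
        hosts[m.group(1).lower()] = {"role": m.group(2), "state": state,
                                     "last_failure": detail}
    return hosts


def failover_configured(running_cfg):
    """`show running-config failover` prints a bare `failover` line when enabled
    and `no failover` when it is not."""
    return re.search(r"^\s*failover\s*$", running_cfg, re.M) is not None


def parse_cluster_info(text):
    """Cluster name, on/off, local unit state and the other members' states."""
    if "Clustering is not configured" in text:
        return {"configured": False}
    head = re.search(r"^Cluster (\S+): (On|Off)", text, re.M)
    me = re.search(r'This is "([^"]+)" in state (\w+)', text)
    if not head or not me:
        raise ValueError("unrecognised show cluster info output")
    return {"configured": True, "name": head.group(1),
            "enabled": head.group(2) == "On",
            "local_unit": me.group(1), "local_state": me.group(2),
            "members": dict(re.findall(r'Unit "([^"]+)" in state (\w+)', text))}


def unit_summary(running_cfg, failover_state, cluster_info):
    """Standalone, failover and cluster modes are mutually exclusive."""
    cluster = parse_cluster_info(cluster_info)
    if cluster["configured"]:
        return {"mode": "cluster", "name": cluster["name"], "enabled": cluster["enabled"],
                "local": f'{cluster["local_unit"]} ({cluster["local_state"]})'}
    if failover_configured(running_cfg):
        me = parse_failover_state(failover_state).get("this", {})
        return {"mode": "failover", "local": f'{me.get("role")} ({me.get("state")})'}
    return {"mode": "standalone"}


# Constructed samples, copied in shape from the CLI outputs above.
CFG_OFF = "no failover\n"
CFG_ON = "failover\nfailover lan unit primary\nfailover lan interface failover-link Ethernet1/1\n"
STATE_OFF = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Disabled       None
Other host -   Primary
               Not Detected   None

====Configuration State===
====Communication State==
"""
STATE_ON = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             09:21:50 UTC May 22 2022

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""
CLUSTER_OFF = "Clustering is not configured\n"
CLUSTER_ON = """\
Cluster ftd_cluster1: On
    Interface mode: spanned
    Cluster Member Limit : 16
    This is "unit-1-1" in state MASTER
        ID        : 0
    Other members in the cluster:
        Unit "unit-2-1" in state SLAVE
        ID        : 1
"""

if __name__ == "__main__":
    print(unit_summary(CFG_ON, STATE_ON, CLUSTER_OFF))
    print(unit_summary(CFG_OFF, STATE_OFF, CLUSTER_ON))
```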
Follow these steps to verify the FTD high availability and scalability configuration and status via SNMP:
If failover is not configured, this output is shown:
# snmpwalk -v2c -c cisco123 -On 192.0.2.5 .1.3.6.1.4.1.9.9.147.1.2.1.1.1
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.4 = STRING: "Failover LAN Interface"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.6 = STRING: "Primary unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.7 = STRING: "Secondary unit (this device)"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.4 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.6 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.7 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.4 = STRING: "not Configured"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.6 = STRING: "Failover Off"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.7 = STRING: "Failover Off"
If failover is configured, this output is shown:
# snmpwalk -v2c -c cisco123 -On 192.0.2.5 .1.3.6.1.4.1.9.9.147.1.2.1.1.1
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.4 = STRING: "Failover LAN Interface"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.6 = STRING: "Primary unit (this device)" <-- This device is primary
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.7 = STRING: "Secondary unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.4 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.6 = INTEGER: 9
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.7 = INTEGER: 10
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.4 = STRING: "fover Ethernet1/2"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.6 = STRING: "Active unit" <-- Primary device is active
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.7 = STRING: "Standby unit"
3. To verify the cluster configuration and status, poll the OID 1.3.6.1.4.1.9.9.491.1.8.1.
If a cluster is not configured, this output is shown:
# snmpwalk -v2c -c cisco123 192.0.2.5 .1.3.6.1.4.1.9.9.491.1.8.1
SNMPv2-SMI::enterprises.9.9.491.1.8.1.1.0 = INTEGER: 0
If a cluster is configured but not enabled, this output is shown:
# snmpwalk -v2c -c cisco123 -On 192.0.2.7 .1.3.6.1.4.1.9.9.491.1.8.1
.1.3.6.1.4.1.9.9.491.1.8.1.1.0 = INTEGER: 0 <-- Cluster status, disabled
.1.3.6.1.4.1.9.9.491.1.8.1.2.0 = INTEGER: 1
.1.3.6.1.4.1.9.9.491.1.8.1.3.0 = INTEGER: 0 <-- Cluster unit state, disabled
.1.3.6.1.4.1.9.9.491.1.8.1.4.0 = INTEGER: 11
.1.3.6.1.4.1.9.9.491.1.8.1.5.0 = STRING: "ftd_cluster1" <-- Cluster group name
.1.3.6.1.4.1.9.9.491.1.8.1.6.0 = STRING: "unit-1-1" <-- Cluster unit name
.1.3.6.1.4.1.9.9.491.1.8.1.7.0 = INTEGER: 0 <-- Cluster unit ID
.1.3.6.1.4.1.9.9.491.1.8.1.8.0 = INTEGER: 1 <-- Cluster side ID
...
If a cluster is configured, enabled, and operationally up, this output is shown:
# snmpwalk -v2c -c cisco123 -On 192.0.2.7 .1.3.6.1.4.1.9.9.491.1.8.1
.1.3.6.1.4.1.9.9.491.1.8.1.1.0 = INTEGER: 1 <-- Cluster status, enabled
.1.3.6.1.4.1.9.9.491.1.8.1.2.0 = INTEGER: 1
.1.3.6.1.4.1.9.9.491.1.8.1.3.0 = INTEGER: 16 <-- Cluster unit state, control unit
.1.3.6.1.4.1.9.9.491.1.8.1.4.0 = INTEGER: 10
.1.3.6.1.4.1.9.9.491.1.8.1.5.0 = STRING: "ftd_cluster1" <-- Cluster group name
.1.3.6.1.4.1.9.9.491.1.8.1.6.0 = STRING: "unit-1-1" <-- Cluster unit name
.1.3.6.1.4.1.9.9.491.1.8.1.7.0 = INTEGER: 0 <-- Cluster unit ID
.1.3.6.1.4.1.9.9.491.1.8.1.8.0 = INTEGER: 1 <-- Cluster side ID
...
For details on the OID descriptions, refer to the CISCO-UNIFIED-FIREWALL-MIB.
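An added example (not Cisco code) that interprets the snmpwalk outputs above: it parses the walk text (numeric or SNMPv2-SMI::enterprises form, with or without the "<--" annotations), reads the failover table rows under .1.3.6.1.4.1.9.9.147.1.2.1.1.1 and the cluster objects under .1.3.6.1.4.1.9.9.491.1.8.1, and uses only the value meanings annotated on this page. The walk snippets are constructed from the outputs above.

```python
# Added example (not Cisco code): classify failover and cluster state from snmpwalk output.
import re

# "<oid> = TYPE: value [<-- annotation]" in numeric or SNMPv2-SMI::enterprises form.
LINE_RE = re.compile(r'^(\S+)\s*=\s*(STRING|INTEGER):\s*"?([^"]*?)"?\s*(?:<--.*)?$')
FAILOVER_BASE = "1.3.6.1.4.1.9.9.147.1.2.1.1.1"   # CISCO-FIREWALL-MIB failover rows
CLUSTER_BASE = "1.3.6.1.4.1.9.9.491.1.8.1"        # CISCO-UNIFIED-FIREWALL-MIB cluster
# Unit-state values as annotated in the walks above; others are left unmapped.
CLUSTER_UNIT_STATES = {0: "disabled", 16: "control unit"}


def parse_walk(text):
    """Map canonical dotted OID -> value (int for INTEGER, str for STRING)."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group(1).replace("SNMPv2-SMI::enterprises.", "1.3.6.1.4.1.").lstrip(".")
        table[oid] = int(m.group(3)) if m.group(2) == "INTEGER" else m.group(3)
    return table


def failover_from_walk(table):
    """Rows .6/.7 are the primary/secondary unit, row .4 the failover LAN interface;
    column 2 is the description ("(this device)" marks the polled unit) and
    column 4 the status text (Failover Off, Active unit, Standby unit)."""
    units = {}
    for idx, role in ((6, "Primary"), (7, "Secondary")):
        desc = table.get(f"{FAILOVER_BASE}.2.{idx}", "")
        units[role] = {"local": "(this device)" in desc,
                       "status": table.get(f"{FAILOVER_BASE}.4.{idx}", "")}
    lan = table.get(f"{FAILOVER_BASE}.4.4", "")
    enabled = lan != "not Configured" and all(
        u["status"] != "Failover Off" for u in units.values())
    local = next((r for r, u in units.items() if u["local"]), None)
    return {"enabled": enabled, "local_role": local, "lan_interface": lan,
            "local_status": units[local]["status"] if local else None, "units": units}


def cluster_from_walk(table):
    """No group name in the walk means clustering is not configured at all."""
    name = table.get(f"{CLUSTER_BASE}.5.0")
    if name is None:
        return {"configured": False}
    state = table.get(f"{CLUSTER_BASE}.3.0")
    return {"configured": True, "name": name,
            "enabled": table.get(f"{CLUSTER_BASE}.1.0") == 1,
            "unit_name": table.get(f"{CLUSTER_BASE}.6.0"),
            "unit_id": table.get(f"{CLUSTER_BASE}.7.0"),
            "site_id": table.get(f"{CLUSTER_BASE}.8.0"),
            "unit_state": CLUSTER_UNIT_STATES.get(state, f"other ({state})")}


# Constructed walk snippets, copied in shape from the outputs above.
WALK_FO_OFF = """\
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.4 = STRING: "Failover LAN Interface"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.6 = STRING: "Primary unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.7 = STRING: "Secondary unit (this device)"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.4 = STRING: "not Configured"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.6 = STRING: "Failover Off"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.7 = STRING: "Failover Off"
"""
WALK_FO_ON = """\
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.4 = STRING: "Failover LAN Interface"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.6 = STRING: "Primary unit (this device)" <-- This device is primary
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.7 = STRING: "Secondary unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.4 = STRING: "fover Ethernet1/2"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.6 = STRING: "Active unit" <-- Primary device is active
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.7 = STRING: "Standby unit"
"""
WALK_CL_NONE = ".1.3.6.1.4.1.9.9.491.1.8.1.1.0 = INTEGER: 0\n"
WALK_CL_DISABLED = """\
.1.3.6.1.4.1.9.9.491.1.8.1.1.0 = INTEGER: 0 <-- Cluster status, disabled
.1.3.6.1.4.1.9.9.491.1.8.1.3.0 = INTEGER: 0 <-- Cluster unit state, disabled
.1.3.6.1.4.1.9.9.491.1.8.1.5.0 = STRING: "ftd_cluster1" <-- Cluster group name
.1.3.6.1.4.1.9.9.491.1.8.1.6.0 = STRING: "unit-1-1" <-- Cluster unit name
"""
WALK_CL_ON = """\
.1.3.6.1.4.1.9.9.491.1.8.1.1.0 = INTEGER: 1 <-- Cluster status, enabled
.1.3.6.1.4.1.9.9.491.1.8.1.3.0 = INTEGER: 16 <-- Cluster unit state, control unit
.1.3.6.1.4.1.9.9.491.1.8.1.5.0 = STRING: "ftd_cluster1" <-- Cluster group name
.1.3.6.1.4.1.9.9.491.1.8.1.6.0 = STRING: "unit-1-1" <-- Cluster unit name
.1.3.6.1.4.1.9.9.491.1.8.1.7.0 = INTEGER: 0 <-- Cluster unit ID
.1.3.6.1.4.1.9.9.491.1.8.1.8.0 = INTEGER: 1 <-- Cluster side ID
"""

if __name__ == "__main__":
    print(failover_from_walk(parse_walk(WALK_FO_ON)))
    print(cluster_from_walk(parse_walk(WALK_CL_ON)))
```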
Follow these steps to verify the FTD high availability and scalability configuration and status in the FTD troubleshoot file:
1. Open the troubleshoot file and navigate to the folder <filename>-troubleshoot .tar/results-<date>—xxxxxx/command-output.
2. Open the file usr-local-sf-bin-sfcli.pl show_tech_support asa_lina_cli_util.output:
# pwd
/ngfw/var/common/results-05-22-2022--102758/command-outputs
# cat 'usr-local-sf-bin-sfcli.pl show_tech_support asa_lina_cli_util.output'
3. To verify the failover configuration and status, check the show failover section.
If failover is not configured, this output is shown:
------------------ show failover ------------------
Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1292 maximum
MAC Address Move Notification Interval not set
If failover is configured, this output is shown:
------------------ show failover ------------------
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet1/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1291 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.17(1), Mate 9.17(1)
Serial Number: Ours FLM2006EN9UR93, Mate FLM2006EQFWAGG
Last Failover at: 13:45:46 UTC May 20 2022
This host: Primary - Active
Active time: 161681 (sec)
slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.17(1)) status (Up Sys)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.17(1)) status (Up Sys)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
...
4. To verify the FTD cluster configuration and status, check the show cluster info section.
If a cluster is not configured, this output is shown:
------------------ show cluster info ------------------
Clustering is not configured
If a cluster is configured and enabled, this output is shown:
------------------ show cluster info ------------------
Cluster ftd_cluster1: On
Interface mode: spanned
Cluster Member Limit : 16
This is "unit-1-1" in state MASTER
ID : 0
Site ID : 1
Version : 9.17(1)
Serial No.: FLM1949C5RR6HE
CCL IP : 10.173.1.1
CCL MAC : 0015.c500.018f
Module : FPR4K-SM-24
Resource : 20 cores / 44018 MB RAM
Last join : 13:53:52 UTC May 20 2022
Last leave: N/A
Other members in the cluster:
Unit "unit-2-1" in state SLAVE
ID : 1
Site ID : 1
Version : 9.17(1)
Serial No.: FLM2108V9YG7S1
CCL IP : 10.173.2.1
CCL MAC : 0015.c500.028f
Module : FPR4K-SM-24
Resource : 20 cores / 44018 MB RAM
Last join : 14:02:46 UTC May 20 2022
Last leave: 14:02:31 UTC May 20 2022
Follow these steps to verify the FTD high availability and scalability configuration and status on the FMC UI:
1. Choose Devices > Device Management:
2. To verify the FTD high availability and scalability configuration, check the High Availability or Cluster labels. If neither exists, the FTD runs in a standalone configuration:
3. To verify the FTD high availability and scalability status, check the unit role in parentheses. If there is no role and the FTD is not part of a cluster or failover pair, the FTD runs in a standalone configuration:
Note: In the case of a cluster, only the role of the control unit is shown.
In these outputs, ftd_ha_1, ftd_ha_2, ftd_standalone, ftd_ha, and ftc_cluster1 are user-configurable device names. These names do not refer to the actual high availability and scalability configuration or status.
Follow these steps to verify the FTD high availability and scalability configuration and status via the FMC REST-API. Use a REST-API client. In this example, curl is used:
# curl -s -k -v -X POST 'https://192.0.2.1/api/fmc_platform/v1/auth/generatetoken' -H 'Authentication: Basic' -u 'admin:Cisco123' | grep -i X-auth-access-token
< X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb
2. Identify the domain that contains the device. In most REST-API queries, the domain parameter is required. Use the token in this query to retrieve the list of domains:
# curl -s -k -X 'GET' 'https://192.0.2.1/api/fmc_platform/v1/info/domain' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
{
"items":
[
{
"name": "Global",
"type": "Domain",
"uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f"
},
{
"name": "Global/LAB2",
"type": "Domain",
"uuid": "84cc4afe-02bc-b80a-4b09-000000000000"
},
...
3. Use the domain UUID to query the device records and the UUID of the specific device:
# curl -s -k -X 'GET' 'https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
{
"items": [
{
"id": "796eb8f8-d83b-11ec-941d-b9083eb612d8",
"links": {
"self": "https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords/796eb8f8-d83b-11ec-941d-b9083eb612d8"
},
"name": "ftd_ha_1",
"type": "Device"
},
...
4. To verify the failover configuration, use the domain UUID and the device/container UUID from step 3 in this query:
# curl -s -k -X GET 'https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords/796eb8f8-d83b-11ec-941d-b9083eb612d8' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
...
"containerDetails": {
"id": "eec3ddfc-d842-11ec-a15e-986001c83f2f",
"name": "ftd_ha",
"type": "DeviceHAPair"
},
...
5. To verify the failover status, use the domain UUID and the DeviceHAPair UUID from step 4 in this query:
# curl -s -k -X GET 'https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devicehapairs/ftddevicehapairs/eec3ddfc-d842-11ec-a15e-986001c83f2f' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
...
"primaryStatus": {
"currentStatus": "Active",
"device": {
"id": "796eb8f8-d83b-11ec-941d-b9083eb612d8",
"keepLocalEvents": false,
"name": "ftd_ha_1"
}
},
"secondaryStatus": {
"currentStatus": "Standby",
"device": {
"id": "e60ca6d0-d83d-11ec-b407-cdc91a553663",
"keepLocalEvents": false,
"name": "ftd_ha_2"
}
}
...
6. To verify the cluster configuration, use the domain UUID and the device/container UUID from step 3 in this query:
# curl -s -k -X GET 'https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords/3344bc4a-d842-11ec-a995-817e361f7ea5' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
...
"containerDetails": {
"id": "8e6188c2-d844-11ec-bdd1-6e8d3e226370",
"links": {
"self": "https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/deviceclusters/ftddevicecluster/8e6188c2-d844-11ec-bdd1-6e8d3e226370"
},
"name": "ftd_cluster1",
"type": "DeviceCluster"
},
...
# curl -s -k -X GET 'https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/deviceclusters/ftddevicecluster/8e6188c2-d844-11ec-bdd1-6e8d3e226370' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
{
"controlDevice": {
"deviceDetails": {
"id": "3344bc4a-d842-11ec-a995-817e361f7ea5",
"name": "10.62.148.188",
"type": "Device"
}
},
"dataDevices": [
{
"deviceDetails": {
"id": "a7ba63cc-d842-11ec-be51-f3efcd7cd5e5",
"name": "10.62.148.191",
"type": "Device"
}
}
],
"id": "8e6188c2-d844-11ec-bdd1-6e8d3e226370",
"name": "ftd_cluster1",
"type": "DeviceCluster"
}
Follow the steps in the section.
Follow the steps in the section.
The FCM UI is available on Firepower 4100/9300 and on Firepower 2100 with ASA in platform mode.
Follow these steps to verify the FTD high availability and scalability status on the FCM UI:
1. To verify the FTD failover status, check the HA-ROLE attribute value on the Logical Devices page:
Note: The Standalone label next to the logical device identifier refers to the chassis logical device configuration, not to the FTD failover configuration.
2. To verify the FTD cluster configuration and status, check the Clustered label and the CLUSTER-ROLE attribute value on the Logical Devices page:
Verification of the FTD high availability and scalability configuration and status on the FXOS CLI is available on Firepower 4100/9300.
Follow these steps to verify the FTD high availability and scalability configuration and status on the FXOS CLI:
1. Establish a console or SSH connection to the chassis.
2. To verify the FTD high availability status, run the scope ssa command, then run scope slot <x> to switch to the specific slot where the FTD runs, and run the show app-instance expand command:
firepower # scope ssa
firepower /ssa # scope slot 1
firepower /ssa/slot # show app-instance expand
Application Instance:
App Name: ftd
Identifier: ftd1
Admin State: Enabled
Oper State: Online
Running Version: 7.1.0.90
Startup Version: 7.1.0.90
Deploy Type: Container
Turbo Mode: No
Profile Name: RP20
Cluster State: Not Applicable
Cluster Role: None
App Attribute:
App Attribute Key Value
----------------- -----
firepower-mgmt-ip 192.0.2.5
ha-lan-intf Ethernet1/2
ha-link-intf Ethernet1/2
ha-role active
mgmt-url https://192.0.2.1/
uuid 796eb8f8-d83b-11ec-941d-b9083eb612d8
...
3. To verify the FTD cluster configuration and status, run the scope ssa command, then the show logical-device <name> detail expand command, where name is the logical device name, and the show app-instance command. Check the output for the specific slot:
firepower # scope ssa
firepower /ssa # show logical-device ftd_cluster1 detail expand
Logical Device:
Name: ftd_cluster1
Description:
Slot ID: 1
Mode: Clustered
Oper State: Ok
Template Name: ftd
Error Msg:
Switch Configuration Status: Ok
Sync Data External Port Link State with FTD: Disabled
Current Task:
…
firepower /ssa # show app-instance
App Name Identifier Slot ID Admin State Oper State Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State Cluster Role
---------- ---------- ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd ftd_cluster1 1 Enabled Online 7.1.0.90 7.1.0.90 Container No RP20 In Cluster Master
The FXOS REST-API is supported on Firepower 4100/9300.
Follow these steps to verify the FTD high availability and scalability configuration and status via FXOS REST-API requests. Use a REST-API client. In this example, curl is used:
1. Request an authentication token:
# curl -k -X POST -H 'USERNAME: admin' -H 'PASSWORD: Cisco123' 'https://192.0.2.100/api/login'
{
"refreshPeriod": "0",
"token": "3dba916cdfb850c204b306a138cde9659ba997da4453cdc0c37ffb888816c94d"
}
2. To verify the FTD failover status, use the token and the slot ID in this query:
# curl -s -k -X GET -H 'Accept: application/json' -H 'token: 3dba916cdfb850c204b306a138cde9659ba997da4453cdc0c37ffb888816c94d' 'https://192.0.2.100/api/slot/1/app-inst'
...
{
"smAppInstance": [
{
"adminState": "enabled",
"appDn": "sec-svc/app-ftd-7.1.0.90",
"appInstId": "ftd_001_JAD201200R43VLP1G3",
"appName": "ftd",
"clearLogData": "available",
"clusterOperationalState": "not-applicable",
"clusterRole": "none",
"currentJobProgress": "100",
"currentJobState": "succeeded",
"currentJobType": "start",
"deployType": "container",
"dn": "slot/1/app-inst/ftd-ftd1",
"errorMsg": "",
"eventMsg": "",
"executeCmd": "ok",
"externallyUpgraded": "no",
"fsmDescr": "",
"fsmProgr": "100",
"fsmRmtInvErrCode": "none",
"fsmRmtInvErrDescr": "",
"fsmRmtInvRslt": "",
"fsmStageDescr": "",
"fsmStatus": "nop",
"fsmTry": "0",
"hotfix": "",
"identifier": "ftd1",
"operationalState": "online",
"reasonForDebundle": "",
"resourceProfileName": "RP20",
"runningVersion": "7.1.0.90",
"smAppAttribute": [
{
"key": "firepower-mgmt-ip",
"rn": "app-attribute-firepower-mgmt-ip",
"urllink": "https://192.0.2.100/api/slot/1/app/inst/ftd-ftd1/app/attribute-firepower-mgmt-ip",
"value": "192.0.2.5"
},
{
"key": "ha-link-intf",
"rn": "app-attribute-ha-link-intf",
"urllink": "https://192.0.2.100/api/slot/1/app/inst/ftd-ftd1/app/attribute-ha-link-intf",
"value": "Ethernet1/2"
},
{
"key": "ha-lan-intf",
"rn": "app-attribute-ha-lan-intf",
"urllink": "https://192.0.2.100/api/slot/1/app/inst/ftd-ftd1/app/attribute-ha-lan-intf",
"value": "Ethernet1/2"
},
{
"key": "mgmt-url",
"rn": "app-attribute-mgmt-url",
"urllink": "https://192.0.2.100/api/slot/1/app/inst/ftd-ftd1/app/attribute-mgmt-url",
"value": "https://192.0.2.1/"
},
{
"key": "ha-role",
"rn": "app-attribute-ha-role",
"urllink": "https://192.0.2.100/api/slot/1/app/inst/ftd-ftd1/app/attribute-ha-role",
"value": "active"
},
{
"key": "uuid",
"rn": "app-attribute-uuid",
"urllink": "https://192.0.2.100/api/slot/1/app/inst/ftd-ftd1/app/attribute-uuid",
"value": "796eb8f8-d83b-11ec-941d-b9083eb612d8"
}
],
...
# curl -s -k -X GET -H 'Accept: application/json' -H 'token: 3dba916cdfb850c204b306a138cde9659ba997da4453cdc0c37ffb888816c94d' 'https://192.0.2.102/api/ld/ftd_cluster1'
{
"smLogicalDevice": [
{
"description": "",
"dn": "ld/ftd_cluster1",
"errorMsg": "",
"fsmDescr": "",
"fsmProgr": "100",
"fsmRmtInvErrCode": "none",
"fsmRmtInvErrDescr": "",
"fsmRmtInvRslt": "",
"fsmStageDescr": "",
"fsmStatus": "nop",
"fsmTaskBits": "",
"fsmTry": "0",
"ldMode": "clustered",
"linkStateSync": "disabled",
"name": "ftd_cluster1",
"operationalState": "ok",
"slotId": "1",
"smClusterBootstrap": [
{
"cclNetwork": "10.173.0.0",
"chassisId": "1",
"gatewayv4": "0.0.0.0",
"gatewayv6": "::",
"key": "",
"mode": "spanned-etherchannel",
"name": "ftd_cluster1",
"netmaskv4": "0.0.0.0",
"poolEndv4": "0.0.0.0",
"poolEndv6": "::",
"poolStartv4": "0.0.0.0",
"poolStartv6": "::",
"prefixLength": "",
"rn": "cluster-bootstrap",
"siteId": "1",
"supportCclSubnet": "supported",
"updateTimestamp": "2022-05-20T13:38:21.872",
"urllink": "https://192.0.2.101/api/ld/ftd_cluster1/cluster-bootstrap",
"virtualIPv4": "0.0.0.0",
"virtualIPv6": "::"
}
],
...
4. To verify the FTD cluster status, use this query:
# curl -s -k -X GET -H 'Accept: application/json' -H 'token: 3dba916cdfb850c204b306a138cde9659ba997da4453cdc0c37ffb888816c94d' 'https://192.0.2.102/api/slot/1/app-inst'
{
"smAppInstance": [
{
"adminState": "enabled",
"appDn": "sec-svc/app-ftd-7.1.0.90",
"appInstId": "ftd_001_JAD19500BABIYA3OO58",
"appName": "ftd",
"clearLogData": "available",
"clusterOperationalState": "in-cluster",
"clusterRole": "master",
"currentJobProgress": "100",
"currentJobState": "succeeded",
"currentJobType": "start",
"deployType": "container",
"dn": "slot/1/app-inst/ftd-ftd_cluster1",
"errorMsg": "",
"eventMsg": "",
"executeCmd": "ok",
"externallyUpgraded": "no",
"fsmDescr": "",
"fsmProgr": "100",
"fsmRmtInvErrCode": "none",
"fsmRmtInvErrDescr": "",
"fsmRmtInvRslt": "",
"fsmStageDescr": "",
"fsmStatus": "nop",
"fsmTry": "0",
"hotfix": "",
"identifier": "ftd_cluster1",
"operationalState": "online",
"reasonForDebundle": "",
"resourceProfileName": "RP20",
"runningVersion": "7.1.0.90",
...
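The FXOS REST-API steps above, as an added example that is not Cisco's code: it logs in with the USERNAME/PASSWORD headers, reads the app instances of a slot, flattens the smAppAttribute key/value list and derives the failover or cluster mode from ha-role, clusterOperationalState and clusterRole. Host, credentials and the slot list are placeholders, and the treatment of an instance with neither ha-role nor in-cluster as standalone is an assumption (the page shows no standalone instance).

```python
# Added example (not Cisco code): read ha-role and cluster state from the FXOS REST-API.
import json
import ssl
import urllib.request


def fxos_login(host, user, password, ctx):
    """POST /api/login with USERNAME/PASSWORD headers; the token comes back in JSON."""
    req = urllib.request.Request(f"https://{host}/api/login", data=b"", method="POST",
                                 headers={"USERNAME": user, "PASSWORD": password})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["token"]


def slot_app_instances(host, token, slot, ctx):
    """GET /api/slot/<slot>/app-inst and return the smAppInstance list."""
    req = urllib.request.Request(f"https://{host}/api/slot/{slot}/app-inst",
                                 headers={"Accept": "application/json", "token": token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp).get("smAppInstance", [])


def summarize_instance(inst):
    """Flatten smAppAttribute key/value pairs and derive the HA/cluster mode.

    Assumption (the page shows no standalone instance): an app instance that is
    neither in-cluster nor carrying an ha-role attribute is treated as standalone.
    """
    attrs = {a["key"]: a["value"] for a in inst.get("smAppAttribute", [])}
    cluster_state = inst.get("clusterOperationalState")
    if cluster_state == "in-cluster":
        mode = "cluster"
    elif attrs.get("ha-role"):
        mode = "failover"
    else:
        mode = "standalone"
    return {"identifier": inst.get("identifier"), "oper_state": inst.get("operationalState"),
            "mode": mode, "ha_role": attrs.get("ha-role"), "ha_lan_intf": attrs.get("ha-lan-intf"),
            "mgmt_ip": attrs.get("firepower-mgmt-ip"), "cluster_state": cluster_state,
            "cluster_role": inst.get("clusterRole")}


def chassis_report(host, user, password, slots=(1,), ca_bundle=None):
    """Summaries per slot. TLS verification stays on; pass a CA file for a private PKI."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = fxos_login(host, user, password, ctx)
    return {slot: [summarize_instance(i) for i in slot_app_instances(host, token, slot, ctx)]
            for slot in slots}


# Constructed samples trimmed from the two app-inst outputs above.
HA_INSTANCE = {"identifier": "ftd1", "operationalState": "online",
               "clusterOperationalState": "not-applicable", "clusterRole": "none",
               "smAppAttribute": [{"key": "firepower-mgmt-ip", "value": "192.0.2.5"},
                                  {"key": "ha-lan-intf", "value": "Ethernet1/2"},
                                  {"key": "ha-role", "value": "active"}]}
CLUSTER_INSTANCE = {"identifier": "ftd_cluster1", "operationalState": "online",
                    "clusterOperationalState": "in-cluster", "clusterRole": "master",
                    "smAppAttribute": []}

if __name__ == "__main__":
    print(summarize_instance(HA_INSTANCE))
    print(summarize_instance(CLUSTER_INSTANCE))
```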
The FTD high availability and scalability configuration and status can be verified in the Firepower 4100/9300 chassis show-tech file.
Follow these steps to verify the high availability and scalability configuration and status in the FXOS chassis show-tech file:
For earlier versions, open the file sam_techsupportinfo in FPRM_A_TechSupport.tar.gz/FPRM_A_TechSupport.tar.
2. To verify the failover status, check the ha-role attribute value under the specific slot in the show slot expand detail section:
# pwd
/var/tmp/20220313201802_F241-01-11-FPR-2_BC1_all/FPRM_A_TechSupport/
# cat sam_techsupportinfo
...
`show slot expand detail`
Slot:
Slot ID: 1
Log Level: Info
Admin State: Ok
Oper State: Online
Disk Format State: Ok
Disk Format Status: 100%
Clear Log Data: Available
Error Msg:
Application Instance:
App Name: ftd
Identifier: ftd1
Admin State: Enabled
Oper State: Online
Running Version: 7.1.0.90
Startup Version: 7.1.0.90
Deploy Type: Container
Turbo Mode: No
Profile Name: RP20
Hotfixes:
Externally Upgraded: No
Cluster State: Not Applicable
Cluster Role: None
Current Job Type: Start
Current Job Progress: 100
Current Job State: Succeeded
Clear Log Data: Available
Error Msg:
Current Task:
App Attribute:
App Attribute Key: firepower-mgmt-ip
Value: 10.62.148.89
App Attribute Key: ha-lan-intf
Value: Ethernet1/2
App Attribute Key: ha-link-intf
Value: Ethernet1/2
App Attribute Key: ha-role
Value: active
App Attribute Key: mgmt-url
Value: https://10.62.184.21/
3. To verify the FTD cluster configuration, check the Mode attribute value under the specific slot in the show logical-device detail expand section:
`show logical-device detail expand`
Logical Device:
Name: ftd_cluster1
Description:
Slot ID: 1
Mode: Clustered
Oper State: Ok
Template Name: ftd
Error Msg:
Switch Configuration Status: Ok
Sync Data External Port Link State with FTD: Disabled
Current Task:
Cluster Bootstrap:
Name of the cluster: ftd_cluster1
Mode: Spanned Etherchannel
Chassis Id: 1
Site Id: 1
Key:
Cluster Virtual IP: 0.0.0.0
IPv4 Netmask: 0.0.0.0
IPv4 Gateway: 0.0.0.0
Pool Start IPv4 Address: 0.0.0.0
Pool End IPv4 Address: 0.0.0.0
Cluster Virtual IPv6 Address: ::
IPv6 Prefix Length:
IPv6 Gateway: ::
Pool Start IPv6 Address: ::
Pool End IPv6 Address: ::
Last Updated Timestamp: 2022-05-20T13:38:21.872
Cluster Control Link Network: 10.173.0.0
...
4. To verify the FTD cluster status, check the Cluster State and Cluster Role attribute values under the specific slot in the show slot expand detail section:
`show slot expand detail`
Slot:
Slot ID: 1
Log Level: Info
Admin State: Ok
Oper State: Online
Disk Format State: Ok
Disk Format Status:
Clear Log Data: Available
Error Msg:
Application Instance:
App Name: ftd
Identifier: ftd_cluster1
Admin State: Enabled
Oper State: Online
Running Version: 7.1.0.90
Startup Version: 7.1.0.90
Deploy Type: Native
Turbo Mode: No
Profile Name:
Hotfixes:
Externally Upgraded: No
Cluster State: In Cluster
Cluster Role: Master
Current Job Type: Start
Current Job Progress: 100
Current Job State: Succeeded
Clear Log Data: Available
Error Msg:
Current Task:
Use these options to verify the ASA high availability and scalability configuration and status:
Follow these steps to verify the ASA high availability and scalability configuration on the ASA CLI:
connect module <x> [console|telnet], where x is the slot ID, and then connect asa
2. To verify the ASA failover configuration and status, run the show running-config failover and show failover state commands on the ASA CLI.
If failover is not configured, this output is shown:
asa# show running-config failover
no failover
asa# show failover state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State==
If failover is configured, this output is shown:
asa# show running-config failover
failover
failover lan unit primary
failover lan interface failover-link Ethernet1/1
failover replication http
failover link failover-link Ethernet1/1
failover interface ip failover-link 10.30.35.2 255.255.255.0 standby 10.30.35.3
# show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 19:42:22 UTC May 21 2022
====Configuration State===
Sync Done
====Communication State===
Mac set
3. To verify the ASA cluster configuration and status, run the show running-config cluster and show cluster info commands on the CLI.
If clustering is not configured, this output is shown:
asa# show running-config cluster
asa# show cluster info
Clustering is not configured
If clustering is configured, this output is shown:
asa# show running-config cluster
cluster group asa_cluster1
 key *****
 local-unit unit-1-1
 cluster-interface Port-channel48.205 ip 10.174.1.1 255.255.0.0
 priority 9
 health-check holdtime 3
 health-check data-interface auto-rejoin 3 5 2
 health-check cluster-interface auto-rejoin unlimited 5 1
 health-check system auto-rejoin 3 5 2
 health-check monitor-interface debounce-time 500
 site-id 1
 no unit join-acceleration
 enable
asa# show cluster info
Cluster asa_cluster1: On
    Interface mode: spanned
Cluster Member Limit : 16
    This is "unit-1-1" in state MASTER
        ID        : 0
        Site ID   : 1
        Version   : 9.17(1)
        Serial No.: FLM2949C5232IT
        CCL IP    : 10.174.1.1
        CCL MAC   : 0015.c500.018f
        Module    : FPR4K-SM-24
...
按照以下步驟透過SNMP驗證ASA高可用性和可擴充性配置:
如果未配置故障切換,則顯示此輸出:
# snmpwalk -v2c -c cisco123 -On 192.0.2.10 .1.3.6.1.4.1.9.9.147.1.2.1.1.1
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.4 = STRING: "Failover LAN Interface"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.6 = STRING: "Primary unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.7 = STRING: "Secondary unit (this device)"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.4 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.6 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.7 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.4 = STRING: "not Configured"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.6 = STRING: "Failover Off"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.7 = STRING: "Failover Off"
If failover is configured, this output is shown:
# snmpwalk -v2c -c cisco123 -On 192.0.2.10 .1.3.6.1.4.1.9.9.147.1.2.1.1.1
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.4 = STRING: "Failover LAN Interface"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.6 = STRING: "Primary unit (this device)" <-- This device is primary
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.7 = STRING: "Secondary unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.4 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.6 = INTEGER: 9
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.3.7 = INTEGER: 10
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.4 = STRING: "fover Ethernet1/2"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.6 = STRING: "Active unit" <-- Primary device is active
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.7 = STRING: "Standby unit"
3. To verify the cluster configuration and status, poll OID 1.3.6.1.4.1.9.9.491.1.8.1.
If clustering is not configured, this output is shown:
# snmpwalk -v2c -c cisco123 192.0.2.12 .1.3.6.1.4.1.9.9.491.1.8.1
SNMPv2-SMI::enterprises.9.9.491.1.8.1.1.0 = INTEGER: 0
If clustering is configured but not enabled, this output is shown:
# snmpwalk -v2c -c cisco123 -On 192.0.2.12 .1.3.6.1.4.1.9.9.491.1.8.1
.1.3.6.1.4.1.9.9.491.1.8.1.1.0 = INTEGER: 0 <-- Cluster status, disabled
.1.3.6.1.4.1.9.9.491.1.8.1.2.0 = INTEGER: 1
.1.3.6.1.4.1.9.9.491.1.8.1.3.0 = INTEGER: 0 <-- Cluster unit state, disabled
.1.3.6.1.4.1.9.9.491.1.8.1.4.0 = INTEGER: 11
.1.3.6.1.4.1.9.9.491.1.8.1.5.0 = STRING: "asa_cluster1" <-- Cluster group name
.1.3.6.1.4.1.9.9.491.1.8.1.6.0 = STRING: "unit-1-1" <-- Cluster unit name
.1.3.6.1.4.1.9.9.491.1.8.1.7.0 = INTEGER: 0 <-- Cluster unit ID
.1.3.6.1.4.1.9.9.491.1.8.1.8.0 = INTEGER: 1 <-- Cluster side ID
...
If clustering is configured, enabled, and operationally up, this output is shown:
# snmpwalk -v2c -c cisco123 -On 192.0.2.12 .1.3.6.1.4.1.9.9.491.1.8.1
.1.3.6.1.4.1.9.9.491.1.8.1.1.0 = INTEGER: 1 <-- Cluster status, enabled
.1.3.6.1.4.1.9.9.491.1.8.1.2.0 = INTEGER: 1
.1.3.6.1.4.1.9.9.491.1.8.1.3.0 = INTEGER: 16 <-- Cluster unit state, control unit
.1.3.6.1.4.1.9.9.491.1.8.1.4.0 = INTEGER: 10
.1.3.6.1.4.1.9.9.491.1.8.1.5.0 = STRING: "asa_cluster1" <-- Cluster group name
.1.3.6.1.4.1.9.9.491.1.8.1.6.0 = STRING: "unit-1-1" <-- Cluster unit name
.1.3.6.1.4.1.9.9.491.1.8.1.7.0 = INTEGER: 0 <-- Cluster unit ID
.1.3.6.1.4.1.9.9.491.1.8.1.8.0 = INTEGER: 1 <-- Cluster side ID
...
For details on the OID descriptions, refer to CISCO-UNIFIED-FIREWALL-MIB.
1. To verify the ASA failover configuration and status, check the show failover section.
If failover is not configured, this output is shown:
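Polling these OIDs by hand is fine for a one-off check; a monitoring job needs the same interpretation in code. The following Python is an added example (not part of the Cisco document) that parses the text snmpwalk prints for the two subtrees above and reduces it to a failover summary (which unit is local, which is active) and a cluster summary (configured, enabled, unit state). The numeric-to-text mapping for the cluster unit state is limited to the values annotated in this document; the sample outputs are constructed from the values shown here.

```python
"""Interpret ASA failover and cluster state from snmpwalk output (added example)."""
import re

FAILOVER_BASE = "9.9.147.1.2.1.1.1"   # cfwHardwareStatusTable, CISCO-FIREWALL-MIB
CLUSTER_BASE = "9.9.491.1.8.1"        # cluster group, CISCO-UNIFIED-FIREWALL-MIB

# Accepts both the numeric (-On) and the SNMPv2-SMI::enterprises. output forms.
LINE_RE = re.compile(
    r"^(?:\.1\.3\.6\.1\.4\.1\.|SNMPv2-SMI::enterprises\.)(?P<oid>[\d.]+)"
    r"\s*=\s*(?P<type>\w+):\s*(?P<value>.*)$"
)
# Cluster unit states as annotated in the document: 0 disabled, 16 control unit.
UNIT_STATE = {0: "disabled", 16: "control unit"}


def parse_snmpwalk(text):
    """Map OID (relative to .1.3.6.1.4.1) to value; STRINGs unquoted, INTEGERs as int.
    Trailing '<-- comment' annotations, as used in the document, are dropped."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.split("<--", 1)[0].strip())
        if not m:
            continue
        raw = m.group("value").strip()
        values[m.group("oid")] = int(raw) if m.group("type") == "INTEGER" else raw.strip('"')
    return values


def failover_summary(values):
    """cfwHardwareStatusTable rows: index 4 = failover LAN interface, 6 = primary unit,
    7 = secondary unit. Column 2 is the description, 3 the numeric status, 4 the status text."""
    def cell(index, column):
        return values.get(f"{FAILOVER_BASE}.{column}.{index}")

    summary = {
        "configured": cell(4, 4) != "not Configured",
        "this_device": "primary" if "(this device)" in (cell(6, 2) or "") else "secondary",
        "primary": cell(6, 4),
        "secondary": cell(7, 4),
    }
    summary["active_unit"] = next((u for u in ("primary", "secondary") if summary[u] == "Active unit"), None)
    return summary


def cluster_summary(values):
    """Cluster group scalars: .1 status, .3 unit state, .5 group name, .6 unit name,
    .7 unit ID, .8 side ID (labels as annotated in the document)."""
    def leaf(column):
        return values.get(f"{CLUSTER_BASE}.{column}.0")

    return {
        "configured": leaf(5) is not None,  # group name is only returned once a cluster group exists
        "enabled": leaf(1) == 1,
        "group": leaf(5), "unit": leaf(6), "unit_id": leaf(7), "side_id": leaf(8),
        "unit_state": UNIT_STATE.get(leaf(3), leaf(3)),
    }


# Constructed samples (values taken from the document's snmpwalk outputs).
FAILOVER_OFF = """\
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.4 = STRING: "Failover LAN Interface"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.6 = STRING: "Primary unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.7 = STRING: "Secondary unit (this device)"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.4 = STRING: "not Configured"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.6 = STRING: "Failover Off"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.7 = STRING: "Failover Off"
"""
FAILOVER_ON = """\
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.4 = STRING: "Failover LAN Interface"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.6 = STRING: "Primary unit (this device)" <-- This device is primary
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.2.7 = STRING: "Secondary unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.4 = STRING: "fover Ethernet1/2"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.6 = STRING: "Active unit"
SNMPv2-SMI::enterprises.9.9.147.1.2.1.1.1.4.7 = STRING: "Standby unit"
"""
CLUSTER_NOT_CONFIGURED = "SNMPv2-SMI::enterprises.9.9.491.1.8.1.1.0 = INTEGER: 0\n"
CLUSTER_UP = """\
.1.3.6.1.4.1.9.9.491.1.8.1.1.0 = INTEGER: 1 <-- Cluster status, enabled
.1.3.6.1.4.1.9.9.491.1.8.1.3.0 = INTEGER: 16 <-- Cluster unit state, control unit
.1.3.6.1.4.1.9.9.491.1.8.1.5.0 = STRING: "asa_cluster1"
.1.3.6.1.4.1.9.9.491.1.8.1.6.0 = STRING: "unit-1-1"
.1.3.6.1.4.1.9.9.491.1.8.1.7.0 = INTEGER: 0
.1.3.6.1.4.1.9.9.491.1.8.1.8.0 = INTEGER: 1
"""
# Same group, but status and unit state 0: configured yet not enabled.
CLUSTER_DISABLED = CLUSTER_UP.replace("INTEGER: 1 <-- Cluster status, enabled", "INTEGER: 0").replace("INTEGER: 16", "INTEGER: 0")

if __name__ == "__main__":
    for name, sample in (("failover off", FAILOVER_OFF), ("failover on", FAILOVER_ON)):
        print(name, failover_summary(parse_snmpwalk(sample)))
    for name, sample in (("no cluster", CLUSTER_NOT_CONFIGURED), ("cluster up", CLUSTER_UP), ("cluster disabled", CLUSTER_DISABLED)):
        print(name, cluster_summary(parse_snmpwalk(sample)))
```

Pipe real snmpwalk output into `parse_snmpwalk`; the textual status column (.4) is what the summaries rely on, so they do not depend on the full numeric enumeration of the MIB.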
------------------ show failover ------------------
Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1292 maximum
MAC Address Move Notification Interval not set
If failover is configured, this output is shown:
------------------ show failover ------------------
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet1/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 1 of 1291 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.17(1), Mate 9.17(1)
Serial Number: Ours FLM2006EN9AB11, Mate FLM2006EQZY02
Last Failover at: 13:45:46 UTC May 20 2022
        This host: Primary - Active
                Active time: 161681 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.17(1)) status (Up Sys)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: UCSB-B200-M3-U hw/sw rev (0.0/9.17(1)) status (Up Sys)
...
2. To verify the cluster configuration and status, check the show cluster info section.
If clustering is not configured, this output is shown:
------------------ show cluster info ------------------
Clustering is not configured
If clustering is configured and enabled, this output is shown:
------------------ show cluster info ------------------
Cluster asa_cluster1: On
Interface mode: spanned
Cluster Member Limit : 16
This is "unit-1-1" in state MASTER
ID : 0
Site ID : 1
Version : 9.17(1)
Serial No.: FLM2949C5232IT
CCL IP : 10.174.1.1
CCL MAC : 0015.c500.018f
Module : FPR4K-SM-24
...
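The show-tech and troubleshoot-file checks above are manual reads of sections that all share the same `------ show <command> ------` header layout. The following Python is an added example (not part of the Cisco document) that splits such a dump into sections, evaluates the show failover and show cluster info sections described here (and the show firewall section used later in this document), and lists the states an operator would want raised, for instance a peer that is not in Standby Ready. The dumps it runs on are constructed from the outputs shown in this document.

```python
"""Evaluate HA, cluster and firewall-mode sections of an ASA/FTD show-tech dump (added example)."""
import re

HEADER_RE = re.compile(r"^-{6,}\s+(?P<cmd>.+?)\s+-{6,}\s*$")


def split_sections(dump):
    """{command: text} for every '------ show ... ------' header in the dump."""
    sections, current = {}, None
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("cmd")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {cmd: "\n".join(lines).strip("\n") for cmd, lines in sections.items()}


def _first(pattern, text):
    """First capture group of pattern in text (multi-line), or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else None


def failover_state(section):
    """on/off, local unit role, failover LAN interface and both hosts' states."""
    return {
        "on": section.lstrip().startswith("Failover On"),
        "unit": _first(r"^Failover unit (\S+)", section),
        "lan_interface": _first(r"^Failover LAN Interface: (.+)$", section),
        "this_host": _first(r"This host: \S+ - (.+)$", section),
        "other_host": _first(r"Other host: \S+ - (.+)$", section),
    }


def cluster_state(section):
    """configured/enabled, group name and this unit's role from show cluster info."""
    if not section or "Clustering is not configured" in section:
        return {"configured": False}
    return {
        "configured": True,
        "name": _first(r"^Cluster (\S+): (?:On|Off)", section),
        "enabled": _first(r"^Cluster \S+: (On|Off)", section) == "On",
        "unit": _first(r'This is "([^"]+)" in state', section),
        "state": _first(r'This is "[^"]+" in state (\S+)', section),
    }


def summarize(dump):
    s = split_sections(dump)
    mode = _first(r"Firewall mode: (\w+)", s.get("show firewall", ""))
    return {
        "failover": failover_state(s.get("show failover", "")),
        "cluster": cluster_state(s.get("show cluster info", "")),
        "firewall_mode": mode.lower() if mode else None,
    }


def ha_problems(summary):
    """Findings an operator would want raised from a collected dump."""
    fo, cl = summary["failover"], summary["cluster"]
    problems = []
    if fo["on"] and fo["other_host"] != "Standby Ready":
        problems.append(f"failover is on but the peer is '{fo['other_host']}', not 'Standby Ready'")
    if cl.get("configured") and not cl.get("enabled"):
        problems.append(f"cluster {cl['name']} is configured but not enabled")
    return problems


# Constructed dumps based on the document's outputs.
DUMP_FAILOVER = """\
------------------ show failover ------------------
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet1/2 (up)
Last Failover at: 13:45:46 UTC May 20 2022
        This host: Primary - Active
                Active time: 161681 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
------------------ show cluster info ------------------
Clustering is not configured
------------------ show firewall ------------------
Firewall mode: Routed
"""
DUMP_CLUSTER = """\
------------------ show failover ------------------
Failover Off
Failover unit Secondary
Failover LAN Interface: not Configured
------------------ show cluster info ------------------
Cluster asa_cluster1: On
    Interface mode: spanned
    This is "unit-1-1" in state MASTER
------------------ show firewall ------------------
Firewall mode: Transparent
"""

if __name__ == "__main__":
    for dump in (DUMP_FAILOVER, DUMP_CLUSTER):
        result = summarize(dump)
        print(result, ha_problems(result))
```

Point `summarize` at the whole show-tech text, or at the `usr-local-sf-bin-sfcli.pl show_tech_support asa_lina_cli_util.output` file from a troubleshoot bundle; sections the dump lacks are reported as not configured rather than raising.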
Follow the steps in the section.
Follow the steps in the section.
Follow the steps in the section.
Follow the steps in the section.
Firewall mode refers to a routed or transparent firewall configuration.
Use these options to verify the FTD firewall mode:
Note: FDM does not support transparent mode.
Follow these steps to verify the FTD firewall mode on the FTD CLI:
1. Use these options to access the FTD CLI depending on the platform and deployment mode:
connect module <x> [console|telnet], where x is the slot ID, and then connect ftd [instance], where instance is relevant only for multi-instance deployments.
2. To verify the firewall mode, run the show firewall command on the CLI:
> show firewall
Firewall mode: Transparent
Follow these steps to verify the FTD firewall mode in the FTD troubleshoot file:
1. Open the troubleshoot file and navigate to the folder <filename>-troubleshoot .tar/results-<date>—xxxxxx/command-output.
2. Open the file usr-local-sf-bin-sfcli.pl show_tech_support asa_lina_cli_util.output:
# pwd
/ngfw/var/common/results-05-22-2022--102758/command-outputs
# cat 'usr-local-sf-bin-sfcli.pl show_tech_support asa_lina_cli_util.output'
3. To verify the FTD firewall mode, check the show firewall section:
------------------ show firewall ------------------
Firewall mode: Transparent
按照以下步驟驗證FMC UI上的FTD防火牆模式:
1. 選擇Devices > Device Management:
2. 檢查標籤Routed或Transparent:
按照以下步驟透過FMC REST-API驗證FTD防火牆模式。使用REST-API客戶端。本示例中使用curl:
# curl -s -k -v -X POST 'https://192.0.2.1/api/fmc_platform/v1/auth/generatetoken' -H 'Authentication: Basic' -u 'admin:Cisco123' | grep -i X-auth-access-token
< X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb
2. Identify the domain that contains the device. In most REST API queries the domain parameter is mandatory. Use the token in this query to retrieve the list of domains:
# curl -s -k -X 'GET' 'https://192.0.2.1/api/fmc_platform/v1/info/domain' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
{
"items":
[
{
"name": "Global",
"type": "Domain",
"uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f"
},
{
"name": "Global/LAB2",
"type": "Domain",
"uuid": "84cc4afe-02bc-b80a-4b09-000000000000"
},
...
3. Use the domain UUID to query the specific devicerecords and the specific device UUID:
# curl -s -k -X 'GET' 'https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
{
"items": [
{
"id": "796eb8f8-d83b-11ec-941d-b9083eb612d8",
"links": {
"self": "https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords/796eb8f8-d83b-11ec-941d-b9083eb612d8"
},
"name": "ftd_ha_1",
"type": "Device"
},
...
4. Use the domain UUID and the device/container UUID from Step 3 in this query, and check the value of ftdMode:
# curl -s -k -X 'GET' 'https://192.0.2.1./api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords/796eb8f8-d83b-11ec-941d-b9083eb612d8' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
...
{
    "accessPolicy": {
        "id": "00505691-3a23-0ed3-0006-536940224514",
        "name": "acp1",
        "type": "AccessPolicy"
    },
    "advanced": {
        "enableOGS": false
    },
    "description": "NOT SUPPORTED",
    "ftdMode": "ROUTED",
...
The firewall mode for FTD can be verified on Firepower 4100/9300.
Follow these steps to verify the FTD firewall mode on the FCM UI:
1. Edit the logical device on the Logical Devices page:
2. Click the application icon and check the Firewall Mode on the Settings tab:
The firewall mode for FTD can be verified on Firepower 4100/9300.
Follow these steps to verify the FTD firewall mode on the FXOS CLI:
firepower# scope ssa
firepower /ssa # scope logical-device ftd_cluster1
firepower /ssa/logical-device # show mgmt-bootstrap expand
Management Configuration:
    App Name: ftd
    Secret Bootstrap Key:
        Key                       Value
        ------------------------- -----
        PASSWORD
        REGISTRATION_KEY
    IP v4:
        Slot ID    Management Sub Type IP Address      Netmask         Gateway         Last Updated Timestamp
        ---------- ------------------- --------------- --------------- --------------- ----------------------
        1          Firepower           10.62.148.188   255.255.255.128 10.62.148.129   2022-05-20T13:50:06.238
    Bootstrap Key:
        Key                       Value
        ------------------------- -----
        DNS_SERVERS               192.0.2.250
        FIREPOWER_MANAGER_IP      10.62.184.21
        FIREWALL_MODE             routed
        PERMIT_EXPERT_MODE        yes
        SEARCH_DOMAINS            cisco.com
...
Firepower 4100/9300 supports FXOS REST-API.
Follow these steps to verify the FTD firewall mode via FXOS REST-API request. Use a REST-API client. In this example, curl is used:
# curl -k -X POST -H 'USERNAME: admin' -H 'PASSWORD: Cisco123' https://192.0.2.100/api/ld/ftd_cluster1
{
    "refreshPeriod": "0",
    "token": "3dba916cdfb850c204b306a138cde9659ba997da4453cdc0c37ffb888816c94d"
}
2. Use the logical device identifier in this query and check the value of the FIREWALL_MODE key:
# curl -s -k -X GET -H 'Accept: application/json' -H 'token: 3dba916cdfb850c204b306a138cde9659ba997da4453cdc0c37ffb888816c94d' https://192.0.2.100/api/ld/ftd_cluster1
...
{
    "key": "FIREWALL_MODE",
    "rn": "key-FIREWALL_MODE",
    "updateTimestamp": "2022-05-20T13:28:37.093",
    "urllink": "https://192.0.2.100/api/ld/ftd_cluster1/mgmt-bootstrap/ftd/key/FIREWALL_MODE",
    "value": "routed"
},
...
The firewall mode for FTD can be verified in the Firepower 4100/9300 show-tech file.
Follow these steps to verify the FTD firewall mode in the FXOS chassis show-tech file:
For earlier versions, open the file sam_techsupportinfo in FPRM_A_TechSupport.tar.gz/ FPRM_A_TechSupport.tar.
# pwd
/var/tmp/20220313201802_F241-01-11-FPR-2_BC1_all/FPRM_A_TechSupport/
# cat sam_techsupportinfo
...
`show logical-device detail expand`
Logical Device:
    Name: ftd_cluster1
    Description:
    Slot ID: 1
    Mode: Clustered
    Oper State: Ok
    Template Name: ftd
    Error Msg:
    Switch Configuration Status: Ok
    Sync Data External Port Link State with FTD: Disabled
    Current Task:
...
    Bootstrap Key:
        Key: DNS_SERVERS
        Value: 192.0.2.250
        Last Updated Timestamp: 2022-05-20T13:28:37.093
        Key: FIREPOWER_MANAGER_IP
        Value: 10.62.184.21
        Last Updated Timestamp: 2022-05-20T13:28:37.093
        Key: FIREWALL_MODE
        Value: routed
        Last Updated Timestamp: 2022-05-20T13:28:37.093
...
Use these options to verify the ASA firewall mode:
Follow these steps to verify the ASA firewall mode on the ASA CLI:
connect module <x> [console|telnet], where x is the slot ID, and then connect asa
2. Run the show firewall command on the CLI:
asa# show firewall
Firewall mode: Routed
To verify the ASA firewall mode, check the show firewall section:
------------------ show firewall ------------------
Firewall mode: Routed
Follow the steps in the section.
Follow the steps in the section.
Follow the steps in the section.
Follow the steps in the section.
There are two application instance deployment types:
Container mode instance configuration is supported only on FTD on Firepower 4100/9300.
Use these options to verify the instance deployment type:
Follow these steps to verify the FTD instance deployment type on the FTD CLI:
connect module <x> [console|telnet], where x is the slot ID, and then connect ftd [instance], where instance is relevant only for multi-instance deployments.
> show version system
-------------------[ firepower ]--------------------
Model                     : Cisco Firepower 4120 Threat Defense (76) Version 7.1.0 (Build 90)
UUID                      : 3344bc4a-d842-11ec-a995-817e361f7ea5
VDB version               : 346
----------------------------------------------------

Cisco Adaptive Security Appliance Software Version 9.17(1)
SSP Operating System Version 2.11(1.154)

Compiled on Tue 30-Nov-21 18:38 GMT by builders
System image file is "disk0:/fxos-lfbff-k8.2.11.1.154.SPA"
Config file at boot was "startup-config"

firepower up 2 days 19 hours
Start-up time 3 secs

SSP Slot Number: 1 (Container)
…
執行以下步驟,驗證FTD疑難排解檔案中的FTD執行處理部署型別:
# pwd
/ngfw/var/common/results-05-22-2022--102758/command-outputs
# cat 'usr-local-sf-bin-sfcli.pl show_tech_support asa_lina_cli_util.output'
-------------------[ firepower ]--------------------
Model                     : Cisco Firepower 4120 Threat Defense (76) Version 7.1.0 (Build 90)
UUID                      : 3344bc4a-d842-11ec-a995-817e361f7ea5
VDB version               : 346
----------------------------------------------------

Cisco Adaptive Security Appliance Software Version 9.17(1)
SSP Operating System Version 2.11(1.154)

Compiled on Tue 30-Nov-21 18:38 GMT by builders
System image file is "disk0:/fxos-lfbff-k8.2.11.1.154.SPA"
Config file at boot was "startup-config"

firepower up 2 days 19 hours
Start-up time 3 secs

SSP Slot Number: 1 (Container)
…
按照以下步驟驗證FMC UI上的FTD例項部署型別:
按照以下步驟,透過FMC REST-API驗證FTD執行處理部署型別。使用REST-API客戶端。本示例中使用curl:
# curl -s -k -v -X POST 'https://192.0.2.1/api/fmc_platform/v1/auth/generatetoken' -H 'Authentication: Basic' -u 'admin:Cisco123' | grep -i X-auth-access-token
< X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb
2. Identify the domain that contains the device. In most REST API queries the domain parameter is mandatory. Use the token in this query to retrieve the list of domains:
# curl -s -k -X 'GET' 'https://192.0.2.1/api/fmc_platform/v1/info/domain' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
{
"items":
[
{
"name": "Global",
"type": "Domain",
"uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f"
},
{
"name": "Global/LAB2",
"type": "Domain",
"uuid": "84cc4afe-02bc-b80a-4b09-000000000000"
},
...
3. Use the domain UUID to query the specific devicerecords and the specific device UUID:
# curl -s -k -X 'GET' 'https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
{
"items": [
{
"id": "796eb8f8-d83b-11ec-941d-b9083eb612d8",
"links": {
"self": "https://192.0.2.1/api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords/796eb8f8-d83b-11ec-941d-b9083eb612d8"
},
"name": "ftd_ha_1",
"type": "Device"
},
...
4. Use the domain UUID and the device/container UUID from Step 3 in this query, and check the value of isMultiInstance:
# curl -s -k -X 'GET' 'https://192.0.2.1./api/fmc_config/v1/domain/84cc4afe-02bc-b80a-4b09-000000000000/devices/devicerecords/796eb8f8-d83b-11ec-941d-b9083eb612d8' -H 'accept: application/json' -H 'X-auth-access-token: 5d817ef7-f12f-4dae-b0c0-cd742d3bd2eb' | python -m json.tool
...
"name": "ftd_cluster1",
"isMultiInstance": true, ...
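The four curl steps above, and the identical sequence in the firewall-mode section, are the same token/domain/devicerecord walk ending in a different field. The following Python is an added example (not part of the Cisco document) that performs that walk with the standard library and then reads both ftdMode and isMultiInstance from the device record; a small helper also reads deployType from the FXOS REST-API app-inst response used later in this document. The FMC address, domain, device name and credentials are placeholders, and the record and response it parses offline are constructed from the values shown in this document.

```python
"""Read a device's firewall mode and instance type from the FMC REST-API (added example)."""
import json
import ssl
import urllib.request
from base64 import b64encode


def _request(method, url, headers, insecure):
    """HTTP call returning (headers, parsed JSON or None). insecure=True mirrors curl -k
    (no certificate validation); keep it False once the FMC presents a trusted certificate."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        body = resp.read()
        return resp.headers, (json.loads(body) if body else None)


def get_token(fmc, user, password, insecure=False):
    """Step 1: POST generatetoken with HTTP Basic auth; the token comes back as a response header."""
    creds = b64encode(f"{user}:{password}".encode()).decode()
    headers, _ = _request("POST", f"https://{fmc}/api/fmc_platform/v1/auth/generatetoken",
                          {"Authorization": f"Basic {creds}"}, insecure)
    return headers["X-auth-access-token"]


def get_json(fmc, token, path, insecure=False):
    _, body = _request("GET", f"https://{fmc}{path}",
                       {"Accept": "application/json", "X-auth-access-token": token}, insecure)
    return body


def find_uuid(listing, name, key):
    """UUID of the item called `name` in an FMC 'items' listing ('uuid' for domains, 'id' for devices)."""
    return next(item[key] for item in listing["items"] if item["name"] == name)


def describe_device(record):
    """The two properties the document verifies. isMultiInstance true corresponds to a
    container (multi-instance) deployment, false to a native one; absent means unknown."""
    multi = record.get("isMultiInstance")
    return {
        "name": record.get("name"),
        "firewall_mode": record["ftdMode"].lower() if record.get("ftdMode") else None,
        "deployment": None if multi is None else ("container" if multi else "native"),
    }


def fxos_deploy_types(app_inst_payload):
    """{appInstId: (deployType, clusterRole)} from the FXOS /api/slot/<id>/app-inst response."""
    return {i["appInstId"]: (i["deployType"], i.get("clusterRole")) for i in app_inst_payload["smAppInstance"]}


def lookup(fmc, user, password, domain, device, insecure=False):
    """Steps 1 to 4 against a live FMC (placeholder parameters; needs network access)."""
    token = get_token(fmc, user, password, insecure)
    domain_uuid = find_uuid(get_json(fmc, token, "/api/fmc_platform/v1/info/domain", insecure), domain, "uuid")
    base = f"/api/fmc_config/v1/domain/{domain_uuid}/devices/devicerecords"
    device_id = find_uuid(get_json(fmc, token, base, insecure), device, "id")
    return describe_device(get_json(fmc, token, f"{base}/{device_id}", insecure))


# Constructed from the document's responses (abridged; the HA record's isMultiInstance is assumed).
DOMAINS = {"items": [{"name": "Global", "type": "Domain", "uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f"},
                     {"name": "Global/LAB2", "type": "Domain", "uuid": "84cc4afe-02bc-b80a-4b09-000000000000"}]}
HA_RECORD = {"name": "ftd_ha_1", "ftdMode": "ROUTED", "isMultiInstance": False}
CLUSTER_RECORD = {"name": "ftd_cluster1", "ftdMode": "ROUTED", "isMultiInstance": True}
APP_INST = {"smAppInstance": [{"appInstId": "ftd_001_JAD201200R43VLP1G3", "appName": "ftd",
                               "deployType": "container", "clusterRole": "none"}]}

if __name__ == "__main__":
    # lookup("192.0.2.1", "admin", "<password>", "Global/LAB2", "ftd_ha_1", insecure=True)  # live FMC
    print(describe_device(HA_RECORD), describe_device(CLUSTER_RECORD), fxos_deploy_types(APP_INST))
```

Pass the password in from a secret store rather than embedding it as the curl examples do, and leave `insecure` at its default once the FMC certificate chains to a trusted CA; the token is only valid for a limited time, so re-run `get_token` per session.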
To verify the FTD instance deployment type, check the Resource Profile attribute value in the logical device. If the value is not blank, FTD runs in container mode:
Follow these steps to verify the FTD instance deployment type on the FXOS CLI:
firepower # scope ssa
firepower /ssa # show app-instance
App Name   Identifier   Slot ID    Admin State Oper State       Running Version Startup Version Deploy Type Turbo Mode Profile Name Cluster State   Cluster Role
---------- ------------ ---------- ----------- ---------------- --------------- --------------- ----------- ---------- ------------ --------------- ------------
ftd        ftd_cluster1 1          Enabled     Online           7.1.0.90        7.1.0.90        Container   No         RP20         In Cluster      Master
依照以下步驟,透過FXOS REST-API要求驗證FTD執行處理部署型別。使用REST-API客戶端。本示例中使用curl:
# curl -k -X POST -H 'USERNAME: admin' -H 'PASSWORD: Cisco123' 'https://10.62.148.88/api/login'
{
    "refreshPeriod": "0",
    "token": "3dba916cdfb850c204b306a138cde9659ba997da4453cdc0c37ffb888816c94d"
}
2. Specify the token and the slot ID in this query and check the value of deployType:
# curl -s -k -X GET -H 'Accept: application/json' -H 'token: 3dba916cdfb850c204b306a138cde9659ba997da4453cdc0c37ffb888816c94d' https://192.0.2.100/api/slot/1/app-inst
…
{
    "smAppInstance": [
        {
            "adminState": "enabled",
            "appDn": "sec-svc/app-ftd-7.1.0.90",
            "appInstId": "ftd_001_JAD201200R43VLP1G3",
            "appName": "ftd",
            "clearLogData": "available",
            "clusterOperationalState": "not-applicable",
            "clusterRole": "none",
            "currentJobProgress": "100",
            "currentJobState": "succeeded",
            "currentJobType": "start",
            "deployType": "container",
...
按照以下步驟驗證FXOS機箱show-tech檔案中的FTD防火牆模式:
對於早期版本,請打開FPRM_A_TechSupport.tar.gz/ FPRM_A_TechSupport.tar中的檔案sam_techsupportinfo。
# pwd
/var/tmp/20220313201802_F241-01-11-FPR-2_BC1_all/FPRM_A_TechSupport/
# cat sam_techsupportinfo
...
`show slot expand detail`
Slot:
    Slot ID: 1
    Log Level: Info
    Admin State: Ok
    Oper State: Online
    Disk Format State: Ok
    Disk Format Status: 100%
    Clear Log Data: Available
    Error Msg:
    Application Instance:
        App Name: ftd
        Identifier: ftd_cluster1
        Admin State: Enabled
        Oper State: Online
        Running Version: 7.1.0.90
        Startup Version: 7.1.0.90
        Deploy Type: Container
ASA supports single and multiple context modes. FTD does not support multiple context mode.
Use these options to verify the context mode:
Follow these steps to verify the ASA context mode on the ASA CLI:
connect module <x> [console|telnet], where x is the slot ID, and then connect asa
2. Run the show mode command on the CLI:
ASA# show mode
Security context mode: multiple
ASA# show mode
Security context mode: single
按照以下步驟驗證ASA show-tech檔案中的ASA情景模式:
1. 檢查show-tech檔案中的show context detail部分。在這種情況下,由於存在多個上下文,因此上下文模式是多上下文:
------------------ show context detail ------------------
Context "system", is a system resource
  Config URL: startup-config
  Real Interfaces:
  Mapped Interfaces: Ethernet1/1, Ethernet1/10, Ethernet1/11, Ethernet1/12, Ethernet1/13, Ethernet1/14, Ethernet1/15, Ethernet1/16, Ethernet1/2, Ethernet1/3, Ethernet1/4, Ethernet1/5, Ethernet1/6, Ethernet1/7, Ethernet1/8, Ethernet1/9, Ethernet2/1, Ethernet2/2, Ethernet2/3, Ethernet2/4, Ethernet2/5, Ethernet2/6, Ethernet2/7, Ethernet2/8, Internal-Data0/1, Internal-Data1/1, Management1/1
  Class: default, Flags: 0x00000819, ID: 0

Context "admin", has been created
  Config URL: disk0:/admin.cfg
  Real Interfaces: Ethernet1/1, Ethernet1/2, Management1/1
  Mapped Interfaces: Ethernet1/1, Ethernet1/2, Management1/1
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000813, ID: 1

Context "null", is a system resource
  Config URL: ... null ...
  Real Interfaces:
  Mapped Interfaces:
  Real IPS Sensors:
  Mapped IPS Sensors:
  Class: default, Flags: 0x00000809, ID: 507
Firepower 2100 with ASA can run in one of these modes:
Platform mode - Basic operating parameters and hardware interface settings are configured in FXOS. These settings include interface admin state changes, EtherChannel configuration, NTP, image management, and so on. The FCM web interface or the FXOS CLI can be used for the FXOS configuration.
Appliance mode (the default) - Appliance mode lets users configure all policies in the ASA. Only advanced commands are available from the FXOS CLI.
Use these options to verify the Firepower 2100 mode with ASA:
Follow these steps to verify the Firepower 2100 mode with ASA on the ASA CLI:
1. Use telnet/SSH to access the ASA on Firepower 2100.
2. Run the show fxos mode command on the CLI:
ciscoasa(config)# show fxos mode
Mode is currently set to plaftorm
Appliance mode:
ciscoasa(config)# show fxos mode
Mode is currently set to appliance
Note: In multiple context mode, the show fxos mode command is available in the system or admin contexts.
Follow these steps to verify the Firepower 2100 mode with ASA on the FXOS CLI:
1. Use telnet/SSH to access the ASA on Firepower 2100.
2. Run the connect fxos command:
ciscoasa/admin(config)# connect fxos
Configuring session.
.
Connecting to FXOS.
...
Connected to FXOS. Escape character sequence is 'CTRL-^X'.
Note: In multiple context mode, the connect fxos command is available in the admin context.
3. Run the show fxos-mode command:
firepower-2140# show fxos mode
Mode is currently set to plaftorm
Appliance mode:
firepower-2140#show fxos mode
Mode is currently set to appliance
按照以下步驟在FXOS機箱的show-tech檔案中驗證具有ASA的Firepower 2100模式:
1. 打開<name>_FPRM.tar.gz/<name>_FPRM.tar中的檔案tech_support_brief
2. 檢查「show fxos-mode」部分:
# pwd
/var/tmp/fp2k-1_FPRM/
# cat tech_support_brief
...
`show fxos-mode`
Mode is currently set to platform
Appliance mode:
# pwd
/var/tmp/fp2k-1_FPRM/
# cat tech_support_brief
...
`show fxos-mode`
Mode is currently set to appliance
Cisco bug ID CSCwb94424 ENH: Add a CLISH command for FMC HA configuration verification
Cisco bug ID CSCvn31622 ENH: Add FXOS SNMP OIDs to poll logical device and app instance configuration
Cisco bug ID CSCwb97767 ENH: Add OIDs for verification of the FTD instance deployment type
Cisco bug ID CSCwb97772 ENH: Include the output of 'show fxos mode' in the show-tech of ASA on Firepower 2100
Cisco bug ID CSCwb97751 No OID 1.3.6.1.4.1.9.9.491.1.6.1.1 for transparent firewall mode verification
Revision | Publish Date | Comments
---|---|---
2.0 | 08-Aug-2024 | Reformatting, punctuation and initial capitalization on alt text.
1.0 | 26-May-2022 | Initial Release