An organization is configuring a new Cisco Firepower High Availability deployment. Which action must be taken to ensure that failover is as seamless as possible to end users?
A.
Set the same FQDN for both chassis.
B.
Set up a virtual failover MAC address between chassis.
C.
Load the same software version on both chassis.
General Prerequisites for Firepower High Availability
1.Two Identical Units
For FMC HA, you need two FMCs (either hardware or virtual) with identical specifications and licensing capacity.
2.The units must run the same software version (e.g., FTD 7.1 or FMC 7.0).
Same Software Version: Both units must be on the same software version to ensure compatibility and proper synchronization.
3. Each unit requires its own Smart License entitlement. For FTD, this means two Base licenses plus any additional feature licenses (e.g., Threat, Malware, URL Filtering) must match on both units.
4. A dedicated high-speed link for HA communication (failover link) is required between the two units.
5. No Pending Changes: Both units must be fully deployed from the FMC with no uncommitted configuration changes before establishing HA.
Only B
Omit previous comment. Answer is B
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense-virtual/222235-configure-virtual-mac-addresses-for-ftd.html#:~:text=Virtual%20MAC%20addresses%20allow%20the%20primary%20and%20secondary%20FTD%20to%20maintain%C2%A0consistent%20MAC%20addresses%20which%20prevents%20certain%20traffic%20disruptions.
While dedicated failover state link can be benefic if there is a lot of traffic handled by the FTD, the lack of a Virtual MAC address can create disruptions on a failover event.
"Configuring virtual MAC addresses on an FTD HA pair is beneficial to the availability of a network. Virtual MAC addresses allow the primary and secondary FTD to maintain consistent MAC addresses which prevents certain traffic disruptions."
https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense-virtual/222235-configure-virtual-mac-addresses-for-ftd.html
This is why, I will go on B
It is most likely answer (D). The questions relates/emphasizes to "failover is as seamless as possible to end users", which is done via stateful links to sync the TCP session state/connection table among both firewalls.
States are propagated via FOVER link in the absence of a dedicated link. A better design is to separate the datapath from the state path but while you have state without a dedicated link, you won't have MAC consistency without a Virtual MAC configured
To ensure that failover is as seamless as possible to end users when configuring a new Cisco Firepower High Availability deployment, the organization must D. Use a dedicated stateful link between chassis. Configuring high availability, also called failover, requires two identical Firepower Threat Defense devices connected to each other through a dedicated failover link and, optionally, a state link1. The system uses the state link to pass connection state information to the standby device, so that if a failover occurs, user connections are preserved2. Is there anything else you would like to know?
The right answer is B. Why not D ? Because the question states "dedicated" state link. You do not need dedicated state link, you can use failover link for that, but the vMAC will help tp transition from Active FW to Passive, because MAC will stay the same, in the case where you hawe 2 mac's, the switch would have to flap, and FMC does not do graceful ARP. This is documented in Whitepaper
yeah I got your point, Q did not state that there is any failover / stateful link. I assume that there is only failover link between Active/Passive at this moment, and ask what feature we need to have additionally for seamless failover. Thus stateful link (it can be used same failover link), my choice is D.
D. Use a dedicated stateful link between chassis.
Using a dedicated stateful link between chassis ensures that the failover is as seamless as possible to end users. A dedicated stateful link allows the two Firepower chassis to synchronize connection state information in real-time, which ensures that network traffic is not interrupted during a failover event. In contrast, a virtual failover MAC address, loading the same software version, and setting the same FQDN are important for ensuring a successful failover, but they do not directly impact end-user experience.
D is correct - setting up a Stateful Failover Link in addition to the Failover Link preserves the state information for existing sessions.
upvoted 3 times
...
This section is not available anymore. Please use the main Exam Page.300-710 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Initial14
Highly Voted 1 year, 7 months agod0980cc
1 month, 3 weeks agod0980cc
1 month, 3 weeks agod0980cc
3 weeks agoSilexis
Most Recent 3 months agoMB2222
6 months, 2 weeks agoSilexis
3 months agoachille5
6 months, 2 weeks agogwb
7 months, 3 weeks agopr0fectus
1 year agoaaInman
1 year, 2 months agoInitial14
1 year, 7 months agogwb
7 months, 1 week agotanri04
1 year, 7 months agoMevijil
1 year, 9 months ago