Configure High Availability on FMC
Firepower Management Center (FMC) High Availability (HA) provides critical redundancy for security management infrastructure by pairing two FMC appliances to work together in an active-standby configuration. In an FMC HA setup, one unit operates as the primary (active) management center handling all administrative tasks and device communications, while the secondary unit remains in standby mode, ready to take over seamlessly if the primary fails. This configuration eliminates single points of failure in your security management infrastructure and ensures continuous security policy enforcement even during management center outages.
In this blog post, we'll explain how to configure HA on FMC.
Pre-Configuration Requirements
Before beginning the configuration process, several compatibility checks and preparation steps are essential.
- Software Version Alignment: Both FMC peers must be running identical software versions, including intrusion rule updates, vulnerability databases, and Lightweight Security Packages. Version mismatches will prevent HA configuration from completing successfully. To verify the versions of these content updates, navigate to System > Configuration > Content Updates.
- Hardware Compatibility: Ensure both FMC units have the same capacity and hardware specifications. Mismatched hardware platforms cannot establish HA relationships.
- Licensing Requirements: Each FMC requires separate licensing. When FMC HA is configured in virtual or cloud environments, each registered FTD device consumes an additional FMC Device license.
Configure Secondary FMC
The HA configuration process begins with the unit that will serve as the secondary (standby) FMC (in Dark theme).
Navigate to HA Configuration: Go to Integration > Other Integrations > High Availability to access the HA setup options. Choose "Secondary" to designate this unit as the standby FMC in the HA pair.
Configure Primary Peer Information: Enter the management IP address and connection details for the FMC unit that will serve as the primary. Generate and record the registration key, as this will be required when configuring the primary FMC. After completing the registration process, confirm that the secondary FMC status shows as "Pending Registration" while waiting for the primary FMC configuration to complete.
Configure Primary FMC
With the secondary FMC configured and waiting, the primary FMC (in Light theme) configuration completes the HA relationship establishment.
Navigate to HA Configuration: Follow the same navigation path: Integration > Other Integrations > High Availability. Choose "Primary" to designate this unit as the active FMC in the HA pair.
Configure Secondary Peer Information: Enter the management IP address and connection details for the secondary FMC. Use the same registration key generated during the secondary FMC configuration.
Important Configuration Warning: After FMC HA is established, the secondary unit will lose all existing device configurations, policies, and settings as they are replaced with synchronized data from the primary.
Verification and Monitoring
Once both units are configured, automatic synchronization begins between the primary and secondary FMCs. During this process, expect to see status indicators showing "Failed" and "Temporarily Degraded" - this is normal while the systems establish their HA relationship.
Verify Successful Setup: Once synchronization completes, confirm both FMCs show "Status: Healthy" and "Synchronization: OK" in the High Availability interface. Verify that all managed devices appear correctly on both units with identical configurations.
The FMCs will continue synchronizing automatically - regular synchronization activity is normal. Monitor HA status regularly and address any failures promptly. Plan maintenance activities considering HA impact, and maintain regular backup procedures for both units.
Conclusion
Implementing FMC High Availability provides essential redundancy for security management infrastructure, ensuring continuous policy enforcement and device management even during primary system failures. The configuration process, while requiring careful attention to prerequisites and proper sequencing, establishes a robust foundation for enterprise security management.
By following this structured approach and ensuring all compatibility requirements are met, you can successfully deploy FMC HA that maintains your organization's security posture while providing the redundancy necessary for business-critical environments.
Remember that the initial synchronization process may take considerable time depending on your environment's complexity, so plan appropriate maintenance windows and allow sufficient time for complete HA establishment and verification.
Please reach out with any questions/comments you might have.