Friday, December 23, 2011

How to Force a Manual Failover on a Cisco ASA via Command Line



Forcing a manual failover via command line can be done in two different ways.

######################################

On the active firewall you can do the following:


CiscoASA# no failover active

-----------------------------------------------------------------------------

On the standby firewall you can do the following:

CiscoASA# failover active

#######################################


Personally I prefer to force the failover from the standby unit.

Wednesday, December 21, 2011

How to Create a Subinterface on a Cisco ASA


If you need to create a subinterface on an ASA you will need the following information:


1. Identify which physical interface on the firewall is going to carry the subinterface.
2. Identify which subinterface ID is going to be used. Valid IDs are 1 through 4294967293.
3. Identify which VLAN ID is going to be used. I would recommend using the same VLAN ID as the subinterface ID; however, the only IDs supported for VLANs are 1 through 4094.
4. (Optional) Identify a nameif for the interface.
4a. If required, identify a security level.
4b. If required, identify an IP address and mask.




Here is an example of creating subinterface ID 990 with VLAN 990. It is also a named interface, so an access list can be bound to it:




ASA(config)# interface GigabitEthernet0/1.990
ASA(config-subif)# description Subinterface Vlan 990
ASA(config-subif)# vlan 990
ASA(config-subif)# nameif VLAN990
INFO: Security level for "VLAN990" set to 0 by default.
ASA(config-subif)# security-level 50
ASA(config-subif)# ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
ASA(config-subif)# no shutdown
ASA(config-subif)# exit

Thursday, December 15, 2011

How to compare firewall policies between two IBM Proventia M firewalls



If you have to RMA an IBM Proventia M firewall and move the policy from one firewall to another, there is a simple test you can perform to make sure the policy on the new RMA firewall is the same as the old one. Once you have applied the snapshot to the new RMA firewall, run the following commands on both firewalls:

[root@proventiaM root]# cd /etc/crm/policies/cml/NetworkProtector/fwm/
[root@proventiaM fwm]# ls -la
total 92
drwxr-xr-x 2 root root 4096 Aug 8 2009 .
drwxr-xr-x 39 root root 4096 Mar 12 2008 ..
-rw-r--r-- 1 root root 27778 Aug 8 2009 npfwm1_0.xml
-rw-r--r-- 1 root root 16131 Mar 12 2008 npfwm1_0.xml.bak
-rw-r--r-- 1 root root 4908 May 15 2007 npfwm2_0_0.xml
-rw-r--r-- 1 root root 9335 May 15 2007 npfwm3_0_0.xml
-rw-r--r-- 1 root root 11702 May 15 2007 npfwm4_0_0.xml
-rw-r--r-- 1 root root 8169 May 15 2007 npfwm4_1_0.xml

[root@proventiaM fwm]# md5sum npfwm1_0.xml
06e78c571413e8f78fe0db58a0f070b7 npfwm1_0.xml

or simply:


md5sum /etc/crm/policies/cml/NetworkProtector/fwm/npfwm1_0.xml



This gives you the checksum value of the firewall policy file (npfwm1_0.xml). If the checksums on both firewalls match, the policy files are identical, which is a lot quicker than comparing the policy line by line, especially if you have a large policy.
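As an added example (not part of the original post), here is a small POSIX shell helper that does the same comparison on copies of npfwm1_0.xml pulled from the old unit and the RMA unit. The remote_policy_checksum function and the sample XML content are hypothetical; the policy path is the one shown above.

```shell
#!/bin/sh
# Constructed example: compare the checksum of the Proventia M policy file
# (npfwm1_0.xml) taken from two firewalls, and report the result.
POLICY_PATH=/etc/crm/policies/cml/NetworkProtector/fwm/npfwm1_0.xml

# Print the MD5 of one policy file; return 2 if the file is missing.
# Falls back to the BSD/macOS "md5" tool when GNU md5sum is not installed.
policy_checksum() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Hypothetical helper: checksum of the live policy on a remote unit over ssh.
# Not executed here; shown for the real two-firewall procedure.
remote_policy_checksum() {
    ssh "root@$1" "md5sum $POLICY_PATH" | cut -d' ' -f1
}

# Compare two policy files: 0 = identical, 1 = differ, 2 = a file is missing.
compare_policies() {
    a=$(policy_checksum "$1") || return 2
    b=$(policy_checksum "$2") || return 2
    if [ "$a" = "$b" ]; then
        echo "MATCH $a"
        return 0
    fi
    echo "MISMATCH old=$a new=$b"
    return 1
}

# Constructed sample files standing in for copies pulled (e.g. with scp)
# from the old firewall and from the RMA replacement.
WORK=$(mktemp -d)
printf '<policy><rule id="1" action="allow"/></policy>\n' > "$WORK/old_npfwm1_0.xml"
cp "$WORK/old_npfwm1_0.xml" "$WORK/new_npfwm1_0.xml"
printf '<policy><rule id="1" action="deny"/></policy>\n' > "$WORK/bad_npfwm1_0.xml"

compare_policies "$WORK/old_npfwm1_0.xml" "$WORK/new_npfwm1_0.xml"
```

A match only tells you the two files are byte-for-byte identical; it does not tell you the policy itself is correct, so the rules that matter still deserve a spot check after the swap.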





Wednesday, December 14, 2011

How to tell if a Proventia M is in HA mode via SSH




If you need to check whether an ISS / IBM Proventia M is in High Availability mode, or which firewall is primary or secondary, check the following via ssh:

cat /etc/sysconfig/ham

The output will be one of: no such file, primary, or secondary.


[root@proventiaM root]# cat /etc/sysconfig/ham
cat: /etc/sysconfig/ham: No such file or directory <-------- Means NOT part of an HA cluster


[root@proventiaM root]# cat /etc/sysconfig/ham
HAOASTATE=primary <------------- Means this device is currently the primary firewall in the cluster


[root@proventiaM root]# cat /etc/sysconfig/ham
HAOASTATE=secondary <------------- Means this device is currently the secondary firewall in the cluster

Tuesday, December 13, 2011

Cisco ASA Renaming Access List

Save yourself some time and rename your access-lists instead of having to recreate them all!

On Cisco ASA version 8.0(2) and above you can rename an access-list:

access-list OLD_NAME rename NEW_NAME