Hardware and Software Requirements | CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)

Providing firewall failover capabilities involves several basic hardware and software requirements. The firewalls must have the following:

Same PIX firewall hardware models
Same amount of RAM memory
Same amount of flash memory
Same type and number of interfaces
Special serial cable (optional)
Same version of software
Same activation keys for DES or 3DES

When configuring for failover, firewall models need to be exactly the same all the way down to their memory sizes.

Hardware

The PIX firewalls need to have the same hardware models for failover to work properly, but failover support is not available on all models. The 501, 506, and 506E do not support failover functionality; only the 515 and above models do.

Software

Software on the two firewalls also needs to be the same version number; otherwise , failover might not work properly.

Every model of the PIX firewall, including the 501, uses the same software ”activation keys just enable extra features within the software. However, you still cannot use failover on the lower models.

Licensing

Activations keys also need to be installed to enable the failover functionality of the software. Cisco has several licensing features for failover, as listed in Table 11.1.

Table 11.1. Licenses

License	Description
UR	The unrestricted license must be used on the primary (active) firewall and can optionally be used on the secondary (standby) firewall.
FO	The failover license is used for secondary standby modes only.
R	The restricted license cannot be used for either the primary or secondary firewall.

Now that you have seen the various licenses available, Table 11.2 displays the possible primary and secondary licensing combinations.

Table 11.2. Licensing Combinations

	Primary (Active)	Secondary (Standby)
Combination 1	UR	UR
Combination 2	UR	FO

The PIX does not have separate software for failover protection. Only activation keys are necessary to enable the features.