DX NetOps

I have Cisco ASA firewall pairs running as active/standby, they are in standard single mode HA pairs. 

I wants an alarm whenever there is any fail-over between them. Is there any option to monitor this via watch or trap or any other way ?

Spectrum version - 10.3

Hi Rahul,

If they are modelled in Spectrum as HSRP devices then you can opt to

actively poll HSRP status and not jusy hope for a trap.

I'm away at the moment; Support can walk you through this.

Glenn Weavind

On Mon, 13 May 2019, 12:42 Rahul.Rawat, <

Hello Glenn,

Thanks for reply...

CiscoHSRPapp model type is not present on my firewalls, so this is not helpful for me.

Is there any way to model firewalls as HSRP devices ?

Rahul Rawat

Perhaps this might be of help.

https://docops.ca.com/ca-spectrum/10-2-3/en/managing-network/cisco-device-management/cisco-asa-adaptive-security-appliance-devices-failover

No this link is not helpful in my case,  I already tried this but not working in my environment.

Hi Rahul,

Open the MIB tools, navigate to CISCO-FIREWALL-MIB.

There you will find the following attributes: cfwHardwareStatusValue and cfwHardwareInformation.

Whenever the Primary Unit status value change from 9 (Active) that means that the FO has happened. You can set up a Watch to get that, but you need the correct Instances.

Regards,

Zacchi

I set up a watch < on CiscoFirewallApp Model > on attribute cfwHardwareStatusValue for instance 6 with threshold violated if value not equal to 9.

This watch will generate alert whenever value of primary unit change from active to standby/any other value.

Watch consists of the following parameters: 

Name: Cisco_FW_Failover

Data Type: Integer

Expression: cfwHardwareStatusValue.# (including .# - Because attribute is a list type)

Instance: 6

Properties

Default Activation: Active

Evaluate: By Polling

Poll Interval: 200 Sec

Threshold

Threshold violated if value != 9

Threshold reset if value ==9