1. Use the FTD outside (data) interface for FMC management
Note: This feature requires Firepower version 6.7 or later; HA pairs are supported only from 7.4.
FMC needs a static public IP, or else use DONTRESOLVE on the FTD when adding the manager. A firewall rule is needed from FMC to FTD on TCP/8305 (both directions if FMC has a static NATed public IP), with no IPS inspection on that traffic. On PA, the management channel is identified as the ssl application, so use service any instead of application-default.
1.1 boot FTD, configure management interface IP
1.2 configure network management-data-interface
> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
...........
or
configure network management-data-interface ipv4 manual 10.10.6.8 255.255.255.0 default-gw 10.10.6.1 interface e1/1
1.3 Add manager
When FMC doesn't have a static NATed public IP (FMC connects to the FTD outside IP; the same registration key and NAT ID must be entered on the FMC side):
configure manager add DONTRESOLVE Cisco123 nat456
When FMC has a static NATed public IP (x.x.x.x is the FMC public IP, Cisco123 the registration key):
configure manager add x.x.x.x Cisco123
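The two registration forms above and the TCP/8305 rule directions from the note at the top depend only on which side has an IP the other can reach. The following is an added example for this post (not Cisco tooling): it derives the FTD command, what to enter as the host on FMC, and the TCP/8305 rules to permit, and refuses the combinations that cannot work (DONTRESOLVE without a NAT ID, neither side reachable). The Side/plan structures and the 203.0.113.10 FMC address are assumptions for illustration.

```python
# Added example, not Cisco code: pick the "configure manager add" form and the
# perimeter rules for TCP/8305 from which side has a reachable IP.
# The Side dataclass, the plan dict and the sample IPs below are assumptions.
from dataclasses import dataclass
from typing import Optional

SFTUNNEL_PORT = 8305  # FMC <-> FTD management channel (sftunnel), TCP


@dataclass
class Side:
    name: str                    # "FMC" or "FTD"
    reachable_ip: Optional[str]  # static public / static-NAT IP the other side can reach, else None


def registration_plan(fmc: Side, ftd: Side, reg_key: str,
                      nat_id: Optional[str] = None) -> dict:
    """Return the FTD command, the host to enter on FMC, and TCP/8305 rules (src, dst, port)."""
    if not reg_key:
        raise ValueError("registration key must be set, and identically on FTD and FMC")

    if fmc.reachable_ip:
        # FMC has a static (NATed) public IP: the FTD is told the FMC address.
        # A NAT ID is optional here; it is only needed when the FTD itself is behind NAT.
        ftd_cmd = f"configure manager add {fmc.reachable_ip} {reg_key}"
        if nat_id:
            ftd_cmd += f" {nat_id}"
        # Assumption: host is left blank on FMC when the FTD has no reachable IP.
        fmc_host = ftd.reachable_ip or ""
        # Both sides know each other: permit both directions on TCP/8305.
        rules = [(ftd.name, fmc.name, SFTUNNEL_PORT), (fmc.name, ftd.name, SFTUNNEL_PORT)]
    elif ftd.reachable_ip:
        # FMC has no reachable IP: FTD uses DONTRESOLVE plus a NAT ID and the FMC
        # connects to the FTD outside IP, so only FMC -> FTD needs to be permitted.
        if not nat_id:
            raise ValueError("DONTRESOLVE requires a NAT ID (the same NAT ID goes on the FMC side)")
        ftd_cmd = f"configure manager add DONTRESOLVE {reg_key} {nat_id}"
        fmc_host = ftd.reachable_ip
        rules = [(fmc.name, ftd.name, SFTUNNEL_PORT)]
    else:
        raise ValueError("at least one side needs an IP the other can reach on TCP/8305")

    return {"ftd_command": ftd_cmd, "fmc_host": fmc_host,
            "nat_id": nat_id or "", "rules": rules}


if __name__ == "__main__":
    # Case from the post: FMC behind NAT without a static public IP, FTD outside IP 10.10.6.7.
    print(registration_plan(Side("FMC", None), Side("FTD", "10.10.6.7"), "Cisco123", "nat456"))
    # Case from the post: FMC with a static NATed public IP (203.0.113.10 is a placeholder).
    print(registration_plan(Side("FMC", "203.0.113.10"), Side("FTD", "10.10.6.7"), "Cisco123"))
```

Run it before touching the firewall: the rules list is the change request for the perimeter (no IPS profile on it, and on PA use service any rather than application-default, as noted above), and the command string is what gets pasted on the FTD.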
1.4 FTD in HA mode
Register both FTDs using the outside interface, then create the HA pair in FMC.
After a failover, FMC still shows the pre-failover outside IP for each unit, while in the CLI the addresses have switched correctly.
==== FDM - Managing FTD from the Outside Interface ====
https://docs.defenseorchestrator.com/Configuration_Guides/Onboard_Devices_and_Services/Onboard_Firepower_Threat_Defense_Devices/0150_Managing_a_Firepower_Threat_Defense_Device_from_the_Outside_Interface_while_using_an_On-Premise_SDC
============
Change the remote FTD public IP
No re-registration is required; follow these steps:
1. On FMC
Edit the device, Device tab > Management:
1.1 Change Manager Access Interface to "Data Interface"
1.2 Change "Remote Host Address" to the FTD's new outside interface IP
2. Enable Manager Access on the outside interface
When deploying the policy, you may see a warning:
click "View details", review it and acknowledge it.
The management port configuration is still needed: it is used to forward the management traffic to the data interface via the tap_nlp interface.