Firepower Deploy remote FTD

 1. Use FTD outside data interface

Note: This feature requires Firepower version 6.7 or later; HA support only started in 7.4.
FMC needs a public IP, or use DONTRESOLVE on the FTD when adding the manager. A firewall rule is needed from FMC to FTD on TCP/8305 (both directions if FMC has a static NATed public IP), with no IPS inspection on that traffic. On a PA firewall the traffic is identified as the ssl application, so the rule should use service any instead of application-default.

1.1 Boot the FTD and configure the management interface IP

1.2 Configure network management-data-interface

> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
...........
or as a single command:
configure network management-data-interface ipv4 manual 10.10.6.8 255.255.255.0 default-gw 10.10.6.1 interface e1/1

1.3 Add manager

When FMC doesn't have a static NATed public IP:
      configure manager add DONTRESOLVE Cisco123 nat456

When FMC has a static NATed public IP:
      configure manager add x.x.x.x Cisco123

1.4 FTD in HA mode

     Register both FTDs using the outside interface, then create the HA pair in FMC.
     When failover occurs, FMC still shows the pre-failover outside IP address for each unit, while in the CLI they switch properly.
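The two CLI commands above (1.2 and 1.3) are easy to get subtly wrong, and a gateway outside the outside-interface subnet or a missing NAT ID means the FTD never reaches FMC once management moves to the data interface. Below is a small added helper, not from the page or from Cisco, that builds both commands and validates their inputs before you paste them into the FTD. The same management-data-interface one-liner is reused later on this page when changing the remote FTD public IP. Function names and the 203.0.113.10 FMC address are assumptions; the other sample values are the page's own.

```python
import ipaddress


def mgmt_data_interface_cmd(ip, netmask, gateway, interface):
    """Build the 'configure network management-data-interface' one-liner.

    Checks that the default gateway lies inside the interface subnet and is
    not the interface address itself; either mistake leaves the FTD with no
    usable path to FMC after management is moved to the data interface.
    """
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        raise ValueError(f"default gateway {gw} is not inside {net}")
    if gw == addr:
        raise ValueError("default gateway cannot equal the interface address")
    return (
        "configure network management-data-interface ipv4 manual "
        f"{ip} {netmask} default-gw {gateway} interface {interface}"
    )


def manager_add_cmd(reg_key, fmc_public_ip=None, nat_id=None):
    """Choose the right 'configure manager add' form.

    With a static NATed public IP on FMC the FTD is pointed at that address.
    Without one, DONTRESOLVE is used and a NAT ID is mandatory, because FMC
    needs it to match the device when the FTD initiates the connection.
    """
    if fmc_public_ip:
        ipaddress.IPv4Address(fmc_public_ip)  # raises on a malformed address
        return f"configure manager add {fmc_public_ip} {reg_key}"
    if not nat_id:
        raise ValueError("a NAT ID is required when FMC has no static public IP")
    return f"configure manager add DONTRESOLVE {reg_key} {nat_id}"


if __name__ == "__main__":
    # Values from the page; 203.0.113.10 is a constructed FMC public IP.
    print(mgmt_data_interface_cmd("10.10.6.8", "255.255.255.0", "10.10.6.1", "e1/1"))
    print(manager_add_cmd("Cisco123", nat_id="nat456"))
    print(manager_add_cmd("Cisco123", fmc_public_ip="203.0.113.10"))
```

Run it with an intentionally wrong gateway (say 10.10.7.1 with a /24 on 10.10.6.8) and it refuses to emit the command, which is the check worth doing before committing a change on a box you can only reach through that very interface.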


====FDM -Managing FTD from the Outside Interface ====

https://docs.defenseorchestrator.com/Configuration_Guides/Onboard_Devices_and_Services/Onboard_Firepower_Threat_Defense_Devices/0150_Managing_a_Firepower_Threat_Defense_Device_from_the_Outside_Interface_while_using_an_On-Premise_SDC


============

Change remote FTD public IP

No re-registration is required; follow these steps:

1. On the FTD

configure network management-data-interface ipv4 manual 10.10.6.8 255.255.255.0 default-gw 10.10.6.1 interface e1/1


2. On FMC

Edit the device: Device tab > Management, then edit "Remote Host Address".

Change the outside IP and default GW to match the firewall settings.


When deploying policy, you may see this:


Click "View details", review it and Acknowledge it.



=======reference============

Configure Manager Access on FTD from Management to Data Interface

