Firepower Deploy remote FTD

on

 1. Use FTD outside data interface

Note: This feature requires Firepower version 6.7 or later, only started to support HA from 7.4
FMC needs a public IP, or use DONTRESOLVE on FTD when add manager,  firewall rule is needed from FMC to FTD on TCP/8305, both direction if FMC has a static NATed public IP.  no IPS inspection. On PA, it is identified as ssl application, so should use service any instead of Application Default.

1.1 boot FTD, configure management interface IP 

1.2 configure network management-data-interface

> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
...........

or 
configure network management-data-interface ipv4 manual 10.10.6.8 255.255.255.0 default-gw 10.10.6.1 interface e1/1

1.3 Add manager

      When FMC doesn't have static NATed public IP
      configure manager add DONTRESOLVE Cisco123 nat456

      When FMC has a static NATed public IP
      configure manager add x.x.x.x Cisco123

1.4 FTD in HA mode

     register both FTD using outside interface, the create HA in FMC.
     when failover occurs, in FMC, the unit IPs still show pre-failover outside IP address, in CLI, they switched properly.


====FDM -Managing FTD from the Outside Interface ====

https://docs.defenseorchestrator.com/Configuration_Guides/Onboard_Devices_and_Services/Onboard_Firepower_Threat_Defense_Devices/0150_Managing_a_Firepower_Threat_Defense_Device_from_the_Outside_Interface_while_using_an_On-Premise_SDC


============

Change remote FTD public IP

no re-registration is required, follow these steps:


1. on FMC

Edit device,  Device tab > Management

1.1 Chane Manager Access Interface to "Data Interface"

1.2 Change "Remote Host Address" to remote FTD Outside interface IP



2. Enable Manager Access on outside interface


When deploy policy, may see this:


click "View details", review and Acknowledge it.


management port configuration is still needed, which is used to forward the management traffic to data interface using tap_nlp interface.



=======reference============

Configure Manager Access on FTD from Management to Data Interface

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222145-configure-manager-access-on-ftd-from-man.html

Comments

Post a Comment