topic Re: Policy Based Routing on FTD (route-map) managed by FDM in Network Security

Policy Based Routing on FTD (route-map) managed by FDM

INFOTECH.jw — Tue, 24 Nov 2020 08:02:11 GMT

Hello Community,

on an FPR-1010 device (Version FTD 6.6.1), managed by FDM I want to do a simple static load distribution by using policy based routing.

On CISCO ASA it is easy like this example:

interface Vlan1
 nameif inside
 policy-route route-map ROUTEMAP-INET2-OUT

object-group service g-TCP-PORTS-INET2 tcp
 port-object eq www
 port-object eq https

access-list ROUTEMAP-ACL-INET2-OUT extended permit tcp any any object-group g-TCP-PORTS-DSL
access-list ROUTEMAP-ACL-INET2-OUT extended permit <WHATEVER-YOU-WANT-TO-SEND-VIA-INET2>

route-map ROUTEMAP-INET2-OUT permit 10
 match ip address ROUTEMAP-ACL-INET2-OUT
 set ip next-hop <IP-ADDRESS-OF-INET2-GATEWAY>

Implementing this on a FPR-1010 I have to use Smart CLI as explained in https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-route-maps.html

But I'm unable to configure next-hop (last line of code above)! As I saw the manual is only related to BGP Routing.

Any ideas to implement it without an FMC appliance?

Thanks for all input.

Re: Policy Based Routing on FTD (route-map) managed by FDM

Mohammed al Baqari — Tue, 24 Nov 2020 09:32:28 GMT

Hi,

I don't think you have other options. Either FMC GUI or FlexConfig.

*** please remember to rate useful posts

Re: Policy Based Routing on FTD (route-map) managed by FDM

milanjovanovic82 — Thu, 22 Apr 2021 13:27:08 GMT

Hello,

Flex config object doesn't give possibility to use route-map command it says

Blacklisted cli error.

Is there any other way to resolve this with FTD 6.6.1

Re: Policy Based Routing on FTD (route-map) managed by FDM

AlexeyFokanov31798 — Fri, 02 Jul 2021 12:54:49 GMT

how did you solve the problem?

Re: Policy Based Routing on FTD (route-map) managed by FDM

sparkf1 — Mon, 04 Oct 2021 17:20:27 GMT

"set ip next-hop" can be configured by using Smart CLI as the screenshot below.

I found that anything you can do in FMC, actually you can do it in FDM as well. FDM doesn't provide a GUI for all configurations, but basically you can do it by using "API Explorer".

For example, FDM doens't provide a way defining "set interface" command in route-map object, but you can do it by editing "route-map" object with the following code from "API Explorer". How do you know "id", "type", "version" and "name" of a interface? check Interface object from "API Explorer" you will get the answer.

{

"version": "dqxzjs2lg2tlc",

"name": "routemap01",

"description": null,

"entries": [

{

"sequence": 10,

"action": "PERMIT",

"interfaces": [

{

"id": "8d6c41df-3e5f-465b-8e5a-d336b282f93f",

"type": "physicalinterface",

"version": "mz2ho36wazdnw",

"name": "outside"

}

Re: Policy Based Routing on FTD (route-map) managed by FDM

sparkf1 — Mon, 04 Oct 2021 17:23:22 GMT

You can define route-map with "API Explorer" from FDM.

Re: Policy Based Routing on FTD (route-map) managed by FDM

engineer467 — Thu, 08 Sep 2022 17:43:32 GMT

How do we attach this route-map to an interface?

Thanks

Re: Policy Based Routing on FTD (route-map) managed by FDM

rschlayer — Fri, 09 Sep 2022 06:04:30 GMT

I believe it is only possible via FlexConfig using the command

policy-route route-map YOUR-ROUTEMAP-NAME

BR
Rick

Re: Policy Based Routing on FTD (route-map) managed by FDM

engineer467 — Fri, 09 Sep 2022 14:50:39 GMT

Thanks for the reply.

To attach it to inside interface, i think it will be-

interface Ethxx

policy-route route-map YOUR-ROUTEMAP-NAME

But I am afraid to test it in a live environment 😕