topic Re: Setting up FTD on 4110: Management and failover interfaces setup in Network Security

Setting up FTD on 4110: Management and failover interfaces setup

ABaker94985 — Tue, 22 Jun 2021 20:31:23 GMT

We are in the process of deploying an FTD on a 4110. We have access to the web interface of the firewall chassis manager and the fxos via ssh. I uploaded FTD-6.6.4 onto the appliance, and I'm trying to create a logical FTD device. There is the one management interface and four 10Gbps interfaces. I've selected Native instance type and Standalone usage. Here is what I can't figure out as I read through the Cisco documentation:

1) The management interfaces for FCM doesn't appear to be usable by the FTD, but there is no way I want to use a 10 Gbps interface. Is there a way to use the management interface for the chassis? There isn't an option to select this when creating a logical device.

2) We're wanting to use HA, but again I don't want to use a dedicated 10 Gbps module for failover and stateful. Is it possible to use a subinterface of one of the data interfaces?

Thank you.

Re: Setting up FTD on 4110: Management and failover interfaces setup

Chakshu Piplani — Wed, 23 Jun 2021 06:55:48 GMT

1) You will need to use an interface from the network module as a mgmt interface for communication with FMC/using it for mgmt as FDM. 6.7 does have a feature to use data interface for mgmt, but it can be used only for standalone units and not for HA.

2) You can use an unused, but enabled, data interface (physical) as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface can only be used for the failover link (and also for the state link). You cannot use a management interface or a subinterface for failover.

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-ha.html#concept_ud1_j2b_d3b

HTH

Regards,

Chakshu

Do rate helpful posts !

Re: Setting up FTD on 4110: Management and failover interfaces setup

Marvin Rhoads — Wed, 23 Jun 2021 08:28:04 GMT

Like @Chakshu Piplani noted, you always have to allocate at least two of the physical data interfaces on a 4100 series (or 9300 series) HA pair:

(1) FTD management and

(2) failover

The "GE Mgmt" interface is only for chassis management. While you can get to the ftd cli through it, it requires some commands post-login and thus is not generally usable for system operations - only for manual troubleshooting in a pinch.

That's true up through the (current) latest 7.0 release.