topic Re: Help disabling FTD HA Encryption in Network Security

Help disabling FTD HA Encryption

Jordan-s — Tue, 04 Jan 2022 22:21:45 GMT

Hi all,

I moved to a new job couple months ago, and they are using CISCO FTD's. I am a PaloAlto guy and still learning about FTDs, and to be honest I am not a big fan of FTDs as they are not flexible and stable as Palos. Anyways, whoever built those FTDs they configured IPsec encryption on the HA link, and of course there is a bug causing FWs to get out of Sync due to the encryption on the HA link and the only way to fix the issue is to remove the encryption. I am using FMC to mange those FTDs. From reading about FTD HA configuration, seems the only way to disable the encryption is by deleting the HA group from FMC GUI and create a new one with encryption disabled. Not sure if that's the case, but would love to hear from FMC/FTD experts on how to solve this issue with minimum impact? is there a CLI command where I can execute from FMC and be done with it(I hope there is)

Thanks.

Re: Help disabling FTD HA Encryption

Marvin Rhoads — Wed, 05 Jan 2022 07:35:35 GMT

As you've surmised, "the only way to disable the encryption is by deleting the HA group from FMC GUI and create a new one with encryption disabled".

There's no cli-based method and it will be a disruptive change. That said, it is otherwise relatively straightforward

Re: Help disabling FTD HA Encryption

Jordan-s — Wed, 05 Jan 2022 13:53:54 GMT

Thanks for confirming Marvin. I really wish if CISCO adds CLI as an a configuration option to the FTDs, where we can show run, copy the script, modify it and update the configs without the need to touch GUI. Especially if the change involves big FW modifications.

Re: Help disabling FTD HA Encryption

Marvin Rhoads — Wed, 05 Jan 2022 14:00:59 GMT

For that, "api is the new cli".

But good luck as a newbie with the API. You will find some good examples online but API capabilities are not yet equal what you can do from FMC (by a long shot).