topic FTD1120 diagnostic port IP configuration in Network Security

FTD1120 diagnostic port IP configuration

tato386 — Mon, 11 Apr 2022 14:24:54 GMT

I am currently managing an FTD from FMC using an IP address that is linked to the FTD's management port. This is confirmed because if I physically remove the network cable from the port I lose connectivity to the FTD. However, on the FMC device management screen the port does not show as having an IP and is configured for DHCP? Should I add the management IP in there or leave things alone? Is this an expected behavior/configuration?

Thanks,

Diego

Re: FTD1120 diagnostic port IP configuration

balaji.bandi — Mon, 11 Apr 2022 14:39:40 GMT

we are not sure, is this FMC Virtual or Physical ?

as Long as FTD able to reach FMC that means working...

So the question is , if the Manangment port not configured, how are these commnunicating ?

Re: FTD1120 diagnostic port IP configuration

tato386 — Mon, 11 Apr 2022 15:04:06 GMT

Hello BB,

The FTD is physical and yes, all is working. I am running traffic thru it, I have NAT and ACP rules, I can see connection events, push policies, etc.

But according to the FMC device management you would think it should not be because the diag int does not have an IP and is not enabled for management. See attached pics

Re: FTD1120 diagnostic port IP configuration

Rob Ingram — Mon, 11 Apr 2022 15:13:39 GMT

@tato386 Leave things alone unless you need to use the diagnostics interface, it's optional.

The Diagnostic logical interface can be configured along with the rest of the data interfaces on the Devices > Device Management > Interfaces screen. Using the Diagnostic interface is optional (see the routed and transparent mode deployments for scenarios). The Diagnostic interface only allows management traffic, and does not allow through traffic. It does not support SSH; you can SSH to data interfaces or to the Management interface only. The Diagnostic interface is useful for SNMP or syslog monitoring.

The Management interface is separate from the other interfaces on the device. If you change the IP address at the CLI after you add it to the Firepower Management Center, you can match the IP address in the Firepower Management Center in the Devices > Device Management > Devices > Management area.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/interface_overview_for_firepower_threat_defense.html

Re: FTD1120 diagnostic port IP configuration

balaji.bandi — Mon, 11 Apr 2022 15:46:45 GMT

that is diag interface, there is nothing to worry - leave it as it is..you are good now.

Re: FTD1120 diagnostic port IP configuration

tato386 — Tue, 12 Apr 2022 18:55:28 GMT

I guess the name "diagnostic" threw me off. Now I realize this is same as ASA/SFR whereby the ASA's management interface is shared with SFR but configured separately.

Thank you!