https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4696968#M1093863 <P>Hi, Marvin.</P><P>Will Cisco support FMC4500 to have multiple NICs / IPs to manage different FTDs? I am thinking to put an extra FMC NIC (eth1) to have an IP address in the same subnet as FTD's management interface, so this connection won't be lost and I can use FMC (eth1) to change ACP of the FTD when FMC eth0 is lost network connectivity. Thanks.</P><P>Leo</P> Fri, 30 Sep 2022 20:12:22 GMT a12288 2022-09-30T20:12:22Z https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4693270#M1093647 <P>We have a need to manually change FTD Access Control Policy assignment via CLI in the event of maintenance or outage. Our FTD is being managed by FMC however our FMC is not on out-of-bound network but rather hosted in the inside zone data plane.</P><P>We would need to SSH to FTD and switch FTD ACP to a permit any-any like ACP via CLI (while FMC is unreachable) in order to let&nbsp; certain traffics passing though FTD, and switch back to production ACP afterwards. Is it possible? Thanks.</P><P>Leo</P> Sun, 25 Sep 2022 04:43:27 GMT https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4693270#M1093647 a12288 2022-09-25T04:43:27Z https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4693975#M1093672 <P>As far as I know, what you are asking is not possible. On an FTD device that is registered to an FMC manager, only the managing FMC can change the ACP.</P> Mon, 26 Sep 2022 17:37:06 GMT https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4693975#M1093672 Marvin Rhoads 2022-09-26T17:37:06Z https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4694845#M1093700 <P>Since I am able to use LinaConfigTool to modify routing table so I am hoping there is something similar to modify ACP, in the event of&nbsp; FTD lost access to FMC.</P> Tue, 27 Sep 2022 16:54:01 GMT https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4694845#M1093700 a12288 2022-09-27T16:54:01Z https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4695251#M1093721 <P>There is a new feature in 7.2 that may help with your use case. It is as follows:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD> <P class="p">Auto rollback of a deployment that causes a loss of management connectivity.</P> </TD> <TD> <P class="p">You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and the threat defense to go down. Previously, you could only manually rollback a configuration using the <SPAN class="ph synph"><SPAN class="keyword kwd">configure policy rollback</SPAN> </SPAN> command.</P> <P class="p">New/modified screens:</P> <UL class="ul"> <LI class="li"> <P class="p"><SPAN class="ph uicontrol">Devices &gt; Device Management &gt; Device &gt; Deployment Settings</SPAN></P> </LI> <LI class="li"> <P class="p"><SPAN class="ph uicontrol">Deploy &gt; Advanced Deploy &gt; Preview</SPAN></P> </LI> <LI class="li"> <P class="p"><SPAN class="ph uicontrol">Deploy &gt; Deployment History &gt; Preview</SPAN></P> </LI> </UL> <P class="p">For more information, see <A class="xref" href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/get-started-device-management.html" target="_blank" rel="noopener">Device Management</A> in the device configuration guide.</P> </TD> </TR> </TBODY> </TABLE> Wed, 28 Sep 2022 09:16:00 GMT https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4695251#M1093721 Marvin Rhoads 2022-09-28T09:16:00Z https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4696968#M1093863 <P>Hi, Marvin.</P><P>Will Cisco support FMC4500 to have multiple NICs / IPs to manage different FTDs? I am thinking to put an extra FMC NIC (eth1) to have an IP address in the same subnet as FTD's management interface, so this connection won't be lost and I can use FMC (eth1) to change ACP of the FTD when FMC eth0 is lost network connectivity. Thanks.</P><P>Leo</P> Fri, 30 Sep 2022 20:12:22 GMT https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4696968#M1093863 a12288 2022-09-30T20:12:22Z https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4697161#M1093878 <P>You can (and always have been able to) use the second (or third etc.) NIC in an FMC to manage devices. It comes down to the routing for that NIC and managed devices. As long as that is working as desired in the underlying OS (Linux) then the FMC application will use the best route to reach the managed devices. You need to be sure to understand it from the device side as you add the manager by its IP address and that must be the same as the NIC of the FMC that will be used for that device.</P> Sun, 02 Oct 2022 03:08:59 GMT https://community.cisco.com/t5/network-security/change-fmc-managed-ftd-access-control-policy-assignment-via-cli/m-p/4697161#M1093878 Marvin Rhoads 2022-10-02T03:08:59Z