<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Same IP range for FTD Mgmt and data interface in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/same-ip-range-for-ftd-mgmt-and-data-interface/m-p/5256215#M1119299</link>
    <description>&lt;P&gt;I agree with&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/287680"&gt;@Sheraz.Salim&lt;/a&gt;, the management ports should be configured on a separate subnet, and even better in a proper out-of-band network, but I also understand that sometimes we need to adapt to certain requirements. If you have to have the management interfaces of your FTDs in the same segment as one of the data interfaces then at the very least you should configure the "Secure Shell" restriction in the FMC platform settings applied to that FTD. This will at least restrict the SSH access to that firewall, allowing only the defined IP addresses/subnet. If you are managing that firewall via FDM then you would need to do the same from the "Management Access" tab.&lt;/P&gt;</description>
    <pubDate>Mon, 03 Feb 2025 17:57:54 GMT</pubDate>
    <dc:creator>Aref Alsouqi</dc:creator>
    <dc:date>2025-02-03T17:57:54Z</dc:date>
    <item>
      <title>Same IP range for FTD Mgmt and data interface</title>
      <link>https://community.cisco.com/t5/network-security/same-ip-range-for-ftd-mgmt-and-data-interface/m-p/5255944#M1119279</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;Does anyone foresee any issues in configuring the same range of IP addresses on the management interface and one of the data interfaces?&lt;/P&gt;&lt;P&gt;We have a complex setup here, and we believe this could ease it up a bit.&lt;/P&gt;&lt;P&gt;Thanks,&lt;BR /&gt;Dodzi&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 03 Feb 2025 04:32:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/same-ip-range-for-ftd-mgmt-and-data-interface/m-p/5255944#M1119279</guid>
      <dc:creator>Dodzi</dc:creator>
      <dc:date>2025-02-03T04:32:36Z</dc:date>
    </item>
    <item>
      <title>Re: Same IP range for FTD Mgmt and data interface</title>
      <link>https://community.cisco.com/t5/network-security/same-ip-range-for-ftd-mgmt-and-data-interface/m-p/5256022#M1119283</link>
      <description>&lt;P&gt;The management interface is typically used for administrative tasks and should ideally be isolated from user or data traffic for security reasons. Sharing an IP range with a data interface may expose the management interface to unintended risks unless strict access control policies are implemented. A very similar question has already been asked here in this community &lt;A href="https://community.cisco.com/t5/network-security/management-vs-data-interface-for-ftd-management/td-p/5009523" target="_self"&gt;Here is the link&lt;/A&gt; and &lt;A href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222145-configure-manager-access-on-ftd-from-man.html" target="_self"&gt;This one too&lt;/A&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Instead of using the same IP range, consider using a separate subnet for the management interface while leveraging a data interface for FMC communication if needed.&lt;/P&gt;</description>
      <pubDate>Mon, 03 Feb 2025 09:34:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/same-ip-range-for-ftd-mgmt-and-data-interface/m-p/5256022#M1119283</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2025-02-03T09:34:49Z</dc:date>
    </item>
    <item>
      <title>Re: Same IP range for FTD Mgmt and data interface</title>
      <link>https://community.cisco.com/t5/network-security/same-ip-range-for-ftd-mgmt-and-data-interface/m-p/5256215#M1119299</link>
      <description>&lt;P&gt;I agree with&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/287680"&gt;@Sheraz.Salim&lt;/a&gt;, the management ports should be configured on a separate subnet, and even better in a proper out-of-band network, but I also understand that sometimes we need to adapt to certain requirements. If you have to have the management interfaces of your FTDs in the same segment as one of the data interfaces then at the very least you should configure the "Secure Shell" restriction in the FMC platform settings applied to that FTD. This will at least restrict the SSH access to that firewall, allowing only the defined IP addresses/subnet. If you are managing that firewall via FDM then you would need to do the same from the "Management Access" tab.&lt;/P&gt;</description>
      <pubDate>Mon, 03 Feb 2025 17:57:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/same-ip-range-for-ftd-mgmt-and-data-interface/m-p/5256215#M1119299</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2025-02-03T17:57:54Z</dc:date>
    </item>
  </channel>
</rss>

