FTDv/NGFWv in AWS BVI issue

scott.owen@zii.aero — Fri, 21 Feb 2020 16:58:22 GMT

Hi,

I've deployed an FTDv/NGFWv in an AWS VPC, changed the firewall mode to transparent, and registered it to an FMCv. I've attached two additional network interfaces to the FTDv in the same subnet "192.168.1.0/24". Now when I try to create a BVI interface and enter 192.168.1.0/24 into the IPv4 configuration I get an error "Invalid value of IPv4 address or subnet or network overlap". No matter what network range I try to put in 192.168.1.0/32 or 192.168.0.0/24 (the management interface network) I get the same error and cannot create the BVI interface.

Note: Per instructional videos I have disabled AWS's Source and Destination check on the attached network interfaces and the EC2 instnaces of FTDv and FMCv.

Here's the current IPv4 network config and interface statistics.

show network
===============[ System Information ]===============
Hostname : mgt-rts-ftdv1
DNS Servers : 8.8.8.8
8.8.4.4
Management port : 8305
IPv4 Default route
Gateway : 192.168.0.1

======================[ eth0 ]======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 0E:D4:6A:88:83:DE
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.0.12
Netmask : 255.255.255.0
Broadcast : 192.168.0.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

> show interface
Interface GigabitEthernet0/0 "", is administratively down, line protocol is up
Hardware is ixgbevf, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0ee7.7b8d.7c4a, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Interface GigabitEthernet0/1 "", is administratively down, line protocol is up
Hardware is ixgbevf, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0e02.3d4e.d6fa, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Interface Management0/0 "diagnostic", is up, line protocol is up
Hardware is en_vtun rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is unsupported
MAC address 0eb1.f241.99e4, MTU 1500
IP address unassigned
211 packets input, 12216 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (0/0)
output queue (blocks free curr/low): hardware (0/0)
Traffic Statistics for "diagnostic":
211 packets input, 9262 bytes
0 packets output, 0 bytes
16 packets dropped
1 minute input rate 0 pkts/sec, 2 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 2 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets

Best regards,

Scott Owen

Re: FTDv/NGFWv in AWS BVI issue

scott.owen@zii.aero — Fri, 22 Mar 2019 21:39:31 GMT

I found out from our vendor that FTDv/NGFWv in transparent mode is not supported in AWS.

Re: FTDv/NGFWv in AWS BVI issue

WilliamJacobson — Sun, 24 Mar 2019 12:10:10 GMT

Thank you Scot!

topic FTDv/NGFWv in AWS BVI issue in Network Security

FTDv/NGFWv in AWS BVI issue

Re: FTDv/NGFWv in AWS BVI issue

Re: FTDv/NGFWv in AWS BVI issue