It's been 2 years since this request was submitted. How long does it take to merely un-blacklist a command for FTD?
My workaround: Deploy a Raspberry Pi to provide specific DNS servers through DHCP to the VLAN where the Cisco Next-Generation Firewall 1140 cannot.
To be blunt and honest, FMC is not ideal for many customers who deploy remotely managed firewalls, and to inject my own opinion, it's horrid to even look at and requires connectivity to the end-device over the Internet or through VPN/WAN. Local configuration is still a widely accepted and utilized method of management. Hence, customers still have a choice to stay with ASA code. That said, Cisco is missing a major success opportunity by not supporting a 1:1 configuration compatibility with ASA, and refusing to make even FDM easier to work with.
This isn't a bug. It's bad judgement.
You can't even do this in FlexConfig, which is unfortunate. Why bringing DHCP flexibility back to the smaller FirePower devices with any sense of urgency is really beyond me. Whoever decided to remove DHCP options, DNS per pool, and DHCP on sub-interfaces didn't seem to think this function through. It's quite debilitating now, to say the very least.
Here is my hack for this issue.
In expert mode and sudo su:
(Just paste your version of this command into the sudo CLI, and the FTD is updated instantly.)
LinaConfigTool "dhcpd dns 184.108.40.206 220.127.116.11 interface [interface]"
...where the interface attribute places the DNS server into the correct pool.
This is not a perpetual change, unfortunately. You must re-apply this command every time you deploy changes to the device, because the deployment code overwrites what was there as if it's updating a file and pushing the file into the running-config.
I'm currently having to do this for multiple offices now, and the Network Engineers that see this are just as baffled as I am why this was ripped out! I'd honestly feel better about manually (or automating through Ansible), editing .conf files than using FDM, and even less, FMC.
"simplicity doesn't always solve the problem"
I just got hold of my first Firepower 1010 after using PIXs and ASAs for many years. Finding out that the CLI has been ripped out from the device had me concerned from the outset.
We have multiple different networks sat behind our firewalls sometimes on different domains requiring different DNS servers. It seems very odd that something as fundamental as specifying custom DNS servers for a particular subnet is not possible. Also what is the point of being able to add mutiple DNS server groups if you are not able to individually apply these to interfaces.
Disappointed so far, and hope I find a way to overcome some of these shortfalls. Thanks for your suggested solutions, but they each come with their own headaches. I want to manage this all from the one device without any fuss. Looks like FTD is going to fall well short of the mark for me. Worse still with the 5506-X (of which we have many) now end of life on face value I can't see this is being an appropriate replacement. Obviously you can run the Firepower 1010 with the ASA code but then you lose Firepower. What a backwards step.
Has it been confirmed whether this is achievable in FMC? i.e. is this limitation only present in FDM and not newer versions of FMC.
I'm currently (finally Cisco figured out how to finish my access) piloting CDO (Cisco Defense Orchestrator), which has a more Meraki approach/feel, and I'm impressed Cisco took the architecture of Meraki to heart here. The FirePower device "calls home" like a Meraki device does (although ASA should have this functionality built-in as well, they don't), and you can then configure the firewall. You can even configure the FirePower locally and import it into CDO, along with the entire config, automatically (I've not 100% verified yet) It's not perfect, yet, as there are some very basic opportunities Cisco really missed the boat on, such as the device itself being smart when it is orphaned from CDO after fouling up a change like changing the external interface from DHCP to static and forgetting the default route.
It does NOT offer separate DNS servers per interface, however! I'm just sad that Cisco leaves out this critical, very basic feature.
That said, CDO should be free. If Cisco charges for CDO management, they're missing a real opportunity! Include CDO with Tech Support like Meraki does! Don't make it a separate purchase, please! Meraki were real game-changers. Who's idea it was to buy the Meraki company single-handily saved Cisco from losing this incredible market-share. Time will tell if Cisco truly makes the best use of Meraki's concepts! But make it free with SmartNet!
We have been considering CDO too. That will now depend on whether these new devices are fit for our puposes or not. I see that the 5508-X and 5516-x are not end of life yet, but I suppose it will only be a matter of time. There does still seem to be a commitment to the ASA code moving forward but if you can't run Firepower on the device at the same time it kind of defeats the object.
LinaConfigTool "dhcpd dns 18.104.22.168 22.214.171.124 interface [interface]"
command persist through reboots? It is so frustrating to know that the options are there under the hood but can't actually be used in a meaningful way.
Yes, I believe Cisco fails to exhibit the concepts between ASA w/FirePower vs. FTD/NGFW. The problem is that Cisco never takes the time to really and thoroughly illustrate the differences between the two and the evolution. Back when WebSense was introduced I think too many people (myself included) didn't fully understand how this worked.
Cisco can't simply upgrade the CPU/mother-board hardware in an ASA. It's a massive change to them, because the CPU/MB hardware in the ASA's is rather old. Cisco is like Acura/Honda in that they don't seem to adopt new hardware unless it has been thoroughly tried out by the rest of the industry. It helps with reliability, at least.
That said, NGFW w/FTD are decisively lower throughput than a FirePower device running ASA code only. Much of this I attribute to the IPS (Snort) being slow, likely due to Cisco using low-end PC hardware to run it, and database query type systems like this really need a lot of power.
CDO looks nice, but is cripplingly slow in my tests. Same for FDM and FMC. There's no way I can work on any type of Production issue at this speed using what Cisco has developed today. ASA w/ASDM and CLI are still blazingly fast in comparison, and I may be forced to stick with those in order to work faster. CDO hardly even recognizes changes that need to be deployed for at least 15-20 seconds, and perhaps even a browser refresh.
6.6.0 FTD code and dhcpd dns is still black-listed. What gives??
I tested the Meraki MX64 recently as an alternative to the new FTD devices. No issues setting up different DHCP/DNS options on the Meraki device. Vastly reduced feature set on the Merakis comapred to the ASA but seeing as the new FTDs seem to be feature limited we are seriously looking at the Merakis now. No need for FMC and a decent management portal.
Yes, Meraki does support this. Unfortunately, yes, Meraki is very limited in other ways. Ironic.