FTDv in Azure, FDM managed and Identity source access

amitev
Level 1

Hi Everyone,

Having some problems with FTDv, in particular which interface FTDv will use to access the Identity servers (ISE, MS RADIUS, etc.).

Standard FTDv deployment in Azure, 4 interfaces: mgmt (public IP), diag, in and out (public IP as well). Site-to-site with on-prem FW, and all Identity services are located on-prem through the tunnel.

No luck accessing any of the on-prem Identity services through the tunnel, so my best guess is that it uses the mgmt interface for these tasks, but in this case mgmt is a dead end; it goes to the Internet. Also tried some fancy Azure routing that was working on older FTDv versions but obviously not on 6.7.0-65.

So, pretty much stuck now, and any idea will be much appreciated.

2 Replies

amitev
Level 1

I found my solution. It is actually the old one.

New route table on the mgmt subnet, with a new route to the network where the identity services are, with next hop the internal interface of the FTDv, and voila.

In some cases, both mgmt and the internal subnet have to be associated with this new route table.
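The user-defined route described in the reply above, expressed as Azure CLI steps. This is an added example and not part of the original thread; the resource group, VNet, subnet names, the identity-services prefix (10.50.0.0/24) and the FTDv inside-interface IP (10.10.2.4) are constructed placeholders. By default the script only prints the `az` commands (dry run); set `AZ=az` to execute them against a subscription.

```shell
#!/bin/sh
# Added example (not from the original thread): Azure UDR that sends traffic
# from the FTDv mgmt subnet toward the on-prem identity services via the
# FTDv inside interface, so it is carried over the site-to-site tunnel.
set -eu

# AZ defaults to "echo" so the commands are printed, not executed.
# Run with AZ=az to apply them for real.
AZ="${AZ:-echo}"

RG="${RG:-rg-ftdv-example}"                  # constructed resource group name
LOCATION="${LOCATION:-westeurope}"           # assumed region
VNET="${VNET:-vnet-ftdv}"                    # constructed VNet holding the FTDv subnets
MGMT_SUBNET="${MGMT_SUBNET:-mgmt}"           # FTDv management subnet
INSIDE_SUBNET="${INSIDE_SUBNET:-inside}"     # FTDv inside (internal) subnet
IDENTITY_PREFIX="${IDENTITY_PREFIX:-10.50.0.0/24}"  # constructed on-prem identity network
FTDV_INSIDE_IP="${FTDV_INSIDE_IP:-10.10.2.4}"        # constructed FTDv inside-interface IP
RT_NAME="${RT_NAME:-rt-mgmt-to-identity}"            # constructed route table name

# Create the route table and the one route that matters: the identity
# services prefix with next hop = the FTDv inside interface (a virtual
# appliance from Azure's point of view).
create_identity_route_table() {
  "$AZ" network route-table create \
    --resource-group "$RG" --location "$LOCATION" --name "$RT_NAME"

  "$AZ" network route-table route create \
    --resource-group "$RG" --route-table-name "$RT_NAME" \
    --name to-identity-services \
    --address-prefix "$IDENTITY_PREFIX" \
    --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$FTDV_INSIDE_IP"
}

# Associate the route table with the mgmt subnet and, as the reply notes is
# sometimes required, with the inside subnet as well.
associate_route_table() {
  for subnet in "$MGMT_SUBNET" "$INSIDE_SUBNET"; do
    "$AZ" network vnet subnet update \
      --resource-group "$RG" --vnet-name "$VNET" --name "$subnet" \
      --route-table "$RT_NAME"
  done
}

# List the routes in the table so the UDR can be confirmed after applying.
show_routes() {
  "$AZ" network route-table route list \
    --resource-group "$RG" --route-table-name "$RT_NAME" --output table
}

create_identity_route_table
associate_route_table
show_routes
```

Verify afterwards from the FTDv side (for example a test authentication against ISE or RADIUS, or a packet capture on the inside interface) that identity traffic now leaves via the inside interface rather than the mgmt interface's Internet path.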

 

You cannot use both the FDM and FMC to manage an FTD installed in a Firepower 2100. Once the FDM On-Box management is enabled on the Firepower 2100 FTD, it won't be possible to use an FMC to manage the FTD, unless you disable the local management and re-configure the management to use an FMC. On the other hand, registering the FTD to an FMC disables the FDM On-Box management service on the FTD.

https://www.cisco.com/c/en/us/support/docs/security/firepower-2100-series/213519-configure-fdm-firepower-device-manageme.html
