03-18-2018 03:12 AM - edited 02-21-2020 07:31 AM
Hi Team,
I need support on best practices for configuring an NGFW 2100 appliance.
What I have on hand is an FTD 2210 appliance with AMP, URL, and IPS/IDS licenses, and an FMC VM.
But our current firewall (FortiGate) is going to expire in the coming days, and the VM for FMC is not prepared yet. Management wants to deploy the appliance without waiting for FMC to be in service.
After a lot of reading I am confused, since we have deployed many ASA 5500-X series firewalls through ASDM and later connected them to FMC.
So what would be the best practice to deploy or migrate the current one without FMC, and then add it to FMC one month later when the VM is ready?
What would be the best way to deploy: via FDM, FCM, or ASDM?
Please shed some light on this. It's urgent.
03-18-2018 11:00 PM
Changing an FTD device from local FDM management to remote FMC management clears all of the policies on that device. As long as you are OK with that impact then you can switch from one to the other. Only after you have re-deployed new policies from FMC to replace the ones previously configured via FDM will your firewall be doing what it was doing before. Any historical reporting (ONLY available from FMC) will begin from that moment onwards.
1. As noted above.
2. FDM cannot create or configure HA pairs of FTD devices.
3. Yes - as I noted in an earlier reply.
4. ISP load balancing isn't practical on any FTD scenario except for some rudimentary policy-based routing. PBR is generally ineffective for incoming traffic and only marginally useful for outgoing traffic (in my opinion).
If you're a Cisco integrator have you availed yourself of ANY training options available for partners? If you're not a partner have you tried any of the publicly available training? (courses, Cisco Live presentations, books etc.)
03-18-2018 04:00 AM
A 2100 series with FTD image can be managed via FDM (local manager) or FMC (remote manager).
If you start with FDM and then later change to FMC the configuration will be wiped out and you must recreate everything in FMC. You cannot export from FDM and import into FMC.
You would also need to release your Smart licenses from FDM and then register them via FMC.
ASDM is not an option for FTD devices of any type.
03-18-2018 06:25 AM
03-18-2018 07:49 AM
1. Have you looked at the Quick Start guides on the product support page? There is one for both FDM and FMC management here:
2. FDM gives you most (but not all) of the firewall features including the ones you mentioned. Some more advanced things like etherchannels, FlexConfigs, and historical reporting are not included in FDM (as of the current release, 6.2.2).
3. Yes.
4. One or the other (FDM or FMC) but not both.
5. If you use FDM for a given device it cannot also connect to FMC (even if you only want that for reporting). It is only one or the other. NEVER both.
03-18-2018 09:20 AM
03-22-2018 07:42 PM
03-22-2018 08:14 PM
ECMP is not supported across multiple interfaces.
See the configuration guide here for confirmation:
03-23-2018 11:15 AM
03-23-2018 11:21 PM
You could NAT your MPLS connection that goes to the "outside" data port and then put the management interface in the "inside" network. It's a bit tricky though since you need connectivity to the FMC first to put the NAT policy in place.
I posted the following in a similar thread several months back and it may be useful for this conversation as well:
Essentially you are left with four options:
• As of version 6.1 of the FTD software, there is an on-box manager called the Firepower Device Manager. However, it is only available for physical appliances. This means that any virtual FTD devices won’t be able to use the Firepower Device Manager and are only configurable via the FMC. Additionally, even if you used the Firepower Device Manager, once you have the FTD device configured and you wanted to “switch over” to having it managed by the FMC, all its data plane configuration is wiped out in preparation for the FMC to push a new configuration down. So the Firepower Device Manager should only be used when you want to manage each remote/branch location in a decentralized fashion.
• Have a router at the remote/branch location already configured with a VPN/MPLS link to the HQ LAN so that the FTD’s management interface can have an internal IP address yet still have a data path to the FMC prior to configuring the data plane.
• Put the FTD’s Management NIC on the public facing side of the network with a public IP.
• Pre-configure the FTD’s Data Interfaces, Routing, and Policies while it is connected to a LAN that gives IP access to the FMC, for example via a staging/lab environment that can emulate the remote/branch location’s network design. This option is the most dangerous of all because once this FTD is installed at the remote/branch location its data path to its management interface is through itself. This means that a misconfiguration of the data plane could sever the management NIC’s access to the FMC, thus severing your ability to undo the configuration change!
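The last option above (management NIC on the inside LAN, so the FTD's own data plane carries its traffic to the FMC) is the one where a bad push locks you out. The following is an added example, not code from this thread or from Cisco: a pre-deployment check that simulates the management flow (FTD management IP to FMC, sftunnel TCP 8305) against a proposed routing table and access-control rule list, using longest-prefix match and first-match semantics, and refuses to deploy when the FMC would no longer be reached through the expected egress interface. All addresses, interface names and the three sample configurations are constructed for illustration.

```python
"""Simulate the FTD-to-FMC management flow against a candidate data-plane
config before deploying it (added example; hypothetical model, not Cisco code).

Assumptions (constructed): branch inside LAN 10.20.0.0/24 holds the FTD
management NIC (10.20.0.5); the FMC lives at HQ (10.1.1.10) and is reached
through the "outside" interface; FMC<->FTD sftunnel uses TCP 8305.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SFTUNNEL_PORT = 8305  # management channel between FMC and FTD


@dataclass
class Route:
    prefix: str      # e.g. "0.0.0.0/0"
    next_hop: str
    interface: str


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network
    dst: str                 # destination network
    dst_port: Optional[int]  # None means any port


def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match, as a forwarding table would resolve dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    for r in routes:
        if ip in _net(r.prefix):
            if best is None or _net(r.prefix).prefixlen > _net(best.prefix).prefixlen:
                best = r
    return best


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Optional[Rule]:
    """Ordered policy: first matching rule wins; no match means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        port_ok = rule.dst_port is None or rule.dst_port == dst_port
        if s in _net(rule.src) and d in _net(rule.dst) and port_ok:
            return rule
    return None


def management_path_ok(routes: List[Route], rules: List[Rule], mgmt_ip: str,
                       fmc_ip: str, expected_egress: str) -> Tuple[bool, str]:
    """Return (ok, reason): would the management NIC still reach the FMC?"""
    route = lookup(routes, fmc_ip)
    if route is None:
        return False, "no route to FMC"
    if route.interface != expected_egress:
        return False, f"FMC routed via {route.interface}, expected {expected_egress}"
    rule = first_match(rules, mgmt_ip, fmc_ip, SFTUNNEL_PORT)
    if rule is None or rule.action != "allow":
        return False, "management -> FMC TCP 8305 is not permitted by policy"
    return True, f"ok via {route.interface}, next hop {route.next_hop}"


# --- constructed sample configurations -------------------------------------
def good_config() -> Tuple[List[Route], List[Rule]]:
    routes = [Route("0.0.0.0/0", "203.0.113.1", "outside"),
              Route("10.20.0.0/24", "0.0.0.0", "inside")]
    rules = [Rule("allow", "10.20.0.0/24", "10.1.1.10/32", SFTUNNEL_PORT),
             Rule("deny", "10.20.0.0/24", "0.0.0.0/0", None)]
    return routes, rules


def broken_route_config() -> Tuple[List[Route], List[Rule]]:
    """A more-specific route for HQ mistakenly pointed at the DMZ interface."""
    routes, rules = good_config()
    return routes + [Route("10.1.0.0/16", "192.168.50.1", "dmz")], rules


def broken_acl_config() -> Tuple[List[Route], List[Rule]]:
    """A blanket deny inserted above the sftunnel allow rule."""
    routes, rules = good_config()
    return routes, [Rule("deny", "10.20.0.0/24", "10.0.0.0/8", None)] + rules


if __name__ == "__main__":
    for name, cfg in [("good", good_config()), ("bad route", broken_route_config()),
                      ("bad acl", broken_acl_config())]:
        ok, why = management_path_ok(*cfg, "10.20.0.5", "10.1.1.10", "outside")
        print(f"{name:10s} deploy={'YES' if ok else 'NO '}  {why}")
```

Run it as a gate in whatever pushes the staged config: if `management_path_ok` returns `False`, do not deploy, because the FMC would have no way to push the fix afterwards. The model deliberately ignores NAT and VPN crypto maps; extend `Rule`/`Route` if those are part of the path at your site.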
11-27-2018 07:53 AM
Hello,
I am replying to an old thread so hopefully this works.
If we change from a 2110 Firepower that was locally managed by a FDM to a centrally managed one by FMC, do we lose only the policies/objects or do we lose all configuration? (interface, routing, SSL VPN, etc)?
Thx!
11-27-2018 08:00 AM
11-27-2018 08:05 AM
That stinks...but good to know. Thanks!