Firepower 2100 series best management configuration way ( FMC/ASDM/FDM)

animesh.mishra (Level 1)

Hi Team,

I need support on configuring an NGFW 2100 appliance following best practice.

What I have on hand is an FTD 2210 appliance with AMP, URL and IPS/IDS licenses, and an FMC VM.

But our current firewall (FortiGate) is going to expire in the coming days, and the VM for FMC is not prepared yet. Management want to deploy the appliance without waiting for FMC to be in service.

After a lot of reading, the big question in my mind still confuses me. We have deployed many ASA 5500-X series firewalls through ASDM and later connected them to FMC.

So what would be best practice to deploy or migrate the current one without FMC, and then add FMC a month later when the VM is ready?

What would be the best way to deploy: via FDM, FCM or ASDM?

Please shed some light on it. It's urgent.


Marvin Rhoads (Hall of Fame)

A 2100 series with FTD image can be managed via FDM (local manager) or FMC (remote manager).

If you start with FDM and then later change to FMC, the configuration will be wiped out and you must recreate everything in FMC. You cannot export from FDM and import into FMC.

You would also need to release your Smart licenses from FDM and then register them via FMC.

ASDM is not an option for FTD devices of any type.

Hi Marvin,
Many thanks for the reply.
1. But what about the initial configuration? From which one, FDM or FMC, do I have to do it? Do we have any guide on that?
2. Limitations of FDM: do we get all features via FMC, like SSL VPN, AMP, URL, IPS/IDS, AVC etc.?
3. We are planning to set up FMC at another location, far from the appliance, connected over MPLS. Will it work?
4. Interface settings, routing settings, services: can all of these be done at once by either FMC or FDM?
5. Can we do configuration and administration from a remote location on FDM and reporting through FMC? Is that possible?

It's a lot of configuration. If you have a guide on that, please share.

Thanks

1. Have you looked at the Quick Start guides on the product support page? There is one for both FDM and FMC management here:

https://www.cisco.com/c/en/us/support/security/firepower-2100-series/products-installation-guides-list.html

2. FDM gives you most (but not all) of the firewall features, including the ones you mentioned. Some more advanced things like EtherChannels, FlexConfigs and historical reporting are not included in FDM (as of the current release, 6.2.2).

3. Yes.

4. One or the other (FDM or FMC), but not both.

5. If you use FDM for a given device, it cannot also connect to FMC (even if you only want that for reporting). It is only one or the other. NEVER both.

Many thanks Mr. Marvin!!
I agree with and accept the first four points above as the solution, but I don't understand point no. 5. If we want to configure the FTD via FDM for initial setup, administration and operation, then how come I am not able to use FMC for reporting, as per your point?

A few more clarifications on the subject; please enlighten me.

1. If we get approval from management to use FDM, as we have limitations implementing FMC, then what will happen with the FMC-VM version we have procured?
2. If we use FDM after clearance of the above point, as we don't have any other option, can we do configuration for HA, A/A or A/P?
3. Can we do remote SSL VPN for clients?
4. If we use FDM after clearance of the above point, as we don't have any other option, can we do load balancing over two different ISP ILL links?

Thanks again!!

Changing an FTD device from local FDM management to remote FMC management clears all of the policies on that device. As long as you are OK with that impact, then you can switch from one to the other. Only after you have re-deployed new policies from FMC to replace the ones previously configured via FDM will your firewall be doing what it was doing before. Any historical reporting (ONLY available from FMC) will begin from that moment onwards.

1. As noted above.

2. FDM cannot create or configure HA pairs of FTD devices.

3. Yes - as I noted in an earlier reply.

4. ISP load balancing isn't practical in any FTD scenario except for some rudimentary policy-based routing. PBR is generally ineffective for incoming traffic and only marginally useful for outgoing traffic (in my opinion).

If you're a Cisco integrator, have you availed yourself of ANY training options available for partners? If you're not a partner, have you tried any of the publicly available training? (courses, Cisco Live presentations, books etc.)

Hi Marvin,
I have one doubt regarding the solution. If we have two ISP ILL/MPLS links terminated on an FTD 2100 series NGFW, can we do load balancing on equal-cost and static floating routes via FMC and FDM, or not?

Thanks Marvin,

Can you please help me with one scenario.
Let's assume I have a data center somewhere, where I have installed an FTD-2100. There I have terminated L2-MPLS links, and the FMC is in another location connected to the same MPLS.

Where should I put the management interface cable for communication with FMC over MPLS?
1. Can I use NAT from the MPLS interface terminated on a data port to the management port for connectivity?

You could NAT your MPLS connection that goes to the "outside" data port and then put the management interface in the "inside" network. It's a bit tricky though, since you need connectivity to the FMC first to put the NAT policy in place.

I posted the following in a similar thread several months back and it may be useful for this conversation as well:

Essentially you are left with four options:

• As of version 6.1 of the FTD software, there is an on-box manager called the Firepower Device Manager. However, it is only available for physical appliances. This means that any virtual FTD devices won't be able to use the Firepower Device Manager and are only configurable via the FMC. Additionally, even if you used the Firepower Device Manager, once you have the FTD device configured and you wanted to "switch over" to having it managed by the FMC, all its data plane configuration is wiped out in preparation for the FMC to push a new configuration down. So the Firepower Device Manager should only be used when you want to manage each remote/branch location in a decentralized fashion.

• Have a router at the remote/branch location already configured with a VPN/MPLS link to the HQ LAN, so that the FTD's management interface can have an internal IP address yet still have a data path to the FMC prior to configuring the data plane.

• Put the FTD's management NIC on the public-facing side of the network with a public IP.

• Pre-configure the FTD's data interfaces, routing and policies while it is connected to a LAN that gives IP access to the FMC, for instance via a staging/lab environment that can emulate the remote/branch location's network design. This option is the most dangerous of all, because once this FTD is installed at the remote/branch location, its management interface's data path is through the FTD itself. This means that a misconfiguration of the data plane could sever the management NIC's access to the FMC, thus severing your ability to undo the configuration change!
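As an added illustration, not part of Marvin's posts or of the Cisco guides linked above, here is the FTD CLI sequence behind two points raised in this thread: the switch from local FDM management to FMC (which is what clears the local configuration), and registering across a NAT boundary as in the MPLS/management-port question. The commands (show managers, configure manager delete/add, configure network ipv4 manual) are the standard FTD device CLI; the IP addresses, the registration key and the NAT ID are placeholders I made up and must be replaced with your own values. Lines beginning with # are annotations, not CLI input.

```text
# 1. Check who currently manages the box (with FDM it reports a local manager)
> show managers

# 2. Optional: give the management interface its final address and gateway
#    before registering, so the FMC path does not depend on the data plane
> configure network ipv4 manual 10.20.30.45 255.255.255.0 10.20.30.1

# 3. Remove the local (FDM) manager. This is the step that discards the
#    FDM-built configuration, so export/screenshot anything you need first.
> configure manager delete

# 4a. Register to an FMC that is directly routable from the management port.
#     The key is a one-time shared secret; type the same string in FMC when adding the device.
> configure manager add 10.99.0.5 Reg-Key-Example-01

# 4b. Alternative for the NAT case: the FTD cannot resolve the FMC's real address,
#     so pass DONTRESOLVE plus a NAT ID that must match the one entered in FMC.
> configure manager add DONTRESOLVE Reg-Key-Example-01 branch-fw-01

# 5. Confirm the pending/registered manager before completing the add in FMC
> show managers
```

Use either 4a or 4b, not both. Until FMC has pushed its first access control, NAT and platform policies, the device enforces nothing you built in FDM, which is the outage window Marvin describes above; and if the management interface's only route to FMC is through the FTD's own data interfaces (his fourth option), a bad first deployment can cut off the very channel you would use to fix it.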

Hello,

I am replying to an old thread, so hopefully this works.

If we change a 2110 Firepower that was locally managed by FDM to one centrally managed by FMC, do we lose only the policies/objects, or do we lose all configuration (interfaces, routing, SSL VPN, etc.)?

Thx!

You will lose all the configuration. Once registered to FMC, you need to configure interfaces, routing, policy and VPN via FMC.

HTH
Abheesh

That stinks...but good to know.  Thanks!
