6653 Views | 45 Helpful | 25 Replies
Hall of Fame Master

Re: FMC to remote FTD deployment

You cannot configure NAT via the CLI (SSH session; never use Telnet).

If you configure via the local manager (FDM) and then change to the remote manager (FMC), the configuration is lost.

Beginner

Re: FMC to remote FTD deployment

Has this issue been "fixed" or addressed in newer versions of code (like anytime after 6.4)? Curious, as I will be running up against this as well.

Beginner

Re: FMC to remote FTD deployment

Did you attempt this as of yet, and if so, which method did you use? I have the same scenario and I wanted to see if one method is better than the others. On top of what you have listed, my FTD in the remote site is the device that is doing the VPN for the networks behind it, so I can't/won't be relying on MPLS or some other VPN device for reachability.

Beginner

Re: FMC to remote FTD deployment

I'm still in the process of trying to get the FMC to talk to our 2110s, but we used public IPs on the FTD 2110 management ports. The latest FTD patch (6.2.2.2) is supposed to allow you to lock down access to the mgmt, but upgrading to it breaks the access between FMC and FTD.


Re: FMC to remote FTD deployment

Simply stated, you cannot do the same process with FTD as we can with ASA/FirePower, which sucks. To do so either requires a tricky setup, which is dangerous if you have problems down the road at your remote site, or requires more hardware. Maybe this is by design now. Either way, you cannot simply add a locally managed FTD to an FMC at your main site. I know that the feature parity is not the same yet, but I sure hope this is resolved down the road.

 

https://supportforums.cisco.com/t5/firesight-system-3d-system/ftd-registering-to-fmc-scenario/td-p/2998213

 

Beginner

Re: FMC to remote FTD deployment

While I agree that this article does provide a way to deploy the remote firewalls, I do not suggest using this method. This puts your mgmt. interface behind the firewall you are trying to manage and can cause serious issues if you make a mistake in your deployment, rendering you "dead in the water" until you can get console access to reverse your errors. I highly suggest using a public IP on the mgmt port independent of the outside interface and locking down the access on mgmt. This will require the site to have 2 free public IPs, otherwise I would not recommend using these firewalls for remote deployments.


Beginner

Re: FMC to remote FTD deployment

Any further traction on how-tos on this? We are looking to encrypt this connection via IPsec. Running ASA code with an SFR module is not an option, and we will look at other vendors.

Hall of Fame Master

Re: FMC to remote FTD deployment

Note that the connection between an FTD device and the managing FMC is already encrypted (TLS running over tcp/8305).

If you do a packet capture on the flow, you will see it does an SSL/TLS handshake and uses the respective certificates from the FMC and the FTD device to set up a secure channel for management and eventing.

 
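The post above says a packet capture of the FMC/FTD flow shows a TLS handshake on tcp/8305. The following is an added example (not from this thread, and not Cisco code) of how a defender can verify that claim programmatically: it parses the first TLS record of a TCP payload, identifies a ClientHello/ServerHello, and flags any tcp/8305 flow whose first bytes are not TLS. The ClientHello bytes are constructed inline for the demo; the only assumption about the real management channel is the one the post makes, namely that it is TLS on tcp/8305.

```python
# Added example: check that a tcp/8305 (FMC <-> FTD management) flow begins
# with a TLS handshake. Sample bytes below are constructed, not captured.
import struct

MGMT_PORT = 8305  # port named in the thread for FMC/FTD management and eventing

TLS_CONTENT_HANDSHAKE = 22
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # ccs, alert, handshake, application data
TLS_HS_CLIENT_HELLO = 1
TLS_HS_SERVER_HELLO = 2
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_tls_record(payload: bytes) -> dict:
    """Parse the first TLS record in a TCP payload; ValueError if it is not TLS."""
    if len(payload) < 5:
        raise ValueError("payload too short for a TLS record header")
    content_type, version, length = struct.unpack("!BHH", payload[:5])
    if content_type not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        raise ValueError("not a TLS record")
    body = payload[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated TLS record")
    rec = {"content_type": content_type, "record_version": TLS_VERSIONS[version]}
    if content_type == TLS_CONTENT_HANDSHAKE and len(body) >= 6:
        # Handshake header: type (1 byte), length (3 bytes), then the Hello's version.
        rec["handshake_type"] = body[0]
        rec["handshake_length"] = int.from_bytes(body[1:4], "big")
        hello_version = struct.unpack("!H", body[4:6])[0]
        rec["hello_version"] = TLS_VERSIONS.get(hello_version, hex(hello_version))
    return rec


def classify_flow(src_port: int, dst_port: int, first_payload: bytes) -> str:
    """Label a flow: 'other' (not the mgmt port), 'tls-handshake', 'tls',
    'cleartext' (mgmt port but not TLS; worth investigating), or 'unknown'."""
    if MGMT_PORT not in (src_port, dst_port):
        return "other"
    if len(first_payload) < 5:
        return "unknown"
    try:
        rec = parse_tls_record(first_payload)
    except ValueError:
        return "cleartext"
    if rec["content_type"] == TLS_CONTENT_HANDSHAKE and \
            rec.get("handshake_type") in (TLS_HS_CLIENT_HELLO, TLS_HS_SERVER_HELLO):
        return "tls-handshake"
    return "tls"


def build_client_hello() -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record (demo data only)."""
    body = struct.pack("!H", 0x0303)            # client_version
    body += bytes(range(32))                     # 'random' field (fixed, constructed)
    body += b"\x00"                              # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
    body += b"\x01\x00"                          # compression methods: null only
    hs = bytes([TLS_HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_CONTENT_HANDSHAKE, 0x0301, len(hs)) + hs


def audit_flows(flows):
    """flows: iterable of (src_port, dst_port, first_payload). Returns the
    labels, so a reviewer can spot any mgmt-port flow that is not TLS."""
    return [(s, d, classify_flow(s, d, p)) for s, d, p in flows]


if __name__ == "__main__":
    sample = [
        (51000, MGMT_PORT, build_client_hello()),       # expected management flow
        (51001, MGMT_PORT, b"GET / HTTP/1.1\r\n\r\n"),  # constructed anomaly
        (51002, 22, build_client_hello()),              # not the mgmt port
    ]
    for src, dst, label in audit_flows(sample):
        print(f"{src} -> {dst}: {label}")
```

Feed `classify_flow` the first payload bytes of each tcp/8305 stream from a capture (for example after exporting TCP payloads with a capture tool); anything labelled `cleartext` on the management port deserves a closer look, since the post's expectation is that the channel negotiates TLS from the first packet.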

Beginner

Re: FMC to remote FTD deployment

Very true. I've set up many networks where the FMC and FTD are located on separate continents. Whilst the FP Management/Event comms are encrypted, stick to security by design and use an MPLS or VPN between the two networks.

Participant

Re: FMC to remote FTD deployment

Losing sleep over this problem too.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.