Solved: FTDv w/FDM smart licensing question

west33637 · ‎08-05-2019

Hello all. I have a client who requires an air-gap FTDv deployment. They are using FDM for management. This client cannot use a satellite server, they don't want any communication over the Internet. I know that software version 6.3 provides an air-gap solution using Specific License reservation, but I only see documentation of this with an FMC deployment.

Can the Firepower Device Manager do this Specific License reservation deployment? Or does it need an Internet connection? What are my options in an air-gapped environment that does not use an FMC for management?

Thanks,

Marvin Rhoads · ‎08-05-2019

As far as I know, using an explicitly defined proxy server is not currently supported. A transparent one should work.

View solution in original post

Marvin Rhoads · ‎08-05-2019

Firepower Device Manager (as of the current 6.4.0.3) continues to require either direct Internet access ~~or a Satellite server~~ for Smart Licensing of the FTD device.

I've not heard of plans to change this in the short term. So, for now, FMC management with Specific License Reservation is the only option once the 90-day evaluation license expires.

(edit - as of 2020-02-05 a satellite server is not supported with FDM)

nwsplus10 · ‎08-05-2019

oops

west33637 · ‎08-05-2019

Can they access through a proxy server? Thanks?

Marvin Rhoads · ‎08-05-2019

As far as I know, using an explicitly defined proxy server is not currently supported. A transparent one should work.

tilo.harder · ‎02-04-2020

Hello Marvin,

You stated "Firepower Device Manager (as of the current 6.4.0.3) continues to require either direct Internet access or a Satellite server for Smart Licensing of the FTD device."

Where in FDM can you register with a Satellite?

Marvin Rhoads · ‎02-05-2020

I apologize - I was mistaken earlier.

I recently confirmed with Cisco that Satellite server smart licensing is NOT currently an option when you use FDM management (as of 6.5.0.2 / February 2020). I've suggested that they consider adding the feature but I'm just one voice. If it's important to you, please provide the feedback via your Cisco account manager or partner.

jimmycher · ‎04-04-2020

I've worked on many programs that are air-gapped, and once inside the secured network, devices can never be brought out, (without an act of God). It should be pretty simple to get a FDM on-prem license, but it's taken me weeks to get it figure out (still haven't). The fact that FDM uses "management" port in completly seperate contexts makes everything that much harder. Logically splitting the physical management port is totally asinine. If you have the chance, use the ASA, and stay away from FirePower devices.

Peter Koltl · ‎12-11-2019

How to register FDM to a satellite server?