Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
979
Views
5
Helpful
3
Replies

two FirePOWER modules on ASA failover mode managed by FMC

Go to solution
tigertiger9161
Level 1
Level 1

‎08-14-2019 09:51 AM - edited ‎02-21-2020 09:24 AM

Hi everyone,

I have two ASA firewalls 5525 with firepower modules. first box has the firepower module installed and it's added to the FMC.  second box (a second ASA 5525 with firepower module) we just received to make both boxes in failover mode. second box is not installed/configured yet. first FirePOWER module already has its management IP, which is used to be managed by FMC. However, when I install the second FirePOWER module on second ASA, should i give it a different IP on same subnet as first FirePOWER, or same IP as first one? also, on the FMC, the two FirePOWER modules will/should appear as two independent FirePOWER modules or they will appear as one FirePOWER module configured with same management IP, since they are installed on two ASAs in failover mode?

please advise.

Thanks.  

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-14-2019 07:46 PM

The Firepower service module on the second ASA operates completely independently. As such, it requires its own unique IP address, registration to FMC and licenses.

You can group the two modules in FMC for purposes of policy management but, other than that, they have no knowledge of each other's existence. The concepts of configuration synchronization that apply to the parent ASAs' configs does not apply to Firepower.

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to tigertiger9161

‎08-14-2019 08:44 PM

It needs to be changed in both locations.

On FMC it tells the manager how to communicate to the sensor.

On the module it assigns the address on the underlying Linux operating system.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-14-2019 07:46 PM

The Firepower service module on the second ASA operates completely independently. As such, it requires its own unique IP address, registration to FMC and licenses.

You can group the two modules in FMC for purposes of policy management but, other than that, they have no knowledge of each other's existence. The concepts of configuration synchronization that apply to the parent ASAs' configs does not apply to Firepower.

Go to solution
tigertiger9161
Level 1
Level 1
In response to Marvin Rhoads

‎08-14-2019 08:14 PM

If I want to change the management IP of the firepower module which is managed by the FMC, should I changed it from inside the CLI of the firepower module or from inside the FMC management interface? Which method is recommended and best practice? Thanks

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to tigertiger9161

‎08-14-2019 08:44 PM

It needs to be changed in both locations.

On FMC it tells the manager how to communicate to the sensor.

On the module it assigns the address on the underlying Linux operating system.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card