Beginner

two FirePOWER modules on ASA failover mode managed by FMC

Hi everyone,

I have two ASA 5525 firewalls with FirePOWER modules. The first box has the FirePOWER module installed and it's added to the FMC. The second box (a second ASA 5525 with FirePOWER module) we just received to put both boxes in failover mode. The second box is not installed/configured yet. The first FirePOWER module already has its management IP, which is used for management by the FMC. However, when I install the second FirePOWER module on the second ASA, should I give it a different IP on the same subnet as the first FirePOWER, or the same IP as the first one? Also, on the FMC, will/should the two FirePOWER modules appear as two independent FirePOWER modules, or will they appear as one FirePOWER module configured with the same management IP, since they are installed on two ASAs in failover mode?

Please advise.

Thanks.

 

3 REPLIES
Hall of Fame Master

Re: two FirePOWER modules on ASA failover mode managed by FMC

The Firepower service module on the second ASA operates completely independently. As such, it requires its own unique IP address, registration to FMC and licenses.

You can group the two modules in FMC for purposes of policy management but, other than that, they have no knowledge of each other's existence. The concepts of configuration synchronization that apply to the parent ASAs' configs do not apply to Firepower.

Beginner

Re: two FirePOWER modules on ASA failover mode managed by FMC

If I want to change the management IP of the FirePOWER module which is managed by the FMC, should I change it from inside the CLI of the FirePOWER module or from inside the FMC management interface? Which method is recommended and best practice? Thanks

Hall of Fame Master

Re: two FirePOWER modules on ASA failover mode managed by FMC

It needs to be changed in both locations.

On FMC it tells the manager how to communicate to the sensor.

On the module it assigns the address on the underlying Linux operating system.