Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1097
Views
10
Helpful
5
Replies

Change FMC managed FTD Access Control Policy assignment via CLI

a12288
Level 3
Level 3

‎09-24-2022 09:43 PM

We have a need to manually change FTD Access Control Policy assignment via CLI in the event of maintenance or outage. Our FTD is being managed by FMC however our FMC is not on out-of-bound network but rather hosted in the inside zone data plane.

We would need to SSH to FTD and switch FTD ACP to a permit any-any like ACP via CLI (while FMC is unreachable) in order to let  certain traffics passing though FTD, and switch back to production ACP afterwards. Is it possible? Thanks.

Leo

0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-26-2022 10:37 AM

As far as I know, what you are asking is not possible. On an FTD device that is registered to an FMC manager, only the managing FMC can change the ACP.

0 Helpful

a12288
Level 3
Level 3
In response to Marvin Rhoads

‎09-27-2022 09:54 AM

Since I am able to use LinaConfigTool to modify routing table so I am hoping there is something similar to modify ACP, in the event of  FTD lost access to FMC.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-28-2022 02:16 AM

There is a new feature in 7.2 that may help with your use case. It is as follows:

Auto rollback of a deployment that causes a loss of management connectivity.

You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and the threat defense to go down. Previously, you could only manually rollback a configuration using the configure policy rollback command.

New/modified screens:

  • Devices > Device Management > Device > Deployment Settings

  • Deploy > Advanced Deploy > Preview

  • Deploy > Deployment History > Preview

For more information, see Device Management in the device configuration guide.

a12288
Level 3
Level 3
In response to Marvin Rhoads

‎09-30-2022 01:12 PM

Hi, Marvin.

Will Cisco support FMC4500 to have multiple NICs / IPs to manage different FTDs? I am thinking to put an extra FMC NIC (eth1) to have an IP address in the same subnet as FTD's management interface, so this connection won't be lost and I can use FMC (eth1) to change ACP of the FTD when FMC eth0 is lost network connectivity. Thanks.

Leo

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to a12288

‎10-01-2022 08:08 PM

You can (and always have been able to) use the second (or third etc.) NIC in an FMC to manage devices. It comes down to the routing for that NIC and managed devices. As long as that is working as desired in the underlying OS (Linux) then the FMC application will use the best route to reach the managed devices. You need to be sure to understand it from the device side as you add the manager by its IP address and that must be the same as the NIC of the FMC that will be used for that device.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card