09-24-2022 09:43 PM
We have a need to manually change the FTD Access Control Policy assignment via CLI in the event of maintenance or an outage. Our FTD is managed by FMC; however, our FMC is not on an out-of-band network but rather hosted in the inside zone data plane.
We would need to SSH to the FTD and switch the FTD ACP to a permit any-any style ACP via CLI (while FMC is unreachable) in order to let certain traffic pass through the FTD, and switch back to the production ACP afterwards. Is it possible? Thanks.
Leo
09-26-2022 10:37 AM
As far as I know, what you are asking is not possible. On an FTD device that is registered to an FMC manager, only the managing FMC can change the ACP.
09-27-2022 09:54 AM
Since I am able to use LinaConfigTool to modify the routing table, I am hoping there is something similar to modify the ACP in the event that the FTD loses access to FMC.
09-28-2022 02:16 AM
There is a new feature in 7.2 that may help with your use case. It is as follows:
Auto rollback of a deployment that causes a loss of management connectivity.
You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and the threat defense to go down. Previously, you could only manually roll back a configuration using the configure policy rollback command. New/modified screens:
For more information, see Device Management in the device configuration guide.
09-30-2022 01:12 PM
Hi, Marvin.
Will Cisco support FMC4500 having multiple NICs / IPs to manage different FTDs? I am thinking of putting an extra FMC NIC (eth1) on an IP address in the same subnet as the FTD's management interface, so this connection won't be lost and I can use FMC (eth1) to change the ACP of the FTD when FMC eth0 has lost network connectivity. Thanks.
Leo
10-01-2022 08:08 PM
You can (and always have been able to) use the second (or third, etc.) NIC in an FMC to manage devices. It comes down to the routing for that NIC and the managed devices. As long as that is working as desired in the underlying OS (Linux), the FMC application will use the best route to reach the managed devices. You need to be sure to understand it from the device side as well: you add the manager by its IP address, and that must be the same as the IP of the FMC NIC that will be used for that device.