CISCO FTD & FMC

fmugambi
VIP

Hello Guys,

Is it possible to have an FTD managed by, or have, two managers (FMCs, that is)? Say one in DCA and another in DCB?

If yes, how does one make one manager FMC primary over the other, and invoke either to be master on a need basis?

Thanks.

9 Replies

No, you can't. The FTD can only be managed by a single FMC at any given time; I don't believe this has changed with any of the latest releases. However, technically speaking you can register the FTD to two FMCs, but the thing is that as soon as you register the FTD with the second FMC, the first FMC will mark the FTD as disabled because the FTD won't send any heartbeats to the previous FMC anymore. Take a look at this post of mine where you can see this in action:

Can an FMC register an FTD that is already registered with another one? (bluenetsec.com)

fmugambi
VIP

Okay, at the point you are registering the FTD between the FMCs, is there a loss of configuration on the FTD?

And do you need to add the manager command for each FMC on the FTD CLI?

Please note that the post I shared above is just to prove the behaviour when you try to register an FTD with another FMC while it is already registered with an FMC. However, it is not the way you should deal with your scenario. In your case you should change the manager IP on the FTD to switch to the new FMC. The new FMC should have the policies and settings, including certificates, etc., that will then be applied to/associated with the FTD.

Usually I create a full backup from the old FMC, and then we restore it on the new FMC using the "sf-migration.pl" tool. Also, if the new FMC could have the same IP as the old one, that would save you having to change the manager's IP on the FTD. Whether you leave the same IP on the new FMC or you have to change it on the FTD to reflect the new one, the FTD shouldn't lose any of its configs.

What if, say, the FMC in DCA is in VLAN 110: can I bring up the same FMC in DCB on VLAN 120, then change the IP on the FTDs to map to the FMC on VLAN 120 in DCB, and vice versa? Or how can I achieve HA of FMC for the FTD?

Are these two FMCs configured in HA, or are they two separate standalone FMCs? As long as the FTD can reach that FMC IP, regardless of the VLAN, it should work.

Two separate FMCs.

Is it practical to have two FMCs in HA but on different VLANs? Say one in DCA on VLAN 110 and one in DCB on VLAN 120?

Two FMCs in an HA pair do not have to be on the same management subnet or in the same geographic location; for instance, you can have one in the US in management subnet A and the peer in the UK in management subnet B.

Take a look at this guide please:

Firepower Management Center Administration Guide, 7.1 - High Availability [Cisco Secure Firewall Management Center] - Cisco

Noted.

Quick one: say I have achieved HA for the FMCs. The FMCs are in different subnets, so different IPs, of course, in this context, meaning "show managers" on the FTD shows, say, the FMC in DCA. If this FMC goes down, ideally you make FMC B active, correct?

Secondly, you also need to log in to the individual FTDs and map their manager to the new FMC in DCB, correct?

Or is there a seamless, non-manual way for the FTDs to change managers between the FMCs in HA?

Thanks in advance.

When you register an FTD with FMCs that are in an HA setup, you register the FTD with the primary/active FMC and then the FTD will automatically be registered with the secondary/standby FMC. This means that if the primary FMC fails you will need to promote the secondary to active, but since the FTDs are already registered with the secondary, no further action is needed.

Have a read through THIS document for a better understanding of FMC HA.

--
Please remember to select a correct answer and rate helpful posts