connection firepower 1120 to firepower management center

kapydan88
Level 4

Hello everybody.

 

Is it correct that I should use only the management interface on this device to add this device to Firepower Management Center? Or can I do this via a data interface?

And the next question - can I register this device in the smart account before adding it, or can I do it after this action? I need to add only a VPN license to this FP 1120.


Marvin Rhoads
Hall of Fame

Only the management interface. It needs to reach FMC on tcp/8305 (and vice versa - traffic is initiated by both ends for different reasons).

When managing with FMC, the Smart licensing is handled there. FMC registers to your smart account and requests the licenses that you have assigned (in FMC device management) to the device(s).

 

I have gradually come to this conclusion. Twice I tried to add the Firepower to FMC via the data interface (ethernet 2 and ethernet 3), but both times the Firepower was reset to completely zero settings and I had to connect to it via console cable and configure it from the beginning.

 

If I want to add it, I should run the following commands

 

from fp1120 side

> configure manager
add Configure managing Defense Center
delete Remove managing Defense Center
local Configure local manager

> configure manager add 10.14.10.20
Alpha-numeric between 2 and 36 chars registration key

> configure manager add 10.14.10.20 Cisco123

If you enabled any feature licenses, you must disable them in Firepower Device Manager before deleting the local manager.
Otherwise, those licenses remain assigned to the device in Cisco Smart Software Manager.
Do you want to continue[yes/no]:yes

 

from fmc side - see scr

host - ip mgmt fp1120

key - Cisco123 (same for both sides)

smart license - VPN only (if I understood correctly, I can add it via FMC after registration)

 

 

That's correct.

Thanks, it works. But after adding the FP to FMC all settings were reset to zero, even the interface IPs.

 

> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/0 unassigned YES unset up up
Ethernet1/1 unassigned YES unset admin down down
Ethernet1/2 unassigned YES unset admin down down
Ethernet1/3 unassigned YES unset admin down down
Ethernet1/4 unassigned YES unset admin down down
Ethernet1/5 unassigned YES unset admin down down
Ethernet1/6 unassigned YES unset admin down down
Ethernet1/7 unassigned YES unset admin down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 unassigned YES unset admin down down
Ethernet1/12 unassigned YES unset admin down down
Internal-Control1/1 unassigned YES unset up up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unassigned YES unset up up
Management1/1 unassigned YES unset up up
>

 

Yes - that's expected behavior.

Once you change to FMC management, any configuration items (except the management interface settings) made using FDM are erased.

Thanks for the answer.

And I have one last question - how can I change the time zone for the current device in FMC? In the FMC itself, I changed the time in the user settings (use the preferred time zone) and created a policy for NTP for the fp1120, but the time zone is still UTC 0.

It looks like I can do it only via CLI

 

ls -l /usr/share/zoneinfo/Etc or Utc, but there isn't UTC+3 Moscow time in these directories...

The FMC appliance itself uses the configured timezone globally in the GUI (as you noted). You can also set what's seen per user in the GUI under User > Settings as I believe you have found as well.

Managed devices (FTD, Firepower service modules, classic Firepower appliances) and the FMC OS all use UTC. This was explained in the following discussion from a while back:

https://community.cisco.com/t5/network-security/ftd-2100-ntp-timezone-issue/td-p/3371929
