Hello, everybody.
Is it correct that I should use only the management interface on this device to add it to Firepower Management Center? Or can I do this via a data interface?
And the next question: can I register this device in the smart account before adding it, or can I do it after this action? I need to add only a VPN license to this FP 1120.
Only the management interface. It needs to reach FMC on tcp/8305 (and vice versa - traffic is initiated by both ends for different reasons).
When managing with FMC, the Smart licensing is handled there. FMC registers to your smart account and requests the licenses that you have assigned (in FMC device management) to the device(s).
I have gradually come to this conclusion. Twice I tried to add Firepower to FMC via the data interface (ethernet 2 and ethernet 3), but both times Firepower was reset to completely zero settings and I had to connect to it via console cable and configure it from the beginning.
If I want to add it, I should run the following commands:
from fp1120 side
> configure manager
add Configure managing Defense Center
delete Remove managing Defense Center
local Configure local manager
> configure manager add 10.14.10.20
Alpha-numeric between 2 and 36 chars registration key
> configure manager add 10.14.10.20 Cisco123
If you enabled any feature licenses, you must disable them in Firepower Device Manager before deleting the local manager.
Otherwise, those licenses remain assigned to the device in Cisco Smart Software Manager.
Do you want to continue[yes/no]:yes
from fmc side - see scr
host - ip mgmt fp1120
key - Cisco123 (same for both sides)
smart license - vpn only (if I understood correctly, I can add it via FMC after registration)
Thanks, it works. But after adding the FP to FMC, all settings were reset to zero, even the interface IPs.
> show interface ip brief
Interface                IP-Address      OK? Method Status                Protocol
Internal-Data0/0         unassigned      YES unset  up                    up
Ethernet1/1              unassigned      YES unset  admin down            down
Ethernet1/2              unassigned      YES unset  admin down            down
Ethernet1/3              unassigned      YES unset  admin down            down
Ethernet1/4              unassigned      YES unset  admin down            down
Ethernet1/5              unassigned      YES unset  admin down            down
Ethernet1/6              unassigned      YES unset  admin down            down
Ethernet1/7              unassigned      YES unset  admin down            down
Ethernet1/8              unassigned      YES unset  admin down            down
Ethernet1/9              unassigned      YES unset  admin down            down
Ethernet1/10             unassigned      YES unset  admin down            down
Ethernet1/11             unassigned      YES unset  admin down            down
Ethernet1/12             unassigned      YES unset  admin down            down
Internal-Control1/1      unassigned      YES unset  up                    up
Internal-Data1/1         169.254.1.1     YES unset  up                    up
Internal-Data1/2         unassigned      YES unset  up                    up
Management1/1            unassigned      YES unset  up                    up
Yes - that's expected behavior.
Once you change to FMC management, any configuration items (except the management interface settings) made using FDM are erased.
Thanks for the answer.
And I have one last question: how can I change the time zone for the current device in FMC? In the FMC itself, I changed the time in the user settings (use the preferred time zone) and created a policy for NTP for the FP1120, but the time zone is still UTC 0.
It looks like I can do it only via CLI:
ls -l /usr/share/zoneinfo/Etc or Utc, but there isn't UTC+3 Moscow time in these directories...
The FMC appliance itself uses the configured timezone globally in the GUI (as you noted). You can also set what's seen per user in the GUI under User > Settings as I believe you have found as well.
Managed devices (FTD, Firepower service modules, classic Firepower appliances) and the FMC OS all use UTC. This was explained in the following discussion from a while back: