Direct SSH to FTD inside of Firepower 9300 Appliance

Ji-Won Park
Level 1

Hi,

I am testing some features using Firepower 9300 appliance. Is there a way to bypass FCM management and connect FTD directly through SSH? I can reach the FTD interface IP address, but cannot pass the authentication page. 

Please help!

Thanks


Accepted Solution

Have you assigned the FTD logical device a separate physical interface designated as management type (vs. the default data type)? If you do that you can most definitely log into the FTD logical device directly as that is the whole purpose of such an interface.


The primary purpose of the chassis management interface is to access and manage the hardware chassis (FX-OS). You can indeed navigate to a Security Module and the logical device on it once you log into the chassis but that will always be a layer or two of abstraction removed from the physical interface.


If you have Safari books, there is an excellent explanation of this in the new (rough cuts only so far) book "Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting Best Practices for the Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Advanced Malware Protection (AMP)" by Nazmul Rajib. It is due to be published next month (November 2017).


8 Replies

mikael.lahtela
Level 4
Hi,

This might work for you; see the configuration under "Restricting access":
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200868-Configuring-Firepower-Threat-Defense-FT.html

It will give you SSH access to the specified interface from a defined network.

br, Micke

As mentioned, I could always reach FTD's data interfaces; I just don't know how I can pass the authentication. I tried admin/Sourcefire and admin/Admin123, but none of them work. It makes me think that I can only get to the FTD CLI through FCM management and execute 'connect ftd'.


The reason I need to land on the FTD CLI directly is that I have software that needs to land on the FTD CLI to get some data.


Let me know if anyone has gone through a similar setup.


Thanks

Tested this again on a 4100, and you might be right.
The only options for me were to log in to FX-OS or "Firepower module>", but I still needed to use connect ftd to access clish.

br, Micke

The recommended method is to assign a physical interface from the chassis to the FTD logical device for management. 

Hi Marvin,

Physical interfaces have already been assigned to Firepower. However, Firepower has its own management IP addresses, and FTD also has its own. When connecting to FTD, I have to go to the Firepower management CLI and connect to FTD from there. My question is whether there is a way to connect to FTD directly, not whether there is a way to connect to the management of Firepower.


I don't think there is a way to bypass Firepower management cli when connecting FTD. I haven't been able to find a way... 

Hi, I know this is an old thread. I hit the same issue and found the information below.

You need to configure LDAP for access, local users are not allowed by default.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html#anc9
