10-24-2017 10:19 AM - edited 02-21-2020 06:33 AM
Hi,
I am testing some features using a Firepower 9300 appliance. Is there a way to bypass FCM management and connect to FTD directly through SSH? I can reach the FTD interface IP address, but cannot pass the authentication page.
Please help!
Thanks
10-24-2017 12:30 PM
10-25-2017 11:12 AM
As mentioned, I could always reach FTD's data interfaces; I just don't know how I can pass the authentication. I tried admin/Sourcefire and admin/Admin123, but neither of them works. It makes me think that I can only get to the FTD CLI through FCM management and execute 'connect ftd'.
The reason I need to land on the FTD CLI directly is that I have software that needs to land on the FTD CLI to get some data.
Let me know if anyone has gone through a similar setup.
Thanks
10-25-2017 01:43 PM
10-25-2017 07:11 PM
The recommended method is to assign a physical interface from the chassis to the FTD logical device for management.
10-26-2017 05:08 AM
Hi Marvin,
Physical interfaces have already been assigned to Firepower. However, Firepower has its own management IP addresses and FTD also has its own. When connecting to FTD, I have to go to the Firepower management CLI and connect to FTD. My question is whether there is a way to connect to FTD directly, not whether there is a way to connect to the management of Firepower.
10-26-2017 06:26 AM
Have you assigned the FTD logical device a separate physical interface designated as management type (vs. the default data type)? If you do that you can most definitely log into the FTD logical device directly as that is the whole purpose of such an interface.
The primary purpose of the chassis management interface is to access and manage the hardware chassis (FX-OS). You can indeed navigate to a Security Module and the logical device on it once you log into the chassis but that will always be a layer or two of abstraction removed from the physical interface.
If you have Safari books, there is an excellent explanation of this in the new (rough cuts only so far) book "Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting Best Practices for the Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Advanced Malware Protection (AMP)" by Nazmul Rajib. It is due to be published next month (November 2017).
10-26-2017 05:06 AM
I don't think there is a way to bypass Firepower management cli when connecting FTD. I haven't been able to find a way...
06-04-2018 11:32 AM
Hi, I know this is an old thread. I hit the same issue and found the information below.
You need to configure LDAP for access, local users are not allowed by default.