Firepower FMC and FTD Deployment Issues:

Qamar Islam
Level 1

Dear Experts,

I installed and configured the FMC with FTD, and I just have some issues regarding this deployment.

Deployment Scenario:

I configured two passive interfaces (eth1, eth2) on the FTD server and SPAN the email traffic to eth1 and the web traffic to eth2. FTD analyzes the web traffic on eth2, but I need to verify whether email traffic is coming in or not. As far as I know the FTD has a customized Linux OS. How can I verify that?

On the FMC health status, it shows a URL filtering download failure error. How can I fix it, and how can I check the direct connectivity from the FTD?

Your support is required.

Thanks
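One way to answer the first question (is the email SPAN actually arriving on eth1?) is to take a short packet capture on each passive interface and tally what protocols it contains. The script below is an added example, not code from the original post or from Cisco: it parses lines in tcpdump's default text format (which is what a capture taken in the FTD CLI produces) and reports, per interface, whether the expected traffic class was seen. The interface names, the port-to-class mapping and the capture lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample capture lines in tcpdump text format, as if taken on the
# two passive interfaces. These are NOT real captures from the thread.
SAMPLE = {
    "eth1": [
        "10:01:02.100000 IP 10.10.5.21.51422 > 10.20.1.9.25: Flags [S], seq 1, win 64240, length 0",
        "10:01:02.100500 IP 10.20.1.9.25 > 10.10.5.21.51422: Flags [S.], seq 2, ack 2, win 65535, length 0",
        "10:01:03.200000 IP 10.10.5.22.51500 > 10.20.1.9.587: Flags [P.], seq 1:50, ack 1, win 512, length 49",
        "10:01:04.000000 IP 10.10.5.23.40000 > 10.20.1.9.443: Flags [S], seq 5, win 64240, length 0",
    ],
    "eth2": [
        "10:01:05.000000 IP 10.10.6.40.44100 > 93.184.216.34.80: Flags [S], seq 9, win 64240, length 0",
        "10:01:05.100000 IP 10.10.6.41.44200 > 93.184.216.34.443: Flags [S], seq 9, win 64240, length 0",
    ],
}

# "<ts> IP <src>.<sport> > <dst>.<dport>:" -- enough to classify a flow.
LINE_RE = re.compile(r"^\S+ IP6? (\S+?)\.(\d+)\s*>\s*(\S+?)\.(\d+):")

# Assumed port groups for the two traffic feeds described in the question.
PROFILES = {
    "email": {25, 465, 587, 110, 143, 993, 995},
    "web": {80, 443, 8080},
}


def classify_port(port):
    """Map a well-known port to a traffic class, or 'other'."""
    for name, ports in PROFILES.items():
        if port in ports:
            return name
    return "other"


def summarize(capture):
    """Return {interface: Counter of traffic classes} from tcpdump text lines."""
    summary = {}
    for iface, lines in capture.items():
        counts = Counter()
        for line in lines:
            m = LINE_RE.match(line)
            if not m:
                counts["unparsed"] += 1
                continue
            sport, dport = int(m.group(2)), int(m.group(4))
            # Either direction may carry the service port; the lower one is
            # the well-known side on both the request and the reply.
            counts[classify_port(min(sport, dport))] += 1
        summary[iface] = counts
    return summary


def check_feed(summary, expected):
    """expected: {interface: class}. True where that class was seen at all."""
    return {iface: summary.get(iface, Counter())[cls] > 0 for iface, cls in expected.items()}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for iface, counts in s.items():
        print(iface, dict(counts))
    # Expected mapping from the question: email on eth1, web on eth2.
    print(check_feed(s, {"eth1": "email", "eth2": "web"}))
```

Run it against a real capture by replacing SAMPLE with the lines of a short per-interface capture; an interface whose expected class never appears indicates the SPAN session is not feeding it, while a sizeable count in the wrong class (for example web traffic on the email interface) indicates the SPAN source is wider than intended.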

26 Replies

Hi Marvin,

Thanks for your support boss,

Deployment scenario is on TRANSPARENT MODE.

I just placed the FTD in between the Web-Gateway and Core-Switch. The traffic comes from the web gateway to the FTD and then goes to the core switch, and vice versa.

Web-gateway----FTD----Core-switch

As I just have the OVA file of FTD, I installed it in ESXi and bound 3 virtual interfaces to it. I bound 1 to the FTD management interface and the other two are used for inline traffic coming in from one interface and going out the other.

Inside to outside:

One interface defined as INSIDE.

Second interface defined as OUTSIDE.

Now I just implemented the below configuration to get traffic from the inside interface, analyze it and transfer it to the next hop.

Kindly find the attached snapshots; I never get an IP address on any interface, inside or outside.

Is my configuration correct? If any further changes are needed, kindly share them.

I just transferred traffic into the FTD, but the traffic is not coming out of the outside interface.

Step-by-step snapshots attached.

Support needed boss.

I recommend you open a TAC case.

It is most likely some aspect of your Access Control Policy that is blocking traffic - a default action is often the cause for such behavior.

Thanks for your kind support.

Regards,

Qamar

Hi Marvin,

My web traffic analysis topology is given below:

Firewall <-> Web gateway (WCCP) <-> FTD (inline transparent mode) <-> Core switch <-> users

FMC and FTD are virtualized.

Boss, above is the topology of the inline transparent mode deployment. In last night's activity I deployed the FTD virtual in between the web gateway and the core switch. It worked fine, and blocking and analysis worked all night, but this morning at peak time, when users connected to their network, after 3 hours the browsing choked. Then I took it back off their production network. Your suggestions are required. Are there any limitations on connection events with the licenses, or does the above scenario need any other troubleshooting?

Kindly suggest please.

Hello Marvin,

Greetings!

Need your support. I have a Firepower 4120 security appliance, and now I am trying to configure it and register it with the FMC. Can I operate the FTD 4120 appliance in inline transparent mode? If yes, then what configuration do I choose for inline transparent mode in Firepower Chassis Manager, which interfaces are used for web traffic and which for email traffic, and how do I configure the interfaces for inline transparent mode?

Dear, below are some points that I configured on the 4120:

  • I switched on the appliance and set the management IP address through the console cable.
  • Second, in the GUI I opened the Firepower Chassis Manager, checked the compatibility of the FX-OS and FTD versions, and then went to Interfaces and configured the interfaces of network module 1 of the 4120 appliance: 1 interface for management and the others used for data.
  • Third, assign the data interfaces to the logical device: go to Logical Devices and assign the data interfaces to the device.
  • Now move the FTD to the FMC.

Are the above steps correct for the configuration of inline transparent mode? I set the interface mode setting from ROUTED to TRANSPARENT mode. Furthermore, I will map all the data interfaces in FMC after the registration of the device.

The attached document shows the configuration steps. Note: on step 7, is inline transparent mode configuration needed?

The dropdown box for "Firewall Mode" should have the option of setting the mode to "Transparent".

Hello Marvin,

Thanks for your reply..

Are all the defined configurations correct?

Is it compulsory to define one management interface in network module 1 for inline transparent mode?

Let me elaborate a little on my question: I am asking about the interfaces on the Firepower Chassis Manager Interfaces tab in network module 1. Do we need to define one management port in it?

Yes - since you have an FTD logical device it requires a dedicated management port assigned exclusively to it. If it were an ASA logical device, that would be optional.

The FTD management port is in addition to the built-in chassis management interface.

So in total:

a. One built-in chassis management port (MGMT on the GUI). Used only for FirePOWER chassis management (GUI or CLI).

b. One assigned logical device management port (from a network module). Used primarily for communication (device registration, policy deployment and events) between FTD and FMC. Generally a 1 Gbps SFP is plenty for this - no need to use a 10 Gbps SFP+ unless you have lots of spare 10 Gbps ports downstream and some inexpensive twinax cables.

c. Two (or more) assigned data ports (e.g. inside and outside, also from a network module or modules). Your inspected traffic flows via these ports.

Note that if there are only two data ports, they should definitely be the same speed. Your screenshot shows one at 1 Gbps and the other at 10 Gbps.

Hi Marvin,
Yes, you are right about the data port speed. Kindly correct me if I am wrong in some steps.
Out of the box, the 4120 security appliance has 3 SFPs and one network module (network module 1). I am a little confused about where I use these three SFPs, as in my deployment scenario I just need 3 pairs of data ports and my deployment mode is INLINE transparent mode: 1 pair of data ports is used for the web traffic analysis and the other two pairs are used for the email traffic analysis.
Let me give you a summary of my deployment for better understanding.
  1. Appliance 4120 with FX-OS version 2.0(1.35)
  2. FTD installed on it, version 6.0.1.1213
  3. FMC virtual, version 6.1
1) I installed the FTD logical device in FCM and configured 1 management port from network module 1. The other 7 ports I used for data, and their speed is 10 Gbps. While configuring the FTD, I used FW mode TRANSPARENT, and on the second-to-last step, where it asks for the fully qualified host name: must it be entered in DNS to resolve the host name from the IP address? If I don't enter it in DNS and I just enter <hostname.domain>, will it work or not?
2) I registered the FTD in FMC and then did the further configuration. In the FMC Device Management tab under Interfaces, I separated the interfaces for web and email traffic.
Example: below is the configuration that I did separately for each pair of data ports:
Interfaces: E1/2 (Name: Inside, Security Zone: Inside zone) and E1/3 (Name: Outside, Security Zone: outside Zone)
Inline-set name: Inline-pair-1
Inline set MTU: 1500
Fail Safe: Enabled
Propagate Link State: Enabled
Is my configuration correct for inline transparent mode?
Below is the topology for traffic coming in and out, for web traffic:
Firewall <-> Web gateway (WCCP) <-> FTD (inline transparent mode) <-> Core switch <-> users
For email flows:
Firewall -> Secure Email Gateway -> FTD (inline transparent mode) -> Core switch -> MS Exchange
As this is a very critical project for me, your kind suggestions are needed.
Thanks

The setup you have described looks correct.

Since you have emphasized its criticality, I would recommend you contact your reseller SE to engage professional services or open a TAC case to validate any concerns about its proper operation.

Connection events file attached

For service-impacting production issues you should be opening a TAC case via phone and identifying it as P2 severity.

It appears you exhausted some limit of the FTD device.

Do you have a network discovery policy set up, and have you defined the $HOME_NET and $EXTERNAL_NET variables? Doing so will make sure you aren't trying to discover the entire Internet and thus exhausting the FirePOWER host license limit.
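To make the point of this reply concrete, here is an added example (not code from the thread or from Cisco) that models what scoping the discovery policy does. It takes a handful of constructed connection-event endpoints, counts how many distinct hosts discovery would create with an unscoped "any" network versus a $HOME_NET limited to the internal RFC 1918 ranges, and compares the count with a host limit. The events, the HOME_NET ranges and the limit value are all assumptions; the real host limit depends on the platform and license.

```python
import ipaddress

# Constructed (source, destination) endpoints from connection events; these
# are sample values, not data from the attachment in the thread.
SAMPLE_EVENTS = [
    ("10.10.5.21", "93.184.216.34"),
    ("10.10.5.22", "198.51.100.7"),
    ("10.10.6.40", "203.0.113.9"),
    ("10.10.6.40", "203.0.113.10"),
    ("192.168.1.5", "10.20.1.9"),
    ("172.16.0.8", "203.0.113.11"),
]

# Assumed $HOME_NET: the internal ranges only. $EXTERNAL_NET would be
# everything else ("!$HOME_NET").
HOME_NET = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ANY = ["0.0.0.0/0"]


def discovered_hosts(events, monitored_networks):
    """Distinct endpoint addresses that fall inside the monitored networks.

    This is a simplified model of a discovery rule's 'Networks' scope: each
    endpoint inside the scope becomes a host entry that consumes a host
    license, regardless of how many events it appears in.
    """
    nets = [ipaddress.ip_network(n) for n in monitored_networks]
    hosts = set()
    for src, dst in events:
        for addr in (src, dst):
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in nets):
                hosts.add(addr)
    return hosts


def license_check(events, monitored_networks, host_limit):
    """Compare the modelled host count with a (placeholder) host limit."""
    hosts = discovered_hosts(events, monitored_networks)
    return {"hosts": len(hosts), "limit": host_limit, "exhausted": len(hosts) > host_limit}


if __name__ == "__main__":
    # Placeholder limit chosen for illustration; not a real platform value.
    LIMIT = 8
    print("unscoped:", license_check(SAMPLE_EVENTS, ANY, LIMIT))
    print("HOME_NET:", license_check(SAMPLE_EVENTS, HOME_NET, LIMIT))
```

With the unscoped rule every external address a user browses to becomes a host, so the count grows with the size of the Internet the users touch; with the scope limited to $HOME_NET only internal endpoints are tracked, which is the behaviour the reply recommends.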
