Firepower IP interface changes

bigkeoni64
Level 1

Hello

I have an Active/Passive setup on a couple of Firepowers and my ISP provider is pulling the rug out from underneath me and taking back their CIDR block. As a result, I have acquired a new ISP and have a new CIDR block.

Will the Firepower allow me to change the IP addresses of the interfaces without tearing down the security rules, policies, and objects? 

 

If so, then maybe I prebuild different physical interfaces, add those new interfaces to the groups and migrate the cables to the new physical interfaces?

Thank you for your assistance in advance.

5 Replies

Will the Firepower allow me to change the IP addresses of the interfaces without tearing down the security rules, policies, and objects?

Correct. You can change your public IP addresses. There will be no impact (no wipe of your security rules, policies and objects). This applies to both ASA and FTD.

If so, then maybe I prebuild different physical interfaces and add those new interfaces to the groups and migrate the cables to the new physical interfaces?

This approach is handy if you want to minimise the downtime and bring in the new ISP interface as a backup connection. But, as said above, a change of IP address would not wipe your interface configuration off.

All you need to remember is that once the public IP address changes, if you are doing NAT (static NATting), your clients in the outside world connecting to inside/DMZ resources have to use the new public IP address. For example, if you have AnyConnect on the firewall, you have to update the DNS records etc.

Please do not forget to rate.

Will the Firepower allow me to change the IP addresses of the interfaces without tearing down the security rules, policies, and objects?

Your rules will not be removed, but they will show an error until another interface is placed within the zone you are using for the rules.

 

If so, then maybe I prebuild different physical interfaces and add those new interfaces to the groups and migrate the cables to the new physical interfaces?

This is just a matter of replacing the interface in the security zone.  If you are able to have these two ISPs connected in parallel then you should not see much down time (other than perhaps waiting for DNS changes to propagate globally).  If not, then you will have down time while moving the cables to the new ISP router, and waiting for the deploy to complete (you could start the deploy as you start moving cables).

 

Now if you have also received new subnets for your servers you will also need to reconfigure those NAT rules, but if you have purchased the public IPs, it is just a matter of the ISP re-routing the IPs to your new interface IP.

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud as long as the interface IP address(es) is what is in question, and only an IP address change is required on the interface(s) concerned, there is no issue with the security zone(s). The FTD firewall will not give/show any error. With only an IP address change on the interface (I assume the OP will keep the security zone name as it was prior to the change of IP address), the deployment shall be successful without any issue. Hence the OP requires clearing the ARP entries on the upstream router/switch once the IP address changes are applied on the firewall.

Please do not forget to rate.

@Sheraz.Salim If you read my answer, I state that an error will be seen when the interface is removed from the security zone.  Now if you replace the interface right away you would probably not notice the error.

--
Please remember to select a correct answer and rate helpful posts

bigkeoni64
Level 1

Turns out that my customer has only ONE IP interface configured on the Firepower 1120 and there is a Fatpipe SD-WAN load balancer in front of the Firepower. I'll just configure another interface on the Fatpipe appliance and then change the IP address of the Firepower to the new public IP as well as the DNS entries since they do use Anyconnect. Thanks everyone.
