12-01-2022 11:32 PM
Hi,
I have a client Prod network with the following setup:
1. 2 x virtual FMCs (Active/Standby)
2. A pair of Firepower 4115 with multiple FTDs (Active/Standby)
3. Single Firepower 2100 with one FTD
I have been tasked to make sure the network management is configured for all devices and also have to change passwords.
vFMCs:
There is one management IP address for each vFMC. I use them for accessing via GUI and SSH. Are these the only two IP addresses? I saw that the password can be changed via GUI (System > Users) OR via CLI (sudo passwd admin). Is this the same thing if I do one or the other, or do I need to do both? Is there any other password for vFMCs?
Pair of 4115s:
There is one management IP address for each Firepower device. This is the IP of Firepower Chassis Manager. I am monitoring this IP on the management tool. There are separate IP addresses for each FTD. Do I need to monitor each FTD as well using its IP?
Is there any other IP that needs to be managed/configured for the Firepower 4115?
I also need to change passwords for all of this. To my understanding, I can change the password for Firepower Chassis Manager using GUI (System > User Management > ...). Do I need to change the CLI password for this separately as well? When I log in to it I go directly to enable mode. Does it mean it has both user and enable mode with password access?
I also need to change the FTD password. Is the FTD password the same as the FXOS password or different? Are there different mode passwords as well, like an enable mode password? Does the password update sync between primary and standby FTDs?
Firepower 2100:
I only see one IP address for the 2100. I think it may be different from the 4100. But I am confused, as I believe it should have a Firepower Chassis Manager IP and an FTD IP separately. I have read that once it is integrated with the FMC you cannot access Firepower Chassis Manager. Maybe that IP is now no longer reachable and only the FTD IP is available. How do I monitor both the 2100 chassis and the FTD with separate IPs like the 4100?
How about passwords for this? Is it only the FTD/FXOS one password I need to manage?
I know this is a long post, but I will appreciate your help!
12-02-2022 07:25 AM - edited 12-02-2022 09:08 AM
For FMC, the web and cli admin passwords are synced at initial setup. When you change it subsequently, you would need to change both locations using the methods you noted already. Other accounts are possible for the web UI if you have created them in FMC. Non-admin cli accounts are only possible with external authentication types (i.e., AD).
Firepower appliances running FTD and using chassis manager (4100 series and 9300 series) will have separate and non-synchronized admin users for the chassis (set via fxos cli or the FCM GUI) and the FTD logical device(s). The FTD instances have only the admin user and those passwords are not synced between devices in an HA pair (or cluster).
Other Firepower appliances (1000 series, 2100 series, 3100 series and FTDv) don't have a separate fxos admin password. The FTD admin cli user password covers both FTD and the (mostly hidden) fxos. You monitor those devices using only the single management address.
12-02-2022 09:50 AM
Hello Marvin,
Really appreciate your response! You're a guru. Here I summarize what I have understood.
1. For the vFMCs I need to update both GUI and CLI password for the Admin account separately. The password is synchronized between two FMCs.
2. For the Firepower 4100 Chassis Manager I can change the password using GUI (System>User Management>Edit User>Password) or FXOS cli method (either one will work). These passwords are not synced in a cluster so each unit will have to be done separately.
3. For the FTD devices running on the Firepower 4100 chassis, the password can be changed via Firepower (FXOS) Chassis Manager OR the CLI. If doing it via GUI: Firepower Chassis Manager > Devices > Edit option for the FTD. Each FTD device will have to be done separately and on both Primary and Standby FCM as they don't synchronize.
I read somewhere that there is a restart required at FXOS level. Does it mean switching the active/standby unit and restarting them after the password change?
4. For the FTD running on the 2100 chassis there is only one password for the FXOS chassis and FTD - it is applied on the FTD. I need to use the CLI. The single password will cover both the chassis and the FTD.
12-02-2022 11:13 PM
1. The FMC passwords are not synced between HA members.
2. Correct
3. I don't recall having to restart the few times I've changed an fxos password. If you do it from the cli you have to "commit" the change.
4. Correct.
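As an added illustration of the "commit" step mentioned in point 3 above (not part of the original posts), here is what a password change looks like from the FXOS CLI on a 4100/9300 chassis, followed by the separate FTD-side change. The hostnames and prompts are constructed examples; the `*` in the FXOS prompt marks an uncommitted change that is discarded if you log out before `commit-buffer`.

```text
# --- FXOS chassis admin password (4100/9300 only; change on EACH chassis) ---
firepower# scope security
firepower /security # scope local-user admin
firepower /security/local-user # set password
Enter a password:
Confirm the password:
firepower /security/local-user* # commit-buffer      <- change is NOT applied until this
firepower /security/local-user # exit

# --- FTD logical device admin password (separate store; change on EACH HA member) ---
> configure password
Enter current password:
Enter new password:
Confirm new password:
Password Update successful.

# --- FMC: GUI (System > Users) and the CLI account are separate after initial setup ---
admin@fmc:~$ sudo passwd admin
```

On 1000/2100/3100/FTDv the `configure password` step alone covers FTD and the hidden FXOS, matching point 4.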