01-29-2018 12:27 PM - edited 02-21-2020 07:13 AM
Hello,
We are getting ready to deploy FP2130s with FMC. If the FMC is unavailable, how are changes made (especially in emergencies)? Looking at the getting started guide (https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/ftd-fmc-2100-qsg.html) it looks like you disable local management.
01-29-2018 01:57 PM
Hi,
It is always advised to have the FMC in HA as well. FMC and FDM (the local manager) are completely different, both in terms of GUI and in terms of policy constructs and granularity. If your FMC is down and you still need to manage or push any new policies, you are limited.
The only way to do it is via the CLI: delete the manager and enable the local manager. This will delete your configuration and you will have to re-license the device using Smart Licensing. You cannot import FMC configs into FDM, nor can you simultaneously manage an FTD via FMC and FDM.
Vaibhav
01-30-2018 06:55 AM
Like Vaibhav said.
In practical terms you never want to switch from FMC to local management unless you are doing a wipe out and restart from scratch sort of exercise.
If your FMC is virtual, HA might make sense in a smaller deployment as they are quite reasonably priced. For larger deployments, HA FMC physical appliances can easily run over US$100k and are usually only considered by the larger customers with the budget and operational requirements for such a system.
03-23-2018 05:42 PM
Try not to have an emergency in your firewall/sensor at the same time as you're having an emergency with your FMC :-) There's very, very seldom a good reason to reconfigure your firewall when it can't reach the manager (maybe a DDoS or something).