06-03-2021 09:27 AM
I'm trying to get started on doing the SNMP configurations on the Firepower 1010 devices running 6.7.0.2 OS
I noticed in one thread that someone had to modify the address of the diagnostic interface to get it to work.
My diagnostic interface has no IP Address, but my management interface (which I believe uses the diagnostic interface) has an IP Address of 192.168.13.2
My question is, what happens to the "management" interface if I add an IP Address on the diagnostic interface?
I don't want to lose connectivity to the device as it is not at my site. It's connected to my site via a VPN tunnel.
06-03-2021 09:42 AM
You can have addresses configured for both Management (required) and Diagnostic (optional) at the same time.
As you noted, that's required to access certain information on a Firepower device, such as SNMP querying Cisco SNMP MIBs. It's also used if you need to export NetFlow and a few other things.
Assuming you're using FMC, it's not hard to set up. With FDM and 6.7+ it is quite challenging.
06-03-2021 10:29 AM
Is it safe to assume they need to be unique addresses?
I'm not using FMC. I haven't figured out how to get the VPN Tunnels working in there.
My FMC is internal, so it's challenging to figure out how to get them built.
My main site is still an ASA 5516-x which I'm planning to replace with a FPR 2100
06-03-2021 10:58 AM - edited 06-03-2021 11:37 AM
Yes, the addresses of Management and Diagnostic interfaces must be unique and on the same subnet. I like to think of them as sort of like hosts on a hypervisor with a single network interface (without trunking).
Site-to-site VPNs on FMC are pretty easy to set up. Let us know if you have specific questions about that.
Deploying remote branch devices could be challenging historically. There are some improvements with 6.7 that help in that regard. You might want to review this video for some details and a demonstration:
https://www.youtube.com/watch?v=F3Ma6TnXKXw
06-03-2021 11:17 AM
Thanks for the help.
06-03-2021 11:26 AM
One last thing. My FMC is on 6.6.4. Should I upgrade it to 6.7.0.2?
06-03-2021 11:36 AM - edited 06-03-2021 11:36 AM
I'd only upgrade your FMC to 6.7.0.2 if you plan to manage 6.7 devices - generally due to needing a particular feature now rather than waiting. 6.7 is a short term release which won't be maintained for a long time. 6.6.4 is more mature and serves most customers well who are on it. It is the current "Gold Star" Firepower release.
7.0 is where a lot of additional features come in, but it was released just last week (May 2021). It is an extra long term release and will be around for years to come. I'd wait until it's been out for a while, possibly after its first patch, before adopting it in most production environments.
06-03-2021 11:40 AM
Thank you for all of your help.
06-04-2021 01:27 AM
You're welcome. Please rate useful replies and/or mark your question as answered. It encourages contributors and increases the quality of the community's content.