10-17-2022 01:02 PM
So I adopted a Firepower deployment from the predecessor. The current Firepower appliance (4112) has two instances configured, all managed through FMC. I want to remove a physical interface from one instance and then add it to the other. 
I have tried to search through FMC, from the Firepower appliance itself. I've gone into the CLI, and entered the scope. I can see the interface through the scope options, but I can't seem to figure out how to change the physical interface configuration. I knew how to do it through the ASA Multi-context mode. But this is nothing like it. I have tried searching online and through Cisco. It may be that I'm just not using the right terminology.
Can someone please help?
10-17-2022 01:09 PM
@David Rollins you have to assign the physical interfaces to the instances in FXOS GUI not the FMC. https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/multi-instance/multi-instance_solution.html
10-17-2022 04:05 PM
The interface is already added to the instance. I want to remove it. And by FXOS GUI I assume you mean the Firepower Device Manager? I have tried to modify it from there as well. All editing is greyed out. I assume because the appliance is being managed by FMC.
10-18-2022 12:08 AM
Firepower Chassis Manager is the GUI via which you assign physical interfaces. Open the logical device where it is currently assigned and edit it. Click the interface to remove it. Then open the logical device where you want to move it and add it there. Finally, go into the device configuration pages in FMC and select "sync with device", save and deploy.
Note you also have the option with containers to share a given physical interface between FTD instances.
10-18-2022 05:40 AM
I have tried from the Firepower Chassis Manager GUI. When I go to logical devices, the edit options are greyed out. 
Could it be related to this:
"Container instance—A container instance uses a subset of resources of the security module/engine, so you can install multiple container instances. Multi-instance capability is only supported for the FTD using FMC; it is not supported for the ASA or the FTD using FDM."
Multi-instance capability with container instances is only available for the FTD using FMC.
For FTD container instances, a single FMC must manage all instances on a security module/engine.
I realized late yesterday these instances are running as Containers. Or is that just what instances are? Containers running on the hardware?
Or could it be something related to the authentication method? It is set up to authenticate to TACACS. I worked at an organization, briefly, that had Firepowers. And the only way to manage the physical device was to have a local login.
10-18-2022 05:47 AM
It is very likely that your TACACS Authorization result is not giving you full admin access to FCM. Check your setup against this reference guide for that aspect: https://www.cisco.com/c/en/us/support/docs/security/firepower-9000-series/212688-firepower-extensible-operating-system-f.html
I can confirm that when you log in as local admin to FCM you can add/remove etc. physical interfaces to logical device instances.
When you have multiple instances, containers are the software method used under the covers to separate the instance. So the terms are somewhat synonymous in this usage.
10-18-2022 06:00 PM
This was it. Thank you. The instructions were based on ISE 2.0. So they were a little off. But it put me on the right track. The previous admins had tried to enable a Firepower authorization policy, but it was configured incorrectly. And was only granting read-only access. Again, thank you.
10-19-2022 01:47 AM
You're welcome. Thanks for rating and letting us know the problem is resolved.