Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1188
Views
0
Helpful
7
Replies

FTD 4112 In Multi Instance Mode - How to add/remove physical interface

Go to solution
David Rollins
Level 1
Level 1

‎10-17-2022 01:02 PM

So I adopted a Firepower deployment from the predecessor. The current Firepower appliance (4112) has two instances configured, all managed through FMC. I want to remove a physical interface from one instance and then add it to the other. 

I have tried to search through FMC, from the Firepower appliance itself. I've gone into the cli, and entered the scope. I can see the interface through the scope options, but I can't seem to figure out how to change the physical interface configuration. I knew how to do it through the ASA Multi-context mode. But this is nothing like it. I have tried searching online and through Cisco. It may be that I'm just not using the right terminology. 

Can someone please help?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to David Rollins

‎10-18-2022 05:47 AM

It is very likely that your TACACS Authorization result is not giving you full admin access to FCM. Check your setup against this reference guide for that aspect: https://www.cisco.com/c/en/us/support/docs/security/firepower-9000-series/212688-firepower-extensible-operating-system-f.html

I can confirm that when you login as local admin to FCM that you can add/remove etc. physical interfaces to logical device instances.

When you have multiple instances, containers is the software method used under the covers to separate the instance. So the terms are somewhat synonymous in this usage.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

‎10-17-2022 01:09 PM

@David Rollins you have to assign the physical interfaces to the instances in FXOS GUI not the FMC. https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/multi-instance/multi-instance_solution.html

 

0 Helpful

Go to solution
David Rollins
Level 1
Level 1
In response to Rob Ingram

‎10-17-2022 04:05 PM

The interface is already added to the instance. I want to remove it. And by FXOS GUI I assume you mean the Firepower device manager? I have tried to modify it from there as well. All editing is greyed out. I assume because the appliance is being managed by FMC.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to David Rollins

‎10-18-2022 12:08 AM

Firepower Chassis Manager is the GUI via which you assign physical interfaces. Open the logical device where it is currently assigned and edit it. Click the interface to remove it. Then open the logical device where you want to move it and add it there. Finally, go into the device configuration pages in FMC and select "sync with device", save and deploy.

Note you also have the option with containers to share a given physical interface between FTD instances.

0 Helpful

Go to solution
David Rollins
Level 1
Level 1
In response to Marvin Rhoads

‎10-18-2022 05:40 AM

I have tried from the Firepower Chassis Manager GUI. When I go to logical devices, the edit options are greyed out. 
Could it be related to this:
"Container instance—A container instance uses a subset of resources of the security module/engine, so you can install multiple container instances. Multi-instance capability is only supported for the FTD using FMC; it is not supported for the ASA or the FTD using FDM."

  • Multi-instance capability with container instances is only available for the FTD using FMC.

  • For FTD container instances, a single FMC must manage all instances on a security module/engine.

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos291/cli-guide/b_CLI_ConfigGuide_FXOS_291/logical_devices.html#id_50269

I realized late yesterday these instances are running as Containers. Or is that just what instances are. Containers running on the hardware.
Or could it be something related to the authentication method? It is setup to authenticate to TACACS. I worked at an organization, briefly, that had Firepowers. And the only way to manage the physical device was to have a local login. 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to David Rollins

‎10-18-2022 05:47 AM

It is very likely that your TACACS Authorization result is not giving you full admin access to FCM. Check your setup against this reference guide for that aspect: https://www.cisco.com/c/en/us/support/docs/security/firepower-9000-series/212688-firepower-extensible-operating-system-f.html

I can confirm that when you login as local admin to FCM that you can add/remove etc. physical interfaces to logical device instances.

When you have multiple instances, containers is the software method used under the covers to separate the instance. So the terms are somewhat synonymous in this usage.

0 Helpful

Go to solution
David Rollins
Level 1
Level 1
In response to Marvin Rhoads

‎10-18-2022 06:00 PM

This was it. Thank you. The instructions were based on ISE 2.0. So they were a little off. But it put me on to the right track. The previous admins had tried to enable a Firepower authorization policy, but it was configured incorrectly. And was only granting read-only access. Again, thank you.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-19-2022 01:47 AM

You're welcome. Thanks for rating and letting us know the problem is resolved.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card