229 Views, 4 Helpful, 4 Replies

FTD deployment without FMC

ranga83 (Level 1)

Hi Team,

We are conducting a greenfield network deployment, which includes a pair of FPR3110 firewalls that need to be configured as Active/Passive with multi-instance. The network consists of core and access switches acting as Layer 2, with all Layer 3 networks terminating on the firewall. A single port-channel (Po01) will be set up on the firewall side and connected to the core switches (Po01 and Po02), with sub-interfaces created on the firewall's Po01 and allocated to the respective firewall instance. The design includes two instances, and both cores will be utilized. The customer will provide a remote FMC in their virtual environment, and WAN connectivity will be established, likely using BGP as the routing protocol.

The challenge I'm facing is how to configure the firewalls for Active/Passive, multi-instance, WAN connectivity, and interface setup without the FMC. Since communication with the FMC is required for most firewall configurations, it’s unclear how to proceed in this initial setup phase without FMC access.

Is it possible to run a virtual FMC on my laptop, get the above setup and WAN connectivity to the remote site done, and later move the configs to the final remote virtual FMC?

Both the FPR3110s and the FMCs will be on version 7.4.

Viduna Rangana
4 Replies

Marvin Rhoads (Hall of Fame)

Some sort of WAN communications to the remote FMC will be required, either for the firewalls' management interfaces or, optionally, their data interface, which can also be used for management. You can do a minimal initial setup using FDM and then, in the setup, tell it that you are using a remote FMC. At that point the firewalls must be able to reach the FMC.

See Step 5 here: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/getting-started/3100/fmc-remote/csf-3100-ftd-get-start_fmc-remote/m_cable-and-register-the-firewall.html#initial-configuration-device-manager-remote-fmc
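The same minimal initial setup can be done from the FTD CLI instead of FDM. The session below is an added example and is not from the thread or from Cisco's documentation; it uses the FTD CLI `configure network` and `configure manager add` commands with hypothetical addressing (management IP 10.10.1.11/24, gateway 10.10.1.1, DNS 10.10.1.53, remote FMC at 203.0.113.10) and placeholder values for the registration key and NAT ID. Lines starting with `#` are annotations, not CLI input.

```text
# Minimal management-interface setup on the first FPR3110 (addresses are
# constructed placeholders for this example).
> configure network hostname FPR3110-A
> configure network ipv4 manual 10.10.1.11 255.255.255.0 10.10.1.1
> configure network dns servers 10.10.1.53
> configure network dns searchdomains example.net

# Register to the remote FMC. The firewall initiates the connection, so the FMC's
# address must be reachable over the WAN from the management interface.
# The registration key (REGKEY-PLACEHOLDER) is a shared secret you choose; the
# NAT ID (NATID-PLACEHOLDER) is needed when the FMC cannot reach this firewall's
# management IP directly (e.g. the site is behind NAT), and must be entered
# identically when the device is added on the FMC.
> configure manager add 203.0.113.10 REGKEY-PLACEHOLDER NATID-PLACEHOLDER

# Confirm the manager entry is present and watch its state change from
# pending to registered once the device is added on the FMC side.
> show managers
```

When the FMC itself sits behind NAT and is not directly addressable from the firewall, the FTD CLI accepts `DONTRESOLVE` in place of the FMC address; in that case the NAT ID is mandatory. Either way, the key and NAT ID are only meaningful if the same values are typed on the FMC when the device is added, so record them before leaving the console. The second unit of the pair is set up the same way with its own management IP; the Active/Passive pair itself is then formed from the FMC once both devices are registered.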

If I spin up a temporary virtual FMC locally and build everything using it, then later move the FTDs to a remote virtual FMC once the WAN is ready, is this possible? The end goal is to manage the FTDs via the remote virtual FMC.

Viduna Rangana

When you register to an FMC, the FTD records the UUID (Universally Unique IDentifier) of that FMC. Changing to a different FMC will mean a new UUID, and the FTD will get whatever ACP, NAT, platform settings, etc. are defined on that FMC. If you prepare with copies of all those, as well as an FMC-based device backup (which would include settings like interfaces, routing, etc.), AND have both FMCs on the same version and content updates, you can make it work. It's messy, though, and not for the novice admin. The method mentioned by @Aref Alsouqi is preferable if that's an option for you.

There is a new device templates feature in 7.6 which may help you as well:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/m_device-management-using-templates.html
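For the re-pointing step Marvin describes, the FTD side of the move from the temporary FMC to the final remote FMC looks like the session below. This is an added example, not from the thread or from Cisco's documentation; it assumes the device is currently registered to a temporary FMC and that the final FMC is at the hypothetical address 198.51.100.20, with placeholder key and NAT ID. Lines starting with `#` are annotations, not CLI input.

```text
# 1. Before touching the manager, verify both FMCs run the same version and
#    content updates (Marvin's precondition). 'show version' works on the FTD
#    and on each FMC's CLI; compare the software version lines by hand.
> show version

# 2. Confirm which FMC the device currently talks to. The UUID shown here is
#    the temporary FMC's identity; it will change after the move.
> show managers

# 3. Take the FMC-based device backup and export the ACP/NAT/platform settings
#    on the temporary FMC FIRST (done in the FMC GUI, not here). Only then
#    unregister. Deleting the device from the temporary FMC's Device
#    Management page does the same thing as this command.
> configure manager delete

# 4. Verify no manager remains before adding the new one.
> show managers

# 5. Register to the final remote FMC with a fresh key/NAT ID pair; the same
#    two values must be entered when the device is added on that FMC. It then
#    applies whatever ACP, NAT and platform settings exist on the new FMC.
> configure manager add 198.51.100.20 REGKEY-PLACEHOLDER NATID-PLACEHOLDER
> show managers
```

The order matters: the backup and policy exports have to exist before the manager is deleted, because after step 3 the temporary FMC no longer owns the device and nothing new can be pulled from it. After step 5 the device is a new object on the remote FMC, so policy assignment, HA pairing and any instance configuration are redone there from the exported copies rather than carried over automatically.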

I think spinning up a virtual FMC in the greenfield site and then moving the FTDs to the remote FMC is possible; however, if possible I personally would recommend staging the FTDs in the site where you have the FMC and then shipping them to the greenfield site. Another option would be to use a temporary 5G connection by allowing the inbound traffic to the remote FMC from the 5G public IP, but I wouldn't go with this option because I believe the 5G providers would use the same public IP for multiple users.
