FTD management with both FMC and CDO

tato386
Level 6

I have an on-prem FMC that manages a handful of FTD devices.  All of these devices use private IPs and are not NATed or exposed to the Internet in any way.  The problem is some of the FTD devices are reachable only via IPSec VPN which sometimes gives me a bit of grief and I lose connectivity to the FTDs.   Is it possible to register the FTDs on CDO without removing them from the FMC and sort of co-manage them with both platforms?

TIA,

Diego

Accepted Solution

@tato386 I don't see a cloud solution here. Even if you went cdFMC now, you said the FTD's don't have internet access, so they'd be unable to communicate with the cdFMC? I don't believe a local (onprem) Secure Device Connector (which proxies connections to the cloud) is supported on cdFMC.

And besides, why if you lose the IPSec VPN should that cause you grief? Are you connecting to the mgmt interface which is connected to the LAN and routed over the VPN? You can manage the FTDs from the data (i.e. outside) interface since version 6.7.

19 Replies

Hello MHM,

I am not ready to give up my on-prem FMC.  I am looking for a way to manage certain FTD devices using *both* on-prem and CDO platforms.  I want to manage my FTD via on-prem but be able to also manage it from CDO in case of issues with my on-prem FMC.

Rgds,

Diego

I am talking about cloud, not on-prem FMC.

Check link again 

Thanks 

MHM

@tato386 If you have an On-Prem FMC you can onboard the FMC to CDO, but it is limited to viewing its managed devices (FTDs), viewing objects associated with the On-Prem Management Center, and cross-launching to the On-Prem FMC GUI.

https://docs.defenseorchestrator.com/t_install-a-cdo-connector-to-support-an-on-premises-sec-using-a-cdo-vm-image.html#!r-preface-managing-fmc-with-cisco-defense-orchestrator.html

My apologies because I think I've done a poor job of explaining myself.  I would like to have an FTD1140 with two managers.  One being the on-prem FMC and the second being CDO.  I guess I was thinking that by just onboarding the FTD1140 I would be able to manage it but it seems it doesn't work like that.  It looks like I would need to have an FMC in CDO which as Rob mentioned would not be capable of fully managing the FTD.  Looks like the only way to have dual managers is to use local FMC with high availability, but that won't work for me because HA being only a pair would still leave me with potential connectivity issues when using multiple VPN sites.  I guess I'll have to wait for a full featured cloud FMC?

Diego

There is cloud-delivered FMC (cdFMC) which gives you most FMC features in a cloud-native instance. That does naturally require Internet access from the managed devices.

What we lose with cdFMC is logging to FMC - if logging is needed it can be done to an on-premise FMC, on-premise data store, syslog server or via a CDO Security Analytics and Logging subscription add-on. Other than that, all of the configuration options are there in the cdFMC instance.

What @Rob Ingram said - only one manager can be the source of configuration for a given device. The option he mentioned is a way of mirroring what you see in the on-prem FMC but it does not allow any configuration changes to be made in CDO.

It is not possible to manage FTD with both FMC and CDO.  Basically CDO is to manage the FTDs that are configured as locally managed, i.e. uses FDM.  So you need to choose one or the other.

If you are having issues with connectivity because of management traffic going over VPN, I would suggest looking into configuring the internet facing interface as a management interface and then manage the FTD from FMC via that data interface.

--
Please remember to select a correct answer and rate helpful posts

But that would mean that I have to expose the FMC with a public IP as well, no?  Doesn't the FTD initiate traffic towards the FMC?

cdFMC does have a public IP address. The communications between cdFMC (or any FMC) and your managed devices are secured with TLS running over tcp/8305 and further restricted to the device and FMC having exchanged a registration key during onboarding so that their respective sftunnel configurations are verified.
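As an added example (not code from any poster in this thread): if an on-prem FMC's sftunnel port ends up reachable from the Internet, one defensive check is to alert on allowed tcp/8305 connections to the FMC that come from anything other than the FTDs registered to it. The log format, device addresses and FMC address below are constructed for illustration.

```python
import ipaddress
import re

# sftunnel, the FMC <-> FTD management channel, runs on tcp/8305 (as stated in the thread).
SFTUNNEL_PORT = 8305

# Constructed sample: management IPs of the FTDs registered to the on-prem FMC
# (RFC 5737 documentation addresses, not real devices).
REGISTERED_FTDS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}
FMC_IP = "192.0.2.5"  # constructed public address of the on-prem FMC

# Constructed edge-firewall log lines in a simplified key=value form
# (hypothetical format, not any vendor's real syslog layout).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=allow src=203.0.113.10 dst=192.0.2.5 dport=8305 proto=tcp
2024-05-01T10:00:02Z action=allow src=198.51.100.7 dst=192.0.2.5 dport=8305 proto=tcp
2024-05-01T10:00:03Z action=allow src=192.0.2.77 dst=192.0.2.5 dport=443 proto=tcp
2024-05-01T10:00:04Z action=allow src=192.0.2.200 dst=192.0.2.5 dport=8305 proto=tcp
2024-05-01T10:00:05Z action=deny src=203.0.113.99 dst=192.0.2.5 dport=8305 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def unregistered_sftunnel_peers(log_text, registered, fmc_ip):
    """Return (timestamp, src) for allowed tcp/8305 connections to the FMC whose
    source is not a registered device. Each hit is a candidate alert: sftunnel
    should only ever be spoken by devices the FMC onboarded."""
    registered_nets = [ipaddress.ip_network(r) for r in registered]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue  # denied or unparseable lines already did not reach the FMC
        if rec["dst"] != fmc_ip or rec["dport"] != SFTUNNEL_PORT or rec["proto"] != "tcp":
            continue  # only the management channel matters here
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in registered_nets):
            hits.append((rec["ts"], rec["src"]))
    return hits
```

The registered set can hold prefixes as well as single addresses, which suits sites whose FTD management IP is assigned from a known block.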

@Marvin Rhoads I was referring to my on-prem FMC.  We are not ready for cdFMC yet.  I was trying to not expose any devices to Internet but if FTD is managed via public then it would mean that FMC would need to be public as well which is something I was hoping to avoid but it seems increasingly like due to our aversion to cloud it might be our only option.  

The reason the VPN causes grief is because all management is done private-to-private over VPN from FMC to data interfaces on FTDs.  We don't use the management interface at all.  Most sites have a separate device for VPN but some use the FTD for VPN, so if a config mistake is deployed which breaks VPN then we have no way to get in to fix it.  I was looking for a "backdoor" via cloud for these sites.

So like you said there doesn't seem to be a simple cloud solution here.  We are not ready to do cdFMC like @MHM Cisco World  and @Marvin Rhoads suggested.

I guess the best option is to put a public IP on the management interface of the problem sites and expose FMC to Internet.  I was hoping to avoid that but I guess it's either that or risk getting disconnected from these sites.

Thanks

Diego

@tato386 Well you can certainly assign an IP address to the mgmt interface and manage the FTD on that. Although there would have to be a huge configuration mistake to lock yourself out to require a backdoor. Mgmt connectivity "to" an FTD is managed separately to "through" traffic, so I'd be surprised if day-to-day modifications of firewall rules would completely lock you out. I've certainly had no problem managing 100s of remote firewalls on the data interface over the internet and not had a problem. Although I appreciate your scenario may differ.