FTD management with both FMC and CDO

tato386
Level 6

I have an on-prem FMC that manages a handful of FTD devices.  All of these devices use private IPs and are not NATed or exposed to the Internet in any way.  The problem is some of the FTD devices are reachable only via IPSec VPN which sometimes gives me a bit of grief and I lose connectivity to the FTDs.   Is it possible to register the FTDs on CDO without removing them from the FMC and sort of co-manage them with both platforms?

TIA,

Diego

19 Replies

So would I want to assign a public routed IP to the physical management interface or simply enable management access for a data interface that already has a public IP, i.e., the "outside" interface? I'm a bit reluctant to have the management interface exposed...

@tato386 well, if you enable management on the data interface which has been configured with a public IP address, you have exposed the management functionality on the internet. You are essentially combining the data/management functionality on one interface, rather than having dedicated management and data interfaces. Communication between the FTD and FMC is secured.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/device_management_basics.html#Cisco_Concept.dita_a3adf1ee-a270-4ff4-8b7b-3f9a3f4f1636

It's up to you which option to take; if you have a spare public IP address for each site, then go with that.

@Rob Ingram When I edit a data interface I see I have options for allowed management networks but the management interface does not show in FMC.  The FMC does show the diagnostic interface and that guy has allowed management nets option just like the data interface.  Do the management networks configured on the diag interface apply to the management interface?  How do I secure the management interface?

@tato386 the management and diagnostics interfaces are separate interfaces. The management interface IP address and routing is configured via the CLI using the configure network command.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/interface_overview_for_firepower_threat_defense.html#concept_9C4E970171294952B654154256F1A676

For the Management interface, to configure an SSH access list, see the configure ssh-access-list command.
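A worked version of the answer above, added here and not taken from the thread: the two FTD CLI commands it names, used first to give the management interface a static address and then to restrict SSH on that interface to the FMC and an admin network. The addresses are constructed RFC 5737 examples, and lines beginning with `#` are annotations, not CLI input.

```text
# Inspect the current management settings before changing anything
> show network

# Static management IP, netmask and gateway (constructed example addresses)
> configure network ipv4 manual 192.0.2.10 255.255.255.0 192.0.2.1

# Limit SSH on the management interface to the FMC (/32) and the admin jump network (/24);
# any source not in this comma-separated list is refused at the management interface
> configure ssh-access-list 198.51.100.20/32,203.0.113.0/24

# Verify the address and the access list took effect
> show network
> show ssh-access-list
```

Apply the access list from a host that is itself in the list, otherwise the session you are typing in is the first one locked out. Changing the management address also changes the path the FMC uses to reach the device, so confirm the FMC can reach the new address before leaving the session.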

Excellent. Thank you very much sir, I appreciate it!
