Hi Marvin, Thank you very much for the quick & easy method to change the FTD IP.  I have a quick query.

Our FTD registered on FMC via hostname (FQDN), in this case, is it sufficient to change the IP address on host record in DNS server and change the IP on FTD without touching the FMC? would FMC detects the new IP with the FQDN? or do I need to follow the above procedure?

If you initially registered the FTD using FQDN, then you should be able to change the IP in the DNS host record without losing connectivity.  You should only have a problem if the FTD can't resolve the name.  I would first test that the FTD can ping the current FQDN just to make sure it's still seeing the FMC by name before changing the record.

-John

I have done the changes by changing the host entry and IP address change on FTD without touching the FMC and It worked well without any issues. But on FMC it's still showing old IP address under devices. However, everything is working as expected.

With this, If we are moving from a FMC deployed in Vsphere to a FMC deployed in Azure, will this still work?

Essentially, we need to move the Vsphere instance into Azure, Based on some other posts and research, (And comments from you) I can possibly fool the migration tool using a command to change the FMC once deployed in Azure to do a migration and then revert. But im wondering if i can simply change the manager IP to now point to the Azure instance?

Will doing this host the config on the units? or will they retain everything? IIRC, from v7 on, the changing of the manager no longer hoses the config on the box?

You are not just changing the FMC or FTD management IP address, you are deploying a new FMC and you need to move the FTD to this new FMC. 

As per today, I am not aware of a "simple method". Here is what I have done in the past: (assuming you're doing it on a FTD HA pair)

- Get the new FMC ready and running 

- Break the FTD HA, pick one FTD and shutdown its data interfaces and de-register it from the FMC

- Get this FTD and register with the new FMC, apply the licenses, policies etc. (interfaces should survive a de-register) 

- On the old FMC go to the FTD and shutdown all interfaces - Execute this task during a change window, you will have a small downtime here.

- On the new FMC enable the interfaces on the FTD (i'd recommend using the same mac-addresses from the old active FTD to avoid arp cache issues) - Execute this task during a change window, you will have a small downtime here.

- Test the traffic, if everything is fine proceed with the de-register of the FTD on the old FMC

- Register the FTD on the new FMC and create an HA pair

- Shutdown the old FMC and tap yourself in the back. 

Note: If you are using certificates for RA-VPN or for ISE I'd recommend you deploy all new. 

Thanks for that. I will give it a look.

We managed to get around the "NEW FMC" thing, by doing a backup a/ restore of the ESX instance, and putting that into the Azure instance. that all worked quite well.

So, as it sits, its a full restore of their prod instance. Just in Azure. we still need to move the FTDs over to it, and im labbing up a scenario where we use a 3rd unit as a stand in to ensure that downtime is virtually non-existent, and covers a fail over situation. I have opened a new thread on this, feel free to give it a look, and comment on my plan here.

https://community.cisco.com/t5/network-security/fmc-deploy-with-missing-ftd/td-p/4885669

jason

Marvin, I have used your 3 step method for standalone FWs before and it work but, does this also work for an HA pair? IOW, just do your step #2 twice with #1 and #3 staying the same?

HA pairs are different. In that case you need to break HA first, re-register the member units individually and then re-form the HA pair. Quite painful but that's the current state of affairs.

One last update.
If you need to change the management IP address from the FMC, but you dont want to lose the configuration on the FTD you need to visit the FMC and go to the FTD device page and disable management of it. Then go to the FTD device and change your IP address. Then go back to the FMC on the same FTD device page you want to change the management IP then enable the management.

Rodrigo nailed it. This is the answer to the OP's question.

1) From FMC, click Devices > Device Management, and edit the FTD

2) Go to Device tab under that device in "Management" section (as in Rodrigo's screenshot) and switch the toggle to "Disable Management"