FTD (NGFW1010) HA branch site - management via FMC

chrisbutleraura
Level 1

Hi community, I'm looking for some guidance...

We're relatively new to FTD devices and in the process of upgrading from legacy ASA 5008x's that were managed independently.

We have deployed an FMCv and are managing a new HA instance consisting of 2 x 1010 NGFWs. These devices exist at the same site as the FMC and are connected to the FMC via the management interface.

We're now looking to deploy 2 x 1010 NGFWs in HA to each of our branch sites (x3). I've been trying to determine how to achieve remote management. Having read the Cisco Firepower 2100 Getting Started Guide - Threat Defense Deployment with a Remote Management Center [Cisco Firepower 2100 Series], it states "High Availability is not supported. You must use the Management interface in this case".

The issue we have is that the NGFW HA pair will be providing the site-2-site VPN back to the site that hosts the FMC. Documentation suggests that any configuration apart from interface configuration will be erased as part of the enrolment to FMC.

I believe we're in the chicken & egg scenario - I need the VPN tunnel up for the 1010's to access the FMC but in doing so, will erase the VPN configuration.

FYI - Pre-configuration isn't really feasible as the FMC is based in the UK.  The branch sites are another UK site, 1 in each of the US & APAC.  I don't even want to consider the issues of exporting devices out of the UK let alone support issues. 

Anyone come across this scenario that can shed some light?

Thanks in advance!

1 Reply

sanchezeldorado
Level 1

Hey Chris! I came across your post looking for the same answer. I admit, I'm still a little confused on the best route to go, but if you haven't gotten an answer yet, here's another thread that provides some answers. Like you, my remote sites are far away, and I don't want to screw it up. I only have 1 external IP address, so I believe I'm going to go the route of configuring a site-to-site VPN, adding ACLs to allow my internal management interface access to both FMCs without NAT. Then the standby FMC should automatically get management access to the remote firewall. Working for an MSP, Cisco's whole approach has been very frustrating and has caused my entire (not insignificant) company to stop using Cisco firewalls with a few exceptions. Good luck!

FMC FTD HA Management - Cloud Delivered FMC does what on prem FMC cant - Cisco Community
