FTD to FMC Registration Experience

keithcclark71
Level 3

I just wanted to share my experience registering an FTD to the FMC when deploying the FTD to remote sites away from the FMC.

Attempting to stage the FTD on the same local subnet as the FMC means registering the FTD with the FMC using a non-routable private IP address. This worked for me and I could apply all my settings to the FTD. If one were to try to deploy to the remote location at this point, you would lose communication with the FMC and no longer be able to push policy changes. If you were to do "show managers" while at the remote site, it would show the private IP address of the FMC you registered to, which the FTD would no longer be able to communicate with as it now sits remote. I have not done so yet, but I am wondering if, while at the site, I could edit the manager to be the public IP address\FQDN hostname of the firewall's public interface, for which NAT of tcp\8305 is verified operational to the FMC? Thoughts here?

How I actually got the registration to work was staging the FTD as much as possible with the FMC on the same subnet. I then deleted the FTD from my staged S2S VPN mesh topology so I could delete the device from the FMC, leaving behind the necessary ACP and NAT policies. I then went to the FTD, deleted the manager, and configured from the console the Management-Data interface to be used for FMC communications. I then registered with "configure manager add" (public IP of the ASA firewall, where NAT for tcp\8305 is also established), which allowed me to register from the remote location. Once it registered I had to remote into the FMC, add it back to the S2S mesh topology, reset the interface zones, then redeploy NAT, and now my site clients could get internet and I could deploy over the data interface. I soon after realized, however, that I probably should register by FQDN rather than the public IP address of the firewall in front of the FMC, because if that IP ever changes I assume I will lose the ability to manage all my tail-site FTDs. I hope this helps someone in some way and brings up better discussion here of what I may have done wrong, or how I can stage things more easily so that I can send an engineer to the tail site, have him plug the firewall in and it works, rather than re-registering.
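The post above hinges on two things that are easy to get wrong before the engineer leaves the tail site: whether tcp\8305 (the sftunnel management channel) actually reaches the FMC's NAT'd public address from that site, and whether the manager was given as an FQDN or a literal IP. The script below is an added example (not Cisco code, not the FTD CLI, and not from the original poster); it is meant to run from a laptop on the remote LAN, not on the FTD itself. The FMC address and port are arguments; the 127.0.0.1 listener in the self-test is a stand-in for the FMC and is not a real target.

```python
"""Pre-shipment reachability check for FTD-to-FMC management traffic.

Run from a host on the tail-site LAN: resolves the manager target, tries a
TCP connect to sftunnel's port on every resolved address, and warns when the
manager is a literal IP (an FQDN survives a public-IP change in front of the
FMC).  Added illustration; not Cisco code and not executed on the FTD.
"""
import ipaddress
import socket
import sys
from dataclasses import dataclass, field

SFTUNNEL_PORT = 8305  # FMC <-> FTD management channel (sftunnel)


@dataclass
class Preflight:
    target: str                 # what you would hand to 'configure manager add'
    literal_ip: bool            # True when target is an IP rather than an FQDN
    addresses: list = field(default_factory=list)   # what target resolved to
    reachable: list = field(default_factory=list)   # addresses that accepted a TCP connect
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return bool(self.reachable)


def is_literal_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def resolve(target: str, port: int) -> list:
    """Unique addresses for target (the target itself if it is already an IP)."""
    if is_literal_ip(target):
        return [target]
    try:
        infos = socket.getaddrinfo(target, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    seen = []
    for info in infos:
        addr = info[4][0]
        if addr not in seen:
            seen.append(addr)
    return seen


def tcp_open(addr: str, port: int, timeout: float = 5.0) -> bool:
    """A completed TCP handshake is what proves the NAT rule for the port works."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(target: str, port: int = SFTUNNEL_PORT, timeout: float = 5.0) -> Preflight:
    result = Preflight(target=target, literal_ip=is_literal_ip(target))
    if result.literal_ip:
        result.warnings.append(
            "manager given as a literal IP; register by FQDN so a change of the "
            "public IP in front of the FMC does not orphan the tail-site FTDs")
    result.addresses = resolve(target, port)
    if not result.addresses:
        result.warnings.append(f"{target} does not resolve from this site")
    for addr in result.addresses:
        if tcp_open(addr, port, timeout):
            result.reachable.append(addr)
        else:
            result.warnings.append(f"tcp/{port} to {addr} is closed or filtered")
    return result


def open_local_listener(host: str = "127.0.0.1") -> socket.socket:
    """Throwaway listener on an ephemeral port so the check can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def main(argv):
    if len(argv) > 1:
        r = preflight(argv[1])           # e.g. python preflight.py fmc.example.net
    else:
        # Offline self-test: a local listener stands in for the FMC's public address.
        srv = open_local_listener()
        r = preflight("127.0.0.1", port=srv.getsockname()[1])
        srv.close()
    print(f"target={r.target} addresses={r.addresses} reachable={r.reachable}")
    for w in r.warnings:
        print("warning:", w)
    return 0 if r.ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A passing check only proves the NAT rule and the path; it says nothing about the registration key or the FMC's device record. One caveat worth knowing before re-registering over the data interface: when the FTD sits behind NAT as seen from the FMC (the FMC cannot reach the FTD's address directly), Cisco's registration procedure expects a NAT ID supplied on both sides in addition to the registration key; check the FMC guide for your release rather than assuming the key alone is enough.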

5 Replies

balaji.bandi
Hall of Fame

When you provision the FTD on the local subnet to check that it works as expected before shipping it to the remote location, that is possible,

But when the FTD moves to the remote location, you need to register it with the FMC again.

Similar thread as below :

https://community.cisco.com/t5/network-security/add-ftd-to-fmc-remotely/m-p/4471043

BB


So I do have to re-register once I move to the remote location? No way around this?

It seems to me that once at the remote location I should be able to configure the management-data interface, then edit the manager IP address that the FTD registered with from the private IP to the FQDN of the outside firewall interface in front of the FMC, which is NAT'd for tcp\8305. That would be a lot easier than having to re-register. I'm surprised Cisco hasn't allowed for this.

It's possible to change the interface used for the sftunnel connection between FTD and FMC for management. As soon as you want to ship your FTD from staging to the remote location, you change the manager configuration on the FTD to a data interface (i.e. the "outside" interface), and the management IP for the FTD on the FMC to the public IP on the outside interface of the FTD.

Take a look at this document https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/device_management_basics.html#Cisco_Task.dita_0cbd837e-6a80-4e05-8734-7a73bcb2c850 

I would suggest testing this workflow in a lab environment before doing it in production.

SamW1
Level 1

I just got this working really well in my lab. I have an FMC hosted at the North site and two FTDs hosted at the South site. I was able to just configure the FTD locally using console/SSH and make the outside interface the FMC manager interface. No need to add it to a local FMC or anything. It was then able to register with the remote FMC and push policies etc. I've added all the screenshots to detail this.

Well done. Once you are out of the lab and in production, however, it becomes a different story, especially if you are replacing the tail-site firewall, as you had better know how to get those configs ported over in a hurry to a newly registered FTD. That's why I complete the config before shipping to the remote site, so I can deregister, re-register, and push my config that is already on the FMC to it. Otherwise I'd have to configure everything on the fly: NAT, ACP, objects, etc. Nice work.
