Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1424
Views
15
Helpful
5
Replies

FTD1120 diagnostic port IP configuration

Go to solution
tato386
Level 6
Level 6

‎04-11-2022 07:24 AM

I am currently managing an FTD from FMC using an IP address that is linked to the FTD's management port.  This is confirmed because if I physically remove the network cable from the port I lose connectivity to the FTD.  However, on the FMC device management screen the port does not show as having an IP and is configured for DHCP?  Should I add the management IP in there or leave things alone?  Is this an expected behavior/configuration?

 

Thanks,

Diego 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎04-11-2022 08:13 AM

@tato386 Leave things alone unless you need to use the diagnostics interface, it's optional.

 

The Diagnostic logical interface can be configured along with the rest of the data interfaces on the Devices > Device Management > Interfaces screen. Using the Diagnostic interface is optional (see the routed and transparent mode deployments for scenarios). The Diagnostic interface only allows management traffic, and does not allow through traffic. It does not support SSH; you can SSH to data interfaces or to the Management interface only. The Diagnostic interface is useful for SNMP or syslog monitoring.

 

The Management interface is separate from the other interfaces on the device. If you change the IP address at the CLI after you add it to the Firepower Management Center, you can match the IP address in the Firepower Management Center in the Devices > Device Management > Devices > Management area.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/interface_overview_for_firepower_threat_defense.html

 

 

View solution in original post

5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎04-11-2022 07:39 AM

we are not sure, is this FMC Virtual or Physical ?

 

as Long as FTD able to reach FMC that means working...

 

So the question is , if the Manangment port not configured, how are these commnunicating ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
tato386
Level 6
Level 6
In response to balaji.bandi

‎04-11-2022 08:04 AM

Hello BB,

 

The FTD is physical and yes, all is working.  I am running traffic thru it, I have NAT and ACP rules, I can see connection events, push policies, etc.

 

But according to the FMC device management you would think it should not be because the diag int does not have an IP and is not enabled for management.  See attached pics

Preview file
13 KB
Preview file
28 KB
Preview file
50 KB
Preview file
24 KB
0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to tato386

‎04-11-2022 08:46 AM

that is diag interface, there is nothing to worry - leave it as it is..you are good now.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Rob Ingram
VIP
VIP

‎04-11-2022 08:13 AM

@tato386 Leave things alone unless you need to use the diagnostics interface, it's optional.

 

The Diagnostic logical interface can be configured along with the rest of the data interfaces on the Devices > Device Management > Interfaces screen. Using the Diagnostic interface is optional (see the routed and transparent mode deployments for scenarios). The Diagnostic interface only allows management traffic, and does not allow through traffic. It does not support SSH; you can SSH to data interfaces or to the Management interface only. The Diagnostic interface is useful for SNMP or syslog monitoring.

 

The Management interface is separate from the other interfaces on the device. If you change the IP address at the CLI after you add it to the Firepower Management Center, you can match the IP address in the Firepower Management Center in the Devices > Device Management > Devices > Management area.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/interface_overview_for_firepower_threat_defense.html

 

 

Go to solution
tato386
Level 6
Level 6

‎04-12-2022 11:55 AM

I guess the name "diagnostic" threw me off.  Now I realize this is same as ASA/SFR whereby the ASA's management interface is shared with SFR but configured separately.

 

Thank you!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card