Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1717
Views
0
Helpful
3
Replies

How to Stage new FTD to replace production ASA w/ Firepower

John Hinckley
Level 1
Level 1

‎07-20-2020 02:47 PM - edited ‎07-20-2020 02:49 PM

Hello,

I'm trying to stage an FTD appliance to replace an ASA with Firepower that is currently in production.  The FMC that controls it is also controlling an FTD HA pair.  What is the best way for me to stage the new FTD appliance without disrupting production?

Normally I just stage the FMC and sensor(s) in my lab, backup the customer FMC with Veeam, restore the Veeam backup to customer vmware server, turn down the customer's old FMC (if applicable), connect the new sensor/device (FTD or ASA) and then spin the new FMC up.  However; this will be somewhat difficult because the FMC is running at a colo facility and the FTD is being deployed to a different site about 4 hours away.  This poses a physical problem for me as I can't be on site at the colo facility should anything go wrong with the Veeam FMC restore.  Also, I need to preserve the production FMC configuration so I don't lose the config for the FTD HA pair in production at the colo.  

I have access to both networks remotely but I can't seem to figure out the best way to stage the replacement FTD without breaking production.  

 

Some details:

User site:  5515-X ASA w/ FP (ver 9.8.4)

Colo site:  vmware FMC 6.3.0.x,  FTD 1140 HA pair

The ASA w/ FP is being replaced with an FTD 1140 

 

Anyone have a proven strategy for this kind of scenario? 

Thanks,

John

0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-21-2020 07:12 PM

Why not just register the new FTD with the existing FMC? You can change the management address later if you need to do so once you've deployed it on site.

0 Helpful

John Hinckley
Level 1
Level 1
In response to Marvin Rhoads

‎07-22-2020 09:43 AM

Thanks but how would I do this from my staging lab without building a L2L tunnel into the customer network? Also, what happens when you need to add an FTD to an FMC that is currently using classic licensing because the production device you're replacing is an ASA w/ FP? I'm dealing with this problem too but for a different customer. It seems that there is no real clear (Cisco) method for staging FTD devices when they need to be inserted into an existing FP design. Lastly, changing the management IP is not as simple as that. The last time I did that it broke all kinds of stuff on the FTDs when I removed them from management and added them back.
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to John Hinckley

‎07-22-2020 11:03 PM

The methods Cisco recommended to us during partner training all involve being able to reach FMC one way or another - being on the same site, having access to FMC via a public IP, or having a site-site VPN that can reach the FMC.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card