09-14-2021 11:48 AM
Greetings,
I have an FTD 1140 that is already configured etc but I need to turn up a new internet connection on one of the other interfaces (fiber hand off so I need SFP) and it needs to become my new edge/outside interface. Is it at all possible to move the related configuration from the old outside ifc (copper) to the new (SFP)? In the past I've had to rebuild almost everything from scratch when this happens.
Both FMC and FTD are running version 6.6.1.
TIA!
-John
09-14-2021 12:19 PM
I suggest taking a backup first.
1. When you move the interface config, you need to move the related config (or associated rules) as well.
2. If the interface is part of the zone, that should work as expected.
09-14-2021 12:57 PM - edited 09-14-2021 12:59 PM
Thanks but this doesn't really answer my question.
I need to know if there is a way for me to move the related config to the new interface without having to do it manually. By manually, I mean having to migrate all of the individual configurations that are tied to the existing interface, including the SSL and L2L vpn configurations etc. If I have to do it manually then there is no point in exploring this discussion any further because I already know how to do that.
Thanks,
-John
09-14-2021 01:06 PM
Sure - and I do not believe in, nor know of myself, any mechanism that moves all related config (automatically, as if by magic) when you move the interface (or maybe one is available and I have not tested it).
09-14-2021 01:20 PM - edited 09-14-2021 01:21 PM
It seems crazy to me that an interface configuration can't be re-homed to another interface. What happens when someone encounters a situation like mine where they can't use the old interface for their internet handoff? The only option is to rebuild *everything* manually on the new interface? That is absurd.
On an ASA it's stupid easy to do manually:
- Turn up new interface
- Edit default route to point at new GW IP
- Edit NAT statements using find/replace with old/new interfaces
- Change ACL, access-group statement to use new interface
- Change crypto map statement to use new interface
- Reenable webvpn on new interface
- Done
I can do all this ^ in about 10 minutes or less. There is no comparable method in FMC that I know of to make these kinds of changes in a reasonable amount of time. I feel like we are going backwards.
Thanks,
-J
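As an added illustration of the ASA steps listed in the post above (example configuration, not from the original thread or from Cisco documentation), the same re-homing carried through on the ASA CLI. Port numbers, IP addresses, ACL, NAT and crypto map names are all constructed assumptions; the old copper port is assumed to hold nameif "outside" and the new SFP port is given nameif "outside-new".

```text
! Added example, not part of the original thread. All interface names,
! addresses and object names below are constructed. Save a copy of the
! running config ("show running-config") before making any of these changes.

! 1. Turn up the new interface (assumed SFP port Gi1/8; the old copper
!    port Gi1/1 currently carries nameif "outside").
interface GigabitEthernet1/8
 description New fiber hand-off
 nameif outside-new
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown

! 2. Default route: remove the old gateway entry, add the new one.
no route outside 0.0.0.0 0.0.0.0 198.51.100.1
route outside-new 0.0.0.0 0.0.0.0 203.0.113.1

! 3. NAT: every statement naming (inside,outside) is re-entered with the
!    new interface pair; this is the find/replace step from the post.
no nat (inside,outside) source dynamic any interface
nat (inside,outside-new) source dynamic any interface

! 4. ACL: the ACL body is untouched, only the access-group binding moves.
no access-group outside_in in interface outside
access-group outside_in in interface outside-new

! 5. Crypto map for the L2L tunnels follows the interface, as does IKE.
no crypto map outside_map interface outside
crypto map outside_map interface outside-new
crypto ikev2 enable outside-new

! 6. Re-enable the SSL/AnyConnect VPN listener on the new interface.
webvpn
 enable outside-new

! 7. Verify before shutting down the old port.
show route | include 0.0.0.0
show nat
show crypto ikev2 sa
```

Only the bindings that name the interface change; the ACL entries, NAT objects and crypto map entries themselves are left as they were.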
09-14-2021 01:31 PM
John-
Everything that you mentioned above (ACL, NAT and VPN) is all based on zones and not individual interfaces. Thus, all you should need to do is add your new interface to the appropriate zone, give it its basic config (IP, mask, etc.), and then remove the existing interface that you are re-purposing from that same zone.
Thank you for rating helpful posts!
09-14-2021 01:35 PM
Nspasov,
I figured if there was a solution it would involve zones. This is exactly what I was looking for. Thank you so much for saving me a headache!
Cheers,
-John