06-06-2023 06:01 AM
Hi Team,
We have got a new Cisco Firepower FPR 1120, which is the replacement FTD for our ASA 5545. We need to configure the FTD the same as the ASA. The ASA does not have any Mgmt interface configured, so we need to manage the LAN interface of the FTD as the Mgmt interface. Also, we need to manage the FTD locally, not via FMC.
What will be our first step? How can we use the Firepower Migration Tool for the FTD which is managed locally?
I was going through the link above but that is again for the device managed via FMC.
Is there any link which I can go through? Also, if I manage the device locally, it is managed with FDM itself, right? Also, if I am managing locally, can I use the CLI for any configuration of the device?
Please add some inputs on this. Need to get it done by Thursday, please suggest.
Regards,
Sanjay S
06-06-2023 06:06 AM
The migration tool cannot be used to migrate from a FW managed by FDM to a FW managed by FMC.
06-06-2023 06:14 AM
CDO can help you migrate your Adaptive Security Appliance (ASA) to an FDM-managed device. CDO provides the ASA to FDM Migration wizard to help you migrate your ASA's running configuration to an FDM template.
Note: if you use CDO, then the FTD will be managed by FDM only, not FMC.
06-06-2023 06:08 AM
@ssan239 if you are using FDM to manage the device locally, then you cannot use the Firepower Migration Tool.
You can use the CDO tool to migrate the ASA configuration to FDM. https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CDO/ASA2FTD_Using_CDO/m_how_to_implement_migration.html
If you need it done by Thursday, it might be quicker to configure the device from scratch.
99.9% of the configuration of the FTD must be performed using the FDM GUI. CLI is primarily used to configure the mgmt interface and diagnostics/troubleshooting.
06-06-2023 06:41 AM
Thank you Rob for the information.
Is there any other way to manage FTD other than FMC and FDM? Based on my understanding there are only 2 ways: one is via FMC and the other is locally, which is nothing but FDM. Is my understanding correct?
Also, can I use the LAN interface to manage the FPR1120, as the ASA config does not have a specific Mgmt interface?
Regards,
Sanjay S
06-06-2023 06:44 AM - edited 06-06-2023 06:46 AM
@ssan239 there are 4 ways:
Local = FDM
Central (On-premise) = FMC
Central (Cloud) = CDO or cdFMC (Cloud delivered FMC)
You can manage the FDM using the dedicated mgmt interface or data (LAN) interface.
06-06-2023 07:36 AM
Getting better understanding now. Thanks Rob.
You can manage the FDM using the dedicated mgmt interface or data (LAN) interface.
Is there any document on how to configure this?
06-06-2023 07:42 AM
Post initial configuration you can navigate to System Settings > Management Access > Data Interfaces and permit access on additional data interfaces as required.
06-06-2023 08:27 AM
Great! Looks simple. Thanks a lot, Rob, for the help.
06-06-2023 08:47 AM
You can certainly use the mgmt interface, but for a data interface for FDM I think you need management-only on this interface to connect FDM to the FPR.
Just wanted to let you know.
Thanks
MHM
06-06-2023 09:24 AM - edited 06-06-2023 09:29 AM
@MHM Cisco World that's incorrect, this is FDM, it sounds like you are confusing this with ASA with Firepower Module. Not the same thing.
06-06-2023 09:38 AM
I know this FPR, and that's why I mentioned he must configure management-only for the data interface used to connect to FDM.
I will be sure to check the Cisco docs and share Cisco's recommendations here.
Thanks
MHM
06-06-2023 09:42 AM - edited 06-06-2023 09:44 AM
@MHM Cisco World wrote:
I know this FPR, and that's why I mentioned he must configure management-only for the data interface used to connect to FDM.
You do not have to configure management-only for a data interface; it's a data interface, so it can be used for management and data (transit) traffic at the same time (as per the example I provided from a live FDM FPR1010 device).
The dedicated management interface does not need to be used at all if not required - it's optional.
06-06-2023 06:47 AM
Using CLI, I will check the available commands if you try using CLI.
Thanks
MHM
06-07-2023 04:59 AM
Hi Rob,
I am unsure whether we have a CDO tenancy. When I click on the initial login hyperlink, it diverts to the below page.
Not really sure where to log in to get the migration config for the FTD. We do have a Cisco account where we manage the licenses and stuff. Not really sure if we can use the same account? If so, where do we log in for this CDO?
Regards,
Sanjay S