Re: Policy Based Routing on FTD managed by FDM

wcutajar · ‎08-24-2021

Hi, I'm trying to set up PBR (Route Maps) on FTD managed by FDM but I'm finding it impossible, on ASA it would look something like this

access-list ROUTEMAP-ACL1 extended permit tcp object CloudKey1 any

route-map ROUTEMAP1 permit 10
 match ip address ROUTEMAP-ACL1
 set ip next-hop <IP-ADDRESS-OF-ISP2-GATEWAY>

I've added the accesslist and the first line of the route-map command via SmartCLI but I'm stuck on how to create the subsequent commands

If I try to use FlexConfig it says that route-map command is blacklisted CLI

Any ideas?

Jay Ponce · ‎08-24-2021

Please make sure you are running version 6.6 or higher in the FDM and the syntax is the same as ASA.

wcutajar · ‎08-25-2021

I am in fact running version 6.6.4, I managed to partially get it to work using a workaround to configure bgp-set-clause to set the next hop as there is a bug which does not let you configure set clause when creating the Route Map in SmartCLI (I have attached a screenshot on how I've set it up.

After that I created a FlexConfig object to attach the above route map to the interface as per below

With the above I can confirm that it works however I have an issue that I have no failover for PBR, on an ASA I would have used the following commands:

set ip next hop verify-availability 192.168.22.254 track 1

set ip next hop verify-availability 192.168.21.254 track 2

which would have enabled failover for PBR using a SLA monitor.

I was so excited to move from ASA to FTD but it seems that the product has so much less features.

engineer467 · ‎09-08-2022

Hi,

Can you share the steps how you applied this route-map to the interface?

Thanks

merloxuanyuan23 · ‎10-25-2022

Hi there, I got same issue in terms of applying route-map to the interface, have you found solution?

Marius Gunnerud · ‎09-10-2022

Without knowing the steps you are taking to create the route-map, we can only provide information on how a route-map is created using FDM. Check the following link

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-route-maps.html#Cisco_Task_in_List_GUI.dita_bc8a9c84-fe6d-41ff-abbe-8438fe37e35d

--
Please remember to select a correct answer and rate helpful posts

Hisoka · ‎04-11-2024

I have created same PBR route-map in smart CLI. But please could you share how to apply the object to the desired interface?

programmer01001 · ‎06-26-2024

Hi to apply an object to interface do the following:

1. Create FlexConfig object with this template:

interface Ethernetx/x
policy-route route-map <your route-map name>

2. Go to FlexConfig Policy and add your created object to group list. Then deploy.

Hope this helps.

Karsten Iwen · ‎06-26-2024

The more relevant question is why you are running a completely outdated version …

wcutajar · ‎06-28-2024

You realize this post is from 2021 right? We decided to move away from Cisco due to lots of these issues, hopefully they have been sorted with newer releases.

Karsten Iwen · ‎06-28-2024

Well, I obviously did not realize this. Yes, FDM still has shortcomings that are hard to understand. But overall, the platform evolved really well, and in version 7.2+, there is not much missing.

MHM Cisco World · ‎06-28-2024

bad to know that, what issue you face (alot) can you summary it
thanks

MHM