Replace FMC when FTD is in Routed mode and High-availability configuration

Hi,

We are currently using FTD in routed mode; the FTD is being used for firewall purposes.

Currently the FTD is set up as a high-availability pair.

1. If the FMC faults and needs to be replaced, we would like to know the replacement process appropriate for the situation.

We personally built a lab and tested it.

If you remove the pair from the existing FMC and register it with the new FMC, all routing settings that were set on the FTD are deleted.

Is this situation normal?

So is there a way to preserve the routing settings that were previously set on the FTD?

Otherwise, I would like to know how to add routing in CLI mode to the FTDs.

2. Also, when you set up FTD for HA, the Snort process is stopped and a service interruption occurs for about 30 to 40 seconds.

Is there a way to avoid this situation when setting up the actual equipment?

Thanks.

 

3 Replies

Marvin Rhoads
Hall of Fame

1. More recent versions of FMC allow you to back up and restore FTD devices through the FMC. That will include the routing configuration and all other platform settings. So if you restore the FMC, re-register the device and restore it from backup, that should work. Of course, that would require downtime and a maintenance window.

2. The Snort process interruption during HA formation is unavoidable (at least as of the current 6.6 software). Creating or breaking a Firepower Threat Defense high availability pair immediately restarts the Snort process on the primary and secondary devices, temporarily interrupting traffic inspection on both devices. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. See Snort Restart Traffic Behavior for more information. The system warns you that continuing to create a high availability pair restarts the Snort process on the primary and secondary devices and allows you to cancel.

 

The document they reference regarding traffic behavior is this section of the configuration guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/policy_management.html#concept_uc1_gtq_ty
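Whichever replacement route is taken (backup/restore or re-registration), the risk the original poster hit is that the static routes on the FTD disappear without anyone noticing until traffic fails. The script below is an added example for this thread, not code from Cisco or from any poster: it parses the output of `show running-config route` captured at the FTD CLI once before the pair is removed from the old FMC and once after it is registered with the new FMC, and reports routes that went missing or changed. The two captures embedded in it are constructed samples, not output from the poster's devices.

```python
"""Compare an FTD's static routes before and after an FMC re-registration.

Added example for this thread (not Cisco code). Input is the text of
`show running-config route` captured at the FTD CLI once before removing
the HA pair from the old FMC and once after registering it with the new
FMC. Routes that went missing or changed are reported so nothing is lost
silently. Both captures below are constructed samples.
"""
import ipaddress
from typing import NamedTuple


class StaticRoute(NamedTuple):
    interface: str
    network: str   # canonical CIDR, e.g. "10.10.0.0/16"
    gateway: str
    metric: int


# Constructed sample: routes as they appeared while managed by the old FMC.
BEFORE_CAPTURE = """\
> show running-config route
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.10.0.0 255.255.0.0 192.0.2.2 1
route dmz 10.20.30.0 255.255.255.0 192.0.2.6 5
"""

# Constructed sample: after re-registration only the default route was
# re-created, and the dmz route came back with the default metric.
AFTER_CAPTURE = """\
> show running-config route
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route dmz 10.20.30.0 255.255.255.0 192.0.2.6
"""


def parse_running_config_route(text: str) -> dict[tuple[str, str], StaticRoute]:
    """Parse `route <ifname> <net> <mask> <gateway> [metric] [...]` lines.

    Routes are keyed by (interface, network) so a route whose gateway or
    metric changed shows up as 'changed' rather than as missing plus added.
    `ipv6 route` lines and anything else (prompts, comments) are skipped.
    """
    routes: dict[tuple[str, str], StaticRoute] = {}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, net, mask, gateway = parts[1:5]
        metric = 1                      # LINA default when the metric is omitted
        if len(parts) > 5 and parts[5].isdigit():
            metric = int(parts[5])
        # Normalise "net mask" to CIDR so 0.0.0.0 0.0.0.0 and 0.0.0.0/0 compare equal
        network = str(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        routes[(ifname, network)] = StaticRoute(ifname, network, gateway, metric)
    return routes


def describe(route: StaticRoute) -> str:
    return f"{route.interface} {route.network} via {route.gateway} metric {route.metric}"


def diff_routes(before: dict, after: dict) -> dict[str, list[str]]:
    """Return routes that are missing after migration, changed, or newly added."""
    report: dict[str, list[str]] = {"missing": [], "changed": [], "added": []}
    for key, old in before.items():
        new = after.get(key)
        if new is None:
            report["missing"].append(describe(old))
        elif new != old:
            report["changed"].append(f"{describe(old)} -> {describe(new)}")
    for key, new in after.items():
        if key not in before:
            report["added"].append(describe(new))
    return report


if __name__ == "__main__":
    result = diff_routes(parse_running_config_route(BEFORE_CAPTURE),
                         parse_running_config_route(AFTER_CAPTURE))
    for kind, lines in result.items():
        for line in lines:
            print(f"{kind.upper():8} {line}")
    # Non-zero exit when a route is missing, so the check can gate the cutover
    raise SystemExit(1 if result["missing"] else 0)
```

Run against the two samples it reports the inside route as missing and the dmz metric as changed, and exits non-zero; in practice you would replace the embedded captures with the real `show running-config route` output from each FTD unit in the pair and run it during the maintenance window before declaring the cutover done.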

 

Hello Marvin,

Thank you very much for your reply.

But we have a few questions.

1. Our FMC is currently a virtual FMC. It will then be changed to an appliance FMC. In this case, I understand that backup/restore is not possible. (As far as I know, backup/restore is only possible between identical models of equipment.)

In this case, is there any way the FTD can work with the new FMC while maintaining the routing settings?

2. We have set the FTD to routed mode; both the top and bottom interfaces have IPs, and the FTD works as a firewall on the network.

In this case, how can I set up Snort Fail Open?

If the interface does not have an IP, you can enable Snort Fail Open by configuring inline sets, which seems impossible to set in the current situation.

3. Is there a way to add routing in the FTD's CLI?

As of version 6.5 there is a migration function in FMC allowing you to migrate to other FMCs of equal or higher capacity. For vFMC, only VMware installations support the migration (migration from KVM and Azure is not supported).

As for the Snort interruption, as Marvin has already mentioned, in routed mode there will be downtime.

FMC migration path - https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/about_fmc_model_migration.html

FMC migration guide - https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/migrate_your_fmc.html

FMC release notes for 6.5 - https://www.cisco.com/c/en/us/td/docs/security/firepower/650/relnotes/firepower-release-notes-650/features.html
