03-13-2017 09:49 AM - edited 02-21-2020 06:02 AM
I have a Firepower 4110 appliance running FTD v6.2. I can configure SNMP through the FMC at Devices -> Platform Settings -> SNMP. This allows me to perform SNMP queries to any of the data interfaces of the appliance, if I allow a "host" access to that interface. However, it does not allow me to send my SNMP polling to the management interface. The management interface is simply not in the list of possibilities for me to allow SNMP access to. Why not? The out-of-band management segment is where my SNMP monitoring system is based, and SNMP and other management functions are obviously exactly what the management interface exists for. How can I do SNMP monitoring of the FTD to the management IP address?
04-01-2017 03:15 AM
Glad to hear you got it working. I hope in the future Cisco will be able to expose the management interface in a unified way. Still, thinking about the lina and snort parts being separate for a diverse set of features is kinda daunting if you need stuff like snmp, syslog, etc.
03-24-2017 07:51 AM
Unfortunately that is not possible at the moment. The management IP address resides within the Firepower part of FTD and not within Lina. I am sure Cisco will find a solution to this design limitation, but at the moment you have to use an inband interface (which could also reside in the same segment, btw).
03-31-2017 12:51 PM
Just an update on this: I found that kaisero is correct that the management interface resides within the Firepower part of FTD and does not respond to SNMP. However, the diagnostic interface that shares the same physical port does. This interface must be given an address in the "Device Management" settings. If you want it to communicate beyond its local subnet you must set up routing as well. And even though it never shows up in the list of available zones for adding SNMP access to, you can still type it in manually and add it in right below the list of Selected Zones/Interfaces.
02-07-2020 10:21 AM - edited 02-07-2020 10:51 AM
Hello All,
I am going through the same problem. The Firepower FPR-2130 is integrated with FMC and needs to be integrated with NMS monitoring, for which the SNMP configuration has been pushed to the Firepower from the FMC GUI, but that SNMP configuration is not reflected on the Firepower CLI.
Second, when I log in to the FPR CLI, I can't see the management IP anywhere in the configuration (this is the same IP which I am using for SSH login into the FPR). However, on the FMC GUI I can see the diagnostic interface (without an IP address, showing status green).
Additional information: while polling the FPR management IP from the NMS server, it is getting polled and is available in monitoring but doesn't contain any information (e.g. the FPR's actual interfaces which are in use for data/traffic flow). On the NMS it's only showing some unknown interfaces like tap0, tap0.1, tap100, tun1 etc., which are of no use for us.
> Firepower Version is 6.4.0.7
Referring to this post's conversation, if the only solution is to assign an IP on the diagnostic interface, can we assign an IP from the same subnet/IP pool to which the management IP belongs? I prefer to go with a solution where we don't require any ACL (sort of out-of-band); this is to avoid traffic (ACL) "to and from" multiple transit interfaces/hops in between source and destination.
I searched a lot on this but didn't find a solution to overcome this limitation. Considering this as Cisco's limitation, I'm not sure if this has been taken care of and fixed by Cisco or not in the last 3 years, as this post was started and the diagnostic interface IP configuration suggestion was proposed in 2017.
06-01-2017 08:08 PM
06-02-2017 12:47 AM
I don't think it's a good idea to access lina directly since most of the lina commands are already exposed in the clish mode. In case you want to use the diagnostic interface for monitoring (e.g. snmp/logging of the lina part) you could assign an IP address to it, but just keep in mind that it doesn't have its own VRF, so it will be just another inband interface.
08-28-2019 07:39 AM
Hello, I have been trying to do the same thing but am unsure what to put in as the interface; when I added Management it came up with "Management Interface needs an IP".
I am new to the Firepower architecture. I think I have set it up as per the statement: under Devices -> Device Management the FTD has a management IP set, therefore I can SSH straight into the FTD on this IP address, but I'm unsure what I should have as the interface setting in Devices -> Platform Settings -> SNMP Hosts,
or how I link the Device Management to the FTD management interface.
02-08-2020 07:17 PM
You are correct that as of the current Firepower release (6.5.0.2) we still need to assign a separate IP address to the diagnostic interface. That allows the NMS to interact with the LINA code within Firepower which handles SNMP instrumentation of the dataplane. The management interface, while it will respond to SNMP if configured to do so, only handles SNMP instrumentation of the physical appliance as it is based within the FX-OS subsystem.
Expect this to change ca. Firepower 6.7 later this year.
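The two planes described above show up directly in what an NMS walks back: polling the management IP returns only host-side interfaces (the tap0/tun1 names reported earlier in this thread), while polling the diagnostic interface address returns the LINA dataplane interfaces. The script below is an added example, not code from this thread or from Cisco: it parses snmpwalk-style `ifDescr` lines and reports which side answered, so a monitoring team can confirm that its poller is pointed at the right address. The interface-name patterns and the two sample walks are assumptions constructed for the example, not a Cisco specification of MIB contents.

```python
"""Tell which Firepower plane answered an SNMP ifDescr walk.

Added example (not from the thread or from Cisco). Feed it the text output of
'snmpwalk -v2c -c <community> <address> IF-MIB::ifDescr' and it classifies the
responder as the management/FX-OS side (host-style interfaces only) or the
LINA dataplane (named data interfaces). Name patterns are assumptions.
"""
import re
from dataclasses import dataclass, field

# Matches lines such as 'IF-MIB::ifDescr.3 = STRING: tap100' (quotes optional).
_IFDESCR_LINE = re.compile(
    r'^\s*(?:IF-MIB::)?ifDescr\.(?P<index>\d+)\s*=\s*STRING:\s*"?(?P<name>[^"]*?)"?\s*$'
)
# Host-side names: assumption based on the names the thread reports (tap0, tun1, ...).
_HOST_SIDE = re.compile(r"^(tap\d|tun\d|lo$|eth\d|br-|veth)", re.IGNORECASE)
# Dataplane names: assumption, typical LINA interface naming on Firepower hardware.
_DATAPLANE = re.compile(
    r"^(Ethernet\d|GigabitEthernet|TenGigabitEthernet|Port-channel|Management\d)",
    re.IGNORECASE,
)

# Constructed sample walks (not captured from a real device).
MGMT_WALK_TEXT = """IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: tap0
IF-MIB::ifDescr.3 = STRING: tap0.1
IF-MIB::ifDescr.4 = STRING: tap100
IF-MIB::ifDescr.5 = STRING: tun1
"""
DIAG_WALK_TEXT = """IF-MIB::ifDescr.1 = STRING: Ethernet1/1
IF-MIB::ifDescr.2 = STRING: Ethernet1/2
IF-MIB::ifDescr.3 = STRING: Port-channel1
IF-MIB::ifDescr.4 = STRING: Management1/1
"""


@dataclass
class WalkClassification:
    plane: str  # "lina-dataplane", "management-fxos" or "unknown"
    data_interfaces: list = field(default_factory=list)
    host_interfaces: list = field(default_factory=list)
    other: list = field(default_factory=list)


def parse_ifdescr_walk(text: str) -> dict:
    """Return {ifIndex: ifDescr} from snmpwalk text; lines that don't match are ignored."""
    result = {}
    for line in text.splitlines():
        m = _IFDESCR_LINE.match(line)
        if m:
            result[int(m.group("index"))] = m.group("name")
    return result


def classify_walk(ifdescr: dict) -> WalkClassification:
    """Bucket interface names and decide which plane produced the walk."""
    data, host, other = [], [], []
    for name in ifdescr.values():
        if _DATAPLANE.match(name):      # checked first: 'Ethernet1/1' also starts with 'eth'
            data.append(name)
        elif _HOST_SIDE.match(name):
            host.append(name)
        else:
            other.append(name)
    if data:
        plane = "lina-dataplane"
    elif host:
        plane = "management-fxos"
    else:
        plane = "unknown"
    return WalkClassification(plane, data, host, other)


def nms_target_advice(ifdescr: dict) -> str:
    """One-line verdict for whoever is setting up the poller."""
    c = classify_walk(ifdescr)
    if c.plane == "management-fxos":
        return ("only host-side interfaces answered (%s): this is the management/FX-OS "
                "side; poll the diagnostic interface address for dataplane statistics"
                % ", ".join(c.host_interfaces))
    if c.plane == "lina-dataplane":
        return "LINA dataplane answered; %d data interface(s) visible" % len(c.data_interfaces)
    return "no recognisable interfaces in the walk; check community/ACL and the target address"


if __name__ == "__main__":
    for label, text in (("management IP", MGMT_WALK_TEXT), ("diagnostic IP", DIAG_WALK_TEXT)):
        print("%s: %s" % (label, nms_target_advice(parse_ifdescr_walk(text))))
```

Run it against real `snmpwalk` output by piping the text into `parse_ifdescr_walk`; the "management-fxos" verdict is the symptom reported earlier in this thread (a target that polls fine but only shows tap/tun interfaces).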
11-08-2019 05:20 AM
02-14-2020 05:03 AM
This solution should be in official documentation. Thank You for this!
02-14-2020 08:02 AM
See this technote for official documentation:
It notes that the diagnostic interface:
02-16-2020 11:29 PM
I did not find this part anywhere in the documentation:
"This interface must be given an address in the "Device Management" settings. If you want it to communicate beyond its local subnet you must set up routing as well. And even though it never shows up in the list of available zones for adding SNMP access to, you can still type it in manually and add it in right below the list of Selected Zones/Interfaces."
02-17-2020 04:11 AM
Part of my responses are based on the official documentation where it exists and parts are drawn from years of experience working with the product. For this particular one I also found this other reference useful:
If you want the exact answer to appear in the configuration guide then you can submit feedback in the documents themselves. Most Cisco documentation has a feedback link on the document page.