18470 Views · 30 Helpful · 18 Replies

Beginner

SNMP to the FTD management interface

I have a Firepower 4110 appliance running FTD v6.2. I can configure SNMP through the FMC at Devices -> Platform Settings -> SNMP. This allows me to perform SNMP queries to any of the data interfaces of the appliance, if I allow a "host" access to that interface. However, it does not allow me to send my SNMP polling to the management interface. The management interface is simply not in the list of possibilities for me to allow SNMP access to. Why not? The out-of-band management segment is where my SNMP monitoring system is based, and SNMP and other management functions are obviously exactly what the management interface exists for. How can I do SNMP monitoring of the FTD to the management IP address?

18 REPLIES

Rising star

Unfortunately that is not

Unfortunately that is not possible at the moment. The management IP address resides within the Firepower part of FTD and not within Lina. I am sure Cisco will find a solution to this design limitation, but at the moment you have to use an inband interface (which could also reside in the same segment btw).

Beginner

Just an update on this: I

Just an update on this: I found that kaisero is correct that the management interface resides within the Firepower part of FTD and does not respond to SNMP.  However, the diagnostic interface that shares the same physical port does.  This interface must be given an address in the "Device Management" settings.  If you want it to communicate beyond its local subnet you must set up routing as well.  And even though it never shows up in the list of available zones for adding SNMP access to, you can still type it in manually and add it in right below the list of Selected Zones/Interfaces.

ACCEPTED SOLUTION
Rising star

Glad to hear you got it

Glad to hear you got it working. I hope in the future Cisco will be able to expose the management interface in a unified way. Still, thinking about the Lina and Snort parts being separate for a diverse set of features is kinda daunting if you need stuff like SNMP, syslog, etc.


Beginner

Re: Glad to hear you got it

Hello All,

I am going through the same problem. Firepower FPR-2130 is integrated with FMC and needs to integrate with NMS monitoring, for which the SNMP configuration has been pushed to the Firepower from the FMC GUI, but that SNMP configuration is not reflected on the Firepower CLI.

Second, when logging in to the FPR CLI I can't even see the management IP anywhere in the configuration (this is the same IP which I am using for SSH login into the FPR). However, on the FMC GUI I can see the diagnostic interface (without an IP address, showing status green).

Additional information: while polling the FPR management IP from the NMS server, it is getting polled and is available in monitoring but doesn't contain any information (e.g. the FPR's actual interfaces which are in use for data/traffic flow). On the NMS it's only showing some unknown interfaces like tap0, tap0.1, tap100, tun1 etc., which are of no use for us.

> Firepower Version is 6.4.0.7

Referring to this post's conversation, if the only solution is to assign an IP on the diagnostic interface, can we assign an IP from the same subnet/IP pool to which the management IP belongs? I prefer to go with a solution where we don't require any ACL (sort of out-of-band); this is to avoid traffic (ACL) "to and from" multiple transit interfaces/hops between source and destination.

I searched a lot on this but didn't find a solution to overcome this limitation. Considering this as Cisco's limitation, and not sure if this has been taken care of and fixed by Cisco or not in the last 3 years, as this post was started and the diagnostic interface IP configuration suggestion was proposed in 2017.

I have attached FTD MGMT arch

I have attached the FTD MGMT arch for your review.

I want to know if there is any benefit in assigning an IP to the diagnostic interface?

Can it be integrated with an external ACS server for ASA FTD access?

Let me know if there is any concern in the attached image packet flow.

Rising star

I don't think it's a good idea

I don't think it's a good idea to access Lina directly since most of the Lina commands are already exposed in the clish mode. In case you want to use the diagnostic interface for monitoring (e.g. SNMP/logging of the Lina part) you could assign an IP address to it, but just keep in mind that it doesn't have its own VRF, so it will be just another inband interface.

Beginner

Re: Just an update on this: I

Hello, I have been trying to do the same thing but am unsure what to put in as the interface; when I added Management it came up with "Management Interface needs an IP".

I am new to the Firepower architecture. I think I have set it up as per the statement: under Devices - Device Management the FTD has a Management IP set, therefore I can SSH straight into the FTD on this IP address, but I am unsure what I should have as the interface setting in Devices - Platform Settings - SNMP hosts,

or how I link the Device Management to the FTD Management interface.

Hall of Fame Guru

Re: Just an update on this: I

You are correct that as of the current Firepower release (6.5.0.2) we still need to assign a separate IP address to the diagnostic interface. That allows the NMS to interact with the LINA code within Firepower which handles SNMP instrumentation of the dataplane. The management interface, while it will respond to SNMP if configured to do so, only handles SNMP instrumentation of the physical appliance as it is based within the FX-OS subsystem.

Expect this to change ca. Firepower 6.7 later this year.
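A practical way to confirm which of the two planes a poll actually reached, given the split described above: walk ifDescr against the address you are polling and look at the interface names. The tap0/tun1-style names reported earlier in the thread are the management-plane view of the appliance; Ethernet1/1-style names come from the LINA dataplane, which is what an NMS normally wants. The following Python is an added example written for this page, not code from the thread or from Cisco: the snmpwalk output is constructed, and the interface-naming patterns are assumptions that may need adjusting for a given platform.

```python
"""Classify an SNMP ifDescr walk to tell which Firepower plane answered the poll."""
import re
from typing import Dict, List

# Constructed sample net-snmp style output for two polls of the same appliance.
# These strings were written for this example; they are not captured device output.
MGMT_IP_WALK = """\
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: tap0
IF-MIB::ifDescr.4 = STRING: tap0.1
IF-MIB::ifDescr.5 = STRING: tap100
IF-MIB::ifDescr.6 = STRING: tun1
"""

DIAG_IP_WALK = """\
IF-MIB::ifDescr.1 = STRING: Ethernet1/1
IF-MIB::ifDescr.2 = STRING: Ethernet1/2
IF-MIB::ifDescr.3 = STRING: Port-channel1
"""

# Assumed naming conventions (adjust per platform): LINA dataplane interfaces
# carry ASA-style names; the management plane shows Linux-style tap/tun/eth names.
DATAPLANE_NAME_RE = re.compile(
    r"^(Ethernet\d+/\d+|(Ten)?GigabitEthernet\d+/\d+|Port-channel\d+)$"
)
MGMT_PLANE_NAME_RE = re.compile(r"^(lo|eth\d+|tap\d+(\.\d+)?|tun\d+|br\d+|docker\d+)$")

# Accepts both the symbolic (IF-MIB::ifDescr.N) and numeric (.1.3.6.1.2.1.2.2.1.2.N)
# forms that net-snmp prints, with or without quotes around the value.
_IFDESCR_LINE = re.compile(
    r"^(?:IF-MIB::ifDescr|\.?1\.3\.6\.1\.2\.1\.2\.2\.1\.2)\.(\d+)\s*=\s*STRING:\s*\"?(.*?)\"?\s*$"
)


def parse_ifdescr_walk(text: str) -> Dict[int, str]:
    """Parse 'snmpwalk ... ifDescr' output into {ifIndex: ifDescr}; unknown lines are skipped."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        m = _IFDESCR_LINE.match(line.strip())
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def classify_walk(table: Dict[int, str]) -> str:
    """Return 'lina-dataplane', 'management-plane', 'unknown' or 'empty' for a parsed walk."""
    names: List[str] = list(table.values())
    if not names:
        return "empty"
    if any(DATAPLANE_NAME_RE.match(n) for n in names):
        return "lina-dataplane"
    if any(MGMT_PLANE_NAME_RE.match(n) for n in names):
        return "management-plane"
    return "unknown"


def check_poll_target(walk_text: str) -> dict:
    """Summarise a walk: which plane answered, the interface names seen, and whether
    the poll reached the dataplane (the usual goal for traffic monitoring)."""
    table = parse_ifdescr_walk(walk_text)
    plane = classify_walk(table)
    return {
        "plane": plane,
        "interfaces": sorted(table.values()),
        "ok": plane == "lina-dataplane",
    }


if __name__ == "__main__":
    for label, walk in (("management IP", MGMT_IP_WALK), ("diagnostic IP", DIAG_IP_WALK)):
        result = check_poll_target(walk)
        print(f"{label}: plane={result['plane']} ok={result['ok']} "
              f"interfaces={result['interfaces']}")
```

Feed it the raw output of a walk against each candidate address; a result of `management-plane` with `ok=False` is the symptom the earlier post describes (only tap0, tap0.1, tap100, tun1 visible) and means the poll did not reach LINA.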

Beginner

Re: Just an update on this: I

I tried to set up an address on the diagnostic interface in the same subnet as the management interface, but I am unable to ping it. Shouldn't it ping from other IPs in the same subnet, or is there anything else required to be done?

Beginner

Re: Just an update on this: I

This solution should be in official documentation. Thank You for this!

Hall of Fame Guru

Re: Just an update on this: I

See this technote for official documentation:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html#anc9

It notes that the diagnostic interface:

  • Provides remote access (e.g. SNMP) to the ASA engine.
  • Used as a source for LINA-level syslogs, AAA, SNMP etc. messages.

Beginner

Re: Just an update on this: I

I did not find anywhere in documentation this part:

"This interface must be given an address in the "Device Management" settings.  If you want it to communicate beyond its local subnet you must set up routing as well.  And even though it never shows up in the list of available zones for adding SNMP access to, you can still type it in manually and add it in right below the list of Selected Zones/Interfaces."

 

Hall of Fame Guru

Re: Just an update on this: I

Part of my responses are based on the official documentation where it exists and parts are drawn from years of experience working with the product. For this particular one I also found this other reference useful:

https://community.cisco.com/t5/security-documents/configuring-nsel-netflow-on-cisco-firepower-threat-defense-ftd/ta-p/3646300

If you want the exact answer to appear in the configuration guide then you can submit feedback in the documents themselves. Most Cisco documentation has a feedback link on the document page.