08-14-2019 09:51 AM - edited 02-21-2020 09:24 AM
Hi everyone,
I have two ASA 5525 firewalls with FirePOWER modules. The first box has the FirePOWER module installed and it's added to the FMC. The second box (a second ASA 5525 with FirePOWER module) we just received, to run both boxes in failover mode. The second box is not installed/configured yet. The first FirePOWER module already has its management IP, which is used for management by FMC. However, when I install the second FirePOWER module on the second ASA, should I give it a different IP on the same subnet as the first FirePOWER, or the same IP as the first one? Also, on the FMC, will/should the two FirePOWER modules appear as two independent FirePOWER modules, or will they appear as one FirePOWER module configured with the same management IP, since they are installed on two ASAs in failover mode?
Please advise.
Thanks.
08-14-2019 07:46 PM
The Firepower service module on the second ASA operates completely independently. As such, it requires its own unique IP address, registration to FMC and licenses.
You can group the two modules in FMC for purposes of policy management but, other than that, they have no knowledge of each other's existence. The concepts of configuration synchronization that apply to the parent ASAs' configs do not apply to Firepower.
08-14-2019 08:14 PM
If I want to change the management IP of the FirePOWER module which is managed by the FMC, should I change it from inside the CLI of the FirePOWER module or from inside the FMC management interface? Which method is recommended and best practice? Thanks
08-14-2019 08:44 PM
It needs to be changed in both locations.
On FMC it tells the manager how to communicate to the sensor.
On the module it assigns the address on the underlying Linux operating system.