What if FTD loses connection to FMC?

InTheJuniverse
Level 1

Since there is no way to manage FTD other than through FMC, what if for some reason; say if incorrect configuration is pushed that broke connectivity between FTD and FMC, how do I access FTD? How do I revert configuration?


8 Replies

Marvin Rhoads
Hall of Fame
Actually FTD has other management options - FDM, CDO and via third party using the APIs. That said, they cannot coexist with FMC management. If you were to push an odd configuration that somehow blocked the communications between FTD and the managing FMC it could be difficult to recover. You could always "configure manager delete" and "configure manager add" to re-register with FMC and then reapply a policy that did not include the incorrect configuration. If you are running a 6.3 or later version and backing up your FTD device using FMC you could also restore to a known good backup. https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/backup_and_restore.html#ID-2200-0000016e
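The re-registration sequence Marvin describes has to be typed at the FTD CLI (console or SSH to the management interface), so it is easy to get the arguments wrong under pressure. The helper below, an added example written for this thread and not Cisco code, reads a pasted copy of `show managers` output, decides whether the manager link is actually broken, and builds the `configure manager delete` / `configure manager add <host> <regkey> [nat_id]` sequence with the arguments checked first (valid IP, hostname or DONTRESOLVE, a non-blank registration key, and a NAT ID when DONTRESOLVE is used). The sample `show managers` output is constructed; the exact fields printed vary by Firepower version, and only the `Host` and `Registration` lines are relied on. Remember that re-adding the device in FMC with the same registration key is the other half of re-registering.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample of `show managers` output from an FTD whose
# registration never completed. Field layout is an assumption based on
# the "Key : Value" style of the command; versions differ in which
# fields are shown.
SAMPLE_SHOW_MANAGERS = """\
Type                      : Manager
Host                      : 10.0.0.5
Registration              : Pending
"""

_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
)


def parse_show_managers(output: str) -> Dict[str, str]:
    """Turn the 'Key : Value' lines of `show managers` into a dict.

    Only the first ':' separates key from value, so IPv6 hosts survive.
    """
    info: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def needs_reregistration(info: Dict[str, str]) -> bool:
    """True unless the device reports a completed registration to some host."""
    return (info.get("Registration", "").lower() != "completed"
            or not info.get("Host"))


def _valid_manager_host(host: str) -> bool:
    """Accept what `configure manager add` accepts: IP, hostname or DONTRESOLVE."""
    if host == "DONTRESOLVE":
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.fullmatch(host))


def recovery_commands(fmc_host: str, regkey: str,
                      nat_id: Optional[str] = None) -> List[str]:
    """Build the FTD CLI sequence to drop and re-add the FMC manager.

    Raises ValueError rather than emitting a command that FTD would reject
    or that would register against the wrong manager.
    """
    if not _valid_manager_host(fmc_host):
        raise ValueError(f"not a valid manager host: {fmc_host!r}")
    if not regkey or any(ch.isspace() for ch in regkey):
        raise ValueError("registration key must be non-empty and contain no whitespace")
    if fmc_host == "DONTRESOLVE" and not nat_id:
        raise ValueError("DONTRESOLVE requires a NAT ID so FMC can match the device")
    if nat_id is not None and any(ch.isspace() for ch in nat_id):
        raise ValueError("NAT ID must not contain whitespace")

    add = f"configure manager add {fmc_host} {regkey}"
    if nat_id:
        add += f" {nat_id}"
    # Final `show managers` lets the operator confirm Registration: Completed.
    return ["configure manager delete", add, "show managers"]


def plan_recovery(show_managers_output: str, fmc_host: str, regkey: str,
                  nat_id: Optional[str] = None) -> List[str]:
    """Return the commands to run, or [] if the manager link looks healthy."""
    info = parse_show_managers(show_managers_output)
    if not needs_reregistration(info):
        return []
    return recovery_commands(fmc_host, regkey, nat_id)


if __name__ == "__main__":
    # 10.0.0.5 and the key are placeholders for the lab, not real values.
    for cmd in plan_recovery(SAMPLE_SHOW_MANAGERS, "10.0.0.5", "cisco123"):
        print(cmd)
```

The script runs on an admin workstation, not on the FTD; it only prepares and sanity-checks the commands you then paste into the FTD CLI. A `Registration: Pending` (or missing) line is treated as broken; anything else is left alone so a healthy device is never deregistered by accident.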

Thank you as always, Marvin.


There is no way to revert the configuration, right?

You're welcome. There's currently (as of Firepower 6.5) no way to revert or roll back the configuration from the FTD device.

One quick question, after losing connection with FMC, what about the existing policies on the FTD? Will FTD still be able to function with policies already downloaded to the box?

Yes - for the most part. There are a few things like URL lookup for non-cached entries that may be affected. Your prefilter and general Access Control Policy rules based on 5-tuples, AppID, SGT, identity etc. as well as associated IPS, SSL File policies etc. will all work just fine.

Thank you.

ashleybabajee
Level 1

Hi @Marvin Rhoads,

If for any reason we lose connection to FMC and have to change the default action to "Allow all traffic", is there any such command on the FTD CLI?


Thanks

No.

You cannot change the access control policy or the default action for handling traffic from the FTD CLI (with or without FMC management).
