
Firepower Threat Defense management via data interface

scottsassin
Level 1

I have a pair of Firepower 1120s, in an HA pair, that I want to manage via a data interface. Presently I have them managed via the management interface.

This is for a branch office that is connected to HQ via IPSec to another pair of FTDs.

I followed the guide online. I enabled management on the outside interface, where the VPN peer is configured, but when I issue the command “configure network ipv4 manual <IP> <Mask> data-interfaces” on the FTD, I can no longer ping the FMC.

The management IP is within the interesting traffic of the VPN.  

2 Replies

You cannot; for HA you cannot use a data interface for mgmt.

I read this in a Cisco doc. Later today I will share the link with you.

Thanks 

MHM

scottsassin
Level 1

At the threat defense CLI (preferably from the console port), set the Management interface to use a static IP address and set the gateway to use the data interfaces. For high availability, perform this step on both units.

configure network {ipv4 | ipv6} manual ip_address netmask data-interfaces

ip_address netmask —Although you do not plan to use the Management interface, you must set a static IP address, for example, a private address so that you can set the gateway to data-interfaces (see the next bullet). You cannot use DHCP because the default route, which must be data-interfaces, might be overwritten with one received from the DHCP server.

data-interfaces —This setting forwards management traffic over the backplane so it can be routed through the manager access data interface.
