Solved: New Cisco Firepower FPR 1120 Configuration

ssan239 · ‎06-06-2023

Hi Team,

We have got new Cisco Firepower FPR 1120 which is the replacement FTD for our ASA 5545. We need to configure the FTD as same as ASA. ASA do not have any Mgmt interface configured. So we need to manage the LAN interface of FTD as the Mgmt interface. Also we need to manage the FTD locally not via FMC.

What will be our first step. How can we use the Firepower Migration tool for the FTD which is managed locally?

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1100/firepower-1100-gsg/ftd-fmc.html

I was going through the link above but that is again for the device managed via FMC.

Is there any link which i go through. Also if i manage the device locally it is managing with the FDM itself right? Also if i am managing locally can i use CLI for any configuration of the device?

Please add some inputs on this. Need to get it done by Thursday please suggest.

Regards,

Sanjay S

Rob Ingram · ‎06-06-2023

@ssan239

https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-get-started.html

Post initial configuration you can navigate to System Settings > Management Access > Data Interfaces and permit access on additional data interfaces as required.

View solution in original post

MHM Cisco World · ‎06-06-2023

Migrate tool can not use for migrate from FW mgmt by fdm to FW mgmt by fmc

MHM Cisco World · ‎06-06-2023

CDO can help you migrate your Adaptive Security Appliance (ASA) to an FDM-managed device. CDO provides the ASA to FDM Migration wizard to help you migrate your ASA's running configuration to an FDM template.

Note:- if you use cdo then ftd will mgmt by fdm only not fmc.

Rob Ingram · ‎06-06-2023

@ssan239 if you are using FDM to manage the device locally, then you cannot use the Firepower Migration Tool.

You can use the CDO tool to migrate the ASA configuration to FDM. https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CDO/ASA2FTD_Using_CDO/m_how_to_implement_migration.html

If you need it done by Thursday, it might be quicker to configure the device from scratch.

99.9% of the configuration of the FTD must be performed using the FDM GUI. CLI is primarily used to configure the mgmt interface and diagnostics/troubleshooting.

ssan239 · ‎06-06-2023

Thank you Rob for the information.

Is there any other way to manage FTD other than FMC and FDM? Based on my understanding there are only 2 way one is via FMC and the other is locally that is nothing but FDM, is my understanding correct?

Also Can i use the LAN interface to manage the FPR1120 as ASA config do not have specific Mgmt interface?

Regards,

Sanjay S

Rob Ingram · ‎06-06-2023

@ssan239 there are 4 ways:

Local = FDM
Central (On-premise) = FMC
Central (Cloud) = CDO or cdFMC (Cloud delivered FMC)

You can manage the FDM using the dedicated mgmt interface or data (LAN) interface.

ssan239 · ‎06-06-2023

Getting better understanding now. Thanks Rob.

You can manage the FDM using the dedicated mgmt interface or data (LAN) interface.

Is there any document on how to configure this?

Rob Ingram · ‎06-06-2023

@ssan239

https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-get-started.html

Post initial configuration you can navigate to System Settings > Management Access > Data Interfaces and permit access on additional data interfaces as required.

ssan239 · ‎06-06-2023

Great! looks simple. Thanks alot Rob for the help

MHM Cisco World · ‎06-06-2023

You can sure use mgmt interface but for data interface for fdm I think you need management only for this interface to connect fdm to fpr.

Just want to notice you

Thanks

MHM

Rob Ingram · ‎06-06-2023

@MHM Cisco World that's incorrect, this is FDM, it sounds like you are confusing this with ASA with Firepower Module. Not the same thing.

MHM Cisco World · ‎06-06-2023

I know this FPR and that why I mention he must config management only for data interface use to connect to fdm.

I will be sure check Cisco doc. And share cisco recommends here.

Thanks

MHM

Rob Ingram · ‎06-06-2023

@MHM Cisco World wrote:

I know this FPR and that why I mention he must config management only for data interface use to connect to fdm.

You do not have to configure management only for a data interface, it's a data interface it can used for management and data (transit) traffic at the same time (as per the example I provided from a live FDM FPR1010 device).

The dedicated management interface does not need to be used at all, if not required - its optional.

MHM Cisco World · ‎06-06-2023

Using CLI' I will check the available command if you try using CLI.

Thanks

MHM

ssan239 · ‎06-07-2023

Hi Rob,

I am unsure that we have a CDO tenancy. When i click on initial login hyperlink it is diverting to the below page.

https://docs.defenseorchestrator.com/Welcome_to_Cisco_Defense_Orchestrator/Basics_of_Cisco_Defense_Orchestrator/0010_Initial_Login

Not really sure where to login to get the migration config for the FTD. We do have Cisco account where we mange the licenses and stuff. Not really sure if the same account we can use? If so where to login for this CDO?

Regards,

Sanjay S