Configure Manager Access on FTD from Management to Data Interface

Available Languages

Download Options

  • PDF     (1.5 MB)
    View with Adobe Reader on a variety of devices
Updated:July 18, 2024
Document ID:222145

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the process for modifying the Manager Access on the Firepower Threat Defense (FTD) from a Management to a Data interface.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Firepower Threat Defense
    • Firepower Management Center

    Components Used

    • Firepower Management Center Virtual 7.4.1
    • Firepower Threat Defense Virtual 7.2.5

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Each device includes a single dedicated Management interface for communicating with the FMC. You can optionally configure the device to use a data interface for management instead of the dedicated Management interface, The FMC access on a data interface is useful if you want to manage the Firepower Threat Defense remotely from the outside interface, or you do not have a separate management network. This change has to be performed on the Firepower Management Center (FMC) for FTD managed by FMC.

    The FMC access from a data interface has the a few limitations:

    • You can only enable manager access on one physical, data interface. You cannot use a subinterface or EtherChannel.
    • Routed firewall mode only, using a routed interface.
    • PPPoE is not supported. If your ISP requires PPPoE, you have to put a router with PPPoE support between the Firepower Threat Defense and the WAN modem.
    • You cannot use separate management and event only interfaces.

    Configure

    Proceed with Interface Migration

    note-icon

    Note: It is strongly recommended to have the latest backup of both FTD and FMC before proceeding with any changes.

    1. Navigate to Devices > Device Management page, click Edit for the device you are making changes.

    Navigate to Device Management to Edit

    2. Go to the Device > Management section, and click the link for Manager Access Interface.

    Modify the Management Access Interface

    The Manager Access Interface field displays the existing Management interface. Click the link to select the new interface type, which is the Data Interface option in the Manage device by drop down list and click Save.

    Change the Manager Access Interface from Management to Data

    3. You must now proceed to Enable management access on a data interface, navigate to Devices > Device Management > Interfaces > Edit Physical Interface > Manager Access.

    Enable Management Access on Interface

    note-icon

    Note: (Optional) If you use a secondary interface for redundancy, Enable management access on the interface used for redundancy purpose.

    (Optional) If you use DHCP for the interface, enable the web type DDNS method on the Devices > Device Management > DHCP > DDNS dialog.

    (Optional) Configure DNS in a Platform Settings policy, and apply it to this device at Devices > Platform Settings > DNS.

    4. Make sure the threat defense can route to the management center through the data interface; add a static route if necessary on Devices > Device Management > Routing > Static Route.

    1. Click IPv4or IPv6 depending on the type of static route that you are adding.
    2. Choose the Interface to which this static route applies.
    3. In the Available Network list, choose the destination network.
    4. In the Gateway or IPv6 Gateway field, enter or choose the gateway router which is the next hop for this route.

       (Optional) To monitor route availability, enter or choose the name of an Service Level Agreement (SLA) Monitor object that defines the monitoring policy, in the Route Tracking field.

    Configure Static Route for FTD

    5. Deploy configuration changes. The configuration changes are now deployed over the current Management interface.

    6. At the FTD CLI, set the Management interface to use a static IP address and the gateway to be data-interfaces.

    • configure network {ipv4 | ipv6} manual ip_address netmask data-interfaces

    Configure Management on FTD to Use Data Interface as Gateway

    note-icon

    Note: Although you do not plan to use the Management interface, you must set a static IP address. For example, a private address so that you can set the gateway to data-interfaces. This management is used to forward the management traffic to data interface using tap_nlp interface.

    7. Disable the Management in the Management Center, Click Edit and update the Remote Host Address IP addressand (Optional)Secondary Address for the threat defense in the Devices > Device Management > Device > Management section, and enable the connection.

    Disable FTD Management on FMC

    Enable SSH on Platform Settings

    Enable SSH for the data interface in Platform Settings policy, and apply it to this device at Devices > Platform Settings > SSH Access.Click Add .

    1. The hosts or networks you are allowing to make SSH connections.
    2. Add the zones that contain the interfaces to which to allow SSH connections. For interfaces not in a zone, you can type the interface name into the field Selected Zones/Interfaces list and click Add.
    3. Click OKDeploy the changes

    Configure SSH in Platform Settings

    note-icon

    Note: SSH is not enabled by default on the data interfaces, so if you want to manage the threat defense using SSH, you need to explicitly allow it.

    Verify

    Ensure that the management connection is established over the Data interface.

    Verify from FMC Graphical User Interface (GUI)

    In the management center, check the management connection status on the Devices > Device Management > Device > Management > Manager Access - Configuration Details > Connection Status page.

    Verify the Management Connectivity Status Between FMC and FTD

    Verify from FTD Command Line Interface (CLI)

    At thethreat defenseCLI, enter thesftunnel-status-briefcommand to view the management connection status.

    Command Output of sftunnel-status-brief

    The status shows a successful connection for a data interface, showing the internal tap_nlp interface.

    Troubleshoot

    In the management center, check the management connection status on the Devices > Device Management > Device > Management > Manager Access - Configuration Details > Connection Status page.

    At thethreat defenseCLI, enter thesftunnel-status-briefcommand to view the management connection status. You can also usesftunnel-statusto view more complete information.

    Management Connection Status

    Working Scenario

    Command Output of sftunnel-status-brief Indicating tap_nlp Interface

    Non-Working Scenario

    Command Output of sftunnel-status Connectivity Status

    Validate the Network Information

    At thethreat defenseCLI, view the Management and manager access data interface network settings:

    > show network

    Show Network Output on FTD

    Validate the Manager State

    At the threat defense CLI, check that the management center registration was completed.

      > show managers

    Show Managers Command Output on FTD

    note-icon

    Note: This command does not show the current status of the management connection.

    Validate Network Connectivity

    Ping the Management Center

    At thethreat defenseCLI, use the command to ping themanagement centerfrom the data interfaces:

      >  ping fmc_ip

    Ping to FMC to Verify Connectivity from FMC

    At thethreat defenseCLI, use the command to ping themanagement centerfrom the Management interface, which routes over the backplane to the data interfaces:

      >  ping system fmc_ip

    Ping to FMC to Verify Connectivity from FMC over Management Interface

    Check Interface Status, Statistics, and Packet Count

    At thethreat defenseCLI, see information about the internal backplane interface, nlp_int_tap:

      >  show interface detail

    Interface Stats on FTD

    Validate Route on FTD to Reach FMC

    At thethreat defenseCLI, check that the default route (S*) was added and that internal NAT rules exist for the Management interface (nlp_int_tap).

      > show route

    Validating Route on FTD

      >  show nat

    NAT Config on FTD for Management Traffic

    Check Sftunnel and Connection Statistics

      >  show running-config sftunnel

    Running Config for Sftunnel

    warning-icon

    Warning: Throughout the process of changing manager access, refrain from deleting the manager on the FTD or unregistering/force deleting the FTD from FMC.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    18-Jul-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Saikumar Boinpally
      Security Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products