Configure FDM On-Box Management Service for The Secure Firewall 2100

Available Languages

Download Options

  • PDF     (1.3 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.4 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (433.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 30, 2025
Document ID:213519

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure the Secure Firewall Device Management (FDM) On-Box management service for the Secure Firewall 2100 series with FTD installed.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Firewall 2100, FTD software installation
    • Cisco Secure Firewall Threat Defense (FTD) basic configuration and troubleshooting

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco Secure Firewall 2100 series
    • Cisco FTD version 6.2.3

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    The main intention of this document is to guide you through the steps required to enable the FDM On-Box management for the Secure Firewall 2100 series.

    You have two options to manage the Secure Firewall Threat Defense (FTD) installed on a secure firewall 2100 series:

    • The Secure Firewall Device Management (FDM) On-Box management
    • The Cisco Secure Firewall Management Center (FMC)

    Note: An FTD installed on a Secure Firewall 2100 cannot be managed simultaneously by both FDM and FMC. Enabling FDM On-Box management on the Secure Firewall 2100 FTD prevents management via FMC, unless local management is disabled and reconfigured for FMC. Conversely, registering the FTD to an FMC automatically disables the FDM On-Box management service on the device.

    Use the Secure Firewall Migration Tool (FMT) to seamlessly migrate the configuration from a locally managed device using FDM to being managed by the FMC, as detailed in the Migrating an FDM Managed device to Cisco Secure Firewall Threat Defense with the Migration tool

    The management interface is divided into 2 logical interfaces, br1 (management0 on 2100/4100/9300 appliances) and diagnostic:

    Management Interface Divided into 2 Logical Interfaces: br1 and Diagnositc

      Management - br1/management0 Management - Diagnostic
    Purpose
    • This interface is used in order to assign the FTD IP that is used for FTD/FMC communication.
    • Terminates the sftunnel between FMC/FTD.
    • Used as a source for rule-based syslogs.
    • Provides SSH and HTTPS access to the FTD box.
    • Provides remote access (for example, SNMP) to ASA engine.
    • Used as a source for LINA-level syslogs, AAA, SNMP and so on messages.
    Mandatory

    Yes, since it is used for FTD/FMC communication (the sftunnel terminates on it).

    No, and it is not recommended to configure it. The recommendation is to use a data interface instead (check the note below).

    Note: The benefit of leaving the IP address off of the diagnostic interface is that you can place the management interface on the same network as any other data interface. If you configure the diagnostic interface, its IP address must be on the same network as the management IP address, and it counts as a regular interface that cannot be on the same network as any other data interfaces. Because the management interface requires internet access for updates, to put the management interface on the same network as an inside FTD interface means you can deploy the FTD with only a switch on the LAN and point the inside interface as the default gateway for the management interface (This just applies when the FTD is deployed in routed mode).

    The FTD can be installed in a secure firewall 2100 appliance. The chassis runs its own operating system called Secure Firewall eXtensible Operating System (FXOS) to control basic operations of the device, while the FTD logical device is installed on a module/blade.

    Note: You can use the FXOS Graphic User Interface (GUI) called Secure Firewall Chassis Manager (FCM) or the FXOS Command Line Interface (CLI) to configure fchassis functions; however the GUI FCM is not available when the FTD is installed on the 2100 series, just the FXOS CLI.

    Secure Firewall  21xx appliance:

    Firepower 21xx Appliance

    Note: On the secure firewall 2100 series, the management interface is shared between the chassis FXOS and the FTD logical device. 

    Configure

    Network Diagram

    The default configuration assumes that certain secure firewall 2100 interfaces are used for the inside and outside networks. Initial configuration is easier to complete if you connect network cables to the interfaces based on these expectations. To cable the secure firewall 2100 series, see the next image.

    Network Diagram - How to Cable the Firepower 2100 Series

    NoteThe image shows a simple topology that uses a Layer 2 switch. Other topologies can be used and your deployment can vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.

    Configurations

    In order to enable the FDM On-Box management on the secure firewall 2100 series proceed as follows.

    1. Console access into the 2100 chassis and connect to the FTD application.

    firepower# connect ftd
>

    2. Configure the FTD management IP address.

    >configure network ipv4 manual 10.88.243.253 255.255.255.128 10.88.243.1

    3. Configure the management type as local.

    >configure manager local

    4. Configure from which IP addresses/subnets the On-Box management access to the FTD can be allowed.

    >configure https-access-list 0.0.0.0/0

    5. Open a browser and https into the IP address you configured to manage the FTD. This can open the FDM (On-Box) manager.

    Open the FDM On-Box Manager

    6. Log in and use the default secure firewall credentials, username admin, and password Admin123.

    Log in and Use the Default Firepower Credentials

    Verify

    1. Verify the network settings you configured for the FTD with the next command.

    > show network
===============[ System Information ]===============
Hostname                  : firepower
DNS Servers               : 10.67.222.222
                            10.67.220.220
Management port           : 8305
IPv4 Default route
  Gateway                 : 10.88.243.129

==================[ management0 ]===================
State                     : Enabled
Channels                  : Management & Events
Mode                      : Non-Autonegotiation 
MDI/MDIX                  : Auto/MDIX 
MTU                       : 1500
MAC Address               : 00:2C:C8:41:09:80
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.88.243.253
Netmask                   : 255.255.255.128
Broadcast                 : 10.88.243.255
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

    2. Verify the management type you configured for the FTD with the next command.

    > show managers 
Managed locally.

    Related Information

    Revision History

    Revision Publish Date Comments
    4.0
    30-Apr-2025
    Recertification
    3.0
    06-Mar-2024
    Updated SEO and Formatting.
    2.0
    16-Jan-2023
    Added Alt Text Updated Title, Introduction, Machine Translation, Style Requirements, SEO, Gerunds and Formatting.
    1.0
    27-Jul-2018
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Christian G Hernandez R
      Technical Consulting Engineer
    • Sergio Ceron Ramirez
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products