FMC and FTD Management Network Administration

This document describes the management connection between the Cisco Firepower Management Center (FMC) and the Cisco Firepower Threat Defense (FTD), management network basics, and how to change network settings, including changing the IP address of the FTD or FMC, or both.

About Device Management Interfaces

Each device includes a single dedicated Management interface for communicating with the FMC.

You can perform initial setup on the management interface, or on the console port.

Management interfaces are also used to communicate with the Smart Licensing server, to download updates, and to perform other management functions.

Management Interfaces on the FMC

The FMC uses the eth0 interface for initial setup, HTTP access for administrators, management of devices, as well as other management functions such as licensing and updates.

You can also configure additional management interfaces on the same network, or on different networks. When the FMC manages large numbers of devices, adding more management interfaces can improve throughput and performance. You can also use these interfaces for all other management functions. You might want to use each management interface for particular functions; for example, you might want to use one interface for HTTP administrator access and another for device management.

For device management, the management interface carries two separate traffic channels: the management traffic channel carries all internal traffic (such as inter-device traffic specific to managing the device), and the event traffic channel carries all event traffic (such as web events). You can optionally configure a separate event-only interface on the FMC to handle event traffic; you can configure only one event interface. Event traffic can use a large amount of bandwidth, so separating event traffic from management traffic can improve the performance of the FMC. For example, you can assign a 10 GigabitEthernet interface to be the event interface, if available, while using 1 GigabitEthernet interfaces for management. You might want to configure an event-only interface on a completely secure, private network while using the regular management interface on a network that includes Internet access, for example. You can also use both management and event interfaces on the same network if the goal is only to take advantage of increased throughput. If you configure an event-only interface on the FMC, you can support devices with separate management and event-only interfaces, but also devices that do not have separate interfaces. For devices with a single combined management/event interface, all traffic goes to the FMC management interface.


Note

All management interfaces support HTTP administrator access as controlled by your Access List configuration. However, you cannot restrict an interface to only HTTP access; management interfaces always support device management (management traffic, event traffic, or both).



Note

Only the eth0 interface supports DHCP IP addressing. Other management interfaces only support static IP addresses.


Management Interfaces on the FTD

Some models include an additional management interface that you can configure for event-only traffic, so you can separate management and event traffic when communicating with the FMC.

When you set up your device, you specify the FMC IP address that you want to connect to. Both management and event traffic go to this address at initial registration. Note: In some situations, the FMC might establish the initial connection on a different management interface; subsequent connections should use the management interface with the specified IP address.

If both the device and the FMC have separate event interfaces, then after they learn about each other's event interfaces during management communication, subsequent event traffic is sent between these interfaces if the network allows. If the event network goes down, then event traffic reverts to the regular management interface. The device uses a separate event interface when possible, but the management interface is always the backup. If you use only one management interface on the managed device, then you cannot send management traffic to the FMC management interface, and then send event traffic to the separate FMC event interface; both FMC and managed device must have separate event interfaces. In this case, both management and event traffic go to the FMC management interface, and the FMC event interface is not used for this device.

Management Interface Support Per FMC Model

See the hardware installation guide for your model for the management interface locations.

See the following table for supported management interfaces on each FMC model.

Table 1. Management Interface Support on the FMC

MC750, MC1500, MC3500
  Management Interfaces: eth0 (Default), eth1

MC2000, MC4000
  Management Interfaces: eth0 (Default), eth1, eth2, eth3

MC1000
  Management Interfaces: eth0 (Default), eth1

MC1600, MC2500, MC2600, MC4500, MC4600
  Management Interfaces: eth0 (Default), eth1, eth2, eth3

Firepower Management Center Virtual
  Management Interfaces: eth0 (Default)

Management Interface Support Per Device Model

See the hardware installation guide for your model for the management interface locations.


Note

For the Firepower 4100/9300 chassis, the MGMT interface is for chassis management, not for FTD logical device management. You must configure a separate NIC interface to be of type mgmt (and/or firepower-eventing), and then assign it to the FTD logical device.



Note

For FTD on any chassis, the physical management interface is shared between two logical interfaces: the Diagnostic logical interface, which is useful for SNMP or syslog and is configured along with the data interfaces in the FMC, and the Management logical interface, which is used for FMC communication.


See the following table for supported management interfaces on each managed device model.

Table 2. Management Interface Support on Managed Devices

Firepower Threat Defense on the Firepower 1000
  Management Interface: management0 (the internal name of the Management 1/1 interface)
  Optional Event Interface: No support

Firepower Threat Defense on the Firepower 2100
  Management Interface: management0 (the internal name of the Management 1/1 interface)
  Optional Event Interface: No support

Firepower Threat Defense on the Firepower 4100 and 9300
  Management Interface: management0 (the internal name of this interface, regardless of the physical interface ID)
  Optional Event Interface: management1 (the internal name of this interface, regardless of the physical interface ID)

Firepower Threat Defense on the ASA 5508-X or 5516-X
  Management Interface: br1 (the internal name of the Management 1/1 interface)
  Optional Event Interface: No support

Firepower Threat Defense on the ASA 5525-X through 5555-X
  Management Interface: br1 (the internal name of the Management 0/0 interface)
  Optional Event Interface: No support

Firepower Threat Defense on the ISA 3000
  Management Interface: br1 (the internal name of the Management 1/1 interface)
  Optional Event Interface: No support

Firepower Threat Defense Virtual
  Management Interface: eth0
  Optional Event Interface: No support

Network Routes on FMC Management Interfaces

Management interfaces (including event-only interfaces) support only static routes to reach remote networks. When you set up your FMC, the setup process creates a default route to the gateway IP address that you specify. You cannot delete this route; you can only modify the gateway address.

You can configure multiple management interfaces on some platforms. The default route does not include an egress interface, so the interface chosen depends on the gateway address you specify, and which interface's network the gateway belongs to. In the case of multiple interfaces on the default network, the device uses the lower-numbered interface as the egress interface.

At least 1 static route is recommended per management interface to access remote networks, including when multiple interfaces are on the same network.

For example, on the FMC both eth0 and eth1 are on the same network, but you want to manage a different group of devices on each interface. The default gateway is 192.168.45.1. If you want eth1 to manage devices on the remote 10.6.6.0/24 destination network, you can create a static route for 10.6.6.0/24 through eth1 with the same gateway of 192.168.45.1. Traffic to 10.6.6.0/24 will hit this route before it hits the default route, so eth1 will be used as expected.

If you want to use 2 FMC interfaces to manage remote devices that are on the same network, then static routing on the FMC may not scale well, because you need separate static routes per device IP address.

Another example includes separate management and event-only interfaces on both the FMC and the managed device. The event-only interfaces are on a separate network from the management interfaces. In this case, add a static route through the event-only interface for traffic destined for the remote event-only network, and vice versa.

Network Routes on Device Management Interfaces

Management interfaces (including event-only interfaces) support only static routes to reach remote networks. When you set up your managed device, the setup process creates a default route to the gateway IP address that you specify. You cannot delete this route; you can only modify the gateway address.


Note

The routing for management interfaces is completely separate from routing that you configure for data interfaces.


You can configure multiple management interfaces on some platforms (a management interface and an event-only interface). The default route does not include an egress interface, so the interface chosen depends on the gateway address you specify, and which interface's network the gateway belongs to. In the case of multiple interfaces on the default network, the device uses the lower-numbered interface as the egress interface.

At least 1 static route is recommended per management interface to access remote networks, including when multiple interfaces are on the same network.

For example, both management0 and management1 are on the same network, but the FMC management and event interfaces are on different networks. The gateway is 192.168.45.1. If you want management1 to connect to the FMC's event-only interface at 10.6.6.1/24, you can create a static route for 10.6.6.0/24 through management1 with the same gateway of 192.168.45.1. Traffic to 10.6.6.0/24 will hit this route before it hits the default route, so management1 will be used as expected.

Another example includes separate management and event-only interfaces on both the FMC and the managed device. The event-only interfaces are on a separate network from the management interfaces. In this case, add a static route through the event-only interface for traffic destined for the remote event-only network, and vice versa.
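The two routing examples above (the FMC eth0/eth1 case and the device management0/management1 case) follow the same rules: a static route whose destination matches is used first, otherwise the default route is used, and because the default route carries no egress interface, the interface whose connected network contains the gateway is chosen, with the lower-numbered interface winning a tie. The following Python model is an added illustration of those rules and is not Cisco code; the interface names, networks and addresses are the ones in the document's examples, and the `MgmtInterface`/`StaticRoute` structures and the `egress_interface` function are constructed for this example. Destinations on a directly connected network are outside the model, which deals only with remote networks as the text does.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed model of the management-interface routing rules described in
# the text; not Cisco code. Only remote destinations are modelled.

@dataclass(frozen=True)
class MgmtInterface:
    name: str       # "eth0", "management1", ...
    network: str    # connected network in CIDR form, e.g. "192.168.45.0/24"

@dataclass(frozen=True)
class StaticRoute:
    destination: str   # CIDR, e.g. "10.6.6.0/24"
    interface: str     # egress management interface
    gateway: str       # next hop

def _interface_number(name: str) -> int:
    """'eth1' -> 1, 'management0' -> 0; used for the lower-numbered tie-break."""
    m = re.search(r"(\d+)$", name)
    return int(m.group(1)) if m else 0

def default_route_egress(interfaces: List[MgmtInterface], gateway: str) -> str:
    """The default route has no egress interface: the interface whose connected
    network contains the gateway is used; if several interfaces sit on that
    network, the lower-numbered one wins."""
    gw = ipaddress.ip_address(gateway)
    on_gateway_net = [
        i for i in interfaces
        if gw in ipaddress.ip_network(i.network, strict=False)
    ]
    if not on_gateway_net:
        raise ValueError(f"gateway {gateway} is not on any management interface network")
    return min(on_gateway_net, key=lambda i: _interface_number(i.name)).name

def egress_interface(interfaces: List[MgmtInterface], static_routes: List[StaticRoute],
                     default_gateway: str, destination: str) -> str:
    """Pick the management interface used to reach a remote destination: the
    most specific matching static route wins, otherwise the default route."""
    dst = ipaddress.ip_address(destination)
    matches = [
        r for r in static_routes
        if dst in ipaddress.ip_network(r.destination, strict=False)
    ]
    if matches:
        best = max(matches, key=lambda r: ipaddress.ip_network(r.destination, strict=False).prefixlen)
        return best.interface
    return default_route_egress(interfaces, default_gateway)

# First example from the text: FMC eth0 and eth1 on one network, eth1 should reach 10.6.6.0/24.
FMC_INTERFACES = [MgmtInterface("eth0", "192.168.45.0/24"),
                  MgmtInterface("eth1", "192.168.45.0/24")]
FMC_GATEWAY = "192.168.45.1"
FMC_ROUTES = [StaticRoute("10.6.6.0/24", "eth1", "192.168.45.1")]

# Second example from the text: device management0/management1 on one network,
# FMC event-only interface at 10.6.6.1/24 reached through management1.
DEVICE_INTERFACES = [MgmtInterface("management0", "192.168.45.0/24"),
                     MgmtInterface("management1", "192.168.45.0/24")]
DEVICE_ROUTES = [StaticRoute("10.6.6.0/24", "management1", "192.168.45.1")]

def demo() -> dict:
    """Egress decisions for the document's two examples plus a destination
    that only the default route covers."""
    return {
        "fmc_to_10.6.6.7": egress_interface(FMC_INTERFACES, FMC_ROUTES, FMC_GATEWAY, "10.6.6.7"),
        "fmc_to_10.7.7.7": egress_interface(FMC_INTERFACES, FMC_ROUTES, FMC_GATEWAY, "10.7.7.7"),
        "device_to_fmc_event": egress_interface(DEVICE_INTERFACES, DEVICE_ROUTES, FMC_GATEWAY, "10.6.6.1"),
    }

if __name__ == "__main__":
    for label, iface in demo().items():
        print(f"{label}: {iface}")
```

The second lookup (10.7.7.7) shows the scaling point made above: with no static route, every remote destination falls to the default route and therefore to the lower-numbered interface, so steering a second interface towards devices on the same remote network needs one static route per device address.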

NAT Environments

Network address translation (NAT) is a method of transmitting and receiving network traffic through a router that involves reassigning the source or destination IP address. The most common use for NAT is to allow private networks to communicate with the internet. Static NAT performs a 1:1 translation, which does not pose a problem for FMC communication with devices, but port address translation (PAT) is more common. PAT lets you use a single public IP address and unique ports to access the public network; these ports are dynamically assigned as needed, so you cannot initiate a connection to a device behind a PAT router.

Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the FMC specifies the device IP address when you add a device, and the device specifies the FMC IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The FMC and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.

For example, you add a device to the FMC, and you do not know the device IP address (for example, the device is behind a PAT router), so you specify only the NAT ID and the registration key on the FMC; leave the IP address blank. On the device, you specify the FMC IP address, the same NAT ID, and the same registration key. The device registers to the FMC's IP address. At this point, the FMC uses the NAT ID instead of IP address to authenticate the device.

Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT ID to simplify adding many devices to the FMC. On the FMC, specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify both the FMC IP address and the NAT ID. Note: The NAT ID must be unique per device.

The following example shows three devices behind a PAT IP address. In this case, specify a unique NAT ID per device on both the FMC and the devices, and specify the FMC IP address on the devices.

Figure 1. NAT ID for Managed Devices Behind PAT

The following example shows the FMC behind a PAT IP address. In this case, specify a unique NAT ID per device on both the FMC and the devices, and specify the device IP addresses on the FMC.

Figure 2. NAT ID for FMC Behind PAT
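To make the registration rules above concrete (an IP address or a NAT ID identifies the device, the registration key authenticates it, and the NAT ID must be unique per device), here is an added, simplified model of the FMC-side bookkeeping for the three-devices-behind-PAT scenario of Figure 1. It is not Cisco's registration protocol and none of the classes, names or keys (`FmcRegistry`, `ftd1`, `natid-1`, `key-1`, the PAT address 203.0.113.5) come from the document; they are constructed for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed, simplified model of how the registration inputs described in the
# text (device IP address, NAT ID, registration key) identify and authenticate a
# device at the FMC. Not Cisco code; all names and values are made up.

class RegistrationError(Exception):
    """Raised when a registration request cannot be matched or authenticated."""

@dataclass
class PendingDevice:
    name: str
    registration_key: str
    ip_address: Optional[str] = None   # left blank when the device is behind PAT
    nat_id: Optional[str] = None       # required when the IP address is blank

@dataclass
class RegistrationRequest:
    source_ip: str                     # what the FMC sees: the PAT address for devices behind PAT
    registration_key: str
    nat_id: Optional[str] = None

class FmcRegistry:
    def __init__(self) -> None:
        self._by_ip: Dict[str, PendingDevice] = {}
        self._by_nat_id: Dict[str, PendingDevice] = {}

    def add_device(self, device: PendingDevice) -> None:
        """FMC-side rules: an IP address or a NAT ID must be given, and a NAT ID
        (or an IP address) may identify only one device."""
        if device.ip_address is None and device.nat_id is None:
            raise ValueError(f"{device.name}: specify a device IP address or a NAT ID")
        if device.nat_id is not None and device.nat_id in self._by_nat_id:
            owner = self._by_nat_id[device.nat_id].name
            raise ValueError(f"NAT ID {device.nat_id!r} is already used by {owner}")
        if device.ip_address is not None and device.ip_address in self._by_ip:
            owner = self._by_ip[device.ip_address].name
            raise ValueError(f"IP address {device.ip_address} is already used by {owner}")
        if device.nat_id is not None:
            self._by_nat_id[device.nat_id] = device
        if device.ip_address is not None:
            self._by_ip[device.ip_address] = device

    def register(self, req: RegistrationRequest) -> str:
        """Identify the device by its configured IP address if one matches,
        otherwise by NAT ID, then check the registration key. Returns the name
        of the device that was registered."""
        device = self._by_ip.get(req.source_ip)
        if device is None and req.nat_id is not None:
            device = self._by_nat_id.get(req.nat_id)
        if device is None:
            raise RegistrationError(f"no pending device for {req.source_ip} / NAT ID {req.nat_id!r}")
        # constant-time comparison so the key check does not leak timing information
        if not hmac.compare_digest(device.registration_key.encode(), req.registration_key.encode()):
            raise RegistrationError(f"registration key mismatch for {device.name}")
        if device.nat_id is not None and req.nat_id != device.nat_id:
            raise RegistrationError(f"NAT ID mismatch for {device.name}")
        return device.name

def build_demo_registry() -> FmcRegistry:
    """Figure 1 scenario: three devices behind one PAT address, added to the FMC
    with a unique NAT ID each and the IP address left blank."""
    reg = FmcRegistry()
    for n in (1, 2, 3):
        reg.add_device(PendingDevice(name=f"ftd{n}", registration_key=f"key-{n}", nat_id=f"natid-{n}"))
    return reg

if __name__ == "__main__":
    registry = build_demo_registry()
    # All three devices arrive from the same PAT address; only the NAT ID tells them apart.
    for n in (1, 2, 3):
        print(registry.register(RegistrationRequest("203.0.113.5", f"key-{n}", f"natid-{n}")))
```

Because every request in the demo arrives from the same source address, the IP lookup never matches and the NAT ID is the only thing that distinguishes the devices, which is why the text insists on a unique NAT ID per device; the key check still has to pass, so knowing a NAT ID alone is not enough to register.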

Management and Event Traffic Channel Examples

The following example shows the Firepower Management Center and managed devices using only the default management interfaces.

Figure 3. Single Management Interface on the Firepower Management Center

The following example shows the Firepower Management Center using separate management interfaces for devices, and each managed device using one management interface.

Figure 4. Multiple Management Interfaces on the Firepower Management Center

The following example shows the Firepower Management Center and managed devices using a separate event interface.

Figure 5. Separate Event Interface on the Firepower Management Center and Managed Devices

The following example shows a mix of multiple management interfaces and a separate event interface on the Firepower Management Center and a mix of managed devices using a separate event interface, or using a single management interface.

Figure 6. Mixed Management and Event Interface Usage

Modify FMC Management Interfaces

Modify the management interface settings on the Firepower Management Center. You can optionally enable additional management interfaces or configure an event-only interface.


Caution

Be careful when making changes to the management interface to which you are connected; if you cannot re-connect because of a configuration error, you need to access the FMC console port to re-configure the network settings in the Linux shell. You must contact Cisco TAC to guide you in this operation.



Note

If you change the FMC IP address, then see the following tasks to ensure device management connectivity depending on how you added the device to the FMC:

  • IP address—No action. If you added the device to the FMC using a reachable device IP address, then the management connection will be reestablished automatically after several minutes even though the IP address identified on the FTD is the old IP address. Note: If you specified a device IP address that is unreachable, then you must contact Cisco TAC, who can advise you how to restore connectivity for your devices.

  • NAT ID only—Contact Cisco TAC. If you added the device using only the NAT ID, then the connection cannot be reestablished. In this case, you must contact Cisco TAC, who can advise you how to restore connectivity for your devices.



Note

In a high availability configuration, when you modify the management IP address of a registered Firepower device from the device CLI or from Firepower Management Center, the secondary Firepower Management Center does not reflect the changes even after an HA synchronization. To ensure that the secondary Firepower Management Center is also updated, switch roles between the two Firepower Management Centers, making the secondary Firepower Management Center the active unit. Then modify the management IP address of the registered Firepower device on the device management page of the now active Firepower Management Center.


Before you begin

  • For information about how device management works, see About Device Management Interfaces.

  • If you use a proxy:

    • Proxies that use NT LAN Manager (NTLM) authentication are not supported.

    • If you use or will use Smart Licensing, the proxy FQDN cannot have more than 64 characters.

Procedure


Step 1

Choose System > Configuration, and then choose Management Interfaces.

Step 2

In the Interfaces area, click Edit next to the interface that you want to configure.

All available interfaces are listed in this section. You cannot add more interfaces.

You can configure the following options on each management interface:

  • Enabled—Enable the management interface. Do not disable the default eth0 management interface. Some processes require the eth0 interface.

  • Channels—Configure an event-only interface; you can configure only one event interface on the FMC. To do so, uncheck the Management Traffic check box, and leave the Event Traffic check box checked. You can optionally disable Event Traffic for the management interface(s). In either case, the device will try to send events to the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel. You cannot disable both event and management channels on an interface.

  • Mode—Specify a link mode. Note that any changes you make to auto-negotiation are ignored for GigabitEthernet interfaces.

  • MDI/MDIX—Set the Auto-MDIX setting.

  • MTU—Set the maximum transmission unit (MTU). The default is 1500. The range within which you can set the MTU can vary depending on the model and interface type.

    Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does not comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does not comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558.
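The 1298 and 594 thresholds above follow directly from the 18-byte trim: the configured value must leave at least 1280 bytes for IPv6 and 576 bytes for IPv4 after trimming. The following Python check is an added example, not Cisco code, that computes the effective MTU for a candidate value and reports which enabled address family it would violate; the function names and the 18-byte constant are taken from the rule in the text, and the 576/1280 minimums are the IPv4 and IPv6 protocol minimums the text cites.

```python
from typing import List, Tuple

# Constructed MTU pre-check based on the trimming rule described in the text; not Cisco code.
MTU_TRIM_BYTES = 18      # the system trims 18 bytes from the configured value
IPV4_MIN_MTU = 576       # minimum IPv4 MTU
IPV6_MIN_MTU = 1280      # minimum IPv6 MTU
DEFAULT_MTU = 1500

def effective_mtu(configured: int) -> int:
    """The MTU actually applied after the system trims its 18 bytes."""
    return configured - MTU_TRIM_BYTES

def minimum_configured_mtu(ipv4_enabled: bool = True, ipv6_enabled: bool = True) -> int:
    """Smallest configured value whose trimmed result still satisfies every enabled family."""
    if not ipv4_enabled and not ipv6_enabled:
        raise ValueError("do not disable both IPv4 and IPv6")
    floors = []
    if ipv4_enabled:
        floors.append(IPV4_MIN_MTU)
    if ipv6_enabled:
        floors.append(IPV6_MIN_MTU)
    return max(floors) + MTU_TRIM_BYTES

def check_mtu(configured: int, ipv4_enabled: bool = True,
              ipv6_enabled: bool = True) -> Tuple[int, List[str]]:
    """Return (effective MTU, list of problems); an empty list means the value is safe
    for every address family enabled on the interface."""
    eff = effective_mtu(configured)
    problems = []
    if ipv4_enabled and eff < IPV4_MIN_MTU:
        problems.append(f"effective MTU {eff} is below the IPv4 minimum of {IPV4_MIN_MTU}; "
                        f"configure at least {IPV4_MIN_MTU + MTU_TRIM_BYTES}")
    if ipv6_enabled and eff < IPV6_MIN_MTU:
        problems.append(f"effective MTU {eff} is below the IPv6 minimum of {IPV6_MIN_MTU}; "
                        f"configure at least {IPV6_MIN_MTU + MTU_TRIM_BYTES}")
    return eff, problems

if __name__ == "__main__":
    # The text's own example: a configured 576 is trimmed to 558, which fails both families.
    for candidate in (576, 594, 1297, 1298, DEFAULT_MTU):
        eff, problems = check_mtu(candidate)
        print(candidate, "->", eff, "OK" if not problems else "; ".join(problems))
```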

  • IPv4 Configuration—Set the IPv4 IP address. Choose:

    • Static—Manually enter the IPv4 Management IP address and IPv4 Netmask.

    • DHCP—Set the interface to use DHCP (eth0 only).

    • Disabled—Disable IPv4. Do not disable both IPv4 and IPv6.

  • IPv6 Configuration—Set the IPv6 IP address. Choose:

    • Static—Manually enter the IPv6 Management IP address and IPv6 Prefix Length.

    • DHCP—Set the interface to use DHCPv6 (eth0 only).

    • Router Assigned—Enable stateless autoconfiguration.

    • Disabled—Disable IPv6. Do not disable both IPv4 and IPv6.

    • IPv6 DAD—When you enable IPv6, enable or disable duplicate address detection (DAD). You might want to disable DAD because the use of DAD opens up the possibility of denial of service attacks. If you disable this setting, you need to check manually that this interface is not using an already-assigned address.

Step 3

In the Routes area, edit a static route by clicking Edit (edit icon), or add a route by clicking Add (add icon). View the route statistics by clicking View (view icon).

You need a static route for each additional interface to reach remote networks. For more information about when new routes are needed, see Network Routes on FMC Management Interfaces.

Note 

For the default route, you can change only the gateway IP address. The egress interface is chosen automatically by matching the specified gateway to the interface's network.

You can configure the following settings for a static route:

  • Destination—Set the destination address of the network to which you want to create a route.

  • Netmask or Prefix Length—Set the netmask (IPv4) or prefix length (IPv6) for the network.

  • Interface—Set the egress management interface.

  • Gateway—Set the gateway IP address.

Step 4

In the Shared Settings area, set network parameters shared by all interfaces.

Note 

If you selected DHCP for the eth0 interface, you cannot manually specify some shared settings derived from the DHCP server.

You can configure the following shared settings:

  • Hostname—Set the FMC hostname. If you change the hostname, reboot the FMC if you want the new hostname reflected in syslog messages. Syslog messages do not reflect a new hostname until after a reboot.

  • Domains—Set the search domain(s) for the FMC, separated by commas. These domains are added to hostnames when you do not specify a fully-qualified domain name in a command, for example, ping system. The domains are used only on the management interface, or for commands that go through the management interface.

  • Primary DNS Server, Secondary DNS Server, Tertiary DNS Server—Set the DNS servers to be used in order of preference.

  • Remote Management Port—Set the remote management port for communication with managed devices. The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

    Note 

    Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

Step 5

In the ICMPv6 area, configure ICMPv6 settings.

  • Allow Sending Echo Reply Packets—Enable or disable Echo Reply packets. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the FMC management interfaces for testing purposes.

  • Allow Sending Destination Unreachable Packets—Enable or disable Destination Unreachable packets. You might want to disable these packets to guard against potential denial of service attacks.

Step 6

In the Proxy area, configure HTTP proxy settings.

The FMC is configured to connect directly to the internet on ports TCP/443 (HTTPS) and TCP/80 (HTTP). You can use a proxy server, to which you can authenticate via HTTP Digest.

See proxy requirements in the prerequisites to this topic.

  1. Check the Enabled check box.

  2. In the HTTP Proxy field, enter the IP address or fully-qualified domain name of your proxy server.

    See requirements in the prerequisites to this topic.

  3. In the Port field, enter a port number.

  4. Supply authentication credentials by choosing Use Proxy Authentication, and then provide a User Name and Password.

Step 7

Click Save.

Step 8

If you change the FMC IP address, then see the following tasks for device management connectivity depending on how you added the device to the FMC.

  • IP address—No action. If you added the device to the FMC using a reachable device IP address, then the management connection will be reestablished automatically after several minutes even though the IP address identified on the FTD is the old IP address. Note: If you specified a device IP address that is unreachable, then you must contact Cisco TAC, who can advise you how to restore connectivity for your devices.

  • NAT ID only—Contact Cisco TAC. If you added the device using only the NAT ID, then the connection cannot be reestablished. In this case, you must contact Cisco TAC, who can advise you how to restore connectivity for your devices.


Modify FTD Management Interfaces at the CLI

Smart License: Any
Classic License: Any
Supported Devices: Any
Supported Domains: Global only
Access: Admin

Modify the management interface settings on the managed device using the CLI. Many of these settings are ones that you set when you performed the initial setup; this procedure lets you change those settings, and set additional settings such as enabling an event interface if your model supports it, or adding static routes.

For information about the FTD CLI, see Command Reference for Firepower Threat Defense.

The FTD and classic devices use the same commands for management interface configuration. Other commands may differ between the platforms.


Note

When using SSH, be careful when making changes to the management interface; if you cannot re-connect because of a configuration error, you will need to access the device console port.



Note

If you change the device management IP address, then see the following tasks for FMC connectivity depending on how you identified the FMC during initial device setup using the configure manager add command (see Identify a New FMC):

  • IP address—No action. If you identified the FMC using a reachable IP address, then the management connection will be reestablished automatically after several minutes. We recommend that you also change the device IP address shown in FMC to keep the information in sync; see Update the FTD IP Address in FMC. This action can help the connection reestablish faster. Note: If you specified an unreachable FMC IP address, then see the procedure for NAT ID below.

  • NAT ID only—Manually reestablish the connection. If you identified the FMC using only the NAT ID, then the connection cannot be automatically reestablished. In this case, change the device management IP address in FMC according to Update the FTD IP Address in FMC.



Note

In a high availability configuration, when you modify the management IP address of a registered Firepower device from the device CLI or from Firepower Management Center, the secondary Firepower Management Center does not reflect the changes even after an HA synchronization. To ensure that the secondary Firepower Management Center is also updated, switch roles between the two Firepower Management Centers, making the secondary Firepower Management Center the active unit. Then modify the management IP address of the registered Firepower device on the device management page of the now active Firepower Management Center.


Before you begin

  • For Firepower Threat Defense devices, you can create user accounts that can log into the CLI using the configure user add command.

Procedure


Step 1

Connect to the device CLI, either from the console port or using SSH.

Step 2

Log in with the Admin username and password.

Step 3

Enable an event-only interface (for supported models; see Management Interface Support Per Device Model):

configure network management-interface enable management_interface

configure network management-interface disable-management-channel management_interface

Example:

This example is for a Firepower 4100 or 9300 device; valid interface names differ by device type.


> configure network management-interface enable management1
Configuration updated successfully

> configure network management-interface disable-management-channel management1
Configuration updated successfully

>

The Firepower Management Center event-only interface cannot accept management channel traffic, so you should simply disable the management channel on the device event interface.

You can optionally disable events for the management interface using the configure network management-interface disable-events-channel command. In either case, the device will try to send events on the event-only interface, and if that interface is down, it will send events on the management interface even if you disable the event channel.

You cannot disable both event and management channels on an interface.

Step 4

Configure the network settings of the management interface and/or event interface:

If you do not specify the management_interface argument, then you change the network settings for the default management interface. When configuring an event interface, be sure to specify the management_interface argument. The event interface can be on a separate network from the management interface, or on the same network. If you are connected to the interface you are configuring, you will be disconnected. You can re-connect to the new IP address.

  1. Configure the IPv4 address:

    • Manual configuration:

      configure network ipv4 manual ip_address netmask gateway_ip [management_interface]

      Note that the gateway_ip in this command is only used to create the default route for the primary management interface. If you set the gateway for an event-only interface, then this command ignores the gateway and does not create a default or static route for it. You must create a static route separately using the configure network static-routes command.

      Example:

      
      > configure network ipv4 manual 10.10.10.45 255.255.255.0 management1
      Setting IPv4 network configuration.
      Network settings changed.
      
      >
      
      
    • DHCP (supported on the default management interface only):

      configure network ipv4 dhcp

  2. Configure the IPv6 address:

    • Stateless autoconfiguration:

      configure network ipv6 router [management_interface]

      Example:

      
      > configure network ipv6 router management0
      Setting IPv6 network configuration.
      Network settings changed.
      
      >
      
      
    • Manual configuration:

      configure network ipv6 manual ip6_address ip6_prefix_length [ip6_gateway_ip] [management_interface]

      Note that the ip6_gateway_ip in this command is only used to create the default route for the primary management interface. If you set the gateway for an event-only interface, then this command ignores the gateway and does not create a default or static route for it. You must create a static route separately using the configure network static-routes command.

      Example:

      
      > configure network ipv6 manual 2001:0DB8:BA98::3210 64 management1
      Setting IPv6 network configuration.
      Network settings changed.
      
      >
      
      
    • DHCPv6 (supported on the default management interface only):

      configure network ipv6 dhcp

Step 5

For IPv6, enable or disable ICMPv6 Echo Replies and Destination Unreachable messages. These messages are enabled by default.

configure network ipv6 destination-unreachable {enable | disable}

configure network ipv6 echo-reply {enable | disable}

You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management interfaces for testing purposes.

Example:


> configure network ipv6 destination-unreachable disable
> configure network ipv6 echo-reply disable

Step 6

(FTD only) Enable a DHCP server on the default management interface to provide IP addresses to connected hosts:

configure network ipv4 dhcp-server-enable start_ip_address end_ip_address

Example:


> configure network ipv4 dhcp-server-enable 10.10.10.200 10.10.10.254
DHCP Server Enabled

>

You can only configure a DHCP server when you set the management interface IP address manually. This command is not supported on the Firepower Threat Defense Virtual. To display the status of the DHCP server, enter show network-dhcp-server:


> show network-dhcp-server
DHCP Server Enabled
10.10.10.200-10.10.10.254

Step 7

Add a static route for the event-only interface if the Firepower Management Center is on a remote network; otherwise, all traffic will match the default route through the management interface.

configure network static-routes {ipv4 | ipv6} add management_interface destination_ip netmask_or_prefix gateway_ip

For the default route, do not use this command; you can only change the default route gateway IP address when you use the configure network ipv4 or ipv6 commands for the default management interface (see step 4).

For information about routing, see Network Routes on Device Management Interfaces.

Example:


> configure network static-routes ipv4 add management1 192.168.6.0 255.255.255.0 10.10.10.1
Configuration updated successfully

> configure network static-routes ipv6 add management1 2001:0DB8:AA89::5110 64 2001:0DB8:BA98::3211
Configuration updated successfully

>

To display static routes, enter show network-static-routes (the default route is not shown):


> show network-static-routes
---------------[ IPv4 Static Routes ]---------------
Interface                 : management1
Destination               : 192.168.6.0
Gateway                   : 10.10.10.1
Netmask                   : 255.255.255.0
[…]
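The routing rule behind Step 7 is ordinary longest-prefix matching: a destination that matches no static route falls through to the default route on the management interface, which is why event traffic to a remote FMC leaves the wrong interface until a static route for the event-only interface exists. The following Python is an added example, not code from the page or from Cisco; it models the management routing table using the two static routes from the example above and an assumed default gateway (10.20.30.1 on management0, a constructed value) and shows which interface a given FMC address egresses through with and without the static route. Destinations with host bits set (the IPv6 example above has them) are masked to the prefix, as the CLI accepts them.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    interface: str
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    gateway: str


def parse_route(interface: str, destination: str, mask_or_prefix: str, gateway: str) -> Route:
    """Build a Route from the arguments of
    configure network static-routes {ipv4|ipv6} add <intf> <dst> <mask|prefix> <gw>.
    strict=False masks host bits, e.g. 2001:db8:aa89::5110/64 -> 2001:db8:aa89::/64."""
    net = ipaddress.ip_network(f"{destination}/{mask_or_prefix}", strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw.version != net.version:
        raise ValueError("gateway and destination address families differ")
    return Route(interface, net, str(gw))


def default_route(interface: str, gateway: str) -> Route:
    """The default route set with configure network ipv4/ipv6 on the management interface."""
    gw = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network("0.0.0.0/0" if gw.version == 4 else "::/0")
    return Route(interface, net, str(gw))


def select_route(table: list[Route], destination: str) -> Route | None:
    """Longest-prefix match: the default route (prefix length 0) is chosen only
    when no more specific route covers the destination."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if r.network.version == dst.version and dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def egress_interface(table: list[Route], fmc_address: str) -> str | None:
    """Interface that traffic toward the FMC leaves on, or None if unroutable."""
    route = select_route(table, fmc_address)
    return route.interface if route else None


# Constructed sample table: management0 holds the default route (gateway is an
# assumed value); management1 is the event-only interface with the static routes
# from the page's configure network static-routes example.
DEFAULT_ONLY = [default_route("management0", "10.20.30.1")]
WITH_STATIC = DEFAULT_ONLY + [
    parse_route("management1", "192.168.6.0", "255.255.255.0", "10.10.10.1"),
    parse_route("management1", "2001:0DB8:AA89::5110", "64", "2001:0DB8:BA98::3211"),
]

if __name__ == "__main__":
    fmc = "192.168.6.25"  # constructed FMC address on the remote 192.168.6.0/24 network
    print("without static route:", egress_interface(DEFAULT_ONLY, fmc))
    print("with static route:   ", egress_interface(WITH_STATIC, fmc))
```

Run stand-alone, it shows the FMC-bound traffic moving from management0 to management1 once the static route is present; an IPv6 destination outside 2001:db8:aa89::/64 returns None in this sample because no IPv6 default route was added to the table.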

Step 8

Set the hostname:

configure network hostname name

Example:


> configure network hostname farscape1

Syslog messages do not reflect a new hostname until after a reboot.

Step 9

Set the search domains:

configure network dns searchdomains domain_list

Example:


> configure network dns searchdomains example.com,cisco.com

Set the search domain(s) for the device, separated by commas. These domains are added to hostnames when you do not specify a fully-qualified domain name in a command, for example, ping system. The domains are used only on the management interface, or for commands that go through the management interface.

Step 10

Set up to 3 DNS servers, separated by commas:

configure network dns servers dns_ip_list

Example:


> configure network dns servers 10.10.6.5,10.20.89.2,10.80.54.3

Step 11

Set the remote management port for communication with the FMC:

configure network management-interface tcpport number

Example:


> configure network management-interface tcpport 8555

The FMC and managed devices communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.

Note 

Cisco strongly recommends that you keep the default settings for the remote management port, but if the management port conflicts with other communications on your network, you can choose a different port. If you change the management port, you must change it for all devices in your deployment that need to communicate with each other.

Step 12

(FTD only) Set the management or eventing interface MTU. The MTU is 1500 bytes by default.

configure network mtu [bytes] [interface_id]

  • bytes—Sets the MTU in bytes. For the management interface, the value can be between 64 and 1500 if you enable IPv4, and 1280 to 1500 if you enable IPv6. For the eventing interface, the value can be between 64 and 9000 if you enable IPv4, and 1280 to 9000 if you enable IPv6. If you enable both IPv4 and IPv6, then the minimum is 1280. If you do not enter the bytes, you are prompted for a value.

  • interface_id—Specifies the interface ID on which to set the MTU. Use the show network command to see available interface IDs, for example management0, management1, br1, and eth0, depending on the platform. If you do not specify an interface, then the management interface is used.

Example:

> configure network mtu 8192 management1
MTU set successfully to 1500 from 8192 for management1
Refreshing Network Config...
NetworkSettings::refreshNetworkConfig MTU value at start 8192

Interface management1 speed is set to '10000baseT/Full'
NetworkSettings::refreshNetworkConfig MTU value at end 8192
> 

Step 13

Configure an HTTP proxy. By default the device connects directly to the Internet on TCP/443 (HTTPS) and TCP/80 (HTTP). You can instead use a proxy server, to which the device can authenticate using HTTP Digest. After you issue the command, you are prompted for the HTTP proxy address and port, whether proxy authentication is required, and, if it is required, the proxy username, proxy password, and confirmation of the proxy password.

Note 
For proxy password on Cisco Firepower Threat Defense, you can use A-Z, a-z, and 0-9 characters only.

configure network http-proxy

Example:


> configure network http-proxy
Manual proxy configuration
Enter HTTP Proxy address: 10.100.10.10
Enter HTTP Proxy Port: 80
Use Proxy Authentication? (y/n) [n]: Y
Enter Proxy Username: proxyuser
Enter Proxy Password: proxypassword
Confirm Proxy Password: proxypassword

Step 14

If you change the device management IP address, then see the following tasks for FMC connectivity depending on how you identified the FMC during initial device setup using the configure manager add command (see Identify a New FMC):

  • IP address: No action. If you identified the FMC using a reachable IP address, the management connection is reestablished automatically after several minutes. We recommend that you also change the device IP address shown in FMC to keep the information in sync; see Update the FTD IP Address in FMC. This can help the connection reestablish faster. Note: If you specified an unreachable FMC IP address, you must manually reestablish the connection using Update the FTD IP Address in FMC.

  • NAT ID only: Manually reestablish the connection. If you identified the FMC using only the NAT ID, the connection cannot be reestablished automatically. In this case, change the device management IP address in FMC according to Update the FTD IP Address in FMC.


Update the FTD IP Address in FMC

Smart License    Classic License    Supported Devices    Supported Domains    Access
Any              Any                Any                  Leaf only            Admin/Network Admin

If you edit the hostname or IP address of a device after you added it to the FMC (using the device’s CLI, for example), you need to use the procedure below to manually update the hostname or IP address on the managing FMC.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the device where you want to modify management options, click Edit (edit icon).

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click Device, and view the Management area.

Step 4

Disable management temporarily by clicking the Slider (slider enabled).

You are prompted to proceed with disabling management; click Yes.

Disabling management blocks the connection between the Firepower Management Center and the device, but does not delete the device from the Firepower Management Center.

Step 5

Edit the Host IP address or hostname by clicking Edit (edit icon).

In the Management dialog box, modify the name or IP address in the Host field, and click Save.


Change the Manager for the Device

You might need to set or change the manager on a device in the following circumstances:

Reestablish the Management Connection if You Change the FMC IP Address

When you change the FMC IP address, there is not a command on the device to change the FMC IP address to the new address. Reestablishing the management connection depends on how you added the device to the FMC.

Procedure


Depending on how you added the device to the FMC, see the following tasks:

  • IP address: No action. If you added the device to the FMC using a reachable device IP address, the management connection is reestablished automatically after several minutes, even though the IP address identified on the FTD is the old FMC address. Note: If you specified a device IP address that is unreachable, you must contact Cisco TAC, who can advise you how to restore connectivity for your devices.

  • NAT ID only: Contact Cisco TAC. If you added the device using only the NAT ID, the connection cannot be reestablished automatically. In this case, you must contact Cisco TAC, who can advise you how to restore connectivity for your devices.


Identify a New FMC

This procedure shows how to identify a new FMC for the managed device.

Procedure


Step 1

On the old FMC, if present, delete the managed device.

You cannot configure a new FMC on the device while it has an active connection with an FMC.

Step 2

Connect to the device CLI, for example using SSH.

Step 3

Configure the new FMC.

configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE } regkey [nat_id]

  • {hostname | IPv4_address | IPv6_address}—Sets the FMC hostname, IPv4 address, or IPv6 address.

  • DONTRESOLVE—If the FMC is not directly addressable, use DONTRESOLVE instead of a hostname or IP address. If you use DONTRESOLVE, then a nat_id is required. When you add this device to the FMC, make sure that you specify both the device IP address and the nat_id; one side of the connection needs to specify an IP address, and both sides need to specify the same, unique NAT ID.

  • regkey—Make up a registration key to be shared between the FMC and the device during registration. You can choose any text string for this key between 1 and 37 characters; you will enter the same key on the FMC when you add the FTD.

  • nat_id—Make up an alphanumeric string from 1 to 37 characters used only during the registration process between the FMC and the device when one side does not specify an IP address. This NAT ID is a one-time password used only during registration. Make sure the NAT ID is unique, and not used by any other devices awaiting registration. Specify the same NAT ID on the FMC when you add the FTD.

Example:


> configure manager add DONTRESOLVE abc123 efg456
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

>

Step 4

Add the device to the FMC.


Switch from Firepower Device Manager to FMC

This procedure describes how to change your manager from Firepower Device Manager (FDM), a local device manager, to FMC. You can switch between FDM and FMC without reinstalling the software. You cannot use both FDM and FMC at the same time for the same device. If you change from FDM to FMC, the FTD configuration will be erased, and you will need to start over.


Caution

Changing the manager resets the FTD configuration to the factory default. However, the management bootstrap configuration is maintained.


Procedure


Step 1

In FDM, for High Availability, break the high availability configuration. Ideally, break HA from the active unit.

Step 2

In FDM, unregister the device from the Smart Licensing server.

Step 3

Connect to the device CLI, for example using SSH.

Step 4

Remove the current management setting.

configure manager delete

Caution 

Deleting the local manager resets the FTD configuration to the factory default. However, the management bootstrap configuration is maintained.

Example:


> configure manager delete

If you enabled any feature licenses, you must disable them in 
Firepower Device Manager before deleting the local manager.
Otherwise, those licenses remain assigned to the device in 
Cisco Smart Software Manager.
Do you want to continue[yes/no]:yes

DHCP Server Disabled
> 

Step 5

Configure the new FMC.

configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE } regkey [nat_id]

  • {hostname | IPv4_address | IPv6_address}—Sets the FMC hostname, IPv4 address, or IPv6 address.

  • DONTRESOLVE—If the FMC is not directly addressable, use DONTRESOLVE instead of a hostname or IP address. If you use DONTRESOLVE, then a nat_id is required. When you add this device to the FMC, make sure that you specify both the device IP address and the nat_id; one side of the connection needs to specify an IP address, and both sides need to specify the same, unique NAT ID.

  • regkey—Make up a registration key to be shared between the FMC and the device during registration. You can choose any text string for this key between 1 and 37 characters; you will enter the same key on the FMC when you add the FTD.

  • nat_id—Make up an alphanumeric string from 1 to 37 characters used only during the registration process between the FMC and the device when one side does not specify an IP address. This NAT ID is a one-time password used only during registration. Make sure the NAT ID is unique, and not used by any other devices awaiting registration. Specify the same NAT ID on the FMC when you add the FTD.

Example:


> configure manager add DONTRESOLVE abc123 efg456
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

>

Step 6

Add the device to the FMC.
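The registration rules for configure manager add (Identify a New FMC and Switch from Firepower Device Manager to FMC above) and the reconnection behaviour after an address change (Step 14 and Reestablish the Management Connection if You Change the FMC IP Address) are easy to get wrong when many devices are staged at once. The following Python is an added example, not code from the page or from Cisco: it is a pre-flight check you could run over a staging spreadsheet before typing the commands. It encodes only the constraints stated on the page: regkey 1 to 37 characters, nat_id 1 to 37 alphanumeric characters, DONTRESOLVE requires a nat_id, at least one side must name an address, both sides must carry the same NAT ID whenever one side has no address, and a NAT ID must not be reused by another device awaiting registration. The DeviceSide and FmcSide names and the sample values are constructed for the example; whether an address is actually reachable cannot be checked offline and is taken as given.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# nat_id: 1-37 alphanumeric characters (page rule); regkey: any text, 1-37 characters.
NAT_ID_RE = re.compile(r"^[A-Za-z0-9]{1,37}$")
DONTRESOLVE = "DONTRESOLVE"


@dataclass(frozen=True)
class DeviceSide:
    """Arguments typed on the FTD: configure manager add <target> <regkey> [nat_id]."""
    target: str               # FMC hostname, IPv4/IPv6 address, or DONTRESOLVE
    regkey: str
    nat_id: str | None = None


@dataclass(frozen=True)
class FmcSide:
    """What the administrator enters in FMC when adding the device."""
    device_host: str | None   # device hostname/IP, or None when only a NAT ID is given
    regkey: str
    nat_id: str | None = None


def check_device_args(d: DeviceSide) -> list[str]:
    """Validate a single configure manager add invocation."""
    errors = []
    if not 1 <= len(d.regkey) <= 37:
        errors.append("regkey must be 1-37 characters")
    if d.nat_id is not None and not NAT_ID_RE.match(d.nat_id):
        errors.append("nat_id must be 1-37 alphanumeric characters")
    if d.target == DONTRESOLVE and d.nat_id is None:
        errors.append("DONTRESOLVE requires a nat_id")
    return errors


def check_registration(device: DeviceSide, fmc: FmcSide,
                       pending_nat_ids: set[str] = frozenset()) -> list[str]:
    """Cross-check both sides of one registration; empty list means consistent."""
    errors = check_device_args(device)
    if device.regkey != fmc.regkey:
        errors.append("registration keys differ between device and FMC")
    device_knows_fmc = device.target != DONTRESOLVE
    fmc_knows_device = fmc.device_host is not None
    if not (device_knows_fmc or fmc_knows_device):
        errors.append("one side of the connection must specify an IP address or hostname")
    if not (device_knows_fmc and fmc_knows_device):
        # One side is addressless, so the NAT ID carries the pairing.
        if device.nat_id is None or fmc.nat_id is None:
            errors.append("both sides must specify the NAT ID when one side has no address")
        elif device.nat_id != fmc.nat_id:
            errors.append("NAT IDs differ between device and FMC")
        elif device.nat_id in pending_nat_ids:
            errors.append("NAT ID is already used by another device awaiting registration")
    return errors


def after_device_ip_change(device: DeviceSide) -> str:
    """Step 14: 'auto' if the FTD identified the FMC by a (reachable) address,
    'manual' (Update the FTD IP Address in FMC) if it used only the NAT ID."""
    return "auto" if device.target != DONTRESOLVE else "manual"


def after_fmc_ip_change(fmc: FmcSide) -> str:
    """Reestablish the Management Connection if You Change the FMC IP Address:
    'auto' if FMC added the device by a (reachable) address, 'tac' if by NAT ID only."""
    return "auto" if fmc.device_host is not None else "tac"


# Constructed staging data mirroring the page's example: the device cannot resolve
# the FMC, so it uses DONTRESOLVE with NAT ID efg456; FMC adds it by address 10.10.10.5.
EXAMPLE_DEVICE = DeviceSide(DONTRESOLVE, "abc123", "efg456")
EXAMPLE_FMC = FmcSide("10.10.10.5", "abc123", "efg456")

if __name__ == "__main__":
    print("errors:", check_registration(EXAMPLE_DEVICE, EXAMPLE_FMC) or "none")
    print("after device IP change:", after_device_ip_change(EXAMPLE_DEVICE))
    print("after FMC IP change:", after_fmc_ip_change(EXAMPLE_FMC))
```

The check deliberately treats the NAT ID as a one-time pairing secret: reuse across devices awaiting registration is flagged, and a NAT ID is only demanded when one side is addressless, matching the page's statement that it is used only when one side does not specify an IP address.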


Switch from FMC to Firepower Device Manager

This procedure describes how to change your manager from FMC to Firepower Device Manager (FDM), a local device manager. You can switch between FDM and FMC without reinstalling the software. You cannot use both FDM and FMC at the same time for the same device. If you change from FMC to FDM, the FTD configuration will be erased, and you will need to start over.


Caution

Changing the manager resets the FTD configuration to the factory default. However, the management bootstrap configuration is maintained.


Procedure


Step 1

In FMC, for High Availability, break the high availability configuration. Ideally, break HA from the active unit.

Step 2

In FMC, delete the managed device.

You cannot change the manager if you have an active connection with an FMC.

Step 3

Connect to the device CLI, for example using SSH.

Step 4

Remove the current management setting.

configure manager delete

Caution 

Deleting the manager resets the FTD configuration to the factory default. However, the management bootstrap configuration is maintained.

Example:


> configure manager delete

If you enabled any feature licenses, you must disable them in 
Firepower Device Manager before deleting the local manager.
Otherwise, those licenses remain assigned to the device in 
Cisco Smart Software Manager.
Do you want to continue[yes/no]:yes

DHCP Server Disabled
> 

Step 5

Configure the local manager (FDM). This procedure switches the device to FDM, so the command is configure manager local, not configure manager add.

configure manager local

Example:


> configure manager local

>

Step 6

Use a web browser to open FDM at the device management IP address, log in, and complete the initial setup.