To make the DNS server reachable through the management network, the user must explicitly select [Enable DNS Lookup via diagnostic/Management Interface also], because DNS lookups and ICMP (ping and traceroute) are handled as exceptions. In that case, threat defense uses the data interfaces and automatically falls back to management if no route is found.
FTD CLI Clish:
> show interface management
Interface Management0/0 "management", is up, line protocol is up
Hardware is en_vtun rev00, DLY 10 usec
Input flow control is unsupported, output flow control is unsupported
MAC address 0050.56b3.f75d, MTU 1500
IP address 203.0.113.130, subnet mask 255.255.255.248
Expert mode on Linux:
root@ftd01:/home/admin# ifconfig
...
tap5: flags=4419 mtu 1500
inet 203.0.113.129 netmask 255.255.255.248 broadcast 203.0.113.135
inet6 fe80::8403:9ff:fefb:6d16 prefixlen 64 scopeid 0x20
inet6 fd00:0:1:1::1 prefixlen 123 scopeid 0x0
DNS settings in Platform Settings: the Enable DNS Lookup via diagnostic/Management interface also checkbox is checked
Diagnostic interface configuration on FTD Lina
interface Management0/0
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.40.74 255.255.255.0
ftd01# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Management0/0 diagnostic 192.168.40.74 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Management0/0 diagnostic 192.168.40.74 255.255.255.0 manual
ftd01# sh route management-only
Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set
S 10.10.10.10 255.255.255.255 [1/0] via 192.168.40.254, diagnostic
C 192.168.40.0 255.255.255.0 is directly connected, diagnostic
L 192.168.40.74 255.255.255.255 is directly connected, diagnostic
DNS configuration in the FTD Lina CLI
ftd01# sh run dns
dns domain-lookup diagnostic
DNS server-group DNS_Server_lab
retries 5
timeout 15
name-server 10.10.10.10 diagnostic
domain-name test.lab
DNS server-group DefaultDNS
dns-group DNS_Server_lab
> show interface management
Interface Management0/0 "management", is up, line protocol is up
Hardware is en_vtun rev00, DLY 10 usec
Input flow control is unsupported, output flow control is unsupported
MAC address 0050.56b3.f75d, MTU 1500
IP address 203.0.113.130, subnet mask 255.255.255.248
> show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset administratively down up
GigabitEthernet0/1 unassigned YES unset administratively down up
GigabitEthernet0/2 unassigned YES unset administratively down up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Control0/1 unassigned YES unset up up
Internal-Data0/0 unassigned YES unset down up
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 169.254.1.1 YES unset up up
Internal-Data0/2 unassigned YES unset up up
Management0/0 203.0.113.130 YES unset up up
ftd01# sh route management-only
Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set
DNS configuration in the FTD CLI on the LINA side
ftd01# sh run dns
dns domain-lookup management
DNS server-group DNS_Server_lab
retries 5
timeout 15
name-server 10.10.10.10 management
domain-name test.lab
DNS server-group DefaultDNS
dns-group DNS_Server_lab
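As an added check (not part of the original document or of Cisco's own tooling), the helper below parses the two "sh run dns" and "sh route management-only" captures shown above and reports, for each configured name-server, the interface it is bound to and the egress interface of the most specific mgmt-only route covering it. It assumes the line formats seen in those captures; the captures are embedded inline with the route-code legend omitted.

```python
import ipaddress
import re

# Captures transcribed from the outputs above (legend lines dropped).
RUN_DNS_DIAG = """\
dns domain-lookup diagnostic
DNS server-group DNS_Server_lab
 retries 5
 timeout 15
 name-server 10.10.10.10 diagnostic
 domain-name test.lab
DNS server-group DefaultDNS
dns-group DNS_Server_lab
"""
ROUTE_DIAG = """\
Routing Table: mgmt-only
Gateway of last resort is not set
S 10.10.10.10 255.255.255.255 [1/0] via 192.168.40.254, diagnostic
C 192.168.40.0 255.255.255.0 is directly connected, diagnostic
L 192.168.40.74 255.255.255.255 is directly connected, diagnostic
"""
# Second capture: name-server bound to "management", mgmt-only table empty.
RUN_DNS_MGMT = RUN_DNS_DIAG.replace("diagnostic", "management")
ROUTE_MGMT = "Routing Table: mgmt-only\nGateway of last resort is not set\n"

NS_RE = re.compile(r"^\s*name-server\s+(\S+)(?:\s+(\S+))?", re.M)
# Route line: <code> <prefix> <mask> ... , <interface>  (static or connected)
ROUTE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s.*,\s*(\S+)\s*$", re.M)


def parse_name_servers(run_dns):
    """Return [(ip, bound_interface)]; the interface may be None if omitted."""
    return [(m.group(1), m.group(2)) for m in NS_RE.finditer(run_dns)]


def parse_routes(route_out):
    """Return [(network, egress_interface)] from a mgmt-only routing table."""
    return [(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False),
             m.group(4)) for m in ROUTE_RE.finditer(route_out)]


def check_dns_reachability(run_dns, route_out):
    """For each name-server return (ip, bound_iface, route_iface).

    route_iface is the egress interface of the longest-prefix mgmt-only route
    covering the server, or None when no entry in that table covers it.
    """
    routes = parse_routes(route_out)
    results = []
    for ip, bound in parse_name_servers(run_dns):
        addr = ipaddress.ip_address(ip)
        hits = [(net, iface) for net, iface in routes if addr in net]
        best = max(hits, key=lambda r: r[0].prefixlen, default=None)
        results.append((ip, bound, best[1] if best else None))
    return results
```

For the first capture the server is covered by the /32 static route out of diagnostic; for the second, no mgmt-only route covers it, which is the situation the text describes as falling back to management.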