Solved: FMC behind un-configured FTD 6.2 appliance

Phillip Simonds · ‎01-29-2017

Good Evening!

I have a virtual 6.2 FMC appliance that I'm building out, and it sits behind an un-configured 5506-X FTD appliance. From everything I'm seeing, you have to use smart licensing - which requires access to Cisco's licensing servers. That'd be fine, but I can't get access to Cisco's licensing servers until the FTD appliance is configured with NAT... and since I can't configure the FTD appliance with NAT until the FMC can reach the licensing servers, I don't see any way to get this up from scratch without pre-deploying the FMC in an environment that has internet access - which is obviously problematic in new deployments.

I guess I could configure the FTD appliance with the onbox manager just to get basic internet connectivity up and running, establish a connection from the FMC to the license server, than blow away the FTD's config and register it with the FMC - but I believe that the FMC needs an active connection to Cisco's licensing server to use smart licensing while the FTD appliance is being added?

So I guess my question is, how do I go about a fresh 6.2 install if the FMC relies on the device it is configuring for internet connectivity?

Marvin Rhoads · ‎01-31-2017

An FTD device will use a 90-day evaluation license in the absence of a valid Smart license.

You should be able to setup he FTD appliance out of the box using the on-box FirePOWER Device Manager (FDM). Put a bare bones inside-outside and dynamic interface NAT config on it. Once you have that then procees to setup your FMC and register it to smart licensing, register your FTD device to FMC and then create all of your policies and complete the configuration.

View solution in original post

Philip D'Ath · ‎01-30-2017

Don't you only need the control licence, which comes with the ASA, to put the basic configuration onto it?

Phillip Simonds · ‎01-30-2017

With the ASA5506 that has firepower servcies I've only needed the control license which comes with the device to add a device to FMC in the past. With FTD it's not letting me add the device like it would with the ASA 5506 w/ firepower services..

Marvin Rhoads · ‎01-31-2017

An FTD device will use a 90-day evaluation license in the absence of a valid Smart license.

You should be able to setup he FTD appliance out of the box using the on-box FirePOWER Device Manager (FDM). Put a bare bones inside-outside and dynamic interface NAT config on it. Once you have that then procees to setup your FMC and register it to smart licensing, register your FTD device to FMC and then create all of your policies and complete the configuration.

Phillip Simonds · ‎01-31-2017

Thanks Marvin! I'll try it and then update.

sujeet11dec · ‎06-04-2017

Marvin

Please help me to understand if we need FMC for management of FTD 6.2 .

Sujeet

Marvin Rhoads · ‎06-04-2017

You can use FirePOWER Device Manager but it has some limitations (can only configure basic features, limited reporting, cannot share objects and policies across multiple devices etc.).

In most use cases FirePOWER Management Center is recommended.

sujeet11dec · ‎06-05-2017

Mr Rhoads

Can you confirm if I have FTD 6.2.0 , can use FMC for its management , If Yes , Please share any cisco document for it .

Marvin Rhoads · ‎06-05-2017

Yes you can - as long as your FMC is also at release 6.2 (or higher).

The compatibility guide confirms it here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_34002

Setup and configuration is covered in the Quick Start Guide and Configuration Guide:

http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-guides-list.html

http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html