CCIE Security v5 :: Adding Remote FTD Device To The FMC
In this article I want to demonstrate how to add a Firepower Threat Defence appliance to an FMC located at another site. Let's use a fictitious scenario to give some context to why and how we configure the FTD device the way we do.
Currently Synack Corp has one Firepower Management Center (FMC) and one Firepower Threat Defence (FTD) appliance located at their HQ site in the UK. More recently the company has expanded and opened a new branch office located in Ireland. They have decided to deploy a vFTD to protect the branch infrastructure, and that it should be centrally managed by the existing FMC. The devices are currently running version 6.2.
We have a few ways, listed below, in which we can set this new device up, but we also need to bear in mind that the FMC must be able to reach the management interface on the remote FTD.
- Using Firepower Device Manager is out of the question: it is an on-box local manager, and a device managed by FDM cannot be managed by the FMC at the same time.
- Configure a VPN tunnel between the new branch and HQ. This means the remote management interface could have an internal IP address and we would not need to consider NAT.
- Make the remote FTD's management interface public facing. This is not recommended best practice, but if it is done then at least two public IP addresses are required, one for the management interface and one for the data port, and both are then exposed to the Internet, so access to the management address should be restricted to the FMC's public source address on the upstream device. If the FMC is behind a NAT device we have two options for forming a communication path between the FMC and the remote device:
  - The remote FTD needs a static IP address that the FMC can reach.
  - Set up static NAT for communication between the FMC and the remote device.
- We can also pre-configure the remote FTD in a staged environment and ship it to the branch. This is considered the most dangerous option because, once on site, the only path to the management interface runs through the device itself: if anything is misconfigured, the administrator can lose the connection between the FTD and the FMC, and the change cannot be reversed remotely.
Now that I have covered some of the considerations, let's get back to our scenario. In this example I will be accessing the remote FTD via its public management interface, which has a static IP address assigned. Provided we have configured the management interface and verified that we can SSH to the device, we provision it with the following steps.
Enter the following command: > configure manager add DONTRESOLVE [key] [NAT_ID]. For [key], enter your own registration key; this is the shared secret you will enter on the FMC later when adding the device, so remember it (it is used once, during registration, so pick something random rather than a dictionary word). For [NAT_ID], enter a unique ID; if you are configuring more than one remote site the NAT ID must be different on each device, as it is how the FMC tells the devices apart when they cannot resolve its address. DONTRESOLVE tells the FTD that we do not have an IP address for the FMC, because it sits behind a NAT device.
Issue the following command on the remote FTD: > show managers. The status should show as 'pending'.
Add Remote FTD to FMC
Return to the FMC and follow these steps.
- Go to Devices > Device Management and add a device by selecting Add > Add Device in the upper right of the screen.
- The Add Device screen appears; now we enter the relevant information for the remote FTD appliance.
- Host: Enter the management public IP address for the remote device
- Display name: Enter a meaningful name
- Registration Key: This is the same key entered on the remote FTD, in my case it was cisco123
- Group: Assign the device to any relevant group
- Access Control Policy: Create or assign a pre-existing policy
- Smart Licensing: Select your licenses
- Expand the 'Advanced' section and enter the Unique NAT ID you specified on the FTD; in my case it was 12345.
- Click 'Register' when you have finished, and the FMC will go and find the device (this may take a few minutes).
Verify Device Has Joined FMC
- Head back over to the SSH session on the remote FTD and issue > show managers again. If the FMC has successfully found the device, you should see output like that shown in the image below.
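The same registration can be driven from the FMC REST API instead of the Add Device form, which is useful once there are several branches to onboard. The script below is an added example and is not code from the original article; it maps the form fields used above (Host, Display name, Registration Key, Unique NAT ID, Access Control Policy, Smart Licensing) onto the FMC's devicerecords object, generates a random registration key in place of a memorable one, and checks that every remote device gets its own NAT ID. The API paths are the FMC's own; the FMC address, credentials, device names, IP and access-policy UUID are placeholders, and only register_device() actually needs network access to an FMC.

```python
"""Registering a remote FTD with the FMC through the FMC REST API.

Added example (not from the original article). Field mapping to the FMC
'Add Device' form: Host -> hostName, Display name -> name, Registration
Key -> regKey, Unique NAT ID -> natID, Access Control Policy ->
accessPolicy, Smart Licensing -> license_caps. The FMC host, credentials
and access-policy UUID below are placeholders.
"""
import re
import secrets
import string

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICES_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords"

# Character set and length accepted by `configure manager add` for the
# registration key and NAT ID: letters, digits and hyphen, up to 37 chars.
_TOKEN_RE = re.compile(r"[A-Za-z0-9-]{1,37}")


def generate_registration_key(length: int = 24) -> str:
    """Random one-time registration key instead of a guessable word.

    The key is a shared secret typed on the FTD and pasted into the FMC;
    anyone who learns it before registration completes could register a
    rogue device under that name, so it should not be reused or predictable.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_device_record(name, host, reg_key, nat_id, access_policy_id,
                        licenses=("BASE",)):
    """Build the POST body for .../devices/devicerecords.

    reg_key and nat_id must match what was typed on the FTD in
    `configure manager add DONTRESOLVE <key> <nat_id>`.
    """
    for label, value in (("registration key", reg_key), ("NAT ID", nat_id)):
        if not _TOKEN_RE.fullmatch(value):
            raise ValueError(f"{label} must be 1-37 letters, digits or hyphens")
    return {
        "name": name,
        "hostName": host,        # public management IP (or name) of the FTD
        "regKey": reg_key,
        "natID": nat_id,         # required because the FMC sits behind NAT
        "type": "Device",
        "license_caps": list(licenses),
        "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"},
    }


def check_unique_nat_ids(records):
    """Every device registered with DONTRESOLVE needs its own NAT ID."""
    seen = {}
    for rec in records:
        nat_id = rec["natID"]
        if nat_id in seen:
            raise ValueError(
                f"NAT ID {nat_id!r} reused by {seen[nat_id]} and {rec['name']}")
        seen[nat_id] = rec["name"]
    return True


def register_device(fmc_host, username, password, record, verify=True):
    """Authenticate to the FMC and submit the record (needs network access).

    verify=True keeps TLS validation on: install the FMC's CA rather than
    disabling it, because the session token travels in a request header.
    """
    import requests  # pip install requests; imported here so the rest runs without it
    base = f"https://{fmc_host}"
    auth = requests.post(base + TOKEN_PATH, auth=(username, password), verify=verify)
    auth.raise_for_status()
    headers = {"X-auth-access-token": auth.headers["X-auth-access-token"]}
    url = base + DEVICES_PATH.format(domain=auth.headers["DOMAIN_UUID"])
    resp = requests.post(url, json=record, headers=headers, verify=verify)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Placeholder values: branch vFTD on a documentation address, dummy policy UUID.
    key = generate_registration_key()
    record = build_device_record("ie-branch-vftd", "203.0.113.10", key, "ie-branch-01",
                                 "00000000-0000-0000-0000-000000000000",
                                 licenses=("BASE", "THREAT"))
    check_unique_nat_ids([record])
    print(f"On the FTD run: configure manager add DONTRESOLVE {key} ie-branch-01")
    print(record)
    # register_device("fmc.example.invalid", "apiuser", "apipass", record)
```

Run it first to get the key and the matching FTD command, type that on the branch FTD, confirm show managers reports pending, and only then call register_device(); the FMC will reject the record if the key or NAT ID differ from what the FTD holds.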