How to physically move your Cisco FTD device to another location safely…
In the past when we wanted to move our ASAs, we just powered them down, moved them, powered them up and re-addressed them if needed. No mess, no fuss.
Yea, not so much with the new FTDs. After setting up hundreds of 2100 FTD boxes at a corporate office in Canada, we started moving them to their final home by powering them down, moving them and then powering them up…well, the boxes took 30+ minutes to come up because they had to run integrity checks, etc…so, let’s not do that again – just in case!
Also, not all of the configuration is pushed back out to the FTD device when it is re-added to the FMC, so let’s look at that too.
First, here is what you should do instead of just pulling the power:
From the FTD CLI, deregister the device from its manager and then issue a clean shutdown:
> configure manager delete
> shutdown
This command will shutdown the system. Continue?
Please enter ‘YES’ or ‘NO’:
or
> expert
admin@ftd15:~$ sudo
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
admin@ftd15:~$ sudo shutdown -h -P now
The system is going down for system halt NOW!
or
From the Cisco FMC GUI, go to Devices > Device Management, select the device, and press the Shutdown button (you cannot turn it back on from here!)
After you bring the FTD device back up, reconfigure the new IP and configure the manager, you’ll notice that your device configuration is no longer all there. Most of your policies are pushed out when the device comes back into the manager, but here’s what is not, and what you need to reassign manually:
- Interface Zones
- Default Route
- Routing
- NAT
- FlexConfig
- Platform Settings
- Health Policy
Have a great day!
Todd Lammle
Is this still relevant to newer releases (specifically 6.2.3.3)?
I’m planning to move the VM host that my FMC resides on from my internal network to the dmz and will need to re-address the FMC. Concerned there will be a prolonged outage if I need to manually reconfigure routing etc
So you need to change your IP of the FMC? Remove all devices from the FMC first, then change and get the FMC working, and bring in all devices to the new IP.
There won’t really be an outage as the FTDs will still be working. They won’t be able to do malware lookups and AD integration work until you get them back into the manager, but that’s about it.
Question: In expert mode you’re mentioning –
admin@ftd15:~$ sudo shutdown -h -P now
How does it differ from a simple ‘sudo shutdown now’, and what’s the impact of using shutdown without -h -P?
Thanks!
Hi Ian, it does not differ at all from the shutdown -h -P now command. It just can be completed from the GUI, that’s all.
thanks for posting!
So, how different are steps if the FMC remains the same management console, however the FTD appliance is relocating to a remote location and joining back to the original FMC?
Does this move require FXOS configuration changes on the FTD appliance once it’s joined back to the FMC? What other network changes need to occur?
You don’t have to change the FXOS if you are not changing the management IP of the FMC and FTD device.
You can take out the FTD device and put it back in at any time. It will bring down your network during this time, but I am sure you are aware of that.
I am in planning to move my FMC from one location to another. what steps I need to follow without affecting or deleting FTD policy
Moving it won’t affect the FTDs. You just need to change the network and possibly add a static route if you need layer 3 connectivity.
I have FMC at location “A” and I would like to move that same FMC to location “B” will there be any effect or steps I need to follow?
Also during this process will my FTD able to forward traffic ?
And last thing do I need to remove all devices from FMC first and then I need to add
You’ll need to change the FMC management VLAN address, and add a static route so the FMC knows where the FTD’s are.
The FTD’s will not stop working and DO NOT remove them from the FMC, do NOT!
Thank you for prompt response.
I am planning to perform below steps.
1. Bring FMC to new location (hope meanwhile all FTD’s will work fine along with anyconnect VPN with LDAP authentication)
2. Change IP Address of FMC
3. On FTD
configure manager delete
configure manager add —> new IP address of FMC
and hope no config wipe for FTD’s and everything should start working normal.
Let me know if I miss anything.
once again Thank you.
After you bring the devices in, you need to make sure all policies are applied. Check the following:
Interface IPs and Zone configurations
Routing
Platform settings
NAT
Make sure those are all assigned to the devices and you should be good to go.
good luck!
Todd
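Both the post’s list of items that are not re-pushed and Todd’s checklist above boil down to the same verification step: after a device is re-added, confirm the policies that require manual assignment are actually targeted at it before calling the move done. The script below is an added example, not part of the original post or of Cisco’s tooling. It works on the JSON shape of the FMC REST API’s policy-assignment listing (assumed endpoint: GET /api/fmc_config/v1/domain/{domainUUID}/assignment/policyassignments?expanded=true, items with a policy type and a list of device targets); the policy type names are assumed to match the FMC API object types, and the device ids and assignment records are constructed sample data. Routing, interface zones and FlexConfig are not policy assignments in this API, so they still need a manual check in the GUI.

```python
"""Flag devices that are missing the policies FMC does not re-push after re-registration.

Added example, not code from the original post. Assumes the FMC REST API's
policy-assignment listing shape; sample data below is constructed.
"""

# Policy types the post says must be reassigned by hand after a device is
# re-added (AccessPolicy is pushed automatically, but it is cheap to verify).
# Type strings are assumed to match the FMC API object types.
REQUIRED_POLICY_TYPES = {
    "AccessPolicy",
    "FTDNatPolicy",               # NAT
    "FTDPlatformSettingsPolicy",  # Platform settings
    "HealthPolicy",               # Health policy
}

# Constructed sample of the ``items`` array from the assignments listing, as it
# might look after ftd15 (id ftd-15-uuid) was deleted from and re-added to FMC.
SAMPLE_ASSIGNMENTS = [
    {"type": "PolicyAssignment",
     "policy": {"type": "AccessPolicy", "name": "Corp-ACP"},
     "targets": [{"type": "Device", "id": "ftd-15-uuid"},
                 {"type": "Device", "id": "ftd-16-uuid"}]},
    {"type": "PolicyAssignment",
     "policy": {"type": "FTDNatPolicy", "name": "Branch-NAT"},
     "targets": [{"type": "Device", "id": "ftd-16-uuid"}]},
    {"type": "PolicyAssignment",
     "policy": {"type": "HealthPolicy", "name": "Initial_Health_Policy"},
     "targets": [{"type": "Device", "id": "ftd-15-uuid"},
                 {"type": "Device", "id": "ftd-16-uuid"}]},
]


def assigned_policy_types(assignments, device_id):
    """Return the set of policy types whose assignment targets device_id."""
    found = set()
    for item in assignments:
        if item.get("type") != "PolicyAssignment":
            continue
        for target in item.get("targets", []):
            if target.get("type") == "Device" and target.get("id") == device_id:
                found.add(item["policy"]["type"])
    return found


def missing_policies(assignments, device_id, required=REQUIRED_POLICY_TYPES):
    """Return the sorted list of required policy types not assigned to device_id."""
    return sorted(required - assigned_policy_types(assignments, device_id))


def report(assignments, device_ids):
    """Map each device id to its missing policy types; an empty list means clean."""
    return {dev: missing_policies(assignments, dev) for dev in device_ids}


if __name__ == "__main__":
    for dev, missing in report(SAMPLE_ASSIGNMENTS, ["ftd-15-uuid", "ftd-16-uuid"]).items():
        print(f"{dev}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

Run it against the real listing by replacing SAMPLE_ASSIGNMENTS with the items array returned for your domain; any device that reports MISSING still needs its NAT, platform settings or health policy assigned and deployed before the move is signed off.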
Hey Todd,
I was curious if I needed to do any steps for just moving the Management connections for both the FXOS and the FTD to a different switch in the same environment? The firewalls are all managed by FMC, which resides in the same L2 and L3 domain. The switch we are migrating to also is one RU away from the previous switch.
just make sure the ports are in the same VLAN as they are now, nothing else to worry about here
Hey Todd, what if I move my FTD from one location to another and in both scenarios I’m managing this device with an FMC in a remote location/not directly addressable (the FMC location will remain the same)? Do I have to follow the exact same process of de-registering the FTD from the FMC with the command “configure manager delete”, and then, when I move it, add it back with the same parameters I used before to register it to the FMC? (FMC address, NAT ID, DONTRESOLVE etc…)
And if this is the process, what if I don’t remember the NAT ID for example? Because these parameters should be already set on this remote FMC when I registered this FTD to this FMC for the first time, correct?
Thanks
Are you changing the IP address on the management interface? Then yes, you need to delete and add it back in.
Do you need a NAT ID? You’d have to find it for the remote location. It’s better if you’re not NATing, if possible.
email me at [email protected] if you need more info
We’re planning to move out FMC pair to new datacentres. My plan is:
1 – Within the FMC, break the high availability pair from the primary FMC and choose ‘Manage registered devices from this console’
2 – Disconnect the secondary FMC from the network. Re-IP it, then shut it down
3 – Move secondary FMC to the new datacentre. Rack, boot up, confirm connectivity
4 – Go to a site where an FTD pair resides. Disconnect all data cables (not mgmt or failover) from the standby FTD
5 – Suspend the HA from the CLI of the primary FTD; configure high-availability suspend
5 – On the standby unit, delete the manager and re-add with the new manager (the secondary FMC that has moved datacentres) IP address
6 – Confirm standby firewall is seen in the FMC and push policies if required.
7 – Connect all data cables back into what was the standby firewall.
8 – Disconnect the data cables from the primary firewall. Confirm standby firewall is servicing traffic.
9 – Repeat steps 5 and 6 on the primary firewall
10 – Re-connect the data cables to primary firewall
11 – un-suspend the HA and make it active again
12 – Test
13 – Repeat at all sites hosting FTDs
14 – Repeat steps 2 and 3 on primary FMC once all FTDs have moved to the secondary FMC
15 – Re-introduce the HA between the FMCs.
Before you move the FMCs, I’d get everything updated, and you do not need to break the pair to do this…upgrade the secondary and then the primary; no need to take cables off, etc…remember, if your FMC goes down, you lose analysis, but you do not bring your network down…the FTDs going down would be an issue, but not the FMC…