and DDNS server. For more information about the DNS server configuration, see below. In CDO, you
can later make changes to the manager access interface configuration, but make sure you don't make
changes that can prevent the threat defense or CDO from re-establishing the management connection. If
the management connection is disrupted, the threat defense includes the configure policy rollback
command to restore the previous deployment.
• If you configure a DDNS server update URL, the threat defense automatically adds certificates for all
of the major CAs from the Cisco Trusted Root CA bundle so that the threat defense can validate the
DDNS server certificate for the HTTPS connection. The threat defense supports any DDNS server that
uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).
• This command sets the data interface DNS server. The Management DNS server that you set with the
setup script (or using the configure network dns servers command) is used for management traffic.
The data DNS server is used for DDNS (if configured) or for security policies applied to this interface.
On CDO, the data interface DNS servers are configured in the Platform Settings policy that you assign
to this threat defense. When you add the threat defense to CDO, the local setting is maintained, and the
DNS servers are not added to a Platform Settings policy. However, if you later assign a Platform Settings
policy to the threat defense that includes a DNS configuration, then that configuration will overwrite the
local setting. We suggest that you actively configure the DNS Platform Settings to match this setting to
bring CDO and the threat defense into sync.
Also, local DNS servers are only retained by CDO if the DNS servers were discovered at initial registration.
For example, if you registered the device using the Management interface, but then later configure a data
interface using the configure network management-data-interface command, then you must manually
configure all of these settings in CDO, including the DNS servers, to match the threat defense
configuration.
• You can change the management interface after you register the threat defense to CDO, to either the
Management interface or another data interface.
• The FQDN that you set in the setup wizard will be used for this interface.
• You can clear the entire device configuration as part of the command; you might use this option in a
recovery scenario, but we do not suggest you use it for initial setup or normal operation.
• To disable data managemement, enter the configure network management-data-interface disable
command.
Example:
> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]:
IP address (manual / dhcp) [dhcp]:
DDNS server update URL [none]:
https://deanwinchester:pa$$w0rd17@domains.example.com/nic/update?hostname=<h>&myip=<a>
Do you wish to clear all the device configuration before applying ? (y/n) [n]:
Configuration done with option to allow manager access from any network, if you wish to
change the manager access network
use the 'client' option in the command 'configure network management-data-interface'.
Setting IPv4 network configuration.
Network settings changed.
>
Cisco Firepower 1010 Getting Started Guide
139
Threat Defense Deployment with CDO
Perform Initial Configuration Using the CLI
To Next Page
Loading...
Need help?
General
