• Before You Start, on page 49
• End-to-End Procedure, on page 49
• Central Administrator Pre-Configuration, on page 51
• Branch Office Installation, on page 63
• Central Administrator Post-Configuration, on page 64
How Remote Management Works
To allow the management center to manage the threat defense over the internet, you use the outside interface
for management center management instead of the Management interface. Because most remote branch offices
only have a single internet connection, outside management center access makes centralized management
possible.
You can use any data interface for manager access, for example, the inside interface if you have an inside
management center. However, this guide primarily covers outside interface access, because it is the most
likely scenario for remote branch offices.
Note
The Management interface is a special interface configured separately from the threat defense data interfaces,
and it has its own network settings. The Management interface network settings are still used even though
you are enabling manager access on a data interface. All management traffic continues to be sourced from or
destined to the Management interface. When you enable manager access on a data interface, the threat defense
forwards incoming management traffic over the backplane to the Management interface. For outgoing
management traffic, the Management interface forwards the traffic over the backplane to the data interface.
Manager access from a data interface has the following limitations:
• You can only enable manager access on one physical, data interface. You cannot use a subinterface or
EtherChannel.
• This interface cannot be management-only.
• Routed firewall mode only, using a routed interface.
• PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support
between the threat defense and the WAN modem.
• The interface must be in the global VRF only.
• SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the
management center. Because the Management interface gateway will be changed to be the data interfaces,
you also cannot SSH to the Management interface from a remote network unless you add a static route
for the Management interface using the configure network static-routes command.
• High Availability is not supported. You must use the Management interface in this case.
The following figure shows the management center at central headquarters and the threat defense with the
manager access on the outside interface.
Cisco Firepower 1010 Getting Started Guide
48
Threat Defense Deployment with a Remote Management Center
How Remote Management Works
To Next Page
Loading...
Need help?
General