usernames. In this case, an administrator might be able to see this information when working with the
configuration or when using SNMP.
• How Remote Management Works, on page 118
• Before You Start, on page 119
• End-to-End Procedure, on page 120
• Central Administrator Pre-Configuration Using the CLI, on page 121
• Branch Office Installation, on page 126
• Central Administrator Post-Configuration, on page 128
How Remote Management Works
To allow the FMC to manage the FTD over the internet, you use the outside interface for FMC management
instead of the Management interface. Because most remote branch offices only have a single internet connection,
outside FMC access makes centralized management possible.
You can use any data interface for FMC access, for example, the inside interface if you have an inside FMC.
However, this guide primarily covers outside interface access, because it is the most likely scenario for remote
branch offices.
Note
The Management interface is a special interface configured separately from FTD data interfaces, and it has
its own network settings. The Management interface network settings are still used even though you are
enabling FMC access on a data interface. All management traffic continues to be sourced from or destined to
the Management interface. When you enable FMC access on a data interface, the FTD forwards incoming
management traffic over the backplane to the Management interface. For outgoing management traffic, the
Management interface forwards the traffic over the backplane to the data interface.
FMC access from a data interface has the following limitations:
• You can only enable FMC access on one physical, data interface. You cannot use a subinterface or
EtherChannel.
• This interface cannot be management-only.
• Routed firewall mode only, using a routed interface.
• High Availability is not supported. You must use the Management interface in this case.
• PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support
between the FTD and the WAN modem.
• The interface must be in the global VRF only.
• You cannot use separate management and event-only interfaces.
• SSH is not enabled by default for data interfaces, so you will have to enable SSH later using FMC.
Because the Management interface gateway will be changed to be the data interfaces, you also cannot
Cisco Firepower 1100 Getting Started Guide
118
Firepower Threat Defense Deployment with a Remote FMC
How Remote Management Works
To Next Page
Loading...
Need help?
General