Firepower Threat Defense (FTD) is a powerful security solution offered by Cisco to protect networks against various cyber threats. When managing multiple security devices or looking for centralized management, Cisco’s Firepower Management Center (FMC) is the go-to solution. Let’s walk through the step-by-step process of adding FTD devices into FMC for streamlined management and enhanced security control.
Step 1: Verify FTD management interface settings
> show network
===============[ System Information ]===============
Hostname : ftd-02.mylab.local
Domains : mylab.local
DNS Servers : 172.16.1.229
              8.8.8.8
Management port : 8305
IPv4 Default route
Gateway : 172.16.1.229
Step 2: Adding FMC as Manager in FTD
> configure manager add 172.16.1.246 SECRETPASSWORD
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.
>
Here SECRETPASSWORD is the registration key. Take note of it, as it is required when adding the FTD in FMC.
Step 3: Accessing the Firepower Management Center (FMC)
From FMC dashboard navigate to Devices > Device Management.
Step 4: Navigate to the Add Device option in FMC and fill in the FTD device details
The registration key [SECRETPASSWORD] is the one we used previously when we added the FMC as the manager on the FTD appliance. Associating the FTD with an access control policy during the addition process is mandatory. You can create a new access control policy from the Add Device window if you have not already created one on the FMC.
You might be wondering what the Transfer Packets option is all about. This option is very important. When it is enabled, the FTD sends the FMC not only the security events triggered by a security feature but also the event metadata and, where available, the packets that triggered them. If you disable this option instead, the FTD sends only the security events to the FMC.
You might also be wondering what the Unique NAT ID option is and when we would need to use it. The unique NAT ID is a value that we use in very specific cases. Think of it as a tag associated with the traffic coming from a device.
For instance, say we have an FTD appliance behind a router with a dynamic public IP address. In this case we cannot rely on the FTD IP address, since it keeps changing. The Unique NAT ID feature comes to the rescue here.
What we need to do in that case is specify a unique NAT ID value on the FTD when we add the FMC as the manager. Then, on the FMC, we just need to fill in that unique NAT ID on the Add Device window. In this case we do not have to fill in the FTD IP address; we can leave it blank.
Another use case for the Unique NAT ID is when we have multiple FTD appliances behind a single NAT device. Say, for instance, we have a couple of FTD appliances behind a router that NATs all the internal traffic to a single private or public IP, and we configured both of them to register with the FMC using the traditional method of specifying only the FMC IP address.
In this case the FMC cannot distinguish which FTD appliance a request is coming from, and accordingly it cannot authenticate that FTD device. To resolve this, we just need to add a unique NAT ID value on each FTD appliance. That value is used on the FMC to look up the initiating FTD. As above, in this case as well you can leave the IP address field blank and use the NAT ID value instead.
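To make the two NAT scenarios above concrete, here is an added example in Python; it is not Cisco's code and not part of the original post. It models, in a deliberately simplified way, how the FMC would pair an incoming registration with a pending Add Device entry: by the Unique NAT ID when one is present, otherwise by the source IP the FMC sees, with the registration key checked afterwards as a shared secret. The matching rule, the device names, the NAT ID strings and the addresses are constructed for the illustration; the only thing taken from the real product is that the NAT ID is the optional third argument of `configure manager add <host> <reg_key> [<nat_id>]`.

```python
"""Simplified model of FMC-side matching of FTD registration requests.
Added example, not Cisco's implementation: the rule below is a hypothetical
simplification of the real handshake, kept only to show why a Unique NAT ID
is needed when the FMC cannot rely on the FTD's source address."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PendingDevice:
    """One row created by the FMC 'Add Device' window."""
    name: str
    host: Optional[str]    # Host field; None when it was left blank
    reg_key: str           # Registration key typed in the window
    nat_id: Optional[str]  # Unique NAT ID field; None when it was left blank


@dataclass(frozen=True)
class RegistrationRequest:
    """What the FMC sees when an FTD that ran 'configure manager add' connects."""
    source_ip: str         # Address as seen by the FMC (post-NAT)
    reg_key: str
    nat_id: Optional[str]


def ftd_manager_command(fmc_host: str, reg_key: str, nat_id: Optional[str] = None) -> str:
    """Build the FTD-side command line; the NAT ID is the optional third argument."""
    parts = ["configure manager add", fmc_host, reg_key]
    if nat_id:
        parts.append(nat_id)
    return " ".join(parts)


def match_pending(pending: list, req: RegistrationRequest) -> PendingDevice:
    """Pick the pending entry this request belongs to.

    Lookup is by Unique NAT ID when the request carries one, otherwise by the
    source IP. Raises LookupError when zero or several entries match (the FMC
    cannot tell which device is registering) and ValueError on a wrong key."""
    if req.nat_id is not None:
        candidates = [d for d in pending if d.nat_id == req.nat_id]
    else:
        candidates = [d for d in pending if d.nat_id is None and d.host == req.source_ip]
    if not candidates:
        raise LookupError("no pending device matches this request")
    if len(candidates) > 1:
        names = ", ".join(d.name for d in candidates)
        raise LookupError(f"ambiguous request: {names} all match")
    device = candidates[0]
    # Constant-time comparison: reject a wrong key without a timing side channel.
    if not hmac.compare_digest(device.reg_key.encode(), req.reg_key.encode()):
        raise ValueError(f"registration key mismatch for {device.name}")
    return device


# Constructed scenario: two FTDs behind a router that NATs both to 203.0.113.10.
NAT_IP = "203.0.113.10"


def scenario_without_nat_id() -> str:
    """Both devices added by IP only: the FMC sees the same source IP for both."""
    pending = [
        PendingDevice("ftd-01", NAT_IP, "SECRETPASSWORD", None),
        PendingDevice("ftd-02", NAT_IP, "SECRETPASSWORD", None),
    ]
    try:
        match_pending(pending, RegistrationRequest(NAT_IP, "SECRETPASSWORD", None))
    except LookupError as exc:
        return str(exc)
    return "matched"


def scenario_with_nat_id() -> str:
    """Host left blank and a distinct NAT ID per device: the source IP no longer
    matters, which also covers a single FTD behind a dynamic public address."""
    pending = [
        PendingDevice("ftd-01", None, "SECRETPASSWORD", "ftd01-natid"),
        PendingDevice("ftd-02", None, "SECRETPASSWORD", "ftd02-natid"),
    ]
    # The FTD's public address today is different from whatever it was yesterday.
    req = RegistrationRequest("198.51.100.7", "SECRETPASSWORD", "ftd02-natid")
    return match_pending(pending, req).name


if __name__ == "__main__":
    print(ftd_manager_command("172.16.1.246", "SECRETPASSWORD", "ftd02-natid"))
    print(scenario_without_nat_id())
    print(scenario_with_nat_id())
```

Running the script prints the NAT ID form of the FTD command, then the ambiguity error for the IP-only case, then `ftd-02` for the NAT ID case. The same NAT ID string must be typed on both sides (the FTD command and the FMC Add Device window), and each device behind the shared NAT address needs its own value.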
Step 5: Click Register to start the FTD device registration process
The FMC takes a few minutes to complete the FTD registration. You can check the status by going to the Notifications > Tasks menu on the top right side:
If the FMC fails to deploy the access control policy to the FTD on the first attempt, give it another try by clicking the Deploy button.
Integrating Firepower Threat Defense (FTD) devices into Firepower Management Center (FMC) provides centralized management capabilities, enhancing security control and simplifying administration tasks. By following the step-by-step guide outlined above, you can seamlessly add FTD devices into FMC for streamlined management of your network security infrastructure.