
Cisco Highly Confidential

Do Not Share with Anyone


IFT TOI

FTD onboarding to
FMC through FDM
Firepower 7.1

Sadaf Syed
June 30, 2021
Cisco Highly Confidential

• You will not distribute or show Internal Field Testing or Beta Testing assets to anyone
• The assets provided as part of this program are for your use only.
• You understand that this program and its assets are for Cisco internal employees only. That means no partners or vendors.
Note: These trainings and materials were prepared prior to release; information is subject to change on release, and features may even be removed.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
Agenda
‣ Introduction
‣ Feature Details
‣ Demo
‣ Software Technology
‣ REST APIs, Syslog, SNMP
‣ Troubleshooting / Diagnostics
‣ References
Introduction
Background – Customer Requirements
• An FTD device can be managed by the local manager (FDM) or by the off-box manager (FMC)
• To configure the FMC manager there is only CLI support, no FTD API or UI support

FP 7.1 IFT TOI: FTD on-boarding to FMC through FDM Page 5
What’s New

• With FP 7.1.0
- FDM UI and FTD REST API
• to onboard to FMC with data plane interface access
Solution • to onboard to FMC with management access

• FDM UI and FTD REST API to setup SFTunnel listener on the data
interface
• FDM UI and FTD REST API to add FMC manager on the device

Feature Overview
• FTD API (and FDM UI) can be used to onboard with FMC
  - Using data interface access for the remote branch scenario
  - Using management interface access
• Which manager(s): FDM and FTD REST API

• Summary of Limitations
  - FTD in HA mode cannot be onboarded
  - FTD with Universal PLR cannot be onboarded
  - FTD with FlexConfig cannot be onboarded because FMC will not sync this configuration
  - FTD can be managed by only one manager at a time, local (FDM) or FMC

Deployment Examples
Deployment Examples: Remote Branch
• FTD deployment in a remote branch office
- With single Internet connection
- Only path to headquarters (FMC) is through the data plane (typically the outside
interface)
- Management interface is either unused or on a private internal network
• This onboarding scenario is the API equivalent of the following CLI command:
  - configure network management-data-interface

Deployment Examples: Management Interface
• FTD deployment is using management interface for FMC access

Deployment Examples: FTD Outbound Connectivity
• FTD Outbound Connectivity
  - Communication is outbound from the FTD to FMC and requires that FTD can reach the FMC IP

Deployment Examples: FTD Inbound Connectivity
• FTD Inbound Connectivity
- Communication is inbound from FMC into the FTD and requires that FMC can reach
FTD IP

Prerequisites,
Supported Platforms,
Licensing
Minimum Supported Software & Hardware Platforms

Min Supported Manager Version | Min Supported Managed Device Version | Managed Devices                          | Required
FMC/FDM 7.1                   | FTD 7.1                              | FTDs on FPR1000/2100/4100/9300          | FMC GUI, FDM UI, FTD API
FMC/FDM 7.1                   | FTD 7.1                              | Virtual FTD for VMware, AWS, Azure, KVM | FMC GUI, FDM UI, FTD API

Notes
• Devices enrolled with the cloud management will lose access upon registration with FMC
• Nutanix and Hyperflex are not supported

Licensing
• FTD with the following license states can be onboarded:
  - Smart Licensed – the registration will be removed after registration with FMC
  - Evaluation mode
  - Unregistered mode

• FTD with Universal PLR cannot be onboarded and should be deregistered first

Feature Details
How It Works
• FMC onboarding flow can be executed from:
  - FTD REST APIs
  - FDM UI
• The flow uses existing FTD REST APIs to back up and deploy
• A new FTD REST API will
  - Add the FMC manager on the FTD device
  - Start sftunnel
  - Poll for FMC communication (on sftunnel)
  - When successful, the local manager will be removed

FDM Walkthrough
FMC Registration Onboarding Flow (FDM UI steps and the FTD REST API calls behind them)

1. Connectivity Configuration (POST/PUT):
   - /devices/default/interfaces/{objId}
   - /devices/default/mgmtdnssettings/{objId}
   - /devicesettings/default/ddnsservices
   - /devicesettings/default/devicehostname/{objId}
2. Backup: POST /action/backup
3. FMC Details: POST /devices/default/fmcregistrationsettings
   FDM read-only mode only allows the following APIs:
   1. Deployment (POST /operational/deploy)
   2. Connection Test (POST /action/connecttest)
   3. FMC Registration (POST /action/registerfmc)
   4. Cancel FMC Registration (DELETE /devices/default/fmcregistrationsettings/{objId})
4. Deploy: POST /operational/deploy
5. Connectivity Test: POST /action/connecttest
6. FMC Registration (POST /action/registerfmc):
   - Add FMC manager
   - Poll sf-tunnel communication (isConnected())
   - No: keep polling
   - Yes: Connection Success, FDM shutdown, device managed by FMC
FDM UI Walkthrough
Device -> System Settings -> Management Center
Management Center can be launched:
• After the Easy Setup Wizard
• Or skipping the Easy Setup Wizard
• Or on an FTD device already managed by FDM

Management Center
• When the “Management
Center” is launched,
user will have some
warnings to
acknowledge before
starting the onboarding
flow
• Clicking the Proceed
button will start the
onboarding flow

Pending Changes Warning
Clicking Continue acknowledges the following:
• Existing pending changes will be deployed
• FDM does not perform selective deploy
• Only device interface configuration will be synced upon FMC registration

Management Center: FMC Details section
FMC Details section on the Management Center
screen
• Allows to indicate inbound vs. outbound flow
depending if FMC host is known or not
• Collects details regarding FMC Host,
Registration Key, and NAT ID

Management Center: Connectivity Configuration

Connectivity Configuration on
Management Center screen
• Allows to update FTD hostname,
DNS Server Group, and FMC
Access Interface

FMC Access Interface
• Can be only Management Interface
on a FTDv
• Can be either Data Interface or
Management on a hardware
device
• Both IPv4 and IPv6 addresses are
supported

FMC Access Interface
• Both Static and DHCP types are
supported
• When editing the interface to use
DHCP type, IP address will be
assigned only after deployment

Connect
• When user clicks Connect in FDM
UI, registration progress is
launched
• Registration progress is shown in a
separate blocking popup from
here on

FDM Registration Status
• This is a blocking popup and will appear until the onboarding process completes or is canceled
• Lists progress of all the steps that FDM UI invokes in the background
• Click on "See configuration summary" to toggle the configuration summary providing FMC details and Connectivity Configuration
• Once the FMC manager is added, the user will be prompted to add the FTD device to FMC
FDM Registration Status
• FDM UI will stay on this step until
FTD device is added in FMC UI
• If user wants to return to FDM UI,
they will have to click “CANCEL
REGISTRATION”
• Upon cancellation
  - SFTunnel will be shut down
  - FMC manager will be removed from the device
  - User will have full access to manage the device via FDM UI

FMC UI Walkthrough
Add device in FMC UI
• Once FDM adds the FMC
manager, log into FMC and
add device.
• Provide FTD details
including:
- Host
- Registration key
- NAT ID

• Clicking the Register button will initiate FMC to connect to the FTD device and start the registration process
FMC Connection Success
• FDM job will complete with a
successful connection message in
FDM UI
• Device will be moved to offbox
• FDM UI and FTD REST API stack
will be brought down
• Then device will be registered with
FMC

Managed by FMC
• When device is
registered to FMC, the
FMC Access Interface
will be listed on the
device details page

What about FDM?
• An FTD device can be managed by only one manager at a given time
• Before the device is registered with FMC, it is moved to offbox mode and the FDM UI and FTD API stack is brought down
• After successful registration, FMC will manage the device

> show managers
Type : Manager
Host : 10.10.10.165
Registration : Completed

> expert
admin@WM1120-9:~$ sudo su
Password:
root@WM1120-9:/home/admin# pmtool status | grep tomcat
Required by: SFDataCorrelator,expire-session,TSS_Daemon,snapshot_manager,fpcollect,Syncd,Pruner,ActionQueueScrape,rotate_stats,sfestreamer,tomcat,EventHandler
tomcat (normal) - Waiting
Command: /ngfw/var/cisco/ngfwWebUi/tomcat/bin/ngfw_onbox_start_tomcat.sh
PID File: /ngfw/var/sf/run/tomcat.pid
root@WM1120-9:/home/admin#
How to Get Back to FDM
To get back to the FDM manager use the existing CLI commands:
- configure manager delete
- configure manager local

> show managers
Type : Manager
Host : 10.10.10.165
Registration : Completed

> configure manager delete
> show managers
No managers configured.

> configure manager local
> show managers
Managed locally.

> expert
admin@WM1120-9:~$ sudo su
Password:
root@WM1120-9:/home/admin# pmtool status | grep tomcat
Required by: SFDataCorrelator,expire-session,TSS_Daemon,snapshot_manager,fpcollect,Syncd,Pruner,ActionQueueScrape,rotate_stats,sfestreamer,tomcat,EventHandler
tomcat (normal) - Running 32984
Command: /ngfw/var/cisco/ngfwWebUi/tomcat/bin/ngfw_onbox_start_tomcat.sh
PID File: /ngfw/var/sf/run/tomcat.pid
root@WM1120-9:/home/admin#
Demo
The Demo Shows…
• Register with FMC using data-interface:
- Setup outside interface during FDM easy setup wizard
- Setup management access via outside interface
- Route management through outside interface
- Use Management Center to start onboarding with FMC

Set up outside interface
• Use Easy Setup wizard to set the
outside interface
• This can also be done from Device
-> Interfaces page if Easy Setup
was skipped

Management Access
• Setup Management Access through outside interface with both HTTPS, SSH
protocols
- Where: Device -> System Settings -> Management Access

• Deploy

Data Interfaces as the Gateway
• Set Data Interfaces as the
Gateway
• Where:
- In converged mode (default on 7.1.0
fresh install):
• Device -> Interfaces -> edit
management interface
- In non-converged mode (upgrade
from pre 7.1.0 or manual switch to
non-converged mode):
• Device -> System Settings ->
Management Interface

Data Interfaces as the Gateway
• Deployment is triggered
immediately
• Device will lose access to FDM UI
via management interface
• FDM UI can be accessed via
outside interface after deployment
is complete

Launch Device -> System Settings -> Management Center
Provide FMC Details
• Provide FMC details:
- FMC Hostname/IP Address
- FMC Registration Key
- NAT ID
• These settings will be used by
new API:
FMCRegistrationSettings
POST
• POST will be invoked after user
clicks Connect

Provide Connectivity Configuration
• The POST call to change the FTD hostname will be invoked when the user clicks Connect
• Select the outside interface set up in the initial step; note the UI will display the IP address configured earlier
• If the in-line Edit option is used to edit the interface, pending changes will be created.

Provide Connectivity Configuration
• FMC Access Interface selected will
be used as a reference in new
API:
FMCRegistrationSettings
POST
• Click Connect to start onboarding
process

FMC Registration Status
• Launched when Connect button
is clicked

FMC Registration Status
• Registration process is paused
if the browser is closed at this
point
• Registration process will
resume when user logs into
FDM UI again
• The blocking popup conveys
this caution and will appear
until FMC registration process
has been completed or
canceled

FMC Registration Status
• Lists progress of the following FTD APIs
  - POST /action/backup
  - POST /devices/default/fmcregistrationsettings
  - POST /operational/deploy
  - POST /action/connecttest
  - POST /action/registerfmc

FMC Registration Status
• This popup also lists the
- FMC Details
- Connectivity Configuration

FMC Registration Status
• Indicates when FMC manager is
successfully added on the device
• FMCRegistrationImmediate
job will continue to poll sftunnel
status at this point
• User is informed to add the device in FMC, at which point the sftunnel connection will be successful

FMC UI
Add device in FMC

FMC -> Device Details
• Notice FMC Access
Interface is detected as
“Data Interface”

FMC -> Device Interfaces
• Interface configuration
from FDM is not wiped
when device is moved to
offbox mode
• FMC discovers the
interface configuration

FMC -> Routing
• FMC also discovers the
static route created by
FDM easy setup wizard

Software Technology
Software Architectural
Overview
Software Architecture
• No changes to the current Architecture for FTD APIs
• FTD APIs for FMC registration follow existing FTD architecture

REST APIs, Syslog,
SNMP, Etc.
REST APIs
FTD Device REST API Workflow
• (see diagram at the beginning of FDM Walkthrough section and comments to
screenshots in the Demo section)

New REST APIs
New ConnectTest APIs
Operation | Endpoint            | Comments
POST      | /action/connecttest | Operational entity with the given IP address and connection interface through which the ping test should be attempted

New REST APIs
New FMCRegistrationSettings APIs
Operation | Endpoint                                         | Comments
POST      | /devices/default/fmcregistrationsettings         | Create an FMCRegistrationSettings object
GET       | /devices/default/fmcregistrationsettings         | Fetch a list of all FMCRegistrationSettings objects
GET       | /devices/default/fmcregistrationsettings/{objId} | Fetch an FMCRegistrationSettings object identified by the given objId
DELETE    | /devices/default/fmcregistrationsettings/{objId} | Delete an FMCRegistrationSettings object identified by the given objId

New REST APIs
New FMCRegistrationImmediate Job APIs
Operation | Endpoint                    | Comments
POST      | /action/registerfmc         | Start the FMC registration as a background task
GET       | /action/registerfmc         | Fetch all scheduled FMCRegistrationImmediate jobs
GET       | /action/registerfmc/{objId} | Fetch an FMCRegistrationImmediate job object identified by the given objId

Related REST APIs
Related APIs
Operation | Endpoint                                        | Comments
PUT       | /devices/default/interfaces/{objId}             | Update a PhysicalInterface object
PUT       | /devicesettings/default/devicehostname/{objId}  | Update the DeviceHostname object
POST      | /devices/default/mgmtdnssettings/{objId}        | Create a DeviceDNSSettings object
PUT       | /devices/default/mgmtdnssettings/{objId}        | Update a DeviceDNSSettings object

Related REST APIs
Related APIs (continued)
Operation | Endpoint                                                              | Comments
PUT       | /devices/default/routing/virtualrouters/{parentId}/staticrouteentries | Update StaticRoute object
POST      | /action/backup                                                        | Start backup job
POST      | /operational/deploy                                                   | Start deployment job
GET       | /jobs/deployments/{objId}                                             | Get the status of the given deployment job
GET       | /jobs/jobhistory/{objId}                                              | Get the status of the given job
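The whole onboarding sequence, driven from a script against the FTD REST API instead of from the FDM Management Center screen. This is an added example, not Cisco's code and not the FDM UI's implementation: the endpoint paths are the ones listed in these tables and in the onboarding flow diagram, but the request bodies (fmcHost, registrationKey, natId, accessInterface, fmcRegistrationSettingsId), the job state strings (QUEUED, DEPLOYED, WAITING_FOR_FMC, CONNECTED, FAILED), the `transport.request()` interface standing in for an authenticated HTTPS session, and the API base path are all assumptions. `FakeFtd` is an in-memory stand-in so the flow runs offline; it models the FDM read-only mode from the flow diagram, taken here to begin once the FMCRegistrationSettings POST succeeds.

```python
"""Drive the FP 7.1 FTD-to-FMC onboarding flow over the FTD REST API (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Endpoints as listed in the TOI, relative to the device API base path (not shown there).
EP_BACKUP = "/action/backup"
EP_FMC_SETTINGS = "/devices/default/fmcregistrationsettings"
EP_DEPLOY = "/operational/deploy"
EP_DEPLOY_JOB = "/jobs/deployments/{objId}"
EP_CONNECT_TEST = "/action/connecttest"
EP_REGISTER_FMC = "/action/registerfmc"
EP_REGISTER_JOB = "/action/registerfmc/{objId}"


class OnboardError(RuntimeError): pass


def _call(transport, method: str, path: str, body: Optional[dict] = None) -> dict:
    """transport.request() is assumed to return (http_status, decoded_json_body)."""
    status, payload = transport.request(method, path, body)
    if status >= 400:
        raise OnboardError(f"{method} {path} -> {status}: {payload.get('message', payload)}")
    return payload


def _wait(transport, path_tmpl: str, job: dict, final: Tuple[str, ...], max_polls: int) -> dict:
    for _ in range(max_polls):  # poll the job resource until a final state (state names assumed)
        if job["state"] in final:
            break
        job = _call(transport, "GET", path_tmpl.format(objId=job["id"]))
    return job


def onboard(transport, *, fmc_host: str, reg_key: str, nat_id: Optional[str],
            access_interface_id: str, max_polls: int = 50) -> List[str]:
    """Run the step sequence the FDM Management Center screen runs; return completed step names."""
    done: List[str] = []
    _call(transport, "POST", EP_BACKUP, {"name": "pre-fmc-onboarding"})  # backup before anything else
    done.append("backup")
    body = {"fmcHost": fmc_host, "registrationKey": reg_key,  # field names are assumptions
            "accessInterface": {"id": access_interface_id}}
    if nat_id is not None:
        body["natId"] = nat_id
    settings = _call(transport, "POST", EP_FMC_SETTINGS, body)  # FDM is read-only from here on
    done.append("fmcregistrationsettings")
    job = _wait(transport, EP_DEPLOY_JOB, _call(transport, "POST", EP_DEPLOY, {}),
                ("DEPLOYED", "FAILED"), max_polls)  # FDM deploys ALL pending changes, no selective deploy
    if job["state"] != "DEPLOYED":
        raise OnboardError(f"deployment ended in state {job['state']}")
    done.append("deploy")
    res = _call(transport, "POST", EP_CONNECT_TEST, {"ipAddress": fmc_host, "interface": access_interface_id})
    if not res.get("reachable"):
        raise OnboardError(f"{fmc_host} not reachable via {access_interface_id}")
    done.append("connecttest")
    job = _wait(transport, EP_REGISTER_JOB,  # adds the FMC manager, then polls until sftunnel connects
                _call(transport, "POST", EP_REGISTER_FMC, {"fmcRegistrationSettingsId": settings["id"]}),
                ("CONNECTED", "FAILED"), max_polls)
    if job["state"] != "CONNECTED":
        raise OnboardError(f"FMC registration job ended in state {job['state']}")
    done.append("registerfmc")
    return done


def cancel(transport, settings_id: str) -> None:
    """Cancel registration: sftunnel is shut down and the FMC manager removed from the device."""
    _call(transport, "DELETE", f"{EP_FMC_SETTINGS}/{settings_id}")


@dataclass
class FakeFtd:
    """Offline stand-in for an FTD that models FDM read-only mode: after the fmcregistrationsettings
    POST only deploy, connecttest, registerfmc, job polls and the cancel DELETE are accepted."""
    fmc_reachable: bool = True
    polls_until_fmc_adds_device: int = 3  # simulates the operator adding the device in the FMC UI
    calls: List[Tuple[str, str]] = field(default_factory=list)
    read_only: bool = False

    def request(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        self.calls.append((method, path))
        writable = {("POST", EP_DEPLOY), ("POST", EP_CONNECT_TEST), ("POST", EP_REGISTER_FMC)}
        is_cancel = method == "DELETE" and path.startswith(EP_FMC_SETTINGS + "/")
        is_poll = method == "GET" and path.startswith(("/jobs/", EP_REGISTER_FMC + "/"))
        if self.read_only and (method, path) not in writable and not (is_cancel or is_poll):
            return 403, {"message": "device is in FDM read-only mode"}
        if method == "POST" and path == EP_FMC_SETTINGS:
            self.read_only = True
            return 200, {"id": "fmc-settings-1", **(body or {})}
        if is_cancel:
            self.read_only = False
            return 204, {}
        if path == EP_DEPLOY:
            return 200, {"id": "dep-1", "state": "QUEUED"}
        if path.startswith("/jobs/deployments/"):
            return 200, {"id": "dep-1", "state": "DEPLOYED"}
        if path == EP_CONNECT_TEST:
            return 200, {"reachable": self.fmc_reachable}
        if method == "POST" and path == EP_REGISTER_FMC:
            return 200, {"id": "reg-1", "state": "WAITING_FOR_FMC"}
        if path.startswith(EP_REGISTER_FMC + "/"):
            self.polls_until_fmc_adds_device -= 1
            state = "CONNECTED" if self.polls_until_fmc_adds_device <= 0 else "WAITING_FOR_FMC"
            return 200, {"id": "reg-1", "state": state}
        return 200, {"id": "default", **(body or {})}  # ordinary config writes before read-only mode
```

Two operational points the fake cannot show. Once the registration job reports the FMC side connected, the device moves to offbox and the FDM UI and FTD REST API stack is brought down, so a real polling loop must tolerate the API disappearing right after success rather than treating the lost connection as a failure. And the registration key is the shared secret for FMC enrollment: keep it in a secrets store, pass it to `onboard()` from there, and keep it out of shell history and logs (the `OnboardError` message above echoes only the method, path, status and server message, never the request body).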

Troubleshooting /
Diagnostics
Overview of Diagnostics
[Diagram: FDM, FTD Device and FMC in the "FTD onboarding to FMC via FDM" flow]

How to Troubleshoot
• All validation errors are reported in the FDM UI and API responses
• Any job failures while registering FMC will be reported in FDM task list and
FDM UI
• Job failures can also be checked using existing job history id
• Additionally, a Troubleshoot file can be requested and downloaded from
FDM device page
• FTD API logs are located at this location on the device
/ngfw/var/log/cisco/ngfw-onbox.log

System Files Related to the Feature
File Name                                         | Purpose
/ngfw/var/cisco/ngfwWebUI/.remoteBranchDeployment | This flag is created upon FMCRegistrationSettings POST to ensure that LINA configuration is not cleared later when FMC communication is successful and the device is moved to offbox mode.
/ngfw/var/cisco/ngfwWebUI/.preserveCloud          | This flag is created upon FMCRegistrationSettings POST when the "preserve cloud configuration and SSE connectivity" setting is enabled. When present, the device is not unenrolled from cloud when switching to offbox mode.

How to troubleshoot CLI
• Device Process Status
  - The show sftunnel interfaces command can be used after the FMCRegistrationSettings object has been deployed with a data interface as the FMC access interface.

> show sftunnel interfaces

Physical Interface    Name of the Interface
Ethernet1/1           outside

How to troubleshoot CLI
• Device Process Status
  - FMC manager and registration status can be checked using the show managers command

Registration Pending Status:
> show managers
Host : 10.10.10.165
Registration Key : ****
Registration : pending
RPC Status :
>

Registration Completed Status:
> show managers
Type : Manager
Host : 10.10.10.165
Registration : Completed
>

How to troubleshoot CLI
• Device Process Status
  - SF Tunnel status can be checked on the device by running sftunnel-status.
  - This command will return the FMC registration status and the heartbeat send and receive times when communication with FMC is active.
  - Both IPv4 and IPv6 connectivity is supported.

> sftunnel-status

SFTUNNEL Start Time: Tue Jun 22 19:12:29 2021

Both IPv4 and IPv6 connectivity is supported
Broadcast count = 7
Reserved SSL connections: 0
Management Interfaces: 2
management0 (control events) 10.10.10.166,
tap_nlp (control events) 169.254.1.3,fd00:0:0:1::3

***********************
**RUN STATUS****10.10.10.165*************
Cipher used = AES256-GCM-SHA384 (strength:256 bits)
ChannelA Connected: Yes, Interface managemen
ChannelB Connected: No
Registration: Pending.
IPv4 Connection to peer '10.10.10.165' Start Time: Tue Jun 22 19:35:00 2021 UTC

PEER INFO:
sw_version 7.1.0
sw_build 1237
Management Interfaces: 1
eth0 (control events) 10.10.10.165,
Peer channel Channel-A is valid type (CONTROL), using 'managemen', connected to '10.10.10.165' via '10.10.10.166'
Peer channel Channel-B is not valid

TOTAL TRANSMITTED MESSAGES <51> for RPC service
RECEIVED MESSAGES <26> for RPC service
SEND MESSAGES <25> for RPC service
FAILED MESSAGES <0> for RPC service
HALT REQUEST SEND COUNTER <0> for RPC service
STORED MESSAGES for RPC service (service 0/peer 0)
STATE <Process messages> for RPC service
REQUESTED FOR REMOTE <Process messages> for RPC service
REQUESTED FROM REMOTE <Process messages> for RPC service

TOTAL TRANSMITTED MESSAGES <0> for FSTREAM service
RECEIVED MESSAGES <0> for FSTREAM service
SEND MESSAGES <0> for FSTREAM service
FAILED MESSAGES <0> for FSTREAM service

Heartbeat Send Time: Tue Jun 22 19:35:45 2021 UTC
Heartbeat Received Time: Tue Jun 22 19:35:00 2021 UTC

***********************
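An added example, not part of the TOI: a parser for the `show managers` and `sftunnel-status` outputs above that reduces them to the verdict the troubleshooting walkthrough below works toward. The sample strings are constructed from the slide captures and trimmed to the lines the parser uses (the interface name is truncated to 'managemen' in the capture and is left as printed); the verdict labels and the five-minute heartbeat staleness threshold are this example's own choices, not product-defined states.

```python
"""Parse `show managers` and `sftunnel-status` output into a registration verdict (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed samples copied from the CLI captures on the slides and trimmed to the lines the
# parser uses (the interface name is truncated to 'managemen' in the capture; left as printed).
SHOW_MANAGERS_PENDING = """\
Host : 10.10.10.165
Registration Key : ****
Registration : pending
RPC Status :
"""
SHOW_MANAGERS_COMPLETED = """\
Type : Manager
Host : 10.10.10.165
Registration : Completed
"""
SFTUNNEL_STATUS_PENDING = """\
SFTUNNEL Start Time: Tue Jun 22 19:12:29 2021

***********************
**RUN STATUS****10.10.10.165*************
Cipher used = AES256-GCM-SHA384 (strength:256 bits)
ChannelA Connected: Yes, Interface managemen
ChannelB Connected: No
Registration: Pending.

Heartbeat Send Time: Tue Jun 22 19:35:45 2021 UTC
Heartbeat Received Time: Tue Jun 22 19:35:00 2021 UTC
***********************
"""
_TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_show_managers(text: str) -> Dict[str, str]:
    """Return {'mode': 'local' | 'none' | 'fmc'} plus the 'Key : value' fields when an FMC is set."""
    stripped = text.strip()
    if stripped.startswith("Managed locally"):
        return {"mode": "local"}
    if stripped.startswith("No managers configured"):
        return {"mode": "none"}
    fields = {"mode": "fmc"}
    for line in stripped.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only (IPv6 hosts)
        if sep:
            fields[key.strip()] = value.strip()
    return fields


@dataclass
class Sftunnel:
    peer: Optional[str]
    channel_a: bool
    channel_b: bool
    registration: str
    cipher: Optional[str]
    heartbeat_sent: Optional[datetime]
    heartbeat_received: Optional[datetime]


def parse_sftunnel_status(text: str) -> Sftunnel:
    def grab(pattern: str, default: Optional[str] = None) -> Optional[str]:
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else default

    def when(label: str) -> Optional[datetime]:  # timestamps carry a trailing ' UTC'
        raw = grab(rf"^{label}:\s*(.+?)(?:\s+UTC)?\s*$")
        return datetime.strptime(raw, _TIME_FMT) if raw else None

    return Sftunnel(
        peer=grab(r"\*\*RUN STATUS\*\*\*\*([0-9A-Fa-f.:]+)\*"),
        channel_a=(grab(r"^ChannelA Connected:\s*(\w+)", "No") or "").lower() == "yes",
        channel_b=(grab(r"^ChannelB Connected:\s*(\w+)", "No") or "").lower() == "yes",
        registration=grab(r"^Registration:\s*(\w+)", "Unknown") or "Unknown",
        cipher=grab(r"^Cipher used = (\S+)"),
        heartbeat_sent=when("Heartbeat Send Time"),
        heartbeat_received=when("Heartbeat Received Time"),
    )


def diagnose(managers: Dict[str, str], tunnel: Optional[Sftunnel],
             stale_after: timedelta = timedelta(minutes=5)) -> str:
    """Map the two outputs onto the TOI's troubleshooting steps.  The verdict labels and the
    staleness threshold are this example's own choices, not product-defined states."""
    mode = managers.get("mode")
    if mode == "local":
        return "managed_locally"  # FMC manager never added, or registration was cancelled
    if mode == "none":
        return "no_manager"  # re-run registration, or 'configure manager' from the CLI
    if managers.get("Registration", "").lower() == "completed":
        return "registered"
    if tunnel is None or not tunnel.channel_a:
        return "no_tunnel"  # check reachability via the access interface, port 8305, NTP, IPS in path
    if (tunnel.heartbeat_sent and tunnel.heartbeat_received
            and tunnel.heartbeat_sent - tunnel.heartbeat_received > stale_after):
        return "tunnel_stale"  # device keeps sending heartbeats but FMC stopped answering
    return "waiting_for_fmc"  # manager added and channel A up: add the device in the FMC UI now
```

Feed it the text captured at the FTD CLI prompt. A `no_tunnel` verdict with a correct FMC host and NAT ID points at the reachability, port 8305, NTP and IPS-in-path checks in the sample problem below; `waiting_for_fmc` means the device side is done and the Add Device step in the FMC UI is what is missing.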

Sample Problem with
Troubleshooting
Walkthrough
Problem: FMC fails to register the FTD device
• Use Case
- FDM onboarding job is waiting for FMC connection request but FMC is throwing one of the
following error when the FTD device is added:
• Host 10.10.10.168 is not reachable
• Time on FMC and Device are not in sync. Make sure NTP is configured on both.
• There might be an IPS device between FMC/Device which might be blocking SSL connectivity
between the two. Remove any rule in the IPS device which is blocking SSL connectivity.
• Device and FMC are not listening on same sftunnel Port. Current sftunnel port configured on
FMC is 8305, please ensure Device is also using the same port.
• SSL certificates might have got generated with wrong/future time stamp.

Steps to Troubleshoot FDM
1. Go to the FDM UI and check the FMC hostname/IP and the NAT ID (if used) in the "FMC Registration Status" popup
2. If these values are correct, then the registration key may be wrong or the manager may not be configured on the FTD device:
   - Execute the show managers CLI command to verify the FMC manager has been added on the FTD device
   - If the manager is present, add the FTD device again in FMC and monitor sftunnel traffic to see if communication is established:
     • Execute the sftunnel-status CLI command
     • pigtail can also be used to monitor FMC connection failures
3. Cancel Registration in FDM and reattempt

References
Limitations Details,
Common Problems, &
Workarounds
Limitations of the Implementation for this Release
• On virtual FTD (FTDv), data interface cannot be used as FMC management
access interface
• Before device is registered with FMC, device is moved to offbox:
- FDM UI and FTD Device REST API stack will be shutdown

IFT / Beta Notes
Objectives for IFT’ers
• Make sure an FTD can be onboarded via management and/or data interface
• Make sure onboarding can be performed from both FDM UI and FTD APIs

For IFT and Beta Testing
• Summary of logs that should be submitted for IFT / Beta
  - Troubleshoot from FDM, when possible
  - If a Troubleshoot is not available, then the following log files:
    • /ngfw/var/log/cisco/ngfw-onbox.log
    • /ngfw/var/log/messages
  - Output of the show managers command
  - FDM backup file generated by the onboarding flow

Internal Tracking
Information
During the IFT Program, please
log tickets in Jira. Please don't
contact engineering directly.
CDETS Project / Product / Component(s)
(for logging and searching for bugs)

CSC.content-security > ftd-onbox > remote-branch-deployment

Everyone is responsible for security. To learn more about Cisco Highly Confidential, please visit the Data Protection page on CEC.
