Security Cloud Control Support for DHCP Addressing of FDM-Managed Devices
What happens if the IP address used by my FDM-managed device changes?
Security Cloud Control has many Adaptive Security Appliance (ASA) and FDM-managed device customers who have onboarded devices using an IP address that their service provider assigned through DHCP.
If the IP address of the device changes for any reason, whether that is a change in the static IP address or a change in the IP address due to DHCP, you can change the IP address that Security Cloud Control uses to connect to the device and then reconnect the device.
The field has expressed concern that, for branch-deployed FDM-managed devices managed by Security Cloud Control, a static IP is required on the outside interface of the FDM-managed device, which, in the view of some SEs, precludes using Security Cloud Control as a management solution when the FDM-managed device has a DHCP address configured for the outside interface.
However, this situation does not impact customers that have VPN tunnels to remote branch firewalls, and we know that a vast majority of customers have site-to-site tunnels from their branch offices back to their datacenters. When site-to-site VPN is used to connect devices to the central site, DHCP on the outside interface is not a concern, since Security Cloud Control (and any management platform) can connect to the firewall via its inside, statically addressed interface (if so configured). This is a recommended practice and we have Security Cloud Control customers with many (+1000) devices using this deployment mode.
Also, the fact that an interface IP address is issued via DHCP does not preclude the customer from managing the device using that IP. Again, this is not optimal, but the experience of potentially having to change the IP address in Security Cloud Control from time to time has not been seen as a hurdle to customers. This situation is not exclusive to Security Cloud Control and happens with any manager using the outside interface, including ASDM, FDM or SSH.