Change the Manager Access Interface from Management to Data

You can manage the threat defense from either the dedicated Management interface or from a data interface. If you want to change the manager access interface after you have added the device to the management center, follow these steps to migrate from the Management interface to a data interface. To migrate in the other direction, see Change the Manager Access Interface from Data to Management.

Initiating the manager access migration from Management to data causes the management center to block deployment to the threat defense. The block remains until you enable manager access on the data interface (Step 2).

See the following steps to enable manager access on a data interface, and also configure other required settings.

Procedure


Step 1

Initiate the interface migration.

  1. On the Devices > Device Management page, click Edit (edit icon) for the device.

  2. Go to the Device > Management section, and click the link for FMC Access Interface.

    The FMC Access Interface field shows the current Management interface. When you click the link, choose the new interface type, Data Interface, in the Manage device by drop-down list.

  3. Click Save.

    You must now complete the remaining steps in this procedure to enable manager access on the data interface. The Management area now shows FMC Access Interface: Data Interface, and FMC Access Details: Configuration.

    (Figure: FMC Access)

    If you click Configuration, the FMC Access - Configuration Details dialog box opens. The FMC Access Mode shows a Deploy pending state.

Step 2

Enable manager access on a data interface on the Devices > Device Management > Interfaces > Edit Physical Interface > FMC Access page.

You can enable manager access on only one routed data interface. Make sure this interface is fully configured with a name and IP address and that it is enabled; an interface that is not enabled or has no IP address cannot carry the management connection.

Step 3

(Optional) If the interface obtains its address by DHCP, enable the web update DDNS method on the Devices > Device Management > DHCP > DDNS page.

DDNS ensures that the management center can still reach the threat defense at its Fully-Qualified Domain Name (FQDN) if the threat defense's IP address changes.

Step 4

Make sure the threat defense can route to the management center through the data interface; add a static route if necessary on Devices > Device Management > Routing > Static Route.

Step 5

(Optional) Configure DNS in a Platform Settings policy, and apply it to this device at Devices > Platform Settings > DNS.

DNS is required if you use DDNS. You may also use DNS for FQDNs in your security policies.

Step 6

(Optional) Enable SSH for the data interface in a Platform Settings policy, and apply it to this device at Devices > Platform Settings > Secure Shell.

SSH is not enabled by default on the data interfaces, so if you want to manage the threat defense using SSH over this interface, you need to explicitly allow it. Restrict the Secure Shell rule to the specific administrator hosts or networks that need access rather than allowing any source.

Step 7

Deploy the configuration. The management center deploys these changes over the current Management interface. After the deployment, the data interface is ready for use, but the original management connection over the Management interface is still active.

Step 8

At the threat defense CLI (preferably from the console port), set the Management interface to use a static IP address and set the gateway to use the data interfaces.

configure network {ipv4 | ipv6} manual ip_address netmask data-interfaces

  • ip_address netmask —Although you do not plan to use the Management interface, you must set a static IP address, for example a private address, so that you can set the gateway to data-interfaces (see the next bullet). You cannot use DHCP because the default route, which must be data-interfaces, might be overwritten by one received from the DHCP server.

  • data-interfaces —This setting forwards management traffic over the backplane so it can be routed through the manager access data interface.

We recommend that you use the console port instead of an SSH connection because changing the Management interface network settings disconnects any SSH session to that interface.

Step 9

If necessary, re-cable the threat defense so it can reach the management center on the data interface.

Step 10

In the management center, disable the management connection, update the Host IP address for the threat defense in the Devices > Device Management > Device > Management section, and reenable the connection.

See Update the Hostname or IP Address in the Management Center. If you used the threat defense hostname or just the NAT ID when you added the threat defense to the management center, you do not need to update the value; however, you need to disable and reenable the management connection to restart the connection.

Step 11

Ensure the management connection is reestablished.

In the management center, check the management connection status on the Devices > Device Management > Device > Management > FMC Access - Configuration Details > Connection Status page.

At the threat defense CLI, enter the sftunnel-status-brief command to view the management connection status.

A successful connection over a data interface shows the internal "tap_nlp" interface in the command output.

If it takes more than 10 minutes to reestablish the connection, you should troubleshoot the connection. See Troubleshoot Management Connectivity on a Data Interface.
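As an added example (not part of the Cisco documentation), the Python below parses the text that sftunnel-status-brief prints and applies the Step 11 checks programmatically: the registration must be Completed, both channels must be valid, both must be using the internal "tap_nlp" interface named on this page, and the heartbeat timestamps must be close together. The sample outputs are constructed for this example; the peer addresses and times are invented, and the 'eth0' label used for a tunnel that is still running over the Management interface is an assumption, not something this page states.

```python
import re
from datetime import datetime

# Constructed sample: the shape of `sftunnel-status-brief` output after the
# manager access interface was migrated to a data interface. Addresses and
# timestamps are invented for this example.
SAMPLE_DATA_INTERFACE_OK = """\
PEER:10.10.17.202
Peer channel Channel-A is valid type (CONTROL), using 'tap_nlp', connected to '10.10.17.202' via '10.10.17.222'
Peer channel Channel-B is valid type (EVENT), using 'tap_nlp', connected to '10.10.17.202' via '10.10.17.222'
Registration: Completed.
IPv4 Connection to peer '10.10.17.202' Start Time: Wed Jun 10 14:27:12 2020 UTC
Heartbeat Send Time: Mon Jun 15 09:05:25 2020 UTC
Heartbeat Received Time: Mon Jun 15 09:05:19 2020 UTC
"""

# Constructed sample: the tunnel is up but still using the Management interface.
# The 'eth0' label is an assumption made for this example.
SAMPLE_STILL_ON_MANAGEMENT = """\
PEER:10.10.17.202
Peer channel Channel-A is valid type (CONTROL), using 'eth0', connected to '10.10.17.202' via '10.89.5.3'
Peer channel Channel-B is valid type (EVENT), using 'eth0', connected to '10.10.17.202' via '10.89.5.3'
Registration: Completed.
Heartbeat Send Time: Mon Jun 15 09:05:25 2020 UTC
Heartbeat Received Time: Mon Jun 15 09:05:19 2020 UTC
"""

# Constructed sample: connection not reestablished after Step 10.
SAMPLE_NOT_CONNECTED = """\
PEER:10.10.17.202
Peer channel Channel-A is not valid
Peer channel Channel-B is not valid
Registration: Pending.
"""

CHANNEL_RE = re.compile(
    r"^Peer channel (?P<name>Channel-[AB]) is (?P<state>valid|not valid)"
    r"(?: type \((?P<type>\w+)\), using '(?P<iface>[^']+)',"
    r" connected to '(?P<peer>[^']+)' via '(?P<local>[^']+)')?",
    re.MULTILINE,
)


def parse_time(text):
    # Timestamps in the output look like "Mon Jun 15 09:05:19 2020 UTC".
    return datetime.strptime(text.replace(" UTC", ""), "%a %b %d %H:%M:%S %Y")


def parse_sftunnel_status(text):
    """Turn sftunnel-status-brief text into a dict of the fields we check."""
    status = {"peer": None, "channels": {}, "registration": None,
              "heartbeat_sent": None, "heartbeat_received": None}
    m = re.search(r"^PEER:(\S+)", text, re.MULTILINE)
    if m:
        status["peer"] = m.group(1)
    for m in CHANNEL_RE.finditer(text):
        status["channels"][m.group("name")] = {
            "valid": m.group("state") == "valid",
            "type": m.group("type"),
            "iface": m.group("iface"),
            "local": m.group("local"),
        }
    m = re.search(r"^Registration:\s*(\w+)", text, re.MULTILINE)
    if m:
        status["registration"] = m.group(1)
    for key, label in (("heartbeat_sent", "Heartbeat Send Time"),
                       ("heartbeat_received", "Heartbeat Received Time")):
        m = re.search(rf"^{label}:\s*(.+)$", text, re.MULTILINE)
        if m:
            status[key] = parse_time(m.group(1).strip())
    return status


def check_data_interface_connection(status, expected_iface="tap_nlp",
                                    max_heartbeat_skew_seconds=120):
    """Return (ok, problems): ok is True only when every Step 11 check passes."""
    problems = []
    if status["registration"] != "Completed":
        problems.append(f"registration is {status['registration']!r}, expected 'Completed'")
    for name in ("Channel-A", "Channel-B"):
        ch = status["channels"].get(name)
        if ch is None or not ch["valid"]:
            problems.append(f"{name} is not valid")
        elif ch["iface"] != expected_iface:
            # Valid tunnel, but not over the data-interface path this page describes.
            problems.append(f"{name} uses {ch['iface']!r}, not {expected_iface!r}")
    sent, received = status["heartbeat_sent"], status["heartbeat_received"]
    if sent is None or received is None:
        problems.append("heartbeat timestamps missing")
    elif abs((sent - received).total_seconds()) > max_heartbeat_skew_seconds:
        problems.append("heartbeat send and receive times are far apart")
    return (not problems, problems)


if __name__ == "__main__":
    for label, sample in (("data interface", SAMPLE_DATA_INTERFACE_OK),
                          ("still on Management", SAMPLE_STILL_ON_MANAGEMENT),
                          ("not connected", SAMPLE_NOT_CONNECTED)):
        ok, problems = check_data_interface_connection(parse_sftunnel_status(sample))
        print(f"{label}: {'OK' if ok else 'FAIL ' + '; '.join(problems)}")
```

Paste the real command output into the script in place of the constructed samples; any problem it reports points at the step to revisit (registration not Completed or channels not valid after Step 10, or channels valid but not on "tap_nlp" because the gateway was not set to data-interfaces in Step 8). If nothing is reported yet the connection still fails, continue with Troubleshoot Management Connectivity on a Data Interface.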