Merge the Management and Diagnostic Interfaces

FTD 7.1 and later supports a merged Management and Diagnostic interface. If you have any configuration using the Diagnostic interface, then the interfaces will not be merged automatically, and you will need to perform the following procedure. This procedure requires you to acknowledge configuration changes, and in some cases, manually fix the configuration.

The Backup/Restore and CDO configuration rollback functions save and restore the merged state, either non-merged or merged. For example, if you merge the interfaces, and then restore an old non-merged configuration, then the restored configuration will be in a non-merged state.

The following table shows the available configuration on the legacy Diagnostic interface, and how the merge is completed.

CDO Merged Management Interface Support

Legacy Diagnostic Interface Configuration

Merge Behavior

Supported on Management?

Interfaces

The "management" interface is now shown in read-only mode on the Interfaces page.

  • IP address

Manual removal required.

The current Management IP address is used instead.

For High Availability and clustering, the Management interface does not support a standby IP address or IP address pool; each unit has its own IP address that is maintained across failovers. Therefore, you cannot use a single management IP address to communicate with the current active/control unit.

Set at the CLI using the configure network ipv4 or configure network ipv6 command.

  • "diagnostic" name

Automatically changed to "management".

Note

No other interfaces can be named "management". You must change the name to proceed with the merge.

Changed to "management".

Static Routes

Manual removal required.

No support.

The Management interface has a separate Linux routing table from the data interfaces. The FTD actually has two "data" routing tables: for data interfaces and for management-only interfaces (which used to include Diagnostic, but also includes any interfaces you set to management-only). Depending on the traffic type, the FTD checks one routing table, and then falls back to the other routing table. This route lookup no longer includes the Diagnostic interface, and does not include the Linux routing table for Management. See Routing Table for Management Traffic for more information.

You can add static routes for the Linux routing table at the CLI using the configure network static-routes command

Note

The default route is set with the configure network ipv4 or configure network ipv6 command.

Dynamic Routing

Manual removal required.

No support.

HTTP server

No change.

No support.

This setting will no longer work on the merged device, but it is not removed from the Platform Settings. Platform Settings can be used for multiple devices, some of which may not yet be merged.

ICMP

No change.

No support.

This setting will no longer work on the merged device, but it is not removed from the Platform Settings. Platform Settings can be used for multiple devices, some of which may not yet be merged.

Syslog Server

Automatically moved to Management interface.

Yes.

The syslog server configuration already has the option to send syslogs out of the Management interface (starting in 6.3). If you had specifically chosen the Diagnostic interface for syslogs, it will be moved to use Management.

Note

If Platform Settings for syslog servers or SNMP hosts specify the Diagnostic interface by name, then you must use separate Platform Settings policies for merged and non-merged devices.

Note

The merged Management interface does not support Secure Syslogs.

SMTP

No change.

No support.

The FTD checks the data routing table only for the SMTP server, so you cannot use the Management interface or any other management-only interfaces. See Routing Table for Management Traffic for more information.

SNMP

Automatically moved to Management interface.

Yes.

The SNMP host configuration already has the option to allow SNMP hosts on the Management interface (starting in 6.3). If you had specifically chosen the Diagnostic interface for SNMP, it will be moved to use Management.

Note

If Platform Settings for syslog servers or SNMP hosts specify the Diagnostic interface by name, then you must use separate Platform Settings policies for merged and non-merged devices.

RADIUS server

Automatically moved to Management interface.

Yes.

If you had specifically chosen the Diagnostic interface, it will be moved to use Management.

Note

If you specified a route lookup to find the source interface, then the FTD will no longer be able to send traffic out of a management-only interface; you must explicitly select Management as the source interface. Other management-only interfaces cannot be used.

AD server

Automatically moved to Management interface.

Yes.

If you had specifically chosen the Diagnostic interface, it will be moved to use Management.

Note

If you specified a route lookup to find the source interface, then the FTD will no longer be able to send traffic out of a management-only interface; you must explicitly select Management as the source interface. Other management-only interfaces cannot be used.

DDNS

Manual removal required.

No support.

DNS server

Automatically moved to Management interface.

Yes.

If you checked the Enable DNS Lookup via diagnostic interface also check box, then it will be moved to use Management. There is a routing lookup change when you do not choose any interfaces or check the Enable DNS Lookup via diagnostic/management interface also check box: the FTD uses the data routing table only, and does not fall back to using the management-only routing table. Therefore, you cannot use a management-only interface for DNS other than the Management interface.

Note

The Management interface also has a separate DNS lookup setting for its management traffic only. Set at the CLI using the configure network dns command.

FlexConfig

Manual removal required.

No support.

Before you begin

  • To view the current mode of the device, enter the show management-interface convergence command at the FTD CLI. The following output shows that the Management interfaces are merged:

    
    > show management-interface convergence
    management-interface convergence
    >
    

    The following output shows that the Management interfaces are not merged:

    
    > show management-interface convergence
    no management-interface convergence
    >
    
  • For High Availability pairs and clusters, perform this task on the active/control unit. The converged configuration will be replicated automatically to the standby/data units.

Procedure


Step 1

Choose Devices > Device Management, and click Edit (edit icon) for your FTD. The Interfaces page is selected by default. .

Step 2

Edit the Diagnostic interface, and remove the IP address.

You cannot complete the merge until after you have removed the Diagnostic IP address.

Step 3

Click Management Interface Merge in the Management Interface action needed area.

The Management Interface Merge dialog box shows all the ocurrences of the Diagnostic interface in the configuration. For any occurrences that require you to manually remove or change the configuration, they will appear with a warning icon. Platform Settings that will no longer work on your device are marked with a caution icon and require your acknowledgement.

Step 4

If you need to manually remove or change any listed configurations, do the following.

  1. Click Cancel to close the Management Interface Merge dialog box.

  2. Navigate to the feature area. You can then delete the item, or choose a data interface instead.

  3. Reopen the Management Interface Merge dialog box.

    There should no longer be any warnings.

Step 5

For each configuration caution, click the box in Do you acknowledge the change? column, and then click Proceed.

After the configuration is merged, you see a success banner:

Step 6

Deploy the new merged configuration.

Caution

After you deploy the merged configuration, you can unmerge the interfaces from CDO; however the Diagnostic interface will have to be reconfigured manually. See Unmerge the Management Interface. Also, if you restore a configuration that is unmerged, or roll back to an unmerged configuration, then the device will revert to that unmerged configuration.

After the merge, the Management interface is shown on the Interfaces page, although it is read-only.

Step 7

After the merge, if you had any external services that communicated with the Diagnostic interface, you need to change their configuration to use the Management interface IP address.

For example:

  • SNMP client

  • RADIUS server��RADIUS servers often verify the IP address for incoming traffic, so you need to change that IP address to the Management address. Moreover, for a High Availability pair, you need to allow both the primary and secondary Management IP addresses; the Diagnostic interface used to support a single "floating" IP address that stayed with the active unit, but Management does not support that functionality.