Merge the Management and Diagnostic Interfaces
FTD 7.1 and later supports a merged Management and Diagnostic interface. If you have any configuration using the Diagnostic interface, then the interfaces will not be merged automatically, and you will need to perform the following procedure. This procedure requires you to acknowledge configuration changes, and in some cases, manually fix the configuration.
The Backup/Restore and CDO configuration rollback functions save and restore the merged state, either non-merged or merged. For example, if you merge the interfaces, and then restore an old non-merged configuration, then the restored configuration will be in a non-merged state.
The following table shows the available configuration on the legacy Diagnostic interface, and how the merge is completed.
Legacy Diagnostic Interface Configuration |
Merge Behavior |
Supported on Management? |
||||
---|---|---|---|---|---|---|
Interfaces |
The "management" interface is now shown in read-only mode on the Interfaces page. |
|||||
|
Manual removal required. |
The current Management IP address is used instead. For High Availability and clustering, the Management interface does not support a standby IP address or IP address pool; each unit has its own IP address that is maintained across failovers. Therefore, you cannot use a single management IP address to communicate with the current active/control unit. Set at the CLI using the configure network ipv4 or configure network ipv6 command. |
||||
|
Automatically changed to "management".
|
Changed to "management". |
||||
Static Routes |
Manual removal required. |
No support. The Management interface has a separate Linux routing table from the data interfaces. The FTD actually has two "data" routing tables: for data interfaces and for management-only interfaces (which used to include Diagnostic, but also includes any interfaces you set to management-only). Depending on the traffic type, the FTD checks one routing table, and then falls back to the other routing table. This route lookup no longer includes the Diagnostic interface, and does not include the Linux routing table for Management. See Routing Table for Management Traffic for more information. You can add static routes for the Linux routing table at the CLI using the configure network static-routes command
|
||||
Dynamic Routing |
Manual removal required. |
No support. |
||||
HTTP server |
No change. |
No support. This setting will no longer work on the merged device, but it is not removed from the Platform Settings. Platform Settings can be used for multiple devices, some of which may not yet be merged. |
||||
ICMP |
No change. |
No support. This setting will no longer work on the merged device, but it is not removed from the Platform Settings. Platform Settings can be used for multiple devices, some of which may not yet be merged. |
||||
Syslog Server |
Automatically moved to Management interface. |
Yes. The syslog server configuration already has the option to send syslogs out of the Management interface (starting in 6.3). If you had specifically chosen the Diagnostic interface for syslogs, it will be moved to use Management.
|
||||
SMTP |
No change. |
No support. The FTD checks the data routing table only for the SMTP server, so you cannot use the Management interface or any other management-only interfaces. See Routing Table for Management Traffic for more information. |
||||
SNMP |
Automatically moved to Management interface. |
Yes. The SNMP host configuration already has the option to allow SNMP hosts on the Management interface (starting in 6.3). If you had specifically chosen the Diagnostic interface for SNMP, it will be moved to use Management.
|
||||
RADIUS server |
Automatically moved to Management interface. |
Yes. If you had specifically chosen the Diagnostic interface, it will be moved to use Management.
|
||||
AD server |
Automatically moved to Management interface. |
Yes. If you had specifically chosen the Diagnostic interface, it will be moved to use Management.
|
||||
DDNS |
Manual removal required. |
No support. |
||||
DNS server |
Automatically moved to Management interface. |
Yes. If you checked the Enable DNS Lookup via diagnostic interface also check box, then it will be moved to use Management. There is a routing lookup change when you do not choose any interfaces or check the Enable DNS Lookup via diagnostic/management interface also check box: the FTD uses the data routing table only, and does not fall back to using the management-only routing table. Therefore, you cannot use a management-only interface for DNS other than the Management interface.
|
||||
FlexConfig |
Manual removal required. |
No support. |
Before you begin
-
To view the current mode of the device, enter the show management-interface convergence command at the FTD CLI. The following output shows that the Management interfaces are merged:
> show management-interface convergence management-interface convergence >
The following output shows that the Management interfaces are not merged:
> show management-interface convergence no management-interface convergence >
-
For High Availability pairs and clusters, perform this task on the active/control unit. The converged configuration will be replicated automatically to the standby/data units.
Procedure
Step 1 | Choose Edit () for your FTD. The Interfaces page is selected by default. . , and click | ||
Step 2 | Edit the Diagnostic interface, and remove the IP address. You cannot complete the merge until after you have removed the Diagnostic IP address. | ||
Step 3 | Click Management Interface Merge in the Management Interface action needed area. The Management Interface Merge dialog box shows all the ocurrences of the Diagnostic interface in the configuration. For any occurrences that require you to manually remove or change the configuration, they will appear with a warning icon. Platform Settings that will no longer work on your device are marked with a caution icon and require your acknowledgement. | ||
Step 4 | If you need to manually remove or change any listed configurations, do the following. | ||
Step 5 | For each configuration caution, click the box in Do you acknowledge the change? column, and then click Proceed. After the configuration is merged, you see a success banner: | ||
Step 6 | Deploy the new merged configuration.
After the merge, the Management interface is shown on the Interfaces page, although it is read-only. | ||
Step 7 | After the merge, if you had any external services that communicated with the Diagnostic interface, you need to change their configuration to use the Management interface IP address. For example:
|