Today I had to re-IP a customer's High Availability (HA) pair of Cisco Firepower Threat Defense (FTD) 2110s, which are managed by a Cisco Firepower Management Center (FMC). Both the FTDs and the FMC are running version 6.6.1. Although these steps worked for me, I cannot guarantee they will work on other versions!
Each FTD has its own management IP address, which the FMC uses to communicate with it over the physical management interface. This is typically the IP address you configure when you set up the FTD for the first time.
In my scenario I was surprised at how easy and smooth this was, at least compared to the last time I had to do this on an older 5.x release.
- Log into the FMC and go to the Device Management page.
- Edit the HA pair and then go to the Device tab.
- Click the sliding button to disable management of the node.
- Repeat the previous step for the other node in the HA pair, using the drop-down menu to select the other peer.
- Once both nodes are unmanaged in the FMC, SSH to each of them using its current local management IP address (the one we're about to change) and log in as admin.
- You should now be at the FTD CLI (the ‘>’ prompt). To change the management interface IP details, type:
configure network ipv4 manual <IP> <Mask> <Gateway>
configure network ipv4 manual 10.5.1.100 255.255.255.0 10.5.1.254
- You will lose your SSH session as the IP on the FTD interface changes. Ensure the other side of the link from the FMC is updated if required (e.g. a change of VLANs).
- Wait a moment and then try pinging the new IPs; as an extra verification step, also try to SSH to them using their new IPs.
- Go back to the FMC, update the management IP address for both nodes and toggle the management option back on using the sliding button.
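Before typing the `configure network ipv4 manual` line it is worth checking that the new IP, mask and gateway actually fit together, because the SSH session drops the moment the command is applied and a gateway outside the new subnet leaves the node unreachable from the FMC. The POSIX shell script below is an added example written for this post; it is not part of the original article or of any Cisco tooling, and the function names, the reachability helper and its use of `nc` are this example's own assumptions. It validates the three values, prints the exact command to paste at the FTD `>` prompt, and provides a post-change check that pings each new management IP and confirms TCP/22 answers before you re-enable management in the FMC.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the arguments for
# `configure network ipv4 manual <IP> <Mask> <Gateway>` before running it on
# the FTD. Function names and the reachability helper are this example's own.

# Convert a dotted-quad address to an unsigned 32-bit integer.
ip2int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 is a syntactically valid IPv4 dotted quad (four octets, 0-255).
valid_ipv4() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$1" "$2" "$3" "$4"; do
    case $_o in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a contiguous subnet mask that can hold a gateway
# (so neither 0.0.0.0 nor 255.255.255.255).
valid_mask() {
  valid_ipv4 "$1" || return 1
  _m=$(ip2int "$1")
  [ "$_m" -ne 0 ] && [ "$_m" -ne 4294967295 ] || return 1
  _inv=$(( _m ^ 4294967295 ))          # the host bits
  [ $(( _inv & (_inv + 1) )) -eq 0 ]   # host bits must be one solid run of ones
}

# Print the exact FTD command line for the given IP, mask and gateway, or
# explain on stderr why the combination is unsafe and return non-zero.
build_ftd_mgmt_cmd() {
  _ip=$1; _mask=$2; _gw=$3
  valid_ipv4 "$_ip"   || { echo "bad IP: $_ip" >&2; return 1; }
  valid_mask "$_mask" || { echo "bad mask: $_mask" >&2; return 1; }
  valid_ipv4 "$_gw"   || { echo "bad gateway: $_gw" >&2; return 1; }
  _i=$(ip2int "$_ip"); _m=$(ip2int "$_mask"); _g=$(ip2int "$_gw")
  _net=$(( _i & _m )); _bcast=$(( _net | (_m ^ 4294967295) ))
  [ "$_i" -ne "$_net" ] && [ "$_i" -ne "$_bcast" ] \
    || { echo "IP $_ip is the network or broadcast address" >&2; return 1; }
  [ $(( _g & _m )) -eq "$_net" ] \
    || { echo "gateway $_gw is not inside $_ip/$_mask" >&2; return 1; }
  [ "$_g" -ne "$_i" ] || { echo "gateway equals the interface IP" >&2; return 1; }
  echo "configure network ipv4 manual $_ip $_mask $_gw"
}

# Post-change check from the FMC side: ping each new management IP and confirm
# TCP/22 answers before toggling management back on. Assumes `nc` is installed;
# pass the new IPs as arguments. Returns non-zero if any node is not ready.
verify_mgmt_reachable() {
  _rc=0
  for _host in "$@"; do
    if ping -c 1 "$_host" >/dev/null 2>&1 && nc -z -w 3 "$_host" 22 >/dev/null 2>&1; then
      echo "$_host: ping and SSH port OK"
    else
      echo "$_host: NOT reachable yet, wait and retry" >&2; _rc=1
    fi
  done
  return $_rc
}

# Usage with the values from the post (constructed sample input):
build_ftd_mgmt_cmd 10.5.1.100 255.255.255.0 10.5.1.254
```

Run the script once per node with the intended values; if it prints the command line, paste that line at the FTD prompt. After both nodes have been re-addressed, `verify_mgmt_reachable 10.5.1.100 10.5.1.101` (or whatever the new IPs are) tells you whether it is safe to go back to the FMC and re-enable management.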
I had to wait about 5-10 minutes before the FMC was looking green and healthy, and my first deployment afterwards went ahead as normal with no issues.