How to physically move your Cisco FTD device to another location safely…

In the past when we wanted to move our ASA’s, we just powered them down, moved them, powered them up and readdressed them if needed. No mess no fuss.

Yeah, not so much with the new FTDs. After setting up hundreds of 2100 FTD boxes at a corporate office in Canada, we started moving them to their final homes by powering them down, moving them and then powering them back up. Well, the boxes took about 30+ minutes to come up because they had to run checks, etc., so let’s not do that again, just in case!
Also, not all configs are pushed back out to the FTD device when it is registered into the FMC again, so let’s look at that too.

First, here is what you should do instead of just powering down.
From the FTD CLI, just type these commands and you’re set:
> configure manager delete
> shutdown
This command will shutdown the system. Continue?
Please enter ‘YES’ or ‘NO’:

or
> expert
admin@ftd15:~$ sudo
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
admin@ftd15:~$ sudo shutdown -h -P now
The system is going down for system halt NOW!

or
From the Cisco FMC GUI, go to Devices > Device tab and press the Shutdown button (you cannot turn the device back on from here!)

After you bring up the FTD device, reconfigure the new IP and configure the manager, you’ll notice that all your configs are no longer present. Most of your policies are pushed out when the device comes back into the manager, but here is what is not pushed and what you need to redo manually:

  • Interface Zones
  • Default Route
  • Routing
  • NAT
  • FlexConfig
  • Platform
  • Health Policy
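The list above is what has to be checked by hand after a device is registered again. As an added example (not part of the original post, and not Cisco's own tooling), the script below pulls the policy assignments from the FMC REST API and reports, per device, which of the assignable items (NAT, Platform Settings, Health Policy) are still missing; interface zones, routes and FlexConfig are device-level settings rather than assignments, so they still need a look in the GUI. The endpoints and JSON shapes follow the public FMC REST API as I understand it and should be confirmed in your FMC's API Explorer; the policy type strings in REQUIRED_POLICY_TYPES, the device names and all sample data are constructed assumptions.

```python
"""Post-move FMC assignment check (added example, not from the original post).

Assumptions: endpoints and JSON shapes follow the public FMC REST API
(verify in your FMC's API Explorer); the policy type strings below are
assumed names; the sample data is constructed.  Stdlib only.
"""
import base64
import json
import ssl
import urllib.request

# Assumed FMC policy type strings -> label used in the report.
REQUIRED_POLICY_TYPES = {
    "FTDNatPolicy": "NAT",
    "FTDPlatformSettingsPolicy": "Platform Settings",
    "HealthPolicy": "Health Policy",
}


def _ssl_context(verify_tls):
    """Build the TLS context; accept a self-signed FMC cert only when asked to."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fmc_login(base_url, user, password, verify_tls=True):
    """POST to generatetoken; returns (access token, domain UUID) from the headers."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=_ssl_context(verify_tls)) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def fmc_get_items(base_url, token, path, verify_tls=True):
    """GET a collection endpoint and return its 'items' list."""
    req = urllib.request.Request(
        f"{base_url}{path}", headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req, context=_ssl_context(verify_tls)) as resp:
        return json.load(resp).get("items", [])


def missing_assignments(devices, assignments, required=REQUIRED_POLICY_TYPES):
    """Map device name -> list of required policy labels not assigned to it.

    devices:     'items' from /devices/devicerecords
    assignments: 'items' from /assignment/policyassignments?expanded=true,
                 each with a 'policy' {type, ...} and a 'targets' list.
    """
    assigned = {d["id"]: set() for d in devices}
    for a in assignments:
        ptype = a.get("policy", {}).get("type")
        for target in a.get("targets", []):
            if target.get("id") in assigned:
                assigned[target["id"]].add(ptype)
    report = {}
    for d in devices:
        missing = [label for ptype, label in required.items()
                   if ptype not in assigned[d["id"]]]
        if missing:
            report[d["name"]] = missing
    return report


# Constructed sample data in the assumed API shape: ftd15 was just
# re-registered and only has Platform Settings back; ftd16 is complete.
SAMPLE_DEVICES = [
    {"id": "dev-1", "name": "ftd15", "type": "Device"},
    {"id": "dev-2", "name": "ftd16", "type": "Device"},
]
SAMPLE_ASSIGNMENTS = [
    {"policy": {"type": "FTDNatPolicy", "name": "Branch-NAT"},
     "targets": [{"id": "dev-2", "type": "Device"}]},
    {"policy": {"type": "FTDPlatformSettingsPolicy", "name": "Std-Platform"},
     "targets": [{"id": "dev-1", "type": "Device"},
                 {"id": "dev-2", "type": "Device"}]},
    {"policy": {"type": "HealthPolicy", "name": "Default-Health"},
     "targets": [{"id": "dev-2", "type": "Device"}]},
]


def check_fmc(base_url, user, password, verify_tls=True):
    """Live run against an FMC: log in, fetch devices and assignments, report."""
    token, domain = fmc_login(base_url, user, password, verify_tls)
    base = f"/api/fmc_config/v1/domain/{domain}"
    devices = fmc_get_items(base_url, token,
                            f"{base}/devices/devicerecords", verify_tls)
    assignments = fmc_get_items(
        base_url, token,
        f"{base}/assignment/policyassignments?expanded=true", verify_tls)
    return missing_assignments(devices, assignments)


if __name__ == "__main__":
    # Offline demo on the constructed data; call check_fmc(...) for a real FMC.
    for name, missing in missing_assignments(SAMPLE_DEVICES, SAMPLE_ASSIGNMENTS).items():
        print(f"{name}: still missing {', '.join(missing)}")
```

Run it as-is to see the offline report for the constructed data, or call check_fmc("https://fmc.example.invalid", "apiuser", "password") against an FMC; an empty dictionary means every managed device has all three policies assigned again, and only then is a deploy worth pushing.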

Have a great day!
Todd Lammle

16 Comments

  1. Is this still relevant to newer releases (specifically 6.2.3.3)?
    I’m planning to move the VM host that my FMC resides on from my internal network to the DMZ and will need to re-address the FMC. Concerned there will be a prolonged outage if I need to manually reconfigure routing, etc.

    1. So you need to change the IP of the FMC? Remove all devices from the FMC first, then change it and get the FMC working, and bring all devices in to the new IP.
      There won’t really be an outage as the FTD’s will still be working. They won’t be able to do Malware lookups and AD integration work until you get them back into the manager, but that’s about it.

  2. Question: In expert mode you’re mentioning –
    admin@ftd15:~$ sudo shutdown -h -P now

    How does it differ from a simple ‘sudo shutdown now’ and what’s the impact of using shutdown without -h -P?

    Thanks!

    1. Hi Ian, it does not differ at all from the shutdown -h -P now command. It just can be completed from the GUI, that’s all.
      Thanks for posting!

  3. So, how different are steps if the FMC remains the same management console, however the FTD appliance is relocating to a remote location and joining back to the original FMC?

    Does this move require FXOS configuration changes on the FTD appliance once it’s joined back to the FMC? What other network changes need to occur?

    1. You don’t have to change the FXOS if you are not changing the management IP of the FMC and FTD device.
      You can take out the FTD device and put it back in at any time. It will bring down your network during this time, but I am sure you are aware of that.

  4. I am planning to move my FMC from one location to another. What steps do I need to follow without affecting or deleting FTD policy?

    1. Moving it won’t affect the FTD’s. You just need to change the network and possibly add a static route if you need layer 3 connectivity.

  5. I have an FMC at location “A” and I would like to move that same FMC to location “B”. Will there be any effect, or steps I need to follow?
    Also, during this process, will my FTD be able to forward traffic?
    And last thing: do I need to remove all devices from the FMC first and then add them back?

  6. You’ll need to change the FMC management VLAN address, and add a static route so the FMC knows where the FTD’s are.
    The FTD’s will not stop working and DO NOT remove them from the FMC, do NOT!

    1. Thank you for prompt response.

      I am planning to perform below steps.

      1. Bring FMC to new location (hope meanwhile all FTD’s will work fine along with AnyConnect VPN with LDAP authentication)
      2. Change IP address of FMC
      3. On FTD:
      configure manager delete
      configure manager add —> new IP address of FMC

      and hope no config wipe for FTD’s and everything should start working normal.

      Let me know if I miss anything.

      once again Thank you.

  7. After you bring the devices in, you need to make sure all policies are applied. Check the following:
    Interface IPs and Zone configurations
    Routing
    Platform settings
    NAT
    Make sure those are all assigned to the devices and you should be good to go.
    Good luck!
    Todd

  8. Hey Todd,
    I was curious if I needed to do any steps for just moving the Management connections for both the FXOS and the FTD to a different switch in the same environment? The firewalls are all managed by FMC, which resides in the same L2 and L3 domain. The switch we are migrating to also is one RU away from the previous switch.

  9. Hey Todd, what if I move my FTD from one location to another and in both scenarios I’m managing this device with an FMC at a remote location/not directly addressable (the FMC location will remain the same)? Do I have to follow the exact same process of de-registering the FTD from the FMC with the command “configure manager delete”, and then when I move it, add it back with the same parameters I used before to register it to the FMC? (FMC address, NAT ID, DONTRESOLVE, etc…)

    And if this is the process, what if I don’t remember the NAT ID for example? Because these parameters should be already set on this remote FMC when I registered this FTD to this FMC for the first time, correct?

    Thanks

    1. Are you changing the IP address on the management interface? Then yes, you need to delete it and add it back in.
      Do you need a NAT ID? You’d have to find it for the remote location. It’s better if you’re not NATing if possible.
      Email me at [email protected] if you need more info.
