Software: Secure Firewall Threat Defense
Platform: Secure Firewall Threat Defense Virtual
Activity: Onboard


Last updated: Jul 29, 2025

Change the Manager Access Interface from Management to Data

You can manage the Firewall Threat Defense from either the dedicated Management interface or from a data interface. If you want to change the manager access interface after you have added the device to the Firewall Management Center, follow these steps to migrate from the Management interface to a data interface. To migrate in the other direction, see Change the Manager Access Interface from Data to Management.

Initiating the manager access migration from Management to data causes the Firewall Management Center to apply a block on deployment to the Firewall Threat Defense. To remove the block, enable manager access on the data interface.

See the following steps to enable manager access on a data interface and also configure other required settings.

Before you begin

For high-availability pairs, unless stated otherwise, perform all steps only on the active unit. Once the configuration changes are deployed, the standby unit synchronizes configuration and other state information from the active unit.

Procedure

1

Initiate the interface migration.

  1. On the Devices > Device Management page, click Edit (edit icon) for the device. Click Device, and in the Management area, click the link for Manager Access Interface.

    The Manager Access Interface field shows the current Management interface. When you click the link, choose the new interface type, Data Interface, in the Manage device by drop-down list.

    Figure 1: Manager Access Interface
  2. Click OK and then Close.

    You must now complete the remaining steps in this procedure to enable manager access on the data interface. The Management area now shows Manager Access Interface: Data Interface, and Manager Access Details: Configuration.

    Figure 2: Manager Access

    If you click Configuration, the Manager Access - Configuration Details dialog box opens. The Manager Access Mode shows a Deploy pending state.

2

Enable manager access on the data interface(s). Click Interfaces, click Edit (edit icon) for the interface, and then click Manager Access.

Check Enable management access and click OK. By default, all networks are allowed, but you can limit access as long as the Firewall Management Center address is allowed.

If the manager access interface uses a static IP address, you are reminded to configure routing for it.

Click Save on the Interfaces page. See Configure Routed Mode Interfaces for more information about interface settings. You can enable manager access on one routed data interface, plus an optional secondary interface. Make sure these interfaces are fully configured with a name and IP address and that they are enabled.

If you use a secondary interface for redundancy, see Configure a Redundant Manager Access Data Interface for additional required configuration.

3

(Optional) If you use DHCP for the interface, enable the web type DDNS method on the Devices > Device Management > DHCP > DDNS page.

See Configure Dynamic DNS. DDNS ensures the Firewall Management Center can reach the Firewall Threat Defense at its fully qualified domain name (FQDN) if the device's IP address changes.

4

Make sure the Firewall Threat Defense can route to the Firewall Management Center through the data interface; add a static route if necessary on Devices > Device Management > Routing > Static Route.

5

(Optional) Configure DNS in a Platform Settings policy, and apply it to this device at Devices > Platform Settings > DNS.

See DNS. DNS is required if you use DDNS. You may also use DNS for FQDNs in your security policies.

6

(Optional) Enable SSH for the data interface in a Platform Settings policy, and apply it to this device at Devices > Platform Settings > Secure Shell.

See SSH Access. SSH is not enabled by default on the data interfaces, so if you want to manage the Firewall Threat Defense using SSH, you need to explicitly allow it.

7

Deploy configuration changes.

You will see a validation error to confirm that you are changing the manager access interface. Check Ignore warnings and deploy again.

The Firewall Management Center deploys the configuration changes over the current Management interface. After the deployment, the data interface is ready for use, but the original management connection over the Management interface is still active.

8

At the Firewall Threat Defense CLI (preferably from the console port), set the Management interface to use a static IP address and set the gateway to use the data interfaces. For high availability, perform this step on both units.

configure network {ipv4 | ipv6} manual ip_address netmask data-interfaces

  • ip_address netmask — Although you do not plan to use the Management interface, you must set a static IP address (for example, a private address) so that you can set the gateway to data-interfaces (see the next bullet). You cannot use DHCP because the default route, which must be data-interfaces, might be overwritten with one received from the DHCP server.

  • data-interfaces — This setting forwards management traffic over the backplane so it can be routed through the manager access data interface.

We recommend that you use the console port instead of an SSH connection because when you change the Management interface network settings, your SSH session will be disconnected.

9

If necessary, re-cable the Firewall Threat Defense so it can reach the Firewall Management Center on the data interface. For high availability, perform this step on both units.

10

In the Cloud-Delivered Firewall Management Center, on the Devices > Device Management page, go to the Device > Management area, disable the management connection for the Firewall Threat Defense, and then reenable the connection.

11

Ensure the management connection is reestablished.

In the Device > Management area, click Manager Access Details: Configuration and then click Connection Status.

Alternatively, you can check at the Firewall Threat Defense CLI. Enter the sftunnel-status-brief command to view the management connection status.

The following status shows a successful connection for a data interface, showing the internal "tap_nlp" interface.

Figure 3: Connection Status

If it takes more than 10 minutes to reestablish the connection, you should troubleshoot the connection. See Troubleshoot Management Connectivity on a Data Interface.
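
A pre-deployment sanity check for steps 2 and 4, as an added example (not Cisco code and not part of the original procedure): it confirms that a restricted manager access network list still contains the Firewall Management Center address and that the most specific route to that address leaves through the manager access data interface. The addresses are documentation ranges, the interface names `outside` and `inside` are assumptions, and the route lookup is a simplified longest-prefix match that ignores metrics.

```python
import ipaddress


def check_manager_access(manager_ip, allowed_networks, routes, access_interface):
    """Check the planned settings before deploying (steps 2 and 4).

    manager_ip        -- Firewall Management Center address as seen by the device
    allowed_networks  -- networks allowed for manager access ([] = default, all networks)
    routes            -- (destination, interface) pairs: connected networks and static routes
    access_interface  -- name of the manager access data interface
    Returns (errors, warnings) as two lists of strings.
    """
    errors, warnings = [], []
    mgr = ipaddress.ip_address(manager_ip)

    # Step 2: a restricted list must still contain the manager address.
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    if not allowed:
        warnings.append("manager access is open to all networks (default)")
    elif not any(mgr in net for net in allowed):
        errors.append(f"{mgr} is not in the allowed manager access networks")

    # Step 4: the most specific route to the manager must use the data interface.
    parsed = [(ipaddress.ip_network(dst), ifc) for dst, ifc in routes]
    matches = [(net, ifc) for net, ifc in parsed if mgr in net]
    if not matches:
        errors.append(f"no route to {mgr}")
    else:
        net, ifc = max(matches, key=lambda m: m[0].prefixlen)
        if ifc != access_interface:
            errors.append(f"best route to {mgr} ({net}) uses {ifc}, not {access_interface}")
    return errors, warnings


# Constructed sample routing table: default route via the hypothetical
# manager access interface "outside", one internal network via "inside".
ROUTES = [("0.0.0.0/0", "outside"), ("203.0.113.0/24", "inside")]

if __name__ == "__main__":
    cases = [
        ("192.0.2.10", ["192.0.2.0/24"]),     # restricted list that includes the manager
        ("192.0.2.10", []),                   # default: all networks allowed
        ("192.0.2.10", ["198.51.100.0/24"]),  # restricted list that locks the manager out
        ("203.0.113.10", ["203.0.113.0/24"]), # manager reached via the wrong interface
    ]
    for mgr, allowed in cases:
        print(mgr, allowed, check_manager_access(mgr, allowed, ROUTES, "outside"))
```

An empty error list means the two conditions the procedure states are met for the values supplied; it does not replace the Connection Status check in step 11.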