Cisco Defense Orchestrator

Guidelines and Limitations for Firepower Interface Configuration

When you use Cisco Defense Orchestrator (CDO) to configure the device, there are several limitations to interface configuration. If you need any of the following features, you must use Firepower Management Center to configure the device.

  • Only routed firewall mode is supported. You cannot configure transparent firewall mode interfaces.
  • You cannot configure passive or ERSPAN interfaces.
  • You cannot configure interfaces to be inline (in an inline set) or inline tap for IPS-only processing. IPS-only mode interfaces bypass many firewall checks and support only the IPS security policy. In comparison, firewall mode interfaces subject traffic to firewall functions such as maintaining flows, tracking flow states at both the IP and TCP layers, IP defragmentation, and TCP normalization. You can also optionally configure IPS functions for this firewall mode traffic according to your security policy.
  • You cannot configure EtherChannel or redundant interfaces. You cannot configure PPPoE for IPv4. If the Internet interface is connected to a DSL, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address, you must use Firepower Management Center to configure these settings.
  • For the ASA 5515-X, 5525-X, 5545-X, and 5555-X, and the Firepower 2100 series, you can install an optional network module. Cards are only discovered during bootstrap (that is, initial installation or reimage, or when switching between local/remote management). CDO sets the correct defaults for speed and duplex for these interfaces. If you replace an optional card with one that changes the speed/duplex options for the interfaces, without changing the total number of interfaces available, reboot the device so that the system recognizes the correct speed/duplex values for the replaced interfaces. From an SSH or console session with the device, enter the reboot command. Then, using CDO, edit each physical interface that had capability changes and select valid speed and duplex options, because the system does not automatically correct your original settings. Deploy your changes right away to ensure correct system behavior.

Note: Replacing a card with one that changes the total number of interfaces, or removing interfaces that were referred to by other objects, can result in unexpected problems. If you need to make this kind of change, please first remove all references to the interfaces you will remove, such as security zone membership, VPN connections, and so forth. We also suggest you do a backup prior to making the change.

  • For Firepower Threat Defense Virtual devices, you cannot add or remove interfaces without reinitializing the device. This task can only be performed in Firepower Device Manager. However, if you simply replace interfaces with ones that have different speed/duplex capabilities, reboot the device so that the system recognizes the new speed/duplex values. From the CLI console, enter the reboot command. Then, in CDO, edit each interface that had capability changes and select valid speed and duplex options, because the system does not automatically correct your original settings. Deploy your changes right away to ensure correct system behavior.
  • CDO supports the configuration of one bridge group.
  • At this time, CDO does not identify passive interface mode in the interface table. You will need to open FDM to identify passive interfaces.