About Data Interfaces
You can use either the dedicated management interface or a regular data interface for communication with the device. CDO access on a data interface is useful if you want to manage the FTD remotely from the outside interface, or you do not have a separate management network. CDO supports high availability on the FTD managed remotely from the data interface.
FTD management access from a data interface has the following limitations:
- You can enable manager access on only one physical data interface. You cannot use a subinterface or EtherChannel.
- Routed firewall mode only, using a routed interface.
- PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support between the FTD and the WAN modem.
- The interface must be in the global VRF only.
- SSH is not enabled by default for data interfaces, so you will have to enable SSH later using CDO. Because the management interface gateway will be changed to be the data interfaces, you also cannot SSH to the management interface from a remote network unless you add a static route for the management interface using the configure network static-routes command. For FTDv on Amazon Web Services, a console port is not available, so you should maintain your SSH access to the management interface: add a static route for Management before you continue with your configuration. Alternatively, be sure to finish all CLI configuration (including the configure manager add command) before you configure the data interface.