Using the Threat Defense Data Interface for Management

You can use either the dedicated Management interface or a regular data interface for communication with the management center. Manager access on a data interface is useful if you want to manage the threat defense remotely from the outside interface, or you do not have a separate management network. Moreover, using a data interface lets you configure a redundant secondary interface to take over management functions if the primary interface goes down.

Manager Access Requirements

Manager access from a data interface has the following requirements.

  • You can enable manager access only on a physical data interface. You cannot use a subinterface or EtherChannel, nor can you create a subinterface on the manager access interface. Using the management center, you can also enable manager access on a single secondary interface for redundancy.

  • This interface cannot be management-only.

  • Routed firewall mode only, using a routed interface.

  • PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support between the threat defense and the WAN modem.

  • The interface must be in the global VRF only.

  • SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the management center. Because the Management interface's default gateway is changed to point through the data interfaces, you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static-routes command. For threat defense virtual on Amazon Web Services, a console port is not available, so you should maintain your SSH access to the Management interface: add a static route for Management before you continue with your configuration. Alternatively, be sure to finish all CLI configuration (including the configure manager add command) before you configure the data interface for manager access, because that step disconnects your session.

  • Clustering is not supported. You must use the Management interface in this case.
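
The following command sequence is an added example and is not part of the original page; it shows the order of operations that the SSH requirement above calls for on a device without console access (such as threat defense virtual on AWS): preserve the static route to your administration subnet first, register the manager, and only then move manager access to the data interface. The addresses (10.20.30.0/24 for the administration subnet, 192.168.45.1 for the Management gateway, 203.0.113.10 for the management center), the registration key and the NAT ID are constructed values; management0 is assumed to be the Management interface name as reported by show network on your platform. The configure network management-data-interface command is interactive and its prompts are not shown.

```console
> configure network static-routes ipv4 add management0 10.20.30.0 255.255.255.0 192.168.45.1
> show network-static-routes
> configure manager add 203.0.113.10 r3gk3y natid01
> configure network management-data-interface
> show network
> show managers
```

The first command adds the route that keeps SSH to the Management interface reachable from 10.20.30.0/24 after the gateway change, and show network-static-routes confirms it before you proceed. Registering the manager before configure network management-data-interface means that if the interactive step disconnects you, the device can still complete registration over the data interface; show network and show managers are the checks to run once you reconnect.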

High Availability Requirements

When using a data interface with device high availability, the following requirements apply.

  • Use the same data interface on both devices for manager access.

  • A redundant manager access data interface is not supported.

  • You cannot use DHCP; only a static IP address is supported. Features that rely on DHCP cannot be used, including DDNS and zero-touch provisioning.

  • Use different static IP addresses on the two devices, in the same subnet.

  • Use either IPv4 or IPv6; you cannot set both.

  • Use the same manager configuration (the configure manager add command) on both devices so that connectivity to the management center is the same.

  • You cannot use the data interface as the failover or state link.