Change the Manager Access Interface from Management to Data

You can manage the threat defense from either the dedicated Management interface, or from a data interface. If you want to change the manager access interface after you added the device to the management center, follow these steps to migrate from the Management interface to a data interface. To migrate the other direction, see Change the Manager Access Interface from Data to Management.

Initiating the manager access migration from Management to data causes the management center to apply a block on deployment to the threat defense. To remove the block, enable manager access on the data interface.

See the following steps to enable manager access on a data interface, and also configure other required settings.

Before you begin

For high-availability pairs, unless stated otherwise, perform all steps only on the active unit. Once the configuration changes are deployed, the standby unit synchronizes configuration and other state information from the active unit.

Procedure

Step 1	Initiate the interface migration. On the Devices > Device Management page, click Edit () for the device. Go to the Device > Management section, and click the link for Manager Access Interface. The Manager Access Interface field shows the current Management interface. When you click the link, choose the new interface type, Data Interface, in the Manage device by drop-down list. Manager Access Interface Click Save. You must now complete the remaining steps in this procedure to enable manager access on the data interface. The Management area now shows Manager Access Interface: Data Interface, and Manager Access Details: Configuration. Manager Access If you click Configuration, the Manager Access - Configuration Details dialog box opens. The Manager Access Mode shows a Deploy pending state.
Step 2	Enable manager access on a data interface on the Devices > Device Management > Interfaces > Edit Physical Interface > Manager Access page. See Configure Routed Mode Interfaces. You can enable manager access on one routed data interface, plus an optional secondary interface. Make sure these interfaces are fully configured with a name and IP address and that they are enabled. If you use a secondary interface for redundancy, see Configure a Redundant Manager Access Data Interface for additional required configuration.
Step 3	(Optional) If you use DHCP for the interface, enable the web type DDNS method on the Devices > Device Management > DHCP > DDNS page. See Configure Dynamic DNS. DDNS ensures the management center can reach the threat defense at its Fully-Qualified Domain Name (FQDN) if the FTD's IP address changes.
Step 4	Make sure the threat defense can route to the management center through the data interface; add a static route if necessary on Devices > Device Management > Routing > Static Route. See Add a Static Route.
Step 5	(Optional) Configure DNS in a Platform Settings policy, and apply it to this device at Devices > Platform Settings > DNS. See DNS. DNS is required if you use DDNS. You may also use DNS for FQDNs in your security policies.
Step 6	(Optional) Enable SSH for the data interface in a Platform Settings policy, and apply it to this device at Devices > Platform Settings > Secure Shell. See SSH Access. SSH is not enabled by default on the data interfaces, so if you want to manage the threat defense using SSH, you need to explicitly allow it.
Step 7	Deploy configuration changes. The management center will deploy the configuration changes over the current Management interface. After the deployment, the data interface is now ready for use, but the original management connection to Management is still active.
Step 8	At the threat defense CLI (preferably from the console port), set the Management interface to use a static IP address and set the gateway to use the data interfaces. For high availability, perform this step on both units. configure network {ipv4 \| ipv6} manual `ip_address netmask` data-interfaces `ip_address netmask` —Although you do not plan to use the Management interface, you must set a static IP address, for example, a private address so that you can set the gateway to data-interfaces (see the next bullet). You cannot use DHCP because the default route, which must be data-interfaces, might be overwritten with one received from the DHCP server. data-interfaces —This setting forwards management traffic over the backplane so it can be routed through the manager access data interface. We recommend that you use the console port instead of an SSH connection because when you change the Management interface network settings, your SSH session will be disconnected.
Step 9	If necessary, re-cable the threat defense so it can reach the management center on the data interface. For high availability, perform this step on both units.
Step 10	In the management center, disable the management connection, update the Remote Host Address IP address and optional Secondary Address for the threat defense in the Devices > Device Management > Device > Management section, and reenable the connection. See Update the Hostname or IP Address in the Management Center. If you used the threat defense hostname or just the NAT ID when you added the threat defense to the management center, you do not need to update the value; however, you need to disable and reenable the management connection to restart the connection.
Step 11	Ensure the management connection is reestablished. In the management center, check the management connection status on the Devices > Device Management > Device > Management > Manager Access - Configuration Details > Connection Status page. At the threat defense CLI, enter the sftunnel-status-brief command to view the management connection status. The following status shows a successful connection for a data interface, showing the internal "tap_nlp" interface. Connection Status If it takes more than 10 minutes to reestablish the connection, you should troubleshoot the connection. See Troubleshoot Management Connectivity on a Data Interface.