When Firepower Management Center Goes Offline

A typical Firepower deployment consists of a management component and a managed device. The management component is known as Firepower Management Center (FMC). The managed device is the NGIPS or NGFW itself and would be leveraging the Firepower or the Firepower Threat Defense (FTD) operating system. Both layers of the topology include provisions for redundant deployments. Firepower Management Center is available in a two-node HA configuration. Firepower Threat Defense, the NGFW managed device, can be either HA or clustered.

One question that often comes up is, “What happens when FMC goes offline?” The general response is traffic continues to flow but the managed device cannot be managed. While this is not a good position to be in, it does provide an opportunity to assess the impact of waiting for a maintenance window (or a replacement).

TL;DR

  • Firepower continues to pass traffic when FMC is offline
  • Events captured on the Firepower device will be passed to the FMC when it is available
  • Event Storage on the managed device is finite, events may be lost during an extended outage
  • Malware Cloud Lookups/Block functionality depends on FMC, plan HA and File Policy accordingly
  • Firepower managed device cannot be managed until FMC is available

I wanted to confirm the expected operation so I built out an FMCv and ASA5525 running FTD. My configuration included a very basic access control policy. Once I tested the configuration, I backed it up and shut down the FMC. In my case, the behavior was exactly as expected. FTD continued to function without any issues. It even captured event data and uploaded them to FMC when service was restored. It is worth noting that on-box memory is a finite resource so events may be lost depending on the number of events during the FMC outage.

FMCConnections

In my case I actually opted to shutdown FMC, spin up a new FMCv instance and perform a restore operation. This entire process was flawless and worked exactly as expected. The one thing to note is that the destination FMC must be the same model, version and must have the current VDB.

One concern that I had following this exercise was if a more complex configuration might behave differently. After doing some additional research, I found that my assessment is the general behavior. The one exception has to do with malware cloud lookup and malware block actions. These are based on the process of FMC reaching out to the cloud to inquire about the disposition of file hashes. This operation cannot happen when Firepower Management Center is down. In other words, an organization’s security, business, and operational needs should drive FMC File Policy and HA configuration requirements.

 

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

 

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Design and tagged . Bookmark the permalink.