FTD/FMC/FCM Startup/Shutdown Process - Cisco 4110 NGFW

Preface: I recently encountered an issue when attempting to start an FTD instance from FXOS command line, which sparked my desire to write & share this post.

In this post I want to cover how to properly shut down and start up Firepower Threat Defense (FTD) instances running on a high availability (HA) pair of Cisco 4110 NGFW chassis. I will also cover how to shut down/restart a virtual Firepower Management Center (FMC) from the admin UI.

Let's start with the shutdown process, since it offers more options and is a bit more complex. An overview of how to completely shut down a 4110 NGFW and all of its components is as follows:

  • Shutdown standby (not inline/active) FTD app

  • Shutdown secondary 4110 chassis via Firepower Chassis Manager (FCM)

  • Shutdown primary FTD app

  • Shutdown primary 4110 chassis via FCM

  • Shutdown FMC from FMC admin UI

First, here are three options for shutting down an FTD instance.

1. Shutting down FTD from FXOS command line:

Command overview:

SSH into FXOS command line

# scope ssa
/ssa # scope slot 1
/ssa/slot # show app-instance
/ssa/slot/app-instance # shutdown


2. Shutting down FTD directly from FTD command line:

SSH into the FTD logical device management IP. Issue shutdown:


3. Shutting down FTD app directly from within Firepower Chassis Manager admin UI:

Browse to the chassis manager URL, select Logical Device, disable FTD by clicking the button as circled below:

Note: You can monitor FTD status via the FCM or FMC that manages the FTD device

Once the FTD instance is officially disabled/off/down, you can focus on turning the physical chassis off, which can be done via the FCM admin UI (Logical Devices: disable the FTD app via the blue button in the right column).

Now that FTD running on a chassis is off and the physical unit is powered off, here is how you can quickly and safely turn off FMC (System->Configuration->Process: Shutdown Management Center):
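To make the "FTD is fully down before the chassis goes off" gate explicit, here is an added example (not from the original post or from Cisco) that parses saved `show app-instance` output and lists any instance that is still up or in transition. The sample table, the identifier `FTD-B`, the version string, the column names and the "Disabled"/"Offline" state values are assumptions; check them against what your FXOS release prints.

```python
import re

# Constructed sample of FXOS `show app-instance` output (identifier and version
# are made up; the exact column set is an assumption and varies by release).
SAMPLE = """\
App Name   Identifier Slot ID    Admin State Oper State       Running Version
---------- ---------- ---------- ----------- ---------------- ---------------
ftd        FTD-B      1          Disabled    Stopping         6.6.1.91
"""


def parse_app_instances(output):
    """Turn the fixed-width table into one dict per app-instance row."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    # The dashed rule under the header marks where every column starts.
    rule = next((i for i, ln in enumerate(lines)
                 if re.fullmatch(r"-+( +-+)*", ln)), None)
    if not rule:  # None (no rule) or 0 (no header above it)
        raise ValueError("no table header found in output")
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    ends = starts[1:] + [None]          # last column runs to end of line
    names = [lines[rule - 1][s:e].strip() for s, e in zip(starts, ends)]
    return [{n: ln[s:e].strip() for n, s, e in zip(names, starts, ends)}
            for ln in lines[rule + 1:]]


def blocking_instances(output):
    """Instances that are not fully down; chassis power-off should wait on these.

    Assumes a stopped instance reports Admin State "Disabled" and
    Oper State "Offline"; transitional states such as "Stopping" still block.
    """
    return [r for r in parse_app_instances(output)
            if r.get("Admin State") != "Disabled"
            or r.get("Oper State") != "Offline"]


if __name__ == "__main__":
    for inst in blocking_instances(SAMPLE):
        print(f"wait: {inst['Identifier']} is {inst['Admin State']}/{inst['Oper State']}")
```

An empty list from `blocking_instances` means every instance in the captured output is down and the chassis shutdown can proceed.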

Now that I have covered the proper shutdown options/procedures for FTD/FMC/Chassis let's focus on the startup process for the same components. Brief overview:

  • Power on physical chassis

  • Startup FMC VM

  • Startup FTD Instances

  • Ensure Devices are Synced & latest policy is deployed from FMC to the FTD apps

Here are two ways to start up an FTD instance:

1. Via FXOS CLI as follows:

# scope ssa
/ssa # scope slot 1
/ssa/slot # show app-instance
/ssa/slot/app-instance # enable


2. Via FCM admin UI (Logical Devices->Enable instance by clicking button to ensure it powers on):

At this point the FTD app will do its thing and take some time to get started. The FTD status can be monitored in FMC or FCM. If using FCM, once things are good the Status will turn green and show as online. If using FMC to verify FTD status, go to Devices->Device Management.

Power up the FMC VM in VMware.

That wraps this post up. To summarize I covered how to manage (startup/shutdown) FTD/FMC/FCM in relation to Cisco's 4110 platform. Cheers!

