FTD/FMC/FCM Startup/Shutdown Process - Cisco 4110 NGFW

Preface: I recently encountered an issue when attempting to start an FTD instance from FXOS command line, which sparked my desire to write & share this post.


In this post I want to cover how to properly shut down and start up Firepower Threat Defense (FTD) instances running on a high availability (HA) pair of Cisco's 4110 NGFW chassis. I will also cover how to shut down and restart a virtual Firepower Management Center (FMC) from the admin UI.


Let's start with the shutdown process, since it has more options. An overview of how to completely shut down the 4110 NGFW and all of its components is as follows:

  • Shutdown standby (not inline/active) FTD app

  • Shutdown secondary 4110 chassis via Firepower Chassis Manager (FCM)

  • Shutdown primary FTD app

  • Shutdown primary 4110 chassis via FCM

  • Shutdown FMC from FMC admin UI

First, here are three options for shutting down an FTD instance.


1. Shutting down FTD from FXOS command line:

Command overview:

SSH into FXOS command line

#scope ssa
/ssa #scope slot 1
/ssa/slot #show app-instance
/ssa/slot/app-instance #shutdown

2. Shutting down FTD directly from FTD command line:

SSH into the FTD logical device management IP. Issue shutdown:

>shutdown

3. Shutting down FTD app directly from within Firepower Chassis Manager admin UI:

Browse to the chassis manager URL, select Logical Devices, and disable FTD by clicking the button for that instance.

Note: You can monitor FTD status via the FCM or the FMC that manages the FTD device.


Once the FTD instance is disabled and down, you can turn the physical chassis off, which can be done via the FCM admin UI (Logical Devices: disable the FTD app via the blue button in the right column).
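The check described above, gating the chassis power-off on the FTD instance actually being down, can be scripted against saved `show app-instance` output. This is an added example, not part of the original post or Cisco's tooling; the column names, state values and the `sample` helper are assumptions, and the table is constructed rather than captured from a device.

```python
import re

# Constructed sample, not captured from a device. The column names and the
# state values (Enabled/Disabled, Online/Stopping/Offline) are assumptions
# about the `show app-instance` layout, which varies between FXOS releases.
def sample(admin, oper):
    fmt = "{:<10} {:<10} {:<11} {:<16}"
    return "\n".join([
        fmt.format("App Name", "Slot ID", "Admin State", "Oper State"),
        fmt.format("-" * 10, "-" * 10, "-" * 11, "-" * 16),
        fmt.format("ftd", "1", admin, oper),
    ])

def parse_app_instances(text):
    """Return one dict per row, slicing cells by the dashed separator's spans
    so that an empty cell cannot shift the columns after it."""
    lines = [l for l in text.splitlines() if l.strip()]
    sep = next((i for i, l in enumerate(lines)
                if set(l.strip()) <= {"-", " "}), None)
    if not sep:  # no separator, or no header line above it
        return []
    spans = [m.span() for m in re.finditer(r"-+", lines[sep])]
    def cells(line):
        return [line[a:b].strip() for a, b in spans]
    header = cells(lines[sep - 1])
    return [dict(zip(header, cells(row))) for row in lines[sep + 1:]]

def safe_to_power_off(text, app="ftd", slot="1"):
    """True only when the named instance is both Disabled and Offline."""
    for row in parse_app_instances(text):
        if row.get("App Name") == app and row.get("Slot ID") == slot:
            oper = row.get("Oper State") or row.get("Operational State", "")
            return row.get("Admin State") == "Disabled" and oper == "Offline"
    return False  # instance not listed: do not assume it is down

if __name__ == "__main__":
    for admin, oper in [("Enabled", "Online"), ("Disabled", "Stopping"),
                        ("Disabled", "Offline")]:
        verdict = safe_to_power_off(sample(admin, oper))
        print(f"{admin}/{oper}: power off chassis = {verdict}")
```

An instance that is still Stopping, or that is missing from the output, is treated as not safe, so the chassis is never powered off on an ambiguous reading.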


Now that the FTD app on the chassis is off and the physical unit is powered off, here is how you can quickly and safely turn off FMC: System->Configuration->Process: Shutdown Management Center.


Now that I have covered the proper shutdown options and procedures for FTD/FMC/chassis, let's focus on the startup process for the same components. Brief overview:

  • Power on physical chassis

  • Startup FMC VM

  • Startup FTD Instances

  • Ensure Devices are Synced & latest policy is deployed from FMC to the FTD apps

Here are two ways to start up an FTD instance:

1. Via FXOS CLI as follows:

#scope ssa
/ssa #scope slot 1
/ssa/slot #show app-instance
/ssa/slot/app-instance #enable

2. Via FCM admin UI (Logical Devices->Enable instance by clicking button to ensure it powers on):

At this point the FTD app will take some time to get started. The FTD status can be monitored in FMC or FCM. If using FCM, once things are good the Status will turn green and show as online. If using FMC to verify FTD status, go to Devices->Device Management.


Power up the FMC VM in VMware.


That wraps this post up. To summarize, I covered how to manage (start up/shut down) FTD/FMC/FCM on Cisco's 4110 platform. Cheers!
