FTD/FMC/FCM Startup/Shutdown Process - Cisco 4110 NGFW

Preface: I recently encountered an issue when attempting to start an FTD instance from the FXOS command line, which sparked my desire to write & share this post.


In this post I want to cover how to properly shut down and start up Firepower Threat Defense (FTD) instances running on a high availability (HA) pair of Cisco 4110 NGFW chassis. I will also cover how to shut down or restart a virtual Firepower Management Center (FMC) from the admin UI.


Let's start with the shutdown process, since it has more options to choose from. An overview of how to completely shut down a 4110 NGFW pair and all of its components is as follows:

  • Shut down the standby (not the inline/active) FTD app

  • Shut down the secondary 4110 chassis via Firepower Chassis Manager (FCM)

  • Shut down the primary FTD app

  • Shut down the primary 4110 chassis via FCM

  • Shut down FMC from the FMC admin UI

First, here are three options for shutting down an FTD instance.


1. Shutting down FTD from the FXOS command line:

Command overview:

SSH into the FXOS command line, then issue:

#scope ssa
/ssa #scope slot 1
/ssa/slot #show app-instance
/ssa/slot/app-instance #shutdown

Example:

2. Shutting down FTD directly from the FTD command line:

SSH into the FTD logical device management IP and issue the shutdown command:

>shutdown

3. Shutting down the FTD app directly from within the Firepower Chassis Manager admin UI:

Browse to the chassis manager URL, select Logical Devices, and disable FTD by clicking the button circled below:

Note: You can monitor FTD status via the FCM or the FMC that manages the FTD device.


Once the FTD instance is confirmed disabled/offline, you can focus on powering the physical chassis off, which can be done via the FCM admin UI (Logical Devices: disable the FTD app via the blue button in the right column).


Now that the FTD running on a chassis is off and the physical unit is powered off, here is how you can quickly and safely turn off FMC (System -> Configuration -> Process: Shutdown Management Center):


Now that I have covered the proper shutdown options and procedures for FTD, FMC and the chassis, let's focus on the startup process for the same components. Brief overview:

  • Power on the physical chassis

  • Start up the FMC VM

  • Start up the FTD instances

  • Ensure the devices are synced and the latest policy is deployed from FMC to the FTD apps

Here are two ways to start up an FTD instance:

1. Via the FXOS CLI as follows:

#scope ssa
/ssa #scope slot 1
/ssa/slot #show app-instance
/ssa/slot/app-instance #enable

Example:


2. Via the FCM admin UI (Logical Devices -> enable the instance by clicking the button so it powers on):

At this point the FTD app will take some time to boot. The FTD status can be monitored in FMC or FCM. If using FCM, the Status column turns green and shows the instance as online once it is ready. If using FMC, verify FTD status under Devices -> Device Management.
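The FXOS `show app-instance` step appears in both the shutdown and startup procedures above, and each time the operator has to read the Admin/Oper State columns before taking the next step (chassis power-off only once the app is disabled and offline; startup done only once it is enabled and online). As an added example that is not from the original post, here is a small parser and the two state checks; SAMPLE_OUTPUT is a constructed approximation of the FXOS table, so the column names and spacing may differ on a real chassis.

```python
"""Parse FXOS 'show app-instance' output and gate the shutdown/startup steps.

Added example, not code from the original post. SAMPLE_OUTPUT is constructed
(not captured from a chassis); the parser slices columns by header position,
so extra or reordered columns on a real system are tolerated.
"""
import re

# Constructed sample output approximating the FXOS /ssa/slot table.
SAMPLE_OUTPUT = (
    "App Name   Slot ID   Admin State   Oper State   Running Version  Startup Version\n"
    "---------- --------- ------------- ------------ ---------------- ---------------\n"
    "ftd        1         Enabled       Online       6.4.0.9          6.4.0.9\n"
)

def parse_app_instances(text):
    """Return one dict per row, keyed by header name (e.g. 'Oper State')."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return []
    header, rows = lines[0], lines[2:]          # lines[1] is the dashed rule
    # Header names are words joined by single spaces; columns are separated by 2+.
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", header)]
    bounds = [start for _, start in cols] + [None]
    return [{name: row[bounds[i]:bounds[i + 1]].strip()
             for i, (name, _) in enumerate(cols)} for row in rows]

def instance_state(instances, app="ftd", slot="1"):
    """Return (Admin State, Oper State) for one app/slot, or None if not present."""
    for inst in instances:
        if inst.get("App Name") == app and inst.get("Slot ID") == slot:
            return inst["Admin State"], inst["Oper State"]
    return None

def chassis_poweroff_ok(instances):
    """Shutdown gate: power the chassis off only when every app instance
    reports Disabled/Offline, matching the order the post prescribes."""
    return bool(instances) and all(
        i["Admin State"] == "Disabled" and i["Oper State"] == "Offline"
        for i in instances)

def startup_complete(instances):
    """Startup gate: every app instance Enabled and Online (green in FCM)."""
    return bool(instances) and all(
        i["Admin State"] == "Enabled" and i["Oper State"] == "Online"
        for i in instances)

if __name__ == "__main__":
    inst = parse_app_instances(SAMPLE_OUTPUT)
    print(instance_state(inst), chassis_poweroff_ok(inst), startup_complete(inst))
```

Paste the real `show app-instance` output in place of SAMPLE_OUTPUT and the same two checks decide whether the next step in either procedure is safe to take.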


Power up the FMC VM in VMware.


That wraps this post up. To summarize, I covered how to manage (start up and shut down) FTD, FMC and FCM on Cisco's 4110 platform. Cheers!
