Preface: I recently encountered an issue when attempting to start an FTD instance from FXOS command line, which sparked my desire to write & share this post.
In this post I want to cover how to properly shut down and start up Firepower Threat Defense (FTD) instances running on a high availability (HA) pair of Cisco's 4110 NGFW chassis. I will also cover how to shut down/restart a virtual Firepower Management Center (FMC) from the admin UI perspective.
Let's start with the shutdown process, since it is a bit more complex from an options perspective. An overview of how to completely shut down the 4110 NGFW & all of its components is as follows:
1. Shut down standby (not inline/active) FTD app
2. Shut down secondary 4110 chassis via Firepower Chassis Manager (FCM)
3. Shut down primary FTD app
4. Shut down primary 4110 chassis via FCM
5. Shut down FMC from FMC admin UI
First, here are three options for shutting down an FTD instance.
1. Shutting down FTD from FXOS command line:
SSH into FXOS command line
#scope ssa
/ssa #scope slot 1
/ssa/slot #show app-instance
/ssa/slot/app-instance #shutdown
2. Shutting down FTD directly from FTD command line:
SSH into the FTD logical device management IP. Issue shutdown:
3. Shutting down FTD app directly from within Firepower Chassis Manager admin UI:
Browse to the chassis manager URL, select Logical Device, disable FTD by clicking the button as circled below:
Note: You can monitor FTD status via the FCM or the FMC that manages the FTD device.
Once the FTD instance is officially disabled/off/down, you can focus on turning the physical chassis off, which can be done via the FCM admin UI (Logical Devices: Disable FTD app via button in right column that is blue).
Now that FTD running on a chassis is off & the physical unit is powered off, here is how you can quickly/safely turn off FMC (System->Configuration->Process: Shutdown Management Center):
Now that I have covered the proper shutdown options/procedures for FTD/FMC/Chassis, let's focus on the startup process for the same components. Brief overview:
1. Power on physical chassis
2. Start up FMC VM
3. Start up FTD instances
4. Ensure devices are synced & latest policy is deployed from FMC to the FTD apps
Here are two ways to start up an FTD instance:
1. Via FXOS CLI as follows:
#scope ssa
/ssa #scope slot 1
/ssa/slot #show app-instance
/ssa/slot/app-instance #enable
2. Via FCM admin UI (Logical Devices->Enable instance by clicking button to ensure it powers on):
At this point the FTD app will do its thing & take some time to get started. The FTD status can be monitored in FMC or FCM. If using FCM, once things are good the Status will turn green and show as online. If using FMC, verify FTD status under Devices->Device Management.
Power up the FMC VM in VMware.
That wraps this post up. To summarize, I covered how to manage (start up/shut down) FTD/FMC/FCM in relation to Cisco's 4110 platform. Cheers!