Friday, December 6, 2019

PSA: You Can't Configure Firepower NAT Without Losing Your Connection

We have been blessed with the misfortune of being pushed to buy Firepower devices because the ASAs are going end of life, and I just got confirmation of a "by design" feature that disconnects everyone from the firewall every time a configuration change is made.

We are running FDM 6.4.0.4 and I noticed that every time I modified a NAT rule I was getting complaints that our internet connection would drop, which in turn causes our site-to-site VPNs to fail. When I looked at the console to see what exactly happens after I run a deployment, I saw messages about a user called "enable_1" that was issuing a lot of "no nat" and "nat" statements, which appeared to cover ALL of our NAT rules (every rule is removed and then re-added, not just the one I changed). Since we have an open line of communication with a Cisco technician as a result of all the tickets we had to open about our Firepower devices, I asked him about this, and here is what he said:

I know this may look counter intuitive, but the behaviour you are seeing is completely normal and is the way FTD handles the deployment of configuration to LINA (the ASA Backend). The enable_1 user is an internal user and it executes configuration within LINA whenever a Policy Deployment requires it.

Does anyone else find it astonishing that if you buy a Firepower device you can't configure it without disconnecting all of your customers?
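If you want to confirm this on your own box before scheduling a maintenance window, here is a small Python script (added here, not from the original post or from Cisco) that scans console/syslog output for a burst of "no nat" followed by "nat" commands from the same user. It assumes the lines arrive in the ASA 111008 "User 'x' executed the 'y' command." format; the sample lines below are constructed, not captured from a real device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what the LINA console shows during an FDM deployment:
# the internal enable_1 user tears down ("no nat") and re-adds ("nat") rules.
SAMPLE_LOG = """\
Dec  6 10:15:01 ftd %ASA-5-111008: User 'enable_1' executed the 'no nat (inside,outside) source static LAN LAN destination static VPN-NET VPN-NET' command.
Dec  6 10:15:01 ftd %ASA-5-111008: User 'enable_1' executed the 'no nat (inside,outside) source dynamic any interface' command.
Dec  6 10:15:02 ftd %ASA-5-111008: User 'enable_1' executed the 'nat (inside,outside) source static LAN LAN destination static VPN-NET VPN-NET' command.
Dec  6 10:15:02 ftd %ASA-5-111008: User 'enable_1' executed the 'nat (inside,outside) source dynamic any interface' command.
Dec  6 10:15:03 ftd %ASA-5-111008: User 'enable_1' executed the 'nat (inside,outside) source static DMZ-HOST DMZ-PUBLIC' command.
Dec  6 11:40:10 ftd %ASA-5-111008: User 'admin' executed the 'show nat' command.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %ASA-\d-111008: "
    r"User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.$")

def parse(log_text, year=2019):
    """Return (timestamp, user, command) tuples; syslog lines carry no year, so it is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["cmd"]))
    return events

def find_nat_redeploys(events, window=timedelta(seconds=30)):
    """Cluster NAT commands per user; a cluster that contains both 'no nat' and
    'nat' lines is a tear-down/re-add of the NAT table, i.e. a connection drop."""
    by_user = defaultdict(list)
    for ts, user, cmd in sorted(events):
        if cmd.startswith("no nat ") or cmd.startswith("nat "):
            by_user[user].append((ts, cmd))
    findings = []
    for user, cmds in by_user.items():
        cluster = []
        for item in cmds + [None]:  # None flushes the last cluster
            if item is None or (cluster and item[0] - cluster[-1][0] > window):
                removed = sum(c.startswith("no nat ") for _, c in cluster)
                readded = len(cluster) - removed
                if removed and readded:
                    findings.append({"user": user, "start": cluster[0][0],
                                     "removed": removed, "readded": readded})
                cluster = []
            if item is not None:
                cluster.append(item)
    return findings

if __name__ == "__main__":
    for f in find_nat_redeploys(parse(SAMPLE_LOG)):
        print(f"{f['start']}: {f['user']} removed {f['removed']} and re-added {f['readded']} NAT rules")
```

Feed it `show logging` output (or a syslog export) covering a deployment and the timestamp of the reported finding should line up with the VPN drop.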
