Wednesday, June 23, 2021

CDO, FTD 7.0 and DHCP Relay

Good Morning Folks,

Wondering if anyone has ventured into FTD 7.0 with their CDO Deployments, and how they are handling DHCP Relay if using it?

Currently have a large deployment of FPR1010s that I am upgrading to 6.6.4, but EIGRP broke on a handful of them after the upgrade, prompting the upgrade to 7.0 on the broken ones (quicker than a rebuild, which is pretty much the only solution TAC gives right now).

We have the DHCP API built out using the CDO macros and understand how to deploy the DHCP Relay changes to the device, but are now running into the issue of how the hell do we pre-stage our DHCP servers on our devices using CDO, so we don't run into 300+ duplicate objects in CDO when creating them locally on each firewall? For reference, CDO will only add an object to your firewall if it's in use in a policy. Selecting the firewall in CDO, picking Objects and then creating the object in CDO doesn't build it on the firewall either, only in CDO.

Since DHCP Relay isn't a firewall policy, we cannot simply specify the object ID we want to use in the API, since that object doesn't exist in the firewall.

Currently my options are: add my DHCP servers as network objects into CDO, then add them to an existing network object group that exists on all firewalls and do a mass deploy, but that really feels like a band-aid solution to get these objects created on all of my firewalls, and keeping them in a policy they shouldn't be in really isn't a great practice.

Does anyone with CDO experience have any other ideas or suggestions?
