
Firewall Deployment in Routed Mode

Chapter Description

You can deploy a Secure Firewall threat defense as a default gateway for your network so that the end users can use the threat defense to communicate with a different subnet or to connect to the Internet. This sample chapter from CCNP Security Cisco Secure Firewall and Intrusion Prevention System Official Cert Guide describes the processes to deploy a threat defense in routed mode.

Fulfilling Prerequisites

Do you remember the last part of the threat defense installation and initialization process? During the initialization, the threat defense prompts you to confirm the firewall mode, and you can select between routed mode and transparent mode (see Example 4-1). If you selected routed mode during the system initialization, you can skip this section and read the section “Configuration of the Routed Interface.”

Example 4-1 Configuring the Firewall Mode During the Initialization

<Output Omitted>
.
.
Manage the device locally? (yes/no) [yes]: no
Configure firewall mode? (routed/transparent) [routed]:
Configuring firewall mode ...
Update policy deployment information
   - add device configuration
   - add network discovery
   - add system policy
.
.
<Output Omitted>

If you selected transparent mode during the system initialization and now you want to reconfigure your threat defense to routed mode, you must unregister the threat defense from the management center. You cannot change the firewall mode when a manager is configured. To verify whether a threat defense is currently registered with the management center, run the show managers command at the threat defense CLI.

Example 4-2 shows that the threat defense is currently registered with a management center with IP address 10.1.1.2.

Example 4-2 Threat Defense Is Currently Registered with a Management Center

> show managers
Type         : Manager
Host         : 10.1.1.2
Registration : Completed
> 

If your threat defense is currently in transparent mode and registered with a management center, you can unregister it by using the management center web interface. To delete the registration, go to Devices > Device Management, click the three dots next to the threat defense name, and select Delete (see Figure 4-2).


FIGURE 4-2 Deleting the Registration of a Threat Defense in Transparent Mode

Example 4-3 shows confirmation that the threat defense is neither registered with the management center nor enabled with its local device manager service.

Example 4-3 Threat Defense Is Not Managed by a Management Center or Built-in Local Manager

> show managers
No managers configured.
> 

Enabling the Routed Firewall Mode

You can change the firewall mode of a threat defense if it is currently not registered with a management center. To configure a threat defense with routed mode, log in to the threat defense CLI and run the configure firewall routed command (see Example 4-4).

Example 4-4 Configuring the Routed Mode

> configure firewall routed
 
This will destroy the current interface configurations, are you sure that you want
to proceed? [y/N] y
The firewall mode was changed successfully.

After changing the threat defense to the desired mode, you can verify the mode from the CLI. Example 4-5 confirms that the threat defense is in routed mode.

Example 4-5 Verifying the Firewall Deployment Mode

> show firewall
Firewall mode: Router
> 
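The pre-check that the chapter describes in prose, as an added example that is not from the cert guide or Cisco: it parses captured show managers and show firewall output and decides whether configure firewall routed may be run, or whether the device must be unregistered first. The sample outputs are constructed to match Examples 4-2, 4-3 and 4-5; the Transparent mode string and the helper names are assumptions.

```python
"""Readiness check before changing a threat defense to routed mode (hypothetical helper).

Rule from the chapter: the firewall mode cannot be changed while a manager is
configured, and the change destroys the current interface configuration.
"""
import re
from typing import Optional

# Constructed sample CLI captures shaped like Examples 4-2, 4-3 and 4-5.
REGISTERED = "> show managers\nType         : Manager\nHost         : 10.1.1.2\nRegistration : Completed\n> "
UNMANAGED = "> show managers\nNo managers configured.\n> "
MODE_ROUTED = "> show firewall\nFirewall mode: Router\n> "
MODE_TRANSPARENT = "> show firewall\nFirewall mode: Transparent\n> "  # assumed string


def parse_managers(output: str) -> Optional[dict]:
    """Return the configured manager as a dict, or None when no manager is configured."""
    if "No managers configured" in output:
        return None
    # 'Key : Value' lines; the '> show managers' prompt line does not match.
    fields = dict(re.findall(r"^(\w+)\s*:\s*(\S+)\s*$", output, re.M))
    if "Host" not in fields:
        raise ValueError("unrecognized 'show managers' output")
    return {"type": fields.get("Type"), "host": fields["Host"],
            "registration": fields.get("Registration")}


def parse_firewall_mode(output: str) -> str:
    """Return the word after 'Firewall mode:' (the CLI prints 'Router' for routed mode)."""
    m = re.search(r"Firewall mode:\s*(\w+)", output)
    if not m:
        raise ValueError("unrecognized 'show firewall' output")
    return m.group(1)


def routed_mode_change_plan(managers_output: str, firewall_output: str) -> dict:
    """Decide the next step toward routed mode without running the destructive command blindly."""
    manager = parse_managers(managers_output)
    mode = parse_firewall_mode(firewall_output)
    if mode == "Router":
        return {"action": "none", "reason": "already in routed mode"}
    if manager is not None:
        # Any configured manager blocks the mode change, whatever its registration state.
        return {"action": "unregister",
                "reason": f"manager {manager['host']} is configured; mode change is blocked"}
    return {"action": "configure firewall routed",
            "reason": "no manager configured; the change destroys interface configuration"}
```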

Alternatively, upon a successful registration, the management center GUI also displays the current firewall deployment mode. You can view it by navigating to Devices > Device Management. Figure 4-3 indicates that the threat defense is configured in routed mode.


FIGURE 4-3 Threat Defense Is Deployed in Routed Mode

