If you did not swap the management interface (MGT) with the dataplane interface (ethernet 1/1) when deploying the firewall, you can use the CLI to enable the firewall to receive dataplane traffic on the primary interface after launching the firewall.
Swap the management interface before you configure the firewall or define policy rules. If you have already configured the VM-Series firewall, check whether any IP address changes for eth0 and eth1 impact policy rules.
Ensure that you have access to the AWS console (management console or CLI) to view the IP address of the eth1 interface. Also, verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface.
Management Interface Swap Using the VM-Series Firewall CLI
Complete Steps 1 through 7 in Launch the VM-Series Firewall in AWS.
Before you proceed, verify that the firewall has a minimum of two ENIs (eth0 and eth1). If you launch the firewall with only one ENI, the interface swap command will cause the firewall to boot into maintenance mode.
On the EC2 Dashboard, view the IP address of the eth1 interface and verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface (eth1).
Log in to the VM-Series firewall CLI and enter the following command:
set system setting mgmt-interface-swap enable yes
Confirm that you want to swap the interface and use the eth1 dataplane interface as the management interface.
Reboot the firewall for the swap to take effect. Use the following command:
request restart system
Verify that the interfaces have been swapped. Use the following command:
debug show vm-series interfaces all
Phoenix_interface     Base-OS_port   Base-OS_MAC         PCI-ID         Driver
mgt(interface-swap)   eth0           0e:53:96:91:ef:29   0000:00:04.0   ixgbevf
Ethernet1/1           eth1           0e:4d:84:5f:7f:4d   0000:00:03.0   ixgbevf
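The two pre-checks in this procedure (at least two ENIs, and Security Group rules that allow SSH and HTTPS to eth1) can be scripted before you run the swap command. The following is an added example, not part of the original procedure or of any Palo Alto Networks tooling. It assumes eth0 and eth1 correspond to ENI device index 0 and 1, runs on constructed sample data shaped like the output of aws ec2 describe-instances and describe-security-groups, and checks port coverage only, not the source ranges of the rules.

```python
"""Pre-flight check before running mgmt-interface-swap (added example)."""

REQUIRED_PORTS = (22, 443)  # SSH and HTTPS, as the procedure requires

# Constructed sample data shaped like `aws ec2 describe-instances` and
# `describe-security-groups` output; all IDs and addresses are made up.
INSTANCE = {
    "InstanceId": "i-EXAMPLE",
    "NetworkInterfaces": [
        {"Attachment": {"DeviceIndex": 0}, "PrivateIpAddress": "10.0.0.10",
         "Groups": [{"GroupId": "sg-mgmt"}]},
        {"Attachment": {"DeviceIndex": 1}, "PrivateIpAddress": "10.0.1.10",
         "Groups": [{"GroupId": "sg-data"}]},
    ],
}
SECURITY_GROUPS = {  # GroupId -> IpPermissions (inbound rules)
    "sg-mgmt": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}],
    "sg-data": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}],
}


def port_allowed(permissions, port):
    """True if any inbound rule covers the given TCP port."""
    for rule in permissions:
        if rule["IpProtocol"] == "-1":  # all protocols, all ports
            return True
        if rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]:
            return True
    return False


def preflight(instance, security_groups):
    """Return a list of problems that would make the swap unsafe."""
    # Assumption: eth0/eth1 map to ENI device index 0/1.
    enis = {e["Attachment"]["DeviceIndex"]: e for e in instance["NetworkInterfaces"]}
    if 0 not in enis or 1 not in enis:
        return ["fewer than two ENIs (eth0 and eth1): swap would boot into maintenance mode"]
    eth1 = enis[1]
    rules = [r for g in eth1["Groups"] for r in security_groups.get(g["GroupId"], [])]
    return [f"eth1 ({eth1['PrivateIpAddress']}): no inbound rule allows TCP {p}"
            for p in REQUIRED_PORTS if not port_allowed(rules, p)]


if __name__ == "__main__":
    for problem in preflight(INSTANCE, SECURITY_GROUPS) or ["OK to swap"]:
        print(problem)
```

With the sample data, the check reports that eth1 has no rule for TCP 22, so SSH to the new management interface would fail after the reboot.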