Best Practices for Routed Mode Configuration
If you want to deploy a threat defense in routed mode, consider the following suggestions:
Do not configure the diagnostic interface with an IP address. This simplifies the network design and reduces configuration overhead. When the diagnostic interface is configured with an IP address, the threat defense treats it as a data interface, and in routed (Layer 3) mode each data interface on a threat defense must be on a different network. The diagnostic interface, which must be on the same subnet as the logical management interface (br1), and the inside interface therefore end up on two different subnets, and traffic between those two subnets can only flow through the routing service.
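To make the subnet rule above checkable before deployment, the following Python script (an added example, not Cisco code or part of this guide) validates a planned interface addressing table against it: every data interface must be on a distinct, non-overlapping network, and a diagnostic interface, if it is given an address, must sit on the management (br1) subnet. The interface names and addresses are constructed sample values, not values from the page.

```python
import ipaddress

# Constructed sample addressing plan (hypothetical addresses, not from the guide).
# Keys are interface names; values are address/prefix strings.
INTERFACE_PLAN = {
    "br1": "10.0.10.5/24",          # logical management interface
    "diagnostic": "10.0.10.6/24",   # same subnet as br1, as the guidance requires
    "inside": "192.168.1.1/24",
    "outside": "203.0.113.2/30",
}


def check_routed_mode_subnets(plan, management="br1", diagnostic="diagnostic"):
    """Return a list of problems found in a routed-mode interface plan.

    Rules checked:
    - every data interface (everything except the management interface)
      must be on a network that does not overlap any other data interface;
    - the diagnostic interface, when addressed, must be on the same subnet
      as the management interface.
    An empty list means the plan satisfies both rules.
    """
    problems = []
    nets = {name: ipaddress.ip_interface(addr).network for name, addr in plan.items()}
    data_ifaces = [name for name in nets if name != management]

    # Pairwise overlap check between all data interfaces.
    for i, a in enumerate(data_ifaces):
        for b in data_ifaces[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")

    # Diagnostic interface, if present, must share the management subnet.
    if diagnostic in nets and management in nets and nets[diagnostic] != nets[management]:
        problems.append(
            f"{diagnostic} is on {nets[diagnostic]} but {management} is on {nets[management]}"
        )
    return problems


def diagnostic_is_addressed(plan, diagnostic="diagnostic"):
    """True when the plan assigns the diagnostic interface an address, which
    the guidance recommends against because it turns it into a data interface."""
    return diagnostic in plan


if __name__ == "__main__":
    for line in check_routed_mode_subnets(INTERFACE_PLAN) or ["plan OK"]:
        print(line)
    if diagnostic_is_addressed(INTERFACE_PLAN):
        print("note: diagnostic interface is addressed; consider leaving it unaddressed")
```

Run it against your own plan by replacing INTERFACE_PLAN; a plan that leaves the diagnostic interface unaddressed passes the checks and avoids the extra routed subnet entirely.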
Changing the firewall mode clears all existing configuration on a threat defense. Therefore, before you change the firewall mode from transparent to routed or vice versa, record your threat defense settings for future reference, in case you want to revert the threat defense to its prior state. To view the current threat defense configuration, run the show running-config command in the CLI.
If you only want to change the firewall mode of a threat defense, backing up your security policy configuration is not necessary, because the next-generation security policies are defined and stored on the management center rather than on the device. After you configure the security policies, the management center lets you deploy the same policies to one or more threat defense devices.