https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4103792#M1071051 <P>Firepower appliances all run FXOS. On the higher end models (4100 and 9300 series) it's a separate OS that you interact with via the cli or Firepower Chassis Manager. On the 1100 and 2100 series with FTD it's embedded and it's not generally necessary to interact with it.</P> <P>It's (very loosely) kind of like a hypervisor in that it controls the hardware and the FTD or ASA is a logical device that runs over the abstraction layer provided by FXOS.</P> <P>A Firepower appliance can run ASA software but in that case you don't get any of the IPS or NGFW capability. Most people opt to run FTD which integrates ASA and Firepower capability in a unified image. The ASA subsystem is sometimes referred to as "LINA" while the Firepower bits are "Snort". That's an oversimplification but you will see the terms used nonetheless.</P> <P>When migrating an ASA config to FTD you do have the option of just putting the ASA rules in a prefilter policy with a 1-1 match with the ASA. However I don't recommend that as you are missing out on the L7 deep packet inspection that you get from Snort. I recommend using the Firepower Migration Tool which will transfer the object and ACLs etc. from the ASA config to Firepower's Access Control Policy.</P> <P>To learn more, please see any of the many fine Cisco Live presentations on Firepower or one of the recent books available from Cisco Press.</P> Tue, 16 Jun 2020 02:29:37 GMT Marvin Rhoads 2020-06-16T02:29:37Z https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4103774#M1071047 <P>Dear community,</P><P>I am new to the Firepower appliances and had some questions. Our organization has 4x 2140 Firepower appliances, however they are not currently operational in the network. We are still currently running off of ASA5545X. We would like to migrate away from the ASA's onto the Firepower appliances but I am not sure where to start. The appliances seem to have the Firepower software already installed running version 6.2.2 (Build 81)and are currently imported into an FMC. I had a few questions about these devices:</P><P>&nbsp;</P><P>-Do the 2140's run FXOS? I am unable to see if they are at the moment. From what I understand FXOS is like a hypervisor software that allows FTD software and ASA software to run on these devices?</P><P>-Do these devices run the ASA software? If not, how do you configure classic firewall rules on the device? is the ASA software accessed in a different way than the Firepower software?</P><P>&nbsp;</P><P>I only have experience with the ASA 5545x running the Firepower module, which made the deployment much more straightforward. Any assistance you can provide on how all these software's fit together and how to go about accessing them on the device would be greatly appreciated!&nbsp;</P><P>&nbsp;</P><P>Thanks everyone!</P> Tue, 16 Jun 2020 01:14:24 GMT https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4103774#M1071047 Craddockc 2020-06-16T01:14:24Z https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4103792#M1071051 <P>Firepower appliances all run FXOS. On the higher end models (4100 and 9300 series) it's a separate OS that you interact with via the cli or Firepower Chassis Manager. On the 1100 and 2100 series with FTD it's embedded and it's not generally necessary to interact with it.</P> <P>It's (very loosely) kind of like a hypervisor in that it controls the hardware and the FTD or ASA is a logical device that runs over the abstraction layer provided by FXOS.</P> <P>A Firepower appliance can run ASA software but in that case you don't get any of the IPS or NGFW capability. Most people opt to run FTD which integrates ASA and Firepower capability in a unified image. The ASA subsystem is sometimes referred to as "LINA" while the Firepower bits are "Snort". That's an oversimplification but you will see the terms used nonetheless.</P> <P>When migrating an ASA config to FTD you do have the option of just putting the ASA rules in a prefilter policy with a 1-1 match with the ASA. However I don't recommend that as you are missing out on the L7 deep packet inspection that you get from Snort. I recommend using the Firepower Migration Tool which will transfer the object and ACLs etc. from the ASA config to Firepower's Access Control Policy.</P> <P>To learn more, please see any of the many fine Cisco Live presentations on Firepower or one of the recent books available from Cisco Press.</P> Tue, 16 Jun 2020 02:29:37 GMT https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4103792#M1071051 Marvin Rhoads 2020-06-16T02:29:37Z https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4103810#M1071057 <P>Totally agree with&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>&nbsp;</P> <P>prefer using the migration tool which works fine.&nbsp;<BR />just to add something about this tool, it won’t migrate any dynamic routing if you have any nor the VPN configuration which have to be taken care manually.&nbsp;</P> Tue, 16 Jun 2020 03:02:17 GMT https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4103810#M1071057 Francesco Molino 2020-06-16T03:02:17Z https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4104191#M1071094 Marvin/Francesco,<BR /><BR />Thanks so much for your replies. So in my case the FXOS is embedded and I dont really need to mess with it, got it. I am still kind of confused as to how the FTD software works thought. When I SSH into the management interface of the device, it takes me to the CLI of the Firepower software 6.2.2, is this the FTD software? Or just Firepower software? Is there a difference?<BR /><BR />Thank you. Tue, 16 Jun 2020 14:46:01 GMT https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4104191#M1071094 Craddockc 2020-06-16T14:46:01Z https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4104336#M1071101 <P>Firepower software and FTD are often used interchangeably. That's not exactly correct (i.e the older Firepower 7000 and 8000 series NGIPS run Firepower that's not FTD) but for most purposes it's fine to consider them as the same.</P> Tue, 16 Jun 2020 18:31:11 GMT https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4104336#M1071101 Marvin Rhoads 2020-06-16T18:31:11Z https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4104356#M1071104 <P>Thank you Marvin. So the only software I should really be interacting with on the 2140 is the FTD software where the "ASA rules" are actually migrated into the Access Control Policy of the FMC?&nbsp;</P><P>&nbsp;</P><P>Thanks.&nbsp;</P> Tue, 16 Jun 2020 19:09:28 GMT https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4104356#M1071104 Craddockc 2020-06-16T19:09:28Z https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4104554#M1071113 <P>Depending on how you are managing the 2140 appliances you might not even log into the devices at all. If you use a Firepower Management Center (FMC) server, all but the initial setup of the appliances is done on FMC and deployed to the managed devices.</P> <P>If you manage them without FMC then you would login to them directly and use the on-box Firepower Device Manager (FDM) GUI.</P> Wed, 17 Jun 2020 02:56:05 GMT https://community.cisco.com/t5/network-security/firepower-2140-assistance/m-p/4104554#M1071113 Marvin Rhoads 2020-06-17T02:56:05Z