<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Simple FTD Question -- Are instantaneous changes possible? Yes or in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499667#M1084917</link>
    <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/290729"&gt;@brettp&lt;/a&gt; Yes, that is generally true; you do need to deploy the changes, which takes a few minutes. However, since version 7.0 you do have dynamic objects, which allow you to push changes via API that take effect immediately without having to push policy. &lt;A href="https://integratingit.wordpress.com/2021/06/19/ftd-dynamic-objects/" target="_self"&gt;More info&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.youtube.com/watch?v=Gt5Yj7MgtG0&amp;amp;t=177s" target="_blank"&gt;https://www.youtube.com/watch?v=Gt5Yj7MgtG0&amp;amp;t=177s&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 08 Nov 2021 18:29:45 GMT</pubDate>
    <dc:creator>Rob Ingram</dc:creator>
    <dc:date>2021-11-08T18:29:45Z</dc:date>
    <item>
      <title>Simple FTD Question -- Are instantaneous changes possible? Yes or no?</title>
      <link>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499661#M1084916</link>
      <description>&lt;P&gt;Because Cisco is phasing out the ASA and moving to FTD, that would be the next logical upgrade in our environment. I have just started to scratch the surface and have been watching videos about FTD Hardware / OS. I learned that you have to make changes and then deploy them. In the videos, it's never instantaneous as was the case on the ASA hardware. It seems to take up to a few minutes for simple changes to take effect (IP address changes, Access Rule changes, etc.). I read on the Cisco website, “We strongly recommend you deploy in a maintenance window or at a time when interruptions will have the least impact” because there can be dropped packets (and not just if/when Snort restarts). Is that really the case? If I cannot make a change on the fly that happens instantly, like updating an ACL, that is an instant deal breaker. Can someone who uses these FTD devices (with FTD OS, not ASA) in the real world answer this? Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 08 Nov 2021 18:15:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499661#M1084916</guid>
      <dc:creator>brettp</dc:creator>
      <dc:date>2021-11-08T18:15:54Z</dc:date>
    </item>
    <item>
      <title>Re: Simple FTD Question -- Are instantaneous changes possible? Yes or</title>
      <link>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499667#M1084917</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/290729"&gt;@brettp&lt;/a&gt; Yes, that is generally true; you do need to deploy the changes, which takes a few minutes. However, since version 7.0 you do have dynamic objects, which allow you to push changes via API that take effect immediately without having to push policy. &lt;A href="https://integratingit.wordpress.com/2021/06/19/ftd-dynamic-objects/" target="_self"&gt;More info&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.youtube.com/watch?v=Gt5Yj7MgtG0&amp;amp;t=177s" target="_blank"&gt;https://www.youtube.com/watch?v=Gt5Yj7MgtG0&amp;amp;t=177s&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 08 Nov 2021 18:29:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499667#M1084917</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2021-11-08T18:29:45Z</dc:date>
    </item>
    <item>
      <title>Re: Simple FTD Question -- Are instantaneous changes possible? Yes or</title>
      <link>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499686#M1084918</link>
      <description>&lt;P&gt;Hello! To add another hint, dropping packets due to a Snort engine restart is a very particular scenario. I don't know what kind of company you manage, but you rarely perceive the drops, so you shouldn't worry too much because there are different configurations to avoid that behavior.&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/policy_management.html#concept_uc1_gtq_ty" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/policy_management.html#concept_uc1_gtq_ty&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;</description>
      <pubDate>Mon, 08 Nov 2021 19:16:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499686#M1084918</guid>
      <dc:creator>#Mat</dc:creator>
      <dc:date>2021-11-08T19:16:34Z</dc:date>
    </item>
    <item>
      <title>Re: Simple FTD Question -- Are instantaneous changes possible? Yes or</title>
      <link>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499722#M1084919</link>
      <description>&lt;P&gt;Unlike ASAs (and many traditional network devices), where the configurations are stored in a flat text file, FTD uses DBs under the hood. As a result, we will most likely never see configuration changes committed in a similar fashion and speed to "wr mem". With that said, we are constantly working on optimizing the deployment mechanisms. Thus, with each new release, the amount of time required to deploy changes is improved.&lt;/P&gt;
&lt;P&gt;With regard to your 2nd topic: The deployment window will warn you if the pending changes will cause traffic interruptions. In addition, with the introduction of Snort3 (Firepower Threat Defense v7.0), we have eliminated most cases where a Snort restart is required.&lt;/P&gt;
&lt;P&gt;I hope this helps!&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Thank you for rating helpful posts!&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 08 Nov 2021 20:44:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/simple-ftd-question-are-instantaneous-changes-possible-yes-or-no/m-p/4499722#M1084919</guid>
      <dc:creator>nspasov</dc:creator>
      <dc:date>2021-11-08T20:44:47Z</dc:date>
    </item>
  </channel>
</rss>

