topic Re: FTD or ASA OS in Network Security

FTD or ASA OS

stcnetteam — Wed, 13 Dec 2017 08:03:20 GMT

Hey All,

It seems Cisco made decision to go with FTD as only image for NGFW. Is anyone here who alrady implemented FTD across company (not pilot, not single firwall) ?

Re: FTD or ASA OS

pablo.costa — Wed, 13 Dec 2017 16:55:31 GMT

Hi,

We have around 10 implementations with FTD. I can tell you will give you a little pain in the head because there is some features that you need to work hard to delivery everything like customers want.

SSL/TLS decryption is the most trick feature imo. There is no many options to make a exception ( you can not add a external feed list to exclude. ex: office 365 ). You only can use URL categories and others SSL/TLS options to do this and, imo, is not the best way to to this.

FMC 6.2.2.1 is too slow if you comper if others vendor. But is much better now.

I like ASA a lot, working with Firepower about a 2 years need much improve to beat firewalls solutions like paloalto and fortnet. ( its sad but its true )

Btw all implementations was sucessfull. If you need some help we can help you.

Best regards

Pablo Costa

Re: FTD or ASA OS

stcnetteam — Wed, 13 Dec 2017 19:47:23 GMT

Hey Pablo,

Thanks for answer.

What about VPN functionalities. Both S2S VPN and AnyConnect Remote Access (group polices, Dynamic Access Polices, XML profiles)?

Re: FTD or ASA OS

Ryan Wolfe — Fri, 15 Dec 2017 18:17:38 GMT

FTD now supports S2S VPN and RA VPN.

I have also deployed multiple FTDs for multiple customers in production. I have done many S2S VPNs. I have labbed up the AnyConnect RA VPN, as well.

I don't believe Dynamic Access Policies are supported at this time. But, depending on what you're using it for, you may have other options.

If you have specific use cases you want to confirm are available, you probably want to chat with your partner/account team.

Re: FTD or ASA OS

cenriquez — Thu, 08 Feb 2018 07:34:59 GMT

hello

in the anyconnect the FTD have some limitations

Limitations

Currently unsupported on FTD, but available on ASA:

Double AAA Authentication
Dynamic Access Policy
Host Scan
ISE posture
RADIUS CoA
VPN load-balancer
Local authentication (Enhancement: CSCvf92680 )
LDAP attribute map
AnyConnect customization
AnyConnect scripts
AnyConnect localization
Per-app VPN
SCEP proxy
WSA integration
SAML SSO
Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN
AnyConnect modules (NAM, Hostscan, AMP Enabler etc.) – DART is installed by default
TACACS, Kerberos (KCD Authentication and RSA SDI)
Browser Proxy

you can check this guide

AnyConnect Remote Access VPN configuration on FTD - Cisco

Re: FTD or ASA OS

msanclimenti — Thu, 08 Feb 2018 20:05:59 GMT

I have been on a project for the past few months deploying ASA5516s converted to FTDs. The conversion takes about 3 hours. The FTDs are configured in a HA pair with no issues so far. The routing protocol is EIGRP so I had to use Flexconfig. Flexconfig takes a little time to get used to and it has been good. We had an issue with EIGRP authentication and Cisco has released a patch to us to take care of that issue.

With FTDs you do give up CLI configuration and that can slow down the configuration process, especially with the HA pair.