topic The on-box non-ASDM manager in Network Security

Cisco Firewall Device Manager not accessible

EckoForce_1 — Tue, 12 Mar 2019 08:16:23 GMT

I have an upgraded a 5516X

5516X running 9.6(2)

ASDM on 7.6(2)

FirePOWER 6.1.0-330

There is supposed to be this awesome new and most importantly Non-Java based device manager called the Firewall Device Manager that comes included with FirePOWER 6.1. (https://www.youtube.com/watch?v=PW8EnCBafXw) <----youtube video from Cisco about it. You are supposed to navigate to the FirePOWER ip address and it brings you to the FDM landing page. Do I have to turn this on? I know its not as feature rich as the ASDM for configuration BUT its monitoring looks way better.

I still get this error to use ASDM when I go to that page even though I am on FirePOWER 6.1.

Onbox NGFW is managed by ASDM. Please use your ASDM Client or download the client and use your ASA IP address to login.

Any Ideas?

thanks

The on-box non-ASDM manager

Marvin Rhoads — Thu, 15 Sep 2016 02:59:34 GMT

The on-box non-ASDM manager is for FirePOWER Threat Defense (FTD) image only.

This is mentioned in the video - see around 1:50 where she says in "...running FirePOWER Threat Defense software image". The slide that follows highlights that ASDM is (still) used to manage "ASA+ FP Services" .

ASA + FirePOWER Services is NOT FirePOWER Threat Defense. Both are at release 6.1 but they are quite distinct.

Marvin,

EckoForce_1 — Thu, 15 Sep 2016 11:54:49 GMT

Marvin,

So this only something I could access if I used the FirePOWER Management Center? I see you get FirePOWER images on ISR routers so I guess the FTD can connect all these together? Just wondering how one gets the FTD, what do you buy/order/download?

Ahhh I got redirected around

EckoForce_1 — Thu, 15 Sep 2016 12:01:10 GMT

Ahhh I got redirected around searching Cisco's website and see when I tried to download the FTD software it is for a appliance or I guess they have options for AWS or VMWare.

Thanks for the info, I was just hoping that at least for ASA/FP monitoring we could break free from Java and the ASDM. I see we will have to wait for that.....

thanks again

@EckoForce_1 ,

Marvin Rhoads — Thu, 15 Sep 2016 12:58:11 GMT

EckoForce_1 ,

FTD is a new image type for available for all ASA 5500-X series (except 5585-X) and current FX-OS-based FirePOWER series (virtual, 4100 series and 9300) appliances. Here's a detailed guide as to which appliances are compatible:

http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_070E1908889545BDB6CC564676202628

On the ASA platforms it is an alternative to ASA + FirePOWER services. You have to re-image the appliance with FTD software if it wasn't ordered new with FTD pre-installed. Once you have done so, you can manage it either via the new FirePOWER device manager or via an external FirePOWER Management Center.

You can run the FTD image as a basic firewall, albeit currently without all the features of the classic ASA image (no remote access VPN most notably). If you have licensed the FirePOWER features (IPS, URL filtering and/or Malware) you can also configure policies that use those features.

Hope this clears things up a bit.

that does Marvin thanks, if

EckoForce_1 — Thu, 15 Sep 2016 17:49:29 GMT

that does Marvin thanks, if reimage with FTD can I still use the ASDM to configure the Firewall and FirePOWER.

Essentially use FTD for FirePOWER monitoring and use ASDM for ASA and FirePOWER configuration?

When you move to FTD there is

Marvin Rhoads — Thu, 15 Sep 2016 18:02:18 GMT

When you move to FTD there is only one on-box manager available - the FirePOWER Device Manager.

ASDM requires the classic ASA software and that software is no longer present when you have re-imaged the appliance with FTD.

FirePOWER Device Manager manages and monitors all aspects of the unified FTD image.

You also have the option of instead using an external FirePOWER Management Center.

There's also the new Cisco Defense Orchestrator for central management of policies. It does not do in-depth monitoring though like FMC does.

http://www.cisco.com/c/en/us/products/collateral/security/defense-orchestrator/datasheet-c78-736847.html?cachemode=refresh

Thanks for the info Marvin.

EckoForce_1 — Fri, 16 Sep 2016 12:13:45 GMT

Thanks for the info Marvin.

I looked into the CDO but it appeared to be cloud based which is a deal breaker, at least for now anyway its only cloud based.

The FTD only option I think wont work because I thought I saw/read/heard that not ALL the options are there yet, like being able to manage SSL decrypt policies.

Actually after re-watching the videos it appears the routed mode only support will prevent us from going to this until transparent mode is also supported.

You're welcome.

Marvin Rhoads — Fri, 16 Sep 2016 15:07:57 GMT

You're welcome.

Hope this helped clear it up for you.

Marvin,

weisse1 — Fri, 16 Sep 2016 22:05:52 GMT

Marvin,

if using the on-box gui to manage the FTD rather than an external management center can you configure parameters such as site-to-site vpn?

Thanks in advance,

Christian

Not yet. As of FTD software

Marvin Rhoads — Fri, 16 Sep 2016 22:21:49 GMT

Not yet. As of FTD software release 6.1, VPN creation is restricted to FirePOWER Management Center (FMC).

We expect a version 6.2 to have enhancements to what you can do with FirePOWER Device Manager (FDM) but we will have to wait and see if VPN is included.

How to in FMC:

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/fpmc-config-guide-v61_chapter_01110100.html#ID-2267-000000c3

How not to in FDM 😞 :

Thanks Marvin

weisse1 — Sun, 18 Sep 2016 23:34:19 GMT

Thanks Marvin