https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4016699#M937275 <P>I haven't seen any specific guides. These whitepapers contain general guidance which you can adapt for the FTD-specific use case:</P> <P><A href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/white-paper-c11-741103.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/white-paper-c11-741103.html</A></P> <P><A href="https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Segmentation-Design-Guide-2018MAY.pdf" target="_blank">https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Segmentation-Design-Guide-2018MAY.pdf</A></P> <P>FTD doesn't support multiple contexts but is does support multiple instances.</P> Thu, 23 Jan 2020 02:54:24 GMT Marvin Rhoads 2020-01-23T02:54:24Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4015688#M937268 <P>Hello,</P><P>&nbsp;</P><P>Do anyone have documentation on how to configure a firepower 4300 FTD as a SDA fusion firewall?</P><P>&nbsp;</P><P>Thanks</P> Fri, 21 Feb 2020 17:51:04 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4015688#M937268 KelvinT 2020-02-21T17:51:04Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4016699#M937275 <P>I haven't seen any specific guides. These whitepapers contain general guidance which you can adapt for the FTD-specific use case:</P> <P><A href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/white-paper-c11-741103.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/white-paper-c11-741103.html</A></P> <P><A href="https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Segmentation-Design-Guide-2018MAY.pdf" target="_blank">https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Segmentation-Design-Guide-2018MAY.pdf</A></P> <P>FTD doesn't support multiple contexts but is does support multiple instances.</P> Thu, 23 Jan 2020 02:54:24 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4016699#M937275 Marvin Rhoads 2020-01-23T02:54:24Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4016719#M937279 <P>Thanks Marvin&nbsp; for your reply.</P><P>&nbsp;</P><P>I have seen the link you provide but it's kinda dated and refers to ASA firewall.&nbsp; As you probably already know FTD has SGT capabilities.</P> Thu, 23 Jan 2020 03:50:49 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4016719#M937279 KelvinT 2020-01-23T03:50:49Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4017962#M937283 <P>Yes the link is dated but the concepts remain the same. If there's an FTD-specific document, I haven't seen it - even in partner training.</P> Fri, 24 Jan 2020 17:03:46 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4017962#M937283 Marvin Rhoads 2020-01-24T17:03:46Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019765#M937288 <P>Thanks Marvin</P> Tue, 28 Jan 2020 19:29:21 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019765#M937288 KelvinT 2020-01-28T19:29:21Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019771#M937290 <P>Oohh....gotcha Marvin!&nbsp; Hmmm...so with&nbsp; Firepower 4150 we can only create 4 instance max.</P><P>&nbsp;</P><P>Okay.&nbsp; Thanks Marvin</P> Tue, 28 Jan 2020 19:39:26 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019771#M937290 KelvinT 2020-01-28T19:39:26Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019793#M937293 <P>Almost correct - 4150 supports 7 instances.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FTD Multi-Instance Scale" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/66063iB360CE65F701F2E0/image-size/large?v=v2&amp;px=999" role="button" title="FTD Multi-Instance Scale.PNG" alt="FTD Multi-Instance Scale" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">FTD Multi-Instance Scale</span></span></P> <P>Although if you can wait until 6.6 you <STRONG>might</STRONG> see multiple VRF support.</P> Tue, 28 Jan 2020 21:30:02 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019793#M937293 Marvin Rhoads 2020-01-28T21:30:02Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019828#M937295 <P>Sorry.&nbsp; I think the number of containers for a 4150 is 7.</P><P>&nbsp;</P><P>Could this be done with using sub-interface on one FTD instead of multiple containers?</P> Tue, 28 Jan 2020 20:42:01 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019828#M937295 KelvinT 2020-01-28T20:42:01Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019867#M937297 <P>Multi-instance, multi-VRF and separate zones are all ways to address the SDA fusion firewall needs. The last one is certainly easiest to implement and can be done via separate physical interfaces or subinterfaces.</P> Tue, 28 Jan 2020 21:24:09 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019867#M937297 Marvin Rhoads 2020-01-28T21:24:09Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019989#M937303 <P>Okay.&nbsp; That response created more questions.&nbsp; hahaha....</P><P>&nbsp;</P><P>1- Can FTD do multi-VRF?&nbsp; I wasn't aware of this?</P><P>2- Will zone create seperate routing tables?&nbsp; Is seperate routing table a requirement for SDA fusion?&nbsp; Hmm.....</P><P>&nbsp;</P><P>Thanks again Marvin</P> Wed, 29 Jan 2020 02:38:39 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4019989#M937303 KelvinT 2020-01-29T02:38:39Z https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4020353#M937308 <P>There's no VRF support as of the current release 6.5.0.2. We might see it in 6.6.</P> <P>Creating zones won't create separate routing tables.</P> <P>Whether or not you need that depends in part on your VN design in SDA. In any case you need to build the inter-VN policy (if any such is required ) and VN(s)-to-rest-of-the-world policies manually in the firewall. Generally you will need some ACLs with SGTs (VN-facing) and some more traditional 5-tuple ACLs (outside world facing).</P> <P>I just confirmed the above at Cisco Live Barcelona this week.&nbsp;</P> Wed, 29 Jan 2020 16:41:25 GMT https://community.cisco.com/t5/network-security/configuring-a-firepower-4300-ftd-as-a-sda-fusion-device/m-p/4020353#M937308 Marvin Rhoads 2020-01-29T16:41:25Z