topic Firepower 2110 management and deployment in Network Security

Firepower 2110 management and deployment

omer14231 — Fri, 21 Feb 2020 15:47:27 GMT

Dear,

We have recently purchased two Firepower 2110 with threat, malware and URL license. Below is the BoQ of the new hardware

Cisco Firepower 2110 Master Bundle
Cisco Firepower 2110 ASA Appliance, 1U
SNTC-8X5XNBD Cisco Firepower 2110 ASA Appliance, 1U
AC Power Cord (UK), C13, BS 1363, 2.5m
Cisco ASA 9.8 Software for Firepower 2100 appliance series
Cisco Firepower 2100 - Add 5 Security Context Licenses
Firepower 2000 Series SSD for FPR-2110/2120
Cisco Firepower 2100 Standard ASA License
Firepower 2000 Series SSD Slot Carrier
Cisco FPR2110 Threat Defense Threat, Malware and URL License
Cisco FPR2110 Threat Defense Threat, Malware and URL 1Y Subs

We will be using it as a perimeter firewall with multiple security context, HA and IPsec VPN, Anyconnect VPN, URL filtering, AMP, IPS etc.

However, we currently do not have FMC license to make these units as HA and to configure security context as the on-box management FDM doesn't support configuring HA and security context. Kindly suggest if FMC is mandatory to configure HA and security context?

Also, we need to deploy this Firepower units as NGFW or NGIPS to achieve the above requirements? and what is the difference between using Firepower as NGFW or NGIPS?

Regards,

Omer

Re: Firepower 2110 management and deployment

Marvin Rhoads — Sun, 20 May 2018 13:21:57 GMT

Somebody advised you incorrectly with that bill of materials. A Firepower 2110 (or any 2100, 5100 or 9300 series Firepower appliance) can run either ASA logical device(s) or FTD logical device(s). That is, NGFW or NGIPS in marketing terms.

If you run an NGFW you get all the ASA features like multi-context, AnyConnect remote access VPN without feature restriction, etc. You do NOT get IPS, URL filtering, and Malware protection. So buying the license for those features on an NGFW is not only unnecessary but also something you will not be able to use at all. Also, you configure the ASA HA pair and their contexts using the traditional ASA methods (cli, ASDM etc.) - NOT FMC. You use FDM deploy the ASA logical devices on the chassis and assign interfaces to it, but once that's done everything else looks 98% like a classic ASA appliance.

If you run an NGIPS you get the integrated FTD image (not all ASA features - most definitely no multi-context and limited AnyConnect features). the following two line items in your list apply ONLY to NGIPS deployments:

Cisco FPR2110 Threat Defense Threat, Malware and URL License
Cisco FPR2110 Threat Defense Threat, Malware and URL 1Y Subs

Re: Firepower 2110 management and deployment

Florin Barhala — Sun, 20 May 2018 13:49:31 GMT

Marvin - how come you know so much about this FTD appliances; you work for Cisco after all?

Re: Firepower 2110 management and deployment

Marvin Rhoads — Sun, 20 May 2018 14:29:11 GMT

I am an independent engineer but do work for a couple of partners. Since I do both pre-sales and post-sales (deployment), I do my best to keep very up to date on all things Cisco security.

Since I've been working with security one way or another for about 35 years and Cisco for 25 years, I pretty much have the basics (and a few of the more advanced topics) figured out by now.

Please rate my earlier reply if it answered your questions.

Re: Firepower 2110 management and deployment

omer14231 — Mon, 21 May 2018 07:32:49 GMT

Hi Marvin Rhoads,

Thanks a lot for the detailed explanation .

But one thing can you please explain . If we want both features ( NGFW +
NGIPS ) like what we use to do with ASA 5585-X by adding sensor to FMC to
utilize both features. So with Firepower 2110 we need to buy two hardware's
for NGFW + NGIPS ? If we use Firepower 2110 as NGFW then we will able to
manage by FDM but we cannot configure security context and HA by using FDM ?

Re: Firepower 2110 management and deployment

Marvin Rhoads — Mon, 21 May 2018 07:46:39 GMT

You're welcome @omer14231.

Until the multi-instance support comes out in FTD, Cisco has been encouraging customers to look at alternatives such as the 2-appliance (or 2 pairs of appliances) solutions such as you mention or possibly re-examining the design to see if an alternative such as zones might meet your requirements. By the way, the 2100 series may not ever have multi-instance support due to its hardware design.

When a 2100 series is running ASA image you only manage the chassis with FDM. All the NGFW features and configuration is done just as if is was a classic ASA.

Re: Firepower 2110 management and deployment

omer14231 — Mon, 21 May 2018 07:57:49 GMT

Thanks Marven.

So from FDM we can configure High Availability ?

Re: Firepower 2110 management and deployment

Marvin Rhoads — Mon, 21 May 2018 08:31:25 GMT

No. FDM cannot currently be used to configure NGIPS (FTD image) HA (as of release 6.2.3). We expect that will be added in 6.3 (ca. Fall 2018). In the interim you would need to use FMC.

NGFW (ASA image) HA is configured, even on Firepower appliance, via ASA cli or ASDM, just like on ASA appliance.

Re: Firepower 2110 management and deployment

omer14231 — Mon, 21 May 2018 09:10:49 GMT

Thank you Marvin.

One last thing can you please what limitations for cisco anyconnect when
running FTD image . Can you please share with me the link of datasheet for
fire power.

Re: Firepower 2110 management and deployment

Marvin Rhoads — Mon, 21 May 2018 11:45:19 GMT

You're welcome.

AnyConnect limitations for FTD (as of the latest 6.2.3):

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Data sheet:

https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/datasheet-c78-736661.html