Thanks for your response

o.adames · ‎05-23-2017

If I get the FTD 4100 appliance with an ASA image, can I still get firepower services?

Does it work similarly as having as ASA5585 with firepower?

Please provide pros/cons for both scenarios if possible.

Thanks in advance

Marvin Rhoads · ‎05-23-2017

No. FTD appliance (whether 4100 or 9300 series) with an ASA logical device (or image) can only have classic ASA features. It CANNOT have the FirePOWER service module.

To get FirePOWER services you need to run the FTD image.

If you need both classic ASA features that are not yet in FTD and new FirePOWER features and require more throughput than a 5555-X gives, then you have to separate the functions onto different platform instances.

So it is most definitely not working similar to how an ASA 5585 with a FirePOWER SSP works.

o.adames · ‎05-24-2017

Thanks for your response Marvin,

I wonder what is Cisco's goal with this segment:

-ASA 5585 has announced EOS/EOL. That's the only ASA that supports 10gig interfaces and offers good performance. Combine with Firepower you get the best of both worlds but again EOS/EOL so no future.

-FTD supports 10gig and has a much better performance but lacks many of the great features from the ASA platform.

-They realized FTD needs an ASA image and make it available for the top FTD appliances (41xx-9xxx), as far as I know they don't have it available in the 21XX FTD appliances yet.

- If you decide FTD with ASA image then you lose Firepower features.

A labyrinth with no way out.

Marvin Rhoads · ‎05-24-2017

It can be challenging, I agree.

SSL VPN (AnyConnect) for FTD was just made available with FTD 6.2.1 on the 2100 series. We expect it across the rest of the line with 6.2.2 next month. That was one big gap. If you need all of the SSL VPN features like clientless posture checking etc., it makes sense in some scenarios to keep that on a separate classic ASA appliance apart for the main perimeter firewall.

The remaining big gap for large deployment is multiple context. That's a longer term raodmap item.

Are there other features you're not seeing in FTD that are important for you?

o.adames · ‎05-24-2017

Anyconnect was a big gap but as you mentioned there are other features that are becoming more popular now along with anyconnect like posture checking (in conjunction with ISE), so that's not available with FTD yet.

Multiple context is another but another one is PBR.

I know FTD has PBR available but only for failover fashion.

In other words, if I have two ISP circuits coming to the same FTD appliance I can use the second only for failover but not for "load-balance".

Please correct me if I'm wrong but even when you use the cli configuration you cannot tie a route-map to the sla so it's not possible to have two ISP circuits active/active.

These are reference of users looking for that feature:

https://supportforums.cisco.com/discussion/13219261/configure-pbr-ip-sla-ftd

FTD:Allow PBR set commands to be configured in route-map

CSCvd44341

The ASA had a long road for that feature to become available and it looks that the FTD goes like that too.

As always, thanks for your on time/on point answers.

FTD 4100 with ASA image