Cisco Firewall Device Manager not accessible

EckoForce_1
Level 1

I have an upgraded 5516X

5516X running 9.6(2)

ASDM on 7.6(2)

FirePOWER 6.1.0-330

There is supposed to be this awesome new and, most importantly, non-Java-based device manager called the Firewall Device Manager that comes included with FirePOWER 6.1 (https://www.youtube.com/watch?v=PW8EnCBafXw is a YouTube video from Cisco about it). You are supposed to navigate to the FirePOWER IP address and it brings you to the FDM landing page. Do I have to turn this on? I know it's not as feature-rich as the ASDM for configuration, but its monitoring looks way better.

I still get this error to use ASDM when I go to that page even though I am on FirePOWER 6.1.

Onbox NGFW is managed by ASDM. Please use your ASDM Client or download the client and use your ASA IP address to login.
Any ideas?
Thanks

1 Accepted Solution


Marvin Rhoads
Hall of Fame

The on-box non-ASDM manager is for FirePOWER Threat Defense (FTD) image only.

This is mentioned in the video - see around 1:50 where she says "...running FirePOWER Threat Defense software image". The slide that follows highlights that ASDM is (still) used to manage "ASA+ FP Services".

ASA + FirePOWER Services is NOT FirePOWER Threat Defense. Both are at release 6.1 but they are quite distinct.


11 Replies

Marvin,

So is this only something I could access if I used the FirePOWER Management Center? I see you get FirePOWER images on ISR routers so I guess the FTD can connect all these together? Just wondering how one gets the FTD, what do you buy/order/download?

EckoForce_1,

FTD is a new image type available for all ASA 5500-X series (except 5585-X) and current FX-OS-based FirePOWER series (virtual, 4100 series and 9300) appliances. Here's a detailed guide as to which appliances are compatible:

http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_070E1908889545BDB6CC564676202628

On the ASA platforms it is an alternative to ASA + FirePOWER services. You have to re-image the appliance with FTD software if it wasn't ordered new with FTD pre-installed. Once you have done so, you can manage it either via the new FirePOWER device manager or via an external FirePOWER Management Center.

You can run the FTD image as a basic firewall, albeit currently without all the features of the classic ASA image (no remote access VPN most notably). If you have licensed the FirePOWER features (IPS, URL filtering and/or Malware) you can also configure policies that use those features.

Hope this clears things up a bit.

That does, Marvin, thanks. If I reimage with FTD, can I still use the ASDM to configure the Firewall and FirePOWER?

Essentially use FTD for FirePOWER monitoring and use ASDM for ASA and FirePOWER configuration?

When you move to FTD there is only one on-box manager available - the FirePOWER Device Manager.

ASDM requires the classic ASA software and that software is no longer present when you have re-imaged the appliance with FTD.

FirePOWER Device Manager manages and monitors all aspects of the unified FTD image.

You also have the option of instead using an external FirePOWER Management Center.

There's also the new Cisco Defense Orchestrator for central management of policies. It does not do in-depth monitoring though like FMC does.

http://www.cisco.com/c/en/us/products/collateral/security/defense-orchestrator/datasheet-c78-736847.html?cachemode=refresh

Thanks for the info Marvin.

I looked into the CDO but it appeared to be cloud based which is a deal breaker, at least for now anyway it's only cloud based.

The FTD only option I think won't work because I thought I saw/read/heard that not ALL the options are there yet, like being able to manage SSL decrypt policies.

Actually after re-watching the videos it appears the routed mode only support will prevent us from going to this until transparent mode is also supported.

You're welcome.

Hope this helped clear it up for you.

Marvin,

If using the on-box GUI to manage the FTD rather than an external management center, can you configure parameters such as site-to-site VPN?

Thanks in advance,

Christian

Not yet. As of FTD software release 6.1, VPN creation is restricted to FirePOWER Management Center (FMC).

We expect a version 6.2 to have enhancements to what you can do with FirePOWER Device Manager (FDM) but we will have to wait and see if VPN is included.

How to in FMC:

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/fpmc-config-guide-v61_chapter_01110100.html#ID-2267-000000c3

How not to in FDM :( :

Thanks Marvin

Ahhh I got redirected around searching Cisco's website and see when I tried to download the FTD software it is for an appliance or I guess they have options for AWS or VMware.

Thanks for the info, I was just hoping that at least for ASA/FP monitoring we could break free from Java and the ASDM.  I see we will have to wait for that.....

Thanks again
