Firepower 2100 FTD or ASA mode?

Steven Williams
Level 4

I have just received my first set of FP2100s, and I am reading some quick start guides and other Cisco documentation and trying to understand FTD mode vs ASA mode and what limitations each has. Also, what is the "common" method for deployment? These will be edge firewalls that strictly terminate SSL VPN endpoints and that is it.

11 Replies

balaji.bandi
Hall of Fame

If you purchased the 2100, I suggest installing FTD, since you are not looking for the old ASA legacy features and you are looking only for a remote access VPN solution.

(Personally, and eventually Cisco will retire the ASA code) - for longer support I would go with the FTD code.

Here is a good document on FTD remote access setup:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

 

You can also see the VPN limitations, ASA vs FTD:

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-ravpn.html

The Firepower 2100 Series hardware can run either FTD software or ASA software. Switching between FTD and ASA requires you to reimage the device.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Do I need to run an FTD version the same as or lower than my FMC code? I am running 6.2.3 on my FMC, and all my SFRs are also running 6.2.3 or 6.2.2.

If you like a standard in the organization (if I were you, I would maintain all the same version, so it is easy to manage), until I go to another version if the features are not supported?

BB

I think it's more a question of whether the FMC at code 6.2.3 can manage an FTD at a higher code level. Some solutions need to have the management tool at a higher or the same version as the devices it manages.

Best practice: management always needs to be at a higher version to manage the device; if it is at a lower version, it cannot manage a higher-version code device, since it would not be understood well. Make sense?

BB

Yes, so I should run the 2100s at 6.2.3 or update my FMC.

The last stable FMC I have worked with is 6.4; I have seen 6.5 released recently.

 

Check the matrix before you upgrade and work with the version you are comfortable with (as long as the features support your needs).

BB

Correct. The FMC version is always higher than the managed device. The FMC will not let you register a device with a higher version than itself.

simong
Level 1

I have a pair of FP2110 devices running FTD v6.2.3.x in HA mode for over a year with no issues. Recently upgraded to 6.4.0.4 and found static PAT to be unsupported (TAC case currently open).

One point you may wish to consider is SSL HW acceleration, which is only available on the 2100 series from v6.3. It may be worthwhile in your use case as SSL RAVPN headends.

Also, the FMC has been upgraded to v6.4 for a while now and continues to manage the v6.2.3.x FTD sensors.

Regards,

Simon

That seems to be for SSL decryption as it pertains to HTTPS; I am just going to be terminating about 7,000 SSL AnyConnect clients.

If you are looking at 7000+ active sessions, choose the right model - I have shared another document in the previous post.

BB
