
FirePower 2100 series with FTD

ccz
Level 1

Hi. 

 

Please, can you tell me if the FirePower 2100 series supports 3DES/AES? Which license is necessary?

The FirePower 2100 series will be used for firewall, site-to-site VPN, AnyConnect VPN and IPS subscription (threat).

For AnyConnect Apex, the required license is L-AC-APX-LIC=?

 

Rgds.

Accepted Solutions

Marvin Rhoads
Hall of Fame

Yes, it is supported. No special license needs to be purchased, but you should specify the "K9" SKU during ordering to make sure the free entitlement is coded correctly in the system.

 

The top level SKU you mentioned is the right one to order licenses for AnyConnect Apex. Be sure to tell your reseller to provision them as Smart licenses as FTD devices use smart licensing exclusively.


ccz
Level 1

Thank you.

 

Please, another question:

Can the Cisco Firepower 2100 Series appliances with FTD be deployed as a Next-Generation Firewall (NGFW) and as a Next-Generation IPS (NGIPS) at the same time?

The FirePower 2100 series will be used for firewall, site-to-site VPN, AnyConnect VPN and IPS subscription (threat).

 

Rgds

The NGFW term is used when the appliance is deployed with the ASA image. NGIPS means it has the Firepower Threat Defense (FTD) image. You must choose one or the other exclusively.

 

FTD has many (but not all) of the features included in an ASA. Notably the AnyConnect remote access VPN has a few caveats which are explained in the configuration guide.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

 

If you were to run the ASA image on a Firepower hardware appliance you would not be able to use any of the IPS, URL Filtering or AMP features. You also gain the ability to add and use fail-to-wire (FTW) interfaces (optional hardware) should that be a requirement in your environment.

I have a confusion.

 

Does the FirePower 2100 series with FTD not support the basic firewall functionalities? For example, the firewall functionalities that the old ASA 5520 supports (firewall policies, high availability (dual ISP), routing)?


The client has an ASA 5520 and wants to switch to a Firepower 2120 for the current functionalities of the ASA 5520 plus the subscription to threat (IPS).

Yes - it supports all of those features.

 

You do require an external Firepower Management Center (VM or hardware appliance) to configure HA and some of the advanced features.

 

Firepower 2120 is quite a step up from ASA 5520. Is there a reason why you aren't considering Firepower 2110? 

Thank you.

 

The two options are being evaluated (FP 2110 and 2120).

 

FPR2110-BUN Cisco Firepower 2110 Master Bundle
FPR2110-NGFW-K9 Cisco Firepower 2110 NGFW Appliance, 1U
CON-SNTP-FPR21FWN SNTC-24X7X4 Cisco Firepower 2110 NGFW Appliance, 1U
CAB-AC AC Power Cord (North America), C13, NEMA 5-15P, 2.1m
SF-F2K-TD6.2.2-K9 Cisco Firepower Threat Defense software v6.2.2 for FPR2100
FPR2K-SSD100 Firepower 2000 Series SSD for FPR-2110/2120
FPR2K-SSD-BBLKD Firepower 2000 Series SSD Slot Carrier
L-FPR2110T-T= Cisco FPR2110 Threat Defense Threat Protection License
L-FPR2110T-T-3Y Cisco FPR2110 Threat Defense Threat Protection 3Y Subs
   
L-AC-APX-LIC= Cisco AnyConnect Apex Term License, Total Authorized Users
L-AC-APX-3Y-S3 Cisco AnyConnect Apex License, 3YR, 250-499 Users

 

 


Is it OK, or is another license necessary?

The client requires: basic firewall functionalities currently present in the ASA 5520, dual ISP configuration, site-to-site VPN, AnyConnect VPN and IPS subscription.

That's fine for the appliance and its licenses.

 

As I noted earlier, you need a Firepower Management Center to complete the setup.

Thank you.

 

Is the FMC necessary for setting up IPS, or also for basic firewall functionalities?

 

 

Rgds.

It's not required for basic IPS and firewall configuration.

 

However a customer would be rightly very unhappy to come across one of the things that cannot be configured without FMC and be told they cannot do what they want with the tens of thousands of dollars in equipment and licenses they have purchased. For that reason alone I always strongly recommend it. A 2-device license is under US$1000 list price.

 

It's required to set up an HA pair, for reporting, for retention of logs beyond near real time, for configuration of Etherchannels, for configuration of Flexconfig, and a number of other various bits.

Thank you, I understand the advantages of FMC.

 

To configure PBR, do I need FMC?

 

 

Thanks.

Yes - PBR does require FMC.

 

It is a Flexconfig setting and those are only available with FMC.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/flexconfig_policies.html

Dual ISP - is PBR supported only in FMC? Is that a feature, or does it need to be programmed in such a way to do PBR? Please elaborate.

Yes, configuring PBR requires use of Flexconfig for all FTD platforms as of the current 6.2.2 release. 

 

That will probably change in the future but which release exposes the feature without having to resort to Flexconfig is TBD at this time.

Hi Marvin,

 

I just wanna know, is it possible to buy a 2100 series NGIPS and use it just for firewall (without buying the IPS subscription)?
