FTD 6.0 VPN ..

pankaj.bandewar (Level 1)

Dear Experts,

I am confused. Please help me clear this up.

1. What exactly is FTD 6.0?

2. Does it replace the ASA and Firepower images (.pkg and .img) on the ASA?

3. Does it replace the use of ASDM with a web GUI?

4. Does it not have support for any kind of VPN?

5. If I sell an ASA 5516-X to a customer, what should I go with: FTD, or the ASA plus Firepower software arrangement?

Please help me understand this.

6 Replies

Marvin Rhoads (Hall of Fame)

ASA with FirePOWER means that the Firepower software is running on a module (software module for all but the ASA 5585-X) in addition to the classic ASA software. That is NOT the unified image.

FTD or Firepower Threat Defense is the unified image that combines ASA and FirePOWER features in one running image. Note some ASA features are currently not supported. Notably full SSL VPN (limited support on Firepower 2100 as of this posting), clientless SSL VPN and multiple context. There are a bunch of lesser features also not included in FTD. FTD (on all platforms) DOES include IPsec site-site VPN.

Firepower appliances is a term usually used to refer to the old Sourcefire (now branded Cisco) appliances like the 3D7000 and 3D8000 series. They run only Firepower software and not FTD.

There are now also Firepower 2100, 4100 and 9300 series appliances. Those run either FTD or ASA software (2100 series runs FTD only until later this year). Note when they run ASA software it is without ANY Firepower NGIPS features.

When we run FTD on an ASA it completely replaces the boot and running image on the ASA. There is no longer a separate ASA software and Firepower software - only FTD.

We mostly need an FMC to manage Firepower appliances. When an ASA or 2100 series appliance is running FTD it can be managed (with limited features) using the on-box Firepower Device Manager (FDM) web-based GUI. The same idea goes for an ASA with FirePOWER service module - you can manage it completely with ASDM (as of Firepower version 6.0).

What a given customer is best served by depends on an informed analysis of their current and future requirements as well as their operational environment.

Thank you, Sir.

So in the near future Cisco is going to retire its ASA image with SFR image (which makes up today's NGFW) in favour of the FTD image, for all firewalls?

And will the interface be GUI only, or will ASDM still be there?

How much time do you think it will take for FTD to come up with all ASA features and Firepower features?

Awaiting your valuable response.

You're welcome.

There are no announced (or rumored) plans for Cisco to discontinue the ASA with Firepower service module in the near future.

FTD already has all Firepower features. As far as ASA features, the big ones not currently available are remote access VPN (work in progress - available on 2100 series and will be in next point release of all FTD devices due out soon as the beta program is wrapping up) and multiple context (also work in progress without a projected release date - depending on the use case some features may be able to be implemented currently by using security zones).

There are a number of lesser used features also not present. I'm not sure 100% will ever be refactored for the FTD platform as they may not make sense either functionally or economically. I know Cisco is focusing a lot of effort on filling in the feature gap. My guess is it will be at least a year and possibly two before the features are essentially equivalent.

Please mark your question as answered if it has been and rate helpful replies.

Sure, Sir.

Last query:

So if I want to sell the ASA 5516-X/5525-X/5555-X (which my sales team usually does) and all of the customers require Remote Access VPN,

when it becomes available, should I go ahead and sell FTD with them, or is it still better to go with separate images?

If remote access VPN is a requirement then you need to look a bit closer.

If the throughput requirements are on the higher end (like what you might traditionally use a 5555-X for) then consider the Firepower 2100 series (like the 2110 model) with FTD. They are quite attractive cost and throughput-wise and may be a better strategic purchase. Otherwise the ASA 5516-X or 5525-X (with FirePOWER service module) for smaller throughput requirements might make more sense.

If you do go with FTD for remote access VPN, be careful to note the current limitations and make sure those are not affecting your customer's use case. Those limitations are as noted here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Thank you, Sir.
