10-23-2019 04:29 AM - edited 10-23-2019 04:31 AM
Hello All.
I have a Cisco 4321 as the NAT and GW device for my server. I need an IDS/IPS for security and I need some suggestions for this; can anyone help me please. I'm thinking about buying an ASA5516-FTD-K9 or buying a UCS E-Series Server Blade and running UTD on that.
Please help, thank you.
10-23-2019 04:43 AM
ISR supports FTD modules, so you can use Firepower features.
The FAQ below is a good reference:
https://blog.router-switch.com/2017/08/faq-cisco-firepower-threat-defense-for-isrs/
Otherwise, if you have the budget, I would buy a separate device (FTD 1XXX or 2XXX, depending on the network), so there are no dependencies; again, it depends on user requirements.
10-23-2019 04:50 AM
10-23-2019 05:08 AM
Will it support IPS and stateful firewall?
The URL I have provided has all the information on what is supported on ISR.
Q: What are the elements of Cisco Firepower Threat Defense for ISR?
A: There are five components:
How about using the ASA5516 with FTD?
The 5516-X supports FTD.
https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5508X/ftd-fmc-5508x-qsg.html
10-23-2019 05:48 AM - edited 10-23-2019 05:49 AM
The URL I have provided has all the information on what is supported on ISR.
It supports IPS and stateful firewall, I'm sorry sir. But I need to check whether UCS is ready or not at my distributor.
The 5516-X supports FTD.
Can I implement FTD before the router? I mean at the edge, with the router still having the WAN IP, because that way I wouldn't have to change the configuration on the running router. It already has NAT forwarding to the internet and DMVPN configured to the office; it would be a mess if I had to reconfigure my running router.
10-23-2019 05:56 AM
Can I implement FTD before the router?
Yes, it is possible, but in this case you need to deploy in transparent mode; some of the advanced features may not be effective while you are running in transparent mode.
If you would like to deploy in routed mode, you need to make the necessary design changes to get optimal results.
10-23-2019 06:37 AM
Yes, it is possible, but in this case you need to deploy in transparent mode; some of the advanced features may not be effective while you are running in transparent mode.
- What advanced features won't be effective if I'm running in transparent mode?
If you would like to deploy in routed mode, you need to make the necessary design changes to get optimal results.
- That would be a mess because this is my current implementation.
I forgot to add that my router runs DMVPN for the DRC and the office.
10-23-2019 07:16 AM
Any transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop by connected devices.
It is for use cases where you want to forward all the L2 traffic via the FW (you have difficulties changing the topology in an existing environment and deploying FTD inline).
Unsupported features:
1. DHCP relay
2. Routing protocols (only static routes allowed)
3. Multicast routing
4. QoS
5. VPN
10-23-2019 07:55 AM
10-23-2019 08:28 AM
Yes, in that case it is the right candidate for you.
You can also contact your local SE to deploy one for you before you buy one, so you are confident enough when asking for funds from management or the business.
10-23-2019 08:52 AM
10-23-2019 09:25 AM
Personally I do not see any downside, but there is a dependency (if there is no other option, like at a branch, you can do all in one, because of single-box maintenance).
If I were you, and if the budget is available, I would go with a different box.
Yes, the local Cisco partner test-and-buy model, so you know what you are buying and it is tested as per your environment.
10-23-2019 10:48 AM