Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
899
Views
15
Helpful
5
Replies

4110 cluster with ASA and FXOS

Go to solution
john.borhek
Level 1
Level 1

‎11-25-2016 04:55 PM - edited ‎03-12-2019 01:35 AM

Hi,

noob here. We have created a functioning ASA cluster on our 4110's, and now we need to install FXOS.

One of the engineers says we have to wipe the entire device in order to install FXOS, and honestly I don't know. I did find this this compatibility guide which indicates FXOS in compatible with ASA Version 9.6(2) (which is what we have installed).

http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

My question: Is this correct and do I authorize the extra hours to wipe and re-configure?

Thanks in advance,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-26-2016 01:15 AM

Perhaps there's some confusion in terms here.

The 4100 series (and 9300) have FX-OS (FirePOWER eXtensible Operating System) as the operating system for the physical chassis. You cannot have functioning chassis without FX-OS running on it. FX-OS has a cli interface and a GUI. The GUI is FirePOWER Chassis Manager (FCM).

From FCM one deploys logical devices - ASA and FirePOWER Threat Defense (FTD) are the two types of logical devices. The 4100 series supports only a single logical device as it only has a single Security Module (SM). (The 9300 can accommodate up to three.) So on a 4100 series you deploy one or the other logical device type exclusively. You still retain the underlying FX-OS and continue to manage the chassis via FCM in either scenario. Even upgrading FX-OS versions does not require re-imaging the ASA logical device.

If you migrate from an ASA logical device to an FTD logical device, that requires deleting the ASA and re-deploying a new logical device using the FTD code image. The actual deployment is quick - under an hour even if it's your first one (assuming you have had the basic field engineer training or read the fine manual).

Configuration of FTD is akin to an ASA plus a FirePOWER sensor and can be a bit more involved, especially if one if trying to migrate an extensive ASA configuration into the equivalent policies on FTD.

(Edit - updated to reflect FCM nomenclature. There is a separate tool - FirePOWER Device Manager or FDM - used for on-box configuration of ASA appliances running the FTD image only.)

View solution in original post

5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-26-2016 01:15 AM

Perhaps there's some confusion in terms here.

The 4100 series (and 9300) have FX-OS (FirePOWER eXtensible Operating System) as the operating system for the physical chassis. You cannot have functioning chassis without FX-OS running on it. FX-OS has a cli interface and a GUI. The GUI is FirePOWER Chassis Manager (FCM).

From FCM one deploys logical devices - ASA and FirePOWER Threat Defense (FTD) are the two types of logical devices. The 4100 series supports only a single logical device as it only has a single Security Module (SM). (The 9300 can accommodate up to three.) So on a 4100 series you deploy one or the other logical device type exclusively. You still retain the underlying FX-OS and continue to manage the chassis via FCM in either scenario. Even upgrading FX-OS versions does not require re-imaging the ASA logical device.

If you migrate from an ASA logical device to an FTD logical device, that requires deleting the ASA and re-deploying a new logical device using the FTD code image. The actual deployment is quick - under an hour even if it's your first one (assuming you have had the basic field engineer training or read the fine manual).

Configuration of FTD is akin to an ASA plus a FirePOWER sensor and can be a bit more involved, especially if one if trying to migrate an extensive ASA configuration into the equivalent policies on FTD.

(Edit - updated to reflect FCM nomenclature. There is a separate tool - FirePOWER Device Manager or FDM - used for on-box configuration of ASA appliances running the FTD image only.)

Go to solution
Oliver Kaiser
Level 7
Level 7
In response to Marvin Rhoads

‎11-26-2016 01:15 AM

Good explanation, but you might wanna change Firepower Device Manager (FDM) to Firepower Chassis Manager (FCM).

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Oliver Kaiser

‎11-26-2016 05:22 AM

Servus Oliver!

Good catch - I updated my post with the correction.

0 Helpful

Go to solution
john.borhek
Level 1
Level 1

‎11-26-2016 06:04 AM

Thanks. Clarification helps a lot!

  • On 4100, only one logical device on the chassis: ASA or FTD
  • FTD is roughly equivalent to ASA + FirePOWER Sensor
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to john.borhek

‎11-26-2016 06:06 AM

tl;dr = correct!

You're welcome.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card