Access remote FTD using FDM via outside interface

Travis-Fleming
Level 1

Hello, I have an FTD I am looking to deploy remotely to a home user. Overkill, I know. Wondering about being able to manage that guy via FDM via the outside interface? I have an ACL to allow my public IP to the LAN side of the FTD. I can ping the outside interface. Is there a command or something in FDM that I can use to designate the outside interface to also be the management interface? Or (because the FTD is acting as a site-to-site VPN device for the home user) do I re-IP the FTD MGMT interface IP to one in the local LAN?

We have 50+ ASA 5505s that are near EOL, and are looking to replace them with NGFW 1010s, so I'm just doing a test now. The device would be a site-to-site VPN for the home user, and would supply PoE to their Cisco phone.

26 Replies

Hey Daniel, I finally got an answer from Cisco TAC. This particular piece is an enhancement request, and I wasn't the only customer on the request.

 

From the TAC case:

"I had a discussion with high resources that are already involved on my own ticket and they concluded that this is just not supported over FTD code like it does on the ASA code. Having that said, we are in the process of opening an enhancement request so this can be included in future releases."

Hi Marvin,

I'll be doing a POC to manage our ASA ACLs and inventory. Not sure if you've heard of AlgoSec, and I was wondering if CDO is better?

We've got a mix of ASA 5500-X with and without FP modules and will be looking towards FTD/FP boxes in our next HW refresh.

@johnlloyd_13 I've heard of Algosec but never used it.

Generally speaking I'd say CDO is going to be the better solution for a Cisco estate vs. any third party product. Also, Cisco is following an Agile development model with CDO and new features are coming out quite frequently at no additional cost to you.

https://docs.defenseorchestrator.com/Welcome_to_Cisco_Defense_Orchestrator/0010_What's_New_for_Cisco_Defense_Orchestrator

If you have a multivendor environment then perhaps a third party product will be better - it's likely to cost you a LOT more though.

https://www.scmagazine.com/review/algosec-security-management-solution-2/

Hi Marvin,

Thanks for your valuable insight!

I look forward to doing some POC or labbing up CDO.

CDO looks simple and easy to use compared to FMC.

Hi,

Did you ever find a solution for this? I have the exact same problem. The VPN tunnel is up and running but I can't connect to FDM via the VPN tunnel.

No, never managed to get it working. Ended up migrating to Fortinet.

Please see the following video showing how we can now do what you're asking (as of release 6.7):

https://www.youtube.com/watch?v=F3Ma6TnXKXw&t=382s

Yes, but only when I manage the FTD device via FMC, and I want to manage it via FDM. The FP 1010 device will be installed at a remote office and builds a VPN S2S tunnel to the main office. I want to access the FDM over the VPN tunnel.

Agree, this is a great step forward for Cisco, but I have the same use case where they are being deployed to remote offices and not managed via the FMC. We don't have the need to manage them through our FMC for a home user, and the amount of home users we have would quickly dwarf the capabilities of our virtual FMC.

 

Our solution was to buy some Cisco C881-K9s with the PoE mothercard, and just route all traffic back to a site-to-site VPN at our HQ. All the remote user internet traffic goes through our HQ this way, but it was a cheap alternative. And we can monitor them all via SNMP.

So you have multiple remote FDM-managed Firepower 1010s that you want to manage via a data interface (inside) that you reach via site-to-site VPN?

What version are they running? In current versions (6.7 and above) you can enable a data interface to manage the device (even with FDM management only).

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/features.html#Cisco_Generic_Topic.dita_39b645ee-e988-4e0b-9cfb-79c15424f395

FDM Management via data interface

(Cisco would recommend you use CDO to manage them all in this use case.)

Oh interesting, the video had a screen cap that said it only worked with the FMC. I have a 1010 sitting on a shelf I'll hook up and try that with. But yeah, you hit the nail on the head there: remote FDM-managed Firepower 1010s we want to manage via the inside interface over a site-to-site VPN.

I already configured that but it doesn't work. The inside interface (vlan10) was not even pingable, so I configured this command via FlexConfig:

 

management-access vlan10

 

After that I was able to ping the inside interface vlan10 via the VPN tunnel, but FDM access is not working. When I try to open the FDM I can see the HTTPS packets incoming in the log, but FDM is not reachable.
