Beginner

ASA 5506 to FTD or not FTD, the end of all good things

Hello community, 

as rumors go, EOS for the ASA 5506 is within reach. 

If you belong to the group using ASA 5506 with Firepower Services, this will kinda feel like the end of life as we know it. 

At least to anyone firewalling the bejesus out of the ASA.

As we know, for some time now we cannot upgrade the 5506 anymore because it will not run with the firepower services past the 9.8 IOS (I think - at least not to any of the 9.double digits).

I have quite a bunch of these running and everyone is quite happy with it. You have the nice ASA features and the additional firepower services to stop the higher layer threats.

Now we may be forced to upgrade to FP1010 running either FTD or ASA image. And here is where the predicament starts.

I may be wrong, but this is what I ran into.

My installations on the ASA run with BGP and routed VPN (VTI) with multiple WAN connections to multiple sites (and it works like a charm).

From what I can tell, there is no VTI anymore with the FTD image - but maybe I just overlooked it.

To circumvent this, ok, let's install the ASA image - oh but wait, then you cannot run firepower services - wait what? 

(Among other restrictions)

So from what I can tell, the FTD feature set is what like 30% of what the ASA can do? (in particular BGP, NAT, VTI, multiple WAN with VPN failover). So is the ASA IOS really going down the drain? Being forced to FTD with no real console, limited features? Because looking at the usual suspects (Fortinet, Palo Alto, Sophos) they all seem to not have that issue. 

(also, smart license that needs a connection to Cisco? - what about setups where there is no internet permitted - yes they do exist - what will happen if the firewall cannot connect to the licensing center - will it just stop working with the advanced features?)

If anyone can share some insight if you have been using FTD for some time, I would like to hear it.

Because as it stands right now, I will be replacing all 5506 installs (just around 400 or so) with a different vendor.

Cheers

Markus

VIP Advisor

Hi @Michael Braun 

Yes, currently there is not full feature parity between FTD and ASA, but with every new release new features are added to FTD. As of FTD 6.6 VTIs are not supported, however they are coming in FTD 6.7 - which is due late Oct '20 or early Nov '20, so not long to wait.

With the FTDs you do get central management for those 400 devices, using either on-prem with FMC or cloud based using CDO.

ASA still has a future according to Cisco, reference here:

https://community.cisco.com/t5/security-ccp-discussions/ask-me-anything-network-security-firewall/td-p/4151559

If you have no internet connectivity you can run a licensing satellite server:

https://community.cisco.com/t5/network-security/ftd-license-for-basic-nat-fw-in-air-gap-enviroment/td-p/3063531

HTH


Hi,

Alright, thanks for the insight. Still, it took Cisco years for VTI (if it is really coming end '20). How much longer will it be for the rest to be implemented? So we can just hope the ASA will run for a few more years.

As for the smart license, needing to have a connection to the cloud (even if periodic) - that alone will be the deal breaker. If Cisco cannot supply a permanent license system like on the ASA - then bye bye Cisco - 20 years, we had a good run. And it's not just ASAs; switches (already annoying with forced DNA - another thread), WLAN (outrageous license cost) etc. will all follow.

Quite recently we had a tough time working against HP in the switching area due to DNA's excessive cost and no way to NOT buy it. And it does not matter if it's a cool feature (that's probably only useful if I fork out another lump sum for centralized management); if the customer does not want it, that is the end of the story. (Yea, Cisco switches are better than HP, that's not argued.)

Cisco forcing customers to buy features no one wants will just lead to partners going elsewhere. It's already evident looking at Gartner that the playing field is changing and Cisco (with firewalls at least) is on the losing end. (Some customers already went to Palo Alto, and I have Sophos and Fortinet pushing in really hard, and every day defending Cisco gets more difficult.)