ASA 5506 to FTD or not FTD, the end of all good things

Michael Braun
Level 1

Hello community, 

As rumors go, EOS for the ASA 5506 is within reach.

If you belong to the group using ASA 5506 with Firepower Services, this will kinda feel like the end of life as we know it. 

At least to anyone firewalling the bejesus out of the ASA.

As we know, for some time now we cannot upgrade the 5506 anymore because it will not run with the Firepower services past the 9.8 IOS (I think - at least not to any of the 9.double digits).

I have quite a bunch of these running and everyone is quite happy with it. You have the nice ASA features and the additional firepower services to stop the higher layer threats.

Now we may be forced to upgrade to FP1010 running either FTD or ASA image. And here is where the predicament starts.

I may be wrong, but this is what I ran into.

My installations on the ASA run with BGP and routed VPN (VTI) with multiple WAN connections to multiple sites (and it works like a charm).

From what I can tell, there is no VTI anymore with the FTD image - but maybe I just overlooked it.

To circumvent this, ok, let's install the ASA image - oh but wait, then you cannot run Firepower services - wait what?

(Among other restrictions)

So from what I can tell, the FTD feature set is what like 30% of what the ASA can do? (in particular BGP, NAT, VTI, multiple WAN with VPN failover). So is the ASA IOS really going down the drain? Being forced to FTD with no real console, limited features? Because looking at the usual suspects (Fortinet, Palo Alto, Sophos) they all seem to not have that issue. 

(Also, smart license that needs a connection to Cisco? - what about setups where there is no internet permitted - yes they do exist - what will happen if the firewall cannot connect to the licensing center - will it just stop working with the advanced features?)

If anyone can share some insight if you have been using FTD for some time, I would like to hear it.

'Cause as it stands right now, I will be replacing all 5506 installs (just around 400 or so) with a different vendor.

Cheers

Markus

3 Replies

Hi @Michael Braun 

Yes, currently there is not full feature parity between FTD and ASA, but with every new release new features are added to FTD. As of FTD 6.6 VTIs are not supported, however they are coming in FTD 6.7 - which is due late Oct '20 or early Nov '20, so not long to wait.

With the FTD's you do get central management for those 400 devices, using either on-prem with FMC or cloud based using CDO.

ASA still has a future according to Cisco, reference here.

https://community.cisco.com/t5/security-ccp-discussions/ask-me-anything-network-security-firewall/td-p/4151559

If you have no internet connectivity you can run a licensing satellite server:

https://community.cisco.com/t5/network-security/ftd-license-for-basic-nat-fw-in-air-gap-enviroment/td-p/3063531

HTH

Hi,

Alright, thanks for the insight. Still, it took Cisco years for VTI (if it is really coming end of '20). How much longer will it be for the rest to be implemented? So we can just hope the ASA will run for a few more years.

As for the smart license, needing to have a connection to the cloud (even if periodic) - that alone will be the deal breaker. If Cisco cannot supply a permanent license system like on the ASA - then bye bye Cisco - 20 years, we had a good run and it's not just ASAs; switches - already annoying with forced DNA (another thread), WLAN (outrageous license cost) etc. all will follow.

Quite recently we had a tough time working against HP in the switching area due to DNA's excessive cost and no way to NOT buy it. And it does not matter if it's a cool feature (that's probably only useful if I fork out another lump sum for centralized management); if the customer does not want it, that is the end of the story. (Yea, Cisco switches are better than HP, that's not argued.)

Cisco forcing partners to buy features no one wants will just lead to partners going elsewhere. It's already evident looking at Gartner that the playing field is changing and Cisco (with firewalls at least) is on the losing end. (Some customers already went to Palo Alto and I have Sophos and Fortinet pushing in really hard, and every day, defending Cisco gets more difficult.)

Michael Braun
Level 1

So here we go again, another 2/3 years down the road and we barely move one foot forward. 

So I decided to give it another shot - configure an FP1010 - but just because a customer wanted one, because he had such good experience with an ASA.
Booting up the first time, of course it had an old image. Upgrading - oh no, been there before.
So Cisco has still not managed to make it possible to upgrade from one version to another - no - you have to do baby steps.
Upgrade from this version to that version so you can upgrade to the next version.
Each one taking FOREVER, because of a ridiculous image size. 1.5GB +/- a few.
In between, crashes, Web Interface not being accessible anymore, plain not wanting to boot, rejecting every PW at the login, among other things.

A couple of days later, we finally arrived at an image that does not crash or lose its config. Woohoo.

Ok, so we configure it stand alone - not with a FMC.

... add another admin user - uhm, where is... what? There can only be ONE (1) admin? Really???? WHAT IN THE WORLD IS GOING ON!?!?!
There is absolutely NO reason for that. But oh well....
Let's make the browser window bigger.. wait, what is happening? On my 4k monitor, all I can get is a tiny 1024 display in the middle of the screen??? It does not scale - are you kidding me?
Oh, wait, if I scroll down the object list it has to load? Why can't I see all of them at once? WHAT!?????
Suddenly I feel like I am back 20 years ago, when there was no higher resolution than 1280x.
OMG, Cisco can't be serious. Who is coding this????
Ok, so where can I see if my site2site VPN is up? Ah, I cannot? I have to have (maybe) a FMC 4 that?
At least I can see it via shell, but seriously, what are they thinking?
Alright, let's ignore these facts (that are alone already enough reason to NEVER buy a FP).
Let's hook up our customer with client VPN. - What do you mean I need a license? What happened to the 2 free admin users like on an ASA? Gone you say, ok. Well let's buy one license then..... ah, the smallest pack is 25 - uhm ok, just about 2000 bucks - almost a bargain, for a $400 firewall for 1 single user..
Alright let's skip that, let's use IpsecV2 or L2TP.... what do you mean that is not possible?? Just AnyConnect? What? Are you for real?

The list goes on and on. This is THE WORST EVER attempt to combine a firewall with an IDS system into one box.

Let's reboot this thing - 20 minutes later - it seriously takes 15-20 min to boot - yea there is a reason, because FP uses a database for its rule set - and most people know, booting a database is .... time consuming.

WHY WHY WHY ???? What is wrong with you?

After that - the 2 FP1010 left the building and have been replaced with something else.

They will be sold on the BAY, regardless of the loss, lesson learned. No more Cisco FP.

The FMC is not much better. If you have a bunch of 5506s running with FP, you are stuck on v6.6 because if you upgrade past that (it actually won't let you) - you cannot register them in the FMC. There is no reason or excuse except that backdoor to make you buy new FP models. Well guess what, Cisco. All ASAs will be replaced with NOT Cisco. (And I haven't even started on the stupid smart license yet - just another push for printing money instead of making a good device/software.)

Finally I understand why everyone I know running Cisco ASA is dropping Cisco altogether - not just firewalls, but the rest of Cisco too - Switching and Wireless.