ASA Deployment 2100 Deployment use cases for Appliance vs Platform mode

NetworkTinker · ‎11-13-2019

Hi, I've got a pair of FPR-2120 (new to me) sitting on my workbench and started to tinker with FXOS as ASA Deployment before opening up the documentation to formally learn more about it.... (I've been working with the 55xx for a while) As a result of the documentation I've come to learn a few new definitions in version 9.13.....

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100-gsg/asa-appliance.html

To paraphrase you can now run the units in 2 modes as of 9.13!

Platform mode - gives you the full functionality of FXOS (as version prior).
Appliance mode(new) - remove the complexities of initial FXOS setup , and is more like 55xx ASA SW but can access FXOS if needed.

The documentation doesn't really provide any use-cases for one VS the other (nor dose CLI books), and was wondering what the community thinks to choose one over the another.

as I've not used this version HW or SW before,so I'm not aware of any particular software limitations/gotcha learn from experience in deploying these..... at the moment, I see in the doc there not support in for Backup nor AAA in Platform mode,......Ouch

I think my use could go either way as it's for a remote office via internet over IPSEC VPN(managed remotely). where the FXOS management network could sit behind the ASA inside interface off a switch SVI .(effectively routed via ASA to the SVI to reach that network.). at the moment.

Thanks for considering my request.

Marvin Rhoads · ‎11-15-2019

Appliance mode is brand new and more likely to have bugs in the initial release. Personally I'd steer clear of it outside the lab for now.

You noted the obvious differentiators already. If those are important to our operational environment then test it in the lab and consider adopting sooner rather than later. Otherwise sit back with the existing model and let others blaze the trail ahead of you.

zheka_pefti · ‎03-30-2022

I came across this thread while researching on differences between appliance and platform modes of 2100 series firewall. Learned it the hard way that the platform mode is more preferred for the ability to manage the device out of band especially in the situation when data interfaces of the ASA firewall can't be reached. My question is if there's any way to dedicate the serial console to the ASA firewall so that upon connecting to it via the terminal server the user ends up on the ASA but leaving the management interface dedicated to SSH connections to FXOS in either of the modes ?

EthanIsenberg75263 · ‎04-10-2022

when connected via console run the "connect asa" command

firepower-2120#
firepower-2120# connect asa
Attaching to ASA CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

ciscoasa/act/pri>

zheka_pefti · ‎04-10-2022

Thank you, this is not what I asked. I knew about it from the very beginning. My question was about using different physical ports to manage FXOS and ASA

EthanIsenberg75263 · ‎04-10-2022

Just re-read your post and now see what you are asking.

BTW - which mode (platform/appliance) did you end up going with?

zheka_pefti · ‎04-10-2022

It's in the platform mode. The need to manage both devices (FXOS and ASA) independently comes from strict compliance. The client needs to put controls to everything that can be accessed, and being able to manage both of them in the out of band channel.

Marvin Rhoads · ‎04-10-2022

@zheka_pefti as far as I know there is no way to dedicate the physical ports (serial console vs. management) in the way you are asking.

johnlloyd_13 · ‎07-22-2022

hi marvin,

it's already 2022, have you heard/read that ASA in 'appliance mode' still having some bugs?

i'll be deploying FPR 2120 to replace ASA 5500-x and would like to immediately setup and run these devices.

is there an advantage in running 'platform' vs 'appliance' mode other than complete HW control in platform mode?

i don't see myself tinkering the internal HW via FXOS. are all interfaces enabled by default in 'appliance' mode?

Marvin Rhoads · ‎07-25-2022

@johnlloyd_13 i haven't seen any issues with appliance mode; but then again I don't know how widely it's deployed. My customers are almost all running FTD these days (or planning to migrate to it).

jwalters@data-tronics.com · ‎11-15-2023

@Marvin Rhoads my device is in appliance mode. How do I set it for platform mode?

Marvin Rhoads · ‎11-15-2023

jwalters@data-tronics.com you change it from the console as described in this guide:
https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100-gsg/asa-platform.html#task_jgs_ntw_shb
Short version:

conf t

no fxos mode appliance

wr mem

reload

johnlloyd_13 · ‎11-15-2023

hi,

why do you want to convert the ASA to platform mode?

usually you'll run the ASA in appliance mode (classic ASA mode) so you don't have to configure anything in the FXOS.

Chess Norris · ‎12-09-2023

@Marvin Rhoads I have a customer who run his FPR2100 in platform mode. Now he lost the password to the chassis manager and it looks like we need to reimage it to recover the password. I was wonder if we instead could change to appliance mode? I think we dont need chassis manager access to do this, right?

Will the asa configuration be saved if we change to appliance mode?

What would be the impact of switching appliance mode? Is it only a reload that's required?

One last question. If you are running in platform mode, can you still upgrade the ASA software from the CLI/ASDM or is chassis manager access required?

Thanks

/Chess

Marvin Rhoads · ‎12-10-2023

@Chess Norris

"When you change the mode, the configuration is cleared and you need to reload the system. The default configuration is applied upon reload. "

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100-gsg/asa-platform.html#task_jgs_ntw_shb

In platform mode, you can still upgrade the ASA from the ASA management cli.