11-04-2021 08:08 AM
Is the SFR module on a 5516X ASA considered an FTD? Reason I ask is that I have FMCv v7.0.1 managing ASA 9.16 devices that have V7.01 Firepower code installed. The option to upgrade to Snort3 seems to be available but documentation says Snort3 is only for FTD. Can I upgrade these devices to Snort3?
Thanks,
Diego
11-05-2021 12:08 AM
Hi,
FTD is not ASA with Firepower Services.
You do not seem to have FTD.
You manage using FMC your Firepower Services module installed on top of ASA software and hardware.
BR,
Octavian
11-05-2021 07:17 AM
Yes, I would agree with that. My worry is all the Snort3 documentation I find references only FTD but yet the FMC is giving me the option to upgrade.
11-05-2021 10:58 AM - edited 12-14-2021 10:29 AM
Snort is the IPS engine in Firepower - both as part of FTD and Firepower service modules.
Even if your ASA Firepower service module supports version 7.0 (not all do, but the ASA 5516-X does) Snort 3 is only supported on FTD devices (i.e. not ASA with Firepower service module).
(edited to correct my earlier incorrect reply that we could run Snort 3 on a Firepower service module - we CANNOT.)
11-05-2021 11:46 AM
Very glad to hear that. I wish the documentation would specifically mention the ASA FP services platform somewhere to avoid doubt.
Thank you sir.
12-14-2021 06:26 AM
Marvin,
I finally got a chance to try to upgrade the firepower services module (currently on v7.0.1) to Snort3 and the FMC told me the device was not compatible with snort3. Maybe snort3 is only for ASA hardware that has been re-imaged as FTD device? Should I open a ticket with TAC for further investigation? Thanks
12-14-2021 10:30 AM
@tato386 sorry my earlier response was incorrect. I have since also verified that we cannot run Snort 3 on a Firepower service module.
I've corrected my earlier response. Sorry for the confusion
12-14-2021 03:45 PM
No worries! I just wanted to make sure I wasn't missing something.
Thanks
06-12-2023 06:48 AM
Sorry to re-awaken this old thread, but I just discovered that somehow it was possible to run SNORT 3 on a 5516-X:
Surprisingly this even worked, although this ASA just ran out of memory.
06-12-2023 07:05 AM
@patoberli the difference is that it is running FTD - not the Firepower service module.
06-12-2023 08:49 AM
In that specific case it's officially possible to run Snort3? If yes, then I really interpret the release notes differently.
06-14-2023 01:16 AM
Yes it is possible with 7.0+ @patoberli. See the release notes here: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html
The section heading "Snort 3 for FTD" does not restrict what platform running FTD 7.0 it applies to.
06-14-2023 06:08 AM
There it indeed isn't stated, unlike here in the configuration guide https://www.cisco.com/c/en/us/td/docs/security/firepower/70/snort3/config-guide/snort3-configuration-guide-v70/overview.html where they state:
Hardware support—Snort 3 is supported only on FTD of version 7.0 and above. Snort 3 is not supported on ASA 5500-X or Firepower 7000 and 8000 series devices.
Or do they mean by "FTD" only the module and not if it's running full "FTD" image? I assume not, based on the wording.
06-14-2023 06:18 AM
I believe the document you cited should read "ASA 5500-X with Firepower service module".
The screen shot posted here earlier (as well as my own experience) shows that to be a documentation error.