cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
41879
Views
55
Helpful
58
Replies

ASA FirePOWER Threat Defense unified image (FTD)

ilukeberry
Level 1
Level 1

Hi

Can someone from Cisco please explain what this image is? And what parts of ASA does include ? Can it do VPN/Anyconnect ?

Is ASA OS getting retired ?

Regards

58 Replies 58

ilukeberry  ,

A migration tool will be offered later this year (ca. summer 2016).

Don't expect full feature parity until sometime in 2017.

Marvin thanks for answer it seems you know more than Cisco employees :D

@Marvin Rhoads

i can not find info about what feature it is going to support/not support?

http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html

also i can not find the software to download it?

https://software.cisco.com/download/release.html?mdfid=286271171&flowid=77243&softwareid=286306337&release=6.0.1&relind=AVAILABLE&rellifecycle=&reltype=latest

Can you provide me with links please?

Regards

Walied

-------------------------------

edit:I just found, links added

Per: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-55xx-X-qsg.html there are re-image options for many models, but I didn't see the 5585-x.  These are a hefty investment.  Will there be re-image or migration options for these?

On 5585-X FirePOWER runs on seperate blade. So afaik there wont be unified image. 

Correct - there's not currently a unified image for the 5585-X hardware. As of right now that's not supported and it's TBD whether it ever will be.

Generally speaking the new FirePOWER 4100 and 9300 series is a much better fit for the high performance uses cases where the FTD image feature set is desired. That's from both a cost and performance perspective.

The 5585-X should be the platform of choice where the full ASA feature set (remote access VPN, clustering, multiple context etc.) is required, potentially with the (non-unified image) NGIPS features via the SSP blade.

I would expect Cisco will eventually offer Investment Protection Program (IPP) and Technology Migration Program (TMP) options for 5585-X customers if and when they are ready to migrate. (That's just speculation informed by past experience on my part and nothing that's been decided at this point as far as I know.)

I have a few questions.

  1. There is no documentation regarding the path Cisco is taking the ASA, yet the platform seems to be dramatically changing.  Is there a definitive road map for the future of the ASA hardware and software platform?
  2. Is the FTD unified image a different operating system than the ASA OS?
  3. Will the FTD unified image operating system still have the ASA command line with the same configuration and commands we use on the ASA OS?
  4. How long will Cisco maintain ASA OS before we will be required to upgrade to FTD?
  5. I'm assuming FTD will be managed by the FirePower Management Center.  Is this correct?
  6. Will the ASDM continue to be used to manage the traditional ASA firewall features such as ACLs, NAT, IPSec, Routing, etc, or are these features being moved into FTD and to be managed with the FMC?  Is ASDM being replaced?

Thanks.

Hi

>I am not 100% sure about whats the future roadmap for ASA as that is subject to change but FTD is the future.

>FTD unified image is combination of ASA and firepower so ASA OS is same but all the config is supposed to be done from GUI and not CLI. CLI can be used for troubleshooting and same set of commands used in ASA can be run in ASA part of it.

>There is no decision yet on when ASA OS will be discontinued as FTD doesn't yet support all of ASA features so we need to wait and see how things turn out but it will be quite some time.

>Yes FTD will be managed by Firepower management center.

>There will be a release (under roadmap) where ASDM can also manage both ASA and Firepower for few models but its under development. With current release , everything is being done from Firepower management center.

Thanks

>There will be a release (under roadmap) where ASDM can also manage both ASA and Firepower for few models but its under development. With current release , everything is being done from Firepower management center.

Why the heck would you want to manage FTD with old, ugly and JAVA based ASDM ?

This is currently possible with 9.3/9.4 ASA code w/ FirePOWER 6.x stuff.

>Yes FTD will be managed by Firepower management center.

No on-box management ? you need FMC VM/Appliance to manage FTD ?

Hi,

so the image works well, but we have problems with the SMART-Accound. could it be, that a downgrade to the ASASFR image is impossible?

I get the whole time Bad Magic Block errors....

kind regrads

Hello Team,

If you have any issues with the smart account , you need contact the below team.

  • Licensing : +1 919-574-1701

For asa sfr other than downgrade, the reimage is possible. That is reinstalling the module once agian using the following link. Just try to search for keyword reimage  in following link.

Its for the software module

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Let me know if you have a hardware module.

rate if the post helps you.

Regards

Jetsy 

Hi,

I want to ask for Reimage of Firepower Threat Defense on ASA5506-X.

  1. Booting with image ftd-boot-9.6.2.0.cdisk ,I can download it from tftpdnld but doesn't appear boot system >. After download it, appeared as rommon #. Therefore I can't make install the image of ftd-6.1.0-330.pkg.

  2. May I know the License Requirements for Reimage of Firepower Threat Defense.

Thanks.

The .cdisk file is not for your hardware. As noted on the download page for that image, it is "Firepower Threat Defense v6.1.0 boot image for ASA 5512/5515/5525/5545/5555 devices".

The 5506, 5508 an 5516-X platforms require the cryptographically signed boot images. For the 5506, you would find file "ftd-boot-9.6.2.0.lfbff" here: 

https://software.cisco.com/download/release.html?mdfid=286283326&flowid=77251&softwareid=286306337&release=6.0.1.2&relind=AVAILABLE&rellifecycle=&reltype=latest

Is is titled "Firepower Threat Defense boot image v6.1.0 for ASA 5506/5508/5516 devices".

Simply having an ASA does not entitle you to the advanced features of the FTD images. You need to license them using their own licensing structure, which is similar to the FirePOWER modules. There is a Base license (automatically included with new orders), in addition to Threat, Malware and URL Filtering licenses - the latter all term-based licenses that require Cisco Smart Licensing.

There is an FAQ posted here that explains the licensing in more detail:

https://supportforums.cisco.com/discussion/12944426/firepower-threat-defense-smart-licensing-faqs

Hi Marvin,

Thanks you for your kindly help. I can install the image ftd-6.1.0-330.pkg.

Thanks.

You're welcome. Please rate the reply if it helped.

Review Cisco Networking for a $25 gift card