Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1099
Views
0
Helpful
8
Replies
Piotr Kowalczyk
Beginner
Beginner
‎10-06-2021 03:05 AM
‎10-06-2021 03:05 AM

Cisco 1010 QoS with FDM only.

Hi,

I've just got new Cisco 1010 and decided to use Firepower NGFW instead of ASA image, just to learn. All seems fine when using FDM web interface, but it looks quite limited in feature. Unfortunately I can't afford FMC license and I have to set QoS policies, which doesn't seem to be available on FDM. As far as I understand my only option will be CLI (or am I wrong and there is other free tool which I can use)? I've tried to find any documents about this, but all refer to FMC. Could you help please?

0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Rob Ingram
VIP Expert VIP Expert
VIP Expert
‎10-06-2021 03:15 AM
‎10-06-2021 03:15 AM

@Piotr Kowalczyk 

Yes, you cannot configure QoS natively using the FDM GUI, your only option is potentially to use FlexConfig, where you can use the old ASA CLI commands to deploy to the FTD.

 

Here is an example of the ASA QoS commands.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html

 

You'll need to take these commands and deploy using a FlexConfig object/policy to the FTD.

 

Information on using FlexConfig.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-advanced.html#concept_B3DA80CF3E4243CB90179E950335C6E6

View solution in original post

0 Helpful
8 REPLIES 8
Rob Ingram
VIP Expert VIP Expert
VIP Expert
‎10-06-2021 03:15 AM
‎10-06-2021 03:15 AM

@Piotr Kowalczyk 

Yes, you cannot configure QoS natively using the FDM GUI, your only option is potentially to use FlexConfig, where you can use the old ASA CLI commands to deploy to the FTD.

 

Here is an example of the ASA QoS commands.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/82310-qos-voip-vpn.html

 

You'll need to take these commands and deploy using a FlexConfig object/policy to the FTD.

 

Information on using FlexConfig.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-advanced.html#concept_B3DA80CF3E4243CB90179E950335C6E6

0 Helpful
Piotr Kowalczyk
Beginner
Beginner
In response to Rob Ingram
‎10-06-2021 03:58 AM
‎10-06-2021 03:58 AM

Rob, many thanks for your clear reply. This is my first look at Firepower NGFW image, and I'm really surprised. I mean, I've expected this will work like old ASA with some improvements, so configuration can be fully done in cli, but this doesn't seem to be a case anymore and everything has to be done through interface. Am I correct?

0 Helpful
Rob Ingram
VIP Expert VIP Expert
VIP Expert
In response to Piotr Kowalczyk
‎10-06-2021 04:08 AM
‎10-06-2021 04:08 AM

@Piotr Kowalczyk 

Yes, the majority of the configuration has to be defined using the Web GUI. The CLI is used for configuring the management interface settings and troubleshooting.

 

Local management of the FTD using FDM does not have full feature parity with an FTD managed by the FMC nor the old ASA image, yet.

0 Helpful
Piotr Kowalczyk
Beginner
Beginner
In response to Rob Ingram
‎10-06-2021 04:10 AM
‎10-06-2021 04:10 AM

Thank you!

0 Helpful
Piotr Kowalczyk
Beginner
Beginner
In response to Piotr Kowalczyk
‎10-06-2021 09:01 AM
‎10-06-2021 09:01 AM

Unfortunately it looks this is impossible using FlexConfig. Any ides? It wouldn't make any sense that I can't do simple QoS on the firewall...

 

https://community.cisco.com/t5/network-security/ftd-1010-traffic-shaping-minus-fmc/td-p/4176198

0 Helpful
Rob Ingram
VIP Expert VIP Expert
VIP Expert
In response to Piotr Kowalczyk
‎10-06-2021 09:25 AM
‎10-06-2021 09:25 AM

@Piotr Kowalczyk sorry to hear that this won't work with flexconfig, if QoS doesn't work when deployed via Flexconfig then you cannot do it at all (yet). Like I said, unfortunately there still isn't full feature parity yet when using FDM to manage FTD. If QoS is a hard requirement for you then you can re-image the device to use the ASA software, you just don't get the NGFW features.

 

Reimage guide if you wish to reimage.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html

 

0 Helpful
Piotr Kowalczyk
Beginner
Beginner
In response to Rob Ingram
‎10-07-2021 01:14 AM
‎10-07-2021 01:14 AM

Hi Rob,

Thank you for all your help.

As I don't have support contract for this Cisco FTD 1010, could you tell me where I can download upgrade files please?

0 Helpful
Rob Ingram
VIP Expert VIP Expert
VIP Expert
In response to Piotr Kowalczyk
‎10-07-2021 02:15 AM
‎10-07-2021 02:15 AM

@Piotr Kowalczyk 2 options, contact the cisco partner you purchased the hardware from and ask them to provide the ASA image or purchase a support contract.

0 Helpful
Latest Contents
DOT1X IOS commands overview
Created by Meddane on 05-21-2022 03:14 PM
0
0
0
0
Radius server configuration for 802.1X   Server radius test1 Address ipv4 10.1.1.1 Key 1234 ! Server radius test2 Address ipv4 10.1.1.2 Key 1234 ! aaa group server radius TEST-gr  server name test1  server name test2 !      &... view more
Umbrella’s cloud-delivered firewall (CDFW)
Created by Meddane on 05-21-2022 03:04 PM
0
0
0
0
Umbrella’s cloud-delivered firewall (CDFW) is a cool features that provides Firewall Services in the Cisco Umbrella Cloud without the need to deploy on-premises firewall devices and visibility and control for internet traffic across all branch offices. To... view more
GRE over IPSec Crypto map versus Tunnel Protection (IPsec Pr...
Created by Meddane on 05-21-2022 03:01 PM
0
0
0
0
GRE over IPSec Crypto map   int tunnel 1ip add 172.16.1.1 255.255.255.0tunnel source G0/0tunnel destination 2.2.2.2!access-list 100 permit gre host 1.1.1.1 host 2.2.2.2!crypto ipsec transform-set TS esp-aes esp-sha-hmac!crypto map TESTset peer 2.2.2.... view more
ISE URL Redirection on IOS-XE
Created by Mohsin_Mohamed on 05-20-2022 01:04 PM
0
0
0
0
SymptomsDownloadable ACL (dACL) does not take effect on the IOS-XE Network Access DevicesDiagnosisCreating redirection ACL on the IOS-XE device failed to redirect the specified traffic for captive portal redirectionSolutionEnable device tracking, Below is... view more
Network Security All-in-one ASA FTD WSA Umbrella ISE VPN Lay...
Created by Meddane on 05-17-2022 06:18 AM
2
0
2
0
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad