Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
35709
Views
71
Helpful
30
Replies

Cisco ASA FTD vs Firepower Software

Go to solution
rjadhav163
Level 1
Level 1

‎05-17-2016 12:19 PM - edited ‎03-12-2019 12:45 AM

Hi

I am confused between Firepower FTD stuff and Firepower Services Software. So following are my questions based on what I understood:

With Firepower Services Software module:

1. You have your normal ASA OS and then you download the Firepower Services Software. Or is the compatible firewall always shipped with the Firepower Services Software pre installed?

2. So ASA will do - Routing, ACLs, NAT, VPN

          Firepower Services Software will do - AVC, URL Filtering, NGIPS and AMP

Is this understanding correct?

3. ASA as well as Firepower Services Software can be managed by ASDM and CLI. But only Firepower Services Software can be managed by Firepower Management Center i.e. only the above mentioned 4 functions of Firepower Services Software can be controlled by Firepower Management Center.

With FTD Image

4. There is only one image on the firewall. Correct?  (I say image because to install FTD I somehow need 2 files: like a *.lfbff file. and a .pkg file. Still confused why)

5. All the functions mentioned above for ASA as well as those provided by Firepower Services Software will be managed ONLY by Firepower Management Center. That means even if I have to add a simple ACE then I need to do it using the Management Center? Correct?

Please Clarify. Everything  with FTD/Firepower is really confusing. :-(

1 person had this problem
Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-17-2016 06:34 PM

1. The ASA is available both with and without the FirePOWER software module pre-installed. It no extra cost to specify it with so we (my company that it and other partners) typically specify it with so that it's already there in case the customer wants to activate it later.

2. That's the overall delineation of functions. The FirePOWER functions do require licensing. AVC is included with the no-cost Control license but NGIPS, URL Filtering and Malware (AMP) are licensed features that must be purchased separately.

3. Correct. (Plus you can also manage ASAs with CSM.)

4. One file, one binary image package.

5. Correct as of 6.0. (Note not all legacy ASA features are currently available in FTD - notably missing are all types of remote access VPN.) Stay tuned for changes to that with the release of 6.1 this summer.

View solution in original post

30 Replies 30

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-17-2016 06:34 PM

1. The ASA is available both with and without the FirePOWER software module pre-installed. It no extra cost to specify it with so we (my company that it and other partners) typically specify it with so that it's already there in case the customer wants to activate it later.

2. That's the overall delineation of functions. The FirePOWER functions do require licensing. AVC is included with the no-cost Control license but NGIPS, URL Filtering and Malware (AMP) are licensed features that must be purchased separately.

3. Correct. (Plus you can also manage ASAs with CSM.)

4. One file, one binary image package.

5. Correct as of 6.0. (Note not all legacy ASA features are currently available in FTD - notably missing are all types of remote access VPN.) Stay tuned for changes to that with the release of 6.1 this summer.

Go to solution
rjadhav163
Level 1
Level 1
In response to Marvin Rhoads

‎05-18-2016 12:22 AM

Thanks Marvin.

Additional Question:

Assume that I have one legacy ASA (like 5525-X) without Firepower Features enabled and another ASA (like 5508-X with Firepower) with Firepower Services Module (that is pre v6.0). And now I want to migrate them to FTD and manage them with Management Center.

What is the best way to migrate objects and ACLs and other settings (ofcourse not VPN as you mentioned) ? Do I have to manually enter everything on the Management Center? 

That would be a pain if you have 100s or 1000s of objects!

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rjadhav163

‎05-18-2016 06:07 AM

The best way would be to wait until 6.1 is out in Summer 2016. There will be a standalone migration tool available then capable of migrating objects and ACLs. Over time that tool will be enhanced and integrated into FMC.

Go to solution
rjadhav163
Level 1
Level 1
In response to Marvin Rhoads

‎05-19-2016 12:06 AM

Thanks Marvin.

Unfortunately cannot wait till that long. Have to migrate the stuff next week. Is there a CLI Interface / Shell that I can use to atleast enter objects into the Management Centre.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rjadhav163

‎05-22-2016 08:07 PM

rjadhav163  

Sorry but there's no such capability at present.

0 Helpful

Go to solution
bernardovr
Level 1
Level 1
In response to Marvin Rhoads

‎08-15-2017 03:59 PM

Hi Marvin,

I have a question of the ASA 5516-X FTD, I want to reimage this device with an ASA IOS, because the costumer want to have the ASA conifguration via CLI. My doubt was, if I reimage this ASA with ASA IOS can I deploy the sfr module and integrate with Firepower Management Center? or we lose the module with capabilities Firepower as you mentioned with the appliance 4110?

Thanks!

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to bernardovr

‎08-15-2017 07:25 PM

bernardovr  ,

When you reimage an ASA with FTD to ASA image type, you have a "regular" ASA capable of running the Firepower service module.

Note the license types for FTD vs. Firepower service are different so the device would have to be relicensed for Firepower services. There is no "migration license" or such.

Go to solution
bernardovr
Level 1
Level 1
In response to Marvin Rhoads

‎08-17-2017 09:05 AM

Hi Marvin, 

Thanks for the answer, one question more the relicense has no cost? Or the costumer must buy the license. 

Thanks!

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to bernardovr

‎08-17-2017 09:08 AM

You're welcome.

They are different license SKUs with different costs. The new image would need newly purchased licenses. If it is a significant deal size, you may want to speak with the account manager from Cisco for potential relief on the cost.

0 Helpful

Go to solution
anil.kumark
Level 1
Level 1
In response to Marvin Rhoads

‎05-22-2016 07:15 PM

Hi Marvin,

Kindly post any document over the difference of ASA with firepower & FTD. When to choose which one would help us to understand the product better.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to anil.kumark

‎05-22-2016 08:08 PM

[@anil.kumark]  

For now the respective data sheets are the best publicly available source. If you work with your partner or Cisco SE, they can assist with additional information to guide your decision making.

0 Helpful

Go to solution
anil.kumark
Level 1
Level 1
In response to Marvin Rhoads

‎05-24-2016 09:28 PM

Thanks Marvin however I am looking for limitations around the technical implementation of FTD and ASA here,

1. Does the 4100/9300 appliance support running ASA image with firepower service as software just like the ASA X series?

2. Do the 4100/9300 appliance support running ASA or FTD operation with inter & Intra clustering?

3. Do the 4100/9300 appliance support running ASA or FTD image in HA mode (active/standby or active active) in intra and & inter chassis? 

0 Helpful

Go to solution
PAUL GILBERT ARIAS
Level 5
Level 5
In response to anil.kumark

‎09-14-2016 01:43 PM

Hi, Where you able to get the answers? I am supposed to deploy a 4110 but I need it in ASA mode so that we can run similar things as the ASA 5500X. Is this possible?
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to PAUL GILBERT ARIAS

‎09-14-2016 07:36 PM

4110 with ASA image supports all base ASA features (stateful firewall, L2L VPN,remote access VPN etc.).

It does not and will not support FirePOWER module.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card