cisco firepower 4410

cisco8887
Level 2

All,

I am configuring a firepower 4410 which has the FXOS 2.0 installed.

One confusion I have is: what is the difference between the FXOS and ASA images? When reading the documentation, it is said it can run as a logical ASA or Threat Defence system with NGFW features available.

If I run it in Threat Defence mode, can it do routing protocols?

Does it also need the FireSIGHT/Defence Center regardless of the logical mode it is running as?

If you run it as ASA, can you then enable Firepower to have the NGFW features?


Marvin Rhoads
Hall of Fame

FX-OS is for managing the hardware chassis only and deploying logical devices. Think of it as analogous to a hypervisor where you have the choice of two guest OS's (logical devices).

The logical device types:

1. ASA. Supports all of the classic ASA features. It cannot and will not ever run a FirePOWER module, and thus you cannot have the NGIPS features that you get with a FirePOWER module on ASA hardware. It has no need for, and cannot be managed by, Firepower Management Center (FMC).

2. Firepower Threat Defense or FTD. This is a unified image that supports many (but not all - most notably no remote access VPN (yet - coming very soon) and no multi-context) of the ASA features plus 100% of the Firepower features. It does support dynamic routing protocols (BGP, OSPF, EIGRP) but not as fully as the ASA does. It requires FMC.

A 4100 series can run only a single logical device at a time, so you need to choose between ASA and FTD. FTD also requires some additional licenses: Threat Defense (mandatory) plus the optional URL Filtering and Malware (AMP) licenses.

Many thanks for this.

If I run it as FTD, then will all management be through Defense Centre?

What happens if the FMC or Defense Centre becomes unavailable?

Also, do you need to download the image from Cisco and define whether it is FTD or ASA before being able to do anything useful with it?

I have configured the FXOS and it seems I can't do anything apart from downloading the software now.

You're welcome.

You manage the FTD logical device policies and review events, logs etc. from FMC.

The FX-OS Device Manager (FDM) GUI is always the exclusive manager of the chassis (at this time).

In the event that FMC becomes unavailable, all deployed policies remain in effect. Events will be enqueued locally (up to a limit - exact number undocumented - and then kept on a FIFO basis) and will be caught up to the FMC once communications are re-established.

Note "Defense Center" and "FireSIGHT Management Center" are obsolete product names. Since version 6.0, the manager has been known as "Firepower Management Center".

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/relnotes/Firepower_Release_Notes_Version_621/terminology.html

Sorry, could you please elaborate on the line below:

"Events will be enqueued locally (up to a limit - exact number undocumented - and then kept on a FIFO basis) and will be caught up to the FMC once communications are re-established."

What is classed as events? If the FMC is down for a week, would you see any operational issues apart from no logging?

I guess all logging will be done on the FMC.

Firepower classes things like connections, security intelligence actions, file (malware) classification, discovery actions etc. all as events. The sensor (or sensors) in a network report all of them back to their managing FMC.

When the FMC is not available the sensors keep enforcing policy, discovering hosts etc. as usual. They will do so indefinitely - however you will have to take it on faith without an FMC as you will not see the information on the FMC console and the local copy is not human-readable (it's stored in some database tables).

You can think of the FMC as logging but it's much more than that. It is where policy is created and deployed. It is where you turn to for retrospective or forensic security analysis (in the absence of an enterprise SIEM (Security Intelligence Event Manager)).

Accordingly, you will not be able to make policy changes without the FMC being online and connected to its managed sensors. Depending on the churn rate of your policies, that may be an operational issue. If my primary security management console were offline for a week, I'd class that as an operational issue by itself, apart from any secondary effects.

Many thanks.

If one logical device of FTD is set up and one uses "connect module 1 console" and then "connect ftd", is there much config you can do there without the Firepower Management Centre?

You can do very little configuration- or operations-wise from an FTD device console. It's mostly for initial setup or in-depth troubleshooting (the latter primarily under TAC direction for most users).

That applies whether it is a logical device in a Firepower 2100/4100/9300 series chassis, an image on an ASA or an FTDv VM.
