01-21-2020 01:24 PM - edited 02-21-2020 09:51 AM
Hello,
Does anyone have documentation on how to configure a Firepower 4300 FTD as an SDA fusion firewall?
Thanks
01-22-2020 06:52 PM - edited 01-22-2020 06:54 PM
I haven't seen any specific guides. These whitepapers contain general guidance which you can adapt for the FTD-specific use case:
FTD doesn't support multiple contexts, but it does support multiple instances.
01-22-2020 07:50 PM
Thanks Marvin for your reply.
I have seen the link you provided, but it's kinda dated and refers to the ASA firewall. As you probably already know, FTD has SGT capabilities.
01-24-2020 09:03 AM
Yes the link is dated but the concepts remain the same. If there's an FTD-specific document, I haven't seen it - even in partner training.
01-28-2020 11:29 AM
Thanks Marvin
01-28-2020 11:39 AM
Oohh....gotcha Marvin! Hmmm...so with Firepower 4150 we can only create 4 instances max.
Okay. Thanks Marvin
01-28-2020 12:03 PM - edited 01-28-2020 01:30 PM
Almost correct - 4150 supports 7 instances.
Although if you can wait until 6.6 you might see multiple VRF support.
01-28-2020 12:42 PM
Sorry. I think the number of containers for a 4150 is 7.
Could this be done by using sub-interfaces on one FTD instead of multiple containers?
01-28-2020 01:24 PM
Multi-instance, multi-VRF and separate zones are all ways to address the SDA fusion firewall needs. The last one is certainly easiest to implement and can be done via separate physical interfaces or subinterfaces.
01-28-2020 06:38 PM
Okay. That response created more questions. hahaha....
1- Can FTD do multi-VRF? I wasn't aware of this.
2- Will zones create separate routing tables? Is a separate routing table a requirement for SDA fusion? Hmm.....
Thanks again Marvin
01-29-2020 08:41 AM
There's no VRF support as of the current release 6.5.0.2. We might see it in 6.6.
Creating zones won't create separate routing tables.
Whether or not you need that depends in part on your VN design in SDA. In any case you need to build the inter-VN policy (if any such is required) and VN(s)-to-rest-of-the-world policies manually in the firewall. Generally you will need some ACLs with SGTs (VN-facing) and some more traditional 5-tuple ACLs (outside-world-facing).
I just confirmed the above at Cisco Live Barcelona this week.