Difference between Firepower FPR2130-NGFW-k9 and FPR2130-ASA-k9

YHam
Level 1

Hello Everyone,

 

I need to purchase a Firepower 2130 firewall and primary use cases are site-to-site VPN, Anyconnect VPN, BGP routing, MFA. I'm confused between FPR2130-NGFW-k9 and FPR2130-ASA-k9 when selecting the part number for the firewall. I have gone through the documentation and it appears that FPR2130-NGFW-k9 can run in both FTD or ASA mode whereas FPR2130-ASA-k9 can run only in ASA mode. I read on some other website that FTD/NGFW doesn't support VPN so I'm confused which model (FPR2130-NGFW-k9 or FPR2130-ASA-k9) I would choose and here are some questions:

If FPR2130-NGFW-k9 with FTD does support site-to-site and Anyconnect VPNs, do I need additional license(s)? I believe I would need a license (e.g. Anyconnect plus L-AS-PLS-P-G) for Anyconnect but not sure about site-to-site VPN. I found a part number FPR2K-ENC-K9 (Cisco Firepower 2100 Strong Encryption (3DES/AES)) that is included in FPR2130-ASA-k9 but I don't see it or similar item for FPR2130-NGFW-k9.


Do I need to purchase/deploy a separate management tool such as FMC to manage a single 2130 firewall (if it's running FTD), or does the firewall come with built-in software (like ASDM for ASA) that I can access through a browser to administer the firewall?

I assume both FPR2130-NGFW-k9 and FPR2130-ASA-k9 support the BGP routing protocol, but I'm looking for confirmation here.

 

If I don't need advanced security features such as threat protection, malware protection, URL filtering etc. at the moment, can I exclude their subscriptions (FPR2K-EXCLUDE-SUBS)?

Is there a tool like Cisco Feature Navigator where I can check all available features in different firewall platforms?

Thank you all. I would appreciate the help.

1 Accepted Solution

Accepted Solutions

@YHam you don't need a license for Site-to-Site VPN only Remote Access VPN.

 

FDM will support S2S VPN, RAVPN and BGP, use version 7.x.

 

When managing via FDM it doesn't currently support all the features, such as DAP for RAVPN, which requires either the FMC or the ASA software. If you want advanced features you might find FDM lacking, but you could re-image the NGFW version to ASA software if you wanted; using the ASA software you don't get the threat features, which you aren't planning to use anyway.

4 Replies

@YHam if you run the FTD image you will need to purchase a Remote Access VPN license, which is AnyConnect Apex/Plus, for a minimum of 25 users.

 

The FTD can be managed locally via Firepower Device Manager (FDM); however, it supports fewer features than if managed via an FMC. You access the FDM via a web browser. Another option is cloud-based management via CDO; it also supports fewer features than if managed by the FMC.

 

BGP is supported.

 

If you do not need the advanced threat licenses then you do not need to purchase them; the FTD will come with a base license.

Thank you, Rob. A couple of follow-up questions. I would appreciate it if you could clarify:

 

"if you run the FTD image you will need to purchase a Remote Access VPN license, which is AnyConnect Apex/Plus, for a minimum of 25 users."
Just to confirm on VPN: does the FTD image support site-to-site VPN, and do I not need any license for it?

 

"The FTD can be managed locally via Firepower Device Management (FDM), however it supports less features than if managed via an FMC."

Do you know what feature support looks like for a basic firewall setup, S2S VPN, AnyConnect and BGP? Do you think I will run into issues if I plan to manage FTD using FDM only (no FMC or CDO)?

With my specific feature needs (mentioned above), I'm trying to think of any reason why I should buy FPR2130-ASA-k9 instead of FPR2130-NGFW-k9.

Thanks once again


buffkata
Level 1

If you do not need any advanced inspection that can be provided by the IPS/IDS functions, go for the ASA mode, as it will support all of your major concerns: BGP, S2S and RA VPNs. As FTD, most will be supported, but you will always hit a bug or something that is not available, as Cisco have not fully developed this yet and the whole concept of putting two systems (ASA and Snort) together is not implemented well (?). The FMC is also going to add cost for you if you need it.
