Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16895
Views
24
Helpful
6
Replies

Difference/Clarification between Firepower ASA, FTD and FX-OS and management softwares FMC, FDM and FCM

KimG
Level 1
Level 1

‎04-16-2018 11:47 AM - edited ‎02-21-2020 07:38 AM

Hi,

 

I know the difference between ASA and FTD but how does it relates to FXOS?

 

Does FX-OS only related to 4100/9300? I only have access to Firepower 2100 but is firepower 4100/9300 CLI and Rest API different then FPR 2100?  Why FPR 4100/9300 are managed via Firepower chassis manager (FCM)? Can it be managed via FDM and FMC?

 

I need a single method to pull the configs from all Firepower devices including Virtual Firepower either using CLI or REST. but CLI "Show Running config" is limited to ASA configs. 

Labels:
0 Helpful
6 Replies 6

Mohammed al Baqari
Level 11
Level 11

‎04-17-2018 01:40 AM

FX-OS as you mentioned exists in 9300/4100 because they are modular. FX-OS
is used to power the supervisor module. On top of it you have FTD software.
FTD software have the same command set and APIs on all hardware of FTD,
i.e. ASA55XX, 2110, 4100, 9300. This is software dependent and not subject
to hardware (with minimal exceptions).

>From FTD CLISH (>) you can type support system diag which puts you to ASA
CLI of the FTD. From their you can run all ASA exec commands including show
run.

Bogdan Nita
VIP Alumni
VIP Alumni

‎04-17-2018 01:57 AM

FXOS is basically a supervisor, on top of the FXOS you can have either ASA or FTD software running.
All physical interface operations are done by the FXOS.
FMC is a full fetaure management tool for all boxes running FTD.
FDM allows you to configure basic features of the FTD for smaller deployments and it is available for ASA 5500-X platforms.
FDM runs in the web browser and does not require dedicated hardware.

 

The 2100 does not have the full FXOS, but it runs a subset of the FXOS features:
"Firepower 2100 series appliances utilize FXOS only as an underlying operating system that is included in the ASA and Firepower Threat Defense unified image bundles."
https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

 

To retrieve the FXOS configuration I believe you can use: show tech-support fprm.
On the FMC you can export the configuration, not sure if API can be used, but you can check using the api-explorer:
https://fmc_url/api/api-explorer/

 

HTH

Bogdan

Florin Barhala
Level 6
Level 6
In response to Bogdan Nita

‎04-17-2018 05:38 AM

I have to yet to work with FTD, but as first impression Cisco made it complicated !
0 Helpful

Bogdan Nita
VIP Alumni
VIP Alumni
In response to Florin Barhala

‎04-18-2018 08:06 AM

It is complicated at first, but at least regarding the number of products/tools it is one of those cases where on paper it sounds more complicated than it is in reality.

0 Helpful

Ahmad Fahim Kakar
Level 1
Level 1

‎01-31-2021 09:05 AM - edited ‎01-31-2021 10:13 AM

It relates to firepower 4100/9300

Supervisor and security modules use multiple independent images•

All images are digitally signed and validated through Secure Boot

Security application images are in Cisco Secure Package (CSP) format

2021-01-31 17_57_31-BRKSEC-3035 - BRKSEC-3035.pdf — Mozilla Firefox.jpg

ASA or FTD could be deployed as Native or Container mode.

-Native application consumes full hardware resources of an entire module

-Firepower 4100 and 9300 support multiple FTD Container instances in FXOS 2.4.1

-Firepower 9300 supports a mix of ASA/FTD application modules in FXOS 2.6.1

 

Zaaf Aba
Level 1
Level 1

‎07-07-2022 09:29 AM

Differences between ASA, FTD, FX-OS are confusing for people which have background in Cisco ASA only
Just sharing this to make it easier to understand.

 

 

For example in our environment we have Cisco ASA5585-SSP-20, FPR-1010 , FPR-1120, FPR-2130
model			type			firmware						                Prompt after ssh login
ASA5585-SSP-20		Cisco ASA 		Cisco Adaptive Security Appliance Software Version 9.1?(?)??		> 
ASA5585-SSP-20		Cisco ASA		Cisco Adaptive Security Appliance Software Version 9.1?(?)??		# (privilige level/enable mode)
FPR-1010		Cisco Firepower		Cisco Adaptive Security Appliance Software Version 9.1?(?)??		> or # depending on level (traditional ASA prompts)
FPR-1120		Cisco Firepower		Cisco Adaptive Security Appliance Software Version 9.1?(?)??		> or # depending on level
FPR-2130		Cisco Firepower		Cisco Firepower 2130 Threat Defense (77) Version 6.6.? (Build ??)       > default FTD Firepower Threat Defense prompt.

 

 

From prompt > which is FTD default prompt, (FTD prompt > is different from ASA's > prompt. On FTD > prompt you can not type enable )
User can either go to
1- ASA console prompt (after typing without single quotes 'system support diagnostic-cli' and hitting enter)
or
2- Firepower console prompt (after typing without single quotes 'expert' and hitting enter)

ASA console prompt will be same as traditional ASA prompt either > or # . User can run Cisco commands e.g show running-config , show version
Firepower prompt will be like NAME-OF-FW:~$ which is a FTD Linux shell. User can run Linux commands e.g tail, cat

 

So points to remember,
ASA hardware runs traditional ASA image and can also run FTD image (with some limitation/difference in installation process on low/midrange models)
Firepower hardware can run ASA image or unified FTD image (Where FTD image/code combines ASA and Firepower code into a single image)

https://www.ciscopress.com/articles/article.asp?p=2916289
https://www.ciscopress.com/articles/article.asp?p=2916289&seqNum=4

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card