Difference between FPRxxxx-ASA-K9 and FPRxxxx-NGFW-K9

Majid Jalinousi
Level 1

What is the exact difference between FPRxxxx-ASA-K9 and FPRxxxx-NGFW-K9, and for launching IPS what license do I need?

10 Replies

Marvin Rhoads
Hall of Fame

The first has the ASA image and that image cannot add the Firepower service module.

NGFW in the SKU indicates that it has the Firepower Threat Defense (FTD) aka Next Generation Firewall or NGFW image. FTD is the new unified image that includes both ASA and Firepower / Snort IPS in a single image.

FTD does not have 100% feature parity with the ASA so you need to look at the requirements of your individual situation closely to determine which is best for you. Also, most use cases of FTD also indicate that you should be using a Firepower Management Center (FMC) server to manage policies, configuration and events.

Thanks a lot for your answer.

Somewhere I read that FPRxxxx-ASA-K9 is also an NGFW product of Cisco and supports features like IPS, URL filtering, etc.

You know I am totally confused. You mean FPRxxxx-ASA-K9 is just an ASA like the old Cisco products with no NGFW features?

Is there any document comparing the features both of them can support?

Best Regards.

When you run the ASA image on Firepower 2100, 4100 or 9300 series you do not get any of the IPS, URL Filtering or Malware protection (AMP) features.

You do get the higher throughput those appliances offer as well as the physical appliance management via Firepower Chassis Manager and/or FX-OS CLI.

For feature comparison, I haven't seen a current one. They did just add remote access SSL VPN on FTD (so that's there with some limitations). That was long-awaited. The big one that isn't there yet is multi-context.

The client bought FPR2110-NGFW-K9. What is the process to change to FPR2110-ASA-K9?

The licenses they purchased for NGFW will not be usable. You may be able to get some consideration from Cisco, but it would be a one-off request that would need to go via the Cisco Account Manager for approval.

Other than that, they just need to deploy an ASA logical device vs. FTD on the appliance.

Marvin,

Does that mean that the ASA-K9 PIDs are incapable of running FTD whereas the NGFW-K9 PIDs can run either ASA or FTD? I've been looking at a Firepower 1010 and trying to understand the difference between FPR1010-ASA-K9 and FPR1010-NGFW-K9.

I've used a Firepower 4115 where within FCM, you could create a logical device running either ASA or FTD. I'm looking for something similar with a Firepower 1010.

Thanks.

The Firepower 1010 PIDs you mentioned are the exact same hardware. The difference is what software image is shipped with them when they come from the factory.

Also when you specify one vs. the other in Cisco's ordering tool it will prompt the person making the order to include the necessary licenses according to what's being ordered - for example, the Threat, URL Filtering and Malware licenses would apply only to the NGFW image.

Is it correct to say that if an ASA-K9 was ordered, you could still run FTD?

In this scenario, you wouldn't have been able to order the URL Filtering license, because that option would only prompt for an NGFW-K9. However, I'm assuming if you decided to run FTD on the ASA-K9, then you could order this license after the original purchase of the hardware and apply it to the ASA-K9. Is that also correct?

Yes you can reimage a Firepower 1000 series appliance running ASA to instead run FTD. However it's a lot easier to just order the desired model in the first place unless there's a well-thought-out plan to run ASA for some period due to extenuating circumstances before switching modes at some later date.

If you do so, you would have to purchase the necessary licenses "a la carte".

For me this jungle of licenses and identical hardware with different images is too complicated, especially with the current transparency and information base. Not least, I don't know if buying a device with such IPS features and licenses would require subscriptions to services which cause recurring costs. With the 5505 with recurring costs it was clear; with the licenses, however, there are already problems. One of my 5505s broke and I installed a spare one. There was, however, a restriction in the number of VLANs and the spare system was not able to replace the broken one. An attempt to move the memory card from the broken one to the spare just resulted in a 30-day license availability. This is the reason that I have reservations about switching from ASA5505 to Firepower1010. By the way, I purchased a 5506-X for the company of a colleague. What a shame, the integration of ASA with Firepower, with basically two different systems in the same box. TO CONCLUDE: Better information about what you get with which option and what this means in terms of recurring costs would be HIGHLY APPRECIATED.
