FirePower 1120 FMC vs FDM

vtxchris
Level 1

I am migrating a customer from an ASA 5505 to a Firepower 1120 with IPS and AMP services. I have a few questions about the onboard device manager vs the management center. The ASA config is not terribly complicated - it has a single static route for Internet access, a couple of static translations from the outside for the email server and such, a client access VPN and a single site-to-site VPN. I don't think there's too much more to it. Here's what I'd like to know; any insight would be greatly appreciated:

 

1 - I'd like to migrate the existing ASA config using the migration tool, but I understand that will only work with FMC. But I've seen some information that leads me to believe FMC won't support the 1120 - is this correct? Can I only use FDM with the 1120?

 

2 - I have also seen some info referencing limitations with FDM, such as not supporting site-to-site VPNs or QoS, which would be a problem for me. Is this correct, or does FDM support those things?

 

What would be your suggestions for the best way to get the new device configured?  Thanks in advance,

Chris

Accepted Solution

Marvin Rhoads
Hall of Fame

If you use the downloadable migration tool then, yes, it requires FMC.

However, you can manage locally with FDM and add Cisco Defense Orchestrator (CDO), the cloud-based management tool. It has an ASA-FTD migration tool built in. You could even use it on a trial-only basis and do only the migration. If you like it, keep the service active and pay for it (not very costly for a single device).

Both FMC and FDM will manage the Firepower 1120. FMC would need to be at least release 6.4.0.3. Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_60525

FDM (and CDO) can do site-to-site VPNs just fine (see below). QoS isn't supported in the FDM (or CDO) GUI, but you should be able to do a FlexConfig for your QoS policy and deploy it that way.

[Screenshot: FDM Site-to-site VPN Wizard]


13 Replies


Thanks Marvin, the CDO definitely looks interesting. I can try to get a trial set up, but even if that doesn't work it looks to be about $150/yr - that's certainly not a huge cost. So if I'm reading this migration document correctly (Migrating ASA to Firepower Threat Defense Using Cisco Defense Orchestrator - Getting Started [Cisco Adaptive Security Appliance (ASA) Software] - Cisco), CDO should be used to migrate the ASA if I want to manage the 1120 via FDM, and the Firepower Migration Tool should be used if I want to manage it via FMC. I think, since it's a single firewall site without a terribly complex config, and since you showed I can still recreate my site-to-site VPN, that I'd be better off managing it with the device manager - do you agree? Or is there a compelling reason I would use FMC instead?

 

Also, if I use CDO to migrate the config and manage the 1120 with FDM, can I assume there won't be any difficulties down the road should I stop using CDO?  I can just let it go and manage the 1120 full time with the device manager?

 

Thanks

Chris

 



Correct.

CDO/FDM is more netops-oriented. FMC is more secops/SOC-oriented.

FMC does have more advanced security analysis features, and a few advanced configurations can only be done with it (but that list is shrinking with every release).

CDO can co-exist with or be entirely replaced by FDM without any loss of configuration.

Sounds good, I'm going to start playing around with device manager while I wait for a CDO trial.  Thanks Marvin, you've been a great help!

 

Chris

 

Hi Marvin,

Can we configure sub-interfaces, port channels and HA using FDM?

 

Thanks Rob,

 

I have 6.4 firmware on the box. Will it work, or do I have to upgrade to 6.5?

 

Thanks

Ajay

EtherChannel is not supported on FDM 6.4; it was first introduced in 6.5.

 

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/relnotes/firepower-release-notes-650/features.html


So if you require that feature, you will need to upgrade.

Thanks Rob, got that.

 

I was not able to find the upgrade steps through FDM.

I found many docs to upgrade the FMC and checks before upgrade.

It seems easy in FDM to go to the Update section, then upload and upgrade, but I fear the device might not come up.

 

The upgrade is indeed that easy. If the image is bad or incompatible it will tell you and abandon the upgrade before starting.

If the failure is more subtle and happens along the way, it will have the same log files in /var/log/sf that it would if it were FMC-managed and upgraded from the FMC.

Thanks Marvin,

 

That was helpful.

 

I have a management network, but it was an inside port of the ASA acting as the gateway for all management addresses of the inside network devices. Basically it was just a data interface acting as the gateway for the management network.

In FDM, I have configured the management IP under Device > System Settings > Management Interface and have connected the management port to the management VLAN. How can I move this management interface to a data port, where the same management IP will be used for licensing and updates from the cloud and will also serve as the gateway for the internal management network?

Also I am not able to see the add subinterface button under interface.

Also, do we have any CLI reference for basic configurations?

 

Thanks in advance.

Hi Team,

 

Thanks for your inputs; I was able to do the setup. Now the only thing remaining is that the remote network at the peer end of the site-to-site tunnel is not able to communicate with my local network. The other way is working after I created the NAT rules, keeping source and destination the same in the original and translated packet configs.

The access rules defined for the access are from inside interfaces to outside interfaces.

In Palo Alto we do define access rules for incoming traffic as well, with the source as the VPN zone.

Here I tried reverse NAT rules and reverse access rules too, with the source as outside and the destination zone as inside... still not working.

Any expert comment for this?

Hi,

You would need to define access rules from inside to outside AND from outside to inside to permit traffic over the VPN tunnel.

 

You would normally configure your NAT Exemption rule as such:

nat (INSIDE,OUTSIDE) source static LAN LAN destination static REMOTE-NETWORK REMOTE-NETWORK no-proxy-arp 

 

If that is what you had configured please provide screenshots and run packet-tracer from the CLI and provide the output.

HTH
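The two checks Rob describes (an access rule in each direction for the tunnel traffic, and a NAT exemption that leaves the addresses untouched and sits ahead of the Internet PAT) can be modelled in a few lines. The block below is an added example, not code from the thread or from Cisco: it evaluates a constructed rule base the way first-match access control and ordered manual (twice) NAT behave, and reports which of the three conditions a site-to-site flow fails. Zone names, networks and the 203.0.113.10 PAT address are constructed sample values.

```python
"""Added example: check a site-to-site VPN flow against a small model of an
FTD/ASA rule base. The networks, zones and rules are constructed sample data,
not taken from the thread."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class AccessRule:
    src_zone: str
    dst_zone: str
    src_net: Net
    dst_net: Net
    action: str          # "permit" or "deny"


@dataclass(frozen=True)
class NatRule:
    # Manual (twice) NAT, evaluated top-down. mapped == real is an identity
    # rule, i.e. the "NAT exemption" for VPN traffic.
    real_src: Net
    mapped_src: Net
    real_dst: Net = ANY
    mapped_dst: Net = ANY


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip) -> str:
    """Access control: first matching rule wins, implicit deny at the end."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and src_ip in r.src_net and dst_ip in r.dst_net):
            return r.action
    return "deny"


def _map(ip, real: Net, mapped: Net):
    if mapped == real:                 # identity: address unchanged
        return ip
    if mapped.num_addresses == 1:      # PAT: everyone becomes the one address
        return mapped.network_address
    return mapped[int(ip) - int(real.network_address)]  # static net-to-net


def translate(nat_rules, src_ip, dst_ip):
    """Apply the first matching NAT rule; returns (translated_src, translated_dst)."""
    for r in nat_rules:
        if src_ip in r.real_src and dst_ip in r.real_dst:
            return _map(src_ip, r.real_src, r.mapped_src), _map(dst_ip, r.real_dst, r.mapped_dst)
    return src_ip, dst_ip              # no NAT rule matched


def check_vpn_flow(access_rules, nat_rules, lan: Net, remote: Net,
                   inside="inside", outside="outside") -> dict:
    """Report the three things a working site-to-site tunnel needs:
    access permitted in both directions and no translation of the VPN traffic.
    Static twice NAT is bidirectional on ASA/FTD, so the forward direction
    is enough to judge the exemption."""
    lan_host, remote_host = next(lan.hosts()), next(remote.hosts())
    fwd = first_match(access_rules, inside, outside, lan_host, remote_host)
    rev = first_match(access_rules, outside, inside, remote_host, lan_host)
    t_src, t_dst = translate(nat_rules, lan_host, remote_host)
    return {
        "inside_to_outside": fwd == "permit",
        "outside_to_inside": rev == "permit",
        "nat_is_identity": (t_src, t_dst) == (lan_host, remote_host),
    }


# Constructed sample topology.
LAN, REMOTE, OUTSIDE_IP = net("10.1.0.0/24"), net("192.168.50.0/24"), net("203.0.113.10/32")

# What the poster describes: only an inside -> outside access rule.
POSTER_ACCESS = [AccessRule("inside", "outside", LAN, REMOTE, "permit")]
# Corrected: add the outside -> inside rule for the return direction.
FIXED_ACCESS = POSTER_ACCESS + [AccessRule("outside", "inside", REMOTE, LAN, "permit")]

# NAT exemption ordered before the Internet PAT ...
NAT_WITH_EXEMPTION = [NatRule(LAN, LAN, REMOTE, REMOTE), NatRule(LAN, OUTSIDE_IP)]
# ... versus a rule base where only the PAT exists (or the exemption is below it).
NAT_MISSING_EXEMPTION = [NatRule(LAN, OUTSIDE_IP)]

if __name__ == "__main__":
    for name, acl, nat in [("poster", POSTER_ACCESS, NAT_WITH_EXEMPTION),
                           ("fixed", FIXED_ACCESS, NAT_WITH_EXEMPTION),
                           ("no exemption", FIXED_ACCESS, NAT_MISSING_EXEMPTION)]:
        print(f"{name:>13}: {check_vpn_flow(acl, nat, LAN, REMOTE)}")
```

Run it and the "poster" case shows exactly the symptom in the thread: the forward direction passes, the NAT is already identity, and only `outside_to_inside` is False. The "no exemption" case shows the other classic failure, where the tunnel traffic is rewritten to the PAT address before encryption and never matches the crypto map.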
