10-23-2019 05:55 AM - edited 02-21-2020 09:37 AM
I have just received my first set of FP2100s and I am reading some quick start guides and other Cisco documentation, and I am trying to understand FTD mode vs ASA mode and what limitations each has. Also, what is the "common" method for deployment? These will be edge firewalls that strictly terminate SSL VPN endpoints and that is it.
10-23-2019 06:16 AM - edited 10-23-2019 06:18 AM
If you purchased the 2100, I suggest installing FTD, since you are not looking for old ASA legacy features and you are looking only for a remote access VPN solution.
(Personally, and eventually Cisco will retire the ASA code) - for longer support I would go with FTD code.
Here is a good document on FTD remote access setup.
You can also see the VPN limitations, ASA vs FTD.
The Firepower 2100 Series hardware can run either FTD software or ASA software. Switching between FTD and ASA requires you to reimage the device.
10-23-2019 06:23 AM
10-23-2019 06:32 AM
If you like a standard in the organization (if I were you, I would maintain all the same version, so it is easy to manage), until I go to another version if the features are not supported?
10-23-2019 06:33 AM
10-23-2019 06:55 AM
Best practice: management needs to always be a higher version to manage the device. If it is a lower version, it cannot manage a higher-version code device, since it would not understand it well. Makes sense?
10-23-2019 07:01 AM
10-23-2019 07:10 AM
The last FMC I have worked with that was stable was 6.4; I have seen 6.5 released recently.
Check the matrix before you upgrade and work with the version you are comfortable with (as long as the features support your needs).
10-23-2019 08:17 AM - edited 10-23-2019 08:22 AM
Correct. The FMC version is always higher than the managed device. The FMC will not let you register a device with a higher version than itself.
10-23-2019 09:47 AM
I have a pair of FP2110 devices running FTD v6.2.3.x in HA mode for over a year with no issues. Recently upgraded to 6.4.0.4 and found static PAT to be unsupported (TAC case currently open).
One point you may wish to consider is SSL HW acceleration, which is only available on the 2100 series from v6.3. It may be worthwhile in your use case as SSL RAVPN headends.
Also, the FMC has been upgraded to v6.4 for a while now and continues to manage v6.2.3.x FTD sensors.
Regards,
Simon
10-23-2019 10:21 AM
10-23-2019 12:54 PM
If you are looking at 7000+ active sessions, choose the right model - I have shared another document in the previous post.