12-18-2017 05:15 AM - edited 02-21-2020 06:58 AM
Hi.
Please, can you tell me if the FirePower 2100 series supports 3DES/AES? Which license is necessary?
The FirePower 2100 series will be used for firewall, VPN site-to-site, AnyConnect VPN and IPS subscription (threat).
For apex anyconnect, the required license is L-AC-APX-LIC=?
Rgds.
12-18-2017 05:51 AM
Yes, it is supported. No special license needs to be purchased, but you should specify the "K9" SKU during ordering to make sure the free entitlement is coded correctly in the system.
The top level SKU you mentioned is the right one to order licenses for AnyConnect Apex. Be sure to tell your reseller to provision them as Smart licenses as FTD devices use smart licensing exclusively.
12-18-2017 06:02 AM
Thank you.
Pls another question:
Can the Cisco Firepower 2100 Series appliances with FTD be deployed as a Next-Generation Firewall (NGFW) and as a Next-Generation IPS (NGIPS) at the same time?
The FirePower 2100 series will be used for firewall, VPN site-to-site, AnyConnect VPN and IPS subscription (threat).
Rgds
12-18-2017 06:08 AM
The NGFW term is used when the appliance is deployed with the ASA image. NGIPS means it has the Firepower Threat Defense (FTD) image. You must choose one or the other exclusively.
FTD has many (but not all) of the features included in an ASA. Notably the AnyConnect remote access VPN has a few caveats which are explained in the configuration guide.
If you were to run the ASA image on a Firepower hardware appliance you would not be able to use any of the IPS, URL Filtering or AMP features. You also gain the ability to add and use fail-to-wire (FTW) interfaces (optional hardware) should that be a requirement in your environment.
12-18-2017 06:26 AM
I have a confusion.
Does the FirePower 2100 series with FTD not support the basic firewall functionalities? For example, the firewall functionalities that the old ASA 5520 supports (firewall policies, high availability (dual ISP), routing)?
The client has an ASA 5520 and wants to switch to a Firepower 2120 for the current functionalities of the ASA 5520 plus the subscription to threat (IPS).
12-18-2017 06:31 AM
Yes - it supports all of those features.
You do require an external Firepower Management Center (VM or hardware appliance) to configure HA and some of the advanced features.
Firepower 2120 is quite a step up from ASA 5520. Is there a reason why you aren't considering Firepower 2110?
12-18-2017 06:41 AM
Thank you.
The two options are being evaluated (FP 2110 and 2120).
FPR2110-BUN | Cisco Firepower 2110 Master Bundle |
FPR2110-NGFW-K9 | Cisco Firepower 2110 NGFW Appliance, 1U |
CON-SNTP-FPR21FWN | SNTC-24X7X4 Cisco Firepower 2110 NGFW Appliance, 1U |
CAB-AC | AC Power Cord (North America), C13, NEMA 5-15P, 2.1m |
SF-F2K-TD6.2.2-K9 | Cisco Firepower Threat Defense software v6.2.2 for FPR2100 |
FPR2K-SSD100 | Firepower 2000 Series SSD for FPR-2110/2120 |
FPR2K-SSD-BBLKD | Firepower 2000 Series SSD Slot Carrier |
L-FPR2110T-T= | Cisco FPR2110 Threat Defense Threat Protection License |
L-FPR2110T-T-3Y | Cisco FPR2110 Threat Defense Threat Protection 3Y Subs |
L-AC-APX-LIC= | Cisco AnyConnect Apex Term License, Total Authorized Users |
L-AC-APX-3Y-S3 | Cisco AnyConnect Apex License, 3YR, 250-499 Users |
Is it ok, or is another license necessary?
The client requires: basic firewall functionalities currently present in the ASA 5520, dual ISP configuration, VPN site-to-site, AnyConnect VPN and IPS subscription.
12-18-2017 07:02 AM
That's fine for the appliance and its licenses.
As I noted earlier, you need a Firepower Management Center to complete the setup.
12-18-2017 07:08 AM
Thank you.
Is the FMC necessary for setting up IPS, or also for basic firewall functionalities?
Rgds.
12-18-2017 07:30 AM
It's not required for basic IPS and firewall configuration.
However a customer would be rightly very unhappy to come across one of the things that cannot be configured without FMC and be told they cannot do what they want with the tens of thousands of dollars in equipment and licenses they have purchased. For that reason alone I always strongly recommend it. A 2-device license is under US$1000 list price.
It's required to set up an HA pair, for reporting, for retention of logs beyond near real time, for configuration of Etherchannels, for configuration of Flexconfig, and a number of other various bits.
12-18-2017 07:35 AM
Thank you, I understand the advantages of FMC.
To configure PBR, do I need FMC?
Thanks.
12-18-2017 07:41 AM
Yes - PBR does require FMC.
It is a Flexconfig setting and those are only available with FMC.
02-22-2018 10:42 AM
Dual ISP - is PBR supported only in FMC? Is that a feature, or does it need to be programmed in such a way to do PBR? Please elaborate.
02-23-2018 12:52 AM
Yes, configuring PBR requires use of Flexconfig for all FTD platforms as of the current 6.2.2 release.
That will probably change in the future but which release exposes the feature without having to resort to Flexconfig is TBD at this time.
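As an added illustration of what "PBR via Flexconfig" means in practice (this is not from the thread, and not Cisco's own documentation text), below is the ASA-style CLI that a FlexConfig object would push to an FTD 6.2.2 device to send one inside subnet out the second ISP while everything else follows the normal routing table. Interface names, subnets, object names and the next-hop address are constructed placeholders; creating the FlexConfig object and assigning the FlexConfig policy in FMC is assumed to be done as the FMC configuration guide describes.

```cisco
! Constructed example, not a production configuration.
! Goal: traffic from 10.10.20.0/24 (placeholder) entering the inside
! interface is steered to ISP2's gateway 203.0.113.1 (placeholder);
! all other traffic falls through to the routing table (default via ISP1).

! Keep the match as narrow as possible: only the source subnet that
! should use ISP2, so an overly broad ACL cannot hijack other flows.
access-list PBR-ISP2 extended permit ip 10.10.20.0 255.255.255.0 any

! Route-map: matched traffic gets the ISP2 next hop.
! Sequence 10 is the only entry; unmatched traffic is routed normally.
route-map PBR-DUAL-ISP permit 10
 match ip address PBR-ISP2
 set ip next-hop 203.0.113.1

! PBR is applied on the ingress (inside) interface, not on the ISP link.
! GigabitEthernet1/3 is a placeholder for the inside data interface.
interface GigabitEthernet1/3
 policy-route route-map PBR-DUAL-ISP
```

Two things a practitioner should verify before deploying this: FlexConfig text is pushed to the device verbatim, so a typo is only caught at deployment time (test in a maintenance window), and NAT rules must already exist for the ISP2 interface or the steered flows will leave with private source addresses and get no return traffic.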
03-01-2018 01:52 AM
Hi Marvin,
I just want to know, is it possible to buy the 2100 series NGIPS and use it just as a firewall (without buying the IPS subscription)?