2462 Views, 5 Helpful, 9 Replies

Firepower 2110 management and deployment

omer14231
Level 1

Dear,

We have recently purchased two Firepower 2110 units with Threat, Malware and URL licenses. Below is the BoQ of the new hardware:


Cisco Firepower 2110 Master Bundle
Cisco Firepower 2110 ASA Appliance, 1U
SNTC-8X5XNBD Cisco Firepower 2110 ASA Appliance, 1U
AC Power Cord (UK), C13, BS 1363, 2.5m
Cisco ASA 9.8 Software for Firepower 2100 appliance series
Cisco Firepower 2100 - Add 5 Security Context Licenses
Firepower 2000 Series SSD for FPR-2110/2120
Cisco Firepower 2100 Standard ASA License
Firepower 2000 Series SSD Slot Carrier
Cisco FPR2110 Threat Defense Threat, Malware and URL License
Cisco FPR2110 Threat Defense Threat, Malware and URL 1Y Subs


We will be using it as a perimeter firewall with multiple security contexts, HA and IPsec VPN, AnyConnect VPN, URL filtering, AMP, IPS, etc.


However, we currently do not have an FMC license to configure these units as HA and to configure security contexts, as the on-box management FDM doesn't support configuring HA and security contexts. Kindly advise whether FMC is mandatory to configure HA and security contexts.

Also, do we need to deploy these Firepower units as NGFW or NGIPS to achieve the above requirements, and what is the difference between using Firepower as NGFW or NGIPS?


Regards,

Omer

9 Replies

Marvin Rhoads
Hall of Fame

Somebody advised you incorrectly with that bill of materials. A Firepower 2110 (or any 2100, 5100 or 9300 series Firepower appliance) can run either ASA logical device(s) or FTD logical device(s). That is, NGFW or NGIPS in marketing terms.


If you run an NGFW you get all the ASA features like multi-context, AnyConnect remote access VPN without feature restriction, etc. You do NOT get IPS, URL filtering, and Malware protection. So buying the license for those features on an NGFW is not only unnecessary but also something you will not be able to use at all. Also, you configure the ASA HA pair and their contexts using the traditional ASA methods (CLI, ASDM, etc.) - NOT FMC. You use FDM to deploy the ASA logical devices on the chassis and assign interfaces to them, but once that's done everything else looks 98% like a classic ASA appliance.


If you run an NGIPS you get the integrated FTD image (not all ASA features - most definitely no multi-context and limited AnyConnect features). The following two line items in your list apply ONLY to NGIPS deployments:


Cisco FPR2110 Threat Defense Threat, Malware and URL License
Cisco FPR2110 Threat Defense Threat, Malware and URL 1Y Subs
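As an added illustration of what "the traditional ASA methods" amount to in the NGFW (ASA image) case, here is a constructed ASA CLI session for the system execution space that enables multiple context mode, sets up active/standby failover, and defines an admin context plus two user contexts. This is not from the reply above or from Cisco documentation; the interface names (Ethernet1/x), the failover addresses, the context names, the config file names, and the failover key are all assumptions chosen for the example. As the reply notes, the interfaces referenced here must already be assigned to the ASA logical device on the chassis before the ASA can use them.

```cisco
! Constructed example: ASA-image failover plus multiple context mode on a
! Firepower 2100, entered at the ASA CLI in the system execution space.
! Interface names, addresses, context names and the key are assumptions.

! Switch to multiple context mode (the unit reboots; run once per unit).
! The existing running config becomes the initial admin context.
mode multiple

! Active/standby failover: a dedicated failover link and a stateful link.
! The peer unit uses "failover lan unit secondary" with the same link,
! address and key commands; everything else replicates from the primary.
failover lan unit primary
failover lan interface folink Ethernet1/11
failover link statelink Ethernet1/12
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover interface ip statelink 192.0.2.5 255.255.255.252 standby 192.0.2.6
! Shared key so failover messages between the two units are authenticated
failover key EXAMPLE-KEY-CHANGE-ME
failover

! Admin context (mandatory) with its own allocated interface and config file
context admin
  allocate-interface Ethernet1/1
  config-url disk0:/admin.cfg
admin-context admin

! Two user contexts, each with its own interfaces and configuration file;
! per-context settings (interface IPs, ACLs, VPN) are made inside each
! context with "changeto context <name>".
context INSIDE-A
  allocate-interface Ethernet1/2
  allocate-interface Ethernet1/3
  config-url disk0:/inside-a.cfg

context DMZ-B
  allocate-interface Ethernet1/4
  config-url disk0:/dmz-b.cfg

! Verification, also from the system execution space
show failover
show context
```

Two design points worth noting: the failover and stateful links carry configuration and connection state between the units, which is why they get a shared key and dedicated physical interfaces rather than sharing a data interface; and because failover is configured in the system execution space, the context definitions and their config files replicate to the standby unit automatically once failover is up, so the contexts are only created on the primary.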

Marvin - how come you know so much about these FTD appliances; do you work for Cisco, after all?

I am an independent engineer but do work for a couple of partners. Since I do both pre-sales and post-sales (deployment), I do my best to keep very up to date on all things Cisco security.

Since I've been working with security one way or another for about 35 years and Cisco for 25 years, I pretty much have the basics (and a few of the more advanced topics) figured out by now.


Please rate my earlier reply if it answered your questions.

Hi Marvin Rhoads,

Thanks a lot for the detailed explanation.

But can you please explain one thing. If we want both features (NGFW + NGIPS), like what we used to do with the ASA 5585-X by adding the sensor to FMC to utilize both features, then with the Firepower 2110 do we need to buy two hardware units for NGFW + NGIPS? If we use the Firepower 2110 as NGFW then we will be able to manage it with FDM, but we cannot configure security contexts and HA using FDM?

You're welcome @omer14231.


Until multi-instance support comes out in FTD, Cisco has been encouraging customers to look at alternatives such as the 2-appliance (or 2 pairs of appliances) solution you mention, or possibly re-examining the design to see if an alternative such as zones might meet your requirements. By the way, the 2100 series may not ever have multi-instance support due to its hardware design.


When a 2100 series is running the ASA image you only manage the chassis with FDM. All the NGFW features and configuration are done just as if it were a classic ASA.

Thanks Marvin.

So from FDM we can configure High Availability?

No. FDM cannot currently be used to configure NGIPS (FTD image) HA (as of release 6.2.3). We expect that will be added in 6.3 (ca. Fall 2018). In the interim you would need to use FMC.


NGFW (ASA image) HA is configured, even on a Firepower appliance, via the ASA CLI or ASDM, just like on an ASA appliance.

Thank you Marvin.

One last thing: can you please explain the limitations of Cisco AnyConnect when running the FTD image? Can you please share with me the link to the datasheet for Firepower.