
Firepower 2140 Assistance

Craddockc
Level 3

Dear community,

I am new to the Firepower appliances and had some questions. Our organization has 4x 2140 Firepower appliances, however they are not currently operational in the network. We are still currently running off of ASA5545X. We would like to migrate away from the ASAs onto the Firepower appliances but I am not sure where to start. The appliances seem to have the Firepower software already installed running version 6.2.2 (Build 81) and are currently imported into an FMC. I had a few questions about these devices:

 

-Do the 2140's run FXOS? I am unable to see if they are at the moment. From what I understand FXOS is like a hypervisor software that allows FTD software and ASA software to run on these devices?

-Do these devices run the ASA software? If not, how do you configure classic firewall rules on the device? Is the ASA software accessed in a different way than the Firepower software?

 

I only have experience with the ASA 5545x running the Firepower module, which made the deployment much more straightforward. Any assistance you can provide on how all of these pieces of software fit together and how to go about accessing them on the device would be greatly appreciated!

 

Thanks everyone!


6 Replies

Marvin Rhoads
Hall of Fame

Firepower appliances all run FXOS. On the higher end models (4100 and 9300 series) it's a separate OS that you interact with via the cli or Firepower Chassis Manager. On the 1100 and 2100 series with FTD it's embedded and it's not generally necessary to interact with it.

It's (very loosely) kind of like a hypervisor in that it controls the hardware and the FTD or ASA is a logical device that runs over the abstraction layer provided by FXOS.

A Firepower appliance can run ASA software but in that case you don't get any of the IPS or NGFW capability. Most people opt to run FTD which integrates ASA and Firepower capability in a unified image. The ASA subsystem is sometimes referred to as "LINA" while the Firepower bits are "Snort". That's an oversimplification but you will see the terms used nonetheless.

When migrating an ASA config to FTD you do have the option of just putting the ASA rules in a prefilter policy with a 1-1 match with the ASA. However I don't recommend that as you are missing out on the L7 deep packet inspection that you get from Snort. I recommend using the Firepower Migration Tool which will transfer the object and ACLs etc. from the ASA config to Firepower's Access Control Policy.

To learn more, please see any of the many fine Cisco Live presentations on Firepower or one of the recent books available from Cisco Press.

Francesco Molino
VIP Alumni

Totally agree with @Marvin Rhoads 

Prefer using the migration tool, which works fine.
Just to add something about this tool: it won't migrate any dynamic routing, if you have any, nor the VPN configuration, which have to be taken care of manually.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
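The two replies above split an ASA config into what the Firepower Migration Tool carries across (objects, object-groups, access-lists into the Access Control Policy) and what it leaves for manual rebuild in FMC (dynamic routing, VPN). The script below is an added example, not code from this thread or from Cisco: it inventories a constructed, stripped-down ASA running-config the same way, so you know before the migration how many ACL entries to expect in the ACP and which stanzas you will have to recreate by hand. The keyword lists that map config prefixes to "migrated" or "manual" are assumptions chosen for the example, not an official list from the tool's documentation.

```python
"""Pre-migration inventory of an ASA running-config (added example).

Splits a constructed ASA config into the parts the thread says the
Firepower Migration Tool carries over (objects, object-groups, ACLs)
and the parts Francesco notes it does not (dynamic routing, VPN),
which must be rebuilt by hand in FMC. The prefix lists below are
assumptions for the example, not an official list from Cisco.
"""
import re
from collections import defaultdict

# Constructed sample: a stripped-down ASA config, not taken from a real device.
SAMPLE_ASA_CONFIG = """\
hostname asa-edge
object network WEB-SRV
 host 10.1.10.20
object-group network DMZ-HOSTS
 network-object object WEB-SRV
 network-object 10.1.10.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
crypto ikev2 policy 10
 encryption aes-256
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
"""

# Top-level prefixes for what the thread says the tool migrates into FMC
# objects and the Access Control Policy (assumption for this example).
MIGRATED_PREFIXES = ("object ", "object-group ", "access-list ", "access-group ")

# Top-level prefixes for the areas the thread says need manual work
# (assumption for this example: these cover dynamic routing and VPN).
MANUAL_CATEGORIES = {
    "dynamic routing": ("router ",),
    "vpn": ("crypto ", "tunnel-group ", "group-policy ", "webvpn"),
}


def split_stanzas(config: str) -> list[list[str]]:
    """Group an ASA config into stanzas: a top-level line plus its indented children."""
    stanzas: list[list[str]] = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and stanzas:
            stanzas[-1].append(line)  # continuation of the current stanza
        else:
            stanzas.append([line])    # new top-level stanza
    return stanzas


def classify(config: str) -> dict[str, list[str]]:
    """Bucket each top-level stanza as 'migrated', a manual category, or 'other'."""
    result: dict[str, list[str]] = defaultdict(list)
    for stanza in split_stanzas(config):
        head = stanza[0]
        if head.startswith(MIGRATED_PREFIXES):
            result["migrated"].append(head)
            continue
        for category, prefixes in MANUAL_CATEGORIES.items():
            if head.startswith(prefixes):
                result[category].append(head)
                break
        else:
            result["other"].append(head)
    return dict(result)


def acl_rule_count(config: str) -> dict[str, int]:
    """Count access-list entries per ACL name: the rows the ACP migration must reproduce."""
    counts: dict[str, int] = defaultdict(int)
    for m in re.finditer(r"^access-list (\S+) (?:extended|standard) ", config, re.M):
        counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    buckets = classify(SAMPLE_ASA_CONFIG)
    print("Stanzas the migration tool carries:", len(buckets.get("migrated", [])))
    print("ACL entries per ACL:", acl_rule_count(SAMPLE_ASA_CONFIG))
    for cat in MANUAL_CATEGORIES:
        for head in buckets.get(cat, []):
            print(f"MANUAL [{cat}]: {head}")
```

Run it against a real `show running-config` export and compare the ACL entry counts with what lands in the ACP after the tool runs; every line printed under MANUAL is a routing or VPN stanza you will be rebuilding in FMC yourself.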

Marvin/Francesco,

Thanks so much for your replies. So in my case the FXOS is embedded and I don't really need to mess with it, got it. I am still kind of confused as to how the FTD software works though. When I SSH into the management interface of the device, it takes me to the CLI of the Firepower software 6.2.2, is this the FTD software? Or just Firepower software? Is there a difference?

Thank you.

Firepower software and FTD are often used interchangeably. That's not exactly correct (i.e., the older Firepower 7000 and 8000 series NGIPS run Firepower that's not FTD) but for most purposes it's fine to consider them as the same.

Thank you Marvin. So the only software I should really be interacting with on the 2140 is the FTD software where the "ASA rules" are actually migrated into the Access Control Policy of the FMC? 

 

Thanks. 

Depending on how you are managing the 2140 appliances you might not even log into the devices at all. If you use a Firepower Management Center (FMC) server, all but the initial setup of the appliances is done on FMC and deployed to the managed devices.

If you manage them without FMC then you would login to them directly and use the on-box Firepower Device Manager (FDM) GUI.
