12-02-2021 06:51 AM
In case you missed it, Firepower 7.1 was released on 1 December:
https://software.cisco.com/download/home/286259687/type/286271056/release/7.1.0
We are still waiting on the Gold Star for release 7.0.1. Hopefully that will come soon!
12-02-2021 11:05 PM
I take the chance to ask for a suggestion about upgrading:
I need to upgrade a deployment soon in order to leverage saml support for anyconnect (azure mfa integration) and data interface management.
I was oriented toward 6.7 since it's more mature than 7.0.1, even if it's a short-term release. Do you agree with that, or do you think that 7.0.1, even if it's not Gold Star yet, is worth the upgrade?
12-03-2021 12:50 AM
@Massimo Baschieri I would recommend 7.0.1 over any release of 6.7 at this time.
12-03-2021 11:18 AM
Thanks for the advice Marvin. Are you saying that because of your own experience, or do you have some positive feedback from Cisco TAC?
Do you have any idea when 7.0.1 will become gold star?
12-03-2021 06:36 PM - edited 12-03-2021 06:37 PM
My recommendation is based on both having deployed about 20 production Firepower 7.0.1 firewalls to date (1010s, 2100 and 4100 series as well as FMC both on hardware and software platforms) as well as having positive (albeit informal) conversations with both TAC and other Cisco staff.
The ones I've deployed include locally-managed (FDM only), CDO-managed and FMC-managed.
We hope to see Gold Star status for 7.0.1 this month (December 2021) but it's pending internal Cisco approval still.
12-03-2021 10:57 PM
My deployment is quite complex: about 50 devices, FPR1Ks, 2Ks, ASA5516s, even ASA5545s.
Did you also move to snort 3 on those deployments?
12-05-2021 06:14 AM
For the upgrades, I changed to Snort 3. The greenfield 7.0.1 ones are also using Snort 3. My primary motivation for that is the improved performance.
12-09-2021 08:19 PM - edited 12-10-2021 06:37 AM
I too noticed performance improvements by changing from Snort2 to Snort3. Preliminary tests I did with 7.0 on a small 1010 appliance gave about a 33% raw network speed difference with unmodified “Security over Connectivity” IPS policies. On a 350Mbps up/down link, full 350Mbps on Snort3 vs ~230Mbps on Snort2.
However, Snort3 does block things randomly and out of the blue, whereas Snort2 does not - even while both are set to "detect", and not "protect". I've seen it breaking server-side tasks such as DNS XFER and SMTP STARTTLS sessions, and client access such as to Apple's AppStore app - with or without an IPS policy set on the matching AC policy. It seemed less often on 7.0.1, but they are still plaguing me every now and then. Fastpath doesn't help, nor does changing IPS or AC policies: I have to either bypass the firewall (wrong) or downgrade to Snort2 and back to Snort3; somehow this keeps things working for another while.
So I'm in a difficult position now: to have random outages or to lose bandwidth.
12-08-2021 01:40 AM
@Marvin Rhoads but also to the others:
I take the chance you mentioned it, do you have a good experience on CDO?
Is it reliable as much as FMC is?
What are the features you miss the most about FMC?
Is identity working fine with CDO?
Thanks.
12-08-2021 04:32 AM
@Massimo Baschieri CDO generally works as advertised. It is not a 1-1 replacement for FMC just like FDM is not. I kind of think of it as Meraki MX vs. Cisco ASA or FTD. As long as you don't need the advanced features (of FMC), CDO is an attractive choice.
Identity works fine but I had to do the setup from FDM first and then CDO (and the Secure Analytics and Logging or SAL along with Stealthwatch Cloud / Secure Cloud Analytics) consumes it OK.
I had done a whitepaper on that about 2 years ago. In case you missed it here's a link:
12-09-2021 08:17 AM
Nice document Marvin. Since I have no experience at all with FDM and CDO, can you please provide me a quick list of the features I'm about to lose moving from FMC to FDM/CDO?
Thanks,
12-09-2021 08:15 AM
It seems Cisco was faster than you expected, 7.0.1 became gold star today!!!
Now I've no doubt on the release to upgrade to.
12-09-2021 09:26 AM
There are quite a few things FDM cannot do that FMC can. Just weigh the respective configuration guides - 856 pages for FDM 7.0 vs. 3192 pages for FMC.
All the basics are there, just not some advanced features and the ability to manage multiple firewalls from one console, share objects, store events etc.
12-10-2021 11:25 PM
Here is a list of the most important features (to me) I found missing in CDO:
security intelligence / TID
url/app reputation/advanced classification
advanced settings in access policies
active authentication
ssl inspection
prefilter
centralized logging without SAL
Others?
Maybe some of them are available directly on the device through FDM; better than nothing, but not a good approach.
Do you agree?