Solved: You can manage the 5506

gchevalley · ‎01-08-2016

We recently got a quote for a HA 5506 pair with Firepower and was surprised to see that it included a VM for the FireSight Management application. I have heard from a few people that the VM is not needed and we can run the management application on the ASA. Is this true and if so how well will it perform. Is there much advantage to running the VM on an ESX Host versus on the ASA?

This ASA will be used for general web traffic from the office staff going out to the internet. There will not be any internal sites with static NAT's configured on this ASA.

Marvin Rhoads · ‎01-08-2016

My recommendation is that the ASDM-based FirePOWER management is only good for lab or single device installations.

Even on a basic HA pair, if you use the ASDM-based approach you need to replicate every change on both units since they have no knowledge of one another and don't synchronize FirePOWER configuration like the base ASA does..

View solution in original post

Aastha Bhardwaj · ‎01-08-2016

Hi,

Yes you can manage the asa 5506 Firepowers via the asdm as well that is called on box management .

Refer : http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Though it is better it to be managed by the Defense center because it gives some added functionalities like graphs etc.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Pujita Patni · ‎01-08-2016

Hi,

ASA 5506 comes with the option of managing from the ASDM instead of the FireSight Management Center on the VM.

You can refer this:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/asa-fp-services/asa-with-firepower-services-local-management-configuration-guide-v60/Intro-Preface.html

Running this on a VM will give you more features.

Thanks,

Pujita

Marvin Rhoads · ‎01-08-2016

My recommendation is that the ASDM-based FirePOWER management is only good for lab or single device installations.

Even on a basic HA pair, if you use the ASDM-based approach you need to replicate every change on both units since they have no knowledge of one another and don't synchronize FirePOWER configuration like the base ASA does..

Ralph Rye · ‎01-20-2016

You can manage the 5506 locally or through a FireSight Management Console. There are some things you cannot do locally, I believe some of the correlation tasks are an example. I also think there will be a big different in the amount of events that can be stored locally versus forwarding the event information to a FireSight Management Console. I don't believe this is a Cisco published list of what cannot be done, at least I couldn't find one.

I run a 5506 at my house and I run a FireSight Management Console to manage it. I mainly do this because I want to see all the features and also be in the same management as most of my customers.

The other reason for running a FireSight Management Console would be to have one management device for multiple FirePower modules.

Jackie · ‎04-03-2018

Refer to captioned subject, looking forward for valuable feedback.

Regards

Abid Mazhar

Marvin Rhoads · ‎04-03-2018

@Jackie,

It's now known as Firepower Management Center. Cisco stopped using the "Firesight" term since release 6.0.

What will happen (or, more accurately, what will NOT happen) depends on your hardware model and software version. What are you planning on running?

FireSight Managment