Firewalls - current status of ASA features vs FTD?

cawst
Level 1

We're looking at replacing our older ASA 5505, and trying to decide what direction to go. We 100% need SSL VPN, so unfortunately the Meraki line is out as far as I can tell. So now looking at the ASAs (and which software image we'd run) vs the NGFWs, and trying to figure out what would work best. We would like some of the new IPS functionality, malware protection, etc. However, I'd need to make sure we weren't losing anything we use currently. Is there an up to date comparison anywhere of what might be missing from the FTD image that is in the ASA? I know SSL VPN/AnyConnect used to be one of those features, but it looks like it's in now. I can't find a comparison from within the last year.


4 Replies

Abheesh Kumar
VIP Alumni

Hi,

You can go for FTD, which includes the Cisco ASA features and FirePOWER Services. This unified software is capable of offering the function of ASA and FirePOWER in one platform, both in terms of hardware and software features.

FTD can be deployed on Cisco Firepower 4100, 9300 and 2100 appliances, as well as on Cisco ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.

FTD supports SSL VPN/AnyConnect, but it doesn't support two-factor authentication.

 

HTH

Abheesh

Thank you!  Are there any other features you're aware of that it doesn't support, or a place where I can see that feature comparison side by side?

There is a good comparison document:

http://networkequipmentcisco.blogspot.com/2018/04/cisco-asa-with-firepower-services-vs-ftd.html

Some I have noted from notes from the forum:

Unsupported

  • Multiple-Context mode
  • Clientless SSL VPN
  • Configuration CLI
  • HA (Active/Standby) for Public Cloud (AWS/Azure)
  • ASA5585-X Platform support (not possible due to hardware architecture)
  • Hyper-V support
  • TLS Proxy for Encrypted Voice Inspection

Supported with limitations

  • Local device manager (no feature parity between FDM and FMC)
  • Central management via in-band data path (Staging or OOB required for remote management)
  • AnyConnect (no feature parity with ASA)
  • REST API (no feature parity with ASA REST API yet)
  • SSL Acceleration (only for FPR4100 & FPR9300)
  • Clustering (only for FPR4100 & FPR9300)
  • Unified Connection Logging (FTD Connection events do not include detailed L4 information, e.g. SYN Timeout, etc.)

Supported with FlexConfig

  • Modular Policy Framework (e.g. changing TCP timeouts, changing inspections depending on ACL)
  • Bidirectional Forwarding Detection (BFD)
  • Web Cache Communications Protocol (WCCP)
  • Virtual Extensible LAN (VXLAN)
  • Intermediate System to Intermediate System (IS-IS)
  • Enhanced Interior Gateway Routing Protocol (EIGRP)
  • Policy-based Routing (PBR)
  • Equal-cost multi-path routing (ECMP)
  • NetFlow

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

That is definitely closer to up to date - thank you! Although the blog post does say AnyConnect isn't supported, and it looks like it was added a couple of months after that. The SSL VPN features not at parity was concerning, so I searched more on that specifically and found this list of limitations: https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html#anc13

Something like this - an official, updated exact feature comparison - is what I was hoping to find across the board, but I'm definitely closer now. Thanks! Would welcome any other opinions/gotchas as well about potentially moving to FTD from ASA, but I'm feeling somewhat more informed now.
