
FMC FTD (Cluster) and Context

Alex Ribas
Level 1

I'm installing FTD in my network but I'd like to implement Context in FTD.

I'm using FMC 6.3.0.

 

1-FTD on ASA5516x

Model : Cisco ASA5516-X Threat Defense (75) Version 6.3.0 (Build 83)

2-FTD on ASA5516x

Model : Cisco ASA5516-X Threat Defense (75) Version 6.3.0 (Build 83)

 

My idea is: clusters and multiple contexts. I was comfortable doing it when I was using Cisco ASA and contexts (failover, etc.), but in FTD and FMC I have never done it before.

 

Has anyone configured it before?

Thank you

Alex Ribas

 

 

 

 

 

 



Multiple context does not exist on FTD, the closest feature is multi-instance, but that is only supported on FPR-4100/9300 hardware so will not work on your ASA 5516.

 

Clustering is also only supported on FPR-4100/9300 hardware, so will also not work on your hardware.

 

Your hardware will support Active/Standby failover.

 

For reference:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/multi-instance/multi-instance_solution.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html

 

HTH

So the solution in this case:

Use Cisco ASA 5516-x Context (IOS) and Module Failover, OK, and

FirePower separate, using filters, integrated with FMC?

Any idea?

Thank you

Alex

 

You can use ASA software with FPR module managed via FMC.

 

Yes, but

I have 2 Cisco ASA 5516x (6 contexts), and one context we use to go to the Internet.

My plan is:

Profile Users Integrate Active Directory (GROUP_DIRECTOR_ FULL ACCESS), without URL filter

Profile Users Integrate Active Directory (GRUPO_USERS), URL filter

And user just FirePower controller my context

Is it possible?

 

 

The ASA 5516 only supports a maximum of 5 contexts... unless you were referring to 6 contexts across the 2 ASA 5516?

I don't see a reason why you need to run multiple-context. Why can you not just use one context? Then you could run the FTD image in HA.

Can I use URL filter per user (Active Directory) in one context using FirePower without FMC?

Thank you.

 

Yes, FTD managed via FDM (local management without FMC) can authenticate to AD.

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/fdm/fptd-fdm-config-guide-630/fptd-fdm-identity-sources.html

 

You then just create access control rules against AD users/groups with or without URL filtering
