Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1571
Views
0
Helpful
2
Replies

FMC FTD - how? from ex-ASA

J_Vansen_S
Level 3
Level 3

‎04-07-2019 08:13 PM - edited ‎02-21-2020 09:01 AM

Hi All, 

It is our first time deploying FTD+FMC. Coming from years of  ASA deployment experience i am getting very frustrated  on how difficult this change is, does anyone else thinks that way?

 

How do i do a simple ping/connectivity test from the GUI of the FMC? 

I know i can do that by login into the FTD CLI, but that is not quite the way for me to do basic troubleshooting. 

Or how  do i do a packet tracing path like ASA  Gui?

 

In terms of ACL. Do  i group all of my basic L3 deny/allow subnets/ports acl together with all L7 rules, it is such a mess.

If i have 10-15 interfaces on my FTD, with 5-10 rules(l3+l7 rules) the access policy page is a big  gigantic mess. Someone please enlighten me, or what is ur way of doing it.

 

I  am tempted to re-image the whole FTD to  ASA image since im using 2100firepower, if i am  not getting the hang of this   mess!

 

Appreciate any help. 

 

0 Helpful
2 Replies 2

socratesp1980
Level 1
Level 1

‎04-07-2019 10:40 PM

How do I do a simple ping/connectivity test from the GUI of the FMC?

Devices --> Device Management -->click on the tools next to the FW --> Advanced Troubleshooting --> Threat Defence CLI This performs a ping command from the Threat Defence appliance, not the FMC.

 

How do I do a packet tracing path like ASA Gui?

Next tab packet tracer you may check the Capture w/Trace

 

Someone, please enlighten me, or what is ur way of doing it.

I am using rule categories based on the use of each ACL.

 

Hope all these helps. I know it is a bit confusing at first but give it some time. 

0 Helpful

J_Vansen_S
Level 3
Level 3
In response to socratesp1980

‎04-26-2019 06:56 PM

Thanks for your input!

Someone, please enlighten me, or what is ur way of doing it.
I am using rule categories based on the use of each ACL.

Do you use pre-filter, for all ur L3 rules?
As i understand, pre-filter is the ASA equivalent of doing L3 ACL, so it doesnt send it to inspect engine that hogs up more resources for L4-L7 inspection
Then again, if u work with the pre-filter page, there is no option to create category/interface segmentation which is really messy. I had to differentiate my rules using its rule name to group them together
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card