FTD or ASA OS

Hey All,

It seems Cisco made the decision to go with FTD as the only image for NGFW. Is there anyone here who has already implemented FTD across a company (not a pilot, not a single firewall)?

5 REPLIES

Hi,

We have around 10 implementations with FTD. I can tell you it will give you a little pain in the head because there are some features that you need to work hard on to deliver everything the way customers want.

SSL/TLS decryption is the trickiest feature imo. There are not many options to make an exception (you cannot add an external feed list to exclude, e.g. Office 365). You can only use URL categories and other SSL/TLS options to do this and, imo, that is not the best way to do it.

FMC 6.2.2.1 is too slow if you compare it with other vendors. But it is much better now.

I like ASA a lot; having worked with Firepower for about 2 years, it needs much improvement to beat firewall solutions like Palo Alto and Fortinet. (It's sad but it's true.)

Btw all implementations were successful. If you need some help we can help you.

Best regards

Pablo Costa


Hey Pablo,

Thanks for the answer.

What about VPN functionality? Both S2S VPN and AnyConnect Remote Access (group policies, Dynamic Access Policies, XML profiles)?


FTD now supports S2S VPN and RA VPN.

I have also deployed multiple FTDs for multiple customers in production. I have done many S2S VPNs. I have labbed up the AnyConnect RA VPN, as well.

I don't believe Dynamic Access Policies are supported at this time. But, depending on what you're using it for, you may have other options.

If you have specific use cases you want to confirm are available, you probably want to chat with your partner/account team.


Hello,

In AnyConnect, the FTD has some limitations:

Limitations

Currently unsupported on FTD, but available on ASA:

  • Double AAA Authentication
  • Dynamic Access Policy
  • Host Scan
  • ISE posture
  • RADIUS CoA
  • VPN load-balancer
  • Local authentication (Enhancement: CSCvf92680)
  • LDAP attribute map
  • AnyConnect customization
  • AnyConnect scripts
  • AnyConnect localization
  • Per-app VPN
  • SCEP proxy
  • WSA integration
  • SAML SSO
  • Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN
  • AnyConnect modules (NAM, Hostscan, AMP Enabler etc.) – DART is installed by default
  • TACACS, Kerberos (KCD Authentication and RSA SDI)
  • Browser Proxy

You can check this guide:

AnyConnect Remote Access VPN configuration on FTD - Cisco


I have been on a project for the past few months deploying ASA5516s converted to FTDs. The conversion takes about 3 hours. The FTDs are configured in a HA pair with no issues so far. The routing protocol is EIGRP so I had to use Flexconfig. Flexconfig takes a little time to get used to and it has been good. We had an issue with EIGRP authentication and Cisco has released a patch to us to take care of that issue.

With FTDs you do give up CLI configuration and that can slow down the configuration process, especially with the HA pair.
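To make the FlexConfig point above concrete, here is what an EIGRP FlexConfig object with MD5 neighbor authentication looks like. This is an added illustration, not configuration from the poster or from Cisco; the autonomous-system number 100, the 10.0.0.0/8 network, the interface name GigabitEthernet1/1 and the key name are all assumed placeholders. FlexConfig objects in FMC carry ASA-style CLI that is pushed to the FTD at deploy time, so the syntax is the same as on an ASA.

```text
! Assumed values: AS 100, network 10.0.0.0/8, interface GigabitEthernet1/1,
! key "REPLACE_WITH_SHARED_KEY" (placeholder; use a key from a secrets store).
router eigrp 100
 network 10.0.0.0 255.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet1/1

! Authenticate EIGRP hellos on the peering interface so an unauthenticated
! device on that segment cannot form an adjacency and inject routes.
interface GigabitEthernet1/1
 authentication mode eigrp 100 md5
 authentication key eigrp 100 REPLACE_WITH_SHARED_KEY key-id 1
```

The key and key-id must match on every neighbor on that segment, or adjacencies will drop; after deploying, check `show eigrp neighbors` from the FTD diagnostic CLI to confirm the peers came back up, which is also the quickest way to see an authentication mismatch of the kind the post describes.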
