12-13-2017 12:03 AM
Hey All,
It seems Cisco made the decision to go with FTD as the only image for NGFW. Is there anyone here who has already implemented FTD across a company (not a pilot, not a single firewall)?
12-13-2017 08:55 AM
Hi,
We have around 10 implementations with FTD. I can tell you it will give you a little pain in the head, because there are some features where you need to work hard to deliver everything the way customers want.
SSL/TLS decryption is the trickiest feature, imo. There are not many options for making an exception (you cannot add an external feed list to exclude, e.g. Office 365). You can only use URL categories and other SSL/TLS options to do this and, imo, that is not the best way to do it.
FMC 6.2.2.1 is too slow if you compare it with other vendors. But it is much better now.
I like ASA a lot; having worked with Firepower for about 2 years, it needs much improvement to beat firewall solutions like Palo Alto and Fortinet. (It's sad but it's true.)
Btw, all implementations were successful. If you need some help, we can help you.
Best regards
Pablo Costa
12-13-2017 11:47 AM
Hey Pablo,
Thanks for the answer.
What about VPN functionality? Both S2S VPN and AnyConnect Remote Access (group policies, Dynamic Access Policies, XML profiles)?
12-15-2017 10:17 AM
FTD now supports S2S VPN and RA VPN.
I have also deployed multiple FTDs for multiple customers in production. I have done many S2S VPNs. I have labbed up the AnyConnect RA VPN, as well.
I don't believe Dynamic Access Policies are supported at this time. But, depending on what you're using it for, you may have other options.
If you have specific use cases you want to confirm are available, you probably want to chat with your partner/account team.
02-07-2018 11:34 PM
Hello,
With AnyConnect, FTD has some limitations.
Currently unsupported on FTD, but available on ASA:
You can check this guide.
02-08-2018 12:05 PM
I have been on a project for the past few months deploying ASA5516s converted to FTDs. The conversion takes about 3 hours. The FTDs are configured in an HA pair with no issues so far. The routing protocol is EIGRP, so I had to use FlexConfig. FlexConfig takes a little time to get used to, and it has been good. We had an issue with EIGRP authentication, and Cisco has released a patch to us to take care of that issue.
With FTDs you do give up CLI configuration and that can slow down the configuration process, especially with the HA pair.