10-14-2020 09:01 AM
Current setup
I have two old pairs of ASA5555 and a virtual FMC. The ASAs are associated with the FMC but they are managed via ASDM
New setup
I have two new pairs of FTD 1100s that are going to replace the two pairs of ASA5555 and I am keeping virtual FMC
Question
In your opinion, should I run the two new pairs of 1100s from the FDM (Firepower Device Manager) or run them as centralized management through the FMC?
Cisco Documentation
"For networks that include only a single device or just a few, where you do not need to use a high-powered
multiple-device manager like the FMC, you can use the integrated Firepower Device Manager (FDM)."
Cisco's statement doesn't leave me warm and fuzzy. Maybe I don't need the FMC to manage them, but I have it so should I use it? To my understanding, running them through the FMC means I will not use FDM at all? I assume I would set up VPN tunnels and everything else via the FMC?
Thank you for your responses. I'm also reading plenty of Cisco literature on this subject; Cisco's naming convention makes it a bit rough to follow e.g., FTD, FMC, FDM, ASA, ASDM, Firepower, FirePOWER, Sourcefire... [Palm-to-face]
10-14-2020 09:09 AM - edited 10-14-2020 09:09 AM
If you are replacing 2, I would suggest to use FMC, so you can centrally push the policies and more other features.
FDM has limited capabilities. (When you are using FMC, you need to manage the device with FMC only, no FDM local management.)
10-14-2020 09:18 AM
The FDM GUI is generally more user-friendly than FMC, especially for network admins who aren't interested in all of the IPS bells and whistles.
FMC can do a few things that aren't possible with FDM but that list is getting shorter with every release. The big ones (as of the current 6.6 release) are you cannot create prefilter rules in FDM, cannot customize an IPS policy in FDM and FDM doesn't retain historical logs or do as much reporting as FMC. Also, by its intrinsic nature FDM manages firewalls "one at a time" so there's no ability to reuse policies, objects etc. across multiple firewalls.
One other thing to consider is CDO management. CDO enhances FDM management by addressing the last caveat I mentioned earlier as well as giving some more GUI-based reporting and visibility. It's also cloud-based so you can easily log in and get the visibility from wherever you are.
In any case, if you use FMC you CANNOT use FDM. FDM and CDO are compatible.