sulaimangd
Beginner

Managing Cisco Firepower without FMC

Hi,

I'm trying to understand the following:

When we say ASA with FirePower, do we mean upgraded ASA boxes which have the unified ASA image?

What is FTD?

What is the Difference when we say ASA with FirePower and the Firepower Appliances?

And to manage a Cisco FirePower appliance we need FMC, right?

Thanks again.

Accepted Solution
Marvin Rhoads
VIP Community Legend

ASA with FirePOWER means that the Firepower software is running on a module (software module for all but the ASA 5585-X) in addition to the classic ASA software. That is NOT the unified image.

FTD or Firepower Threat Defense is the unified image that combines ASA and FirePOWER features in one running image. Note some ASA features are currently not supported. Notably full SSL VPN (limited support on Firepower 2100 as of this posting), clientless SSL VPN and multiple context. There are a bunch of lesser features also not included in FTD.

Firepower appliances is a term usually used to refer to the old Sourcefire (now branded Cisco) appliances like the 3D7000 and 3D8000 series. They run only Firepower software and not FTD.

There are now also Firepower 2100, 4100 and 9300 series appliances. Those run either FTD or ASA software (2100 series runs FTD only until later this year). Note when they run ASA software it is without ANY Firepower NGIPS features.

We mostly need an FMC to manage Firepower appliances. When an ASA or 2100 series appliance is running FTD it can be managed (with limited features) using the on-box Firepower Device Manager (FDM). The same idea goes for an ASA with FirePOWER service module - you can manage it completely with ASDM (as of Firepower version 6.0).


10 Replies

Thanks Marvin,

So when we say, for example, Cisco Firepower 4110 NGFW appliance running FXOS, we are referring to FTD running on those boxes?

For that we need FMC to manage those devices, am I right?

Thanks 

Yes that's right. You do require FMC to manage FTD logical devices on a 4110 chassis. 

So FXOS is the FTD?

No, FX-OS or Firepower eXtensible Operating System is the OS that manages the chassis resources.

You interact with it directly when you first setup the hardware and use it to deploy and assign resources (interfaces) to a logical device. Logical devices can be FTD, ASA or (for the 9300 chassis only) Radware virtual DefensePro (vDP).

FX-OS has a web-based GUI (Firepower Chassis Manager or FCM), or you can access it via CLI or API to the chassis management interface.

Thanks Marvin,

In case we have a 4110 appliance and it's running ASA software, this can be managed using ASDM, but we will not be able to run FTD, so it's either ASA code or FTD code?

Sulaiman

You're welcome.

That's correct - you run either an ASA or FTD logical device on a Firepower 4110. Never both at the same time.

The ASA looks pretty much like any other ASA when managing it with ASDM. The only differences are the few things you have to do via the FX-OS-based Firepower Chassis Manager (FCM). Those include (off the top of my head):

deploy and upgrade the image,

license features (via Smart Licensing) like 3DES-AES and AnyConnect (for ASA logical devices) and Firepower licenses for all FTD logical devices and AnyConnect (2100 series only for that bit on FTD as of 6.2.1),

allocate interfaces,

create portchannels.

Note that you need to apply the ASA 3DES-AES license via FCM using Smart Licensing before you can use ASDM to manage the ASA logical device.

Hi,


Regarding the FP2100 with ASA, how are the FirePower features activated? I understand that the device is running ASA code, so how do I enable the NGFW features, like AVC, IPS, etc.?


Regards.

Thanks Marvin.

Got a question.

Let's assume we are migrating from an old ASA to an FTD box running the ASA image. Can the migration tool + FMC be used in that case?

I know it is useful in case we upgrade to the FTD image, but I'm not sure when we run the ASA image on the FTD box.
