07-09-2017 06:37 AM - edited 03-12-2019 02:40 AM
Hi,
I'm trying to understand the following:
When we say ASA with FirePower, we mean upgraded ASA boxes which have the Unified ASA Image?
What is FTD?
What is the difference when we say ASA with FirePower and the Firepower Appliances?
And to manage a Cisco FirePower Appliance we need FMC, right?
Thanks again.
07-09-2017 08:10 AM
ASA with FirePOWER means that the Firepower software is running on a module (software module for all but the ASA 5585-X) in addition to the classic ASA software. That is NOT the unified image.
FTD or Firepower Threat Defense is the unified image that combines ASA and FirePOWER features in one running image. Note some ASA features are currently not supported. Notably full SSL VPN (limited support on Firepower 2100 as of this posting), clientless SSL VPN and multiple context. There are a bunch of lesser features also not included in FTD.
Firepower appliances is a term usually used to refer to the old Sourcefire (now branded Cisco) appliances like the 3D7000 and 3D8000 series. They run only Firepower software and not FTD.
There are now also Firepower 2100, 4100 and 9300 series appliances. Those run either FTD or ASA software (2100 series runs FTD only until later this year). Note when they run ASA software it is without ANY Firepower NGIPS features.
We mostly need an FMC to manage Firepower appliances. When an ASA or 2100 series appliance is running FTD it can be managed (with limited features) using the on-box Firepower Device Manager (FDM). The same idea goes for an ASA with FirePOWER service module - you can manage it completely with ASDM (as of Firepower version 6.0).
07-11-2017 11:24 PM
Thanks Marvin,
So when we say, for example,
Cisco Firepower 4110 NGFW appliance running FXOS, we are referring to FTD running on those boxes.
For that we need FMC to manage those devices, am I right?
Thanks
07-11-2017 11:28 PM
Yes that's right. You do require FMC to manage FTD logical devices on a 4110 chassis.
07-11-2017 11:32 PM
so FXOS is the FTD?
07-12-2017 03:42 AM
No, FX-OS or Firepower eXtensible Operating System is the OS that manages the chassis resources.
You interact with it directly when you first set up the hardware and use it to deploy and assign resources (interfaces) to a logical device. Logical devices can be FTD, ASA or (for the 9300 chassis only) Radware virtual DefensePro (vDP).
FX-OS has a web-based GUI (Firepower Chassis Manager or FCM) or you can access it via CLI or API to the chassis management interface.
07-16-2017 12:13 AM
Thanks Marvin,
In case we have a 4110 appliance, and it's running ASA software, so this can be managed using ASDM, but we will not be able to run FTD, so it's either ASA code or FTD code?
Sulaiman
07-16-2017 01:33 AM
You're welcome.
That's correct - you run either an ASA or FTD logical device on a Firepower 4110. Never both at the same time.
The ASA looks pretty much like any other ASA when managing it with ASDM. The only differences are the few things you have to do via the FX-OS-based Firepower Chassis Manager (FCM). Those include (off the top of my head):
deploy and upgrade the image,
license features (via Smart Licensing) like 3DES-AES and AnyConnect (for ASA logical devices) and Firepower licenses for all FTD logical devices and AnyConnect (2100 series only for that bit on FTD as of 6.2.1),
allocate interfaces,
create portchannels.
Note that you need to apply the ASA 3DES-AES license via FCM using Smart Licensing before you can use ASDM to manage the ASA logical device.
09-11-2017 10:24 AM
Hi,
Regarding the FP2100 with ASA, how are the FirePower features activated? I understand that the device is running ASA code, so how do I enable the NGFW features, like AVC, IPS, etc.?
Regards.
03-15-2019 09:22 AM
Thanks Marvin.
Got a question.
Let's assume we are migrating from an old ASA to an FTD box running the ASA image. Can the migration tool + FMC be used in that case?
I know it is useful in case we upgrade to the FTD image, but I'm not sure when we run the ASA image on an FTD box.
03-15-2019 08:49 PM
Answered in your other thread:
https://community.cisco.com/t5/firewalls/asa-to-firepower-asa-image/td-p/3820285
08-29-2022 12:25 AM
Hi Marvin
How can I configure FTD 4100 without FMC?
08-29-2022 01:17 AM - edited 08-29-2022 05:52 AM
@mohammedelmeligie1978 If you are not using FMC then first make sure the appliance is set for local management using the CLI command "show managers".
Then follow this guide:
08-29-2022 04:39 AM
Marvin,
Does ASDM support inline pairing without FMC?
08-29-2022 05:50 AM
@mohammedelmeligie1978 are you running ASA image or FTD image on your appliance?
Since you ask about ASDM that implies ASA image. Inline pairing is a mode specific to IPS which is not applicable for ASAs.