Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12735
Views
20
Helpful
18
Replies

Managing Cisco Firepower without FMC

Go to solution
sulaimangd
Level 1
Level 1

‎07-09-2017 06:37 AM - edited ‎03-12-2019 02:40 AM

Hi,

im trying to understand the following

when we say ASA with FirePower, we mean upgraded ASA boxes which have the Unified ASA Image?

What is FTD?

What is the Difference when we say ASA with FirePower and the Firepower Appliances?

and to manage a Cisco FirePower Applaince we need FMC, Right?

Thanks again.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-09-2017 08:10 AM

ASA with FirePOWER means that the Firepower software is running on a module (software module for all but the ASA 5585-X) in addition to the classic ASA software. That is NOT the unified image.

FTD or Firepower Threat Defense is the unified image that combines ASA and FirePOWER features in one running image. Note some ASA features are currently not supported. Notably full SSL VPN (limited support on Firepower 2100 as of this posting), clientless SSL VPN and multiple context. There are a bunch of lesser features also not included in FTD.

Firepower appliances is a term usually used to refer to the old Sourcefire (now branded Cisco) appliances like the 3D7000 and 3D8000 series. They run only Firepower software and not FTD.

There are now also Firepower 2100, 4100 and 9300 series appliances. Those run either FTD or ASA software (2100 series runs FTD only until later this year). Note when they run ASA software it is without ANY Firepower NGIPS features.

We mostly need an FMC to manage Firepower appliances. When an ASA or 2100 series appliance is running FTD it can be managed (with limited features) using the on-box Firepower Device Manager (FDM). The same idea goes for an ASA with FirePOWER service module - you can manage it completely with ASDM (as of Firepower version 6.0).

View solution in original post

18 Replies 18

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-09-2017 08:10 AM

ASA with FirePOWER means that the Firepower software is running on a module (software module for all but the ASA 5585-X) in addition to the classic ASA software. That is NOT the unified image.

FTD or Firepower Threat Defense is the unified image that combines ASA and FirePOWER features in one running image. Note some ASA features are currently not supported. Notably full SSL VPN (limited support on Firepower 2100 as of this posting), clientless SSL VPN and multiple context. There are a bunch of lesser features also not included in FTD.

Firepower appliances is a term usually used to refer to the old Sourcefire (now branded Cisco) appliances like the 3D7000 and 3D8000 series. They run only Firepower software and not FTD.

There are now also Firepower 2100, 4100 and 9300 series appliances. Those run either FTD or ASA software (2100 series runs FTD only until later this year). Note when they run ASA software it is without ANY Firepower NGIPS features.

We mostly need an FMC to manage Firepower appliances. When an ASA or 2100 series appliance is running FTD it can be managed (with limited features) using the on-box Firepower Device Manager (FDM). The same idea goes for an ASA with FirePOWER service module - you can manage it completely with ASDM (as of Firepower version 6.0).

Go to solution
sulaimangd
Level 1
Level 1
In response to Marvin Rhoads

‎07-11-2017 11:24 PM

thanks marvin,

so when we say for example 

Cisco Firepower 4110 NGFW appliance running FXOS, so we are referring to FTD running on those boxes.

for that we need FMC to manage those devices am I right?

Thanks 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sulaimangd

‎07-11-2017 11:28 PM

Yes that's right. You do require FMC to manage FTD logical devices on a 4110 chassis. 

0 Helpful

Go to solution
sulaimangd
Level 1
Level 1
In response to Marvin Rhoads

‎07-11-2017 11:32 PM

so FXOS is the FTD?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sulaimangd

‎07-12-2017 03:42 AM

No, FX-OS or Firepower eXtensible Operating System is the OS that manages the chassis resources.

You interact with it directly when you first setup the hardware and use it to deploy and assign resources (interfaces) to a logical device. Logical devices can be FTD, ASA or (for the 9300 chassis only) Radware virtual DefensePro (vDP).

FX-OS has a web-based GUI (Firepower Chassis Manager or FCM) or you can access it via cli or API to the chassis management interface.

Go to solution
sulaimangd
Level 1
Level 1
In response to Marvin Rhoads

‎07-16-2017 12:13 AM

Thanks Marvin,

in case we have a 4110 Appliance, and its running ASA software, so this can be managed using ASDM, but we will not be able to run FTD, so it's either ASA Code or FTD code?

Sulaiman

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sulaimangd

‎07-16-2017 01:33 AM

You're welcome.

That's correct - you run either an ASA or FTD logical device on a Firepower 4110. Never both at the same time.

The ASA looks pretty much like any other ASA when managing it with ASDM. The only differences are the few things you have to do via the FX-OS-based Firepower Chassis Manager (FCM). Those include (off the top of my head):

deploy and upgrade the image,

license features (via Smart Licensing) like 3DES-AES and AnyConnect (for ASA logical devices) and Firepower licenses for all FTD logical devices and AnyConnect (2100 series only for that bit on FTD as of 6.2.1),

allocate interfaces,

create portchannels.

Note that you need to apply the ASA 3DES-AES license via FCM using Smart Licensing before you can use ASDM to manage the ASA logical device.

Go to solution
pablohernandez
Level 1
Level 1
In response to Marvin Rhoads

‎09-11-2017 10:24 AM

Hi,

 

Regarding the FP2100 with ASA, how are the FirePower features activated? I understand that the device is running ASA code, so how do I enable the NFGW features, like AVC, IPS, etc?

 

Regards.

0 Helpful

Go to solution
dvalinho
Level 1
Level 1
In response to Marvin Rhoads

‎03-15-2019 09:22 AM

Thanks Marvin.

Got a question.

Lets assume we are migrating from an old ASA to FTD box running ASA image. Can the migration tool + FMC be used in that case?

I know it i useful in case we upgrade to FTD image but not sure when we run ASA image on FTD bix.

0 Helpful

Go to solution
mohammedelmeligie1978
Level 1
Level 1

‎08-29-2022 12:25 AM

Hi Marvin 

How can configure FTD 4100 without FMC?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mohammedelmeligie1978

‎08-29-2022 01:17 AM - edited ‎08-29-2022 05:52 AM

@mohammedelmeligie1978 If you are not using FMC then first make sure the appliance is set for local management using the cli command "show managers".

Then follow this guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-get-started.html#concept_D737C97687844B4F90349681810352D1

0 Helpful

Go to solution
mohammedelmeligie1978
Level 1
Level 1

‎08-29-2022 04:39 AM

 Marvin,

Does ASDM support inline pairing without fmc ?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to mohammedelmeligie1978

‎08-29-2022 05:50 AM

@mohammedelmeligie1978 are you running ASA image or FTD image on your appliance?

Since you ask about ASDM that implies ASA image. Inline pairing is a mode specific to IPS which is not applicable for ASAs.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card