missing and limited functionality with FMC controlling an ASA FTD

walter baziuk
Level 5

Here are the design issues that I found so far:

  • can't set interface security level in GUI
    • all interfaces stay at 0 - this is a big BUG
  • no EIGRP route support
    • only OSPF, BGP and static
    • no support for the Cisco EIGRP routing protocol
  • can't import CLI code
    • setting object groups in GUI is very slow and tedious
    • I know the CLI syntax and it's far easier to type into TextPad than in GUI steps
  • no CONF T option in either CLI option, i.e.
    • expert shell or
    • SYSTEM SUPPORT DIAGNOSTIC_CLI
  • can't create an object with a TCP/UDP option, only TCP or UDP
  • can't use the combined TCP/UDP protocol names when creating a network or port object, only numbers are allowed
  • no ability to define ICMP objects, i.e.
    • to limit which ICMP messages are handled or responded to - a big bug

I really need a solution to import CLI, rather than just use the limited GUI - a big bug.
If I could import, then I could fix and get my old config into the new CLI format.
I can get a running config from the CLI, but I can't enter any config command.

With the current GUI, there is a lot of missing functionality.


7 Replies

walter baziuk
Level 5
If I disconnect the FTD from the FMC (all saves and deploys), will I get the CONF T access again on the FTD CLI?

If so, can I then enter all valid CLI commands (including those that the FMC GUI can't do yet)?

If so, when I reconnect the FTD to the FMC, will I have fixed the issue, and will the FMC support all the FTD-supported CLI commands I entered?

As mentioned, network and port objects and object groups are very tedious to enter in a GUI; copy and paste via TextPad is FAR easier.

Hello Walter,

Unfortunately there is no support for conf t on FTD, even if you were to remove it from the Manager.

It seems that you would be better served by keeping the ASA-SFR module combination instead of using FTD.

FTD does not have full functionality parity with ASA yet.

AARRGGHH (;
My SE told me that it had most of the functionality.

I received an RMA ASA with V2 HW to fix the clock issue on Ver1 HW.
He indicated that this would be a great opportunity to migrate to FTD with FMC.
I guess that was not true.
I can't even set the interface security level (;

It is getting close, but the items you are asking for are not there.

Security Level is mainly handled by your Access Control policy and rules.

For EIGRP, you can use Flex Config.

The TCP-UDP object would have to be handled on the ACP, which is the slow way.

There is a migration tool we have that allows for the import of ASA Configuration to FTD. There are some limitations, but it can import most of the configuration.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620/asa2ftd_intro.html


I built the migration FMC. It was NOT useful. It could not convert any of our ASA code 100% successfully.

Each time I had to open a TAC ticket, and it took TAC at least two weeks to convert each ASA CLI code base; some were not even that complicated.
In all cases, they were NOT able to convert 100% of any CLI code base. We are now looking at Palo Alto firewalls as they handle level 7 apps much better.

There are NO EIGRP options.

Please show me the screenshots and which menu supports setting the security level from 0-100. It was easy on ASA, now very hard on FMC with FTD.

Hello Walter,

Please see the screenshot below.

EIGRP is not under the routing tab of the device, but it can be configured by using Flex Config.

Devices > FlexConfig.

Regarding security level, there is no concept of that on FTD; the access control rules are what is used to get traffic from one interface to the other.

 
