QoS on ASA-5525X with FirePower Services

N3t W0rK3r
Level 3

I am trying to configure a QoS policy on my FMC server to deploy to my ASAs to rate limit DropBox traffic.

I am running FirePower services v6.20 and my ASA's are running v9.8 in active/standby.

When I try to create the policy, I am supposed to identify a source interface object but none appear in the dialog box under Available Interface Objects.

When I go back and then try to create an interface object group under object management, there are no interfaces listed under available interfaces in the interface group dialog. It doesn't seem to matter what interface type I select from the dropdown either.

What am I missing here? Why won't this work for me? Is this a license issue? Or are my ASAs not supported?

Thanks in advance.

 

John


Marvin Rhoads
Hall of Fame

The QoS feature set is only supported on FTD (in the context of using FMC to configure and deploy it). See this reference for confirmation:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/quality_of_service__qos__for_firepower_threat_defense.html#id_16322

 

For your use case, you would be limited to what's available on the ASA natively (i.e. distinct from the firepower service module).

Thanks Marvin but I am confused... how is FTD different from FirePower Services? I thought they were one and the same. Is FTD a separate product/device? My apologies for my ignorance.

@N3t W0rK3r you're welcome.

 

Here's a writeup I have shared with others. You may find it useful:

 

ASA with FirePOWER means that the Firepower software is running on a module (software module for all but the ASA 5585-X) in addition to the classic ASA software. That is NOT the unified image.

 

FTD or Firepower Threat Defense is the unified image that combines ASA and FirePOWER features in one running image. Note some ASA features are currently not supported. Notably full SSL VPN (AnyConnect) feature set (basics are supported but not the advanced features), clientless SSL VPN and multiple context. There are a bunch of lesser features also not included in FTD. FTD (on all platforms) DOES include IPsec site-site VPN.

 

Firepower appliances is a term usually used to refer to the old Sourcefire (now branded Cisco) appliances like the 3D7000 and 3D8000 series. They run only Firepower software and not FTD.

 

There are now also Firepower 2100, 4100 and 9300 series appliances. Those run either FTD or ASA software. Note when they run ASA software it is without ANY Firepower NGIPS features.

 

When we run FTD on an ASA it completely replaces the boot and running image on the ASA. There is no longer a separate ASA software and Firepower software - only FTD.

 

We mostly need an FMC to manage Firepower appliances. When an ASA or 2100 series appliance is running FTD it can be managed (with limited features) using the on-box Firepower Device Manager (FDM) web-based GUI. The same idea goes for an ASA with FirePOWER service module - you can manage it completely with ASDM (as of Firepower version 6.0).

 

What a given customer is best served by depends on an informed analysis of their current and future requirements as well as their operational environment.
