1191 Views, 5 Helpful, 3 Replies

Simple FTD Question -- Are instantaneous changes possible? Yes or no?

brettp
Level 1

Because Cisco is phasing out the ASA and moving to FTD, that would be the next logical upgrade in our environment. I have just started to scratch the surface and have been watching videos about FTD hardware and OS. I learned that you have to make changes and then deploy them. In the videos, it's never instantaneous as was the case on the ASA hardware. It seems to take up to a few minutes for simple changes to take effect (IP address changes, access rule changes, etc.). I read on the Cisco website, "We strongly recommend you deploy in a maintenance window or at a time when interruptions will have the least impact" because there can be dropped packets (and not just if/when Snort restarts). Is that really the case? If I cannot make a change on the fly that happens instantly, like updating an ACL, that is an instant deal breaker. Can someone who uses these FTD devices (with FTD OS, not ASA) in the real world answer this? Thanks!

3 Accepted Solutions

@brettp Yes, that is generally true: you do need to deploy the changes, which takes a few minutes. However, since version 7.0 you do have dynamic objects, which allow you to push changes via API that take effect immediately without having to push policy. More info:

https://www.youtube.com/watch?v=Gt5Yj7MgtG0&t=177s
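The dynamic-object path mentioned above is the one practical way to change what an FTD access rule matches without a policy deploy, so here is an added example of how that API push looks in practice. This is not code from the thread or from Cisco. It assumes the FMC REST API as shipped with FMC/FTD 7.0: a token from POST /api/fmc_platform/v1/auth/generatetoken (returned in the X-auth-access-token and DOMAIN_UUID response headers), the current mappings from GET .../object/dynamicobjects/{id}/mappings (the "mapping" field name on each item is assumed), and changes via POST .../object/dynamicobjectmappings with top-level "add"/"remove" lists. Confirm all three in the API Explorer on your own FMC before use. The FMC host, credentials, CA file and the dynamic object UUID are placeholders.

```python
"""Reconcile an FMC dynamic object's IP mappings without a policy deploy.

Added example, not Cisco code. Endpoint paths follow the FMC 7.0 REST API as
understood by the author of this example; FMC_HOST, DYN_OBJ_ID, the CA file and
credentials are placeholders, and the "mapping" item field is an assumption.
"""
import base64
import ipaddress
import json
import ssl
import urllib.request
from typing import Iterable

FMC_HOST = "fmc.example.internal"                      # placeholder
DYN_OBJ_ID = "00000000-0000-0000-0000-000000000000"    # placeholder object UUID


def normalize(entries: Iterable[str]) -> set:
    """Canonicalise hosts and CIDR prefixes (v4 or v6); hosts lose the /32 or /128.

    Garbage such as '10.0.0.256' raises ValueError instead of being pushed to the FMC.
    """
    out = set()
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        net = ipaddress.ip_network(raw, strict=False)
        out.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return out


def plan_changes(desired: Iterable[str], current: Iterable[str], obj_id: str = DYN_OBJ_ID) -> dict:
    """Build the add/remove body for the dynamicobjectmappings call as a pure diff.

    Only non-empty lists are included, so a run with no drift yields {} and the
    caller can skip the HTTP call entirely (idempotent push).
    """
    want, have = normalize(desired), normalize(current)
    ref = {"id": obj_id, "type": "DynamicObject"}
    body = {}
    if want - have:
        body["add"] = [{"mappings": sorted(want - have), "dynamicObject": ref}]
    if have - want:
        body["remove"] = [{"mappings": sorted(have - want), "dynamicObject": ref}]
    return body


def parse_auth_headers(headers: dict) -> tuple:
    """Pull the access token and domain UUID out of the generatetoken response headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    token, domain = lowered.get("x-auth-access-token"), lowered.get("domain_uuid")
    if not token or not domain:
        raise RuntimeError("FMC did not return X-auth-access-token / DOMAIN_UUID")
    return token, domain


def _call(method, path, headers, body=None, ctx=None):
    """Minimal HTTPS helper; returns (status, response headers dict, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{FMC_HOST}{path}", data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return resp.status, dict(resp.getheaders()), (json.loads(raw) if raw else None)


def push_mappings(user: str, password: str, desired: Iterable[str], ca_file: str) -> dict:
    """Log in, read the object's current mappings, and post only the difference."""
    ctx = ssl.create_default_context(cafile=ca_file)      # trust the FMC's CA; never disable verification
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    _, hdrs, _ = _call("POST", "/api/fmc_platform/v1/auth/generatetoken",
                       {"Authorization": f"Basic {basic}"}, ctx=ctx)
    token, domain = parse_auth_headers(hdrs)
    auth = {"X-auth-access-token": token}
    _, _, cur = _call("GET", f"/api/fmc_config/v1/domain/{domain}/object/dynamicobjects/"
                      f"{DYN_OBJ_ID}/mappings", auth, ctx=ctx)
    current = [m["mapping"] for m in (cur or {}).get("items", [])]   # "mapping" field assumed
    body = plan_changes(desired, current)
    if not body:
        return {}          # nothing drifted: no API call and no deploy needed
    status, _, _ = _call("POST", f"/api/fmc_config/v1/domain/{domain}/object/dynamicobjectmappings",
                         auth, body=body, ctx=ctx)
    return {"status": status, "sent": body}
```

The point of the diff step is operational: the access rule keeps referencing the same dynamic object, so only the membership changes travel over the API, and re-running the script with an unchanged desired list sends nothing. Inputs are validated with the ipaddress module before anything is posted, so a typo in a feed cannot land in the firewall's match set.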

#Mat
Level 6

Hello! To add another hint, dropping packets because of a Snort engine restart is a very particular scenario. I don't know what kind of company you manage, but you rarely perceive the drops, so you shouldn't worry too much, because there are different configurations to avoid that behavior.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/policy_management.html#concept_uc1_gtq_ty

Regards.

nspasov
Cisco Employee

Unlike ASAs (and many traditional network devices), where the configuration is stored in a flat text file, FTD uses DBs under the hood. As a result, we will most likely never see configuration changes committed in a similar fashion and at a similar speed to "wr mem". With that said, we are constantly working on optimizing the deployment mechanisms. Thus, with each new release, the amount of time required to deploy changes is improved.

With regard to your second topic: the deployment window will warn you if the pending changes will cause traffic interruptions. In addition, with the introduction of Snort 3 (Firepower Threat Defense v7.0), we have eliminated most cases where a Snort restart is required.

I hope this helps!

Thank you for rating helpful posts!
