11-08-2021 10:15 AM
Because Cisco is phasing out the ASA and moving to FTD, that would be the next logical upgrade in our environment. I have just started to scratch the surface and have been watching videos about FTD Hardware / OS. I learned that you have to make changes and then deploy them. In the videos, it's never instantaneous as was the case on the ASA hardware. It seems to take up to a few minutes for simple changes to take effect (IP address changes, Access Rule changes, etc.) I read on the Cisco website, “We strongly recommend you deploy in a maintenance window or at a time when interruptions will have the least impact” because there can be dropped packets (and not just if/when Snort restarts.) Is that really the case? If I can not make a change on the fly that happens instantly, like updating an ACL, that is an instant deal breaker. Can someone who uses these FTD devices (with FTD OS, not ASA) in the real world answer this? Thanks!
11-08-2021 10:29 AM
@brettp yes that is generally true, you do need to deploy the changes which take a few minutes. However since version 7.0 you do have dynamic objects, which allow you to push changes via API and take effect immediately without having to push policy. More info.
https://www.youtube.com/watch?v=Gt5Yj7MgtG0&t=177s
11-08-2021 11:16 AM
Hello! To add another hint, dropping packets due to a Snort engine restart is a very particular scenario. I don't know what kind of company you manage, but you rarely perceive the drops, so you shouldn't worry too much, because there are different configurations to avoid that behavior.
Regards.
11-08-2021 12:44 PM
Unlike ASAs (and many traditional network devices), where the configuration is stored in a flat text file, FTD uses databases under the hood. As a result, we will most likely never see configuration changes committed in a similar fashion and at a similar speed to "wr mem". With that said, we are constantly working on optimizing the deployment mechanisms. Thus, with each new release, the amount of time required to deploy changes is improved.
With regards to your second topic: the deployment window will warn you if the pending changes will cause traffic interruptions. In addition, with the introduction of Snort 3 (Firepower Threat Defense v7.0), we have eliminated most cases where a Snort restart is required.
I hope this helps!
Thank you for rating helpful posts!