10-03-2016 04:16 PM - edited 03-12-2019 06:09 AM
Hi,
can anyone explain the path for ASA and Firepower especially in relation to FMC.
For eg, How does Firepower Defense Manager work in with a network that is running a FMC?
If ASDM will no longer be used, which device will be used to push ASA Firewall rules?
Lastly how does Cisco Defense Orchestrator fit into the mix?
11-20-2016 12:23 PM
The firepower product portfolio can be kind of confusing but I will try to answer all your questions.
Currently we have two deployment options for ASA:
- ASA with Firepower Services (ASA running a separate image for Firepower functionality, next to the ASA code)
- Firepower Threat Defense (unified image containing ASA + Firepower code in a single OS)
Both deployment scenarios have different ways to manage them:
- ASA with Firepower Services: manage ASA using CLI/ASDM and the Firepower module using FMC/ASDM (I highly discourage anyone from managing Firepower using ASDM. It's buggy and it will surely die off sooner or later)
- Firepower Threat Defense: FMC or FDM (Firepower Device Manager). FDM can only be used for entry/midrange firewalls (<= 5440-X) and is a dumbed-down version of FMC which has some feature limitations and should be used for small environments that do not benefit from central management using FMC.
- ASDM is no longer required since all "ASA" configuration is done on the FMC / FDM
Cisco Defense Orchestrator is Cisco's cloud offering to manage ASA / Firepower. To be honest, I have yet to meet anyone using it and I am not aware of any limitations.
Let me know if this answers your question.
07-01-2019 06:02 AM
@Oliver Kaiser wrote:
The firepower product portfolio can be kind of confusing but I will try to answer all your questions.
Currently we have two deployment options for ASA:
- ASA with Firepower Services (ASA running a separate image for Firepower functionality, next to the ASA code)
- Firepower Threat Defense (unified image containing ASA + Firepower code in a single OS)
Both deployment scenarios have different ways to manage them:
- ASA with Firepower Services: manage ASA using CLI/ASDM and the Firepower module using FMC/ASDM (I highly discourage anyone from managing Firepower using ASDM. It's buggy and it will surely die off sooner or later)
- Firepower Threat Defense: FMC or FDM (Firepower Device Manager). FDM can only be used for entry/midrange firewalls (<= 5440-X) and is a dumbed-down version of FMC which has some feature limitations and should be used for small environments that do not benefit from central management using FMC.
- ASDM is no longer required since all "ASA" configuration is done on the FMC / FDM
Cisco Defense Orchestrator is Cisco's cloud offering to manage ASA / Firepower. To be honest, I have yet to meet anyone using it and I am not aware of any limitations.
Let me know if this answers your question.
I have a question regarding FDM deployment. For small companies it doesn't make sense to purchase FMC for managing 1 ASA. So in my case I am trying to deploy ASA FTD with the local manager, the Firepower Device Manager (FDM). It turns out there are many limitations; so far what I see is:
- no possibility for EtherChannel
- no local user database for RA VPN
- Identity Realm allows only integration with LDAP, which cannot be used for RA VPN! No RADIUS
- cannot change the outside data interface management port from 443 to something else
Correct me if some of these are wrong. These limitations seem very disappointing. A normal ASDM-managed ASA can set all these with ease. The most worrying aspect is the RA VPN. How can it be configured for such a deployment?
07-01-2019 06:46 AM
Re points 1 and 4, that's correct.
Re points 2 and 3, in FDM 6.4 we can use both local and RADIUS authentication (in addition to AD / LDAP).
Subsequent releases may address your other requirements.