Beginner

Threat Defence, Firepower Defense Manager and Firepower Management Centre

Hi,

Can anyone explain the path for ASA and Firepower, especially in relation to FMC?
For example, how does Firepower Device Manager work in a network that is running an FMC?

If ASDM will no longer be used, which device will be used to push ASA firewall rules?

Lastly, how does Cisco Defense Orchestrator fit into the mix?

3 REPLIES
Rising star

The firepower product

The firepower product portfolio can be kind of confusing but I will try to answer all your questions.

Currently we have two deployment options for ASA.

  • ASA with Firepower Services (ASA running a separate image for Firepower functionality, next to the ASA code)
  • Firepower Threat Defense (unified image containing ASA + Firepower code in a single OS)

Both deployment scenarios have different ways to manage them:

  • ASA with Firepower Services: manage ASA using CLI/ASDM and the Firepower module using FMC/ASDM (I highly discourage anyone from managing Firepower using ASDM. It's buggy and it will surely die off sooner or later.)
  • Firepower Threat Defense: FMC or FDM (Firepower Device Manager). FDM can only be used for entry/midrange firewalls (<= 5440-X) and is a dumbed-down version of FMC which has some feature limitations; it should be used for small environments that do not benefit from central management using FMC.
    • ASDM is no longer required since all "ASA" configuration is done on the FMC / FDM.

Cisco Defense Orchestrator is Cisco's cloud offering to manage ASA / Firepower. To be honest, I have yet to meet anyone using it and I am not aware of any limitations.

Let me know if this answers your question.

Re: The firepower product


@Oliver Kaiser wrote:

The firepower product portfolio can be kind of confusing but I will try to answer all your questions.

Currently we have two deployment options for ASA.

  • ASA with Firepower Services (ASA running a separate image for Firepower functionality, next to the ASA code)
  • Firepower Threat Defense (unified image containing ASA + Firepower code in a single OS)

Both deployment scenarios have different ways to manage them:

  • ASA with Firepower Services: manage ASA using CLI/ASDM and the Firepower module using FMC/ASDM (I highly discourage anyone from managing Firepower using ASDM. It's buggy and it will surely die off sooner or later.)
  • Firepower Threat Defense: FMC or FDM (Firepower Device Manager). FDM can only be used for entry/midrange firewalls (<= 5440-X) and is a dumbed-down version of FMC which has some feature limitations; it should be used for small environments that do not benefit from central management using FMC.
    • ASDM is no longer required since all "ASA" configuration is done on the FMC / FDM.

Cisco Defense Orchestrator is Cisco's cloud offering to manage ASA / Firepower. To be honest, I have yet to meet anyone using it and I am not aware of any limitations.

Let me know if this answers your question.

I have a question regarding FDM deployment. For small companies it doesn't make sense to purchase FMC for managing one ASA. So in my case I am trying to deploy ASA FTD with the local manager, the Firepower Device Manager (FDM). It turns out there are many limitations; so far what I see is:

- no possibility for EtherChannel
- no local user database for RA VPN
- Identity Realm allows only integration with LDAP, which cannot be used for RA VPN!!! No RADIUS
- cannot change the outside data interface management port from 443 to something else

Correct me if some of these are wrong. These limitations seem very disappointing. A normal ASDM ASA can set all these with ease. The most worrying aspect is the RA VPN. How can it be configured for such deployment?

Hall of Fame Guru

Re: The firepower product

Re points 1 and 4, that's correct.

Re points 2 and 3, in FDM 6.4 we can use both local and RADIUS authentication (in addition to AD / LDAP).

Subsequent releases may address your other requirements.