Threat Defense Image Limitations

Comm2003 (Level 1)

Hello ,

I'm asking about Cisco Threat defense image.

Many resources state that there are still some limitations to this image. I tried to find a clear document covering this issue, but still can't find a clear list of unsupported features.

Any Help ?

Thanks.

Accepted Solution

niko (Level 1)

Today attended a webinar where exactly this topic was covered. I won't rewrite everything, but this table should do the trick.


Oliver Kaiser (Level 7)

The following relevant limitations exist as of today, using the latest version, 6.1, of FTD:

  • Site2Site VPN is only supported between FTD devices. Support for any IPsec peer + certificate-based authentication will be added with 6.2

  • AnyConnect is not supported. Scheduled to be released with version 6.3

  • Some features cannot be configured at the moment, which will be "fixed" using flex-config (write CLI and push it to FTD via FMC) in version 6.2
    • Flex-Config can be used to do the following configuration, which is not possible as of today: ALG, BFD, WCCP, VxLAN, ISIS, EIGRP, PBR... I guess in the long run this will all be possible through FMC/FDM.

  • Clustering, which will be added in 6.2

  • Multiple Context Mode

  • Clientless SSL VPN

Release versions might be subject to change. If you have any questions, let me know.

Thanks all for your replies.

In my earlier searches I found the limitations on VPNs in a clear Cisco document.

But I didn't find a clear reference covering all non-supported features.

I would appreciate it if anyone has a link to such a resource.

Regards,

Are you referencing the FMC Configuration Guide?

I am not sure a dedicated document exists that lists every detail, but if you have used the FMC Config Guide, let me tell you that backup peers are also not supported at the moment.

Apart from that, I have not found any other issues beyond the ones listed in the config guide.

Great, many thanks.

Hello,

Does anyone know when version 6.2 will be available?

According to the roadmap it should be out in mid-December, but I would not count on that since 6.1 was delayed... January 2017 should be realistic.

Can you run ASA code in a Firepower 4110?

Yes, the ASA image is also supported on the FP4110.

ok0000007

Hi Kaisero, great information.

Do you have any document or link where I can read about it? I need it to document these limitations for my job.

Regards

Cisco seldom says what something CANNOT do; that's against their self-interest. One can generally assume that if something is not documented, then it is not supported.

By the way, FirePOWER 6.2 is just out; they did deliver on the features that Oliver mentioned as expected in 6.2.

As Marvin said, there is no publicly available document. The screenshot niko posted and the features I listed are the most interesting limitations when compared to ASA.

Since 6.2 was released yesterday, some of the mentioned features have been added. Since I have not tested 6.2 yet I cannot say how well everything works, but at least from clustering I would take a step back for the moment. ;)

As for new features added in FTD 6.2 that were still missing compared to ASA:

  • Inter-Chassis Clustering
  • Flex-Config (configuration templates for sysopt options, EIGRP, PBR, IS-IS, NetFlow export, MPF connection limits & timeout settings for TCP, proxy ARP neighbor discovery, IPv6, IPv6 prefix delegation, WCCP, VxLAN, ALG settings [e.g. disable SMTP inspection])
  • Site2Site VPN certificate-based authentication support

regards

Oliver
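As an added illustration of the FlexConfig approach Oliver describes (not code from the thread or from Cisco documentation), the snippet below is what a FlexConfig object's body would look like for one of the listed gaps, disabling the ESMTP application-layer inspection (ALG) that FTD inherits from the ASA default global service policy. The object name and the assumption that the FTD device still carries the ASA-style `global_policy` / `inspection_default` names are mine; verify them against `show running-config policy-map` on your own device before deploying.

```text
! FlexConfig object (assumed name): Disable-ESMTP-Inspection
! Type: Append, Deployment: Everytime
policy-map global_policy
 class inspection_default
  no inspect esmtp

! Negate template (run by FMC when the object is removed from the policy):
policy-map global_policy
 class inspection_default
  inspect esmtp
```

Two practitioner caveats follow from the way FlexConfig works. First, FMC pushes these lines verbatim and does not model them in its own policy objects, so nothing in the FMC GUI will show that ESMTP inspection is off; the only record is the FlexConfig object itself and the device's running config. Second, always supply the negate template: without it, deleting the object from the FlexConfig policy leaves the CLI change in place on the device, which is exactly the kind of silent drift that makes a later audit of "what inspections are actually enabled" unreliable.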


ilukeberry (Level 1)

Too many features are still missing to run this in production, IMHO. I'm sticking with good ole ASA OS with FirePOWER as a SW module.

piotr.smietanka (Level 1)

I have already reimaged an ASA to the FTD image. Indeed, the GUI seems to be very intuitive. However, I have a question for the Cisco representatives. Are there any plans for FTD to improve the change convergence time? Right now, a very basic operation (turning off an interface) takes over 1 min! This is ridiculous.
