Url and application filtering on FTD

Vishal6 (Level 3)

Hello,

We want to deploy an MX105 at the core level and an FTD at the perimeter level in our network. However, I have procured UTM licenses for the MX appliances, not for the FTD.

1. Can I achieve URL filtering at the FTD after the traffic has been filtered by the MX?

2. We want to achieve load balancing using the Meraki MX (used as the core FW), where the FTD will be the perimeter.

Attached diagram for reference.

[Attachment: Vishal6_0-1750680431797.png]

13 Replies

It's OK to use FTD URL filtering after another FW (except it will slow your traffic a little if the first FW also uses URL filtering).

For the other question, can you elaborate more?

Thanks 

MHM

What if the FTD doesn't have any threat, malware or URL filtering license? Will it still process the traffic coming via the MX?

Can't see why not. Traffic routing will still work as normal, and the FTD will process that traffic just fine. The only thing is that the FTD in that case won't be doing any security inspection apart from the normal access list checks.

Vishal6 (Level 3)

One more query, 

As we are not directly connecting the MX to the Internet, how does warm spare work here?

Would the MX capture both ISP IP addresses via the FTD?

Will using a single private uplink IP address (the link between FTD and MX) be able to form warm spare?

Yes, it should work, because from the MXs' perspective they just need to be connected to the Meraki dashboard; it doesn't really matter if they are connected directly to the internet or via another device as in your case. When the primary MX doesn't reach the Meraki dashboard anymore, it will be assumed that it is down and the secondary MX will become the primary. In your shared diagram there are no links between the switches; I'm assuming the switches will be connected to each other and both firewalls will be connected to each switch. That will provide you full resiliency. Regarding using URL filtering on the MX, as already mentioned, that shouldn't be an issue: you can turn on whichever security features you want on the MX, do part of the security inspection there and leave the rest for the FTDs based on the licenses installed.

What about SD-WAN features on the MX? Will it do load balancing, as the public IP links terminate directly on the FTD and it (the FTD) mostly uses the ISP link for redundancy?

I don't think that will work because even if you connect each MX to both firewalls, one of the firewalls will be passive, so the MX will have no chance to load balance the traffic across the two firewalls.

Here 2 ISP links will be terminated on both FTDs, but the primary FTD will use one ISP at a time till it goes down. Can the MX provide SD-WAN features here?

I don't think it will, because from the MX's perspective it wouldn't be aware of the two ISP links nor their status; the MX would only have a point-to-point link to the active FTD. Why not move the MXs to the edge and place the FTDs behind them?

Vishal6 (Level 3)

Hi Aref,

Can I configure warm spare between my MXs as per the attached architecture in my very first post?

Hi Vishal. I can't see why not. However, you need to make sure that both MXs are able to receive the VRRP heartbeats sent by each other. In the diagram you shared there is no link between the two switches; if that will stay as is, then you need to connect each MX to both switches, or you need to connect the two switches together. Actually, best practice to provide full resiliency would be to connect each MX to each switch and connect both switches together, or have them stacked.

Vishal6 (Level 3)

Hi,

As per the Meraki documentation, for warm spare we need an individual IP for each Meraki MX uplink. In my case both Meraki MXs would have the same IP, as they are directly connected to the FTD (working as an active/passive setup). PFB link:

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair

Regarding the switches, yes, they will have interconnected links.

To which section in the document are you referring? Wouldn't each of the MXs in your case have its own IP for the connection with the active FTD?
