AlexPi
Beginner

Would you put FTD and FMC 6.7 in a busy production environment?

Hello All,

For the past year or so we have started using solely FTD devices, managed via FMC, for some of our main sites. In one of those sites we want to accommodate site-to-site VPN failover via the pair of FTDs on site (2140). Unfortunately this feature only became available on version 6.7, which was released in November 2020.

Do any of you have experience and any feedback in using 6.7 in production environments? Are there any risks that I should consider versus 6.6?

Any feedback that can help in making a more informed decision is very welcome!

Thanks in advance!

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------
4 REPLIES
Rob Ingram
VIP Mentor

Hi @AlexPi 

Which VPN feature are you referring to, VTI or IKEv2 multi-peer?

Is this FTD going to be dedicated VPN appliance or your main firewall as well?

If dedicated VPN appliance I'd consider using 6.7 especially if that version only has the feature you require. I've not had any major issues, but obviously different organisations using other features may have experienced issues. Your mileage may vary.

Beware that 6.7 is a short-term release of FTD.

HTH

AlexPi
Beginner

Hello Rob,

Thanks for your reply. The pair of FTDs on the site is our main firewall and our VPN appliance. We have two ISPs on the site configured to failover, but currently we use site-to-site VPN only on one. We want to be able to do so for both ISPs for redundancy.

Rob Ingram
VIP Mentor

@AlexPi 

It sounds like you are referring to IKEv2 multi-peer, which allows you to create backup peers for Site-to-Site VPNs. This was released in 6.6.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/features.html


6.6.1 is the current cisco recommended version, so if multi-peer is the feature you require and you are concerned with 6.7 go with 6.6.1.
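As an added illustration that is not part of Rob's reply or of Cisco's documentation: the backup-peer behaviour he describes shows up in the FTD's generated running configuration as a crypto map entry that carries an ordered list of peers rather than a single one. The object names, ACL name and addresses below are constructed for this example (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges), assume a policy-based (crypto map) site-to-site topology, and the exact names FMC generates on a real deployment will differ.

```cisco
! Constructed example of what FMC deploys for a site-to-site topology that has a backup peer.
! The ordered peer list is the IKEv2 multi-peer feature: the FTD negotiates with 192.0.2.1
! first and falls back to 198.51.100.1 if that peer does not respond.
crypto map CSM_outside_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_outside_map 1 set peer 192.0.2.1 198.51.100.1
crypto map CSM_outside_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map CSM_outside_map 1 set pfs group19
crypto map CSM_outside_map interface outside

! Checks from the FTD CLI (">" prompt) to see the deployed peer list and which peer is active:
show running-config crypto map
show crypto ikev2 sa
show crypto ipsec sa peer 192.0.2.1
show crypto ipsec sa peer 198.51.100.1
```

Note that the peer list covers failover between addresses on the remote side; which local ISP interface the tunnel leaves from is still governed by the interface the crypto map is bound to and by the routing table, so it is worth confirming both halves of the failover separately with the show commands above.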

AlexPi
Beginner

Hello Rob,

I have completely missed this! I will have a look further and test. 

Thanks for pointing it out.
