Would you put FTD and FMC 6.7 in a busy production environment???

AlexPi
Level 1

Hello All,

For the past year or so we have started using solely FTD devices, managed via FMC, for some of our main sites. In one of those sites we want to accommodate site-to-site VPN failover via the pair of FTDs on site (2140). Unfortunately this feature only became available on version 6.7, which was released in November 2020.

Do any of you have experience and any feedback in using 6.7 in production environments? Are there any risks that I should consider versus 6.6?

Any feedback that can help in making a more informed decision is very welcome!


Thanks in advance!

------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------

Hi @AlexPi 

Which VPN feature are you referring to, VTI or IKEv2 multi-peer?

Is this FTD going to be dedicated VPN appliance or your main firewall as well?

If dedicated VPN appliance I'd consider using 6.7 especially if that version only has the feature you require. I've not had any major issues, but obviously different organisations using other features may have experienced issues. Your mileage may vary.

Beware that 6.7 is a short-term release of FTD.

HTH

AlexPi
Level 1

Hello Rob,

Thanks for your reply. The pair of FTDs on the site is our main firewall and our VPN appliance. We have two ISPs on the site configured to fail over, but currently we use site-to-site VPN only on one. We want to be able to do so for both ISPs for redundancy.

@AlexPi 

It sounds like you are referring to IKEv2 multi-peer, which allows you to create backup peers for Site-to-Site VPNs. This was released in 6.6.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/features.html

6.6.1 is the current Cisco recommended version, so if multi-peer is the feature you require and you are concerned with 6.7, go with 6.6.1.

Hello Rob,

I have completely missed this! I will have a look further and test. 

Thanks for pointing it out.
