During a sales meeting to discuss firewall options with a customer, it came up that they wanted to manage both classic firewall features (ACLs, NAT, VPN, etc.) and next-generation firewall features (IPS, malware detection, Application Visibility and Control, URL filtering, etc.) from a single pane of glass. As many of you know, Cisco ASA with FirePOWER Services does not provide this: the ASA features are managed through one console (CLI, ASDM, or CSM) and the FirePOWER Services module through the Firepower Management Center (FMC). The one exception is that on some of the smaller ASA-X models (such as the 5506-X, 5508-X and 5516-X) you can manage the FirePOWER module from ASDM in a single-device deployment. Firepower Threat Defense (FTD), however, does provide this single pane of management.
It has occurred to me that there are a lot of people who are not familiar with FTD, or who confuse it with Cisco ASA with FirePOWER Services, so I decided to create a blog series to introduce it and go over some of its features.
Firepower Threat Defense (FTD) is a newer product that Cisco has produced to integrate ASA services (ACLs, VPN, NAT, etc.) and Firepower NGFW services (IPS/IDS, malware protection, URL filtering, AVC) into a single platform image that runs on various ASA 5500-X and Firepower appliance models. FTD is a separate platform from ASA with FirePOWER Services, so if you are planning to use an ASA appliance for your FTD deployment, the ASA unit will need to be re-imaged with an FTD image; the existing ASA configuration does not carry over on its own.
FTD differs from Cisco ASA in that it is a zone-based firewall (access rules match on source and destination security zones rather than on per-interface ACLs) and it is not configured from the CLI the way an ASA is. The FTD CLI is limited to diagnostics and troubleshooting (show commands, packet-tracer, capture); all configuration is done through a GUI, either the Firepower Management Center (FMC) VM or appliance, or the on-box management GUI called Firepower Device Manager (FDM). FMC is the central management platform and can manage many FTD and Firepower devices, whereas FDM manages only the single device it runs on.
Cisco is continually migrating ASA features to FTD. If you are looking at an FTD implementation, I recommend reviewing the latest FTD release notes and configuration guides, and talking to your Cisco sales representative or partner, to understand the features FTD currently offers. As of this writing the latest major release of FTD is 6.2, and the exact 6.2.x image available appears to vary by hardware model, based on the information on Cisco's website. Features also vary by hardware model and software release, so again, review the release notes and understand the features and limitations before proceeding with an FTD deployment.
Here are some of the features that have my interest in FTD:
- Stateful firewall capabilities
- Zone-Based Firewall
- Network Address Translation (NAT)
- Static and Dynamic Routing
- Snort based Next Generation IPS/IDS
- Advanced Malware Protection (AMP)
- URL Filtering and Application Visibility and Control (AVC)
- SSL Decryption
- Site-to-Site VPN
- AnyConnect VPN (only with 2100 series models on version 6.2.1)
- Packet Tracer and Packet Capture
- Cisco ISE integration
- High Availability and Clustering
- Unified Platform for Firewall and NGFW capabilities
- More unified visibility of the network edge environment
- Migration tool for ASA to FTD
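The Packet Tracer and Packet Capture items above are also the main reason to log in to the FTD CLI at all, since the CLI is for diagnostics rather than configuration. The session below is an added example and not from the original post or from Cisco's documentation; the interface name `inside`, the capture name `cap_inside`, and the addresses 10.1.1.10 and 192.0.2.50 are made up for illustration, and the abbreviated output is what these commands print on an FTD 6.2.x device in general form, not a capture from a real deployment:

```console
> show access-control-config
=================[ Corp-Access-Policy ]=================
Description                  :
Default Action               : Block All Traffic
...

> packet-tracer input inside tcp 10.1.1.10 40000 192.0.2.50 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc inside any ifc outside any eq https rule-id 268435458
...
Phase: 9
Type: SNORT
Subtype:
Result: ALLOW
...
Result:
input-interface: inside
output-interface: outside
Action: allow

> capture cap_inside interface inside match tcp host 10.1.1.10 any eq 443
> show capture cap_inside
3 packets captured
   1: 10:42:01.123456       10.1.1.10.40000 > 192.0.2.50.443: S 1234567890:1234567890(0) win 29200 <mss 1460>
   2: 10:42:01.125000       192.0.2.50.443 > 10.1.1.10.40000: S ...:...(0) ack ... win 28960 <mss 1380>
   3: 10:42:01.125200       10.1.1.10.40000 > 192.0.2.50.443: . ack ... win 229
3 packets shown
> no capture cap_inside
```

Two things are worth noting. First, `show access-control-config` confirms which policy FMC actually deployed to the box and what its default action is, which is the first thing to check when "the rule is there in FMC but traffic is still blocked". Second, on FTD the packet-tracer output has phases beyond the classic ASA ones: a packet can be allowed by the access-control rule (the `ACCESS-LIST` phase) and still be dropped in the `SNORT` phase by the intrusion or file policy attached to that rule, so always read the trace through to the final `Result` block rather than stopping at the first `ALLOW`. Remember to remove captures when you are done with them, as they stay active until the device is rebooted.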
As you can see, there are many features to like about FTD, and Cisco keeps migrating ASA with FirePOWER Services features to Firepower Threat Defense. If you are interested in Cisco FTD or ASA with FirePOWER Services, please do not hesitate to reach out to me or my colleagues at eGroup!
You can reach me at www.linkedin.com/in/steven-schmidt-93107310 or firstname.lastname@example.org.
Stay tuned for my next blog, in which I will discuss migrating an existing ASA to FTD.