Friday, April 27, 2018

Cisco ASA with FirePower Services vs. FTD

More questions about the Cisco ASA with firepower services and FTD:

“What’s the difference between the traditional Cisco ASA with FirePOWER Services and the new Cisco Firepower Threat Defense?”
“Why would a customer go for Firepower Threat Defense if they already have Cisco ASA with FirePOWER Services?”
“What are the benefits of FTD, and what additional features does FTD have?”
“What are the key benefits of the Cisco Firepower appliances (4100, 9300), and what are the limitations of the Firepower appliances?”

All the questions above come down to one point: what is the difference between FTD and the Firepower appliances?

In which scenarios is each used, and what are the other use cases?

FTD combines both the ASA and the FirePOWER code into a single image. At the moment FTD has not reached feature parity with the ASA (no remote-access VPN, no multiple-context mode, no clustering, etc.), but it is the way forward.

One of the benefits is that you no longer need to configure two separate instances (ASA and FirePOWER); instead you have a unified security policy that is managed either with Firepower Device Manager for small to mid-range deployments (ASA 5506-X through 5525-X) or centrally with Firepower Management Center.

The Firepower appliances (4100, 9300) are the new NGFW hardware platform that can run either the ASA software (without FirePOWER Services) or the FTD software. They are essentially the evolution of the ASA hardware platform, supporting higher throughput.

You may want to go down the FTD road if you do not require the ASA features not yet implemented in FTD, as stated above. In about two years it should be the de facto standard.

Feature comparison (Q4 2016):
FTD is an integrated image that combines all of the FirePOWER Services features with many (but not all) of the ASA firewall services.

If a customer is already running ASA with FirePOWER Services, they may want to migrate in the long term to simplify management and operations. In the short term, there are few compelling reasons.
Right now there are very few FTD features that are not available with a combination of ASA and FirePOWER Services. Longer term, the greater development resources on the FTD side may change that equation.

The 4100 and 9300 series are a whole new hardware platform for security appliances, based on the UCS hardware. They offer much higher performance at a very attractive price when compared to the ASA platforms.

FTD runs on either the new 4100 and 9300 series or the ASA appliances (except the 5585-X). The FirePOWER appliances run only the legacy FirePOWER image and will not run the FTD image.

What is Cisco Firepower Threat Defense (FTD)?

Cisco Firepower Threat Defense (FTD) is a unified software image that includes the Cisco ASA features and FirePOWER Services. This unified software offers the functions of ASA and FirePOWER on one platform, in terms of both hardware and software features. This seems a sound approach by Cisco, especially since most Next-Generation Firewall vendors offer their solutions on a single platform with a unified image. Currently the Cisco Firepower Threat Defense (FTD) unified software image is available in the following releases:
  • 6.0
  • 6.2
Cisco Firepower Threat Defense (FTD) is capable of offering the following Next-Generation Firewall services:
  • Stateful firewall capabilities
  • Static and dynamic routing
    • Supports RIP, OSPF, BGP, Static Routing
  • Next-Generation Intrusion Prevention Systems (NGIPS)
  • URL Filtering
  • Application visibility and control (AVC)
  • Advanced Malware Protection (AMP)
  • ISE Integration
  • SSL Decryption
  • Captive Portal
  • Multi-Domain Management
Currently the Cisco Firepower Threat Defense (FTD) unified software can be deployed on the Cisco Firepower 4100 Series and Firepower 9300 appliances, and it can also be deployed on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. However, the FTD unified software cannot be deployed on the Cisco ASA 5505 and 5585-X Series appliances.

Some of the key features that Cisco Firepower Threat Defense (FTD) currently lacks are as follows:
  • VPN function
  • Multi-context mode
  • EIGRP and multicast
  • Support for the Cisco ASA 5505 and 5585-X appliances
The lack of VPN function is a major drawback that Cisco needs to overcome in an upcoming release of the Cisco Firepower Threat Defense image. It certainly discourages enterprise customers from adopting the FTD unified image on their supported ASA 5500-X Series platforms.


9 comments:

  1. This article is outdated, so please be aware that the section describing features not available in FTD no longer applies. Site-to-site VPNs have been available since early versions of the FTD/FMC software, and more recent firmware since early 2019 has supported RAVPN. Multi-context mode is also supported, but it is called multi-instance and has been in the code since late 2018. I am not aware of Threat Defense ever not supporting multicast or EIGRP, but at one point you did (and may still have to for multicast) utilize FlexConfig to get it up and running. Non-X versions of the ASA and the 5585-X do in fact not support FTD, but these devices have been EOS since before this article was even written, so you probably need to migrate off of that old hardware anyway.

    In short, there is really no reason not to be running Threat Defense. This is where Cisco is putting all of their R&D, and the ASA software will likely be phased out completely within the next 2 years.

    2. Thanks for the update. I have a pair of ASA 5525-X which come with FirePOWER Services installed; we're considering replacing that with FTD. Would you know if that upgrade requires a different software licence?

      Also, we use Cisco AnyConnect VPN; does that FTD support AnyConnect?

  2. I think I am looking at the information provided by Inebriatedsoul.

  3. Is there any update for 2020, as the comparison chart is the 2016 one?

  4. Typically I never remark on online journals, yet your article is persuading to the point that I cannot stop myself from saying something regarding it. You're working admirably; keep it up.
  5. Usually I never comment on blogs, but your article is so convincing that I cannot stop myself from saying something about it. You’re doing a great job, man. Keep it up.
  6. Next-generation firewalls are used to protect the system from being harmed. These firewalls filter the traffic configured on the system, check for faults by monitoring the data, and do deep inspection by spotting malware.