In talking to my customers, many are unaware of the new FTD (Full Threat Defense) options/image. I thought I would do a quick write-up on FTD. Cisco now offers the ability to run the next generation firewall engine (FirePOWER) natively on your X-series ASA with the FTD image.
History
When Cisco acquired SourceFire, they brought in SourceFire's next generation security platform, FirePOWER, which included a Layer 7 firewall, URL filtering, AMP (Advanced Malware Protection) and IPS/IDS. In my opinion, Cisco had L3/L4 and VPN mastered on the ASA but had some catching up to do in the next gen feature space. Personally, being both a customer of SourceFire and Cisco, I was ecstatic when I saw the news on Twitter. SourceFire provided me deep security visibility and alerted me on what mattered with very little manpower needed.
Initially, Cisco offered the ability to run the FirePOWER code set on top of the ASA like a VM. You created rules in the ASA code to choose which traffic you wanted to redirect to FirePOWER. So, to manage the ASA, you would use tools like the CLI, ASDM, and CSM. To manage the FirePOWER component, you would use FirePower Management Center (formerly known as Defense Center).
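As an added example (not from the original post) of the ASA-side redirect described above for the ASA + FirePOWER deployment: an ASA service policy that sends matching traffic to the FirePOWER (sfr) module. The ACL and class-map names are assumptions; the sfr keywords are the standard ASA ones.

```cisco
! Select which traffic is handed to the FirePOWER module.
! Assumed names: SFR_REDIRECT (ACL) and SFR_CLASS (class-map).
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! Attach the redirect to the global policy. "fail-close" drops the
! matched traffic if the module goes down; "fail-open" would let it
! through uninspected, which is the weaker choice for a security edge.
policy-map global_policy
 class SFR_CLASS
  sfr fail-close
!
service-policy global_policy global
```

The effect can be checked with "show service-policy sfr", which reports the number of packets redirected to the module.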
To simplify the stack, Cisco worked to combine features from the ASA and FirePOWER into a single code base, FTD. With the introduction of the FTD code you can run a single OS on your ASA-X firewall or use one of the new FTD appliances. In addition, Cisco announced several new FTD firewalls. (Note: FTD boxes can run either the FTD code or the ASA code, not both.)
To be fair, there are a few caveats to what is supported on FTD: not all features have been moved over from the ASA to FTD. The biggest feature (for my customers) not yet supported on FTD is AnyConnect VPN; site-to-site VPN, however, is supported. Cisco is working diligently to add new features. (Check the release notes for more info.)
FirePower Management
FirePower Management Center (virtual or physical) – This is the tool used to monitor and manage all FirePOWER appliances. I will put together a future post on FMC, but it is way more than just a pretty management tool.
ASDM FirePower plugin (FMC Light) – This is for small businesses and customers who typically have only a single firewall (i.e. 5506-X). You can manage FirePower policy and gain high-level visibility from this plugin. (More Details)
FirePower Implementation options
- ASA + FirePOWER – manage the ASA code and FirePOWER separately (supported on most ASA 5500-X models). On the 5585-X you run FirePOWER on a separate blade.
- FTD on ASA – a single image that can be run on most ASA 5500-X boxes.
- FTD firewall – Along with the announcement of the FTD code/image, Cisco announced several new FTD firewalls. The FTD boxes can run either the FTD code or the ASA code, not both.
- vFTD – You can run FTD virtually. This is perfect for data centers, remote offices where you want to run FTD on your router, the cloud (i.e. AWS) or, my favorite, a lab.
Useful links
- FTD supported platforms
- Cisco FTD 6.1.0 (Release Notes)
- Process to re-image ASA to run FTD
- ASA + FirePower Requirements/Config Guide
(Image courtesy of cisco.com)
Great write-up Tim! And simple enough for an AM to understand 😉