Thanks for the great video Nate!! Got my upgrade started in about two minutes!
Excellent! I went the USB route vs FTP, but the commands were extremely helpful
Can I use this same process to re-image from a current FTD code to a new FTD code? Do not have access to the FMC at the moment.
Hello. Why would engineers / companies purchase Firepower but convert it back to ASA code?
Hello Eric! There are a few reasons. By far the most common reason I have run into is... It's a familiar firewall! So while Firepower offers the benefit in the future of allowing deep packet inspection (NGFW) and a myriad of other benefits, they can "dip their toes" so to speak by getting the hardware, and switch over later. They also generally have much better performance for the cost, especially with the new 1000 series Firepower versus ASA low-end series. This is just the nature of technology progressing and allowing new products with similar price points but higher performance.
True!! But instead will have Firepower logically running ASA, but I like the video though.
Hi, please help... Is the configuration of ASA platform mode lost when doing an IOS upgrade?
This works. I decided not to mess with FileZilla and just use a USB drive.
Nice video, thanks. One quick question: after re-imaging to the ASA code and configuring the ASA-imaged FPR, upon reload will it be reloaded into ASA code as if it is an ASA appliance (e.g. ASA5506-X)?
Edmund. It depends on the code that was used for the re-image. Anything up to ASA 9.13(1) is platform mode by default. Everything after that is appliance mode by default.
@NathanStapp Hi Nate, thanks a lot for the response... Not exactly sure about the differences between Platform vs Appliance mode? Does it mean in Appliance mode, it would act just like an ASA appliance after the re-image without having to worry that it might go into FXOS once reloaded? We want the FPR to be exactly like an ASA appliance... Cheers...
How about upgrading the ASA module in the Firepower 2100s? Is it done from the FXOS/chassis as on the 4100s?
Juan, I apologize for missing this earlier. The way you upgrade depends on whether you are running in Appliance Mode (default for ASA 9.14+) or Platform Mode (default for ASA prior to 9.14). For Platform Mode, it is similar to the upgrade method for the 4100s: you upload an image through Firepower Chassis Manager (FCM), the web GUI for FXOS, and then click upgrade. For Appliance Mode, it is similar to the traditional ASA upgrade method: you download an image via FTP on the CLI and change the boot pointer.
Hello Nathan, thanks for this video... Do you happen to know if the 1100 series can also be converted from FTD to ASA? We have an 1140 ordered as FTD and we need it as ASA...
Yes, you can convert the 1140 to ASA. Please see the link below for reference. www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#reference_upj_nkl_x4b
Hey chanpreet! Thanks for responding. And Moti, as he said, yes!
Will this step by step also work on the 1010 firewall?
Yes, in this case the process is essentially identical, although it wouldn't hurt to post a video tutorial since I have a few sitting around....
Will it delete all the running and startup configuration after converting to ASA?
Ushan, yes the running and startup configuration "get erased". I say that with quotes because the way you configure and manage FTD is completely different than ASA. There is no directly transferable version of the configuration. It would be more appropriate to say that the configuration is not compatible so cannot possibly be migrated.
@NathanStapp OK, that means we cannot use it in a production environment.
Ushan, what are you trying to do specifically? We can discuss here or you can ask me directly at nstapp@cisco.com
Thank you for your video, but you said there is no FTD in the box, just the FXOS, while during the installation of the ASA image you were asked to reimage the FTD with the ASA image!!
Hello Omar! I don't quite understand your comment but will briefly go over what happened in the video. The FPR 2100 starts with FTD (this means FTD running on FXOS - the pseudo hypervisor). I then re-imaged the box to ASA (which on the FPR 2100 means ASA running on FXOS). Both platforms still involve running FXOS; it is just abstracted so most don't realize it is there. On the newer code bases you can run in what is called "appliance" mode, which truly hides FXOS entirely so it would look and feel like the old ASA.
@NathanStapp Hi Nathan, I just upgraded an FPR2110 to a newer version and it changed the FXOS mode to appliance. Will it be fine to boot the old image in ASA and revert back to the old version using platform mode?
@richlee2164 If you actually UPGRADE the box, then the mode will be maintained. If it started in platform it will stay platform. If you re-image, then on 9.13 and above it will be appliance mode by default. On the 1000 and 2000 appliances the ASA code is packaged together with FXOS (unified code); this means if you "downgrade" the ASA code you will downgrade the FXOS as well. Now to answer your question, you can change the box so that it boots the old version and it will work just fine. However, I would question why you want to use platform mode. It adds additional "work" to configuration, like enabling interfaces just to use and "no shut" them in ASA. Appliance mode is better in every respect.