Thanks for uploading this video. If someone is new and wants to configure Cisco FTD, they must refer to this video 👍
Hi David, it is an amazing video.
Thank you.
Great work!!!!!!
Thank you!
Very good, David, this is quick and easy. When are you coming with an HA pair of FTDs?
That's a good reminder, actually; I was thinking about what to record next.
Thanks.
@ITSolutionsNetwork No, thank you, David, for making it. Appreciate it.
Awesome! Are you planning to do FMC anytime soon?
Yes, I’m planning to do FMC as well.
Good video. Quick question from me: if you deploy these firewalls using the Firepower Device Manager only, I assume that if you later deploy FMC they are OK switching manager by using the manager add command in the CLI and then adding them in FMC? No gotchas? Also, would this lab be usable in the free version of EVE-NG? I don't have Pro at the moment.
Correct, but you'll lose the configuration when you change the manager, so be ready for some downtime.
The lab will be usable in the free version of EVE-NG.
@ITSolutionsNetwork Ah, really? Is this just in an EVE-NG lab environment or in the real world? Say you were using a hardware model running FTD code, and you have a manager, either physical or virtual, and you wanted to later add an FTD to FMC; would it wipe the config of the FTD? Or is this just EVE-NG specific?
@deltamme82 It's an FTD thing. Even the Firepower module in the ASA does the same, but in the ASA you can set up fail-open so as not to disrupt the traffic flow.
Where can I get FTD 6.7 for testing inside EVE-NG?
Officially, you'll have to have the rights to download it from the Cisco site.
Unofficially, you'll have to search on your own.
Thanks for the video. It's fortuitous that you just posted this as I needed this. Question, this is a little out of the scope of the video, but have you ever used just the IPS function of a firepower device before? Current network has an IPS that is EOL and needs to be replaced, but there is an existing ASA 5525 firewall that is not going to be replaced at this time (it will be when the rest of the network is upgraded). My plan is to use the access control policy, which will be wide open, to forward all traffic to the IPS process for NGFW processing before the traffic is then forwarded to the firewall. I'm looking to make this as seamless as possible so the only thing I want to configure is the firepower and none of the other existing devices.
Definitely doable. I'm actually working on a long-term project upgrading ASAs with Firepower modules to new FTDs controlled via FMC for the same reason: Cisco is not going to extend the support.
One thing you need to keep in mind is that for traffic that is not supposed to be inspected by the IPS, for example IPsec or GRE, you will need to allow it via the prefilter policy.
@ITSolutionsNetwork Thanks for the info. One more question, if you don't mind. When traffic reaches the Firepower in an FTD configuration, does it automatically hit the access control policy (firewall) portion first and is then forwarded to the IPS? Is there a way to have the IPS portion process the data first? It seems like splitting hairs, but I'm asking from a function/location perspective. The network that is getting upgraded wants the IPS device first, just like they have with their current setup now (an aging McAfee 2850 sensor in front of their ASA). Again, thanks for the video and response. You have a grateful new subscriber.
@fakirpoo Well, the access control policy is part of the Snort process. The old-school ACLs are now the Prefilter Policy in the LINA process. So the FTD is built with two parts, LINA and Snort. LINA is what was the ASA before the FTD.
Prefilters are part of LINA, and if there is no match, it goes to Snort, which is considered a best-practice scenario.
I fail to see why someone would put Snort before the ASA; it doesn't make sense to me.
Here is your FTD packet Flow; once you see this, it all makes sense, and you'll know how to design.
www.lammle.com/wp-content/uploads/2018/05/Latest-FTD-Packet-Flow-1.jpg
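To make the two-stage flow described in this reply (and the earlier advice to fastpath IPsec/GRE in the prefilter) concrete, here is an added model of it. This is illustration code written for this thread, not Cisco's implementation: the rule fields (protocol and destination port only, no zones, VLANs or application detection), the default actions, and the sample packets are all constructed assumptions chosen to mirror the advice above.

```python
"""Simplified model of the FTD two-stage packet flow discussed above.

Stage 1 (LINA): the Prefilter Policy is evaluated first. A FASTPATH match
bypasses Snort entirely; a BLOCK match drops in LINA; no match (or an
explicit ANALYZE) hands the packet to Snort.
Stage 2 (Snort): the Access Control Policy decides ALLOW (subject to the
rule's intrusion policy), TRUST (no deep inspection) or BLOCK.

Added illustration, not Cisco code. Matching is deliberately reduced to
IP protocol and destination port.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Tuple

# IANA IP protocol numbers
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47
PROTO_ESP = 50


class PrefilterAction(Enum):
    FASTPATH = "fastpath"   # handled in LINA only, never reaches Snort
    BLOCK = "block"         # dropped in LINA
    ANALYZE = "analyze"     # explicitly sent on to Snort


class AcpAction(Enum):
    ALLOW = "allow"         # permitted; inspected if an IPS policy is attached
    TRUST = "trust"         # permitted; no deep inspection
    BLOCK = "block"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for portless protocols (GRE, ESP)
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: Enum
    protos: Optional[Iterable[int]] = None   # None = any protocol
    dports: Optional[Iterable[int]] = None   # None = any destination port
    ips_policy: Optional[str] = None         # only meaningful on ACP ALLOW rules

    def matches(self, pkt: Packet) -> bool:
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Both policies are ordered lists: the first matching rule wins."""
    return next((r for r in rules if r.matches(pkt)), None)


def process(pkt: Packet, prefilter: List[Rule], acp: List[Rule]) -> Tuple[str, List[str]]:
    """Return (verdict, trace) for one packet passing LINA, then Snort."""
    trace: List[str] = []

    # Stage 1: LINA prefilter
    rule = first_match(prefilter, pkt)
    if rule is None:
        trace.append("LINA: no prefilter match -> default ANALYZE (hand to Snort)")
    else:
        trace.append(f"LINA: prefilter rule '{rule.name}' -> {rule.action.value}")
        if rule.action is PrefilterAction.FASTPATH:
            return "fastpath", trace
        if rule.action is PrefilterAction.BLOCK:
            return "drop", trace
        # ANALYZE falls through to Snort

    # Stage 2: Snort access control policy
    rule = first_match(acp, pkt)
    if rule is None:
        trace.append("Snort: no ACP match -> default action BLOCK")
        return "drop", trace
    trace.append(f"Snort: ACP rule '{rule.name}' -> {rule.action.value}")
    if rule.action is AcpAction.BLOCK:
        return "drop", trace
    if rule.action is AcpAction.TRUST:
        return "allow-trusted", trace
    if rule.ips_policy:
        trace.append(f"Snort: IPS inspection with '{rule.ips_policy}'")
        return "allow-inspected", trace
    return "allow-uninspected", trace


# Constructed policies reflecting the thread's advice: fastpath IPsec (ESP,
# IKE) and GRE in the prefilter so they never hit the IPS; everything else
# falls through to Snort, where the ACP decides.
PREFILTER = [
    Rule("bypass-ipsec-esp", PrefilterAction.FASTPATH, protos={PROTO_ESP}),
    Rule("bypass-ike", PrefilterAction.FASTPATH, protos={PROTO_UDP}, dports={500, 4500}),
    Rule("bypass-gre", PrefilterAction.FASTPATH, protos={PROTO_GRE}),
    Rule("drop-telnet-early", PrefilterAction.BLOCK, protos={PROTO_TCP}, dports={23}),
]
ACP = [
    Rule("web-inspected", AcpAction.ALLOW, protos={PROTO_TCP}, dports={80, 443},
         ips_policy="Balanced Security and Connectivity"),
    Rule("dns-trusted", AcpAction.TRUST, protos={PROTO_UDP}, dports={53}),
]


def verdict(pkt: Packet) -> str:
    return process(pkt, PREFILTER, ACP)[0]


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Packet("10.1.1.10", "203.0.113.5", PROTO_ESP),
        Packet("10.1.1.10", "203.0.113.5", PROTO_UDP, 500, 4500),
        Packet("10.1.1.10", "10.2.2.1", PROTO_GRE),
        Packet("10.1.1.20", "198.51.100.9", PROTO_TCP, 51000, 443),
        Packet("10.1.1.20", "198.51.100.9", PROTO_TCP, 51001, 23),
        Packet("10.1.1.20", "198.51.100.9", PROTO_TCP, 51002, 3389),
    ]
    for p in samples:
        v, trace = process(p, PREFILTER, ACP)
        print(f"proto {p.proto} dport {p.dport}: {v}")
        for line in trace:
            print("   ", line)
```

The trace shows the design point of the reply: a packet that matches a FASTPATH prefilter rule is decided entirely in LINA, so there is no way for Snort to see it first, while anything with no prefilter match is only then handed to the access control policy. Reordering the two stages, as asked about above, is not a knob in this model, and the IPS is reached only through an ACP ALLOW rule carrying an intrusion policy.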
@ITSolutionsNetwork Would you ever recommend putting a Firepower on the network edge over a router?
@fakirpoo Do you mean instead of a router or in front of the router?
Question: what happens when the 90-day evaluation ends? Can we still use it as a NAT device?
After all the licenses expire, functions that require a license will stop accepting new changes, so you won't be able to make changes like applying policies, for example.
Can I export my ASA config file to FTD?
There is a firewall migration tool that can do that, but I have never used it.
@ITSolutionsNetwork What's the firewall migration tool called?
@Sam-bw5sk Depends on where you are looking.
Google "Cisco Secure Firewall Migration Tool" and you should be able to find the "Firepower Migration Tool".
David, could I have your LinkedIn account?