What direction is Cisco going?

Colin Higgins
Level 2

I got an email from our Cisco rep today saying that Cisco has a new platform of firewalls and IPS devices: the FP2100, 4100, etc.

These appear to be the systems inherited from the Firesight purchase.

So where does this leave the ASA? The new systems have a completely different IOS and security architecture, and I am not sure if they can even be integrated into existing environments that have ASAs with Firepower / Firesight Servers? (in other words, you would have to buy new servers, software licensing, etc.)

Is Cisco moving away from the ASA? I hope not, since my clients are heavily invested in these devices.

And what about certification? The CCNP Security materials haven't been updated in a long time, and the Cisco press books are almost 5 years behind the exams at this point.

Anyone have any ideas on what is going on?

2 Accepted Solutions

Marvin Rhoads
Hall of Fame

Both the ASA and FTD operating systems are being actively developed with no current plan to end-of-life the ASA hardware software as a platform.

Even when a given platform end-of-sales is announced, it will continue to be supported for 5 years.

The most advanced security features will be on FTD due to the nature of the current threat landscape and the inherent capabilities of Firepower for deep packet inspection. However the ASA stateful firewall still has a place in many environments.

Cisco Press, the publisher of official certification guides, is not part of Cisco. They are a Pearson company and develop and publish materials according to market demand. One can pass CCNP and even CCIE Security without ever consulting an OCG - I have done so myself using primarily the blueprint material referenced at Cisco Learning Network combined with hands-on experience.

itsupport
Level 1

I too find things a bit confusing and difficult. FTD is touted as the full-featured solution going forward, but I keep running into some serious missing basic functionality as I do an implementation. Two things missing that are causing me grief are:

1. Cisco Anyconnect clients are not supported. For our head office firewall, we ordered an ASA-5508-X, vFMC console, and 25 Anyconnect clients. The online sales info seemed to indicate this was a reasonable solution, our vendor validated our design, and Cisco processed the order and took our money. However this is a configuration which simply does not work. :( Very unexpected, as Anyconnect has been supported by most devices for many years, and would seem to be a core feature for this class of device.

2. No PPPoE dialer without FMC. For branch offices, we opted for ASA 5506-Xs. All we want these devices to do is connect, establish a site-to-site VPN and send all traffic to the head office device. Really simple stuff. Several offices connect via ADSL, which almost always requires a dialer. Setting up the modem ahead of the device in half bridge mode is even problematic: unlike a PC client, the firewall does not pick up the default gateway, and will not work without manual configuration. Luckily, with fixed IPs we can get this to work, but it is messy. This device is marketed as something suitable for a SOHO environment, which will usually require a PPPoE connection.

4 Replies

That is interesting ...

It just seems like Cisco can't decide what route it wants to go with IPS/IDS. It has had numerous hardware and software products in a short amount of time, and since the Sourcefire purchase, things have gotten more confusing.

I assume that the FTD is basically an entirely different product that bears no resemblance to Cisco's other offerings (different OS/CLI, architecture, etc.), which makes it difficult for us guys that implement and support this stuff to re-tool our skillset every 6 months.

When I bring this stuff up to my network team here, they all look at me and say "we don't know anything about that system--might as well move us over to Fortinet", and it makes for a tough sell to my clients who are used to standardized (somewhat) Cisco solutions with long track records of reliability.

The CX product was the only one they abandoned development on. That was relatively new when they acquired Sourcefire with its superior technology back in October 2013. The classic Cisco IPS was overdue for replacement and that is just about end of life.

For the past almost 4 years they have been working on integrating that tech from Sourcefire into their systems. That started with Firepower modules on ASAs (while continuing to support and develop classic Firepower code on both the rebranded Sourcefire appliances as well as newly-developed ones).

For the past year and a half they have been (a bit slowly in many people's estimation) integrating that ASA and Firepower code together in the Firepower Threat Defense (FTD) unified image. Under the covers it has a lot of each OS in it and is really not that difficult to get a handle on.
