Cisco Firepower 4110 NGFW Multi Context mode.

suman.samanta · ‎03-07-2018

Hi,

We want to deploy Cisco Firepower 4110 NGFW Appliance as a Multi context mode with 6 number of virtual context. Now my query is that, can we deploy 3 number context at router mode & other 3 number context in transparent mode ?

also if possible please share a cisco documents.

Regards,

Suman Samanta

Marvin Rhoads · ‎03-07-2018

I assume you are planning an ASA logical device on the 4110 since FTD logical devices do not currently support multiple context mode.

You can set the firewall mode independently for each context in multiple context mode.

Source: https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/intro-fw.html

That is regardless of whether it's a physical ASA or an ASA logical device on a Firepower hardware appliance.

suman.samanta · ‎03-08-2018

Hi Marvin,

Thanks for your reply,

But I want to clarify that we have 2 no hardware Cisco Firepower 4110 NGFW appliance, we want HA between these two appliance. After that we want to convert the appliances to context mode. Is it possible to do this ?

Marvin Rhoads · ‎03-08-2018

The high availability is established between the ASA logical devices running on the Firepower hardware chassis'. The hardware itself (which runs FX-OS) and the Firepower Chassis Manager used to manage it is unaware of any HA.

You would have to install an ASA logical device on each and then setup multiple context with HA between the ASAs. You do it the same way as if it was running on ASA hardware.

suman.samanta · ‎03-08-2018

Hi thanks for your reply,

I need another clarification that if we create 6 umber multi context mode in my HW ASA & between these can we create 3 number context in transperent mode or bridge mode & rest of 3 context in router mode of NAT mode. Is it possible ?

Marvin Rhoads · ‎03-08-2018

If you have the licenses for multiple contexts you can do that.

The modes are known as "transparent" and "routed". There is no "bridge" or "nat" mode although you can essentially perform those functions.

suman.samanta · ‎03-11-2018

HI Marvin,

Thanks for your Reply.

Now I understand..

One think, can you share any "Transparent” mode related deployment guide. It will be helpful for me.

Marvin Rhoads · ‎03-12-2018

The configuration guide is a good place to start with learning how to setup transparent mode.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/intro-fw.html

Other than that, check out some of the good books like:

http://www.ciscopress.com/store/cisco-asa-all-in-one-next-generation-firewall-ips-and-9781587143076

...or take an ASA course.

Bernard Lara · ‎12-26-2018

Dear Marvin,

Cisco FPR4110 supports multiple context - 10 included, 250 max when running ASA image, is there roadmap for FTD image context support?

Marvin Rhoads · ‎12-26-2018

FTD 6.3 introduced multiple instance support for Firepower 4100 and 9300 series appliances. Here's a link to the section of the configuration guide showing the capabilities:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_logical_devices.html?bookSearch=true#id_77542

There are no plans for this to be supported on ASA appliances running FTD.

Bernard Lara · ‎12-26-2018

Thanks Marvin, great! I was just looking on the data sheet and could not find this info. Just in time for another proposal. Cheers!

Marvin Rhoads · ‎12-26-2018

You're welcome. Please mark the reply as helpful it is was.