05-18-2018 06:21 PM - edited 02-21-2020 07:47 AM
I was hoping someone could shed some light on running Firepower right on the ASA vs running on a VM.
We just got two ASA5515-FPWR-K9 units that we want to run in a Active-Passive pair. They have Firepower module version 5.4.0-764 and ASA version 9.2(2)4. I would rather not use a VM for the management center, I would prefer to run it right on the ASA and manage it within ASDM. I've found tons of conflicting answers, but have reason to believe I need at least version 6.0 on the Firepower Module and ASA 9.5(2) in order to do this. We don't have a support contract yet, and I would love to confirm whether this is going to work before buying one.
Currently in ASDM I am unable to load any of the Firepower menus other than the status tab, which is what started me on this quest.
Thanks for any feedback.
06-29-2018 08:12 PM
Hi Chris-
It can definitely be confusing. Let me try to answer your questions:
With the ASA-5515-X you have the following options to run Firepower:
1. ASA with FirePOWER - In this mode, you have the ASA and Firepower software running independently on the box. The ASA piece can be managed with CLI and ASDM. The Firepower software can be managed with ASDM or FMC (Firepower Management Center). ASDM will provide you with a very limited feature set, thus it is recommended that you use the FMC instead.
2. Your second option is to run FTD (Firepower Threat Defense). In this mode, you have a single image that combines the ASA and Firepower features together. Today, there is 100% Firepower feature parity and about 80% ASA feature parity. With each new release, more and more of the ASA features are being migrated over. You can manage the FTD software via the local FDM (Firepower Device Manager) or through FMC (Firepower Management Center). Similarly to ASDM, the FDM GUI provides limited functionality, thus it is recommended that you use the FMC instead.
The FMC can be virtualized:
https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/fmcv/FMCv-quick.html
I hope this helps!
Thank you for rating helpful posts!
06-30-2018 07:35 AM
In addition to @nspasov's answer (hey Neno - long time no see!), you can use ASDM to manage the Firepower module on all ASAs as of Firepower 6.0. The 5506-X, 5508-X and 5512-X allowed that with Firepower 5.4(x).
In any case if you use Firepower you should run the current release (6.2.3.2 as of now). It has a ton of features, bug fixes and vulnerability fixes that your older versions are lacking.
Note that if you use ASDM, you will need to manually log into each module and update its policies. The ASA HA pair configuration synchronization does not apply to the Firepower modules. If you use FMC, you can push policies at one time to both modules. That aspect is one of the main reasons to not use ASDM. Others include the ability to collect historical data and reporting.