FTD does have a CLI, but 98% of features (including ACLs) must be managed from the GUI (or via the API).
The FTD CLI is mainly for troubleshooting and the initial setup.
For a great and pretty comprehensive overview, have a look at the book "Cisco Firepower Threat Defense" by Nazmul Rajib. It's available on Safari.
I've had some dealings with FTD now and must admit the ride can be quite bumpy. The shift towards GUI management is fundamental, and unfortunately the GUI is nowhere near as versatile as the CLI. There is an option to use API calls, but that is not everyone's cup of tea, and API functionality still falls short of the GUI, so you can't rely on the API for everything.
Another unpleasant side of FTD is that its code is, in my view, extremely raw and full of bugs. Which is expected, to be honest, when you merge two different platforms' code into a single product. Being a big fan of the ASA firewall, I must say that FTD doesn't really deliver up to Cisco's expectation of quality and stability. They rushed the product out too fast without due testing and debugging.
I always thought the Firepower module implementation was a yuck monster, that someday there would be a complete integration, but I never thought that Firepower would become the whole enchilada, and there it is... Perhaps the upside is that a certain amount of complexity gets removed from the tracks that support the ASA, with the downside being a concentration within the track to create next-generation deployment/migration robots.
This may be useful to you Steven... not sure. We're working with a product team that is providing us with some webinar recordings. This one just happened a couple weeks ago.
Thanks Steven for asking this question.
Based on what I have understood so far from their implementation model, an FTD is a device which resembles a UTM (Unified Threat Mitigation, which includes IPS and URLF features together along with some Anti-X feature set) system, while the Cisco ASA is a pure firewall that can to some level achieve UTM functions using the SSM modules. So as to come up with a focused solution, Cisco Firepower (or FTD) comes into play.
There is a Firepower Management console (FMC); this allows you to control your policy in a better manner, as you have one central point of access to all the firewalls or FTD appliances you control.
The Firepower ecosystem is a bit different from the traditional model, as it has its own OS, and using this OS you can go to your traditional CLI; however, for better efficiency and granular control of your company security policy, it is recommended to deploy policy from FMC.
Hope this helps and makes it easier for you to follow this new path.
First let's make it clear: there are many differences between Cisco ASA and FTD. As you know, Cisco acquired Sourcefire 4 or 5 years ago, and this company was an expert in IPS technology. After that Cisco used their technology in its IPS products and changed the name of those products to Firepower. So Cisco's IPS is actually Firepower. So now Cisco has the following security products related to IPS, ASA and FTD:
1- Normal ASA
2- Firepower (IPS)
3- Firepower Module (you can install that as an IPS module on your ASA)
4- Integrated Firewall and IPS in the same box (Firepower Threat Defense) --- FTD
In the ASA 5500-X series you can install the ASA OS, for instance 9.x, or the FTD OS, like 6.x, and if you install FTD on that box, your box is no longer an ASA; you have FTD on it.
So the FTD OS is a universal code that contains Firewall and IPS at the same time in one box.
Regarding your question about CLI and GUI, both of them are available in FTD, but you can use the CLI to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session.
I hope it's helpful
Please don't forget to rate if it was helpful
There is a CLI like the traditional ASA for the physical FTD devices. You can manage the device using Firepower Device Manager (FDM) for standalone devices. FDM is a web-browser-based management interface and will be the replacement of ASDM.
And if you have multiple devices, then it's better to manage them using a centralised server known as Firepower Management Center (FMC).
For the virtual versions of FTD, you can't manage them locally. You need FMC.
No direct CLI configuration anymore. As mentioned already, you would use the CLI only for the initial configuration and troubleshooting. You might use FlexConfig from FMC, which would allow you to push CLI configuration from FMC to the FTD appliance(s). Below is part of a post of mine that might be helpful:
Is configuration via Lina on the development roadmap? I would have a hard time using an ASA if there was no GUI! Configuration is so much faster with the CLI for most things. I currently use these for clients, but each config is slightly different. So the ability to cut & paste parts of configs between devices saves an immense amount of time. Is there any sort of templating functionality, at least?
This is what Cisco says,
Use the Firepower Device Manager to configure, manage, and monitor the system. The features that you can configure through the browser are not configurable through the command-line interface (CLI); you must use the web interface to implement your security policies.
When we deploy configurations via FMC, we are able to see the commands that FMC pushes to the FTD devices, but I don't think those commands can be entered directly from the FTD CLI.
The ASA CLI is useful for easy configurations (traditional firewall features), especially when you have multiple devices. Agreed, but I think Cisco will pitch these scenarios with FMC. It's like forcing you to buy FMC if you have multiple FTD devices. Easy management. And the traditional firewall thing is outdated; for configuring the NGFW features, it is convenient to have a GUI.
Since we are used to the CLI, we may feel a little strange. But a change is always good and we should welcome it, if it's good.
A lot of interesting stuff in this discussion. I have been playing with FTD for a few weeks now and there are lots of nice things if you run lots of similar firewalls, but for individual firewalls I really miss the quick configuration of the ASA.
Today I have been playing with IS-IS, and the CLI on the FTD contains show ospf nei and show eigrp nei, but neither show clns nei nor show isis nei. For the latter two you have to use the FMC. FlexConfig requires "programming skills" (not quite, but it will be a shock to old networkers). If you venture into the REST interface (API), download Postman, but note it uses OAuth2, and MS PowerShell does not like self-signed certificates. Open PowerShell is OK.
My favourite game of "how do I ... with the FMC" is the shutdown, which hides under configuration and process. Where else would you look?
So you apply a policy to a number of nodes but after one fails you want to delete it. For that you edit the policy and then there is a box from which you can remove the specific request. That took me ages to find.
There is a licensing satellite option if you cannot get to the Internet, but I have not got that working yet.
When playing, switching FTD mode between routed and transparent is a quick way to reset the system.
I am learning to love the FMC but deployment of a trivial change on one FTD takes ages and that is an area that needs to be improved.
My praise for FTD is there is a shutdown command something we never had on the ASA.
Hopefully somebody will write a super blog of everything you need to know.
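The REST path raised above (Postman, tokens and self-signed certificates), as an added example that is not part of this thread and not Cisco's own tooling: a minimal standard-library Python client for the FMC REST API. It obtains a session token from FMC's generatetoken endpoint (HTTP Basic credentials in, X-auth-access-token and DOMAIN_UUID response headers out) and then lists the access control policies in that domain. The hostname, credentials and domain UUID are placeholders; the CA bundle path is an assumption for a lab where the FMC certificate has been exported. The insecure_context() helper is the shortcut people reach for when a self-signed certificate makes the client choke; it sits next to the verifying one so the difference is explicit.

```python
"""Minimal FMC REST API client (added example, not Cisco code).

Endpoints used are the documented FMC ones:
  POST /api/fmc_platform/v1/auth/generatetoken   (HTTP Basic -> token headers)
  GET  /api/fmc_config/v1/domain/{uuid}/policy/accesspolicies
Hostnames, credentials and the CA bundle path below are lab assumptions.
"""
import base64
import json
import os
import ssl
import urllib.error
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
POLICY_PATH = "/api/fmc_config/v1/domain/{domain}/policy/accesspolicies?expanded=true"


def verifying_context(cafile=None):
    """TLS context that verifies the server certificate.

    FMC ships with a self-signed certificate, so either replace it with one
    issued by your PKI or export it and pass its path as cafile. With
    cafile=None the system trust store is used.
    """
    return ssl.create_default_context(cafile=cafile)


def insecure_context():
    """The shortcut people take when the self-signed cert breaks the client.

    This disables both hostname and chain checks, so anyone on the path can
    capture the admin credentials and the session token. Lab use only.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def token_request(base_url, username, password):
    """Build the POST to generatetoken: HTTP Basic credentials, empty body."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + TOKEN_PATH, data=b"", method="POST")
    req.add_header("Authorization", "Basic " + cred)
    return req


def parse_token_response(headers):
    """Pull the session token and domain UUID out of the response headers.

    Works on an http.client.HTTPMessage or a plain dict (case-insensitive).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        return {
            "token": lowered["x-auth-access-token"],
            "refresh": lowered["x-auth-refresh-token"],
            "domain": lowered["domain_uuid"],
        }
    except KeyError as missing:
        raise RuntimeError(f"token response lacks header {missing}") from None


def policies_request(base_url, session):
    """Build the GET for the access control policies of the session's domain."""
    url = base_url + POLICY_PATH.format(domain=session["domain"])
    req = urllib.request.Request(url, method="GET")
    req.add_header("X-auth-access-token", session["token"])
    req.add_header("Accept", "application/json")
    return req


def policy_names(body):
    """Names of the policies in an accesspolicies response body (parsed JSON)."""
    return [item["name"] for item in body.get("items", [])]


def fetch(req, ctx):
    """Send a request; return (status, headers, parsed JSON or None)."""
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            raw = resp.read()
            return resp.status, resp.headers, json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        # 401: bad credentials or an expired token (tokens are short-lived,
        # refresh or re-authenticate); 429: FMC rate-limits API clients.
        raise RuntimeError(f"FMC returned HTTP {err.code} for {req.full_url}") from err


if __name__ == "__main__":
    # Lab placeholders; set FMC_URL / FMC_USER / FMC_PASS / FMC_CA in the environment.
    base = os.environ.get("FMC_URL", "https://fmc.example.net")
    ctx = verifying_context(os.environ.get("FMC_CA"))
    _, hdrs, _ = fetch(token_request(base, os.environ.get("FMC_USER", "apiuser"),
                                     os.environ.get("FMC_PASS", "changeme")), ctx)
    session = parse_token_response(hdrs)
    _, _, body = fetch(policies_request(base, session), ctx)
    for name in policy_names(body):
        print(name)
```

The token request carries the administrator's password, so the TLS context it is sent over matters more than anywhere else in the script: use verifying_context() with the exported FMC certificate (or a certificate from your own CA installed on the FMC) rather than insecure_context(), and keep the API user as a dedicated, least-privileged account rather than the admin login.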