1 2 Previous Next 27 Replies Latest reply: Feb 22, 2019 11:00 AM by Ruben RSS

    Cisco ASA vs Cisco FTD

    Steven Williams

      Looks like we have to move from our Cisco ASA5500x series to the new FTD platform, and before I start down that road, I am needing to understand this platform.


      So from what I can tell its bascially Sourcefire baked into the firewall. So now my firewall control (ACLs) will all be managed via GUI from something like Firepower Control center is this correct? Is there not a CLI for the FTD devices?

        • 1. Re: Cisco ASA vs Cisco FTD

          FTD does have a cli but 98% of features (including ACLs) must be managed from the GUI (or via API).


          The FTD cli is mainly for troubleshooting and the initial setup.


          For a great and pretty comprehensive overview, have a look at the book "Cisco Firepower Threat Defense" by Nazmul Rajib. It's available on Safari.

          • 2. Re: Cisco ASA vs Cisco FTD



            I've had some dealings with FTD now and must admit, the ride can be quite bumpy. The shift towards GUI management is fundamental. And unfortunately, GUI is nowhere near as versatile as CLI. There is an option to use API calls, but that is not everyone's cup of tea and still API functionality falls short of GUI, so you can't rely on API for everything.


            Another unpleasant side of FTD is that its code is in my view extremely raw and full of bugs. Which is expected, to be honest when you merge two different platform codes into single product. Being a big fan of ASA firewall, I must say that FTD doesn't really deliver up to Cisco's expectation of quality and stability. They rushed the product too fast without due testing and debugging.

            • 3. Re: Cisco ASA vs Cisco FTD

              Don't want to sound overly negative for no reason, but please read this blog post.


              • 4. Re: Cisco ASA vs Cisco FTD

                i always thought the firepower module implementation was a yuck monster, that someday there would be a complete integration, but i never thought that firepower would become the whole enchilada, and there it is... perhaps the upside is that a certain amount of complexity gets removed from the tracks that support the ASA with the downside being a concentration within the track to create next generation deployment/migration robots.

                • 5. Re: Cisco ASA vs Cisco FTD
                  Brett Lovins

                  This may be useful to you Steven... not sure. We're working with a product team that is providing us with some webinar recordings. This one just happened a couple weeks ago.

                  Next-Generation Firewall (NGFW) Training Videos

                  • 6. Re: Cisco ASA vs Cisco FTD
                    Girish Vyas

                    Thanks Steven for asking this question.


                    Based on what I have understood so far from their implementation model, A FTD is device which resembles UTM (Unified Threat Mitigation which includes IPS and URLF features together along with some Anti-X feature set) system while Cisco ASA is pure firewall and some level it can achieve UTM functions using the SSM modules. So as to come up with a focused solution, CIsco Firepower (or FTD) comes into the play.


                    There is an Firepower Management console (FMC), this allows you to control your policy in a better manner as you have one central access to all the firewall or FTD appliance you can control them.


                    The Firepower ecosystem is a bit different from the traditional model as it has its own OS and using this OS you can go to your traditional CLI, however for better efficiency and granular control of your company security policy, it is recommended to deploy policy from FMC.


                    Hope this helps and makes it easier for you to follow this new path.

                    • 7. Re: Cisco ASA vs Cisco FTD
                      Ali Gheidarpour  2xCCIE# 60158 (RS,SEC)

                      Hi Steven,


                      First let’s make it clear, there are many diffrences between Cisco ASA and FTD , as you know Cisco acquired the Source fire, 5  or 4 years ago, and this company was expert in IPS technology. After that Cisco used their technology in its IPS products and changed the name of those products to Firepower. So Cisco’s IPS is actually Firepower. So now Cisco has following security products related to IPS, ASA and FTD:

                           1- Normal ASA

                           2- Firepower (IPS)

                           3- Firepower Module (you can install that as an IPS module on your ASA)

                           4- Integrated Firewall and IPS in the same box (Firepower Threat Defence) --- FTD

                      İn ASA 5500X series you can install ASA OS for instance 9.x, or FTD OS like 6.x and if you install FTD on that box your box in no longer an ASA, you have FTD on it.

                      So FTD OS, is a universal code that contains Firewall and IPS at the same time in one box.

                      regarding your question about CLI and GUI, both of them are available in FTD, but you can use CLI to set up the system and do basic system troubleshooting. You cannot configure policies through a CLI session.

                      I hope it's helpful


                      Ali Gheidarpour


                      Please don't forget to rate if it was helpful

                      • 8. Re: Cisco ASA vs Cisco FTD

                        There is CLI like the traditional ASA  for the physical FTD devices. You can manage the device using Firepower device manager (FDM) for standalone devices .FDM os a web browser based management and that will be the replacement of ASDM.

                        And if you have multiple devices , then it's better to manage them using a centralised server known as Firepower Management center (FMC).

                        For the virtual versions of FTD, you can't manage them locally. You need FMC.


                        Cisco Firepower Threat Defense(FTD) NGFW: An Administrator's Handbook : A 100% practical guide on configuring and managing CiscoFTD using Cisco FMC and FDM., Jithin Alex, eBook - Amazon.com

                        • 9. Re: Cisco ASA vs Cisco FTD

                          good to know...

                          • 10. Re: Cisco ASA vs Cisco FTD
                            Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                            No direct CLI configuration anymore. As mentioned already, you would use CLI only for the initial configuration and troubleshooting. You might use FlexConfig from FMC which would allow you to push CLI configuration from FMC to the FTD appliance(s). Below is part of a post of mind that might be helpful:


                            FTD could be implemented in a different ways, such as a virtual appliance, running as a service on top of the ASA code, running on ASA hardware and as a physical appliance. Some of these implementations have prerequisites and some are not recommended. The best option of course would be to have an FTD running on a physical appliance.


                            The latest versions of FTD have improved a lot, and overcome a lot of the limitations they had at the beginning. There are still some differences in terms of how you apply the configuration comparing to what we used to do on ASA, as for example to configure policy maps and other features that you cannot configure through FMC or FDM through a predefined GUI menus, but you still be able to push them through what is called FlexConfig policies on FMC.


                            ASA engine is still there, even with the latest FTD versions, the ASA is still operational and it still does pretty much everything but the intelligence features such as DNS filtering, IPS, AMP, Identity management etc etc. The ASA is now knows as Lina engine on FTD, in fact, when you connect to FTD through the console, you can still go into the ASA module and running all the commands you would run on a normal ASA with same syntax, of course you cannot do any configuration from the command line any longer, but you can still run show commands, running packet capture, packet tracer etc etc.


                            In terms of FTD configuration, everything is done through the GUI, whether through FDM or FMC. In terms of technology, my personal opinion is that they would not be compared. ASA is a firewall, FTD is an intelligent firewall and much more, it can really give you a lot of advantages and a lot of more features that the ASA does not have.


                            FTD can absolutely replace an ASA in my opinion, I run it with all the features I had on my old ASA, and much more. One thing of a few to keep in mind is that when it comes to AnyConnect you have to use an external identity storage for authentication, whether RADIUS or AD, you cannot use the local users as we used to do on ASA. Another major thing to keep in mind is that with FTD there is no logic of the security levels we had on the ASA interfaces.


                            FTD is a powerful appliance, and I would highly recommend it over the legacy ASA devices. Here is an old post I had posted about the physical appliances:


                            The appliances 2100, 4100 and 9300 can run either FTD or ASA codes, but not both at the same time. Regardless if they run FTD or ASA, the underlying operating system will always be the FXOS. Through the FXOS supervisor, you can manage the FTD or ASA codes, and configuring the initial settings for the appliances themselves such as physical interfaces, application deployment, traffic distribution, clustering with other appliances etc etc. The FXOS command line is totally different than the ASA or even FTD. FXOS also allows to run third party applications such as Radware DDoS which runs in KVM mode on its security modules, on the other side ASA and FTD run in native mode. However, FTD software module on ASA allows the ASA to run its original code, in addition to the FTD software at the same time, from within the ASA you can access to the FTD and install/configure it and then you can redirect the traffic internally from the ASA to the FTD and filter it against the security policies you apply on the FTD module.

                            • 11. Re: Cisco ASA vs Cisco FTD

                              Is configuration via Lina on the development roadmap? I would have a hard time using an ASA if there was no GUI! Configuration is so much faster with the CLI for most things. I currently use these for clients, but each config is slightly different. So the ability to cut & paste parts of configs between devices saves an immense amount of time. Is there any sort of templating functionality, at least?

                              • 12. Re: Cisco ASA vs Cisco FTD

                                This is what Cisco says,

                                Use the Firepower Device Manager to configure, manage, and monitor the system. The features that you can configure through the browser are not configurable through the command-line interface (CLI); you must use the web interface to implement your security policies.


                                When we deploy configurations via FMC, We are able to see the commands that FMC pushes to the FTD devices but I don't think those commands can be entered directly from FTD CLI.


                                ASA CLI is useful for easy configurations (traditional firewall features) especially when you have multiple devices. Agree but I think Cisco will pitch these scenarios with FMC. Its like forcing you to buy FMC if you have multiple FTD devices. Easy management. And the traditional firewall thing is outdated, for configuring the NGFW features, it is convenient to have a GUI.

                                Since we are used to CLI, we may feel little strange. But a change is always good and we should welcome it ,if it's good.

                                • 13. Re: Cisco ASA vs Cisco FTD

                                  You won't see cli-based configuration of FTD going forward. You will see increased functionality being added to the API.


                                  "API is the new CLI."


                                  For better or worse, that's the way it is here in 2018.

                                  • 14. Re: Cisco ASA vs Cisco FTD

                                    Hi Steve


                                    A lot of interesting stuff in this discussion. I have been playing with FTD for a few weeks now and there a lots of nice things if you run lots of similar firewalls but for individual firewalls I really missing the quick configuration of the ASA.


                                    Today I have been playing with ISIS and the CLI on the FTD contains show ospf nei and show eigrp nei but neither show clns nei nor show isis nei. For the latter two you have to use the FMC. The flex config requires "programming skills" not quite but it will be a shock to old networkers. If you venture into the REST interface (API) download POSTMAN but note it use oauth2 and MS powershell does not like self signed certificates. Open powershell is OK.


                                    My favourite game of how do I with the FMC - is the shutdown which hides under configuration and process. Where else would you look.


                                    So you apply a policy to a number of nodes but after one fails you want to delete it. For that you edit the policy and then there is a box from which you can remove the specific request. That took me ages to find.


                                    There is a licensing satellite option if you can not get to the Internet but I have not got that working yet.


                                    When playing, switching FTD mode between routed and transparent is a quick way to reset the system.


                                    I am learning to love the FMC but deployment of a trivial change on one FTD takes ages and that is an area that needs to be improved.


                                    My praise for FTD is there is a shutdown command something we never had on the ASA.


                                    Hopefully somebody will write a super blog of everything you need to know.



                                    Regards Conwyn

                                    1 2 Previous Next