Press J to jump to the feed. Press question mark to learn the rest of the keyboard shortcuts
8

ASA5508-X wih Firepower do i ned FMC?

Hi

I just got this device and i have never used this FDM webgui before. I need to setup PBR and security context but I cant find how I configure this.

All I have found is that i need FMC? Seems weird to me. I thought I could configure the device via ASDM but it doesnt seem possible.

So is FMC my only option to unblock these settings?

18 comments
90% Upvoted
What are your thoughts? Log in or Sign uplog insign up
level 1

Thus far FMC has been a dumpster fire for us - painfully slow, nothing works the first time, bugs/gaps in functionality, take a coffee break waiting for a config to deploy after every tiny change, and a bunch of stuff has changed logically for no particular reason.

(And we paid to bring in real pros to do the configs, so it's not me screwing it up).

Avoid.

level 2

Unfortunately, the slow deployment times are a symptom of next-gen firewalls managed by a central appliance. Palo Alto has the same issues with Panorama.

Not that your other points aren't valid, but we are moving to a world where instantaneous deployment of rules is a thing of the past. (unless you get really good at rest APIs)

level 2

You make some valid points, but hopefully the future is brighter for your experience with FMC.

Release version 6.2.3 specifically addresses the issues (and a lot more) that you are referring to. Deployment times are much, much faster, although like /u/ItsANetworkProblem mentioned, are not instantaneous and I can't see them ever being as such.

Query times in FMC have been increased by 80% - the interface is the fastest it's ever been and will continue to be improved.

577 bugs were fixed in 6.2.3 - this is the most stable version yet, and has been receiving a lot of positive feedback.

I would recommend upgrading to 6.2.3 if you haven't yet.

level 3

Cheers, I'll certainly move that upgrade up on the to-do list.

level 4

Best of luck - I think you'll like it much more!

level 1

You only need FMC to configure IPS sensor, or if you are running the FTD image.

I am not too familiar with ASDM, but I know PBR and multi-context mode can be done via CLI

level 2
Original Poster1 point · 3 months ago

Yes the FTD image is running and when connecting to the console port I login to the firepower CLI which is new to me. I cant even configure an interface there.

level 3
CCNP R&S2 points · 3 months ago

Yes, if you are running FTD image then you need FMC to manage the ASA via GUI, otherwise you're stuck with CLI only.

level 4

As of 6.1, you no longer need FMC for local management of FTD devices.

As for configuring advanced features like PBR, you will need to use what Cisco calls "FlexConfig" and i am not sure if that is supported on the local device manager.

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-get-started.html

level 4
Original Poster1 point · 3 months ago

Okay! Thanks a lot :)

level 1

Hopping on this but how do people that are using FPMC get historical logs? Our director is wanting to save say 3 months worth of logs but even with bumping the virtual appliance up to 35,000,000 events it still only gets us about 3-4 weeks (medium size organization with 900 employees).

The virtual also tends to run quite a bit slower with 35,000,000 records rather than 10m. Even if I bought the entry level appliance that does 60m, it wouldn't get me to 3 months.

level 2
2 points · 2 months ago

It can't. You have to dump the logs to something else

level 3

What do other people use for that situation?

level 4

Graylog, Splunk, I am sure Cisco has some half baked product they'd be happy to sell you.

level 1

Using the FMC is a much better alternative to using FDM in stand-alone mode.

level 1
0 points · 3 months ago

Personally I will recommend you to install FMC. Tho whole idea of ngfw is loging, and loging would be stored on FMC for you to make changes based on logs. If you chose standalone firepower without FMC, I think you only get 24h loging.

Many bugs, performance has been fixed in version 6.2.3 so install this version.

If you face any problems or have further questions don't hesitate to contact me. Cheers

level 2
Original Poster1 point · 3 months ago

Thanks for your answer, i'll definitely check if I can get the FMC up and running as it seems its needed for most of the things I want.

level 2

? Fmc logging is garbage. Has almost no retention.

Community Details

127k

Subscribers

897

Online

###Enterprise Networking Routers, switches and firewalls. Network blogs, news and network management articles. Cisco, Juniper, Brocade and more all welcome.

Create Post
r/networking Rules
1.
Rule #1: No Home Networking.
2.
Rule #2: No Certification Brain Dumps / Cheating.
3.
Rule #3: No BlogSpam / Traffic re-direction.
4.
Rule #4: No Low Quality Posts.
5.
Rule #5: No Early Career Advice.
6.
Rule #6: Educational Questions must show effort.
Cookies help us deliver our Services. By using our Services or clicking I agree, you agree to our use of cookies. Learn More.