28 Comments

  1. Bibbas
    September 28, 2019 @ 2:27 pm

    Hi Todd. Thank you for being so quick with this update.
    There seem to be a lot of changes with regard to URL Filtering in FPR 6.5 code (new category names, multiple categories split, etc.). Do you know how FTD 6.4 or lower will work with FMC 6.5 with regard to these changes? Could this cause some issues if we deploy a policy from FMC 6.5 with new categories to devices running 6.4?

    • Todd Lammle
      September 28, 2019 @ 4:34 pm

      That’s a great question. From what I can tell, my 6.4 devices are still on BrightCloud. I think in a new update such as 6.4.0.6 maybe it will change, but let me check on that.

      • Jeff Fanelli
        October 21, 2019 @ 3:00 pm

        Older versions managed by FMC 6.5 will continue to use BrightCloud. There are no plans to make this change retroactive to older releases. Hope this helps!

        • Todd Lammle
          October 21, 2019 @ 3:18 pm

          Jeff, thank you. That is odd for sure, but we appreciate the post!

  2. Duque
    September 30, 2019 @ 7:26 am

    Hi Todd
    Nice to read your sum-up of FTD 6.5. I agree that while it looks better with the new UI, it is far from usable and more painful compared to the old one. It just doesn’t look like it’s made with FrontPage 98 anymore, but that’s about it.

    What I found to be a big point in the 6.5 release notes is that they are already warning us about the Firepower User Agent soon going bye-bye and that we should move over to ISE-PIC/Passive Identity.
    I wish they would just give up on FMC and focus on bringing CDO as an on-prem solution (of course it still has a lot missing and needs a lot of polishing), but the way CDO/SDC or FDM works with FTD is far better compared to what FMC does.
    #nomoresftunnel

    I totally agree that the FPR1010 is a big change for Cisco; we really needed that FPR1010 (also 2 years ago ;) ). I have been working with the Layer 2 switch feature for a while now, and yes, it is nice to finally have that function available. I haven’t tested the PoE ports yet.

    • Todd Lammle
      September 30, 2019 @ 9:01 am

      Thank you for your comments.
      I do believe they are going to use CDO. It’s useful now, and I heard it was going to go into beta for FTD…can’t wait!
      But I use ISE with pxGrid with most of my customers anyway….

  3. Jonathan
    September 30, 2019 @ 11:53 am

    Any changes to hit counters? Currently hit counters are always reset every deploy, then they go back to “0”.

    • Todd Lammle
      September 30, 2019 @ 12:14 pm

      In 6.4 and 6.5 the GUI hit counters are not reset; only the CLI counters (show access-list-config) are, and those still get reset.
      Todd

  4. Sundar
    October 2, 2019 @ 3:19 pm

    TrustSec with SXP and destination SGT support have been added to offer broader integration with ISE on FMC/FTD and FTD-API platforms. Please share your feedback when you get an opportunity to review them.

  5. John
    October 7, 2019 @ 10:51 am

    Hi Todd. Is there a feature to migrate FMC configurations to another one, virtual to virtual? I’m trying to see if I can deploy FMC without having to do many manual configurations. I do some configuration with the REST API as well as importing configuration files with policies. Some of the configurations and settings I would like to have deployed (aside from platform settings) are the login banner, external authentication, backup profiles/jobs, etc. Does 6.5 offer features for doing this?

    • Todd Lammle
      October 7, 2019 @ 3:53 pm

      Yes, you can migrate from one FMC to another now – WITH 6.5 code…they must be on exactly the same code, same VDB and same Snort version/date.

  6. Brandon
    October 11, 2019 @ 7:04 am

    Hello Todd. I really enjoy the content you publish in your blogs, very insightful and relevant. In the release notes for 6.5 there is a reference to an FMCv 300. Do you have any insight into this new VMware platform? I would also be interested to find out if you have any comments on the possibility of FMCv Hyper-V support. Thanks!

    • Todd Lammle
      October 12, 2019 @ 10:27 am

      I couldn’t run it, as I tried to put it on my server and it wouldn’t load. It takes a minimum of 64 GB of RAM and a huge amount of processing and storage…you might as well buy a hardware FMC! Don’t know about the Hyper-V support.

      • Kostas
        November 13, 2019 @ 2:08 am

        Hi Todd.

        I have a question regarding the FMCv300 and am hoping you could provide some insight.
        I’m in the middle of a huge deployment and we were waiting for this “stronger” FMCv to become available so that we could test it. The problem is that it is nowhere to be found in the CCO download section. Since you mentioned that you couldn’t run it (due to the high RAM requirements), I was wondering how you got access to the OVA. Is it publicly available?

        Thanks in advance for your answer and for your great posts!

        • Todd Lammle
          November 13, 2019 @ 7:22 am

          Hello, I am on the beta team, so I have seen the vFMC300, but as you mentioned, I haven’t been able to run it. I don’t know when it will be released…soon though.
          However, I don’t think this is going to make your network analysis faster; nothing will. The v300’s power is for managing up to 300 devices with a virtual FMC.
          If you have the current vFMC, then you can use 8 processors and up to 4 TB of RAM starting with version 6.5.
          Add more processing and RAM to your current system if you can.

          • shahrukh aziz
            November 13, 2019 @ 10:38 am

            Thanks Todd. So with the current FMCv (max 25 device support) running code 6.4.0.4-34, I can set the VM to use 8 processors and up to 4 TB of RAM? What’s the max I can set the processor and RAM to for the FMCv-300?
            Also, with upgrading from the current FMCv to the FMCv-300, is it just a license thing and having 6.5 running, or do I have to install a new VM (once released)?

            Do you have a rough idea on the price difference between a FMCv300 and the FMC 1600 Appliance?

            Thanks

  7. Roy
    October 23, 2019 @ 1:56 pm

    I am still on 6.4.0.1. I have been hesitant to jump any higher because of all of the bugs people have mentioned. What is the highest stable release that people are using today? 6.5.0, 6.4.0.6 or what?

  8. Todd Lammle
    October 23, 2019 @ 2:11 pm

    I think 6.5 is better than any 6.4 code, and I’ve been using 6.5 in production since it came out.

    • Roy
      October 23, 2019 @ 3:35 pm

      Thanks Todd! Any bugs that you have noticed or know about? Have you seen it on a 2110 yet?

      • Roy
        October 23, 2019 @ 3:41 pm

        Also, is there anything I need to be prepared for when jumping from 6.4.0.1 to 6.5? Any changes that had to be made? Can I go straight from 6.4.0.1 to 6.5?

  9. Todd Lammle
    October 23, 2019 @ 3:43 pm

    I think it is better than 6.4 for sure, and 6.5 fixed my HA issues with all versions of 6.4.
    You can go straight from 6.4.x to 6.5 for sure.
    I ran 6.5 on 4140s, 1010s, 1150s and vFTDs.

    • Alex
      October 23, 2019 @ 11:23 pm

      Hello Todd

      What HA issues have you encountered with FTD 6.4 that made you jump to 6.5 from the start?

      Regards
      Alex

  10. Todd Lammle
    October 24, 2019 @ 8:58 am

    UPDATE 10/24/19: There is a NAT bug in 6.5, so please be aware of this before you upgrade!

    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp70833/?rfs=iqvred

  11. Todd Lammle
    October 24, 2019 @ 4:02 pm

    Alex, the HA issues were intermittent. My FTD devices would just start acting up and then finally just stop working. You had to reboot and then remove the pair to get them working again…ugh

  12. Giovanni
    October 26, 2019 @ 3:45 pm

    Hi Todd,

    Thanks for all the tips about Firepower.

    I still don’t understand how and why there is no support for tunnel interfaces on FTDs when there is on ASAs.

    Do you know if there is any way to configure BGP dynamic routing to Google Cloud via a VPN in FTD? In ASA I am running a Tunnel interface but again…no tun in FTD :(

    Thanks, I hope you can help me understand this (or suggest Cisco to add tunnel interfaces in FTD :) )

    • Todd Lammle
      October 29, 2019 @ 1:38 pm

      Giovanni, I do not know the answer or whether they support the tunnel you described. I will copy and send that to my contacts at Cisco. Thank you for posting!

  13. Tunde
    October 29, 2019 @ 9:10 pm

    Hello, I am totally new to FTD and am just deploying my first box. What is the implication of not registering the box upon startup? Right now I am on the 90-day eval. I don’t intend to use the Firepower side of the software, just the firewall features. What features will shut down at the end of the 90 days? Thanks

    Reply

    • Todd Lammle
      October 29, 2019 @ 9:15 pm

      I am not sure exactly what you mean by not using the Firepower side of the software. It’s all Firepower, right? So after 90 days it won’t let you deploy, but if you configure the FTD box through the FMC and deploy now, you can turn off the FMC and the FTD will still be working. You won’t get network analysis or malware lookups, but SI, URL filtering and IPS will still be working on the FTD. However, you want the FMC for understanding your network, so after 90 days you can just build another FMC. This all assumes that you are just using this for training and not in production, of course.
