1. Bibbas
    September 28, 2019 @ 2:27 pm

    Hi Todd. Thank you for being so quick with this update.
    There seem to be a lot of changes with regard to URL Filtering on FPR 6.5 code (new category names, multiple categories split, etc.). Do you know how FTD 6.4 or lower will work with FMC 6.5 with regard to these changes? Could this cause some issues if we deploy policy from FMC 6.5 with new categories to devices running 6.4?


    • Todd Lammle
      September 28, 2019 @ 4:34 pm

      That’s a great question. From what I can tell, my 6.4 devices are still on BrightCloud. I think in a new update such as maybe it will change, but let me check on that.


      • Jeff Fanelli
        October 21, 2019 @ 3:00 pm

        Older versions managed by FMC 6.5 will continue to use Brightcloud. There are no plans to make this change retroactive to older releases. Hope this helps!


        • Todd Lammle
          October 21, 2019 @ 3:18 pm

          Jeff, thank you. That is odd for sure, but we appreciate the post!


  2. Duque
    September 30, 2019 @ 7:26 am

    Hi Todd
    Nice to read your sum-up of FTD 6.5. I agree that while it looks better with the new UI, it is far from usable and more painful compared to the old one. It just doesn’t look like it’s made with FrontPage 98 anymore, but that’s about it.

    What I found to be a big point in the release notes of 6.5 is that they are already warning us about the Firepower Power User Agent soon going bye-bye and that we should be moving over to ISE-PIC/Passive Identity.
    I wish they would just give up FMC and focus on bringing CDO as an on-prem solution (of course it still has a lot missing and needs a lot of polishing), but the way CDO/SDC resp. FDM works with FTD is far better compared to what FMC does.

    I totally agree with the FPR1010 being a big change for Cisco; we really needed that FPR1010 (also 2 years ago ;) ). I’ve been working with the Layer 2 switch feature for a while now and yes, it is nice to have that function finally available. Haven’t tested the PoE ports yet.


    • Todd Lammle
      September 30, 2019 @ 9:01 am

      Thank you for your comments.
      I do believe they are going to use CDO. It’s useful now, and I heard it was going to go into beta for FTD…can’t wait!
      But I use ISE with pxGrid with most of my customers anyway….


  3. Jonathan
    September 30, 2019 @ 11:53 am

    Any changes to hit counters? Currently hit counters are always reset every deploy, then they go back to “0”.


    • Todd Lammle
      September 30, 2019 @ 12:14 pm

      In 6.4 and 6.5, the GUI hit counters are not reset; only the CLI (show access-list-config) counters are, and those are still reset.


  4. Sundar
    October 2, 2019 @ 3:19 pm

    TrustSec with SXP and Destination SGT support are added to offer broader integration with ISE on FMC/FTD and FTD-API platforms. Please share your feedback, when you get an opportunity to review them.


  5. John
    October 7, 2019 @ 10:51 am

    Hi Todd. Is there a feature to migrate FMC configurations to another one, virtual to virtual? I’m trying to see if I can deploy FMC without having to do many manual configurations. I do some configuration with the REST API as well as importing configuration files with policies. Some of the configurations and settings I would like to have deployed (aside from platform settings) are login banner, external authentication, backup profiles/jobs, etc. Does 6.5 offer features for doing this?


    • Todd Lammle
      October 7, 2019 @ 3:53 pm

      Yes, you can migrate from one FMC to another now – WITH 6.5 code….they must be on exactly the same code, same VDB and same Snort version/date.


  6. Brandon
    October 11, 2019 @ 7:04 am

    Hello Todd. I really enjoy the content you publish in your blogs, very insightful and relevant. In the release notes for 6.5 there is reference to a FMCv 300. Do you have any insight to this new VMWare platform? I would also be interested to find out if you have any comments on the possibility of FMCv Hyper-V support? Thanks!


    • Todd Lammle
      October 12, 2019 @ 10:27 am

      I couldn’t run it, as I tried to put it on my server and it wouldn’t load. It takes a minimum of 64G of RAM and a huge amount of processing and storage…you might as well buy a hardware FMC! Don’t know about the Hyper-V support.


      • Kostas
        November 13, 2019 @ 2:08 am

        Hi Todd.

        I have a question regarding the FMCv300 and am hoping you could provide some insight.
        I’m in the middle of a huge deployment and we were waiting for this “stronger” FMCv to become available so that we could test it. The problem is that it is nowhere to be found on the CCO download section. Since you mentioned that you couldn’t run it (due to high RAM requirements), I was wondering how you got access to the OVA? Is it publicly available?

        Thanks in advance for your answer and for your great posts!


        • Todd Lammle
          November 13, 2019 @ 7:22 am

          Hello, I am on the beta team so I have seen the vFMC300, but as you mentioned, I haven’t been able to run it. I don’t know when it will be released…soon though.
          However, I don’t think this is going to make your network analysis faster; nothing will. The v300 power is for managing up to 300 devices with a virtual FMC.
          If you have the current vFMC, then you can use 8 processors and up to 4TB of RAM starting with version 6.5.
          Add more processing and RAM to your current system if you can.


          • shahrukh aziz
            November 13, 2019 @ 10:38 am

            Thanks Todd. So with the current FMCv (max 25 device support) running code, I can set the VM to use 8 processors and up to 4TB of RAM? What’s the max I can set the processor and RAM to for the FMCv-300?
            Also, with upgrading from the current FMCv to FMCv-300, is it just a license thing and having 6.5 running, or do I have to install a new VM (once released)?

            Do you have a rough idea on the price difference between a FMCv300 and the FMC 1600 Appliance?


  7. Roy
    October 23, 2019 @ 1:56 pm

    I am still on I have been hesitant to jump any higher because of all of the bugs people have mentioned. What is the highest stable release that people are using today? 6.5.0, or what?


  8. Todd Lammle
    October 23, 2019 @ 2:11 pm

    I think 6.5 is better than any 6.4 code, and I’ve been using 6.5 in production since it came out.


    • Roy
      October 23, 2019 @ 3:35 pm

      Thanks Todd! Any bugs that you have noticed or know about? Have you seen it on a 2110 yet?


      • Roy
        October 23, 2019 @ 3:41 pm

        Also, anything that I need to be prepared for with jumping from to 6.5? Any changes that had to be made? Can I go straight from to 6.5?


  9. Todd Lammle
    October 23, 2019 @ 3:43 pm

    I think it is better than 6.4 for sure, and 6.5 fixed my HA issues with all versions of 6.4.
    You can go straight from 6.4.x to 6.5 for sure.
    I ran 6.5 on 4140s, 1010s, 1150s and vFTDs.


    • Alex
      October 23, 2019 @ 11:23 pm

      Hello Todd

      What HA issues have you encountered with FTD 6.4 that made you jump to 6.5 from the start?



  10. Todd Lammle
    October 24, 2019 @ 8:58 am

    UPDATE 10/24/19: There is a NAT bug in 6.5, so please be aware of this before you upgrade!



    • Mathieu
      November 26, 2019 @ 2:46 am

      Version is released, but in the release notes this bug is not mentioned under Resolved Issues?


      • Todd Lammle
        November 26, 2019 @ 12:29 pm

        Sorry, which bug are you referring to?


        • Roy
          November 26, 2019 @ 1:36 pm

          Mathieu is talking about the NAT bug you posted for 6.5. Anybody jump on yet? Any issues?


          • Todd Lammle
            November 26, 2019 @ 1:39 pm

            I won’t try 6.5 till next week now…thanks for the heads-up.

  11. Todd Lammle
    October 24, 2019 @ 4:02 pm

    Alex, the HA issues were intermittent. My FTD devices would just start acting up and then finally just stop working. You had to reboot and then remove the pair to get them working again…ugh.


  12. Giovanni
    October 26, 2019 @ 3:45 pm

    Hi Todd,

    Thanks for all the tips about Firepower.

    I still don’t understand how and why there is no support for tunnel interfaces on FTDs when there is on ASAs.

    Do you know if there is any way to configure BGP dynamic routing to Google Cloud via a VPN in FTD? On ASA I am running a tunnel interface, but again…no tun in FTD :(

    Thanks, I hope you can help me understand this (or suggest Cisco to add tunnel interfaces in FTD :) )


    • Todd Lammle
      October 29, 2019 @ 1:38 pm

      Giovanni, I do not know the answer or whether they support the tunnel you described. I will copy that and send it to my contacts at Cisco. Thank you for posting!


  13. Tunde
    October 29, 2019 @ 9:10 pm

    Hello, I am totally new to FTD and am just deploying my first box. What is the implication of not registering the box upon startup? Right now I am on the 90-day eval. I don’t intend to use the Firepower side of the software, just the firewall features. What features will shut down at the end of the 90 days? Thanks


    • Todd Lammle
      October 29, 2019 @ 9:15 pm

      I am not sure exactly what you mean by not using the Firepower side of the software. It’s all Firepower, right? So after 90 days it won’t let you deploy, but if you configure the FTD box through the FMC and deploy now, you can turn off the FMC and the FTD will still be working. You won’t get network analysis or malware lookups, but SI, URL filtering and IPS will still be working on the FTD. However, you want the FMC for understanding your network, so after 90 days you can just build another FMC. This all precludes that you are just using this for training and not in production, of course.


  14. Matt
    December 4, 2019 @ 6:57 am

    Thanks for all the testing and sharing of info you provide. Any update on the “unnamed” FTD device you said you could comment on in Nov?


  15. Anthony
    January 2, 2020 @ 11:40 am

    Any insider info on the FMC 300? It’s been some time since they announced it with no follow-up.


    • Todd Lammle
      January 2, 2020 @ 11:42 am

      Hi Anthony, yes, it is available now, but I have never run it because my servers won’t even install it. I have to buy a new server and at that point, I might as well buy an FMC appliance….but that said, I’ll be getting my new server next week and will try it anyway! I have zero customers with interest in it at this point. You?


      • Anthony
        January 2, 2020 @ 12:29 pm

        We are looking at it because we have a stretched HA datacenter design with ACI Multi-Site between two physical sites. Because we deem it to be a Tier 1 workload and want the ability to move it and have it be highly available in an HA/DR scenario, virtual seemed like the path of least resistance. Any thoughts?


        • Todd Lammle
          January 2, 2020 @ 12:50 pm

          Hi Anthony, that’s not what they are designed for, so I do not recommend this. However, I have customers that do this and it does work, but Cisco does NOT support that design.
          Why the vFMC300? How many devices do you have? The vFMC300 is not better than any other FMC; it just manages up to 300 devices….it’s not faster. The vFMC 25 version now supports 4Tb of RAM starting with 6.5 code…


          • Anthony
            January 2, 2020 @ 1:12 pm

            We are approaching the sensor limit of 25 and anticipate surpassing it. We’d only push the FMC to the opposing datacenter in dire circumstances – a true lights out DR scenario. When might it be time to also consider CDO? Do you anticipate prime time readiness down the road?

  16. Todd Lammle
    January 2, 2020 @ 1:24 pm

    NO on the CDO…I beta that for Cisco and you don’t want that yet…trust me. I see some business use in the future for CDO…

    Also, you may consider buying two 2600s or 4600s instead….you really don’t want to run 25 on the vFMC; it really just can’t handle it…the vFMC300 will work, but I think the cost could be prohibitive or equal to the hardware at this point…the amount of processing and RAM it uses means you may need a new server, and at that point the 2600 may work for you for the same price point, but you’d need two…so there’s that.

