1. rtaccon
    December 5, 2018 @ 3:02 pm

    About the Multi-instance (at the moment) it”s ONLY available for Cisco Firepower 4100/9300 (too much $) will this feature be available on a Cisco ASA 5508 (as currently available a license with up 5 multiple context) ?
    As the ASA5505 will be EoS cause will not support FTD version 6.3 do you know if a new “soho” Cisco Firepower applicance will be available or the Cisco ASA 5508 will be the new entry level device for FTD ?
    Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)


    • lammle
      December 5, 2018 @ 6:16 pm

      It will be eventually available on the 5500x but remember it’s not contexts but instances. That means each image gets its own CPU and memory. They can have a shared port, for example a port going to the internet, but that’s it, they are all very much separated services!


      • kaisero
        December 7, 2018 @ 11:56 am

        “It will be eventually available on the 5500x” – Are you really sure about that Todd? IMO multi-instance will be something that will be limited to FPR2100/4100/9300 since it is built on top of FX-OS hence there is a certain dependency. Combine that with the amount of resources required for multi-instance I think it will not be available on the old 5500-X series, which will probably be EOLED in a few years.


        • lammle
          December 7, 2018 @ 12:01 pm

          I had heard that the 5500x will get it, but we’ll see
          they are all already EOL…but they can run a pure FTD image for a long time, so they might get it, we’ll see…but I don’t recommend running it on those for the reason you state


  2. Colin Higgins
    December 6, 2018 @ 8:27 am

    We have 16 firewalls split among two FMC appliances. Even with administering only 8 firewalls (FTDs and ASAs with Firepower), the system is extremely slow and sluggish. I can’t imagine trying to add multi-instance to this, or user-based access control.

    The problem is largely with Java and the underlying system. Will Cisco ever go to HTML 5 in order to clean up FMC?


    • lammle
      December 6, 2018 @ 3:10 pm

      Yes, make sure you have 16 Gig or RAM if you’re vFMC….if you have 2500 or 4500 that’s the best you get
      6.2.3 code should be your minimum code, if you’re not running that, it will be slower than need be.


  3. Abbaszadeh
    December 6, 2018 @ 2:01 pm

    Thanks for your attention.


  4. Rob
    December 15, 2018 @ 8:47 pm

    Thanks for the write up… obviously the upgrade path is FMC then FTD… I’m curious if some of these features are available if you are only running 6.3 FMC and say 6.2.3.x for the FTD. Also, since the 5506s are no longer support beyond 6.2, will some of the administrative features available in 6.3 work for those devices? Namely the syslog configuration and the Contextual Cross-launch?


    • lammle
      December 16, 2018 @ 9:06 am

      I run 6.3 FMC and 6.2.3 for FTD devices at a lot of customers right now – works great. Yes, you lose some features like FQDN but not Syslog…no problems so far and I have done about 40 devices in the last 1.5 weeks…thanks for writing!


  5. Stefan
    January 18, 2019 @ 6:51 am

    Hi Todd, thanks for the write up.

    Regarding the multi-instance.. do you know how many instances are supported on the 4100 appliances ?
    -can’t seem to find the info in release notes.

    Kind regards


    • lammle
      January 18, 2019 @ 7:48 am

      Hi Stefan. Yes, you can get as many instances as you have cores. Each instance takes 8 cores, so depending on the model and cores you have will determine that amount
      however, they are coming out with 4115, 4125, 4145 and 4155 soon and it will double the amount of cores!


  6. Sammy
    January 23, 2019 @ 12:23 pm

    Thanks Tod for new updates. Is it safe to upgrade FTD to 6.3? Is it stable ?


    • lammle
      January 23, 2019 @ 12:53 pm

      Very! I highly recommend it!
      I’ve had 5 classes with it and most of my customers use it now too.


  7. shahad
    May 28, 2019 @ 4:15 am

    Hi Lammle, IAB and AAB are not enabled by default in FTD 6.3. no mention for that in release notes, also in the configuration guides its clearly stated that AAB is not enabled by default however your screen shots shows enabled:

    “By default the AAB is disabled; to enable AAB follow the steps described.
    AAB activates when an excessive amount of time is spent processing a single packet. AAB activation partially restarts the Snort process, which temporarily interrupts the inspection of a few packets. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information”


    “Not all deployments require IAB, and those that do might use it in a limited fashion. Do not enable IAB unless you have expert knowledge of your network traffic, especially application traffic, and system performance, including the causes of predictable performance issues. Before you run IABin bypass mode, make sure that trusting the specified traffic does not expose you to risk.”

    is it possible to adjust this information so its not misleading anyone. Thank you for your valuable contributions


    • lammle
      May 28, 2019 @ 7:05 am

      yes, this is correct, Shahad, I believe I wrote that because it was supposed to be on by default, but they are not. AAB should be on by default, but even with 6.4 it still is not!
      Thanks for posting!


Leave a Reply

Your email address will not be published. Required fields are marked *