In October 2018 I created this post to collect some feedback on using Firepower/FTD in production.

We did try it ourselves in production though, so we could form our own opinion; overall it really was as bad as described in the texts you see on the web.

Usually you don't expect everything to be really great; often the documentation is not really that good, or maybe the user interface is not performing quickly enough so you use the CLI, which you don't really mind ... but for FTD it is really the overall experience where nearly every part was terrible from the start and you could not reasonably argue for such a product at all. From initial implementation, software upgrades, daily operation and troubleshooting ... simply everything.

Negative aspects:

- Overall software quality: We did 2 minor software upgrades; one of them caused a failure, the other one took several hours and did break a few things later on
- Documentation: is either non-existent or even simply incorrect (for instance NAT64 setup, confirmed by TAC)
- Central Management: Cisco representatives told us directly that everything below the biggest FMC hardware appliance is not usable and we won't be happy with it (to be fair, this particular hw generation is now end-of-sale)
- Hardware Performance: They showed us an internal performance calculator which provided outrageous numbers; we sized really carefully, as we all know datasheet numbers are "a bit off" most of the time, but for FTD this was really just painful
- Development: "Everything will get better in the next release" should be printed on t-shirts; they just kept promising and promising. Bear in mind that we already looked at FTD in 2018 and actually know what progress was made up to this point

Positive aspects:

- Price: they made a ridiculously cheap offer to stay in the game
- Integration: as we have a lot of Cisco products in place, integration would obviously be native into those if needed (e.g. Cisco ISE, Wireless controllers and so on)
- Cisco seems to be aware, and they know they have to do something about it

They had to compete against Palo Alto and it really was straightforward. I was really impressed by how Palo does things, especially the central management, which offers many features you usually need a third-party tool like Algosec or Tufin for.

There was a lot of politics involved, as we have been an all-Cisco shop until now and a few people really did not like to move away from it, but the evidence against them was sufficient and stability was the key argument.

In the end we migrated most of our productive clusters within 2019 and are very happy Palo Alto customers. Honestly, I believe almost every other major firewall vendor would be better than what we saw with Firepower.

Something I noticed when comparing them is that Cisco is still putting out fires and doesn't seem to have the time or resources for proper development of the product (they still rush half-finished features into the field).

We still bought a few Firepower hardware appliances and run ASA software on them if we don't have the need for NGFW features (e.g. dedicated ClientVPN firewall), and even on those we face major issues with the delivered performance.

In 5 years everything might be different, but for now: stay away from Firepower/FTD if you can.

Happy new year

submitted by /u/Philibilly [link] [comments]