Understanding FTD Multi-Instance Capability Mode

In this post I want to cover running the multi-instance capability with Firepower Threat Detection (FTD). This capability lets you run containers that use a batch of resources of the security module/engine.

Here are the main benefits of multi-instance solutions:

  • Hardware-level traffic processing isolation

  • Hardware-level fault isolation

  • Independent software version management

  • Independent upgrades and restarts

  • Full management isolation

  • Full feature parity between the container and native instances

The Firepower chassis comes with a supervisor and up to 3 security modules. This allows us to deploy logical devices. A logical device allow us to run one application instance. During deployment of a logical device the following items are defined:

  • Application instance type - native or container

  • Version

  • Assign interfaces

  • Configure bootstrap settings

Native is single instance mode which will consume all resources. Container instance mode will consume what you define. Quick note, it is important to understand that each platform has the following capabilities. Also, this is currently only supported on 4100 & 9300 platforms:

To put things into perspective the FTD multi instance capability is very similar to the ASA multi context mode. ASA multi context mode partitions a single application instance. The FTD multi instance allows independent container instances. The FTD containers totally segregate resources, configuration management, reloads, & software updates. While the ASA context mode shares resources from the chassis.

Here is a brief overview of the anatomy of a container instance:

The last piece I want to cover now that we have a better understanding of multi-instance is how licensing works:

  • Each FTD subscription license is shared by all instances on a module • License sharing requires all instances to be managed by a single FMC • With multiple FMCs, each requires a separate set of FTD subscriptions.

Check out more FTD posts via the <ftd> tag. Cheers!


Recent Posts

See All

"The What?" - In this blog I want to share some valuable Digital Network Architecture Center (DNAC) tips & tricks that I have collected that are quite useful when needing to troubleshoot/perform some

In this post I want to cover the ESA Email pipeline. The email pipeline represents how emails are processed through the system from start to finish. The pipeline consists of 3 main phases: Receipt:

I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog I want to cover DKIM & DMARC. Starting with DKIM, it