Understanding FTD Multi-Instance Capability Mode

In this post I want to cover running the multi-instance capability with Firepower Threat Detection (FTD). This capability lets you run containers that use a batch of resources of the security module/engine.


Here are the main benefits of multi-instance solutions:

  • Hardware-level traffic processing isolation

  • Hardware-level fault isolation

  • Independent software version management

  • Independent upgrades and restarts

  • Full management isolation

  • Full feature parity between the container and native instances

The Firepower chassis comes with a supervisor and up to 3 security modules. This allows us to deploy logical devices. A logical device allow us to run one application instance. During deployment of a logical device the following items are defined:

  • Application instance type - native or container

  • Version

  • Assign interfaces

  • Configure bootstrap settings

Native is single instance mode which will consume all resources. Container instance mode will consume what you define. Quick note, it is important to understand that each platform has the following capabilities. Also, this is currently only supported on 4100 & 9300 platforms:

To put things into perspective the FTD multi instance capability is very similar to the ASA multi context mode. ASA multi context mode partitions a single application instance. The FTD multi instance allows independent container instances. The FTD containers totally segregate resources, configuration management, reloads, & software updates. While the ASA context mode shares resources from the chassis.


Here is a brief overview of the anatomy of a container instance:


The last piece I want to cover now that we have a better understanding of multi-instance is how licensing works:

  • Each FTD subscription license is shared by all instances on a module • License sharing requires all instances to be managed by a single FMC • With multiple FMCs, each requires a separate set of FTD subscriptions.

Check out more FTD posts via the <ftd> tag. Cheers!

0 comments

Recent Posts

See All

Email Security - Breaking Down DKIM & DMARC

I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog I want to cover DKIM & DMARC. Starting with DKIM, it

Email Security - Breaking Down SPF

In the post I want to breakdown & cover SPF in more detail. Especially as I continue to embark on the email security journey/track. before beginning, here is another brief overview of what SPF entai

Configuring & Verifying FTD NAT

"The What?" - In this post I will cover configuring NAT on Cisco FTD. Then I will walkthrough how to verify deployment with successful translations. The topology used to demo is below: "The Why?" -