In this post I want to cover running the multi-instance capability with Firepower Threat Detection (FTD). This capability lets you run containers that use a batch of resources of the security module/engine.
Here are the main benefits of multi-instance solutions:
Hardware-level traffic processing isolation
Hardware-level fault isolation
Independent software version management
Independent upgrades and restarts
Full management isolation
Full feature parity between the container and native instances
The Firepower chassis comes with a supervisor and up to 3 security modules. This allows us to deploy logical devices. A logical device allow us to run one application instance. During deployment of a logical device the following items are defined:
Application instance type - native or container
Configure bootstrap settings
Native is single instance mode which will consume all resources. Container instance mode will consume what you define. Quick note, it is important to understand that each platform has the following capabilities. Also, this is currently only supported on 4100 & 9300 platforms:
To put things into perspective the FTD multi instance capability is very similar to the ASA multi context mode. ASA multi context mode partitions a single application instance. The FTD multi instance allows independent container instances. The FTD containers totally segregate resources, configuration management, reloads, & software updates. While the ASA context mode shares resources from the chassis.
Here is a brief overview of the anatomy of a container instance:
The last piece I want to cover now that we have a better understanding of multi-instance is how licensing works:
Each FTD subscription license is shared by all instances on a module • License sharing requires all instances to be managed by a single FMC • With multiple FMCs, each requires a separate set of FTD subscriptions.
Check out more FTD posts via the <ftd> tag. Cheers!