
Cisco FTD feature limitations

I have frequently seen this topic come up every now and then, and therefore I thought it would be a great idea to create an overview of unsupported features for FTD in comparison to ASA.

First things first: we have to know what is what.

FTD combines both ASA and Firepower code into a single image. At the moment FTD has not reached feature parity with ASA (no remote-access VPN, no multiple-context mode, no clustering, etc.), but it will be the way forward.

One of the benefits is that you won't need to configure two separate instances (ASA & Firepower), but have a unified security policy that is managed either with Firepower Device Manager for small to mid-range deployments (ASA 5506-X - 5525-X) or centrally with Firepower Management Center.

The Firepower appliances (4100, 9300) are the new NGFW hardware platform that can run either ASA (without Firepower services) or FTD software. They are basically the evolution of the ASA hardware platform and support higher throughput.

You may want to go down the FTD road if you do not require the ASA features that are not yet implemented, as stated above. In about two years it should be the de facto standard.

Feature Comparison (Q4, 2016)

Please keep in mind that this list is best-effort and might not reflect the current status entirely. In case you spot any errors, just let me know and I will change the list accordingly. I extracted this picture from one of the security webinars in October 2016, and many things could have changed since then.


  • Multiple-Context mode

  • Different VM form factors (ASAv supports various throughput options, NGFWv is capped at max 1.2Gbit)

  • ASA5585-X Platform support (not possible due to hardware architecture)

  • Hyper-V support

  • TLS Proxy for Encrypted Voice Inspection

  • Clientless SSL VPN

  • Configuration CLI

  • HA (Active/Standby) for Public Cloud (AWS/Azure)

Supported with FlexConfig

  • Modular Policy Framework (e.g. changing TCP timeouts, changing inspections depending on ACL)

  • Bidirectional Forwarding Detection (BFD)

  • Virtual Extensible LAN (VXLAN)

  • Intermediate System to Intermediate System (IS-IS)

  • Enhanced Interior Gateway Routing Protocol (EIGRP)

  • Policy-based Routing (PBR)

  • Equal-cost multi-path routing (ECMP)

  • NetFlow

  • Web Cache Communications Protocol (WCCP)

Supported but limited

  • Local device manager (no feature parity between FDM and FMC)

  • Central management via in-band data path (Staging or OOB required for remote management)

  • AnyConnect (no feature parity with ASA)

  • REST API (no feature parity with ASA REST API yet)

  • SSL Acceleration (only for FPR4100 & FPR9300)

  • Clustering (only for FPR4100 & FPR9300)

  • Unified Connection Logging (FTD Connection events do not include detailed L4 information, e.g. SYN Timeout, etc.)
