Exam 350-701 topic 1 question 133 discussion

What a tricky question, but I think I just got you the perfect answer and the perfect link from Cisco. The correct answer is A, not B. The reason why, According to Cisco, if you want to migrate your ASA to FTD and want to manage them both through "CDO and FDM" then use (CDO), but if you want to migrate ASA to FTD and manage both in the same time (Centralized) then use FMC" So the answer is absolutely A, and here is the link: https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CDO/ASA2FTD_Using_CDO/ASA2FTD_with_FP_Migration_Tool_cdo_chapter_011.html

Vote for B FMC will manage only Firepower images (FTD or Firepower module Services). CDO is able to centrally manage your ASAs, FTD, Meraki security policies and AWS VPC security policies. For FMC, you need to have a local VM (with some resources like 32G RAM) and need to manage the redundancy as well. CDO is cloud based (could have a local VM with small resources to communicate with the cloud and not expose your devices management). You need to see CDO like the Meraki portal for Cisco Security Firewalls. https://community.cisco.com/t5/network-security/a-classic-cdo-vs-fmc/td-p/4070116

I would say is CDO because FMC is usually a VM.

It is CDO, which can migrate from ASA to FTD. Cisco FMC is a fairly new thing, where Cisco hosts the FMC for you, since that thing is supposed to have around 30GB of memory, even when managing one or two FTD devices. Also, FMC cannot migrate from ASA to FTD, you have to re-enter the entire configuration from scratch.

It is B. CDO . The FMC cannot help with the ASA-to-FTD migration, you do that using the Firepower Migration Tool, then the config is loaded in to the FMC once migrated. CDO on the other hand does allow you to migrate ASA to FTD (managed using FDM thou), but it also allows you to then manage thouse FDM FTDs too. https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CDO/ASA2FTD_Using_CDO/ASA2FTD_with_FP_Migration_Tool_cdo_chapter_011.html https://www.cisco.com/c/en/us/td/docs/security/cdo/managing-ftd-with-cdo/managing-ftd-with-cisco-defense-orchestrator/managing-ftd-with-cdo.html

The answer can be A) FMC using an appliance, not a virtual machine, or B) CDO without SDCs... it's a hard one, but I would go for A, has more sense if it must be a "centralized solution"

"The organization does not have a local VM" 1-FDM(manage device locally ) 2-CDO(cloud based central management no need VM) 3-FMC(VM based central management)

It is Cisco question do not overthink it - if you cannot use VM you are left with CDO https://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620/asa2ftd_migration_procedure.pdf FMC: Step 1 Download one of the following images from Support: • Firepower Management Center Virtual for VMware • Firepower Management Center Virtual for KVM Step 2 Use the image file to install a dedicated Firepower Management Center Virtual, as described in the appropriate guide: • Cisco Firepower Management Center Virtual for VMware Deployment Quick Start Guide • Cisco Firepower Management Center Virtual for KVM Deployment Quick Start Guide Step 3 Connect to the Firepower Management Center via ssh, using the admin username. Step 4 Log in to the root shell: sudo su - Step 5 Run the following command: enableMigrationTool.pl After the process completes, refresh any web interface sessions running on the Firepower Management Center to use the migration tool.

Answer is CDO

i came cross this situation for deploying FPR1150 firewalls. basically you will have 3 options 1-FDM(manage device locally ) 2-CDO(cloud based central management no need VM) 3-FMC(VM based central management) so for this question you need to manage them from controller but not from the VM you manage, answer is CDO . so B.

A is correct. FMC supports both physical and virtual appliances, hence it can be deployed as a virtual machine on an existing server infrastructure or as a physical appliance. also FMC supports the migration of Cisco ASA configurations to Cisco FTD

B is incorrect. CDO (Cisco Defense Orchestrator) is a cloud-based management solution that can manage multiple Cisco security products, including ASA (Adaptive Security Appliance) and FTD. However, it requires a local VM to be deployed in order to manage on-premises devices.

A is correct

I will go with B. Very good comparison between CDO and FMC pros and cons in this link https://community.cisco.com/t5/network-security/a-classic-cdo-vs-fmc/td-p/4070116 Main two points here to note: there is no local VM as per the question. FMC needs a local VM. Secondly, the question clearly says the existing ASA must migrate over to FTD - CDO can do that however FMC you need to do separate migration tool.

cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_logical_devices.html

Is B as it states ASA to FTD migration CDO can be used.

It's B - CDO. "organization deploys multiple Cisco FTD appliances and WANTS TO manage" - i. e. is NOT managing it now but wants to do it (probably) in the future. "organization does not have a local VM" - i. e. no place for FMC deployment, "ave existing Cisco ASA that must migrate over to Cisco FTDs" - just another feason for CDO and its migration tool