TTechclick ⚡ XP 0% All lessons
Cisco · Secure Firewall · architecture & platformsInteractive · L1 / L2 / L3

Cisco Secure Firewall — Architecture, LINA/Snort & the Platforms

Inside one FTD image, LINA and Snort split the work and hand packets back and forth; FMC drives them over a secure sftunnel channel; and the same image runs on a whole family of appliances and virtual FTDv. This lesson maps the LINA-to-Snort handoff, the management plane and sftunnel, the hardware (1000–4200 and 4100/9300 on FXOS), and the virtual and cloud options.

📅 2026-06-18 · ⏱ 15 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A deeper, interactive guide to Cisco Secure Firewall architecture and the platform family (2026): the LINA data plane versus the Snort inspection engine and how a packet is handed between them, the FMC management plane and the sftunnel control channel on TCP 8305, the hardware appliances (1000/1100, 2100, 3100, 4200, and 4100/9300 on FXOS with FCM and multi-instance), and FTDv virtual on VMware, KVM and the major clouds.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

LINA vs Snort

Division of labour and the handoff.

 2

FMC & sftunnel

The management plane on TCP 8305.

 3

Hardware family

1000–4200, 4100/9300, FXOS & FCM.

 4

Virtual & cloud

FTDv, multi-instance, scaling.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Which engine deep-inspects a packet — IPS, AVC, URL — inside FTD?

Answered in LINA vs Snort.

2. What TCP port does the FMC-to-device sftunnel use?

Answered in FMC & sftunnel.

3. Which platforms use the FXOS chassis OS and multi-instance?

Answered in Hardware family.

Most engineers think…

Most people imagine that 'turning on IPS' means every packet gets fully scanned by one big monolithic firewall process. That picture hides the two-engine reality and the very real blind spots you can create.

Inside one FTD image, LINA and Snort split the work. LINA classifies and forwards; the prefilter can fast-path a flow so it never reaches Snort, and on supported platforms hardware flow offload can push a flow past inspection for speed. That is great for throughput — and a blind spot if you offload something you actually needed to inspect. Understanding the handoff is what keeps you fast and safe.

① LINA vs Snort — division of labour & the handoff

One FTD image, two engines, one clean split. LINA — the ASA-derived data plane — owns the L3/L4 world: interfaces, routing, NAT, VPN, the stateful connection table, flow offload and the 5-tuple part of access control. Snort — the inspection engine (Snort 3 by default) — owns the payload: NGIPS, application visibility (AVC), URL filtering and file/malware.

How a packet is handed over

LINA classifies the packet first. The prefilter policy decides fast-path versus inspect: a flow that is trusted or fast-pathed stays entirely in LINA, while a flow that needs inspection is handed to Snort. Snort deep-inspects, returns a verdict, and LINA enforces it and forwards. On supported appliances, established trusted flows can be offloaded to hardware for raw throughput — bypassing Snort by design.

The interview line: LINA classifies and forwards; prefilter decides fast-path vs inspect; Snort inspects and verdicts back to LINA.

Figure 1 — LINA responsibilities vs Snort responsibilities
One image, two engines: LINA moves and permits at L3/L4; Snort inspects the payload.LINA responsibilities vs Snort responsibilitiesLINA (data plane)Interfaces & routingNAT and VPNStateful L3/L4 ACLConnection table & flowSnort (inspection)NGIPS (Talos rules)Application visibility (AVC)URL filteringFile & malware defence
One image, two engines: LINA moves and permits at L3/L4; Snort inspects the payload.
Figure 2 — The LINA to Snort handoff
LINA classifies, the prefilter decides fast-path vs inspect, Snort inspects, and the verdict returns to LINA.The LINA to Snort handoffLINA classify5-tuple + flow lookupPrefilterfast-path or inspectSnort inspectNGIPS / AVC / URLVerdict to LINAallow / dropForwardegress packet
LINA classifies, the prefilter decides fast-path vs inspect, Snort inspects, and the verdict returns to LINA.
Name the handoff in interviews

Do not just say 'FTD does IPS'. Say: LINA classifies the packet, the prefilter decides fast-path versus inspect, flows needing inspection are handed to Snort, and Snort returns a verdict LINA enforces. Describing the handoff — including fast-path and flow offload — shows you understand the architecture, not just the marketing.

▶ Watch a packet handed from LINA to Snort and back

How one flow is classified, inspected and forwarded inside the two-engine FTD. Press Play for the healthy path, then Break it to see the classic blind spot.

① LINA classifyThe packet arrives; LINA does the L3/L4 lookup and matches it against the prefilter and access control policy.
② Prefilter decidesThe prefilter decides this flow needs deep inspection (not fast-path), so LINA hands it to the Snort engine.
③ Snort inspectSnort deep-inspects the payload — NGIPS, AVC and URL — and returns a clean verdict to LINA.
④ Verdict + forwardLINA enforces the verdict and forwards the packet out the egress interface, fully inspected.
Press Play to step through the healthy LINA-Snort-LINA path. Then press Break it.
Quick check · Q1 of 10 · Understand

Which engine deep-inspects the packet payload for IPS, AVC and URL?

Correct: c. Snort is the deep-inspection engine. LINA classifies and forwards at L3/L4; the prefilter only decides fast-path versus inspect before Snort sees the flow.
👉 So far: LINA classifies and forwards at L3/L4; the prefilter decides fast-path vs inspect; Snort deep-inspects and returns a verdict LINA enforces. Trusted flows can bypass Snort.

② The management plane — FMC & sftunnel

The data plane (LINA/Snort) moves packets; the management plane configures and monitors the device. In an enterprise that plane is FMC, which centrally owns policy, events and reporting for many FTDs.

FMC reaches each managed device over a dedicated, encrypted control channel called sftunnel, which runs on TCP 8305. Everything between FMC and the FTD — policy deployments, event streaming, health and licensing — travels inside sftunnel. If 8305 is blocked between FMC and the device, the device stops getting policy and stops sending events, even though traffic may still flow.

The interview line: FMC is the management brain; sftunnel on TCP 8305 is the secure channel that carries config and events between FMC and FTD.

Figure 3 — FMC manages FTD over sftunnel
Policy, events and health travel inside the encrypted sftunnel channel on TCP 8305.FMC manages FTD over sftunnelFMCcentral managersftunnelTLS on TCP 8305FTD mgmtreceives policyEvents backlogs + health to FMC
Policy, events and health travel inside the encrypted sftunnel channel on TCP 8305.
⚙️
LINA / Snort split
tap to flip

LINA is the ASA data plane (L3/L4, NAT, VPN, routing, flow offload); Snort is the inspection engine (NGIPS, AVC, URL, malware). One image, two engines.

🔀
Prefilter handoff
tap to flip

The prefilter decides fast-path vs inspect. Fast-pathed/offloaded flows stay in LINA; flows needing inspection are handed to Snort, which verdicts back.

🔐
sftunnel (TCP 8305)
tap to flip

The encrypted FMC-to-FTD device channel. Carries policy deploys, event streaming, health and licensing. Block 8305 and management breaks.

🏗️
FXOS & multi-instance
tap to flip

The 4100/9300 run the FXOS chassis OS (managed by Firepower Chassis Manager) and support multi-instance — several isolated FTD logical devices on one box.

Forgetting sftunnel needs TCP 8305

A classic failure: FTD passes traffic fine but will not take a policy deploy or show events in FMC. The cause is almost always TCP 8305 (sftunnel) blocked between FMC and the device by a firewall or ACL in the management path. Management and data planes are separate — fix 8305 reachability.

Quick check · Q2 of 10 · Remember

FMC manages each FTD over a secure channel called sftunnel. Which TCP port?

Correct: b. sftunnel — the encrypted FMC-to-device management channel carrying policy, events and health — runs on TCP 8305. Block it and the device stops getting policy and sending events.
👉 So far: FMC is the management plane; it reaches each FTD over the encrypted sftunnel channel on TCP 8305, which carries policy, events and health — separate from the data plane.

③ Hardware appliances — 1000–4200 and 4100/9300 on FXOS

The same FTD image runs across a hardware family that scales by throughput. The Secure Firewall 1000/1100, 2100, 3100 and 4200 series cover small branch up to large campus and data-centre edge, with the 3100 and 4200 adding hardware flow offload and higher throughput.

The high-end chassis

The Firepower 4100 and 9300 are high-end chassis that run a chassis operating system, FXOS, managed by Firepower Chassis Manager (FCM). On these you can run multi-instance (container) deployments — several isolated FTD logical devices on one box. The 9300 in particular targets service-provider and very high throughput.

The interview line: 1000–4200 are appliances; 4100/9300 are FXOS chassis managed by FCM that support multi-instance — throughput scales with the platform.

Figure 4 — Platform tiers, small to large
The same FTD image runs from a small branch appliance up to the high-end FXOS chassis.Platform tiers, small to large1000 / 1100Small branch / SOHO2100Branch and mid-size3100Campus / data-centre edge4200High-throughput data centre4100 / 9300FXOS chassis, multi-instance
The same FTD image runs from a small branch appliance up to the high-end FXOS chassis.
Quick check · Q3 of 10 · Remember

Which platforms use the FXOS chassis OS and support multi-instance (container) deployments?

Correct: a. The high-end Firepower 4100 and 9300 run FXOS (managed by Firepower Chassis Manager) and support multi-instance — several isolated FTD logical devices on one chassis.
👉 So far: Appliances 1000–4200 scale by throughput; the high-end 4100/9300 run the FXOS chassis OS (managed by FCM) and support multi-instance container FTDs.

④ Virtual & cloud — FTDv and scaling

You do not need hardware to run FTD. FTDv is the virtual firewall: the same FTD image as a VM on VMware and KVM on-prem, and on AWS, Azure, GCP and OCI in the cloud. It is licensed by performance tier and managed by the same FMC/CDO.

You scale in two directions. Up: pick a bigger appliance, or a 4100/9300 chassis with multi-instance to carve one box into several FTDs. Out: deploy more FTDv instances (often behind a load balancer or cloud auto-scale) so capacity grows with demand. Throughput always tracks the platform you choose; FMC stays the single management plane across all of them.

The interview line: one image everywhere — appliances, FXOS chassis with multi-instance, or FTDv on VMware/KVM/AWS/Azure/GCP/OCI — scaled up by platform or out by instances, all under one FMC.

Figure 5 — The Cisco Secure Firewall family
One FTD image spans physical appliances, the FXOS chassis and virtual FTDv across clouds.The Cisco Secure Firewall familyFTD imageLINA + Snort1000 / 21003100 / 42004100 / 9300 (FXOS)FTDv (VMware/KVM)FTDv (AWS/Azure/GCP/OCI)
One FTD image spans physical appliances, the FXOS chassis and virtual FTDv across clouds.

Arjun at a Mumbai data centre faces this

An internal server-to-server flow is clearly malicious in logs elsewhere, but FTD never raised an IPS event on it even though the IPS policy is enabled.

Likely cause

An aggressive trust/prefilter rule plus hardware flow offload sends that established flow straight through LINA, so Snort never inspects it — a blind spot, not a missing signature.

Diagnosis

Trace the connection: it shows as offloaded/fast-pathed in the connection table, which means it bypassed Snort by design.

FMC ▸ Policies ▸ Prefilter / Access Control ▸ review trust & offload for that flow
Fix

Remove the trust/fast-path rule (or exclude that flow from flow offload) so the flow is handed to Snort for full inspection instead of being offloaded.

Verify

Re-test: the flow now shows as inspected in the connection events and the IPS engine raises the expected intrusion event.

Confirm a flow is actually inspected

Never assume a flow is being scanned just because IPS is enabled. Check the connection event: if it shows trust/fast-path or hardware offload, Snort never touched it. Read the connection table to prove inspection rather than trusting that the policy 'should' apply.

Quick check · Q4 of 10 · Apply

You need to run FTD in Azure with no physical appliance. What do you deploy?

Correct: d. FTDv is the same FTD image as a virtual machine, supported on VMware and KVM on-prem and on AWS, Azure, GCP and OCI in the cloud — no hardware required.
👉 So far: FTDv runs the same image on VMware/KVM and AWS/Azure/GCP/OCI. Scale up by platform/multi-instance or out by more FTDv instances — one FMC over all of it.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which engine owns NAT, VPN, routing and the stateful connection table?

Correct: a. LINA is the ASA-derived data plane — interfaces, routing, NAT, VPN and the connection table (plus flow offload). Snort handles deep inspection; FXOS is the chassis OS on the 4100/9300.
Q6 · Understand

What travels inside the sftunnel channel between FMC and an FTD?

Correct: b. sftunnel (TCP 8305) is the management channel: it carries policy deployments, events, health and licensing between FMC and the device, separate from the data plane that moves user traffic.
Q7 · Apply

You must run several isolated FTD firewalls on a single high-end box. Which option fits?

Correct: c. Multi-instance (container instances) on the FXOS-based 4100/9300 lets you run several isolated FTD logical devices on one chassis, each with its own resources, managed via FCM.
Q8 · Analyze

FTD passes traffic fine but will not accept a policy deploy and shows no events in FMC. Most likely cause?

Correct: d. The data plane and management plane are separate. Traffic flowing while policy/events fail points squarely at the sftunnel management channel on TCP 8305 being blocked between FMC and the device.
Q9 · Evaluate

An interviewer asks how a packet moves through the two engines. Best answer?

Correct: a. LINA classifies first, the prefilter chooses fast-path or inspect, flows needing inspection go to Snort, and Snort's verdict returns to LINA for forwarding. Trusted flows can be fast-pathed or offloaded.
Q10 · Evaluate

Why can aggressive flow offload create a security blind spot?

Correct: c. Flow offload moves an established, trusted flow to the platform fast path/hardware for throughput, bypassing Snort. If you offload a flow that actually needed inspection, it leaves un-inspected — a blind spot to fix by excluding it from offload/trust.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: how is a packet handed from LINA to Snort, and where can it skip Snort entirely? Then compare with the expert version.

Expert version: LINA classifies the packet at L3/L4 and consults the prefilter and access control policy; the prefilter decides fast-path versus inspect. A flow marked for inspection is handed to Snort, which deep-inspects (NGIPS, AVC, URL, malware) and returns a verdict that LINA enforces before forwarding. A packet can skip Snort entirely when a trust/prefilter fast-path rule applies, or when an established trusted flow is offloaded to hardware on supported platforms — great for throughput but a blind spot if you offload something that needed inspecting. The whole thing is driven by FMC over the encrypted sftunnel channel on TCP 8305, and the same FTD image runs on appliances, FXOS chassis with multi-instance, and virtual FTDv across the clouds.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

LINA
The ASA-derived data plane inside FTD: interfaces, routing, NAT, VPN, the connection table, flow offload and stateful L3/L4 access control.
Snort
The deep-inspection engine inside FTD (Snort 3 by default): NGIPS, application visibility (AVC), URL filtering and file/malware defence.
Prefilter / fast-path
An early LINA policy that decides whether a flow is fast-pathed (kept in LINA, skipping Snort) or handed to Snort for inspection.
Flow offload
Pushing an established, trusted flow to the platform fast path/hardware so it bypasses software inspection for throughput — a potential blind spot.
sftunnel (TCP 8305)
The encrypted FMC-to-FTD management channel carrying policy deploys, events, health and licensing — separate from the data plane.
FXOS
Firepower eXtensible Operating System — the chassis OS on the 4100/9300 that hosts FTD logical devices and manages the hardware.
Firepower Chassis Manager (FCM)
The web UI on FXOS (4100/9300) for managing chassis interfaces, logical devices and multi-instance deployments.
Multi-instance
Container instances on the 4100/9300: several isolated FTD logical devices on one chassis, each with dedicated resources.
FTDv
Virtual FTD — the same FTD image as a VM on VMware and KVM and on AWS, Azure, GCP and OCI, licensed by performance tier.

📚 Sources

  1. Cisco — Cisco Secure Firewall Threat Defense architecture: LINA and Snort data path. cisco.com/go/secure-firewall
  2. Cisco — Secure Firewall Management Center: device management and the sftunnel channel (TCP 8305). cisco.com
  3. Cisco — Secure Firewall 1000/2100/3100/4200 appliance data sheets. cisco.com
  4. Cisco — Firepower 4100/9300 with FXOS, Firepower Chassis Manager and multi-instance. cisco.com
  5. Cisco — Cisco Secure Firewall Threat Defense Virtual (FTDv) for VMware, KVM, AWS, Azure, GCP and OCI. cisco.com
  6. Cisco — Prefilter, fast-path and flow offload in Secure Firewall Threat Defense. cisco.com

What's next?

Got the architecture and platforms? Next, go deep on deployment and interface modes — routed vs transparent firewall mode, inline pair vs inline tap, passive/SPAN and ERSPAN, and how security zones group interfaces for policy.

Next · All interview lessons → Practice on exam.techclick.in →