
What Is Cisco Secure Firewall? — FTD, FMC, LINA & Snort

Cisco Secure Firewall is not a router with a bolt-on IPS — it is one unified image, FTD, that runs two engines: the ASA-derived LINA data plane and the Snort inspection engine. This lesson explains what FTD actually is, who does what between LINA and Snort, how you manage it (FMC vs FDM vs CDO), and where it fits coming from classic ASA — including the Smart Licensing tiers.

📅 2026-06-18 · ⏱ 15 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to what Cisco Secure Firewall really is (2026): FTD (Firepower Threat Defense) — one unified image with two engines, the ASA-derived LINA data plane plus the Snort inspection engine — managed centrally by FMC, on-box by FDM, or from the cloud by CDO. Plus where it fits coming from classic ASA and how Smart Licensing tiers work.

Pick where you want to start

  1. What FTD is. One image, two engines: LINA + Snort.
  2. LINA + Snort. Who does what: data plane vs inspection.
  3. How you manage it. FMC vs FDM vs CDO.
  4. Where it fits. From ASA to NGFW, and licensing.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Cisco FTD a router with a separate IPS box wired next to it?

Answered in What FTD is.

2. Which engine does deep inspection (IPS, app visibility, URL, malware)?

Answered in LINA + Snort.

3. Which tool manages many FTDs from one central console?

Answered in How you manage it.

Most engineers think…

Most people picture an NGFW as 'an ASA with an IPS module bolted on'. That mental model costs you marks in an interview and confuses you the first time Snort drops traffic the ASA would have passed.

Cisco FTD (Firepower Threat Defense) is one unified image with two engines inside it. LINA is the ASA-derived data plane — interfaces, routing, NAT, VPN and stateful L3/L4 firewalling — and Snort is the deep-inspection engine for NGIPS, app visibility, URL filtering and malware. There is no separate box: one image, two engines, managed centrally by FMC. Understanding that split is what lets you read a drop, choose a manager and license it correctly.

① What FTD actually is — one image, two engines

The single most important idea: Cisco FTD is one unified software image, not a stack of devices. Inside that one image are two engines that cooperate on every flow. (Cisco now brands the product family Cisco Secure Firewall; FTD is short for Firepower Threat Defense, also called Cisco Secure Firewall Threat Defense.)

The first engine is LINA — the data plane carried over from the classic ASA. It owns interfaces, routing, NAT, site-to-site and remote-access VPN, the connection table and stateful L3/L4 access control. The second engine is Snort — the deep-inspection brain. Snort 3 is the current default engine, and it does NGIPS, application visibility & control (AVC), URL filtering and file/malware defence.

So when someone says 'FTD', hear one image = LINA + Snort. LINA gets the packet on and off the wire and applies fast L3/L4 rules; Snort looks inside the packet for threats. That single sentence is the whole foundation of this vendor.

Figure 1 — Classic ASA vs Cisco FTD
FTD keeps the entire ASA data plane (LINA) and adds the Snort inspection engine on top, centrally managed.
Classic ASA: stateful L3/L4 firewall; NAT and routing; site-to-site & RA VPN; no deep inspection built in.
Cisco FTD: same L3/L4 firewall (LINA); NAT, routing, VPN (LINA); NGIPS / AVC / URL / malware; central management (FMC).

Figure 2 — What lives inside the FTD image
One image, three layers — the LINA data plane, the Snort inspection engine, and the management/control glue.
LINA data plane: interfaces, routing, NAT, VPN, L3/L4 ACL.
Snort engine: NGIPS, AVC, URL filtering, file/malware.
Management plane: talks to FMC / FDM / CDO.

Quick check · Q1 of 10 · Understand

Cisco FTD is best described as…

Correct: b. FTD is a single software image that contains both the ASA-derived LINA data plane and the Snort deep-inspection engine. It is not two boxes and not Snort alone.
👉 So far: Cisco FTD = one unified image with two engines: LINA (ASA data plane — L3/L4, NAT, VPN, routing) plus Snort (deep inspection — NGIPS, AVC, URL, malware).

② LINA + Snort — who does what

The two engines have a clean division of labour. LINA (the ASA data plane) handles everything that is about moving and permitting traffic: physical and logical interfaces, routing, NAT, VPN termination, the stateful connection table, and the L3/L4 part of the Access Control Policy (the 5-tuple allow/deny). It is fast because it never has to read the application payload.

Where Snort takes over

When an Access Control rule says inspect, LINA hands the flow to Snort for deep inspection: NGIPS, application detection (AVC), URL category/reputation filtering, and file/malware defence. Snort returns a verdict and LINA enforces it. The prefilter and Security Intelligence can drop or fast-path traffic early, so Snort only sees what actually needs deep inspection.

The interview line: LINA = the ASA muscle (L3/L4, NAT, VPN); Snort = the inspection brain (IPS, AVC, URL, malware). Same image, two jobs.

Figure 3 — One packet across FTD
LINA gets the packet on the wire and applies L3/L4 rules; Snort does the deep inspection before egress.
LINA ingress (interface + 5-tuple) → Prefilter + SI (fast-path or block early) → AC rule (allow with inspection) → Snort (IPS / AVC / URL) → Egress (verdict enforced)

FTD (one image)
Firepower Threat Defense — one unified software image that contains both engines (LINA + Snort). The single thing you deploy on every Cisco Secure Firewall.

LINA (data plane)
The ASA-derived engine: interfaces, routing, NAT, VPN, the connection table and stateful L3/L4 access control. The fast 'move and permit' muscle.

Snort (inspection)
The deep-inspection engine — Snort 3 by default. NGIPS, application visibility (AVC), URL filtering and file/malware defence, driven by Cisco Talos.

FMC (central manager)
Cisco Secure Firewall Management Center — one console for policy, events and reporting across many FTDs. FDM is on-box for one device; CDO is cloud.

Say 'one image, two engines' in interviews

Lead with the line that signals you actually understand Cisco Secure Firewall: FTD is one image running LINA (the ASA data plane — L3/L4, NAT, VPN) and Snort (deep inspection — NGIPS, AVC, URL, malware). That one sentence separates you from people who call it 'an ASA with IPS bolted on'.

One packet crossing an FTD — LINA then Snort

How a single allowed-with-inspection packet is handled end-to-end.

① LINA ingress: The packet arrives on an FTD interface; LINA does the L3/L4 work and checks the prefilter and Security Intelligence feeds from Talos.
② Access Control: The Access Control rule matches and says Allow — but with inspection — so LINA marks the flow to be handed to Snort.
③ Snort inspection: Snort deep-inspects: NGIPS signatures, application detection (AVC) and URL category all run, and Snort returns a verdict.
④ Egress: LINA enforces Snort's verdict (allow) and forwards the packet out the egress interface, fully inspected.

Quick check · Q2 of 10 · Remember

Which engine performs deep inspection — NGIPS, AVC, URL filtering and malware?

Correct: c. Snort (Snort 3 by default) is the deep-inspection engine. LINA handles L3/L4, NAT, VPN and routing; it hands flows marked for inspection to Snort.
👉 So far: LINA moves and permits traffic at L3/L4; when a rule says inspect, it hands the flow to Snort, which returns a verdict LINA enforces. Snort 3 is the default.
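
The path described in this section, as a small added model in Python (an illustration added here, not Cisco code or output from a device). The rule format, feed entries, signature string and sample flows are constructed, the drop for unmatched flows is an assumption of the model, and the fail-close default is the behaviour this lesson states for an unavailable Snort.

```python
# Added illustration, not Cisco code: a toy model of the packet path in this lesson.
# Rule format, feed contents, signatures and flows are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: str = ""

@dataclass(frozen=True)
class Rule:
    dport: int             # L3/L4 match (destination port only, for brevity)
    action: str            # "allow" or "block"
    inspect: bool = False  # allow *with inspection*: hand the flow to Snort

SI_BLOCKLIST = {"203.0.113.66"}       # stand-in for a Security Intelligence feed
PREFILTER_FASTPATH = {4500}           # ports fast-pathed before deep inspection
RULES = [Rule(443, "allow", inspect=True), Rule(53, "allow"), Rule(23, "block")]
SIGNATURES = ["EXAMPLE-BAD-PATTERN"]  # stand-in for IPS rules

def snort_inspect(flow):
    """Deep inspection reads the payload, which the L3/L4 stages never do."""
    return "drop" if any(sig in flow.payload for sig in SIGNATURES) else "allow"

def evaluate(flow, snort_up=True, fail_open=False):
    """Return (verdict, stage that decided) for one flow."""
    # Early stages: fast-path or block before Snort is involved.
    if flow.dport in PREFILTER_FASTPATH:
        return ("allow", "prefilter fast-path")
    if flow.src in SI_BLOCKLIST or flow.dst in SI_BLOCKLIST:
        return ("drop", "Security Intelligence")
    # Access control, L3/L4 part: first matching rule wins.
    rule = next((r for r in RULES if r.dport == flow.dport), None)
    if rule is None:
        return ("drop", "no matching rule")  # assumed default for this model
    if rule.action == "block":
        return ("drop", "access control L3/L4")
    if not rule.inspect:
        return ("allow", "access control L3/L4")
    # The rule says inspect, so this flow needs Snort.
    if not snort_up:
        if fail_open:  # optional trade-off toward availability
            return ("allow", "Snort fail-open, uninspected")
        return ("drop", "fail-close, Snort unavailable")
    return (snort_inspect(flow), "Snort")

if __name__ == "__main__":
    samples = [Flow("10.1.1.5", "198.51.100.10", 443, "GET /index.html"),
               Flow("10.1.1.5", "198.51.100.10", 443, "EXAMPLE-BAD-PATTERN"),
               Flow("10.1.1.5", "203.0.113.66", 443),
               Flow("10.1.1.5", "10.2.2.2", 23)]
    for f in samples:
        print(f.dport, f.dst, "->", evaluate(f))
```

The second element of each result names the stage that decided, which is the question to answer first when reading a drop: an L3/L4 decision or a Snort verdict.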

③ How you manage it — FMC vs FDM vs CDO

FTD itself is the same image everywhere; what differs is who manages it. There are three options. FMC (Firepower Management Center) is the central manager: one console that owns policy, events and reporting for many FTD devices. It is what most enterprises run.

FDM (Firepower Device Manager) is the on-box GUI baked into FTD for managing a single device, with no separate server. It suits a small site or a standalone firewall. CDO (Cisco Defense Orchestrator) is the cloud manager: it manages FTD (and ASA and other devices) from Cisco's cloud, so you do not host an on-prem manager.

One rule of thumb: many devices + deep features → FMC; one small device → FDM; cloud-first / many sites → CDO. A device is managed by one of these at a time, not all three.

Figure 4 — Three ways to manage FTD
The same FTD image is driven by one of three managers — central, on-box, or cloud.
Diagram labels: FTD device (LINA + Snort image); FMC (central); FDM (on-box); CDO (cloud); Talos feeds.

Confusing FMC with FDM

FMC is the central, multi-device manager (a separate server or appliance). FDM is the on-box GUI for a single device. They are not the same and you generally pick one model per device. Mixing them up is the classic Cisco Secure Firewall interview slip — keep central (FMC), on-box (FDM) and cloud (CDO) clearly separated.

Quick check · Q3 of 10 · Apply

You must manage 40 FTD firewalls with full IPS and URL policy from one console. Which manager?

Correct: a. FMC (Firepower Management Center) is the central, multi-device manager for many FTDs with the full feature set. FDM only manages one device; CDO is the cloud alternative.
👉 So far: Three managers for the same FTD image: FMC (central, many devices), FDM (on-box, one device) and CDO (cloud). Pick one per device.

④ Where it fits — from ASA to NGFW, and licensing

FTD is the NGFW successor to the classic ASA. ASA gave you a rock-solid stateful L3/L4 firewall plus VPN — and that is exactly what lives on in the LINA engine. FTD adds the Snort engine on top: NGIPS, application visibility, URL filtering and malware defence, all managed centrally. So migrating from ASA to FTD is less 'rip and replace the firewall' and more 'keep the firewall, gain deep inspection and central management'.

Smart Licensing — what unlocks what

Capabilities are turned on by Smart Licensing tiers. An Essentials base license covers the firewall itself; on top you add IPS / Threat (NGIPS with Talos rules), URL Filtering (category & reputation) and Malware Defense (file inspection and retrospection). Threat intelligence — IPS rules and the Security Intelligence feeds — comes from Talos.

The interview line: one FTD image keeps the ASA data plane (LINA) and adds Snort-based NGFW features, managed by FMC/FDM/CDO and licensed in tiers from Essentials upward.

Figure 5 — From ASA to NGFW, by licence tier
Start at the Essentials base and add Threat, URL and Malware entitlements to light up Snort features.
ASA base (L3/L4 firewall + VPN) → Essentials (FTD firewall base) → + IPS / Threat (NGIPS via Talos) → + URL (category + reputation) → + Malware (file defence)

Priya at a Hyderabad fintech faces this

She enabled URL filtering and intrusion rules on a new FTD, but the features show as unlicensed and the policy will not deploy.

Likely cause

Only the Essentials base entitlement is assigned in Smart Licensing — the Threat and URL Filtering add-on licences were never attached to the device.

Diagnosis

Open the licensing page: the device shows Essentials registered but Threat, URL and Malware as 'not enabled', which is why those policy elements are greyed out.

FMC ▸ System ▸ Licenses ▸ Smart Licensing ▸ assign per device
Fix

Assign the Threat (IPS), URL Filtering and Malware Defense entitlements to the FTD in Smart Licensing, then re-deploy the access control policy.

Verify

Re-deploy succeeds; IPS rules and URL categories now apply, and the licence page shows Threat/URL/Malware as enabled on the device.

Prove a feature is licensed, not just configured

Never assume IPS or URL filtering is active because you ticked a box. Check Smart Licensing on the device — Essentials plus the right add-on (Threat / URL / Malware) must be assigned, or the policy silently fails to deploy. Read the licence state, do not guess.

Quick check · Q4 of 10 · Analyze

Coming from a classic ASA, what does moving to FTD actually change?

Correct: d. FTD keeps the ASA data plane inside LINA — stateful L3/L4 firewall, NAT, routing and VPN — and adds the Snort engine for NGIPS, AVC, URL filtering and malware, with central management.
👉 So far: FTD is the NGFW successor to ASA — keep LINA's firewall/VPN, add Snort features — licensed in Smart Licensing tiers (Essentials + Threat/URL/Malware), with Talos intel.

📝 Wrap-up assessment — six more

Q5 · Remember

How many software images make up an FTD firewall?

Correct: b. FTD is a single unified image. Both the LINA data plane and the Snort inspection engine live inside that one image, on every Cisco Secure Firewall.
Q6 · Understand

Which statement about LINA is correct?

Correct: a. LINA is the ASA-derived data plane: interfaces, routing, NAT, VPN, the connection table and stateful L3/L4 access control. NGIPS and URL filtering belong to Snort.
Q7 · Apply

A single small branch firewall has no separate management server. How would you manage it on-box?

Correct: c. FDM is the on-box web GUI built into FTD for managing one device with no separate server — ideal for a small standalone branch. FMC and CDO are external/central/cloud managers.
Q8 · Analyze

Why is the same threat blocked identically whether it arrives via VPN or a routed interface on one FTD?

Correct: d. Both paths terminate in LINA, which hands flows marked for inspection to the one shared Snort engine. Inspection is consistent because there is a single engine inside the single image.
Q9 · Evaluate

An interviewer asks which Smart Licensing entitlements you need for NGIPS plus web category blocking. Best answer?

Correct: a. Essentials covers the firewall base; NGIPS needs the Threat (IPS) entitlement and web category/reputation blocking needs the URL Filtering entitlement. Malware Defense is a separate add-on for file inspection.
Q10 · Evaluate

Snort is overwhelmed on an FTD with no Fail Open configured. What happens to traffic needing inspection, and is that intended?

Correct: b. Default FTD behaviour is fail-close: traffic that needs Snort is dropped if Snort cannot inspect it, protecting you. Snort Fail Open is an optional, deliberate trade-off toward availability.

🧠 In your own words

Type one line: why is Cisco FTD called 'one image, two engines' rather than 'an ASA with an IPS module'? Then compare with the expert version.

Expert version: Because a single FTD software image contains both engines that cooperate on every flow: LINA, the ASA-derived data plane that does interfaces, routing, NAT, VPN and stateful L3/L4 access control, and Snort, the deep-inspection engine (Snort 3 by default) that does NGIPS, application visibility, URL filtering and file/malware. LINA moves and permits traffic and, when a rule says inspect, hands the flow to Snort, which returns a verdict LINA enforces. There is no bolt-on box — it is one image managed by FMC, FDM or CDO, which keeps the entire ASA firewall and adds NGFW inspection on top, licensed in Smart Licensing tiers from Essentials upward.

📖 Glossary

FTD (Firepower Threat Defense)
Cisco Secure Firewall Threat Defense — the single unified NGFW image that contains both the LINA data plane and the Snort inspection engine.
LINA
The ASA-derived data plane inside FTD: interfaces, routing, NAT, VPN, the connection table, flow offload and stateful L3/L4 access control.
Snort
The deep-inspection engine inside FTD (Snort 3 is the default). Does NGIPS, application visibility (AVC), URL filtering and file/malware defence.
FMC (Management Center)
Cisco Secure Firewall Management Center (formerly Firepower Management Center) — the central, multi-device manager for policy, events and reporting.
FDM (Device Manager)
Firepower Device Manager — the on-box web GUI built into FTD for managing a single device with no separate server.
CDO (Defense Orchestrator)
Cisco Defense Orchestrator — the cloud-delivered manager for FTD (and ASA and other devices) across many sites.
Smart Licensing
Cisco account-based licensing: an Essentials base plus add-on entitlements (Threat/IPS, URL Filtering, Malware Defense) assigned to each device.
Talos
The Cisco threat-intelligence group that authors the IPS rules and Security Intelligence blocklists FTD uses.
Snort Fail Open
An optional FTD setting that lets traffic pass un-inspected if Snort is down; the default is fail-close, which drops such traffic for security.

What's next?

Got what FTD and FMC are? Next, go deep on the architecture and platform family — exactly how LINA hands a packet to Snort, the sftunnel management channel, and the hardware (1000–4200, 4100/9300 on FXOS) and virtual FTDv options.