https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3207169#M1065155 <P>Hi,</P> <P>You can use the global&nbsp; policy as follows:</P> <P>-Identify the traffic that you need to send to the IPS module.</P> <P>-create a class-map for access-list</P> <P>-apply the class-map under the global policy-map</P> <P>&nbsp;</P> <P>access-list IPS extended permit ip any any</P> <P>class-map IPS-TRAFFIC-CLASS<BR />&nbsp;description Traffic for IPS Processing<BR />&nbsp;match access-list IPS</P> <P>policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map<BR />&nbsp; inspect ftp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect rsh<BR />&nbsp; inspect rtsp<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect skinny<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect xdmcp<BR />&nbsp; inspect sip<BR />&nbsp; inspect netbios<BR />&nbsp; inspect tftp<BR />&nbsp; inspect ip-options<BR />&nbsp; inspect icmp<BR />&nbsp; inspect snmp<BR /> class IPS-TRAFFIC-CLASS<BR />&nbsp; sfr fail-open</P> <P>&nbsp;</P> <P>Thanks</P> <P>John</P> Mon, 30 Oct 2017 00:45:22 GMT johnd2310 2017-10-30T00:45:22Z https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3207041#M1065153 <P>Hi Guys,</P> <P>&nbsp;</P> <P>I want to check on how to redirect the ASA traffic into firepower for IPS and AMP. Current ASA global policy match the&nbsp;default-inspection-traffic. I suppose this does not match all traffic. Hence wondering&nbsp; what the general best practice for configuring service policy in ASA to enable the ASA Firepower inspection ? Meaning to say, Should I use the current global policy as it is or should I&nbsp; modify the current global policy match to any any instead of default-inception-traffic ?&nbsp;</P> <P>&nbsp;</P> <P>Regards</P> <P>Ragulan</P> <P>&nbsp;</P> Fri, 21 Feb 2020 14:35:31 GMT https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3207041#M1065153 ragulan_dms 2020-02-21T14:35:31Z https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3207048#M1065154 <P>Best practice varies according to what you are trying to inspect.</P> <P>&nbsp;</P> <P>Many organizations match all and inspect that but if you have specific traffic you need to target then yours would be different.</P> <P>&nbsp;</P> <P>Also if you have, for instance, a significant amount of traffic that you trust (like IPsec going to a termination point inside your network) then you would exempt that from inspection.</P> Sun, 29 Oct 2017 14:19:03 GMT https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3207048#M1065154 Marvin Rhoads 2017-10-29T14:19:03Z https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3207169#M1065155 <P>Hi,</P> <P>You can use the global&nbsp; policy as follows:</P> <P>-Identify the traffic that you need to send to the IPS module.</P> <P>-create a class-map for access-list</P> <P>-apply the class-map under the global policy-map</P> <P>&nbsp;</P> <P>access-list IPS extended permit ip any any</P> <P>class-map IPS-TRAFFIC-CLASS<BR />&nbsp;description Traffic for IPS Processing<BR />&nbsp;match access-list IPS</P> <P>policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map<BR />&nbsp; inspect ftp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect rsh<BR />&nbsp; inspect rtsp<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect skinny<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect xdmcp<BR />&nbsp; inspect sip<BR />&nbsp; inspect netbios<BR />&nbsp; inspect tftp<BR />&nbsp; inspect ip-options<BR />&nbsp; inspect icmp<BR />&nbsp; inspect snmp<BR /> class IPS-TRAFFIC-CLASS<BR />&nbsp; sfr fail-open</P> <P>&nbsp;</P> <P>Thanks</P> <P>John</P> Mon, 30 Oct 2017 00:45:22 GMT https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3207169#M1065155 johnd2310 2017-10-30T00:45:22Z https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3209027#M1065156 <P>Thanks John and Melvin. This means , for example, ftp traffic will go through both ASA inspection and firepower IPS ?&nbsp;</P> <P>&nbsp;</P> Thu, 02 Nov 2017 01:37:19 GMT https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3209027#M1065156 ragulan_dms 2017-11-02T01:37:19Z https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3209048#M1065157 <P>Yes, ASA runs its own inspect and sends a&nbsp;<U>copy</U> of the packets to the Firepower module.</P> <P>Firepower runs preprocessor and other&nbsp;advanced security (IPS, AMP...) on the connections and instructs the ASA to drop&nbsp;or reset a connection if needed.</P> <P>Hope that helps.</P> Thu, 02 Nov 2017 01:47:44 GMT https://community.cisco.com/t5/network-security/asa-5500-x-firepower-configuration/m-p/3209048#M1065157 Patrick Moubarak 2017-11-02T01:47:44Z