topic FirePower Appliance Placement in Network Security

FirePower Appliance Placement

rsharp001 — Tue, 10 Mar 2020 03:32:37 GMT

I have a FirePower 8k series appliance that is tied together with ISE pxGrid. Currently, the FP is setup with 2 ports inline on the outside of the firewall(ASA). I have a SPAN on the inside of the firewall that sends trafic to another port on the FP acting as an IDS. Using passive identity with no SGTs

I can see the identity info when traffic is seen inside but once it goes out the firewall it is lost. Is there a way to preserve that data or should I plan to bring the IPS inside the firewall?

Re: FirePower Appliance Placement

Marvin Rhoads — Tue, 10 Mar 2020 14:30:06 GMT

The identity integration associates a given username with the IP address of the endpoint where that user was authenticated. If the outside traffic has been NATted, you lose that association information.

You can only see the end to end flow using something like StealthWatch which can stitch together flows from records originating from an ASA or FTD firewall using the NSEL type of Netflow records which include the NAT translation information.

Otherwise, yes - you would need to have the IPS inside. That is the recommended placement for IPS' (generally speaking) when they are distinct from the firewall.

Re: FirePower Appliance Placement

Rob Ingram — Tue, 10 Mar 2020 15:36:01 GMT

Aside from NAT that Marvin mentioned, you would lose the SGT unless you were doing inline tagging between devices (within the network).

Re: FirePower Appliance Placement

rsharp001 — Tue, 10 Mar 2020 16:23:33 GMT

Thank you Marvin.