topic Re: What ever you can get out of in Network Security

Cisco ASA Firepower - Monitor-Only Mode Deployment Question

RaviKumar Nadendla — Sun, 10 Mar 2019 13:43:21 GMT

Hi,

We will be doing a POV for ASA Firepower services(ASA 5506X) and came across a question about deployment. Our goal is not to touch/impact the network and introduce the ASA Firepower Services into the production with monitor-only mode to analyze traffic. We knew that the ASA needs to be in transparent for this.

My question is, Can we just change ASA mode to transparent, assign a interface to Firepower traffic forward, nothing else on ASA as we want to use only firepower services?

My core switch has connection to Internet router and do not want to put ASA in the path using transparent. Just SPAN from switch to ASA Firepower? Can this be done? Do not want to use ASA at all...

Ravi

This is indeed doable.

Dennis Perto — Mon, 28 Nov 2016 11:36:33 GMT

This is indeed doable.

Page 16-21 in this document: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.pdf

The ASA must be configured in Single context and transparent mode.

interface gigabitethernet 0/5
no nameif
traffic-forward sfr monitor-only
no shutdown

Thanks. Thought of same. I

RaviKumar Nadendla — Tue, 29 Nov 2016 12:33:44 GMT

Thanks.

Is this traffic-forward interface separate from firepower management 1/1 or can I use M1/1 as traffic-forward interface?

You can not use the

Dennis Perto — Fri, 02 Dec 2016 10:39:38 GMT

You can not use the Management port as the listening port.

The management port is only used for managing the ASA and the Firepower module. 🙂

Thanks..Understand now..

RaviKumar Nadendla — Fri, 02 Dec 2016 14:27:11 GMT

Thanks..Understand now..

My purpose was solved. Now we are success with Firepower services without configuring anything else in ASA in the network.

So a stand-alone ASA-X could,

Thomas Winther — Wed, 28 Dec 2016 13:27:37 GMT

So a stand-alone ASA-X could, in "traffic-forward sfr monitor-only"-mode, provide the visibility for Users/applications/traffic rates/URLs, that we do not get from the classic ASA?

Can the Firepower module forward all that info by Syslog to my external SIEM/Cloud App analysis system?

How about performance numbers for this passive setup?

Thanks!

What ever you can get out of

Dennis Perto — Wed, 28 Dec 2016 13:42:43 GMT

What ever you can get out of your standard Firepower installation, you can also get out of this passive listening setup with a standalone ASA connected to either a FMC or on-board managed while sending all the syslog you want. 🙂

Performance numbers depends on the model of the ASA. You are welcome to call me.

Re: What ever you can get out of

Roy Olarte — Sun, 01 Oct 2017 00:27:09 GMT

Hi, We will also doing this setup by using FTD 5508-X.

Would still be possible for a passive deployment using FTD5508-X?

Appreciate your response.

Re: What ever you can get out of

Marvin Rhoads — Sun, 01 Oct 2017 08:31:01 GMT

Sure - either an ASA with ASA software and a Firepower service module or an ASA (or Firepower) appliance running FTD can work in such a scenario.

Re: What ever you can get out of

Roy Olarte — Sun, 01 Oct 2017 11:46:24 GMT

But it is not available for FDM only right?

By the way, for this passive interface deployment, does it also mean one interface is enough to monitor the traffic?

TIA!

Re: What ever you can get out of

Marvin Rhoads — Sun, 01 Oct 2017 14:38:56 GMT

That's correct, you cannot configure passive mode interfaces using FDM. See the following:

When you use Firepower Device Manager to configure the device, there are several limitations to interface configuration. If you need any of the following features, you must use Firepower Management Center to configure the device.

Routed firewall mode only is supported. You cannot configure transparent firewall mode interfaces.
IPS-only mode is not supported. You cannot configure interfaces to be inline, inline tap, passive, or ERSPAN for IPS-only processing. IPS-only mode interfaces bypass many firewall checks and only support IPS security policy. In comparison, Firewall mode interfaces subject traffic to firewall functions such as maintaining flows, tracking flow states at both IP and TCP layers, IP defragmentation, and TCP normalization. You can also optionally configure IPS functions for this firewall mode traffic according to your security policy.
You cannot configure EtherChannel or redundant interfaces.

(plus several more limitations)

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/fdm/fptd-fdm-config-guide-620/fptd-fdm-interfaces.html#concept_6940083A55184D009B6406EF167C9DD4

A single interface is indeed enough to monitor the traffic.

Re: Cisco ASA Firepower - Monitor-Only Mode Deployment Question

sreejith_r — Sun, 25 Nov 2018 20:09:22 GMT

Hi Ravi,

As far as I understand,in passive monitor-only mode we won't be creating access control policies.Then how do we see recommended actions from FMC.Will it be seen under Threats/Intrusion events?