topic Hi Marvin, in Network Security

ASA 5585X Firepower hardware module in passive mode

y.lo — Sun, 10 Mar 2019 13:25:38 GMT

We would like to connect a ASA 5585X Firepower hardware module to a switch span port to discover current live traffic on the production network.

However there is no traffic being captured using a service-policy.

The documentation I can find is about configuring software Firepower module, with a passive monitor-only interface to capture traffic from a switch span port. The configuration for 5585X Firepower hardware module in passive mode does not mention about switch span port.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118824-configure-firepower-00.html

Can 5585X Firewpower hardware module do the same as software module to capture traffic from a switch span port?

To use a FirePOWER module

Marvin Rhoads — Mon, 03 Aug 2015 13:16:41 GMT

To use a FirePOWER module where the ASA is monitor-only off a span port, the ASA must first be in transparent mode. (The default mode is routed.)

Note that switching to transparent mode will clear the configuration of the ASA!

So, the following is required at a minimum (given int gi0/0 - otherwise substitute whatever interface is connected to the span port):

ciscoasa(config)#firewall transparent
ciscoasa(config)# interface gigabitethernet0/0 
ciscoasa(config-if)# no nameif
ciscoasa(config-if)# traffic-forward sfr monitor-only
ciscoasa(config-if)# no shutdown

Thanks for your response

y.lo — Mon, 03 Aug 2015 13:24:05 GMT

Thanks for your response Marvin. However I think the information you provided are for FirePOWER software module.

There is no such command "traffic-forward sfr monitor-only" on any ASA 5585X interface, which runs 9.2.3.4.

Regarding the transparent mode, may I know how to switch to it?

As noted in the command

Marvin Rhoads — Mon, 03 Aug 2015 13:30:34 GMT

As noted in the command reference, transparent mode is a prerequisite for the command. So to setup the traffic-forward command used in span port configurations, the ASA must FIRST be in transparent mode.

The first command I listed does that (and clears your entire pre-existing configuration - so make sure you are on console and the firewall isn't handling production traffic!).

Thanks for the comment. I

y.lo — Mon, 03 Aug 2015 13:37:54 GMT

Thanks for the comment. I will give it a try.

In the document I quoted at the very beginning, it says that to configure passive mode, we should use in a service policy map

sfr fail-open monitor-only

What is the purpose of this command?

You can do it in a service

Marvin Rhoads — Mon, 03 Aug 2015 13:43:18 GMT

You can do it in a service policy map like they say. The difference is that also allows the other base ASA features to be configured an operating on the traffic and the FirePOWER module is the passive element. We would use that method when you had an existing routed ASA and only wanted to test the FirePOWER module features without affecting other traffic through the box.

When you have a span port, the ASA by definition isn't needed for anything but passive monitoring.

Hi Marvin,

7maloney4 — Tue, 02 Feb 2016 05:56:45 GMT

Hi Marvin,

I have set up my asa with the commands above what I notice when I discover the Firepower sensor is that Firesight does not see the GI0/0 data interface. I am assuming that I can forward the spanned sensor data to firesight? Firesight 5.4.1 Firepower 5.4.05-24.

Thanks Cameron

@7maloney4,

Marvin Rhoads — Tue, 02 Feb 2016 13:45:29 GMT

@7maloney4,

Please share your configuration, specifically for interface Gi0/0.

Hi Marvin,

7maloney4 — Tue, 02 Feb 2016 23:34:27 GMT

Hi Marvin,

int gi0/0

firewall transparent
interface gigabitethernet0/0
no nameif
traffic-forward sfr monitor-only

no shutdown

Thanks Cameron

That looks right. FireSIGHT

Marvin Rhoads — Wed, 03 Feb 2016 03:51:04 GMT

That looks right. FireSIGHT will not see the data interface and recognize it as part of a security zone in this use case - that's by design.

However your policies should still be effective - i.e., be able to trigger on the passively collected data.

Ah ok when I didn't see the

7maloney4 — Wed, 03 Feb 2016 04:41:00 GMT

Ah ok when I didn't see the Interface I assumed there was an issue I will have a look for the data.

Thankyou for your help Cameron.