topic Re: Cisco ASA use Sophos UTM IPS in Network Security

Cisco ASA use Sophos UTM IPS

Mokhalil82 — Fri, 21 Feb 2020 15:45:58 GMT

I am trying to understand if the ASA can use the IPS on the Sophos UTM 9.

We have a pair of ASA 5585-X firewalls with IPS. I am in the process of looking to replace the IPS module with a firepower module.

We also have a Sophos UTM 9 that does all the email and web filtering etc.

Am I able to utilize the IPS functionality of the Sophos UTM to work with the ASA?

Not that I want to do that but its a question I just want to answer whether it can work

Thanks

Re: Cisco ASA use Sophos UTM IPS

Florin Barhala — Mon, 14 May 2018 13:21:42 GMT

Why wouldn't work?
It ALL depends of the design you're using to scan traffic already with your UTM appliances. Are you using some kind of "transparent mode" or you redirect traffic? Just add a network diagram for your setup.

Re: Cisco ASA use Sophos UTM IPS

Mokhalil82 — Mon, 14 May 2018 14:41:34 GMT

I have just attached a diagram.

The UTM sits alongside the ASA currently. The ASA does the IPSEC VPNs and the UTM does the SSL VPNs.

All our web traffic currently uses the inside address of the UTM as the gateway (the computers have a client that talks to the sophos cloud web gateway which proxies the web traffic to the UTM first) and then sent out the inside interface to the ASA before leave the outside interface of the ASA.

So If in this case we want to utilize Sophos for the IPS, what is the best way to achieve this?

Re: Cisco ASA use Sophos UTM IPS

Bogdan Nita — Mon, 14 May 2018 15:31:36 GMT

I usually try to avoid designs where there are 2 default gateways possible and one of those is the ASA.
They may work at first, but after a while a request will come that can't be done because the ASA does not support icmp redirections and wants to see the going and return traffic.
Usually it's a better idea to have only one device as default gateway and the other one connected using a interconnect network.
I am not familiar with the Sophos UTM, but if it is a UTM it has the functions available on the ASA and plus some, so why still use the ASA in this case ?
If you want to offload the site to site VPNs to the ASA, I would use the UTM as default gateway and have a interconnect to the ASA so that vpn traffic still gets filtered by the UTM.
If you are planning to use both devices for filtering traffic, the acl based device (in this case the ASA) would be placed before and the IPS, because devices running IPS are more resource intensive.

HTH

Bogdan

Re: Cisco ASA use Sophos UTM IPS

Florin Barhala — Tue, 15 May 2018 13:55:19 GMT

I subscribe's to Bogdan's reply. I would preferably use transparent mode for UTM so you will be left with only "one default gateway".