Firepower Threat Defense on ISR - DMVPN Phase 1 spoke to spoke traffic
If we are using an ISR 4000 series as a DMVPN hub (DMVPN Phase 1) and want to run a Firepower sensor on a UCS-E series compute module within that module, will the sensor see spoke-to-spoke traffic bouncing off the hub? If so, are we limited to IDS mode or is inline IPS mode possible?
Best I can tell, based on the link below, traffic needs to physically come in through a front panel port, be bridged to the sensor, then sent back to the router for it to be in IPS mode. That would not include DMVPN spoke-to-spoke traffic, I would think. Finally, if we are able to do IPS mode for the traffic specified, are we able to write zone-based firewall rules on the sensor? There is mention in Cisco docs that ZBFW is not supported on BDI in IPS mode, so I would hope those rules would be written on the sensor.
Worst case scenario, we can just do IOS ZBFW and IOS Snort IPS; however, I don't want to spend $$$ on a UCS-E series then find out I can't do what I need to do.