Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
619
Views
0
Helpful
1
Replies

ASA 5500-X with Sourcefire and HTTP Inspection

Go to solution
snowmizer
Level 1
Level 1

‎03-17-2015 12:50 PM - edited ‎03-11-2019 10:39 PM

I have an ASA 5525-X with the Sourcefire module and would like some verification about whether HTTP inspection should be enabled on the ASA. Basically, on my 5510 I had a HTTP inspect policy configured on the outside interface (matching specific URI information) which also dropped connections with HTTP protocol violations. When setting up my 5525-X I set up the same inspect policy on the outside interface I'm running into an issue where I can't download ISOs from Microsoft because the ASA is dropping the connection since there is a HTTP protocol violation.

Couple of questions:

1. Should I be doing http inspection on any interface on the ASA or leave that to the Sourcefire module?

2. How can I find out what the protocol violation is and how can I fix it?

 

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
sjarchung
Level 1
Level 1

‎09-02-2016 11:11 PM

Compatibility with ASA Features

The ASA includes many advanced application inspection features, including HTTP inspection. However, the ASA FirePOWER module provides more advanced HTTP inspection than the ASA provides, as well as additional features for other applications, including monitoring and controlling application usage.

You must follow these configuration restrictions on the ASA:

  • Do not configure ASA inspection on HTTP traffic that you send to the ASA FirePOWER module.
  • Do not configure Cloud Web Security (ScanSafe) inspection on traffic that you send to the ASA FirePOWER module. If traffic matches both your Cloud Web Security and ASA FirePOWER service policies, the traffic is forwarded to the ASA FirePOWER module only. If you want to implement both services, ensure there is no overlap between the traffic matching criteria for each service.
  • Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA FirePOWER module.

Other application inspections on the ASA are compatible with the ASA FirePOWER module, including the default inspections.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
sjarchung
Level 1
Level 1

‎09-02-2016 11:11 PM

Compatibility with ASA Features

The ASA includes many advanced application inspection features, including HTTP inspection. However, the ASA FirePOWER module provides more advanced HTTP inspection than the ASA provides, as well as additional features for other applications, including monitoring and controlling application usage.

You must follow these configuration restrictions on the ASA:

  • Do not configure ASA inspection on HTTP traffic that you send to the ASA FirePOWER module.
  • Do not configure Cloud Web Security (ScanSafe) inspection on traffic that you send to the ASA FirePOWER module. If traffic matches both your Cloud Web Security and ASA FirePOWER service policies, the traffic is forwarded to the ASA FirePOWER module only. If you want to implement both services, ensure there is no overlap between the traffic matching criteria for each service.
  • Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA FirePOWER module.

Other application inspections on the ASA are compatible with the ASA FirePOWER module, including the default inspections.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card