4029 Views | 0 Helpful | 7 Replies

ASA FirePower and Protocol Inspection

WILLIAM STEGMAN
Level 4

When I begin forwarding traffic to an ASA's FirePOWER module, either in in-line or monitor-only mode, do I need to disable the traditional protocol inspection offered by the ASA, such as is found in the global policy map that inspects HTTP, FTP, ICMP, etc.? I know FTP inspection allows for some active FTP connections, and turning it off might impact production. Is anyone aware of any recommendations or caveats regarding deploying the FirePOWER module and conflicts with traditional protocol inspection?

thank you, 

Bill


Update, this is addressed at:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-139412

Looks like it only applies to HTTP

7 Replies

Dinkar Sharma
Cisco Employee

Hi William,

You don't need to disable any other protocol inspection. I believe the document refers to disabling HTTP inspection in regards to ScanSafe. You would simply be adding more overhead in traffic inspection if FirePOWER is performing URL filtering (HTTP/HTTPS) inspection for you.

Thanks,

Dinkar


Hi Dinkar,

Isn't the Sourcefire network analysis policy a protocol inspection by itself?

I was wondering if the two interfere with each other, or at least if it's a waste of CPU having both enabled.

Regards,

Massimo.

Hi Massimo,

Adding to what Dinkar has suggested, the inspection on the ASA is used to make changes in the layer 7 header of applications such as FTP. So if you have NAT for the FTP traffic, the ASA inspection would be used to create pinholes and perform IP translation on the layer 7 payload of the FTP traffic. Whereas the inspection on Sourcefire is used to permit/deny the traffic based on the security policies on the SFR.

So basically the ASA and the SFR work in tandem to provide overall control on traffic.

Hope it answers your query.

Thanks,

R.Seth

Rate if it helps!!

Hi Rishabh,

Your exposition is absolutely clear to me, but what happens to Sourcefire if ASA inspection is configured to block or alter traffic based on the L7 payload?

Is ASA inspection happening before or after Sourcefire?

Thanks,

Massimo.

As per my understanding the ASA inspection takes place before the SFR.

For compatibility you can refer to the link which Dinkar has suggested in his post. Here is an excerpt from the same doc:

Compatibility with ASA Features

The ASA includes many advanced application inspection features, including HTTP inspection. However, the ASA FirePOWER module provides more advanced HTTP inspection than the ASA provides, as well as additional features for other applications, including monitoring and controlling application usage.

You must follow these configuration restrictions on the ASA:

  • Do not configure ASA inspection on HTTP traffic that you send to the ASA FirePOWER module.
  • Do not configure Cloud Web Security (ScanSafe) inspection on traffic that you send to the ASA FirePOWER module. If traffic matches both your Cloud Web Security and ASA FirePOWER service policies, the traffic is forwarded to the ASA FirePOWER module only. If you want to implement both services, ensure there is no overlap between the traffic matching criteria for each service.
  • Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA FirePOWER module.

Other application inspections on the ASA are compatible with the ASA FirePOWER module, including the default inspections.

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!
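As an added illustration of the first restriction in that excerpt (this is example configuration, not taken from any post above or from the Cisco document), the fragment below shows an ASA service policy that both inspects HTTP itself and redirects the same flows to the FirePOWER module, beside the corrected form that removes ASA HTTP inspection while keeping FTP, ICMP and the other compatible inspections. The access-list name, class-map name and the `fail-open` choice are assumptions.

```cisco
! --- Weak: HTTP is inspected twice. The ASA's own inspect http runs
! --- on flows that are then also redirected to the sfr module, which
! --- the quick start guide says not to do.
access-list sfr_redirect extended permit ip any any
class-map sfr_class
 match access-list sfr_redirect
policy-map global_policy
 class inspection_default
  inspect http        ! overlaps with FirePOWER HTTP inspection
  inspect ftp         ! needed for active FTP pinholes / NAT fixup
  inspect icmp
 class sfr_class
  sfr fail-open       ! fail-close would drop traffic if the module is down
service-policy global_policy global

! --- Corrected: leave the default, compatible inspections in place and
! --- remove only ASA HTTP inspection from traffic sent to the module.
policy-map global_policy
 class inspection_default
  no inspect http
  inspect ftp
  inspect icmp
 class sfr_class
  sfr fail-open

! Verify: "show service-policy" should list the sfr action on the
! class and no "Inspect: http" line in inspection_default.
```

If only part of the traffic is redirected (a narrower `sfr_redirect` ACL), HTTP inspection can remain for the flows the ACL does not match, since the restriction applies only to traffic that reaches the module.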

Thank you Rishabh!!!

Hi all

Does anybody know of recommendations for FTD deployments regarding inspects? Since good ol' ASA code still runs the lower layers of FTD, have the inspects gone, or are they applied in the background with default settings? I can't find anything inspect-related on the FTD platform setting in the FMC which is where I'd look for them.

Concrete question: My customer would like to make strict HTTP checks, e.g. he doesn't want to allow Telnet connections on port 80 towards HTTP servers. How would you configure such protocol enforcement options in FTD? I'm not sure how I'd have to configure this using HTTP configuration preprocessors...

Toni
