Cisco ASA Firepower - Monitor-Only Mode Deployment Question

Hi,

We will be doing a POV for ASA Firepower services (ASA 5506X) and came across a question about deployment. Our goal is not to touch/impact the network and to introduce the ASA Firepower Services into production in monitor-only mode to analyze traffic. We knew that the ASA needs to be in transparent mode for this.

My question is, can we just change the ASA mode to transparent, assign an interface to Firepower traffic-forward, and nothing else on the ASA, as we want to use only the Firepower services?

My core switch has a connection to the Internet router and I do not want to put the ASA in the path using transparent mode. Just SPAN from the switch to ASA Firepower? Can this be done? I do not want to use the ASA at all...

Ravi

1 Accepted Solution

Accepted Solutions

Dennis Perto
Level 5

This is indeed doable.

Page 16-21 in this document: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.pdf

The ASA must be configured in Single context and transparent mode.

interface gigabitethernet 0/5
 no nameif
 traffic-forward sfr monitor-only
 no shutdown

11 Replies

Thanks.

Is this traffic-forward interface separate from firepower management 1/1 or can I use M1/1 as traffic-forward interface?

You cannot use the Management port as the listening port.

The management port is only used for managing the ASA and the Firepower module. :)
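As an added example (not from this thread or from Cisco), a small Python check that parses an ASA configuration in the form shown in the accepted answer and reports whether it meets the requirements stated here: transparent single-context mode, a listening interface with no nameif, traffic-forward sfr monitor-only and no shutdown, and that interface not being the Management port. The configuration text and addresses are constructed for the example.

```python
# Constructed sample: the stanza from the accepted answer plus the global
# "firewall transparent" line and a typical Management1/1 block.
SAMPLE_CONFIG = """\
firewall transparent
interface Management1/1
 management-only
 nameif management
 ip address 192.0.2.10 255.255.255.0
interface GigabitEthernet0/5
 no nameif
 traffic-forward sfr monitor-only
 no shutdown
"""


def parse_interfaces(config):
    """Group the indented sub-commands under their 'interface <name>' header."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def check_monitor_only(config):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "firewall transparent" not in lines:
        findings.append("ASA is not in transparent firewall mode")
    if "mode multiple" in lines:
        findings.append("multiple context mode is not supported for traffic-forward")
    # Only interfaces that actually forward to the SFR module are checked further.
    fwd = {name: cmds for name, cmds in parse_interfaces(config).items()
           if "traffic-forward sfr monitor-only" in cmds}
    if not fwd:
        findings.append("no interface has 'traffic-forward sfr monitor-only'")
    for name, cmds in fwd.items():
        if name.lower().startswith("management"):
            findings.append(f"{name}: the Management port cannot be the listening port")
        if "no nameif" not in cmds:
            findings.append(f"{name}: traffic-forward interface must have 'no nameif'")
        if "no shutdown" not in cmds:
            findings.append(f"{name}: interface is shut down")
    return findings
```

Running check_monitor_only(SAMPLE_CONFIG) returns an empty list; removing the "firewall transparent" line or placing the traffic-forward command under Management1/1 produces a finding.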

Thanks. Understand now.

My purpose was solved. Now we are successful with Firepower services without configuring anything else on the ASA in the network.

So a stand-alone ASA-X could, in "traffic-forward sfr monitor-only"-mode, provide the visibility for Users/applications/traffic rates/URLs, that we do not get from the classic ASA?

Can the Firepower module forward all that info by Syslog to my external SIEM/Cloud App analysis system?

How about performance numbers for this passive setup?

Thanks!

Whatever you can get out of your standard Firepower installation, you can also get out of this passive listening setup with a standalone ASA connected to either an FMC or managed on-board, while sending all the syslog you want. :)

Performance numbers depend on the model of the ASA. You are welcome to call me.

Hi, we will also be doing this setup using an FTD 5508-X.

Would it still be possible for a passive deployment using the FTD 5508-X?

Appreciate your response.

Sure - either an ASA with ASA software and a Firepower service module or an ASA (or Firepower) appliance running FTD can work in such a scenario.

But it is not available for FDM only right?

By the way, for this passive interface deployment, does it also mean one interface is enough to monitor the traffic?

TIA!

That's correct, you cannot configure passive mode interfaces using FDM. See the following:

When you use Firepower Device Manager to configure the device, there are several limitations to interface configuration. If you need any of the following features, you must use Firepower Management Center to configure the device.

  • Routed firewall mode only is supported. You cannot configure transparent firewall mode interfaces.

  • IPS-only mode is not supported. You cannot configure interfaces to be inline, inline tap, passive, or ERSPAN for IPS-only processing. IPS-only mode interfaces bypass many firewall checks and only support IPS security policy. In comparison, Firewall mode interfaces subject traffic to firewall functions such as maintaining flows, tracking flow states at both IP and TCP layers, IP defragmentation, and TCP normalization. You can also optionally configure IPS functions for this firewall mode traffic according to your security policy.

  • You cannot configure EtherChannel or redundant interfaces.

(plus several more limitations)

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/fdm/fptd-fdm-config-guide-620/fptd-fdm-interfaces.html#concept_6940083A55184D009B6406EF167C9DD4

A single interface is indeed enough to monitor the traffic.

sreejith_r
Level 1

Hi Ravi,

As far as I understand, in passive monitor-only mode we won't be creating access control policies. Then how do we see recommended actions from FMC? Will they be seen under Threats/Intrusion events?
