Cisco ASA Firepower - Monitor-Only Mode Deployment Question

Hi,

We will be doing a POV for ASA Firepower services(ASA 5506X) and came across a question about deployment. Our goal is not to touch/impact the network and introduce the ASA Firepower Services into the production with monitor-only mode to analyze traffic. We knew that the ASA needs to be in transparent for this.

My question is, Can we just change ASA mode to transparent, assign a interface to Firepower traffic forward, nothing else on ASA as we want to use only firepower services?

My core switch has connection to Internet router and do not want to put ASA in the path using transparent. Just SPAN from switch to ASA Firepower? Can this be done? Do not want to use ASA at all...

Ravi

Accepted Solution
Contributor

This is indeed doable.

Pages 16-21 in this document: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.pdf

The ASA must be configured in Single context and transparent mode.

interface gigabitethernet 0/5
 no nameif
 traffic-forward sfr monitor-only  
 no shutdown

Thanks. Thought of the same.

Is this traffic-forward interface separate from firepower management 1/1 or can I use M1/1 as traffic-forward interface?

Contributor

You cannot use the Management port as the listening port.

The management port is only used for managing the ASA and the Firepower module. :)
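An added example (not from the thread and not Cisco's code) that audits a saved ASA running-config for the prerequisites the accepted solution and this reply spell out: transparent firewall mode, an interface carrying `traffic-forward sfr monitor-only` with `no nameif` and not shut down, and that interface not being the Management port. The sample config is constructed; context mode is not visible in a running-config, so it is not checked.

```python
"""Check an ASA running-config for the SFR monitor-only prerequisites
given in the thread. Added example; the sample config is constructed."""

# Constructed sample config, not taken from a real device.
SAMPLE_CONFIG = """\
firewall transparent
hostname asa5506
interface GigabitEthernet1/1
 no nameif
 traffic-forward sfr monitor-only
 no shutdown
!
interface Management1/1
 nameif management
 security-level 100
 ip address 192.0.2.10 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from ASA-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_monitor_only(config):
    """Return findings; an empty list means the thread's requirements hold."""
    findings = []
    if "firewall transparent" not in config.splitlines():
        findings.append("ASA is not in transparent firewall mode")
    forwarders = []
    for name, cmds in parse_interfaces(config).items():
        if "traffic-forward sfr monitor-only" not in cmds:
            continue
        forwarders.append(name)
        if name.lower().startswith("management"):
            findings.append(f"{name}: Management interface cannot be the traffic-forward port")
        if "no nameif" not in cmds:
            findings.append(f"{name}: traffic-forward interface must have 'no nameif'")
        if "shutdown" in cmds:
            findings.append(f"{name}: interface is shut down")
    if not forwarders:
        findings.append("no interface has 'traffic-forward sfr monitor-only'")
    return findings
```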

Thanks. Understand now.

My purpose was solved. We now have Firepower services working without configuring anything else on the ASA in the network.

Beginner

So a stand-alone ASA-X could, in "traffic-forward sfr monitor-only" mode, provide the visibility into users/applications/traffic rates/URLs that we do not get from the classic ASA?

Can the Firepower module forward all that info by Syslog to my external SIEM/Cloud App analysis system?

How about performance numbers for this passive setup?

Thanks!

Contributor

Whatever you can get out of your standard Firepower installation, you can also get out of this passive listening setup with a standalone ASA connected to either an FMC or managed on-box, while sending all the syslog you want. :)

Performance numbers depend on the model of the ASA. You are welcome to call me.

Beginner

Re: Whatever you can get out of

Hi, we will also be doing this setup using an FTD 5508-X.

Would a passive deployment still be possible using the FTD 5508-X?
Appreciate your response.

Hall of Fame Master

Re: Whatever you can get out of

Sure - either an ASA with ASA software and a Firepower service module or an ASA (or Firepower) appliance running FTD can work in such a scenario.

Beginner

Re: Whatever you can get out of

But it is not available for FDM only, right?

By the way, for this passive interface deployment, does it also mean one interface is enough to monitor the traffic?

TIA!

Hall of Fame Master

Re: Whatever you can get out of

That's correct, you cannot configure passive mode interfaces using FDM. See the following:

When you use Firepower Device Manager to configure the device, there are several limitations to interface configuration. If you need any of the following features, you must use Firepower Management Center to configure the device.

  • Routed firewall mode only is supported. You cannot configure transparent firewall mode interfaces.

  • IPS-only mode is not supported. You cannot configure interfaces to be inline, inline tap, passive, or ERSPAN for IPS-only processing. IPS-only mode interfaces bypass many firewall checks and only support IPS security policy. In comparison, Firewall mode interfaces subject traffic to firewall functions such as maintaining flows, tracking flow states at both IP and TCP layers, IP defragmentation, and TCP normalization. You can also optionally configure IPS functions for this firewall mode traffic according to your security policy.

  • You cannot configure EtherChannel or redundant interfaces.

(plus several more limitations)

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/fdm/fptd-fdm-config-guide-620/fptd-fdm-interfaces.html#concept_6940083A55184D009B6406EF167C9DD4

A single interface is indeed enough to monitor the traffic.

Beginner

Re: Cisco ASA Firepower - Monitor-Only Mode Deployment Question

Hi Ravi,

As far as I understand, in passive monitor-only mode we won't be creating access control policies. Then how do we see recommended actions from FMC? Will they be seen under Threats/Intrusion events?
