Ok, i got it.

What about passive mode? Does physical FP have it ?

For example can i install FP inline and step-by-step enable policie? So it will not affect production traffic.

Yup, physical FP have everything that a virtual FP have and much more.

You can use a single interface to use it in passive mode or have it inline and still make sure the IPS is in IDS mode to just detect things and not drop anything so you can proceed with step by step installation.

thanks!

One more thing - can FP work as Active-Active? I found information about active\standby cluster but what if we have Active\active setup ? 

Hi

It can. You have have the both the FP registered to same FMC as individual units and have then as active-active. or use them in stack to combine the strength of both the device into one.

http://www.cisco.com/c/en/us/support/docs/security/firepower-8000-series-appliances/200306-Configuration-of-Stack-on-the-Cisco-Fire.html

Rate if helps.

Yogesh

things got a little bit clearer :)

Last one - can we remove our proxy and change it to FP?
We are using client authorization (access policy based on user group) and URL filtration. For this task as i assume we need to install sourcefire agent on AD and then it will make mapping. but what if our user will change network location ? For example he was using wired access then switched to wireless obviously IP chaged but reauthentication wasn't done ( no reason to).
Will FP understand that this is the same user but with different IP ?

Awesome!

So to convert information to knowledge let me sum it up:

We can place FP after the cisco ASA in A\A mode as two separated boxes in L2 mode (no l3 for passing traffic) connected to one FMSC. For deployment scenario we place it in inline mode and all policies in monitor. Then step-by-step enable policies and test result. SSL inspection will be active for all traffic egress from users and ingress to servers so we can protect hosted web-sites(via MITM). For user auhtorization we will use sourcefire agent. For entire traffic we can enable AMP services.

Am I missing something ?

You got it all covered.

Awesome!

Thank you very much! 

Hi,

found another question :)

If we have 8 copper interfaces on FP, i assume its 4 pairs of In/out groups.

We have two traffic points - in DMZ and internal. Can we connect 2 pairs to DMZ and another 2 to internal traffic point ?

Policies will be bounded to this "zones".

But what is concerning that FP will see double traffic when some one is going from internal zone to dmz.

For example we have one pair of interface right behind FW - it's will cover all egress traffic to internet. And another point right after core switches, so it will see any egress trafic to DMZ and to WAN. 

Will it be working properly ? Because traffic will pass FP two times.