
ASA 5585-X with SourceFire

m.yost
Beginner

I am looking at a 5585-X with SourceFire but am unsure if traffic flow is similar to the software-based SourceFire on the lower-end ASAs. In the low-end ASAs, the traffic is passed from ASA to SourceFire and back to ASA through the backplane. With the 5585-X solution, the SourceFire card has physical interfaces on it. Are the physical interfaces only used with tap/mirror traffic when in IDS mode? Or do you have to direct traffic through them in inline mode as well? This obviously changes the L1/L2 design if we have to physically force the traffic through the SourceFire module.

The second question I had was how do things work with SourceFire and multiple contexts? It appears multiple contexts are supported; however, is it possible to define different SourceFire policies depending on which context we are dealing with?

Thanks

Accepted Solution

erkostla
Cisco Employee

The packet flow is the same for midrange and the 5585-X. The interfaces on the FirePOWER card act like ordinary ASA interfaces. Traffic entering them is sent through the backplane to the ASA module for ingress processing and then passed back to the FirePOWER module (if the MPF indicates that it should). The only exception is the management interface. Unlike the midrange firewalls, on the 5585-X the FirePOWER module and ASA module have separate management interfaces.

If the ASA is in multi-context mode, there is a single instance of FirePOWER. Each context decides what traffic to forward to the FirePOWER. There is a single access policy that applies to all contexts, but you can use security zones to apply specific rules to specific contexts. Also, events can be filtered based on security context.
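To make the "each context decides what to forward" point concrete, here is an added example of the ASA Modular Policy Framework (MPF) configuration that redirects a context's traffic to the FirePOWER (sfr) module; it is not from the thread or from Cisco documentation. It assumes ASA 9.x with the sfr module installed, and the ACL, class-map and host address are placeholders.

```cisco
! Added example (not from the thread). Assumes ASA 9.x with the FirePOWER
! (sfr) module installed. SFR_REDIRECT, SFR_CLASS and 10.0.0.5 are placeholders.
! Enter these inside the security context whose traffic should be inspected:
!   changeto context CTX-A        (CTX-A is an assumed context name)

! 1. Select which flows this context hands to the module. Here: all IP
!    traffic except flows to one management host that should stay uninspected.
access-list SFR_REDIRECT extended deny ip any host 10.0.0.5
access-list SFR_REDIRECT extended permit ip any any

! 2. Class map that matches the selection ACL.
class-map SFR_CLASS
 match access-list SFR_REDIRECT

! 3. Attach the redirect action to the context's global policy.
!    fail-open  : traffic keeps flowing if the module is down or overloaded
!    fail-close : traffic is dropped instead (use where inspection is mandatory)
!    Append "monitor-only" to the sfr line for passive, IDS-style inspection
!    in which the module sees a copy of the flow but cannot block it.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open

service-policy global_policy global

! 4. Verify that the redirect is active and the module is healthy.
show service-policy sfr
show module sfr details
```

Repeat the class/policy in every context that should be inspected; the module remains a single instance with one access policy, as the answer above states, and the choice of which flows reach it is made per context in the MPF.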


