07-09-2015 10:11 AM
I am looking at a 5585-X with SourceFire but am unsure if traffic flow is similar to the software-based SourceFire on the lower-end ASAs. In the low-end ASAs, the traffic is passed from ASA to Sourcefire and back to ASA through the backplane. With the 5585-X solution, the SourceFire card has physical interfaces on it. Are the physical interfaces only used with tap/mirror traffic when in IDS mode? Or do you have to direct traffic through them in inline mode as well? This obviously changes the L1/L2 design if we have to physically force the traffic through the SourceFire module.
The second question I had was how do things work with SourceFire and multiple contexts? It appears multiple contexts are supported; however, is it possible to define different SourceFire policies depending on which context we are dealing with?
Thanks
07-13-2015 09:49 AM
The packet flow is the same for midrange and the 5585-X. The interfaces on the FirePOWER card act like ordinary ASA interfaces. Traffic entering them is sent through the backplane to the ASA module for ingress processing and then passed back to the FirePOWER module (if the MPF indicates that it should). The only exception is the management interface. Unlike the midrange firewalls, on the 5585-X the FirePOWER module and ASA module have separate management interfaces.
If the ASA is in multi-context mode, there is a single instance of FirePOWER. Each context decides what traffic to forward to the FirePOWER module. There is a single access policy that applies to all contexts, but you can use security zones to apply specific rules to specific contexts. Also, events can be filtered based on security context.
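To make the "if the MPF indicates that it should" part concrete, here is an added example of the ASA Modular Policy Framework configuration that decides which flows get handed over the backplane to the FirePOWER (sfr) module. It is not from the original post or from Cisco documentation; the ACL name, class-map name, subnet and interface names are constructed for illustration. In multi-context mode this is entered inside each context, which is how each context decides independently what to forward, while the module itself still runs one access policy.

```cisco
! --- Context A: inline inspection of traffic headed to the DMZ ---
! Constructed example names; replace with your own.
access-list SFR_REDIRECT extended permit ip any 10.10.20.0 255.255.255.0

class-map SFR_CLASS
 match access-list SFR_REDIRECT

policy-map global_policy
 class SFR_CLASS
  ! Inline: the module can drop packets. fail-open keeps traffic
  ! flowing if the module goes down; fail-close blocks it instead.
  sfr fail-open

service-policy global_policy global

! --- Context B: IDS-style monitoring only, for all traffic ---
! A copy goes to the module over the backplane; nothing is blocked,
! so no physical re-cabling through the card's ports is needed.
class-map SFR_ALL
 match any

policy-map global_policy
 class SFR_ALL
  sfr fail-open monitor-only

service-policy global_policy global
```

Because the redirect is a per-context MPF decision, the practical check is `show service-policy sfr` in each context: it confirms which class is being sent to the module and whether it is inline or monitor-only, which answers the cabling question without touching the card's physical interfaces at all.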