08-03-2015 02:06 AM - edited 03-10-2019 06:25 AM
We would like to connect an ASA 5585-X FirePOWER hardware module to a switch SPAN port to discover current live traffic on the production network.
However there is no traffic being captured using a service-policy.
The documentation I can find is about configuring the software FirePOWER module, with a passive monitor-only interface to capture traffic from a switch SPAN port. The configuration for the 5585-X FirePOWER hardware module in passive mode does not mention a switch SPAN port.
Can the 5585-X FirePOWER hardware module do the same as the software module and capture traffic from a switch SPAN port?
08-03-2015 06:16 AM
To use a FirePOWER module where the ASA is monitor-only off a span port, the ASA must first be in transparent mode. (The default mode is routed.)
Note that switching to transparent mode will clear the configuration of the ASA!
So, the following is required at a minimum (given int gi0/0 - otherwise substitute whatever interface is connected to the span port):
ciscoasa(config)# firewall transparent
ciscoasa(config)# interface gigabitethernet0/0
ciscoasa(config-if)# no nameif
ciscoasa(config-if)# traffic-forward sfr monitor-only
ciscoasa(config-if)# no shutdown
08-03-2015 06:24 AM
Thanks for your response, Marvin. However, I think the information you provided is for the FirePOWER software module.
There is no such command "traffic-forward sfr monitor-only" on any ASA 5585-X interface, which runs 9.2.3.4.
Regarding the transparent mode, may I know how to switch to it?
08-03-2015 06:30 AM
As noted in the command reference, transparent mode is a prerequisite for the command. So to setup the traffic-forward command used in span port configurations, the ASA must FIRST be in transparent mode.
The first command I listed does that (and clears your entire pre-existing configuration - so make sure you are on console and the firewall isn't handling production traffic!).
08-03-2015 06:37 AM
Thanks for the comment. I will give it a try.
In the document I quoted at the very beginning, it says that to configure passive mode, we should use the following in a service policy map:
sfr fail-open monitor-only
What is the purpose of this command?
08-03-2015 06:43 AM
You can do it in a service policy map like they say. The difference is that that method also allows the other base ASA features to be configured and operating on the traffic, and the FirePOWER module is the passive element. We would use that method when you have an existing routed ASA and only want to test the FirePOWER module features without affecting other traffic through the box.
When you have a span port, the ASA by definition isn't needed for anything but passive monitoring.
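The two passive deployments Marvin contrasts above (the transparent-mode SPAN interface with traffic-forward, and the routed ASA redirecting to the module with sfr fail-open monitor-only in a policy-map) have different prerequisites, and the original poster's symptom in this thread is exactly a prerequisite failure: traffic-forward is not accepted while the ASA is still routed. The checker below is an added example, not code from the thread or from Cisco, that parses a pasted ASA configuration excerpt and reports which passive mode it expresses and what is missing. The parser, its interface/policy-map handling and the three sample configurations are constructed here for illustration; it only recognises the commands used in this thread plus the standard `policy-map`/`class`/`service-policy` wrapping around `sfr fail-open monitor-only`.

```python
import re
from dataclasses import dataclass, field

# Sub-commands that may appear un-indented when a config is pasted by hand
# (the thread's own paste lost its indentation). Any other un-indented line
# is treated as a top-level command. Assumption for this example.
SUBCMD_WORDS = {"nameif", "no", "shutdown", "traffic-forward", "security-level",
                "ip", "bridge-group", "description", "sfr", "inspect", "police"}


@dataclass
class AsaConfig:
    top: list = field(default_factory=list)          # top-level commands
    interfaces: dict = field(default_factory=dict)   # iface -> [sub-commands]
    policy_maps: dict = field(default_factory=dict)  # pm -> {class -> [sub-commands]}


def parse_asa_config(text):
    """Minimal ASA config parser: tracks interface and policy-map/class blocks."""
    cfg = AsaConfig()
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw[:1].isspace()
        m = re.match(r"interface\s+(\S+)$", line, re.I)
        if m:
            ctx = ("if", m.group(1).lower())
            cfg.interfaces.setdefault(ctx[1], [])
            continue
        m = re.match(r"policy-map\s+(?:type\s+\S+\s+)?(\S+)", line, re.I)
        if m:
            ctx = ("pm", m.group(1), None)
            cfg.policy_maps.setdefault(m.group(1), {})
            continue
        m = re.match(r"class\s+(\S+)", line, re.I)
        if m and ctx and ctx[0] == "pm":
            ctx = ("pm", ctx[1], m.group(1))
            cfg.policy_maps[ctx[1]].setdefault(m.group(1), [])
            continue
        if re.match(r"class-map\b", line, re.I):
            ctx = ("other",)          # class-map bodies are not needed here
            continue
        if ctx and (indented or line.split()[0].lower() in SUBCMD_WORDS):
            if ctx[0] == "if":
                cfg.interfaces[ctx[1]].append(line.lower())
            elif ctx[0] == "pm" and ctx[2] is not None:
                cfg.policy_maps[ctx[1]][ctx[2]].append(line.lower())
            continue
        ctx = None
        cfg.top.append(line.lower())
    return cfg


def check_passive_monitoring(text):
    """Return (mode, findings): mode is 'span' for the transparent-mode
    traffic-forward method, 'service-policy' for the routed ASA with the
    module as passive element, or None if neither is configured."""
    cfg = parse_asa_config(text)
    findings = []
    transparent = "firewall transparent" in cfg.top
    span_ifaces = [n for n, subs in cfg.interfaces.items()
                   if "traffic-forward sfr monitor-only" in subs]
    sfr_actions = [(pm, cls, s) for pm, classes in cfg.policy_maps.items()
                   for cls, subs in classes.items() for s in subs if s.startswith("sfr ")]

    if span_ifaces:
        mode = "span"
        if not transparent:
            findings.append("traffic-forward sfr monitor-only is only accepted in transparent "
                            "mode; 'firewall transparent' is missing (changing mode clears the config)")
        for name in span_ifaces:
            subs = cfg.interfaces[name]
            if any(s.startswith("nameif ") for s in subs):
                findings.append(f"{name}: has a nameif; the SPAN interface must be 'no nameif'")
            if "shutdown" in subs:
                findings.append(f"{name}: interface is shut down")
    elif sfr_actions:
        mode = "service-policy"
        for pm, cls, action in sfr_actions:
            if "monitor-only" not in action:
                findings.append(f"{pm}/{cls}: '{action}' sends traffic inline, not passively; "
                                "expected 'sfr fail-open monitor-only'")
            if not any(re.match(rf"service-policy\s+{re.escape(pm)}\b", t, re.I) for t in cfg.top):
                findings.append(f"policy-map {pm} is never applied with a 'service-policy' command")
    else:
        mode = None
        findings.append("no FirePOWER redirection found: neither 'traffic-forward sfr monitor-only' "
                        "on an interface nor 'sfr ... monitor-only' in a policy-map")
    return mode, findings


# Constructed sample configurations (not captured from any real device).
SPAN_TRANSPARENT = """firewall transparent
interface GigabitEthernet0/0
 no nameif
 traffic-forward sfr monitor-only
 no shutdown
"""
SPAN_STILL_ROUTED = """hostname ciscoasa
interface GigabitEthernet0/0
no nameif
traffic-forward sfr monitor-only
no shutdown
"""
INLINE_SERVICE_POLICY = """hostname ciscoasa
policy-map global_policy
 class class-default
  sfr fail-open monitor-only
service-policy global_policy global
"""

if __name__ == "__main__":
    for label, sample in [("span/transparent", SPAN_TRANSPARENT),
                          ("span/routed", SPAN_STILL_ROUTED),
                          ("service-policy", INLINE_SERVICE_POLICY)]:
        print(label, check_passive_monitoring(sample))
```

Run it against a `show running-config` paste before changing anything on the box: the second sample reproduces the thread's starting point (routed ASA, traffic-forward not accepted) and reports the missing `firewall transparent`, which is the change that wipes the configuration and therefore needs console access and a maintenance window.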
02-01-2016 09:56 PM
Hi Marvin,
I have set up my ASA with the commands above. What I notice when I discover the FirePOWER sensor is that FireSIGHT does not see the Gi0/0 data interface. I am assuming that I can forward the spanned sensor data to FireSIGHT? FireSIGHT 5.4.1, FirePOWER 5.4.05-24.
Thanks Cameron
02-02-2016 05:45 AM
@7maloney4,
Please share your configuration, specifically for interface Gi0/0.
02-02-2016 03:34 PM
Hi Marvin,
int gi0/0
firewall transparent
interface gigabitethernet0/0
no nameif
traffic-forward sfr monitor-only
no shutdown
Thanks Cameron
02-02-2016 07:51 PM
That looks right. FireSIGHT will not see the data interface and recognize it as part of a security zone in this use case - that's by design.
However your policies should still be effective - i.e., be able to trigger on the passively collected data.
02-02-2016 08:41 PM
Ah, OK. When I didn't see the interface I assumed there was an issue. I will have a look for the data.
Thank you for your help. Cameron