ASA traffic redirection to firepower

ring zer0
Level 1
In a typical firewall we configure an ACL policy and then attach a URL filtering or application control policy to that policy to take effect. With Cisco ASA FirePOWER we need to configure the ASA first to redirect the traffic to the service module, which turns out to be a complete firewall and not just a module doing URL inspection etc., and configure everything from the beginning and assign filtering policies. Logically the packet goes to one firewall which doesn't have next-gen features, so it redirects to another firewall (Sourcefire) which does the inspection and moves forward.
Don't you think this approach is way different than other vendors'? And also, how much extra effort or time does it take you on average to configure or manage an ASA FirePOWER environment compared to others?
Accepted Solution

Marcel Maeder
Level 4

You can use the threat defense image, so you just have one firewall to configure (check the prerequisites). Or you just allow all traffic on the ASA and redirect everything to firepower.


4 Replies

We run several clients on ASA 5585 with FirePOWER module using FireSIGHT management. I do not find it hard to configure or manage at all. We use FirePOWER for URL filtering, IPS as well as AMP. Once everything was up and running I mainly just send URL category change requests to Brightcloud to unblock wrongly categorized websites. On the very rare occasion I have to add new policies to accompany newly added sites. But even this is a piece of cake.

The approach is not all that much different than other vendors'. Take CheckPoint for example. There you need to buy licenses for blades to be able to use URL filtering. Here the URL filtering is already built into the firewall, which is not the case with the ASA...yet. But I would not be surprised to see the firewall functionality disappear from the FirePOWER ASA module.

Now, of course, if you have the FirePOWER appliance then you don't need a firewall in the mix as it can also do firewalling, but if you have an ASA and want to add IPS and URL filtering then you just need to buy a license for these and you are good to go.

--

Please remember to select a correct answer and rate helpful posts


Hello Team,

For simple traffic redirection, please refer to the following link and search for the keyword "Redirect Traffic to the SFR Module".

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Rate if the post helps you.

Regards

Jetsy 
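To make the redirection concrete, here is the general shape of the ASA-side configuration that sends traffic to the FirePOWER (SFR) service module. This is an added illustration, not text from the linked Cisco document or from any poster in this thread; the ACL name, class-map name and the choice of the global policy are illustrative, and the "allow everything on the ASA, inspect on FirePOWER" split described in the accepted solution is what the permit-any ACL reflects.

```cisco
! Added example (not from the linked doc). Names such as sfr_redirect
! and sfr_class are illustrative.

! 1. Select which traffic goes to the module. "any any" sends everything,
!    matching the "allow all on the ASA, inspect on FirePOWER" approach.
access-list sfr_redirect extended permit ip any any

! 2. Wrap the ACL in a class-map so the MPF can reference it.
class-map sfr_class
 match access-list sfr_redirect

! 3. Attach the redirect to the global policy (or a per-interface one).
!    fail-open  : if the module is down, traffic passes uninspected.
!    fail-close : if the module is down, matching traffic is dropped.
!    monitor-only : copy of traffic is inspected, module cannot block.
policy-map global_policy
 class sfr_class
  sfr fail-open

! 4. Apply the policy-map globally (global_policy usually already is).
service-policy global_policy global
```

Two points worth checking after applying this. `show service-policy sfr` on the ASA shows packet counters per class, which confirms traffic is actually being redirected rather than just permitted by the ACL. And the `fail-open` versus `fail-close` decision is a security trade-off, not a formatting detail: `fail-open` keeps the network up during a module failure or upgrade but means the ASA alone (no IPS, URL or AMP) is protecting you during that window, whereas `fail-close` preserves the inspection guarantee at the cost of an outage. Pick deliberately and make sure monitoring alerts on the module state either way.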

ring zer0
Level 1

Thanks, this makes sense. I tried to find a doc which lists all the features supported by the FTD image but couldn't get one. Got some random information from different websites and found out that basic features like VPN aren't even supported.

http://www.cisco.com/c/en/us/td/docs/security/firepower/601/6011/relnotes/firepower-system-release-notes-version-6011.html

They don't mention which features are supported, like whether policy-based routing, GRE interfaces or time-based access control lists etc. are available. I couldn't find a doc which says all this; do you think they have one?

Thanks
