cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10054
Views
5
Helpful
4
Replies

ASA traffic redirection to firepower

ring zer0
Beginner
Beginner
In a typicall firewall we configure an ACL policy and then attach URL filtering or application control policy with that policy to take effect. With Cisco ASA firepower we need to configure the ASA first redirect the traffic to the service module which turns out to be a complete firewall and not just modules doing URL inspection etc, and configure everything from begining and assign filtering policies. logically the packet goes to one firewall which doesnt have nex gen features so it redirects to another firewall (sourcefire) which does the inspection and moves forward.
Dont you think this approach is way differnet than other vendors? and also how much extra effort or time it takes for you on average to configure or manage an ASA firepower environment compared to others.
1 Accepted Solution

Accepted Solutions

Marcel Maeder
Enthusiast
Enthusiast

You can use the threat defense image, so you just have one firewall to configure (check the prerequisites). Or you just allow all traffic on the ASA and redirect everything to firepower.

View solution in original post

4 Replies 4

Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor

we run several clients on ASA 5585 with FirePower module using FireSight management.  I do not find it hard to configure or manage at all.  We use FirePower for URL filtering, IPS as well as AMP. Once everything was up and running I mainly just send URL category change requests to Brightcloud to unblock wrongly categorized websites.  On the very rare occasion I have to add new policies to accompany newly added sites. But even this is a piece of cake.

The approach is not all that much different than other vendors.  Take CheckPoint for example.  There you need to buy licenses for blades to be able to use URL filtering.  Here the URL is already built into the firewall which is not the case with the ASA...yet.  But I would not be supprised to see the firewall functionality disappear from the FirePower ASA module.  

Now, ofcourse if you have the FirePower appliance then you don't need a firewall in the mix as it can also do firewalling, but if you have an ASA and want to add IPS and URL filter then you just need to buy a license for these and you are good to go.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Marcel Maeder
Enthusiast
Enthusiast

You can use the threat defense image, so you just have one firewall to configure (check the prerequisites). Or you just allow all traffic on the ASA and redirect everything to firepower.

Hello Team,

For simple traffic redirection , please refer the following link and search for the keyword "Redirect Traffic to the SFR Module".

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Rate if the post helps you.

Regards

Jetsy 

ring zer0
Beginner
Beginner

Thanks, this makes sense. I tried to find a doc which list all the features supported by FTD image but couldn't get one. Got some random information from different websites and found out that basic feature like VPN isn't even supported

http://www.cisco.com/c/en/us/td/docs/security/firepower/601/6011/relnotes/firepower-system-release-notes-version-6011.html

They don't mention features supported like , is policy based routing or GRE interfaces or time based access control list etc. I couldn't find a doc which says all this, do  you think they have one?

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers