Solved: Re: ASA with Sourcefire and FTD Deployment Mode

patelvc7601 · ‎02-08-2019

Hi

I have a situation where Cisco ASA with Sourcefire is inline mode , ASA is acting as a default gateway & can monitor the traffic .

Now Customer wants to monitor the traffic for rest of the IP, where ASA is not in the path . reading the https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.pdf

Looks like , Passive monitor-only (traffic forwarding) mode will help but than it says ASA needs to be in transparent mode.

in short, I wanted to use ASA with Source fire for inline mode for some interface & inline tap monitor mode /or even passive monitor mode . does this possible ?

Does FTD help in this situation ?

Sincerely

Viral Patel

Marvin Rhoads · ‎02-12-2019

You cannot mix and match interface modes on an ASA with Firepower service module since a single service-policy governs the traffic redirection.

With FTD the multiple interfaces can be in different modes and there are other options with your policy that can be used as well. But the migration from ASA with Firepower to FTD potentially introduces other issues depending on how the ASA is being used.

View solution in original post

Marvin Rhoads · ‎02-12-2019

You cannot mix and match interface modes on an ASA with Firepower service module since a single service-policy governs the traffic redirection.

With FTD the multiple interfaces can be in different modes and there are other options with your policy that can be used as well. But the migration from ASA with Firepower to FTD potentially introduces other issues depending on how the ASA is being used.

patelvc7601 · ‎02-15-2019

As always , Marvin rocks.