Cisco ASA 5585 SSP10 with Firepower: Where to apply policies?

Bilal Ahmad
Level 1

Hi ,

I have a Cisco ASA 5585 SSP-10 with a Firepower module for IPS, with Control and Protection licences. I am migrating from a Cisco ASA 5515 to this new firewall. Currently the Cisco 5515 has some policies which are applied on the outside interface. These are normal ACLs which check traffic up to layer 4.

Now that I am upgrading the firewall to the 5585 with the Firepower module, I need some advice on where to implement the security policies: in the ASA or in Firepower? Also, in Firepower I get the option of zones, so I can make policies between zones rather than on the interfaces. This will save me administrative overhead and result in a smaller policy base.

I need some clarification regarding:

1. Where to apply the security policies: on the ASA or in Firepower?

2. What are the advantages and disadvantages of applying policies in Firepower rather than on the ASA?

3. Will there be any performance issue if I allow all traffic in the ASA and apply all policies in Firepower?

Please advise.

1 Reply

Marvin Rhoads
Hall of Fame

1. The systems are complementary. Apply ACLs on the ASA like you always have. Inspect the allowed traffic in the FirePOWER module.

2. FirePOWER module policies do not have the advantage of dropping the traffic at the ingress interface like you normally do with the ASA. Also, the ASA is a stateful firewall. The FirePOWER module is not (by itself).

3. If you wait until it gets to the module before making a basic decision, you are wasting a lot of the appliance's processing power on allowing unnecessary traffic.

Once you migrate to the FirePOWER Threat Defense (FTD) image type in the future, all of the above is integrated into a single image. Then the questions are moot, as it's all configured in FMC.
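The split the reply describes (layer 3/4 filtering on the ASA, inspection of what survives in the module) looks like this on the ASA side. This is an added illustration, not configuration from the thread or from Cisco; the interface name, object names, addresses and the `OUTSIDE_IN` / `SFR_REDIRECT` / `SFR_CLASS` identifiers are assumed for the example.

```cisco
! Added example, not from the original post. Object names, addresses and
! ACL/class names are assumptions for illustration.
!
! 1) Keep the coarse layer 3/4 decision on the ASA. Anything the inbound ACL
!    denies is dropped at the ingress interface and never reaches the module.
object network WEB_SERVER
 host 10.10.10.20
object network MAIL_SERVER
 host 10.10.10.25
!
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq https
access-list OUTSIDE_IN extended permit tcp any object MAIL_SERVER eq smtp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 2) Hand only permitted, stateful-inspected traffic to the FirePOWER (sfr)
!    module. A permit-any redirect ACL is fine here because the interface ACL
!    has already done the filtering; the module sees just the allowed flows.
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global
```

`sfr fail-open` keeps traffic flowing if the module is down or restarting; use `sfr fail-close` if an IPS outage should block traffic instead, and `sfr fail-open monitor-only` to passively evaluate the module's policy before enforcing it. The intrusion and access-control rules (including the zone-based rules the question asks about) are then built in FMC / ASDM for the module, not in this ASA config. To confirm the division of labour is working, compare the hit counts in `show access-list OUTSIDE_IN` (drops that cost the module nothing) with the packet counters in `show service-policy sfr` (what the module actually inspected).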
