07-20-2021 05:27 AM
Hi All
I was wondering if anyone has enabled and used the FirePOWER module on a Cisco ASA without FMC.
I didn't find clear documentation about it.
Any help is welcome.
Cheers
Alex
07-20-2021 09:18 AM
Your question isn't that clear, but you can manage Firepower services using ASDM.
Hope this helps
Chakshu
Do rate helpful posts!
07-20-2021 11:14 AM
Thank you
But if we have an inside and an outside interface, for example:
Can we enable it just to check traffic on those interfaces?
Thank you a lot.
Cheers
Alex
07-20-2021 12:33 PM
I understood, but I was wondering if we can enable IPS (bypass) on each security-zone interface, like this below
Thank you
Alex
07-20-2021 11:34 AM
The Firepower service module ("sfr") is referenced in the global_policy policy-map. As such, the ASA sends traffic to the sfr module based on a matched class-map ACL.
So whatever traffic matches the ACL (often "ip any any") is sent to Firepower for inspection. Not just traffic on one interface or another.
07-20-2021 12:20 PM
07-20-2021 07:58 PM
If you migrated to FTD you could do a prefilter rule to trust those zones and thus bypass Snort (Firepower) altogether.
In an ASA with Firepower service module I believe you would have to craft the ACL used to select the traffic inspected by Firepower to not include the subnets in the zones where you don't want inspection.
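Putting the ACL-based traffic selection described in the two replies above into a concrete configuration, as an added example that is not code posted in the thread. It assumes an ASA 9.x with the sfr module already installed and its management set up through ASDM; the object-group, ACL and class-map names and the subnets are placeholders, and the deny entries are what keeps the chosen subnets away from the module.

```cisco
! Added example, not from the thread: ASA 9.x with a FirePOWER (sfr) service module, no FMC.
! Assumed names: NO_INSPECT_NETS, SFR_REDIRECT, SFR_CLASS. Subnets are placeholders.

! 1. Subnets in the zone(s) that should bypass the module
object-group network NO_INSPECT_NETS
 network-object 10.20.0.0 255.255.0.0
 network-object 10.30.0.0 255.255.255.0

! 2. Redirect ACL. Only permit entries are sent to the module; the deny entries
!    exclude the chosen subnets in both directions and the final permit covers the rest.
!    A deny here does NOT drop traffic; the interface ACLs still decide that.
access-list SFR_REDIRECT extended deny ip object-group NO_INSPECT_NETS any
access-list SFR_REDIRECT extended deny ip any object-group NO_INSPECT_NETS
access-list SFR_REDIRECT extended permit ip any any

! 3. Class-map that selects traffic by that ACL
class-map SFR_CLASS
 match access-list SFR_REDIRECT

! 4. Add the class to the existing global policy and hand matches to the module.
!    fail-open  : if the module is down, matching traffic passes uninspected
!    fail-close : if the module is down, matching traffic is dropped
!    Append "monitor-only" for passive, IDS-style inspection where the module
!    sees a copy and cannot block; leave it off for inline IPS.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
! "service-policy global_policy global" is already present in a default ASA config.

! 5. Verify the module state and that hit counts move on the expected ACL entries
show module sfr details
show service-policy sfr
show access-list SFR_REDIRECT
```

Traffic from or to the excluded subnets still passes through the ASA's own stateful inspection and interface ACLs; it simply never reaches the Snort engine in the module. Decide on fail-open versus fail-close deliberately: fail-open keeps the network up during a module reboot or upgrade at the cost of uninspected traffic during that window.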