Cisco ASA module FirePOWER enable bypass rules interfaces (IDS)
07-20-2021 05:27 AM
Hi All
I was wondering if someone enables and uses the FirePOWER module Cisco ASA without FMC.
I didn't find documentation clearly about it.
Any help is welcome.
Cheers
Alex
07-20-2021 09:18 AM
Your question isn't that clear, but you can manage Firepower services using ASDM.
Hope this helps
Chakshu
Do rate helpful posts!
07-20-2021 11:14 AM
Thank you
But if we have an inside and an outside interface, for example:
Can we enable it just to check traffic on those interfaces?
Thank you a lot.
Cheers
Alex
07-20-2021 12:33 PM
I understood, but I was wondering if we can enable IPS (bypass) on each security zone interface, like the example below.
Thank you
Alex
07-20-2021 11:34 AM
The Firepower service module ("sfr") is referenced in the global_policy policy-map. As such, the ASA sends traffic to the sfr module based on a matched class-map ACL.
So whatever traffic matches the ACL (often "ip any any") is sent to Firepower for inspection. Not just traffic on one interface or another.
07-20-2021 12:20 PM
Hi Marvin
I understood, but I was wondering if we can enable IPS (bypass) on each security zone interface, like the example in the attachment.
Thank you
Alex
07-20-2021 07:58 PM
If you migrated to FTD you could do a prefilter rule to trust those zones and thus bypass Snort (Firepower) altogether.
In an ASA with Firepower service module I believe you would have to craft the ACL used to select the traffic inspected by Firepower to not include the subnets in the zones where you don't want inspection.
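As an added illustration of the ACL approach described in the reply above (not configuration from the thread or from Cisco), here is what an ASA redirect policy that exempts one zone's subnet from FirePOWER inspection could look like; the subnet 192.168.50.0/24, the ACL and class-map names, and the choice of fail-open are all assumed values for the example.

```cisco
! Assumed example: exempt the 192.168.50.0/24 zone from sfr inspection.
! Deny lines exclude traffic in both directions; everything else is redirected.
access-list SFR_REDIRECT extended deny ip 192.168.50.0 255.255.255.0 any
access-list SFR_REDIRECT extended deny ip any 192.168.50.0 255.255.255.0
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! Attach the class to the existing global policy; "fail-open" keeps passing
! traffic if the module is down, "fail-close" would drop it instead.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
service-policy global_policy global
```

Traffic matched by the deny lines never reaches Snort, so that subnet gets no IPS coverage at all; review the exempted ranges and the fail-open/fail-close choice deliberately rather than defaulting to "ip any any" minus whatever was convenient.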
