Firepower Threat Defense use Both Firewall and IPS on same interface

DRC
Level 1

I'm looking at replacing the FP7030 with the FP2110 or higher. I was intrigued with the options to have a firewall and IPS on one box using the FTD image. After scanning the documents for configuration setup, we will use the FTD firewall mode, but it looks as if we can't use the IPS function. Is it accurate to say that even though both modes are supported in the same appliance, we will only be able to use the firewall mode but can't use the IPS function on that same network? I want to use this to do inter-VLAN routing at the firewall and then send data to the router if needed to the WAN, but that requires the firewall to have physical sub-interfaces, and then we won't be able to use the IPS because that is a network tap and traffic is then forwarded from one interface to the next without routing. I thought the FTD was a combination of services that could be utilized. Are there some valid solutions to apply a security policy to the firewall interfaces?


Thanks. 


Francesco Molino
VIP Alumni
Hi

When you build your access policies on FTD you can decide whether or not to apply IPS policies on a per-rule basis. This means that you can have rules based only on firewall policies and some with IPS and/or malware checks.

If you decide to go with FTD, I highly recommend getting FMC, because with FDM (local management of FTD) you're limited in some features.

Can you please elaborate on the WAN part? I don't get your point. What do you want to do with it?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the response. 

We have to equip an IDS to our network.

The FTD states to be a combination of IPS/firewall. But you can only create an interface as a firewall (routed) or IPS (bridged). If we route (firewall) then I can apply sub-interfaces, VPN, and more. But I lose the IPS function for those sub-interface networks. If I use the IPS (bridge) on the interfaces then I have to forward traffic to my router (WAN) and build the trunk there. I wanted to have traffic enter the WAN and then hit the firewall; per our policy we must have the WAN routing facing our PE. The firewall could be utilized for inter-VLAN routing, and it would also prevent me from using the ZBFW on the WAN.


The FP2110 comes with 12 1GE interfaces.

I just thought of an idea about using the IPS function from Router to FP, then plug a cable from that interface on the FP into another interface on the same FP that is then a firewall interface.


I have a FMC1000K9 managing all my devices.


Thanks.


Where did you see that you can't use IPS in firewall mode?
On FMC, IPS is called intrusion policies.

If needed you can have both interface types (routed or passive).
With passive interfaces you can do IDS or IPS.
However, if you configure your firewall in routed mode, then on all your policies filtering traffic you can apply intrusion policies, which are IPS policies.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
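As an added illustration of the per-rule choice described above (example code, not from the thread or from Cisco): on a routed FTD managed by FMC, each access rule pushed through the FMC REST API may carry an optional ipsPolicy object, so one rule can stay firewall-only while the next attaches an intrusion policy. The FMC host, policy UUIDs and zone UUIDs below are placeholders; the endpoint paths and field names are the documented FMC API ones.

```python
"""Two access-control rules for a routed FTD, built for the FMC REST API:
one is firewall-only, the other also attaches an intrusion (IPS) policy."""
import json
import urllib.request

# Placeholders (constructed for this example): take the real values from your FMC.
FMC_HOST = "fmc.example.internal"
ACCESS_POLICY_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder UUID
IPS_POLICY_ID = "00000000-0000-0000-0000-00000000bbbb"     # placeholder UUID
ZONE_VLAN10 = "00000000-0000-0000-0000-000000000010"       # placeholder UUID
ZONE_VLAN20 = "00000000-0000-0000-0000-000000000020"       # placeholder UUID
ZONE_WAN = "00000000-0000-0000-0000-000000000099"          # placeholder UUID


def access_rule(name, src_zone_id, dst_zone_id, ips_policy_id=None):
    """Return the JSON body of one AccessRule. The ipsPolicy object is added
    only when requested, which is what makes inspection a per-rule decision
    rather than something tied to the interface being routed or passive."""
    rule = {
        "name": name,
        "type": "AccessRule",
        "action": "ALLOW",
        "enabled": True,
        "logEnd": True,
        "sourceZones": {"objects": [{"id": src_zone_id, "type": "SecurityZone"}]},
        "destinationZones": {"objects": [{"id": dst_zone_id, "type": "SecurityZone"}]},
    }
    if ips_policy_id is not None:
        rule["ipsPolicy"] = {"id": ips_policy_id, "type": "IntrusionPolicy"}
    return rule


def post_rule(token, domain_uuid, rule):
    """POST one rule into the access policy. Token and domain UUID come from
    /api/fmc_platform/v1/auth/generatetoken (X-auth-access-token and
    DOMAIN_UUID response headers); TLS verification is left on."""
    url = (f"https://{FMC_HOST}/api/fmc_config/v1/domain/{domain_uuid}"
           f"/policy/accesspolicies/{ACCESS_POLICY_ID}/accessrules")
    req = urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="POST",
        headers={"Content-Type": "application/json", "X-auth-access-token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Inter-VLAN traffic stays firewall-only; traffic toward the WAN zone also gets IPS.
FIREWALL_ONLY = access_rule("vlan10-to-vlan20", ZONE_VLAN10, ZONE_VLAN20)
WITH_IPS = access_rule("vlan10-to-wan-inspected", ZONE_VLAN10, ZONE_WAN, IPS_POLICY_ID)
```

Deploying the policy to the FTD after the POST is a separate FMC step and is not shown here.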

There are two modes, Firewall and FTD.


I'm using the FTD IOS version.


I thought that if I have the interface on the device in routed mode for the firewall then I could not apply IPS policies to that same interface. IPS in the documentation was an L2 function, routed was L3, and the documentation also reads as if the IPS mode could only operate in bridge mode, and you can't put interfaces in both bridge and routed. But you are telling me that I can have a firewall interface managed in FMC and still apply a security policy that performs IPS functions to it. It seems then that the device would be applying firewall policies and IPS policies. That would be great.

Check it out on the Cisco website or the labminutes FTD videos.

I've deployed a bunch of FTD and I assure you you can apply intrusion policies on access policies on a routed FTD firewall.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks. I'm going to investigate this further, find and check out those videos.

No problem, let me know if you need more information.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question