Integrating ASA for Firepower (running on FXOS) with Firepower Threat defense

m.kafka
Level 4

Hi everybody,

I can't find any decent guide on how ASA for FXOS (aka ASA for Firepower) operates together with Firepower Threat Defense.

The "Quick Start Guides" available in the ASA documentation section (http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp4100/asa-firepower4100-qsg.html) do not describe how traffic is handled, e.g. which service (FP Threat Defense or ASA) is receiving traffic from interfaces and how the traffic will be forwarded to the other Service.

For example, will the ASA receive traffic from interfaces, process it according to NAT, routing and basic traffic filters, and then forward the traffic to FP Threat Defense, or can the two solutions communicate only via physical interfaces?

I have read the documentation on how to deploy ASA for FXOS and I know that interfaces are owned by the hypervisor or chassis manager, but I can't find a description of how the two different services interact.

I am well familiar with the operation of Firepower Services module together with the ASA platform, but the solution of ASA running on FP-Appliances seems to be very different.

Hope anyone can point me to a configuration guide.

Rgds, MiKa

4 Replies

Marvin Rhoads
Hall of Fame

When you run the ASA image on a FirePOWER appliance (4100 series or 9300), you do not have the option of FTD or any other FirePOWER NGIPS policies (IPS, URL Filtering or Advanced Malware Protection).

So the ASA processing is just like the classic ASA processing, without any option to redirect to a service module via service-policy and policy map / class map.

Hi Marvin,

I understood that Firepower Threat Defense and ASA on FXOS can coexist simultaneously on the same Firepower Appliance. At least http://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos201/web-config/b_GUI_ConfigGuide_FXOS_201/logical_devices.html suggests that more than one logical device can be installed. Correct me if I'm wrong here.

At the moment I see three different service types available:

  • Firepower Threat defense
  • ASA for Firepower
  • Radware DefensePro

I couldn't see any restrictions about different types of logical devices on the same box.

This is what I interpret from the configuration guide.

So the 4100 allows only a single service, either ASA or Firepower Threat defense?

Couldn't see that clearly...

Thanks for your effort,

About the Firepower 9300: are you positive that you can't install different service types on different modules? Because that's necessary for the Radware DefensePro/ASA service chaining.

MiKa

See the note in the document you linked:

If you are configuring standalone logical devices, you must install the same software type on all modules in the chassis; different software types are not supported at this time. Note that modules can run different versions of a particular device type, but all modules must be configured as the same type of logical device.

This is what I was referring to. I have confirmed this limitation personally with the Cisco Technical Marketing Engineer (TME) for the FirePOWER 9300.

Hi Marvin,

Maybe that's the reason for the misinterpretation. I was interpreting "software type" as standalone/cluster, as in "device type" a few lines above.

Thanks for the clear answer, MiKa
