New to Firepower

Andrew White
Level 2

Hello,

 

I've inherited a couple of Cisco ASAs in active/passive mode that have Firepower installed.  It seems there is also a VM appliance that I have access to.

 

Can anyone provide some handy commands to check how it's configured and what is being utilised?

 

Also I can't see what interfaces are being monitored.

 

Anything to give me a head start would be great then I can do some proper reading.

 

Thanks

24 Replies

curdubanbogdan
Level 1

If FirePower is already configured you can use ASDM and it will scan the Firepower module also. There you can access Configuration -> ASA FirePower Module -> Device -> Interfaces. There you can see what interfaces are being placed in Zones and at Access Policy Rules you can see what Zones are placed in Source and Destination. At ASA configuration you can verify Firewall -> Inspect Policy -> global-map (or any other name) -> Check what traffic is passed to Firepower for inspection and if it is monitor only or actually inspecting the traffic.

All I can find in the ASDM is under Configurations > Firewall > Service Policy Rules

 

Here there is a policy called global-class with a tab called 'ASA FirePOWER Inspection' which is enabled and permits traffic.

 

I can't see any:

 

configuration -> ASA FirePower Module -> Device -> Interfaces  or Firewall -> Inspect Policy

 

I do see the ASA FirePOWER Status tab under Home and it shows as 'Up' for status and application status

 

Any ideas?

Marvin Rhoads
Hall of Fame

From the ASA cli "show module sfr detail". If it is managed by the Firepower Management center (FMC, formerly known as Defense center or DC) that will be indicated in the output. If the module has been setup, similar info will show up on the Firepower section of the ASDM main page (down at the bottom center).

If the module is FMC-managed then all policies and settings are done on that server.

Hello,

 

Yes there is a FMC server, but I have no idea how the ASA serves data to it or how the ASA chooses what interface to monitor, all very confusing :).  Seems there is no FirePower section on the ASDM apart from the tab on the home screen.

 

This is what I see:

 

en/act# show module sfr detail
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5516
Hardware version: N/A
Serial Number: JADx
Firmware version: N/A
Software version: 6.2.2.1-73
MAC Address Range: 005d.xe.x7 to 005d.xe.x7
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.2.1-73
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: 172.x.x.5
Mgmt IP addr: 172.x.x.7
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 172.x.x.254
Mgmt web ports: 443
Mgmt TLS enabled: true

Correct. When the Firepower service module is managed by FMC ("DC addr: 172.x.x.5") the management of the module is not done at all via ASDM, nor can you see anything about it other than its presence, software version, the fact that it is up and remotely managed.

The module inspects traffic that is sent to it via the ASA backplane according to the class-map/policy-map/service policy construct on the ASA config. Typically we send all traffic to the module (maybe excepting some that we don't want to inspect like for instance encrypted traffic that passes through the ASA). How the module inspects and what it does is completely configured on and reported to the FMC.

Ah I see, so the ASA will have a policy somewhere just pushing all the traffic to the FMC? Then the FMC has policies to monitor what interfaces?

Would you be kind enough to point me in the right direction to where these policies would be on the FMC?

I will check on the ASA at that global service policy as it must list the FMC IP somewhere?

Thanks again!

The ASA service policy pushes traffic to the internal Firepower module. The module interacts with the FMC to both receive configuration and send events.

In an FMC, the policies primarily are under an Access Control policy (ACP). The most common is the ACP itself but can also include Intrusion, Network Discovery, SSL and File policies as well as other elements like Security Intelligence and QoS.

There are several books as well as numerous free Cisco Live presentations that cover these in much more detail if you're interested in learning more.

Thanks. I will certainly do that.

I just need to first enable or remove an interface and wondered how I do that in FMC?

Kind regards

All interface configuration is done from the ASA. FMC only configures policies and related settings for the Firepower service module.

Hello,

Where on the ASA is this configured? We have many interfaces and I need to see which ones are being monitored.

I can't seem to locate this on the ASDM.

A Firepower service module (or, by extension, FMC) doesn't monitor ASA interfaces per se. It monitors traffic sent to it by the ASA class-map which is referenced in a policy-map and applied via a service policy (usually global). The class-map can say monitor all traffic or only traffic that matches an ACL. Whatever it scoops up is sent to the service module - irrespective of ASA interfaces.

Perhaps this flowchart will help explain it:

[Attached image: ASA OOO.PNG]
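As an added illustration of the class-map / policy-map / service-policy construct described in the replies above (this is a constructed example, not configuration from any poster or from the original ASAs), here is an ASA configuration that redirects everything except HTTPS to the sfr module, followed by the show commands that reveal what is actually being redirected. The names SFR_REDIRECT and SFR_CLASS are assumptions; global_policy is the ASA default policy-map name.

```cisco
! Constructed example, not the poster's config. SFR_REDIRECT / SFR_CLASS are assumed names.
! 1. The ACL decides WHAT is redirected; no interface is referenced anywhere.
!    A deny line means "not sent to the module" (here: encrypted HTTPS, as mentioned above).
access-list SFR_REDIRECT extended deny tcp any any eq 443
access-list SFR_REDIRECT extended permit ip any any
!
! 2. The class-map scoops up traffic matching that ACL ("match any" would take everything).
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! 3. The policy-map hands the class to the module. fail-open keeps traffic flowing if the
!    module is down; fail-close blocks it; adding "monitor-only" copies traffic to the
!    module without letting it drop anything (matches the "monitor only" mode noted above).
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
! 4. Applied globally, so it covers every interface; a per-interface service-policy
!    would instead name a single interface.
service-policy global_policy global
!
! Verification from enable mode:
! show running-config policy-map             -> which class carries the "sfr" action
! show running-config access-list SFR_REDIRECT -> what that class actually matches
! show service-policy sfr                    -> redirect counters per policy/interface
! show module sfr detail                     -> DC addr (the FMC), status, version
```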

 

hi,

there are two ways to manage the ASA with FirePower (FP): locally via ASDM or via a central FMC.

do you want to learn how your current ASA talks to FMC? or are you removing the active/passive pair from FMC and do your own lab?

try to locate the ASA policy-map and/or firepower ACL (if any).

you can refer to this helpful link to learn about ASA FP, ASDM and FMC:

http://wannabecybersecurity.blogspot.com/2019/01/cisco-asa-firepower-traffic-redirection.html

I’m trying to work out how the ASA talks to the FMC and how I can select what interfaces it’s monitoring.

hi,

the FP module on the ASA talks to FMC via the global policy map (and ACL) traffic redirection and registering the managed device/sensor (ASA FP) to the FMC.

 

you configure the security zones with which the ASA interfaces are associated and then apply the FMC access control policy (ACP).

see helpful link:

http://wannabecybersecurity.blogspot.com/2019/06/configuring-cisco-fmc-objects-and.html
