NextGen IPS firepower appliances deployment with multitenancy support

osi_badran
Level 1

Dears,

I have a concern regarding deploying and designing Firepower next-generation IPS appliances 8250 in a multi-tenancy deployment, as I need to have an inline IPS appliance running in two different zones (edge and DC), and at the same time to have higher bandwidth by selecting the correct type of interfaces, BP or NBP, for this setup to utilize this high IPS bandwidth of around 10G!

Second point: what are the options for building a redundant IPS solution, so there is no single point of failure?

Thanks all.

Accepted Solution

The NGIPS appliance itself does not support multi-tenancy cleanly. You can have different policies on different interface pairs of a given sensor but that sensor can only belong to a single domain.

You can use the Domain Management feature of FirePOWER Manager 6.0 to segregate your tenants' access across different managed devices:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Domain_Management.html


8 Replies

Philip D'Ath
VIP Alumni

Thanks, it's a nice video, but it is all about ACI automation and integration with a security overview, not about the Firepower NGIPS solution.

Anyway, I think, as per some research, that NGIPS doesn't support multiple contexts or multiple tenants as Cisco IPS can do with virtual sensors! I need to confirm this information.

As well, I found that stacking doesn't provide HA over a single point of failure; it's only adding the devices' processors to the cluster, connected to the primary unit by stacking connectors back to back!

What about FP Manager 5.4? Does it support the same?

No. The domain feature for multitenant support is new as of FP Manager 6.0.

You can put the ASA in multiple context mode and SFR for each independently. 

Collin,

I believe the FirePOWER module still is limited to a single Policy Set (and/or Domain when using the 6.0-or later feature) even though the base ASA is in multiple context mode.

The module has no awareness of the ASA's context configuration.
