cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2207
Views
20
Helpful
12
Replies

Physical Firepower

Valery Denisov
Level 1
Level 1

Hello!

There is serious lack of information regarding firepower appliances. For example you can find many things about ASA with SFR, but nothing about physical Firepower appliances.

Thats why i have two questions:
Can we replace our proxy with Physical FP in inline mode(client authorization, per user url statistic detalization and etc.) ? Can't find any guides.


Can physical firepower be normal L3 Router ? I need to implement SSL-inspection in inline mode for users, but how to do it ? Appliance must be L3 Gateway for inner routers? And what about defending SSL resourses like Exchange OWA, can it be reverse proxy ?

Thanks!

2 Accepted Solutions

Accepted Solutions

yogdhanu
Cisco Employee
Cisco Employee

Hi

The data sheet

http://www.cisco.com/c/en/us/products/collateral/security/firepower-7000-series-appliances/datasheet-c78-732954.html

Installation guide

http://www.cisco.com/c/en/us/td/docs/security/firepower/hw/firepower_device/firepower_7k8k_device.html

User guide is same for SFR module or physical devices.

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60.html

View solution in original post

You are right. That can be done.

So there are 2 ways to achieve this. one with cisco ISE integration and other with user agent.

For your scenario, yes there will be 2 entries for the same user with 2 different IP.

Even if the new logon event is not generated on AD, user agent should be able to probe the pc directly and identify that the user is there but with a different IP.

View solution in original post

12 Replies 12

yogdhanu
Cisco Employee
Cisco Employee

Hi Valery,

Yes, you can use Physical FP in inline mode for controlling URL and client authorization etc.

It doesn't act exactly as proxy but can act as NGFW.  It does have ability to implement SSL inspection and that can be done while the appliance is inline mode. So L3 mode is not required.

You can use physical Firepower with NAT and as a L3 device but with limited functionality. I would suggested to use physical device in inline mode (designed to work best this way)

Rate if helps.

Yogesh

Ok, i got it.

What about passive mode? Does physical FP have it ?

For example can i install FP inline and step-by-step enable policie? So it will not affect production traffic.

Yup, physical FP have everything that a virtual FP have and much more.

You can use a single interface to use it in passive mode or have it inline and still make sure the IPS is in IDS mode to just detect things and not drop anything so you can proceed with step by step installation.

thanks!

One more thing - can FP work as Active-Active? I found information about active\standby cluster but what if we have Active\active setup ? 

Hi

It can. You have have the both the FP registered to same FMC as individual units and have then as active-active. or use them in stack to combine the strength of both the device into one.

http://www.cisco.com/c/en/us/support/docs/security/firepower-8000-series-appliances/200306-Configuration-of-Stack-on-the-Cisco-Fire.html

Rate if helps.

Yogesh

things got a little bit clearer :)

Last one - can we remove our proxy and change it to FP?
We are using client authorization (access policy based on user group) and URL filtration. For this task as i assume we need to install sourcefire agent on AD and then it will make mapping. but what if our user will change network location ? For example he was using wired access then switched to wireless obviously IP chaged but reauthentication wasn't done ( no reason to).
Will FP understand that this is the same user but with different IP ?

You are right. That can be done.

So there are 2 ways to achieve this. one with cisco ISE integration and other with user agent.

For your scenario, yes there will be 2 entries for the same user with 2 different IP.

Even if the new logon event is not generated on AD, user agent should be able to probe the pc directly and identify that the user is there but with a different IP.

Awesome!

So to convert information to knowledge let me sum it up:

We can place FP after the cisco ASA in A\A mode as two separated boxes in L2 mode (no l3 for passing traffic) connected to one FMSC. For deployment scenario we place it in inline mode and all policies in monitor. Then step-by-step enable policies and test result. SSL inspection will be active for all traffic egress from users and ingress to servers so we can protect hosted web-sites(via MITM). For user auhtorization we will use sourcefire agent. For entire traffic we can enable AMP services.

Am I missing something ?

You got it all covered.

Awesome!

Thank you very much! 

Hi,

found another question :)

If we have 8 copper interfaces on FP, i assume its 4 pairs of In/out groups.

We have two traffic points - in DMZ and internal. Can we connect 2 pairs to DMZ and another 2 to internal traffic point ?

Policies will be bounded to this "zones".

But what is concerning that FP will see double traffic when some one is going from internal zone to dmz.

For example we have one pair of interface right behind FW - it's will cover all egress traffic to internet. And another point right after core switches, so it will see any egress trafic to DMZ and to WAN. 

Will it be working properly ? Because traffic will pass FP two times.

yogdhanu
Cisco Employee
Cisco Employee

Hi

The data sheet

http://www.cisco.com/c/en/us/products/collateral/security/firepower-7000-series-appliances/datasheet-c78-732954.html

Installation guide

http://www.cisco.com/c/en/us/td/docs/security/firepower/hw/firepower_device/firepower_7k8k_device.html

User guide is same for SFR module or physical devices.

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60.html

Review Cisco Networking for a $25 gift card