Physical Firepower

Valery Denisov
Beginner

Hello!

There is a serious lack of information regarding Firepower appliances. For example, you can find many things about the ASA with SFR, but nothing about physical Firepower appliances.

That's why I have two questions:
Can we replace our proxy with a physical FP in inline mode (client authorization, per-user URL statistics, etc.)? I can't find any guides.


Can a physical Firepower be a normal L3 router? I need to implement SSL inspection in inline mode for users, but how do I do it? Must the appliance be the L3 gateway for the inner routers? And what about defending SSL resources like Exchange OWA; can it be a reverse proxy?

Thanks!

2 Accepted Solutions

yogdhanu
Cisco Employee

Hi

The data sheet:

http://www.cisco.com/c/en/us/products/collateral/security/firepower-7000-series-appliances/datasheet-c78-732954.html

Installation guide:

http://www.cisco.com/c/en/us/td/docs/security/firepower/hw/firepower_device/firepower_7k8k_device.html

The user guide is the same for the SFR module and physical devices:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60.html


You are right. That can be done.

So there are two ways to achieve this: one with Cisco ISE integration and the other with the User Agent.

For your scenario, yes, there will be two entries for the same user with two different IPs.

Even if a new logon event is not generated on AD, the User Agent should be able to probe the PC directly and identify that the user is there, but with a different IP.


12 Replies

yogdhanu
Cisco Employee

Hi Valery,

Yes, you can use a physical FP in inline mode for controlling URLs, client authorization, etc.

It doesn't act exactly as a proxy, but it can act as an NGFW. It does have the ability to implement SSL inspection, and that can be done while the appliance is in inline mode. So L3 mode is not required.

You can use a physical Firepower with NAT and as an L3 device, but with limited functionality. I would suggest using the physical device in inline mode (it is designed to work best this way).

Rate if it helps.

Yogesh

OK, I got it.

What about passive mode? Does the physical FP have it?

For example, can I install the FP inline and enable policies step by step, so it will not affect production traffic?

Yup, a physical FP has everything that a virtual FP has and much