There is a serious lack of information regarding Firepower appliances. For example, you can find many things about ASA with SFR, but nothing about physical Firepower appliances.
That's why I have two questions:
Can we replace our proxy with a physical FP in inline mode (client authorization, detailed per-user URL statistics, etc.)? I can't find any guides.
Can a physical Firepower be a normal L3 router? I need to implement SSL inspection in inline mode for users, but how do I do it? Must the appliance be the L3 gateway for inner routers? And what about defending SSL resources like Exchange OWA; can it be a reverse proxy?
The data sheet
The user guide is the same for the SFR module or physical devices.
You are right. That can be done.
So there are 2 ways to achieve this: one with Cisco ISE integration and the other with the user agent.
For your scenario, yes, there will be 2 entries for the same user with 2 different IPs.
Even if the new logon event is not generated on AD, the user agent should be able to probe the PC directly and identify that the user is there but with a different IP.
Yes, you can use a physical FP in inline mode for controlling URLs, client authorization, etc.
It doesn't act exactly as a proxy but can act as an NGFW. It does have the ability to implement SSL inspection, and that can be done while the appliance is in inline mode. So L3 mode is not required.
You can use a physical Firepower with NAT and as an L3 device, but with limited functionality. I would suggest using the physical device in inline mode (it is designed to work best this way).
Rate if it helps.
Yup, a physical FP has everything that a virtual FP has and much