cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
916
Views
5
Helpful
6
Replies

Testing the device in production.

n.avramenko87
Beginner
Beginner

Hello friends! I need your help again. How can I tested sensor in production? When I apply any of politic or settings to fire power I have  a break in the network work.And it bothers me!It is not good tested in production.

What I have:

1.Internet -- ASA -- FIREPOWER - (Switch - - - MY LAN------)

I see it as a working version of my lan.

2.Can I use for testing this scheme:

Internet -- ASA - - (Switch - FIREPOWER - Switch - MY LAN------) Will it work?

Thank you!

6 Replies 6

ankojha
Participant
Participant

Hi,

Yes, the second scenario is supposed to work fine.

If you are using firepower module running on ASA,then you can try putting the module in monitor-only and monitor the traffic which is coming to the same.

If you have sensor, then you can enable inline set for interfaces and make sure first they are up

and then you can direct traffic, if in case you encounter the problem enable bypass for the interface so that traffic is bypassed through the sensor.

Note: make sure that interface settings such as duplex speed match the inline sets on the sensor

and on the sensor set it to auto negotiate.

Please mark and rate helpful posts.

Thanks,

Ankita

I use only Sensor.

Thank you for your answer. At first i need to use sensos for discovering network.And 2 scheme will be work! I try it to testing! 

But in production i think it is only firsh scheme can works.

Do I understand correctly that if i use sensor as passive i can discovering my network?

Hello Team,

Either you can set your ASA firepower  in monitor only or inline mode.

When its in inline mode, it will inspect the traffic that is redirects from ASA  to Firepower and Firepower will take the actions based on the policies that you mentioned.

If you dont need then you can just keep the Firepower in monitor only mode so that it will send just the copy of traffic to Firepower and it wont perform any inspection.

It would be good if you refer the following deployment scenario guides to understand more about how to setup and also refer the second link for initial installation and traffic redirection after installation.

http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html   (this is applicable for Firepower setup also )

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Rate and mark correct , if the post helps you

Regards

Jetsy 

OK! Thank you! I have 2 questions!

1.One man said me that if we want to use  FirePower  we need router :

Internet -- Router -- FirePower -- ASA -- LAN

In my lan ASA used as a router too.Can  I used FirePower without Router:

Internet -- ASA -- FirePower -- LAN

2. I try to configure sensor. I want to see all information about my lan (host computers ports applications)

- I configured  access control policy - network discovery only

- system find only hosts in my lan

I read manuals  and if I understand correctly that for "application seen" I need to configure  Active Scanning?

And I see that firesigh has application detectors, how can I use it? Сould there be best practice for using sensor?

Hello! And still would like to clarify information. I have the same lan that on the scheme. Will it work with FirePower? Thank you!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: