The FWSM architecture is hierarchical, using four different components:
- Network Processor 1 (NP1)
- Network Processor 2 (NP2)
- Network Processor 3 (NP3)
- Control Point (CP, PC, CPU)
NP1 and NP2 are the front-line processors, responsible for initially reading and analyzing all traffic. NP1 and NP2 receive packets from the switch across the backplane connection. NP1 and NP2 each have three 1 Gigabit connections that attach the FWSM to the backplane of the switch; added together these give the 6 Gigabit link identified in the FWSM datasheets.
NP1 and NP2 are responsible for the following functions:
- Perform per packet session lookup
- Maintain connection table
- Perform NAT/PAT
- TCP checks
- Handle reassembled IP packets (NP2 only)
- TCP sequence number shift for "randomization"
- Syn Cookies
NP3 sits above NP1 and NP2. NP3 is also known as the session manager and performs the following functions:
- Processes first packet in a flow
- ACL checks
- Translation creation
- Embryonic/establish connection counts
- TCP/UDP checksums
- Per-flow offset calculation for TCP sequence number "randomization"
- TCP intercept
- IP reassembly
NP3 talks to NP1 and NP2 as well as the CP. All packets that come to NP3 must first be processed by NP1 and NP2.
The Control Point sits above NP3 and, similarly, only sees traffic that is forwarded via NP3. The Control Point is primarily responsible for performing Layer 7 fixups, for example for traffic that requires embedded NAT or command inspection. The CP is also responsible for handling traffic sourced from or destined to the FWSM itself:
- AAA (Radius/TACACS+)
- URL filtering (Websense/N2H2)
- Management traffic (telnet/SSH/HTTPS/SNMP)
- Failover communications
- Routing protocols
- Most Layer 7 fixups/inspections
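To make the division of labour between NP1/NP2, NP3 and the CP concrete, the following toy model walks packets through the three tiers described above. This is an added example written for this page, not Cisco code or a representation of the real FWSM data structures; the packet fields, the ACL format, the NAT address, the set of ports treated as needing a Layer 7 fixup and the way the connection table is keyed are all assumptions chosen for illustration. What it shows is the fast-path/slow-path pattern the text describes: the first packet of a flow has no connection-table entry, so it is punted to the session manager (NP3) for the ACL check, translation creation, embryonic count and per-flow sequence offset; every later packet of that flow is matched and rewritten by NP1/NP2 alone; to-the-box traffic and Layer 7 flows go up to the Control Point.

```python
import random
from dataclasses import dataclass

# Constructed packet representation (assumption: one-directional flows only,
# so the return direction of a connection is not modelled).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int = 0
    to_firewall: bool = False  # destined to the FWSM itself (mgmt, routing, failover)

@dataclass
class FlowEntry:
    seq_offset: int   # computed once by NP3, applied to every packet by NP1/NP2
    nat_src: str      # translation created by NP3, applied by NP1/NP2
    packets: int = 0

class Fwsm:
    """Three-tier processing model: NP1/NP2 fast path -> NP3 session manager -> CP."""

    def __init__(self, acl, l7_ports=(21,), seed=0):
        self.acl = acl                  # list of (src, dport, "permit"|"deny"); first match wins
        self.l7_ports = set(l7_ports)   # assumption: flows on these ports need CP fixups
        self.conn_table = {}            # connection table maintained by NP1/NP2
        self.conn_counts = {"embryonic": 0}
        self.rng = random.Random(seed)
        self.trace = []                 # which component handled each packet, in order

    def process(self, pkt):
        """Entry point: every packet is first seen by NP1/NP2 (per-packet session lookup)."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        entry = self.conn_table.get(key)
        if entry is None:
            return self._np3(pkt, key)  # no session yet: first packet in flow goes up
        self.trace.append("NP1/NP2")
        return self._forward(pkt, entry)

    def _np3(self, pkt, key):
        """Session manager: ACL check, translation creation, connection counts, seq offset."""
        self.trace.append("NP3")
        if pkt.to_firewall:
            return self._cp(pkt)
        if self._acl_lookup(pkt) != "permit":
            return ("drop", None)
        entry = FlowEntry(seq_offset=self.rng.randrange(1, 2**32),
                          nat_src="198.51.100.1")   # constructed PAT address
        self.conn_table[key] = entry
        self.conn_counts["embryonic"] += 1
        if pkt.dport in self.l7_ports:
            return self._cp(pkt, entry)  # flow needs a Layer 7 fixup: punt to the CP
        return self._forward(pkt, entry)

    def _cp(self, pkt, entry=None):
        """Control Point: to-the-box traffic and Layer 7 fixups."""
        self.trace.append("CP")
        if pkt.to_firewall:
            return ("to-box", pkt)
        return self._forward(pkt, entry, fixup=True)

    def _forward(self, pkt, entry, fixup=False):
        """Apply the NAT and the per-flow sequence shift stored in the connection entry."""
        entry.packets += 1
        out = Packet(entry.nat_src, pkt.dst, pkt.sport, pkt.dport,
                     seq=(pkt.seq + entry.seq_offset) % 2**32)
        return ("l7-inspect" if fixup else "forward", out)

    def _acl_lookup(self, pkt):
        for src, dport, action in self.acl:
            if src in ("any", pkt.src) and dport in ("any", pkt.dport):
                return action
        return "deny"  # implicit deny at the end of the ACL

def run_demo():
    """Push a few constructed packets through the model and return the results."""
    fw = Fwsm(acl=[("10.0.0.5", 80, "permit"), ("any", 22, "deny")], seed=1)
    r1 = fw.process(Packet("10.0.0.5", "192.0.2.9", 40000, 80, seq=1000))  # first packet: NP3
    r2 = fw.process(Packet("10.0.0.5", "192.0.2.9", 40000, 80, seq=1001))  # same flow: NP1/NP2
    r3 = fw.process(Packet("10.0.0.6", "192.0.2.9", 40001, 22))            # ACL deny at NP3
    r4 = fw.process(Packet("10.0.0.5", "10.0.0.1", 40002, 22, to_firewall=True))  # to-box: CP
    return fw, (r1, r2, r3, r4)

if __name__ == "__main__":
    fw, results = run_demo()
    for stage, res in zip(fw.trace, results):
        print(stage, res)
```

The `trace` list is the point of the model: only the first packet of the permitted flow and the denied and to-the-box packets reach NP3 or the CP, while the second packet of the established flow never leaves the fast path, yet still carries the same sequence offset that NP3 chose when the session was created.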
For further information on NP utilization, please refer to the following document: