The FWSM architecture is hierarchical, using four different components:
- Network Processor 1 (NP1)
- Network Processor 2 (NP2)
- Network Processor 3 (NP3)
- Control Point (CP, PC, CPU)
NP1 and NP2 are the front-line processors: they receive packets from the switch across the backplane connection and are the first to read and analyze all traffic. NP1 and NP2 each have three 1 Gigabit connections which connect the FWSM to the backplane of the switch. Added together, these give the 6 Gigabit link identified in the FWSM datasheets.
NP1 and NP2 are responsible for the following functions:
- Perform per packet session lookup
- Maintain connection table
- Perform NAT/PAT
- TCP checks
- Handle reassembled IP packets (NP2 only)
- TCP sequence number shift for "randomization"
- Syn Cookies
NP3 sits above NP1 and NP2. NP3 is also known as the session manager and performs the following functions:
- Processes first packet in a flow
- ACL checks
- Translation creation
- Embryonic/establish connection counts
- TCP/UDP checksums
- Per-flow offset calculation for TCP sequence number "randomization"
- TCP intercept
- IP reassembly
NP3 talks to NP1 and NP2 as well as the CP. All packets that come to NP3 must first be processed by NP1 and NP2.
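The division of labor described above can be sketched as a conceptual model; this is an added example, not Cisco code or the FWSM's actual implementation. The class names, the ACL represented as a set of allowed destination pairs, and the use of a random 32-bit offset are assumptions made for illustration.

```python
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


class SessionManager:
    """Slow path (NP3 role): handles the first packet in a flow."""

    def __init__(self, acl):
        self.acl = acl  # constructed rule set: allowed (dst_ip, dst_port) pairs

    def first_packet(self, flow):
        src_ip, src_port, dst_ip, dst_port = flow
        if (dst_ip, dst_port) not in self.acl:
            return None  # ACL check failed: no connection is created
        return secrets.randbelow(MOD)  # assumed: random per-flow offset


class FastPath:
    """Fast path (NP1/NP2 role): per-packet session lookup and sequence shift."""

    def __init__(self, session_manager):
        self.sm = session_manager
        self.conn_table = {}  # initiator's 4-tuple -> per-flow sequence offset

    def outbound(self, flow, seq):
        """Initiator's segment: returns the shifted seq, or None if dropped."""
        if flow not in self.conn_table:  # session lookup miss: punt upward
            offset = self.sm.first_packet(flow)
            if offset is None:
                return None
            self.conn_table[flow] = offset
        return (seq + self.conn_table[flow]) % MOD

    def inbound(self, flow, ack):
        """Reply segment (keyed by the initiator's 4-tuple): undo the shift."""
        offset = self.conn_table.get(flow)
        if offset is None:
            return None  # no session for this flow: dropped
        return (ack - offset) % MOD
```

Only the first packet of a flow reaches the session manager; later packets are served from the connection table, and the modulo arithmetic keeps the shift correct when the sequence number wraps past 2^32.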
The Control Point sits above NP3, and similarly only sees traffic that is forwarded via NP3. The Control Point is primarily responsible for performing Layer 7 fixups, for example on traffic that requires embedded NAT or command inspection. The CP is also responsible for handling traffic sourced from or destined to the FWSM itself:
- AAA (Radius/TACACS+)
- URL filtering (Websense/N2H2)
- Management traffic (telnet/SSH/HTTPS/SNMP)
- Failover communications
- Routing protocols
- Most Layer 7 fixups/inspections
For further information on NP utilization, please refer to the following document: