16-19
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 16 ASA FirePOWER (SFR) Module
Configure the ASA FirePOWER Module
ASDM Restrictions for Managing ASA FirePOWER
Keep the following restrictions in mind when configuring ASA FirePOWER using ASDM.
• If you enable command authorization on the ASA that hosts the module, you must log in with a user name that has privilege level 15 to see the ASA FirePOWER home, configuration, and monitoring pages. Read-only or monitor-only access to ASA FirePOWER pages other than the status page is not supported.
• If you configure the ASA in a failover pair, the ASA FirePOWER configuration is not automatically synchronized with the ASA FirePOWER module on the secondary device. Thus, you must manually export the ASA FirePOWER configuration from the primary and import it into the secondary every time you make a change. We recommend using FireSIGHT Management Center for any device configured for failover.
• If you are using Java 7_u51 up to Java 8, you need to import the SSL certificate from the ASA FirePOWER module to your workstation to view the configuration pages. Go to Wizard > ASDM Identity Certificate Wizard to obtain the certificate. Then, go to your Java Control Panel and import it, and restart ASDM. This is a general issue with these Java versions, and you will also need to import the certificate from the ASA to configure it through ASDM.
Redirect Traffic to the ASA FirePOWER Module
For inline and inline tap (monitor-only) modes, you configure a service policy to redirect traffic to the
module. If you want passive monitor-only mode, you configure a traffic redirection interface, which
bypasses ASA policies.
The following topics explain how to configure these modes.
Configure Inline or Inline Tap Monitor-Only Modes
Redirect traffic to the ASA FirePOWER module by creating a service policy that identifies specific
traffic that you want to send. In this mode, ASA policies, such as access rules, are applied to the traffic
before it is redirected to the module.
Before You Begin
• If you have an active service policy redirecting traffic to an IPS or CX module (that you replaced with the ASA FirePOWER), you must remove that policy before you configure the ASA FirePOWER service policy.
• Be sure to configure consistent policies on the ASA and the ASA FirePOWER (through FireSIGHT Management Center). Both policies should reflect the passive or inline mode of the traffic.
• In multiple context mode, perform this procedure within each security context.
Procedure
Step 1 Create an L3/L4 class map to identify the traffic that you want to send to the module.
class-map name
match parameter
Example:
hostname(config)# class-map firepower_class_map
hostname(config-cmap)# match access-list firepower
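The page stops after Step 1, so the following transcript is an added example, not part of the guide, that carries the inline-mode redirection described above through to an applied service policy. The class map and access-list names follow Step 1; the access-list contents (all IP traffic), the use of the ASA's default global_policy policy map, and the choice of fail-open are assumptions made for the example.

```cisco
! Added example (not from the guide). The ACL referenced by Step 1 must exist;
! here it is assumed to match all IP traffic so that everything is inspected.
hostname(config)# access-list firepower extended permit ip any any
hostname(config)# class-map firepower_class_map
hostname(config-cmap)# match access-list firepower
hostname(config-cmap)# exit
! Attach the class to the default global policy map (assumed to be present, as
! it is on a factory configuration) and send the matched traffic to the module.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class firepower_class_map
hostname(config-pmap-c)# sfr fail-open
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! Only needed if global_policy is not already applied globally.
hostname(config)# service-policy global_policy global
! Confirm that packets are being redirected.
hostname# show service-policy sfr
```

Two points a practitioner would check here: "sfr fail-open" lets traffic pass uninspected if the module fails or is reloaded, whereas "sfr fail-close" drops it, so choose according to whether availability or enforcement matters more for the traffic the class matches; and for the inline tap (monitor-only) mode mentioned above, the same line takes the "monitor-only" keyword ("sfr fail-open monitor-only"), which sends the module a copy of the traffic without letting it block anything, consistent with the guide's advice that the ASA and FireSIGHT policies should agree on passive versus inline operation.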