16-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 16 ASA FirePOWER (SFR) Module
The ASA FirePOWER Module
How the ASA FirePOWER Module Works with the ASA
You can configure your ASA FirePOWER module using one of the following deployment models:
•
Inline mode—In an inline deployment, the actual traffic is sent to the ASA FirePOWER module, and
the module’s policy affects what happens to the traffic. After dropping undesired traffic and taking
any other actions applied by policy, the traffic is returned to the ASA for further processing and
ultimate transmission.
•
Inline tap monitor-only mode (ASA inline)—In an inline tap monitor-only deployment, a copy of
the traffic is sent to the ASA FirePOWER module, but it is not returned to the ASA. Inline tap mode
lets you see what the ASA FirePOWER module would have done to traffic, and lets you evaluate the
content of the traffic, without impacting the network. However, in this mode, the ASA does apply
its policies to the traffic, so traffic can be dropped due to access rules, TCP normalization, and so
forth.
•
Passive monitor-only (traffic forwarding) mode—If you want to prevent any possibility of the ASA
with FirePOWER Services device impacting traffic, you can configure a traffic-forwarding interface
and connect it to a SPAN port on a switch. In this mode, traffic is sent directly to the ASA
FirePOWER module without ASA processing. The traffic is “black holed,” in that nothing is
returned from the module, nor does the ASA send the traffic out any interface. You must operate the
ASA in single context transparent mode to configure traffic forwarding.
Be sure to configure consistent policies on the ASA and the ASA FirePOWER. Both policies should
reflect the inline or monitor-only mode of the traffic.
The following sections explain these modes in more detail.
ASA FirePOWER Inline Mode
In inline mode, traffic goes through the firewall checks before being forwarded to the ASA FirePOWER
module. When you identify traffic for ASA FirePOWER inspection on the ASA, traffic flows through
the ASA and the module as follows:
1.
Traffic enters the ASA.
2.
Incoming VPN traffic is decrypted.
3.
Firewall policies are applied.
4.
Traffic is sent to the ASA FirePOWER module.
5.
The ASA FirePOWER module applies its security policy to the traffic, and takes appropriate actions.
6.
Valid traffic is sent back to the ASA; the ASA FirePOWER module might block some traffic
according to its security policy, and that traffic is not passed on.
7.
Outgoing VPN traffic is encrypted.
8.
Traffic exits the ASA.
The following figure shows the traffic flow when using the ASA FirePOWER module in inline mode. In
this example, the module blocks traffic that is not allowed for a certain application. All other traffic is
forwarded through the ASA.
Содержание ASA 5512-X
Страница 5: ...P A R T 1 Service Policies and Access Control ...
Страница 6: ......
Страница 50: ...3 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Access Rules History for Access Rules ...
Страница 51: ...P A R T 2 Network Address Translation ...
Страница 52: ......
Страница 126: ...5 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 NAT Examples and Reference DNS and NAT ...
Страница 127: ...P A R T 3 Application Inspection ...
Страница 128: ......
Страница 255: ...P A R T 4 Connection Settings and Quality of Service ...
Страница 256: ......
Страница 288: ...12 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Quality of Service History for QoS ...
Страница 303: ...P A R T 5 Advanced Network Protection ...
Страница 304: ......
Страница 339: ...P A R T 6 ASA Modules ...
Страница 340: ......
Страница 398: ...17 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 ASA CX Module History for the ASA CX Module ...