ASA FirePOWER Inline Mode - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
About the ASA FirePOWER Module
Be sure to configure consistent policies on the ASA and the ASA FirePOWER. Both policies should
reflect the inline or monitor-only mode of the traffic.
The following sections explain these modes in more detail.

ASA FirePOWER Inline Mode

In inline mode, traffic goes through the firewall checks before being forwarded to the ASA FirePOWER
module. When you identify traffic for ASA FirePOWER inspection on the ASA, traffic flows through
the ASA and the module as follows:
1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the ASA FirePOWER module.
5. The ASA FirePOWER module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the ASA; the ASA FirePOWER module might block some traffic
   according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the ASA.
The following figure shows the traffic flow when using the ASA FirePOWER module in inline mode. In
this example, the module blocks traffic that is not allowed for a certain application. All other traffic is
forwarded through the ASA.

ASA FirePOWER Monitor-Only Modes

Inline tap monitor-only mode (ASA inline)—In an inline tap monitor-only deployment, a copy of
the traffic is sent to the ASA FirePOWER module, but it is not returned to the ASA. Inline tap mode
lets you see what the ASA FirePOWER module would have done to traffic, and lets you evaluate the
content of the traffic, without impacting the network. However, in this mode, the ASA does apply
its policies to the traffic, so traffic can be dropped due to access rules, TCP normalization, and so
forth.

Passive monitor-only (traffic forwarding) mode—If you want to prevent any possibility of the ASA
with FirePOWER Services device impacting traffic, you can configure a traffic-forwarding interface
and connect it to a SPAN port on a switch. In this mode, traffic is sent directly to the ASA
FirePOWER module without ASA processing. The traffic is "black holed," in that nothing is
returned from the module, nor does the ASA send the traffic out any interface. You must operate the
ASA in single context transparent mode to configure traffic forwarding.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 7, ASA FirePOWER Module, page 7-2
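The following ASA CLI configuration is an added example, not taken from the Cisco guide, showing how each of the three modes described above (inline, inline tap monitor-only, and passive traffic forwarding) is expressed on the ASA side so that it matches the mode chosen in the module's policy. The class-map name SFR_INSPECT, the ACL name SFR_TRAFFIC, the excluded subnet 10.10.20.0/24 and the interface GigabitEthernet0/5 are assumptions for illustration; global_policy is the ASA's default global policy map.

```cisco
! Added example (not from the Cisco guide): ASA CLI for each of the three modes.
! Assumed names: class-map SFR_INSPECT, ACL SFR_TRAFFIC, subnet 10.10.20.0/24,
! interface GigabitEthernet0/5. global_policy is the ASA's default policy map.

! ---- Inline mode -------------------------------------------------------------
! Select the traffic the ASA hands to the module (flow step 4). Bulk backup
! traffic from 10.10.20.0/24 is excluded; everything else is inspected.
access-list SFR_TRAFFIC extended deny ip 10.10.20.0 255.255.255.0 any
access-list SFR_TRAFFIC extended permit ip any any

class-map SFR_INSPECT
 match access-list SFR_TRAFFIC

policy-map global_policy
 class SFR_INSPECT
  ! Inline: the module can drop traffic. fail-open keeps traffic flowing
  ! uninspected if the module is down; use "sfr fail-close" to drop instead.
  sfr fail-open

service-policy global_policy global

! ---- Inline tap monitor-only mode -------------------------------------------
! Same match, monitor-only action: the module receives a copy and can only
! observe. The ASA's own access rules and TCP normalization still apply.
! All sfr actions on this ASA must then be monitor-only; inline and
! monitor-only actions cannot be combined on the same device.
policy-map global_policy
 class SFR_INSPECT
  no sfr fail-open
  sfr fail-open monitor-only

! ---- Passive monitor-only (traffic forwarding) mode -------------------------
! Only in single-context transparent mode. "firewall transparent" clears
! the running configuration, so set it before anything else.
firewall transparent
! Dedicated interface cabled to a switch SPAN port: no nameif, no IP address.
! Frames received here go straight to the module and are never sent out.
interface GigabitEthernet0/5
 no nameif
 traffic-forward sfr monitor-only
 no shutdown

! ---- Verification -----------------------------------------------------------
show module sfr details
show service-policy sfr
show interface GigabitEthernet0/5
```

After applying one of the three variants, check `show service-policy sfr` (or `show interface` for the traffic-forward port) to confirm packets are actually being redirected, and make sure the access control policy on the module was created for the same mode: a module policy set to block while the ASA sends only a tap copy cannot drop anything, and a module policy in passive mode behind an inline redirect silently passes traffic it was expected to stop.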
