Cisco ASA 5506-X Configuration Manual page 359

Chapter 16
ASA FirePOWER (SFR) Module
ASDM Restrictions for Managing ASA FirePOWER
Keep the following restrictions in mind when configuring ASA FirePOWER using ASDM.
• If you enable command authorization on the ASA that hosts the module, you must log in with a user
  name that has privilege level 15 to see the ASA FirePOWER home, configuration, and monitoring
  pages. Read-only or monitor-only access to ASA FirePOWER pages other than the status page is
  not supported.
• If you configure the ASA in a failover pair, the ASA FirePOWER configuration is not automatically
  synchronized with the ASA FirePOWER module on the secondary device. Thus, you must manually
  export the ASA FirePOWER configuration from the primary and import it into the secondary every
  time you make a change. We recommend using FireSIGHT Management Center for any device
  configured for failover.
• If you are using Java 7_u51 up to Java 8, you need to import the SSL certificate from the ASA
  FirePOWER module to your workstation to view the configuration pages. Go to Wizard > ASDM
  Identity Certificate Wizard to obtain the certificate. Then, go to your Java Control Panel and
  import it, and restart ASDM. This is a general issue with these Java versions, and you will also need
  to import the certificate from the ASA to configure it through ASDM.
Redirect Traffic to the ASA FirePOWER Module
For inline and inline tap (monitor-only) modes, you configure a service policy to redirect traffic to the
module. If you want passive monitor-only mode, you configure a traffic redirection interface, which
bypasses ASA policies.
The following topics explain how to configure these modes.
Configure Inline or Inline Tap Monitor-Only Modes
Redirect traffic to the ASA FirePOWER module by creating a service policy that identifies specific
traffic that you want to send. In this mode, ASA policies, such as access rules, are applied to the traffic
before it is redirected to the module.
Before You Begin
• If you have an active service policy redirecting traffic to an IPS or CX module (that you replaced
  with the ASA FirePOWER), you must remove that policy before you configure the ASA
  FirePOWER service policy.
• Be sure to configure consistent policies on the ASA and the ASA FirePOWER (through FireSIGHT
  Management Center). Both policies should reflect the passive or inline mode of the traffic.
• In multiple context mode, perform this procedure within each security context.
Procedure
Step 1  Create an L3/L4 class map to identify the traffic that you want to send to the module.
class-map name
match parameter
Example:
hostname(config)# class-map firepower_class_map
hostname(config-cmap)# match access-list firepower
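A check for the first Before You Begin item, added here as an example and not taken from the Cisco guide: it scans a running-config for IPS or CX redirects that are still bound to an applied service policy. The `ips`, `cxsc` and `sfr` class actions are assumed from ASA CLI usage (they do not appear on this page), `audit_redirects` is a hypothetical name, and the sample configuration is constructed.

```python
import re

# Redirect actions inside a policy-map class (assumed, not on this page):
# `sfr` sends traffic to ASA FirePOWER; `ips` and `cxsc` are the older modules.
LEGACY = {"ips": "IPS", "cxsc": "CX"}

# Constructed sample running-config fragment.
SAMPLE_CONFIG = """\
class-map firepower_class_map
 match access-list firepower
class-map old_ips_class
 match any
policy-map global_policy
 class old_ips_class
  ips inline fail-open
 class firepower_class_map
  sfr fail-open
policy-map unused_policy
 class old_ips_class
  cxsc fail-open
service-policy global_policy global
"""

def audit_redirects(config):
    """Return (legacy redirects, sfr redirects) found in applied policy maps."""
    active = set(re.findall(r"^service-policy\s+(\S+)", config, re.M))
    legacy, sfr = [], []
    pmap = cls = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level command resets the scope
            pmap = words[1] if words[0] == "policy-map" and len(words) > 1 else None
            cls = None
        elif pmap and words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif pmap in active and cls:  # only policies bound by service-policy
            if words[0] in LEGACY:
                legacy.append((pmap, cls, LEGACY[words[0]]))
            elif words[0] == "sfr":
                sfr.append((pmap, cls))
    return legacy, sfr

if __name__ == "__main__":
    for pmap, cls, module in audit_redirects(SAMPLE_CONFIG)[0]:
        print(f"remove before adding sfr: {module} redirect in {pmap}/{cls}")
```

In multiple context mode, run it against the configuration of each security context.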
Configure the ASA FirePOWER Module
Cisco ASA Series Firewall CLI Configuration Guide
16-19