
Introduction to and Design of Cisco ASA with FirePOWER Services

Chapter Description

In this chapter from Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP, authors Omar Santos, Panos Kampanakis, and Aaron Woland provide an introduction to the Cisco ASA with FirePOWER Services solution. The chapter also provides design guidance and best practices for deploying Cisco ASA with FirePOWER Services.

Inline versus Promiscuous Mode

The Cisco ASA FirePOWER module can be configured in either of the following modes:

  1. Inline mode

  2. Promiscuous monitor-only (passive) mode

Inline Mode

When the Cisco ASA FirePOWER module is configured in inline mode, the traffic passes through the firewall policies before it is sent to the Cisco ASA FirePOWER module.

Figure 2-1 illustrates the order of operations when the Cisco ASA FirePOWER module is configured in inline mode.

Figure 2-1 Inline Mode

  1. Network traffic is received on a given interface of the Cisco ASA. In this example, the traffic is received on the outside interface.

  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.

  3. Firewall policies are applied to the traffic.

  4. If the traffic is compliant and allowed by the firewall policies, it is sent to the Cisco ASA FirePOWER module.

  5. The Cisco ASA FirePOWER module inspects the traffic, applies its security policies, and takes the appropriate action. If traffic is not compliant with security policies or is determined to be malicious, the Cisco ASA FirePOWER module sends a verdict back to the ASA, and the ASA blocks the traffic and alerts the network security administrator. All valid traffic is allowed by the Cisco ASA.

  6. If IPsec or SSL VPN is configured, the outgoing traffic is encrypted.

  7. The network traffic is sent to the network.

Promiscuous Monitor-Only Mode

When the Cisco ASA FirePOWER module is configured in promiscuous monitor-only mode, a copy of each packet of the traffic that is defined in the service policy is sent to the Cisco ASA FirePOWER module.

Figure 2-2 illustrates the order of operations when the Cisco ASA FirePOWER module is configured in promiscuous monitor-only mode:

Figure 2-2 Promiscuous Monitor-Only Mode

  1. Network traffic is received on a given interface of the Cisco ASA. In this example, the traffic is received on the outside interface.

  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.

  3. Firewall policies are applied to the traffic.

  4. If the traffic is compliant and allowed by the firewall policies, a copy of each packet is sent to the Cisco ASA FirePOWER module. If traffic is not compliant with security policies or is determined to be malicious, the Cisco ASA FirePOWER module can be configured to alert the administrator, but it does not block the traffic.

  5. If IPsec or SSL VPN is configured, the outgoing traffic is encrypted.

  6. The network traffic is sent to the network.

As you can see, the most secure and effective way to configure the Cisco ASA FirePOWER module is in inline mode. You can configure the Cisco ASA FirePOWER module in promiscuous monitor-only mode when you are evaluating and performing capacity planning for a new deployment.
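The ASA-side service policy is what selects the mode: the `sfr` action under the matching class either enforces the module's verdict (inline) or only sends a copy of each packet (`monitor-only`). The following is an added configuration example, not from the chapter; the names SFR-TRAFFIC and SFR-CLASS are assumed placeholders, and the two policy-map blocks are alternatives, not both applied at once.

```cisco
! Added example (not from the chapter). SFR-TRAFFIC and SFR-CLASS are
! assumed names; global_policy is the ASA's default global policy map.
!
! Select the traffic to redirect to the FirePOWER module. An ACL is
! used here so flows the module should never see can be excluded.
access-list SFR-TRAFFIC extended permit ip any any
!
class-map SFR-CLASS
 match access-list SFR-TRAFFIC
!
! --- Alternative A: inline mode -------------------------------------
! The ASA enforces the module's verdict and drops traffic the module
! flags. fail-close drops traffic if the module is down or unresponsive;
! fail-open would forward it uninspected in that situation.
policy-map global_policy
 class SFR-CLASS
  sfr fail-close
!
! --- Alternative B: promiscuous monitor-only mode ------------------
! The module receives a copy of each packet and can alert, but the ASA
! never drops on its verdict. Suited to evaluation and capacity
! planning; the fail-open/fail-close keyword only governs what happens
! to the original traffic when the module is unavailable.
policy-map global_policy
 class SFR-CLASS
  sfr fail-open monitor-only
!
! Apply the policy. "global" attaches it to every interface; a
! per-interface service-policy can be used to scope it instead.
service-policy global_policy global
```

When moving from monitor-only to inline, the only change is removing the `monitor-only` keyword on the `sfr` line; choose fail-close where uninspected forwarding during a module outage is unacceptable.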

The Cisco ASA FirePOWER module modes are a bit different from those of the Cisco FirePOWER Series of appliances, which support the following deployment modes/options:

  • Standalone IPS (active/standby)

  • Clustering

  • SourceFire Redundancy Protocol (SFRP)

  • Bypass and non-bypass modules

Cisco FirePOWER Series next-generation intrusion prevention systems (NGIPS) appliances can be deployed in multiple modes at once:

  • Passive

  • Inline

  • Routed

  • Switched
