3 Replies Latest reply: Aug 5, 2016 5:42 AM by rajesh.mohapatra@hyh.com

Management of ASA with Firepower Services

Mi900009461

Hello all, I am new to the community, and after watching multiple video presentations regarding the ASA with Firepower Services I have a few questions.


  • An ASA with Firepower Services requires a Firesight management device (physical or virtual) - Correct?
    • Is there a High Availability option for a physical Firesight management?
  • Does the Firesight management also manage the ASA's firewall rules?
    • I ask because I believe there was mention that a rule could have a specific IPS policy assigned to it.
    • If this is true I would believe that the use of CLI or ASDM on the ASA would no longer be usable - Correct?
  • When changes are made on the Firesight management station, are they applied immediately to the ASA, like managing via CLI, or is there another step to applying the changes?
  • When changes are applied, what, if anything, happens to existing connections?
  • 1. Re: Management of ASA with Firepower Services
    ConstantinMohorea

    - With 6.0 you can manage FirePower with ASDM on any ASA. However, you will miss all the analytical beauty of FireSight, essentially the "After" part of the "Before, During, After" concept.

    - The ruleset is independent; however, you may decide to configure all your rules in FireSight. Firepower Threat Defense, on the other hand, works as you describe: all configuration is by FTD, and in the CLI you can only do "show" stuff. And if I am not mistaken, FTD is at the moment available only on virtual vNGIPS.

    - Typically you have to apply/deploy changes.

  • 2. Re: Management of ASA with Firepower Services
    dennisperto

    An ASA with Firepower Services requires a Firesight management device (physical or virtual) - Correct?

    - That is correct.


    Is there a High Availability option for a physical Firesight management?

    - Read about this in the bottom of Table 2 on this page: http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-732251.html


    Does the Firesight management also manage the ASA's firewall rules?

    - Not yet. Cisco is developing Firepower Threat Defense, which does exactly that.


    I ask because I believe there was mention that a rule could have a specific IPS policy assigned to it.

    - This is correct in terms of Firepower Access Control rules, not ASA firewall rules.


    If this is true I would believe that the use of CLI or ASDM on the ASA would no longer be usable - Correct?

    - The new Threat Defense system will be managed from Firepower Management Center, not the CLI or ASDM.


    When changes are made on the Firesight management station, are they applied immediately to the ASA, like managing via CLI, or is there another step to applying the changes?

    - No. You will have to deploy the new policy to the Firepower sensor first.


    When changes are applied, what, if anything, happens to existing connections?

    - I am actually not sure about this. I have never seen any connections being dropped when applying policy. Cisco has made a note about this in their manual: Firepower Management Center Configuration Guide, Version 6.0 - Policy Management [Cisco FireSIGHT Management Center] -…

    • When you enable Inspect traffic during policy apply:
      • Certain configurations can require the Snort process to restart.
      • When the configurations you deploy do not require a Snort restart, the system initially uses the currently deployed access control policy to inspect traffic, and switches during deployment to the access control policy you are deploying.
    • When you disable Inspect traffic during policy apply, the Snort process always restarts when you deploy.
    • How a Snort restart affects traffic depends on the interface configuration and the platform.


    I hope this helps.

  • 3. Re: Management of ASA with Firepower Services
    rajesh.mohapatra@hyh.com

    It is a great explanation. Can I configure all my rules which I have configured in the ASA in Firepower?