Network technologies and trends

Aug 20 2016   11:40AM GMT

Cisco ASA FirePOWER deployment options – Series 2

Yasir Irfan

Tags:
ASA
Cisco
Decryption
Encryption
IPsec
Security
Security policies
Ssl vpn
traffic

The Cisco ASA FirePOWER module can be configured in promiscuous monitor-only mode, also known as passive mode. As the name suggests, in passive mode the Cisco ASA FirePOWER module does nothing to the traffic passing through the ASA. Instead, the ASA forwards a copy of each packet to the Cisco ASA FirePOWER module while the original packet is forwarded as usual.

The figure below illustrates the complete order of operations of the Cisco ASA FirePOWER module in promiscuous monitor-only (passive) mode.

Figure 1.1 – ASA FirePOWER Module in promiscuous monitor-only (passive) mode

Suppose Host A sends traffic to Host B; the traffic goes through the following process:

  1. Traffic sent from Host A is received on the Outside interface of the ASA firewall.
  2. If IPsec or SSL VPN is configured, the incoming encrypted traffic is decrypted.
  3. Firewall policies are applied to the decrypted traffic.
  4. If the received traffic is compliant with and allowed by the ASA policies, a copy of the traffic is sent to the ASA FirePOWER module. If the traffic is not compliant with the security policies or is malicious in nature, the Cisco ASA FirePOWER module can be configured to send an alert to the network security administrator; however, it cannot take any action to stop the malicious or non-compliant traffic.
  5. If IPsec or SSL VPN is configured, the decrypted traffic is encrypted again.
  6. The processed traffic is then forwarded out of the respective interface, in this case the Inside interface.

One can see the real benefit of the Cisco ASA FirePOWER module only in inline mode, as promiscuous monitor-only (passive) mode has no capability to take any action on infected or non-compliant traffic. Passive mode is nevertheless useful for proofs of concept, and it is a good way to do capacity planning for any new deployment, since the module sees the real traffic volume without being able to affect it.
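As an added example of how this mode is switched on from the ASA side (this configuration is not part of the original post; the access-list name, class-map name and the 10.0.0.0/8 address range are assumptions), the ASA Modular Policy Framework configuration that copies traffic to the module in monitor-only mode:

```cisco
! Added example, not from the original post: ASA MPF configuration that sends
! a COPY of selected traffic to the ASA FirePOWER (sfr) module in promiscuous
! monitor-only (passive) mode. Names and the 10.0.0.0/8 range are assumptions.

! Select the traffic the module should see; "match any" in the class-map
! would copy every flow instead of only the flows matched by this ACL.
access-list SFR_REDIRECT extended permit ip 10.0.0.0 255.0.0.0 any
access-list SFR_REDIRECT extended permit ip any 10.0.0.0 255.0.0.0

class-map SFR_CLASS
 match access-list SFR_REDIRECT

! The sfr action is added to the default global policy so it applies on every
! interface. "monitor-only" is what makes this passive: the ASA forwards the
! original packet normally and the module can only generate events, never drop.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open monitor-only

service-policy global_policy global

! Inline mode is the same action without "monitor-only"; only then does the
! fail-open / fail-close choice decide what happens to traffic when the module
! is down, e.g.:
!  sfr fail-close

! Verify that flows are being copied to the module and that it is healthy.
! show service-policy sfr
! show module sfr details
```

Because the module only receives a copy, an event seen in passive mode is evidence that the matching flow was already forwarded, which is exactly the behaviour the order of operations above describes.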
