Overblog Follow this blog
Edit post Administration Create my blog
Cisco & Cisco Network Hardware News and Technology

Discussion: Management of ASA with Firepower Services

March 3 2016 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall, #Cisco & Cisco Network

Cisco ASA with FirePOWER Services-Key Security Features

Cisco ASA with FirePOWER Services-Key Security Features

Discussion: Management of ASA with Firepower Services

We talked Cisco ASA with Firepower Services a lot before. With Cisco ASA with FirePOWER Services, you consolidate multiple security layers in a single platform, eliminating the cost of buying and managing multiple solutions.

The Cisco Firepower Next-Generation Firewall is the industry’s first fully integrated, threat-focused next-gen firewall with unified management. It includes Application Visibility and Control (AVC), optional Firepower next-gen IPS (NGIPS), Cisco Advanced Malware Protection (AMP), and URL Filtering. Cisco Firepower NGFW provides advanced threat protection before, during, and after attacks.

Cisco ASA with FirePOWER Services, Stop more threats with a threat-focused NGFW

Beat sophisticated cyber attacks with superior security. We offer the industry’s first threat-focused next-generation firewall (NGFW). You get the confidence of the most-deployed stateful firewall combined with application control, next-generation intrusion prevention system (NGIPS), and advanced malware protection (AMP).

Discussion: Management of ASA with Firepower Services

There are a few questions about the Management of ASA with Firepower Services. Let’s look at the discussion from Cisco Communities

1. An ASA with Firepower Services requires a Firesight management device (physical or virtual) - Correct?

Yes, that’s correct.

2. Is there a High Availability option for a physical Firesight management?

Read about this in the bottom of Table 2 on this page:

http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-732251.html

3. Does the Firesight management also manage the ASA's firewall rules?

--Not yet. Cisco is developing Firepower Threat Defence that does excately that.

4. I ask because I believe there was mention that a rule could have a specific IPS policy assigned to it. This is correct in the terms on Firepower Access Control Rules. Not ASA firewall rules.

5. If this is true I would believe that the use of CLI or ASDM on the ASA would no longer be usable - Correct?

The new Threat Defence system will be managed from Firepower Management Center. Not CLI nor ASDM.

6. When changes are made on the Firesight management station are they applied immediately to the ASA, like managing via CLI or is there another step to applying he changes?

No. You will have to deploy the new policy to the Firepower sensor first.

7. When change are applied what if anything happens to existing connections?

- I actually am not sure about this. I have never seen any connections being dropped when applying policy. Cisco has made a note about this in their manual: Firepower Management Center Configuration Guide, Version 6.0 - Policy Management [Cisco FireSIGHT Management Center] -…

  • When you enable Inspect traffic during policy apply:
    • Certain configurations can require the Snort process to restart.
    • When the configurations you deploy do not require a Snort restart, the system initially uses the currently deployed access control policy to inspect traffic, and switches during deployment to the access control policy you are deploying.
  • When you disable Inspect traffic during policy apply, the Snort process always restarts when you deploy.
  • How a Snort restart affects traffic depends on the interface configuration and the platform.

Original Discussion from https://communities.cisco.com/thread/59509

More Related…

What are the Considerations While Buying a Cisco Next-Generation Firewall?

NGFW-Cisco ASA with FirePOWER Services

Cisco ASA 5500-X Series’ New Features & Main Model Comparison

How to Enable the Wireless Access Point (ASA 5506W-X)?

How to Deploy the ASA 5508-X or ASA 5516-X in Your Network?

Cisco ASA 5506-X with Version 9.4.1–Policy Based Routing

ASA 5508-X and ASA 5516-X Overview

ASA 5506-X/SecurityPlus, 5506W-X & 5506H-X, Cisco ASA with FirePOWER Services, What’s New Here?

Share this post

Repost 0

Comment on this post