7-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 ASA FirePOWER Module
About the ASA FirePOWER Module
Figure 7-2 ASA FirePOWER Inline Tap Monitor-Only Mode
ASA FirePOWER Passive Monitor-Only Traffic Forwarding Mode
If you want to operate the ASA FirePOWER module as a pure Intrusion Detection System (IDS), where
there is no impact on the traffic at all, you can configure a traffic forwarding interface. A traffic
forwarding interface sends all received traffic directly to the ASA FirePOWER module without any ASA
processing.
The module applies the security policy to the traffic and lets you know what it would have done if it were
operating in inline mode; for example, traffic might be marked “would have dropped” in events. You can
use this information for traffic analysis and to help you decide if inline mode is desirable.
Traffic in this setup is never forwarded: neither the module nor the ASA sends the traffic on to its
ultimate destination. You must operate the ASA in single context and transparent modes to use this
configuration.
The following figure shows an interface configured for traffic-forwarding. That interface is connected to
a switch SPAN port so the ASA FirePOWER module can inspect all of the network traffic. Another
interface sends traffic normally through the firewall.
Figure 7-3 ASA FirePOWER Passive Monitor-Only, Traffic-Forwarding Mode
ASA
Main System
inside
ASA FirePOWER
ASA FirePOWER
inspection
outside
VPN
Decryption
Firewall
Policy
Copied Traffic
371445
Gig 1/3
Gig 1/1
SPAN
Port
ASA
Main System
ASA FirePOWER
Backplane
ASA FirePOWER
inspection
Forwarded Traffic
Switch
403428
inside outside
VPN
Decryption
Firewall
Policy
To Next Page
Loading...
Need help?
General
