Cisco FirePOWER: Inline + TAP

Can a production ASA with the FirePOWER module running as an inline IPS also do detection on traffic passively spanned from a switch port? With a Firepower Threat Defense (FTD) appliance this can be done without losing any functionality of the production sensor, as discussed here. Let's find out whether an ASA FirePOWER module can be turned into an IDS on a stick.

Components:
Cisco FirePOWER: 6.0

When traffic traverses the ASA, we hand it to the module with a service-policy, configured in Inline IPS or Inline IDS (Monitor-Only) mode as described in this article.

To operate the module in passive (TAP) monitor-only mode instead, we configure a traffic-forwarding interface and connect that interface to a SPAN port on a switch. The ASA itself does not forward or inspect anything received on that port; it is handed straight to the SFR module.

CLI commands needed are listed below. The interface has no nameif and no security level, so it cannot carry ASA traffic; it must still be enabled with no shutdown, as ASA physical interfaces are shut down by default.

firewall transparent
!
interface GigabitEthernet1/1
 no nameif
 no security-level
 traffic-forward sfr monitor-only
 no shutdown

Easy, right? But wait, because limitations apply:

  • The ASA must be in single-context and transparent mode.
  • Traffic-forwarding interfaces must be physical interfaces, not VLAN or BVI interfaces.
  • Traffic-forwarding interfaces cannot be used for ASA traffic, failover or management-only.
  • You cannot configure both a traffic-forwarding interface and a service policy for ASA FirePOWER traffic on the same ASA.
  • Not supported by TAC, per the warning below.
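Before touching a production box it is worth checking these constraints against the actual configuration rather than from memory. The script below is an added example, not code from the original post or from Cisco: it parses the text of show running-config (the two sample configs are constructed, hypothetical devices) and reports which of the listed limitations a traffic-forwarding interface would violate, including the service-policy conflict that silently rules out the Inline-plus-TAP combination asked about at the top of the post.

```python
"""Pre-flight check for an ASA FirePOWER traffic-forwarding (TAP) interface.

Added example, not the original post's or Cisco's code. Parses the text of
`show running-config` and flags violations of the documented constraints:
single-context transparent mode, physical interface, no nameif/failover/
management-only use of the interface, interface enabled, and no service
policy already redirecting flows to the sfr module.
"""
import re

# Constructed sample: transparent-mode ASA with one TAP interface and nothing else.
CLEAN_CONFIG = """\
ASA Version 9.5(2)
!
firewall transparent
!
interface GigabitEthernet1/1
 no nameif
 no security-level
 traffic-forward sfr monitor-only
 no shutdown
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
!
"""

# Constructed sample: same box, but a policy-map also sends traffic to the module.
CONFLICTING_CONFIG = CLEAN_CONFIG + """\
class-map sfr-class
 match any
policy-map global_policy
 class sfr-class
  sfr fail-open monitor-only
!
service-policy global_policy global
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every 'interface' block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return interfaces


def check_traffic_forward(config):
    """Return a list of problem strings; an empty list means TAP mode is usable."""
    problems = []
    lines = [l.strip() for l in config.splitlines()]

    # Limitation: single-context transparent mode only.
    if "firewall transparent" not in lines:
        problems.append("ASA is in routed mode; traffic-forward needs 'firewall transparent'")
    if "mode multiple" in lines:
        problems.append("ASA is multi-context; traffic-forward needs single-context mode")

    ifaces = parse_interfaces(config)
    tap_ifaces = [name for name, cmds in ifaces.items()
                  if any(c.startswith("traffic-forward sfr") for c in cmds)]
    if not tap_ifaces:
        problems.append("no interface carries 'traffic-forward sfr monitor-only'")

    for name in tap_ifaces:
        cmds = ifaces[name]
        # Limitation: physical interfaces only, not VLAN or BVI.
        if re.match(r"(Vlan|BVI)\d", name, re.IGNORECASE):
            problems.append(f"{name}: traffic-forward interface must be physical, not VLAN/BVI")
        # Limitation: no ASA traffic (nameif) and no management-only on the interface.
        if any(c.startswith("nameif ") for c in cmds):
            problems.append(f"{name}: has nameif, so it also carries ASA traffic")
        if "management-only" in cmds:
            problems.append(f"{name}: management-only interfaces cannot be traffic-forwarding")
        if "shutdown" in cmds:
            problems.append(f"{name}: interface is shut down; add 'no shutdown'")

    # Limitation: failover interfaces are declared at top level, e.g.
    # 'failover lan interface fover GigabitEthernet1/3'.
    for l in lines:
        m = re.match(r"failover (?:lan|link) interface \S+ (\S+)", l)
        if m and m.group(1) in tap_ifaces:
            problems.append(f"{m.group(1)}: used for failover, cannot be traffic-forwarding")

    # Limitation: a policy-map action 'sfr ...' (inline IPS/IDS) cannot coexist
    # with a traffic-forwarding interface on the same ASA.
    if any(l.startswith("sfr ") for l in lines):
        problems.append("a policy-map already redirects traffic to the sfr module; "
                        "TAP and inline cannot be combined on one ASA")
    return problems


if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("conflicting", CONFLICTING_CONFIG)):
        print(label, check_traffic_forward(cfg) or ["OK"])
```

Feed it the saved output of show running-config; an empty result means the box meets the documented prerequisites, while the conflicting sample above reproduces exactly the situation in the post: a working inline service-policy is itself the reason the TAP interface cannot be added.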

FirePOWER TAP mode

So after all is said and done, it turns out that if I have an ASA in routed, multi-context or inline mode, then none of the available ports can be used for TAP. My only options are to migrate it to an FTD appliance (limitations aside) or get a 5506-X, a low-TCO SMB unit, convert it to transparent mode with 9.5 code and use it in TAP mode on up to 4 interfaces.
