Can a production ASA running FirePOWER as an Inline IPS also inspect traffic passively spanned from a switch port? It can be done with a Firepower Threat Defence (FTD) appliance without losing any functionality of the production sensor, as discussed here. Let's find out whether the FirePOWER module can be turned into an IDS on a stick.
Components:
Cisco FirePOWER: 6.0
When traffic traverses the ASA, we use a service policy to redirect it to the module in either Inline IPS or Inline IDS (Monitor-Only) mode, following this article.
To operate the module in passive (TAP) monitor-only mode instead, we need to configure a traffic-forwarding interface and connect it to a SPAN port on a switch.
The CLI commands needed are listed below.
firewall transparent
!
interface GigabitEthernet1/1
no nameif
no security-level
traffic-forward sfr monitor-only
Easy, right? But wait, because the following limitations apply:
- The ASA must be in single-context and transparent mode.
- Traffic-forwarding interfaces must be physical interfaces, not VLANs or BVIs.
- Traffic-forwarding interfaces cannot be used for ASA traffic, for failover, or as management-only interfaces.
- You cannot configure both a traffic-forwarding interface and a service policy for ASA FirePOWER traffic.
- Not supported by TAC, based on the warning below.
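As an added example (not from the original post), here is a small Python pre-flight check that reads an ASA running-config and reports which of the listed preconditions for `traffic-forward sfr monitor-only` it violates. The config text is constructed for illustration, and the single-context requirement is not checked because it is not visible in a context's own configuration.

```python
import re

# Constructed sample ASA running-config (not from the original post): a
# transparent single-context box with one traffic-forwarding port.
SAMPLE_CONFIG = """\
firewall transparent
!
interface GigabitEthernet1/1
 no nameif
 no security-level
 traffic-forward sfr monitor-only
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def check_traffic_forward(config):
    """Return the documented preconditions violated by this running-config."""
    lines = [l.rstrip() for l in config.splitlines()]
    problems = []
    if "firewall transparent" not in lines:
        problems.append("ASA is not in transparent mode")
    # An sfr redirect in a policy-map class cannot coexist with traffic-forwarding.
    if any(re.match(r"\s*sfr fail-(open|close)\b", l) for l in lines):
        problems.append("service-policy already sends traffic to sfr")
    for name, cmds in parse_interfaces(config).items():
        if "traffic-forward sfr monitor-only" not in cmds:
            continue
        if name.startswith(("BVI", "Vlan")) or "." in name:
            problems.append(f"{name}: not a physical interface")
        if any(re.match(r"nameif \S+", c) for c in cmds):
            problems.append(f"{name}: has a nameif, so it carries ASA traffic")
        if "management-only" in cmds:
            problems.append(f"{name}: is management-only")
        if any(re.match(rf"failover (lan interface|link) \S+ {re.escape(name)}$", l) for l in lines):
            problems.append(f"{name}: used as a failover interface")
    return problems
```

Run `check_traffic_forward()` over the output of `show running-config` before committing the TAP configuration; an empty list means none of the listed limitations is tripped.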
So, after all is said and done, it turns out that if I have an ASA in routed, multi-context or Inline (service-policy) mode, none of the available ports can be used as a TAP. My only options are to migrate to an FTD appliance (limitations aside) or to get a 5506-X, a low-TCO SMB unit, convert it to transparent mode with 9.5 code and use it in TAP mode on up to 4 interfaces.