Wednesday, July 25, 2018

Firepower Inspection Scope

Hello all,

I have tried posting on various forums and have read a large volume of Cisco documentation, but can't seem to find the scope of Firepower inspection to ASA "self" when it is running in an ASA as a virtual module. Specifically, I know that traffic going into one interface and leaving another can be fed through the Firepower module for inspection, but what if traffic is being delivered to ASA self?

For example, if an attacker is hitting the ASA's AnyConnect web portal, that traffic would go to ASA self, not through the ASA, so would it be inspected by the embedded Firepower module? This would also apply to management traffic such as SSH.

Another use case would be: can Firepower throw an alert that the ASA is being scanned by Qualys or similar? Most of the scan would be filtered by the ASA's reflexive ACL and dropped before being processed by Firepower, but for services open to the public like the AnyConnect web portal, what would I see, if anything?

Cisco describes redirecting traffic to the Firepower module on an ASA here, under the "Redirect Traffic to the SFR Module" header: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc12
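For reference, this is the shape of the MPF service-policy redirect the linked section describes, added here as an illustration and not copied from the Cisco document or written by the post author; the class and policy names are arbitrary, and the `show` command at the end is the check a practitioner would use to confirm which flows are actually being handed to the module.

```cisco
! Select the traffic to hand to the SFR (Firepower) module.
! "match any" is the broadest selector; a narrower ACL-based match
! (match access-list <name>) can be used instead to scope inspection.
class-map sfr_redirect_class
 match any

! Attach the selector to the global policy and redirect to the module.
! fail-open  : if the module is down, traffic continues uninspected.
! fail-close : if the module is down, matching traffic is dropped.
! (monitor-only can be appended for passive/IDS-style inspection.)
policy-map global_policy
 class sfr_redirect_class
  sfr fail-open

! Apply the policy to every interface.
service-policy global_policy global

! Verification: the SFR counters show how many packets/flows the
! service policy redirected. Comparing these counters while exercising
! to-the-box services (AnyConnect portal, SSH) against through-traffic
! is the practical way to answer the scope question raised above.
show service-policy sfr
```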

Thanks in advance.
