CCIE or Null!

My journey to CCIE!

Packet Flow with FirePower.

leave a comment »

As I was going through some CiscoLive365 sessions (Remember CiscoLive365 is great!) just this last weekend I came across the slides for BRKSEC-2028 – Deploying Next Generation Firewall with ASA & Firepower services. Unfortunately there is no video for this session yet but the presentation slides are there and luckily the slides are detailed enough so you can easily follow along with the content. One the slides that stood out of to me was where the new FirePower modules (Hardware or Software) falls into the order of operations as traffic passes through the ASA. Screenshot below:

SourceFire Packet Flow

I think the big call-outs here are:

  1. The FirePower module will not actually drop the traffic itself, the traffic gets ‘marked’ if the traffic is to be dropped. All the traffic that passes to the FirePower module will indeed get passed right back to the ASA and it is the responsibility of the Cisco ASA to actually drop the traffic.
  2. Even existing connections still get inspected if the security policy demands.
  3. ACL’s and XLate entries will filter traffic before the traffic even makes it to the FirePower module.
  4. This is only slightly different from how the existing IPS Module inspects traffic from ASA. In regards to the flow path.

Definitely some good information to know when building out your new policies.

Written by Stephen J. Occhiogrosso

December 10, 2014 at 9:00 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: