Lab Minutes Forum

Technical Discussion => Security => Topic started by: Ratha on March 08, 2016, 07:54:45 PM

Title: ASA FirePower
Post by: Ratha on March 08, 2016, 07:54:45 PM
Dear Labminute,

Currently I am using an ASA with a basic license and am planning to upgrade to FirePower with a full-feature license. However, I am concerned that the configuration on the existing appliance and the new appliance are different, since FirePower will be used with the management center.

So my questions are:

Will we configure everything on the management center (e.g. NAT, VPN, AMP, ...)?
Can I back up the existing configuration and restore it on ASA FirePower? If so, will the configuration work with FirePower automatically?
Title: Re: ASA FirePower
Post by: milin1607 on March 09, 2016, 01:44:22 AM
Hi Ratha,

Firstly, I would like to highlight a few basic points here.

1. For the base firewall configuration, it would be the same (NAT, VPN, ACLs and all), which means you can take a backup and directly copy and paste it.
2. Here, Management Center is used only for Sourcefire module configuration.

For more reference, go through the link below:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html


Thanks,
Milin
Title: Re: ASA FirePower
Post by: Mikep on March 09, 2016, 10:55:23 AM
There will be a unified image released at some point this year where you can do everything in one management console.

For now, ASA config is still done via CLI or ASDM, and the Firepower config, as mentioned above, is done via the management centre.
Title: Re: ASA FirePower
Post by: gvoden on March 09, 2016, 02:22:10 PM
I had the same questions a while back.
Basically ASA with FirePOWER is exactly what this says - ASA + FirePOWER - 2 technologies in one. I am using the ASA 5585-X with FirePOWER module - it is a chassis with 2 physical blades in it - one blade for ASA and one for FirePOWER.
The ASA blade controls everything - interfaces, routing, NAT, port channel etc.
The FirePOWER blade is like a Next Gen Firewall (Palo Alto etc) but because Sourcefire used to be an IPS it does not control things like NAT, routing or other network related functions.
The way you use the FirePOWER is to send specific traffic to it for inspection using class and policy maps on the ASA blade. It's confusing and not very user friendly but hopefully the unified platform will fix that.
Title: Re: ASA FirePower
Post by: MC on March 09, 2016, 11:14:56 PM
Just like all the other replies said, ASA continues to work the same way with/without Firepower. You redirect traffic from ASA to Firepower (internally) for additional application-level type processing. There will be some overlapping in function like ACL that you can do on either ASA or FP and it will be up to you. You still manage ASA with CLI/ASDM while using Firepower Mgmt Center for FP module. Lab Minutes have an extensive video series if you are interested in learning more http://labminutes.com/video/sec/ASA%20FirePower.

Regarding what sucanushie mentioned, Cisco is releasing a unified image for ASA where ASA and FP are included in a single OS. Everything is meant to be managed from FMC GUI. Right now, the 4100 is available while other 5500X platforms will be supported later. First software release (6.0.1) will only support basic ASA functions (route/NAT/ACL) so if you have a need for advanced ASA features, you are better off staying on ASA code for a while.
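
The redirection that gvoden and MC describe (class and policy maps on the ASA sending traffic to the FirePOWER module) can be checked in a saved ASA configuration. The following is an added example, not code from any poster or from Cisco; the configuration is constructed, and `SFR_ACL` and `SFR_CLASS` are placeholder names. It reports which classes are redirected with the `sfr` action, whether traffic passes uninspected or is blocked if the module is down, and whether the policy is actually applied by a `service-policy`.

```python
# Constructed sample ASA configuration; SFR_ACL and SFR_CLASS are placeholder names.
SAMPLE_CONFIG = """\
access-list SFR_ACL extended permit ip any any
class-map SFR_CLASS
 match access-list SFR_ACL
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
 class SFR_CLASS
  sfr fail-open
service-policy global_policy global
"""

def audit_sfr_redirect(config):
    """Return one finding per policy-map class that redirects traffic to the module."""
    class_match = {}   # class-map name -> list of its match criteria
    applied = set()    # policy-maps activated by a service-policy command
    actions = []       # (policy-map, class, options after the sfr keyword)
    cmap = pmap = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):   # a top-level command closes any open block
            cmap = pmap = cls = None
        if words[0] == "class-map":
            cmap = words[-1]
            class_match[cmap] = []
        elif words[0] == "match" and cmap:
            class_match[cmap].append(" ".join(words[1:]))
        elif words[0] == "policy-map":
            pmap = words[-1]
        elif words[0] == "class" and pmap:
            cls = words[1]
        elif words[0] == "sfr" and pmap and cls:
            actions.append((pmap, cls, words[1:]))
        elif words[0] == "service-policy":
            applied.add(words[1])
    return [{
        "policy_map": p, "class": c, "match": class_match.get(c, []),
        # fail-close drops traffic when the module is unavailable; fail-open lets it through
        "on_module_failure": "block" if "fail-close" in opts else "pass uninspected",
        "monitor_only": "monitor-only" in opts,   # module sees a copy only, cannot drop
        "active": p in applied,                   # inactive unless a service-policy applies it
    } for p, c, opts in actions]
```

A class that matches only part of the traffic, a `monitor-only` action, or a policy-map with no `service-policy` all mean some or all traffic is not being enforced by the module, which is what this check surfaces.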