Before onboarding an ASA FirePOWER module, you will need the right kind of SDC to manage it. Consider these three types of ASA FirePOWER module deployments:
If the ASA's management interface uses a public IP address and the ASA FirePOWER module's management interface uses a public IP address, then you can manage the ASA FirePOWER module with Cisco Defense Orchestrator in the cloud.
If the ASA's management interface uses a private IP address and the ASA FirePOWER services module's management interface uses a private IP address, then you must use an on-premise Secure Device Connector to manage the device. See Deploying an On-Prem CDO Secure Device Connector (SDC) for more information.
If the ASA's management interface has a public address and the ASA FirePOWER module's management interface uses a private IP address, you will need to create a NAT rule to connect the two interfaces. In this case, use the Enabling FirePOWER Services on your ASA procedure.
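A pre-onboarding check that applies the three deployment cases above to an inventory of ASA and FirePOWER module management addresses. This is an added example, not code from the CDO documentation; the device names and addresses are constructed, and the private-address list (RFC 1918, CGNAT, loopback, link-local) is an assumption chosen so that the TEST-NET sample addresses count as public.

```python
import ipaddress
from typing import Dict, Tuple

# Address ranges treated as "private" for the purpose of choosing an SDC.
# Assumption: an explicit list instead of ipaddress.is_global, which would
# also classify the documentation (TEST-NET) ranges used below as non-global.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # CGNAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Constructed sample inventory: name -> (ASA mgmt IP, FirePOWER module mgmt IP).
SAMPLE_INVENTORY: Dict[str, Tuple[str, str]] = {
    "asa-hq-01":  ("203.0.113.10", "203.0.113.11"),   # both public
    "asa-branch": ("10.20.0.5",    "10.20.0.6"),      # both private
    "asa-dmz":    ("198.51.100.7", "192.168.50.2"),   # public ASA, private module
}


def is_public(addr: str) -> bool:
    """True when the address falls outside every range in PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr)          # raises ValueError on malformed input
    return not any(ip in net for net in PRIVATE_NETS)


def sdc_requirement(asa_mgmt: str, module_mgmt: str) -> str:
    """Map the two management addresses onto the three documented deployments."""
    asa_pub, mod_pub = is_public(asa_mgmt), is_public(module_mgmt)
    if asa_pub and mod_pub:
        return "cloud-sdc"      # manage from CDO in the cloud
    if not asa_pub and not mod_pub:
        return "on-prem-sdc"    # deploy an on-prem Secure Device Connector
    if asa_pub and not mod_pub:
        return "nat-rule"       # NAT rule between the two management interfaces
    # Private ASA with a public module is not one of the documented cases.
    return "review"


def classify_inventory(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Return the SDC requirement for every device in the inventory."""
    return {name: sdc_requirement(asa, mod) for name, (asa, mod) in inventory.items()}


if __name__ == "__main__":
    for name, need in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {need}")
```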
- Onboard the ASA running the ASA FirePOWER module using the Onboarding Devices and Services procedure. If the ASA FirePOWER module is installed on an ASA running in multi-context mode, onboard the ASA in the admin context.
- In CDO, click Devices & Services, and select the ASA you just onboarded. If the ASA is in multi-context mode, select the IP address for the admin context.
- Click the button in the Device Actions pane at the right.
- If prompted, download, review, and accept the certificate.
- In the Select Configuration dialog, choose one of these two actions:
- Use existing configuration on the device. You are accepting the existing policy configurations on the ASA FirePOWER device. After clicking Confirm, Defense Orchestrator onboards the device. You are done.
- Configure Manually. Click Configure Manually to change any of the security policy settings on the device as you onboard it. The selections you make override the configuration on the FirePOWER module. Click Confirm and continue with the following step.
- (Optional) Configure the actions for the various categories by checking the box next to the category you want to configure and then choosing the desired action for that category.
- (Optional) Choose a default action for handling all traffic that is not blacklisted by Security Intelligence or does not match any of the other rules in the access control policy.
- Trust All Traffic. This allows the traffic to continue to its final destination without further inspection.
- Connectivity over Security: This policy is built for organizations where connectivity (being able to get to all resources) takes precedence over network infrastructure security. The intrusion policy enables far fewer rules than those enabled in the Security over Connectivity policy. Only the most critical rules that block traffic are enabled. Select this policy if you want to apply some intrusion protection but you are fairly confident in the security of your network.
- Balanced Security and Connectivity: This policy is designed to balance overall network performance with network infrastructure security. This policy is appropriate for most networks. Select this policy for most situations where you want to apply intrusion prevention. The system uses the Balanced Security and Connectivity policies and settings as defaults in most cases.
- Security over Connectivity: This policy is built for organizations where network infrastructure security takes precedence over user convenience. The intrusion policy enables numerous network anomaly intrusion rules that could alert on or drop legitimate traffic. Select this policy when security is paramount or for traffic that is high risk.
- Block All Traffic. This policy blocks traffic without further evaluation by any policy.
- (Optional) Enable Device Reporting. This is required if you want to add Report Groups to your Reports Dashboard.
- (Optional) Enable IPS updates.
- Click Connect. CDO onboards the device.