ASA FirePOWER templates are CDO representations of ASA FirePOWER module configuration and policy information. They provide a simple way to save the state of an ASA FirePOWER module, onboard new ASA FirePOWER modules using a standard policy, and experiment with policy changes without affecting live modules.
Note: The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP). The ASA FirePOWER module runs as a separate application from the ASA. This is not the same as Firepower Threat Defense running on Firepower hardware or as a virtual machine.
Creating an ASA FirePOWER Template
ASA FirePOWER templates can be created from live ASA FirePOWER devices or from other templates.
- Open the Devices & Services page.
- Click on the ASA FirePOWER module you want to use as the source of the template.
- Click Create Template in the Actions pane on the right.
- Choose a name for your template.
- Click Create Template.
Editing Template Settings and Configuration Data
ASA FirePOWER templates include configuration data for a specific network deployment, as well as settings for IPS Policy, IPS updates, and Event collection.
To edit an ASA FirePOWER template, follow these instructions:
- Open the Devices & Services page.
- Select the template you want to edit.
- Click the Edit button in the Configuration area and fill in the fields for network settings.
- In the Default IPS Policy section, choose one of these settings:
  - Trust All Traffic: All network traffic is allowed to pass to its destination without further inspection; however, file inspection by AMP and intrusion inspection are still applied.
  - Connectivity over Security: These policies are built for organizations where connectivity (being able to get to all resources) takes precedence over network infrastructure security. The intrusion policy enables far fewer rules than those enabled in the Security over Connectivity policy. Only the most critical rules that block traffic are enabled.
  - Balanced Security and Connectivity: These policies are built for both speed and detection. Used together, they serve as a good starting point for most organizations. The system uses the Balanced Security and Connectivity policies and settings as defaults in most cases.
  - Security over Connectivity: These policies are built for organizations where network infrastructure security takes precedence over user convenience. The intrusion policy enables numerous network anomaly intrusion rules that could alert on or drop legitimate traffic.
  - Block All Traffic: Blocks all traffic that is not specifically allowed by policy.
- Enable or disable Device Reporting. This enables CDO to collect information from the FTD and create reports on the Monitoring > Reports page.
- Enable or disable IPS Updates. This enables the default recurring rule update settings defined in ASDM, located at Configuration > ASA FirePOWER Configuration > Updates > Rule Updates tab > Recurring Rule Update Imports section.
Note: Enabling IPS Updates will only be effective if the ASA FirePOWER module has internet access.
Managing a Template
To change the name of the template, or to delete it, use the buttons in the right sidebar of the Devices & Services page.
Templates support all of the same functions as live devices, except functions related to reading from or deploying to an on-boarded device. To change the access rules associated with an ASA FirePOWER template:
- Navigate to Policies > Application.
- Type the URL category, URL, application or IPS you want to manage and select it from the list.
- Select your template from the list of devices and templates that appears.
- Change the rule action for that template from the list box in the details pane.
Onboarding a New ASA FirePOWER Module with a Template
To onboard a new ASA FirePOWER module using a template, follow the Firepower onboarding instructions and select the option to configure from template to supply the policy. You will see a dialog to select the template, and you will be able to view the policy to be applied. If you don't see the option to onboard using a template, or if you don't see the template you'd like to use in the template selection dropdown menu, the device you're onboarding may not have the licenses required to apply the template's policy. Separate ASA FirePOWER module licenses are required to use URL Category rules and File Category Rules. If your template has any of these licenses, you will not be able to use it to onboard a device that does not.
Note: When you onboard a live ASA FirePOWER module using a template, the module inherits the template's IPS Policy, IPS update setting, and Event collection setting. The live ASA FirePOWER module's network configuration will not be affected; it will not inherit the network configuration of the template.