Allen-Bradley Stratix 5950 - Chapter 8 Firewall Modes; Firewall Modes Overview

To Next Page

To Previous Page

Rockwell Automation Publication 1783-UM010C-EN-P - June 2019 91

Chapter 8

Firewall Modes

ASA software provides the firewall features such as ACL, NAT, VPN, and

overall system and platform management. FirePOWER software provides the

Next Generation IPS features, Application Control, Network Discovery, and

Network AMP functionality.

The ASA runs in two different firewall modes:

•Routed

•Transparent

In routed mode, the ASA is considered to be a router hop in the network.

In transparent mode, the ASA acts like a ‘bump in the wire,’ or a ‘stealth

firewall,’ and is not considered a router hop. The ASA connects to the same

network on its inside and outside interfaces.

FirePOWER module can operate in two modes: inline mode and passive

mode. The following figures provide overview of traffic flow in these two

modes.

Figure 21 - Traffic Flow under Inline Mode

Main Page

Default Chapter3
- Table of Contents3
- Additional Resources8
Preface8
- Summary of Changes8
About the Security Appliance11
Chapter 1 Overview11
- Hardware Features12
  - Status Indicators15
- Installation of the Security Appliance16
- Express Setup Button16
- Power Supply17
- Small Form Factor Pluggable (SFP) Modules17
- Memory and Storage17
- SD Card17
- USB Ports17
- Management Ethernet Port18
- Console Port18
- Alarm Ports19
- Power Supply19
  - CLI Commands19
- Temperature Sensor20
- Software Features20
Chapter 2 Industrial Firewall Technology Overview21
- Logical Framework23
- Network Protection (Adaptive Security Appliance)23
- Intrusion Prevention and Detection (Firepower)25
- Machine/Skid Protection25
  - Transparent Mode25
- Routed Mode26
  - Nat26
  - Considerations26
- Redundant Star Cell/Area Zone Protection28
  - Considerations28
- Ring Cell/Area Zone Protection29
  - Considerations30
- Cell/Area Zone Monitoring31
  - Considerations31
- Time Synchronization32
Industrial Firewall Use Cases21
Configure the Security Appliance37
Chapter 3 Configure the Security Appliance Prerequisites38
- Device Setup39
- Configure a Test Policy to Block CIP Administrative Traffic53
- Configure Precision Time Protocol (PTP)71
Prerequisites38
- Ethernet Devices38
Chapter 4 Status Indicators73
Chapter 575
- Firesight Management Center75
- Cisco Security Manager (CSM)77
- Management Recommendations79
- Integration of New Firewalls79
- Centralized Management80
Overview75
Chapter 6 Power Failure of the System81
- Enable the Hardware Bypass by Using CLI Commands81
  - Default State of the Hardware Bypass82
- ASA CLI Commands for Hardware Bypass82
- Limitations of Hardware Bypass83
  - Hardware Bypass CLI83
Chapter 7 CIP Preprocessor87
- CIP Access Control Policies88
- CIP Access Control Policy Rule Limitations89
- CIP Intrusion Policies90
Chapter 8 Industrial Firewall Deployment Considerations92
- Inline Transparent Mode92
- Inline Transparent Monitor-Only Mode94
- Inline Routed Mode95
- Passive Monitor-Only Mode95
- Deployment Recommendations96
- Industrial Firewall Use Cases97
Chapter 9 Updating ASDM Software103
- Updating ASA Software107
- Back up Controls License111
- Install the SFR 6.4.0 Update111
Updating the Device103
Chapter 10 Obtain the Current Running Software Versions117
- Reset the Device to Factory Defaults118
Troubleshoot117
Glossary125
Index127

Allen-Bradley Stratix 5950 - Chapter 8 Firewall Modes; Firewall Modes Overview

Table of Contents