Rockwell Automation Publication 1783-UM010C-EN-P - June 2019 95
Firewall Modes Chapter 8
Inline Routed Mode
In routed mode, the ASA is considered to be a router hop in the network.
• Routed mode operates as a layer 3 router.
• Each interface is assigned IP addresses and the other typical layer 3 attributes.
• With two subnets active, the device cannot be put into bypass mode.
• Only Active/Standby mode is supported; no data traffic is carried on the link.
• Remote access to the ISA is direct.
• In routed mode, the following traffic is allowed through by default:
– Unicast IPv4 and IPv6 traffic from a higher-security interface to a lower-security interface.
• Broadcast and multicast traffic is blocked even if you allow it in an access rule, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Passive Monitor-only Mode
If you want to rule out any possibility of the IFW affecting traffic, you can configure a traffic-forwarding interface and connect it to a SPAN port on a switch. In this mode, all traffic is sent directly to the IFW FirePOWER module without firewall processing. The traffic is ‘black holed,’ in that nothing is returned from the module, nor does the IFW send the traffic out any interface.
In passive monitor-only mode, the module applies the security policy to the traffic and indicates what it would have done if it were operating in inline transparent mode. For example, traffic could be marked ‘would have dropped’ in events.
Figure 25 - IFW Traffic Flow for Passive Monitor-only Mode shows the traffic flow when the IFW is in passive monitor-only mode.
As shown in the figure, traffic flows through the IFW as follows:
1. Traffic enters the IFW on the traffic-forwarding interface.
2. All traffic is sent directly to the FirePOWER module.
3. The FirePOWER module applies its security policy to the traffic and logs events only.
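The following configuration fragment is an added example, not part of the Rockwell manual; it shows what a traffic-forwarding interface for passive monitor-only mode looks like in Cisco ASA CLI syntax, which the IFW's ASA-based firewall is assumed to use. The interface name and the `span-feed` description are constructed placeholders; substitute the physical interface that is cabled to the switch SPAN port.

```text
! Added example: passive monitor-only traffic-forwarding interface (ASA CLI syntax assumed)
! GigabitEthernet1/3 is a constructed placeholder for the port wired to the switch SPAN port.
interface GigabitEthernet1/3
 description span-feed (constructed placeholder)
 ! A traffic-forwarding interface carries no layer 3 identity: no nameif,
 ! security level or IP address, so the ASA firewall engine never routes,
 ! inspects or returns this traffic (step 1 and 2 of the flow above).
 no nameif
 no security-level
 no ip address
 ! Hand every frame to the FirePOWER (sfr) module in monitor-only mode.
 ! The module evaluates its policy and logs events only (step 3); nothing
 ! is forwarded back out, which is the 'black hole' behaviour described.
 traffic-forward sfr monitor-only
 no shutdown
```

Because the interface has no `nameif`, no access rules or NAT apply to it, so a `would have dropped` verdict in FirePOWER events is the only place the policy outcome is visible; check those events rather than the ASA access-list counters when validating the deployment.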