We're starting to deploy ASA now to replace some aging / end of life devices (PIX and IDS sensors). Once the network admins set up the required IDS module(s) etc. on the ASA, I can then configure each of them as reporting devices in MARS (I can also discover the individual settings on the IPS, e.g. virtual sensors). Basically looks just like an IPS v7 box.
Question: should I first set up the ASA itself in MARS, and then use the discover feature top-down for MARS to uncover the IPS, firewall modules etc. - as opposed to configuring each module individually as a reporting device in MARS? Aside from the add'l effort required, are there any distinct advantages or issues with one method vs the other? What are the gotchas if we ignore the ASA (from MARS perspective) and treat all modules individually - i.e. MARS would have no knowledge of the ASA itself, and considers the modules to be all "stand alone" in that respect...?
Hope that makes sense.
You could use either method, and both of them are absolutely fine. There are no specific gotchas if you add the modules individually, just that it is a little more work, and it is absolutely fine to have the modules configured individually on the MARS.
Hope this clarifies!!