Cisco Support Community

New Member

ASA Next Generation Firewall with Multiple contexts limitations

Question 1. In an ASA firewall with multiple contexts, how can I divert traffic to the FirePOWER module, and in which context should I put the management port? Will it be in the admin context, or will it be shared across all the contexts?

Question 2. Are OSPF and SLA tracking supported in an ASA firewall with multiple contexts?

Question 3. Does unmarking the “Dynamic Analysis” check box stop the actual data from being sent to the cloud for sandboxing, while the normal SHA-256 check mechanism stays active at the same time in FireSIGHT Management Center?

3 REPLIES

Question 1. In an ASA firewall with multiple contexts, how can I divert traffic to the FirePOWER module, and in which context should I put the management port? Will it be in the admin context, or will it be shared across all the contexts?

Answer: You need to define a policy in the context configuration to divert traffic to the FirePOWER module. The management interface cannot be allocated to multiple contexts. It’s best to just allocate the management interface to the admin context. Also, you can create sub-interfaces on the management interface, but you can NOT assign the same VLAN (i.e. the management VLAN in your organization) to these sub-interfaces, since they need to be on different subnets. So in order to manage individual contexts directly, it is best to just use another interface/subinterface in each context as the management address for that context.

Question 2. Are OSPF and SLA tracking supported in an ASA firewall with multiple contexts?

Answer 2: Multiple context mode does not support the following features:

RIP
OSPFv3. (OSPFv2 is supported.)
Multicast routing
Threat Detection
Unified Communications
QoS
Remote access VPN. (Site-to-site VPN is supported.)

Question 3. Does unmarking the “Dynamic Analysis” check box stop the actual data from being sent to the cloud for sandboxing, while the normal SHA-256 check mechanism stays active at the same time in FireSIGHT Management Center?

Answer: The AMP Threat Grid cloud or on-premises AMP Threat Grid appliance runs the file in a sandbox environment to determine whether the file is malicious, and returns a threat score that describes the likelihood that a file contains malware. From the threat score, you can view a dynamic analysis summary report that details why the cloud assigned the threat score. By unmarking this check box, Dynamic Analysis will stop.

If this is helpful, please rate it or mark it as answered if you got your answer.
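
The per-context redirection policy and the management interface allocation described in the reply above, sketched as ASA configuration. This is an added example, not part of the original reply; the context name CTX-A, the ACL and class-map names, the sub-interface numbers and the config-url paths are assumptions.

```cisco
! --- System execution space: allocate interfaces to contexts ---
! (context names, interface numbers and file paths are assumed)
changeto system
configure terminal
admin-context admin
context admin
 ! Management interface goes to the admin context only
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context CTX-A
 ! Data sub-interfaces for this context; one of them also
 ! serves as the management address for the context
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/ctx-a.cfg

! --- Inside each context whose traffic should reach the module ---
changeto context CTX-A
configure terminal
! Select the traffic to redirect (here: all IP traffic)
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR_CLASS
  ! fail-open: traffic passes uninspected if the module is unavailable
  ! fail-close: traffic is dropped if the module is unavailable
  sfr fail-open
service-policy global_policy global
```

The redirection policy has to be repeated in every context that should be inspected. Choosing between `fail-open` and `fail-close` decides whether a module outage results in uninspected traffic or in dropped traffic.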

New Member

Does it mean that:

SLA tracking is supported?

As you said, unmarking Dynamic Analysis will stop file sandboxing, so will it stop sending the SHA-256 value to the cloud as well?

Hi,

Yes, SLA tracking is supported.

Yes, unmarking Dynamic Analysis will stop sending the SHA-256 value to the cloud as well.

If this is helpful please rate.
