Cisco ASA & ASA FirePOWER Services training agenda

Cisco ASA FirePOWER Services training

Today I have the privilege of announcing our new Cisco ASA and Cisco ASA FirePOWER Services training agenda. In this post I describe the agenda in detail and what you can expect from each training module. As you may recall from the short agenda posted on our training list, this training is a condensed mashup prepared especially for those who work with Cisco ASA appliances running the FirePOWER (SFR) module.

How does this ASA FirePOWER training apply to the current Cisco offering?

As you may know, Cisco currently sells several lines of firewall products: the Firepower 9300, 4100 and 2100 series appliances, FTD (Firepower Threat Defense) images that can be loaded onto ASA hardware, and ASA FirePOWER Services, i.e. the classic ASA with the FirePOWER (SFR) module. This can be confusing. The good news is that Cisco is working towards functional parity between ASA FirePOWER and the Firepower appliances, so after this course you will be comfortable with ASA FirePOWER as well as with the Firepower appliances and FTD, because the bulk of the configuration is done in FMC (Firepower Management Center), which manages Firepower appliances and ASA FirePOWER Services in the same way (at the time of writing with small feature differences).


Cisco ASA basics

The first module covers the good old ASA: the iron rules of interface and subinterface configuration and the security level concept that dictates the behaviour of the Adaptive Security Algorithm. We talk about how traffic traverses the ASA, and we stop for a while to go over IP, TCP, UDP and ICMP fundamentals in the context of a stateful firewall, which is what the ASA is. The module also covers management of ASA-OS and the concerns that come with it: hardening, SSH, Telnet and AAA configuration (in practice Telnet should stay disabled, since it carries credentials in clear text, and management access should be limited to SSH version 2 from defined hosts). Of course, module 1 has labs to get you warmed up and ready for the challenges of the next modules.

1) Networking basics with ASA

  • ASA Interfaces, Subinterfaces, VLANs
  • DHCP, Set route options
  • Security Level Concept
  • Inter and Intra interface flows
  • Basic Management (Logging, traffic to the box, aaa, ntp sync)
  • Management Real Life Use Cases
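To make the interface, security level and "to the box" management concepts of module 1 concrete, here is an added example configuration written for this post (it is not part of the original agenda or the course labs). Interface names, the RFC 5737 addressing, the admin host and the syslog/NTP server are assumptions.

```cisco
! Added example: assumed addressing, not from the original post
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
! Subinterface on an 802.1Q trunk: the DMZ lives in VLAN 20
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Default behaviour of the Adaptive Security Algorithm when no ACL is applied to an interface:
!  inside (100) -> dmz (50) and inside -> outside (0): allowed, return traffic allowed by state
!  outside (0) -> dmz (50) or inside (100): denied
!  two interfaces at the same level, or hairpin on one interface: denied unless enabled here
! Once an ACL is bound to an interface with access-group, the ACL decides, not the level.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
! Default route and DHCP for the LAN
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
dhcpd address 10.1.1.100-10.1.1.200 inside
dhcpd dns 10.1.1.20 interface inside
dhcpd enable inside
!
! Management "to the box": local AAA, SSH v2 only from one admin host, no telnet statement at all
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh 10.1.1.10 255.255.255.255 inside
ssh timeout 10
!
! Syslog to a collector and time sync, so events from the next modules are usable
logging enable
logging timestamp
logging buffered informational
logging host inside 10.1.1.20
logging trap informational
ntp server 10.1.1.20 source inside prefer
```

The absence of any `telnet` line is deliberate: Telnet is off unless you enable it, and the only way in is SSH from 10.1.1.10. `show run ssh` and `show run aaa` are the quick checks that nothing wider was left behind.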


Static and dynamic routing on ASA

This module is about routing. For those who know routing, this module will be soft and easy. For those who are not familiar with EIGRP, RIP, OSPF and BGP, it is a good occasion to get to know these routing processes. We configure dynamic routing that reflects the most common real-life Internet Edge scenarios, e.g. BGP (available since ASA-OS 9.2) and redistribution of the default route. We also advertise some LAN prefixes to the ASA. At the end we show link redundancy (with a redundant interface) and LACP port channels, often used in large and critical environments.

2) ASA Routing and Link Redundancy

  • ASA Static routing
  • ASA Dynamic routing
  • Port Channels, Link redundancy
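As an added example for module 2 (written for this post, not part of the original agenda), the configuration below moves the inside interface onto an LACP port channel, learns the default route from the ISP over eBGP and redistributes it into OSPF towards the core. The AS numbers (from the RFC 5398 documentation range) and addresses are assumptions.

```cisco
! Added example: assumed ASNs and addressing, not from the original post
! LACP port channel towards the core switch (link redundancy)
interface GigabitEthernet0/3
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/4
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! OSPF on the inside: learn LAN prefixes from the core and originate a default route
! towards it (without "always" the default is only advertised while the ASA has one itself)
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 default-information originate
!
! Prefix filters for eBGP: accept only a default route from the ISP, and announce only
! our own /24, so a misconfiguration can never turn the firewall into a transit AS
prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0
prefix-list OUR-PREFIX seq 10 permit 203.0.113.0/24
!
! eBGP with the ISP (ASA-OS 9.2+). "network" only advertises a prefix that is already in the
! routing table; here 203.0.113.0/24 is the connected outside network.
router bgp 64496
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 203.0.113.1 remote-as 64511
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 prefix-list DEFAULT-ONLY in
  neighbor 203.0.113.1 prefix-list OUR-PREFIX out
  network 203.0.113.0 mask 255.255.255.0
!
! Checks: show route, show bgp summary, show ospf neighbor, show port-channel summary
```

The two prefix-lists are the part worth copying: an Internet Edge firewall that accepts a full table or leaks internal prefixes is a much bigger problem than a missing route.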


ACL, NAT, objects and MPF

About the 3rd module we could write a separate book. „Traffic restrictions” covers the key ASA concepts: ACLs (Access Control Lists), NAT (Network Address Translation), of course in its 8.3+ form (remember that we live in a 9.x reality!), and MPF (Modular Policy Framework), the essence of L4 and higher-layer traffic inspection. In this module we practise twice NAT and object NAT, and we translate users so they can reach the Internet, while remembering the definitions of static NAT, static PAT, dynamic NAT, dynamic PAT, source NAT and destination NAT (we draw the process on the whiteboard; want to know how NAT handles ICMP?). We expose services from the DMZ to the Internet (www and ftp servers). We check how the Modular Policy Framework handles FTP traffic, and what happens to FTP without „inspect ftp”. This is the key module on the way to understanding and mastering NAT and ACLs in connection with routing. You will understand the differences between traffic going through the ASA and „to the box” traffic.

3) Traffic Restrictions

  • Object and object groups
  • ACLs
  • NAT (8.3+) Concept
  • ASA Modular Policy Framework (MPF)
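The following added example (written for this post, not code from the original agenda) pulls module 3 together: object NAT for users and for the published DMZ servers, a twice NAT exemption, an outside ACL written the 8.3+ way against real addresses, and the MPF inspections that make FTP and ICMP work statefully. Object names, the partner network and all addresses are assumptions.

```cisco
! Added example: assumed addressing and object names, not from the original post
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network DMZ-WWW
 host 192.168.20.10
object network DMZ-FTP
 host 192.168.20.11
object network PARTNER-NET
 subnet 172.16.50.0 255.255.255.0
object-group service WWW-PORTS tcp
 port-object eq www
 port-object eq https
!
! Object NAT (auto NAT, NAT table section 2)
! dynamic PAT: users leave towards the Internet behind the outside interface address
object network INSIDE-NET
 nat (inside,outside) dynamic interface
! static NAT: each DMZ server gets its own public IP (static PAT would add "service tcp www www")
object network DMZ-WWW
 nat (dmz,outside) static 203.0.113.10
object network DMZ-FTP
 nat (dmz,outside) static 203.0.113.11
!
! Twice NAT (manual NAT, section 1, always evaluated before object NAT): identity translation
! so inside-to-partner traffic (e.g. over a VPN) is not PATed; route-lookup keeps the egress
! interface decision on the routing table instead of the NAT rule
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static PARTNER-NET PARTNER-NET no-proxy-arp route-lookup
!
! Since 8.3 the interface ACL is evaluated after the destination has been untranslated,
! so it references the REAL server address (192.168.20.x), never the mapped public IP
access-list OUTSIDE-IN extended permit tcp any object DMZ-WWW object-group WWW-PORTS
access-list OUTSIDE-IN extended permit tcp any object DMZ-FTP eq ftp
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! MPF. Without "inspect ftp" the data connection (PORT/PASV negotiated on port 21) is just
! another new flow that the outside ACL drops; the inspection engine reads the control channel,
! opens the pinhole for the data channel and fixes embedded IPs changed by NAT.
! "inspect icmp" makes echo/reply stateful so replies return without an explicit ACL entry.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
service-policy global_policy global
!
! Checks: show nat detail (section order and hit counts), show xlate, show access-list OUTSIDE-IN
```

Two things to notice: the order of NAT sections decides which rule wins (the twice NAT identity rule beats the object PAT for partner traffic), and the explicit `deny ip any any log` at the end of the ACL turns the silent implicit deny into syslog you can actually use.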


High Availability

You may or may not remember that the ASA supports Active/Standby failover in a pair and Active/Active failover in multiple-context mode. In this section we focus on how failover really works, for example: does each of the two appliances need its own IP address, or is there a virtual IP? What maximum delay (RTT, Round Trip Time) is acceptable on the failover link for Active/Standby and Active/Active? We analyse the failover process in detail: role switchover in Active/Standby and the election process. In addition we talk about Cisco ASA clustering, supported on the ASA 5580 and 5585-X. We consider the pros and cons of clustering and how its performance compares with a single appliance (scaling is not linear).

4) High Availability

  • Failover Active-Standby
  • Clustering Active-Active
  • Security Contexts
  • Resource Limitations
  • Cisco ASA Clustering
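Here is an added example of an Active/Standby failover configuration for the primary unit, written for this post (not part of the original agenda). The failover link name, the addresses and the timers are assumptions; the secondary unit needs only the `failover`, `failover lan unit secondary`, `failover lan interface`, `failover interface ip` and `failover key` lines, everything else is replicated from the active unit.

```cisco
! Added example for the PRIMARY unit: assumed addressing, not from the original post
! There is no virtual IP. Each interface has an active and a standby address; on switchover
! the new active unit takes over the active IP *and* MAC address, so neighbours' ARP caches
! stay valid and sessions survive (with a stateful link).
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Reuse the same link as the stateful link (connection table replication)
failover link FOLINK GigabitEthernet0/7
! Encrypt failover traffic: without a key the replicated configuration (including VPN PSKs
! and passwords) and connection state cross the link in clear text
failover key <shared-secret>
! Unit poll every second, peer declared dead after 3 seconds; interface tests every 5 s
failover polltime unit 1 holdtime 3
failover polltime interface 5 holdtime 25
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! Monitor data interfaces so a dead link on the active unit triggers a switchover
monitor-interface outside
monitor-interface inside
!
! Checks (exec mode):
!  show failover          - role of both units, interface health, last failover reason
!  show failover history  - state transitions with timestamps
!  failover active        - force this unit to become active (e.g. after maintenance)
```

The `failover key` line is the one most often forgotten in labs and then copied to production; treat the failover link like any other path that carries your running configuration.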


VPN on ASA

VPN on the ASA is the most commonly used VPN solution in enterprises (I can take the risk of saying that 😉). In this module we analyse the IPsec VPN functionality the ASA offers; for example, we consider how the lack of GRE (Generic Routing Encapsulation) tunnelling affects a large-scale VPN design. We check whether it is possible to establish an IPsec VPN with peers from other vendors. At the end we take the Cisco AnyConnect Secure Mobility Client for a test drive while going through remote access VPN. We compare the impact on user experience and service reliability of SSL VPN against IPsec IKEv2, as AnyConnect supports both. Since we stay in the context of a real enterprise network, we integrate AnyConnect with the ASA and Cisco ISE (Identity Services Engine) and show how to apply Multi-Factor Authentication (MFA). A description of that implementation can be found here.

5) VPNs

  • IPSec Site2Site
  • Anyconnect SSL VPN client
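As an added example for the site-to-site part of module 5 (written for this post, not taken from the agenda or the labs), this is an IKEv2 tunnel to a third-party peer. Because the ASA has no GRE, the "interesting traffic" ACL is what the peer sees as traffic selectors (proxy IDs), and a peer from another vendor must mirror it exactly. The peer address, networks, proposal names and the pre-shared key placeholder are assumptions; the AnyConnect/ISE part is not shown here.

```cisco
! Added example: IKEv2 site-to-site to a third-party peer, assumed addressing, not from the original post
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network PARTNER-NET
 subnet 172.16.50.0 255.255.255.0
!
! Interesting traffic = the traffic selectors offered to the peer. The peer's ACL must be the
! exact mirror (172.16.50.0/24 -> 10.1.1.0/24), otherwise the child SA negotiation fails.
access-list VPN-PARTNER extended permit ip object INSIDE-NET object PARTNER-NET
! NAT exemption (twice NAT, section 1) so VPN traffic keeps its real source address
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static PARTNER-NET PARTNER-NET no-proxy-arp route-lookup
!
! IKE SA: AES-256 / SHA-256 / DH group 14. Third-party peers often default to 3DES, SHA-1 or
! group 2; negotiate the stronger set on both ends rather than weakening this policy.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Child (IPsec) SA: ESP with AES-256 and SHA-256, PFS with group 14
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE-MAP 10 match address VPN-PARTNER
crypto map OUTSIDE-MAP 10 set peer 198.51.100.77
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
!
! Peer authentication with PSKs in both directions (certificates scale better and avoid
! the shared secret living in the running config of every peer)
tunnel-group 198.51.100.77 type ipsec-l2l
tunnel-group 198.51.100.77 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>
!
! Checks: show crypto ikev2 sa, show crypto ipsec sa peer 198.51.100.77,
! debug crypto ikev2 protocol 127 (only while troubleshooting, it is verbose)
```

When the tunnel comes up for IKE but no traffic flows, check the NAT exemption before the crypto: a source address PATed to 203.0.113.2 simply does not match the selectors.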


FirePOWER Services

In module 6 we get to the point: we start working with FirePOWER Services. We get familiar with FirePOWER licensing, solution design and implementation limitations. We go through the installation of the Firepower management system, FMC (Firepower Management Center), and then install the SFR module, which on the ASA 5500-X platforms is a software module. After that we register the module with FMC and redirect traffic to the SFR. That gives us a working Firepower environment, ready for work with the Cisco Next-Generation Firewall.

6) FirePOWER Architecture and licensing

  • Licensing, Architecture, Limitations
  • Firepower Management Center installation
  • SFR Modules Provisioning
  • Traffic Flow & Redirection
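The provisioning and redirection steps of module 6, as an added example written for this post (not the course's own procedure). The boot image name, the FMC address and the registration key are placeholders you must supply; the system package URL used during `system install` is deliberately not shown.

```cisco
! Added example: assumed FMC address and placeholders, not from the original post
! 1. Exec mode on the ASA: stage the SFR boot image from flash and start the software module
sw-module module sfr recover configure image disk0:<asasfr-boot-image>.img
sw-module module sfr recover boot
! 2. Attach to the module console; from the boot image run "setup" (IP, gateway, DNS) and
!    "system install" with the system package URL, then after the module is up register it:
!      > configure manager add 10.1.1.50 <registration-key>
!    The same key is entered in FMC (Devices > Device Management > Add) to complete pairing.
session sfr console
!
! 3. Back on the ASA: hand traffic to the module through MPF. The ASA still does its own
!    ACL, NAT and inspections first, so the sensor only ever sees what the ASA permits.
access-list SFR-REDIRECT extended permit ip any any
class-map SFR-CLASS
 match access-list SFR-REDIRECT
policy-map global_policy
 class SFR-CLASS
  sfr fail-open
service-policy global_policy global
!
! Design decision hidden in one keyword:
!   sfr fail-open               traffic keeps flowing uninspected while the module is down or upgrading
!   sfr fail-close              traffic is dropped while the module is down (inspection guaranteed)
!   sfr fail-open monitor-only  passive copy to the sensor, it can alert but never block (IDS-style rollout)
!
! Checks: show module sfr details (state, version, FMC), show service-policy sfr (redirected packets)
```

Start with `monitor-only` while the policies from module 7 are being tuned, then switch to `fail-open` or `fail-close` as a conscious availability-versus-inspection decision, not as a default you inherited from a lab.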


ACP, Intrusion Policy, AMP, File Policy and URL Filtering…

Module 7 is the crème de la crème of the Firepower part. We describe the rules and configuration of the ACP (Access Control Policy), the policy that aggregates the FirePOWER rules. Each participant of the Cisco ASA FirePOWER training configures and tests the policies and their behaviour inside out. Step by step we add the following concepts to the game: URL filtering, AMP (Advanced Malware Protection), File Policy and IPS (Intrusion Policy); of course every policy you build is verified so that you fully understand it. Remember that every participant has their own test machines and DMZ server. During the Application Control section a question is often raised: „how is it possible to control an application encrypted with SSL?” Very good question! Time to touch the SSL Policy. At the end there is something handy for network admins and companies with separate network and security departments: Lists & Feeds.

7) ASA FirePOWER core features configuration

  • Traffic processing and actions
  • Access Control Policies
  • ACP rules
  • AND OR logic
  • Application control
  • URL and URL categories – filtering
  • AMP for Networks Concept – File & Malware policy
  • IPS Concept – basic ruleset – Intrusion Policy
  • SSL Policies
  • Lists & Feeds

Active Directory, pxGrid and troubleshooting

The last module is an „advanced” topic where we check how FirePOWER integrates with other systems such as Active Directory. We consider two options: Active Directory with the Firepower User Agent vs. the pxGrid protocol (with Cisco ISE). Each participant has to decide which approach is better for his or her environment: two approaches, two solutions for identity-based firewalling. What would a bootcamp be without troubleshooting: checking established sessions, tracing packets and working out which actions were taken on them? Or verifying the service-policy (MPF) hit counts to confirm that the sensor is actually seeing the traffic? Troubleshooting is one of the key topics in this bootcamp.

8) ASA FirePOWER advanced features configuration

  • AD integration
  • FMC User Agents vs Cisco pxGrid
  • Troubleshooting and reporting
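The troubleshooting checks mentioned in module 8, as an added example written for this post (not the course's own lab sheet). The addresses and policy names are assumptions; the idea is to follow one published web flow from the outside through the ASA, confirm it reached the sensor, and see why something was dropped if it was.

```cisco
! Added example: assumed addressing and names, not from the original post
! 1. Simulate an Internet client hitting the published DMZ web server and watch every stage:
!    route lookup, untranslate (NAT), ACL, MPF inspections, SFR redirect and the final verdict
packet-tracer input outside tcp 198.51.100.200 40000 203.0.113.10 80 detailed
!
! 2. Is the connection really built, and what do the flags say?
!    U = up, I = inbound data seen, O = outbound data seen; a flow stuck without U never completed
show conn address 192.168.20.10 port 80
!
! 3. Which ACE matched? Per-entry hit counts (a permit with hitcnt=0 means the traffic never
!    reached this ACL, look at routing, NAT or the lower-level drop reasons)
show access-list OUTSIDE-IN
!
! 4. Is the MPF class actually sending traffic to the module, and is inspection matching?
show service-policy sfr
show service-policy inspect ftp
!
! 5. Module health and FMC registration state
show module sfr details
!
! 6. Why did the ASA drop something? Counters per drop reason, then a capture of only dropped
!    packets, filtered to the host you care about
show asp drop
capture CAP-ASP type asp-drop all
show capture CAP-ASP | include 198.51.100.200
no capture CAP-ASP
!
! 7. What the sensor did with the flow is visible only in FMC: Analysis > Connections > Events
!    (filter on the initiator IP), and Analysis > Users for the identity mapping from module 8
```

Work top-down in that order: `packet-tracer` tells you where the ASA stops a flow, `show conn` and `show service-policy sfr` tell you whether it ever reached the module, and only then is it worth opening the FMC event views.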


You can download the agenda and check the dates of upcoming trainings here.


Marcin Bialy

Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Lead Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent countless hours with the CLI and GUI of many flavours. Marcin also holds industry-recognised certifications such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

Paul Scranage
20 August 2021 at 13:31

Hi Marcin

I’ve been looking at this page and, although dated 2018, the content is of interest to us – our engineers could do with some training on the ASA 5506/5508, especially the FirePOWER (IPS/AMP) aspects. We are in the UK, so I was wondering whether the course (or maybe something bespoke) could be provided online, or if it is only for locals in Poland?

I look forward to hearing back from you in due course.



Marcin Bialy
24 August 2021 at 11:08

Hi Paul, thanks for your interest in the Grandmetric offering. Yes, the training can be conducted online. I have sent you a direct message via email.


