Cisco's flagship firewall, the Cisco ASA (Adaptive Security Appliance), together with the FirePOWER technology that came from Cisco's 2013 acquisition of Sourcefire, laid the foundation of the "next-generation firewall" line in Cisco's portfolio: ASA FirePOWER Services. This next-generation firewall is composed of the widely known ASA OS and a software module (SFR) that takes care of the main "next-generation" functions: Application Control, Intrusion Protection, Anti-Malware, and URL Filtering.
Alongside the next-generation functions, Cisco offers matching licensing which, as with other vendors, follows firewall functionality (you can read more about other vendors' licensing here). In ASA FirePOWER the following licenses are available:
Besides the licenses described above, the ASA OS itself is still licensed as it was before. It means
In red you can see the production traffic flow. Traffic flows normally from appliance to appliance between regular ASA interfaces based on the routing table (or PBR). However, ASA internal traffic redirection, done by the Modular Policy Framework (MPF), is responsible for directing production traffic to the FirePOWER module (also known as the SFR module). This redirection is optional by design but of course essential for the next-generation firewall functions to take effect.
This traffic redirection is performed over the internal ASA interface connecting the ASA data plane and the SFR module plane. Traffic directed to the SFR module is inspected under various conditions and actions are taken according to the configured policies. Those policies, called Access Control Policies, are in turn configured from a management station called Firepower Management Center (FMC), to which all the modules are synchronized. FMC can be a VM as well as a physical appliance. Black lines depict Firepower management traffic from FMC to sensors and from sensors to FMC. This black line is typically some kind of management segment within the network. When designing for FirePOWER in your network you need to remember that sensors use the mgmt segment for logging to FMC, and FMC uses it to monitor sensors, pull data, and push configuration. That means this part of the network can carry a noticeable load, especially from logging traffic.
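The MPF redirection described above, as an added example written for this page (not configuration from the original post or from Cisco): the ACL name SFR-REDIRECT, the class map name SFR-CLASS and the 10.99.0.0/24 management subnet are assumed placeholders, and the fail-close choice is an assumption you should weigh against your availability requirements.

```cisco
! Added example: ASA MPF policy that sends production traffic to the SFR module.
! Assumed names/values: SFR-REDIRECT, SFR-CLASS, 10.99.0.0/24 (mgmt segment).

! 1. Decide what the module inspects. If FMC<->sensor management traffic
!    crosses the ASA data plane, excluding the mgmt segment keeps logging
!    and policy pushes out of the inspection path (and off the module CPU).
access-list SFR-REDIRECT extended deny ip 10.99.0.0 255.255.255.0 any
access-list SFR-REDIRECT extended deny ip any 10.99.0.0 255.255.255.0
access-list SFR-REDIRECT extended permit ip any any

! 2. Match that traffic in a class map.
class-map SFR-CLASS
 match access-list SFR-REDIRECT

! 3. Attach the redirect to the global policy map (inline mode here).
!    fail-open     : if the SFR module is down, traffic is forwarded UNINSPECTED
!    fail-close    : if the SFR module is down, matching traffic is dropped
!    monitor-only  : module receives a copy but cannot block anything
policy-map global_policy
 class SFR-CLASS
  sfr fail-close

! 4. Apply the policy to all interfaces.
service-policy global_policy global

! Verification: confirm packets are actually being redirected and the
! module is Up; a policy that matches nothing gives a false sense of coverage.
show service-policy sfr
show module sfr details
```

With fail-open, a module failure silently turns the appliance back into a plain ASA, so monitor `show module sfr` state from FMC or your NMS either way.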