Cisco Systems, Inc.1Radware DefensePro Service Chain for ASA Quick Start GuideFirst Published: January 27, 2016Last Updated: June 14, 20181. About Radware DefensePro Service Chaining for ASAThe Cisco FXOS chassis can support multiple services (for example, an ASA firewall, and a third-party DDoS application) on a single blade. These applications can be linked together to form a Service Chain. In Firepower eXtensible Operating System (FXOS) 1.1.4 and later on the Firepower 4120, 4140, 4150, and 9300 security appliances, the third-party Radware DefensePro virtual platform can be installed to run in front of the ASA firewall. Radware DefensePro is a KVM-based virtual platform that provides distributed denial-of-service (DDoS) detection and mitigation capabilities on the FXOS chassis. When Service Chaining is enabled on your FXOS chassis, ingress traffic from the network must first pass through the DefensePro virtual platform before reaching the ASA firewall.You can deploy Radware DefensePro with the ASA in the following modes: Standalone Intra-chassis cluster Active/Standby failoverNote: Service Chaining is not supported in an inter-chassis cluster or Active/Active failover configuration. However, the Radware DefensePro (vDP) application can be deployed in a standalone configuration in an inter-chassis cluster scenario. The DefensePro application can run as separate instances on up to three security modules.Note: The Radware DefensePro virtual platform may be referred to as Radware vDP (virtual DefensePro), or simply vDP.The Radware DefensePro application may occasionally be referred to as a Link Decorator for the ASA firewall.Licensing Requirements for the Radware DefensePro Service ChainLicensing for the Radware Virtual DefensePro application on the Firepower 4100 and 9300 series devices is handled through the Radware APSolute Vision Manager. Go to the Cisco Commerce Workspace (CCW) to order a throughput license for your device. After submitting this request, you will receive a login and link to the Radware Portal, where you can then request a license. For more information and documentation on Radware’s APSolute Vision Manager and throughput licensing requirements, see the documentation on Radware’s site (htttps://portals.radware.com/Customer/Home/Downloads/Management-Monitoring/?Product=APSolute-Vision). Note that you must be registered with Radware to access this portal.
Radware DefensePro Service Chain for ASA Quick Start Guide2. Deploy and Configure Radware vDP in a Service Chain2Timezone Sync RequirementsPrior to deploying Radware vDP on your Firepower security appliance, you must ensure that your Chassis Manager is set to use an NTP Server, with the etc/UTC Time Zone. Procedure1.In the Firepower Chassis Manager, choose Platform Settings to open the NTParea in the Platform Settingspage.