02-01-2019 08:05 AM - edited 03-12-2019 07:16 AM
Set up firepower services. Followed various documentation. Once completed noticed the graphs weren't populating. Realized I didn't have licensing so I purchased that. Still doesn't work.
The firewall can ping the firepower module
When I run:
show service-policy sfr
I get:
Global policy:
Service-policy: global_policy
Class-map: SFR
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 21152328, drop 0, reset-drop 0
Shouldn't the packet input match the packet output?
This probably means I have a misconfiguration somewhere, but I am not sure where to start.
Thanks
02-02-2019 01:16 AM
02-04-2019 05:42 AM
How do you do that in the command line? Are you talking about the firepower config?
02-04-2019 08:13 AM
You need to issue the following commands on the firewall:
show run class-map SFR
Make sure you have an ACL in the match access-list statement, something like "match access-list SFR-ACL".
SFR-ACL should include the traffic that you want to send to the SFR module.
Below is the output from my lab firewall.
access-list SFR_ACL extended permit ip any any
class-map SFR_ACL
match access-list SFR_ACL
policy-map global_policy
class SFR_ACL
sfr fail-open
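Added example, not from this thread or from Cisco: a small checker that parses the two outputs discussed here ("show service-policy sfr" and "show run class-map") and reports what a practitioner would look at first: card status, whether the mode is monitor-only (in that passive mode the ASA only sends the module a copy of each packet and nothing comes back, so "packet input" stays 0), whether any traffic is being redirected at all, and whether the class-map scopes the redirect with an access-list or uses "match any". The sample outputs are constructed from the text quoted above; function names are my own.

```python
import re

# Constructed sample outputs, modelled on the CLI text quoted in this thread.
SAMPLE_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: SFR
      SFR: card status Up, mode fail-open monitor-only
        packet input 0, packet output 21152328, drop 0, reset-drop 0
"""

SAMPLE_CLASS_MAP_MATCH_ANY = """\
!
class-map SFR
 match any
!
"""

SAMPLE_CLASS_MAP_ACL = """\
class-map SFR_ACL
 match access-list SFR_ACL
"""

STATUS_RE = re.compile(r"SFR: card status (\S+), mode ([^\n]+)")
COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")


def parse_service_policy(text):
    """Pull card status, mode flags and counters out of 'show service-policy sfr'."""
    status = STATUS_RE.search(text)
    counters = COUNTER_RE.search(text)
    if status is None or counters is None:
        raise ValueError("no SFR class block found in service-policy output")
    mode_words = status.group(2).split()
    return {
        "status": status.group(1),
        "fail_mode": mode_words[0],            # fail-open or fail-close
        "monitor_only": "monitor-only" in mode_words,
        "input": int(counters.group(1)),       # packets returned by the module
        "output": int(counters.group(2)),      # packets sent to the module
        "drop": int(counters.group(3)),
        "reset_drop": int(counters.group(4)),
    }


def parse_class_map(text):
    """Return the class-map name and the ACL it matches ('match any' gives acl=None)."""
    name = re.search(r"^class-map (\S+)", text, re.M)
    if name is None:
        raise ValueError("no class-map in output")
    acl = re.search(r"^\s*match access-list (\S+)", text, re.M)
    match_any = re.search(r"^\s*match any\s*$", text, re.M) is not None
    return {"name": name.group(1),
            "acl": acl.group(1) if acl else None,
            "match_any": match_any}


def diagnose(sp, cm):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if sp["status"] != "Up":
        findings.append(f"module card status is {sp['status']}, not Up")
    if sp["output"] == 0:
        findings.append("packet output is 0: the ASA is not redirecting any traffic "
                        f"to the module via class-map {cm['name']}")
    if sp["monitor_only"]:
        findings.append("mode is monitor-only (passive): the ASA only sends the module a "
                        "copy of each packet and nothing is returned, so 'packet input' "
                        "stays 0 by design; inline inspection requires the mode without "
                        "monitor-only")
    elif sp["input"] != sp["output"]:
        findings.append(f"inline mode but input {sp['input']} != output {sp['output']}: "
                        "check that the module is processing and returning traffic")
    if cm["acl"] is None:
        findings.append(f"class-map {cm['name']} has no 'match access-list': redirected "
                        "traffic is not scoped by an ACL"
                        + (" (it uses 'match any')" if cm["match_any"] else ""))
    return findings


if __name__ == "__main__":
    sp = parse_service_policy(SAMPLE_SERVICE_POLICY)
    for cm_text in (SAMPLE_CLASS_MAP_MATCH_ANY, SAMPLE_CLASS_MAP_ACL):
        cm = parse_class_map(cm_text)
        print(f"class-map {cm['name']}:")
        for finding in diagnose(sp, cm) or ["no findings"]:
            print("  -", finding)
```

Run it against pasted CLI output (replace the constructed samples) to get a short list of findings instead of reading counters by eye; the regexes only rely on the field labels shown in the thread, so other class-map names work unchanged.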
02-05-2019 07:26 AM
I must have done something wrong... Here is what I got
ciscoasa# show run class-map SFR
!
class-map SFR
match any
!
ciscoasa#
02-08-2019 05:30 AM
Can you offer anymore help?
02-08-2019 05:35 AM
class-map SFR
match any
class-map inspection_default
match default-inspection-traffic
!