
Bypass Firepower SFR for certain traffic

GRANT3779
Spotlight

I have something similar to the following:


policy-map global_policy
class Class_FP
sfr fail-open

class-map Class_FP
match any

service-policy global_policy global

If I want certain traffic to not go to the Firepower SFR, what is the best way to achieve this? Running an ASA 5516-X. I'm sure it is causing some problems for two hosts.

Thanks

4 Replies

Marvin Rhoads
Hall of Fame

Change your class-map rule from "match any" to be an access list which exempts the hosts you want to bypass the sfr module.

Sorry to reply to an old thread.

So if I have:

ASA# sh run access-list | include global_mpc_1
access-list global_mpc_1 extended deny ip any object-group Internal-Networks
access-list global_mpc_1 extended permit ip any any
ASA#

where my Internal-Networks is a group of subnets etc., will that in theory bypass SFR for the whole Internal-Networks group?
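The following is an added example of the change Marvin describes, written against the names used in this thread (Class_FP, global_policy, global_mpc_1, Internal-Networks); it is not configuration from the original posts, and the subnet inside the object group is a placeholder. One point worth making explicit for the ACL quoted above: a "match access-list" class-map classifies a connection on its first packet, so "deny ip any object-group Internal-Networks" exempts only connections whose first packet is destined to those networks. To also exempt connections the internal hosts initiate, add the mirrored deny line with the object group as source.

```text
! Added example, not from the thread. Replace the placeholder subnet with
! the real networks or hosts that should bypass the SFR module.
object-group network Internal-Networks
 network-object 192.0.2.0 255.255.255.0
!
! Only traffic the ACL PERMITS is redirected to the SFR module; deny
! lines exempt. Classification happens on the first packet of each
! connection, so list the exempt networks both as destination and as
! source to cover connections made to them and connections they start.
access-list global_mpc_1 extended deny ip any object-group Internal-Networks
access-list global_mpc_1 extended deny ip object-group Internal-Networks any
access-list global_mpc_1 extended permit ip any any
!
! A class-map holds a single match statement, so drop "match any" before
! switching the class to the ACL.
class-map Class_FP
 no match any
 match access-list global_mpc_1
!
! The policy itself is unchanged; fail-open still applies to the traffic
! that is redirected.
policy-map global_policy
 class Class_FP
  sfr fail-open
!
service-policy global_policy global
```

To confirm the bypass is taking effect, watch the hit counters on the deny lines with "show access-list global_mpc_1" while generating traffic from one of the exempt hosts. Connections that were already open when the service policy changed keep the classification they had at setup, so clear the existing connections for the two problem hosts (for example with "clear conn address" for their addresses) so they are re-evaluated against the new class-map.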


Hi,

You can create a service policy which selects the internal subnets that you don't need to send through the FP module, then deselect FP inspection for those networks.


regards,

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Did that work? I have a similar need to have some traffic bypass inspection. Thanks in advance.
