4681 Views | 5 Helpful | 4 Replies

Change firepower IPS module from monitor mode to block mode

damode (Level 1)

I want to upgrade 2 Cisco ASA 5515-X to include Firepower IPS modules and

  • configure the new IPS sensors in monitor mode and add them to FMC with new policies
  • after analysis for any false positives, change the sensors to block mode.

Please guide me how I can achieve this.

Thanks in advance.


Accepted Solution

Marvin Rhoads (Hall of Fame)

The Firepower module gets traffic from the parent ASA by applying a service-policy to an interface (or globally). The service-policy references a policy-map which in turn references a class-map.

In the class-map the key command is:

sfr { fail-close | fail-open } [ monitor-only ]

You would use that optional "monitor-only" keyword to operate in IDS mode. When you are ready to move to IPS mode simply change that one line.

Here are some helpful references:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1660444

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc10


4 Replies

Thanks for your response, Marvin.

Hi Marvin.

sfr { fail-close | fail-open } [ monitor-only ]

Does this "monitor-only" command only affect the IDS function (intrusion policy)?

For example, if I create a rule (L3/L4 without an intrusion policy) with a block action in the FMC and I have monitor-only configured, will the packet be blocked by the Firepower module?

 

Thanks for your help.

Regards.

Marvin Rhoads (Hall of Fame)

When the class-map action is "sfr monitor-only" then the ASA will ignore any block or drop verdict coming from the Firepower service module. The module will still detect per the intrusion policy (IDS) but cannot enforce it (IPS).
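The two-stage rollout described in the accepted answer and the verdict behaviour explained just above, as an added ASA configuration example (not from the original thread or from Cisco's documentation); the class-map name SFR_TRAFFIC is an assumption, and the sfr action sits under the class entry inside the policy-map, which is where the ASA accepts it.

```cisco
! Stage 1: monitor-only (IDS). All traffic is redirected to the SFR module,
! but the ASA ignores every block/drop verdict the module returns, so both
! the intrusion policy and any L3/L4 access-control "Block" rule only show
! up as events in FMC and are never enforced on the wire.
class-map SFR_TRAFFIC
 match any
!
policy-map global_policy
 class SFR_TRAFFIC
  sfr fail-open monitor-only
!
service-policy global_policy global
!
! Stage 2: after the false-positive review, switch the same class to inline
! (IPS) mode. Only the sfr action line changes; the class-map and the
! service-policy stay exactly as they are. The old form is removed first
! because a class runs in either monitor-only or inline mode, not both
! (assumption: some releases also accept the new form directly).
policy-map global_policy
 class SFR_TRAFFIC
  no sfr fail-open monitor-only
  sfr fail-open
!
! fail-open keeps traffic flowing if the module is down or rebooting;
! use fail-close instead if a module outage should stop traffic.
!
! Verify the mode the class is running in and that packets are actually
! being redirected to the module (counters should increase):
! show service-policy sfr
```

Until the Stage 2 change is applied, treat any FMC block or drop event as a would-have-blocked record for the false-positive review, not as evidence that the traffic was stopped.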
