01-26-2018 11:54 PM - edited 02-21-2020 07:13 AM
I want to upgrade 2 Cisco ASA 5515-X to include Firepower IPS modules and
Please guide me on how I can achieve this.
Thanks in advance.
01-27-2018 06:45 AM
The Firepower module gets traffic from the parent ASA by applying a service-policy to an interface (or globally). The service-policy references a policy-map which in turn references a class-map.
In the class-map the key command is:
sfr { fail-close | fail-open } [ monitor-only ]
You would use that optional "monitor-only" keyword to operate in IDS mode. When you are ready to move to IPS mode simply change that one line.
Here are some helpful references:
01-28-2018 03:22 PM
Thanks for your response, Marvin.
01-22-2021 07:38 PM
Hi Marvin.
sfr { fail-close | fail-open } [ monitor-only ]
Does this command's "monitor-only" keyword only affect the IDS function (intrusion policy)?
For example, if I create a rule (L3/L4 without an intrusion policy) with a block action in the FMC and I have monitor-only configured, will the packet be blocked by the Firepower module?
Thanks for your help.
Regards.
01-22-2021 11:31 PM
When the class-map action is "sfr monitor-only" then the ASA will ignore any block or drop verdict coming from the Firepower service module. The module will still detect per the intrusion policy (IDS) but cannot enforce it (IPS).
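The following is an added configuration example illustrating the structure Marvin describes above (class-map referenced by a policy-map, applied with a service-policy) and the practical difference between the monitor-only and inline variants of the sfr command. It is not taken from the thread or from Cisco documentation; the names sfr-redirect and sfr-class, and the interface name outside, are assumptions.

```cisco
! Added example, not from the original thread. ACL, class-map and
! interface names are assumed.
!
! 1. Select the traffic to hand to the Firepower (SFR) module.
access-list sfr-redirect extended permit ip any any
!
class-map sfr-class
 match access-list sfr-redirect
!
! 2a. IDS / passive mode. The module sees a copy of each packet; any
!     block or drop verdict it returns is ignored by the ASA, so an FMC
!     access-control rule with a Block action (with or without an
!     intrusion policy) does not stop traffic in this mode.
policy-map global_policy
 class sfr-class
  sfr fail-open monitor-only
!
! 2b. IPS / inline mode. Remove the monitor-only form first, then add
!     the inline form. fail-close makes the ASA drop matched traffic if
!     the module is down, the safer choice once you rely on it to enforce;
!     fail-open lets traffic bypass the module in that case.
policy-map global_policy
 class sfr-class
  no sfr fail-open monitor-only
  sfr fail-close
!
! 3. Apply the policy-map globally (or to one interface with
!    "service-policy global_policy interface outside").
service-policy global_policy global
!
! Verify the active mode and that packets are actually being redirected.
show service-policy sfr
show module sfr details
```

After switching to inline mode, check `show service-policy sfr` to confirm the mode no longer reads monitor-only and that the packet input/output counters are increasing; an FMC Block rule only takes effect once the ASA is in this mode.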