02-06-2020 02:00 AM - edited 02-21-2020 09:54 AM
Hi,
I deployed an ASA 5516 with Firepower model. I would like to know: if the Firepower subscription is expired, will all traffic be bypassed or blocked?
If I want to use the ASA function only, without using the Firepower function, can it be deployed?
02-06-2020 04:29 AM
Whether you are running ASA with Firepower service module or ASA with FTD OS, expiration of any Firepower subscription (IPS) or license (URL Filtering or AMP) will not prevent traffic from flowing.
It will prevent enforcement of policies that use the latter two features. The IPS will continue to work without the right to download any new rule updates (SRU), Vulnerability Database (VDB) or Geolocation information.
02-08-2020 06:06 PM
Hi,
Let me know: if Firepower is expired, do I need to disconnect the management cable? Or can I deploy without connecting this management cable to the switch, or can I deploy without using the Firepower function?
02-08-2020 07:29 PM - edited 02-08-2020 07:30 PM
If you have an ASA running ASA code (not FTD) with Firepower service module and no longer wish to use the module, simply remove the policy-map entry that redirects traffic to it.
For example:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# no class sfr
Or if that is the only entry in the service-policy you can remove it altogether:
ciscoasa(config)# no service-policy global_policy global
Reference:
If you don't want it to be resident on the ASA at all you can further remove the software module altogether:
Step 1 Uninstall the software module image and associated configuration.
hostname# sw-module module sfr uninstall
Module sfr will be uninstalled. This will completely remove the disk image associated with the sw-module including any configuration that existed within it.
Uninstall module sfr? [confirm]
Step 2 Reload the ASA. You must reload the ASA before you can install a new module.
hostname# reload
Either way the management cable is not needed for Firepower if you aren't using the module.
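Added example, not part of the original reply: a small Python check that reads a saved running-config and lists every policy-map class that still redirects traffic to the sfr module, and whether that policy-map is applied by a service-policy. The sample config is constructed, the function names are hypothetical, and the `sfr fail-open` / `sfr fail-close [monitor-only]` lines are the standard ASA redirect commands, which the thread itself does not quote.

```python
import re

# Constructed running-config fragment for illustration (not from the thread).
SAMPLE_CONFIG = """\
class-map sfr
 match any
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class sfr
  sfr fail-open
policy-map unused_policy
 class sfr
  sfr fail-close monitor-only
service-policy global_policy global
"""

def find_sfr_redirects(config):
    """List every policy-map class that sends traffic to the sfr module."""
    # Where each policy-map is applied: "global" or "interface <name>".
    applied = {m.group(1): m.group(2) for m in re.finditer(
        r"^service-policy (\S+) (global|interface \S+)", config, re.M)}
    findings, pmap, cls = [], None, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command starts a new context
            m = re.match(r"policy-map (?!type )(\S+)", line)
            pmap, cls = (m.group(1) if m else None), None
            continue
        if pmap is None:
            continue
        text = line.strip()
        m = re.match(r"class (\S+)", text)
        if m:
            cls = m.group(1)
            continue
        m = re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", text)
        if m and cls:
            findings.append({"policy_map": pmap, "class": cls,
                             "mode": m.group(1),
                             "monitor_only": bool(m.group(2)),
                             "applied": applied.get(pmap)})
    return findings

def active_redirects(config):
    """Only redirects whose policy-map is actually applied by a service-policy."""
    return [f for f in find_sfr_redirects(config) if f["applied"]]

if __name__ == "__main__":
    for finding in find_sfr_redirects(SAMPLE_CONFIG):
        print(finding)
```

Run against the output of `show running-config` saved to a file, an empty result from `active_redirects` confirms that no applied policy still sends traffic to the module.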