cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
249
Views
30
Helpful
3
Replies
Highlighted
Participant

ASA 5516 with firepower

Hi,

I deployed ASA 5516 with firepower model. I would like to know if firewall power subscription is expired all traffic will bypass or block ?

If i want to use ASA function only without using firepower function ,Can deployed ?

 

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Guru

Re: ASA 5516 with firepower

If you have an ASA running ASA code (not FTD) with Firepower service module and no longer wish to use the module, simply remove the policy-map entry that redirects traffic to it.

For example:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# no class sfr

Or if that is the only entry in the service-policy you can remove it altogether:

ciscoasa(config)# no service-policy global_policy global

Reference:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc12

If you don't want it to be resident on the ASA at all you can further remove the software module altogether:

Step 1 Uninstall the software module image and associated configuration.

hostname# sw-module module sfr uninstall
 
Module sfr will be uninstalled. This will completely remove the disk image
associated with the sw-module including any configuration that existed within it.
 
Uninstall module sfr? [confirm]
 
Step 2 Reload the ASA. You must reload the ASA before you can install a new module.

hostname# reload

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#31927

 

Either way the management cable is not needed for Firepower if you aren't using the module.

View solution in original post

3 REPLIES 3
Highlighted
Hall of Fame Guru

Re: ASA 5516 with firepower

Whether you are running ASA with Firepower service module or ASA with FTD OS, expiration of any Firepower subscription (IPS) or license (URL Filtering or AMP) will not prevent traffic from flowing.

It will prevent enforcement of policies that use the latter two features. The IPS will continue to work without the right to download any new rule updates (SRU), Vulnerability Database (VDB) or Geolocation information.

Highlighted
Participant

Re: ASA 5516 with firepower

Hi,

Let me know if firepower is expired do i need to disconnect management cable ? Or can i deploy without connect this management cable to switch or Can i deploy without using firewall power function ?

ASA.jfif

Everyone's tags (1)
Hall of Fame Guru

Re: ASA 5516 with firepower

If you have an ASA running ASA code (not FTD) with Firepower service module and no longer wish to use the module, simply remove the policy-map entry that redirects traffic to it.

For example:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# no class sfr

Or if that is the only entry in the service-policy you can remove it altogether:

ciscoasa(config)# no service-policy global_policy global

Reference:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc12

If you don't want it to be resident on the ASA at all you can further remove the software module altogether:

Step 1 Uninstall the software module image and associated configuration.

hostname# sw-module module sfr uninstall
 
Module sfr will be uninstalled. This will completely remove the disk image
associated with the sw-module including any configuration that existed within it.
 
Uninstall module sfr? [confirm]
 
Step 2 Reload the ASA. You must reload the ASA before you can install a new module.

hostname# reload

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#31927

 

Either way the management cable is not needed for Firepower if you aren't using the module.

View solution in original post