ASA 5516 with firepower

MrBeginner
Spotlight

Hi,

I deployed an ASA 5516 with Firepower model. I would like to know: if the Firepower subscription is expired, will all traffic be bypassed or blocked?

If I want to use the ASA function only, without using the Firepower function, can it be deployed?

 


3 Replies

Marvin Rhoads
Hall of Fame

Whether you are running ASA with Firepower service module or ASA with FTD OS, expiration of any Firepower subscription (IPS) or license (URL Filtering or AMP) will not prevent traffic from flowing.

It will prevent enforcement of policies that use the latter two features. The IPS will continue to work without the right to download any new rule updates (SRU), Vulnerability Database (VDB) or Geolocation information.

Hi,

Let me know: if Firepower is expired, do I need to disconnect the management cable? Or can I deploy without connecting this management cable to the switch, or can I deploy without using the Firepower function?

If you have an ASA running ASA code (not FTD) with Firepower service module and no longer wish to use the module, simply remove the policy-map entry that redirects traffic to it.

For example:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# no class sfr

Or if that is the only entry in the service-policy you can remove it altogether:

ciscoasa(config)# no service-policy global_policy global

Reference:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc12

If you don't want it to be resident on the ASA at all you can further remove the software module altogether:

Step 1 Uninstall the software module image and associated configuration.

hostname# sw-module module sfr uninstall
 
Module sfr will be uninstalled. This will completely remove the disk image
associated with the sw-module including any configuration that existed within it.
 
Uninstall module sfr? [confirm]
 
Step 2 Reload the ASA. You must reload the ASA before you can install a new module.

hostname# reload

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#31927

 

Either way the management cable is not needed for Firepower if you aren't using the module.
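
A check to run against a saved running-config after the steps above, listing any class that still redirects traffic to the module and whether its policy-map is applied. This is an added example, not code from the thread or from Cisco; the sample config and the name `find_sfr_redirects` are constructed for illustration.

```python
# Constructed sample of "show running-config" output (not from the thread).
SAMPLE_CONFIG = """\
class-map sfr
 match any
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class sfr
  sfr fail-close
policy-map dmz_policy
 class sfr
  sfr fail-open monitor-only
service-policy global_policy global
"""

def find_sfr_redirects(config_text):
    """Return one dict per policy-map class that still has an 'sfr' action."""
    applied = {}    # policy-map name -> scope given on its service-policy line
    redirects = []
    policy = cls = None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):          # top-level command
            policy = cls = None
            if words[0] == "policy-map" and len(words) == 2:
                policy = words[1]            # skips "policy-map type inspect ..."
            elif words[0] == "service-policy" and len(words) >= 3:
                applied[words[1]] = " ".join(words[2:])
        elif policy and words[0] == "class" and len(words) >= 2:
            cls = words[1]
        elif policy and cls and words[0] == "sfr" and len(words) >= 2:
            # fail-close drops matching traffic when the module is unavailable,
            # so a leftover fail-close redirect matters most before an uninstall.
            redirects.append({"policy_map": policy, "class": cls,
                              "mode": words[1],
                              "monitor_only": "monitor-only" in words[2:]})
    for r in redirects:
        r["applied"] = applied.get(r["policy_map"])  # None: defined, not applied
    return redirects

if __name__ == "__main__":
    for r in find_sfr_redirects(SAMPLE_CONFIG):
        print(r)
```

An empty result means no class redirects to the module; an entry with `applied` set to `None` is a redirect in a policy-map that no `service-policy` currently applies.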
