ASA and Firepower Bypass

Phil Bradley · ‎02-12-2018

I am trying to bypass the Firepower module on my ASA and I'm not sure which command actually accomplishes this. Here what I have in my config:

no monitor-interface service-module

I also get empty results when I issue the command "show service-policy sfr ".

Rahul Govindan · ‎02-12-2018

Referencing this:
https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc12

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open monitor-only

The above sends a copy of the traffic to the SFR, but does not take action based on Firepower rules. You can use this for visibility. If you want to stop even this, change the last command to "no sfr fail-open".

Phil Bradley · ‎02-12-2018

So if I reboot the sourcefire module does traffic stop flowing into the outside interface until the module comes back up? Or does the policy listed below keep traffic flowing while the sfr module is down?

Rahul Govindan · ‎02-12-2018

The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable.
The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode.

I think you would want to set it to "fail-open monitor-only" at the least if you want minimal traffic interruption.