ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
The above sends a copy of the traffic to the SFR, but does not take action based on Firepower rules. You can use this for visibility. If you want to stop even this, change the last command to "no sfr fail-open".
So if I reboot the Sourcefire module, does traffic stop flowing into the outside interface until the module comes back up? Or does the policy listed below keep traffic flowing while the SFR module is down?
The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable. The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable. Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode.
I think you would want to set it to "fail-open monitor-only" at the least if you want minimal traffic interruption.
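As an added example (not code from this thread or from Cisco), the following Python check classifies the sfr action under an ASA policy-map and reports, per the keyword semantics described above, what happens to traffic while the module is unavailable and whether FirePOWER rules are enforced. The configuration excerpts are constructed samples; the policy-map name global_policy is the one used in the thread.

```python
import re

# Constructed ASA running-config excerpts (not captured from a real device).
CONFIGS = {
    "inline_close": """
policy-map global_policy
 class inspection_default
  inspect dns
 class sfr
  sfr fail-close
service-policy global_policy global
""",
    "tap_open": """
policy-map global_policy
 class sfr
  sfr fail-open monitor-only
service-policy global_policy global
""",
    "disabled": """
policy-map global_policy
 class sfr
  no sfr fail-open
""",
}

# Matches 'sfr fail-open|fail-close [monitor-only]' and its 'no' form.
SFR_RE = re.compile(r"^\s*(no\s+)?sfr\s+(fail-open|fail-close)(\s+monitor-only)?\s*$")


def sfr_redirect_mode(config_text, policy_map="global_policy"):
    """Return 'none', 'inline-fail-open', 'inline-fail-close',
    'tap-fail-open' or 'tap-fail-close' for the given policy-map."""
    in_pmap, mode = False, "none"
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level line: new block starts
            in_pmap = line.split()[:2] == ["policy-map", policy_map]
            continue
        m = SFR_RE.match(line) if in_pmap else None
        if m:
            negated, fail_mode, tap = m.groups()
            # 'no sfr ...' removes redirection; otherwise classify the action
            mode = "none" if negated else ("tap" if tap else "inline") + "-" + fail_mode
    return mode


def outage_impact(mode):
    """What the ASA does with redirected traffic while the module is down."""
    if mode == "none":
        return "not-redirected"
    return "blocked" if mode.endswith("fail-close") else "passes-uninspected"


def enforces_firepower_rules(mode):
    """Only inline mode acts on FirePOWER verdicts; monitor-only is a copy."""
    return mode.startswith("inline")
```

Paste the output of `show running-config policy-map` into `sfr_redirect_mode` to audit a device; a result of "passes-uninspected" is the trade-off the fail-open recommendation above accepts during a module reboot.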