ASA and Firepower Bypass

Phil Bradley

I am trying to bypass the Firepower module on my ASA and I'm not sure which command actually accomplishes this. Here is what I have in my config:


no monitor-interface service-module


I also get empty results when I issue the command "show service-policy sfr".


3 Replies

Rahul Govindan
Referencing this:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open monitor-only

The above sends a copy of the traffic to the SFR, but does not take action based on Firepower rules. You can use this for visibility. If you want to stop even this, change the last command to "no sfr fail-open".

So if I reboot the sourcefire module does traffic stop flowing into the outside interface until the module comes back up? Or does the policy listed below keep traffic flowing while the sfr module is down?

The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable.
The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode.

I think you would want to set it to "fail-open monitor-only" at the least if you want minimal traffic interruption.
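
The keyword behaviour quoted above, as an added example that is not part of the original thread: a Python check that reads policy-map configuration text and reports, for each class with an `sfr` action, what happens to traffic when the module is unavailable and whether the module sees inline traffic or a read-only copy. The sample configuration, the `dmz_policy` and `sfr_dmz` names, and the `audit_sfr` function are constructed for illustration.

```python
import re

# Constructed sample in the style of ASA policy-map configuration (not from the thread).
SAMPLE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class sfr
  sfr fail-open monitor-only
policy-map dmz_policy
 class sfr_dmz
  sfr fail-close
"""

# Matches the redirect action: sfr {fail-open | fail-close} [monitor-only]
SFR_ACTION = re.compile(r"^sfr\s+(fail-open|fail-close)(\s+monitor-only)?\s*$")


def audit_sfr(config_text):
    """Return one dict per class that redirects traffic to the module."""
    findings = []
    policy = cls = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            # New policy-map: remember its name and reset the current class.
            policy, cls = line.split()[-1], None
        elif line.startswith("class "):
            cls = line.split()[-1]
        else:
            m = SFR_ACTION.match(line)
            if m and policy and cls:
                fail_open = m.group(1) == "fail-open"
                findings.append({
                    "policy_map": policy,
                    "class": cls,
                    # fail-open: traffic passes uninspected while the module is down
                    "on_module_failure": "allow uninspected" if fail_open else "block",
                    # monitor-only: the module gets a read-only copy (inline tap)
                    "mode": "inline tap" if m.group(2) else "inline",
                })
    return findings


if __name__ == "__main__":
    for finding in audit_sfr(SAMPLE_CONFIG):
        print(finding)
```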