cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
773
Views
5
Helpful
6
Replies

ASA firepower module Configuration help

kajumblies15
Level 1
Level 1

Hello, 

I am working on an ASA 5555x with a firepower module. I am struggling to determine if my configurtation is working in regards to traffic making it to the module and back out to the ASA. What i am attempting to achieve here is all traffic coming in should do their normal ACL check then go to the firepower module and be ether allowed or denied based upon an access control rule in the ASA Firepower configuration section of ASDM. I would like to see traffic stop making it across if i set the access control rule on the module to block right now its not working. I have created the service policy to redirect to the module but i cannot tell if its working since the block access control policy is not working. 

Thank You

1 Accepted Solution

Accepted Solutions

Use the command "clear service-policy global" to clear the statistics for the policy map counters.  This will make it easier to see the counter increase or not.  If it is not increasing it possibly means that there is an issue with traffic matching in the class-map.

But as I requested earlier, it will be a little easier to understand what is happening if we see the configuration of the devices in question.  Please remember to remove any  sensitive information from the configuration such as usernames, passwords and public IPs before posting it to the forum.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

6 Replies 6

We would need to see your ASA running configuration as well as the FirePOWER module configuration to get a better idea of what might be happening.

--
Please remember to select a correct answer and rate helpful posts

balaji.bandi
Hall of Fame
Hall of Fame

adding to other post 

you can check :

show service-policy sfr

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

kajumblies15
Level 1
Level 1

I can provide the configs. When i run the show service-policy sfr it shows that there are packets going in and out. However that number doesn't increment and the outgoing packets don't go to zero when i try to set a block all rule in the module.

post the output here and config as requested for better advise.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Use the command "clear service-policy global" to clear the statistics for the policy map counters.  This will make it easier to see the counter increase or not.  If it is not increasing it possibly means that there is an issue with traffic matching in the class-map.

But as I requested earlier, it will be a little easier to understand what is happening if we see the configuration of the devices in question.  Please remember to remove any  sensitive information from the configuration such as usernames, passwords and public IPs before posting it to the forum.

--
Please remember to select a correct answer and rate helpful posts

This worked perfectly. I was able to tweak the firepower access controll rules and starting out with clear counters helped a lot and things are properly incrementing packet wise. Thank You

Review Cisco Networking for a $25 gift card