03-01-2016 03:50 AM - edited 03-10-2019 06:34 AM
I have something similar to the following:
class-map Class_FP
 match any
policy-map global_policy
 class Class_FP
  sfr fail-open
service-policy global_policy global
If I want certain traffic to not go to the Firepower SFR, what is the best way to achieve this? Running an ASA 5516-X. I'm sure it is causing some problems for two hosts.
Thanks
03-01-2016 05:47 PM
Change your class-map rule from "match any" to be an access list which exempts the hosts you want to bypass the sfr module.
10-25-2018 11:47 AM
Sorry to reply to an old thread.
So if I have:
ASA# sh run access-list | include global_mpc_1
access-list global_mpc_1 extended deny ip any object-group Internal-Networks
access-list global_mpc_1 extended permit ip any any
ASA#
where my Internal-Networks is a group of subnets etc., will that in theory bypass the SFR for the whole Internal-Networks group?
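To check what an ACL like the one above actually exempts, here is an added example (not code from the thread or from Cisco): a small first-match model of an ASA "match access-list" class-map, fed with the posted global_mpc_1 ACL, a symmetric variant, and a per-host variant for the two-host case from the original question. The membership of object-group Internal-Networks (10.0.0.0/8 and 192.168.0.0/16), the hosts 10.1.1.50/10.1.1.51 and the ACL names global_mpc_2 and sfr_bypass are assumptions for the example. The model treats a "permit" ACE as "classified, redirected to the sfr module" and a "deny" ACE or no match as "not classified, bypasses the module", evaluated on the first packet of the connection.

```python
"""
Added example, not from the thread: first-match model of an ASA MPC
(modular policy) class-map that uses 'match access-list <name>'.
Assumptions (labelled, not from the original posts):
  * object-group Internal-Networks = 10.0.0.0/8 + 192.168.0.0/16
  * classification happens on the connection's first packet; a 'permit'
    ACE puts the connection in the class (sent to the sfr module), a 'deny'
    ACE or no match leaves it out (bypasses the module).
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed object-group contents (not from the thread).
OBJECT_GROUPS = {
    "Internal-Networks": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
}

# Restricted grammar: 'access-list NAME extended permit|deny ip SRC DST'
# with SRC/DST being 'any', 'host A.B.C.D' or 'object-group NAME'.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>any|host\s+\S+|object-group\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|object-group\s+\S+)\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any", "host X", or "object-group NAME"
    dst: str


def parse_acl(config_text, acl_name):
    """Collect the ACEs of one named ACL, preserving configured order."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            aces.append(Ace(m.group("action"), m.group("src"), m.group("dst")))
    return aces


def _matches(spec, addr):
    if spec == "any":
        return True
    kind, arg = spec.split(None, 1)
    if kind == "host":
        return addr == ipaddress.ip_address(arg)
    return any(addr in net for net in OBJECT_GROUPS[arg])  # object-group


def sent_to_sfr(aces, src, dst):
    """First-match evaluation of the initiating packet src -> dst.
    Returns True if the connection would be redirected to the sfr module."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if _matches(ace.src, s) and _matches(ace.dst, d):
            return ace.action == "permit"
    return False  # implicit deny: not in the class, bypasses the module


# The ACL exactly as posted in the thread.
POSTED = """\
access-list global_mpc_1 extended deny ip any object-group Internal-Networks
access-list global_mpc_1 extended permit ip any any
"""

# Assumed variant: also exempt connections *initiated by* Internal-Networks.
SYMMETRIC = """\
access-list global_mpc_2 extended deny ip any object-group Internal-Networks
access-list global_mpc_2 extended deny ip object-group Internal-Networks any
access-list global_mpc_2 extended permit ip any any
"""

# Assumed variant for the two-host case in the original question.
TWO_HOSTS = """\
access-list sfr_bypass extended deny ip host 10.1.1.50 any
access-list sfr_bypass extended deny ip any host 10.1.1.50
access-list sfr_bypass extended deny ip host 10.1.1.51 any
access-list sfr_bypass extended deny ip any host 10.1.1.51
access-list sfr_bypass extended permit ip any any
"""

if __name__ == "__main__":
    posted = parse_acl(POSTED, "global_mpc_1")
    # Inbound to an internal host: exempt. Outbound from it: still inspected.
    print(sent_to_sfr(posted, "203.0.113.5", "10.1.1.1"))
    print(sent_to_sfr(posted, "10.1.1.1", "203.0.113.5"))
    both = parse_acl(SYMMETRIC, "global_mpc_2")
    print(sent_to_sfr(both, "10.1.1.1", "203.0.113.5"))
```

The model shows the point a practitioner should verify before relying on such an ACL: because a deny ACE only keeps traffic out of the class when the initiating packet matches it, "deny ip any object-group Internal-Networks" exempts connections whose destination is internal, while a connection started by an internal host towards an outside address still hits "permit ip any any" and is sent to the module; exempting both directions needs a second deny ACE with the group as the source. On the ASA the ACL is attached with "match access-list global_mpc_1" in place of "match any" in class-map Class_FP, and the policy-map and service-policy lines from the first post stay as they are.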
11-27-2018 09:29 PM
Hi,
You can create a service policy which selects the internal subnet that you don't need to send through the FP module; then you can deselect FP inspection for those networks.
regards,
01-19-2023 12:53 PM
Did that work? I have a similar need to have some traffic bypass inspection. Thanks in advance.