01-26-2018 11:54 PM - edited 02-21-2020 07:13 AM
I want to upgrade 2 Cisco ASA 5515-X to include Firepower IPS modules and
Please guide me how I can achieve this.
Thanks in advance.
01-27-2018 06:45 AM
The Firepower module gets traffic from the parent ASA by applying a service-policy to an interface (or globally). The service-policy references a policy-map which in turn references a class-map.
In the class-map the key command is:
sfr { fail-close | fail-open } [ monitor-only ]
You would use that optional "monitor-only" keyword to operate in IDS mode. When you are ready to move to IPS mode simply change that one line.
Here are some helpful references:
01-28-2018 03:22 PM
Thanks for your response, Marvin.
01-22-2021 07:38 PM
Hi Marvin.
sfr { fail-close | fail-open } [ monitor-only ]
Does this command "monitor-only" only affect the IDS function (intrusion policy)?
For example, if I create a rule (L3/L4 without an intrusion policy) with a block action in the FMC and I have monitor-only, will the packet be blocked by the Firepower module?
Thanks for your help.
Regards.
01-22-2021 11:31 PM
When the class-map action is "sfr monitor-only" then the ASA will ignore any block or drop verdict coming from the Firepower service module. The module will still detect per the intrusion policy (IDS) but cannot enforce it (IPS).
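The service-policy / policy-map / class-map chain described in the answers above, written out as an added example (not configuration posted in this thread): the ACL and class names are assumed, global_policy is the ASA default policy-map, and the second block shows the single-line change from IDS (monitor-only) to IPS.

```cisco
! Send selected traffic to the Firepower (SFR) module in IDS mode first,
! then switch the same class to IPS mode by removing "monitor-only".
! Names sfr-redirect and sfr-class are assumed; global_policy is the ASA default.

! 1. Select the traffic the module should see (here: all IP traffic).
access-list sfr-redirect extended permit ip any any

! 2. Class-map that matches that traffic.
class-map sfr-class
 match access-list sfr-redirect

! 3. The sfr action lives under the class inside the policy-map.
!    fail-open    = if the module is down or unresponsive, traffic still passes
!    fail-close   = if the module is down, matching traffic is dropped
!    monitor-only = module inspects a copy; ASA ignores its block/drop verdicts (IDS)
policy-map global_policy
 class sfr-class
  sfr fail-open monitor-only

! 4. Apply the policy-map globally (or to one interface with "interface <name>").
service-policy global_policy global

! --- Moving from IDS to IPS: only the sfr line changes ---
policy-map global_policy
 class sfr-class
  no sfr fail-open monitor-only
  sfr fail-open

! Verification (exec mode): confirm the module is Up and the class is actually
! matching packets before relying on it to enforce anything.
show module sfr
show service-policy sfr
```

Until "monitor-only" is removed, an FMC access-control rule with a Block action is still evaluated and logged by the module, but the ASA forwards the packet anyway, which is the behaviour the answer above describes.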