Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5325
Views
5
Helpful
4
Replies

Change firepower IPS module from monitor mode to block mode

Go to solution
damode
Level 1
Level 1

‎01-26-2018 11:54 PM - edited ‎02-21-2020 07:13 AM

I want to upgrade 2 cisco asa 5515x to include firepower IPS modules and

  • configure new IPS sensors in monitor mode and add to FMC with new policies
  • post the analysis for any false positives, change the sensors to block mode.

Please guide me how I can achieve this.

Thanks in advance.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-27-2018 06:45 AM

The Firepower module gets traffic from the parent ASA by applying a service-policy to an interface (or globally). The service-policy references a policy-map which in turn references a class-map. 

 

In the class-map the key command is:

 

sfr { fail-close | fail-open } [ monitor-only ]

You would use that optional "monitor-only" keyword to operate in IDS mode. When you are ready to move to IPS mode simply change that one line.

 

Here are some helpful references:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1660444

 

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc10

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-27-2018 06:45 AM

The Firepower module gets traffic from the parent ASA by applying a service-policy to an interface (or globally). The service-policy references a policy-map which in turn references a class-map. 

 

In the class-map the key command is:

 

sfr { fail-close | fail-open } [ monitor-only ]

You would use that optional "monitor-only" keyword to operate in IDS mode. When you are ready to move to IPS mode simply change that one line.

 

Here are some helpful references:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html#pgfId-1660444

 

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc10

0 Helpful

Go to solution
damode
Level 1
Level 1
In response to Marvin Rhoads

‎01-28-2018 03:22 PM

Thanks for your response, Marvin.

0 Helpful

Go to solution
ccarrionm
Level 1
Level 1
In response to Marvin Rhoads

‎01-22-2021 07:38 PM

HI Marvin.

 

sfr { fail-close | fail-open } [ monitor-only ]

Does This command "monitor -only"  only affect the IDS function (intrusion policy)?

For example if I create a rule (L3/L4 without intrusion policy)with a block action  in the FMC and I have the monitor -only , Does the packet will be blocked by the firepower module?

 

Thanks for your help.

Regards.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-22-2021 11:31 PM

When the class-map action is "sfr monitor-only" then the ASA will ignore any block or drop verdict coming from the Firepower service module. The module will still detect per the intrusion policy (IDS) but cannot enforce it (IPS).

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top