Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4666
Views
5
Helpful
4
Replies

Cisco ASA5555X with Firepower enabled - Temporarily disable firepower services ?

Go to solution
dclee
Level 1
Level 1

‎10-21-2015 03:54 PM - edited ‎03-11-2019 11:47 PM

We are about to upgrade our prod ASA5555x to use the Firepower services. I have been testing it in the lab

for a few days now and all appears to be working well.

Go live is this Sat eve.

My question is should I run into connectivity issues etc due to SF config, what is the best way to temporarily disable

the SF services ?

It seems if I remove the access-list match statement from the class-map SF uses that seems to do the trick.

Wondering if there is a better way to get this done.

Cheers


Dave

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎10-21-2015 04:27 PM

Hi,

If you remove the command : sfr fail-open from the policy-map by which you are redirecting the traffic to the SFR .

Policy-map global-policy
Class-map sfr
no Sfr fail-open

 

Regards,

Aastha

 

 

 

View solution in original post

4 Replies 4

Go to solution
Aastha Bhardwaj
Cisco Employee
Cisco Employee

‎10-21-2015 04:27 PM

Hi,

If you remove the command : sfr fail-open from the policy-map by which you are redirecting the traffic to the SFR .

Policy-map global-policy
Class-map sfr
no Sfr fail-open

 

Regards,

Aastha

 

 

 

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Aastha Bhardwaj

‎10-22-2015 04:55 AM

Aastha's approach is a clean break from the sfr module.

Using John's approaches would still result in the traffic being passed through the module by the ASA. The first one just removes the module for FireSIGHT management - the applied policies are still present on the module. For the second one, even if the sfr policy is "allow all" with the rules disabled, the packets still flow into and out of the module to have that decision made.

0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9
In response to Marvin Rhoads

‎10-22-2015 07:58 AM

hi,

i agree the ASA command is simpler.

i've tried it and it works like a charm.

mpf-policy-map-class mode commands/options:
  fail-close  Block traffic if SFR card fails
  fail-open   Permit traffic if SFR card fails
ciscoasa(config-pmap-c)# no sfr fail-open

 

 

0 Helpful

Go to solution
johnlloyd_13
Level 9
Level 9

‎10-22-2015 01:49 AM

hi,

i could see 2 approaches here. the quick way is to remove your device (5555x) under Policies > Access Control > Targets > Selected Device (click trash can beside it).

 

another approach would be to disable ALL rules one by one under Policies > Access Control > click pencil icon on the desired rule > uncheck Enabled.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card