We are about to upgrade our prod ASA5555x to use the Firepower services. I have been testing it in the lab
for a few days now and all appears to be working well.
Go live is this Sat eve.
My question is: should I run into connectivity issues etc. due to SF config, what is the best way to temporarily disable
the SF services?
It seems if I remove the access-list match statement from the class-map SF uses that seems to do the trick.
Wondering if there is a better way to get this done.
Aastha's approach is a clean break from the sfr module.
Using John's approaches would still result in the traffic being passed through the module by the ASA. The first one just removes the module for FireSIGHT management - the applied policies are still present on the module. For the second one, even if the sfr policy is "allow all" with the rules disabled, the packets still flow into and out of the module to have that decision made.
I could see 2 approaches here. The quick way is to remove your device (5555x) under Policies > Access Control > Targets > Selected Device (click the trash can beside it).
Another approach would be to disable ALL rules one by one under Policies > Access Control > click the pencil icon on the desired rule > uncheck Enabled.