cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4388
Views
5
Helpful
4
Replies

Cisco ASA5555X with Firepower enabled - Temporarily disable firepower services ?

dclee
Beginner
Beginner

We are about to upgrade our prod ASA5555x to use the Firepower services. I have been testing it in the lab

for a few days now and all appears to be working well.

Go live is this Sat eve.

My question is should I run into connectivity issues etc due to SF config, what is the best way to temporarily disable

the SF services ?

It seems if I remove the access-list match statement from the class-map SF uses that seems to do the trick.

Wondering if there is a better way to get this done.

Cheers


Dave

1 Accepted Solution

Accepted Solutions

Aastha Bhardwaj
Cisco Employee
Cisco Employee

Hi,

If you remove the command : sfr fail-open from the policy-map by which you are redirecting the traffic to the SFR .

Policy-map global-policy
Class-map sfr
no Sfr fail-open

 

Regards,

Aastha

 

 

 

View solution in original post

4 Replies 4

Aastha Bhardwaj
Cisco Employee
Cisco Employee

Hi,

If you remove the command : sfr fail-open from the policy-map by which you are redirecting the traffic to the SFR .

Policy-map global-policy
Class-map sfr
no Sfr fail-open

 

Regards,

Aastha

 

 

 

Aastha's approach is a clean break from the sfr module.

Using John's approaches would still result in the traffic being passed through the module by the ASA. The first one just removes the module for FireSIGHT management - the applied policies are still present on the module. For the second one, even if the sfr policy is "allow all" with the rules disabled, the packets still flow into and out of the module to have that decision made.

hi,

i agree the ASA command is simpler.

i've tried it and it works like a charm.

mpf-policy-map-class mode commands/options:
  fail-close  Block traffic if SFR card fails
  fail-open   Permit traffic if SFR card fails
ciscoasa(config-pmap-c)# no sfr fail-open

 

 

johnlloyd_13
Engager
Engager

hi,

i could see 2 approaches here. the quick way is to remove your device (5555x) under Policies > Access Control > Targets > Selected Device (click trash can beside it).