08-23-2022 10:27 AM
Is there a way to configure the ASA 5555X to fail to a secure state upon a failure?
Accepted Solutions
08-23-2022 06:34 PM
I believe I have found the answer in another question in the community forum.
08-23-2022 10:43 AM
Failure can mean many things - from the box crashing to an interface going down to a bug causing certain traffic to be mishandled. Obviously if the former happens no traffic will pass through the device. I suppose you could call that "fail to a secure state".
We would need to know more about the context of your question to answer your original question better.
08-23-2022 11:00 AM
There is a DISA STIG that has the following requirement: The firewall must fail to a secure state upon the failure of the following: system initialization, shutdown, or system abort.
Thanks for the quick response.
08-23-2022 11:05 AM
The fix text says: Configure the firewall to stop forwarding traffic or maintain the configured security policies upon the failure of the following actions: system initialization, shutdown, or system abort.
Could I create an EEM that shuts down ports in case of one of the actions? If so, what syslog ID would I get the EEM to monitor?
Sorry for so many questions. This has been biting me for a long time now and I have to fix it with a solution or they will have to accept the risk.