FW#sh service-policy SFR

keithcclark71
Level 3

When issuing a sh service-policy sfr to view the packet input and output stats, I have a 0 counter on "Input". I am collecting events in the FMC, but I am also seeing this error. Any ideas? I am running in Monitor-Only.

Critical Modules:1,Normal Modules:15,Disabled Modules:21
Module Interface Status: Interface 'DataPlaneInterface0' is not receiving any packets

Global policy:
Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 18726, drop 0, reset-drop 0

4 Replies

tarjoshi
Level 1

In the monitor-only mode the input packets are displayed as 0 which is expected. 

For the DataplaneInterface not receiving any traffic error, please confirm if you are getting this error on the secondary ASA; if that is the case this is also expected as only the primary unit is handling the traffic. 

Not running a secondary, so no HA pair here. What I had were some general questions, if you or someone might be able to answer them.

If I am running fail-open monitor-only, what is the point of trying to introduce any access control policies or anything relating to traffic manipulation from the FMC?

Is there anything at all that can be tested from an IDS/IPS standpoint in monitor-only mode? Is it just for assessment purposes, to gain visibility into the traffic?

If I have 3 interfaces on the ASA for VLAN purposes, say nameif Outside, nameif Admin, nameif DMZ:

If Admin tries to connect to DMZ, will the SFR event log this? If so, what would be the point of configuring access policy rules when the ASA would already be doing this?

The monitor-only is indeed for assessment purposes only; however, you will be able to test out the action taken by the sfr module without interrupting any network traffic.

In monitor-only mode the module receives a copy of the actual packet and takes action on the dummy packet, under the FMC Analysis > Connection > Events you will be able to see the packet and details along with the action.

For example, let's say we create a rule to block facebook.com using the Access control rules and the policy is applied to the module. Now, if any user is accessing facebook.com, that event will be shown as a "Block" on the FMC and you will be able to get details of the user without interrupting his access. In a similar manner, you will see "would have been blocked" events for any traffic triggering an Intrusion rule. Once you are satisfied with the rules and the working of the module, you can switch to inline mode and start blocking/handling actual network traffic.

The sfr module handles traffic which is going through the ASA based on the service-policy. It will not be logging any access to the ASA itself; that has to be done on the ASA. 

Thank you for that reply it is much appreciated.
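The service-policy redirect the reply above describes, as an added example that is not configuration from the original post: the ASA-side class map and policy map that hand matching traffic to the sfr module in monitor-only mode, beside the inline form used once the FMC policy has been validated. The class-map and policy-map names match the "show service-policy sfr" output in the question; the "match any" class criterion is an assumption (a narrower match or an ACL-based class can be used instead).

```cisco
! Added example, not from the original post. Class and policy names follow
! the "show service-policy sfr" output in the question; "match any" is assumed.

! 1. Monitor-only. The module receives a copy of each matching packet and acts
!    on the copy, so the ASA-side "packet input" counter stays at 0 and the FMC
!    reports what the module would have done (e.g. "would have blocked").
!    fail-open: if the module is down, traffic passes without inspection;
!    fail-close would drop it instead.
class-map sfr
 match any
!
policy-map global_policy
 class sfr
  sfr fail-open monitor-only
!
service-policy global_policy global

! 2. Inline (fail-open). Same class, but the module is now in the data path
!    and a Block action drops real traffic. Remove the monitor-only form
!    before applying the inline form.
policy-map global_policy
 class sfr
  no sfr fail-open monitor-only
  sfr fail-open

! 3. Verify the mode the ASA is actually using and the module health:
!    show service-policy sfr
!    show module sfr details
```

After step 2, the "SFR:" line in show service-policy sfr should read "mode fail-open" rather than "mode fail-open monitor-only", and the input counter should start incrementing for traffic that matches the class. Keep step 1 for the assessment phase described in the reply; only move to step 2 once the FMC connection and intrusion events show the expected actions, because from that point on the Block verdicts are enforced.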
