03-21-2017 11:43 AM - edited 03-12-2019 06:20 AM
When issuing sh service-policy sfr to view the packet input and output stats I have a 0 counter on "Input". I am collecting events in the FMC but I am also seeing this error. Any ideas??? I am running in Monitor-Only.
Critical Modules:1,Normal Modules:15,Disabled Modules:21
Module Interface Status: Interface 'DataPlaneInterface0' is not receiving any packets
Global policy:
  Service-policy: global_policy
    Class-map: sfr
      SFR: card status Up, mode fail-open monitor-only
        packet input 0, packet output 18726, drop 0, reset-drop 0
03-21-2017 01:14 PM
In monitor-only mode the input packets are displayed as 0, which is expected.
For the DataPlaneInterface "not receiving any packets" error, please confirm whether you are getting it on the secondary ASA; if so, this is also expected, as only the primary unit handles the traffic.
03-22-2017 08:43 AM
Not running a secondary so no HA pair here. What I had was some generalized questions if you or someone might be able to answer.
If I am running fail-open monitor-only, what is the point of trying to introduce any access control policies or anything relating to traffic manipulation from the FMC?
Is there anything at all that can be tested from an IDS/IPS standpoint in monitor-only mode??? Is it just for assessment purposes, to gain visibility into the traffic?
If I have 3 interfaces on the ASA for VLAN purposes, say nameif Outside, nameif Admin and nameif DMZ:
If Admin tries to connect to DMZ, will the SFR event log this? If so, what would be the point of configuring access policy rules when the ASA would already be doing this???
03-22-2017 09:31 AM
Monitor-only is indeed for assessment purposes only; however, you will be able to test out the action taken by the sfr module without interrupting any network traffic.
In monitor-only mode the module receives a copy of the actual packet and takes action on the dummy packet; under FMC Analysis > Connection > Events you will be able to see the packet and details along with the action.
For example, let's say we create a rule to block facebook.com using the Access control rules and the policy is applied to the module. Now, if any user is accessing facebook.com, that event will be shown as a "Block" on the FMC and you will be able to get details of the user without interrupting his access. In a similar manner, you will see "would have been blocked" events for any traffic triggering an Intrusion rule. Once you are satisfied with the rules and the working of the module you can switch to inline mode and start blocking/handling actual network traffic.
The sfr module handles traffic which is going through the ASA based on the service-policy. It will not be logging any access to the ASA itself; that has to be done on the ASA.
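For reference, here is the ASA service-policy configuration that produces the "mode fail-open monitor-only" line seen in the show service-policy sfr output above, beside the change that moves the module inline once the policy has been validated. This is an added example, not configuration posted in the thread; the ACL name sfr_redirect and the "permit ip any any" match are assumptions for illustration (narrow the ACL if only some flows should be inspected). One caveat worth knowing before switching: the ASA does not allow monitor-only and inline sfr classes to coexist in the same configuration, so the monitor-only line must be removed before the inline one is applied.

```cisco
! Added example (not from the original thread). Names below are assumptions.
!
! 1. Select the traffic to hand to the module. "permit ip any any" redirects all
!    through-the-box traffic; traffic to the ASA itself is never redirected.
access-list sfr_redirect extended permit ip any any
!
class-map sfr
 match access-list sfr_redirect
!
! 2. Assessment mode: the module only receives a copy of each packet, so
!    "packet input" stays 0 and Block verdicts are reported on the FMC but
!    never enforced on the real flow.
policy-map global_policy
 class sfr
  sfr fail-open monitor-only
!
service-policy global_policy global
!
! 3. Inline enforcement: remove the monitor-only form first, then apply the
!    plain redirect. fail-open passes traffic if the module is down or
!    restarting; use "sfr fail-close" to drop traffic in that case instead.
policy-map global_policy
 class sfr
  no sfr fail-open monitor-only
  sfr fail-open
!
! Verify: "show service-policy sfr" should now report "mode fail-open" and a
! rising "packet input" counter as soon as matching traffic flows.
```

After the change, an access control rule with a Block action will actually drop the matching flow, so it is worth re-checking the FMC connection events for rules that fired as "would have been blocked" during monitor-only before turning them on inline.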
03-23-2017 09:42 AM
Thank you for that reply it is much appreciated.