Solved: MPF For ASA+FirePower

johnlloyd_13 · ‎10-17-2015

hi,

i'm trying to redirect ALL traffic to a firepower module on an ASA5515x.

could someone advise what's the best way to do it or both achieve the same thing?

option 1:

class-map global-class
match any

policy-map global_policy
class global-class
sfr fail-open

OR

option 2:

access-list SFR_ACL extended permit ip any any

class-map SFR
match access-list SFR_ACL

policy-map global_policy
class SFR
sfr fail-open

Karsten Iwen · ‎10-17-2015

There is also option three:

policy-map global_policy
 class class-default
  sfr fail-open

Although all three ways should work, I would consider this one the most elegant if you want all traffic to be sent to SFR.

Karsten Iwen · ‎10-17-2015

There is also option three:

policy-map global_policy
 class class-default
  sfr fail-open

Although all three ways should work, I would consider this one the most elegant if you want all traffic to be sent to SFR.

johnlloyd_13 · ‎10-17-2015

hi karsten,

thanks for feedback!

how about whitelist an IP or subnet?

do you create a deny ACL on the ASA or everything is done on FireSight?

Karsten Iwen · ‎10-17-2015

That depends on the sizing of your ASA.

If your SFR is fast enough to handle all traffic, I still would send all traffic to the module and use the access-policies there to allow the traffic.
If the SFR is to slow to handle all traffic, then option 2 is the way to go and exclude traffic from being sent to SFR. But that makes your implementation a little more complex.