12-28-2018 09:10 AM - edited 03-12-2019 07:11 AM
Hello,
My customer uses an ASA 5516-X with FirePOWER only as a VPN gateway (both SSL and IPsec).
Since the ASA is not doing any traffic inspection, the FirePOWER module is redundant and I would like to turn it off.
The ASA operates in an active/standby configuration.
Is there a way to turn the sfr module off without any downtime?
Can I just safely issue sw-module module sfr shutdown?
Is a reboot required?
If I left the sfr on, would I need to do patch management for it as well, even though it does not inspect any traffic?
Is there a way to exploit a FirePOWER vulnerability, even though the ASA does not redirect any traffic to it?
Many thanks for your help.
asa/act/pri# sh module all
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5516-X with FirePOWER services, 8GE, AC, ASA5516
sfr FirePOWER Services Software Module ASA5516
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 mac to mac 3.0 1.1.8 9.8(2)24
sfr mac to mac N/A N/A 6.2.0-362
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.2.0-362
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
12-28-2018 09:57 AM - edited 12-28-2018 10:24 AM
Yes, go to the ASA CLI via SSH/console and give the command:
sw-module module sfr shutdown
As long as the sfr is shut down, no exploit can happen. As this is a production active/standby ASA, you also need to shut down the sfr on the passive ASA.
Prior to doing this work, make sure you are not monitoring this SFR.
No reboot is required. However, just in case you need to bring it up, give the command
sw-module module sfr reset
Is there a way to turn the sfr module off without any downtime?
sw-module module sfr shutdown. No downtime.
Can I just safely issue sw-module module sfr shutdown?
Yes.
Is a reboot required?
No.
If I left the sfr on, would I need to do patch management for it as well, even though it does not inspect any traffic?
No, if you are not using it and you don't have FMC, or if this module is not in production, you can leave it on the side.
Is there a way to exploit a FirePOWER vulnerability, even though the ASA does not redirect any traffic to it?
If you power off your computer, can you exploit it? Same logic if the sfr is powered off (sw-module module sfr shutdown).
Please rate if I was helpful.
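A way to carry out the answer above on both units of the pair and verify the result, as an added example that is not code from the thread or from Cisco. It assumes each unit is reachable through a send(command) callable (for instance a netmiko session, not included here) and uses a constructed FakeAsa stand-in so it runs offline.

```python
"""Added example, not Cisco's or the thread's code: shut the SFR module down on an
active/standby ASA pair and verify each unit's 'show module' reports it Down."""
import re
from typing import Callable, Dict, List

def sfr_status(show_module_output: str) -> str:
    """Return the sfr row's Status column from the Mod/Status/Data Plane table."""
    in_status_table = False
    for line in show_module_output.splitlines():
        if line.startswith("Mod") and "Data Plane Status" in line:
            in_status_table = True
            continue
        if in_status_table and line.startswith("sfr"):
            return re.split(r"\s{2,}", line.strip())[1]
    raise ValueError("no sfr row found in the status table")

def shutdown_sfr_pair(units: Dict[str, Callable[[str], str]], polls: int = 30) -> List[str]:
    """units maps 'standby'/'active' to a send(command) -> output callable (assumed to be
    e.g. a netmiko send_command). Standby is done first, then active; no ASA reload."""
    issued: List[str] = []
    for role in ("standby", "active"):
        send = units[role]
        if sfr_status(send("show module sfr")) == "Up":
            send("sw-module module sfr shutdown")  # real CLI prompts to confirm here
            issued.append(f"{role}: sw-module module sfr shutdown")
        for _ in range(polls):  # poll until the unit reports Down
            if sfr_status(send("show module sfr")) == "Down":
                break
        else:
            raise RuntimeError(f"{role}: sfr module did not reach Down")
    return issued

class FakeAsa:
    """Constructed stand-in for one unit: Up until shutdown, then Shutting Down, then Down."""
    TABLE = ("Mod  Status             Data Plane Status     Compatibility\n"
             "---- ------------------ --------------------- -------------\n"
             "sfr  {:<18} {:<21}\n")

    def __init__(self, initial: str = "Up") -> None:
        self.states = [initial]

    def send(self, cmd: str) -> str:
        if cmd == "sw-module module sfr shutdown":
            self.states += ["Shutting Down", "Down"]
            return ""
        state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
        return self.TABLE.format(state, "Up" if state == "Up" else "Not Applicable")
```

Against real units, replace FakeAsa.send with a session's send function; the polling loop is what catches a unit that never leaves Up.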
03-05-2019 02:11 AM
Thanks!
04-07-2020 05:14 AM
Will uninstalling the sfr module affect the device if firepower management is not currently being used?
04-07-2020 06:13 AM
Will uninstalling the sfr module affect the device if FirePOWER management is not currently being used?
You mean, if you uninstall the sfr module (sfr sensor) from the ASA, will it affect the FirePOWER management? If that is your question: if you uninstall the sfr module, your ASA traffic will keep working, but there will be no layer 7 inspection. In regards to the Firepower Management Center, you either have to delete the sensor, and later, once you install a new one, you have to register it in FMC.
Let me know if I answered your question.
04-07-2020 07:26 AM
04-07-2020 07:58 AM
We don't have a Firepower Management Center installed on our network. We only have ASA firewalls installed. Is there a reason to have the ASA FirePOWER module installed on the ASAs?
Oh I see, I thought you were running FMC. Yes, you can shut down the sfr on your ASA unit. However, it is better to have layer 7 inspection running with the SFR.
04-07-2020 09:23 AM
04-07-2020 11:20 AM
Here is a link you will find helpful:
https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/firepower-fmc.html
03-25-2021 06:39 PM - edited 03-25-2021 06:41 PM
Hi Sheraz,
I plan to permanently disable the SFR module on an ASA 5545-X since it's not being used.
What's the difference between 'sw-module module sfr uninstall' and 'sw-module module sfr shutdown'?
I remember I disabled SFR on an ASA before but can't remember which command I used. After a code upgrade/reboot the SFR came UP again. I need to know which command will completely and permanently remove the SFR.
Per the Cisco doc, it mentions to shut down, then uninstall. Can you please confirm?
03-26-2021 01:30 AM
'sw-module module sfr uninstall' means the software installed on the SSD drive in your ASA will be deleted permanently.
'sw-module module sfr shutdown' means it will power off the module, so if required you can bring it up when needed.
ciscoasa# sw-module module sfr shutdown
ciscoasa# sw-module module sfr uninstall
However, just thinking: if you change your mind in future and want to use the SFR module, what you can do is just unmount the hard disk at the front of your ASA (de-seat it). But if you do not plan to use it in future, then yes, just uninstall it as mentioned above with these two commands.
06-16-2021 02:13 AM
Hi Sheraz,
Since I haven't found anything else, isn't there a way to just disable the SFR module's startup after a reboot, without uninstalling?
I mean 'shutdown' is only a temporary solution if you don't need it.
If you uninstall, it's gone...
..or is there a way to kind of reinstall/update the SFR again..?
Thanks /hans
06-16-2021 02:42 AM
Hi Haprinz,
If you are using the ASA 5508 to 5555, you can unmount the physical hard disk on these ASAs. Doing this, the sfr software will stay on the hard disk but it will not be in service until you mount it back in the ASA.
Regards,
sheraz.
06-12-2023 06:32 AM
Try this, worked for me.
https://edledge.com/unwanted-asa-failover-due-to-sfr-error/
11-06-2024 01:04 AM
Hi team
For an RMA mishap I need to get a photo of the SN of the SFR. If I power down my ASA, pull the SFR out, take the photo, put it back in and power up, will my SFR configuration still be there, or do I need to triage and reconfigure?
thank you in advance