Contributor

Does ASA Fail close upon failure?

Does the ASA firewall fail closed if the firewall filtering function is nonfunctional? I am trying to look for some Cisco docs about this but can't find it.

Frequent Contributor

Re: Does ASA Fail close upon failure?

If you are redirecting traffic from ASA through backplane to a firepower module or older IPS module you can configure the ASA to fail close if the module fails.
Any traffic that was configured to be redirected through to the module would not be forwarded out the Firewall in the case of fail close. I haven't seen this option configured in production however.
Contributor

Re: Does ASA Fail close upon failure?

So if there is no other module or IPS being used, would the ASA just stop allowing traffic if any other functions stop working like ACLs or something?
Frequent Contributor

Re: Does ASA Fail close upon failure?

If we are talking about ASA with Firepower Services or IPS module then think of them as separate entities. The ASA does all the usual Firewally stuff, NATs, your ACLs etc...
When traffic flows through the ASA you have a policy map / class map which can match on certain subnets (most of the time I see matching all IP traffic) and you send this traffic to the Firepower / IPS module which will then do its thing. Depending on the IPS policies you have, traffic will be allowed to flow back through the ASA or the ASA will drop it.
If your policy is sending all traffic through to the module and the module fails, no traffic will traverse through the firewall.
This is a high level view 🙂. You can attach your firepower redirection to only certain interfaces rather than all, and also only redirect certain traffic, so a module failure may not stop all traffic. Depends on your setup.
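The redirection and fail-close behaviour described in the two replies above (the first reply's "configure the ASA to fail close if the module fails", and this reply's policy-map / class-map explanation) look like the following on an ASA with a FirePOWER (SFR) service module. This is an added example, not configuration from the thread or from Cisco documentation; the ACL name SFR_REDIRECT, class-map name SFR_CLASS, the 10.0.0.0/8 subnet and the interface name "outside" are assumed for illustration.

```cisco
! Added example (not from the thread or Cisco docs). Names SFR_REDIRECT, SFR_CLASS,
! 10.0.0.0/8 and the interface "outside" are placeholders.
!
! 1. Pick the traffic that is handed over the backplane to the module.
!    Matching "ip any any" here is the "all traffic" case the reply describes.
access-list SFR_REDIRECT extended permit ip 10.0.0.0 255.0.0.0 any
access-list SFR_REDIRECT extended permit ip any 10.0.0.0 255.0.0.0
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! 2. Redirect matching flows to the SFR module.
!    fail-close : if the module is down or unresponsive, the ASA DROPS this traffic.
!    fail-open  : if the module is down, the ASA passes this traffic uninspected.
!    Traffic that does not match SFR_CLASS is never sent to the module and is
!    handled by the normal ACL / NAT path in either mode.
policy-map global_policy
 class SFR_CLASS
  sfr fail-close
!
! 3a. Global attachment: a module failure blocks matched traffic on every interface.
service-policy global_policy global
!
! 3b. Per-interface attachment instead: only "outside" is affected by a module
!     failure (an interface policy overrides the global one for that interface).
! policy-map OUTSIDE_POLICY
!  class SFR_CLASS
!   sfr fail-close
! service-policy OUTSIDE_POLICY interface outside
!
! Verification from exec mode:
! show module sfr           -> module status (Up / Down / Unresponsive)
! show service-policy sfr   -> which class is redirecting and its fail mode
```

The scope of a fail-close outage is therefore exactly the intersection of the class-map match and the interfaces the policy is attached to, which is why the reply says a module failure "may not stop all traffic". Adding `monitor-only` to the `sfr` line (`sfr fail-close monitor-only`) sends the module a copy of the traffic rather than putting it inline, so the module can then only alert, not block.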
Contributor

Re: Does ASA Fail close upon failure?

It's a Firepower 4100, however running ASA code. I don't believe there is an IPS module.
VIP Advisor

Re: Does ASA Fail close upon failure?

What is the model of the ASA?

Here is the document for fail-close (is this what you are after?):

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/modules_csc.html

BB
Contributor

Re: Does ASA Fail close upon failure?

Sorry it is a Firepower 4100 running ASA code.
Frequent Contributor (accepted solution)

Re: Does ASA Fail close upon failure?

So I don't think your question is relevant in this case. As far as I am aware the 4100, or any FTD appliance for that matter, won't be able to run next-gen features with ASA code, only classic ASA features, so you won't be sending anything to a module. My answer was based on ASA running FP services, which still stands if you went down that route.