Does ASA Fail close upon failure?

CiscoPurpleBelt
Level 6

Does the ASA firewall fail closed if the firewall filtering function is nonfunctional? I am trying to look for some Cisco docs about this but can't find it.


7 Replies

GRANT3779
Spotlight
If you are redirecting traffic from ASA through backplane to a firepower module or older IPS module you can configure the ASA to fail close if the module fails.
Any traffic that was configured to be redirected through to the module would not be forwarded out the Firewall in the case of fail close. I haven't seen this option configured in production however.

So if there is no other module or IPS being used, would the ASA just stop allowing traffic if any other functions stop working like ACLs or something?

If we are talking about ASA with Firepower Services or IPS module then think of them as separate entities. The ASA does all the usual Firewally stuff, NATs, your ACLs etc...
When traffic flows through the ASA you have a policy map / class map which can match on certain subnets (most of the time I see matching all IP traffic) and you send this traffic to the Firepower / IPS module which will then do its thing. Depending on the IPS policies you have, traffic will be allowed to flow back through the ASA or the ASA will drop it.
If your policy is sending all traffic through to the module and the module fails, no traffic will traverse through the firewall.
This is a high level view 🙂 you can attach your firepower redirection to only certain interfaces rather than all and also only redirect certain traffic, so a module failure may not stop all traffic. Depends on your setup.
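As an added example (not from the original thread, and not copied from Cisco's documentation), this is the ASA Modular Policy Framework configuration that the reply above describes: a class-map selecting the traffic, a policy-map that redirects it over the backplane to the FirePOWER (sfr) module, and the fail-open versus fail-close choice. The object names (SFR_REDIRECT, SFR_CLASS, SFR_POLICY), the 10.0.0.0/8 subnet and the interface name "outside" are assumed for illustration.

```cisco
! Added example, not from the thread: ASA MPF redirect to the FirePOWER (sfr) module.
! Names, subnet and interface are assumed for illustration.
!
! 1. Select the traffic to send to the module. "match any" in the class-map would
!    send everything; a narrower ACL limits what a module failure takes down.
access-list SFR_REDIRECT extended permit ip 10.0.0.0 255.0.0.0 any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! 2a. Weak setting: if the module is down, matched traffic bypasses inspection.
policy-map SFR_POLICY
 class SFR_CLASS
  sfr fail-open
!
! 2b. Fail-closed setting: if the module is down, the ASA drops matched traffic.
!     Traffic not matched by SFR_CLASS is unaffected and still goes through the
!     ASA's own ACLs and NAT. (For the legacy IPS module the equivalent keyword
!     form is "ips inline fail-close".)
policy-map SFR_POLICY
 class SFR_CLASS
  sfr fail-close
!
! 3. Apply on only the interface(s) that should be covered, or globally.
service-policy SFR_POLICY interface outside
!
! 4. Verify the configured mode and the module's state.
show service-policy sfr
show module sfr details
```

The fail-close behaviour is scoped to the class: only traffic that the policy actually redirects to the module is dropped when the module fails, which is why redirecting a subset of traffic, or only on some interfaces, narrows the outage as the reply says.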

It's a Firepower 4100, however running ASA code on it. I don't believe there is an IPS module.

balaji.bandi
Hall of Fame

What is the model of the ASA?

Here is the document for fail-close (is this what you are after?)

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/modules_csc.html

BB


Sorry it is a Firepower 4100 running ASA code.

So I don't think your question is relevant in this case. As far as I am aware the 4100 or any FTD appliance for that matter won't be able to run next gen features with ASA code, only classic ASA features so you won't be sending anything to a module. My answer was based on ASA running FP services which still stands if you went down that route.