Turning off the FirePOWER sfr module safely on 5516-X

janiax
Beginner

Hello,

My customer uses an ASA 5516-X with FirePOWER only as a VPN gateway (both SSL and IPsec).
Since the ASA is not doing any traffic inspection, the FirePOWER module is redundant and I would like to turn it off.

The ASA operates in an active/standby configuration.
Is there a way to turn the sfr module off without any downtime?

Can I just safely issue sw-module module sfr shutdown?
Is a reboot required?

If I left sfr on, would I need to do patch management for it as well, even though it does not inspect any traffic?
Is there a way to exploit a FirePOWER vulnerability, even though the ASA does not redirect any traffic to it?

Many thanks for your help.


asa/act/pri# sh module all

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5516-X with FirePOWER services, 8GE, AC, ASA5516
sfr FirePOWER Services Software Module ASA5516

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 mac to mac 3.0 1.1.8 9.8(2)24
sfr mac to mac N/A N/A 6.2.0-362

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.2.0-362

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up

Accepted Solution

Sheraz.Salim
VIP Advisor

Yes, go to the ASA CLI via SSH/console and give the command:

sw-module module sfr shutdown

As long as the sfr is shut down, no exploit can happen. As this is a production active/standby ASA, you also need to shut down the sfr on the passive ASA.

Prior to doing this work, make sure you do not monitor this SFR.

No reboot is required. However, just in case you need to bring it up, give the command:

sw-module module sfr reset

Is there a way to turn the sfr module off without any downtime?

sw-module module sfr shutdown. No downtime.

Can I just safely issue sw-module module sfr shutdown?

Yes.

Is a reboot required?

No.

If I left sfr on, would I need to do patch management for it as well, even though it does not inspect any traffic?

No; if you are not using it and you don't have FMC, or if this module is not in production, you can leave it on the side.

Is there a way to exploit a FirePOWER vulnerability, even though the ASA does not redirect any traffic to it?

If you power off your computer, can you exploit it? Same logic if the sfr is powered off (sw-module module sfr shutdown).

Please rate if I was helpful.

Please do not forget to rate.


15 Replies


Thanks!

Will uninstalling the sfr module affect the device if Firepower management is not currently being used?

Will uninstalling the sfr module affect the device if Firepower management is not currently being used?

You mean, if you uninstall the sfr module (sfr sensor) from the ASA, will it affect the Firepower management? If this is your question: if you uninstall the sfr module, your ASA traffic will keep working, but there will be no layer 7 inspection. In regards to the Firepower Management Center, either you have to delete the sensor, and later, once you install a new one, you have to register it in FMC.

Let me know if I answered your question.

please do not forget to rate.

We don't have a Firepower Management Center installed on our network. We only have ASA firewalls installed. Is there a reason to have the ASA FirePOWER module installed on the ASAs?

We don't have a Firepower Management Center installed on our network. We only have ASA firewalls installed. Is there a reason to have the ASA FirePOWER module installed on the ASAs?

Oh, I see, I thought you were running FMC. Yes, you can shut down the sfr on your ASA unit. However, it is better to have layer 7 inspection running with SFR.

please do not forget to rate.

Is there a way to update the FirePOWER module software through the CLI? The current software came up in a bug report and I need to either figure out a way to update it or uninstall the module.

Here is a link you will find helpful:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/firepower-fmc.html

please do not forget to rate.

johnlloyd_13
Engager

Hi Sheraz,

I plan to permanently disable the SFR module on an ASA 5545-X since it's not being used.

What's the difference between 'sw-module module sfr uninstall' and 'sw-module module sfr shutdown'?

I remember I disabled SFR on an ASA before but couldn't remember which command I used; after a code upgrade/reboot the SFR came UP again. I need to know which command will completely and permanently remove SFR.

Per the Cisco doc, it mentions shutting down and then uninstalling. Can you please confirm?

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

'sw-module module sfr uninstall' means the software installed on the SSD drive in your ASA will be deleted permanently.

'sw-module module sfr shutdown' means it will power off the module, so if required you can bring it up when needed.

ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall

However, just thinking: if you might change your mind in future and want to use the SFR module, what you can do is just unmount the hard disk at the front of your ASA (de-seat it). But if you do not plan to use it in future, then yes, just uninstall it with the two commands mentioned above.

please do not forget to rate.

haprinz
Beginner

Hi Sheraz,

Since I haven't found anything else: isn't there a way to just disable the SFR module's startup after a reboot, without uninstalling?
I mean, 'shutdown' is only a temporary solution if you don't need it.
If you uninstall, it's gone...
...or is there a way to kind of reinstall/update the SFR again?

Thanks /hans

Hi Haprinz,

If you are using the ASA 5508 to 5555, you can unmount the physical hard disk on these ASAs; doing this, the sfr software will stay on the hard disk, but it will not be in service until you mount it back in the ASA.

Regards,

Sheraz.

Please do not forget to rate.

Peter82
Beginner

Hey guyyz

I have an ASA 5545-X and the correct command is

ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall

The sw-module module sfr shutdown doesn't work.

I have sent these commands but I still can't do format flash:; it is still saying

hutdown module ips? [confirm]
Shutdown issued for module ips.
ciscoasa# format flash:

ERROR: There are one or more sw-modules running on the system. Please shut down the sw-modules before attempting to format flash:

ciscoasa# sw-module module ips uninstall

Module ips will be uninstalled. This will completely remove the disk image assocated with the sw-module including any configuration that existed within it.

Uninstall module ips? [confirm]

Module ips cannot be uninstalled, not in Up, Down, or Unresponsive state.
ciscoasa# format flash:

ERROR: There are one or more sw-modules running on the system. Please shut down the sw-modules before attempting to format flash:

EDIT: Actually it worked now after a while... heh

Does it make sense to remove it from the policy-map also? Are there any performance issues or additional hops for the traffic if the sfr module was shut down but is still configured in the policy-map?
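Two questions in this thread lend themselves to a small audit script: the accepted answer's point that a running sfr module is still software you have to patch even when nothing is redirected to it, and the last question about leaving the `sfr` action in the policy-map after the module is shut down. The Python below is an added example, not code from the thread or from Cisco: it parses the "Mod Status" table of `show module` and a `policy-map` fragment, then reports the two mismatches a defender cares about. The `show module` sample is constructed after the output posted above (serial numbers are placeholders), the policy-map fragment is constructed, and the `fail-close` (drop matching traffic when the module is unavailable) versus `fail-open` (pass it uninspected) semantics are taken from the ASA `sfr` policy action.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's `show module all` output
# (serial numbers are placeholders); the sfr module is still running.
SHOW_MODULE_UP = """\
Mod Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5516-X with FirePOWER services, 8GE, AC, ASA5516            SERIAL-PLACEHOLDER
 sfr FirePOWER Services Software Module          ASA5516            SERIAL-PLACEHOLDER

Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up                 Sys                   Not Applicable
 sfr Up                 Up
"""

# Same box after `sw-module module sfr shutdown` (constructed).
SHOW_MODULE_DOWN = SHOW_MODULE_UP.replace(" sfr Up                 Up", " sfr Down               Down")

# Constructed policy-map fragment that still sends all traffic to the module.
CONFIG_WITH_REDIRECT = """\
class-map sfr_class
 match any
policy-map global_policy
 class inspection_default
  inspect dns
 class sfr_class
  sfr fail-close
service-policy global_policy global
"""

# Module states as printed by `show module`; longest names first so the
# regex prefers "Shutting Down" over "Down".
STATES = ("Shutting Down", "Not Applicable", "Unresponsive", "Recover", "Init", "Down", "Up")
_STATUS_ROW = re.compile(r"^\s*(\S+)\s+(" + "|".join(re.escape(s) for s in STATES) + r")\b")


def parse_module_status(text):
    """Return {module_id: Status} from the 'Mod Status ...' table of `show module`."""
    lines = text.splitlines()
    status = {}
    for i, line in enumerate(lines):
        if not line.startswith("Mod Status"):
            continue
        for row in lines[i + 2:]:          # skip the header and the dashed separator
            if not row.strip():
                break
            m = _STATUS_ROW.match(row)
            if m:
                status[m.group(1)] = m.group(2)
    return status


def parse_sfr_redirects(config):
    """Return [(policy_map, class_name, fail_mode)] for every 'sfr fail-*' action."""
    redirects, policy, cls = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            policy, cls = line.split()[1], None
        elif line.startswith("class ") and policy:
            cls = line.split()[1]
        elif line.startswith("sfr ") and policy and cls:
            redirects.append((policy, cls, line.split()[1]))
    return redirects


def parse_applied_policies(config):
    """Return the set of policy-map names bound with 'service-policy'."""
    return {line.split()[1] for line in config.splitlines()
            if line.strip().startswith("service-policy ")}


@dataclass
class SfrAudit:
    sfr_status: str
    active_redirects: list
    findings: list = field(default_factory=list)


def audit(show_module_text, config_text):
    """Cross-check module state against the policy-map and report mismatches."""
    status = parse_module_status(show_module_text).get("sfr", "absent")  # 'absent' is our own marker
    applied = parse_applied_policies(config_text)
    active = [r for r in parse_sfr_redirects(config_text) if r[0] in applied]
    findings = []
    if status == "Up" and not active:
        findings.append("sfr is Up but no applied policy-map redirects traffic to it: "
                        "idle but still patchable software; shut it down or keep patching it")
    if status != "Up":
        for policy, cls, mode in active:
            if mode == "fail-close":
                findings.append(f"{policy}/{cls}: 'sfr fail-close' with module {status}: "
                                "matching traffic is dropped, not forwarded")
            else:
                findings.append(f"{policy}/{cls}: 'sfr {mode}' with module {status}: "
                                "traffic passes uninspected; remove the class to tidy the policy")
    return SfrAudit(status, active, findings)


if __name__ == "__main__":
    for name, text in (("before shutdown", SHOW_MODULE_UP), ("after shutdown", SHOW_MODULE_DOWN)):
        result = audit(text, CONFIG_WITH_REDIRECT)
        print(f"{name}: sfr={result.sfr_status}")
        for f in result.findings:
            print("  -", f)
```

Run against the "before" sample the module is Up and redirected to, so nothing is flagged; against the "after" sample the script points out that a leftover `sfr fail-close` class now drops the traffic it matches, which is the concrete reason to clean the policy-map when the module is shut down rather than uninstalled. Paste real `show module` and `show running-config policy-map` output in place of the constructed samples to check both units of an active/standby pair.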
