Turning off the FirePOWER sfr module safely on 5516-X

janiax
Level 1

Hello,

My customer uses ASA 5516-X with FirePOWER ONLY as a VPN gateway (both SSL and IPsec).
Since the ASA is not doing any traffic inspection, the FirePOWER module is redundant and I would like to turn it off.

The ASA operates in active/standby configuration.
Is there a way to turn the sfr module off without any downtime?

Can I just safely issue sw-module module sfr shutdown?
Is a reboot required?

If I'd leave sfr on, do I need to do the patch management for it as well, even though it does not inspect any traffic?
Is there a way to exploit a FirePOWER vulnerability, even though the ASA does not redirect any traffic to it?

Many thanks for your help.


asa/act/pri# sh module all

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5516-X with FirePOWER services, 8GE, AC, ASA5516
sfr FirePOWER Services Software Module ASA5516

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 mac to mac 3.0 1.1.8 9.8(2)24
sfr mac to mac N/A N/A 6.2.0-362

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.2.0-362

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up

Accepted Solution

Yes, go to the ASA CLI via SSH/console and give the command:

sw-module module sfr shutdown

As long as the sfr is shut down, no exploit can happen. As this is a production active/standby ASA, you also need to shut down the sfr on the passive ASA.

Prior to doing this work, make sure you do not monitor this SFR.

No reboot is required. However, just in case you need to bring it up, give the command:

sw-module module sfr reset

Is there a way to turn the sfr module off without any downtime?

sw-module module sfr shutdown. No downtime.

Can I just safely issue sw-module module sfr shutdown?

Yes.

Is a reboot required?

No.

If I'd leave sfr on, do I need to do the patch management for it as well, even though it does not inspect any traffic?

No. If you are not using it and you don't have FMC, or if this module is not in production, you can leave it on the side.

Is there a way to exploit a FirePOWER vulnerability, even though the ASA does not redirect any traffic to it?

If you power off your computer, can you exploit it? Same logic if the sfr is powered off (sw-module module sfr shutdown).

Please rate if I was helpful.
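Added example, not code from the thread or from Cisco: a small Python check that reads `show module all` output from both units of the failover pair and confirms the sfr module is no longer Up on either, which is the accepted answer's point that the standby ASA has to be shut down too. It also pulls the sfr software version, since a module that is still Up stays in scope for patch management even when no traffic is redirected to it. The active-unit sample is the poster's own output (MAC range redacted as "mac to mac" on the page); the standby sample and its "Down" status string are constructed assumptions, because the page only shows the Up state.

```python
"""Check `show module all` output from both ASAs of a failover pair and confirm
the sfr (FirePOWER) module is no longer Up on either unit.

Added example, not code from the thread. The active-unit sample below is the
output the original poster pasted (MAC range redacted as "mac to mac" on the
page); the standby sample and its "Down" status string are constructed
assumptions, since the page only shows the "Up" state.
"""
from typing import Dict, List, Optional

ACTIVE_SHOW_MODULE = """\
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5516-X with FirePOWER services, 8GE, AC, ASA5516
sfr FirePOWER Services Software Module ASA5516

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 mac to mac 3.0 1.1.8 9.8(2)24
sfr mac to mac N/A N/A 6.2.0-362

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.2.0-362

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
"""

# ASSUMPTION (constructed): after `sw-module module sfr shutdown` the status
# table reads "Down" for the module; only the status-table row is changed here.
STANDBY_SHOW_MODULE = ACTIVE_SHOW_MODULE.replace("sfr Up Up", "sfr Down Down")


def _table(text: str, header_prefix: str) -> List[List[str]]:
    """Tokenised rows of the `show module` table whose header line starts with
    header_prefix. Separator lines are skipped; a blank line ends the table."""
    rows: List[List[str]] = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith(header_prefix)
            continue
        if line.startswith("----"):
            continue
        if not line.strip():
            break
        rows.append(line.split())
    return rows


def sfr_status(text: str) -> Optional[str]:
    """Status column of the sfr row in the 'Mod Status ...' table, or None when
    the module row is absent (e.g. after `sw-module module sfr uninstall`)."""
    for row in _table(text, "Mod Status"):
        if len(row) > 1 and row[0] == "sfr":
            return row[1]
    return None


def sfr_sw_version(text: str) -> Optional[str]:
    """Sw Version column of the sfr row (last token of the MAC/version table)."""
    for row in _table(text, "Mod MAC Address Range"):
        if row and row[0] == "sfr":
            return row[-1]
    return None


def sfr_report(unit: str, text: str) -> Dict[str, object]:
    """Per-unit summary: raw status, software version, and whether the module
    is running (an Up module runs its own software stack and needs patching)."""
    status = sfr_status(text)
    return {
        "unit": unit,
        "status": status,
        "sw_version": sfr_sw_version(text),
        "running": status == "Up",
    }


def failover_pair_sfr_off(active_text: str, standby_text: str) -> bool:
    """True only when the sfr module is not Up on both the active and the
    standby unit; shutting it down on the active unit alone is not enough."""
    reports = (sfr_report("active", active_text), sfr_report("standby", standby_text))
    return not any(r["running"] for r in reports)


if __name__ == "__main__":
    for unit, text in (("active", ACTIVE_SHOW_MODULE), ("standby", STANDBY_SHOW_MODULE)):
        r = sfr_report(unit, text)
        print(f"{r['unit']}: sfr status={r['status']} sw={r['sw_version']} running={r['running']}")
    print("pair fully shut down:", failover_pair_sfr_off(ACTIVE_SHOW_MODULE, STANDBY_SHOW_MODULE))
```

Paste the real `show module all` output of each unit into the two strings (or read it from files) and run the script before and after issuing the shutdown on both ASAs; the parser only splits on whitespace, so it copes with the column-collapsed text a forum paste produces as well as with the aligned output on the console.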

13 Replies


Thanks!

Will uninstalling the sfr module affect the device if firepower management is not currently being used?

You mean: if you uninstall the sfr module (sfr sensor) from the ASA, will it affect the Firepower management? If this is your question: if you uninstall the sfr module, your ASA traffic will keep working, but there will be no layer 7 inspection. In regards to the Firepower Management Center, you have to delete the sensor and later, once you install a new one, register it in FMC.

Let me know if I answered your question.

Please do not forget to rate.

We don't have a Firepower management Center installed on our network. We only have ASA firewalls installed. Is there a reason to have the ASA firepower module installed on the ASAs?

Oh, I see, I thought you were running FMC. Yes, you can shut down the sfr on your ASA unit. However, it is better if you have layer 7 inspection running with SFR.

Please do not forget to rate.

Is there a way to update the firepower module software through the CLI? The current software came up on a bug report and I need to either figure out a way to update or I need to uninstall the module.

Here is the link you will find helpful:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/firepower-fmc.html

please do not forget to rate.

johnlloyd_13
Level 9

Hi Sheraz,

I plan to permanently disable the SFR module on an ASA 5545-X since it's not being used.

What's the difference between 'sw-module module sfr uninstall' and 'sw-module module sfr shutdown'?

I remember I disabled SFR on an ASA before but couldn't remember which command I used. After a code upgrade/reboot the SFR went UP again. I need to know which command will completely and permanently remove SFR?

Per the Cisco doc, it mentions to shutdown then uninstall. Can you please confirm?

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

'sw-module module sfr uninstall' means the software installed on the SSD drive in your ASA will be deleted permanently.

'sw-module module sfr shutdown' means it will power off the module, so if required you can bring it up when needed.

ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall

However, just thinking: if you might change your mind in the future and want to use the SFR module, what you can do is just unmount the hard disk at the front of your ASA (de-seat it). But if you do not plan to use it in the future, then yes, just uninstall it as mentioned above with these two commands.

Please do not forget to rate.

haprinz
Level 1

Hi Sheraz,

Since I haven't found anything else, isn't there a way to just disable the SFR module's startup after a reboot, without uninstalling?
I mean 'shutdown' is only a temporary solution, if you don't need it.
If you uninstall, it's gone...
...or is there a way to kind of reinstall/update the SFR again?

Thanks /hans

Hi Haprinz,

If you are using the ASA 5508 to 5555, you can unmount the physical hard disk on these ASAs. Doing this, the sfr software will remain on the hard disk but it will not be in service until you mount it back in the ASA.

Regards,

sheraz.

Please do not forget to rate.
