7-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 ASA FirePOWER Module
Configure the ASA FirePOWER Module
• The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
• Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode. Be sure to configure consistent policies on the ASA and the ASA FirePOWER. See ASA FirePOWER Inline Tap Monitor-Only Mode, page 7-3 for more information.
Example:
hostname(config-pmap-c)# sfr fail-close
Step 5 If you created multiple class maps for ASA FirePOWER traffic, you can specify another class for the policy and apply the sfr redirect action.
See Feature Matching Within a Service Policy, page 11-5 for detailed information about how the order of classes matters within a policy map. Traffic cannot match more than one class map for the same action type.
Step 6 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
service-policy policymap_name {global | interface interface_name}
Example:
hostname(config)# service-policy inside_policy interface inside
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
Configure Passive Traffic Forwarding
If you want to operate the module in passive monitor-only mode, where the module gets a copy of the traffic and neither it nor the ASA can affect the network, configure a traffic forwarding interface and connect the interface to a SPAN port on a switch. For more details, see ASA FirePOWER Passive Monitor-Only Traffic Forwarding Mode, page 7-4.
The following guidelines explain the requirements for this deployment mode:
• The ASA must be in single-context and transparent mode.
• You can configure up to 4 interfaces as traffic-forwarding interfaces. Other ASA interfaces can be used as normal.
• Traffic-forwarding interfaces must be physical interfaces, not VLANs or BVIs. The physical interface also cannot have any VLANs associated with it.
• Traffic-forwarding interfaces cannot be used for ASA traffic; you cannot name them or configure them for ASA features, including failover or management-only.
• You cannot configure both a traffic-forwarding interface and a service policy for ASA FirePOWER traffic.
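As an added example (not part of the Cisco guide), the following Python audit checks a constructed running-config excerpt against the rules stated in the service-policy step and the passive-forwarding guidelines above: only one global policy, consistent inline versus monitor-only redirection across applied classes, the fail-open risk, and the restriction that a traffic-forwarding interface and an sfr service policy are not configured together. The interface command `traffic-forward sfr monitor-only` is assumed from the rest of this procedure and is not shown on this page.

```python
import re
# Constructed ASA running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 traffic-forward sfr monitor-only
policy-map global_policy
 class sfr_class
  sfr fail-open monitor-only
policy-map inside_policy
 class sfr_inside
  sfr fail-close
service-policy global_policy global
service-policy inside_policy interface inside
service-policy other_policy global
"""

def parse(config):
    """Collect sfr actions per policy-map, service-policy bindings and traffic-forward interfaces."""
    sfr, bindings, forward = {}, [], []
    pmap = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # a top-level command ends the current block
            pmap = iface = None
        if m := re.match(r"policy-map (\S+)", line):
            pmap = m.group(1)
            sfr.setdefault(pmap, [])
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif pmap and line.startswith("sfr "):
            sfr[pmap].append(line)
        elif iface and line.startswith("traffic-forward sfr"):  # assumed syntax, see lead-in
            forward.append(iface)
        elif m := re.match(r"service-policy (\S+) (?:global|interface (\S+))", line):
            bindings.append((m.group(1), m.group(2) or "global"))
    return sfr, bindings, forward

def audit(config):
    sfr, bindings, forward = parse(config)
    findings, targets = [], [t for _, t in bindings]
    if targets.count("global") > 1:
        findings.append("more than one global service-policy")
    active = [l for pm, _ in bindings for l in sfr.get(pm, [])]  # sfr lines in applied policies
    if len({"monitor-only" in l for l in active}) > 1:
        findings.append("mix of inline and monitor-only sfr classes")
    if any("fail-open" in l for l in active):
        findings.append("fail-open: traffic passes uninspected if the module is unavailable")
    if forward and active:
        findings.append("traffic-forward interface and sfr service policy both configured")
    return findings  # empty list means no guideline violations found
```

Run `audit()` over the output of `show running-config` to get the findings list; the sample above deliberately violates every rule it checks.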
Procedure
Step 1 Enter interface configuration mode for the physical interface you want to use for traffic-forwarding.
interface physical_interface