Cisco Firepower Management Center 2000 Technical Manual

In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not
returned to the ASA. Passive mode allows you to view the actions that the SFR module
would have completed with regard to the traffic. It also allows you to evaluate the content of
the traffic without an impact on the network.
If you want to configure the SFR module in passive mode, use the monitor-only keyword
(as shown in the next example). If you do not include the keyword, the traffic is sent in inline
mode.
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
Warning: The monitor-only mode does not allow the SFR service module to deny or block
malicious traffic.
Caution: It might be possible to configure an ASA in monitor-only mode with
the use of the interface-level traffic-forward sfr monitor-only command; however, this
configuration is purely for demonstration functionality and should not be used on a production
ASA. Any issues that are found in this demonstration feature are not supported by the Cisco
Technical Assistance Center (TAC). If you desire to deploy the ASA SFR service in passive
mode, configure it with the use of a policy-map.
4. Specify a location and apply the policy. You can apply a policy globally or on an interface. In
order to override the global policy on an interface, you can apply a service policy to that
interface.
The global keyword applies the policy map to all of the interfaces, and the interface
keyword applies the policy to one interface. Only one global policy is allowed. In this
example, the policy is applied globally:
ciscoasa(config)# service-policy global_policy global
Caution: The policy map global_policy is a default policy. If you use this policy and want to
remove it on your device for troubleshooting purposes, ensure that you understand its
implication.
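The following Python script is an added example, not part of the Cisco document. It reads a saved running-config and reports, for each sfr redirect, whether it is inline or monitor-only, its failure mode, and where the policy map is applied, and it flags the interface-level traffic-forward sfr monitor-only command. The sample configuration, the dmz_policy and interface names, and the audit_sfr function are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the original page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 traffic-forward sfr monitor-only
!
policy-map global_policy
 class inspection_default
  inspect dns
 class sfr
  sfr fail-open monitor-only
policy-map dmz_policy
 class sfr
  sfr fail-close
!
service-policy global_policy global
service-policy dmz_policy interface dmz
"""

def audit_sfr(config):
    """Return findings about how traffic is redirected to the SFR module."""
    findings, applied = [], {}
    pmap = cls = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
            applied[m.group(1)] = m.group(2)
        elif raw.startswith("interface "):
            iface, pmap = line.split()[1], None
        elif raw.startswith("policy-map "):
            pmap, iface = line.split()[1], None
        elif pmap and line.startswith("class "):
            cls = line.split()[1]
        elif pmap and (m := re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", line)):
            mode = "passive" if m.group(2) else "inline"
            findings.append({"policy": pmap, "class": cls, "failure": m.group(1), "mode": mode})
        elif iface and line == "traffic-forward sfr monitor-only":
            findings.append({"interface": iface, "mode": "passive", "unsupported_demo": True})
    for f in findings:
        if "policy" in f:
            f["applied"] = applied.get(f["policy"])  # None: policy map never attached
    return findings

if __name__ == "__main__":
    for f in audit_sfr(SAMPLE_CONFIG):
        note = "cannot block traffic" if f["mode"] == "passive" else "can block traffic"
        print(f, "->", note)
```

A finding whose applied value is None means the policy map carries an sfr action but no service-policy command attaches it, so no traffic reaches the module through it.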
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
Register a Device with a FireSIGHT Management Center