
    Design & Configure

    Cisco ASA FirePOWER Services: Traffic redirection with MPF

    Technology: Network Security
    Area: Next Generation Firewalls
    Vendor: Cisco
    Software: 8.X, 9.X, FMC 5.X, 6.X, SFR module 5.X , 6.X
    Platform: Cisco ASA



    To redirect traffic to the SFR (FirePOWER) module, the Modular Policy Framework (MPF) must be used. MPF is what steers production traffic into the ASA FirePOWER module; the redirection is optional by design, but without it none of the next-generation firewall functions see any traffic.


    To start passing traffic through the SFR module, first define an access list that describes the traffic to be redirected (a permit entry redirects matching traffic, a deny entry leaves it uninspected on the ASA). The example below redirects all traffic (any to any) to the module:

    access-list SFR_REDIRECT extended permit ip any any


    Then match the previously created ACL with the class map:

    class-map SFR_REDIRECT
     match access-list SFR_REDIRECT


    Then reference the class map inside the global policy and choose the mode of operation, which is either fail-open or fail-close. With fail-open the ASA OS keeps forwarding the traffic on its own if the SFR module fails (availability over inspection); with fail-close the ASA drops that traffic instead (inspection over availability):

    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
     class SFR_REDIRECT
      sfr fail-open


    Another useful option when steering the traffic flow is monitor-only mode, in which traffic is only copied to the SFR module rather than redirected inline. In this mode you can observe what the module would do without its actions affecting the live traffic, so nothing is blocked. It is commonly used in Proof of Concept (PoC) projects or when ASA FirePOWER is newly deployed in a production environment:

    sfr fail-open monitor-only
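    As an added example (not part of the original article), the Python audit below reads an ASA running-config excerpt, joins the sfr action in the global policy to its class map and access list, and reports the inspection-coverage caveat of each mode (fail-open, fail-close, monitor-only, deny entries in the redirect ACL). The config excerpt is constructed for the demo and the function names are my own.

```python
import re

# Constructed ASA running-config excerpt for the demo (not captured from a real device).
SAMPLE_CONFIG = """\
access-list SFR_REDIRECT extended deny ip any host 10.0.0.5
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_REDIRECT
 match access-list SFR_REDIRECT
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class SFR_REDIRECT
  sfr fail-open monitor-only
service-policy global_policy global
"""

def parse_sfr_redirect(config, policy="global_policy"):
    """Return one dict per class in `policy` that carries an 'sfr' action, joined to its ACL."""
    aces, cmap_acl, found, section, cls = {}, {}, [], None, None
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) extended (permit|deny)\b", line):
            aces.setdefault(m[1], {"permit": 0, "deny": 0})[m[2]] += 1
        elif m := re.match(r"(class-map|policy-map) (\S+)", line):
            section, cls = (m[1], m[2]), None        # entering a new top-level block
        elif not line.startswith(" "):
            section, cls = None, None                # any other top-level line ends the block
        elif section and section[0] == "class-map" and (m := re.match(r" match access-list (\S+)", line)):
            cmap_acl[section[1]] = m[1]              # class-map -> ACL it matches
        elif section == ("policy-map", policy) and (m := re.match(r" class (\S+)", line)):
            cls = m[1]                               # class referenced inside the policy-map
        elif cls and (m := re.match(r"  sfr (fail-open|fail-close)( monitor-only)?", line)):
            acl = cmap_acl.get(cls)
            found.append({"class": cls, "acl": acl, "mode": m[1], "monitor_only": bool(m[2]),
                          **aces.get(acl, {"permit": 0, "deny": 0})})
    return found

def audit(redirects):
    """Caveats a reviewer would raise: each mode trades availability against inspection coverage."""
    if not redirects:
        return ["no class sends traffic to the SFR module: nothing is inspected"]
    notes = []
    for r in redirects:
        if r["mode"] == "fail-open":
            notes.append(f"{r['class']}: fail-open, traffic bypasses inspection if the module fails")
        if r["monitor_only"]:
            notes.append(f"{r['class']}: monitor-only, the module sees a copy and cannot block")
        if r["deny"]:
            notes.append(f"{r['class']}: {r['deny']} deny ACE(s) in {r['acl']} exclude traffic from inspection")
    return notes
```

    Run `audit(parse_sfr_redirect(SAMPLE_CONFIG))` against the sample, or paste in the relevant sections of `show running-config` from your own ASA.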


    See also the fundamentals in the design corner: What is Cisco FirePOWER? The introduction

    Author: Marcin Bialy