Cisco ASA FirePOWER Services: Traffic redirection with MPF

Technology: Network Security
Area: Next Generation Firewalls
Vendor: Cisco
Software: 8.X, 9.X, FMC 5.X, 6.X, SFR module 5.X, 6.X
Platform: Cisco ASA


To redirect traffic to the SFR (FirePOWER) module, the Modular Policy Framework (MPF) must be used. MPF is responsible for directing production traffic to the ASA FirePOWER module; this redirection is optional by design, but it is of course essential for the next-generation firewall functions.

To start passing traffic through the SFR module, first define an access list that describes the traffic to be redirected (a permit statement redirects matching traffic, a deny statement does not). The example below redirects all traffic (any) to the module:

access-list SFR_REDIRECT extended permit ip any any


Then match the previously created ACL with a class map:

class-map SFR_REDIRECT
 match access-list SFR_REDIRECT


Reference the class map within the global policy and specify the mode of operation, which can be fail-open or fail-close. Fail-open lets the ASA OS pass the traffic if the SFR module fails; fail-close blocks the traffic in that case:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class SFR_REDIRECT
  sfr fail-open


Another interesting option when steering the traffic flow is the monitor-only mode of redirection, in which only a copy of the traffic is sent to the module instead of the traffic being redirected through it. In this mode you can monitor the traffic without the SFR actions affecting it inline. This mode is often used in Proof of Concept (PoC) projects or for a newly implemented ASA FirePOWER in a production environment:

sfr fail-open monitor-only
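Because a redirect left in fail-open or monitor-only mode means the module's verdicts are not enforced, it is worth checking the running-config for exactly that. The following Python audit script is an added example and not part of the original article: it walks policy-map global_policy to the sfr action, resolves the class map to its access list, counts the permit entries, and reports the fail mode and monitor-only flag. The sample config it embeds is constructed to mirror the article's configuration.

```python
import re

# Constructed sample running-config excerpt, mirroring the article's configuration
# but left in monitor-only mode so that the audit has something to flag.
SAMPLE_CONFIG = """\
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_REDIRECT
 match access-list SFR_REDIRECT
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class SFR_REDIRECT
  sfr fail-open monitor-only
service-policy global_policy global
"""

def audit_sfr_redirect(config: str) -> dict:
    """Follow policy-map -> class-map -> access-list and report how SFR redirection is set."""
    lines = config.splitlines()
    result = {"class": None, "acl": None, "fail_mode": None,
              "monitor_only": False, "acl_permits": 0, "findings": []}
    policy = cls = None
    for line in lines:
        if line.startswith("policy-map "):
            policy, cls = line.split()[1], None
        elif not line.startswith(" "):
            policy = None                      # any other top-level command ends the block
        elif policy == "global_policy" and line.startswith(" class "):
            cls = line.split()[1]
        elif policy == "global_policy" and line.strip().startswith("sfr "):
            tokens = line.split()              # e.g. ['sfr', 'fail-open', 'monitor-only']
            result["class"], result["fail_mode"] = cls, tokens[1]
            result["monitor_only"] = "monitor-only" in tokens
    if result["class"] is None:
        result["findings"].append("no sfr action in global_policy: traffic is not redirected")
        return result
    # Resolve the class-map to its access-list and count permit entries (deny does not redirect).
    block = re.search(rf"^class-map {re.escape(result['class'])}\n((?: .*\n)*)", config, re.M)
    acl = re.search(r"^ match access-list (\S+)", block.group(1), re.M) if block else None
    if acl:
        result["acl"] = acl.group(1)
        result["acl_permits"] = sum(1 for l in lines
                                    if l.startswith(f"access-list {acl.group(1)} ") and " permit " in l)
    checks = [
        (result["acl_permits"] == 0, "redirect ACL has no permit entries: nothing reaches the module"),
        (result["monitor_only"], "monitor-only: the module only sees a copy; its verdicts are not enforced"),
        (result["fail_mode"] == "fail-open", "fail-open: traffic bypasses the module if it fails"),
    ]
    result["findings"] += [msg for cond, msg in checks if cond]
    return result
```

Run `audit_sfr_redirect(open("running-config.txt").read())["findings"]` against a saved `show running-config` to get the list of findings; an empty list means fail-close inline redirection with a permitting ACL.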


See also the fundamentals in design corner: What is Cisco FirePOWER? The introduction

Author: Marcin Bialy
Grandmetric