Cisco ASA FirePOWER Services: Traffic redirection with MPF

Technology: Network Security
Area: Next Generation Firewalls
Vendor: Cisco
Software: 8.X, 9.X, FMC 5.X, 6.X, SFR module 5.X , 6.X
Platform: Cisco ASA

In order to redirect the traffic to SFR (FirePOWER) module Modular Policy Framework (MPF) needs to be used. MPF is responsible for directing the production traffic to ASA FirePOWER modules which is optional by design but of course essential for next generation firewall functions.

To start passing traffic via the SFR module you need to specify the access list that will describe the traffic being redirected (permit statement redirects traffic, deny does not). The below example redirects all traffic (any) to the module:

access-list SFR_REDIRECT extended permit ip any any

Then match the previously created ACL with the class map:

class-map SFR_REDIRECT
 match access-list SFR_REDIRECT

Specify class map within global policy and precise mode of operation which can be fail-open or fail-close. Fail-open allows passing the traffic by ASA OS in case of SFR module failure, the second prevents passing in such case:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class SFR_REDIRECT
  sfr fail-open

Another interesting option while steering the traffic flow is the monitor-only mode of redirection where traffic is only copied to ASA instead of being redirected. In this mode, you can monitor the traffic not affecting it inline by SFR actions. This mode is often used in Proof of Concept (PoC) projects or newly implemented ASA FirePOWER in a production environment.

sfr fail-open monitor-only

See also the fundamentals in the design corner: What is Cisco FirePOWER? The introduction