
    Design & Configure

    Cisco ASA FirePOWER Services: Traffic redirection with MPF

    Technology: Network Security
    Area: Next Generation Firewalls
    Vendor: Cisco
    Software: 8.X, 9.X, FMC 5.X, 6.X, SFR module 5.X, 6.X
    Platform: Cisco ASA


    To redirect traffic to the SFR (FirePOWER) module, the Modular Policy Framework (MPF) must be used. MPF is what hands production traffic to the ASA FirePOWER module; the redirection is optional by design (an ASA without it keeps working as a classic stateful firewall), but it is essential for the next-generation firewall functions, because traffic that is not redirected is never seen by the module.


    To start passing traffic through the SFR module, first define an access list that describes the traffic to be redirected (a permit entry redirects matching traffic, a deny entry excludes it from redirection). The example below redirects all IP traffic (any to any) to the module:

    access-list SFR_REDIRECT extended permit ip any any


    Then reference the previously created ACL in a class map:

    class-map SFR_REDIRECT
     match access-list SFR_REDIRECT


    Finally, add the class map to the global policy and specify the failure mode, which is either fail-open or fail-close. With fail-open, the ASA keeps forwarding the redirected traffic itself if the SFR module fails or is unavailable (availability first); with fail-close, the ASA drops that traffic in the same situation (security first). Note that the ASA still applies its own interface access rules before redirection: the redirection ACL only selects which of the already permitted traffic is handed to the module.

    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
     class SFR_REDIRECT
      sfr fail-open


    Another useful option when steering the traffic flow is monitor-only mode. Instead of being redirected inline, the traffic is copied to the SFR module while the ASA forwards the original itself, so the module can inspect and report on the traffic but its actions (block, drop) are not enforced on the flow. This mode is often used in Proof of Concept (PoC) projects or for a newly deployed ASA FirePOWER in a production environment, where visibility is wanted before enforcement. Inline redirection and monitor-only mode cannot be combined on the same ASA; the whole device runs in one mode or the other.

    sfr fail-open monitor-only
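As an added example, not part of the original article, the whole procedure is shown below in one place, with a more selective redirection ACL and the verification commands to run afterwards. The subnet 10.10.0.0/16, standing in for a management network that should stay out of the module, is an assumed value; fail-close is chosen to show the stricter mode. Lines beginning with `!` are comments for the reader.

```cisco
! ASA FirePOWER (SFR) redirection with MPF, complete example (assumed addresses)
!
! 1. Decide what is redirected. ACEs are evaluated top-down:
!    deny   = do NOT redirect (the ASA handles the flow alone)
!    permit = redirect to the SFR module
!    The assumed management subnet 10.10.0.0/16 is excluded, everything else is redirected.
access-list SFR_REDIRECT extended deny ip 10.10.0.0 255.255.0.0 any
access-list SFR_REDIRECT extended deny ip any 10.10.0.0 255.255.0.0
access-list SFR_REDIRECT extended permit ip any any
!
! 2. Wrap the ACL in a class map.
class-map SFR_REDIRECT
 match access-list SFR_REDIRECT
!
! 3. Reference the class in the global policy and pick the failure mode.
!    fail-close drops redirected traffic while the module is down;
!    use "sfr fail-open" to keep forwarding instead, or append "monitor-only"
!    (e.g. "sfr fail-open monitor-only") to inspect a copy without enforcing verdicts.
!    Inline and monitor-only cannot be mixed on one ASA.
policy-map global_policy
 class SFR_REDIRECT
  sfr fail-close
!
! 4. global_policy is applied globally by default; make sure the service-policy is present.
service-policy global_policy global
!
! 5. Verify: module state and configured failure mode, redirection counters, ACL hit counts.
show module sfr details
show service-policy sfr
show access-list SFR_REDIRECT
```

Redirection only applies to traffic the ASA has already permitted with its own access rules; a packet denied by the ASA never reaches the module regardless of SFR_REDIRECT. Test fail-close in a maintenance window, because a module reload or upgrade interrupts every redirected flow for its duration.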


    See also the fundamentals in the design corner: What is Cisco FirePOWER? The introduction

    Author: Marcin Bialy
    Grandmetric