
Cisco ASA FirePOWER Services: Traffic redirection with MPF


Technology: Network Security
Area: Next Generation Firewalls
Vendor: Cisco
Software: 8.X, 9.X, FMC 5.X, 6.X, SFR module 5.X , 6.X
Platform: Cisco ASA


To redirect traffic to the SFR (FirePOWER) module, the Modular Policy Framework (MPF) must be used. MPF is responsible for steering production traffic to the ASA FirePOWER module; this redirection is optional by design, but it is essential for the next-generation firewall functions, because the module only inspects the traffic that the ASA sends to it.

To start passing traffic through the SFR module, first define an access list that describes the traffic to be redirected (a permit statement redirects matching traffic, a deny statement does not). The example below redirects all traffic (any) to the module:

access-list SFR_REDIRECT extended permit ip any any


Then reference the previously created ACL in a class map:

class-map SFR_REDIRECT
 match access-list SFR_REDIRECT


Specify the class map within the global policy and set the mode of operation, which can be fail-open or fail-close. Fail-open lets the ASA OS keep passing traffic if the SFR module fails; fail-close stops the traffic in that case:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class SFR_REDIRECT
  sfr fail-open


Another interesting option when steering the traffic flow is the monitor-only mode of redirection, in which a copy of the traffic is sent to the SFR module instead of the traffic being redirected inline. In this mode you can monitor the traffic without SFR actions affecting it. This mode is often used in Proof of Concept (PoC) projects or when ASA FirePOWER is newly deployed in a production environment:

sfr fail-open monitor-only
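
As an added example (not part of the original article or of any Cisco tool), the following Python check walks an ASA running-config fragment and reports which class in global_policy carries the sfr action, which ACL feeds that class, the fail mode, whether it is monitor-only, and whether the policy is applied globally. The sample config, the function name and the report fields are assumptions constructed for this example; the check also exposes the common mistake of placing the sfr action under a class that is not backed by a permit ACL.

```python
import re

# Constructed sample of an ASA running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_REDIRECT
 match access-list SFR_REDIRECT
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class SFR_REDIRECT
  sfr fail-open monitor-only
service-policy global_policy global
"""

def audit_sfr_redirect(config: str) -> dict:
    """Report how (and whether) traffic reaches the SFR module in global_policy."""
    classmap_acl = {}          # class-map name -> ACL named in 'match access-list'
    acl_actions = {}           # ACL name -> permit/deny actions seen in its entries
    report = {"policy_class": None, "acl": None, "acl_has_permit": False,
              "fail_mode": None, "monitor_only": False, "applied_globally": False}
    section = policy_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):         # top-level command starts a new context
            section = policy_class = None
            m = re.match(r"access-list (\S+) extended (permit|deny) ", line)
            if m:
                acl_actions.setdefault(m.group(1), []).append(m.group(2))
            elif line.startswith(("class-map ", "policy-map ")):
                section = tuple(line.split()[:2])   # e.g. ('class-map', 'SFR_REDIRECT')
            elif line == "service-policy global_policy global":
                report["applied_globally"] = True
        elif section and section[0] == "class-map" and line.startswith("match access-list "):
            classmap_acl[section[1]] = line.split()[2]   # class-maps precede policy-maps in a running-config
        elif section == ("policy-map", "global_policy"):
            if line.startswith("class "):
                policy_class = line.split()[1]
            else:
                m = re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", line)
                if m and policy_class:
                    report.update(policy_class=policy_class, fail_mode=m.group(1),
                                  monitor_only=bool(m.group(2)),
                                  acl=classmap_acl.get(policy_class))
                    report["acl_has_permit"] = "permit" in acl_actions.get(report["acl"], [])
    return report

if __name__ == "__main__":
    print(audit_sfr_redirect(SAMPLE_CONFIG))
```

A class reported with `acl` of None or `acl_has_permit` False means the sfr action is not fed by the redirect ACL you intended, and `monitor_only` True means the module sees only a copy and cannot block.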


See also the fundamentals in design corner: What is Cisco FirePOWER? The introduction

Author: Marcin Bialy