Technology: Network Security
Area: Next Generation Firewalls
Vendor: Cisco
Software: 8.X, 9.X, FMC 5.X, 6.X, SFR module 5.X, 6.X
Platform: Cisco ASA
To redirect traffic to the SFR (FirePOWER) module, the Modular Policy Framework (MPF) must be used. MPF is what directs production traffic to the ASA FirePOWER module; the redirection is optional by design, but without it none of the next-generation firewall functions see the traffic.
To start passing traffic through the SFR module, create an access list that describes the traffic to be redirected (a permit entry redirects matching traffic, a deny entry excludes it). The example below redirects all traffic (any) to the module:
access-list SFR_REDIRECT extended permit ip any any
Then reference the previously created ACL in a class map:
class-map SFR_REDIRECT
 match access-list SFR_REDIRECT
Add the class to the global policy map and specify the mode of operation, which is either fail-open or fail-close. Fail-open lets the ASA OS keep passing the traffic if the SFR module fails; fail-close stops the traffic in that case:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class SFR_REDIRECT
  sfr fail-open
Another useful option when steering the traffic flow is the monitor-only mode of redirection, in which a copy of the traffic is sent to the module instead of the traffic itself being redirected through it. In this mode you can monitor the traffic without the SFR module acting on it inline. It is often used in Proof of Concept (PoC) projects or when ASA FirePOWER has just been deployed in a production environment:
  sfr fail-open monitor-only
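The choices above (which ACL feeds the class, fail-open versus fail-close, monitor-only, and whether the policy map is actually applied) decide what the module really sees and can act on, so they are worth auditing from the running-config. The script below is an added example, not Grandmetric's or Cisco's code; it parses a constructed running-config fragment with the same structure as the snippets in this article and reports the steering options in force.

```python
import re
# Constructed sample running-config fragment, not taken from a real device.
SAMPLE_CONFIG = """\
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_REDIRECT
 match access-list SFR_REDIRECT
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class SFR_REDIRECT
  sfr fail-open monitor-only
service-policy global_policy global
"""

def audit_sfr_redirect(config):
    """Return one dict per 'sfr ...' action, joined to the ACL that feeds it."""
    acls, class_acl, applied, findings = {}, {}, set(), []
    cmap = pmap = pclass = None            # current class-map / policy-map / class
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended (permit|deny) (.+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"class-map (\S+)", line):
            cmap, pmap = m[1], None
        elif m := re.match(r"match access-list (\S+)", line):
            class_acl[cmap] = m[1]
        elif m := re.match(r"policy-map (\S+)", line):
            pmap, cmap = m[1], None
        elif m := re.match(r"class (\S+)", line):
            pclass = m[1]
        elif m := re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", line):
            acl = class_acl.get(pclass)
            findings.append({"policy_map": pmap, "class": pclass, "acl": acl,
                             "mode": m[1], "monitor_only": m[2] is not None,
                             "permit_entries": [r for a, r in acls.get(acl, []) if a == "permit"]})
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            applied.add(m[1])
    for f in findings:                     # a policy-map that is never applied steers nothing
        f["applied"] = f["policy_map"] in applied
    return findings

def risk_notes(f):
    """Operational consequences of the steering options in one finding."""
    checks = [
        (not f["applied"], "policy-map not applied with service-policy: nothing reaches the module"),
        (f["mode"] == "fail-open", "fail-open: matched traffic passes uninspected if the module fails"),
        (f["monitor_only"], "monitor-only: module sees a copy and cannot block or alter flows"),
        ("ip any any" in f["permit_entries"], "ACL redirects all traffic: size the module for the full load"),
    ]
    return [note for hit, note in checks if hit]
```

Run it against `show running-config` output saved to a file to confirm that the class you expect is the one actually carrying the sfr action.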
See also the fundamentals in the Design Corner: What is Cisco FirePOWER? The introduction.