16-20
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 16 ASA FirePOWER (SFR) Module
Configure the ASA FirePOWER Module
If you want to send multiple traffic classes to the module, you can create multiple class maps for use in the security policy. For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name
Example:
hostname(config)# policy-map global_policy
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the class map you created at the start of this procedure.
class name
Example:
hostname(config-pmap)# class firepower_class_map
Step 4 Send the traffic to the ASA FirePOWER module.
sfr {fail-close | fail-open} [monitor-only]
Where:
• The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable.
• The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
• Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode. Be sure to configure consistent policies on the ASA and the ASA FirePOWER. See ASA FirePOWER Inline Tap Monitor-Only Mode, for more information.
Example:
hostname(config-pmap-c)# sfr fail-close
Step 5 If you created multiple class maps for ASA FirePOWER traffic, you can specify another class for the policy and apply the sfr redirect action. See Feature Matching Within a Service Policy, page 1-5, for detailed information about how the order of classes matters within a policy map. Traffic cannot match more than one class map for the same action type.
Step 6 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
service-policy policymap_name {global | interface interface_name}
Example:
hostname(config)# service-policy global_policy global
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
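The steps above assembled as one complete configuration. This is an added example, not text from the Cisco guide: the policy map global_policy and the class map firepower_class_map are the guide's own example names, while the access list name sfr_redirect and the choice to match all IP traffic are assumptions made here.

```cisco
! Added example (not from the guide): redirect all IP traffic to the
! ASA FirePOWER module in inline mode, blocking traffic if the module fails.
! The ACL name sfr_redirect is an assumption; global_policy and
! firepower_class_map are the names used in the guide's own examples.
!
! Layer 3/4 class map that selects the traffic to redirect
access-list sfr_redirect extended permit ip any any
class-map firepower_class_map
 match access-list sfr_redirect
!
! global_policy already exists in the default configuration, so this
! edits it instead of creating a new policy map
policy-map global_policy
 class firepower_class_map
  sfr fail-close
!
! Passive (inline tap) variant for the same class, if the module should
! only receive a read-only copy of the traffic:
!   sfr fail-open monitor-only
!
! global_policy is already applied to all interfaces by default; this
! line is only needed when activating a newly created policy map
service-policy global_policy global
```

Which failure keyword to pick is a risk decision, not a syntax one: fail-close keeps inspection mandatory, so a module outage stops the matched traffic, while fail-open keeps the traffic flowing but uninspected until the module recovers. Because the class map uses an access list, narrowing sfr_redirect is the way to limit which traffic is affected by either behaviour.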