Configure Inline Or Inline Tap Monitor-Only Modes - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 7
ASA FirePOWER Module

Configure Inline or Inline Tap Monitor-Only Modes

Redirect traffic to the ASA FirePOWER module by creating a service policy that identifies the specific
traffic that you want to send. In this mode, ASA policies, such as access rules, are applied to the traffic
before it is redirected to the module.

Before You Begin

- If you have an active service policy redirecting traffic to an IPS or CX module (that you replaced
  with ASA FirePOWER), you must remove that policy before you configure the ASA FirePOWER
  service policy.
- Be sure to configure consistent policies on the ASA and the ASA FirePOWER. Both policies should
  reflect the inline or inline tap mode of the traffic.
- In multiple context mode, perform this procedure within each security context.

Procedure

Step 1
Create an L3/L4 class map to identify the traffic that you want to send to the module.
class-map name
match parameter
Example:
hostname(config)# access-list my-sfr-acl permit ip any 10.1.1.0 255.255.255.0
hostname(config)# access-list my-sfr-acl2 permit ip any 10.2.1.0 255.255.255.0
hostname(config)# class-map my-sfr-class
hostname(config-cmap)# match access-list my-sfr-acl
If you want to send multiple traffic classes to the module, you can create multiple class maps for use in
the security policy. For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps),
page 11-13.

Step 2
Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map {global_policy | name}
Example:
hostname(config)# policy-map inside_policy
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you
want to edit the global_policy, enter global_policy as the policy name. To create a new interface-based
policy, specify a new name.

Step 3
Identify the class map you created at the start of this procedure.
class name
Example:
hostname(config-pmap)# class my-sfr-class

Step 4
Send the traffic to the ASA FirePOWER module.
sfr {fail-close | fail-open} [monitor-only]
Where:
- The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is
  unavailable.

Configure the ASA FirePOWER Module
Cisco ASA Series Firewall CLI Configuration Guide, 7-11
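An added end-to-end example, not taken from the guide, that puts Steps 1 through 4 together in one configuration fragment so the pieces can be read as a whole. The interface name (outside), the ACL, class-map and policy-map names, and the final service-policy command that applies the policy map (not shown on this page) are assumptions for this example.

```cisco
! Added example, not from the Cisco guide. Names, the interface and the
! service-policy step are assumptions.

! Step 1: identify the traffic to redirect with an ACL and an L3/L4 class map
access-list sfr-redirect-acl permit ip any 10.1.1.0 255.255.255.0
class-map sfr-redirect-class
 match access-list sfr-redirect-acl

! Steps 2-4: interface-based policy map that sends the class to the module.
! fail-close: the ASA blocks the traffic if the module is unavailable, so an
! outage fails safe rather than letting traffic through uninspected.
policy-map outside_policy
 class sfr-redirect-class
  sfr fail-close

! Apply the policy map to the interface (assumed service-policy step; use
! "service-policy global_policy global" when editing the default policy)
service-policy outside_policy interface outside

! Inline tap (monitor-only) alternative for the same class: a copy of the
! traffic goes to the module for inspection while the ASA forwards the
! original regardless of the module's verdict, i.e. detection without
! enforcement. Use one mode or the other, and make sure it matches the mode
! configured on the ASA FirePOWER module itself.
! policy-map outside_policy
!  class sfr-redirect-class
!   sfr fail-open monitor-only
```

The fail-close/fail-open choice only matters when the module is down; in inline tap mode the module never blocks anything, so the ASA access rules remain the only enforcement point and the module's events should be fed to monitoring rather than relied on as a control.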