Cisco ASA 5506-X Configuration Manual page 360

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 16: ASA FirePOWER (SFR) Module, page 16-20

Configure the ASA FirePOWER Module

If you want to send multiple traffic classes to the module, you can create multiple class maps for use in the security policy. For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 1-13.

Step 2
Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name
Example:
hostname(config)# policy-map global_policy
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.

Step 3
Identify the class map you created at the start of this procedure.
class name
Example:
hostname(config-pmap)# class firepower_class_map

Step 4
Send the traffic to the ASA FirePOWER module.
sfr {fail-close | fail-open} [monitor-only]
Where:
The fail-close keyword sets the ASA to block all traffic if the ASA FirePOWER module is unavailable.
The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
Specify monitor-only to send a read-only copy of traffic to the module, i.e. inline tap mode. If you do not include the keyword, the traffic is sent in inline mode. Be sure to configure consistent policies on the ASA and the ASA FirePOWER. See ASA FirePOWER Inline Tap Monitor-Only Mode, page 16-3 for more information.
Example:
hostname(config-pmap-c)# sfr fail-close

Step 5
If you created multiple class maps for ASA FirePOWER traffic, you can specify another class for the policy and apply the sfr redirect action.
See Feature Matching Within a Service Policy, page 1-5 for detailed information about how the order of classes matters within a policy map. Traffic cannot match more than one class map for the same action type.

Step 6
If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
service-policy policymap_name {global | interface interface_name}
Example:
hostname(config)# service-policy global_policy global
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
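An added example, not part of the Cisco guide: a Python audit over a saved running-config that lists every sfr redirect from Steps 2 through 6 with its failure mode, its monitor-only flag, and whether its policy map is activated by a service-policy. The sample configuration is constructed; dmz_class_map, dmz_policy, unused_policy, DMZ_TRAFFIC and the dmz interface name are assumptions made up for illustration.

```python
import re

# Constructed sample running-config (not from the guide). Only global_policy and
# firepower_class_map come from the page; every other name is made up.
SAMPLE_CONFIG = """\
class-map firepower_class_map
 match any
class-map dmz_class_map
 match access-list DMZ_TRAFFIC
policy-map global_policy
 class firepower_class_map
  sfr fail-close
policy-map dmz_policy
 class dmz_class_map
  sfr fail-open monitor-only
policy-map unused_policy
 class firepower_class_map
  sfr fail-open
service-policy global_policy global
service-policy dmz_policy interface dmz
"""

def audit_sfr(config):
    """Return one finding per sfr redirect, with warnings a reviewer should see."""
    applied, findings = {}, []   # applied: policy map -> ["global" | interface, ...]
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):   # top-level command: leave any policy map
            pmap = cls = None
            if m := re.match(r"service-policy (\S+) (global|interface (\S+))$", line):
                applied.setdefault(m.group(1), []).append(m.group(3) or "global")
            elif m := re.match(r"policy-map (\S+)$", line):
                pmap = m.group(1)
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif pmap and cls and (m := re.match(r"sfr (fail-close|fail-open)( monitor-only)?$", line)):
            findings.append({"policy": pmap, "class": cls, "on_failure": m.group(1),
                             "monitor_only": bool(m.group(2)), "warnings": []})
    for f in findings:
        f["applied_to"] = applied.get(f["policy"], [])
        if f["on_failure"] == "fail-open":
            f["warnings"].append("traffic passes uninspected if the module is unavailable")
        if f["monitor_only"]:
            f["warnings"].append("inline tap mode: module only gets a read-only copy")
        if not f["applied_to"]:
            f["warnings"].append("policy map is not activated by any service-policy")
    return findings
```

Call audit_sfr() on the text of a saved configuration and review any finding whose warnings list is not empty.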
