
Cisco ASA SFR Module (Install/Uninstall)

Paolo Caparrelli Cisco 22 June 2022

<!DOCTYPE html> <html> <head> </head> <body> <p><strong>Cisco ASA SFR Module (Install/Uninstall)</strong><br /><br />ciscoasa# sw-module module sfr uninstall<br />ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.0.0-1005.img<br />ciscoasa# sw-module module sfr recover boot<br />ciscoasa# debug module-boot</p> <p>ciscoasa# show module sfr (or show module)</p> <p><br />ciscoasa# session sfr console<br />Opening console session with module sfr.<br />Connected to module sfr. Escape character sequence is 'CTRL-^X'.<br /><br />Cisco ASA SFR Boot Image 5.3.1<br />asasfr login: admin<br />Password: Admin123</p> <p> </p> <h2>Introduction</h2> <p>This document describes how to install and configure a Cisco FirePOWER (SFR) module that runs on a Cisco Adaptive Security Appliance (ASA) and how to register the SFR module with the Cisco FireSIGHT Management Center.</p> <p><a class="auto_toc_anchor" name="anc1"></a></p> <h2>Prerequisites</h2> <p><a class="auto_toc_anchor" name="anc2"></a></p> <h3>Requirements</h3> <p>Cisco recommends that your system meet these requirements before you attempt the procedures that are described in this document:</p> <ul> <li>Ensure that you have at least 3GB of free space on the flash drive (disk0), in addition to the size of the boot software.</li> <li>Ensure that you have access to the privileged EXEC mode. In order to access the privileged EXEC mode, enter the <strong>enable</strong> command into the CLI. 
If a password was not set, then press <strong>Enter</strong>:<br /><br /> <pre>ciscoasa&gt; enable<br />Password:<br />ciscoasa#</pre> </li> </ul> <p><a class="auto_toc_anchor" name="anc3"></a></p> <h3>Components Used</h3> <p>In order to install the FirePOWER Services on a Cisco ASA, these components are required:</p> <ul> <li>Cisco ASA software Version 9.2.2 or later</li> <li>Cisco ASA platforms 5512-X through 5555-X</li> <li>FirePOWER Software Version 5.3.1 or later</li> </ul> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Note</strong>: If you want to install FirePOWER (SFR) Services on an ASA 5585-X Hardware Module, read <a href="http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118824-configure-firepower-00.html" target="_blank" rel="nofollow noopener">Installation of FirePOWER (SFR) Services on ASA 5585-X Hardware Module</a>.</p> <p>These components are required on the Cisco FireSIGHT Management Center:</p> <ul> <li>FirePOWER Software Version 5.3.1 or later</li> <li>FireSIGHT Management Center FS2000, FS4000 or virtual appliance</li> </ul> <p>The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. 
If your network is live, make sure that you understand the potential impact of any command.</p> <p><a class="auto_toc_anchor" name="anc4"></a></p> <h2>Background Information</h2> <p>The Cisco ASA FirePOWER module, also known as the ASA SFR, provides next-generation Firewall services, such as:</p> <ul> <li>Next Generation Intrusion Prevention System (NGIPS)</li> <li>Application Visibility and Control (AVC)</li> <li>URL filtering</li> <li>Advanced Malware Protection (AMP)</li> </ul> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Note</strong>: You can use the ASA SFR module in Single or Multiple context mode, and in Routed or Transparent mode.</p> <p><a class="auto_toc_anchor" name="anc5"></a></p> <h3>Before You Begin</h3> <p>Consider this important information before you attempt the procedures that are described in this document:</p> <ul> <li>If you have an active service policy that redirects traffic to an Intrusion Prevention System (IPS)/Context Aware (CX) module (that you replaced with the ASA SFR), you must remove it before you configure the ASA SFR service policy.<br /><br /></li> <li>You must shut down any other software modules that currently run. A device can run a single software module at a time. You must do this from the ASA CLI. 
For example, these commands shut down and uninstall the IPS software module, and then reload the ASA:<br /><br /> <pre>ciscoasa# sw-module module ips shutdown<br />ciscoasa# sw-module module ips uninstall<br />ciscoasa# reload</pre> The commands that are used in order to remove the CX module are the same, except the <strong>cxsc</strong> keyword is used instead of <strong>ips</strong>:<br /><br /> <pre>ciscoasa# sw-module module cxsc shutdown<br />ciscoasa# sw-module module cxsc uninstall<br />ciscoasa# reload</pre> </li> <li>When you reimage a module, use the same <strong>shutdown</strong> and <strong>uninstall</strong> commands that are used in order to remove an old SFR image. Here is an example:<br /><br /> <pre>ciscoasa# sw-module module sfr uninstall</pre> </li> <li>If the ASA SFR module is used in Multiple context mode, perform the procedures that are described in this document within the system execution space.</li> </ul> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/tip.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Tip</strong>: In order to determine the status of a module on the ASA, enter the <strong>show module</strong> command.</p> <p><a class="auto_toc_anchor" name="anc6"></a></p> <h2>Install</h2> <p>This section describes how to install the SFR module on the ASA and how to set up the ASA SFR boot image.</p> <p><a class="auto_toc_anchor" name="anc7"></a></p> <h3>Install the SFR Module on the ASA</h3> <p>Complete these steps in order to install the SFR module on the ASA:</p> <ol> <li>Download the ASA SFR system software from Cisco.com to an HTTP, HTTPS, or FTP server that is accessible from the ASA SFR management interface.<br /><br /></li> <li>Download the boot image to the device. 
You can use either the Cisco Adaptive Security Device Manager (ASDM) or the ASA CLI in order to download the boot image to the device. <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Note</strong>: Do not transfer the system software; it is downloaded later to the Solid State Drive (SSD).</p> Complete these steps in order to download the boot image via the ASDM:<br /><br /> <ol type="A"> <li>Download the boot image to your workstation, or place it on an FTP, TFTP, HTTP, HTTPS, Server Message Block (SMB), or Secure Copy (SCP) server.<br /><br /></li> <li>Choose <strong>Tools &gt; File Management</strong> in the ASDM.<br /><br /></li> <li>Choose the appropriate File Transfer command, either <em>Between Local PC and Flash </em>or <em>Between Remote Server and Flash</em>.<br /><br /></li> <li>Transfer the boot software to the flash drive (disk0) on the ASA.</li> </ol> Complete these steps in order to download the boot image via the ASA CLI:<br /><br /> <ol type="A"> <li>Download the boot image on an FTP, TFTP, HTTP, or HTTPS server.<br /><br /></li> <li>Enter the <strong>copy</strong> command into the CLI in order to download the boot image to the flash drive. 
<br /><br />Here is an example that uses the HTTP protocol (replace <strong>&lt;HTTP_SERVER&gt;</strong> with your server IP address or host name):<br /><br /> <pre>ciscoasa# copy http://<em>&lt;HTTP_SERVER&gt;</em>/asasfr-5500x-boot-5.3.1-152.img disk0:/asasfr-5500x-boot-5.3.1-152.img</pre> </li> </ol> </li> <li>Enter this command in order to configure the ASA SFR boot image location in the ASA flash drive:<br /><br /> <pre>ciscoasa# sw-module module sfr recover configure image disk0:/<em>file_path</em></pre> Here is an example:<br /><br /> <pre>ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img</pre> </li> <li>Enter this command in order to load the ASA SFR boot image:<br /><br /> <pre>ciscoasa# sw-module module sfr recover boot</pre> During this time, if you enable <strong>debug module-boot</strong> on the ASA, these debugs are printed:<br /><br /> <pre>Mod-sfr 788&gt; *** EVENT: Creating the Disk Image…<br />Mod-sfr 789&gt; *** TIME: 05:50:26 UTC Jul 1 2014<br />Mod-sfr 790&gt; ***<br />Mod-sfr 791&gt; ***<br />Mod-sfr 792&gt; *** EVENT: The module is being recovered.<br />Mod-sfr 793&gt; *** TIME: 05:50:26 UTC Jul 1 2014<br />Mod-sfr 794&gt; ***<br />…<br />Mod-sfr 795&gt; ***<br />Mod-sfr 796&gt; *** EVENT: Disk Image created successfully.<br />Mod-sfr 797&gt; *** TIME: 05:53:06 UTC Jul 1 2014<br />Mod-sfr 798&gt; ***<br />Mod-sfr 799&gt; ***<br />Mod-sfr 800&gt; *** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_3.img,<br /> ISO: -cdrom /mnt/disk0<br />Mod-sfr 801&gt; /asasfr-5500x-boot-5.3.1-152.img, Num CPUs: 6, RAM: 7659MB,<br /> Mgmt MAC: A4:4C:11:29:<br />Mod-sfr 802&gt; CC:FB, CP MAC: 00:00:00:04:00:01, HDD: -drive file=/dev/md0,<br /> cache=none,if=virtio,<br />Mod-sfr 803&gt; Dev<br />Mod-sfr 804&gt; ***<br />Mod-sfr 805&gt; *** EVENT: Start Parameters Continued: RegEx Shared Mem:<br /> 32MB, Cmd Op: r, Shared M<br />Mod-sfr 806&gt; em Key: 8061, Shared Mem Size: 64, Log Pipe: /dev/ttyS0_vm3,<br /> Sock: 
/dev/ttyS1_vm3,<br />Mod-sfr 807&gt;  Mem-Path: -mem-path /hugepages<br />Mod-sfr 808&gt; *** TIME: 05:53:06 UTC Jul 1 2014<br />Mod-sfr 809&gt; ***<br />Mod-sfr 810&gt; IVSHMEM: optarg is key=8061,64,unix:/tmp/nahanni, name is,<br /> key is 8061, size is 6<br />…<br />Mod-sfr 239&gt; Starting Advanced Configuration and Power Interface daemon:<br /> acpid.<br />Mod-sfr 240&gt; acpid: starting up with proc fs<br />Mod-sfr 241&gt; acpid: opendir(/etc/acpi/events): No such file or directory<br />Mod-sfr 242&gt; starting Busybox inetd: inetd… done.<br />Mod-sfr 243&gt; Starting ntpd: done<br />Mod-sfr 244&gt; Starting syslogd/klogd: done<br />Mod-sfr 245&gt;<br />Cisco ASA SFR Boot Image 5.3.1</pre> </li> <li>Wait approximately 5 to 15 minutes for the ASA SFR module to boot up, and then open a console session to the operational ASA SFR boot image.</li> </ol> <p><a class="auto_toc_anchor" name="anc8"></a></p> <h3>Set Up the ASA SFR Boot Image</h3> <p>Complete these steps in order to set up the newly installed ASA SFR boot image:</p> <ol> <li>Press <strong>Enter</strong> after you open a session in order to reach the login prompt. <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Note</strong>: The default username is <strong>admin</strong>, and the default password is <strong>Admin123</strong>.</p> Here is an example:<br /><br /> <pre>ciscoasa# session sfr console<br />Opening console session with module sfr.<br />Connected to module sfr. Escape character sequence is 'CTRL-^X'.<br /><br />
Cisco ASA SFR Boot Image 5.3.1<br />asasfr login: admin<br />Password: Admin123</pre> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/tip.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Tip</strong>: If the ASA SFR module boot has not completed, the session command fails and a message appears to indicate that the system is unable to connect over TTYS1. If this occurs, wait for the module boot to complete and try again.</p> </li> <li>Enter the <strong>setup</strong> command in order to configure the system so that you can install the system software package:<br /><br /> <pre>asasfr-boot&gt; setup<br />Welcome to SFR Setup<br />[hit Ctrl-C to abort]<br />Default values are inside []</pre> You are then prompted for this information:<br /><br /> <ul> <li><strong>Host name</strong> – The host name can be up to 65 alphanumeric characters, with no spaces. The use of hyphens is allowed.<br /><br /></li> <li><strong>Network address</strong> – The network address can be either static IPv4 or IPv6 addresses. You can also use DHCP for IPv4, or IPv6 stateless auto-configuration.<br /><br /></li> <li><strong>DNS information</strong> – You must identify at least one Domain Name System (DNS) server, and you can also set the domain name and search domain.<br /><br /></li> <li><strong>NTP information</strong> – You can enable Network Time Protocol (NTP) and configure the NTP servers in order to set the system time.<br /><br /></li> </ul> </li> <li>Enter the <strong>system install</strong> command in order to install the system software image:<br /><br /> <pre>asasfr-boot&gt; system install [noconfirm] <em>url</em></pre> Include the <strong>noconfirm</strong> option if you do not want to respond to confirmation messages. 
Replace the <strong>url</strong> keyword with the location of the <strong>.pkg</strong> file. Here is an example:<br /><br /> <pre>asasfr-boot&gt; system install http://<em>&lt;HTTP_SERVER&gt;</em>/asasfr-sys-5.3.1-152.pkg<br />Verifying<br />Downloading<br />Extracting<br />Package Detail<br />Description: Cisco ASA-FirePOWER 5.3.1-152 System Install<br />Requires reboot: Yes<br />Do you want to continue with upgrade? [y]: y<br />Warning: Please do not interrupt the process or turn off the system. Doing so might leave system in unusable state.<br />Upgrading<br />Starting upgrade process …<br />Populating new system image<br />Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.<br />(press Enter)<br />Broadcast message from root (ttyS1) (Mon Jun 23 09:28:38 2014):<br />The system is going down for reboot NOW!<br />Console session with module sfr terminated.</pre> </li> </ol> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Note</strong>: When the installation is complete, the system reboots. Allow ten or more minutes for the application component installation and for the ASA SFR services to start. The output of the <strong>show module sfr</strong> command should indicate that all processes are <strong>Up</strong>.</p> <p><a class="auto_toc_anchor" name="anc9"></a></p> <h2>Configure</h2> <p>This section describes how to configure the FirePOWER software and the FireSIGHT Management Center, and how to redirect traffic to the SFR module.</p> <p><a class="auto_toc_anchor" name="anc10"></a></p> <h3>Configure the FirePOWER Software</h3> <p>Complete these steps in order to configure the FirePOWER software:</p> <ol> <li>Open a session to the ASA SFR module. 
<p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Note</strong>: A different login prompt now appears because the login occurs on a fully-functional module.</p> Here is an example:<br /><br /> <pre>ciscoasa# session sfr<br />Opening command session with module sfr.<br />Connected to module sfr. Escape character sequence is 'CTRL-^X'.<br /><br />Sourcefire ASA5555 v5.3.1 (build 152)<br />Sourcefire3D login:</pre> </li> <li>Log in with the username <strong>admin</strong> and the password <strong>Sourcefire</strong>.<br /><br /></li> <li>Complete the system configuration as prompted, which occurs in this order:<br /><br /> <ol type="A"> <li>Read and accept the End User License Agreement (EULA).<br /><br /></li> <li>Change the admin password.<br /><br /></li> <li>Configure the management address and DNS settings, as prompted. <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Note</strong>: You can configure both IPv4 and IPv6 management addresses.</p> </li> </ol> Here is an example:<br /><br /> <pre>System initialization in progress. Please stand by.<br />You must change the password for 'admin' to continue.<br />Enter new password: &lt;new password&gt;<br />Confirm new password: &lt;repeat password&gt;<br />You must configure the network to continue.<br />You must configure at least one of IPv4 or IPv6.<br />Do you want to configure IPv4? (y/n) [y]: y<br />Do you want to configure IPv6? (y/n) [n]:<br />Configure IPv4 via DHCP or manually? 
(dhcp/manual) [manual]:<br />Enter an IPv4 address for the management interface [192.168.45.45]:198.51.100.3<br />Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0<br />Enter the IPv4 default gateway for the management interface []: 198.51.100.1<br />Enter a fully qualified hostname for this system [Sourcefire3D]: asasfr.example.com<br />Enter a comma-separated list of DNS servers or 'none' []:<br /> 198.51.100.15, 198.51.100.14<br />Enter a comma-separated list of search domains or 'none' [example.net]: example.com<br />If your networking information has changed, you will need to reconnect.<br />For HTTP Proxy configuration, run 'configure network http-proxy'</pre> </li> <li>Wait for the system to reconfigure itself.</li> </ol> <p><a class="auto_toc_anchor" name="anc11"></a></p> <h3>Configure the FireSIGHT Management Center</h3> <p>In order to manage an ASA SFR module and security policy, you must <a href="http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html" target="_blank" rel="nofollow noopener">register it with a FireSIGHT Management Center</a>. You cannot perform these actions with a FireSIGHT Management Center:</p> <ul> <li>Configure the ASA SFR module interfaces</li> <li>Shut down, restart, or otherwise manage the ASA SFR module processes</li> <li>Create backups from, or restore backups to, the ASA SFR module devices</li> <li>Write access control rules in order to match traffic with the use of VLAN tag conditions</li> </ul> <p><a class="auto_toc_anchor" name="anc12"></a></p> <h3>Redirect Traffic to the SFR Module</h3> <p>In order to redirect traffic to the ASA SFR module, you must create a service policy that identifies specific traffic. Complete these steps in order to redirect traffic to an ASA SFR module:</p> <ol> <li>Select the traffic that should be identified with the <strong>access-list</strong> command. In this example, all of the traffic from all of the interfaces is redirected. 
You can do this for specific traffic as well.<br /><br /> <pre>ciscoasa(config)# access-list sfr_redirect extended permit ip any any</pre> </li> <li>Create a class-map in order to match the traffic on an access list:<br /><br /> <pre>ciscoasa(config)# class-map sfr<br />ciscoasa(config-cmap)# match access-list sfr_redirect</pre> </li> <li>Specify the deployment mode. You can configure your device in either a passive (monitor-only) or inline (normal) deployment mode. <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Note</strong>: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.</p> <ul> <li>In an inline deployment, after the undesired traffic is dropped and any other actions that are applied by policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission. This example shows how to create a policy-map and configure the ASA SFR module in the inline mode:<br /><br /> <pre>ciscoasa(config)# policy-map global_policy<br />ciscoasa(config-pmap)# class sfr<br />ciscoasa(config-pmap-c)# sfr fail-open</pre> </li> <li>In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not returned to the ASA. Passive mode allows you to view the actions that the SFR module would have completed with regard to the traffic. It also allows you to evaluate the content of the traffic, without an impact to the network.<br /><br />If you want to configure the SFR module in passive mode, use the <strong>monitor-only</strong> keyword (as shown in the next example). 
If you do not include the keyword, the traffic is sent in inline mode.<br /><br /> <pre>ciscoasa(config-pmap-c)# sfr fail-open monitor-only</pre> </li> </ul> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/warn.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Warning</strong>: The <strong>monitor-only</strong> mode does not allow the SFR service module to deny or block malicious traffic.</p> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/caut.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Caution</strong>: It might be possible to configure an ASA in <em>monitor-only</em> mode with the use of the interface-level <strong>traffic-forward sfr monitor-only</strong> command; however, this configuration is purely for demonstration functionality and should not be used on a production ASA. Any issues that are found in this demonstration feature are not supported by the Cisco Technical Assistance Center (TAC). If you desire to deploy the ASA SFR service in passive mode, configure it with the use of a <em>policy-map</em>.</p> </li> <li>Specify a location and apply the policy. You can apply a policy globally or on an interface. In order to override the global policy on an interface, you can apply a service policy to that interface.<br /><br />The <strong>global</strong> keyword applies the policy map to all of the interfaces, and the <strong>interface</strong> keyword applies the policy to one interface. Only one global policy is allowed. 
In this example, the policy is applied globally:<br /><br /> <pre>ciscoasa(config)# service-policy global_policy global</pre> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/caut.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>Caution</strong>: The policy map <strong>global_policy</strong> is a default policy. If you use this policy and want to remove it on your device for troubleshooting purposes, ensure that you understand its implication.</p> </li> </ol> <p><a class="auto_toc_anchor" name="anc13"></a></p> <h2>Verify</h2> <p>There is currently no verification procedure available for this configuration.</p> <p><a class="auto_toc_anchor" name="anc14"></a></p> <h2>Troubleshoot</h2> <p>There is currently no specific troubleshooting information available for this configuration.</p> </body> </html>
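
The redirect configuration from the "Redirect Traffic to the SFR Module" steps can be checked offline against a saved running-config. The Python below is an added example, not Cisco's or the author's code: the two sample configs are constructed, `audit_sfr_redirect` is a hypothetical helper name, and the input is assumed to be the text output of `show running-config`. It reports whether each `sfr` action is inline or monitor-only, whether any service-policy applies it, and whether the interface-level `traffic-forward sfr` command is present.

```python
# Constructed running-config excerpts (not captured from a device).
INLINE_CONFIG = """\
access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect
policy-map global_policy
 class sfr
  sfr fail-open
service-policy global_policy global
"""

PASSIVE_CONFIG = """\
interface GigabitEthernet0/3
 traffic-forward sfr monitor-only
access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect
policy-map sfr_policy
 class sfr
  sfr fail-open monitor-only
"""


def audit_sfr_redirect(config):
    """Return (redirects, warnings) for the SFR redirect in an ASA config.

    Assumes the usual running-config layout: block headers start in column 0
    and their sub-commands are indented by at least one space.
    """
    acls, class_acl, applied = set(), {}, {}
    redirects, warnings = [], []
    section = name = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command or block header
            section, name, cls = words[0], words[-1], None
            if section == "access-list" and len(words) > 1:
                acls.add(words[1])
            elif section == "service-policy" and len(words) > 2:
                # Scope is "global" or "interface <nameif>".
                applied.setdefault(words[1], []).append(" ".join(words[2:]))
        elif section == "class-map" and words[:2] == ["match", "access-list"] and len(words) > 2:
            class_acl[name] = words[2]
        elif section == "policy-map" and words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif section == "policy-map" and words[0] == "sfr" and cls:
            redirects.append({
                "policy_map": name,
                "class": cls,
                "mode": "monitor-only" if "monitor-only" in words else "inline",
                "on_failure": next((w for w in words if w.startswith("fail-")), None),
            })
        elif section == "interface" and words[:2] == ["traffic-forward", "sfr"]:
            warnings.append(f"interface {name}: traffic-forward sfr is a "
                            "demonstration feature; use a policy-map instead")
    # Resolve cross-references once the whole config has been read.
    for r in redirects:
        r["acl"] = class_acl.get(r["class"])
        r["applied"] = applied.get(r["policy_map"], [])
        tag = f"policy-map {r['policy_map']} class {r['class']}"
        if r["acl"] is not None and r["acl"] not in acls:
            warnings.append(f"{tag}: access-list {r['acl']} is not defined")
        if not r["applied"]:
            warnings.append(f"{tag}: no service-policy applies it, nothing is redirected")
        if r["mode"] == "monitor-only":
            warnings.append(f"{tag}: monitor-only, the module cannot deny or block traffic")
    if not redirects:
        warnings.append("no sfr action found in any policy-map")
    return redirects, warnings


if __name__ == "__main__":
    for label, cfg in (("inline", INLINE_CONFIG), ("passive", PASSIVE_CONFIG)):
        found, notes = audit_sfr_redirect(cfg)
        print(label, found)
        for note in notes:
            print("  warning:", note)
```
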
