By default, even if the box is fully functional and correctly installed, traffic will not be passed to the FirePOWER instance. We have to configure the redirect ourselves.

To accomplish this we first create an ACL that matches the traffic we would like to redirect to the FirePOWER instance.

access-list ACL_SFR extended permit ip any any

Afterwards we create a class-map that matches all the traffic from the ACL „ACL_SFR“. We will name it „TO-SFR“ and it should look like this.

class-map TO-SFR
 match access-list ACL_SFR

Finally we add our new class to the global policy and set the action „sfr fail-open“.

policy-map global_policy
 class TO-SFR
  sfr fail-open

What's the difference between fail-open and fail-close?

fail-open tells the ASA to pass all the traffic uninspected in case the FirePOWER module is not available.

fail-close sets the ASA to drop all the traffic if the FirePOWER module is unavailable.

As an example, the FirePOWER module can be unavailable during the upgrade of the module or due to lack of resources.
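As an added example (not part of the original post), the following script audits a running-config for the ACL, class-map and policy-map chain built above and reports whether the redirect is complete and which fail mode it uses. The config excerpt is constructed for the example, and the function names are my own.

```python
# Constructed ASA running-config excerpt (not from a real device) with the chain the post builds.
SAMPLE_CONFIG = """\
access-list ACL_SFR extended permit ip any any
class-map TO-SFR
 match access-list ACL_SFR
policy-map global_policy
 class TO-SFR
  sfr fail-open
service-policy global_policy global
"""


def parse_sfr_redirect(config):
    """Collect the pieces of the SFR redirect: ACLs, class-map, policy class, fail mode."""
    r = {"acls": set(), "class": None, "acl": None, "fail_mode": None, "global": False}
    class_to_acl, current_class, in_policy, policy_class = {}, None, False, None
    for raw in config.splitlines():
        s = raw.strip()
        if not raw.startswith(" "):  # top-level line: a new block starts, old context ends
            current_class, in_policy = None, False
            if s.startswith("access-list "):
                r["acls"].add(s.split()[1])
            elif s.startswith("class-map "):
                current_class = s.split()[1]
            elif s == "policy-map global_policy":
                in_policy = True
            elif s == "service-policy global_policy global":
                r["global"] = True
        elif current_class and s.startswith("match access-list "):
            class_to_acl[current_class] = s.split()[2]
        elif in_policy and s.startswith("class "):
            policy_class = s.split()[1]
        elif in_policy and s.startswith("sfr "):  # the redirect itself, e.g. 'sfr fail-open'
            r["class"], r["acl"] = policy_class, class_to_acl.get(policy_class)
            r["fail_mode"] = s.split()[1]
    return r


def audit_sfr_redirect(config):
    """Findings a reviewer would raise; an empty list means a complete redirect with fail-close."""
    r = parse_sfr_redirect(config)
    if r["class"] is None:
        return ["no class under global_policy carries an sfr action; nothing reaches the module"]
    findings = []
    if r["acl"] is None or r["acl"] not in r["acls"]:
        findings.append(f"class {r['class']} does not match a defined access-list")
    if not r["global"]:
        findings.append("global_policy is not applied with 'service-policy global_policy global'")
    if r["fail_mode"] == "fail-open":
        findings.append("fail-open: traffic passes uninspected while the module is unavailable")
    return findings
```

Run it against the output of `show running-config` to confirm the redirect is in place before relying on the module for inspection.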

Thanks for reading! See you soon…
