1. Open a session to the ASA SFR module.

INBASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is ‘CTRL-^X’.
Sourcefire ASA5555 v5.3.1 (build 152)
Sourcefire3D login:

  2. Log in with the username admin and the password Admin123.
  3. Complete the system configuration as prompted, which occurs in this order:
    • Read and accept the End User License Agreement (EULA).
    • Change the admin password.
    • Configure the management address and DNS settings, as prompted.

Example (ASA):

System initialization in progress. Please stand by.
You must change the password for ‘admin’ to continue.
Enter new password: <new password>
Confirm new password: <repeat password>
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 198.51.100.3
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 198.51.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: asasfr.example.com
Enter a comma-separated list of DNS servers or ‘none’ []: 198.51.100.15, 198.51.100.14
Enter a comma-separated list of search domains or ‘none’ [example.net]: example.com
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run ‘configure network http-proxy’

Wait for the system to reconfigure itself.

Redirect Traffic to the SFR Module

To redirect traffic to the ASA SFR module, you must create a service policy that identifies the traffic to be inspected. Complete these steps:

  1. Select the traffic that should be identified with the access-list command. In this example, all of the traffic from all of the interfaces is redirected. You can do this for specific traffic as well.

INBASA(config)# access-list sfr_redirect extended permit ip any any

  2. Create a class-map in order to match the traffic on an access list:

INBASA(config)# class-map sfr
INBASA(config-cmap)# match access-list sfr_redirect

  3. Configure the deployment mode: passive (monitor-only) or inline (normal).

Note: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.

In an inline deployment:

INBASA(config)# policy-map global_policy
INBASA(config-pmap)# class sfr
INBASA(config-pmap-c)# sfr fail-open

In a passive deployment:

INBASA(config)# policy-map global_policy
INBASA(config-pmap)# class sfr
INBASA(config-pmap-c)# sfr fail-open monitor-only

  4. Specify a location and apply the policy. You can apply a policy globally or on an interface.

INBASA(config)# service-policy global_policy global

The global keyword applies the policy map to all of the interfaces, and the interface keyword applies it to a single interface.
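The following Python script is an added example and not part of the original document: it parses the access-list, class-map, policy-map and service-policy lines produced by the steps above (constructed here in show running-config form) and reports which traffic reaches the module, whether it runs monitor-only, and whether the module fails open or closed. The function name audit_sfr_policy and the result keys are this example's own.

```python
"""Audit an ASA configuration fragment for its SFR redirect policy.

Constructed for this example: SAMPLE_CONFIG is the procedure above in
show running-config form.
"""

SAMPLE_CONFIG = """\
access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect
policy-map global_policy
 class sfr
  sfr fail-open
service-policy global_policy global
"""


def audit_sfr_policy(config: str) -> dict:
    """Summarise which traffic reaches the SFR module and how it fails."""
    acls = {}            # access-list name -> list of rule strings
    acl_of_class = {}    # class-map name -> access-list it matches
    current_class = current_pmap = None
    result = {"policy_map": None, "class_map": None, "acl": None,
              "fail_mode": None, "monitor_only": False,
              "applied": None, "redirects_everything": False}
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("access-list "):
            acls.setdefault(parts[1], []).append(" ".join(parts[2:]))
        elif line.startswith("class-map "):
            current_class = parts[1]
        elif line.startswith("match access-list ") and current_class:
            acl_of_class[current_class] = parts[2]
        elif line.startswith("policy-map "):
            current_pmap = parts[1]
        elif line.startswith("class ") and current_pmap:
            current_class = parts[1]
        elif line.startswith("sfr ") and current_pmap:
            # fail-open forwards traffic uninspected while the module is down;
            # fail-close drops it. monitor-only means the module only sees a copy.
            result.update(policy_map=current_pmap, class_map=current_class,
                          acl=acl_of_class.get(current_class),
                          fail_mode=parts[1], monitor_only="monitor-only" in parts)
        elif line.startswith("service-policy ") and parts[1] == result["policy_map"]:
            result["applied"] = " ".join(parts[2:])
    # A bare 'permit ip any any' hands every packet on the interface to the module.
    rules = acls.get(result["acl"], [])
    result["redirects_everything"] = any(r.endswith("permit ip any any") for r in rules)
    return result
```

Feed it the output of show running-config on the ASA; for the configuration built above it reports fail_mode fail-open, monitor_only False, applied global and redirects_everything True.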