- Open a session to the ASA SFR module.
INBASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire ASA5555 v5.3.1 (build 152)
Sourcefire3D login:
- Log in with the username admin and the password Admin123.
- Complete the system configuration as prompted, which occurs in this order:
- Read and accept the End User License Agreement (EULA).
- Change the admin password.
- Configure the management address and DNS settings, as prompted.
Example:
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: <new password>
Confirm new password: <repeat password>
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 198.51.100.3
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 198.51.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: asasfr.example.com
Enter a comma-separated list of DNS servers or 'none' []: 198.51.100.15, 198.51.100.14
Enter a comma-separated list of search domains or 'none' [example.net]: example.com
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
- Wait for the system to reconfigure itself.
Redirect Traffic to the SFR Module
To redirect traffic to the ASA SFR module, you must create a service policy that identifies the traffic to be inspected. Complete these steps in order:
1. Select the traffic to be redirected with the access-list command. In this example, all traffic from all interfaces is redirected; you can match specific traffic instead.
INBASA(config)# access-list sfr_redirect extended permit ip any any
2. Create a class-map that matches the traffic on the access list:
INBASA(config)# class-map sfr
INBASA(config-cmap)# match access-list sfr_redirect
3. Configure the deployment mode: passive (monitor-only) or inline (normal).
Note: You cannot configure both passive mode and inline mode at the same time on the ASA; only one type of security policy is allowed. With the fail-open keyword, traffic continues to pass uninspected if the SFR module is unavailable; the fail-close keyword drops it instead.
In an inline deployment:
INBASA(config)# policy-map global_policy
INBASA(config-pmap)# class sfr
INBASA(config-pmap-c)# sfr fail-open
In a passive deployment:
INBASA(config)# policy-map global_policy
INBASA(config-pmap)# class sfr
INBASA(config-pmap-c)# sfr fail-open monitor-only
4. Specify a location and apply the policy. You can apply a policy globally or on an interface.
INBASA(config)# service-policy global_policy global
The global keyword applies the policy map to all interfaces; the interface keyword applies it to a single interface.
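The chain built in these steps (service-policy, policy-map, class, class-map, access-list) is what decides which traffic the module actually sees and what happens when it is down, so it is worth auditing from a saved running-config rather than trusting the deployment notes. The following Python audit is an added example, not code from the Cisco page: it reads a config in 'show running-config' layout and reports the redirect scope, mode, fail action and whether the ACL matches everything. SAMPLE_CONFIG and audit_sfr_redirect are names chosen here, and the parser assumes the one-space-per-level indentation the ASA uses.

```python
import re

# Constructed sample in 'show running-config' layout, built from the
# page's own commands (passive variant), so the audit has input to walk.
SAMPLE_CONFIG = """\
access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect
policy-map global_policy
 class sfr
  sfr fail-open monitor-only
service-policy global_policy global
"""

def audit_sfr_redirect(config):
    """Walk service-policy -> policy-map -> class -> class-map -> ACL; None if no sfr action is applied."""
    acls, cmap_acl, pmap_sfr, applied = {}, {}, {}, {}
    cur_cmap = cur_pmap = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line ends any open block
            cur_cmap = cur_pmap = cur_class = None
        if m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"class-map (\S+)", line):
            cur_cmap = m[1]
        elif cur_cmap and (m := re.match(r"match access-list (\S+)", line)):
            cmap_acl[cur_cmap] = m[1]
        elif m := re.match(r"policy-map (\S+)", line):
            cur_pmap = m[1]
        elif cur_pmap and (m := re.match(r"class (\S+)", line)):
            cur_class = m[1]
        elif cur_class and line.startswith("sfr "):
            pmap_sfr[cur_pmap] = (cur_class, line.split()[1:])
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)", line):
            applied[m[1]] = m[2]
    for pmap, scope in applied.items():  # only applied policies matter
        if pmap in pmap_sfr:
            cls, opts = pmap_sfr[pmap]
            acl = cmap_acl.get(cls)
            return {
                "scope": scope,  # 'global' or 'interface <name>'
                "mode": "passive" if "monitor-only" in opts else "inline",
                "fail_action": opts[0],  # 'fail-open' or 'fail-close'
                "access_list": acl,
                "matches_all": "permit ip any any" in acls.get(acl, []),
            }
    return None
```

A policy-map that carries an sfr action but is never referenced by a service-policy line is reported as None, which is the usual way a "configured" redirect turns out to inspect nothing.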