To configure SFR (Sourcefire) on an ASA firewall, follow the steps below:
Before configuring SFR, the firewall should be properly configured and accessible:
Step 1: Obtain a license: SFR requires a license to be installed before it can be configured. You can obtain a license by purchasing it from Cisco.
Step 2: Install the SFR module: The SFR module is installed separately from the ASA firmware. You can download the module from the Cisco website and then upload it to the ASA using TFTP or SCP.
Step 3: Enable SFR on the ASA with the command below:
ASA(config)# module sfr enable
Step 4: Configure the interface: You must configure the interface that will be used to connect to the SFR module. Use the commands below to configure the interface:
ASA(config)# interface GigabitEthernet 0/1
ASA(config-if)# nameif sfr
ASA(config-if)# security-level 100
ASA(config-if)# ip address 10.168.0.1 255.255.255.252
Step 5: Configure a policy to redirect traffic from the firewall to SFR:
ASA(config)# service-policy global_policy global
ASA(config)# class-map inspection_default
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# sfr fail-open
Step 6: Configure the SFR module:
ASA(config)# sfr fail-close
ASA(config)# sfr module sfr recover configure
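To check the result of Step 5 after the fact, the script below audits a saved running-config for the SFR redirect, its failure mode, and whether the policy-map is actually applied. It is an added example, not part of the original steps or Cisco tooling; the sample config is constructed from the Step 5 commands, and the function names are hypothetical.

```python
import re

# Constructed sample running-config, modelled on the Step 5 commands above.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  sfr fail-open
service-policy global_policy global
"""

def parse_sfr_redirects(config):
    """Return one dict per 'sfr' action found under a policy-map class."""
    redirects, pmap, cls = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A top-level command ends any policy-map context.
            m = re.match(r"policy-map\s+(\S+)$", line)
            pmap, cls = (m.group(1) if m else None), None
        elif pmap and (m := re.match(r"class\s+(\S+)$", line)):
            cls = m.group(1)
        elif pmap and cls and (m := re.match(r"sfr\s+(fail-open|fail-close)\b", line)):
            redirects.append({"policy_map": pmap, "class": cls, "mode": m.group(1)})
    return redirects

def audit(config):
    """List findings about how traffic is redirected to the SFR module."""
    applied = set(re.findall(
        r"^service-policy\s+(\S+)\s+(?:global|interface\s+\S+)", config, re.M))
    redirects = parse_sfr_redirects(config)
    findings = [] if redirects else ["no sfr redirect configured"]
    for r in redirects:
        where = f"{r['policy_map']}/{r['class']}"
        if r["policy_map"] not in applied:
            findings.append(f"{where}: policy-map not applied by any service-policy")
        if r["mode"] == "fail-open":
            findings.append(f"{where}: fail-open, traffic passes uninspected if the module is down")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config saved to a file; an empty findings list means the redirect is fail-close and applied by a service-policy.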