Lab Minutes Forum
Technical Discussion => Security => Topic started by: gvoden on March 27, 2016, 01:49:06 PM
-
I am trying to use my ASA 5585-X as a pure sniffer where it sends all traffic to the SFR module without having to use the policy map redirect method.
I am following this doc:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#95136
When I enter the below command at interface level it's all good:
traffic-forward sfr monitor-only
However, doing a "show run" doesn't list that command, and even though traffic is received on the physical port, it does not get processed.
Does it matter which ASA ports I am using?
-
Does the Firepower management center not see traffic from the FP module? I assume you already have FP added as a device on the management center, as well as having the ASA running in transparent single-context mode. I don't believe which interface you use matters.
Below is a link to a discussion similar to what you are trying to do, if that helps.
https://supportforums.cisco.com/discussion/12572586/asa-5585x-firepower-hardware-module-passive-mode
-
So it looks like this is a bug in the code for the ASA - I am on 9.3.2 and entering the command "traffic-forward sfr monitor-only" does not actually apply to the configuration.
When I do "show run" the command does not appear under the interface config. It turns out this is fixed in ASA code 9.5.2:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCuw32576
I upgraded one of my spare boxes to 9.5.2 and now I see the "traffic-forward" command applied in the configuration. Next step will be to send SPAN traffic to make sure it actually works.
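The traffic-forwarding interface configuration this thread is about, together with the verification step that exposes the bug, as an added example that is not part of the original post or of Cisco's documentation. It assumes an ASA 5585-X in single-context transparent mode on a release that carries the fix, and an interface name (GigabitEthernet0/5) chosen for illustration.

```cisco
! Added example, not from the thread. Assumptions: ASA 5585-X, single context,
! transparent mode, ASA 9.5.2 or later (the thread reports that 9.3.2 accepts
! the command at the prompt but silently drops it), SPAN feed on Gi0/5.
firewall transparent
!
! A traffic-forwarding interface must be a physical interface with no nameif;
! it hands everything it receives to the SFR module in monitor-only mode, so no
! policy-map / service-policy redirect is needed.
interface GigabitEthernet0/5
 no nameif
 no shutdown
 traffic-forward sfr monitor-only
!
! Verification: confirm the command actually landed in the running config.
! On an affected release the traffic-forward line is missing here even though
! the CLI accepted it, which is the symptom described in this thread; on a
! fixed release it appears under the interface.
show running-config interface GigabitEthernet0/5
```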
-
Bug sounds about right. Thank you for sharing the resolution.
-
Just sent SPAN traffic to the 5585-X and it works fine - FirePOWER can identify the app traffic without issues.
-
Thanks for an update gvoden. :D