Quick start for FMC and ASA with Firepower module

access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect

Specify the deployment mode. You can configure your device in either a passive (monitor-only) or inline (normal) deployment mode.

Note: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.

In an inline deployment, after the undesired traffic is dropped and any other actions that are applied by policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission. This example shows how to create a policy-map and configure the ASA SFR module in the inline mode:

policy-map global_policy
 class sfr
  sfr fail-open

In a passive deployment, a copy of the traffic is sent to the SFR service module, but it is not returned to the ASA. Passive mode allows you to view the actions that the SFR module would have taken on the traffic. It also allows you to evaluate the content of the traffic without impacting the network.

If you want to configure the SFR module in passive mode, use the monitor-only keyword (as shown in the next example). If you do not include the keyword, the traffic is sent in inline mode.

policy-map global_policy
 class sfr
  sfr fail-open monitor-only
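
A way to check which of the two modes a saved running-config actually applies, as an added example that is not part of the original notes: the Python below parses the class-map and policy-map shown above and reports the mode, the failure behaviour and whether the redirect ACL sends all IP traffic to the module. The function name audit_sfr and the sample configs are constructed for illustration.

```python
import re

# Constructed sample running-config fragments (not taken from a real device).
INLINE_CFG = """\
access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect
policy-map global_policy
 class sfr
  sfr fail-open
"""
PASSIVE_CFG = INLINE_CFG.replace("sfr fail-open", "sfr fail-open monitor-only")

SFR_RE = re.compile(r"^sfr (fail-open|fail-close)( monitor-only)?$")

def audit_sfr(config):
    """Return one finding per 'sfr' action found under a policy-map class."""
    acls, class_acl, findings = {}, {}, []
    policy = cls = cmap = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw == raw.lstrip():              # top-level line ends any open block
            policy = cls = cmap = None
        parts = line.split(None, 2)
        if line.startswith("access-list ") and len(parts) == 3:
            acls.setdefault(parts[1], []).append(parts[2])
        elif line.startswith("class-map "):
            cmap = parts[-1].split()[-1]
        elif cmap and line.startswith("match access-list "):
            class_acl[cmap] = line.split()[-1]
        elif line.startswith("policy-map "):
            policy = line.split()[-1]
        elif policy and line.startswith("class "):
            cls = line.split()[-1]
        elif policy and cls and (m := SFR_RE.match(line)):
            aces = acls.get(class_acl.get(cls), [])
            findings.append({
                "policy": policy, "class": cls,
                # monitor-only present -> passive copy; absent -> inline
                "mode": "passive" if m.group(2) else "inline",
                # fail-open forwards traffic uninspected if the module is down
                "on_failure": m.group(1),
                "redirects_all_ip": "extended permit ip any any" in aces,
            })
    return findings
```

With fail-open, the ASA keeps forwarding traffic uninspected while the module is unavailable; fail-close is the keyword that blocks it instead, so the on_failure field is the one to review against your availability and inspection requirements.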

To register a Firepower module

session sfr

Log in with your username and password, then run the following:

configure manager add <IP ADDRESS> <reg_key>