If the vulnerability has been exploited on the Cisco ASA NGFW module and traffic is interrupted, the Modular Policy Framework (MPF) configuration on the Cisco ASA that redirects user traffic to the Cisco ASA NGFW module can be removed as a mitigation. All user traffic will then bypass the Cisco ASA NGFW module and pass through the Cisco ASA without the inspection that the module provides.
The following example shows how to disable redirection of traffic to the Cisco ASA NGFW module from the Cisco ASA firewall:
ASA(config)# policy-map cx_traffic_policy
ASA(config-pmap)# class cx_traffic
ASA(config-pmap-c)# no cxsc
The Cisco ASA can also be configured with the fail-open keyword (cxsc fail-open) under the MPF configuration. The fail-open keyword sets the Cisco ASA to allow all traffic through, uninspected, if the Cisco ASA NGFW module is unavailable. This applies only while the module is down; while the module is running, matching traffic is still redirected to it for inspection.
Alternatively, fragmented traffic can be disallowed on the Cisco ASA firewall. The Cisco ASA will then not accept any fragments on its interfaces and consequently will not send any fragments to the Cisco ASA NGFW software module for inspection.
The following example shows how to disable processing of fragmented traffic on the Cisco ASA firewall:
ASA(config)# fragment chain 1
Note: The above example disables fragments on all Cisco ASA interfaces. Fragmented traffic directed to or through the Cisco ASA will be dropped, so the Cisco ASA will not forward any fragmented traffic to the Cisco ASA NGFW module or to any other configured module.
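The following is an added example that is not part of the advisory. It puts the two mitigations above (MPF fail-open and the fragment restriction) into one configuration walk-through with verification commands. The class-map and policy-map names reuse the names from the text; the interface name "outside" is an assumption.

```text
! Added example, not from the advisory. class-map cx_traffic and
! policy-map cx_traffic_policy reuse the names used in the text above;
! the interface name "outside" is an assumption.

! 1. Keep redirecting traffic to the NGFW module, but let traffic pass
!    uninspected if the module becomes unavailable. fail-open covers only
!    the module being down; while it is up, matching traffic (fragments
!    included) is still sent to it.
ASA(config)# class-map cx_traffic
ASA(config-cmap)# match any
ASA(config-cmap)# exit
ASA(config)# policy-map cx_traffic_policy
ASA(config-pmap)# class cx_traffic
ASA(config-pmap-c)# cxsc fail-open
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# service-policy cx_traffic_policy global

! 2. Stop fragments from reaching the module at all. Without an interface
!    name, "fragment chain 1" applies to every interface; adding an
!    interface name limits the restriction to that interface only.
ASA(config)# fragment chain 1 outside

! 3. Verify what is in effect.
ASA# show running-config policy-map
ASA# show service-policy
ASA# show fragment outside
ASA# show module
```

Scoping the fragment restriction to the untrusted interface keeps legitimate fragmented traffic on internal interfaces working while still preventing externally sourced fragments from being handed to the module; choose the scope according to which interfaces carry traffic that is redirected to the Cisco ASA NGFW module.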