Firepower

sweigle88 — Thu, 17 Feb 2022 21:20:34 GMT

Hello,

We just received 2 physical Firepowers 2110's with stock loaded 6.6.1-91 software that are supposed to be in a HA setup. I was told you can add ASA software. Is there any reason to do this other than being more comfortable with that software? I'm assuming you manage these through command line and/or Device manager? Reading the documentation, it seems the Device manager is meant for small installations like this, but seems clunky. I've also read you can manage these through Ansible. Sorry, I did not spec these appliances out. That person has left. Advice is much appreciated on best way to manage two physical firepowers.

Re: Firepower

Rob Ingram — Thu, 17 Feb 2022 21:30:59 GMT

@sweigle88 you could run either FTD software or traditional ASA software. The FTD software supports all the NGFW features such as url filtering, ssl decryption etc, the ASA does not support these features.

An advantage of using ASA software is that it supports more feature than the FTD, there isn't full feature parity, though it's much improved.

You can manage the FTD centrally using the FMC, locally using FDM or cloud using CDO. Using FDM or CDO has quite or lot less supported features than if managed by an FMC.

Re: Firepower

sweigle88 — Thu, 17 Feb 2022 22:00:58 GMT

@Rob Ingram ASAs had a pretty good CLI to configure the device with lots of documentation. I haven't seen as much documentation on CLI set up for firepowers. Do you have to use FMC, FDM or CDO? Or can you use the CLI and then potentially tie with Ansible?

thanks,

Re: Firepower

Rob Ingram — Thu, 17 Feb 2022 22:09:00 GMT

@sweigle88 no, you cannot use the CLI on the FTD to manage or configure 99% of the features.

The CLI is only used for initial network connectivity using the management interface and troubleshooting. You cannot configure ACLs, VPNs etc, for that you must use the FDM, FMC or CDO GUI.

You can use RestAPI.

Re: Firepower

sweigle88 — Fri, 18 Feb 2022 00:03:28 GMT

@Rob Ingram Wow. I have to repeat. You have to use GUIs to manage Firepowers? No CLI that is useful?

Re: Firepower

Rob Ingram — Fri, 18 Feb 2022 04:50:51 GMT

@sweigle88 yes you must use the GUI, as stated limited CLI

Re: Firepower

Aref Alsouqi — Fri, 18 Feb 2022 15:18:05 GMT

If you want to manage your firewalls through CLI then the option would be to spin up ASA code on those appliances, however, I wouldn't recommend it as as @Rob Ingram said, the ASA firewalls do not support the next gen firewalls features, but tbh it all depends on what you want to do with those firewalls and if you have additional next gen core firewalls in your network.

The FTD CLI is very limited, it is true that there are a few commands you can use from the CLI, but there is nothing such as you go and configure things in the ASA way. With FTD there are two CLI modes, one is called CLISH which is the default landing mode where you see the ">" sign, and another which is the "expert" mode where you see the "#" sign. To go into the expert mode you type "expert" from the CLISH and it takes you to the Linux based operating system on the FTD which is called FXOS (Firepower eXtensible Operating System). If you want to get to the ASA looks and feel CLI (Lina engine), then one way to do that is from the CLISH mode, you type "system support diagnostic-cli", however, that will not allow you to go into the configure terminal mode. From there you can still run some troubleshooting commands such as packet capture, packet-tracer, show commands and debugs, so only for troubleshooting purpose and obv if you want to parse some of the device configuration.

Take a look at this list just to give you a rough idea of what you can get when you connect to the FTD CLISH in terms of commands:

>
aaa-server Specify a AAA server
activate-tunnel-group-scripts Reload ASDM generated scripts for username-from-certificate
app-agent Configure appagent features
asp Configure ASP parameters
attribute Modify a monitored attribute
blocks Set block diagnostic parameters
capture Capture inbound and outbound packets on one or more interfaces
capture-traffic Display traffic or save to specified file
clear Reset functions
cluster Cluster exec mode commands
configure Change to Configuration mode
conn Connection
connect Connect to another component.
copy Copy from one file to another
cpu general CPU stats collection tools
crypto Execute crypto Commands
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on a filesystem
dns List files on a filesystem
dynamic-access-policy-config Activates the DAP selection configuration file.
eotool Change to Enterprise Object Tool Mode
exit Exit this CLI session
expert Invoke a shell
failover Perform failover operation in Exec mode
file Change to File Mode
fips Execute FIPS tests
fsck Filesystem check
help Interactive help for commands
history Display the current session's command line history
ldapsearch Test LDAP configuration
logging Configure flash file name to save logging buffer
logout Logout of the current CLI session
memory Memory tools
more Display the contents of a file
no Negate a command or set its defaults
nslookup Look up an IP address or host name with the DNS servers
packet-tracer trace packets in F1 data path
perfmon Change or view performance monitoring options
pigtail Tail log files for debugging (pigtail)
ping Test connectivity from specified interface to an IP address
pmtool Change to PMTool Mode
reboot Reboot the sensor
redundant-interface Redundant interface
restore This command is used to restore FTD from sfr prompt
sftunnel-status Show sftunnel status
sftunnel-status-brief Show sftunnel status brief
show Show running system information
shun Manages the filtering of packets from undesired hosts
shutdown Shutdown the sensor
system Change to System Mode
tail-logs Tails the logs selected by the user
test Test subsystems, memory, interfaces, and configurations
traceroute Find route to remote network
undebug Disable debugging functions (see also 'debug')
upgrade Install Upgrade Package
verify Verify a file
vpn-sessiondb Configure the VPN Session Manager
webvpn-cache Remove cached object

> configure
audit_cert Change to Audit_cert Configuration Mode
CGroups-logging-timer Set CGroups logging time in minutes
coredump Change to Coredump Configuration Mode
crl Add a CRL URL
disable-https-access Disable https access
disable-ssh-access Disable ssh access
firewall Change to Firewall Configuration Mode
flow-offload Configure dynamic flow offload
high-availability Change to Configure High-Availability Mode
https-access-list Configure the https access list
identity-subnet-filter Modify subnet filters
inspection Configure default inspection for firewall
log-events-to-ramdisk Configure Logging of Events to disk
manager Change to Manager Configuration Mode
mini-coredump mini-coredump generation enable/disable
network Change to Network Configuration Mode
password Change password
periodic-memstats-dump Enable/disable periodic dumping of preprocessors memory stats
policy Change to policy rollback Mode
policy-deploy-debug Enable or Disable debug log for policy deploy
snort Configure Snort options
ssh-access-list Configure the ssh access list
ssl-protocol Configure SSL protocols for https web access.
syslog_server Change to Syslog Server config Mode
tcp-randomization Configure tcp connection randomization
unlock_time Set unlock time for a locked out user (CC/UCAPL mode only)
user Change to User Configuration Mode
user-time-zone set user time zone

topic Re: Firepower in Network Security

Firepower

Re: Firepower

Re: Firepower

Re: Firepower

Re: Firepower

Re: Firepower

Re: Firepower