<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic You're welcome. Please mark in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056427#M145791</link>
    <description>&lt;P&gt;You're welcome. Please mark your question as answered if it has been.&lt;/P&gt;
&lt;P&gt;I believe rehosting your FirePOWER classic type licenses from ASDM to FMC requires a TAC ticket as those license types don't currently allow self-service rehosting.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sat, 18 Mar 2017 15:02:59 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2017-03-18T15:02:59Z</dc:date>
    <item>
      <title>ASA with FirePOWER Services Questions</title>
      <link>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056424#M145787</link>
      <description>&lt;P&gt;Hello all,&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;I have just recently installed the FirePOWER services module on our ASA 5512-X and I had a few questions I wanted to run by the community about it. So far I have been able to grasp it but there were a few things I would appreciate some clarification on.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;1.) I am using ASDM to manage both the appliance and the FirePOWER module. Are all of the features available when not using a Firepower Management Center? For example I was creating a File Rule and when I select either of the Malware Cloud Lookup options I do not get the 4 check boxes in ASDM for Spero Analysis for EXEs, Dynamic Analysis, Capacity Handling, and Local Malware Analysis. Does this mean I am unable to do things like sandboxing as well?&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;2.) I have created Zones to try and match traffic by interface because there are a few interfaces that need to be excluded from the monitoring and filtering. I created an IPS and File Policy rule as one rule and used the "Inside" and "Outside" zones for both the destination to source of the rule. It seems like it is matching traffic as I am getting logs; I just wanted to confirm this since the default action is to do the IPS scan.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;3.) Can you mix and match zones and networks? For example if I want to create a geoblocking rule for outbound connection could I add the "Inside" zone to the source of the rule and the geoblocked networks to the destination under the network tab? I was not sure if you can mix and match zones and networks to match traffic.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;4.) When creating a file rule you have the option to choose the protocol and you can choose SMTP, POP3, and IMAP. Does this mean that AMP for Networks is capable of scanning incoming and outgoing emails? And if so does this include any attachments the emails may have?&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;I also saw some documentation that the 5512-X could not manage the Firepower module from ASDM, and only 3 ASA models allowed it to manage the module from ASDM. Was this changed or am I just lucky it is working and that is why I don't have all of the features?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;Any help is appreciated. Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 09:03:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056424#M145787</guid>
      <dc:creator>brandonbittinger</dc:creator>
      <dc:date>2019-03-12T09:03:58Z</dc:date>
    </item>
    <item>
      <title>1. Correct - ASDM management</title>
      <link>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056425#M145789</link>
      <description>&lt;P&gt;1. Correct - ASDM management is limited and you cannot perform several functions that are available from FMC. I always recommend FMC be used - the cost for an entry level license is quite reasonable.&lt;/P&gt;
&lt;P&gt;2. That should be fine.&lt;/P&gt;
&lt;P&gt;3. Yes - in a given rule of your Access Control Policy all of the settings are combined via logical "AND".&lt;/P&gt;
&lt;P&gt;4. I believe AMP for networks is limited to scanning PDF files attached to emails. I base that on this reference:&lt;/P&gt;
&lt;P&gt;http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AMP-Config.html#pgfId-2271146&lt;/P&gt;
&lt;P&gt;5. It was initially only the "Kenton" platforms (5506/08/16). As of FirePOWER 6.0, Cisco added ASDM manageability for the 5500-X "Saleen" platforms (5512/15/24/45/55/85). As I noted earlier, we almost always recommend using FMC as most customers quickly realize they want to do more than can be done with ASDM only.&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 15 Mar 2017 04:36:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056425#M145789</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2017-03-15T04:36:45Z</dc:date>
    </item>
    <item>
      <title>Thank you for your reply I</title>
      <link>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056426#M145790</link>
      <description>&lt;P&gt;Thank you for your reply. I believe that answers most of my questions. Everything is already set up and running, so my next question would be: if I get a FMC, how difficult is it to move the licenses to the FMC and set up the Firepower module to be managed by the FMC instead? I don't have anything too complete set up at the moment so if I have to recreate my access rules or reconfigure the module it is not that big of a deal at this point.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;After using ASDM to manage the module I have gotten fairly frustrated with the lack of reporting features it has. From what I have seen the FMC gives you substantially better reporting and searching options that give you a lot more visibility into what is going on where.&lt;/P&gt;</description>
      <pubDate>Sat, 18 Mar 2017 14:39:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056426#M145790</guid>
      <dc:creator>brandonbittinger</dc:creator>
      <dc:date>2017-03-18T14:39:06Z</dc:date>
    </item>
    <item>
      <title>You're welcome. Please mark</title>
      <link>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056427#M145791</link>
      <description>&lt;P&gt;You're welcome. Please mark your question as answered if it has been.&lt;/P&gt;
&lt;P&gt;I believe rehosting your FirePOWER classic type licenses from ASDM to FMC requires a TAC ticket as those license types don't currently allow self-service rehosting.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 18 Mar 2017 15:02:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056427#M145791</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2017-03-18T15:02:59Z</dc:date>
    </item>
    <item>
      <title>Awesome! I will certainly</title>
      <link>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056428#M145792</link>
      <description>&lt;P&gt;Awesome! I will certainly look into this. Thanks again!&lt;/P&gt;</description>
      <pubDate>Sat, 18 Mar 2017 15:10:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-with-firepower-services-questions/m-p/3056428#M145792</guid>
      <dc:creator>brandonbittinger</dc:creator>
      <dc:date>2017-03-18T15:10:10Z</dc:date>
    </item>
  </channel>
</rss>

