topic Hello Marvin, in Network Security

Question about Firewalling & Content Filtering using ASA 5525-X

Terence Lockette — Tue, 12 Mar 2019 07:01:38 GMT

Hello all,

I'm in the process of purchasing a quantity of 2 for the following:

ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle
Cisco ASA5525 FirePOWER IPS, AMP and URL Licenses
Cisco FireSIGHT Management Center,(VMWare) for 2 devices

These will replace our guest network firewall and content filter which are currently Barracuda devices. I'm not sure if it's worth mentioning but there are 3 networks behind our guest network. The 1st is the main guest network that has the current firewall, Web filter, switches, and guest devices. The 2nd network services a remote network where we used PBR to get it's traffic routed to the guest network. The last network is a network created where clients are behind the PacketFence captive portal so the server has 2 NICs (one on the main network and the other behind the portal that serves clients behind it. Eventually, users on the main network will be moved behind the captive portal.

We're going to run the ASAs in active/standby HA. What I need to know is since this will be a new install/configure from scratch, is there any documentation that will guide me through the process of getting this up and running step-by-step? For instance, do I need to configure my firewall with all required configurations first and then proceed to configure CX for content filtering? We're not going to run, at least for now, FirePOWER services so I don't think the install/configuration of FirePOWER and the FireSIGHT Mgmt Center would be necessary unless it's used for the URL/Content filtering. I just need to be pointed in the right direction as to how to get started. Thanks!

Regards,

Terence

CX is an older discontinued

Marvin Rhoads — Fri, 11 Dec 2015 03:46:28 GMT

CX is an older discontinued module. It is no longer sold.

On your platform, content filtering etc. would be done using the FirePOWER module. Hopefully you purchased the licenses for that - "TA" at least (for IPS), "TAC" (adds URL filtering) or "TAMC" adds Malware protection or AMP).

There is a good Cisco Live presentation that covers creating policies. Please refer to BRKSEC-2018 from Cisco Live San Diego 2015 available free at ciscolive365.com

Hello Marvin,

Terence Lockette — Fri, 11 Dec 2015 14:33:41 GMT

Hello Marvin,

In my original post, I stated that we were purchasing the following:

ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle
Cisco ASA5525 FirePOWER IPS, AMP and URL Licenses
Cisco FireSIGHT Management Center,(VMWare) for 2 devices

Our vendor understood what we were looking to do and provided the necessary licensing to accomplish that. I'll take a look at the video from Cisco Live to get an idea as to how to start. Thanks!

Terence

OK sure - I saw that but I

Marvin Rhoads — Fri, 11 Dec 2015 14:47:52 GMT

OK sure - I saw that but I was picking up on where you said further down "proceed to configure CX for content filtering?"

There are also some good free videos on Lab Minutes for setting up FirePOWER. See the following: http://labminutes.com/video/sec/ASA%20FirePower

Oh ok lol. Yeah the reason I

Terence Lockette — Fri, 11 Dec 2015 14:54:02 GMT

Oh ok lol. Yeah the reason I mentioned CX is because LabMinutes has their videos labeled as CX but that may be for the older module as you stated. Thanks again!

Terence

Marvin,

Terence Lockette — Fri, 11 Dec 2015 18:40:44 GMT

Marvin,

I just happened to notice that the FireSIGHT Management Center is VMWare so does that mean it doesn't support Hyper-V? If not, then I'll need to look at another solution for what I'm trying to do for our guest network as we're a Hyper-V shop and won't be adding another VM environment.

Terence

Sorry but FireSIGHT

Marvin Rhoads — Fri, 11 Dec 2015 19:23:16 GMT

Sorry but FireSIGHT Management Center (known as FirePOWER Management Center as of version 6.0) is not available for Hyper-V.

I've had several customers with the same question and have been banging the drum with my Cisco contacts for most of the year over this request but it's not resulted in any progress to date.

You can manage an ASA FirePOWER module directly from ASDM (capability now extended to all of the ASA 5500-X series) but that's not very feasible if you have more than one or two ASAs.

If you're only dealing with the one 5506 it might be fine for you though.

Thanks Marvin.

Terence Lockette — Fri, 11 Dec 2015 19:27:15 GMT

Thanks Marvin.

Unfortunately, we would be looking to purchase 2 ASA 5525-Xs with the appropriate FirePOWER licenses but now we won't because we're a Hyper-V only shop and will not add a mixed VM environment. Thanks for your response.

You're welcome.

Marvin Rhoads — Fri, 11 Dec 2015 19:31:23 GMT

You're welcome.

Maybe the Cisco BU will read your post and tip the scales to get the developers to release Hyper-V support. After all it's just a Linux box with an Oracle db, Tomcat app server and Apache web server under the covers.

Please mark your question as answered it it has been.

Marvin,

Terence Lockette — Mon, 28 Dec 2015 18:38:28 GMT

Marvin,

Do I have to run IPS in order to use URL/Content Filtering or can I just use URL/Content filtering without running IPS?

Terence

Terence,

Marvin Rhoads — Mon, 28 Dec 2015 18:45:18 GMT

Terence,

The IPS license is optional although I've always seen my customers opt for it.

The URL Filtering license can be added alone to the base Cisco ASA with FirePOWER Services license or as part of a bundle with the IPS and Apps or IPS and Apps and AMP licenses.

Gotcha. So I don't have to

Terence Lockette — Mon, 28 Dec 2015 18:47:33 GMT

Gotcha. So I don't have to run IPS in order to use URL/Content filtering because they're separate licenses. Thanks!

Marvin,

Terence Lockette — Thu, 31 Dec 2015 02:10:53 GMT

Marvin,

One last question. I'm going to be running my ASAs in active/standby HA. How does this work with FirePOWER? Is there documentation that covers this scenario? I'm assuming that I would have to have the same source fire files installed on both devices. I also understand that the management interface needs to be used so does this mean separate IP addresses for both boxes for the management interface? Some clarity would be greatly appreciated!

Thanks,

Terence

HA pairs and/or multiple ASAs

Marvin Rhoads — Thu, 31 Dec 2015 02:37:12 GMT

HA pairs and/or multiple ASAs with FirePOWER modules (or dedicated FirePOWER appliances) are where FirePOWER Manager becomes more compelling (contrasted with local management using ASDM).

With the manager, we can combine devices into a device group and apply policy once. They will always be in sync and there's little or no need to log into the individual modules or appliances once they've been setup. Their respective events will be correlated into single database to give you a unified view of all the connections, IOCs, etc.

Yes each FirePOWER module in an ASA HA pair has its own unique IP address and uses the ASA physical management interface (m0/0) for communications back to the FirePOWER Manager (or to ASDM if you go that route). That is in addition to any management address or interface you use on the ASA itself.

Thought I wouldn't have any

Terence Lockette — Wed, 06 Jan 2016 15:37:10 GMT

Thought I wouldn't have any more questions but I have to ask this...do I have to have my ASAs configured prior to installing FireSIGHT or can I install FireSIGHT and then get my ASAs configured prior to doing the actual configuration of my policies via the management console? I know what IPs I need to use for my ASAs and FireSIGHT.

Thanks,

Terence

You can configure the

Marvin Rhoads — Wed, 06 Jan 2016 15:55:36 GMT

You can configure the FirePOWER module independent of the parent ASA it resides in. Of course the module needs to have been installed - if it's not you have to image it from the ASA cli.

See the Quick Start Guide here for IP addressing:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-144598

Basically the FP module requires you to use the ASA management interface. It has its own default gateway independent of the host ASA. (It's basically a Linux VM with FirePOWER software.)

It's optional whether you also want to use that same physical interface (m0/0) for ASA management - most people do not and instead manage the ASA via the inside interface. That's primarily because (prior to ASA 9.5) a single context ASA only has one routing table. So unless you have a true out of band management network, using the ASA's m0/0 interface for management is challenging.

Thanks Marvin! I typically

Terence Lockette — Wed, 06 Jan 2016 15:58:25 GMT

Thanks Marvin! I typically use the inside interface to manage the ASA. I checked out some videos from LabMinutes and they put the management interface on the same subnet as their inside interface for their FireSIGHT deployment. I'm looking to use this same method. Is this ok?

Terence

Yes - the labminutes method

Marvin Rhoads — Wed, 06 Jan 2016 16:05:03 GMT

Yes - the labminutes method will work.

It can be confusing for folks who are new to the box to have two physical interfaces in the same subnet. As long as you remember they are being used by two different operating systems (ASA software and FirePOWER software - kind of like VMs on a hypervisor), it makes sense.

That makes perfect sense!

Terence Lockette — Wed, 06 Jan 2016 16:11:01 GMT

That makes perfect sense! Marvin I truly thank you for your help and assistance in this matter as it is very new to me.

Regards,

Terence