topic Re: New to Firepower in Network Security

New to Firepower

Andrew White — Fri, 21 Feb 2020 17:18:47 GMT

Hello,

I've inherited a couple of Cisco ASAs in active/passive mode that have Firepower installed. It seems there is also a VM appliance that I have access too.

Can anyone provide some handy commands to check how it's configure and what is being utilised?

Also I can't see what interfaces are being monitored.

Anything to give me a head start would be great then I can do some proper reading.

Thanks

Re: New to Firepower

curdubanbogdan — Wed, 17 Jul 2019 09:35:01 GMT

If FirePower is already configured you can use ASDM and it will scan Firepower module also. There you can access configuration -> ASA FirePower Module -> Device -> Interfaces. There you can see what interfaces are being placed in Zones and at Access Policy Rules you can see what Zones are placed in Source and Destination. At ASA configuration you can verify Firewall -> Inspect Policy -> global-map (or any other name) -> Check what traffic is passed to firepower for inspection and if it is monitor only or actualy inspecting the traffic.

Re: New to Firepower

Andrew White — Wed, 17 Jul 2019 10:47:59 GMT

All I can find in the ASDM is under Configurations > Firewall > Service Policy Rules

Here there is a policy called global-class with a tab called 'ASA FirePOWER Inspection' which is enabled and permits traffic.

I can't see any:

configuration -> ASA FirePower Module -> Device -> Interfaces or Firewall -> Inspect Policy

I do see the ASA FirePOWER Status tab under home and shows as 'Up' for status and application status

Any ideas?

Re: New to Firepower

Marvin Rhoads — Wed, 17 Jul 2019 12:20:58 GMT

From the ASA cli "show module sfr detail". If it is managed by the Firepower Management center (FMC, formerly known as Defense center or DC) that will be indicated in the output. If the module has been setup, similar info will show up on the Firepower section of the ASDM main page (down at the bottom center).

If the module is FMC-managed then all policies and settings are done on that server.

Re: New to Firepower

Andrew White — Wed, 17 Jul 2019 14:29:02 GMT

Hello,

Yes there is a FMC server, but I have no idea how the ASA servers data to it or how the ASA chooses what interface to monitor, all very confusing :). Seems there is no FirePower section on the ASDM apart from the tab on the home screen.

This is what I see:

en/act# show module sfr detail
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5516
Hardware version: N/A
Serial Number: JADx
Firmware version: N/A
Software version: 6.2.2.1-73
MAC Address Range: 005d.xe.x7 to 005d.xe.x7
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.2.1-73
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: 172.x.x.5
Mgmt IP addr: 172.x.x.7
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 172.x.x.254
Mgmt web ports: 443
Mgmt TLS enabled: true

Re: New to Firepower

Marvin Rhoads — Wed, 17 Jul 2019 14:56:48 GMT

Correct. When the Firepower service module is managed by FMC ("DC addr: 172.x.x.5") the the management of the module is not done at all via ASDM not can you see anything about it other than it's presence, software version, the fact that it is up and remotely managed.

The module inspects traffic that is sent to it via the ASA backplane according to the class-map/policy-map/service policy construct on the ASA config. Typically we send all traffic to the module (maybe excepting some that we don't want to inspect like for instance encrypted traffic that passes through the ASA). How the module inspects and what it does is completely configured on and reported to the FMC.

Re: New to Firepower

Andrew White — Wed, 17 Jul 2019 16:16:59 GMT

Ah I see, so the ASA will have a policy somewhere just pushing all the traffic to the FMC? Then the FMC has policies to monitor what interfaces?

Would you be kind enough to point me in the right direction to where there policies would be on the FMC?

I will check on the ASA at that global service policy as it must list the FMC IP somewhere?

Thanks again!

Re: New to Firepower

Marvin Rhoads — Thu, 18 Jul 2019 03:08:58 GMT

The ASA service policy pushes traffic to the internal Firepower module. The module interacts with the FMC to both receive configuration and send events.

In an FMC, the policies primarily are under an Access Control policy (ACP). The most common is the ACP itself but can also include Intrusion, Network Discovery, SSL and File polices as well as other elements like Security Intelligence and QoS.

There are several books as well as numerous free Cisco Live presentations that cover these in much more detail if you're interested in learning more.

Re: New to Firepower

Andrew White — Thu, 18 Jul 2019 05:50:59 GMT

Thanks. I will certainly do that.

I just need to first enable or remove an interface and wondered how I do that in FMC?

Kind regards

Re: New to Firepower

Marvin Rhoads — Thu, 18 Jul 2019 13:01:52 GMT

All interface configuration is done from the ASA. FMC only configures policies and related settings for the Firepower service module.

Re: New to Firepower

Andrew White — Thu, 18 Jul 2019 13:04:56 GMT

Hello,

Where on the ASA is this configured? We have many interfaces and I need to see which ones are being monitored.

I can't seem to locate this on the ASDM.

Re: New to Firepower

Marvin Rhoads — Thu, 18 Jul 2019 15:19:34 GMT

A Firepower service module (or, by extension, FMC) doesn't monitor ASA interfaces per se. It monitors traffic sent to is by the ASA class-map which is referenced in a policy-map and applied via a service policy (usually global). The class-map can say monitor all traffic or only traffic that matches an ACL. Whatever it scoops up is sent to the service module - irrespective of ASA interfaces.

Perhaps this flowchart will help explain it:

Re: New to Firepower

johnlloyd_13 — Fri, 19 Jul 2019 14:41:26 GMT

hi,

there are two ways to manage the ASA with FirePower (FP): locally via ASDM or via a central FMC.

do you want to learn how your current ASA talks to FMC? or are you removing the active/passive pair from FMC and do your own lab?

try to locate for the ASA policy-map and/or firepower ACL (if any).

you can refer to this helpful link to learn about ASA FP, ASDM and FMC:

http://wannabecybersecurity.blogspot.com/2019/01/cisco-asa-firepower-traffic-redirection.html

Re: New to Firepower

Andrew White — Fri, 19 Jul 2019 15:30:59 GMT

I’m trying to work out how the ASA talks to the FMC and how I can select what interfaces it’s monitoring.

Re: New to Firepower

johnlloyd_13 — Sat, 20 Jul 2019 01:28:03 GMT

hi,

the FP module on the ASA talks to FMC via the global policy map (and ACL) traffic redirection and registering the managed device/sensor (ASA FP) to the FMC.

you configure the security zones which the ASA interfaces are associated and then apply the FMC access control policy (ACP).

see helpful link:

http://wannabecybersecurity.blogspot.com/2019/06/configuring-cisco-fmc-objects-and.html

Re: New to Firepower

Andrew White — Sat, 20 Jul 2019 10:02:17 GMT

So when the FirePOWER module is setup you are asked to point it to the FMC IP and that's it?

I did find this global policy which I guess is auto generated:

en/act# session sfr con
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

> show managers
Type : Manager
Host : 172.x.x.5
Registration : Completed

And

System> show summary
-----------[ xxx-lh-sfr-02.xx.xx.local ]------------
Model : ASA5516 (72) Version 6.2.2.1 (Build 73)
UUID : 39c6acdc-1aae-11e8-b5d-8568d7f2
Rules update version : 2019-07-17-001-vrt
VDB version : 294
----------------------------------------------------

------------------[ policy info ]-------------------
Access Control Policy : Cisco123-Default
Intrusion Policy : Balanced Security and Connectivity

--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A

So I'm assuming all traffic then is sent to the module and on the FMC I can choose what interface to monitor from there? I can's see how I can select a new interface to monitor or deselect. See below:

There is a policy of some sort:

To me it's like this isn't even setup properly.

Thanks

Re: New to Firepower

johnlloyd_13 — Sat, 20 Jul 2019 11:24:36 GMT

hi,

your FMC has intrusion policy rule (IPS) configured. notice the yellow shield icon is enabled.

it seems like your FMC is not fully configured. notice there's a zero (0) count under logging (scroll icon).

Re: New to Firepower

Marvin Rhoads — Sat, 20 Jul 2019 11:34:07 GMT

You have not confirmed what is setup on the ASA with respect to what I mentioned earlier. i.e.:

"The module inspects traffic that is sent to it via the ASA backplane according to the class-map/policy-map/service policy construct on the ASA config."

If the ASA isn't sending traffic then the module cannot inspect anything - no matter what is or is not configured in the FMC and deployed to the module with respect to policy.

When we deploy an ASA with Firepower service module, it is very common that all of the access-lists and port forwarding etc. continues to be handled by the ASA config. That includes all interface configuration and everything you usually find in an ASA without any service module.

The Firepower service module gives us the opportunity to further inspect the traffic for intrusion detection and prevention purposes - traffic which has already been allowed, NATted, will be routed etc. by the parent ASA. Those inspections are in the form of Snort rules, security intelligence checks (looking for IP and URL blacklists and whitelists for source or destination traffic), protocol conformance, file inspections (if you have the Malware license), URL policy enforcement (if you have the URL Filtering license) and so forth.

Re: New to Firepower

Andrew White — Sat, 20 Jul 2019 14:19:29 GMT

Strange as I do get email alerts from time to say certain traffic has been dropped.

Re: New to Firepower

Andrew White — Sat, 20 Jul 2019 14:26:57 GMT

Hi Marvin,

I thought the global policy listed above was what you required, can you let me know what commands should identify how this is setup and I will post back?

What is strange I've been getting email alerts on dropped traffic (although it's stopped recently) and I can't on the FMC where this is configured. I've been asked to add our guest network interface on the ASA to the FirePOWER inspection rules, but as you can see I've struggling to find this.