topic ASA with FirePower Services URL Filtering blocks nothing in Network Security

ASA with FirePower Services URL Filtering blocks nothing

Boyan Sotirov — Fri, 21 Feb 2020 15:36:19 GMT

I'm working on an ASA 5516-X with FirePower Services.

Unfortunately we don't have a budget for FMC, so the management of the FirePower moduels is done via ASDM. But anyhow, we managed to get it working.

Now the task is to configure a URL filtering policy on the FirePower Module. We have been successful in importing all 4 licenses and updating the Geolocation and IPS databases. So far so good.

But still, I'm not able to get the URL filtering going... It seems like the nothing is matched and the traffc just passes through...

Here are the specs:

ASA software version 9.8(2)20

The FirePower module looks fine:

ciscoasa/act/pri# show module sfr details
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5516
Hardware version: N/A
Serial Number: JAD21240FR4
Firmware version: N/A
Software version: 6.2.0-362
MAC Address Range: 7070.8b67.d51b to 7070.8b67.d51b
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.0-362
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 10.11.12.202
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 10.11.12.254
Mgmt web ports: 443
Mgmt TLS enabled: true

Now, here's what we have configured.

1. First configure a URL filtering policy on the FirePower module. Check in the attached file.

2. Than an ACL was created to match traffic from one particular source IP we're testing the policies with. This is attached to a class map and added to the default global_policy

access-list FP_REDIRECT extended permit ip host 10.15.16.11 any

class-map sfr
match access-list FP_REDIRECT

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class sfr
sfr fail-open

3. I also see hits when I check the sfr policy

ciscoasa/act/pri# show service-policy sfr

Global policy:
Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open
packet input 486, packet output 486, drop 0, reset-drop 0

So, it should mean that whenever we generate traffic from the source we're matching, it should get redirected to the FirePower module, where there's a URL filtering policy.

But it does not work!

It does not work even if I put a static URL object...

So I cannot understand why this happens?

How can I further troubleshoot and make sure:

1. Traffic is properlly redirected to the FirePower module

2. The URL filtering policy is properly matched

Any hint or idea is appreciated!

Re: ASA with FirePower Services URL Filtering blocks nothing

Boyan Sotirov — Thu, 05 Apr 2018 21:32:14 GMT

After ponding around and reading additional materials I think I know where my problem is.
The URL filtering policy is just no applied. On the picture you could see the status of the policy as "Access Control Policy out of date on device". that's cool, but how to actually apply it?
I read a book on ASA with Firepower services right now, and there the autor shows a screenshot from ASDM with the policy where there's a button "Apply ASA FirePower Changes". The question is, why I don't have such a button on my device?

Re: ASA with FirePower Services URL Filtering blocks nothing

Boyan Sotirov — Thu, 05 Apr 2018 21:36:21 GMT

Attaching the full screenshot

Re: ASA with FirePower Services URL Filtering blocks nothing

Boyan Sotirov — Mon, 16 Apr 2018 05:27:52 GMT

I found a solution to this problem.
Indeed the FirePower policy needs to be saved first, and than applied to the device. So, as explained earlier, saving is straight forward. Applying the config to the FirePower module though is not. In older versions there used to be a button "Apply..." right next to the save button. In the newer versions we have to use:
1. File->Deploy
2. Or use the "Deploy" button from the ASDM....in the upper left corner.

Re: ASA with FirePower Services URL Filtering blocks nothing

Florin Barhala — Mon, 16 Apr 2018 11:11:02 GMT

I do have a question/curiosity: I have a cluster with firepower module and license.
Why don't I have the option of configuring the Firepower from ASDM? I have no Configuration\Firepower menu; I can only see the URL to a dedicated server in the Home button/section.

Thanks!

Re: ASA with FirePower Services URL Filtering blocks nothing

Boyan Sotirov — Mon, 16 Apr 2018 11:20:16 GMT

Hello Florin,

By cluster I guess you mean Active/Standby configuration. But even in a cluster configuration it will still hold true.

The reason you don't see the menu is most likely because you haven't configured an IP address of your FirePower module.

You have to do it manually for each an every member of the cluster or Active/Standby setup.

And depending on the ASA model you have different options on how to connect the FirePower module to your physical network. In high end models you have a dedicated management port. While the lower end models use the dedicated management port of the chassis - it's only one, so you must configure another port on the ASA and use it as a dedicated management port.

Once you do that and cable the dedicated port properly, your ASDM will establish SSL connection with the ASA first, and from the backplane it will learn the IP address of the FirePower module and it will establish another parallel SSL session to the FirePower module. This is how you will be able to manage both the ASA software and the FirePower module from ASDM. It's convoluted I know! But that's how this product works. Let me know if this helps, I did this recently so details are still fresh in my memory 🙂

Keep in mind that the FirePower module has different management from the ASA, and it's reachable via the dedicated physical port and the IP address configured there. From the ASA software you could communicate to the FirePower module over the data and control plane - internal to the chassis. But over the control plane you could configure only basic things. It's expected that the FirePower module is configured either via ASDM (which by the way is neither preferred, nor the recommended method... well, maybe in very small deployments) or via the FMC software.

Re: ASA with FirePower Services URL Filtering blocks nothing

Florin Barhala — Mon, 16 Apr 2018 11:25:19 GMT

Ok - that was lengthy. I inherited this config and there's a server Firesight or Firepower Management server that I personally find tough to work with. Not to mention I love ASDM "preview commands" option.

Does Firepower module has CLI? If I SSH to any ASA can I see firepower mgmt. config?

Thanks!

Re: ASA with FirePower Services URL Filtering blocks nothing

Boyan Sotirov — Mon, 16 Apr 2018 11:29:20 GMT

Yes, the FirePower module has a CLI, you can access it via SSH once it has a reachable IP address.
The initial configuration of the FirePower module is done via ASA CLI. You need "session sfr console" to login with the default username and password (admin, Admin123), accept the EULA and configure the IP address. You could also reach "expert mode" or the CLI of the Linux distro on which the FirePower runs. You also have some show commands within the CLI. Maybe some hidden commands too... of which I'm not aware of.

Re: ASA with FirePower Services URL Filtering blocks nothing

Florin Barhala — Mon, 16 Apr 2018 11:32:48 GMT

Thanks mate! I really need to read more about this.