Beginner

Re: Ask the expert- Best practices on Cisco FirePOWER

Hi Marvin

I have a question regarding FMC: is it possible to manage multiple ASA with FirePOWER Services firewalls and FTD appliances all from the same FMC, so long as the FMC is licenced to manage the required number of devices?

And if not, then what is the recommended approach if you have an existing FMC managing a reasonably sized estate of ASA with FirePOWER Services and you want to gradually migrate to FTD?

Cheers

Dchill

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@dchill,

Sure, FMC is designed to manage multiple sensors. It comes as a virtual appliance licensed for 2, 10 or 25 managed devices. It also comes as a hardware appliance option. Hardware FMCs are not limited by the number of managed devices but rather by storage size for events etc.

As long as you have the current license types (SKU with "SF" in the product number, like SF-FMC-VMW-K9) for your virtual FMC, you can mix and match Firepower service modules on ASA, FTD appliances, and classic Firepower NGIPS devices (i.e. the old Sourcefire appliances now branded Cisco).

Beginner

Re: Ask the expert- Best practices on Cisco FirePOWER

Hi Marvin

I am aware that FTD does not as yet have full feature parity with ASA code, though I know it does support OSPF. I had a customer today wanting to know if FTD would allow them to triangulate 3 x sites via layer 2 circuits, and then to run OSPF over IPsec tunnels between the 3 sites to facilitate the dynamic routing.

It could be a show stopper if the FTD would not support OSPF over IPsec VPN, so if you could let me know that would be great.

Cheers

Dchill

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@dchill,

You cannot pass OSPF directly via the IPsec tunnel as it uses multicast to form neighbor adjacencies.

In such a case, Cisco recommends having the downstream routers that will be the OSPF neighbors use an encapsulation like GRE via which they tunnel that peering. Thus the FTD devices running the IPsec tunnels only see the unicast traffic from their local peering routers and the respective sites' corresponding peers.

There's a configuration guide for doing that here:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14381-gre-ipsec-ospf.html

It's 10 years old but still valid as far as I know - just mentally replace the PIX with FTD. :)
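As an added illustration of the design Marvin describes (this is not configuration from the thread or from the linked Cisco guide), here is the IOS configuration for the Site A LAN router that sits behind Site A's FTD in a three-site mesh. All addressing is constructed: the router reaches the local FTD over 10.1.0.0/24, the Site B and Site C routers expose 10.2.0.1 and 10.3.0.1 as their GRE endpoints, and the 172.16.x.x/30 networks are the point-to-point GRE links. OSPF runs only inside the GRE tunnels, so each FTD sees nothing but unicast GRE (IP protocol 47) between the two router endpoints, which its site-to-site IPsec tunnel then encrypts.

```cisco
! Site A LAN router behind the Site A FTD (constructed example, not from the thread)
! LAN 192.168.1.0/24; router-to-FTD link 10.1.0.0/24 (router .1, FTD inside .2)
hostname SiteA-RTR
!
interface GigabitEthernet0/0
 description To local FTD inside interface (GRE endpoint for this site)
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Site A LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel12
 description GRE to Site B router; carried inside the FTD A<->B IPsec tunnel
 ip address 172.16.12.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 10.2.0.1
 tunnel mode gre ip
!
interface Tunnel13
 description GRE to Site C router; carried inside the FTD A<->C IPsec tunnel
 ip address 172.16.13.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 10.3.0.1
 tunnel mode gre ip
!
! Remote GRE endpoints are always reached through the FTD, never via a tunnel,
! otherwise OSPF could learn the endpoint through the tunnel and the tunnel
! would flap (recursive routing).
ip route 10.2.0.1 255.255.255.255 10.1.0.2
ip route 10.3.0.1 255.255.255.255 10.1.0.2
!
router ospf 1
 router-id 10.1.0.1
 passive-interface default
 no passive-interface Tunnel12
 no passive-interface Tunnel13
 network 192.168.1.0 0.0.0.255 area 0
 network 172.16.12.0 0.0.0.3 area 0
 network 172.16.13.0 0.0.0.3 area 0
```

The Site B and Site C routers mirror this with their own endpoint addresses and static routes back through their FTDs. On each FTD, the site-to-site VPN's protected networks need to cover only the two router endpoint addresses (for example 10.1.0.1/32 local and 10.2.0.1/32 remote for the A<->B tunnel), and the access control policy must permit GRE between those endpoints in both directions. The reduced tunnel MTU and TCP MSS clamp account for the combined GRE and IPsec overhead so LAN hosts do not depend on path MTU discovery working across the tunnel.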

Enthusiast

Re: Ask the expert- Best practices on Cisco FirePOWER

I've got one that's been bugging me for a while. When you set up a pair of ASAs in Active/Standby, with Firepower IPS modules, the FHM always reports an error that the standby is not receiving data. It's obviously because the standby is in standby. I usually have to edit the policy to not report that error. I feel as if that is a workaround. What is the right way to make it so the standby does not report the "no data inline" error?

The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"
Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@robinson,

I've been doing the same thing as you - edit the Health policy.

I agree it's a bit of a hack. I think the root problem is that the ASAs' Firepower modules have no awareness of each other. Without that awareness, the standby unit's module genuinely thinks it's unhealthy.

Re: Ask the expert- Best practices on Cisco FirePOWER

Hello, do I have to consider a license for Remote Access VPN and Site-to-Site VPN for a Firepower 2120 device? Do they have a grace of 2 VPN peer connections like the ASA?

Thanks in advance.

Regards,

Juan Carlos Arias

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@Juan Carlos Arias Perez,

There's not an automatic 2-peer license with FTD Smart-licensed devices. However, Cisco offers 4-week Apex evaluation licenses that incorporate all Plus license functionality. To obtain an evaluation license, please visit: https://www.cisco.com/go/license. Select the following: Get Other Licenses -> Demo and Evaluation -> Security Products -> AnyConnect Plus/Apex (ASA) Demo license.

Also note that if you have existing AnyConnect 4.x PAK-based licenses you can have them shared with your Smart License account. As long as you don't exceed the licensed number of unique users, AnyConnect 4.x licenses can be used on multiple devices simultaneously.

Frequent Contributor

Re: Ask the expert- Best practices on Cisco FirePOWER

Hi Marvin Rhoads, is there an example of how to script the deployment of a bulk of rules under an ACP and NATs with the REST API?

How was your experience with migrating ASA to FTD? When I tested the migration tool I felt that I lost control.

Thanks.
Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@#Mat,

Sorry but I don't have experience doing that. You might have a look at Oliver Kaiser's blog here:

http://dependencyhell.net/2017/08/27/Automating-ACP-Bulk-Changes/

I have heard a fair amount of criticism from my peers about the migration tool.
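As an added example of the bulk rule deployment asked about above (this is not code from the thread, from Oliver Kaiser's blog or from Cisco), the script below builds access control rule bodies from a small constructed CSV and pushes them to an FMC access control policy in batches. It assumes the FMC 6.2.x REST API paths used here (`/api/fmc_platform/v1/auth/generatetoken` for the session token and the `accessrules` collection under an access policy with the `bulk=true` query parameter), a per-request batch cap of 500 rules chosen as a conservative assumption, and placeholder values for the FMC host, credentials and policy UUID that you replace with your own. Only the Python standard library is used, and TLS verification stays on: point `FMC_CA_FILE` at the FMC's CA certificate rather than disabling verification.

```python
"""Bulk-create access control rules on an FMC via its REST API.

Added example for this thread; not code from the original post or from Cisco.
Assumptions (labelled): the FMC 6.2.x API paths below, the bulk=true query
parameter on the accessrules collection, a 500-rule batch size, and the
placeholder host, credentials, CA file and policy UUID.
"""
import base64
import json
import os
import ssl
import urllib.request

# Placeholders: replace with your FMC host, CA certificate and access policy UUID.
FMC_HOST = "fmc.example.invalid"
FMC_CA_FILE = "/path/to/fmc-ca.pem"
ACP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder access policy UUID
BATCH_SIZE = 500  # assumed conservative per-request cap for bulk=true

VALID_ACTIONS = ("ALLOW", "TRUST", "BLOCK", "MONITOR", "BLOCK_RESET")

# Constructed sample input: name,action,source CIDR,destination CIDR
SAMPLE_CSV = """\
block-guest-to-dc,BLOCK,192.0.2.0/24,198.51.100.0/24
allow-lan-to-dns,ALLOW,10.0.0.0/8,198.51.100.53/32
"""


def build_rule(name, action, src_cidrs, dst_cidrs, enabled=True):
    """Return one AccessRule body using network literals (no object lookups)."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported action: {action}")
    literals = lambda cidrs: [{"type": "Network", "value": c} for c in cidrs]
    return {
        "type": "AccessRule",
        "name": name,
        "action": action,
        "enabled": enabled,
        "sourceNetworks": {"literals": literals(src_cidrs)},
        "destinationNetworks": {"literals": literals(dst_cidrs)},
        # Log at connection start and ship events to FMC so every new rule is
        # visible in connection events from the moment it is deployed.
        "logBegin": True,
        "logEnd": False,
        "sendEventsToFMC": True,
    }


def rules_from_csv(text):
    """Parse the four-column CSV format above into a list of rule bodies."""
    rules = []
    for line in text.strip().splitlines():
        name, action, src, dst = [field.strip() for field in line.split(",")]
        rules.append(build_rule(name, action, [src], [dst]))
    return rules


def chunk(items, size=BATCH_SIZE):
    """Split a rule list into batches no larger than the assumed bulk cap."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def get_token(host, user, password, ctx):
    """POST to generatetoken with Basic auth; return (access token, domain UUID)."""
    url = f"https://{host}/api/fmc_platform/v1/auth/generatetoken"
    req = urllib.request.Request(url, method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def post_bulk_rules(host, token, domain, acp_id, rules, ctx):
    """POST rule batches with bulk=true; return the created rule objects."""
    url = (f"https://{host}/api/fmc_config/v1/domain/{domain}"
           f"/policy/accesspolicies/{acp_id}/accessrules?bulk=true")
    created = []
    for batch in chunk(rules):
        req = urllib.request.Request(url, data=json.dumps(batch).encode(), method="POST")
        req.add_header("Content-Type", "application/json")
        req.add_header("X-auth-access-token", token)
        with urllib.request.urlopen(req, context=ctx) as resp:
            created.extend(json.load(resp).get("items", []))
    return created


if __name__ == "__main__":
    # Credentials come from the environment so they never land in the script.
    ctx = ssl.create_default_context(cafile=FMC_CA_FILE)
    token, domain = get_token(FMC_HOST, os.environ["FMC_USER"], os.environ["FMC_PASS"], ctx)
    created = post_bulk_rules(FMC_HOST, token, domain, ACP_ID, rules_from_csv(SAMPLE_CSV), ctx)
    print(f"created {len(created)} rules; deploy the policy from FMC to push them to devices")
```

Creating rules through the API does not deploy them: the policy still has to be deployed to the managed devices afterwards, which is where a review step fits in if you want to keep the control the migration tool was felt to take away. NAT rules follow the same pattern against the NAT policy's rule collection rather than `accessrules`.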

Frequent Contributor

Re: Ask the expert- Best practices on Cisco FirePOWER

Hi Marvin Rhoads, is there an example of how to script the deployment of a bulk of rules under an ACP and NATs with the REST API?

How was your experience with migrating ASA to FTD? When I tested the migration tool I felt that I lost control.

Thanks.
Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@#Mat

Duplicate post - answered above.

Beginner

Re: Ask the expert- Best practices on Cisco FirePOWER

Hi Marvin,

I have an FMC that controls 2 x Firepower 4120s as HA with Base and Threat licenses. What can I do with these licenses? Can you explain or advise a detailed document? For example, can I do URL filtering, application control etc.?

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@ozgur.ocalan,

You cannot do URL Filtering with a Base plus Threat license. URL Filtering and Malware protection are separately licensed features, as is remote access VPN (AnyConnect).

The Firepower Management Center Configuration Guide has a definitive listing of what's included in the various licenses. I have quoted it here for your information as follows:

Base Licenses

The Base license allows you to:

  • implement user and application control by adding user and application conditions to access control rules
  • configure your Firepower Threat Defense devices to perform switching and routing (including DHCP relay and NAT)
  • configure Firepower Threat Defense devices as a high availability pair
  • configure security modules as a cluster within a Firepower 9300 chassis (intra-chassis clustering)
  • configure Firepower 9300 or Firepower 4100 series devices running Firepower Threat Defense as a cluster (inter-chassis clustering)

Your purchase of a Firepower Threat Defense device or Firepower Threat Defense Virtual automatically includes a Base license. All additional licenses (Threat, Malware, or URL Filtering) are optional.

A Base license is added to the Firepower Management Center for every Firepower Threat Defense device you register.

Threat Licenses

A Threat license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:

  • Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
  • File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. AMP for Networks, which requires a Malware license, allows you to inspect and block a restricted set of those file types based on their dispositions.
  • Security Intelligence filtering allows you to blacklist (deny traffic to and from) specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately blacklist connections based on the latest intelligence. Optionally, you can use a "monitor-only" setting for Security Intelligence filtering.

You can purchase a Threat license as a stand-alone subscription (T) or in combination with URL Filtering (TC), Malware (TM), or both (TCM).

If you disable Threat on managed devices, the Firepower Management Center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as trigger criteria stop firing. Additionally, the Firepower Management Center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot re-deploy existing policies until you re-enable Threat.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/licensing_firepower_system.html?bookSearch=true#reference_A00D8504BBA84A27B07B74014AA7337A

Contributor

Re: Ask the expert- Best practices on Cisco FirePOWER

We are an educational institution aligned with Cisco Academy. We have just purchased 3 ASA 5506.

How can we run Firepower on all three devices, across classes and across years?