cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9295
Views
10
Helpful
13
Replies

ASA Firepower pointless feature, half baked implementation, url filter not working, IDS blocking itself

Michael Braun
Level 1
Level 1

Well, this is probably more than a rant as anything else, but it this point I am not just disappointed with the whole ASA Firepower implementation but quite mad at Cisco for tossing out a product with promises not delivered.

Especially the ASDM Management of the FP Module (on a 5512)

The URL Filter

What point does any URL filter have, if it is not filtering correctly?

You can block porn all day long, yet it can not even prevent the number one hit on google search for porn.!!! SERIOUSLY?????

Just in case my number one hit is different than anyone else's, it is pornolaba.com.

While it is listed as adult on brightcloud, the FP module (mind the ASDM Management Version) is not capable of preventing the page from opening and displaying all of its content. While it somehow prevented playing vidz inside the browser, it let me download them as video files (well, the browser just popped up with "where to save the mp4 to...)

I have the same setup running on a 5506 with the Management Center, it seems to work better there (at least no video download) but I was able to view the main site too.

For all of you suggesting to use an Ironport,,,blah blah... if I wanted to use one I would have, I am talking about a simple url filter, which FP is supposed to be, I do not need a dedicated appliance for that, especially a way to expensive Ironport.

Besides that, even if porn is the only blocked cat. that I have configured, other sites (due to the IDS I guess) are opening extremely slow at first. Maybe because of the brightcloud lookup. Mainly on sites with lots of external links or distributed on Akamai.

(Fun part is, I can see SFP drop request from its own ASA management interface connecting to brightcloud.)

Any open source web filter can do better than this implementation of an URL Filter.

ASDM Management of FP

That is another ugly example of not doing anything right. Response time, reaction time is slow and I mean slow. Why put this into the ASA, if the CPU cannot handle the load? Besides it being really sluggish, compared to the management center on VMWare, it feels like half the features are missing, reporting is utterly useless, or settings are just spread over different parts of the gui compared to FPMC.

In a long run, or really doing it right, the ASDM implementation is pointless. And why the hell is this still JAVA??%$%#^@$#

JAVA SUCKS - GOT IT? - I have several VMs running due to the fact the there is nothing as incompatible as Java. Every pity java app will only run with whatever version it feels like - one 0.0.0.0.0.0.0.0.01 minor update - not working anymore.

NO ONE NEEDS JAVA - GET A REAL PROGRAMMER AND WRITE THIS IN C or at least something other than Java.

FP Management

So, we determined the ASDM implementation is useless, now we have to PAY for a management center that is needed in order to correctly configure a feature that has been sold with the ASA? And no one felt the need to mention that on the ASA website?

Granted, the 2 device lic is fairly reasonable priced, but it still has a price and for something necessary to configure a feature sold with the hardware, that I find a questionable business practice.

Furthermore, comparing the price tag for the higher license like 10 devices - that is as always so much overpriced that is stand in no comparison with the price for the module and/or hardware.

But even if we overlook that, WHY IS IT NOT RUNNNING ON Hyper-V?????????

Why is Cisco clamping down on it so hard to only run on VMware or KVM? Well maybe because their business policy is similar to Cisco? Overpricing and ripping customers off?

There is NO - absolutely NO reason to force customers to use VMWare or KVM. Any virtual implementation should be available on the platform of my choosing. There is no technical reason for it not to work on Hyper-V or Citrix or whatever. Others can do it too.

Cisco should be aware that there are more and more companies are pushing into the market and every year there is more and more that Cisco has to share with others BECAUSE of things like that.

Last but not least,

ASA Access Rules, FP Rules

If I have permitted ACLs, I have permitted them for a reason. FP seems to ignore that and just blocks communication on that port.

For example I have external connection from a static IP to an ASA on port 38000 which is by nat/pat translated to x.x.x.x / 3389 - yes RDP.

But as soon as I flip the switch, the FP is blocking all connections to that port. REALY?

I had to do another PERMIT on the Access Control in FP? SERIOULSY?

Also we manage quite a few ASAs for customers, where is the option to manage the FP Module from a Public IP AND internal IP?

Also it is not wanting to cooperate when doing it through a vpn tunnel and with source nat. Bummer, so I have to have a VM at all sites to manage the FP internally...  at least I have not seen any other way as of yet.

Now of course it could be that this is all some bugs, or a coincidence of unfortunate configuration events that lead to all this, but I am using latest updates, even rebooted twice.

Ok done. Lets conclude:

- URL Filter not working as it should, ESPECIALLY porn site are not getting blocked correctly. For most customers, that is a no-go.

- ASDM only java - becoming more and more a problem especially since Chrome and IE dropped it.

- FP Management on ASDM is half baked, slow, sluggish, looks different compare to FPMC, reporting stinks

- FP MC, works, menu structure feels a bit criss-crossed, BUT it has a price tag for what should be free. Also higher license versions (other than 2) are way to expensive. Only web based, thus slow, power hungry, would it be written in a real programming language it would be much better and faster as a real application. Reporting actually works well.

Unfortunately all of Cisco Software Suits are overpriced by a factor of 10.

- Supports only VMware,KVM, no logic behind that other that Cisco has VMWare shares. Ignores other VM platforms

But maybe all this is just a fluke and gone by itself tomorrow...or maybe the documentation sucks and I was not able to find the needed parts...

1 Accepted Solution

Accepted Solutions

Oliver Kaiser
Level 7
Level 7

I understand your frustration. A rant after encountering limitations and bugs is understandable and necessary for vendors to take problems seriously.

I will try to explain some of the issues and tell you my opinions, might help  :)

1) Firepower ASDM Management

It is a bad implementation full of bugs and not maintained very much because there is more focus on Firepower Management Center and the new Firepower Device Manager (for FTD). IMO it should not be used by anyone. I know using a VM (FMC) to manage a single firewall seems like an overkill but its worth it. ASDM Management will die off sooner or later, it has been a dirty hack to provide on-board management without FMC.

2) URL Filtering

To understand why this is happening, understanding the url filtering architecture might be of help. Firepower uses the Brightcloud database for url filtering which is about 400MB and stored in a shared memory segment on the firepower module. Since smaller ASAs have less memory, the 400MB database cannot be loaded into memory and another db with 30MB is used. To work around "unknown" URLs a flag can be configured to lookup unknown URLs online if they cannot be found in the local database.

tl;dr low-end ASAs url filtering has limitations when it comes to categorization

3) Using WSA to work around URL Filtering bugs and limitations

I am with you on that one. Using an additional product is not acceptable. 6.2 will be focused on stability and many bugs considering url filtering should be fixed by then.

4) Firepower Management Center

We might see Hyper-V support in the future. Since many shop deploy VMware / KVM I think Hyper-V hasnt been a high-priority roadmap item, but I understand the frustration for MS-only shops. 

FMCv 6.0 looks like it does not need a device license for devices (encountered during a recent installation), but I will ask a cisco rep, since it isnt documented anywhere.

Considering performance... They definitely need to do some refactoring and solve performance issues. Many api calls / db queries just fry a single cpu core which leads to performance issues.

5) Access Rules

Using ASA + Firepower Services can result in a somewhat redundant ruleset depending on how you design your firepower policy but other approaches might solve this (e.g. only blacklisting + permit any any with inspection). Another possible workaround is an any-any ruleset on ASA side and only configure policies in firepower (more suitable for smaller deployments).

Using the converged image (FTD... ASA+Firepower Code in one image) makes this issue obsolete, but FTD does not have feature parity yet.

6) Management via Public IP

Why not NAT/PAT the management interface IP of the firepower module and only permit access from your FMC? Works fine without issues.

Let me know if you have any question. 

View solution in original post

13 Replies 13

Oliver Kaiser
Level 7
Level 7

I understand your frustration. A rant after encountering limitations and bugs is understandable and necessary for vendors to take problems seriously.

I will try to explain some of the issues and tell you my opinions, might help  :)

1) Firepower ASDM Management

It is a bad implementation full of bugs and not maintained very much because there is more focus on Firepower Management Center and the new Firepower Device Manager (for FTD). IMO it should not be used by anyone. I know using a VM (FMC) to manage a single firewall seems like an overkill but its worth it. ASDM Management will die off sooner or later, it has been a dirty hack to provide on-board management without FMC.

2) URL Filtering

To understand why this is happening, understanding the url filtering architecture might be of help. Firepower uses the Brightcloud database for url filtering which is about 400MB and stored in a shared memory segment on the firepower module. Since smaller ASAs have less memory, the 400MB database cannot be loaded into memory and another db with 30MB is used. To work around "unknown" URLs a flag can be configured to lookup unknown URLs online if they cannot be found in the local database.

tl;dr low-end ASAs url filtering has limitations when it comes to categorization

3) Using WSA to work around URL Filtering bugs and limitations

I am with you on that one. Using an additional product is not acceptable. 6.2 will be focused on stability and many bugs considering url filtering should be fixed by then.

4) Firepower Management Center

We might see Hyper-V support in the future. Since many shop deploy VMware / KVM I think Hyper-V hasnt been a high-priority roadmap item, but I understand the frustration for MS-only shops. 

FMCv 6.0 looks like it does not need a device license for devices (encountered during a recent installation), but I will ask a cisco rep, since it isnt documented anywhere.

Considering performance... They definitely need to do some refactoring and solve performance issues. Many api calls / db queries just fry a single cpu core which leads to performance issues.

5) Access Rules

Using ASA + Firepower Services can result in a somewhat redundant ruleset depending on how you design your firepower policy but other approaches might solve this (e.g. only blacklisting + permit any any with inspection). Another possible workaround is an any-any ruleset on ASA side and only configure policies in firepower (more suitable for smaller deployments).

Using the converged image (FTD... ASA+Firepower Code in one image) makes this issue obsolete, but FTD does not have feature parity yet.

6) Management via Public IP

Why not NAT/PAT the management interface IP of the firepower module and only permit access from your FMC? Works fine without issues.

Let me know if you have any question. 

Thanks for your input on this, at least now i do not feel like i am the only one complaining.

1.) ASDM Management

Yes, it does look like a dirty hack. Nevertheless, since the ASA is running a Linux Kernel, Cisco could have done better. Or at least advised that this is just a temp implementation and it will go away. Luckily i only pitched the integration to the customers as a "helper" and the FMC should be used for serious work.

We may see a centralized management for ASA and FP in the future, but hopefully this will be NEAR future. Long time overdue it is anyways, especially getting rid of Java.
While i like the console of course, some things, especially on the ASA are just easier with ASDM, VPN wizard e.g.

Remembering the botched implementation of CX,AIX etc, it just leaves you with a bad aftertaste.

2.) Ugh, makes sense, i did suspect that, well, it is mentioned in the online docs - but failed to specify EXACTLY which ASA suffers from that and which may not.

But, if a customer does test "porn" - and they do, missing the first hit on goggle and not being able to correctly block it - makes it look ridicules in the eyes of the customer. There is no excuse why it cannot block that site - probably the whole IP, where there is one porn site hosted, probably a lot of others are too.
Legally, if a minor gets a hit on that, you can be in BIG trouble. So it is a decision maker.

3.) I sure hope so, currently it is more a bonus option to have FP instead of a selling point.

If i need in depth filtering and reporting, of course there is no way past WSA.
And it comes with a hefty price tag. That is one thing i do not get with Cisco. If they just lower their prices for mid sized business - i remember the Spam Filter was such a project, and we sold that thing like hot chocolate croissants on a cold winter day, and then it got dropped - they could slam the market with Cisco and point the world green.

4.)Yeah well, it is not like Hyper V just popped up out of nowhere, it has been pushed hard by MS and we have a lot of customers - especially in the mid size business, that are using MS instead of VMW. Granted VMW has stepped down from their high horse a bit, but considering that the small to medium companies in a whole have more assets compared to the major players, ignoring them you should not.

If the two device VM is indeed free, well, at least it would be a band aid for the time being.

5.) Yes it does, but it should not. FP should be able to read the NAT rules and understand to not block traffic on these ports - or a warning of a possible overlap woulda been nice.
I guess if and when it is a fully integrated system, we just have to keep that in mind. Although i do not remember a warning anywhere pointing that out. Learning by doing i guess.

6.) Actually i have not thought of that since i was thinking the management interface is more like an isolated interface. OK, i will give that a try.

But by doing so, if the ASA has to communicate with the FPMC especially for the URL filtering, latency may just be to much and user experience will drop. And if users have to wait an additional second for a page to open - you know how that goes.

Thanks for your participation.

Markus

 

Now, just for kicks, 

as i understand i buy a Firewpower System, in my case an ASA + Subs.

And then i still have to BUY a License to manage to afore mentioned system?

FS-VMW-2-SW-K9 (Because the ASA Firepower Management is pointless)

Really.... this is like buying a car and afterwards being told the motor is not included but instead comes on a separate trailer, that also only hooks up to certain hitches (VMware,KVM)

And then have the audacity to charge 15k for a 25 Dev Lic ???

FS-VMW-SW-K9   Cisco Firepower Management Center, (VMWare) for 25 devices 10,795.00
CON-SAU-VMW   SW APP SUPP + UPGR Virtual FireSIGHT Software 5,397.00

The Price for a car for some software that should have been included ?

I do not know who in the upper section makes decisions like that, but this is definitely one of the major reasons people are turning their back on Cisco.

There is NO REASON to charge 400 -500 ticks PER Device Lic.

And in the same sentence saying " oh this is really cheap and affordable pricing"

Sorry but the price is not and never will be justified.

I got feedback considering licensing from my cisco rep. The device licenses for FMCv are still required - the output from the licensing page is quite misleading atm.

I am also not a big fan of the licensing model and would prefer some tearing which could include advanced reporting/analytics for X devices, but device configuration/management should not be licensed IMO.

Considering the price... substract 50% to get the real price. ;)

True, i posted the list price but whats even worse and i just had this happening today, explain to a customer why a 10dev lic cost 1200 but a 25 dev lic cost 6000? in  my calculation it should be x2.5 = 3600 or even less since you buy MORE.

Funny thing thou, it looks like they took the price for the hardware box (50dev), took 50 percent of it and made it the price for the virtual 25devs.

Just forgot to take into account that IT DOES NOT COME WITH A SERVER!@! They are just lic's.

I am going to complain about this to a Cisco Rep but unless you are a Fortune 500 customer....

(50% already deducted :))

Hi everyone. That's why i hate ASA when licensing part comes. Unfortunately, I have to install around 30 5512, 5515 boxes for a customer who only love brand and two of them are in my lab with same problem mentioned by Michael Braun.  I worked on fortigate and its 1000 % better than ASA from SMB to midsize. One box everything is inside url, ips, app control, amp. All is gui based on one page to mention everything that's why anyone can manage it. When u compare the price of box and license, fortigate is ahead from ASA. 

Regards!

ACEIT ACEIT
Level 1
Level 1

Agreed, one of the worst integration between two system in history.

They glued the two worlds - ASA <-> Firepower - it seems with shipment tape.

I've been in software eng. and of course this happens during acquisitions etc. but what so far is released is half baked.

And now the fun part, due to Intel's Atom disaster, we can now reinstall all of our FP ASAs, just one takes hours to complete and afterwards the hassle with switching the license keys...do this times 30 - fun fun ahead....

Well yea don't get us started on Cisco licensing hell on the new ASA platform.

The opposite of simplicity... chassis lic, anyconnect, no wait... also APEX to enable some functions, sourcefire IDS, no wait u need also URL filtering to do that and that... ah well you need to manage it, so buy also the vmware appliance... lol... and of course multiple point and GUI to input the license data you payed for..  the VARs too have difficulty in navigating such twisted licensing landscape...

Hope that at least they are able to squeeze that extra profit in product differentiation with these overly designed licensing plans, otherwise I can't explain it.

And yes u are right....... have fun in replacing all of the above during RMA scenarios.... :(

We have been on Cisco for firewalling for legacy reasons, but those were the time that you bought a PIX series and that's it..... nowadays if starting from ground zero I would reconsider the brand choice JUST for the licensing overhead...

I feel you. Been there, done that.  One to two hours to reinstall or update Firepower in ASA. And if you change your mind to use FP from ASDM to Firepower management System, you have to delete the license also from your cisco account and transfer it to firepower management system machine.

tsiemers1
Spotlight
Spotlight

Agreed.  We have had Firepower using the FMC for about a year now.  We are in the process of transitioning to a different content/IPS filter.  Every time we were told it could do something we would try to implement it and it would be nothing but headaches.  

Needs a complete revamp before I'll consider going back to the filtering part of it.  The ASA on their own I have no problem with.

Hi, I just want to back everyone's opinion up.

I'm running a 5506W-X, ASA part is good although ASDM could do with a makeover, but what the heck is this Firepower thing doing? Initially I thought waoo NGFW, how cool - however this turned out to be a huge disappointment.

1. You buy a firewall with firepower, but then have to pay extra to use it.

2. You need a smartnet account to download updates to fix defects in for something you've already payed for, additional $$$$.

3. Dispite all, I've played around with firepower and it doesn't do anything.

Get your act together Cisco!

By the way, have looked at Paloalto, looks good so far.

Yea Cisco is doing big favors to their competitors with the latest instances of Firewalls.

As a summary, my 2 cents:

- simplify, simplify, simplify as a general guideline

- get tradeoff between license complexity and profit right. If you get things too much complicated many costumers you go to competitors due to the licensing nonsense. Even experienced VARs minds explode when confronted with Cisco license-delirium

- replace ASDM with a web client. One solution for all the features. Don't let customers think of two products (ASA and FP) when they use the product. The necessary management system should be on the firewall itself not outside as default (just run a VM on the firewall itself if you want to isolate things).

Review Cisco Networking for a $25 gift card