Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3642
Views
15
Helpful
9
Replies

ASA FirePOWER Reporting generate

Go to solution
Alex Ribas
Beginner
Beginner

‎09-11-2021 09:10 AM

Hi All

I'm using Cisco ASa 5516 and we have module FirePOWER.

I'd like to know how do I generate traffic to see in this option.

ASA FirePOWER Reporting.

I appreciate your help guys.

FIREPOWER.png

thank you

Alex

 

2 Accepted Solutions

Accepted Solutions

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor

‎09-11-2021 09:41 AM - edited ‎09-11-2021 09:44 AM

 

In order for reporting to work you need to configure some rule. forexample Firepower need to see the traffic that is passing by the IPS moudles so it can started feed up the information.

here this link is good start for you

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/asa-fp-services/asafps-local-mgmt-config-guide-v63/using_asa_firepower_reporting.html

 

Have you redirected the traffic to SFR module.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Redirect Traffic to the SFR Module

In order to redirect traffic to the ASA SFR module, you must create a service policy that identifies specific traffic. Complete these steps in order to redirect traffic to an ASA SFR module:

  1. Select the traffic that should be identified with the access-list command. In this example, all of the traffic from all of the interfaces is redirected. You can do this for specific traffic as well.
    ciscoasa(config)# access-list sfr_redirect extended permit ip any any
  2. Create a class-map in order to match the traffic on an access list:
    ciscoasa(config)# class-map sfr
    ciscoasa(config-cmap)# match access-list sfr_redirect
  3. Specify the deployment mode. You can configure your device in either a passive (monitor-only) or inline (normal) deployment mode.

    Note: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.

    • In an inline deployment, after the undesired traffic is dropped and any other actions that are applied by policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission. This example shows how to create a policy-map and configure the ASA SFR module in the inline mode:
      ciscoasa(config)# policy-map global_policy
      ciscoasa(config-pmap)# class sfr
      ciscoasa(config-pmap-c)# sfr fail-open
please do not forget to rate.

View solution in original post

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to Alex Ribas

‎09-11-2021 12:02 PM - edited ‎09-11-2021 12:06 PM

This seem strange

 

Global policy:
Service-policy: global_policy
Class-map: sfr_class
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 645942, drop 0, reset-drop 0

 

 

could you run these command

 

!

show run all class-map sfr_class

!

and get the access-list from this class map and then give command

 

(Example) show access-list sfr_redirect

please do not forget to rate.

View solution in original post

9 Replies 9

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor

‎09-11-2021 09:41 AM - edited ‎09-11-2021 09:44 AM

 

In order for reporting to work you need to configure some rule. forexample Firepower need to see the traffic that is passing by the IPS moudles so it can started feed up the information.

here this link is good start for you

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/asa-fp-services/asafps-local-mgmt-config-guide-v63/using_asa_firepower_reporting.html

 

Have you redirected the traffic to SFR module.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

Redirect Traffic to the SFR Module

In order to redirect traffic to the ASA SFR module, you must create a service policy that identifies specific traffic. Complete these steps in order to redirect traffic to an ASA SFR module:

  1. Select the traffic that should be identified with the access-list command. In this example, all of the traffic from all of the interfaces is redirected. You can do this for specific traffic as well.
    ciscoasa(config)# access-list sfr_redirect extended permit ip any any
  2. Create a class-map in order to match the traffic on an access list:
    ciscoasa(config)# class-map sfr
    ciscoasa(config-cmap)# match access-list sfr_redirect
  3. Specify the deployment mode. You can configure your device in either a passive (monitor-only) or inline (normal) deployment mode.

    Note: You cannot configure both a passive mode and inline mode at the same time on the ASA. Only one type of security policy is allowed.

    • In an inline deployment, after the undesired traffic is dropped and any other actions that are applied by policy are performed, the traffic is returned to the ASA for further processing and ultimate transmission. This example shows how to create a policy-map and configure the ASA SFR module in the inline mode:
      ciscoasa(config)# policy-map global_policy
      ciscoasa(config-pmap)# class sfr
      ciscoasa(config-pmap-c)# sfr fail-open
please do not forget to rate.

Go to solution
Alex Ribas
Beginner
Beginner
In response to Sheraz.Salim

‎09-11-2021 11:25 AM

Hi Sheraz thank you 

I already created the acl

 

access-list sfr_redirection_acl extended permit ip any any
class-map sfr_class
match access-list sfr_redirection_acl
class sfr_class
sfr fail-open monitor-only

Bu I didn't see any traffic in FirePOWER reporting 

 

 

0 Helpful

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to Alex Ribas

‎09-11-2021 11:44 AM

can you run these command and show us the output

 

show service-policy sfr
show module sfr

Also have to configured any rule for the Firepower IPS insection etc?

 

please do not forget to rate.
0 Helpful

Go to solution
Alex Ribas
Beginner
Beginner
In response to Sheraz.Salim

‎09-11-2021 11:50 AM

Global policy:
Service-policy: global_policy
Class-map: sfr_class
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 645942, drop 0, reset-drop 0




Mod Card Type Model Serial
No.
---- -------------------------------------------- ------------------
-----------
sfr FirePOWER Services Software Module ASA5516 xxxxx

Mod MAC Address Range Hw Version Fw Version Sw Version

---- --------------------------------- ------------ ------------
---------------
sfr e41f.7b9a.12c4 to e41f.7b9a.12c4 N/A N/A 6.6.1-91

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ----------------
--------------------------
sfr ASA FirePOWER Up 6.6.1-91

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
sfr Up Up

0 Helpful

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to Alex Ribas

‎09-11-2021 12:02 PM - edited ‎09-11-2021 12:06 PM

This seem strange

 

Global policy:
Service-policy: global_policy
Class-map: sfr_class
SFR: card status Up, mode fail-open monitor-only
packet input 0, packet output 645942, drop 0, reset-drop 0

 

 

could you run these command

 

!

show run all class-map sfr_class

!

and get the access-list from this class map and then give command

 

(Example) show access-list sfr_redirect

please do not forget to rate.

Go to solution
Alex Ribas
Beginner
Beginner
In response to Sheraz.Salim

‎09-11-2021 12:05 PM

I agree 

And how do I fix it?

the command I received form TAC Cisco  

 

0 Helpful

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to Alex Ribas

‎09-11-2021 12:09 PM

You already opened an case with cisco in this regards?

 

please do not forget to rate.
0 Helpful

Go to solution
Alex Ribas
Beginner
Beginner
In response to Sheraz.Salim

‎09-11-2021 12:14 PM

I'll open the case.

Thank you 

Alex

 

0 Helpful

Go to solution
Alex Ribas
Beginner
Beginner
In response to Sheraz.Salim

‎09-11-2021 11:43 AM

Hi Sheraz

My main goal is

 

interface wguest monitoring the all traffic

 

source wguest 172.29.13.0/24 destination below monitoring these networks and application below.

 

wguest.png

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents