ASA with Firepower module

Anukalp S
Level 1

Hi, I have been running a Cisco ASA 5545-X with the Firepower module installed; it has two storage devices with model number Micron_M600 (not sure if it is an SSD). However, the Firepower module has been set up and is showing up (ver 6.2.0).

I will be going to build FMC also to manage it.

I need your help to guide me on sending traffic in/out from the ASA towards Firepower, so that traffic can get inspected and policies can be applied to traffic through Firepower.

Please suggest how I should accomplish it.

17 Replies

johnlloyd_13
Level 9

Hi,

You'll need to redirect traffic to the ASA FP module, add/register the device to FMC, apply the NGFW license feature in FMC and create your access control policies/rules.

see helpful link:

http://wannabecybersecurity.blogspot.com/2019/01/cisco-asa-firepower-traffic-redirection.html

Thanks for the help John. Also, I want traffic going to Firepower to be in monitoring only; I don't want any action/filter, so that I could initially monitor what type or category of traffic is flowing.

You can leverage the FMC 'network discovery' and/or configure an access rule to allow all traffic and enable logging to monitor your user traffic/applications.

You typically want to observe traffic for at least 30 days (1 month) before applying your NGFW policies, i.e. URL filter, anti-malware, etc.

see helpful link:

http://wannabecybersecurity.blogspot.com/2019/05/configuring-cisco-fmc-network-discovery.html

You can use the following guides:

Install and configure the Firepower ASA service module.

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html


FMC initial configuration

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118595-configure-firesight-00.html


Register Device in FMC

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html


For monitor mode you can either use the monitor-only keyword when redirecting traffic to the Firepower module or uncheck the drop inline option in the intrusion policy.
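The ASA-side redirect that John and Dileep describe, written out as an added configuration example (it is not from any post in this thread and not Cisco's own text): a class-map that selects the traffic, the sfr action in the global policy with monitor-only for the observation phase, and the commands that confirm packets are actually reaching the module. The ACL and class names are assumed.

```cisco
! Added example (not from the thread): ASA-side redirect of traffic to the
! FirePOWER (sfr) service module. Names "sfr-traffic" / "sfr-class" are assumed.
!
! 1. Define which traffic the module sees. Start with everything (any/any);
!    narrow the ACL later once you know what must be inspected.
access-list sfr-traffic extended permit ip any any
!
class-map sfr-class
 match access-list sfr-traffic
!
! 2. Attach the sfr action to the default global policy (global_policy and
!    "service-policy global_policy global" already exist on a default ASA).
policy-map global_policy
 class sfr-class
  ! Monitoring-only phase: the module gets a copy of the flow and cannot drop
  ! anything; fail-open keeps the ASA forwarding if the module goes down.
  sfr fail-open monitor-only
!
! 3. When ready to enforce policy, swap the action for the inline form
!    (same class, without "monitor-only"):
!    policy-map global_policy
!     class sfr-class
!      no sfr fail-open monitor-only
!      sfr fail-open
!    Use "fail-close" instead if traffic must be blocked while the module is down.
!
! 4. Verify the redirect is matching packets (counters should increase while
!    traffic flows; zero counters explain an empty reporting graph):
!    show service-policy sfr
!    show module sfr details
```

If the service-policy counters stay at zero, the redirect itself is the problem rather than the access control or intrusion policy on the module.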

Hi Dileep/All. Is FMC mandatorily required here for managing Firepower? Can't policies (web filter, IPS, etc.) be created/configured without FMC?

Also, please confirm if any additional license is required on FMC for configuring policies.

You can configure and deploy policies for your ASA Firepower service module using ASDM. ASDM can manage only one module at a time and does not provide any historical reporting or object and policy reuse.

If you use FMC you get much more fine tuning, visibility and reporting features. You can also manage multiple modules and use common objects and policies. FMC requires its own license.

Whether you use ASDM or FMC you require a no-cost Control license for each module (mandatory). Depending on which features you want to use you must also purchase IPS, URL Filtering or Malware (AMP) licenses. They are all term subscriptions or licenses and are available for 1-, 3-, or 5-years. You can buy them individually or in combination packages (costs a bit less that way).

Hi, thanks for your suggestion.

I have just configured ASA Firepower, but after configuring the IP address, mask, etc. details, it is throwing an error and putting me into the same window, asking me to configure the IP address, mask, etc. again. Please see the error log below. Is it a kind of bug?

================================================

System (/usr/local/sf/bin/service_control.sh iptables restart) Failed -- (iptables-restore: line 1 failed)

Printing stack trace:
called from /usr/lib/perl5/site_perl/5.10.1/Error.pm (150)
called from /usr/lib/perl5/site_perl/5.10.1/Error.pm (396)
called from /usr/local/sf/lib/perl/5.10.1/SF/PeerManager/ConfigFiles.pm (785)
called from /usr/local/sf/lib/perl/5.10.1/SF/PeerManager/ConfigFiles.pm (1110)

====================================================================


asa# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)


asa# sh module sfr details
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5545
Hardware version: N/A
Serial Number: XXXXX
Firmware version: N/A
Software version: 6.2.0-362
MAC Address Range: 1880.90f8.72a5 to 1880.90f8.72a5
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.0-362
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: X.X.X.X
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: X.X.X.X
Mgmt web ports: 443
Mgmt TLS enabled: true

The output indicates the module is up/up and an FMC manager is configured. Have you registered the device from within FMC?

Hi Marvin, I will use ASDM to access the Firepower module.

I need one more bit of help here to configure the Firepower module. The management interface of the ASA is free, so I will use it for Firepower management. There will be no name and security level under the management interface, and I will give the Firepower module an IP from the same segment as the ASA inside interface. Now, does the gateway address need to be the ASA inside interface or the core switch connected to the ASA inside? Please confirm the correct gateway to configure.

Also, if we configure the manager IP on Firepower, will we then not be able to access it through ASDM? Please confirm.

Gateway address should be whatever gateway allows you to reach the rest of your internal network, including the Firepower Management Center. If your core switch is where you route to from the ASA Inside interface and that switch uses SVIs (VLAN interfaces) then you should use that. Just connect the ASA management interface into a switch interface on the same VLAN as the ASA inside interface.

And yes - when you configure an FMC as the manager that will disable the use of ASDM for Firepower service module management.
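The two sides of what Marvin describes, as an added configuration example (not from the thread and not Cisco's own text): the ASA management port left as a bare pass-through for the module, and the module's own address, gateway and (optional) manager settings. All addresses and the registration key are constructed placeholders; the gateway is assumed to be the inside-segment router (inside interface or core SVI).

```cisco
! Added example (not from the thread). Constructed addresses (RFC 5737):
! inside segment 192.0.2.0/24, gateway 192.0.2.1, module 192.0.2.10,
! DNS 192.0.2.2, FMC 192.0.2.50.
!
! --- On the ASA: Management0/0 is only a pass-through for the module, so it
! gets no nameif / IP; it just has to be up and cabled to the same VLAN as the
! inside interface.
interface Management0/0
 no nameif
 no ip address
 no shutdown
!
! --- Open the module CLI from the ASA:
!   session sfr console
!   (log in as admin; change the default password on first login)
!
! --- In the module CLI: address, mask and the gateway that reaches the rest
! of the internal network (including the FMC, if one is used), then DNS.
configure network ipv4 manual 192.0.2.10 255.255.255.0 192.0.2.1
configure network dns servers 192.0.2.2
!
! --- Only if FMC will manage the module. Setting a manager disables ASDM
! management of the module, so for ASDM-only management skip this step.
! "regkey123" is a constructed registration key; enter the same key in FMC
! when adding the device.
configure manager add 192.0.2.50 regkey123
show managers
```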

Hi, I have finished setting up Firepower now and am able to see the Firepower tabs, and I have redirected traffic on the ASA towards Firepower. I have not yet set up any policies; it is showing the default "allow traffic" on Firepower. But why am I not able to see anything on the Firepower reporting graph? Is there anything left to do?

At a minimum you need to assign an Intrusion Policy to your traffic flowing through the Firepower service module. Most basic users assign "Balanced Security and Connectivity" and enable logging (at beginning of connection and to event viewer) for that policy.

Hi Marvin,

Thanks for the update. I have done the same, but still no data is displayed in ASDM under the Firepower reporting section.

I had created a policy, any/any under all sections, and called IPS and logging at the beginning of connection, but still no data is displaying. Please suggest.

Can you share the class-map, policy map etc. bits of the ASA config that redirect the traffic to the Firepower module?
