09-02-2019 11:45 PM
Hi.. I have been running a Cisco ASA 5545-X with the Firepower module installed; it has two storage devices with model number Micron_M600 (not sure if it is an SSD). However, the Firepower module has been set up and is showing up (ver 6.2.0).
I will also be building an FMC to manage it.
I need your help to guide me on sending traffic in/out from the ASA towards Firepower so that the traffic can be inspected and policies can be applied to it through Firepower.
Please suggest how I should accomplish it.
09-03-2019 01:55 AM
Hi,
You'll need to redirect traffic to the ASA FP module, add/register the device to FMC, apply the NGFW license feature in FMC and create your access control policies/rules.
see helpful link:
http://wannabecybersecurity.blogspot.com/2019/01/cisco-asa-firepower-traffic-redirection.html
09-03-2019 05:22 AM
Thanks for the help John. Also, I want traffic going to Firepower to be in monitoring only; I don't want any action/filter, so that I can initially monitor what type or category of traffic is flowing.
09-03-2019 06:03 AM - edited 09-03-2019 06:52 AM
You can leverage the FMC 'network discovery' and/or configure an access rule to allow all traffic and enable logging to monitor your user traffic/applications.
You typically want to observe traffic for at least 30 days (1 month) before applying your NGFW policies, i.e. URL filter, anti-malware, etc.
see helpful link:
http://wannabecybersecurity.blogspot.com/2019/05/configuring-cisco-fmc-network-discovery.html
09-03-2019 01:43 PM
You can use the following guides:
Install and configure firepower ASA service module.
FMC initial configuration
Register Device in FMC
For monitor mode you can either use the monitor-only keyword when redirecting traffic to the Firepower module or uncheck the drop inline option in the intrusion policy.
09-07-2019 01:54 AM
Hi Dileep /All.. Is FMC mandatory here for managing Firepower? Can't policies (web filter, IPS, etc.) be created/configured without FMC?
Also, please confirm whether any additional license is required on FMC for configuring policies.
09-07-2019 02:40 AM
You can configure and deploy policies for your ASA Firepower service module using ASDM. ASDM can manage only one module at a time and does not provide any historical reporting or object and policy reuse.
If you use FMC you get much more fine tuning, visibility and reporting features. You can also manage multiple modules and use common objects and policies. FMC requires its own license.
Whether you use ASDM or FMC you require a no-cost Control license for each module (mandatory). Depending on which features you want to use you must also purchase IPS, URL Filtering or Malware (AMP) licenses. They are all term subscriptions or licenses and are available for 1-, 3-, or 5-year terms. You can buy them individually or in combination packages (costs a bit less that way).
09-20-2019 05:39 AM
Hi.. Thanks for your suggestion.
I have just configured ASA Firepower, but after configuring the IP address, mask, etc. details, it is throwing some error, putting me back into the same window and asking me to configure the IP address, mask, etc. details again. Please see the error log below. Is it some kind of bug?
================================================
System (/usr/local/sf/bin/service_control.sh iptables restart) Failed -- (iptables-restore: line 1 failed)
Printing stack trace:
called from /usr/lib/perl5/site_perl/5.10.1/Error.pm (150)
called from /usr/lib/perl5/site_perl/5.10.1/Error.pm (396)
called from /usr/local/sf/lib/perl/5.10.1/SF/PeerManager/ConfigFiles.pm (785)
called from /usr/local/sf/lib/perl/5.10.1/SF/PeerManager/ConfigFiles.pm (1110)
====================================================================
asa# sh ver
Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)
asa# sh module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5545
Hardware version: N/A
Serial Number: XXXXX
Firmware version: N/A
Software version: 6.2.0-362
MAC Address Range: 1880.90f8.72a5 to 1880.90f8.72a5
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.0-362
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: X.X.X.X
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: X.X.X.X
Mgmt web ports: 443
Mgmt TLS enabled: true
09-20-2019 09:30 PM
The output indicates the module is up/up and an FMC manager is configured. Have you registered the device from within FMC?
09-23-2019 05:16 AM
Hi Marvin.. I will use ASDM to access the Firepower module.
I need one more piece of help here to configure the Firepower module. The management interface of the ASA is free, so I will use it for Firepower management. There will be no name and security level under the management interface, and I will give the Firepower module an IP from the same segment as the ASA inside interface. Now, does the gateway address need to be the ASA inside interface or the core switch connected to the ASA inside? Please confirm the correct gateway to configure.
Also, if we configure a manager IP on Firepower, will we no longer be able to access it through ASDM? Please confirm.
09-23-2019 07:14 AM
Gateway address should be whatever gateway allows you to reach the rest of your internal network, including the Firepower Management Center. If your core switch is where you route to from the ASA Inside interface and that switch uses SVIs (VLAN interfaces) then you should use that. Just connect the ASA management interface into a switch interface on the same VLAN as the ASA inside interface.
And yes - when you configure an FMC as the manager that will disable the use of ASDM for Firepower service module management.
09-28-2019 08:54 AM
Hi.. I have finished setting up Firepower now and am able to see the Firepower tabs, and I have redirected traffic on the ASA towards Firepower. I have not yet set up any policies; it's showing the default traffic allow on Firepower. But why am I not able to see anything on the Firepower reporting graph? Is there anything left to do?
09-28-2019 07:24 PM
At a minimum you need to assign an Intrusion Policy to your traffic flowing through the Firepower service module. Most basic users assign "Balanced Security and Connectivity" and enable logging (at beginning of connection and to event viewer) for that policy.
09-29-2019 02:27 AM
Hi Marvin,
Thanks for the update. I have done the same, but still no data is displayed in ASDM under the Firepower reporting section.
I had created a policy, any any under all sections, and called IPS and logging at beginning of connection.. but still no data is displaying. Please suggest.
09-29-2019 04:09 AM
Can you share the class-map, policy map etc. bits of the ASA config that redirect the traffic to the Firepower module?
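For reference, here is an added example (not any poster's actual configuration) of the ASA-side class-map/policy-map redirection the thread keeps coming back to, in the passive monitor-only mode the original poster asked for; the class-map name SFR_CLASS is an assumed example name, and global_policy is the ASA's default global policy-map.

```cisco
! Match the traffic to hand to the Firepower (sfr) module.
! SFR_CLASS is an assumed example name; match any sends everything.
class-map SFR_CLASS
 match any
!
! global_policy is the default global policy-map on an ASA; the sfr action is added inside it.
policy-map global_policy
 class SFR_CLASS
  ! monitor-only: the module receives a copy of the traffic and can only log, never block,
  !   which is the "monitoring only" behaviour requested in the thread.
  ! fail-open: if the module is down or not responding, traffic keeps flowing through the ASA.
  sfr fail-open monitor-only
!
! Apply the policy globally (already present in a default ASA configuration).
service-policy global_policy global
!
! Verification: the counters here should increase while traffic flows.
! If they stay at zero, the "no data in reporting" symptom is a redirection problem
! on the ASA, not a policy problem on the module.
show service-policy sfr
show module sfr details
```

Dropping the monitor-only keyword puts the module inline so that the intrusion and access control policies can actually block; keep fail-open unless you want the ASA to drop traffic whenever the module is down.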