04-05-2018 01:06 PM - edited 02-21-2020 07:36 AM
I'm working on an ASA 5516-X with FirePower Services.
Unfortunately we don't have a budget for FMC, so the management of the FirePower modules is done via ASDM. But anyhow, we managed to get it working.
Now the task is to configure a URL filtering policy on the FirePower Module. We have been successful in importing all 4 licenses and updating the Geolocation and IPS databases. So far so good.
But still, I'm not able to get the URL filtering going... It seems like nothing is matched and the traffic just passes through...
Here are the specs:
ASA software version 9.8(2)20
The FirePower module looks fine:
ciscoasa/act/pri# show module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5516
Hardware version: N/A
Serial Number: JAD21240FR4
Firmware version: N/A
Software version: 6.2.0-362
MAC Address Range: 7070.8b67.d51b to 7070.8b67.d51b
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.0-362
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 10.11.12.202
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 10.11.12.254
Mgmt web ports: 443
Mgmt TLS enabled: true
Now, here's what we have configured.
1. First configure a URL filtering policy on the FirePower module. Check in the attached file.
2. Then an ACL was created to match traffic from one particular source IP we're testing the policies with. This is attached to a class map and added to the default global_policy.
access-list FP_REDIRECT extended permit ip host 10.15.16.11 any
!
class-map sfr
 match access-list FP_REDIRECT
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class sfr
  sfr fail-open
!
3. I also see hits when I check the sfr policy:
ciscoasa/act/pri# show service-policy sfr
Global policy:
  Service-policy: global_policy
    Class-map: sfr
      SFR: card status Up, mode fail-open
        packet input 486, packet output 486, drop 0, reset-drop 0
So, it should mean that whenever we generate traffic from the source we're matching, it should get redirected to the FirePower module, where there's a URL filtering policy.
But it does not work!
It does not work even if I put a static URL object...
So I cannot understand why this happens.
How can I further troubleshoot and make sure:
1. Traffic is properly redirected to the FirePower module
2. The URL filtering policy is properly matched
Any hint or idea is appreciated!
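The two questions above can be checked from the CLI outputs already quoted in the post. The following Python script is an added example, not code from the poster or from Cisco: it parses the "show module sfr details" and "show service-policy sfr" outputs, tests a source/destination pair against the FP_REDIRECT ACL the way the class-map would, compares the SFR packet counters before and after a test browse, and returns findings. The module and first service-policy samples are copied from the post; the "after" snapshot (612 packets) and the destination 198.51.100.10 are constructed to show a counter increase.

```python
import ipaddress
import re

# Constructed samples. Values in the first two strings are copied from the
# outputs quoted in the post; the "after" snapshot is hypothetical and
# represents a second "show service-policy sfr" taken after a test browse.
SHOW_MODULE_SFR = """\
Card Type: FirePOWER Services Software Module
Model: ASA5516
Software version: 6.2.0-362
App. Status: Up
App. Status Desc: Normal Operation
Data Plane Status: Up
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 10.11.12.202
"""

SERVICE_POLICY_BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: sfr
      SFR: card status Up, mode fail-open
        packet input 486, packet output 486, drop 0, reset-drop 0
"""

SERVICE_POLICY_AFTER = SERVICE_POLICY_BEFORE.replace(
    "packet input 486, packet output 486", "packet input 612, packet output 612")

ACL_LINES = ["access-list FP_REDIRECT extended permit ip host 10.15.16.11 any"]


def parse_module_details(text):
    """Turn the 'Key: value' lines of 'show module sfr details' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_service_policy(text):
    """Extract card status, mode and packet counters from 'show service-policy sfr'."""
    status = re.search(r"SFR: card status (\S+), mode (\S+)", text)
    counters = re.search(
        r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)", text)
    if not status or not counters:
        raise ValueError("no SFR class found in service-policy output")
    return {
        "status": status.group(1), "mode": status.group(2),
        "input": int(counters.group(1)), "output": int(counters.group(2)),
        "drop": int(counters.group(3)), "reset_drop": int(counters.group(4)),
    }


def _take_address(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NETWORK MASK'."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST' (no port keywords)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported ACL syntax: {line}")
    src, rest = _take_address(tokens[5:])
    dst, _ = _take_address(rest)
    return {"name": tokens[1], "action": tokens[3], "proto": tokens[4], "src": src, "dst": dst}


def class_matches(acl_lines, src_ip, dst_ip):
    """First-match semantics: True if the redirect class-map would select this flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if src in ace["src"] and dst in ace["dst"]:
            return ace["action"] == "permit"
    return False


def diagnose(module_text, policy_before, policy_after, acl_lines, src_ip, dst_ip):
    """Return findings answering: is traffic redirected, and did the module act on it?"""
    findings = []
    module = parse_module_details(module_text)
    if module.get("App. Status") != "Up" or module.get("Data Plane Status") != "Up":
        findings.append("module not healthy: check 'show module sfr details'")
    if not class_matches(acl_lines, src_ip, dst_ip):
        findings.append(f"{src_ip} -> {dst_ip} does not match the redirect ACL")
    before, after = parse_service_policy(policy_before), parse_service_policy(policy_after)
    delta = after["input"] - before["input"]
    if delta <= 0:
        findings.append("SFR packet input did not increase: traffic is not reaching the module")
    else:
        findings.append(f"{delta} packets redirected to SFR during the test")
    if after["mode"] == "fail-open":
        findings.append("mode is fail-open: if the module fails, matched traffic bypasses URL filtering")
    if delta > 0 and after["drop"] == 0 and after["reset_drop"] == 0:
        findings.append("no drops or resets counted: the module saw the flow but its policy did not block it")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_MODULE_SFR, SERVICE_POLICY_BEFORE, SERVICE_POLICY_AFTER,
                            ACL_LINES, "10.15.16.11", "198.51.100.10"):
        print(finding)
```

Run it with two real service-policy snapshots taken around a single test browse from 10.15.16.11. A rising input counter with zero drops and resets narrows the problem to the access control policy on the module itself rather than to the ASA redirect, and the fail-open note is worth keeping in mind: that mode keeps traffic flowing uninspected whenever the module is down.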
04-16-2018 04:20 AM
Hello Florin,
By cluster I guess you mean Active/Standby configuration. But even in a cluster configuration it will still hold true.
The reason you don't see the menu is most likely because you haven't configured an IP address of your FirePower module.
You have to do it manually for each and every member of the cluster or Active/Standby setup.
And depending on the ASA model you have different options on how to connect the FirePower module to your physical network. In high end models you have a dedicated management port. While the lower end models use the dedicated management port of the chassis - it's only one, so you must configure another port on the ASA and use it as a dedicated management port.
Once you do that and cable the dedicated port properly, your ASDM will establish an SSL connection with the ASA first, and from the backplane it will learn the IP address of the FirePower module and establish another parallel SSL session to the FirePower module. This is how you will be able to manage both the ASA software and the FirePower module from ASDM. It's convoluted, I know! But that's how this product works. Let me know if this helps, I did this recently so details are still fresh in my memory :)
Keep in mind that the FirePower module has different management from the ASA, and it's reachable via the dedicated physical port and the IP address configured there. From the ASA software you could communicate to the FirePower module over the data and control plane - internal to the chassis. But over the control plane you could configure only basic things. It's expected that the FirePower module is configured either via ASDM (which by the way is neither preferred, nor the recommended method... well, maybe in very small deployments) or via the FMC software.