cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
68378
Views
95
Helpful
67
Replies

Ask the expert- Best practices on Cisco FirePOWER

Cisco Moderador
Community Manager
Community Manager

This topic is a chance to discuss more about all you need to know about Cisco FirePOWER security solution. On this session, Marvin Rhoads will be answering all kind of questions about FirePOWER Management Center (FMC), FirePOWER Threat Defense (FTD) and FirePOWER service modules to FirePOWER appliances. All kind of topics related to this solution, such as operation, configuration, design architecture, troubleshooting, installation and licensing will be covered.

 

Centralize, integrate, and simplify security management on your network

 

To participate in this event, please use the Join the Discussion : Cisco Ask the Expert button below to ask your questions

 

Ask questions from Monday, March 19th to Friday 30th 2018

 

Featured Expert

 

CSC Photo - Marvin Rhoads.jpgMarvin Rhoads is a network security engineer with over 3 decades of experience. He focuses on Cisco network security solutions in his work as an independent consultant performing client-facing design and deployment services for several Cisco Partners. In addition to his 25 years of experience as a Cisco customer, Marvin has worked with Cisco partners for the past 7 years. Marvin holds several security and professional certifications, including a CCNP Security. He holds a Master’s Degree in Systems Engineering and a Bachelor’s Degree in Electronics Engineering Technology. He’s currently pursuing a CCIE Security certification.  

 

Marvin is passionate about helping and learning from his peers in the industry. He has been an active Cisco Support Community contributor since 2001. He has been named as a Cisco Designated VIP for 6 years in a row. In 2017 he was recognized as a member of the elite Cisco Support Community Hall of Fame program.

 

Marvin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation at the Security Category.  

 

Find other events or open new discussions https://supportforums.cisco.com/t5/community-ideas/bd-p/5911-discussions-community-ideas 

 

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions
 

 

67 Replies 67

dchill
Level 1
Level 1

Hi Marvin

 

I have a question regarding FMC, is it possible to manage multiple ASA with FirePower services Firewalls  and FTD appliances all from the same FMC so long as the FMC is licenced to manage the required amount of devices?

 

And if not then what is the recommended approach if you have an existing FMC managing a reasonable sized estate of ASA with FirePower services and you want to gradually migrate to FTD??

 

Cheers

 

Dchill

@dchill,

 

Sure, FMC is designed to manage multiple sensors. It comes as a virtual appliance licensed for 2, 10 or 25 managed devices. It also comes as hardware appliance option. Hardware FMCs are not limited by number of managed devices but rather by storage size for events etc.

 

As long as you have the current license types (SKU with "SF" in the product number like SF-FMC-VMW-K9) for your virtual FMC, you can mix and match Firepower service modules on ASA, FTD appliances, and classic Firepower NGIPS devices (i.e. the old Sourcefire appliances now branded Cisco).

 

Hi Marvin

 

I am aware that FTD does not as yet have full feature parity with ASA code, though I know it does support OSPF. Had a customer today wanting to know if FTD would allow them to triangulate 3 x sites via layer 2 circuits, and then to run OSPF over IPSEC tunnels between the 3 sites to facilitate the dynamic routing.

 

Could be a show stopper if the FTD would not support OSPF over IPSEC VPN so if you could let me know that would be great.

 

Cheers

 

Dchil

@dchill,

 

You cannot pass the OSPF directly via the IPsec tunnel as it uses multicast to form neighbor adjacencies.

 

In such a case, Cisco recommends having the downstream routers that will be the OSPF neighbors use and encapsulation like GRE via which they tunnel that peering. Thus the FTD devices running the IPsec tunnels only see the unicast traffic from their local peering routers and the respective sites corresponding peers.

 

There's a configuration guide for doing that here:

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14381-gre-ipsec-ospf.html

 

It's 10 years old but still valid as far as I know - just mentally replace the Pix with FTD. :)

I've got one that's been bugging me for a while. When you set up a pair of ASAs in Active standby, with Firepower IPS modules. The FHM always reports an error that the standby is not receiving data. It's obviously because the standby is in standby. I usually have to edit the policy to not report that error. I feel as is that a work around. What is the right way make I so the standby does not report the no data inline error?

The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"

@robinson,

 

I've been doing the same thing as you - edit the Health policy.

 

I agree it's a bit of a hack. I think the root problem is that the ASAs' Firepower modules have no awareness of each other. Without that awareness, the standby unit's module genuinely thinks it's unhealthy.

Hello, do I have to consider a license of Remote Access VPN and Site-to-site VPN for Firepower 2120 device??  Do they have a grace of 2 VPN peers connections like ASA??

 

Thanks in advance.

 

Regards,

Juan Carlos Arias

 

@Juan Carlos Arias Perez,

 

There's not an automatic 2 peer license with FTD Smart-licensed devices. However, Cisco offers 4-week Apex evaluation licenses that incorporate all Plus license functionality. To obtain an evaluation license, please visit: https://www.cisco.com/go/license. Select the following: Get Other Licenses -> Demo and Evaluation -> Security Products -> AnyConnect Plus/Apex (ASA) Demo license.

 

Also note that if you have existing AnyConnect 4.x PAK-based licenses you can have them shared with your Smart License account. As long as you don't exceed the licensed number of unique users, Anyconnect 4.x licenses can be used on multiple devices simultaneously.

#Mat
Level 6
Level 6

Hi  Marvin Rhoads is there an example of how to (script) make a deploy a bulk of rules under ACP and nats with REST API?

How was your experience with migrating ASA to FTD? When I tested the migration tool I felt that I lose the control.

Thanks.-

 

.

@#Mat,

 

Sorry but I don't have experience doing that. You might have a look at Oliver Kaiser's blog here:

 

http://dependencyhell.net/2017/08/27/Automating-ACP-Bulk-Changes/

 

I have heard a fair amount of criticism from my peers about the migration tool.

#Mat
Level 6
Level 6

Hi  Marvin Rhoads is there an example of how to (script) make a deploy a bulk of rules under ACP and nats with REST API?

 

How was your experience with migrating ASA to FTD? When I tested the migration tool I felt that I lose the control.

 

Thanks.-

 

.

@#Mat

 

Duplicate post - answered above.

ozgur.ocalan
Level 1
Level 1

Hi Marvin,

I have a FMC that controls 2 x Firepower4120s as HA with Base and Threat Licenses. What can i do with these licenses? Can you explain or advise a detailed document. For example, can i do URL filtering, application control etc.?

@ozgur.ocalan,

 

You cannot do URL Filtering with a Base plus Threat license. URL Filtering and Malware protection are separately licensed features, as is remote access VPN (AnyConnect).

 

The Firepower Management Center Configuration Guide has a definitive listing of what's included in the various licenses. I have quoted it here for your information as follows:

 



Base Licenses

The Base license allows you to:

  • implement user and application control by adding user and application conditions to access control rules

     

  • configure your Firepower Threat Defense devices to perform switching and routing (including DHCP relay and NAT)

     

  • configure Firepower Threat Defense devices as a high availability pair

     

  • configure security modules as a cluster within a Firepower 9300 chassis (intra-chassis clustering)

     

  • configure Firepower 9300 or Firepower 4100 series devices running Firepower Threat Defense as a cluster (inter-chassis clustering)

     

Your purchase of a Firepower Threat Defense device or Firepower Threat Defense Virtual automatically includes a Base license. All additional licenses (Threat, Malware, or URL Filtering) are optional.

A Base license is added to the Firepower Management Center for every Firepower Threat Defense device you register.

 

Threat Licenses

A Threat license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:

  • Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.

     

  • File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. AMP for Networks, which requires a Malware license, allows you to inspect and block a restricted set of those file types based on their dispositions.

     

  • Security Intelligence filtering allows you to blacklist—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately blacklist connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.

     

You can purchase a Threat license as a stand-alone subscription (T) or in combination with URL Filtering (TC), Malware (TM), or both (TCM).

If you disable Threat on managed devices, the Firepower Management Center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as a trigger criteria stop firing. Additionally, the Firepower Management Center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot re-deploy existing policies until you re-enable Threat.



Reference: 

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/licensing_firepower_system.html?bookSearch=true#reference_A00D8504BBA84A27B07B74014AA7337A

Gallifrean
Level 7
Level 7

We are an educational institution aligned with Cisco academy. We have just purchased 3 asa 5506.

How can we run Firepower on all three devices, across classes and across years?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: