03-12-2018 05:10 PM - edited 02-21-2020 07:30 AM
This topic is a chance to discuss everything you need to know about the Cisco FirePOWER security solution. In this session, Marvin Rhoads will be answering all kinds of questions about FirePOWER Management Center (FMC), FirePOWER Threat Defense (FTD), and everything from FirePOWER service modules to FirePOWER appliances. All kinds of topics related to this solution, such as operation, configuration, design architecture, troubleshooting, installation and licensing, will be covered.
Centralize, integrate, and simplify security management on your network
To participate in this event, please use the button below to ask your questions
Ask questions from Monday, March 19th to Friday, March 30th, 2018
Featured Expert
Marvin Rhoads is a network security engineer with over 3 decades of experience. He focuses on Cisco network security solutions in his work as an independent consultant performing client-facing design and deployment services for several Cisco Partners. In addition to his 25 years of experience as a Cisco customer, Marvin has worked with Cisco partners for the past 7 years. Marvin holds several security and professional certifications, including a CCNP Security. He holds a Master’s Degree in Systems Engineering and a Bachelor’s Degree in Electronics Engineering Technology. He’s currently pursuing a CCIE Security certification.
Marvin is passionate about helping and learning from his peers in the industry. He has been an active Cisco Support Community contributor since 2001. He has been named as a Cisco Designated VIP for 6 years in a row. In 2017 he was recognized as a member of the elite Cisco Support Community Hall of Fame program.
Marvin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation at the Security Category.
Find other events or open new discussions https://supportforums.cisco.com/t5/community-ideas/bd-p/5911-discussions-community-ideas
**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions
03-23-2018 04:41 AM
Hi Marvin
I have a question regarding FMC, is it possible to manage multiple ASA with FirePower services Firewalls and FTD appliances all from the same FMC so long as the FMC is licenced to manage the required amount of devices?
And if not, then what is the recommended approach if you have an existing FMC managing a reasonably sized estate of ASA with FirePower Services and you want to gradually migrate to FTD?
Cheers
Dchill
03-23-2018 10:53 PM
Sure, FMC is designed to manage multiple sensors. It comes as a virtual appliance licensed for 2, 10 or 25 managed devices. It also comes as a hardware appliance option. Hardware FMCs are not limited by number of managed devices but rather by storage size for events etc.
As long as you have the current license types (SKU with "SF" in the product number like SF-FMC-VMW-K9) for your virtual FMC, you can mix and match Firepower service modules on ASA, FTD appliances, and classic Firepower NGIPS devices (i.e. the old Sourcefire appliances now branded Cisco).
03-27-2018 03:56 AM
Hi Marvin
I am aware that FTD does not as yet have full feature parity with ASA code, though I know it does support OSPF. Had a customer today wanting to know if FTD would allow them to triangulate 3 x sites via layer 2 circuits, and then to run OSPF over IPSEC tunnels between the 3 sites to facilitate the dynamic routing.
Could be a show stopper if the FTD would not support OSPF over IPSEC VPN so if you could let me know that would be great.
Cheers
Dchil
03-29-2018 04:33 AM
You cannot pass the OSPF directly via the IPsec tunnel as it uses multicast to form neighbor adjacencies.
In such a case, Cisco recommends having the downstream routers that will be the OSPF neighbors use an encapsulation like GRE via which they tunnel that peering. Thus the FTD devices running the IPsec tunnels only see the unicast traffic from their local peering routers and the respective sites' corresponding peers.
There's a configuration guide for doing that here:
It's 10 years old but still valid as far as I know - just mentally replace the Pix with FTD. :)
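The reason behind the answer above, as an added model that is not part of the thread and not configuration from Cisco's guide: a policy-based IPsec topology on FTD only encrypts packets whose source and destination fall inside a protected-network pair, and OSPF hellos are sent to the multicast group 224.0.0.5, which never matches. Wrapping the peering in GRE between the site routers turns it into unicast between two addresses that do match. The three-site prefixes and router addresses below are constructed; site C deliberately sources its tunnel from an address outside its protected prefix, which the check flags.

```python
"""Model of OSPF-over-IPsec selection on FTD (added example; topology is constructed).

Why this exists: policy-based IPsec on FTD encrypts a packet only when (src, dst)
falls inside one of the topology's protected-network pairs.  OSPF hellos go to the
multicast group 224.0.0.5, so they are never selected.  A GRE tunnel between the
downstream routers carries the peering as unicast between router addresses, and
that unicast packet is selected, provided both endpoints sit inside protected prefixes.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations, permutations

OSPF_ALL_ROUTERS = ip_address("224.0.0.5")   # OSPF hello destination (multicast)
PROTO_OSPF, PROTO_GRE = 89, 47


def make_pkt(src, dst, proto):
    """Minimal packet record: outer source, destination and IP protocol number."""
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": proto}


def crypto_acl_selects(topology, pkt):
    """True if some (local, remote) protected-network pair covers src and dst."""
    return any(pkt["src"] in local and pkt["dst"] in remote for local, remote in topology)


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap an inner packet in a unicast GRE (protocol 47) packet between router endpoints."""
    return {"src": ip_address(tunnel_src), "dst": ip_address(tunnel_dst),
            "proto": PROTO_GRE, "payload": inner}


def full_mesh_topology(sites):
    """Protected-network pairs for a full-mesh site-to-site VPN: every ordered pair of prefixes."""
    return [(sites[a][1], sites[b][1]) for a, b in permutations(sites, 2)]


def plan_gre_mesh(sites):
    """For each pair of sites, report whether OSPF hellos would be encrypted directly
    (never) and whether the GRE tunnel between the two routers would be (only when
    both tunnel endpoints lie inside protected prefixes)."""
    topology = full_mesh_topology(sites)
    plan = []
    for a, b in combinations(sorted(sites), 2):
        hello = make_pkt(sites[a][0], OSPF_ALL_ROUTERS, PROTO_OSPF)
        gre = gre_encapsulate(hello, sites[a][0], sites[b][0])
        plan.append({
            "tunnel": (a, b),
            "ospf_direct": crypto_acl_selects(topology, hello),
            "ospf_via_gre": crypto_acl_selects(topology, gre),
        })
    return plan


# Constructed three-site example: name -> (router tunnel address, protected prefix).
# Site C's router sources its tunnel from an address outside the protected prefix,
# a common misconfiguration that leaves the GRE traffic unencrypted and dropped.
SITES = {
    "A": ("10.1.0.1", ip_network("10.1.0.0/16")),
    "B": ("10.2.0.1", ip_network("10.2.0.0/16")),
    "C": ("192.0.2.3", ip_network("10.3.0.0/16")),
}

if __name__ == "__main__":
    for entry in plan_gre_mesh(SITES):
        print(entry)
```

Reading the output: every tunnel shows `ospf_direct` False, which is the multicast problem from the answer; A-B shows `ospf_via_gre` True, while the two tunnels to site C show False until C's tunnel source is moved inside 10.3.0.0/16 or that address is added to the protected networks.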
03-28-2018 03:39 PM
I've got one that's been bugging me for a while. When you set up a pair of ASAs in Active/Standby with Firepower IPS modules, the FMC always reports an error that the standby is not receiving data. It's obviously because the standby is in standby. I usually have to edit the policy to not report that error. I feel as if that is a workaround. What is the right way to make it so the standby does not report the "no data inline" error?
03-29-2018 04:39 AM
I've been doing the same thing as you - edit the Health policy.
I agree it's a bit of a hack. I think the root problem is that the ASAs' Firepower modules have no awareness of each other. Without that awareness, the standby unit's module genuinely thinks it's unhealthy.
03-23-2018 12:57 PM
Hello, do I have to consider a license for Remote Access VPN and Site-to-Site VPN for a Firepower 2120 device? Do they have a grace of 2 VPN peer connections like the ASA?
Thanks in advance.
Regards,
Juan Carlos Arias
03-23-2018 10:57 PM
There's not an automatic 2 peer license with FTD Smart-licensed devices. However, Cisco offers 4-week Apex evaluation licenses that incorporate all Plus license functionality. To obtain an evaluation license, please visit: https://www.cisco.com/go/license. Select the following: Get Other Licenses -> Demo and Evaluation -> Security Products -> AnyConnect Plus/Apex (ASA) Demo license.
Also note that if you have existing AnyConnect 4.x PAK-based licenses you can have them shared with your Smart License account. As long as you don't exceed the licensed number of unique users, AnyConnect 4.x licenses can be used on multiple devices simultaneously.
03-23-2018 07:46 PM
Hi Marvin Rhoads, is there an example of how to script the deployment of a bulk of rules under an ACP and NATs with the REST API?
How was your experience with migrating ASA to FTD? When I tested the migration tool I felt that I lost control.
Thanks.-
03-23-2018 10:59 PM
Sorry but I don't have experience doing that. You might have a look at Oliver Kaiser's blog here:
http://dependencyhell.net/2017/08/27/Automating-ACP-Bulk-Changes/
I have heard a fair amount of criticism from my peers about the migration tool.
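As an added example for the bulk-rule question above (not code from the thread, from Cisco, or from the linked blog): a small Python script that turns a CSV of rule definitions into FMC AccessRule bodies and posts them in batches. It assumes the FMC REST API token endpoint `/api/fmc_platform/v1/auth/generatetoken` (which returns the `X-auth-access-token` and `DOMAIN_UUID` headers) and the `accessrules` endpoint with the `bulk=true` query parameter, which FMC supports for access rules on recent versions; the per-request rule cap is version dependent, so the batch size is a labelled assumption. The CSV, host name, user and policy id are constructed placeholders.

```python
"""Bulk-create access control rules on a Firepower Management Center via its REST API.

Added example, not Cisco's code.  Assumptions (labelled): the FMC token endpoint
/api/fmc_platform/v1/auth/generatetoken, the accessrules endpoint with ?bulk=true,
a JSON response of the form {"items": [...]} for bulk creates, and a batch cap that
depends on the FMC version.  Network access only happens inside main().
"""
import base64
import csv
import io
import json
import ssl
import urllib.request

# Constructed sample input: one rule per line, columns name,action,enabled.
SAMPLE_CSV = """name,action,enabled
Allow-DNS-Out,ALLOW,true
Block-Telnet,BLOCK,true
Trust-Backup-Traffic,TRUST,false
"""

VALID_ACTIONS = {"ALLOW", "TRUST", "BLOCK", "MONITOR", "BLOCK_RESET"}


def parse_rules(csv_text):
    """Turn the CSV into FMC AccessRule JSON bodies.  Unknown actions are rejected
    up front so a typo in the spreadsheet cannot become a silent permit."""
    rules = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["action"].strip().upper()
        if action not in VALID_ACTIONS:
            raise ValueError(f"rule {row['name']!r}: unknown action {action!r}")
        rules.append({
            "type": "AccessRule",
            "name": row["name"].strip(),
            "action": action,
            "enabled": row["enabled"].strip().lower() == "true",
            "sendEventsToFMC": True,   # keep connection events for later audit
        })
    return rules


def chunk(items, size):
    """Split the rule list into batches no larger than `size` (assumed bulk cap)."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def bulk_url(fmc, domain_uuid, policy_id):
    """URL of the bulk access-rule create endpoint for one access control policy."""
    return (f"https://{fmc}/api/fmc_config/v1/domain/{domain_uuid}"
            f"/policy/accesspolicies/{policy_id}/accessrules?bulk=true")


def get_token(fmc, user, password, ctx):
    """Exchange basic-auth credentials for an API token and the global domain UUID."""
    req = urllib.request.Request(
        f"https://{fmc}/api/fmc_platform/v1/auth/generatetoken", method="POST")
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def post_rules(fmc, token, domain_uuid, policy_id, rules, ctx, batch_size=500):
    """POST the rules in batches and return the ids FMC assigned to them."""
    created = []
    for batch in chunk(rules, batch_size):
        req = urllib.request.Request(bulk_url(fmc, domain_uuid, policy_id),
                                     data=json.dumps(batch).encode(), method="POST")
        req.add_header("Content-Type", "application/json")
        req.add_header("X-auth-access-token", token)
        with urllib.request.urlopen(req, context=ctx) as resp:
            body = json.load(resp)
        created.extend(item["id"] for item in body.get("items", []))   # assumed shape
    return created


def main():
    # Placeholder values: replace with your FMC, an API user and the target policy id.
    fmc, user, password = "fmc.example.invalid", "apiuser", "PASSWORD-PLACEHOLDER"
    policy_id = "POLICY-UUID-PLACEHOLDER"
    ctx = ssl.create_default_context()   # verify the FMC certificate; do not disable this
    token, domain_uuid = get_token(fmc, user, password, ctx)
    ids = post_rules(fmc, token, domain_uuid, policy_id, parse_rules(SAMPLE_CSV), ctx)
    print(f"created {len(ids)} rules; deploy the policy from FMC when ready")


if __name__ == "__main__":
    main()
```

Two things to keep in mind when adapting it: a rule with no match conditions matches all traffic, so real input should carry source/destination network and port objects (looked up by id from the object endpoints) rather than the bare name/action used here; and the API only stages the rules in the policy, so nothing changes on the sensors until the policy is deployed from FMC.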
03-23-2018 07:47 PM
Hi Marvin Rhoads is there an example of how to (script) make a deploy a bulk of rules under ACP and nats with REST API?
How was your experience with migrating ASA to FTD? When I tested the migration tool I felt that I lose the control.
Thanks.-
03-23-2018 11:00 PM
03-24-2018 12:07 PM
Hi Marvin,
I have an FMC that controls 2 x Firepower 4120s as an HA pair with Base and Threat licenses. What can I do with these licenses? Can you explain or advise a detailed document? For example, can I do URL filtering, application control etc.?
03-24-2018 08:40 PM
You cannot do URL Filtering with a Base plus Threat license. URL Filtering and Malware protection are separately licensed features, as is remote access VPN (AnyConnect).
The Firepower Management Center Configuration Guide has a definitive listing of what's included in the various licenses. I have quoted it here for your information as follows:
Base Licenses
The Base license allows you to:
- implement user and application control by adding user and application conditions to access control rules
- configure your Firepower Threat Defense devices to perform switching and routing (including DHCP relay and NAT)
- configure Firepower Threat Defense devices as a high availability pair
- configure security modules as a cluster within a Firepower 9300 chassis (intra-chassis clustering)
- configure Firepower 9300 or Firepower 4100 series devices running Firepower Threat Defense as a cluster (inter-chassis clustering)
Your purchase of a Firepower Threat Defense device or Firepower Threat Defense Virtual automatically includes a Base license. All additional licenses (Threat, Malware, or URL Filtering) are optional.
A Base license is added to the Firepower Management Center for every Firepower Threat Defense device you register.
Threat Licenses
A Threat license allows you to perform intrusion detection and prevention, file control, and Security Intelligence filtering:
Intrusion detection and prevention allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
File control allows you to detect and, optionally, block users from uploading (sending) or downloading (receiving) files of specific types over specific application protocols. AMP for Networks, which requires a Malware license, allows you to inspect and block a restricted set of those file types based on their dispositions.
Security Intelligence filtering allows you to blacklist—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately blacklist connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.
You can purchase a Threat license as a stand-alone subscription (T) or in combination with URL Filtering (TC), Malware (TM), or both (TCM).
If you disable Threat on managed devices, the Firepower Management Center stops acknowledging intrusion and file events from the affected devices. As a consequence, correlation rules that use those events as a trigger criteria stop firing. Additionally, the Firepower Management Center will not contact the internet for either Cisco-provided or third-party Security Intelligence information. You cannot re-deploy existing policies until you re-enable Threat.
Reference:
03-25-2018 04:34 PM
We are an educational institution aligned with the Cisco Networking Academy. We have just purchased 3 ASA 5506s.
How can we run Firepower on all three devices, across classes and across years?