Automating the creation of a Firepower access control policy from an ASA firewall policy?

dam0c0nr0y
Level 1

In our solution we are using Firepower Management Centre 2000 appliances to manage Firepower SFR software modules in Cisco ASA 5500-X series firewalls – so the Firepower products we are using fall into the category of "Cisco ASA with Firepower Services", which is an earlier generation of Firepower product than the more recent "Firepower Threat Defense" generation of products.

 

The approach we have in our solution is to mirror the base ASA firewall policy in the Firepower access control policy and we’re trying to reduce the pain of doing this for Firepower – particularly when we’re generating a lot of new firewall policies on the base ASA as we plan to do.

 

The question:

 

  • Is there any way of creating a Firepower access control policy from an ASA firewall policy?

 

I have found references online (here) that there is an ASA-to-Firepower Threat Defense migration tool where it states that “the migration tool allows you to convert an ASA configuration file in .cfg or .txt format to a Firepower import file in .sfo format, which you can then import on your production Management Center”.

 

However, I cannot find any references to an equivalent tool for use with the "Cisco ASA with Firepower Services" generation of products.

 

As far as I know, the only way to generate Firepower access control policies for our set of products is to produce them manually using the Firepower Management Centre 2000 GUI.

 

Can anyone advise on this subject, or provide definitive confirmation of whether a Cisco-supported method exists for automating the creation of a Firepower access control policy from an ASA firewall policy?

 

Thanks

6 Replies

Rahul Govindan
VIP Alumni

The ASA to FTD migration tool only converts the ASA objects, NAT and ACLs from the ASA. Since this has no relation to Firepower services, it does not matter if you have just an ASA or an ASA with Firepower services.

 

You can use the tool to easily migrate the ASA ACLs to the Pre-filter Policy on the FMC. The Pre-filter policies are very similar to ASA ACLs since they only have L3/L4 rule conditions. For Application rules, if you are using the same FMC to manage the existing ASA w/ Firepower services and the FTD, you can use the same Access Control Policies for the new devices as long as the interface objects referenced are not specific to the Firepower services.

Thanks for the reply Rahul.

However, to further clarify, are you saying that we could use the ASA to FTD migration tool to produce ".sfo" configuration files that could be imported to a Firepower Management Centre 2000 appliance for use in our Cisco ASA with Firepower Services-based solution? i.e. in order to create the required Firepower access control policy from an ASA firewall policy?

Damian

 

Technically this should be possible. When you use the migration tool, export the ASA rules to the Access Control Policy rather than the Pre-filter Policy (the tool recommends Pre-filter by default). Access Control Policies can be used by either FTD or ASA w/ Firepower services.

 

[Attachment: ftd-migration.PNG]

I have not tested out the last step of pushing this to a Firepower module running on an ASA, but don't see any issues that could come up. You would obviously have to map the right ASA interfaces to the right security zones on the FMC, since the ACPs only have zone information on them.
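Rahul's two replies above describe what the conversion actually consists of: the tool takes ASA objects, NAT and ACLs; Pre-filter rules are L3/L4 only; and the resulting policy carries security zones, so each ASA interface has to be mapped to a zone by hand. The Python script below is an added example illustrating those three points, not the Cisco migration tool and not code posted by anyone in this thread. It parses a constructed ASA configuration fragment (network objects, extended ACLs and their access-group bindings), emits one L3/L4 rule per ACE in ASA order, fills the source zone from a hypothetical interface-to-zone table, and collects every ACE it cannot express as L3/L4 (here a service object-group used in the protocol position) for manual review. The `Rule` shape and `IFACE_TO_ZONE` table are assumptions of this example; it does not produce the .sfo import format, which the page does not document.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample ASA configuration fragment; not taken from any real device.
SAMPLE_ASA_CONFIG = """\
object network WEB-SRV
 host 10.1.1.10
object-group network DMZ-NETS
 network-object 10.1.1.0 255.255.255.0
 network-object host 10.1.2.5
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV eq 443
access-list OUTSIDE_IN extended permit tcp any object-group DMZ-NETS range 22 23
access-list OUTSIDE_IN extended permit object-group SVC-WEB any any
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_OUT extended permit udp 10.0.0.0 255.0.0.0 any eq 53
access-list INSIDE_OUT extended permit ip host 10.0.0.5 any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
"""
# Hypothetical interface-to-zone table: FMC rules carry zones, not ASA interface names.
IFACE_TO_ZONE = {"outside": "OUTSIDE-ZONE", "inside": "INSIDE-ZONE"}

@dataclass
class Rule:
    acl: str
    action: str
    protocol: str
    src: List[str]
    dst: List[str]
    src_port: Optional[str] = None
    dst_port: Optional[str] = None
    log: bool = False
    src_zone: Optional[str] = None   # filled in from the access-group binding

def _net(addr: str, mask: str) -> str:
    # Normalise 'addr mask' to CIDR; raises ValueError for anything that is not IPv4.
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))

def parse_objects(lines: List[str]) -> Dict[str, List[str]]:
    """Resolve 'object network' and 'object-group network' bodies into CIDR lists."""
    objects: Dict[str, List[str]] = {}
    current = None
    for line in lines:
        toks = line.split()
        if toks[:2] in (["object", "network"], ["object-group", "network"]):
            current, objects[toks[2]] = toks[2], []
        elif line.startswith(" ") and current and toks:
            body = toks[1:] if toks[0] == "network-object" else toks
            if body[0] == "host":                        # host A
                objects[current].append(_net(body[1], "32"))
            elif body[0] in ("object", "group-object"):  # nested object or group
                objects[current].extend(objects[body[1]])
            else:                                        # subnet A M  |  A M
                objects[current].append(_net(body[-2], body[-1]))
        else:
            current = None                               # left the object body
    return objects

def _take_addr(toks, i, objects):                        # -> (cidr list, next index)
    t = toks[i]
    if t in ("any", "any4"):
        return ["0.0.0.0/0"], i + 1
    if t == "host":
        return [_net(toks[i + 1], "32")], i + 2
    if t in ("object", "object-group"):
        return list(objects[toks[i + 1]]), i + 2         # KeyError if not a network object
    return [_net(t, toks[i + 1])], i + 2

def _take_port(toks, i):                                 # -> (port text or None, next index)
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "neq"):
        return f"{toks[i]} {toks[i + 1]}", i + 2
    if i < len(toks) and toks[i] == "range":
        return f"range {toks[i + 1]}-{toks[i + 2]}", i + 3
    return None, i

def parse_acls(config: str, iface_to_zone=IFACE_TO_ZONE) -> Tuple[List[Rule], List[str]]:
    """Return (L3/L4 rules in ASA order, ACL lines this converter cannot express)."""
    objects = parse_objects(lines := config.splitlines())
    rules, skipped, bindings = [], [], {}
    for line in lines:
        toks = line.split()
        if toks[:1] == ["access-group"] and "interface" in toks:
            bindings[toks[1]] = toks[toks.index("interface") + 1]
        if len(toks) < 5 or toks[0] != "access-list" or toks[2] != "extended":
            continue
        proto, l4 = toks[4], toks[4] in ("tcp", "udp")
        try:
            src, i = _take_addr(toks, 5, objects)
            src_port, i = _take_port(toks, i) if l4 else (None, i)
            dst, i = _take_addr(toks, i, objects)
            dst_port, i = _take_port(toks, i) if l4 else (None, i)
        except (KeyError, ValueError, IndexError):
            skipped.append(line)   # e.g. service object-groups, identity or time-range conditions
            continue
        rules.append(Rule(toks[1], toks[3], proto, src, dst, src_port, dst_port, "log" in toks[i:]))
    for r in rules:                # an ACL applied inbound on interface X starts in X's zone
        r.src_zone = iface_to_zone.get(bindings.get(r.acl))
    return rules, skipped
```

On the sample above `parse_acls` returns five rules and one skipped line. The skipped list is the part worth reading before trusting any automated conversion: an ACE that silently drops out of an ordered ACL changes what the remaining rules match, so each one needs an explicit Access Control rule (for example an application or port-group condition) written by hand.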

Thanks Rahul.

I will need to explore this further in order to prove that the migration tool works for our specific Firepower solution i.e. that the Firepower Access Control Policy created by the migration tool from the base ASA configuration actually works with our older generation of Firepower platform (i.e. FMC 2000 appliances managing SFR modules in ASA 5500-X series).

 

Also, from reading the "Cisco ASA to Firepower Threat Defense Migration Guide" (here) installation of the Migration Tool requires either:

  • A) Firepower Management Center Virtual for VMware

or

  • B) Firepower Management Center Virtual for KVM

As the Firepower Management Center instances that we are using are hardware appliances (not virtual) I will need to investigate if we can stand-up a Firepower Management Center Virtual instance in order to firstly enable the installation of the Migration Tool.

Have got some work to do on this front in order to build confidence that the approach will actually work for our Firepower solution.

Regards

Damian

Yup, I keep one FMC VM just for migration purposes for all my projects. I can re-use the same VM multiple times, and files exported from the FMC VM can be imported onto a hardware FMC also.

Nice. We may also want to keep an FMC VM for similar purposes here - once I have proven that this approach works for us, that is. Thanks for your help.
