10-03-2017 08:24 AM - edited 02-21-2020 06:25 AM
Current Hardware and Software levels
9300 FXOS = 2.2(2.17)
9300 FTD (Logical Device) = 6.2.2.81
3500 FMC = 6.2.2 (build 81)
*Note* No ASA module. Security Module is for FTD.
The issue seems to be with setting up external authentication. The instructions indicate setting up external authentication through FTD settings. However, there is no external authentication setting in this area on the FMC.
"Step 1. Navigate to Devices > Platform Settings.
Step 2. Either edit the policy which exists as you click on the pencil icon or create a new FTD policy as you click the New Policy button and select type as Threat Defense Settings."
Step 2 found here > https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html#anc10
Anyhow, External Authentication doesn't exist in this mode -- see picture below.
Has anyone else seen this issue?
This is what I see when I follow the instructions --
10-03-2017 01:26 PM
I've managed to follow the following procedures, but it still is not working yet.
Procedure
Step 1. Select Devices > Platform Settings and create or edit a Firepower Threat Defense policy.
Step 2. Select HTTP.
Step 3. Enable the HTTPS server by clicking Enable HTTP server.
Step 4. (Optional) Change the HTTPS port. The default is 443.
Step 5. Identify the interfaces and IP addresses that allow HTTPS connections. Use this table to limit which interfaces will accept HTTPS connections, and the IP addresses of the clients who are allowed to make those connections. You can use network addresses rather than individual IP addresses.
Step 6. Click Save. You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.
10-04-2017 01:17 AM
My FMC looks the same as yours and matches what the official configuration guide for 6.2.2 says we should see for FTD devices:
I am running FMC 6.2.2 with a single FTDv device in my lab.
I believe the article you referenced is incorrect (or misleading at best), as the settings they refer to are only available for classic Firepower devices or ASA with Firepower service module. That is also what is correctly reflected in the section of the configuration guide referring to them:
I checked testing a new Firepower platform policy (not FTD) and do see the option for external authentication. I don't believe that FTD devices support external authentication at this time. I submitted feedback on the document you referenced to ask that the authors correct the language implying otherwise.
10-04-2017 05:10 AM
I guess it seemed natural to want to log into the FTD as we do similarly on the AMP8150's, but this simply is not the case. HTTPS access is to the FXOS only.
This is the response from Cisco yesterday when a TAC was opened.
--------------------------------------------------------------------------------------
"From my understanding of your problem description, you are wanting to enable HTTPS on the FTD, 9300.
As you are managing the device via FMC (Firepower Management Center), there will not be HTTPS functionality for the FTD.
HTTPS on the FTD is used when you are managing the device locally, via Firepower Chassis Manager Web Interface."
----------------------------------------------------------------------------------------
We need to get Interface, CPU, and RAM stats, so it appears widgets are used on the FMC to pull those in from the FTD. So far, just playing around with them, I'm only able to get these stats from the FMC itself, so I'll keep working at it to figure out how to get them from the FTD.
10-04-2017 05:25 AM
I haven't tried it, but you might want to walk the SNMP MIB tree on the chassis itself and see how much of what you are looking for can be provided there.
10-04-2017 05:39 AM
Appreciate the suggestion... I logged into the FXOS, and looked at the SNMP options and only SNMP version 2 is available :( Unfortunately or fortunately, depending on how you want to look at it, Version 2 isn't an option for us especially with a security device.
Best Regards,
10-04-2017 05:45 AM
Are you sure? The Configuration guide indicates full SNMPv3 support (priv and auth) as follows:
The Firepower chassis provides the following support for SNMP:
The Firepower chassis supports read-only access to MIBs.
The Firepower chassis supports the HMAC-SHA-96 (SHA) authentication protocol for SNMPv3 users.
The Firepower chassis uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The privacy password, or priv option, offers a choice of DES or 128-bit AES encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, the Firepower chassis uses the privacy password to generate a 128-bit AES key. The AES privacy password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters.
10-04-2017 06:01 AM
10-05-2017 07:44 AM - edited 10-05-2017 08:21 AM
Okay, I've downloaded the FIREPOWER MIBs and have loaded them up on an SNMP management system and have Version 3 encryption and authentication working... I'm successfully walking the FXOS system.
So, on the 8150's, what we used to like to do was look at some system stats... Like Interface Utilization, which I can now do with SNMP, so no issues there.
CPU utilization with SNMP, appears to only show the 2 physical processors, and I'm having a difficult time breaking those down to the 36 cores these 2 physical processors have. So, help finding a mib there would be appreciated.
SNORT Process CPU%. We used to look at the snort processes and find how much processor they were using. One of the reasons why we upgraded to the 9300 was because the 8150's were getting over-loaded, and we knew this because we actively monitored snort. I'm trying to find the right MIB that will break down the snort processes and how much Processor % they are using.
Best Regards,
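An added example (not code from the thread, from Cisco, or from net-snmp's own docs) tying together the SNMPv3 capabilities quoted from the configuration guide above and the working v3 walk described in the last post: it generates a net-snmp client snmp.conf that uses only SHA authentication, AES-128 privacy and passphrases of at least eight characters, and refuses weaker settings such as v2c or authNoPriv. The hostname, user name and passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a net-snmp snmp.conf for walking an FXOS chassis with the
# SNMPv3 options the quoted guide lists as supported (SHA auth, AES-128 priv,
# priv passphrase of at least 8 characters), refusing anything weaker.
#
# Usage: fxos_snmp_conf <version> <seclevel> <user> <authpass> <privpass>
# Prints snmp.conf directives on stdout; returns 1 (bad version), 2 (bad
# security level) or 3 (missing user / short passphrase) without printing.
fxos_snmp_conf() {
  version=$1; level=$2; user=$3; authpass=$4; privpass=$5
  # Only SNMPv3 authenticates and encrypts; v1/v2c send the community string in clear text.
  [ "$version" = "3" ] || return 1
  # Require both authentication and privacy, not noAuthNoPriv or authNoPriv.
  [ "$level" = "authPriv" ] || return 2
  # Eight-character floor from the guide for the priv passphrase; applied to auth as well.
  [ -n "$user" ] && [ "${#authpass}" -ge 8 ] && [ "${#privpass}" -ge 8 ] || return 3
  # net-snmp snmp.conf directives (defVersion, defSecurityLevel, defAuthType, ...).
  printf 'defVersion 3\n'
  printf 'defSecurityLevel authPriv\n'
  printf 'defSecurityName %s\n' "$user"
  printf 'defAuthType SHA\n'
  printf 'defAuthPassphrase %s\n' "$authpass"
  printf 'defPrivType AES\n'
  printf 'defPrivPassphrase %s\n' "$privpass"
}

# Stand-alone use (set FXOS_WRITE_CONF=1): write the file owner-only, then walk
# the system group and the interface table. 192.0.2.10 is a constructed placeholder.
if [ "${FXOS_WRITE_CONF:-0}" = "1" ]; then
  umask 077
  mkdir -p "$HOME/.snmp"
  fxos_snmp_conf 3 authPriv fxosmon 'AuthPassExample1' 'PrivPassExample1' \
    > "$HOME/.snmp/snmp.conf"
  snmpwalk 192.0.2.10 .1.3.6.1.2.1.1    # SNMPv2-MIB::system
  snmpwalk 192.0.2.10 .1.3.6.1.2.1.2.2  # IF-MIB::ifTable (interface counters)
fi
```

Because the passphrases live in the file rather than on the snmpwalk command line, they do not show up in the process list of the monitoring host.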
10-09-2017 08:09 AM
An enhancement request was approved by our Rep and logged by Cisco to add Widgets on the FMC which will show stats for the FTD boxes it manages. Unknown timeline for completion if ever.
We lost that ability when we upgraded to new hardware and software, and the only workaround is with SNMP MIBs.