Configure HTTPS on FTD from the FMC

david.campeau
Level 1

Current Hardware and Software levels

9300 FXOS = 2.2(2.17)

9300 FTD (Logical Device) = 6.2.2.81

3500 FMC = 6.2.2 (build 81)

 

*Note* No ASA module. Security Module is for FTD.

 

The issue seems to be with setting up external authentication. The instructions indicate setting up external authentication through FTD settings. However, there isn't an external authentication setting in this area on the FMC.

 

"Step 1. Navigate to Devices > Platform Settings.

Step 2. Either edit the policy which exists as you click on the pencil icon or create a new FTD policy as you click the New Policy button and select type as Threat Defense Settings."

 

Step 2 found here >  https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html#anc10

 

Anyhow, External Authentication doesn't exist in this mode -- see the picture below.

 

Has anyone else seen this issue?

 

This is what I see when I follow the instructions --

[Screenshot: Capture.JPG]
9 Replies

david.campeau
Level 1

I've managed to follow the following procedures, but it still is not working yet.

 

Procedure

Step 1  Select Devices > Platform Settings and create or edit a Firepower Threat Defense policy.
Step 2  Select HTTP.
Step 3  Enable the HTTPS server by clicking Enable HTTP server.
Step 4  (Optional) Change the HTTPS port. The default is 443.
Step 5  Identify the interfaces and IP addresses that allow HTTPS connections.

Use this table to limit which interfaces will accept HTTPS connections, and the IP addresses of the clients who are allowed to make those connections. You can use network addresses rather than individual IP addresses.

  1. Click Add to add a new rule, or click the Edit icon to edit an existing rule.
  2. Configure the rule properties:
    • IP Address—The network object that identifies the hosts or networks you are allowing to make HTTPS connections. Choose an object from the drop-down menu, or add a new network object by clicking the + button.
    • Security Zones—Add the zones that contain the interfaces to which you will allow HTTPS connections. For interfaces not in a zone, you can type the interface name into the field below the Selected Security Zone list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.
  3. Click OK.
Step 6  Click Save.

You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

Marvin Rhoads
Hall of Fame

My FMC looks the same as yours and matches what the official configuration guide for 6.2.2 says we should see for FTD devices:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/platform_settings_for_firepower_threat_defense.html#topic_418BE5911F2849CB881D4E5E79343E9C

I am running FMC 6.2.2 with a single FTDv device in my lab.

 

 

I believe the article you referenced is incorrect (or misleading at best) as the settings they refer to are only available for classic Firepower devices or ASA with Firepower service module. That is also what is correctly reflected in the section of the configuration guide referring to them:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/firepower_platform_settings.html#concept_E832134433CF40719F024D30DA6BD301

 

I checked testing a new Firepower platform policy (not FTD) and do see the option for external authentication. I don't believe that FTD devices support external authentication at this time. I submitted feedback on the document you referenced to ask that the authors correct the language implying otherwise.

 

[Screenshot: FMC External authentication for Firepower platform.PNG]

I guess it seemed natural to want to log into the FTD as we do similarly on the AMP8150's, but this simply is not the case. HTTPS access is to the FXOS only.

 

This is the response from Cisco yesterday when a TAC was opened.

--------------------------------------------------------------------------------------

"From my understanding of your problem description, you are wanting to enable HTTPS on the FTD, 9300.

As you are managing the device via FMC (Firepower Management Center), there will not be HTTPS functionality for the FTD.

HTTPS on the FTD is used when you are managing the device locally, via Firepower Chassis Manager Web Interface."

--------------------------------------------------------------------------------------

We are needing to get Interface, CPU, and RAM stats, so it appears widgets are used on the FMC to pull those in from the FTD. So far just playing around with them, I'm only able to get these stats from the FMC itself, so I'll keep working at it to figure out how to get them from the FTD.

 

 

 

I haven't tried it but you might want to walk the SNMP MIB tree on the chassis itself and see how much of what you are looking for can be provided there.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/cli-guide/b_CLI_ConfigGuide_FXOS_221/platform_settings.html#concept_144471F8E7CD4BA683372EFF0797574C

Appreciate the suggestion... I logged into the FXOS, and looked at the SNMP options and only SNMP version 2 is available :(   Unfortunately or fortunately, depending on how you want to look at it, Version 2 isn't an option for us especially with a security device.

 

Best Regards,

Are you sure? The Configuration guide indicates full SNMPv3 support (priv and auth) as follows:

 

The Firepower chassis provides the following support for SNMP:

Support for MIBs

The Firepower chassis supports read-only access to MIBs.

Authentication Protocol for SNMPv3 Users

The Firepower chassis supports the HMAC-SHA-96 (SHA) authentication protocol for SNMPv3 users.

AES Privacy Protocol for SNMPv3 Users

The Firepower chassis uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.

The privacy password, or priv option, offers a choice of DES or 128-bit AES encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, the Firepower chassis uses the privacy password to generate a 128-bit AES key. The AES privacy password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters.

I looked at the Web Interface and looked at the upper left hand corner. However, if you look below where it says SNMP Users, I believe that is where SNMP version 3 is configured. Not well laid out, but will get the job done. Thanks for finding the document.

 

[Screenshot: Capture.JPG]

Okay, I've downloaded the FIREPOWER MIBS and have loaded them up on a SNMP management system and have Version 3 encryption and authentication working... I'm successfully walking the FXOS system.

 

So, on the 8150's, what we used to like to do was look at some system stats... Like Interface Utilization, which I can now do with SNMP, so no issues there.

 

CPU utilization with SNMP, appears to only show the 2 physical processors, and I'm having a difficult time breaking those down to the 36 cores these 2 physical processors have. So, help finding a mib there would be appreciated.

 

SNORT Process CPU%. We used to look at the snort processes and find how much processor they were using. One of the reasons why we upgraded to the 9300 was because the 8150's were getting over-loaded, and we knew this because we actively monitored snort. I'm trying to find the right MIB that will break down the snort processes and how much Processor % they are using.

 

Best Regards,
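The interface-utilization figure mentioned in the post above can be derived from two SNMP polls of the IF-MIB high-capacity counters. The following is an added example, not code from the thread or from Cisco: it parses constructed snmpwalk-style output for two polls taken 60 seconds apart and computes percent in/out utilization per interface, tolerating a Counter64 wrap between polls and skipping interfaces whose ifHighSpeed is 0 (speed unknown). All sample values are constructed.

```python
import re

COUNTER64_MOD = 1 << 64
LINE_RE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = \w+: (\d+)$")

# Constructed snmpwalk-style output (not captured from a real chassis):
# two polls of the IF-MIB high-capacity counters taken 60 seconds apart.
POLL_T0 = """\
IF-MIB::ifHCInOctets.1 = Counter64: 1000000000
IF-MIB::ifHCOutOctets.1 = Counter64: 500000000
IF-MIB::ifHighSpeed.1 = Gauge32: 10000
IF-MIB::ifHCInOctets.2 = Counter64: 18446744073709550616
IF-MIB::ifHighSpeed.2 = Gauge32: 1000
"""
POLL_T1 = """\
IF-MIB::ifHCInOctets.1 = Counter64: 8500000000
IF-MIB::ifHCOutOctets.1 = Counter64: 4250000000
IF-MIB::ifHighSpeed.1 = Gauge32: 10000
IF-MIB::ifHCInOctets.2 = Counter64: 7499000
IF-MIB::ifHighSpeed.2 = Gauge32: 1000
"""


def parse_poll(text):
    """Parse snmpwalk-style output into {ifIndex: {object_name: int_value}}."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that is not an IF-MIB integer column
            table.setdefault(int(m.group(2)), {})[m.group(1)] = int(m.group(3))
    return table


def counter_delta(old, new):
    """Difference between two Counter64 samples, tolerant of one wrap."""
    return (new - old) % COUNTER64_MOD


def utilization(t0, t1, interval_s):
    """Percent in/out utilization per ifIndex between two polls.
    Returns None for an interface whose ifHighSpeed is 0 (speed unknown)."""
    a, b = parse_poll(t0), parse_poll(t1)
    result = {}
    for idx in sorted(set(a) & set(b)):
        link_bps = b[idx].get("ifHighSpeed", 0) * 1_000_000  # ifHighSpeed is in Mbps
        if link_bps == 0:
            result[idx] = None
            continue
        pct = {}
        for obj, key in (("ifHCInOctets", "in_pct"), ("ifHCOutOctets", "out_pct")):
            if obj in a[idx] and obj in b[idx]:
                bps = counter_delta(a[idx][obj], b[idx][obj]) * 8 / interval_s
                pct[key] = round(bps / link_bps * 100, 3)
        result[idx] = pct
    return result
```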

 

 

An enhancement request was approved by our Rep and logged by Cisco to add Widgets on the FMC which will show stats for the FTD boxes it manages. Unknown timeline for completion if ever.

 

We lost that ability when we upgraded to new hardware and software, and the only workaround is with SNMP MIBs.
