
FirePOWER: First steps

ammann9113
Level 1

Hello everyone

As the title suggests, I am currently playing around with the SFR module on my 5506-X. I think I set everything up correctly, as everything is working so far. All software is updated to the latest releases.

Now to the problem, or rather the question: I've created a "Service Policy Rule" which sends all traffic originating from the inside interface to the FirePOWER module. There I created a rule, an "Access Control Policy" rule. I applied this rule to traffic from source zone inside to destination zone outside (I added the respective interface to each zone). Everything else (networks, users, ports, etc.) is left at "any". To the rule I added a file policy which should block downloads of EXE files. At least I hoped it would... When I try to download a file to a host on the inside (simple "wget"), I can get the file without problems.

At the "Real Time Eventing" menu I can see (many) "ASA FirePOWER Connection" events (nothing else). I have DNS queries, NTP, and HTTP(S) events but nothing in the file or malware file section.

The details of the events show that the correct rule, the one I created, applies.

So, my question is: did I get something wrong?

Many thanks!

3 Replies

Oliver Kaiser
Level 7

Based on your description it should work. Could you provide some more information to troubleshoot this?

  1. Which release are you using (6.1.0?)
  2. Do you download via http or https (https won't work since the connection is encrypted)
  3. Screenshot of your file policy
  4. Screenshot of your access-control-policy rule (incl. inspection tab, log tab)
  5. Screenshot of matching http connection event

regards

Oliver

Well, shame on me... it looks like I messed something up. Everything is working now. I guess I got redirected to HTTPS before...

Thanks anyway! And since we're here, I have a few other questions:

- Is there a way to tell the "Real Time Eventing" to save the logs for a specific time? Or is there a similar reporting function hidden somewhere? Or do I need to parse the syslog messages?

- I attached two screenshots of the reporting tab. There are, for example, "unknown" applications listed. Is there a way to get more info out of this? What protocol was used, for example?

- The other screenshot shows the policy hits. I got hits on the default policy. Any way to find out what that was?

- The whole access control policy thing... what is the practice here? Summarize as much as possible? Or create rules for specific things like file policy, intrusion etc.? Would someone share a screenshot of their access control policy?

You will have to log to syslog; ASDM has no persistent log, unlike Firepower Management Center.

Unknown applications are unknown because OpenAppID could not identify the application. To debug the application detection you can open the CLI on the Firepower module and execute the command system support application-identification-debug.

For the policy hits, use syslog or check your "Real Time Eventing" in ASDM.

Considering the access-control-policy: it really depends on your setup. Try to segment where it makes sense. E.g. blacklists first, specific rules afterwards and more generic rules at the bottom to catch everything else.
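As an added illustration of the ordering advice above (example code, not Cisco's and not from this thread), here is a small first-match evaluator that walks an ordered policy top-down with a default action at the bottom, plus a check for rules shadowed by a broader rule above them. The zone names, addresses and ports are constructed, and the matcher is a simplified model rather than Firepower's own.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Rule:
    name: str
    action: str            # "allow" or "block"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_net: str = "any"   # CIDR, host address or "any"
    dst_net: str = "any"
    dst_port: str = "any"  # e.g. "tcp/80" or "any"

def _covers(a, b, net=False):
    """Pattern a covers b: "any" covers everything; otherwise equal, or a supernet for nets."""
    if a == "any" or b == "any":
        return a == "any"
    return ip_network(a, strict=False).supernet_of(ip_network(b, strict=False)) if net else a == b

def covers(a, b):
    """True if every field of rule a is at least as broad as the same field of rule b."""
    return all(_covers(getattr(a, f), getattr(b, f), f.endswith("_net"))
               for f in ("src_zone", "dst_zone", "src_net", "dst_net", "dst_port"))

def evaluate(policy, flow, default_action="allow"):
    """Walk the rules top-down; first match wins, anything left over hits the default action."""
    probe = Rule("flow", "", flow["src_zone"], flow["dst_zone"],
                 flow["src_ip"], flow["dst_ip"], flow["dst_port"])
    for rule in policy:
        if covers(rule, probe):
            return rule.name, rule.action
    return "Default Action", default_action

def shadowed_rules(policy):
    """Rules that can never fire because an earlier rule is at least as broad."""
    return [b.name for i, b in enumerate(policy) if any(covers(a, b) for a in policy[:i])]

# Constructed policies: blacklist/specific/generic as advised, versus a generic allow placed first
GOOD = [Rule("Blacklist", "block", dst_net="203.0.113.0/24"),
        Rule("Inside-Web", "allow", "inside", "outside", dst_port="tcp/80"),
        Rule("Inside-Any", "allow", "inside", "outside")]
BAD = [Rule("Inside-Any", "allow", "inside", "outside"),
       Rule("Blacklist", "block", "inside", "outside", dst_net="203.0.113.0/24")]

# Constructed flows: an HTTP download, one to the blacklisted range, one from a zone no rule names
WEB = dict(src_zone="inside", dst_zone="outside", src_ip="192.168.1.10",
           dst_ip="198.51.100.7", dst_port="tcp/80")
C2 = dict(WEB, dst_ip="203.0.113.5", dst_port="tcp/443")
DMZ = dict(WEB, src_zone="dmz")
print(evaluate(GOOD, C2), evaluate(BAD, C2), evaluate(GOOD, DMZ), shadowed_rules(BAD))
```

Traffic from a zone that no rule names (the DMZ flow here) is what lands on the default action, and the shadow check shows why a generic allow placed above a block makes that block dead.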
