Enthusiast

Integrate Cisco Firepower Management Center and ASA5516-X

Hi There,

I have a Cisco 5516-X with the FP module and FPMC installed on a VM (6.0.1). I have added the licenses and enabled them for the device. I have also added service policy rules on the ASA 5516 enabling FirePOWER inspection, but I am still not able to do URL filtering or any malware filtering. I have tried many methods to do this, still no luck. Can someone help me configure this from the beginning, or is there a clear guide which explains the initial installation of the FirePOWER integration?

thank you in advance

Hall of Fame Guru

Have you deployed the Access Control Policy (ACP) with URL and File inspection rules?

Please share a screenshot of the Device Management and ACP pages.

Enthusiast

Hi Marvin,

Please find attached images for those captures. I guess I am making some small mistake, but I cannot find it.. :(

I can see application traffic on the dashboard, but when I click on that application it does not show any record details.

Thanks in advance

Cisco Employee

Hi Kasun,

The screenshots look correct. Can you please also share the output of "show service-policy sfr" from the ASA CLI, and a screenshot of all access control policy rules, unless the one you shared is on top?

Thanks

Yogesh

Enthusiast

Hi Yogesh,

Please find the attached details below. Thanks for looking into this..

Thank you

Hall of Fame Guru

Kasun,

I notice your "blockeicar" has an application rule included. Only traffic matching that condition AND the URL condition will have the selected Block with Reset action applied.

Enthusiast

Hi Marvin,

I have tested that also, please check the attached. I don't know what the issue is there. Is there any way to troubleshoot from the firewall side?

Thank you

Hall of Fame Guru

You cannot trace the logic in FirePOWER 6.0.1 that you are using, either on the firewall or from FirePOWER Management Center.

Your FirePOWER Management Center Connection Record will show what URL Category a given connection was classified into.

In FMC 6.1, Cisco added the capability to do a lookup of the category directly from the Web UI. (You could always just put the URL into brightcloud.com service that Cisco uses in the backend.)

In FMC 6.2 we now have the capability to do a packet-tracer function from the Health Monitoring Advanced Troubleshooting tools section of FMC.

Enthusiast

Hi Marvin,

Thanks a lot for the update. If I remove ASA FirePOWER management from the Firepower Management Center, will it cause any downtime? Or can I just remove the management center and install a new center? Also, can I transfer my FP license to the new center?

Thank you

Hall of Fame Guru

Changing from one management center to another will not cause any downtime on the managed devices. When you redeploy policies (either from an existing or new FMC) there can be a brief interruption of packet processing.

Rehosting or transferring licenses requires TAC assistance (Global Licensing Operations queue) for Classic licenses such as are used by your 5516-X FirePOWER Service module managed by FMC.

(The newer Smart licenses used by FTD can be rehosted via self-service.)

Enthusiast

Hi Marvin,

I will plan to upgrade then. After that I hope to do the configuration again. Hope that will work fine.

Is there anything I need to check from the firewall?

Thank you

Enthusiast

Hi All,

I have added FPMC policies to the interface. I did not create any zones. Can that be an issue? Because the ASA doesn't have zones created.

Thank you all

Cisco Employee

Hello Kasun,

For URL filtering, you can refer to the following video tutorial.

https://www.youtube.com/watch?v=nXIBDQqekPY

Regards

Jetsy 

Enthusiast

Still I don't have an answer for this matter. When URL filtering, I can filter manual URLs but not categories. Also I can't see any logging record for blocking traffic. This is really weird.

Hall of Fame Guru

For logging - have you set the rules in your Access Control Policy to create log entries? They won't by default.
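The two points raised in this thread (a rule with an application condition AND a URL condition only fires when both match, and a rule only produces a connection event when logging is enabled on it) can be shown with a small, simplified model of Access Control Policy evaluation. This is an added example written for this thread, not Cisco code or the poster's configuration; the rule contents, application names and category names are constructed.

```python
"""Simplified model of FMC Access Control Policy rule evaluation.

Constructed example, not Cisco code: rules are checked top-down, every
condition type present on a rule must match (AND), the first match wins,
and a matching rule only yields a connection event if logging is enabled.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                                 # "Allow", "Block with reset", ...
    apps: set = field(default_factory=set)      # empty set = any application
    url_categories: set = field(default_factory=set)  # empty set = any URL
    log: bool = False                           # new ACP rules do not log by default


@dataclass
class Connection:
    app: str
    url_category: str


def rule_matches(rule: Rule, conn: Connection) -> bool:
    # Different condition types are ANDed; values within one type are ORed.
    app_ok = not rule.apps or conn.app in rule.apps
    cat_ok = not rule.url_categories or conn.url_category in rule.url_categories
    return app_ok and cat_ok


def evaluate(rules: list, conn: Connection, default_action: str = "Allow"):
    """Return (matched rule name or None, action applied, whether it was logged)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.name, rule.action, rule.log
    return None, default_action, False


# Constructed policy resembling the thread: an application condition was left on
# the "blockeicar" rule, so a plain HTTP request to a blocked category slips past,
# and with logging off nothing would appear in the connection events either.
POLICY = [
    Rule("blockeicar", "Block with reset", apps={"BitTorrent"},
         url_categories={"Malware Sites"}),
]
FIXED_POLICY = [
    Rule("blockeicar", "Block with reset", url_categories={"Malware Sites"}, log=True),
]

if __name__ == "__main__":
    c = Connection(app="HTTP", url_category="Malware Sites")
    print(evaluate(POLICY, c))        # (None, 'Allow', False)
    print(evaluate(FIXED_POLICY, c))  # ('blockeicar', 'Block with reset', True)
```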