01-11-2021 01:56 PM - last edited on 01-13-2021 10:12 PM by Jimena Saez
This event is a chance to discuss Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) regarding products, management, installation, configuration, implementation, use, and integration with other devices within your network. Learn the best practices to make the most of the advanced firewall settings, as well as the best practices to troubleshoot its common issues. This forum event works well as an introduction for those who are not familiar with the security tools and have recently started using them.
To participate in this event, please use the button below to ask your questions
Ask questions from Tuesday, January 12 to Friday, January 22, 2021
For more information, visit the Security Discussions category.
Find further events on Security Events list.
01-12-2021 04:30 AM - edited 01-12-2021 04:31 AM
Hello team,
When using an FDM-managed FTD 6.7 appliance we are directed to use the API for adding snmp-server hosts. Reference:
However, when querying the interfaces using the API explorer, we are unable to get the diagnostic interface details. The API query GET /devices/default/interfaces only returns information for data interfaces. GET /devices/default/operational/interfaces shows us diagnostic interface information but not the interface "version", "name", "id", and "type" fields needed for the POST /object/snmphosts/ API.
So how do we add an snmp-server for the diagnostic interface? The appliance in question is a Firepower 2140 if that makes any difference.
01-12-2021 01:55 PM - edited 01-12-2021 02:05 PM
Hi Marvin,
To get the details of the diagnostic interface, first, get the id of the Management interface with the API query InterfaceInfo > GET /operational/interfaceinfo/{objId}. You can leave the default value for the objid parameter.
{
  "interfaceInfoList": [
    {
      "interfaceId": "string",
      "hardwareName": "string",
      "speedCapability": [
        "AUTO"
      ],
      "duplexCapability": [
        "AUTO"
      ],
      "interfacePresent": true,
      "id": "string",
      "type": "InterfaceInfoEntry"
    }
  ],
  "id": "string",
  "type": "InterfaceInfo",
  "links": {
    "self": "string"
  }
}
This is an example of the API response for the Management interface.
{
  "interfaceInfoList": [
    {
      "interfaceId": "b727b013-c677-11e9-adec-5d5808710d61",
      "hardwareName": "Management1/1",
      "speedCapability": [
        "IGNORE"
      ],
      "duplexCapability": [
        "IGNORE"
      ],
      "interfacePresent": true,
      "id": "default",
      "type": "interfaceinfoentry"
    }
  ],
  "id": "default",
  "type": "interfaceinfo",
  "links": {
    "self": "https://x.x.x.x/api/fdm/v5/operational/interfaceinfo/default"
  }
}
Collect the interfaceId value; this will be the value of the objId of the next query.
Now go to Interface > GET /devices/default/operational/interfaces/{objId}. Add the interfaceId value of the Management interface from the above query and execute the API call.
From the API response, you will get the diagnostic interface details.
{
  "name": "diagnostic",
  "hardwareName": "Management1/1",
  "ipv4Address": {
    "ipAddress": null,
    "netmask": null,
    "type": "ipv4address"
  },
  "ipv6Address": {
    "ipAddress": null,
    "type": "ipv6address"
  },
  "macAddress": "string",
  "speedType": null,
  "enabled": true,
  "linkState": "UP",
  "id": "b727b013-c677-11e9-adec-5d5808710d61",
  "type": "interfacedata",
  "links": {
    "self": "https://x.x.x.x/api/fdm/v5/devices/default/operational/interfaces/b727b013-c677-11e9-adec-5d5808710d61"
  }
}
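The two-step lookup described in this answer, as an added example that is not part of the original post: it parses the interfaceinfo and operational-interface responses quoted above (embedded here as constructed samples) and builds the interface reference the snmphosts POST asks for. The fdm_get helper, the bearer-token header and the /api/fdm/v5 base URL are assumptions for a live device.

```python
"""Resolve the FTD diagnostic interface via the FDM REST API (added example)."""
import json
import ssl
import urllib.request

# Constructed samples, trimmed from the two API responses quoted in the answer above.
SAMPLE_INTERFACEINFO = {
    "interfaceInfoList": [
        {"interfaceId": "b727b013-c677-11e9-adec-5d5808710d61",
         "hardwareName": "Management1/1", "interfacePresent": True,
         "id": "default", "type": "interfaceinfoentry"}
    ],
    "id": "default", "type": "interfaceinfo",
}
SAMPLE_OPERATIONAL_INTERFACE = {
    "name": "diagnostic", "hardwareName": "Management1/1", "enabled": True,
    "linkState": "UP", "id": "b727b013-c677-11e9-adec-5d5808710d61",
    "type": "interfacedata",
}

def management_interface_id(interfaceinfo: dict) -> str:
    """Step 1: take the Management interface's interfaceId from GET /operational/interfaceinfo/default."""
    for entry in interfaceinfo.get("interfaceInfoList", []):
        if entry.get("interfacePresent") and entry.get("hardwareName", "").startswith("Management"):
            return entry["interfaceId"]
    raise LookupError("no present Management interface in interfaceinfo response")

def interface_reference(operational_interface: dict) -> dict:
    """Step 2: build the name/id/type reference from GET /devices/default/operational/interfaces/{objId}.
    The response for the diagnostic interface carries no 'version' field, which the snmphosts
    POST also expects, so the reference returned here is what this data can provide."""
    missing = [k for k in ("name", "id", "type") if k not in operational_interface]
    if missing:
        raise KeyError(f"operational interface response lacks {missing}")
    ref = {k: operational_interface[k] for k in ("name", "id", "type")}
    if "version" in operational_interface:  # not present in the quoted response
        ref["version"] = operational_interface["version"]
    return ref

def fdm_get(base_url: str, path: str, token: str) -> dict:
    """Assumed helper for a live device: bearer-token auth, TLS verification left on."""
    req = urllib.request.Request(f"{base_url}{path}", headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=15) as resp:
        return json.load(resp)

def resolve_diagnostic_interface(base_url: str, token: str) -> dict:
    """Chain both steps against a device, e.g. base_url='https://x.x.x.x/api/fdm/v5' (assumed)."""
    iid = management_interface_id(fdm_get(base_url, "/operational/interfaceinfo/default", token))
    return interface_reference(fdm_get(base_url, f"/devices/default/operational/interfaces/{iid}", token))
```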
01-13-2021 04:32 AM
@Berenice Guerra That's helpful but I am still unable to create a well-formed PUT using the information derived from the instructions you gave. Perhaps it would be best if I opened a TAC case for this issue.
It is VERY frustrating that, for a senior engineer with over 10 years experience with Cisco firewalls, I can no longer easily do what took ONE LINE of configuration on an ASA now that we are on FTD.
01-16-2021 03:34 PM
Hi Marvin,
You are right, it seems this configuration is not supported on the diagnostic interface. But for sure you can open a TAC case; they will be able to help you and provide you further details about these changes in the current latest version.
01-12-2021 10:25 AM
Hello,
On ASA if an access-list allows connections between 2 interfaces with the same security-level, are these connections still subject to the ‘same-security-traffic permit inter-interface’ command check?
Thanks
Note: This question is a translation of a post originally created in Portuguese by Didier M. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
01-12-2021 10:26 AM
Yes. Even if an access-list allows connections between 2 interfaces with the same security-level, the "same-security-traffic permit inter-interface" command is still needed to allow connections.
01-12-2021 12:53 PM
Hi,
Is it possible to integrate ASA with Firepower services into the new SecureX dashboard ?
Cdlt. JMD
* This is a question posted in French by Jean MD. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
01-13-2021 08:01 AM - edited 01-13-2021 08:02 AM
Hi JMD,
Yes, in fact you can integrate your ASA devices with Firepower services with SecureX.
For this you will need to setup a proxy, Cisco Security Services Proxy (CSSP), which will work as a Syslog for the FTD in order to forward the events. The CSSP file to setup can be downloaded from the SSE portal.
For further details, see the following Cisco content.
Cisco Video Portal - https://video.cisco.com/video/6161531920001
Cisco Tech Notes - https://www.cisco.com/c/en/us/td/docs/security/firepower/integrations/CTR/Firepower_and_Cisco_Threat_Response_Integration_Guide/send_events_to_the_cloud_using_syslog.html
Thanks for asking
Bere
01-12-2021 04:57 PM - edited 01-12-2021 06:15 PM
Is there any upgrade path and procedure for firepower devices?
Note: This question is a translation of a post originally created in Japanese by S.Takenaka. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
01-13-2021 12:46 AM
Hi, yes there is a path, especially for the oldest versions of Firepower (6.1.0, 6.2.0 and 6.2.3).
In the release notes of each version you can find the upgrade path. For versions 6.2.3+ you can upgrade directly to any base version (6.3.0, 6.4.0, 6.5.0, 6.6.0).
The procedure is the same for the firepower devices and firepower threat defense. You can see the following link for the procedure.
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/213269-upgrade-procedure-through-fmc-for-firepo.html
The upgrade must be done first on the FMC and then on the sensors. The FMC must be on the same or a higher version than the sensors.
01-12-2021 07:05 PM - edited 01-12-2021 07:11 PM
Hi,
We'll be doing a tech refresh soon with our ASA 5500-X series. Per checking the EOL link, there's no product replacement yet, and I tried to search in Cisco links and tried to Google, but to no avail.
Our ASA simply does ACL, NAT, security/customer context, A/S HA, S2S and RA VPN in our environment, and we just need to do a 1-1 replacement.
Can someone advise the "rule of thumb" in sizing the equivalent ASA below:
ASA5525x > FPR21xx ?
ASA5545x > FPR41xx ?
ASA 5555x > FPR41xx ?
ASA5585-X > FPR9300 ?
We also plan to run the classic ASA image/appliance. Is there a separate one for this, or is the license structure shared with FTD?
01-14-2021 01:36 PM
Hi,
I would recommend you try the Firepower Performance Estimator tool to better match the performance of each appliance and see if it suits your needs.
ASA5525x, ASA5545x and ASA 5555x would be good to move to an FPR21xx appliance, and ASA5585-X > FPR41xx would be capable of handling basic configurations.
You can configure ASA as an instance in any of these appliances: FPR21xx, FPR41xx, and FPR 9300. For the ASA compatibility version, you can look at the Cisco ASA Compatibility Guide.
For the license, it's required to convert your classic licenses to smart licenses. Here is some Cisco Documentation about how to do it.
01-15-2021 02:05 AM
Hi,
I'm getting an "access denied" in the FP estimator tool even though I have a valid CCO login.
Is the tool/portal accessible to the public?
Is there an alternative sizing tool like CCW?
01-16-2021 03:39 PM
The FP Estimator Tool is accessible to the public. You may need to reach out to your account team to get the access request.
There is no other sizing tool for the device equivalents you are looking for.