Security Global Forum for ASA and FTD Topics - AMA

ciscomoderator
Community Manager


This event is a chance to discuss Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD): products, management, installation, configuration, implementation, use, and integration with other devices within your network. Learn the best practices for making the most of the advanced firewall settings, as well as the best practices for troubleshooting its common issues. This forum event also works well as an introduction for those who are not familiar with these security tools and have recently started using them.

To participate in this event, please use the Reply button below to ask your questions.

Ask questions from Tuesday, January 12 to Friday, January 22, 2021

Featured experts
Berenice Guerra Martinez is a Technical Consulting Engineer at the Cisco Global Technical Assistance Center (TAC) for Security - Next Generation Firewall (NGFW). She specializes in Threat Detection, ASA and Firepower configuration and best practices, and Firepower integrations. Berenice has a bachelor’s degree in electronic engineering with a cybersecurity specialization and is a Telecommunications Technician. She holds three different Cisco certifications: CCNA R&S, CyberOps Associate, and DevNet Associate.

Namit Agarwal is a Technical Marketing Engineer in the Security Business Group. He is based out of Toronto, Canada. He partners closely with our platform product management team and leads critical technical enablement engagements. He joined Cisco in 2009 and has held multiple positions, most recently working as a Technical Leader with the Security CX team in Bangalore, India. In that role, he worked on escalations, led serviceability initiatives for product improvement, and drove engagements with the NGFW sales teams. He is a CCIE n°33795 Security and has experience with multiple Cisco Security solutions such as Cisco Firewalls, IPS, VPN, and Cloud Security.

Ilkin Gasimov is a Technical Consulting Engineer in the Cisco Global TAC for Security - NGFW. He joined the TAC team in 2017 and since then has mainly been focused on supporting Cisco NGFW platforms and on collaboration with the Cisco Business Unit to contribute to NGFW product quality improvement. He has also delivered troubleshooting sessions to partners and customers. Before joining Cisco, he had hands-on experience with Cisco ASA firewalls in enterprise and mobile networking environments. He has held a CCIE n°54979 Security certification since 2016.

Ricardo Diez Gutierrez Gonzalez is a Technical Consulting Engineer at the Cisco HTTS TAC for Security – NGFW – ASA – VPN. He joined Cisco six years ago. He belonged to the incubator program for six months, achieving his CCNA, and then became a full-time engineer. Later he obtained his Specialist NGFW and CCNP Security certifications. He is currently studying for the CCIE exam.
 

For more information, visit the Security Discussions category.
Find further events on Security Events list.


Marvin Rhoads
Hall of Fame

Hello team,

When using an FDM-managed FTD 6.7 appliance we are directed to use the API for adding snmp-server hosts. Reference:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216551-configure-and-troubleshoot-snmp-on-firep.html#anc7

However, when querying the interfaces using the API explorer, we are unable to get the diagnostic interface details. The API query GET /devices/default/interfaces only returns information for data interfaces. GET /devices/default/operational/interfaces shows us diagnostic interface information but not the interface "version", "name", "id", and "type" fields needed for the POST /object/snmphosts/ API.

So how do we add an snmp-server for the diagnostic interface? The appliance in question is a Firepower 2140 if that makes any difference.

Hi Marvin,

 

To get the details of the diagnostic interface, first, get the id of the Management interface with the API query InterfaceInfo > GET /operational/interfaceinfo/{objId}. You can leave the default value for the objid parameter.

{
  "interfaceInfoList": [
    {
      "interfaceId": "string",
      "hardwareName": "string",
      "speedCapability": [
        "AUTO"
      ],
      "duplexCapability": [
        "AUTO"
      ],
      "interfacePresent": true,
      "id": "string",
      "type": "InterfaceInfoEntry"
    }
  ],
  "id": "string",
  "type": "InterfaceInfo",
  "links": {
    "self": "string"
  }
}

This is an example of the API response for the Management interface.

{
  "interfaceInfoList": [
     {
      "interfaceId": "b727b013-c677-11e9-adec-5d5808710d61",
      "hardwareName": "Management1/1",
      "speedCapability": [
        "IGNORE"
      ],
      "duplexCapability": [
        "IGNORE"
      ],
      "interfacePresent": true,
      "id": "default",
      "type": "interfaceinfoentry"
    }
  ],
  "id": "default",
  "type": "interfaceinfo",
  "links": {
    "self": "https://x.x.x.x/api/fdm/v5/operational/interfaceinfo/default"
  }
}

Collect the interfaceId value; this will be the value of the objId in the next query.

Now go to Interface > GET /devices/default/operational/interfaces/{objId}. Add the interfaceId value of the Management interface from the above query and execute the API call.

 

From the API response, you will get the diagnostic interface details.

{
  "name": "diagnostic",
  "hardwareName": "Management1/1",
  "ipv4Address": {
    "ipAddress": null,
    "netmask": null,
    "type": "ipv4address"
  },
  "ipv6Address": {
    "ipAddress": null,
    "type": "ipv6address"
  },
  "macAddress": "string",
  "speedType": null,
  "enabled": true,
  "linkState": "UP",
  "id": "b727b013-c677-11e9-adec-5d5808710d61",
  "type": "interfacedata",
  "links": {
    "self": "https://x.x.x.x/api/fdm/v5/devices/default/operational/interfaces/b727b013-c677-11e9-adec-5d5808710d61"
  }
}

 
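The two-step lookup in the answer above, as an added example that is not code from the thread or from Cisco: it runs offline against constructed responses shaped like the ones shown, and the hypothetical fetch_interface callable stands in for the HTTPS call to GET /devices/default/operational/interfaces/{objId}.

```python
"""Walk the FDM API lookup for the diagnostic interface (added example).

Assumptions: response shapes as shown in the thread; the sample payloads below
are constructed, not captured from a live device.
"""
from typing import Callable, Dict

# Constructed sample of GET /operational/interfaceinfo/default.
INTERFACEINFO = {
    "interfaceInfoList": [
        {"interfaceId": "b727b013-c677-11e9-adec-5d5808710d61",
         "hardwareName": "Management1/1", "interfacePresent": True,
         "id": "default", "type": "interfaceinfoentry"},
    ],
    "id": "default", "type": "interfaceinfo",
}

# Constructed sample of the operational interface response, keyed by objId.
OPERATIONAL = {
    "b727b013-c677-11e9-adec-5d5808710d61": {
        "name": "diagnostic", "hardwareName": "Management1/1", "enabled": True,
        "linkState": "UP", "id": "b727b013-c677-11e9-adec-5d5808710d61",
        "type": "interfacedata"},
}


def management_interface_id(interfaceinfo: Dict) -> str:
    """Step 1: the interfaceId of the present Management entry is the next objId."""
    for entry in interfaceinfo["interfaceInfoList"]:
        if entry.get("interfacePresent") and entry["hardwareName"].startswith("Management"):
            return entry["interfaceId"]
    raise LookupError("no Management interface in interfaceInfoList")


def diagnostic_interface_reference(interfaceinfo: Dict,
                                   fetch_interface: Callable[[str], Dict]) -> Dict:
    """Step 2: fetch the operational interface and keep the name/id/type fields.

    The operational response shown in the thread carries no 'version' field,
    so this reference cannot supply that field for the snmphosts POST.
    """
    obj_id = management_interface_id(interfaceinfo)
    iface = fetch_interface(obj_id)
    if iface.get("name") != "diagnostic":  # guard against a mis-resolved objId
        raise LookupError(f"objId {obj_id} resolved to {iface.get('name')!r}, not diagnostic")
    return {"name": iface["name"], "id": iface["id"], "type": iface["type"]}


if __name__ == "__main__":
    print(diagnostic_interface_reference(INTERFACEINFO, OPERATIONAL.__getitem__))
```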

@Berenice Guerra That's helpful but I am still unable to create a well-formed PUT using the information derived from the instructions you gave. Perhaps it would be best if I opened a TAC case for this issue.

It is VERY frustrating that, for a senior engineer with over 10 years experience with Cisco firewalls, I can no longer easily do what took ONE LINE of configuration on an ASA now that we are on FTD.

Hi Marvin,

You are right; it seems this configuration is not supported on the diagnostic interface. But you can certainly open a TAC case; they will be able to help you and provide further details about these changes in the current latest version.

Cisco Moderador
Community Manager

Hello,

On ASA if an access-list allows connections between 2 interfaces with the same security-level, are these connections still subject to the ‘same-security-traffic permit inter-interface’ command check?

Thanks

Note: This question is a translation of a post originally created in Portuguese by Didier M. It has been translated by Cisco Community to share the inquiry and its solution in different languages.

Yes. Even if an access-list allows connections between 2 interfaces with the same security-level, the "same-security-traffic permit inter-interface" command is still needed to allow connections.

Hi,

Is it possible to integrate ASA with Firepower services into the new SecureX dashboard?

Cdlt. JMD

* This is a question posted in French by Jean MD. It has been translated by Cisco Community to share the inquiry and its solution in different languages.

Hi JMD,

Yes, in fact you can integrate your ASA devices with Firepower services with SecureX.

For this you will need to set up a proxy, Cisco Security Services Proxy (CSSP), which will work as a syslog destination for the FTD in order to forward the events. The CSSP file to set up can be downloaded from the SSE portal.

For further details, see the following Cisco content.

Cisco Video Portal - https://video.cisco.com/video/6161531920001

Cisco Tech Notes - https://www.cisco.com/c/en/us/td/docs/security/firepower/integrations/CTR/Firepower_and_Cisco_Threat_Response_Integration_Guide/send_events_to_the_cloud_using_syslog.html

 

Thanks for asking

Bere

Is there any upgrade path and procedure for firepower devices?

Note: This question is a translation of a post originally created in Japanese by S.Takenaka.  It has been translated by Cisco Community to share the inquiry and its solution in different languages.

Hi, yes there is a path, especially for the oldest versions of Firepower (6.1.0, 6.2.0 and 6.2.3).
In the release notes of each version you can find the upgrade path. For versions 6.2.3+ you can upgrade directly to any base version (6.3.0, 6.4.0, 6.5.0, 6.6.0).
The procedure is the same for the Firepower devices and Firepower Threat Defense. You can see the following link for the procedure.
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/213269-upgrade-procedure-through-fmc-for-firepo.html
The upgrade must be done first on the FMC and then on the sensors. The FMC must be on the same or a higher version than the sensors.

johnlloyd_13
Level 9

Hi,

We'll be doing a tech refresh soon with our ASA 5500-X series. Per checking the EOL link, there's no product replacement yet, and I tried to search in Cisco links and tried to Google, but to no avail.

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/eos-eol-notice-c51-743545.html

 

Our ASA simply does ACL, NAT, security/customer context, A/S HA, S2S and RA VPN in our environment, and we just need to do a 1-1 replacement.

Can someone advise the "rule of thumb" for sizing the equivalent ASA below:

ASA5525x > FPR21xx ?

ASA5545x > FPR41xx ?

ASA 5555x > FPR41xx ?

ASA5585-X > FPR9300 ?

We also plan to run the classic ASA image/appliance. Is there a separate one for this, or is the license structure shared with FTD?

Hi,

I would recommend that you try the Firepower Performance Estimator tool, to better see the performance of each appliance and whether it suits your needs.

 

ASA5525x, ASA5545x and ASA 5555x would be good to move to an FPR21xx appliance, and for the ASA5585-X an FPR41xx would be capable of handling basic configurations.

 

You can configure ASA as an instance in any of these appliances: FPR21xx, FPR41xx, and FPR 9300. For the ASA compatibility version, you can look at the Cisco ASA Compatibility Guide.

 

For the license, it's required to convert your classic licenses to smart licenses. Here is some Cisco Documentation about how to do it.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/smart-licensing/qsg/b_Smart_Licensing_QuickStart/b_Smart_Licensing_QuickStart_chapter_011.pdf

https://software.cisco.com/web/fw/softwareworkspace/smartlicensing/ssmcompiledhelps/c_Convert_Classic_Licensing.html

Hi,

I'm getting an "access denied" in the FP estimator tool even though I have a valid CCO login.

Is the tool/portal accessible to the public?

Is there an alternative sizing tool like CCW?

The FP Estimator Tool is accessible to the public. You may need to reach out to your account team to submit the access request.

 

There is no other sizing tool for the device equivalents you are looking for.
