This event is a chance to discuss Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD): the products themselves, management, installation, configuration, implementation, use, and integration with other devices in your network. Learn the best practices for making the most of the advanced firewall settings, as well as the best practices for troubleshooting their common issues. This forum event also works well as an introduction for those who are not familiar with these security tools and have recently started using them.
To participate in this event, please use the button below to ask your questions
Ask questions from Tuesday, January 12 to Friday, January 22, 2021
You can create captures in two different ways on the FTD.
Using the GUI:
Go to system > health > monitor.
Search for and select the device where you want to enable the captures
Click on Advanced troubleshooting
Navigate to Capture w/ Trace and then click on Add captures
SSH into the FTD.
You will get to the clish prompt (>)
We need to jump to the LINA side (ASA code) using the following command:
>system support diagnostic-cli
Password: <------ just hit enter, there is no enable password
Here you can enable the captures using the same commands you use on the ASA:
firepower#capture in interface inside match ip any any
In addition to Ricardo's solution, I can tell you that FTD devices contain a LINA part in which we can run some of the commands you used to run on ASA devices. In order to navigate from the clish prompt (the FTD portion) to the LINA side (ASA), type the 'system support diagnostic-cli' command; this should take you to the LINA portion, where you will be able to run most of the ASA commands.
For further details about how to set up packet captures in the NGFW product family, you can consult the following content.
Cisco Video Portal - https://video.cisco.com/video/6176793105001
Cisco Tech Notes - https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html
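As an added example that is not part of either answer above, here is a fuller capture session on the LINA side: a narrowed match filter, a traced capture, an asp-drop capture, export of the buffer and cleanup. The interface name "inside", the hosts 10.1.1.50 and 10.2.2.20 and the TFTP server 10.9.9.5 are constructed values.

```text
! Enter the LINA CLI first: > system support diagnostic-cli, then "enable" and press Enter.
! Match only the flow of interest; "match ip any any" fills the buffer with unrelated traffic.
firepower# capture CAP-WEB interface inside match tcp host 10.1.1.50 host 10.2.2.20 eq 443
! A traced capture records the path of the first packets (NAT, ACL, inspection verdict).
firepower# capture CAP-TRACE interface inside trace match tcp host 10.1.1.50 host 10.2.2.20 eq 443
! Packets dropped by the accelerated security path are captured with their drop reason.
firepower# capture CAP-DROP type asp-drop all
! Inspect the buffers.
firepower# show capture CAP-WEB
firepower# show capture CAP-TRACE packet-number 1 trace
firepower# show capture CAP-DROP | include 10.1.1.50
! Export the buffer as a pcap for offline analysis.
firepower# copy /pcap capture:CAP-WEB tftp://10.9.9.5/cap-web.pcap
! Captures use memory and stay active until removed; clean up when done.
firepower# no capture CAP-WEB
firepower# no capture CAP-TRACE
firepower# no capture CAP-DROP
```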
Yes, the ASA is supported on some virtual environments. It is called ASAv and we support:
Amazon Web Services
Kernel-based Virtual Machine (KVM)
Oracle Cloud Infrastructure (OCI)
For more information please check
Yes, the deployment of ASA is supported in different virtual platforms like VMWare, KVM or Azure.
For further details about how to deploy an ASAv on Microsoft Azure, see the following video from the Cisco Video Portal site: https://video.cisco.com/video/6175870414001
How can I replace a pair of HA ASAs if a unit is faulty?
Thanks a lot,
Note: This question is a translation of a post originally created in Spanish by Adolfo Suarez. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
Here is the procedure:
1.- After you replace the unit (RMA), you have to connect the ASA interfaces and turn on the device.
2.- Re-host the license (open a TAC case with the licensing team).
3.- If the ASA is in multicontext, change to multiple-context mode using the command "mode multiple". It will reboot the firewall.
4.- From the unit that is working, take the output of the "show run failover" command, change the role (if the working unit is the primary then change it to secondary) and paste it on the replaced device.
5.- Enable the failover using the command "failover"
6.- Check services and test a failover using the command "no failover active" on the active unit
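As an added illustration of the role-swap step (not part of the answer above), here is what the "show run failover" output from the surviving primary looks like next to the block pasted into the replacement unit. The failover interface GigabitEthernet0/7, the name FOLINK and the 192.168.254.0/30 addresses are constructed values.

```text
! Output of "show run failover" on the surviving unit (role: primary)
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover replication http
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2

! Same block pasted into the replacement unit with the role swapped to secondary.
! Only the "failover lan unit" line changes: the ip/standby addresses are kept as they are,
! because each unit picks its own address from its role, and the failover interface must be up.
interface GigabitEthernet0/7
 no shutdown
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/7
failover replication http
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2

! Enable failover last; the new secondary then syncs the running config from the active unit.
failover
! Verify both units see each other before testing with "no failover active" on the active unit.
show failover state
show failover
```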
We have a pair of FP4115's and a pair of FMC2600 boxes with 3 FTD HA instances running within the 4115's. We're on 184.108.40.206 for FMC/FTD and 2.8(1.125) for FXOS.
It's being suggested by our MSP to go to 6.6.1-91 for FMC/FTD, which makes absolute sense from a security and stability perspective. From a functionality perspective, however, 6.7 looks like it will address the reasons we haven't migrated to AnyConnect yet from MS DirectAccess; we've bought all the appropriate licences, and there are other features that will make our MSP's life easier.
Any idea when 6.7 will move to suggested release? Are there any risks we could face by ignoring the suggested advice and guiding our MSP to go to that version?
There is no date defined to make 6.7 the next recommended version. In fact, the 6.7 version was released to add new features to the Firepower devices.
I'd say that if you have made a proper analysis of your network requirements and see one version as more suitable than the other, then it will depend on your network environment which one would work better for you.
Is Speed test or any third party speed testing a good measure for speed testing for Firepower devices?
* This is a question posted in French by ADC. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
When you test with any speed testing website, or any bandwidth measurement tool such as iperf, one large single-stream TCP flow is generated. This type of large TCP flow is called an Elephant Flow. An Elephant Flow is a single-session, relatively long-running network connection that consumes a large or disproportionate amount of bandwidth. This type of flow is assigned to one Snort instance; therefore the test result displays the throughput of a single Snort instance, not the aggregate throughput rating of the appliance.
One good option would be an FTP transfer through the firewall.
Also you can use this tool to estimate the performance of your firepower device
The file policy can detect and inspect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB). Any, the default, detects files in HTTP, SMTP, IMAP, POP3, FTP, and NetBIOS-ssn (SMB) traffic.
In order for the file policy to be in effect for the above protocols in encrypted connections, such as HTTPS, such connections must be decrypted first. IM software typically uses encrypted connections, so they are subject to decryption before the file policy takes effect on the payload. Whether a particular connection can be decrypted or not depends on a few factors. The Encrypted Traffic Handling section of the configuration guide shows the guidelines and limitations of handling encrypted traffic in Firepower software.
Hello Cisco team,
First of all, thank you for the initiative in these types of events, they are really very helpful for the community.
I have a little question regarding VPN filters in a Client to site VPN (Anyconnect) in FTD managed by FDM.
In ASA I used to create a VPN filter for local users like this:
I create the ACL
access-list VPN-FILTER-NAME permit <ip/tcp/udp> object-group IPPOOL <LOCAL-NETWORK/PORT>
And then I apply the ACL in the username attributes:
username <user> attributes
vpn-filter value VPN-FILTER-NAME
access-list AQUAMAN-FILTER extended permit tcp object-group CLIENT-VPN-IPPOOL host 172.24.16.10 eq 3389
username aquaman password 12345
username aquaman attributes
vpn-filter value AQUAMAN-FILTER
and it works.
But in the FDM, I have not found a feature where I can create this kind of filter.
In FDM users are created by Objects > Users > Add Local User (Service Types: RA-VPN)
Name and password are the only attributes that I can fill.
I already tried to enable the Identity Policy in the Policies tab, and then created an ACL adding the source (IPPOOL), the destinations (<LOCAL-NETWORK/PORT>) and the local users that were created. Bypass Access Control policy for decrypted traffic (sysopt permit-VPN) was disabled in the Remote Access VPN Connection Profiles, so that the ACL I created could take effect. But it did not work.
Maybe I am missing something; could you please help me with the best practices for creating VPN filters for local users in a client-to-site VPN (AnyConnect) managed by FDM?
Hi, currently FDM does not support specifying user attributes such as vpn-filter for local users. The local users used in the Remote Access VPN are detected as part of Passive Identity and can be used in the Access Control Policy to control access for the VPN user.
It is in effect better than the ASA option, as we can specify applications as well in the Access Control Policy rule. For this to work, we need to enable the Identity Policy in FDM, and there is no need to create an Identity rule.
I just tested this on FDM and it works. You can re-verify the settings and let me know (can you confirm what you are seeing in the connection events on the FDM monitoring tab?).