Web filtering in Cisco ASA using the sfr module

diwakar410
Level 1

Hello there,

I have a Cisco ASA 5515-X version 9.2(2) and I am using ASDM version 7.2(2). I have SFR module 5.3.1 in the ASA. I want to enable the web filtering feature in the ASA. Previously, I used the regex expression method in the ASA to do the URL filtering, but this was not effective. Since I have a license for FireSIGHT Management, I want to use it.

But I am confused, as some Cisco docs say that we need to configure FireSIGHT Management in VMware while others suggest running the boot image in the ASA itself. What is the proper way of doing it?

From the show module command, I can see my SFR module is up, so does that mean the SFR module is pre-installed and I don't have to do much configuration?

It would be better for me to run it in the ASA itself, but if it doesn't work that way then I will configure it in a VM. So please clarify my options and my best chances.

If it is to be installed in a VM or in the ASA itself, then please provide me the link to download the boot images and other files from cisco.com. I have the cisco.com username and password but could not find the correct software.

Thank you in advance.


8 Replies

Marvin Rhoads
Hall of Fame

Your ASA 5515-X is running the minimum version necessary to support the FirePOWER (sfr) module. The module is also running the initial release of FirePOWER software for ASA module-based FirePOWER.

With that combination of ASA and FirePOWER software on your appliance, you are required to use an external FirePOWER Manager to manage the module (create policies, apply licenses, monitor events, etc.).

As of ASA 9.5(1) and FirePOWER 6.0 you have the option to do most of the same functions via ASDM. You would need to upgrade both the ASA (and ASDM) and FirePOWER module to accomplish that.

In either case you would need the Protect and URL Filtering licenses for the FirePOWER module.

The Quick Start Guide is here: http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Also see the excellent Lab Minutes video guides for FirePOWER: http://labminutes.com/video/sec/ASA%20FirePower

The ASA and ASDM Software is here:

https://software.cisco.com/download/type.html?mdfid=284143128&flowid=31442

FirePOWER module software is here:

https://software.cisco.com/download/release.html?mdfid=286271171&flowid=77243&softwareid=286277393&release=6.0.1&relind=AVAILABLE&rellifecycle=&reltype=latest

To run FirePOWER Management Center VM, that software is here:

https://software.cisco.com/download/release.html?mdfid=286259687&flowid=54052&softwareid=286271056&release=5.4.1.6&relind=AVAILABLE&rellifecycle=&reltype=latest

All of the above links require a cisco.com userid with entitlement (support contract) to download the software.

Hello Marvin,

Thanks a lot for your input. I did the task as you suggested and it was quite fruitful.

We have installed the FirePOWER Management Center in our VMware ESXi for our SFR module 5.3.1. Our ASA is a 5515-X version 9.2.2 and ASDM version 7.2.2.
The management IP of the ASA is 192.168.1.1 and the Sourcefire Defense Center of the FirePOWER Management Center is 192.168.0.9, and we have installed the license for the SFR module. But we don't have the URL filtering license.
Both are in different networks. Now, I don't see any connection of the Defense Center with the ASA. How am I going to block traffic or do the URL filtering this way?
My requirements are simple and all I want is the ultimate solution for URL filtering. And we don't have a URL filtering license. How do I filter the traffic?

You need to register your FirePOWER module to FireSIGHT. That is a prerequisite. The Quick Start Guide describes how to do so.

You will also need to apply both the control license and purchase and apply the URL filtering license.

Once you have done so, you can use URLs in your Access Policy and deploy that to the managed and licensed FirePOWER modules.

Hi Marvin,

Actually, I had not registered my FirePOWER module to FireSIGHT. OK, I will do that.

The thing that is bothering me is that I don't have a URL filtering license; all I had was the license for the FireSIGHT Management Center, which was for monitoring 2 devices. So is there a way I can use URL filtering through the FireSIGHT Management Center?

Hi Marvin,

To be precise, I need to manually block the URLs, and that too without a URL filtering license.

I want to block the URLs one by one.

Diwakar

Doing it manually is possible without the URL Filtering license, but it is much more laborious.

First define the URLs you want to block: Objects > Object Management > URL, then add them one at a time.

Now that you have the objects defined, build an Access Control policy using them.

Policies > Access Control > New Policy. Then Add Rule and choose from the URL tab and sub-tab to pick the objects you created earlier.

This is all in addition to any other Access Policy elements, Network Discovery policy etc.
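The steps above cover the FireSIGHT side only; the ASA must also hand traffic to the sfr module, or the Access Control policy never inspects anything. The fragment below is an added example, not from this thread or Cisco's guide; it assumes the ASA's default global_policy, and the ACL and class-map names are hypothetical.

```cisco
! Added example (not from the thread): redirect traffic from the ASA to the sfr module.
! Assumes the default global_policy; "sfr-acl" and "sfr-class" are hypothetical names.
!
! Match the traffic to inspect (everything here; narrow it to inside subnets if preferred)
access-list sfr-acl extended permit ip any any
!
class-map sfr-class
 match access-list sfr-acl
!
policy-map global_policy
 class sfr-class
  sfr fail-open
! fail-open keeps traffic flowing if the module is down (availability over inspection);
! "sfr fail-close" drops the matched traffic instead while the module is unavailable.
!
! The global policy is applied to all interfaces by default; re-applying it is harmless.
service-policy global_policy global
!
! Verify: "show module sfr details" shows the module status and the DC it is registered to;
! "show service-policy sfr" shows the packet counts actually sent to the module.
```

The module's own management interface must still reach the Defense Center for registration; this redirect only governs which data-plane traffic the module inspects.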

Hi Marvin, 

I have installed "Sourcefire_Defense_Center_Virtual64_VMware-5.3.1-152.tar" on my virtual machine and it was working. Now the Cisco support engineer says I need to upgrade to at least version 5.4.1.6 on the DC and 5.4.0.7 on the SFR. Now this has confused me. In my understanding, the DC is the Defense Center, which was created using this "Sourcefire_Defense_Center_Virtual64_VMware-5.3.1-152.tar" image file. If so, then what is to be upgraded to 5.4.0.7 on the SFR? SFR is something that is running on the ASA, is what he told me. But my ASA is running version 9.2(2).

Now that I have 5.3.1 on the DC running on the VM, do I uninstall it and then install the 5.4.0-763 tar.gz? Will that work?

What is the difference between the FireSIGHT Virtual Defense Center for VMware Package Installer and the Sourcefire 3D Defense Center S3 Upgrade 5.4?

Can you please explain the whole thing to me? Sorry for the pretty long queries.

Thank you in advance.

Hello Diwakar,

The answer to your first question is, the engineer must have meant to upgrade the Defense Center (FireSIGHT Management Center) from the existing version 5.3.1 to 5.4.1.6, which is the latest available and stable version. By SFR he means the FirePOWER device or FirePOWER SFR module that you have integrated with the ASA firewall. It depends on what kind of FirePOWER you have. Verify what kind of FirePOWER you have, i.e. whether it is a FirePOWER hardware device or an SFR module.

If you have a DC on version 5.3.1, you just have to upgrade the DC to 5.4 directly. The FireSIGHT Virtual Defense Center for VMware Package Installer is a base image to start a fresh installation from 5.4.0; you then apply the patch Sourcefire 3D Defense Center S3 Upgrade 5.4.

Refer to the following release notes for the 5.4 upgrade steps and procedures.

http://www.cisco.com/c/en/us/td/docs/security/firesight/540/relnotes/FireSIGHT-System-Release-Notes-v5-4.html#pgfId-51290

5.4 is a major release upgrade, due to which it has an installer file as well as a patch. Since you already have 5.3.1, you just need to use the patch Sourcefire 3D Defense Center S3 Upgrade 5.4 and update with it.

Rate if this post helps you.

Regards

Jetsy
