Thursday, February 4, 2016

ASA FirePower Basic Configuration

I've posted my first hands-on experience with the ASA FirePower module after I was sent for training a few months ago. Our Cisco account manager was generous in providing me the hardware needed for my proof-of-concept (POC) in our office. Since my one-day training wasn't enough, I've used the videos found in Lab Minutes website to help with my POC.

Cisco also released a free virtual FireSight demo website, which is still accessible as of this writing, where you can play around its policies all day long. The username is dcloud and 23083 for the password.



My lab setup is composed of a Cisco ASA5515-X with FirePower module (an SSD drive), FireSight (a.k.a Defense Center), a monitoring PC, Layer 2 switch and an autonomous AP for connecting wireless clients (laptop and smartphone). The ASA runs a 9.2(2.4) image and FirePower is on 5.4 OS.



ciscoasa# sw-module ?

  module  Act on a module
ciscoasa# sw-module module ?

Available module ID(s):
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
ciscoasa# sw-module module sfr ?     // OPERATIONS WE CAN PERFORM ON SFR

  recover    Configure recovery of this module
  reload     Reload the module
  reset      Reset the module
  shutdown   Shut down the module
  uninstall  Uninstall the module


ciscoasa# session ?

Available module ID(s):
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
ciscoasa# session sfr ?

  console  Login to console port on another module.
  do       Execute a command on another module.
  ip       Configure Module logging port ip addresses
  <cr>
ciscoasa# session sfr console ?

  <cr>
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

Sourcefire3D login: admin
Password: Sourcefire      // DEFAULT LOGIN admin / Sourcefire

Last login: Tue Oct 13 08:13:28 UTC 2015 from 192.168.1.13 on pts/0

Copyright 2004-2014, Cisco and/or its affiliates. All rights reserved. Sourcefire is
a registered trademark of Sourcefire, Inc. All other trademarks are
property of their respective owners.

Sourcefire Linux OS v5.4.0 (build 126)
Sourcefire ASA5515 v5.4.0 (build 763)


kdump               Enable or disable kernel crash dump data collection
log-ips-connection  Configure Logging of Connection Events
manager             Change to Manager Configuration Mode
network             Change to Network Configuration Mode
password            Change password
user                Change to User Configuration Mode
vmware-tools        Configure state of VMware Tools

> configure manager

add     Configure managing Defense Center
delete  Remove managing Defense Center

> configure manager add

configure manager add <host> <key> [nat-id]
 Configure managing Defense Center

  host     hostname | ipv4 address | ipv6 address | DONTRESOLVE
  key      registration key
  nat-id   optional nat-id (required if host set to DONTRESOLVE) []

> configure manager add 192.168.1.6 firepower


ciscoasa# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            FCH1825JABC
 ips Unknown                                      N/A                FCH1825JABC
cxsc Unknown                                      N/A                FCH1825JABC
 sfr FirePOWER Services Software Module           ASA5515            FCH1825JABC

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 1c6a.7a18.7123 to 1c6a.7a18.7456  1.0          2.1(9)8      9.4(1)
 ips 1c6a.7a18.7789 to 1c6a.7a18.7789  N/A          N/A
cxsc 1c6a.7a18.7789to 1c6a.7a18.7789 N/A          N/A
 sfr 1c6a.7a18.7789 to 1c6a.7a18.7978  N/A          N/A          5.4.0-763

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
 sfr ASA FirePOWER                  Up               5.4.0-763

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable
 sfr Up                 Up

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual

ciscoasa# show module ?

Available module ID(s):
  0     Module ID
  all   show all module information for all slots
  cxsc  Module ID
  ips   Module ID
  sfr   Module ID
  |     Output modifiers
  <cr>

ciscoasa# show module sfr ?

  details  show detailed hardware module information
  log      show logs for this module
  recover  show recover configuration for this module
  |        Output modifiers
  <cr>
ciscoasa# show module sfr details
Getting details from the Service Module, please wait...

Card Type:          FirePOWER Services Software Module
Model:              ASA5515
Hardware version:   N/A
Serial Number:      FCH1825JABC
Firmware version:   N/A
Software version:   5.4.0-763
MAC Address Range:  1c6a.7a18.7123 to 1c6a.7a18.7456
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       5.4.0-763
Data Plane Status:  Up
Console session:    Ready
Status:             Up
DC addr:            192.168.1.5
Mgmt IP addr:       192.168.1.6
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       0.0.0.0
Mgmt web ports:     443
Mgmt TLS enabled:   true



The “interesting” network traffic is redirected to the FirePower module. The redirection is quickly done on ASDM by going to Configuration > Service Policy Rules > Global Policy. Click on global-class and tick Any Traffic under Traffic Classification tab.  Under Rule Actions Tab, go to ASA FirePOWER Inspection, tick Enable ASA FirePOWER for this traffic flow and choose Permit traffic radio button. Note that activating more FirePower features will change its performance according to its product performance matrix.




ciscoasa# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class global-class  
  sfr fail-open     // TRAFFIC WILL BE FORWARDED EVEN WHEN SFR FAILS OR UPDATING

 class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect icmp error
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp

ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

> configure

kdump               Enable or disable kernel crash dump data collection
log-ips-connection  Configure Logging of Connection Events
manager             Change to Manager Configuration Mode
network             Change to Network Configuration Mode
password            Change password
user                Change to User Configuration Mode
vmware-tools        Configure state of VMware Tools

> configure manager

add     Configure managing Defense Center
delete  Remove managing Defense Center

> configure manager add

configure manager add <host> <key> [nat-id]
 Configure managing Defense Center

  host     hostname | ipv4 address | ipv6 address | DONTRESOLVE
  key      registration key
  nat-id   optional nat-id (required if host set to DONTRESOLVE) []

> configure manager add 192.168.1.6

configure manager add <host> <key> [nat-id]
 Configure managing Defense Center

  host     hostname | ipv4 address | ipv6 address | DONTRESOLVE
  key      registration key
  nat-id   optional nat-id (required if host set to DONTRESOLVE) []

> configure manager add 192.168.1.6 firepower

> show managers
Type                      : Manager
Host                      : 192.168.1.5
Registration              : Completed


ciscoasa# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: global-class
      SFR: card status Up, mode fail-open
        packet input 7291276, packet output 7291461, drop 3022, reset-drop 21
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 180712, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 2 pkts/sec, v6-fail-close 0
      Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: icmp, packet 9279, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: icmp error, packet 333, lock fail 0, drop 0, reset-drop 0, 5-min-
pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0
, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: netbios, packet 24, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-
rate 0 pkts/sec, v6-fail-close 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate
0 pkts/sec, v6-fail-close 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate
 0 pkts/sec, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate
 0 pkts/sec, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0


Here are some post setup that are useful on the FireSight system. You could modify the FireSight hostname, management IP address, NTP server, etc. under System > Local  System Policy.




You could update the FireSight host license and update other licensed features (which are non-transferrable) under System > Licenses.




You could adjust FireSight health monitoring thresholds under Health > Health Policy.



Before creating system health alerts under Health Monitor Alert, we need to create the actual alerts under Policies > Actions > Alerts and click on Create Alert.




Under Health Monitor Alerts, you could create a customized alert and choose the Severity level and the Modules you want to monitor.


You also need to perform regular patches on the FireSight system and FirePower module or sensor under System > Updates. The FireSight would need an Internet access in order to get updates from Cisco. The update can be done manually by downloading the update file and clicking on Upload Update and automatically by just clicking Download updates.


The Rule Updates pertains to intrusion rules (signature) which can be manually updated or automatically by setting the import frequency date/time. It's better to uncheck the Reapply access control policies after the rule update import completes so that we know and control what updates are being applied to the system.


Lastly, you could perform a Geolocation Updates, which is a database of country, city, coordinates (similar to GPS), etc. This is similar to Facebook's GeoTagging where your photo shows the place where it was taken.


2 comments:

  1. Great post!I agree with everything you said.Please visit once at qosnetworking.com.

    ReplyDelete
  2. FireSight demo website is no longer available. Too bad.

    ReplyDelete