Cisco also released a free virtual FireSight demo website, which is still accessible as of this writing, where you can play around its policies all day long. The username is dcloud and 23083 for the password.
My lab setup is composed of a Cisco ASA5515-X with FirePower module (an SSD drive), FireSight (a.k.a Defense Center), a monitoring PC, Layer 2 switch and an autonomous AP for connecting wireless clients (laptop and smartphone). The ASA runs a 9.2(2.4) image and FirePower is on 5.4 OS.
ciscoasa# sw-module ?
module Act on a module
ciscoasa# sw-module module ?
Available module ID(s):
cxsc Module ID
ips Module ID
sfr Module ID
ciscoasa# sw-module module sfr ? // OPERATIONS WE CAN PERFORM ON SFR
recover Configure recovery of this module
reload Reload the module
reset Reset the module
shutdown Shut down the module
uninstall Uninstall the module
ciscoasa# session ?
Available module ID(s):
cxsc Module ID
ips Module ID
sfr Module ID
ciscoasa# session sfr ?
console Login to console port on another module.
do Execute a command on another module.
ip Configure Module logging port ip addresses
<cr>
ciscoasa# session sfr console ?
<cr>
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Sourcefire3D login: admin
Password: Sourcefire // DEFAULT LOGIN admin / Sourcefire
Last login: Tue Oct 13 08:13:28 UTC 2015 from 192.168.1.13 on pts/0
Copyright 2004-2014, Cisco and/or its affiliates. All rights reserved. Sourcefire is
a registered trademark of Sourcefire, Inc. All other trademarks are
property of their respective owners.
Sourcefire Linux OS v5.4.0 (build 126)
Sourcefire ASA5515 v5.4.0 (build 763)
kdump Enable or disable kernel crash dump data collection
log-ips-connection Configure Logging of Connection Events
manager Change to Manager Configuration Mode
network Change to Network Configuration Mode
password Change password
user Change to User Configuration Mode
vmware-tools Configure state of VMware Tools
> configure manager
add Configure managing Defense Center
delete Remove managing Defense Center
> configure manager add
configure manager add <host> <key> [nat-id]
Configure managing Defense Center
host hostname | ipv4 address | ipv6 address | DONTRESOLVE
key registration key
nat-id optional nat-id (required if host set to DONTRESOLVE) []
> configure manager add 192.168.1.6 firepower
ciscoasa# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515 FCH1825JABC
ips Unknown N/A FCH1825JABC
cxsc Unknown N/A FCH1825JABC
sfr FirePOWER Services Software Module ASA5515 FCH1825JABC
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 1c6a.7a18.7123 to 1c6a.7a18.7456 1.0 2.1(9)8 9.4(1)
ips 1c6a.7a18.7789 to 1c6a.7a18.7789 N/A N/A
cxsc 1c6a.7a18.7789to 1c6a.7a18.7789 N/A N/A
sfr 1c6a.7a18.7789 to 1c6a.7a18.7978 N/A N/A 5.4.0-763
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr ASA FirePOWER Up 5.4.0-763
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Up Up
Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual
ciscoasa# show module ?
Available module ID(s):
0 Module ID
all show all module information for all slots
cxsc Module ID
ips Module ID
sfr Module ID
| Output modifiers
<cr>
ciscoasa# show module sfr ?
details show detailed hardware module information
log show logs for this module
recover show recover configuration for this module
| Output modifiers
<cr>
ciscoasa# show module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5515
Hardware version: N/A
Serial Number: FCH1825JABC
Firmware version: N/A
Software version: 5.4.0-763
MAC Address Range: 1c6a.7a18.7123 to 1c6a.7a18.7456
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 5.4.0-763
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: 192.168.1.5
Mgmt IP addr: 192.168.1.6
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 0.0.0.0
Mgmt web ports: 443
Mgmt TLS enabled: true
The “interesting” network traffic is redirected to the FirePower
module. The redirection is quickly done on ASDM by going to Configuration > Service Policy Rules > Global Policy. Click on global-class and tick Any Traffic under Traffic Classification tab. Under Rule Actions Tab, go to ASA FirePOWER Inspection, tick Enable ASA FirePOWER for this traffic flow and choose Permit traffic radio button. Note that activating more FirePower features will change its performance according to its product performance matrix.
ciscoasa# show run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class global-class
sfr fail-open // TRAFFIC WILL BE FORWARDED EVEN WHEN SFR FAILS OR UPDATING
class inspection_default
inspect dns preset_dns_map
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
> configure
kdump Enable or disable kernel crash dump data collection
log-ips-connection Configure Logging of Connection Events
manager Change to Manager Configuration Mode
network Change to Network Configuration Mode
password Change password
user Change to User Configuration Mode
vmware-tools Configure state of VMware Tools
> configure manager
add Configure managing Defense Center
delete Remove managing Defense Center
> configure manager add
configure manager add <host> <key> [nat-id]
Configure managing Defense Center
host hostname | ipv4 address | ipv6 address | DONTRESOLVE
key registration key
nat-id optional nat-id (required if host set to DONTRESOLVE) []
> configure manager add 192.168.1.6
configure manager add <host> <key> [nat-id]
Configure managing Defense Center
host hostname | ipv4 address | ipv6 address | DONTRESOLVE
key registration key
nat-id optional nat-id (required if host set to DONTRESOLVE) []
> configure manager add 192.168.1.6 firepower
> show managers
Type : Manager
Host : 192.168.1.5
Registration : Completed
ciscoasa# show service-policy
Global policy:
Service-policy: global_policy
Class-map: global-class
SFR: card status Up, mode fail-open
packet input 7291276, packet output 7291461, drop 3022, reset-drop 21
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 180712, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 2 pkts/sec, v6-fail-close 0
Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
Inspect: icmp, packet 9279, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
Inspect: icmp error, packet 333, lock fail 0, drop 0, reset-drop 0, 5-min-
pkt-rate 0 pkts/sec, v6-fail-close 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0
, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
Inspect: netbios, packet 24, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-
rate 0 pkts/sec, v6-fail-close 0
Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate
0 pkts/sec, v6-fail-close 0
Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate
0 pkts/sec, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate
0 pkts/sec, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
Here are some post setup that are useful on the FireSight system. You could modify the FireSight hostname, management IP address, NTP server, etc. under System > Local System Policy.
You could update the FireSight host license and update other licensed features (which are non-transferrable) under System > Licenses.
You could adjust FireSight health monitoring thresholds under Health > Health Policy.
Before creating system health alerts under Health Monitor Alert, we need to create the actual alerts under Policies > Actions > Alerts and click on Create Alert.
Under Health Monitor Alerts, you could create a customized alert and choose the Severity level and the Modules you want to monitor.
You also need to perform regular patches on the FireSight system and FirePower module or sensor under System > Updates. The FireSight would need an Internet access in order to get updates from Cisco. The update can be done manually by downloading the update file and clicking on Upload Update and automatically by just clicking Download updates.
The Rule Updates pertains to intrusion rules (signature) which can be manually updated or automatically by setting the import frequency date/time. It's better to uncheck the Reapply access control policies after the rule update import completes so that we know and control what updates are being applied to the system.
Great post!I agree with everything you said.Please visit once at qosnetworking.com.
ReplyDeleteFireSight demo website is no longer available. Too bad.
ReplyDelete