You'll need to upgrade and configure the FirePower sensor (the ASA FirePower module in this scenario) before adding it to FirePower Management Center (FMC). I had a separate post regarding the upgrade procedure for FirePower. It's also recommended to run the sensor on the same (or a lower) image version than FMC: if the sensor is on a higher version than FMC, the two won't establish communication.
To check FMC version go under Help > About.
To check the ASA FirePower module version, use the show module sfr details command.
ciscoasa# show m?
mdm-proxy memory mfib mgcp
mmp mode module monitor-interface
mrib mroute
ciscoasa# show module ?
Available module ID(s):
0 Module ID
all show all module information for all slots
cxsc Module ID
ips Module ID
sfr Module ID
| Output modifiers
<cr>
ciscoasa# show module sfr ?
details show detailed hardware module information
log show logs for this module
recover show recover configuration for this module
| Output modifiers
<cr>
ciscoasa# show module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5525
Hardware version: N/A
Serial Number: FCH1834JABC
Firmware version: N/A
Software version: 6.0.0-1005
MAC Address Range: fc5b.39aa.5162 to fc5b.39aa.1234
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.0.0-1005
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured // Defense Center/FireSight/FirePower
Mgmt IP addr: 192.168.45.45 // DEFAULT IP ADDRESS
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 0.0.0.0
Mgmt web ports: 443
Mgmt TLS enabled: true
ciscoasa# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
firepower login: admin
Password: Admin123 // DEFAULT admin/password
Last login: Fri Aug 18 02:31:18 UTC 2017 on pts/0
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5525 v6.0.0 (build 1005)
To configure the sensor's management IP address and the FMC address (with the registration key), use the configure network and configure manager commands respectively.
> configure
kdump Enable or disable kernel crash dump data collection
log-events-to-ramdisk Configure Logging of Events to disk
log-ips-connection Configure Logging of Connection Events
manager Change to Manager Configuration Mode
network Change to Network Configuration Mode
password Change password
user Change to User Configuration Mode
vmware-tools Configure state of VMware Tools
> configure network
dns Configure DNS
hostname Set the hostname
http-proxy Configure HTTP Proxy settings
http-proxy-disable Disable HTTP Proxy settings
ipv4 Configure IPv4 networking
ipv6 Configure IPv6 networking
management-interface Change to Management Port Configuration Mode
management-port Change TCP port for management
static-routes Change to Static Route Configuration Mode
> configure network ipv4
delete Disable IPv4 networking
dhcp Configure IPv4 via DHCP
manual Configure IPv4 manually
> configure network ipv4 manual
configure network ipv4 manual <ipaddr> <netmask> [gw] [interface]
Configure IPv4 manually
ipaddr IPv4 address
netmask IPv4 netmask
gw IPv4 gateway []
interface management interface (optional - default if omitted) []
> configure network ipv4 manual 172.20.3.8
configure network ipv4 manual <ipaddr> <netmask> [gw] [interface]
Configure IPv4 manually
ipaddr IPv4 address
netmask IPv4 netmask
gw IPv4 gateway []
interface management interface (optional - default if omitted) []
> configure network ipv4 manual 172.20.3.8 255.255.255.240
configure network ipv4 manual <ipaddr> <netmask> [gw] [interface]
Configure IPv4 manually
ipaddr IPv4 address
netmask IPv4 netmask
gw IPv4 gateway []
interface management interface (optional - default if omitted) []
> configure network ipv4 manual 172.20.3.8 255.255.255.240 172.20.3.1
> show ifconfig
cplane Link encap:Ethernet HWaddr 00:00:00:04:00:01
inet addr:127.0.4.1 Bcast:127.0.255.255 Mask:255.255.0.0
inet6 addr: fe80::200:ff:fe04:1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:62022 errors:0 dropped:0 overruns:0 frame:0
TX packets:10669 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3721890 (3.5 Mb) TX bytes:959900 (937.4 Kb)
eth0 Link encap:Ethernet HWaddr FC:5B:39:AA:51:62
inet addr:172.20.3.8 Bcast:172.20.2.15 Mask:255.255.255.240
inet6 addr: fe80::fe5b:39ff:feaa:5162/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:376991 errors:0 dropped:0 overruns:0 frame:0
TX packets:296182 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:336895980 (321.2 Mb) TX bytes:212304568 (202.4 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.255.255.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:342 errors:0 dropped:0 overruns:0 frame:0
TX packets:342 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25960 (25.3 Kb) TX bytes:25960 (25.3 Kb)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:169.254.0.1 P-t-P:169.254.0.1 Mask:255.255.0.0
inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
> show managers
No managers configured.
> configure manager
add Configure managing Defense Center
delete Remove managing Defense Center
> configure manager add
configure manager add <host> <key> [nat-id]
Configure managing Defense Center
host hostname | ipv4 address | ipv6 address | DONTRESOLVE
key registration key
nat-id optional nat-id (required if host set to DONTRESOLVE) []
> configure manager add 172.20.7.3
configure manager add <host> <key> [nat-id]
Configure managing Defense Center
host hostname | ipv4 address | ipv6 address | DONTRESOLVE
key registration key
nat-id optional nat-id (required if host set to DONTRESOLVE) []
> configure manager add 172.20.7.3 cisco123
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.
> show managers
Host : 172.20.7.3
Registration Key : ****
Registration : pending
RPC Status :
The Registration status will change to Completed once the sensor is successfully added in FMC.
> show managers
Type : Manager
Host : 172.20.7.3
Registration : Completed
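The sensor-side checks in this walkthrough (sensor image no higher than the FMC version, management IP moved off the 192.168.45.45 default with a gateway set, a manager configured, registration reaching Completed) can be applied to the CLI output before registering. The following Python preflight is an added example, not code from the original post or from Cisco; the sample output is a constructed, trimmed copy of the show module sfr details and show managers output above, and the FMC version string and all function names are assumptions.

```python
import re

# Constructed sample: a trimmed copy of the post's `show module sfr details` output.
SAMPLE_SFR_DETAILS = """\
Card Type: FirePOWER Services Software Module
Model: ASA5525
Software version: 6.0.0-1005
App. Status: Up
DC addr: No DC Configured
Mgmt IP addr: 192.168.45.45
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 0.0.0.0
"""

# Constructed samples of `show managers` before and after the sensor is added in FMC.
MANAGERS_PENDING = "Host : 172.20.7.3\nRegistration Key : ****\nRegistration : pending\nRPC Status :\n"
MANAGERS_DONE = "Type : Manager\nHost : 172.20.7.3\nRegistration : Completed\n"
DEFAULT_MGMT_IP = "192.168.45.45"  # factory default management address shown in the post

def parse_sfr_details(text):
    """Turn the 'Key: value' lines of `show module sfr details` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_version(ver):
    """'6.0.0-1005' -> (6, 0, 0). The build suffix after '-' is ignored (assumption:
    only the dotted release matters for the sensor/FMC compatibility rule)."""
    release = ver.partition("-")[0]
    return tuple(int(p) for p in release.split("."))

def sensor_compatible(sensor_ver, fmc_ver):
    """The sensor may run the same or a lower release than FMC, never a higher one."""
    return parse_version(sensor_ver) <= parse_version(fmc_ver)

def registration_state(show_managers_text):
    """Map `show managers` output to 'none', 'pending' or 'completed'."""
    if "No managers configured" in show_managers_text:
        return "none"
    m = re.search(r"^Registration\s*:\s*(\w+)", show_managers_text, re.MULTILINE)
    return m.group(1).lower() if m else "unknown"

def preflight(details_text, fmc_ver):
    """Return the problems to fix before `configure manager add`; an empty list means ready."""
    f = parse_sfr_details(details_text)
    findings = []
    sensor_ver = f.get("Software version", "0")
    if not sensor_compatible(sensor_ver, fmc_ver):
        findings.append("sensor %s is newer than FMC %s; upgrade FMC or use a lower sensor image" % (sensor_ver, fmc_ver))
    if f.get("Mgmt IP addr") == DEFAULT_MGMT_IP:
        findings.append("management IP is still the factory default; run configure network ipv4 manual")
    if f.get("Mgmt Gateway") in (None, "0.0.0.0"):
        findings.append("no management gateway set; FMC must be reachable from the module")
    if f.get("DC addr", "").startswith("No DC"):
        findings.append("no manager configured; run configure manager add <fmc-ip> <reg-key>")
    return findings

if __name__ == "__main__":
    for problem in preflight(SAMPLE_SFR_DETAILS, "6.0.0"):
        print("-", problem)
    print("registration:", registration_state(MANAGERS_DONE))
```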
You can perform troubleshooting from the FirePower CLI using the system support command.
> system
access-control Change to Access-Control Mode
disable-http-user-cert Disable HTTP User Cert
file Change to File Mode
generate-troubleshoot Run troubleshoot
ldapsearch Test LDAP configuration
lockdown-sensor Remove access to bash shell
reboot Reboot the sensor
stig-compliance STIG Compliance setting
support Change to System Support Mode - Only do this if directed by Support.
> system support
application-identification-debug Generate application identification debug messages
bootloader Display bootloader information
capture-traffic Display traffic or save to specified file
debug-DAQ Debug for DAQ functionality
debug-DAQ-reset Reset DAQ debug configuration file
dump-table Dump specified database tables to common file repository
eotool Change to Enterprise Object Tool Mode
file-malware-debug Generate file malware debug messages
firewall-engine-debug Generate firewall debug messages
firewall-engine-dump-user-identity-data Generate a file containing the current state of user identity within the firewall
fstab Display the file systems table
iptables Display IP packet filter rules
network-options Display network options
nslookup Look up an IP address or host name with the DNS servers
ntp Show NTP configuration
partitions Display partition information
pigtail Tail log files for debugging (pigtail)
ping Ping a host to check reachability
platform Display platform information
pmtool Change to PMTool Mode
repair-table Repair specified database tables
rpms Display RPM information
run-rule-profiling Run Rule Profiling
scsi Show SCSI device information
set-arc-mode Set the Automatic Resource Configuration optimization mode
sftunnel-status Show sftunnel status
show-arc-mode Show the Automatic Resource Configuration optimization mode value
silo-drain Assists with Disk Management
ssl-debug Debugging for SSL functionality
ssl-debug-reset Reset SSL Debug configuration file
ssl-tuning Tune aspects of SSL functionality
ssl-tuning-reset Reset SSL Tuning configuration file
swap Display swap information
tail-logs Tails the logs selected by the user
traceroute Find route to remote network
utilization Display current system utilization
view-files View files in the system
> system support ping
system support ping <hostname>
Ping a host to check reachability
hostname host
> system support ping 172.20.7.3
PING 172.20.7.3 (172.20.7.3) 56(84) bytes of data.
64 bytes from 172.20.7.3: icmp_req=1 ttl=61 time=227 ms
64 bytes from 172.20.7.3: icmp_req=2 ttl=61 time=227 ms
64 bytes from 172.20.7.3: icmp_req=3 ttl=61 time=227 ms
64 bytes from 172.20.7.3: icmp_req=4 ttl=61 time=227 ms
64 bytes from 172.20.7.3: icmp_req=5 ttl=61 time=227 ms
^C
--- 172.20.7.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 227.770/227.809/227.880/0.304 ms
To add a sensor in FMC, go to Devices > Device Management > Add > Add Device.
Type the Host IP address, optionally change the Display Name, type the Registration Key (same key used on the sensor), skip Group, choose Access Control (required) > click Register.
It took a couple of minutes for the sensor to be added in FMC.
The newly added sensor will be automatically put under Ungrouped.
Click Add > Add Group > type a group Name > choose a sensor under Available Devices column (from Ungrouped) > click Add to move under Devices column.
To apply licenses on the new sensor, go to Devices > Device Management > click a specific sensor > click Device tab > click License (pencil icon).
I wasn't initially able to tick all four License Capabilities (Protection, Control, Malware, URL Filtering). This was because no Protection and Control licenses were available in FMC; they had been used up by the other sensors.
Because of this Protection and Control license shortage, FMC can't apply any Access Policy and will report a validation error.
You can request the Protection and Control license for FREE from Cisco's Licensing team. I have a separate post about licensing in FMC.
The Protection+Control and URL Filtering+Malware license counts are now equal.
I was able to apply (tick) all four licenses after the Protection and Control license was applied (and enough URL Filtering and Malware licenses were available).