Sunday, January 21, 2018

Troubleshooting Cisco ASA FirePOWER Module via CLI

You can SSH directly to the Cisco FirePOWER module management IP address, or issue the session sfr console command from ASA privileged EXEC mode. Below are some useful FirePOWER module troubleshooting commands for the command line interface (CLI). The same commands also work on a Firepower Threat Defense (FTD) device.


$ ssh -l admin 172.27.5.18
The authenticity of host '172.27.5.18 (172.27.5.18)' can't be established.
RSA key fingerprint is b7:d4:2e:76:c3:2a:1d:46:a5:a2:f0:7e:73:d1:12:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.27.5.18' (RSA) to the list of known hosts.
Password:
Last login: Thu Dec 21 04:15:09 2017

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5506H v6.2.0 (build 362)

>

ciscoasa# session ?

Available module ID(s):
  sfr  Module ID
ongc-11high-FW02# session sfr ?

  console  Login to console port on another module.
  do       Execute a command on another module.
  ip       Configure Module logging port ip addresses
  <cr>
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

>


Displaying the Access Control Policy Details

You can use the show access-control-config command to view the access control policy configuration.

> show         

access-control-config  Show Current Access-Control Configuration
audit-cert             Display audit_log cert if any
audit-log              Show audit log
cpu                    Show CPU utilization
database               Change to Show Database Mode
device-settings        Show device settings
disk                   Show disk usage
disk-manager           Display current status of local disk(s)
dns                    Show DNS configuration
hostname               Show hostname
hosts                  Show hosts
ifconfig               Show currently configured interfaces
interfaces             Show interface configuration
kdump                  Display status of kernel crash dump feature
log-events-to-ramdisk  Display Logging of Events to hard disk
log-ips-connection     Display Logging of Connection Events setting
managers               Show managing Defense Centers
memory                 Show available memory
model                  Show model
netstat                Show network connections
network                Show configuration of management interface
network-static-routes  Show static routes for management interfaces
ntp                    Show NTP configuration
perfstats              Show perfstats
process-tree           Show processes in tree format
processes              Show processes
route                  Show configured routes
serial-number          Show serial number
ssl-policy-config      Show Current SSL Policy Configuration
summary                Show summary
syslog                 Show syslog <filter> <max lines per page>
time                   Show time
traffic-statistics     Show traffic statistics
user                   Show specified users
users                  Show all users
version                Show versions
           
Show> access-control-config

===========[ Default Allow All Traffic ]============
Description               :
=================[ Default Action ]=================
Default Action            : Fast-path
Logging Configuration
    DC                    : Disabled
    Beginning             : Disabled
    End                   : Disabled
Rule Hits                 : 0
Variable Set              : Default-Set

===[ Security Intelligence - Network Whitelist ]====
    Name                  : Global-Whitelist (List)
    IP Count              : 0
    Zone                  : any

===[ Security Intelligence - Network Blacklist ]====
Logging Configuration     : Enabled
    DC                    : Enabled


---------------------[ Block ]----------------------
    Name                  : Global-Blacklist (List)
    IP Count              : 0
    Zone                  : any

=====[ Security Intelligence - URL Whitelist ]======
    Name                  : Global-Whitelist-for-URL (List)
    URL Count             : 0
    Zone                  : any

=====[ Security Intelligence - URL Blacklist ]======
Logging Configuration     : Enabled
    DC                    : Enabled


---------------------[ Block ]----------------------
    Name                  : Global-Blacklist-for-URL (List)
    URL Count             : 0
    Zone                  : any

=======[ Security Intelligence - DNS Policy ]=======
    Name                  : Default DNS Policy
    Logging Configuration : Enabled
        DC                : Enabled


======[ Rule Set: admin_category (Built-in) ]=======

=====[ Rule Set: standard_category (Built-in) ]=====

=======[ Rule Set: root_category (Built-in) ]=======

===============[ Advanced Settings ]================
General Settings
  Maximum URL Length                  : 1024
  Interactive Block Bypass Timeout    : 600
  Do not retry URL cache miss lookup  : No
  Inspect Traffic During Apply        : Yes
Network Analysis and Intrusion Policies
  Initial Intrusion Policy            : No Rules Active
  Initial Variable Set                : Default-Set
  Default Network Analysis Policy     : Balanced Security and Connectivity
Files and Malware Settings
  File Type Inspect Limit             : 1460
  Cloud Lookup Timeout                : 2
  Minimum File Capture Size           : 6144
  Maximum File Capture Size           : 1048576
  Min Dynamic Analysis Size           : 15360
  Max Dynamic Analysis Size           : 2097152
  Malware Detection Limit             : 10485760
Transport/Network Layer Preprocessor Settings
  Detection Settings
    Ignore VLAN Tracking Connections  : No
  Maximum Active Responses            : No Maximum
  Minimum Response Seconds            : No Minimum
  Session Termination Log Threshold   : 1048576
Detection Enhancement Settings
  Adaptive Profile                    : Disabled
Performance Settings
  Event Queue
    Maximum Queued Events             : 5
    Disable Reassembled Content Checks: False
  Performance Statistics
    Sample time (seconds)             : 300
    Minimum number of packets         : 10000
    Summary                           : False
    Log Session/Protocol Distribution : False
  Regular Expression Limits
    Match Recursion Limit             : Default
    Match Limit                       : Default
  Rule Processing Configuration
    Logged Events                     : 5
    Maximum Queued Events             : 8
    Events Ordered By                 : Content Length
Intelligent Application Bypass Settings
    State                                          : Off
    Bypassable Applications and Filters            : 0 Applications/Filters
Latency-Based Performance Settings
  Packet Handling                     : Disabled

=============[ Interactive Block HTML ]=============
HTTP/1.1 200 OK
Connection: close
Content-Length: 869
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Access Denied</title>
<style type="text/css">body {margin:0;font-family:verdana,sans-serif;} h1 {margin:0;padding:12px 25px;background-color:#343434;color:#ddd} p {margin:12px 25px;} strong {color:#E0042D;}</style>
</head>
<body>
<h1>Access Denied</h1>
<p>
<strong>You are attempting to access a forbidden site.</strong><br/><br/>
You may continue to the site by clicking on the button below.<br/>
<em>Note:</em> You must have cookies enabled in your browser to continue.</br><br/>
Consult your system administrator for details.<br/><br/>
<noscript><em>This page uses Javascript. Your browser either doesn't support Javascript or you have it turned off.<br/>
To continue to the site, please use a Javascript enabled browser.</em></noscript>
</p>
</body>
</html>
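The policy dump above is long, and the settings that matter most for coverage are scattered across it: the default action, whether that default action logs anything, whether an intrusion policy is actually active, and whether the Security Intelligence lists contain entries. The following is an added example (not from this blog post and not Cisco's code) that parses the bracketed sections of show access-control-config output into key/value maps and returns a list of findings for the settings a reviewer would flag. The embedded sample is an abridged, constructed copy of the policy shown above; the interpretation of "Fast-path" as traffic passed without inspection is an assumption about the CLI wording.

```python
"""Parse `show access-control-config` output and flag settings worth a second look.
Added example, not Cisco's code. SAMPLE is an abridged, constructed copy of the
policy dump shown on this page."""
import re

SAMPLE = """\
===========[ Default Allow All Traffic ]============
Description               :
=================[ Default Action ]=================
Default Action            : Fast-path
Logging Configuration
    DC                    : Disabled
    Beginning             : Disabled
    End                   : Disabled
Rule Hits                 : 0
Variable Set              : Default-Set

===[ Security Intelligence - Network Blacklist ]====
Logging Configuration     : Enabled
    DC                    : Enabled

---------------------[ Block ]----------------------
    Name                  : Global-Blacklist (List)
    IP Count              : 0
    Zone                  : any

===============[ Advanced Settings ]================
Network Analysis and Intrusion Policies
  Initial Intrusion Policy            : No Rules Active
  Initial Variable Set                : Default-Set
"""

# "====[ Section Name ]====" or "----[ Section Name ]----" headers
SECTION = re.compile(r"^[=-]+\[\s*(.+?)\s*\][=-]+$")
# "Key   : value" lines; sub-headers without a colon are ignored
KV = re.compile(r"^\s*(.+?)\s*:\s*(.*)$")


def parse_sections(text):
    """Return a list of (section name, {key: value}) in document order.
    A list is used rather than a dict because section names such as
    "Block" repeat (one per Security Intelligence list)."""
    sections = []
    current = None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            current = {}
            sections.append((m.group(1), current))
            continue
        m = KV.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def find(sections, name):
    """First section with the given name, or an empty map."""
    for sec_name, kv in sections:
        if sec_name == name:
            return kv
    return {}


def review_policy(text):
    """Return human-readable findings about coverage gaps in the policy."""
    secs = parse_sections(text)
    findings = []
    default = find(secs, "Default Action")
    if default.get("Default Action", "").lower() == "fast-path":
        findings.append("default action is Fast-path: traffic matching no rule "
                        "is passed without inspection (assumed meaning)")
    if all(default.get(k) == "Disabled" for k in ("DC", "Beginning", "End")):
        findings.append("default action logging is fully disabled: unmatched "
                        "connections produce no connection events")
    adv = find(secs, "Advanced Settings")
    if adv.get("Initial Intrusion Policy") == "No Rules Active":
        findings.append("initial intrusion policy has no rules active")
    for sec_name, kv in secs:
        count = kv.get("IP Count", kv.get("URL Count"))
        if sec_name == "Block" and count == "0":
            findings.append("Security Intelligence block list %s is empty"
                            % kv.get("Name", "?"))
    return findings


if __name__ == "__main__":
    for f in review_policy(SAMPLE):
        print("-", f)
```

Run it against a saved copy of the real command output (session output pasted into a file) to get a short checklist instead of reading 130 lines of policy by eye.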



Displaying the Network Configuration

There are several ways to view the network configuration on a Cisco FirePOWER Module.

> show network
===============[ System Information ]===============
Hostname                  : firepower
Domains                   : example.net
Management port           : 8305
IPv4 Default route
  Gateway                 : 172.27.5.19

======================[ eth0 ]======================
State                     : Enabled
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : 50:0F:80:80:AB:CD
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 172.27.5.18
Netmask                   : 255.255.255.224
Broadcast                 : 172.27.5.19
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled


> show ifconfig      // SIMILAR TO LINUX ifconfig COMMAND
cplane    Link encap:Ethernet  HWaddr 00:00:00:02:00:01 
          inet addr:127.0.2.1  Bcast:127.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::200:ff:fe02:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7593492 errors:0 dropped:3777883 overruns:0 frame:0
          TX packets:1908174 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:478730921 (456.5 Mb)  TX bytes:175547469 (167.4 Mb)

eth0      Link encap:Ethernet  HWaddr 50:0F:80:80:AD:DC 
          inet addr:172.27.5.18  Bcast:172.27.5.19  Mask:255.255.255.0
          inet6 addr: fe80::520f:80ff:fe80:addc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63173 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5891158 (5.6 Mb)  TX bytes:58229136 (55.5 Mb)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.255.255.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:355317 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355317 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:45879853 (43.7 Mb)  TX bytes:45879853 (43.7 Mb)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 50:0F:80:80:12:34
IPv4 Address              : 172.27.5.18
----------------------[ tun1 ]----------------------
IPv6 Address              : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------



Checking Disk Usage and Running Processes

> show disk        // TO CHECK DISK USAGE; SIMILAR TO LINUX df COMMAND
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       3.7G  777M  2.8G  22% /
devtmpfs        1.1G   80K  1.1G   1% /dev
/dev/sda1        99M  6.1M   88M   7% /boot
/dev/vda7        38G  6.9G   29G  20% /var
none            1.1G  340K  1.1G   1% /dev/shm
tmpfs           1.1G     0  1.1G   0% /dev/cgroups
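A full /var partition (where the logs listed later in this post live) is a common cause of a sensor that stops writing events, so show disk is worth checking first. The following is an added example (not from this post and not Cisco's code) that parses the df-style output of show disk and reports any filesystem at or above a usage threshold. SAMPLE_PAGE copies the output above; SAMPLE_CONSTRUCTED is a made-up variant with /var nearly full.

```python
"""Parse `show disk` output from the Firepower CLI and flag filesystems that are
filling up. Added example, not Cisco's code."""

# Copied from the show disk output on this page
SAMPLE_PAGE = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       3.7G  777M  2.8G  22% /
devtmpfs        1.1G   80K  1.1G   1% /dev
/dev/sda1        99M  6.1M   88M   7% /boot
/dev/vda7        38G  6.9G   29G  20% /var
none            1.1G  340K  1.1G   1% /dev/shm
tmpfs           1.1G     0  1.1G   0% /dev/cgroups
"""

# Constructed: same layout, but /var is almost full
SAMPLE_CONSTRUCTED = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       3.7G  777M  2.8G  22% /
/dev/vda7        38G   35G  2.1G  93% /var
tmpfs           1.1G     0  1.1G   0% /dev/cgroups
"""


def parse_show_disk(text):
    """Return one dict per filesystem row; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        if line.startswith("Filesystem") or not line.strip():
            continue
        # maxsplit=5 keeps a mount point containing spaces intact
        parts = line.split(None, 5)
        if len(parts) != 6:
            continue
        fs, size, used, avail, pct, mount = parts
        rows.append({"filesystem": fs, "size": size, "used": used,
                     "avail": avail, "use_pct": int(pct.rstrip("%")),
                     "mount": mount})
    return rows


def disk_alerts(text, threshold=80):
    """(mount, use%) for every filesystem at or above the threshold."""
    return [(r["mount"], r["use_pct"])
            for r in parse_show_disk(text) if r["use_pct"] >= threshold]


if __name__ == "__main__":
    print("page sample:", disk_alerts(SAMPLE_PAGE))
    print("constructed sample:", disk_alerts(SAMPLE_CONSTRUCTED))
```

The threshold of 80% is a starting point; the partition to watch on this module is /var, which holds the log directory shown in the next section.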


> show processes     // SIMILAR TO LINUX ps COMMAND
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
23195 sfsnort    1 -19  815m  12m 3704 S    6  0.6 274:40.56 snort
 3464 root      20   0 30124  788  736 S    2  0.0   1664:41 UEChanneld
 3465 root      20   0 2055m 409m 1808 S    2 18.5 702:23.82 java
21094 root      20   0 2157m  56m 1432 S    2  2.6  24:02.67 SFDataCorrelato
31825 admin     20   0 17428 1332  976 R    2  0.1   0:00.02 top
    1 root      20   0  4220  672  624 S    0  0.0   0:51.49 init
    2 root      20   0     0    0    0 S    0  0.0   0:00.00 kthreadd
    3 root      20   0     0    0    0 S    0  0.0   0:05.25 ksoftirqd/0
    5 root       0 -20     0    0    0 S    0  0.0   0:00.00 kworker/0:0H
    7 root      RT   0     0    0    0 S    0  0.0   0:36.82 migration/0
    8 root      20   0     0    0    0 S    0  0.0  15:14.21 rcu_preempt
    9 root      20   0     0    0    0 S    0  0.0   0:00.00 rcu_bh
   10 root      20   0     0    0    0 S    0  0.0   0:00.00 rcu_sched

<OUTPUT TRUNCATED>


> show process-tree    // SIMILAR TO LINUX pstree COMMAND
init(1)-+-acpid(2369)
        |-agetty(3418)
        |-agetty(3419)
        |-agetty(3420)
        |-crond(1729)
        |-login(22993)---clish(23050)---{clish}(23053)
        |-nscd(20395)-+-{nscd}(20396)
        |             |-{nscd}(20397)
        |             |-{nscd}(20398)
        |             |-{nscd}(20399)
        |             |-{nscd}(20400)
        |             `-{nscd}(20401)
        |-pm(3433)-+-ASAConfig.pl(3452)
        |          |-ActionQueueScra(3615)
        |          |-CloudAgent(3463)-+-{CloudAgent}(3529)
        |          |                  |-{CloudAgent}(3530)
        |          |                  |-{CloudAgent}(3531)
        |          |                  |-{CloudAgent}(3532)
        |          |                  `-{CloudAgent}(3533)
        |          |-Pruner.pl(3614)
        |          |-SFDataCorrelato(21094)-+-{SFDataCorrelato}(21103)
        |          |                        |-{SFDataCorrelato}(21104)
        |          |                        |-{SFDataCorrelato}(21105)
        |          |                        |-{SFDataCorrelato}(21107)
        |          |                        |-{SFDataCorrelato}(21108)
        |          |                        |-{SFDataCorrelato}(21109)
        |          |                        |-{SFDataCorrelato}(21110)
        |          |                        |-{SFDataCorrelato}(21111)
        |          |                        |-{SFDataCorrelato}(21112)
        |          |                        |-{SFDataCorrelato}(21113)
        |          |                        |-{SFDataCorrelato}(21134)
        |          |                        |-{SFDataCorrelato}(21137)
        |          |                        |-{SFDataCorrelato}(21138)
        |          |                        |-{SFDataCorrelato}(21140)
        |          |                        |-{SFDataCorrelato}(21141)
        |          |                        |-{SFDataCorrelato}(21142)
        |          |                        |-{SFDataCorrelato}(21143)
        |          |                        |-{SFDataCorrelato}(21144)
        |          |                        |-{SFDataCorrelato}(21145)
        |          |                        |-{SFDataCorrelato}(21146)
        |          |                        |-{SFDataCorrelato}(21147)
        |          |                        |-{SFDataCorrelato}(21148)
        |          |                        |-{SFDataCorrelato}(21149)
        |          |                        |-{SFDataCorrelato}(21150)
        |          |                        |-{SFDataCorrelato}(21152)
        |          |                        |-{SFDataCorrelato}(21156)
        |          |                        |-{SFDataCorrelato}(21157)
        |          |                        |-{SFDataCorrelato}(21158)
        |          |                        |-{SFDataCorrelato}(21160)
        |          |                        `-{SFDataCorrelato}(23205)

<OUTPUT TRUNCATED>


Using the System Log (Syslog)

> expert       // GO TO EXPERT MODE
admin@firepower:~$ cd /        // CHANGE TO ROOT DIRECTORY
admin@firepower:/$ ls
DBCheck.log  Volume  bin  boot  cisco  dev  etc  home  lib  lib64  lost+found  mnt  proc  root  sbin  sys  tmp  usr  var
admin@firepower:/$ cd /var/log
admin@firepower:/var/log$ ls
action_queue.log                                  firstboot.S50install-remediation-modules        process_stdout.log
action_queue.log.1.gz                             firstboot.S51install_health_policy.pl           process_stdout.log.1.gz
action_queue.log.2.gz                             firstboot.S52install_system_policy.pl           process_stdout.log.2.gz
action_queue.log.3.gz                             firstboot.S53change_reconciliation_baseline.pl  process_stdout.log.3.gz
action_queue.log.4.gz                             firstboot.S53createcsds.pl                      process_stdout.log.4.gz
asacx_init.log                                    firstboot.S70remove_casuser.pl                  pruner.log
audit                                             firstboot.S70update_sensor_objects.sh           pruner.log.1.gz
btmp                                              firstboot.S85patch_history-init                 pruner.log.2.gz
cc-integrity.log                                  firstboot.S90banner-init                        pruner.log.3.gz
cisco                                             firstboot.S95copy-crontab                       pruner.log.4.gz
configure-model.log                               firstboot.S96grow_var.sh                        query_engine.log
configure.log                                     firstboot.S96install_sf_whitelist               query_engine.log.1.gz
configure.log.old                                 firstboot.S96install_vmware_tools.pl            query_engine.log.2.gz
cron                                              firstboot.S96localize-templates                 query_engine.log.3.gz
cron.1.gz                                         firstboot.S96ovf-data.pl                        query_engine.log.4.gz
cron.2.gz                                         firstboot.S97compress-client-resources          reconfigure.45update-sensor.pl
cron.3.gz                                         firstboot.S97create_platinum_forms.pl           reconfigure.55recalculate_arc.pl
cron.4.gz                                         firstboot.S97install_cas                        remove_old_var.log
diskmanager.log                                   firstboot.S97install_cloud_support.pl           removed_packages
dmesg                                             firstboot.S97install_geolocation.pl             removed_scripts
eth0.down.log                                     firstboot.S97install_ssl_inspection.pl          sa
eth0.down.log.old                                 firstboot.S97update_modprobe.pl                 sam.log
eth0.up.log                                       firstboot.S98check-db-integrity.sh              sam.log.1.gz
eth0.up.log.old                                   firstboot.S98htaccess-init                      sam.log.2.gz
eth1.down.log                                     firstboot.S98is-sru-finished.sh                 sam.log.3.gz
eth1.down.log.old                                 firstboot.S99_z_cc-integrity.sh                 sam.log.4.gz
eth1.up.log                                       firstboot.S99correct_ipmi.pl                    scripts
eth1.up.log.old                                   firstboot.S99start-system                       seshat
faillog                                           firstboot.S99z_db_restore                       setup
firesight-query.log                               firstboot.control                               sf
firesight-query.log.1.gz                          httpd                                           snapshot_manager.log
firesight-query.log.2.gz                          ifup-static-route.log                           syncd.log
firesight-query.log.3.gz                          init_cgroups.log                                syncd.log.1.gz
firesight-query.log.4.gz                          initialize.log                                  syncd.log.2.gz
firstboot.S01reset_failopen_if                    lastlog                                         syncd.log.3.gz
firstboot.S01virtual-machine-reconfigure          lo.down.log                                     syncd.log.4.gz
firstboot.S02aws-pull-cfg                         lo.down.log.old                                 time_series.log
firstboot.S04fix-httpd.sh                         lo.up.log                                       time_series.log.1.gz
firstboot.S05set-default-ipv4.pl                  lo.up.log.old                                   time_series.log.2.gz
firstboot.S05set-mgmnt-port                       messages                                        time_series.log.3.gz
firstboot.S06addusers                             messages.1.gz                                   time_series.log.4.gz
firstboot.S07uuid-init                            messages.2.gz                                   top.log
firstboot.S08configure_mysql                      messages.3.gz                                   top.log.1.gz
firstboot.S09database-init                        messages.4.gz                                   top.log.10.gz
firstboot.S10database.15vulndb-init.log           model_info_log                                  top.log.11.gz
firstboot.S11database-populate                    mojo                                            top.log.12.gz
firstboot.S12install_infodb                       myisamchk.log                                   top.log.13.gz
firstboot.S15set-locale.sh                        nscd.log                                        top.log.14.gz
firstboot.S16update-sensor.pl                     nscd.log.1.gz                                   top.log.2.gz
firstboot.S19cert-tun-init                        nscd.log.2.gz                                   top.log.3.gz
firstboot.S20cert-init                            nscd.log.3.gz                                   top.log.4.gz
firstboot.S21disable_estreamer                    nscd.log.4.gz                                   top.log.5.gz
firstboot.S25create_default_des.pl                ntp.log                                         top.log.6.gz
firstboot.S30init_lights_out_mgmt.pl              openssl-selftest.log                            top.log.7.gz
firstboot.S40install_default_filters.pl           packages                                        top.log.8.gz
firstboot.S42install_default_dashboards.pl        process_stderr.log                              top.log.9.gz
firstboot.S43install_default_report_templates.pl  process_stderr.log.1.gz                         umpd_stderr.log
firstboot.S44install_default_app_filters.pl       process_stderr.log.2.gz                         urldb_log
firstboot.S45install_default_realms.pl            process_stderr.log.3.gz                         wtmp
firstboot.S47install_default_sandbox_EO.pl        process_stderr.log.4.gz                         wtmp.1


admin@firepower:/var/log$ cat eth0.down.log       // USE cat TO VIEW DETAILED LOGS
Clearing static routes
Unconfiguring default route
Ignoring -device
Ignoring eth0
(5) No device specified
Command [clear_default_route -device eth0 -4] succeeded!
Unconfiguring address on eth0
Unconfiguring IPv4 on eth0
Command [/sbin/ip -4 addr flush dev eth0] succeeded!
Successfully unconfigure eth0 for IPv4
Command [unconfigure_ip -4 -device eth0] succeeded!
Unconfiguring IPv6
Command [/usr/sbin/dhclient -6 -x eth0 -sf /etc/sysconfig/network-scripts/dhclient-script] succeeded!
Ignoring -device
Ignoring eth0
Command [/sbin/ip -6 route delete default dev eth0] succeeded!
Unconfiguring IPv6 on eth0
Stoping ipv6
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Successfully unconfigure eth0 for IPv6
Command [/sbin/ip -6 addr flush dev eth0 scope global] succeeded!
Command [total_unconfigure -device eth0 -6] succeeded!
Downing interface
Command [/sbin/ip link set dev eth0 down] succeeded!
Command [down_interface -device eth0] succeeded!
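The interface scripts log every command they run and whether it succeeded, so a quick way to confirm that the management interface went down (or came up) cleanly is to scan the log for any command that did not report success. The following is an added example (not from this post and not Cisco's code) that summarises a log such as /var/log/eth0.down.log into succeeded commands, failed commands and numbered warning lines like "(5) No device specified". The sample copies lines from the eth0.down.log above and appends one constructed "failed!" line; the exact wording Cisco uses for a failed command is an assumption, so any status other than "succeeded" is treated as a failure.

```python
"""Summarise a Firepower interface script log (e.g. /var/log/eth0.down.log).
Added example, not Cisco's code. The last SAMPLE_LOG line is constructed; the
'failed!' wording is an assumption."""
import re

SAMPLE_LOG = """\
Clearing static routes
Unconfiguring default route
Ignoring -device
Ignoring eth0
(5) No device specified
Command [clear_default_route -device eth0 -4] succeeded!
Unconfiguring address on eth0
Unconfiguring IPv4 on eth0
Command [/sbin/ip -4 addr flush dev eth0] succeeded!
Downing interface
Command [/sbin/ip link set dev eth0 down] failed!
"""

# "Command [<cmd>] succeeded!" (any other status word is treated as failure)
COMMAND = re.compile(r"^Command \[(.+)\] (\w+)!?$")
# "(5) No device specified" style lines: a numeric code in parentheses
WARNING = re.compile(r"^\(\d+\) ")


def summarize_ifscript_log(text):
    """Return {'succeeded': [...], 'failed': [...], 'warnings': [...]}."""
    summary = {"succeeded": [], "failed": [], "warnings": []}
    for line in text.splitlines():
        m = COMMAND.match(line)
        if m:
            cmd, status = m.groups()
            key = "succeeded" if status == "succeeded" else "failed"
            summary[key].append(cmd)
        elif WARNING.match(line):
            summary["warnings"].append(line)
    return summary


def interface_teardown_ok(text):
    """True when no command failed and the link was actually set down."""
    s = summarize_ifscript_log(text)
    link_down = any(cmd.startswith("/sbin/ip link set dev") and cmd.endswith(" down")
                    for cmd in s["succeeded"])
    return not s["failed"] and link_down


if __name__ == "__main__":
    s = summarize_ifscript_log(SAMPLE_LOG)
    print("failed:", s["failed"])
    print("warnings:", s["warnings"])
    print("teardown ok:", interface_teardown_ok(SAMPLE_LOG))
```

Warnings are reported separately rather than as failures because, as the log above shows, "(5) No device specified" can appear and the surrounding command still reports success; they are still worth reading when the interface misbehaves.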



Generating Advanced Troubleshooting Logs

> system generate-troubleshoot

system generate-troubleshoot options ...
 Run troubleshoot

  options ...   Selectable Troubleshoot Options

> system generate-troubleshoot
One or more subset options required.  Displaying list of options:
ALL - Run ALL Of The Following Options
SNT - Snort Performance and Configuration
PER - Hardware Performance and Logs
SYS - System Configuration, Policy, and Logs
DES - Detection Configuration, Policy, and Logs
NET - Interface and Network Related Data
VDB - Discovery, Awareness, VDB Data, and Logs
UPG - Upgrade Data and Logs
DBO - All Database Data
LOG - All Log Data
NMP - Network Map Information


> system generate-troubleshoot all     // TAKES SEVERAL MINUTES TO FINISH; CISCO TAC WILL USUALLY ASK YOU TO RUN THIS AND SEND THEM THE OUTPUT FOR FURTHER ANALYSIS

> system support

application-identification-debug         Generate application identification debug messages
bootloader                               Display bootloader information
capture-traffic                          Display traffic or save to specified file
debug-DAQ                                Debug for DAQ functionality
debug-DAQ-reset                          Reset DAQ debug configuration file
dump-table                               Dump specified database tables to common file repository
eotool                                   Change to Enterprise Object Tool Mode
file-malware-debug                       Generate file malware debug messages
firewall-engine-debug                    Generate firewall debug messages
firewall-engine-dump-user-identity-data  Generate a file containing the current state of user identity within the firewall
firewall-httpmod-debug                   Generate http_mod preprocessor debug messages
fstab                                    Display the file systems table
iptables                                 Display IP packet filter rules
network-options                          Display network options
nslookup                                 Look up an IP address or host name with the DNS servers
ntp                                      Show NTP configuration
partitions                               Display partition information
pigtail                                  Tail log files for debugging (pigtail)
ping                                     Ping a host to check reachability
platform                                 Display platform information
pmtool                                   Change to PMTool Mode
repair-table                             Repair specified database tables
rpms                                     Display RPM information
run-rule-profiling                       Run Rule Profiling
scsi                                     Show SCSI device information
set-arc-mode                             Set the Automatic Resource Configuration optimization mode
sftunnel-status                          Show sftunnel status
show-arc-mode                            Show the Automatic Resource Configuration optimization mode value
silo-drain                               Assists with Disk Management
ssl-client-hello-display                 Display SSL Client Hello configuration settings
ssl-client-hello-enabled                 SSL Client Hello Enabled Settings
ssl-client-hello-force-reset             Reset SSL Client Hello configuration file without user confirmation
ssl-client-hello-reset                   Reset SSL Client Hello configuration file
ssl-client-hello-tuning                  SSL Client Hello Detailed Tuning
ssl-debug                                Debugging for SSL functionality
ssl-debug-reset                          Reset SSL Debug configuration file
ssl-tuning                               Tune aspects of SSL functionality
ssl-tuning-reset                         Reset SSL Tuning configuration file
swap                                     Display swap information
tail-logs                                Tails the logs selected by the user
trace                                    Generate debug trace messages for packets
traceroute                               Find route to remote network
utilization                              Display current system utilization
view-files                               View files in the system


> system support firewall-engine-debug   // DEBUG ACCESS CONTROL RULE IN REAL TIME



Monday, January 1, 2018

Configuring Cisco ASA FirePOWER Module via ASDM

I'm currently studying for the new CCNP Security SENSS 300-206 exam to re-certify my CCNP Security. The study materials I'm using are the SENSS Student Guide Volumes 1 and 2, Cisco Next-Generation Security Solutions: All-in-one Cisco ASA FirePOWER Services, NGIPS, and AMP by Omar Santos, the SENSS CBT Nuggets videos by Keith Barker, a Cisco ASA 8.4 virtual lab in GNS3, an ASA 5506-X with FirePOWER module, and the Cisco FMC demo in dCloud (Cisco Connection Online or CCO login required).


The ASA 5506-X Management 1/1 interface must be connected to a switch in order to manage the ASA (and the FirePOWER module) via ASDM. The ASA FirePOWER module needs to be configured with an IP address in order to be detected by ASDM, and it can use the same subnet as the Management 1/1 IP address. The SSH and ASDM functions on the ASA Management 1/1 interface are independent of the ASA FirePOWER module.

You can log in to the ASA FirePOWER module with the session sfr console command from privileged EXEC mode; the default username and password are admin / Admin123.


ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

firepower login: admin
Password: Admin123
Last login: Tue Dec 19 01:50:22 UTC 2017 on ttyS1

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5506H v6.2.0 (build 362)




You can verify the ASA FirePOWER module software version using the show version command. The ASA 5506-X FirePOWER module is pre-installed with the latest version (6.2.0 as of this writing).

> show version
-------------------[ firepower ]--------------------
Model                     : ASA5506H (72) Version 6.2.0 (Build 362)
UUID                      : eb919100-a201-11e7-ba3a-acd556562abc
Rules update version      : 2016-03-28-001-vrt
VDB version               : 271
----------------------------------------------------


You can verify the ASA FirePOWER module IP address using the show ifconfig command; the logical eth0 management interface has a default IP address of 192.168.45.45/24.

> show ifconfig
cplane    Link encap:Ethernet  HWaddr 00:00:00:02:00:01 
          inet addr:127.0.2.1  Bcast:127.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::200:ff:fe02:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7383290 errors:0 dropped:3673355 overruns:0 frame:0
          TX packets:1855097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:465477809 (443.9 Mb)  TX bytes:170663745 (162.7 Mb)

eth0      Link encap:Ethernet  HWaddr 50:0F:80:80:AB:CD
          inet addr:192.168.45.45  Bcast:192.168.45.255  Mask:255.255.255.0 
          inet6 addr: fe80::520f:80ff:fe80:addc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:85907 (838 Kb)  TX bytes:426 (426.0 b)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.255.255.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:225446 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:28145463 (26.8 Mb)  TX bytes:28145463 (26.8 Mb)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


You can configure the ASA FirePOWER module IP address when you first log in via the session sfr console privileged EXEC command, after accepting the EULA. You can use the configure network ipv4 manual <IP ADDRESS> <SUBNET MASK> <DEFAULT GATEWAY> command to change the default network settings.

> configure network ipv4 manual 172.27.5.18 255.255.255.224 172.27.5.19
Setting IPv4 network configuration.
Network settings changed.


> show ifconfig
cplane    Link encap:Ethernet  HWaddr 00:00:00:02:00:01 
          inet addr:127.0.2.1  Bcast:127.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::200:ff:fe02:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7393835 errors:0 dropped:3678566 overruns:0 frame:0
          TX packets:1857932 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:466143182 (444.5 Mb)  TX bytes:170923927 (163.0 Mb)

eth0      Link encap:Ethernet  HWaddr 50:0F:80:80:AB:CD
          inet addr:172.27.5.18  Bcast:172.27.5.19  Mask:255.255.255.224
          inet6 addr: fe80::520f:80ff:fe80:addc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41879 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2238878 (2.1 Mb)  TX bytes:48324650 (46.0 Mb)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.255.255.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
        RX packets:236554 errors:0 dropped:0 overruns:0 frame:0
          TX packets:236554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30401602 (28.9 Mb)  TX bytes:30401602 (28.9 Mb)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:169.254.0.1  P-t-P:169.254.0.1  Mask:255.255.0.0
          inet6 addr: fdcc::bd:0:ffff:a9fe:1/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
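A quick sanity check on the management settings above, written as an added example rather than anything from the original post: it parses show ifconfig output (a constructed sample modelled on the output shown here), confirms eth0 has left the factory default 192.168.45.45/24, and checks that the gateway handed to configure network ipv4 manual actually sits in eth0's subnet. The interface name, sample text and check list are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the page's post-change 'show ifconfig' output;
# not a capture from the author's device.
SAMPLE_IFCONFIG = """\
cplane    Link encap:Ethernet  HWaddr 00:00:00:02:00:01
          inet addr:127.0.2.1  Bcast:127.0.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 50:0F:80:80:AB:CD
          inet addr:172.27.5.18  Bcast:172.27.5.19  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.255.255.0
"""

# Factory default management address of the ASA FirePOWER module (from the page).
DEFAULT_MGMT = ipaddress.ip_interface("192.168.45.45/24")


def parse_ifconfig(text):
    """Return {ifname: IPv4Interface} for every interface carrying an inet addr."""
    result = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\S+)\s+Link encap", line)
        if header:
            current = header.group(1)
            continue
        addr = re.search(r"inet addr:(\S+).*?Mask:(\S+)", line)
        if addr and current:
            # ipaddress accepts a dotted netmask after the slash.
            result[current] = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    return result


def check_mgmt(ifaces, gateway, ifname="eth0"):
    """Return a list of findings; an empty list means the address looks usable."""
    findings = []
    mgmt = ifaces.get(ifname)
    if mgmt is None:
        return [f"{ifname} has no IPv4 address"]
    if mgmt == DEFAULT_MGMT:
        findings.append(f"{ifname} still uses the factory default {DEFAULT_MGMT}")
    gw = ipaddress.ip_address(gateway)
    net = mgmt.network
    if gw not in net:
        findings.append(f"gateway {gw} is outside {net}")
    if mgmt.ip in (net.network_address, net.broadcast_address):
        findings.append(f"{mgmt.ip} is the network or broadcast address of {net}")
    if gw == mgmt.ip:
        findings.append("gateway equals the module's own address")
    return findings
```

Run check_mgmt(parse_ifconfig(output), "<gateway>") against a pasted show ifconfig capture before and after the address change; any finding is a reason to revisit the configure network arguments before relying on SSH or ASDM reachability.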


You're also now able to SSH directly to the FirePOWER module IP address.

$ ssh -l admin 172.27.5.18
Password:
Last login: Fri Dec 22 07:05:29 2017 from 10.111.0.14

Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.0 (build 42)
Cisco ASA5506H v6.2.0 (build 362)

>


To test connectivity with ping, type expert to drop into the Linux shell (as the admin or root user) and then use the sudo ping <DESTINATION IP> command.

> expert
admin@firepower:~$ sudo ping 172.27.5.19      // DEFAULT GATEWAY/UPSTREAM ROUTER
PING 172.27.5.19 (172.27.5.19) 56(84) bytes of data.
64 bytes from 172.27.5.19: icmp_req=1 ttl=255 time=0.963 ms
64 bytes from 172.27.5.19: icmp_req=2 ttl=255 time=0.445 ms
64 bytes from 172.27.5.19: icmp_req=3 ttl=255 time=0.342 ms
64 bytes from 172.27.5.19: icmp_req=4 ttl=255 time=0.384 ms
64 bytes from 172.27.5.19: icmp_req=5 ttl=255 time=0.352 ms
64 bytes from 172.27.5.19: icmp_req=6 ttl=255 time=0.404 ms
^C
--- 172.27.5.19 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5005ms
rtt min/avg/max/mdev = 0.342/0.481/0.963/0.219 ms


admin@firepower:~$ sudo ping 172.20.7.10      // ASDM PC
PING 172.20.7.10 (172.20.7.10) 56(84) bytes of data.
64 bytes from 172.20.7.10: icmp_req=1 ttl=123 time=88.2 ms
64 bytes from 172.20.7.10: icmp_req=2 ttl=123 time=147 ms
64 bytes from 172.20.7.10: icmp_req=3 ttl=123 time=127 ms
64 bytes from 172.20.7.10: icmp_req=4 ttl=123 time=95.1 ms
64 bytes from 172.20.7.10: icmp_req=5 ttl=123 time=107 ms
64 bytes from 172.20.7.10: icmp_req=6 ttl=123 time=94.4 ms
^C
--- 172.20.7.10 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5004ms
rtt min/avg/max/mdev = 88.262/110.068/147.233/20.959 ms


The ASA 5506-X had ASDM 7.8(1) installed and I'm using a Windows 7 machine with Java 1.8.0_131 installed. You can check the Java version on your local machine or in ASDM by going to Help > About Cisco ASDM.


Once the ASA FirePOWER module IP address has been configured, you can now access and manage it locally via ASDM. There are three additional ASA FirePOWER tabs that will appear in ASDM: ASA FirePOWER Dashboard, ASA FirePOWER Reporting and ASA FirePOWER Status.




You'll need to redirect IP traffic to the ASA FirePOWER module in order to apply its policies. Go to Configuration > Firewall > Service Policy Rules > Add.


Choose the default Global > click Next.


Type a name for the new traffic class > click Any Traffic > click Next. Alternatively, you can match particular IP addresses or subnets using an ACL instead of all IP traffic.



Go to the ASA FirePOWER Inspection tab > tick Enable ASA FirePOWER for this traffic flow > choose Permit traffic. This is the fail-open option: traffic will still flow through the ASA (uninspected) even if the FirePOWER module fails. Click Finish > then Apply.


You can configure local policies on the ASA FirePOWER module via ASDM without a policy update or push from the Firepower Management Center (FMC). Go to Configuration > ASA FirePOWER Configuration > Policies > Access Control Policy.



Change the Default Action from Access Control: Trust All Traffic to Intrusion Prevention: Balanced Security and Connectivity.
 


You'll need to create some rules: click OK on the pop-up message, click Store ASA FirePOWER Changes, then click Add Rule.