So I'm evaluating a 5550-X with FPR services. I've set up the ASA side fine, just not sure how to go about making use of and configuring the FPR side. I've searched through the vendor site, but I'm too new to this to grasp their documentation.
TIA
Are the docs online? I could give them a read to help out.
Here's what I could find
STEP 1 Validate your configuration.
STEP 2 Activate your Smart Licenses.
STEP 3 Configure your policies.
STEP 4 Prepare for deployment.
...and this was in the 5500-x resource center.
Don't like the new Cisco site, the back button doesn't even work.
DAMN, AND 5500-X EOL announced already
LDoS August 31, 2022
Time to get mucking with those 4100s.
Farewell, 5500-X series, we hardly knew ya...
Looks like Cisco left out
STEP 5. ? ? ?
STEP 6. PROFIT!
Are you running FMC?
Quote from: DanC on July 16, 2017, 05:15:50 AM
Are you running FMC?
No, but I think I might have to, that is, to register it.
I have a working ASA-X / SFR set up. I recently just set it up again from scratch and I'm not finished yet.
FMC runs in KVM now, I am running mine on Red Hat Virtualisation. I haven't tried managing SFR via ASDM but I noticed the ASDM tabs display some FMC-like content when I was setting it up.
Don't apply any licenses until you've done most of the work. Get SFR installed on the ASA and if you're going to use FMC then do all that set up as well. I understand that you need the license at the time of the policy push.
Then there's the policies. Mine aren't perfect but I'm getting there.
EOL? I just bought our remote site a 5506X 2 weeks ago, still waiting for it to arrive :blank: Although the hardware was zero cost because I bought a 1-year TAMC subscription. I want encrypted traffic analytics... over the weekend 86% of my traffic (at home, mind) was tcp/443. :smug:
Quote from: ristau5741 on July 14, 2017, 10:59:46 AM
DAMN, AND 5500-X EOL announced already
Do you have a link for that? I see that they are EOLing a bunch of them, but I don't see anything for the entire line.
Maybe it was only the 5585-X :doh:
Found here:
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/eos-eol-notice-c51-738643.html
5512-X and 5515-X here:
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-738644.html
https://supportforums.cisco.com/blog/12294976/asa-5500-x-sourcefire-firepower-configuration
This might be what I'm looking for.
I remember being told that ripping out the IPS and CXSC stuff was *VITAL* for the success of installing FirePower.
That's when the Cisco rep got the stinkeye from all of us and we made noises about applying purchase costs of CXSC modules towards FirePower gear and licensing...
CX didn't work for me. It kept failing over the ASAs, and there were other problems. I had that on eval and didn't accept it, then saw SFR at Cisco Live. SFR and CX is either/or: as it uses the same hardware you can't run both. CX was a pile of :squint:
@Ristau:
Some helpful links below to get you going. Also see the PoV doc attached.
The doc explains plugging it inline in transparent mode as one option for a PoV. You can then run a SPAN VLAN from your LAN to another port on the ASA and get insight into LAN-to-LAN traffic in addition, e.g. client-server, although I've not done that. I have active/standby ASAs in routed mode so I don't have the ability to run a SPAN port to the ASA. But the 5506 I have on order might well be going into the remote office in transparent mode; I've not planned it yet.
Policy config helpful guide: https://popravak.wordpress.com/2015/05/19/sourcefire-access-control-policies-part-one/
Intrusion prevention policy: https://popravak.wordpress.com/2015/05/21/sourcefire-intrusion-prevention-policy/
Active Directory stuff: http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html#anc6
Great video on getting policies set up, and tips such as adding your network subnets to the global whitelist so that if something is blacklisted your private stuff is not blocked out:
https://www.youtube.com/watch?v=kCZQrAYdrFo
DNS Sinkhole: http://www.packetu.com/2016/07/05/firepower-threat-defense-dns-sinkholing/
While finding one of the links above, I found this one which has a great title but I've not watched this one at all: https://www.youtube.com/watch?v=NcDl-Weujck
A few more tips: I'm running the very latest 6.2 code on the FMC and the ASA module/sensor. I had a couple of issues that were fixed by applying the latest update. One of the issues was that network discovery was not finding anything at all. Can't remember what the second one was; I'll have to scour my emails.
Another thing on my list of things to do is to set up the scheduling. At the moment my setup automatically checks for updates related to software and the VDB, as well as geolocation.
HTH
I mangled my ASA. Got the FirePower SW module loaded without the proper cabling in place and lost CLI and SSH to my ASA CLI,
also lost the CLI console. Seems the SFR took over. I do have ASDM access to the ASA, and I do see the FirePower module, but I can't manage that from ASDM either. Trying to work out how to get things back in order so I can continue my firewall testing. Can't seem to shut the module down.
Quote from: ristau5741 on July 21, 2017, 10:51:15 AM
I mangled my ASA. Got the FirePower SW module loaded without the proper cabling in place and lost CLI and SSH to my ASA CLI,
also lost the CLI console. Seems the SFR took over. I do have ASDM access to the ASA, and I do see the FirePower module, but I can't manage that from ASDM either. Trying to work out how to get things back in order so I can continue my firewall testing. Can't seem to shut the module down.
Sometimes, in the fast-cheap-good arrangement, you get only one... or zero...
Figured it out.
Via ASDM: Context Management > System context > Tools > Command Line Interface > Multiple line, then enter:
config t
sw-module module sfr shutdown noconfirm
then
config t
sw-module module sfr uninstall noconfirm
Quote from: ristau5741 on July 21, 2017, 10:51:15 AM
I mangled my ASA. Got the FirePower SW module loaded without the proper cabling in place and lost CLI and SSH to my ASA CLI,
also lost the CLI console. Seems the SFR took over. I do have ASDM access to the ASA, and I do see the FirePower module, but I can't manage that from ASDM either. Trying to work out how to get things back in order so I can continue my firewall testing. Can't seem to shut the module down.
Been there :)
You can console into the SFR module from the ASA itself BTW:
session sfr console
Are you using the FTD image or the ASA image? I have decided to stick with the ASA image, as I understand that the FTD image has missing features compared to the ASA image. Eventually we'll need to go FTD, but at the moment I don't think it's suitable for most cases. One of the missing features is VPN, so you can't VPN to your ASA when using FTD. Although I've not been keeping up with the revisions and roadmap, so I am expecting this to change quickly. The FTD image was also a higher cost when I had quotes a few weeks ago.
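For anyone landing on this thread with the same "module took over and I can't get at it" problem, here is the ASA-side sequence the two posts above describe, put together as one privileged-EXEC session with the checks a practitioner would want around it. This is an added example, not a transcript from anyone in the thread: the hostname, the policy-map/class names (`global_policy` / `sfr_class` are the ASDM defaults) and the boot image filename are assumptions. One thing the thread only hints at ("without the proper cabling"): on the 5500-X the SFR module is reached through the ASA's Management interface, so that port needs to be cabled to a network the FMC or your workstation can reach, or the module will register as up but you will never talk to it.

```text
! Added example (not from the thread). ASA 5500-X with an SFR software module.
! Hostname, class/policy-map names and image filename are assumptions.
! Commands are typed at the ASA privileged-EXEC prompt: console, SSH, or the
! ASDM Tools > Command Line Interface window all work.

! 1. Look before you touch: module state, version, management IP.
ciscoasa# show module sfr
ciscoasa# show module sfr details

! 2. Is traffic still being redirected to the module, and what happens if the
!    module is down? "sfr fail-close" drops matching traffic while the module
!    is unavailable; "sfr fail-open" lets the ASA policy alone forward it.
ciscoasa# show running-config policy-map
ciscoasa# show service-policy sfr

! 3. Before shutting the module down on a box that carries real traffic,
!    switch the redirect to fail-open so the ASA keeps forwarding.
ciscoasa# configure terminal
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr_class
ciscoasa(config-pmap-c)# no sfr fail-close
ciscoasa(config-pmap-c)# sfr fail-open
ciscoasa(config-pmap-c)# end

! 4. Get onto the module's own console from the ASA, no extra cable needed.
!    Leave the session with Ctrl-Shift-6 then x.
ciscoasa# session sfr console

! 5. Stop the module cleanly, confirm it is down, then remove it.
!    The uninstall is completed on the next ASA reload.
ciscoasa# sw-module module sfr shutdown noconfirm
ciscoasa# show module sfr
ciscoasa# sw-module module sfr uninstall noconfirm
ciscoasa# reload

! 6. Starting over from scratch: point the module at a boot image on disk0
!    (filename assumed) and boot it, then finish setup from "session sfr".
ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.2.0-2.img
ciscoasa# sw-module module sfr recover boot
```

Step 3 is the one people skip: with `sfr fail-close` in the policy, shutting the module down takes your user traffic with it, which is a lot harder to explain than a broken eval sensor.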
Quote from: Dieselboy on July 22, 2017, 09:50:33 PM
Are you using FTD image or ASA image? I have decided to stick with the ASA image as I understand that the FTD image has missing features compared to the ASA image. Eventually we'll need to go FTD but at the moment I don't think it's suitable for most cases. One of the missing features is VPN so you can't VPN to your ASA when using FTD. Although I've not been keeping up with the revisions and roadmap so I am expecting this to change quickly. FTD image was also a higher cost when I had quotes a few weeks ago.
Using the ASA image on the 5500-X devices, and working to set up FTD and the ASA images on two 4100 eval appliances so I can compare those. Working on installing FMC right now for working through the licensing. Cisco is coming on site today to assist with
getting the 4100s up and running and licensed so I can continue my eval testing.
BTW, Cisco needs a CCLE, Cisco Certified Licensing Expert. That'd be one hell of a test.
Quote from: ristau5741 on July 24, 2017, 06:52:00 AM
BTW, Cisco needs a CCLE, Cisco Certified Licensing Expert. That'd be one hell of a test.
It's Cisco Certified Licensing Information Expert, or CCLIE. :smug:
If you need CCLIE just to fix licensing these days then I need to find the door :twitch: :twisted: >:D :XD:
Quote from: Dieselboy on July 24, 2017, 10:54:20 PM
If you need CCLIE just to fix licensing these days then I need to find the door :twitch: :twisted: >:D :XD:
It's not about getting the license; you just need to go to the Cisco Licensing portal,
whether you need to use the classic licensing scheme or the new Smart Software Licensing.
The real trick is to know exactly what one needs to license and how many licenses are needed.
This in particular relates to bundled Cisco solutions, such as Unified Communications, Wireless, Mobility, NAC, ISE, etc.
Stick it on eval licensing for 90 days, have a play and then activate your PAKs.
There's also the FTDv, which is worth running in the lab to play about with. FirePower in general is quite a learning curve, I've found; it's an awesome bit of kit when you understand everything it's doing under the hood, but it's still a bit clunky with ASA + FP Services.
I'd recommend Micronics Zero 2 Hero Sec training if you can get work to pay and have the time. They cover a lot of FP on that.
Also, Todd Lammle has started doing a specific FP course online and in person too, I've not attended that but heard good things on LinkedIn etc.
Are you licensed for AMPs and IPS?
Quote from: DanC on July 29, 2017, 12:34:05 PM
Are you licensed for AMPs and IPS?
Just evaluating.
I have my out-of-the-box 5506 running SFR 6.0.2, and it's not working properly (doing weird things). I am updating to 6.0.2.52 because this happened before and was fixed after I updated. FYI: update the software on the sensor to get everything working :) Thought I'd mention that.