Getting Started with ASA FirePOWER

[icecream-guy]

so I"m evaling a 5550-X with FPR services,  I've setup the ASA side fine,  just not sure how to go about making use and configuring the FPR side.    I've searched through the vendor side, but I'm too new to this to grasp their documentation.

tia

[deanwebb]

Are the docs online? I could give them a read to help out.

[icecream-guy]

Here's what I could find

STEP 1 Validate your configuration.
STEP 2 Activate your Smart Licenses.
STEP 3 Configure your policies.
STEP 4 Prepare for deployment.


...and this was in the 5500-x resource center.

don;t like the new Cisco site, back button don't even work.

[icecream-guy]

DAMN AND 5500-x EOl announced already

LDoS August 31, 2022


time to get mucking with those 4100's

[deanwebb]

Farewell, 5500-X series, we hardly knew ya...

Looks like Cisco left out

STEP 5. ? ? ?
STEP 6. PROFIT!

[DanC]

Are you running FMC?

[icecream-guy]

Are you running FMC?

no, but I think I might have to, that is to register it.

[Dieselboy]

I have a working ASA-X / SFR set up. I recently just set it up again from scratch and I'm not finished yet.

FMC runs in KVM now, I am running mine on Red Hat Virtualisation. I haven't tried managing SFR via ASDM but I noticed the ASDM tabs display some FMC-like content when I was setting it up.

Don't apply any licenses until you've done most of the work. Get SFR installed on the ASA and if you're going to use FMC then do all that set up as well. I understand that you  need the license at the time of the policy push.

Then there's the policies. Mine aren't perfect but I'm getting there.

EOL? I just bought our remote site a 5506X 2 weeks ago, still waiting for it to arrive  Although the hardware was zero cost because I bought a 1-year TAMC subscription. I want encrypted traffic analytics... over the weekend 86% of my traffic (at home, mind) was tcp/443. 

[dlots]

DAMN AND 5500-x EOl announced already

Do you have a link for that?  I see that they are EOLing a bunch of them, but I don't see anything for the entire line.

[icecream-guy]

maybe it was only the 5585-X 

found here

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/eos-eol-notice-c51-738643.html

5512-X and 5515-X here
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-738644.html

[icecream-guy]

https://supportforums.cisco.com/blog/12294976/asa-5500-x-sourcefire-firepower-configuration
this might be what I'm looking for.

[deanwebb]

I remember being told that ripping out the IPS and CXSC stuff was *VITAL* for the success of installing FirePower.

That's when the Cisco rep got the stinkeye from all of us and we made noises about applying purchase costs of CXSC modules towards FirePower gear and licensing...

[Dieselboy]

CX didn't work for me. Kept failing over the ASAs and other problems. I had that on eval and didn't accept it, then saw SFR at Cisco live. SFR and CXC is either or, as it uses the same hardware you can't run both. CX was a pile of 

@Ristau:

Some helpful links below to get you going. Also see the PoV doc attached.

The doc explains plugging it inline in transparent mode as one option for a PoV. You can then run a span VLAN from your LAN to another port on the ASA and get insight into LAN to LAN traffic in addition, eg client-server although I've not done that. I have active/standby ASAs in routed mode so I don't have the ability to run a span port to the ASA. But the 5506 I have on order might well be going into the remote office in transparent mode - not planned it yet.

Policy config helpful guide: https://popravak.wordpress.com/2015/05/19/sourcefire-access-control-policies-part-one/

Intrusion prevention policy: https://popravak.wordpress.com/2015/05/21/sourcefire-intrusion-prevention-policy/

Active Directory stuff: http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html#anc6

Great video on getting policies set up and tips, such as adding your network subnets to the global whitelist so that if something is blacklisted then your private stuff is not blocked out:
https://www.youtube.com/watch?v=kCZQrAYdrFo

DNS Sinkhole: http://www.packetu.com/2016/07/05/firepower-threat-defense-dns-sinkholing/

While finding one of the links above, I found this one which has a great title but I've not watched this one at all: https://www.youtube.com/watch?v=NcDl-Weujck

A few more tips - I'm running the very latest 6.2 code on the FMC and ASA module / sensor. I had a couple of issues that were fixed with applying the latest update. One of the issues was network discovery was not finding anything at all. Can't remember what the 2nd one was, I'll have to scour my emails.

Another thing on my list of things to do is to set up the scheduling. At the moment my setup automatically checks for updates related to software and VDB as well as geolocation

HTH

[icecream-guy]

I mangled my ASA,  got the firepower sw module loaded, without the proper cabling in place and lost cli and ssh to my ASA CLI,
also lost CLI console. seems the SFR took over.  I do have ASDM access tot he ASA, I do see the firepower module, but cant manage that from asdm either.  trying how to get things back in order so I can continue my firewall testing. can't seem to shut the module down.

[deanwebb]

I mangled my ASA,  got the firepower sw module loaded, without the proper cabling in place and lost cli and ssh to my ASA CLI,
also lost CLI console. seems the SFR took over.  I do have ASDM access tot he ASA, I do see the firepower module, but cant manage that from asdm either.  trying how to get things back in order so I can continue my firewall testing. can't seem to shut the module down.

Sometimes, in the fast-cheap-good arrangement, you get only one... or zero...