Getting Started with ASA FirePOWER

Started by icecream-guy, July 14, 2017, 08:58:00 AM


icecream-guy

So I'm evaling a 5550-X with FPR services. I've set up the ASA side fine, just not sure how to go about making use of and configuring the FPR side. I've searched through the vendor site, but I'm too new to this to grasp their documentation.

tia
:professorcat:

My Moral Fibers have been cut.

deanwebb

Are the docs online? I could give them a read to help out.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Here's what I could find

STEP 1 Validate your configuration.
STEP 2 Activate your Smart Licenses.
STEP 3 Configure your policies.
STEP 4 Prepare for deployment.


...and this was in the 5500-x resource center.

Don't like the new Cisco site; the back button doesn't even work.



icecream-guy

DAMN, AND 5500-X EOL announced already

LDoS August 31, 2022


Time to get mucking with those 4100s.

deanwebb

Farewell, 5500-X series, we hardly knew ya...

Looks like Cisco left out

STEP 5. ? ? ?
STEP 6. PROFIT!

DanC

Are you running FMC?
icecream-guy

Quote from: DanC on July 16, 2017, 05:15:50 AM
Are you running FMC?
No, but I think I might have to, that is, to register it.

Dieselboy

I have a working ASA-X / SFR set up. I recently just set it up again from scratch and I'm not finished yet.

FMC runs in KVM now, I am running mine on Red Hat Virtualisation. I haven't tried managing SFR via ASDM but I noticed the ASDM tabs display some FMC-like content when I was setting it up.

Don't apply any licenses until you've done most of the work. Get SFR installed on the ASA and if you're going to use FMC then do all that set up as well. I understand that you need the license at the time of the policy push.

Then there's the policies. Mine aren't perfect but I'm getting there.

EOL? I just bought our remote site a 5506X 2 weeks ago, still waiting for it to arrive  :blank: Although the hardware was zero cost because I bought a 1-year TAMC subscription. I want encrypted traffic analytics... over the weekend 86% of my traffic (at home, mind) was tcp/443.  :smug:

dlots

Quote from: ristau5741 on July 14, 2017, 10:59:46 AM
DAMN AND 5500-x EOl announced already


Do you have a link for that?  I see that they are EOLing a bunch of them, but I don't see anything for the entire line.


icecream-guy


deanwebb

I remember being told that ripping out the IPS and CXSC stuff was *VITAL* for the success of installing FirePower.

That's when the Cisco rep got the stinkeye from all of us and we made noises about applying purchase costs of CXSC modules towards FirePower gear and licensing...

Dieselboy

CX didn't work for me. Kept failing over the ASAs, and other problems. I had that on eval and didn't accept it, then saw SFR at Cisco Live. SFR and CX are either/or; as it uses the same hardware you can't run both. CX was a pile of :squint:

@Ristau:

Some helpful links below to get you going. Also see the PoV doc attached.

The doc explains plugging it inline in transparent mode as one option for a PoV. You can then run a SPAN VLAN from your LAN to another port on the ASA and get insight into LAN-to-LAN traffic in addition, e.g. client-server, although I've not done that. I have active/standby ASAs in routed mode so I don't have the ability to run a SPAN port to the ASA. But the 5506 I have on order might well be going into the remote office in transparent mode; not planned it yet.

Policy config helpful guide: https://popravak.wordpress.com/2015/05/19/sourcefire-access-control-policies-part-one/

Intrusion prevention policy: https://popravak.wordpress.com/2015/05/21/sourcefire-intrusion-prevention-policy/

Active Directory stuff: http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200329-Configure-Active-Directory-Integration-w.html#anc6

Great video on getting policies set up and tips, such as adding your network subnets to the global whitelist so that if something is blacklisted then your private stuff is not blocked out:
https://www.youtube.com/watch?v=kCZQrAYdrFo

DNS Sinkhole: http://www.packetu.com/2016/07/05/firepower-threat-defense-dns-sinkholing/

While finding one of the links above, I found this one which has a great title but I've not watched this one at all: https://www.youtube.com/watch?v=NcDl-Weujck

A few more tips: I'm running the very latest 6.2 code on the FMC and ASA module/sensor. I had a couple of issues that were fixed by applying the latest update. One of the issues was that network discovery was not finding anything at all. Can't remember what the 2nd one was; I'll have to scour my emails.

Another thing on my list of things to do is to set up the scheduling. At the moment my setup automatically checks for updates related to software and VDB as well as geolocation.

HTH

icecream-guy

I mangled my ASA: got the FirePOWER SW module loaded without the proper cabling in place and lost CLI and SSH to my ASA CLI, also lost the CLI console. Seems the SFR took over. I do have ASDM access to the ASA, and I do see the FirePOWER module, but can't manage that from ASDM either. Trying to work out how to get things back in order so I can continue my firewall testing. Can't seem to shut the module down.

deanwebb

Quote from: ristau5741 on July 21, 2017, 10:51:15 AM
I mangled my ASA: got the FirePOWER SW module loaded without the proper cabling in place and lost CLI and SSH to my ASA CLI, also lost the CLI console. Seems the SFR took over. I do have ASDM access to the ASA, and I do see the FirePOWER module, but can't manage that from ASDM either. Trying to work out how to get things back in order so I can continue my firewall testing. Can't seem to shut the module down.


Sometimes, in the fast-cheap-good arrangement, you get only one... or zero...
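The thread above describes getting the SFR (FirePOWER services) software module running on an ASA-X and then losing control of it. As an added example, not posted by anyone in the thread, the ASA-side CLI below shows how to check the module's state, reach its console, register it with an FMC, and send traffic to it in monitor-only mode first so a module problem does not drop traffic; the FMC address 192.0.2.10 and the registration key REGKEY_PLACEHOLDER are placeholders, and the class-map name sfr-class is an assumed name.

```text
! Added example (not from the thread). ASA CLI for a first SFR deployment.
! Assumes the SFR software module is already installed on the ASA.

! 1. Check the module's state before touching anything else.
!    "Up" in the Status column means the module booted; "Recover" or
!    "Unresponsive" means it needs a reload or a recover/uninstall.
show module sfr
show module sfr details

! 2. Open the module's own console from the ASA CLI. This is a separate
!    session; the ASA prompt is still there underneath. Leave the module
!    console with Ctrl-Shift-6 followed by x.
session sfr console

! 3. Inside the module console, point the sensor at the FMC.
!    192.0.2.10 and REGKEY_PLACEHOLDER are placeholders; the same key
!    must be entered on the FMC side when the device is added.
configure manager add 192.0.2.10 REGKEY_PLACEHOLDER

! 4. Back on the ASA: redirect traffic to the module. monitor-only copies
!    traffic to SFR for inspection without letting it drop anything, and
!    fail-open keeps traffic flowing if the module goes down. Drop
!    monitor-only once the policies are trusted.
class-map sfr-class
 match any
policy-map global_policy
 class sfr-class
  sfr fail-open monitor-only
service-policy global_policy global

! 5. If the module misbehaves, stop or restart it from the ASA side.
sw-module module sfr shutdown
sw-module module sfr reload
```

Until step 4 is applied no traffic reaches the module at all, which is why it is safe to install and register the module first and only then add the service-policy; the thread's advice about applying licenses late fits the same order, since the license is consumed at policy push time, after registration.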