But if you have more than one, you can manage them centrally with the FirePOWER Management Center (formerly the SourceFIRE Defence Center).
WARNING: If you are going to use the FMC, DON'T register your licences in the ASDM; they all need to be registered in the FMC.
Solution
Before you can register the SFR module in the FMC, you need to have set it up and run through the initial setup. The process is the same whether you intend to use the ASDM or the FMC. You can then choose whether to register from the command line on the SFR, or via the ASDM.
Register SFR with FMC via Command Line
Connect to the parent firewall and open a session with the sfr module;
[box]
PETES-ASA# session sfr
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
PETES-SFR login: admin
Password:{password}
Last login: Fri Apr 8 05:04:49 UTC 2016 on ttyS1
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5506 v6.0.0 (build 1005)
>
[/box]
You can then add the FMC as a manager; you will need to supply a registration key (a shared secret that must match what you enter on the FMC side).
[box]
> configure manager add 10.9.20.25 password123
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.
[/box]
Register SFR with FMC via ASDM
Connect to the ASDM > Configuration > ASA FirePOWER Configuration > Integration > Remote Management > Add Manager.
Specify the IP of the FMC Appliance, and registration key > Save.
It should then say ‘pending registration’.
Configure the FirePOWER Management Appliance to Accept the SFR Registration
Provide the IP of the SFR module, a display name, and the registration key you used above. If you have set up a group you can use it, and select your Access Control Policy (don't panic if you have not configured one yet) > Register.
It can take a while, but eventually it should register like so;
Problems
Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection.
I had this problem for a while (credit to Craig Paolozzi for finding the fix). Both the SFR and the FMC needed static routes adding, pointing to each other (even though they could already ping each other!).
Related Articles, References, Credits, or External Links
I always forget the syntax for this, and I’ve been meaning to publish this for a while so here you go. If you have AAA setup and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step!
Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well.
Solution
Cisco ASA Test AAA Authentication From Command Line
You will need to know the server group and the server you are going to query. Below, the ASA is using LDAP, but the process is the same for RADIUS, Kerberos, TACACS+, etc.
[box]
Petes-ASA# show run | begin aaa
aaa-server TEST-LDAP-SERVER protocol ldap
aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
ldap-base-dn dc=TEST,dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=asa,OU=Users,OU=Test-Corp,dc=TEST,dc=net
server-type auto-detect
[/box]
To test your user, (username: ttester password: Password123);
[box]
Petes-ASA# test aaa-server authentication TEST-LDAP-SERVER host 192.168.110.10 username ttester password Password123
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
[/box]
Cisco ASA Test AAA Authentication From ASDM
Log into the ASDM > Configuration > Device Management > Users/AAA > Select the Server Group > Select the Server > Test.
Select ‘Authentication’ > Enter Username/Password > OK.
Cisco IOS Test AAA Authentication From Command Line
As above, you need to know which server group, and server, you are going to test authentication against;
[box]
Petes-Router#show run aaa
!
aaa authentication login default local
aaa authorization exec default local
!
aaa group server radius RADIUS-GROUP
server-private 192.168.110.10 key 666999
!
aaa new-model
aaa session-id common
!
[/box]
[box]
Petes-Router#test aaa group RADIUS-GROUP tester Password123 legacy
Attempting authentication test to server-group RADIUS-GROUP using radius
User was successfully authenticated.
[/box]
OR
[box]
Petes-Router#test aaa group RADIUS-GROUP tester Password123 new-code
User successfully authenticated
USER ATTRIBUTES
Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
noescape 0 True
autocmd 0 " ppp negotiate"
Petes-Router#
[/box]
You have probably tried to do this and found the option 'greyed out', because in the DHCP management console you can't change the subnet mask of a scope.
I needed to change a client's DHCP scope because I was changing their subnet from /24 to /16. I could have simply deleted and recreated the scope, but they had a lot of custom settings for their phone system, and hundreds of reservations (which I know is unusual).
Solution
I wrote an article a long time ago about migrating DHCP scopes, this process uses the same method to take a backup of the scope, then you can edit the subnet mask, and ‘re-import’ the scope again.
I was changing a client's LAN subnet this week (dropping the mask from /24 to /16). When I attempted to change the management IP on the client's HP switches, this happened;
[box]
HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0
The IP address (or subnet) 10.0.0.250/16 already exists.
HP2510-24G(vlan-1)#
[/box]
At first I thought the switch was complaining because the IP was staying the same and I was only changing the mask (which is a bit bobbins, but there you go). Turns out this is normal behaviour? Yes, I could have got my console cable out, walked to the comms room and done this;
[box]
HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# no ip address 10.0.0.250 255.255.255.0
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0
HP2510-24G(vlan-1)#
[/box]
But that would mean getting off my lazy backside, and what if I was hundreds of miles from the switch?
Solution
To solve the problem you need to enter the HP switch menu system; this will let you change the IP on the fly. Obviously, if you change the IP, make sure you can reach both its old and its new IP, or you will lose remote management.
From CLI type ‘menu’ {Enter}, you may be asked if you want to save the config. Choose ‘Switch Configuration’.
IP Configuration.
Edit.
Use the cursor keys and navigate to the IP/Subnet mask, and change accordingly > {Enter}
Select Save > Reconnect to the new IP address.
On a newly deployed FirePOWER service module I wanted to test connectivity and attempted to ping a public IP address. This is what happened;
[box]
> expert
admin@Petes-SFR:~$ ping 8.8.8.8
ping: icmp open socket: Operation not permitted
[/box]
My first thought was, "Well, you have to set a default gateway on the SFR when you set it up, so the firewall is probably blocking ICMP". So I checked the default policy, and indeed there was no ICMP inspection turned on.
UPDATE: The correct way to do this (as pointed out below) is to use;
[box]
system support ping {IP or Hostname}
[/box]
-=-=-=- Back to the original post -=-=-=-
On checking the firewall (Note: the decrement-ttl isn't really needed, I do that to make traceroute work);
[box]
Petes-FW(config)# policy-map global_policy
Petes-FW(config-pmap)# class inspection_default
Petes-FW(config-pmap-c)# inspect icmp
Petes-FW(config-pmap-c)# class class-default
Petes-FW(config-pmap-c)# set connection decrement-ttl
Petes-FW(config-pmap-c)# exit
Petes-FW(config-pmap)# exit
Petes-FW(config)# write mem
Building configuration...
Cryptochecksum: ae83c992 52a79538 b8370d6f 36125070
3120 bytes copied in 0.290 secs
[OK]
Petes-FW(config)#
[/box]
Unfortunately it still didn’t work!
Solution
Some forum searching yielded the same error on other flavours of Linux; the fix there was to set the setuid bit on the ping binary, so I gave that a try, and it worked.
[box]
admin@Petes-SFR:~$ sudo chmod u+s /bin/ping
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:{Your-SFR-Admin-Password}
admin@Petes-SFR:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=52 time=12.8 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=52 time=13.7 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=52 time=12.6 ms
64 bytes from 8.8.8.8: icmp_req=4 ttl=52 time=13.2 ms
[/box]
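Why the chmod u+s above works, and what it actually grants, as an added example that is not from the original post: this POSIX shell script audits the three ways a Linux host can let an unprivileged user open the raw ICMP socket that ping needs (setuid root, which is what the post sets; a cap_net_raw file capability; or the net.ipv4.ping_group_range sysctl). The /bin/ping path is taken from the post; everything else is an assumption about a generic Linux host, not the SFR's own tooling.

```shell
#!/bin/sh
# Added example (not from the original post): report how a Linux host lets a
# normal user run ping. "icmp open socket: Operation not permitted" means
# none of the three mechanisms checked here is in place for that binary.

# is_setuid FILE -> exit 0 when the setuid bit is set, 1 otherwise.
is_setuid() {
    # In "ls -l" output the 4th mode character is 's' (or 'S') when setuid is set.
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# has_net_raw_cap FILE -> exit 0 when the binary carries cap_net_raw
# (the narrower mechanism most modern distros use instead of setuid).
has_net_raw_cap() {
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -q 'cap_net_raw'
}

# ping_group_range_open -> exit 0 when the kernel allows unprivileged ICMP
# datagram sockets; the default "1 0" (low > high) means disabled.
ping_group_range_open() {
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) || return 1
    set -- $range
    [ "$1" -le "$2" ] 2>/dev/null
}

# ping_privilege_report FILE -> prints the verdict; returns 0 when at least
# one mechanism would let an unprivileged user ping, 1 when none would.
ping_privilege_report() {
    bin=${1:-/bin/ping}
    ok=1
    if is_setuid "$bin"; then
        echo "$bin: setuid (the post's fix; the whole binary runs as its owner, root)"
        ok=0
    fi
    if has_net_raw_cap "$bin"; then
        echo "$bin: has cap_net_raw file capability"
        ok=0
    fi
    if ping_group_range_open; then
        echo "kernel: net.ipv4.ping_group_range allows unprivileged ICMP sockets"
        ok=0
    fi
    [ $ok -eq 0 ] || echo "$bin: no privilege path; expect 'icmp open socket: Operation not permitted'"
    return $ok
}

# Stand-alone use: audit the path given on the command line, default /bin/ping.
ping_privilege_report "${1:-/bin/ping}" || true
```

Setuid root gives every local user the entire ping binary running as root, which is the broadest of the three options; that is why the SFR's own `system support ping` (the UPDATE above) is the better route there.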
If you change your internal LAN addresses it's easy to re-IP the firewall, but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won't let you change it.
Solution
Change the FirePOWER Module IP Address
Log into the firewall, then open a session with the SFR module. Find the name of the module's management interface (usually eth0, but check).
[box]
Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
GRAINGER-SFR login: admin
Password:{your password}
Last login: Thu Apr 7 08:11:00 UTC 2016 on pts/0
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 00:C8:8B:C1:0E:0C
IPv4 Address : 192.168.1.100
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>
[/box]
To change the IP you need to supply the IP address, subnet mask, default gateway, and physical interface like so;
Routing traffic back from the ASA: in most cases you will have a static route (or routes) tied to the inside interface of the firewall, or you may have dynamic routing if your network is a little more complex. But your FirePOWER module is essentially a small Linux box sitting inside the firewall; it has its own network connection and maintains its own routing table.
You may have already noticed that if your FirePOWER module is down or unreachable you will see an error like this;
Cannot connect to the ASA FirePOWER module
This means you can talk to the inside interface but not the FirePOWER module. If it's misconfigured, see the following article;
But what if you’re on a different network segment, and the ASA can talk to you but the SFR module can’t?
Solution
Adding a Static Route to the SFR Module
To put a static route on the SFR module you have to connect to it directly. Connect to the firewall and then open a session with the module.
[box]
Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)
Sourcefire3D login: admin
Password: {your-password}
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
>
[/box]
You need to find what the SFR has called its management interface, usually it’s eth0 but let’s check;
[box]
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
----------------------[ DMZ ]-----------------------
Physical Interface : GigabitEthernet1/3
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 00:F2:AA:66:94:3F
IPv4 Address : 10.0.0.253
----------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------
1. Make sure the user you will perform the migration as is in the right security groups (Organizational Management and Recipient Management).
2. On the legacy Exchange server, download the PF-Migration-Scripts-v2, then extract them to the server's C: drive.
3. Launch the Exchange Management Shell > change to the script directory > then create a folder-name-to-folder-size mapping file by running the Export-PublicFolderStatistics.ps1 script. Supply the name of the file you want to create (here I use PublicFoldersStats.csv), then supply the name of the server (the legacy one, with the source public folders on it).
[box]
cd c:\Scripts
./Export-PublicFolderStatistics.ps1 PublicFoldersStats.csv Mail-Server
[/box]
4. Create a Public Folder to Mailbox mapping file by running the PublicFolderToMailboxMapGenerator.ps1 script. Supply it with the maximum mailbox size (in bytes). Note: the maximum size is 25GB. You will also need to supply the input file you created in step 3 (PublicFoldersStats.csv). Finally, supply the name of the output file you wish to generate, i.e. Folder2Mailbox.csv.
[box]
./PublicFolderToMailboxMapGenerator.ps1
[/box]
5. Open the last CSV file you created (Folder2Mailbox.csv) and take note of the TargetMailbox name. By default the first one is called Mailbox1, I’m changing it to Public-Folder-Mailbox and saving the change. Note: You may get more than one! If so take note of them all, or rename them accordingly.
6. Now copy the ‘Scripts’ Directory from your legacy 2010 Exchange server, to the new 2013 / 2016 Server.
7. Whilst still on the new Exchange 2013 / 2016 Server, you need to open a command shell, navigate to the scripts directory and then run the Create-PublicFolderMailboxesForMigration.ps1 script. Reply ‘A’ to run all the scripts, then supply the name of the mapping csv you created above, (Folder2Mailbox.csv). Supply the estimated concurrent users to this mailbox, and enter ‘Y’ to proceed. Now the public folder mailbox will be created.
(Note: Public folders are now in a Mailbox, NOT their own Mailbox database, as in older versions of Exchange).
[box]
cd c:\Scripts
./Create-PublicFolderMailboxesForMigration.ps1
[/box]
8. Next we need to create a ‘batch task’ much the same as when we migrate multiple mailboxes. This first command creates the task, and the second one sets it running. (Change the values in red to match your own).
Update: 05/08/16: Make sure you have a ‘mailbox database’ mounted on the source Exchange server before proceeding, or you may see the following problem.
It might say Queued for quite a while, don’t worry!
Check Public Folder Migration Progress Option 2 From EAC
Open the Exchange Admin Center website and log on. Navigate to recipients > Migration > View Details.
10. If you were looking at the progress you will see it stops just before 100%; this is because you need to "Lock" the source public folders and let the migration complete. WARNING: this will involve downtime, so warn your users, or do this next step out of hours.
To MAKE SURE you are ready, check either the progress report like so;
Or, re-run the progress command above and look for 95% completion and ‘Automatically suspending job’
DOWNTIME FROM THIS POINT ONWARDS
11. Go to the legacy Exchange 2010 server and ‘lock’ the source public folders for migration, and restart the service.
12. Now access to the legacy Public Folder Database is shut down, but before replication to the new Public Folder Mailbox can be completed you need to return to the new Exchange 2013 / 2016 server and run the following commands;
This can take a little time; I would wait at least a couple of hours before proceeding (depending on your network topology: if you have a slow network, or the Exchange 2010 server is on another network segment, it may take longer).
Now check the migration worked with a test user and, provided everything is OK, unlock the Public Folders.
Log on as that user, (Outlook 2010 SP3 or Later.) Make sure the public folders are correct, you can expand them, the permissions are correct and you can create and delete entries.
It’s All Gone Wrong!
Don’t panic! You can remove the migration request with the following command;
Note: As per feedback (from Tobias Gebler), test mail flow to your public folders; you may need to manually "Mail Enable" them before they function properly. In some cases you need to disable then re-enable them before they work properly.
14. Remember in Outlook Web App 2013 / 2016, public folders are not visible until you add them!
Note: If (post-migration to Exchange 2016) your users cannot access the public folders, see the following article.