When attempting to track users with FirePOWER, the FMC does not show any usernames.
Solution
There are a lot of reasons this might not work; let’s take a look at a few of them.
Firstly, make sure the server running the ‘user agent’ is listed under System > Integration > Identity Sources > User Agent.
It probably goes without saying, but over on the server running the user agent, make sure it can see the Domain Controller(s) and the FMC (everything is green).
Make sure your DCs are set up to audit logon events! (I’ve had to do this in local policy directly on the DCs before).
Ensure you have set up a ‘Realm’ for your Active Directory, and that it’s enabled. (System > Integration > Realms).
WARNING: In some versions of the FMC there’s a ‘bug’ that requires you to use the NetBIOS name of your domain rather than its full domain name, (as shown in the example on the right).
After you have made the change, ensure you can still download the users and groups. Don’t forget to ‘Save’ the changes, and redeploy the settings.
Make sure you have an ‘Identity Policy’, that it’s set to discover users by ‘Passive Authentication’, and that it uses the ‘Realm’ you created. (Policies > Access Control > Identity).
In your main ‘Access Control Policy’, in at least one of the rules, under ‘Users’, ensure that your ‘Realm’ is selected and added. (Policies > Access Control).
Also, under your ‘Network Discovery’ policy, make sure ‘Users’ has been added.
Then take a look under Analysis > Users > User Activity. Make sure that logon events are getting logged, and mapped to IP addresses.
Once all the boxes are ‘ticked’, users should start appearing.
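The ‘audit logon events’ check above is the one I’d script, because it is easy to assume a GPO has done it. The following is an added example (it is not from the original article and not a Cisco tool) to run in an elevated PowerShell session on each domain controller: it reports the effective ‘Logon’ audit setting, optionally switches success auditing on, and counts recent 4624 (successful logon) events, which are the events the user agent turns into user-to-IP mappings. The -EnableIfMissing switch is this script’s own assumption, not a FirePOWER setting.

```powershell
# Added example, not from the original article. Run elevated on a domain controller.
# Reads the effective "Logon" audit subcategory (whether it came from GPO or local
# policy), optionally enables success auditing, and checks that 4624 events exist.

function Get-LogonAuditSetting {
    # auditpol /r emits CSV; "Inclusion Setting" is one of:
    # "Success", "Failure", "Success and Failure", "No Auditing"
    $row = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

function Test-LogonAuditing {
    param([switch]$EnableIfMissing)   # assumption of this script, not a FirePOWER setting

    $setting = Get-LogonAuditSetting
    $enabled = $setting -match 'Success'

    if (-not $enabled -and $EnableIfMissing) {
        auditpol /set /subcategory:"Logon" /success:enable | Out-Null
        $setting = Get-LogonAuditSetting      # re-read rather than assume
        $enabled = $setting -match 'Success'
    }

    # A setting that is "on" but produces no 4624s (e.g. overridden by a GPO that has
    # not applied yet) is still a fault from the user agent's point of view.
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LogonAuditing   = $setting
        SuccessAudited  = $enabled
        Recent4624Count = @($recent).Count
        LastLogonEvent  = $(if ($recent) { @($recent)[0].TimeCreated } else { $null })
    }
}

Test-LogonAuditing | Format-List
```

If SuccessAudited is true but Recent4624Count is 0 on a busy DC, the audit setting has probably only just been applied; wait a few minutes (the ‘cup of coffee rule’) and run it again before looking elsewhere.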
Related Articles, References, Credits, or External Links
Normally I don’t like upgrading the SFR this way. But then I tend to install new firewalls, set them up and walk away, so it’s easier (and a LOT quicker) to simply image the module to the latest version and then set it up.
This week I had an existing customer, who has an ASA5508-X but wasn’t using his FirePOWER. I’d installed the controller licence when I set it up originally, (as a safeguard in case the licence got lost, which nearly always happens!). The firewall was pretty much up to date, but the SFR was running 5.4.0 (at time of writing we are at 6.2.2). So instead of imaging it I decided to upgrade it; this takes a LOOOOOOOONG TIME! (4-6 hours per upgrade) and you cannot simply upgrade straight to the latest version.
Thankfully this does not affect the firewall itself, (assuming you set the SFR to Fail Open).
Solution
The first task is to find out what the latest version is; at time of writing that’s 6.2.2. Open the release notes for that version and locate the upgrade path, it looks like this;
Well that’s a lot of upgrades! You may notice that there are some ‘pre-installation packages’. Sometimes when you go to the downloads section at Cisco these are nowhere to be found! This happens when a version gets updated; in the example above one of my steps is the 6.0.1 pre-installation package, this was nowhere to be found, so I actually used 6.0.1-29.
The files you need are the ones which end in .sh, i.e. Cisco_Network_Sensor_Patch-6.0.1-29.sh (DON’T email me asking for updates; you need a valid Cisco support agreement tied to your Cisco CCO login.)
Once you have downloaded your update, log in to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.
Upload your update, (this can take a while).
When uploaded > Select your update > Install, (if the install needs a reboot accept the warning).
Note: This is a reboot of the FirePOWER module, NOT the Firewall.
You can follow progress (to a point) from the task information popup. Once the SFR module goes down you won’t see anything apart from an error, unless your version is 6.1.0 or newer (which shows a nice progress bar). So;
Don’t panic: it looks like it’s crashed for hours – it’s fine.
There are other things you can look at if you’re nervous.
Monitoring FirePOWER upgrades
What I like to do is SSH into the firewall and issue the following command;
[box]debug module-boot[/box]
Then you can (after a long pause of nothing appearing to happen!) see what is going on.
You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.
If you are currently running 6.1.0 or above you get this, which is a little better.
Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.
Back at the firewall, if you issue a ‘show module’ command during the upgrade it looks like the module is broken! This will be the same for a few hours!
[box]
PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

MANY HOURS LATER

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b79  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70  N/A          N/A          6.0.1-29

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.1-29

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up
[/box]
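If you are going to poll ‘show module’ every few minutes over SSH rather than stare at it, it helps to parse the output instead of eyeballing the tables. The following is an added example (not from the original article, and not a Cisco tool) that pulls the SFR row out of the SSM Application and Status tables and tells you whether the module and its data plane are both ‘Up’ yet. The sample input is constructed from the mid-upgrade output above, padded the way the ASA prints it; how you collect the text (Plink, Posh-SSH, a console log) is up to you.

```powershell
# Added example, not from the original article: parse `show module` text so a
# scheduled poll can distinguish "SFR still upgrading" from "SFR back up".

function ConvertFrom-ShowModule {
    param([Parameter(Mandatory)][string]$Text)

    $state   = [ordered]@{ SwVersion = $null; AppStatus = $null; Status = $null; DataPlane = $null }
    $section = ''
    foreach ($line in ($Text -split "`r?`n")) {
        # Each table starts with a "Mod ..." header; remember which one we are in.
        if ($line -match '^Mod\s+SSM Application') { $section = 'app';    continue }
        if ($line -match '^Mod\s+Status')          { $section = 'status'; continue }
        if ($line -match '^Mod\s+')                { $section = 'other';  continue }
        if ($line -notmatch '^\s*sfr\s+')          { continue }   # only the SFR row matters

        switch ($section) {
            'app' {
                # "sfr ASA FirePOWER   <Status>   <Version>" -- the status may contain spaces
                if ($line -match '^\s*sfr\s+ASA FirePOWER\s+(.+?)\s+(\S+)\s*$') {
                    $state.AppStatus = $Matches[1]
                    $state.SwVersion = $Matches[2]
                }
            }
            'status' {
                # Columns are padded with two or more spaces, so split on runs of whitespace
                $cols = (($line -replace '^\s*sfr\s+', '').Trim()) -split '\s{2,}'
                $state.Status    = $cols[0]
                $state.DataPlane = $cols[1]
            }
        }
    }
    [pscustomobject]$state
}

function Test-SfrReady {
    param([Parameter(Mandatory)][string]$Text)
    $m = ConvertFrom-ShowModule -Text $Text
    # Ready only when the module and its data plane are both Up; anything else = keep waiting
    return ($m.Status -eq 'Up' -and $m.DataPlane -eq 'Up')
}

# Constructed sample: the mid-upgrade tables from the session above
$DuringUpgrade = @'
Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable
'@

ConvertFrom-ShowModule -Text $DuringUpgrade   # Status = Unresponsive, DataPlane = Not Applicable
Test-SfrReady -Text $DuringUpgrade            # False: keep waiting
```

Feed it the ‘MANY HOURS LATER’ output and Test-SfrReady returns True with SwVersion 6.0.1-29, which is the point at which you can go and check the next step of the upgrade path.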
Related Articles, References, Credits, or External Links
While replacing a FirePOWER Management console, I got this error;
Interface Status
Interface ‘DataPlaneInterface0’ is not receiving any packets
Solution
A look at the health monitor showed me the same thing;
Firstly, common sense dictates that you check this is a live firewall and traffic is actually flowing through it. In my case the traffic simply needed to be ‘sent through’ the module. Execute the following, (or check for the presence of matching configuration);
[box]
access-list ACL-FirePOWER extended permit ip any any
class-map CM-SFR
match access-list ACL-FirePOWER
exit
policy-map global_policy
class CM-SFR
sfr fail-open
exit
exit
write mem
[/box]
Note: Here I’m assuming you want to ‘fail-open’, i.e. not block traffic if the FirePOWER module fails, and that you are inspecting ‘inline’ (not passively).
Then apply the cup of coffee rule, and ensure some traffic is sent via the firewall.
Failover (Active / Standby) Firewalls and FirePOWER
As pointed out (below, thanks Marvin), if you have an active/standby failover firewall pair, you will also see this error from the SFR module in the standby firewall, which makes sense because that firewall is not passing any traffic!
Related Articles, References, Credits, or External Links
FirePOWER Management Center will give you a wealth of information on traffic, threats, etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, then that means you have to look through logs to see who had what IP, at what time, etc.
So you can install the FirePOWER User Agent on a machine, (this can be a client machine, though I usually put it on a member server). You then tell the user agent to monitor your Active Directory server(s), and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.
Note: This is for Version 6.0.0
You will need to create a user in your domain to query AD with, (just a member of domain users is fine). I typically use svc_firepower as the username.
Solution
Your first challenge is to find the software; you would think it would be with the firewalls or the appliance, but no!
In the FMC > System > Integration > Identity Sources > User Agent > New Agent > Supply the IP of the server that you are going to install the agent on > OK > Save.
On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is open on the firewall.
On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.
Grant your FirePOWER user Remote Enable > Apply > OK.
On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.
Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.
On the Default Domain Controllers Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log > Add in your FirePOWER user.
Note: Allow time for the policy to apply, (or run ‘gpupdate /force’, or simply force the policy from the GPMC.msc console, (if your domain is 2012)).
On the server/machine that you want to install the agent on, run setup.exe (1); if you run setup.msi (2) then only the agent is installed and it will error if you try and launch it.
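Before installing the agent, I like to prove that the DC-side rights above actually work from the box that will run it. The following is an added example (not from the original article, and not a Cisco tool) to run on the server that will host the user agent. A remote WMI read of the Security log under the service account exercises everything the steps above grant: DCOM Remote Launch/Activation, Remote Enable on root\cimv2, the ‘Manage auditing and security log’ right (needed to read the Security log), and the firewall path. It uses Get-WmiObject rather than Get-CimInstance on purpose, because the user agent talks DCOM/WMI, not WinRM. The DC names and the CORP\svc_firepower account are constructed placeholders.

```powershell
# Added example, not from the original article. Run on the future User Agent server,
# as any user; the service account is supplied via -Credential.

function Test-UserAgentDcAccess {
    param(
        [Parameter(Mandatory)][string[]]$DomainController,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    foreach ($dc in $DomainController) {
        $r = [ordered]@{ DC = $dc; Rpc135 = $false; WmiCimv2 = $false; SecurityLog = $false; Error = $null }
        try {
            # 1. The RPC endpoint mapper must be reachable before DCOM can do anything.
            $r.Rpc135 = (Test-NetConnection -ComputerName $dc -Port 135 `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
            if (-not $r.Rpc135) { throw "TCP 135 to $dc blocked" }

            # 2. A plain cimv2 query needs DCOM Remote Launch/Activation + WMI Remote Enable.
            $null = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OperatingSystem `
                        -ComputerName $dc -Credential $Credential -ErrorAction Stop
            $r.WmiCimv2 = $true

            # 3. Reading the Security log additionally needs "Manage auditing and security
            #    log" (SeSecurityPrivilege). 4624 = successful logon. Can be slow on a busy DC.
            $null = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_NTLogEvent `
                        -Filter "Logfile='Security' AND EventCode=4624" `
                        -ComputerName $dc -Credential $Credential -ErrorAction Stop |
                    Select-Object -First 1
            $r.SecurityLog = $true
        }
        catch {
            $r.Error = $_.Exception.Message   # the first failing step tells you which right is missing
        }
        [pscustomobject]$r
    }
}

# Usage with placeholder names: prompt for the service account password, test two DCs.
$cred = Get-Credential -UserName 'CORP\svc_firepower' -Message 'User Agent service account'
Test-UserAgentDcAccess -DomainController 'dc01.corp.example', 'dc02.corp.example' -Credential $cred |
    Format-Table -AutoSize
```

Reading the columns left to right tells you where to look: Rpc135 false is the firewall, WmiCimv2 false is DCOM or the cimv2 namespace security, and SecurityLog false on its own is almost always the ‘Manage auditing and security log’ right not having applied yet.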
Open the agent and add in your domain controllers.
Note: Sometimes, you may have the following problem;
I was deploying a Cisco FirePOWER user agent last week, but once setup, the agent reported that the Real-Time status for SOME of the domain controllers was permanently ‘Unavailable’. Now I know you have to be patient with these things so I went and had a coffee.
Still it refused to ‘go green’.
Solution
In addition to all the other rights and firewall rules that you normally have to check, you may have to create another ‘inbound’ firewall rule on your domain controllers.
Type = Custom > Next > All Programs > Next > Protocol type = TCP, Local Port = RPC Dynamic Ports, Remote Port = All Ports > Next.
Add the IP address of the FirePOWER Management Appliance > Next > Allow the Connection > Next.
I’m allowing for all profiles > Next > Give the rule an easy to recognise name > Finish.
Now, back on the server that’s running the user agent, you should just need to restart the ‘Cisco Firepower User Agent’ service. Though I usually just reboot the server and apply the ‘cup of coffee rule’.
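The same rule can be created without clicking through the wizard, which is handy when you have a dozen DCs to do. The following is an added example (not from the original article or a Cisco tool) to run in an elevated session on each domain controller: it creates the inbound TCP rule for the RPC dynamic port range with the same choices as the wizard steps above (all programs, remote port any, all profiles), but scoped to the host(s) you name in -RemoteHost, and it also enables the built-in inbound WMI rules that cover the endpoint mapper on TCP 135 (the ‘make sure WMI is open on the firewall’ step). The article adds the management appliance’s address; the WMI sessions are actually opened from whichever host runs the user agent, so list every host that will connect. The rule name and the 10.0.0.50 address are constructed placeholders.

```powershell
# Added example, not from the original article. Run elevated on each domain controller.

function New-UserAgentRpcRule {
    param(
        [Parameter(Mandatory)][string[]]$RemoteHost,   # host(s) that open WMI sessions to this DC
        [string]$Name = 'Cisco FirePOWER User Agent - RPC Dynamic Ports'   # placeholder name
    )
    # Idempotent: re-running the script must not stack duplicate rules.
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    # Custom rule, all programs, TCP, local port = RPC dynamic range, remote port = all,
    # allow, all profiles; the wizard's choices, with the remote address restricted.
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
        -LocalPort RPC -RemotePort Any -RemoteAddress $RemoteHost -Program Any `
        -Action Allow -Profile Any -Enabled True
}

function Enable-WmiInboundRules {
    # The endpoint mapper (TCP 135) and the DCOM/WMI listener are covered by the
    # built-in "Windows Management Instrumentation (WMI)" group; just switch it on.
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Enable-NetFirewallRule
}

New-UserAgentRpcRule -RemoteHost '10.0.0.50'   # placeholder: the User Agent server
Enable-WmiInboundRules
```

Scoping -RemoteAddress is the one thing I would not skip: ‘RPC dynamic ports’ is the whole 49152-65535 range on a modern DC, and leaving it open to any source is a much bigger hole than the wizard makes it look.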
That Didn’t Work!
All my domain controllers, (a mixture of 2012 R2 and 2016 servers) then reported in fine, ALL EXCEPT ONE. I even tried disabling the firewall, I rechecked all the other pre-requisites and made sure it was using the default domain controller group policy; it flatly refused to ‘go green’.
You can enable logging on the user agent, and get it to log to the server event log, so I tried that and got;
Event ID 2317: Unable to attach to event listener {IP-Address}. Check firewall settings on AD Server. Attempted to perform an unauthorised operation.
No matter what I did, I could not get this one domain controller to report in. In the end I installed the FirePOWER agent directly on this domain controller, and added it as a new agent source in the FirePOWER Management appliance; then it reported fine.
Related Articles, References, Credits, or External Links
Once deployed, authentication is handled by the appliance’s own internal user database; in larger organisations this is a little impractical. So the ability to create an Active Directory group, and delegate access to FireSIGHT to members of that group, is a little more versatile.
Solution
I’m making the assumption that the appliance does not already have external authentication setup at all, so I’ll cover everything from start to finish.
Newer Versions
Logon to the Appliance > System > Users > External Authentication > Add External Authentication Object
Older Versions
Logon to the Appliance > System > Local User Management > External Authentication > Create External Authentication Object.
Authentication Method: LDAP
Name: Choose a sensible name for the connection.
Server Type: MS Active Directory
Host Name/IP Address: the IP of your domain controller.
Port: 389 (this is standard LDAP).
If you have a second Domain Controller enter the details here.
Note: In Active Directory, I’ve created a USER to make the connection to Active Directory with, and I’ve also created a SECURITY GROUP that my administrators will be in.
You can use the ldp.exe tool to locate the correct LDAP path (distinguished name) for the user you created, (and the group, because you will need that in a minute as well).
Base DN: Usually the root of the domain, in standard LDAP format.
Username: The LDAP path to the user you created.
Password: For the user above.
UI Access Attribute: sAMAccountName
Shell Access Attribute: sAMAccountName
I’m simply having one administrative group; if you have a granular RBAC requirement, there are a number of pre-configured roles you can assign your AD groups to, (or you can create custom ones). So I’m adding the LDAP path of my administrators group to the ‘Administrator’ role.
Also set the default role to ‘Security Analyst (Read Only)’.
Group Member Attribute: member.
Username: A user in the AD Administrative group you created.
Password: Password for the above account.
Press ‘Test’
All being well you should see a success, Press Save.
Newer Versions
Switch the ‘slider’ to enabled > Save > Save and Apply. (Now skip to All Systems below).
Older Versions
You now need to add this to the policy being applied to this appliance. System > Local System Policy > Select the policy in use > Edit.
External Authentication
Status: Enabled
Default User Role: System Analyst (Read Only)
Finally, change the slider button and ensure it is ticked. Save the policy and exit.
Now apply the policy (green tick).
Tick the appliance > Apply.
Success.
All Systems
Now you can login with your administrative AD accounts.
You can also create a local user to match an AD account, and get the appliance to use AD for authentication of this user.
Related Articles, References, Credits, or External Links
For most people that’s fine, but if you have a lot of FirePOWER devices to manage that does not scale well. In those cases you should use the FMC (FirePOWER Management Center). Here I’m going to use the VMware virtual appliance, (at time of writing there is no Hyper-V version).
This lets you create policies centrally and then deploy them to your devices in bulk.
Solution
Deploy the FirePOWER Management Center Appliance
Obviously, before you start, you need to have VMware (ESX or vCenter) with 250GB of storage free, (you can deploy it thin provisioned). You will also need to allocate 8GB of RAM and 4 virtual CPUs. Whichever network (or VMware port group) you connect the appliance to, it needs to have IP connectivity to the devices you intend to manage.
Download the FMC Appliance: Be aware it downloads in tar.gz format, so on a Windows machine you will need something like 7-Zip to uncompress the files. You WON’T find the file under the firewalls; they are listed under;
You will need to accept the EULA, then set the admin password, and some basic IP settings.
I’ve got IPv6 disabled, if you want to address the appliance with IPv6 enter the details here.
Even after the appliance has been imported and powered on, it can take 20-30 minutes before you can log on. At this point I would go and do something else. If you really must, then open a ‘console’ session and wait until the logon prompt is shown. You can then log on to the web portal.
Go to System > Updates > Download and install any updates > Visit both the ‘Rule Updates’ and the ‘Geolocation Updates’ tabs and set a time to download them.
Don’t install the licences just yet! Add your devices to the FMC first; then if there’s a problem and you need to rebuild/redeploy, you don’t have to go cap in hand to Cisco licensing to get the licences re-armed. To add the SFR devices see the following article;
Network Discovery: Older versions of the FMC used to only look for RFC 1918 IP ranges. This was changed at some point to 0.0.0.0/0, so you couldn’t misconfigure the system by having a private address space internally, for example. This was a good idea, but I’ve seen some firewalls fall over trying to run discovery on every IP address they see! So let’s manually add in our subnets. Objects > Object Management > Add Network > Add Object > Add one for your internal network(s).
Policies > Network Discovery > Remove the 0.0.0.0 Rule.
Create a new discovery rule using just your subnet(s).
Adding Licences To FirePOWER Management Center
You used to have to licence the appliance itself; after version 6 you don’t need to do that. If you have a licence and you try and apply it, nothing happens and you just see this message;
Note: FireSIGHT is the old name for FirePOWER Management Center.
What Licences do I need to Add? Your Next Generation Firewalls now come with a ‘CONTROL LICENSE’ in the box; it is in a large white card envelope. You don’t need to open it, the number you need is on the front of the envelope. You add a control licence for every device you want to manage (they do not expire).
System > Licences > Classic Licenses > You need to take a note of the ‘Licence Key’, (which is the MAC address of the appliance with a 66 in front of it). This is the serial number you need to enter on the Cisco licensing portal.
When you get the licence back, if you open it in a text editor it will look like this (it’s essentially a digital certificate). Copy everything from ‘— BEGIN’ to ‘License —’.
Paste in the text > Submit License.
Repeat for each licence (IDS, AMP, URL Filtering, etc.)
You will also need to allocate the licences to devices. Devices > Device Management > Select the device in question > Edit.
To use an intrusion policy the devices each need a ‘Protection’ licence. Note: You now get a protection licence automatically when you add a CONTROL licence, but you still need to pay a subscription to legally obtain the updates.
Policies > Access control > Intrusion > Create Policy.
Give the policy a recognisable name > Create and Edit policy.
The policy it creates is based on the ‘Balanced Security and Connectivity’ template. You might want to add a few extra rules > Rules > Blacklist > Select All.
Rule State > Drop and Generate Events.
Repeat for ‘Malware’. Note: This does NOT require an AMP licence.
Repeat for ‘PUA’ (Potentially Unwanted Applications).
Repeat for ‘Indicator Compromise‘.
Repeat for ‘Exploit Kit‘.
Search for ‘1201’ and locate the ‘INDICATOR-COMPROMISE 403 Forbidden’ rule and DISABLE IT.
Policy Information > Commit Changes > OK.
Note: To be used, the intrusion policy needs to be declared in an Access Control policy rule (or set as the Default Action).
Also in the Access Policy set the logging to ‘Log at the end of connection‘.
As mentioned above you can also set it as the ‘Default Action‘.
Configuring FirePOWER AMP and File Policy
You need an AMP (subscription-based) licence to enable the ‘Malware Cloud Lookup’ or ‘Block Malware’ actions, but you can have a file policy and block specific file types without one.
Policies > Access Control > Malware and File > New File Policy.
Give the policy a name you will remember > Save.
Action = Malware Cloud Lookup > Add in the file types you want to scan > Below I’ve set it to store unknown files > Save.
Then create another rule below that, that detects all files.
As above, the file policy won’t be applied to anything unless you specify it in an access policy rule.
In the rule also set the logging to ‘log at the end of connection’.
Configuring FirePOWER URL Filtering Policy
You need to have a URL filtering licence allocated to the devices you want to use this policy on.
Unlike File policies and Intrusion policies, URL filtering is configured directly on your Access Control policy > Add Rule.
Here’s an example of blocking some categories you don’t want viewable in your organisation.
In a rule that only has URL filtering, set the logging to ‘Log at the beginning of the connection’.
When done, don’t forget to ‘Deploy‘ the new policy to your managed devices. Deploy > Select Devices > Deploy.
Related Articles, References, Credits, or External Links
But if you have got more than one, you can manage them centrally with the FirePOWER Management Center, (formerly SourceFIRE Defence Center).
WARNING: If you are going to use FMC DON’T register your licences in the ASDM, they all need to be registered in the FMC.
Solution
Before you can register the SFR module in the FMC, you need to have set it up and run through the initial setup. The process is the same whether you intend to use the ASDM or the FMC. You can then choose whether to register from the command line in the SFR, or via the ASDM.
Register SFR with FMC via Command Line
Connect to the parent firewall and open a session with the sfr module;
[box]
PETES-ASA# session sfr
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
PETES-SFR login: admin
Password:{password}
Last login: Fri Apr 8 05:04:49 UTC 2016 on ttyS1
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5506 v6.0.0 (build 1005)
>
[/box]
You can then add the FMC as a manager; you will need to supply a registration key.
[box]
> configure manager add 10.9.20.25 password123
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.
[/box]
Register SFR with FMC via ASDM
Connect to the ASDM > Configuration > ASA FirePOWER Configuration > Integration > Remote Management > Add Manager.
Specify the IP of the FMC Appliance, and registration key > Save.
It should then say ‘pending registration’.
Configure the FirePOWER Management Appliance to Accept the SFR Registration
Provide the IP of the SFR module, a display name, and the registration key you used above. If you have set up a group you can use it, and select your Access Control Policy (don’t panic if you have not configured one yet) > Register.
It can take a while, but eventually it should register like so;
Problems
Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible,and that the network is not blocking the connection.
Had this problem for a while, (credit to Craig Paolozzi for finding the fix). Both the SFR and the FMC console needed static routes adding to them, pointing to each other (even though they could ping each other!).
Related Articles, References, Credits, or External Links
If you change your internal LAN addresses it’s easy to re-IP the firewall, but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won’t let you change it.
Solution
Change the FirePOWER Module IP Address
Log into the firewall, then open a session with the SFR module. Find the physical interface of the module’s management port (usually eth0, but check).
[box]
Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
GRAINGER-SFR login: admin
Password:{your password}
Last login: Thu Apr 7 08:11:00 UTC 2016 on pts/0
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)
> show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 00:C8:8B:C1:0E:0C
IPv4 Address : 192.168.1.100
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>
[/box]
To change the IP you need to supply the IP address, subnet mask, default gateway, and physical interface like so;
If you attempt to perform an update on the FirePOWER services module in your firewall, you may see the following error;
Error
Installation Failed: Peer registration in progress.
Please retry in a few moments
I found myself in this situation because I’d attempted to register the firewall in the FirePOWER Management Center Appliance, and the process failed, (because the versions were different). So when I attempted to update the firewalls sfr module to match, it then fails because it’s waiting to register with the management center, (Catch 22).
Solution
Essentially you need to ‘kill’ the registration, then perform the upgrade, and then attempt to add it as a managed device again. You can do this from within the ASDM. Configuration > ASA FirePOWER Configuration > Integration > Remote Management > Locate the registration and ‘Delete’.
Usually it says it’s ‘failed’; I’m assuming it’s referring to the peer registration itself, because it does get removed.
You can then attempt to do the upgrade, (which takes ages by the way!)
Note: I’ve also found you need to manually restart the sfr module when it’s complete. The upgrade takes ages on small firewalls like the 5506-X; it’s a bit quicker on the larger firewalls like the 5515-X, but I would still leave the update running overnight and then restart the module in the morning.
Related Articles, References, Credits, or External Links