Routing traffic back from the ASA: in most cases you will have a static route (or routes) tied to the inside interface of the firewall, or dynamic routing if your network is a little more complex. But your FirePOWER module is essentially a small Linux box sitting inside the firewall; it has its own network connection and maintains its own routing table, so a route the ASA knows about does not help the module.
You may have already noticed that if your FirePOWER module is down or unreachable you will see an error like this;
Cannot connect to the ASA FirePOWER module
This means you can talk to the inside interface but not to the FirePOWER module. If it’s misconfigured, see the following article;
But what if you’re on a different network segment, and the ASA can talk to you but the SFR module can’t?
Solution
Adding a Static Route to the SFR Module
To put a static route on the SFR module you have to connect to it directly. Connect the firewall and then open a session with the module.
[box]
Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)
Sourcefire3D login: admin
Password: {your-password}
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
>
[/box]
You need to find what the SFR has called its management interface; usually it’s eth0, but let’s check;
[box]
>Show interfaces
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ inside ]---------------------
Physical Interface : GigabitEthernet1/2
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
----------------------[ DMZ ]-----------------------
Physical Interface : GigabitEthernet1/3
Type : ASA
Security Zone : None
Status : Enabled
Load Balancing Mode : N/A
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MDI/MDIX : Auto
MTU : 1500
MAC Address : 00:F2:AA:66:94:3F
IPv4 Address : 10.0.0.253
----------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------
[/box]
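Picking the management interface out of the ‘show interfaces’ output above, and checking which admin hosts sit outside its subnet (those are the ones the module cannot reach without a route in its own table): an added Python example, not from the original article. The /24 prefix and the host list are assumptions, since ‘show interfaces’ prints no netmask.

```python
"""Find the SFR module's management interface in its 'show interfaces' output
and list the admin hosts that are off its subnet (reaching those needs a route
on the module itself, not only on the ASA)."""
import ipaddress
import re

# Constructed sample in the layout the page shows; 10.0.0.253 is the page's
# address, the /24 prefix used below is an assumption.
SHOW_INTERFACES = """\
--------------------[ outside ]---------------------
Physical Interface : GigabitEthernet1/1
Type : ASA
Security Zone : None
Status : Enabled
---------------------[ cplane ]---------------------
IPv4 Address : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface : eth0
Type : Management
Status : Enabled
MTU : 1500
MAC Address : 00:F2:AA:66:94:3F
IPv4 Address : 10.0.0.253
----------------------[ tun1 ]----------------------
IPv6 Address : fdcc::bd:0:ffff:a9fe:1/64
----------------------------------------------------
"""

# A section header looks like '-----[ eth0 ]-----'
SECTION_RE = re.compile(r"^-+\[\s*(?P<name>[^\]]+?)\s*\]-+$")


def parse_show_interfaces(text):
    """Return {section name: {field: value}} for each bracketed block.
    Values are split on the first ':' only, so MAC and IPv6 addresses survive."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = sections.setdefault(m["name"], {})
            continue
        if current is None or ":" not in line:
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    return sections


def management_interface(sections):
    """(name, IPv4 address) of the interface whose Type is Management,
    or None if the module has not brought one up with an address."""
    for name, fields in sections.items():
        if fields.get("Type") == "Management" and "IPv4 Address" in fields:
            return name, fields["IPv4 Address"]
    return None


def off_subnet_hosts(mgmt_ipv4, prefixlen, hosts):
    """Hosts that are not on the management interface's own subnet; the module
    can only reach these via its gateway or a static route in its own table."""
    net = ipaddress.ip_interface(f"{mgmt_ipv4}/{prefixlen}").network
    return [h for h in hosts if ipaddress.ip_address(h) not in net]


if __name__ == "__main__":
    iface = management_interface(parse_show_interfaces(SHOW_INTERFACES))
    print(iface)  # ('eth0', '10.0.0.253')
    print(off_subnet_hosts(iface[1], 24, ["10.0.0.10", "192.168.1.50"]))
```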
This takes ages! Seriously, if it’s late in the afternoon you might want to do this tomorrow morning, or leave the re-imaging running overnight. (Remember, if you set the FirePOWER module to ‘fail-closed’ you will lose internet access while it is down, so you might want to change that to ‘fail-open’ as well.)
The process is a LOT EASIER to do in the ASDM. I’m not usually an advocate of the GUI, but if you can access the FirePOWER settings that way it will do all the hard work for you (see below).
Note: This ASDM upgrade will fail if the module is being managed by the FirePOWER Management Center (FireSIGHT); you can update it from there, or remove the peer association and then update it.
Normally I only have to do this if something’s gone wrong and I can’t contact the module, or I’ve got a lot of them to do and I don’t have direct management access. This process works on the ‘baby ASAs’, i.e. the 5506-X and 5508-X, and also on the larger models, i.e. 5512-X upwards (but NOT the 5585-X, which has a hw-module, not a sw-module).
Solution
Before you start you need three things;
A Boot Image file (i.e. asasfr-5500x-boot-6.0.0-1005.img) – download from Cisco.
A Firepower Software Package (i.e. asasfr-sys-6.0.0-1005.pkg) this is a BIG file (over a Gigabyte) – download from Cisco.
[box]
Petes-ASA(config)# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr FirePOWER Services Software Module ASA5506 JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER UP 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr UP Sys Not Applicable
Petes-ASA(config)#
[/box]
Download the boot image from your web server into the ‘flash’ memory in the parent firewall.
[box]
Petes-ASA(config)# copy http flash
Address or name of remote host []? 10.3.0.84
Source filename []? asasfr-5500x-boot-6.3.0-3.img
Destination filename [asasfr-5500x-boot-6.0.0-1005.img]? {Enter}
Accessing http://10.3.0.84/asasfr-5500x-boot-6.3.0-3.img...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asasfr-5500x-boot-6.3.0-3.img...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
41848832 bytes copied in 5.20 secs (8369766 bytes/sec)
[/box]
Then set that file as the boot image for the Sourcefire module, and tell the module to perform a ‘recovery boot’;
[box]
Petes-ASA(config)# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-6.4.0-1.img
Petes-ASA(config)# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.
Recover module sfr? [confirm]{Enter}
Recover issued for module sfr.
[/box]
Now it looks like nothing is happening, but the SFR module will restart with the recovery/boot image. You can see a little of what’s going on if you enable module-boot debugging (on the ASA, as shown);
[box]
Petes-ASA(config)# debug module-boot
debug module-boot enabled at level 1
IF YOU LOOK AT THE MODULES STATUS IT WILL SAY 'RECOVER'
Petes-ASA(config)# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr FirePOWER Services Software Module ASA5506 JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Not Applicable 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Recover Not Applicable
SAMPLE DEBUG OUTPUT
Mod-sfr 657> *** EVENT: Disk Image created successfully.
Mod-sfr 658> *** TIME: 07:05:36 GMT/BST Mar 1 2016
Mod-sfr 659> ***
Mod-sfr 660> ***
Mod-sfr 661> *** EVENT: Start Parameters: Image: /mnt/disk0/vm/vm_1.img, ISO: -cdrom /mnt/disk0
Mod-sfr 662> /asasfr-5500x-boot-6.4.0-1.img, Num CPUs: 3, RAM: 2266MB, Mgmt MAC: 00:F2:8B:FB
Mod-sfr 663> :FB:C7, CP MAC: 00:00:00:02:00:01, HDD: -drive file=/dev/sda,cache=none,if=virtio,
Mod-sfr 664> De
Mod-sfr 665> ***
<—Output Removed for the Sake of Brevity—>
Mod-sfr 50> Starting Advanced Configuration and Power Interface daemon: acpid.
Mod-sfr 51> acpid: starting up with proc fs
Mod-sfr 52> acpid: opendir(/etc/acpi/events): No such file or directory
Mod-sfr 53> starting Busybox inetd: inetd... done.
Mod-sfr 54> Starting ntpd: done
Mod-sfr 55> Starting syslogd/klogd: done
[/box]
This would be a good time to go and get a coffee. It doesn’t take that long; Cisco’s documentation says 5 minutes, but I’d wait at least 10! You then need to log in to the SFR module and give it a basic config;
[box]
Petes-ASA(config)# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco FirePOWER Services Boot Image 6.4.0
asasfr login: admin
Password: Admin123
Cisco FirePOWER Services Boot 6.4.0 (1)
Type ? for list of commands
asasfr-boot>setup
Welcome to Cisco FirePOWER Services Setup
[hit Ctrl-C to abort]
Default values are inside []
Enter a hostname [asasfr]: Firepower-Module
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: 192.168.1.253
Enter the netmask [255.255.255.0]: 255.255.255.0
Enter the gateway [192.168.8.1]: 192.168.1.254
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: 192.168.1.10
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: Y
Enter the local domain name: petenetlive.com
Do you want to configure Search domains? (y/n) [n]: Y
Enter the comma separated list for search domains: petenetlive.com
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 194.35.252.7,130.88.202.49,93.93.131.118
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname:Firepower-Module
Management Interface Configuration
IPv4 Configuration:static
IP Address:192.168.1.253
Netmask:255.255.25.0
Gateway:192.168.1.254
IPv6 Configuration:Stateless autoconfiguration
DNS Configuration:
Domain:petenetlive.com
Search:petenetlive.com
DNS Server:10.3.0.2
NTP configuration: 194.35.252.7 130.88.202.49 93.93.131.118
CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Press ENTER to continue...{Enter}
[/box]
Now you can install the software package on the SFR module. Note: the URL has TWO forward slashes in it, not one (Cisco, update your documentation!).
UPDATE: (Thanks to Eli Davis) To avoid having to wait around to confirm in the following step, use the ‘noconfirm’ keyword, i.e. “system install noconfirm http://10.3.0.84/asasfr-sys-6.0.0-1005.pkg”.
WARNING: You might want to set the SSH timeout to 45 minutes before you do this, or it will keep logging you out while you are waiting!
[box]
asasfr-boot>system install noconfirm http://10.3.0.84/asasfr-sys-6.4.0-102.pkg
Verifying. ..
Downloading. ..
Extracting. ..
Package Detail
Description:Cisco ASA-SFR 6.4.0-102 System Install
Requires reboot:Yes
Do you want to continue with upgrade? [y]: Y
Warning: Please do not interrupt the process or turn off the system.
Doing so might leave system in unusable state.
<——Output Removed for the Sake of Brevity——>
Mod-sfr 61> login: [ 2498.828291] sd 0:0:0:0: [sda] 6291456 512-byte hardware sectors: (3.22 G
Mod-sfr 62> B/3.00 GiB)
Mod-sfr 63> [ 2498.832675] sd 0:0:0:0: [sda] Write Protect is off
Mod-sfr 64> [ 2498.835298] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't
Mod-sfr 65> support DPO or FUA
Mod-sfr 808> ************ Attention *********
Mod-sfr 809> Initializing the configuration database. Depending on available
Mod-sfr 810> system resources (CPU, memory, and disk), this may take 30 minutes
Mod-sfr 811> or more to complete.
Mod-sfr 812> ************ Attention *********
Mod-sfr 813> Executing S10database
Console session with module sfr terminated.
[/box]
It may take 30 minutes! I waited 45, then drove 8 miles home, reconnected, and it was still going (it’s a lot faster on the larger firewalls). Just keep an eye on the status; it will change from Recover to Up when it’s complete.
[box]
Petes-ASA(config)#show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr Unknown N/A JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Recover Not Applicable
WAIT AGES UNTIL...
Petes-ASA# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr FirePOWER Services Software Module ASA5506 JAD200XXXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 00f2.8bfb.fbc8 to 00f2.8bfb.fbd1 1.1 1.1.8 9.5(2)2
sfr 00f2.8bfb.fbc7 to 00f2.8bfb.fbc7 N/A N/A 6.0.0-1005
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 6.4.0-102
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
[/box]
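To watch that Recover to Up transition without eyeballing the tables every few minutes, here is an added Python example (not from the original article) that parses the status table of ‘show module’ and polls until the SFR module reports Up on both status and data plane. The sample snapshots are constructed from the rows shown above; fetch() stands in for however you pull the command output from the firewall.

```python
"""Track the sfr module through a recovery by parsing the last table of the ASA
'show module' output ('Mod  Status  Data Plane Status  Compatibility')."""
import re
import time

# Constructed samples built from the rows the page shows before and after the
# recovery (whitespace collapsed, exactly as in the page's copy).
SHOW_MODULE_RECOVER = """\
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with SW, 8GE Data, 1GE Mgmt, AC ASA5506 JAD200XXXXX
sfr Unknown N/A JAD200XXXXX
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Recover Not Applicable
"""

SHOW_MODULE_UP = """\
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
"""

# One table row: module id (slot number or short name such as 'sfr'), a status
# word, a data-plane status (which may be the two-word 'Not Applicable'), then
# an optional Compatibility column. Anything else (prompts, notes) ends the table.
ROW_RE = re.compile(
    r"^\s*(?P<mod>\d+|[a-z]{2,5})\s+(?P<status>\S+)\s+"
    r"(?P<dp>Not Applicable|\S+)(?:\s+(?P<compat>.+?))?\s*$")


def parse_status_table(text):
    """Return {module: (status, data_plane, compat)} from the status table.
    Works on the fixed-width original and on whitespace-collapsed copies."""
    lines = text.splitlines()
    rows = {}
    for i, line in enumerate(lines):
        if not (line.lstrip().startswith("Mod") and "Data Plane Status" in line):
            continue
        for row in lines[i + 2:]:            # i + 1 is the dashed ruler
            m = ROW_RE.match(row)
            if not m:
                break                         # end of the table
            rows[m["mod"]] = (m["status"], m["dp"], m["compat"] or "")
    return rows


def sfr_state(text):
    """'up' once status and data plane are both Up; otherwise the status word
    the ASA shows, lower-cased ('recover', 'init', 'reload', ...), or 'missing'."""
    row = parse_status_table(text).get("sfr")
    if row is None:
        return "missing"
    status, data_plane, _ = row
    if status.lower() == "up" and data_plane.lower() == "up":
        return "up"
    return status.lower()


def wait_for_sfr(fetch, attempts=60, delay=30):
    """Poll fetch() (any callable returning 'show module' text) until the module
    is up. Returns (polls used, final state); a final state other than 'up'
    means the attempts ran out."""
    state = "missing"
    for n in range(1, attempts + 1):
        state = sfr_state(fetch())
        if state == "up":
            return n, state
        if n < attempts:
            time.sleep(delay)
    return attempts, state


if __name__ == "__main__":
    # Simulated polling: two snapshots still recovering, then the module is up.
    snapshots = iter([SHOW_MODULE_RECOVER, SHOW_MODULE_RECOVER, SHOW_MODULE_UP])
    print(wait_for_sfr(lambda: next(snapshots), attempts=5, delay=0))  # (3, 'up')
```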
Now you need to connect to the SFR and configure it, (yes again).
[box]
Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v6.0.0 (build 1005)
firepower login: admin
Password: Admin123
Last login: Tue Mar 1 10:08:16 UTC 2016 on pts/0
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Fire Linux OS v6.4.0 (build 102)
Cisco ASA5506 v6.0.0 (build 1005)
Last login: Tue Mar 1 10:01:01 UTC 2016 on cron
Last login: Tue Mar 1 10:08:16 UTC 2016 on pts/0
You must accept the EULA to continue.
Press <ENTER> to display the EULA: {Enter}
END USER LICENSE AGREEMENT
IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY
IMPORTANT THAT YOU CHECK THAT YOU ARE PURCHASING CISCO SOFTWARE OR EQUIPMENT
FROM AN APPROVED SOURCE AND THAT YOU, OR THE ENTITY YOU REPRESENT
(COLLECTIVELY, THE "CUSTOMER") HAVE BEEN REGISTERED AS THE END USER FOR THE
--Output Removed for the Sake of Brevity - Press Space Bar (A LOT!)--
Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: {Enter}
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.123
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.1.254
Enter a fully qualified hostname for this system [firepower]: Firepower-Module
Enter a comma-separated list of DNS servers or 'none' []: 192.168.1.10
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Creating default Identity Policy.
Creating default SSL Policy.
Update policy deployment information
- add device configuration
- add network discovery
- add system policy
- add access control policy
- applying access control policy
You can register the sensor to a Firepower Management Center and use the
Firepower Management Center to manage it. Note that registering the sensor
to a Firepower Management Center disables on-sensor Firepower Services
management capabilities.
When registering the sensor to a Firepower Management Center, a unique
alphanumeric registration key is always required. In most cases, to register
a sensor to a Firepower Management Center, you must provide the hostname or
the IP address along with the registration key.
'configure manager add [hostname | ip address ] [registration key ]'
However, if the sensor and the Firepower Management Center are separated by a
NAT device, you must enter a unique NAT ID, along with the unique registration
key.
'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'
Later, using the web interface on the Firepower Management Center, you must
use the same registration key and, if necessary, the same NAT ID when you add
this sensor to the Firepower Management Center.
> exit
Remote card closed command session. Press any key to continue.
Command session with module sfr terminated.
Petes-ASA#
[/box]
Back at the firewall prompt make sure you can ping it, (you did put a cable in the management interface didn’t you?)
[box]
Petes-ASA# ping 192.168.1.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Petes-ASA# wr mem
Building configuration...
Cryptochecksum: 6bcde85c dc7a074d 8e22978c 0620c211
7149 bytes copied in 0.350 secs
[OK]
Petes-ASA#
[/box]
If you attempt to perform an update on the FirePOWER services module in your firewall, you may see the following error;
Error
Installation Failed: Peer registration in progress.
Please retry in a few moments
I found myself in this situation because I’d attempted to register the firewall in the FirePOWER Management Center appliance, and the process failed (because the versions were different). So when I attempted to update the firewall’s SFR module to match, that failed too, because it was waiting to register with the management center (Catch 22).
Solution
Essentially you need to ‘kill’ the registration, then perform the upgrade, and then attempt to add it as a managed device again. You can do this from within the ASDM: Configuration > ASA FirePOWER Configuration > Integration > Remote Management > locate the registration and ‘Delete’.
Usually it says it’s ‘failed’; I’m assuming it’s referring to the peer registration itself, because it does get removed.
You can then attempt to do the upgrade (which takes ages, by the way!)
Note: I’ve also found you need to manually restart the SFR module when it’s complete. The upgrade takes ages on small firewalls like the 5506-X; it’s a bit quicker on the larger firewalls like the 5515-X, but I would still leave the update running overnight and then restart the module in the morning.
Related Articles, References, Credits, or External Links
Both the 5506-X (rugged version and wireless) and the 5508-X now come with a FirePOWER services module inside them. This can be managed either from the ASDM* (with the OS and ASDM upgraded to the latest version) or via the FireSIGHT management software/appliance.
*UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed from the ASDM.
Solution
1. The first thing to do is cable the management interface and the interface you are going to use as the ‘inside’ (LAN) into the same network (VLAN).
2. The next step might seem strange if you are used to working with Cisco firewalls, but you need to make sure there is no IP address configured on the management interface. Try to think of it as just the hole that the FirePOWER services module (which will get its own IP) speaks out through.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# interface Management1/1
Petes-ASA(config-if)# no nameif
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
Petes-ASA(config-if)# no security-level
Petes-ASA(config-if)# no ip address
[/box]
3. So it should look like this;
[box]
Petes-ASA(config-if)# show run
: Saved
ASA Version 9.3(2)2
!
----Output removed for the sake of brevity----
!
interface Management1/1
management-only
no nameif
no security-level
!
----Output removed for the sake of brevity----
[/box]
4. Let’s make sure the FirePOWER service module is ‘up’ and healthy.
[box]
Petes-ASA(config)# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506 JAD19090XXX
sfr FirePOWER Services Software Module ASA5506 JAD19090XXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 a46c.2a99.eec5 to a46c.2a99.eece 1.0 1.1.1 9.3(2)2
sfr a46c.2a99.eec4 to a46c.2a99.eec4 N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
[/box]
5. The SFR module is actually a Linux box that’s running within the firewall, to connect to it you issue a ‘session sfr’ command.
Default Username: admin
Default Password: Sourcefire (capital S)
Default Password (after version 6.0.0): Admin123 (capital A)
As this is the first time you have entered the SFR, you need to page down (press space) through the sizable EULA, then accept it.
[box]
Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)
Sourcefire3D login: admin
Password: Sourcefire
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
END USER LICENSE AGREEMENT
IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY
----Output removed for the sake of brevity----
Product warranty terms and other information applicable to Cisco products are
available at the following URL: http://www.cisco.com/go/warranty.
----Output removed for the sake of brevity----
Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES
[/box]
6. Set a new password.
[box]
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
[/box]
7. Set up all the IP and DNS settings, then exit from the module session.
[box]
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.100.22
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: SFire
Enter a comma-separated list of DNS servers or 'none' []: 192.168.100.10,192.168.100.11
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com,pnl.net
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Applying 'Default Allow All Traffic' access control policy.
You can register the sensor to a Defense Center and use the Defense Center
----Output removed for the sake of brevity----
sensor to the Defense Center.
> exit
Remote card closed command session. Press any key to continue.
[/box]
8. Now you need to ‘send’ traffic through the module. In this case I’m going to send all IP traffic through, and I’m also going to set it to ‘fail open’; if you set it to ‘fail closed’ then traffic will cease to flow through the firewall if the FirePOWER services module goes off-line. I’m making the assumption you have a default policy-map applied.
[box]
Petes-ASA(config)# access-list SFR extended permit ip any any
Petes-ASA(config)# class-map SFR
Petes-ASA(config-cmap)# match access-list SFR
Petes-ASA(config-cmap)# exit
[/box]
9. Add that new class-map to the default policy-map.
WARNING: If you are going to set ‘fail-close’ then make sure your SFR module is operating normally, or you will cause downtime; best to do this in a maintenance window!
[box]
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 72c138e3 1fa6ec32 31c35497 621cff02
35819 bytes copied in 0.210 secs
[OK]
[/box]
11. At this point the firewall should be able to ping the management IP of the SFR module.
[box]
Petes-ASA# ping 192.168.100.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Petes-ASA#
[/box]
12. Now when you connect to the ASDM you can manage the FirePOWER services module.
Note: I have seen some firewalls that flatly refuse to connect to the Firepower Services Module, and give an error ‘unable to connect on port 443’ every time you launch ASDM. I just re-image the module and load in a fresh install (40 mins to an hour), and start again.
Code to Copy & Paste
If you are lazy like me!
[box]
access-list ACL-FirePOWER extended permit ip any any
class-map CM-SFR
match access-list ACL-FirePOWER
exit
policy-map global_policy
class CM-SFR
sfr fail-open
exit
exit
write mem
[/box]
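An added Python example (not the article’s own code) that audits the SFR redirection in a running-config: which class sends traffic to the module, what its ACL matches, whether the policy-map is actually applied, and whether it is fail-open or fail-close, with the trade-off each setting carries when the module is down. The running-config fragment is constructed using the object names from the paste above; it assumes the form ‘show run’ prints (sub-commands indented one space per level), not the paste form.

```python
"""Audit the SFR redirection in an ASA running-config: which class sends
traffic to the module, what that class matches, whether the policy-map is
applied, and whether it fails open or closed when the module is down."""
import re

# Constructed running-config fragment (assumption: 'show run' layout, with
# sub-commands indented by one space per nesting level, '!' as separators).
RUNNING_CONFIG = """\
access-list ACL-FirePOWER extended permit ip any any
!
class-map inspection_default
 match default-inspection-traffic
class-map CM-SFR
 match access-list ACL-FirePOWER
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect http
 class CM-SFR
  sfr fail-open
!
service-policy global_policy global
"""


def parse_blocks(config):
    """Group the config into (top-level command, [indented child lines]).
    Children keep their leading spaces so nesting depth is still visible."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw)
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_sfr(config):
    """Return a findings dict describing the SFR redirection and its risks."""
    acls, class_maps, policies, applied = {}, {}, {}, []
    for head, children in parse_blocks(config):
        if (m := re.match(r"access-list (\S+) (.+)", head)):
            acls.setdefault(m[1], []).append(m[2])
        elif (m := re.match(r"class-map (\S+)$", head)):          # plain L3/L4 class-maps only
            class_maps[m[1]] = [c.strip() for c in children]
        elif (m := re.match(r"policy-map (\S+)$", head)):
            classes, current = {}, None
            for c in children:
                if c.startswith(" class ") and not c.startswith("  "):
                    current = c.split()[1]
                    classes[current] = []
                elif current is not None:
                    classes[current].append(c.strip())
            policies[m[1]] = classes
        elif (m := re.match(r"service-policy (\S+) (global|interface \S+)", head)):
            applied.append((m[1], m[2]))

    f = {"redirect_class": None, "acl": None, "acl_rules": [], "fail_mode": None,
         "monitor_only": False, "applied": [], "warnings": []}
    for pname, classes in policies.items():
        for cname, actions in classes.items():
            for action in actions:
                m = re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", action)
                if not m:
                    continue
                f.update(redirect_class=cname, fail_mode=m[1], monitor_only=bool(m[2]),
                         applied=[where for p, where in applied if p == pname])
                for match in class_maps.get(cname, []):
                    am = re.match(r"match access-list (\S+)", match)
                    if am:
                        f["acl"], f["acl_rules"] = am[1], acls.get(am[1], [])

    # The operational trade-off the article describes, surfaced as findings.
    if f["fail_mode"] is None:
        f["warnings"].append("no 'sfr' action: nothing is redirected to the module")
    elif f["fail_mode"] == "fail-close":
        f["warnings"].append("fail-close: traffic stops if the SFR module goes down")
    else:
        f["warnings"].append("fail-open: traffic passes uninspected while the module is down")
    if f["fail_mode"] and not f["applied"]:
        f["warnings"].append("the policy-map with the sfr action is not applied (service-policy)")
    if f["monitor_only"]:
        f["warnings"].append("monitor-only: the module sees a copy of the traffic and cannot block")
    return f


if __name__ == "__main__":
    for key, value in audit_sfr(RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```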
Note: If you get an ‘unable to connect’ error, see the following article;
13. I suggest you update everything first. The ASA will configure an access control policy set to allow and inspect all traffic by default, which we will edit; set everything to update on a schedule (rule updates and geolocation info).
Cisco FirePOWER Services Adding Licences (ASDM)
In the box with the firewall you will have an envelope; you don’t need to open it (as below) because the PAK number you need is printed on the outside anyway. This is the firewall’s CONTROL LICENCE; it allows the module to be managed. We will install it via the ASDM; if you have a SourceFIRE appliance to manage the firewall you would install it there. You need two bits of information: the PAK and the LICENCE KEY of the FirePOWER module (see below).
The Licence Key is the MAC address of the module (not the ASA). You can find it at Configuration > ASA FirePOWER Configuration > Licence; this is also where you will add all the licences. Go to www.cisco.com/go/licence and register the licence (and any additional licences, i.e. AMP, web filtering, etc.).
The licence(s) will be emailed to you; open them in a text editor and copy the text of each licence. I’ve indicated below what you should be copying.
Paste that into the ASDM > Submit Licence.
It should say success; if it fails, you’ve pasted too much text or there’s a problem with the licence.
Review your licences. Here I’ve added AMP and web filtering but I’ve yet to add the control licence. If you don’t add the control licence then when you try to edit the access control policy it will say you need a PROTECTION LICENCE (confusingly!).
FirePOWER Services Setup IPS
Disclaimer: These settings (and all others below) are to get you up and running. As with any security device, you need to tune settings accordingly. Please don’t follow these instructions, then email me with complaints that you’ve been attacked by ISIS/scammers/bots etc.
You get an IPS/IDS licence with any of the subscription-based licences; it’s less hassle to set this up before the access control policy. Configuration > ASA FirePOWER Configuration > Policies > Intrusion Policy > Create Policy > give it a name > I tend to use ‘Balanced Security and Connectivity’; look at the other options and choose whichever you prefer > Create and Edit Policy.
Give the policy a name > Commit changes (I accept all the defaults).
FirePOWER Services Enable Malware Inspection and Protection
Note: Obviously this needs you to have added an AMP Licence!
Configuration > ASA FirePOWER Configuration > Policies > Intrusion Policy > Files > New File Policy > Give it a name > Store FirePOWER Changes.
Add new file rule > I add everything > set it to ‘Block Malware’ > Store FirePOWER Changes.
“Store ASA FirePOWER Changes”.
Warning: Nothing will be inspected, until you add this file policy to an access control policy.
ASA FirePOWER Services Edit / Create Access Control Policy
I renamed the default policy. Note: even though I’ve called it ‘Base-Access-Control-Policy’, you can only apply one policy; you just add different rules to the policy as required. Add Rule.
In Source Networks > Add in ‘Private Networks’ (See Warning Below).
Inspection Tab > Add in the IPS and file policy you created above (That’s why I’ve done it in this order).
I set it to log at the end of the connection > Add.
“Store ASA FirePOWER Changes”.
FirePOWER Private Networks Warning
Private networks only cover RFC1918 addresses; if your LAN/DMZ etc. subnets are different you should create a new Network object, then add the subnets for your network. If you do this, substitute your network object every time I mention the Private Networks object.
Blocking a Particular URL with FirePOWER Services
Even if you don’t have a Web Filtering licence you can block particular URLs; here I’m going to block access to Facebook. Configuration > ASA FirePOWER Configuration > Object Management > URL > Individual Objects > Add URL > note I’m adding both http and https.
Then add a rule to your existing access control policy ABOVE the permit all rule (they are processed like ACLs, from the top down). Set the source network to your private subnets.
On the URLs tab add in your URL objects and set the action to block with reset, or Interactive block with reset if you want to let the users proceed to Facebook after a warning.
Note: If you have a Web filtering Licence you can select ‘Social Networking’ from the Categories tab, and that would also block Facebook, and Twitter etc.
ASA FirePOWER Services Commit and Deploy The Changes
FirePOWER services behaves the same on-box as it does when you use the SourceFIRE appliance: you can make changes, but nothing gets deployed until you commit the changes. If you have made a change then the ‘Store ASA FirePOWER Changes’ button will be active. Then you need to select File > Deploy FirePOWER Changes.
Note: You will only see the Deploy option on SFR modules running 6.0.0 or newer.
Deploy.
Even now it’s not deployed; it takes a while. To see progress navigate to Monitoring > ASA FirePOWER Monitoring > Task Status > it will probably have a ‘running’ task.
Wait until the policy deployment says completed before testing.
Related Articles, References, Credits, or External Links
I’ve only just recently started to work with these. The advantage of them is they are great for SOHO and SMB, and they don’t need additional SSD drives installing.
Note: This procedure also works on the larger ASA5500-X firewalls that have Firepower installed on an internal SSD drive (i.e. 5512, 5515, 5525, 5545, etc.).
While getting them to work with a Sourcefire appliance, I had to ‘bounce’ the module a few times.
Note: the following procedure will not affect traffic flowing through the firewall unless you have your SFR module set to ‘fail-closed’.
Solution
1. First things first, check the status of the module.
[box]
Petes-ASA> enable
Password: *******
Petes-ASA# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506 JAD1912XXXX
sfr FirePOWER Services Software Module ASA5506 JAD1912XXXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 a46c.2a99.dfbe to a46c.2a99.eeee 1.0 1.1.1 9.3(2)2
sfr a46c.2a99.dfbd to a46c.2a99.ffff N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
[/box]
2. To reload the module issue the following command;
3. It usually only takes a couple of minutes but you can use the show module command to keep an eye on it.
[box]
Petes-ASA# show module
-----Output removed for the sake of brevity----
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Reload Not Applicable
-----Output removed for the sake of brevity----
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Init Not Applicable
-----Output removed for the sake of brevity----
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
[/box]
Related Articles, References, Credits, or External Links