Cisco FirePOWER User Agent – Use With the FirePOWER Management Console

KB ID 0001179 

Problem

FirePOWER Management Center, will give you a wealth of information on traffic/threats etc. Usually it will tell you what IP the offenders are on, but if you want to know what a USER is doing, then that means you have to look though logs see who had what IP, at what time etc.

So you can install the FirePOWER User Agent on a machine, (this can be a client machine, though I usually put it on a member server). You then tell the the user agent to monitor your active directory server(s) and it keeps a record of which user is where, which it reports back to the FMC for its dashboards and logs.

Note: This is for Version 6.0.0

 You will need to create a user in your domain to query AD with, (just a member of domain users is fine). I typically use svc_firepower as the username.

Solution

Your first challenge is to find the software, you would think it would be with the firewalls or the appliance but no!

In the FMC > System > Integration  >Identity Sources > User Agent  > New Agent > Supply the IP of the server that you are going to install the agent on > OK  > Save.

On the DOMAIN CONTROLLER(S) that you will point the agent at, make sure WMI is open on the firewall

On the DOMAIN CONTROLLER(S) that you will point the agent at, run wmimgmt.msc > WMI Control Local > Properties > Security > Root > cimv2 > Security.

Grant your firepower user Remote Enable > Apply > OK.

On the DOMAIN CONTROLLER(S) that you will point the agent at, run comexp.msc > Console root > Computers > My Computer > Properties > COM Security > ‘Launch and Activation Permissions’ Section > Edit Limits.

Grant your FirePOWER account the Remote Launch and Remote Activation permissions > Apply > OK.

On the Default Domain Controllers Group Policy  > Computer configuration >Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage Auditing and security log  >Add in your FirePOWER user.

Note: Allow time for the policy to apply, (or run ‘gpupdate /force‘, or simply force the policy from the GPMC.msc console, (if your domain is 2012)).

On the server/machine that you want to install the agent on, run setup.exe (1), if you run setup.msi (2) then only the agent is installed and it will error if you try and launch it.

Open the agent and add in your domain controllers.

Note: Sometimes, you may have the following problem;

FirePOWER Agent – Real-Time Status ‘Unavailable’

Then add in the FMC Management details, go and have a coffee, and check everything has gone green.

Note: If managing FirePOWER ‘on-board’, (i.e. though the ASDM.) Enter the IP address of the SFR module instead!)

Finally ensure in the FirePOWER Management Center > Policies > Network Discovery > Users  > Ensure all the methods are selected.

Then on the ‘Networks’ tab > Ensure that your rule has ‘Users’ selected.

Related Articles, References, Credits, or External Links

Original article written  27/04/16

Deploy Cisco FirePOWER Management Center (Appliance)

KB ID 0001263

Problem

You have been able to manage your firewalls Internal SFR module for  while using the ASDM

Setup FirePOWER Services (for ASDM)

For most people that’s fine, but if you have a lot of FirePOWER devices to manage that does not scale well. In those cases you should use theFMC  (FirePOWER Management Center). Here ‘Im going to use the Vmware virtual appliance, (at time of writing there is no Hyper-V version).

This lets you create policies centrally and then deploy them to your devices in bulk.

Solution

Deploy the FirePOWER Management Center Appliance

Obviously before you start you need to have VMware (ESX or vCenter). With 250GB of storage free, (you can deploy it thin provisioned). You will also need to allocate 8GB of RAM and 4 virtual CPUs. Whichever network (or VMware port Group) you connect the appliance to it needs to have IP connectivity to the devices you intend to manage.

Download the FMC Appliance: Be aware it downloads in tar.gz format so on a Windows machine you will need something like 7Zip to uncompress the files. You WONT find the file under the firewalls, they are listed under;

Downloads > Produces > Security > Firewalls > Firewall Management > Firepower Management Center Virtual Appliance

Make Sure: You download the same version that is installed on the modules you want to manage! (‘show module’ on the ASA will yell you).

Get the files extracted and on a machine that you can access your VMware infrastructure from;

The appliance comes in OVF format if you are unsure how to import an OVF file see the following article;

VMware vSphere – How to Import and Export OVF and OVA Files

You will need to accept the EULA, then set the admin password, and some basic IP settings.

I’ve got IPv6 disabled, if you want to address the appliance with IPv6 enter the details here.

Even after the appliance has been imported and powered on it can take 20-30 minutes before you can log on. At this point I would go and do something else. If you really must, then open a ‘console’ session and wait until the logon prompt is shown. You can then logon to the web portal.

Go to System > Updates > Download and install any updates > Visit both the ‘Rule Updates’ and the ‘Geolocation Updates’ tabs and set a time to download them.

Don’t Install the licences Just Yet! Add your devices to the FMC first, then if there’s a problem and you need to rebuild/redeploy, you don’t have to go cap in hand to Cisco licensing to get the licences re-armed. To add the SFR devices see the following article;

Cisco Add FirePOWER Module to FirePOWER Management Center

Network Discovery: Older version of the FMC used to only look for RFC 1918  IP ranges, This was changed at some point to 0.0.0.0/0 so you couldn’t misconfigure the system by having a private address space internally for example. This was a good idea but Ive seen some firewalls fall over trying to run discovery on every IP address they see!  So lets manually add in our subnets. Objects > Object Management > Add Network > Add Object > Add one for you internal network(s).

Policies > Network Discovery > Remove the 0.0.0.0 Rule.

Create a new discovery rule using just your subnet(s).

 

Adding Licences To FirePOWER Management Center

You used to have to licence the appliance itself, after version 6 you don’t need to do that, if you have a licence and you try and apply it nothing happens and you just see this message;

Note: FireSIGHT is the old name for FirePOWER Management Center.

What Licences do I need to Add? Your Next Generation Firewalls now come with a ‘CONTROL LICENSE‘ in the box, it is in a large white card envelope, you don’t need to open it the number you need is on the front of the envelope. You add a control licence for every device you want to manage (they do not expire).

System > Licences > Classic Licenses > You need to take a note of the ‘Licence Key’, (which is the MAC address of the appliance with a 66 in front of it). This is the serial number you need to enter on the Cisco licensing portal.

When you get the licence back, if you open it in a text editor, it will look like this (its essentially a digital certificate). Copy everything from ‘— BEGIN‘ to ‘License —‘ 

Paste in the text > Submit License.

Repeat for each licence (IDS, AMP, URL Filtering ,etc)

You will also need to allocate the licenses to devices. Devices > Device Management Select the Device in question > Edit.

Device > License Section >Edit > Allocate accordingly.

Configuring FirePOWER Intrusion Policy

To use an intrusion policy the devices each need a ‘Protection‘ licence. Note: You get a protection licence now automatically when you add a CONTROL licence, but you still need to pay a subscription to legally obtain the updates.

Policies > Access control > Intrusion > Create Policy.

Give the policy a recognisable name > Create and Edit policy.

The policy it creates is based on the ‘Balances Security and Connectivity’ Template. You might want to add a few extra rules > Rules > Blacklist > Select All.

Rule State > Drop and Generate Events.

Repeat for ‘Malware’. Note: This does NOT require and AMP licence@

Repeat for  PUA (Probably Unwanted Applications).

Repeat for ‘Indicator Compromise‘.

Repeat for ‘Exploit Kit‘.

Search for ‘1201’ and locate the ‘INDICATOR-COMPROMISE 403 Forbidden’ rule and DISABLE IT.

Policy Information > Commit Changes > OK.

Note: To be used, the Intrusion policy needs to be declared in an Access control policy (or set as a Default Action).

Also in the Access Policy set the logging to ‘Log at the end of connection‘.

As mentioned above you can also set it as the ‘Default Action‘.

Configuring FirePOWER AMP and File Policy

You need an AMP, (subscription based licence) to enable the ‘Malware Cloud Lookup, or Block Malware‘ Actions, but you can have a file policy and block specific file types.

Polices > Access Control > Malware and File > New File Policy.

Give the policy a name you will remember > Save.

Action = Malware Cloud lookup > Add in the files you want to scan > Below I’ve set it to store unknown files > Save.

Then create another rule below that that detects all files.

As above the file policy wont be applied to anything unless you specify it in an access policy.

In the rule also set the logging to ‘log at the end of connection’.

 

Configuring FirePOWER URL Filtering Policy

You need to have a URL filtering licence allocated to the devices you want to use this policy on.

Unlike File policies and Intrusion policies, URL filtering is configured directly on your Access Control policy > Add Rule.

Here’s an example of blocking some categories you don’t want viable in tour organisation.

In a rule that only has URL filtering set the login to ‘Log at the beginning of the conneciton‘.

 

When done, don’t forget to ‘Deploy‘ the new policy to your managed devices. Deploy > Select Devices > Deploy.

hen Related Articles, References, Credits, or External Links

NA

Cisco FirePOWER – Update Fails ‘Peer Registration Failed: Registration in Progress’

KB ID 0001162 

Problem

If you attempt to perform an update on the FirePOWER services module in your firewall, you may see the following error;

Error
Installation Failed: Peer registration in progress. 
Please retry in a few moments

I found myself in this situation because I’d attempted to register the firewall in the FirePOWER Management Center Appliance, and the process failed, (because the versions were different). So when I attempted to update the firewalls sfr module to match, it then fails because it’s waiting to register with the management center, (Catch 22).

Solution

Essentially you need to ‘kill’ the registration then, perform the upgrade and then attempt to add it as a managed device again. You can do this from within the ADSM. Configuration > ASA FirePOWER Configuration > Integration  > Remote Management > Locate the registration and ‘Delete’.

Usually it says its ‘failed’, I’m assuming it’s referring to the peer registration itself, because it does get removed.

You can then attempt to do the upgrade, (which takes ages by the way!)

Note: I’ve also found you need to manually restart the sfr module when its complete. The upgrade takes ages on small firewalls like the 5506-X its a bit quicker on the larger firewalls like the 5515-X, but I would still leave the update running overnight and then restart the module in the morning.

Related Articles, References, Credits, or External Links

NA