If there’s one thing thats grown on me it’s PowerShell, After the last few versions of Exchange you can’t really escape it. So now we have so many clients with their Exchange in Office 365. The ability to connect to that, and use all your usual Exchange commandlets is a bonus!
WARNING: This process may end up with you getting an “Access is denied” error, if you are using modern authenticiction, or MFA. If so use this articleinstead.
Solution
If you haven’t already done so, you need to ‘slacken‘ your signing policy, (a little) before proceeding;
[box]Set-ExecutionPolicy RemoteSigned[/box]
Now to access Exchange online you need to be able to authenticate to it, the best way to do that is to ‘cache’ your logon credentials. (Unless you have ADFS Federation then you can skip this step). To enter your O365 creds execute the following command;
Both the 5506-X (rugged version and wireless), and 5508-X now come with a FirePOWER services module inside them. This can be managed from either ASDM* (with OS and ASDM upgraded to the latest version), and via the FireSIGHT management software/appliance.
Related Articles, References, Credits, or External Links
*UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed from the ASDM.
Solution
1. The first thing to do is cable the management interface and the interface you are going to use as the ‘inside’ (LAN) into the same network (VLAN).
2. The next step might seem strange if you are used to working with Cisco firewalls, but you need to make sure there is no IP address configured on the management interface. Try to think of it as just the hole that the FirePOWER services module (which will get its own IP) speaks out though.
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# interface Management1/1
Petes-ASA(config-if)# no nameif
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
Petes-ASA(config-if)# no security-level
Petes-ASA(config-if)# no ip address
[/box]
3. So it should look like this;
[box]
Petes-ASA(config-if)# show run
: Saved
ASA Version 9.3(2)2
!
----Output removed for the sake of brevity----
!
interface Management1/1
management-only
no nameif
no security-level
!
----Output removed for the sake of brevity----
[/box]
4. Lets make sure the FirePOWER service module is ‘up’ and healthy.
[box]
Petes-ASA(config)# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506 JAD19090XXX
sfr FirePOWER Services Software Module ASA5506 JAD19090XXX
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 a46c.2a99.eec5 to a46c.2a99.eece 1.0 1.1.1 9.3(2)2
sfr a46c.2a99.eec4 to a46c.2a99.eec4 N/A N/A 5.4.1-211
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER Up 5.4.1-211
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
1 Up Sys Not Applicable
sfr Up Up
[/box]
5. The SFR module is actually a Linux box that’s running within the firewall, to connect to it you issue a ‘session sfr’ command.
Default Username: admin
Default Password: Sourcefire (capital S)
Default Password (after version 6.0.0): Admin123 (capital A)
As this is the first time you have entered the SFR you need to page down (press space) though the sizable EULA, then accept it.
[box]
Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)
Sourcefire3D login: admin
Password: Sourcefire
Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.
Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
END USER LICENSE AGREEMENTIMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY
----Output removed for the sake of brevity----
Product warranty terms and other information applicable to Cisco products are
available at the following URL: http://www.cisco.com/go/warranty.
----Output removed for the sake of brevity----
Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES
[/box]
6. Set a new password.
[box]
System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: Password123
Confirm new password: Password123
[/box]
7. Set up all the IP and DNS settings, then exit from the module session.
[box]
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.100.22
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: SFire
Enter a comma-separated list of DNS servers or 'none' []: 192.168.100.10,192.168.100.11
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com,pnl.net
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Applying 'Default Allow All Traffic' access control policy.
You can register the sensor to a Defense Center and use the Defense Center
----Output removed for the sake of brevity----
sensor to the Defense Center.
> exit
Remote card closed command session. Press any key to continue.
[/box]
8. Now you need to ‘send’ traffic though the module, in this case I’m going to send all IP traffic though, I’m also going to set it to ‘fail open’, If you set it to fail closed then traffic will cease to flow though the firewall if the FirePOWER services module goes off-line. I’m making the assumption you have a default policy-map applied.
[box]
Petes-ASA(config)# access-list SFR extended permit ip any any
Petes-ASA(config)# class-map SFR
Petes-ASA(config-cmap)# match access-list SFR
Petes-ASA(config-cmap)# exit
[/box]
9. Add that new class-map to the default policy-map.
WARNING: If you are going to set ‘fail-close‘ then make sure your SFR module is operating normally, or you will cause downtime, best to do this in a maintenance window!)
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 72c138e3 1fa6ec32 31c35497 621cff02
35819 bytes copied in 0.210 secs
[OK]
[/box]
11. At this point the firewall should be able to ping the management IP of the SFR module.
[box]
Petes-ASA# ping 192.168.100.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.22, timeout is 2 seconds:
!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Petes-ASA#
[/box]
12. Now when you connect to the ASDM you can manage the FirePOWER services module.Note: I have seen some firewalls that flatly refuse to connect to the Firepower Services Module, and give an error ‘unable to connect on port 443’ every time you launch ASDM. I just re-image the module and load in a fresh install (40 mins to an hour), and start again.
Code to Copy & Paste
If you are lazy like me!
[box]
access-list ACL-FirePOWER extended permit ip any any
class-map CM-SFR
match access-list ACL-FirePOWER
exit
policy-map global_policy
class CM-SFR
sfr fail-open
exit
exit
write mem
[/box]
Note If you get an unable to connect error see the following article;
13. I suggest you update everything first, the ASA will configure an access control policy set to allow and inspect all traffic by default, which we will edit, set everything to update on a schedule, (rule updates and geolocation info).
Cisco FirePOWER Services Adding Licences (ASDM)
In the box with the firewall, you will have an envelope, you don’t need to open it (as below) because the PAK number you need is printed on the outside anyway. This is the firewalls CONTROL LICENCE, it allows it to be managed, we will install it into the ASDM, if you have a SourceFIRE appliance to manage the firewall you would install it there. You need two bits of information the PAK and the LICENCE KEY of the FirePOWER module, (See Below).
The Licence Key is the MAC address of the Module, (Not the ASA). You can find it at Configuration > ASA FirePOWER Configuration > Licence. This is also where you will add all the licences. Go to www.cisco.com/go/licence and register the licence (and any additional licences i.e. AMP, Web filtering, etc.)
The Licence(s) will be emailed to you open them in a text editor and copy the text of each licence. You can see I’ve indicated below what you should be copying.
Paste that into the ASDM > Submit Licence.
It should say success, if it fails you’ve pasted to much text, or there’s a problem with the licence.
Review you licences, here Ive added AMP and web filtering but Ive yet to add the control licence. If you don’t add the control licence then when you try and edit the access control policy it will say you need a PROTECTION LICENCE (confusingly!)
FirePOWER Services Setup IPS
Disclaimer: These settings, (and allotters below,) are to get you up and running, As with any security device, you need to tune settings accordingly. Please don’t follow these instructions, then email me with complaints that you been attacked by ISIS/Scammers/Bots etc.
You get an IPS/IDS Licence with any of the subscription based licences, its less hassle to set this up before the the access control policy. Configuration > ASA FirePOWER Configuration > Policies > Intrusion Policy > Create Policy > Give it a name > I tend to use ‘Balanced Security and connectivity’ look at the other options and choose whichever you prefer > Create and Edit Policy.
Give the policy a name > Commit changes (I accept all the defaults).
FirePOWER Services Enable Malware Inspection and Protection
Note: Obviously this needs you to have added an AMP Licence!
Configuration > ASA FirePOWER Configuration > Policies > Intrusion Policy > Files > New File Policy > Give it a name > Store FirePOWER Changes.
Add new file rule > I add everything > and Set it to ‘Block Malware’ > Store FirePOWER Changes.
“Store ASA FirePOWER Changes”.
Warning: Nothing will be inspected, until you add this file policy to an access control policy.
ASA FirePOWER Services Edit / Create Access Control Policy
I renamed the default policy, Note: Even though I’ve called it ‘Base-Access-Control-Policy’ you can only apply one policy, you just add different rules to the policy as required. Add Rule.
In Source Networks > Add in ‘Private Networks’ (See Warning Below).
Inspection Tab > Add in the IPS and file policy you created above (That’s why I’ve done it in this order).
I set it to log at the end of the connection > Add.
“Store ASA FirePOWER Changes”.
FirePOWER Private Networks Warning
Private networks only cover RFC1918 addresses, if you LAN/DMZ etc subnets are different you should create a new Network object, then add the subnets for your network. If you do this, then substitute your network object every time I mention the Private Networks object.
Blocking a Particular URL with FirePOWER Services
Even if you don’t have a Web Filtering licence you can block particular URL’s here Im going to block access to Facebook. Configuration > ASA FirePOWER Configuration > Object Management > URL > Individual Objects > Add URL > Note Im adding http and https.
Then add a rule to your existing access control policy ABOVE the permit all rule, (they are processed like ACLS from the top down). Set the source network to your private subnets.
On the URLs tab add in your URL objects and set the action to block with reset, or Interactive block with reset if you want to let the users proceed to Facebook after a warning.
Note: If you have a Web filtering Licence you can select ‘Social Networking’ from the Categories tab, and that would also block Facebook, and Twitter etc.
ASA FirePOWER Services Commit and Deploy The Changes
FirePOWER services behaves the same on-box as it does when you use the SourceFIRE Appliance, you can make changes but nothing gets deployed until you commit the changes. If you have made a change then there will be a ‘Store ASA FirePOWER services button active. Then you need to select File > Deploy FirePOWER Changes.
Note: You will only see the Deploy option on SFR modules running 6.0.0 or newer.
Deploy.
Even now its not deployed, it takes a while, to see progress navigate to Monitoring > ASA FirePOWER Monitoring > Task Status > It will probably have a ‘running’ task.
Wait until the policy deployment says completed before testing.
Related Articles, References, Credits, or External Links
I’ve had to do a rollout of Remote Desktop Services on Server 2012 R2, and publish it with Active Directory Federation Services and Web Application Proxy. I’m a little rusty on RDS and needed to deploy a few roles, so for my proof of concept I deployed RDS on TWO servers. Below is a run though and my notes on deploying RDS ONLY (I’ll put the links to other articles at the bottom of this post as I write them).
Solution
To save yourself some hassle, visit every server that will be in the Remote Desktop Server deployment, and add all the others into each others ‘server manager’ console.
Manage > Add Roles and Features > Next > Remote Desktop Services Installation > Next.
Standard Deployment. Note: If you choose Quick Start it puts all the roles on one server > Next.
Session-based desktop deployment > Next.
Next.
Select the server that will host the Connection Broker Rule and add it > Next.
Add the server that will host the Remote Desktop Web Access role > Next.
Add the server that will host the Remote Desktop Session Host role > Next.
Tick the ‘restart the destination server automatically if required’ > Deploy.
Finish. (Note: There will be a licensing error, we will address that in a minute).
In Server Manager > Remote Desktop Services > Overview > Note: There are two options yet to be configured, (shown in green). Select ‘RD Gateway’.
Add in the server that will host the RD Gateway role > Next.
Add in the public name of the RD Gateway server, this will generate a self signed certificate, (you can replace this with a proper one later).
Add.
Close
Now Add RD Licensing.
Add in the server that will host the licensing role > Next.
Add
Close
All the nodes should now be displayed..
In production you would now add your Remote Desktop Licences, If you don’t, the whole thing will run for 120 days, (though it continues to nag you about adding licences). I’m content with the 120 day licence for my test deployment. But I will still ‘Activate’ my licensing server.
Follow the instructions
Now you need to create a ‘Collection‘, this is a group of host servers that host applications you can publish. Server Manager > Remote Desktop Services > Collection > Task > Create Session Collection.
Next.
Give the collection a name > Next.
Add in the server(s) running the RD Host role that will be included in this collection > Next.
Select the user groups that you want to grant access to. Here Im simply using the domain users group > Next.
If you want to deploy ‘profile disks’ enter a UNC path to the share > Next.
Create.
Close.
To actually publish applications, select the collection you just created > RemoteApp Programs > Tasks >Publish RemoteApp Programs.
Select the applications, (or add them in if they are not displayed) > Next.
Publish.
Note: You can change certificates from within Server Manger, but I prefer the manual approach, on the RD Gateway Server > Launch the IIS Manager > Select the server > Server Certificates.
Import > Import your publicly signed certificate, (you can use a self signed certificate but DON’T FORGET your remote client needs to be able to check your CRL, and trust your issuing CA if you do).
Sites > Default Web Site > Edit Bindings.
Select ‘https’ > Edit > Add in your certificate > OK > Close.
Bounce the services with an ‘iisreset‘ command.
Update 070316 You also will need to restart the Remote Desktop Services Service!
Connect to the server on the https://{FQDN}/RDWeb address, and you can check the correct certificate is used.
You should now be able to log into Remote Desktop Services Web Access.
Related Articles, References, Credits, or External Links
When looking at a router, switch or firewall running config, it will usually display a page at a time, you can page down with the space bar, or line down with the Enter/Return key.
Normally that’s fine, but what if you want to capture (take a quick backup,) of the config?
If you do that, and page down you get a copy of the config that looks like this;
–More–
Yes, you can delete them, but in a big config that can take time, how about making the config scroll right to the end without the breaks/pauses.
Solution
Cisco ASA Disable Paging
On a firewall that’s done with a pager command, normally a firewall config will display 25 lines at a time, to get it to scroll straight to the end set the pager length to zero.
[box]
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password:*********
Petes-ASA# configure terminal
Petes-ASA(config)# pager 0
Petes-ASA(config)#
[/box]
Tip: If you want to take a copy of a firewall config it will blank, (replace with asterisks) the VPN shared secrets and failover keys, you can suppress that from happening, and show the hidden values with the following command;
[box]
Petes-ASA(config)# more system:running-config
[/box]
To return it back to pausing every 25 lines and giving the <— More —> prompt again.
[box]
Petes-ASA(config)# pager 25
[/box]
Cisco Router / Switch IOS Terminal Length
On IOS the default is 24 lines at a time (show terminal will tell you). You can change this by changing the terminal length. Note: This is NOT a global configuration command.
[box]
Petes-Router#terminal length 0
[/box]
To reset it, and get the –More– prompt back again;
[box]
Petes-Router#terminal length 24
[/box]
Related Articles, References, Credits, or External Links
