Cisco SFR Cant Ping its Default Gateway?

KB ID 0001575

Problem

This is a strange one? I was deploying FirePOWER to a pair of ASA 5550-8-X firewalls in Active / Standby failover last week. After each SFR was updated (via ASDM.) I could no longer ‘ping it’, the SFR itself could ping everything on the same VLAN, APART from its own default gateway, (which was an SVI on the Cisco 3750 switch it was connected to).

This happened every time I updated the SFR, (or re-imaged it.) Then after an hour or so it was fine?

Solution

If I connected to the switch that the SFR, (and firewall) was connected to, I could NOT ping the SFR. The interface was up/up on the switch, and the firewalls Management interface was also up/up.

[box]

Petes-3750#ping 10.2.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

[/box]

I did notice it was in the ARP table though, (with the correct MAC address), So I manually removed it;

[box]

Petes-3750#clear ip arp 10.2.1.252

[/box]

Then it was fine?

[box]

Petes-3750#ping 10.2.1.252

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.1.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

[/box]

Now the ASDM would connect fine without complaining about the FirePOWER module.

Related Articles, References, Credits, or External Links

NA

Updating FirePOWER Module (From ASDM)

KB ID 0001348 

Problem

Normally I don’t like upgrading the SFR this way. But then I tend to install new firewalls set them up and walk away, so its easier (and a LOT quicker) to simply image the module to the latest version and then set it up.

Like So; Re-Image and Update the Cisco FirePOWER Services Module

This week I had an existing customer, who has an ASA5508-X but wasn’t using his FirePOWER, I’d installed the controller licence when I set it up originally, (as a safe guard in case the licence got lost, which nearly always happens!) The firewall was pretty much up to date but the SFR was running 5.4.0 (at time of writing we are at 6.2.2). So Instead of imaging it I decided to upgrade it, this takes a LOOOOOOOONG TIME! (4-6 hours per upgrade) and you cannot simply upgrade straight to the latest version.

Thankfully this does not affect the firewall itself, (assuming you set the SFR to Fail Open).

Solution

First task is to find out what the latest version is, at time of writing thats 6.2.2, open the release notes for that version and locate the upgrade path, it looks like this;

Well that’s a lot of upgrades! You may notice that there’s some ‘pre-installation packages’. Sometimes when you go to the downloads section at Cisco these are no-where to be found! This happens when a version gets updated, in the example above one of my steps is 6.0.1 pre installation package, this was no where to be found, so I actually used 6.0.1-29.

The files you need are the ones which end in .sh, i.e. Cisco_Network_Sensor_Patch-6.0.1-29.sh (DON’T Email me asking for updates you need a valid Cisco support agreement tied to your Cisco CCO login.)

Once you have downloaded your update, login to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.

Upload your update, (this can take a while).

When uploaded > Select your update > Install, (if the install needs a reboot accept the warning).

Note: This is a reboot of the FirePOWER module, NOT the Firewall.

You can follow progress (to a point) from the task information popup (Once the SFR module goes down you wont see anything apart from an error, unless your version is 6.1.0 or  newer (which shows a nice progress bar). So;

  1. Don’t panic: it looks like it’s crashed for hours – it’s fine.
  2. There are other things you can look at if you’re nervous.

Monitoring FirePOWER upgrades

What I like to do is SSH into the firewall and issue the following command;

[box]debug module-boot[/box]

Then you can (after a long pause of nothing appearing to happen!) see what is going on.

You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.

If you are currently running 6.1.0 or above you get this which is a little better.

Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.

Back at the firewall, if you issue a ‘show module‘ command during the upgrade it looks like the module is broken! This will be the same of a few hours!

[box]

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

MANY HOURS LATER

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b79  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70  N/A          N/A          6.0.1-29

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.1-29

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

[/box]

Related Articles, References, Credits, or External Links

NA

FirePOWER – ‘DataPlaneInterface0’ is not receiving and packets

KB ID 0001344 

Problem

While replacing a FirePOWER Management console, I got this error;

Interface Status
Interface ‘DataPlaneInterface0’ is not receiving any packets

 

Solution

A look a the health monitor showed me the same thing;

Firstly, common sense dictates, that this is a live firewall and traffic is actually flowing though it? In my case the traffic simply needed to be ‘sent though’ the module. Execute the following, (or check for the presence of matching configuration);

[box]

access-list ACL-FirePOWER extended permit ip any any
class-map CM-SFR
 match access-list ACL-FirePOWER
 exit
policy-map global_policy 
 class CM-SFR
  sfr fail-open
exit
exit
write mem

[/box]

Note: Here I’m assuming you want to ‘fail-open’ i.e. not block traffic if the FirePOWER module fails, and you are inspecting ‘inline’ (not passively).

Then apply the cup of coffee rule, and ensure some traffic is sent via the firewall.

Failover (Active / Standby) Firewalls and FirePOWER

As pointed out (below, thanks Marvin) If you have an active/standby failover firewall pair, you will also see this error from the SFR module in the standby firewall. Which makes sense because this firewall is not passing any traffic!

Related Articles, References, Credits, or External Links

NA

Cisco Add FirePOWER Module to FirePOWER Management Center

KB ID 0001178 

Problem

If you only have one FirePOWER service module you can now manage it from the ASDM;

ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM)

But if you have got more than one, and you can manage them centrally with the FirePOWER Management Center, (formally SourceFIRE Defence Center). 

WARNING:  If you are going to use FMC DON’T register your licences in the ASDM, they all need to be registered in the FMC.

 

Solution

Before you can register the SFR module in the FMC, you need to have set it up, and have ran though the initial setup. The process is the same if you intend to use the ASDM or the FMC. You can then choose whether to register from command line in the SFR, or via the ASDM.

Register SFR with FMC via Command Line

Connect to the parent firewall and open a session with the sfr module;

[box]

PETES-ASA# session sfr
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

PETES-SFR login: admin
Password:{pasword}
Last login: Fri Apr  8 05:04:49 UTC 2016 on ttyS1

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.0.0 (build 258)
Cisco ASA5506 v6.0.0 (build 1005)

> 

[/box]

You can then add the FMC as a manager, you will need to supply a registration key.

[box]

> configure manager add 10.9.20.25 password123
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

[/box]

Register SFR with FMC via ASDM

Connect to the ASDM > Configuration > ASA FirePOWER Configuration > Integration  >Remote Management > Add Manager.

Specify the IP of the FMC Appliance, and registration key > Save.

It should then say ‘pending registration’.

Configure the FirePOWER Management Appliance to Accept the SFR Registration 

Log into FMC > Devices > Device Management > Add Device.

Provide the IP of the SFR module, a display name, the registration key you used above. If you have setup a group you can use it and select your Access Control Policy (dont panic if you have not configured one yet) > Register.

It can take a while, but eventually it should register like so;

Problems

Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible,and that the network is not blocking the connection.

Had this problem for a while, (Credit to Craig Paolozzi for finding the fix.) Both the SFR, and the FMC console needed static routes adding to them (even though they could ping each other!) Pointing to each other.

Related Articles, References, Credits, or External Links

NA

Cisco Firepower Services – Change IP and DNS Addresses

KB ID 0001173 

Problem

If you change your internal LAN addresses its easy to re-ip the firewall but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won’t let you change it?

 

Solution

Change the FirePOWER Module IP Address

Log into the firewall, then open a session with the SFR module. find the physical address of the module (usually eth0, but check).

[box]

Petes-ASA# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.


GRAINGER-SFR login: admin
Password:{your password}
Last login: Thu Apr  7 08:11:00 UTC 2016 on pts/0

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)
Cisco ASA5506 v5.4.1 (build 211)

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.100
---------------------[ tunl0 ]----------------------
----------------------------------------------------
>

[/box]

To change the IP you need to supply the IP address, subnet mask, default gateway, and physical interface like so;

[box]

> configure network ipv4 manual 192.168.1.99 255.255.255.0 192.168.1.1 eth0
Setting IPv4 network configuration.
Network settings changed.

[/box]

You can check its worked with a ‘show interfaces command’.

[box]

> show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
---------------------[ tunl0 ]----------------------
----------------------------------------------------

>

[/box]

Or you can use the ‘show interfaces {interface-name}‘ command.

[box]

> show interfaces eth0
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:C8:8B:C1:0E:0C
IPv4 Address              : 192.168.1.99
IPv4 Broadcast            : 192.168.1.255
RX Packets                : 261
RX Errors                 : 0
RX Drops                  : 0
RX Overruns               : 0
RX Frame                  : 0
TX Packets                : 214
TX Errors                 : 0
TX Drops                  : 0
TX Overruns               : 0
TX Carrier                : 0
Collisions                : 0
----------------------------------------------------


[/box]

Change the FirePOWER Module IP Address

This is a little more convoluted, there is a command to do this, Note: You can enter multiple servers separated by commas.

[box]

> configure network dns servers 8.8.8.8,8.8.4.4

[/box]

But you also need to restart the nscd daemon in the underlying linux, to do that you need to get into ‘expert mode’.

[box]

> expert

admin@PETES-SFR:~$ sudo /etc/rc.d/init.d/nscd restart

Password:{Enter Your Password}

Stopping nscd…                                                     [  OK  ]

Starting nscd…                                                       [  OK  ]

admin@PETES-SFR:~$

[/box]

Related Articles, References, Credits, or External Links

Cisco FirePOWER – Adding a Static Route

Cisco FirePOWER – Adding a Static Route

KB ID 0001172

Problem

Routing traffic back from the ASA , in most cases you will have a static route (or routes) tied to the inside interface of the firewall. Or you may have dynamic routing if your network is a little more complex. But your FirePOWER module is essentially a small Linux box sat inside the firewall, it has its own network connection and maintains its own routing table.

You may have already noticed if your FirePOWER module is down or unreachable you will see an error like this;

Cannot connect to the ASA ForePOWER module

This means you can talk to the insider interface but not the FirePOWER module. If it’s misconfigured see the following article;

ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM)

But what if you’re on a different network segment, and the ASA can talk to you but the SFR module can’t?

Solution

Adding a Static Route to the SFR Module

To put a static route on the SFR module you have to connect to it directly. Connect the firewall and then open a session with the module.

[box]

Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)

Sourcefire3D login: admin

Password: {your-password}

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

>

[/box]

You need to find what the SFR has called its management interface, usually it’s eth0 but let’s check;

[box]

>Show interfaces
--------------------[ outside ]---------------------
Physical Interface        : GigabitEthernet1/1
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ inside ]---------------------
Physical Interface        : GigabitEthernet1/2
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
----------------------[ DMZ ]-----------------------
Physical Interface        : GigabitEthernet1/3
Type                      : ASA
Security Zone             : None
Status                    : Enabled
Load Balancing Mode       : N/A
---------------------[ cplane ]---------------------
IPv4 Address              : 127.0.2.1
----------------------[ eth0 ]----------------------
Physical Interface        : eth0
Type                      : Management
Status                    : Enabled
MDI/MDIX                  : Auto
MTU                       : 1500
MAC Address               : 00:F2:AA:66:94:3F
IPv4 Address              : 10.0.0.253
----------------------[ tun1 ]----------------------
IPv6 Address              : fdcc::bd:0:ffff:a9fe:1/64
---------------------[ tunl0 ]----------------------
----------------------------------------------------

[/box]

Now you can ad in your static route(s).

[box]

> configure network static-routes ipv4 add eth0 192.168.100.0 255.255.255.0 10.0.0.1
Configuration updated successfully

[/box]

To delete a static route;

configure network static-routes ipv4 delete interface destination netmask gateway 

Add a Static Route to the FirePOWER Management Console

To do the same on an FMC appliance, System > Configuration > Management Interface > IPv4 Routes > Add.

To do the same from command line on the appliance, use the following commands;

[box]

sudo su
cd /etc/sysconfig/network-devices
touch ifcfg-static-routes
echo 'eth0 ipv4 192.168.10.0 255.255.255.0 192.168.1.1’ >> /etc/sysconfig/network-devices/ifcfg-static-routes
/etc/rc.d/init.d/routes restart

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco FirePOWER – Update Fails ‘Peer Registration Failed: Registration in Progress’

KB ID 0001162 

Problem

If you attempt to perform an update on the FirePOWER services module in your firewall, you may see the following error;

Error
Installation Failed: Peer registration in progress. 
Please retry in a few moments

I found myself in this situation because I’d attempted to register the firewall in the FirePOWER Management Center Appliance, and the process failed, (because the versions were different). So when I attempted to update the firewalls sfr module to match, it then fails because it’s waiting to register with the management center, (Catch 22).

Solution

Essentially you need to ‘kill’ the registration then, perform the upgrade and then attempt to add it as a managed device again. You can do this from within the ADSM. Configuration > ASA FirePOWER Configuration > Integration  > Remote Management > Locate the registration and ‘Delete’.

Usually it says its ‘failed’, I’m assuming it’s referring to the peer registration itself, because it does get removed.

You can then attempt to do the upgrade, (which takes ages by the way!)

Note: I’ve also found you need to manually restart the sfr module when its complete. The upgrade takes ages on small firewalls like the 5506-X its a bit quicker on the larger firewalls like the 5515-X, but I would still leave the update running overnight and then restart the module in the morning.

Related Articles, References, Credits, or External Links

NA

ASA Setup FirePOWER Services (for ASDM)

KB ID 0001107 

Problem

Both the 5506-X (rugged version and wireless), and 5508-X now come with a FirePOWER services module inside them. This can be managed from either ASDM* (with OS and ASDM upgraded to the latest version), and via the FireSIGHT management software/appliance.

Related Articles, References, Credits, or External Links

*UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed from the ASDM.

Solution

1. The first thing to do is cable the management interface and the interface you are going to use as the ‘inside’ (LAN) into the same network (VLAN).

2. The next step might seem strange if you are used to working with Cisco firewalls, but you need to make sure there is no IP address configured on the management interface. Try to think of it as just the hole that the FirePOWER services module (which will get its own IP) speaks out though.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# interface Management1/1
Petes-ASA(config-if)# no nameif
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
Petes-ASA(config-if)# no security-level
Petes-ASA(config-if)# no ip address 

[/box]

3. So it should look like this;

[box]

Petes-ASA(config-if)# show run
: Saved

ASA Version 9.3(2)2
!
----Output removed for the sake of brevity----
!
interface Management1/1
management-only
no nameif
no security-level
!
----Output removed for the sake of brevity---- 

[/box]

4. Lets make sure the FirePOWER service module is ‘up’ and healthy.

[box]

Petes-ASA(config)# show module 


Mod  Card Type                                    Model              Serial No.

---- -------------------------------------------- ------------------ -----------

   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD19090XXX

 sfr FirePOWER Services Software Module           ASA5506            JAD19090XXX


Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version

---- --------------------------------- ------------ ------------ ---------------

   1 a46c.2a99.eec5 to a46c.2a99.eece  1.0          1.1.1        9.3(2)2

 sfr a46c.2a99.eec4 to a46c.2a99.eec4  N/A          N/A          5.4.1-211


Mod  SSM Application Name           Status           SSM Application Version

---- ------------------------------ ---------------- --------------------------

 sfr ASA FirePOWER                  Up               5.4.1-211


Mod  Status             Data Plane Status     Compatibility

---- ------------------ --------------------- -------------

   1 Up Sys             Not Applicable

 sfr Up                 Up

[/box]

5. The SFR module is actually a Linux box that’s running within the firewall, to connect to it you issue a ‘session sfr’ command.

  • Default Username: admin
  • Default Password: Sourcefire (capital S)
  • Default Password (after version 6.0.0): Admin123 (capital A)

As this is the first time you have entered the SFR you need to page down (press space) though the sizable EULA, then accept it.

[box]

Petes-ASA(config)# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506 v5.4.1 (build 211)

Sourcefire3D login: admin

Password: Sourcefire

Copyright 2004-2015, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Linux OS v5.4.1 (build 12)

Cisco ASA5506 v5.4.1 (build 211)

You must accept the EULA to continue.

Press <ENTER> to display the EULA:

END USER LICENSE AGREEMENTIMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY

----Output removed for the sake of brevity---- 

Product warranty terms and other information applicable to Cisco products are

available at the following URL: http://www.cisco.com/go/warranty.
----Output removed for the sake of brevity---- 

Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES

[/box]

6. Set a new password.

[box]

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.

Enter new password: Password123

Confirm new password: Password123

[/box]

7. Set up all the IP and DNS settings, then exit from the module session.

[box]

You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.

Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.100.22
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 192.168.100.1
Enter a fully qualified hostname for this system [Sourcefire3D]: SFire
Enter a comma-separated list of DNS servers or 'none' []: 192.168.100.10,192.168.100.11
Enter a comma-separated list of search domains or 'none' [example.net]: petenetlive.com,pnl.net

If your networking information has changed, you will need to reconnect.

For HTTP Proxy configuration, run 'configure network http-proxy'

Applying 'Default Allow All Traffic' access control policy.
You can register the sensor to a Defense Center and use the Defense Center

----Output removed for the sake of brevity---- 

sensor to the Defense Center.

> exit

Remote card closed command session. Press any key to continue.

[/box]

8. Now you need to ‘send’ traffic though the module, in this case I’m going to send all IP traffic though, I’m also going to set it to ‘fail open’, If you set it to fail closed then traffic will cease to flow though the firewall if the FirePOWER services module goes off-line. I’m making the assumption you have a default policy-map applied.

[box]

Petes-ASA(config)# access-list SFR extended permit ip any any
Petes-ASA(config)# class-map SFR
Petes-ASA(config-cmap)# match access-list SFR
Petes-ASA(config-cmap)# exit

[/box]

9. Add that new class-map to the default policy-map.

WARNING: If you are going to set ‘fail-close‘ then make sure your SFR module is operating normally, or you will cause downtime, best to do this in a maintenance window!)

[box]

Petes-ASA(config)# policy-map global_policy 
Petes-ASA(config-pmap)# class SFR
Petes-ASA(config-pmap-c)# sfr fail-open
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit

[/box]

10. Save the changes.

[box]

Petes-ASA(config)# write mem
Building configuration...

Cryptochecksum: 72c138e3 1fa6ec32 31c35497 621cff02

35819 bytes copied in 0.210 secs

[OK]

[/box]

11. At this point the firewall should be able to ping the management IP of the SFR module.

[box]

Petes-ASA# ping 192.168.100.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Petes-ASA#

[/box]

12. Now when you connect to the ASDM you can manage the FirePOWER services module.Note: I have seen some firewalls that flatly refuse to connect to the Firepower Services Module, and give an error ‘unable to connect on port 443’ every time you launch ASDM. I just re-image the module and load in a fresh install (40 mins to an hour), and start again.

Code to Copy & Paste

If you are lazy like me!

[box]

access-list ACL-FirePOWER extended permit ip any any
 class-map CM-SFR
 match access-list ACL-FirePOWER
 exit
policy-map global_policy 
 class CM-SFR
 sfr fail-open
 exit
 exit
write mem

[/box]

Note If you get an unable to connect error see the following article;

Cisco – Cannot Connect to the ASA FirePOWER Module

13. I suggest you update everything first, the ASA will configure an access control policy set to allow and inspect all traffic by default, which we will edit, set everything to update on a schedule, (rule updates and geolocation info).

Cisco FirePOWER Services Adding Licences (ASDM)

In the box with the firewall, you will have an envelope, you don’t need to open it (as below) because the PAK number you need is printed on the outside anyway. This is the firewalls CONTROL LICENCE, it allows it to be managed, we will install it into the ASDM, if you have a SourceFIRE appliance to manage the firewall you would install it there. You need two  bits of information the PAK and the LICENCE KEY of the FirePOWER module, (See Below).

The Licence Key is the MAC address of the Module, (Not the ASA). You can find it at Configuration > ASA FirePOWER Configuration > Licence. This is also where you will add all the licences. Go to www.cisco.com/go/licence and register the licence (and any additional licences i.e. AMP, Web filtering, etc.)

The Licence(s) will be emailed to you open them in a text editor and copy the text of each licence. You can see I’ve indicated below what you should be copying.

Paste that into the ASDM > Submit Licence.

It should say success, if it fails you’ve pasted to much text, or there’s a problem with the licence.

Review you licences, here Ive added AMP and web filtering but Ive yet to add the control licence. If you don’t add the control licence then when you try and edit the access control policy it will say you need a PROTECTION LICENCE (confusingly!)

FirePOWER Services Setup IPS

Disclaimer: These settings, (and allotters below,) are to get you up and running, As with any security device, you need to tune settings accordingly. Please don’t follow these instructions, then email me with complaints that you been attacked by ISIS/Scammers/Bots etc.

You get an IPS/IDS Licence with any of the subscription based licences, its less hassle to set this up before the the access control policy. Configuration > ASA FirePOWER Configuration  > Policies > Intrusion Policy  > Create Policy > Give it a name > I tend to use ‘Balanced Security and connectivity’ look at the other options and choose whichever you prefer > Create and Edit Policy.

Give the policy a name > Commit changes (I accept all the defaults).

FirePOWER Services Enable Malware Inspection and Protection

Note: Obviously this needs you to have added an AMP Licence!

 Configuration > ASA FirePOWER Configuration  > Policies > Intrusion Policy  > Files > New File Policy > Give it a name > Store FirePOWER Changes.

Add new file rule > I add everything  > and Set it to ‘Block Malware’ > Store FirePOWER Changes.

“Store ASA FirePOWER Changes”.

Warning: Nothing will be inspected, until you add this file policy to an access control policy.

ASA FirePOWER Services Edit / Create Access Control Policy

I renamed the default policy, Note: Even though I’ve called it ‘Base-Access-Control-Policy’ you can only apply one policy, you just add different rules to the policy as required. Add Rule.

In Source Networks > Add in ‘Private Networks’ (See Warning Below).

Inspection Tab > Add in the IPS and file policy you created above (That’s why I’ve done it in this order).

I set it to log at the end of the connection  > Add.

“Store ASA FirePOWER Changes”.

FirePOWER Private Networks Warning

Private networks only cover RFC1918 addresses, if you LAN/DMZ etc subnets are different you should create a new Network object, then add the subnets for your network. If you do this, then substitute your network object every time I mention the Private Networks object.

Blocking a Particular URL with FirePOWER Services

Even if you don’t have a Web Filtering licence you can block particular URL’s here Im going to block access to Facebook.  Configuration > ASA FirePOWER Configuration  > Object Management > URL > Individual Objects > Add URL > Note Im adding http and https.

Then add a rule to your existing access control policy ABOVE the permit all rule, (they are processed like ACLS from the top down). Set the source network to your private subnets.

On the URLs tab add in your URL objects and set the action to block with reset, or Interactive block with reset if you want to let the users proceed to Facebook after a warning.

Note: If you have a Web filtering Licence you can select ‘Social Networking’ from the Categories tab, and that would also block Facebook, and Twitter etc.

ASA FirePOWER Services Commit and Deploy The Changes

FirePOWER services behaves the same on-box as it does when you use the SourceFIRE Appliance, you can make changes but nothing gets deployed until you commit the changes. If you have made a change then there will be a ‘Store ASA FirePOWER services button active. Then you need to select File > Deploy FirePOWER Changes.

Note: You will only see the Deploy option on SFR modules running 6.0.0 or newer.

Deploy.

Even now its not deployed, it takes a while, to see progress navigate to Monitoring > ASA FirePOWER Monitoring > Task Status > It will probably have a ‘running’ task.

Wait until the policy deployment says completed before testing.

Related Articles, References, Credits, or External Links

Originally Published 17/11/15

Thanks to Eli Davis for the feedback.

Cisco ASA 5506-X / 5508-X Restart the FirePOWER Service Module

Cisco ASA 5500-X Restart the FirePOWER Service Module

KB ID 0001101 

Problem

I’ve only just recently started to work with these, the advantage of them is they are great for SOHO and SMB, and they don’t need additional SSD drives installing.

Note: This also procedure works on the larger ASA5500-X firewalls that have Firepower installed on an internal SSD drive, (i.e. 5512,5515,5525, and 5545 etc.)

While getting them to work with a Sourcefire appliance, I had to ‘bounce’ the module a few times.

Note: the following procedure will not affect traffic flowing through the firewall unless you have your SFR module set to ‘fail-closed’.

Solution

1. First things first, check the status of the module.

[box]

Petes-ASA> enable
Password: *******
Petes-ASA# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506            JAD1912XXXX
 sfr FirePOWER Services Software Module           ASA5506            JAD1912XXXX

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 a46c.2a99.dfbe to a46c.2a99.eeee  1.0          1.1.1        9.3(2)2
 sfr a46c.2a99.dfbd to a46c.2a99.ffff  N/A          N/A          5.4.1-211

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               5.4.1-211

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up               Up

[/box]

2. To reload the module issue the following command;

[box]

Petes-ASA# sw-module module sfr reload

Reload module sfr? [confirm] {Enter}
Reload issued for module sfr.
Petes-ASA#

[/box]

3. It usually only takes a couple of minutes but you can use the show module command to keep an eye on it.

[box]

Petes-ASA# show module
-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Reload             Not Applicable
-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Init             Not Applicable


-----Output removed for the sake of brevity----

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up               Up

[/box]

 

Related Articles, References, Credits, or External Links

NA