Go to the top

Configuring Cisco NGIPS – ASA with Firepower and FMC

Ziaul / ASA, Firepower, Network Security /
Firepower-FMC

Cisco Firepower Management Center (FMC):   

Cisco Firepower Management Center (formerly FireSIGHT Management Center) is the administrative nerve center for Cisco security products running on a number of different platforms. It provides complete and unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. The Management Center is the centralised point for event and policy management for security products. FMC do not block traffic itself rather manages the policies and updates and push to the firepower sensors which can block traffic. In the event of failure of FMC, traffic will transverse the network as usual with IPS enables but as per the last update received from FMC.

FMC - Sensors

Installing vFMC on ESXI: 

  • Download the FMC appliance from Cisco. Ensure its the main release, not patch release. The file extension is .tar.gz. Example:
Cisco_Firepower_Management_Center_Virtual_VMware-6.2.3-83.tar.gz
  • Extract with 7Zip which will give a file with .tar and extract again. There will now be 5 files in total.
  • On Esxi, deploy as a template -> Choose 3 files which don’t have extension as .tar and .tar.gz -> follow the prompt -> Review details, Storage and Networks -> Customise Template with only IP address, Netmask and Gateway -> Finish

Wait approximately 20 minutes for installation

  • Login via https using IP address configured and go through initial setup as necessary (all can be configured later)
  • Apply

Wait approximately 5 – 8 minutes for configuration

 

Licensing FMC:  

  • Smart Licensing
  • Classic Licensing

A mandatory license that would need to be installed is control and protection license (comes under 1 license file). NGFW – ASA with Firepower will be shipped with this out of the box.

 

Configuring FMC:  

  • All platform specific configurations related to FMC are done under System -> Configurations. Good to configure the below:
    • Access List – Configure an access list for what networks and ports can access the FMC
    • Login Banner – Configure a login banner for people who will be logging into the FMC
    • Email Notification – For receiving updates and reports (configured separately) via email
    • Information – Configure a name for of the FMC.
    • Management Interface – To configure hostname, domain, DNS, proxy etc.
    • Snmp – Configure snmpv3
    • Time Sync – Configute NTP
  • User settings are under System -> Users. Note: User will need to exist locally and username will have to match when external authentication is used and a role must be assigned.
  • Scheduling automated cron jobs can be done under Tools -> Scheduling
    • Nightly Backup PM – Backup – 01/01/2018 23:00 – Every Day
    • Download Updates AM – Download Latest Update –  01/01/2018 04:00 – Every Day
    • Deploy Vulnerability DB AM – Install Latest Update (FMC) – 01/01/2018 05:30 – Every Day
    • Deploy Policies AM – Deploy Policies –  01/01/2018 06:30 – Every Day
    • Deploy URL Filter DB AM – Update URL Filtering Database –  01/01/2018 07:00 – Every Day

Worth going through all the tabs under System and configure as per the requirement of the environment.

 

Configuring Firepower (SFR) Module on ASA:

  • Login to ASA and then open a session to SFR.

session sfr

  • Perform prompted initial configuration when logged in the first time.

Default username: admin

Password: Admin123

  • Check SFR version matches the version of FMC. If not, the SFR module would need to be re-imaged.

show version

  • Register the device to be administered by Firepower Management Center.

configure manager add 192.0.2.2 cisco1234

 

Adding  Firepower Sensors to FMC: 

  • In FMC under Devices -> Add -> Device, complete relevant details and tick licensing boxes that apply.
  • Create an Access Control Policy. Recommended setting the policy as Network Discovery which put the sensors in monitor mode so that it can learn the environment. It can then be changed to Intrusion Prevention at a later date which will start blocking malicious traffic.
  • When managing sensors that are deployed as Active/Standby HA mode in ASA, the secondary in the group does not communicate on the inside interface, so the device will start issuing the below critical alert. To resolve the issue, Interface Status can be set to Off under Health -> Policy -> Interface Status -> Off -> Save Policy and Exit.

“DataplaneInterface0 is not receiving packets”

  • Create a Platform Settings Policy under Devices -> Platform Settings -> New Policy -> Firepower Settings. This will ensure synchronized setting across the platform i.e. FMC and Sensors. Apply the Policy by clicking the green tick -> Select all -> Apply

 

Send Traffic through SFR Module: 

Create an access list on ASA for traffic to be inspected.  The attribute for SFR will be set to ‘fail open’ as if fail closed is set,  then traffic will cease to flow through the firewall when the FirePOWER services module goes off-line.

access-list ACL_XXX-IPSINSPECT extended permit ip any any
class-map CM_XXX-IPSINSPECT
match access-list ACL_XXX-IPSINSPECT
policy-map global_policy
class CM_XXX-IPSINSPECT
sfr fail-open
!
write memory

 

 

Crib Sheets:

 

References:

 

Leave a Comment