Friday, April 19, 2019

Configuring Devices in Cisco FMC

Before you can manage a Firepower System device, you must set up a two-way, SSL-encrypted communication channel between the device and the Firepower Management Center. The appliances use the channel to share configuration and event information. High availability peers also use the channel, which is by default on port 8305/tcp.

To enable communications between two appliances, you must provide a way for the appliances to recognize each other. There are three criteria the Firepower System uses when allowing communications:

* The hostname or IP address of the appliance with which you are trying to establish communication. In NAT environments, even if the other appliance does not have a routable address, you must still provide a hostname or an IP address, either when you are configuring remote management or when you are adding the managed appliance.

* A self-generated alphanumeric registration key, up to 37 characters in length, that identifies the connection.

* An optional unique alphanumeric NAT ID that can help the Firepower System establish communications in a NAT environment. The NAT ID must be unique among all NAT IDs used to register managed appliances.


Connect to the FirePOWER module CLI from the ASA using the privileged EXEC command session sfr.

ASA5506W-X# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.

ASA5506X-FP login: admin
Password:
Last login: Tue Nov 20 05:14:43 UTC 2018 on ttyS1

Copyright 2004-2018, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco ASA5506W v6.2.3 (build 83)

Last login: Tue Mar 12 08:01:01 UTC 2019 on cron

> system support ping 192.168.1.200      // VERIFY CONNECTIVITY TO FMC
Last login: Tue Mar 12 08:32:17 UTC 2019 on pts/0
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
64 bytes from 192.168.1.200: icmp_req=1 ttl=64 time=4.42 ms
64 bytes from 192.168.1.200: icmp_req=2 ttl=64 time=0.998 ms
64 bytes from 192.168.1.200: icmp_req=3 ttl=64 time=1.03 ms
64 bytes from 192.168.1.200: icmp_req=4 ttl=64 time=0.996 ms
64 bytes from 192.168.1.200: icmp_req=5 ttl=64 time=3.78 ms
^C
--- 192.168.1.200 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.996/2.247/4.420/1.528 ms

> configure manager add 192.168.1.200 cisco      // ADD FMC IP; USE THE SAME REGISTRATION KEY ON FMC
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

> show managers
Host                      : 192.168.1.200
Registration Key          : ****
Registration              : pending
RPC Status                :
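
The script below is an added example (not part of the original post and not Cisco's tooling) that applies the three registration criteria described above before you type configure manager add, and parses the show managers output so an automation job can tell whether the registration is still pending. The sample outputs embedded in it are constructed from the CLI session shown above; sftunnel_reachable() is an assumed helper that only tests whether 8305/tcp answers on the FMC and is not exercised by the self-checks.

```python
"""Pre-registration checks for adding a Firepower sensor to an FMC.

Added example, not Cisco code. It checks the three registration criteria
(manager host, registration key, optional NAT ID) and parses the sensor's
`show managers` output so an automation script can tell whether the
registration is still pending.
"""
import ipaddress
import re
import socket

MAX_REG_KEY_LEN = 37      # registration key: up to 37 alphanumeric characters
SFTUNNEL_PORT = 8305      # FMC <-> device management channel, 8305/tcp

# RFC 1123 style hostname: labels of letters, digits and hyphens that do not
# start or end with a hyphen.
_HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)
_ALNUM_RE = re.compile(r"[A-Za-z0-9]+")


def validate_registration(host, reg_key, nat_id=None, used_nat_ids=()):
    """Return a list of problems with the registration parameters.

    An empty list means the parameters satisfy the three criteria.
    `used_nat_ids` holds NAT IDs already assigned to other managed devices.
    """
    problems = []

    # Criterion 1: a hostname or IP address of the peer is always required,
    # even in NAT environments where the peer has no routable address.
    if not host:
        problems.append("manager host is required (hostname or IP address)")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            if not _HOSTNAME_RE.fullmatch(host):
                problems.append(f"{host!r} is neither an IP address nor a hostname")

    # Criterion 2: self-generated alphanumeric registration key, <= 37 chars.
    if not reg_key or not _ALNUM_RE.fullmatch(reg_key):
        problems.append("registration key must be non-empty and alphanumeric")
    elif len(reg_key) > MAX_REG_KEY_LEN:
        problems.append(f"registration key exceeds {MAX_REG_KEY_LEN} characters")

    # Criterion 3: optional NAT ID, alphanumeric and unique across all
    # managed appliances registered with this FMC.
    if nat_id is not None:
        if not _ALNUM_RE.fullmatch(nat_id):
            problems.append("NAT ID must be alphanumeric")
        if nat_id in used_nat_ids:
            problems.append(f"NAT ID {nat_id!r} is already used by another device")

    return problems


def parse_show_managers(text):
    """Parse `show managers` output into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def registration_state(text):
    """Return 'none', 'pending', 'completed' or 'unknown' for the output."""
    if "No managers configured" in text:
        return "none"
    status = parse_show_managers(text).get("Registration", "").lower()
    return status if status in ("pending", "completed") else "unknown"


def sftunnel_reachable(host, port=SFTUNNEL_PORT, timeout=3.0):
    """True if a TCP connection to the FMC management port succeeds.

    Complements `system support ping`: ping proves IP reachability, this
    proves the channel's port is not filtered on the path to the FMC.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Sample outputs constructed from the CLI session shown in the post.
PENDING_OUTPUT = """\
Host                      : 192.168.1.200
Registration Key          : ****
Registration              : pending
RPC Status                :
"""
COMPLETED_OUTPUT = """\
Type                      : Manager
Host                      : 192.168.1.200
Registration              : Completed
"""

if __name__ == "__main__":
    print(validate_registration("192.168.1.200", "cisco"))
    print(registration_state(PENDING_OUTPUT), registration_state(COMPLETED_OUTPUT))
```

Run validate_registration() with the host, key and NAT ID you intend to use on both sides before touching either box; a key that is rejected here would also be rejected, less helpfully, after the sensor has already tried to contact the FMC. registration_state() is useful in a polling loop after configure manager add, since registration stays in the pending state until the device is added on the FMC side.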


To add a device in FMC, go to Devices > Device Management > Add.

You can optionally create a Group if managing several devices.


Fill in the device information and create a placeholder policy, which is required to complete the device registration. Leave the Unique NAT ID blank if the FMC is not behind a NAT device.


Temporarily create a new Policy (if this is the first device added) > select None for Base Policy > select Network Discovery > Save.

Once you tick the Protection license, the Control, Malware and URL Filtering licenses become available (VPN remains unavailable). Click Register.


Adding the device (or sensor) takes a couple of minutes.


Notice the green check icon which indicates the device was successfully added.

You can verify the ASA FirePOWER registration status using the show managers command.

> show managers
Type                      : Manager
Host                      : 192.168.1.200
Registration              : Completed


To check if Health Policy is applied to the ASA FirePOWER device, go to Health > Policy.

The FMC automatically applied the configured Health Policy to the ASA FirePOWER device (Applied To: 2 appliances). Click the green check icon (Apply) to verify.

To view device information go to Devices > Device Management > Edit (pencil icon).

If you need to remove the FMC (manager), you can use the configure manager delete command on the FirePOWER module CLI:

> configure manager delete

> show managers
No managers configured.

Friday, April 12, 2019

Configuring Cisco FMC 6.2.3 Updates, Licenses and Health Policy

There are two types of FMC Licenses: Classic (or Traditional) and Smart License.

The Classic License is the older form of Cisco license; it requires a product authorization key (PAK) to activate and is non-transferable between devices. Classic licenses are used by 7000 and 8000 Series devices, ASA FirePOWER modules, and NGIPSv.

Cisco Smart Licensing is the newer form of licensing at Cisco. It allows you to manage a pool of licenses centrally. Unlike Classic licenses, Smart Licenses are not tied to a specific serial number or PAK. You activate a Smart License from the Firepower Management Center or the Firepower Device Manager. Your Smart Account holds the Smart Licenses that your company has purchased. Licenses must be in your Smart Account before you can see them in the Cisco Smart Software Manager (CSSM) and consume them. Your Cisco account representative or authorized reseller deposits your purchased licenses into your Smart Account, and may create your Smart Account for you.


To update the FMC OS (apply minor or major patches) and the Vulnerability Database (VDB), go to Updates > Product Updates. Make sure the FMC has Internet connectivity to the Cisco cloud.

Notice that no updates are available yet. You can either manually upload the patch by clicking + Upload Update or retrieve it from the Cisco cloud by clicking Download updates.


I've clicked Download updates in this case. This will take about 10 minutes depending on your FMC specs, the available updates on Cisco cloud and Internet speed.

Notice there are two Product Updates. I'll just install the Sourcefire Vulnerability and Fingerprint Database Updates since it doesn't require a reboot. Click Install.

Tick the FMC appliance. A pop-up message or warning will appear saying the operation might interrupt traffic inspection. Click OK > Install.

It's best practice to perform FMC updates in a change window and with low user traffic (usually at midnight).

You can verify the installation status by clicking on the green check icon beside the Deploy tab.

A Task Notification will be displayed saying the update was Successfully Installed.


To perform FMC rule update (IPS/Snort), go to System > Updates > Rule Updates.

You can also manually apply a one-time Rule Update by clicking Rule update or text rule file to upload and install > Browse for the file > Import.

Or you can click Download new rule update from the Support Site > Import.

You can also tick Enable Recurring Rule Update Import from the Support Site and schedule the Import Frequency. I set the Recurring Rule Update Import from the Cisco cloud to every Saturday at 12am.

I didn't tick or enable Policy Deploy. It's best practice to read the release notes first and test the new rules before deploying in production. Click Save.

To update the FMC Geolocation Database (GeoDB), which is used to identify the geographic location of routable (public) IP addresses, go to System > Updates > Geolocation Updates. Notice the Running geolocation update version: None.

Like the Rule Update, you can manually Upload and install geolocation update > Browse the file > Import.

Or perform a one-time geolocation update: tick Download and install geolocation update from the Support Site > Import.

Notice the note that geolocation database updates may be large and can take up to 45 minutes.

You can also perform Recurring Geolocation Updates: tick Enable Recurring Weekly Updates from the Support Site > under Update Start Time choose the day and time. Click Save.

Verify FMC task by clicking the green check icon.

It took me around 31 hours to install the geolocation database (due to my low VM specs). It's best practice to perform this task in a change window and at midnight when there's low traffic usage.


You can download a demo license (L-5506W-TAMC-E45D) for the Cisco ASA5506W-X FirePOWER from the Cisco Licensing Portal in order to enable the URL Filtering and Malware features.

To get the FMC License Key, go to System > Licenses > Classic Licenses (for an ASA with a FirePOWER module).


Click Add New License.

You can ask Cisco TAC for the Protect+Control license for free. Make sure to provide TAC the ASA Model Info (ASA5506W in this case).

I was initially provided with a wrong PROTECT+CONTROL License for an ASA5506 and wasn't able to apply Application Control Policy rules. Copy and paste the license key > Submit License.

Click Return to License Page (at the very bottom).

You should see a count of one (1) under Protection and Control Licenses. Click Add New License.

Copy and paste URLFilter and Submit License.

Do the same steps for MALWARE License.


TAC sent me the wrong PROTECTION+CONTROL License for the ASA5506 (without the W) twice, and I was then given the correct PROTECTION+CONTROL License for the ASA5506W but with a quantity of two.


To monitor FMCv appliance System Health, go to System > Health > Monitor.


You can view a Status Summary (with Count) of the FMCv appliance.


To modify the Health Policy, go to System > Health > Policy.


There's an initial Health Policy (its name is the date and time the FMC first booted up) > click edit (pencil icon) on the right.


Rename the initial Health Policy (FMCv_HEALTH_POLICY in this case). I'll just show the rest of the Health Policy options and leave the default values.

Click Save Policy and Exit towards the bottom of the page.

Notice the policy is out of date. You need to apply the new or edited Health Policy by clicking Apply (check icon) on the right.


Tick the FMCv appliance > Apply.


A pop-up message will show that the Health Policy was applied successfully. Refresh the web browser (or hit F5).

To view Health Event logs, go to System > Health > Events.

To temporarily disable Health Events/monitoring (for example, while performing system maintenance), go to System > Health > Blacklist.


Tick the FMC appliance > click Blacklist Selected Devices.


To create Health Alerts via email, SNMP, Syslog, etc., go to System > Health > Monitor Alerts.

To view System-related Audit logs, go to System > Monitoring > Audit.

To view Syslog, go to System > Monitoring > Syslog.

To view FMC appliance/system statistics, go to System > Monitoring > Statistics.