Date post: 15-Jan-2017
Upload: anwesh-dixit
Cisco ASA Firepower: Firepower Module

Page 1: Cisco ASA Firepower

Cisco ASA Firepower: Firepower Module

Page 2: Cisco ASA Firepower

ASA with Firepower Module

• The ASA Firepower module supplies next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP). You can use the module in single or multiple context mode, and in routed or transparent mode.

• The module is also known as ASA SFR.

• Although the module has a basic command line interface (CLI) for initial configuration and troubleshooting, you configure the security policy on the device using a separate application, FireSIGHT Management Center, which can be hosted on a separate FireSIGHT Management Center appliance or as a virtual appliance running on a VMware server. (FireSIGHT Management Center is also known as Defense Center.)

• For ASA Firepower running on ASA 5506-X devices, you can optionally configure the device using ASDM rather than FireSIGHT Management Center.

Page 3: Cisco ASA Firepower

Inline Mode

• In inline mode, traffic goes through the firewall checks before being forwarded to the ASA Firepower module. When you identify traffic for ASA Firepower inspection on the ASA, traffic flows through the ASA and the module as follows:

• 1. Traffic enters the ASA.
• 2. Incoming VPN traffic is decrypted.
• 3. Firewall policies are applied.
• 4. Traffic is sent to the ASA Firepower module.
• 5. The ASA Firepower module applies its security policy to the traffic and takes appropriate actions.
• 6. Valid traffic is sent back to the ASA; the ASA Firepower module might block some traffic according to its security policy, and that traffic is not passed on.
• 7. Outgoing VPN traffic is encrypted.
• 8. Traffic exits the ASA.

Page 4: Cisco ASA Firepower

Inline Tap Monitor-only Mode

• This mode sends a duplicate stream of traffic to the ASA Firepower module for monitoring purposes only. The module applies the security policy to the traffic and lets you know what it would have done if it were operating in inline mode; for example, traffic might be marked “would have dropped” in events. You can use this information for traffic analysis and to help you decide if inline mode is desirable.

Page 5: Cisco ASA Firepower

Passive Monitor-only (Traffic Forwarding) Mode

• To operate the ASA Firepower module as a pure Intrusion Detection System (IDS), where there is no impact on the traffic at all, we can configure a traffic forwarding interface. A traffic forwarding interface sends all received traffic directly to the ASA Firepower module without any ASA processing.

• The module applies the security policy to the traffic and lets you know what it would have done if it were operating in inline mode; for example, traffic might be marked “would have dropped” in events. You can use this information for traffic analysis and to help you decide if inline mode is desirable.

• Traffic in this setup is never forwarded: neither the module nor the ASA sends the traffic on to its ultimate destination. You must operate the ASA in single context and transparent mode to use this configuration.

Page 6: Cisco ASA Firepower

Initial Configuration

• 1. Enter the CLI of the ASA.

• If any other module is installed (the commands below remove the IPS module), uninstall it first:

    hostname# sw-module module ips shutdown
    hostname# sw-module module ips uninstall
    hostname# reload

• Then install the SFR boot image with the command below (if the image is not already on the ASA, download it from the Cisco site and upload it to disk0):

    hostname# sw-module module sfr recover configure image disk0:file_path
    hostname# sw-module module sfr recover configure image disk0:asasfr-5500x-boot-5.3.1-58.img

• 2. Load the image using:

    hostname# sw-module module sfr recover boot

• Once that is done, session to the image to get the Sourcefire command line (log in with user admin and password Admin123):

    hostname# session sfr console

• Type setup and configure the basic settings, then install the Sourcefire system package (download the package beforehand and keep it ready to be served over TFTP, FTP, or HTTP):

    system install tftp://IP-addr/asasfr-sys-5.3.1-44.pkg

Page 7: Cisco ASA Firepower

• 3. Once done, session to the Sourcefire module from the ASA console using session sfr in the ASA command line. Log in with the user admin and password Sourcefire. Complete the system configuration.

• Specify the FireSIGHT Management Center IP address (installation process below) using the following command. Note that you need the IP address and the registration key; you will need this key later when you add the device to FireSIGHT Management Center.

    configure manager add <ip address> <KEY>

• At this point, all future steps are done within FireSIGHT Management Center.

• 4. Now you need to build the FireSIGHT Management Center. You will need to download Virtual FireSIGHT / Defense Center for VMware, which comes as a .tar.gz file. Gunzip the .gz and then untar it. You should end up with a .vmdk file. Deploy the .OVF file in ESXi and set the basic network configuration.

• Once the OVA is deployed, open the console, log in with admin / Sourcefire, and run the command below to set the IP address and gateway; then access the Management Center from the browser.

    sudo /usr/local/sf/bin/configure-network

Page 8: Cisco ASA Firepower

• 5. The ASA with Sourcefire has 4 license offerings to be installed under System > Licenses.

• Go to System > Licenses > Add New License. Take the license key from there, enter it on the Cisco license portal together with your PAK to generate the license, and then apply it.

• 6. At this point, you should be able to add the Firepower services from the ASA. In the management GUI, go to Devices > Device Management, click the Add button and select Add Device. You will be asked for the IP address of the Sourcefire module inside the ASA and, in the Registration Key field, the key you made up earlier. Check which licenses you want to apply (assuming you loaded some before this) and click Add.

Page 9: Cisco ASA Firepower
Page 10: Cisco ASA Firepower

• 7. There are other steps to setting up FireSIGHT, such as building access control policies, enabling network discovery to see what’s on the network, and so on (discovery is found under Policies > Network Discovery; add a rule there to specify the entire network). Before doing that, you should go back to your ASA and configure traffic to redirect through the Firepower component of the ASA.

• NOTE: Without redirecting traffic through Sourcefire, the ASA will just act as a firewall, meaning traffic will not be seen by the Sourcefire software inside.

Page 11: Cisco ASA Firepower

• 8. Access ASDM and select Configuration > Firewall > Service Policy Rules. Next select Add > Add Service Policy Rule. Click Next. The Add Service Policy Rule Wizard – Traffic Classification Criteria dialog box appears. Provide the basic info, and on the next page select the ASA Firepower Inspection tab. Check the Enable ASA Firepower for this traffic flow check box. Select whether you want to permit traffic if Sourcefire fails. Click Finish.

• Alternatively, you can use the commands below from the ASA CLI to redirect specific or all traffic to the module. The class below matches all traffic; sfr fail-open lets traffic through if the module is unavailable (sfr fail-close drops it instead):

    class-map global-class
     match any
    policy-map global_policy
     class global-class
      sfr fail-open
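The note above says that without this redirection the ASA is just a firewall and the module sees nothing, and Pages 3 and 4 describe the inline and inline-tap modes the redirect can select. The following added example (not part of the slides, and not Cisco code) is a small audit script that reads an ASA running-config excerpt and reports whether an sfr redirect exists, whether it is fail-open or fail-close, whether it is inline or inline tap (the monitor-only keyword), and whether the policy-map is actually applied with a service-policy line. The config text is constructed for the example; the class and policy-map names mirror the slide.

```python
"""Audit an ASA running-config for SFR (Firepower module) traffic redirection.

Added example, not from the slides: checks the class-map / policy-map /
service-policy structure that the slides configure via ASDM or the CLI.
Reports NO_REDIRECT when no class carries an `sfr` action, CONFIGURED_NOT_APPLIED
when an sfr action exists but its policy-map is never applied, and otherwise
"<inline|inline-tap>:<fail-open|fail-close>:<global or interface>".
"""
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not a real device dump). ASA indents a
# class under a policy-map by one space and the class's actions by two.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map global-class
 match any
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect http
 class global-class
  sfr fail-open
!
service-policy global_policy global
"""

SFR_ACTION = re.compile(r"sfr\s+(fail-open|fail-close)(\s+monitor-only)?")
SERVICE_POLICY = re.compile(r"^service-policy\s+(\S+)\s+(global|interface\s+\S+)\s*$", re.M)


@dataclass
class SfrRedirect:
    policy_map: str
    class_name: str
    fail_mode: str                  # "fail-open" or "fail-close"
    monitor_only: bool              # True = inline tap (copy of traffic), False = inline
    applied_to: list = field(default_factory=list)   # "global" or interface names


def parse_sfr_redirects(config: str) -> list:
    """Return every policy-map class that hands traffic to the SFR module."""
    redirects = []
    current_pm = None
    current_class = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indent = len(line) - len(line.lstrip())
        tok = line.split()
        if indent == 0:
            # A new top-level block; only policy-map blocks matter here.
            current_pm = tok[1] if tok[0] == "policy-map" and len(tok) > 1 else None
            current_class = None
            continue
        if current_pm is None:
            continue
        if indent == 1 and tok[0] == "class" and len(tok) > 1:
            current_class = tok[1]
        elif indent == 2 and tok[0] == "sfr" and current_class:
            m = SFR_ACTION.fullmatch(line.strip())
            if m:
                redirects.append(SfrRedirect(current_pm, current_class,
                                             m.group(1), bool(m.group(2))))
    # A policy-map only takes effect once a service-policy line applies it.
    for m in SERVICE_POLICY.finditer(config):
        target = m.group(2)
        for r in redirects:
            if r.policy_map == m.group(1):
                r.applied_to.append("global" if target == "global" else target.split()[1])
    return redirects


def redirect_status(config: str) -> str:
    """One-line verdict: is traffic really reaching the module, and how?"""
    redirects = parse_sfr_redirects(config)
    if not redirects:
        return "NO_REDIRECT"
    active = [r for r in redirects if r.applied_to]
    if not active:
        return "CONFIGURED_NOT_APPLIED"
    r = active[0]
    mode = "inline-tap" if r.monitor_only else "inline"
    return f"{mode}:{r.fail_mode}:{','.join(r.applied_to)}"


if __name__ == "__main__":
    print(redirect_status(SAMPLE_CONFIG))
```

Run it against the output of show running-config from a real ASA; a CONFIGURED_NOT_APPLIED result is the easy-to-miss case where the service policy rule was built but never attached, which leaves the ASA acting as a plain firewall exactly as the note warns.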

Page 12: Cisco ASA Firepower

SOURCEFIRE USER AGENT

• A. Download link for the SFR User Agent: Link

• 1. Download the User Agent setup file (Sourcefire_User_Agent_2.2-9_Setup.zip) from the Support Site.

• 2. Copy the setup file to the Windows computer where you want to install the agent and unpack the file. The agent requires 3 MB free on the hard drive for installation. Cisco recommends you allocate 4 GB on the hard drive for the agent local database.

• 3. Open the setup executable file (Sourcefire_User_Agent_2.2-9_Setup.exe).

• 4. If you do not have both Microsoft .NET Framework Version 4.0 Client Profile and SQL CE Version 3.5 installed on the Windows computer where you install the agent, you are prompted to download the appropriate files. Download and install the files.

• 5. Follow the prompts in the wizard to install the agent.

• You can install an agent on any Microsoft Windows Vista, Windows 7, Windows 8, Windows Server 2003, Windows Server 2008, or Windows Server 2012 computer with TCP/IP access to the Microsoft Active Directory servers you want to monitor. You can also install on an Active Directory server running one of the supported operating systems.

Page 13: Cisco ASA Firepower

• B. After the User Agent is installed on your AD server, perform the steps below so that the UA receives the data and sends it to the DC.

• 1. To verify that the Active Directory server is logging login data:

• a. On the Active Directory server, select Start > All Programs > Administrative Tools > Event Viewer.

• b. Select Windows Logs > Security. If logging is enabled, the Security log displays.

• c. If logging is disabled, see http://technet.microsoft.com/en-us/library/cc779487(v=ws.10).aspx for information on enabling security logging.

Page 14: Cisco ASA Firepower

• 2. To allow the agent to communicate with the Active Directory server:

• a) Enable the Remote Administration firewall rule on the Active Directory server. You have the following options:

• b) If the Active Directory server is running Windows Server 2003, see http://technet.microsoft.com/en-us/library/cc738900%28v=ws.10%29.aspx for more information.

• c) If the Active Directory server is running Windows Server 2008 or Windows Server 2012, see http://msdn.microsoft.com/en-us/library/aa822854%28VS.85%29.aspx for more information.

Page 15: Cisco ASA Firepower

• 3. To grant the agent permission to retrieve login data:

• a) Enable RPC on the Active Directory server for the user. You have the following options:

• If the Active Directory server is running Windows Server 2008 R2 or Windows Server 2012, and the user is not a member of the Administrators group, grant the user DCOM remote access, remote launch, and activation permissions. See http://msdn.microsoft.com/en-us/library/Aa393266.aspx for more information.

• b) If the Active Directory server is running any other supported version of Microsoft Windows, RPC is already enabled.

Page 16: Cisco ASA Firepower

• 4. To grant the agent permission to retrieve logoff data:

• a) Grant the created user Administrator privileges to ensure the user can log into all workstations that authenticate against the Active Directory server.

• 5. To grant the agent permission to access the security logs:

• a) Grant the created user full permissions to the WMI Root/CIMV2 namespace on the Active Directory server. See http://technet.microsoft.com/en-us/library/cc787533%28v=WS.10%29.aspx for more information.

• 6. Enable the options below.

• a. Windows Settings > Security Settings > Local Policy Configuration > Audit Policy > Audit Logon/Logoff > Success

• b. Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy > Audit Logon/Logoff > Success

• Note: After all the changes, update the group policy.

Page 17: Cisco ASA Firepower

• 1. Open the UA window.

Page 18: Cisco ASA Firepower

• 2. Go to AD Servers and add your AD server. If the UA is installed on the AD server itself, give localhost as the IP; otherwise give the real IP address of the AD server and the login details.

Page 19: Cisco ASA Firepower

• 3. On the Sourcefire DC Tab add the DC IP.

Page 20: Cisco ASA Firepower

• 4. Tick the Show debug and log messages option and save.

Page 21: Cisco ASA Firepower

Management Center

Page 22: Cisco ASA Firepower

Dashboard

Page 23: Cisco ASA Firepower
Page 24: Cisco ASA Firepower
Page 25: Cisco ASA Firepower
Page 26: Cisco ASA Firepower

Rule Set

Page 27: Cisco ASA Firepower
Page 28: Cisco ASA Firepower
Page 29: Cisco ASA Firepower

Access Control policy

Page 30: Cisco ASA Firepower

Network Discovery Policy

Page 31: Cisco ASA Firepower

Intrusion Policy

Page 32: Cisco ASA Firepower

File Policy

Page 33: Cisco ASA Firepower

Device Management

Page 34: Cisco ASA Firepower

Management Center License

Page 35: Cisco ASA Firepower

Connection Logs

Page 36: Cisco ASA Firepower

Thank you