To operate a FirePOWER Module in a Cisco ASA there are specific steps that must be followed to allow communication with the FireSIGHT management center. This article details that process.
The Cisco Adaptive Security Appliance (ASA) can run a software or hardware module known as FirePOWER or SFR (short for Sourcefire) module. The FirePOWER module for the Cisco ASA provides several next-generation firewall services. In fact, some of its capabilities directly overlap with what the ASA can do on its own. Without going into the details, I will say this: If you have FirePOWER module, I would recommend using its features rather than the ASA's, as the FirePOWER module is centrally configured and tends to get more frequent updates.
The FirePOWER module makes decisions on what traffic is good and bad, but it's the ASA that enforces the decision. So we first need to send traffic to FirePOWER so it can make those decisions, and second, we need to have a policy on the FirePOWER module that gives it decisions to make. The thing is, the FirePOWER requires that we use a management center known as the FireSIGHT Management Center (FMC) to configure it. In this post I'll show you how to get FirePOWER registered with a management center. In this case we are using the Virtual FireSIGHT Management Center.
Virtual FireSIGHT Management Center
The Virtual FireSIGHT Management Center (FMC) can be downloaded from Cisco and deployed as an open virtual application (OVA) in your VMware environment. Once deployed, there is a bit of setup that you need to do on the virtual appliance, but once you log into the web interface, you can set the system policy as well as the IPS policies, file policies, and so on. In terms of the FMC, the FirePOWER is known as a managed device. You'll need to add the managed device to the FMC and assign a license. Yep, everything gets a license. In the following image you can see the ASA being added to the FMC. When you add the ASA it will consume the licenses you select.
Note: The licensing process for an ASA is not the most clear-cut method. You will need to generate a PAK file and submit that to Cisco. That PAK, along with the license number from the FMC ,will generate the Protect & Control license which is perpetual. From there you will need to additionally license IPS and URL filtering. For details on how to license an ASA for FirePOWER services, see the user guide.
FirePOWER module configuration
I'm going to assume that you have an ASA that is already configured and has the basics of network connectivity already established. This includes network address translation and routing along with anything else that makes your ASA tick. Additionally, there are some slight differences between the hardware model of the ASA and how communication for the FirePOWER module works. The big takeaway here is that the management interface of the ASA is used to communicate with the FMC. This is a management-only interface that does not route traffic, so you'll point to a gateway and the FMC needs to be reachable on that network.
The command line interface of the FirePOWER module is limited. It resembles a Linux shell and there really isn't much to do there. The configuration on the FirePOWER module requires the following command:
> configure manager add <hostname | IPv4_address | IPv6_address | DONTRESOLVE> reg_key <nat_id>
For example, my demo environment would be configured like this:
> configure manager add 172.16.20.10 cisco123 Manager successfully configured.
This command defines the address or hostname of the FMC. You can look at this as an access rule that says; "This manager is allowed to talk to me and I will apply whatever configuration it says." We can verify the manager configuration by issuing the following command:
> show managers Host : 172.16.20.10 Registration Key : cisco123 Registration : pending RPC Status :
As mentioned previously in this article, you must also add the SFR to the FMC and assign a license.
Adding a device to FMC and applying basic policy
You'll first need to log into the FMC:
Once logged in you need to navigate to Devices>Device Management.
Next Click Add>Add Device.
Enter the required information and select Default Access Control Policy. This will apply a default access control policy to the module so that something is getting filtered once the ASA sends traffic to the module.
Now select the licenses you want to apply. By first selecting Protection, the remaining check boxes become active if you have available licenses for them.
Click Register and the device is added to the FMC and basic policy is applied to the module. The next bit of configuration is to forward traffic to the module for inspection.
If you don't have the same version FMC as the module you will get an error so be sure to watch your versions:
Forward traffic for inspection
To forward traffic to the module you use a policy-map. Apply the following configuration to the ASA CLI, not the module:
policy-map FP-Policy class class-default sfr fail-open service-policy FP-Policy interface inside
Once applied, traffic on the inside interface will be sent to the module for inspection.
At this point you're in business and the FireSIGHT management center is watching the traffic that passes through the module. You'll get some decent reporting, and as far as protection to the network goes, it's pretty extensive. And while there's still much more to learn about the FirePOWER module and FireSIGHT management center, this gets you a basic configuration that provides some general protection. As time goes by, you'll likely want to customize the policies and that's all done in the FMC.