I finally received a brand new ASA5506 and thought I would share my experience along with the new FirePOWER ASDM GUI. For those that are not aware of this release or the ASA series, the history goes like this. Cisco released the VPN concentrator and PIX firewall a long time ago. Eventually those technologies were consolidated into the Adaptive Security Appliance (ASA) series of appliances. The smallest 1st generation ASA is the 5505, which has been around for a long time and is designed for small offices or home networks (shown in the above picture on the right). Cisco released a new line of ASA appliances known as the X series, but didn’t release a replacement for the 5505 until this past March. That replacement is the ASA5506 (the black appliance on the left).
The value of the 5506 compared to the 5505 is that it can run the new FirePOWER technology just like all other versions of the ASA X series appliances (more on that HERE). FirePOWER gives you Application Visibility and Control, enterprise-level IPS, URL filtering and end-to-end breach detection from network to endpoint. You also don’t have to buy any physical modules like you did with the first generation of ASA hardware, since the X series has a virtual space that hosts these new features. This is similar to hosting virtual systems within hardware. Details on the ASA5506 and the rest of the ASA X series can be found HERE.
NOTE: The major new feature with this platform release is ASDM can manage certain FirePOWER features so you don’t have to own FireSIGHT management center. I’ll show the new ASDM interface in this post.
So the first thing I did after unboxing the 5506 was compare it to the 5505. As you can see from the pictures, the 5506 is slightly longer and “batman” black, as I like to call its color. It does not have a fan, so it’s silent when powered up. The power adapter is different from the 5505, but it takes a standard power cable, so at least you don’t need that funky three-prong power cable anymore. The next images compare the 5505 and 5506 power adapters. The 5506 is the one with the white end. The power cable is standard stuff.
Next I powered it up. It’s crazy how quiet it is. After a minute or two I plugged in a console cable and configured the 5506 for my network. A YouTube video covering the basic steps to configure an ASA from the command line so you can access the GUI management known as ASDM can be found HERE. For my deployment, I’m going transparent mode so my ASA with FirePOWER can act as a security assessment tool reading data off of a SPAN port. This means my management interface will have an IP address, while the interface monitoring traffic from the SPAN port will use the following commands.
- interface GigabitEthernet1/1
- no nameif
- traffic-forward sfr monitor-only
- no shut
Once inside ASDM, I noticed the interface is similar to the previous versions however the FirePOWER service tab is already there and ready to be accessed.
When I click the tab, I see the following warning message stating I need to either configure the FirePOWER system locally or use an external manager.
Before messing with FirePOWER, I went ahead and used the ASDM upgrade wizard to upgrade to the latest 9.3.3 ASA version and ASDM 7.4. This took about 5 minutes to complete including the reboot.
Next I want to enable FirePOWER. From the command line I can type session sfr to bring up the FirePOWER module that runs inside the ASA. It has its own command line, CPU, etc. and is already installed but needs to be configured. The login for the ASA5506 FirePOWER module is username admin and password Sourcefire. Once inside, a wizard walks me through the basic network setup of the Sourcefire module. Once complete, when I look back at ASDM, the FirePOWER tabs appear, but I’m not seeing data yet.
Next I need to license the FirePOWER features. I find this by going under Configuration and selecting Licenses. I can apply licenses just like when licensing a FirePOWER appliance using the FireSIGHT manager, but from ASDM. I applied a URL and an AMP license. All configuration options for the FirePOWER features are found on the left tab titled ASA FirePOWER Configuration.
Next I can click Updates and apply all updates to the system. For those that are familiar with configuring FirePOWER using FireSIGHT manager, this should look very familiar. I can see the tasks as it updates the signatures, geolocation data and system software from 5.4.0 to 5.4.1 by clicking the Task Status link. The 5.4.1 update took about 40 minutes to complete.
From here I can set up a URL policy to block or monitor websites, an IPS policy to look for threats and a file policy to look for zero-day breaches on my network. The next screenshot shows the IPS configuration listing thousands of IPS rules. I tuned mine for things like malware, botnets, etc. Again, those familiar with configuring FireSIGHT will see this is very similar looking. This is an enterprise-level IPS with many tuning options.
The file policies control what goes to the cloud and what is looked at locally for zero-day detection. This means every file seen by my ASA will be given a hash and evaluated through the cloud and locally for malicious behavior.
I went ahead and set it up to monitor for any adult, gambling, hate and a few other website categories. I also tuned it to know what is my internal network versus outside networks. Once my policies were set up, the last step was setting up the ASA to use a policy map to send traffic from the ASA through the FirePOWER solution. This is done by creating a global policy map, selecting all traffic, clicking the ASA FirePOWER Inspection tab and enabling the traffic flow through the FirePOWER function. Notice you can set it to fail open or closed.
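For reference, here is the CLI equivalent of the two ASA pieces described above (the SPAN-fed monitor interface and the global policy map that hands traffic to the sfr module). This is an added example, not the configuration from the original post; the interface name and policy-map name are assumptions, and the fail-open/fail-close choice mirrors the ASDM checkbox mentioned above.

```text
! Constructed example of the ASA-side configuration, not the author's running config.
! 1) Passive interface fed by a SPAN port: no nameif, traffic is copied to the
!    FirePOWER (sfr) module for inspection only and never forwarded by the ASA.
interface GigabitEthernet1/1
 no nameif
 traffic-forward sfr monitor-only
 no shutdown
!
! 2) Global policy map: send all traffic the ASA itself forwards through sfr.
!    "fail-open" keeps passing traffic if the module is down or busy;
!    "fail-close" drops it instead (safer, but an outage in the module becomes
!    a network outage). Pick the one that matches your risk tolerance.
policy-map global_policy
 class class-default
  sfr fail-open
!
service-policy global_policy global
!
! Verification (assumed command names from ASA 9.x):
!   show module sfr details      -> module status should be "Up"
!   show service-policy sfr      -> packet counters increase as traffic flows
```

Note that the monitor-only interface is inspected regardless of the policy map; the policy map only governs traffic that passes through the ASA's named interfaces.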
Once traffic is flowing, I can go back to the main ASDM dashboard and check out the traffic being seen by my ASA 5506 running FirePOWER as a transparent network tap. Pretty cool stuff. The next screenshot is using the ASDM FirePOWER dashboard to get an idea of what type of traffic is being seen on my network after running for a few minutes.