Configure Cisco ASA5506 For Proof Of Value With FirePOWER 6.0

This post will cover how to use a ASA5506 to test FirePOWER functions only using ASDM and command line. Best practices is to leverage a centralized manager however some people have asked if its possible to use the new ASDM management functions meaning performing a Proof of Value (POV) only using a single Cisco ASA5506. The steps will be similar to the recommended way however all management will happen in ASDM.

I posted about setting up a standard FirePOWER POV HERE. Using the standard approach IE having a separate manager offers more functions such as the built in vulnerability scanner and auto IPS tuning. Also the list price for a VM manager for up to two ASAs is dirt cheap. Regardless, some may want to stick with the ASDM manager. For those people, this post is for you. To summarize what is required, the following should be used.

  1. Cisco ASA5506 with the latest ASA software. I use (9.52) at the time of writing
  2. FirePOWER 6.0 however 5.4 would work as well. Any version prior to this does not have the ASDM built in FirePOWER management capabilities. Also note 5.4 ASDM functionality is only available in a few models while the remaining ASA models have FirePOWER functionality in ASDM starting with 6.0.
  3. The latest ASDM software. I use 7.52 at the time of writing.

Start off by powering up the ASA5506. Follow the guide to get access to ASDM. Here is a post on that HERE. Once in ASDM, you can use the Startup Wizard to get basic network access.

wizards1From there, use the upgrade tool that leverages your existing Cisco CCO account to upgrade both the ASA and ASDM software to the latest version.

upgradewizard1Now you need to install the FirePOWER software if it already isn’t setup. Follow this blog post regarding a new install HERE. Follow this blog post if you are running 5.4 and need to upgrade to 6.0 HERE.

At this point, you should see FirePOWER running on your ASA. I will point out one lesson learned from installing a new FirePOWER 6.0 setup on a 5506 is there is a LONG delay after you install the core .pkg software. For my lab, I first installed the .img software and when consoling to the FirePOWER software, I found there was a 5-10 minute delay before I could configure things. Next I setup the network and installed the actual FirePOWER system software IE the .pkg software. When I consoled into that after it installed, it hung for around an hour before it finally prompted me with the configuration page. Be aware of that delay and don’t reboot it or you will have to do the entire process again. I only experienced this on my 5506 and have only done this on a single 5506. Other model sizes I installed /upgraded didn’t do this and I don’t have another 5506 so not sure is this is just something weird with my ASA5506.

Once the FirePOWER system reboots, you should be able to access ASDM and see that the FirePOWER tabs are included on the dashboard. firepowerTabsFrom here you can either follow my blog post on setting up FirePOWER using the centralized manager or go with ASDM. If you go with the centralized manager, you won’t be able to configure FirePOWER features with ASDM and should stop reading this post from here on. Lets go with ASDM for this post.

Click the Configuration Tab and you should see the ASA FirePOWER Configuration tab is now available. Click that.

ASDM_FirePOWER1Now you will see FirePOWER options on the action window. Click Updates under Local to see options.

FirePOWERASDM2There will be three tabs for updates. The first is minor updates. Anything major such as upgrading from 5.4 to 6.0 will not show here however minor updates such as 6.0 to 6.01 would appear as well as other types of updates. See available updates by clicking the Download Update button. In my example, I brought up the Vulnerability and Fingerprint Database. Click the package button to install any updates. They will appear in the task window. Next click the Rule Updates tab and set a time for ongoing updates as well as click the Download new rule updates from support site to get a update now. Lastly, click the Geolocation Updates tab and do the same IE set a on going update time as well as update it now.

FirePOWERASDM3Once things are updated, next click the License option found under the Updates option on the left window. If you are not licensed, click the Add New License button. You will need to use the manager license key to have keys generated by Cisco if you are doing temporary testing (see this blog post for more info HERE). Once licensed, you should see something like showing which licenses your ASA5506 is setup for. FirePOWERASA6Next click the Policies tab on the left and select Intrusion Policy then Intrusion Policy. This is where you create a IDS/IPS policy. ASAFirePOWER10Click the Create Policy button and give it a name. The default balance of security and connectivity is a good starting point. You can tune the IPS by clicking the rules tab. For example, you can searching for malware to bring up those rules, click the green arrow to bring up options and select Drop and Generate Events. Do the same for blacklist, PUA, Indicator of Compromise, and Exploit Kit. Click back to the Policy Information and apply your changes.

ASAFirePOWER20Now that your IPS policy is ready, lets setup a AMP policy IE detecting day zeros. Start with selecting Files found under the Intrusion Policy option on the left. This should be blank so click New File policy to create a new policy. Give it a name and click OK. Now click Add File Rule. For the first rule, we will select the action of Detecting Files. Next you will select each File Type Category and select the top option for all File Types so we get all file types added. The next example should be how it looks once configured. FirePOWERTestPolicy1Apply that and now lets crate a second file rule by again clicking Add File Rule. This time we will do the same thing however use the action of Malware Cloud Lookup. Go through getting all file types added and save that. Now you should have two file rules under your file policy as shown. TestFIlePolicy2Now lets create an Access Control Policy by selecting that on the left tab under Policies. Click the Add Rule button to bring up access control options. The first rule will be created just to trigger application and URL data. Set the action as Monitor and click the URL tab. Select any category and click save. Again, the idea is just to trigger the ASA to capture data at this point. FirePOWERAccessControl1Now lets create a new rule that leverages our IDS/IPS and AMP policies. Leave the Action as allow and select the Inspection tab. Choose the IPS policy you created for the Intrusion Policy and AMP policy you crated for the File Policy. Click the Logging tab and select to log at the End of Connection. Click save.

ASAAccessRule20Now click Store ASA FirePOWER Changes found at the bottom of the access control page. You screen should look like this. ASAFirePOWERAccesscontrol30Next lets define your network you will be evaluating. Select the Object management option on the left, select Network and select Individual Objects. The default setting will have a few generic networks. Click the pencil to edit this. Give it a name and delete the existing networks. Add only your inside networks. This way FirePOWER will consider these inside addresses while everything will be considered the outside. Here is an example of adding the network. FirePOWERObject1This should give you a basic configuration to test your ASA with FirePOWER. There are different deployment methods to get data through the solution. One option is using a passive approach by placing the ASA into a Transparent firewall configuration. With this approach, you would provide a single IP address to the management interface needed to hit ASDM and setup a interface to be a enabled for reading from a switch port setup as a tap. FirePOWER would have its own IP address so make sure those are there or you won’t be able to manage everything in ASDM. The advantages of this approach is you can stick the ASA onto a network and see data without interrupting anything. The disadvantage is you can’t block anything since you are just viewing a copy of network traffic. Here is a diagram of this design. TransparentFirewallDeploymentThe other approach is going with a inline deployment. This requires setting up your inside and outside address and making sure you properly move traffic through the ASA. The advantage is you can block things however make sure to start with testing in a lab verses doing this POV on system with active users.

Happy testing.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.