Cisco FirePOWER Services for the ASA


Cisco FirePOWER Services Module Configuration to Get Started

Most ASA platforms purchased today ship with the Cisco FirePOWER Services module. It adds the security features the ASA platform itself doesn't provide, such as IPS/IDS, Advanced Malware Prevention (AMP), and URL filtering. These features require licenses once the free 90-day trial ends. Even without the licenses, you can still monitor traffic in the Firepower Management Center and see what is happening on your network.

If you decide to use the FirePOWER Services software module, it needs some configuration before it does anything. First upgrade the SFR module to a known good, stable version. Then manage the module either through ASDM or through the Firepower Management Center Virtual Appliance.

Divert traffic from the ASA to the FirePOWER module.

a) Configure an access-list that defines the traffic to send from the ASA to the FirePOWER module (here, all traffic):

    access-list FIREPOWER-TRAFFIC extended permit ip any any

b) Define the class-map and match on the access-list configured in the previous step:

    class-map global-class
     description Traffic to Send to FirePOWER for Analysis
     match access-list FIREPOWER-TRAFFIC

c) Add the class to the global policy-map and redirect the matched traffic to the SFR module in inline mode (this is the normal operation; "fail-open" means the ASA keeps forwarding traffic if the module goes down):

    policy-map global_policy
     class global-class
      sfr fail-open

d) Make sure the policy-map is applied globally:

    service-policy global_policy global
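All four pieces above must be present, and linked to each other, before any traffic reaches the module. The following added Python check (not from the original post, and not a Cisco tool) parses the text of `show running-config` and reports which link of the chain is missing; the sample configurations at the bottom are constructed to mirror the steps above.

```python
import re  # added example, not the post's own code: audits the ASA-to-SFR redirect chain

def parse_blocks(config):
    """Group ASA config into {top-level line: [sub-lines]}; sub-lines are indented."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and raw.strip() and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip() and not raw.startswith(("!", " ")):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def check_sfr_redirect(config):
    """Return findings (strings); an empty list means every link of the chain is present."""
    blocks, findings = parse_blocks(config), []
    # 1. which policy-map is applied globally ('service-policy <name> global')?
    pm = [m[1] for k in blocks if (m := re.match(r"service-policy (\S+) global$", k))]
    if not pm:
        return ["no 'service-policy <name> global' statement: nothing is redirected"]
    # 2. walk that policy-map for a class carrying an 'sfr' action
    sfr_class = current = None
    for line in blocks.get(f"policy-map {pm[0]}", []):
        if line.startswith("class "):
            current = line.split()[1]
        elif line.startswith("sfr ") and current:
            sfr_class = current
            if "monitor-only" in line:  # passive copy of traffic, not inline inspection
                findings.append(f"class {current}: sfr is monitor-only, not inline")
    if sfr_class is None:
        return [f"policy-map {pm[0]} has no class with an 'sfr' action"]
    # 3. the class-map must match an access-list that is actually defined
    acls = [ln.split()[-1] for ln in blocks.get(f"class-map {sfr_class}", [])
            if ln.startswith("match access-list ")]
    if not acls or not any(k.startswith(f"access-list {acls[0]} ") for k in blocks):
        findings.append(f"class-map {sfr_class} does not match a defined access-list")
    return findings

# Constructed sample that mirrors the post's configuration (one-space ASA indentation).
GOOD_CONFIG = """\
access-list FIREPOWER-TRAFFIC extended permit ip any any
class-map global-class
 match access-list FIREPOWER-TRAFFIC
policy-map global_policy
 class global-class
  sfr fail-open
service-policy global_policy global
"""
BROKEN_CONFIG = GOOD_CONFIG.replace("service-policy global_policy global\n", "")  # step d) forgotten
```

Running `check_sfr_redirect` on a pasted running-config returns an empty list when the redirect is complete, otherwise a message naming the missing or weakened link.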


Accessing the Cisco Firepower Management Center through the GUI:

Access it through the web GUI by going to https://x.x.x (the management address of the Firepower Management Center).

 

After logging in, add the SFR module by going to Devices -> Device Management -> Add Device; enter the module's IP address and registration key, and choose the base Access Control Policy. See the snapshot below for the required fields:

Snapshot: Cisco FirePOWER Services - Add a Device

Firepower Services ships with a default base policy that is enough for basic monitoring and getting started. Once the device is added, define security zones for its interfaces under the Interfaces tab. See the snapshot below:

Snapshot: Cisco FirePOWER Services - Interfaces Configuration

Deploy the changes by selecting "Deploy", selecting the target device, and clicking "Deploy" at the bottom of the screen.

This initial configuration gets the Cisco FirePOWER Services module monitoring and analyzing the traffic that passes through it.

Contact us here for any questions that you may have about this blog.
