Cisco Secure Firewall ASDM Configuration Guide

Category
Networking
Type
Configuration Guide

This manual is also suitable for

Cisco ASA with FirePOWER Services Local Management Configuration
Guide, Version 6.6
First Published: 2020-03-24
Last Modified: 2020-03-24
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND
RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL
RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the
UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED
SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS
OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
©2020 Cisco Systems, Inc. All rights reserved.
CHAPTER 1
Get Started Using ASA with FirePOWER Services
The Cisco ASA FirePOWER module can be deployed on select Cisco ASA 5500-X series appliances. For detailed
information, see the
Cisco Firepower Compatibility Guide
. The module is designed to help you handle network
traffic in a way that complies with your organization’s security policy.
This guide provides information about configuration of the features and functionality of the ASA FirePOWER
module, accessible using the Adaptive Security Device Manager (ASDM).
Alternatively, to manage an ASA with FirePOWER Services device using the Firepower Management Center,
see the
Cisco Firepower Management Center Configuration Guide
.
•Quick Start: Basic Setup, on page 1
•ASA With FirePOWER Services Devices, on page 4
•ASA With FirePOWER Services Features, on page 4
•Firepower Online Help and Documentation, on page 6
•Firepower System IP Address Conventions, on page 7
•Additional Resources, on page 7
Quick Start: Basic Setup
To get started setting up your ASA with FirePOWER Services device, see the Cisco ASA FirePOWER Module
Quick Start Guide. The Quick Start Guide walks you through the entire setup process, including:
1. Deploy ASA with FirePOWER Services.
Skip the section on registering ASA with FirePOWER Services with Firepower Management Center to manage
ASA with FirePOWER Services using ASDM.
Note
You can manage any particular appliance using either the Firepower Management Center or using ADSM but
not both.
Switching management methods erases the existing appliance configuration
.
Caution
2. Start ASDM.
3. Configure ASA with FirePOWER Services.
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
1
Set Up Policy and Basic Configuration
Before you begin
Initially configure the ASA with FirePOWER Services module as discussed in Quick Start: Basic Setup, on page
1.
Step 1 Start ASDM and log in to the ASA with FirePOWER Services module as discussed in its Quick Start Guide.
Step 2 In the top navigation bar, click Configuration.
Step 3 On the side navigation bar, click ASA FirePOWER Configuration.
The configuration page is displayed as follows.
Step 4 Create the access control policy as discussed in Creating a Basic Access Control Policy, on page 65.
a) Expand Policies.
b) Click Access Control Policy.
c) Click ASA with FirePOWER.
The policy page is displayed as follows.
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
2
Get Started Using ASA with FirePOWER Services
Set Up Policy and Basic Configuration
d) In most cases, for Default Action, we recommend choosing Intrusion Prevention: Balanced Security and Connectivity.
Step 5 Customize other common settings:
a) Managing ASA FirePOWER Module Interfaces
b) Configuring the Access List for Your Appliance
c) Viewing and Modifying the Appliance Information
d) To use Advanced Malware Protection, Enabling Cloud Communications
e) Stream logs to a Creating a Syslog Alert Response or Creating an SNMP Alert Response using external alerts
f) Automating Backup Jobs
g) Automating Software Downloads
h) Automating Software Installs
i) Using Recurring Rule Updates
j) Automating URL Filtering Updates
k) Automating Geolocation Database Updates
What to do next
Configure ASA options as discussed in the Cisco Adaptive Security Device Manager Configuration Guides.
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
3
Get Started Using ASA with FirePOWER Services
Set Up Policy and Basic Configuration
ASA With FirePOWER Services Devices
ASA with FirePOWER Services devices are also referred to as
Next Generation Intrusion Prevention (NGIPS)
devices. These devices run NGIPS software on an ASA device.
The ASA device provides the first-line system policy, then passes traffic to an ASA FirePOWER module for
discovery and access control.
ASA FirePOWER has a user interface and a command line interface (CLI) unique to the ASA platform. You use
these ASA-specific tools to install the system and to perform other platform-specific administrative tasks.
ASA FirePOWER does not support the following Firepower features:
•Features for Firepower hardware: Use the ASA CLI and ASDM to configure device high availability,
stacking, switching, routing, VPN, NAT, and so on. See the ASA documentation for more information.
•Interface configuration: You
cannot
use the Firepower Management Center web interface to configure
ASA FirePOWER interfaces. The Firepower Management Center does not display ASA interfaces when
the ASA FirePOWER is deployed in SPAN port mode.
•Process management: You
cannot
use the Firepower Management Center to shut down, restart, or
otherwise manage ASA FirePOWER processes.
ASA With FirePOWER Services Features
This section lists some commonly used ASA With FirePOWER Services features.
Appliance and System Management Features
To locate unfamiliar documents, see the documentation roadmap.
As discussed in...Configure...If you want to...
Using Backup and Restore, on page
503
Backup and restoreBack up data on your appliance
Updating ASA FirePOWER Module
Software, on page 475
Software updatesUpgrade to a new software version
•Cisco ASA and Firepower
Threat Defense Reimage
Guide
•Section on reimaging the
FirePOWER module in the
Cisco Adaptive Security
Device Manager Configuration
Guides
Restore to factory defaults
(reimage)
Baseline your appliance
Cisco Adaptive Security Device
Manager Configuration Guides
High availabilityEnsure continuity of appliance
operations
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
4
Get Started Using ASA with FirePOWER Services
ASA With FirePOWER Services Devices
As discussed in...Configure...If you want to...
Understanding Update Types, on
page 475
Vulnerability Database (VDB)
updates, intrusion rule updates, or
Geolocation Database (GeoDB)
updates
Update the VDB, intrusion rule
updates, or GeoDB on your
appliance
Understanding Licensing, on page
469
LicensingApply licenses in order to take
advantage of license-controlled
functionality
ASDM Configuration GuidesRoutingConfigure a device to route traffic
between two or more interfaces
Cisco Adaptive Security Device
Manager Configuration Guides
Network Address Translation (NAT)Translate private addresses into
public addresses for internet
connections
Features for Detecting, Preventing, and Processing Potential Threats
To locate unfamiliar documents, see the documentation roadmap.
As discussed in...Configure...If you want to...
Getting Started with Access Control
Policies, on page 63
Access control policy, the parent
of several other policies
Inspect, log, and take action on
network traffic
Choosing a Security Intelligence
Strategy, on page 84
Security Intelligence in your access
control policy
Block connections to or from IP
addresses, URLs, and/or domain
names
About Intrusion Policies, on page
277
Intrusion policyMonitor malicious traffic and
intrusions on your network
Understanding Traffic Decryption,
on page 165
SSL policyBlock encrypted traffic without
inspection
Inspect encrypted or decrypted
traffic
Controlling Traffic Using Intrusion
and File Policies, on page 135
File policyAllow or block files on your network
Introduction to Identity Data, on
page 327
User awareness, user identity,
identity policies
Configure passive or active user
authentication to perform user
awareness and user control
Integration with External Tools
To locate unfamiliar documents, see the documentation roadmap.
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
5
Get Started Using ASA with FirePOWER Services
Features for Detecting, Preventing, and Processing Potential Threats
As discussed in...Configure...If you want to...
Understanding Advanced Device
Settings, on page 10
eStreamer integrationStream event data to a
custom-developed client
application
Firepower Online Help and Documentation
You can reach the online help from the web interface:
•By clicking the context-sensitive help link on each page
•By choosing Help >Online
You can find additional documentation related to the Firepower system using the documentation roadmap:
http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
Related Documentation
The documents listed in this section might be helpful when configuring your ASA with FirePOWER Services
appliance.
Hardware Guides and Data Sheets
The following guides provide more information about ASA with FirePOWER Services hardware.
•https://www.cisco.com/c/en/us/support/security/asa-firepower-services/
tsd-products-support-series-home.html
•https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/
tsd-products-support-series-home.html
•https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html
For More Details
Some topics are not included in this guide because they are covered in more detail in the Firepower Management
Center Configuration Guide. The following table lists these topics; for additional information not covered in
this guide, see also Related Documentation, on page 6
See the FMC Configuration Guide
part
>
chapter
For more information about...
Access Control >Access Control RulesAccess control rules
Intrusion Detection and Prevention >Getting Started
with Intrusion Policies
Intrusion policies
System Monitoring and Troubleshooting >
Troubleshooting the System
Troubleshooting tools
Discovery and Identity >Create and Manage RealmsRealms for user control
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
6
Get Started Using ASA with FirePOWER Services
Firepower Online Help and Documentation
See the FMC Configuration Guide
part
>
chapter
For more information about...
Discovery and Identity >Create and Manage Identity
Policies
Identity policies
Deployment Management >Reusable ObjectsInternal Certificate Authorities (CAs)
Deployment Management >Reusable ObjectsTrusted CAs
Deployment Management >Reusable ObjectsGeolocation database updates
Supported Devices Statements in the Documentation
The Supported Devices statement at the beginning of a chapter or topic indicates that a feature is supported
only on the specified device series, family, or model. For example, many features are supported only on
Firepower Threat Defense devices.
For more information on platforms supported by this release, see the release notes.
Access Statements in the Documentation
The Access statement at the beginning of each procedure in this documentation indicates the predefined user
roles required to perform the procedure. Any of the listed roles can perform the procedure.
Users with custom roles may have permission sets that differ from those of the predefined roles. When a
predefined role is used to indicate access requirements for a procedure, a custom role with similar permissions
also has access. Some users with custom roles may use slightly different menu paths to reach configuration
pages. For example, users who have a custom role with only intrusion policy privileges access the network
analysis policy via the intrusion policy instead of the standard path through the access control policy.
Firepower System IP Address Conventions
You can use IPv4 Classless Inter-Domain Routing (CIDR) notation and the similar IPv6 prefix length notation
to define address blocks in many places in the Firepower System.
When you use CIDR or prefix length notation to specify a block of IP addresses, the Firepower System uses
only the portion of the network IP address specified by the mask or prefix length. For example, if you type
10.1.2.3/8, the Firepower System uses 10.0.0.0/8.
In other words, although Cisco recommends the standard method of using a network IP address on the bit
boundary when using CIDR or prefix length notation, the Firepower System does not require it.
Additional Resources
The Firewalls Community is an exhaustive repository of reference material that complements our extensive
documentation. This includes links to 3D models of our hardware, hardware configuration selector, product
collateral, configuration examples, troubleshooting tech notes, training videos, lab and Cisco Live sessions,
social media channels, Cisco Blogs and all the documentation published by the Technical Publications team.
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
7
Get Started Using ASA with FirePOWER Services
Supported Devices Statements in the Documentation
Some of the individuals posting to community sites or video sharing sites, including the moderators, work for
Cisco Systems. Opinions expressed on those sites and in any corresponding comments are the personal
opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is
not meant to be an endorsement or representation by Cisco or any other party.
Some of the videos, technical notes, and reference material in the Firewalls Community points to older versions
of the Firepower Management Center. Your version of the Firepower Management Center and the version
referenced in the videos or technical notes might have differences in the user interface that cause the
procedures not to be identical.
Note
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
8
Get Started Using ASA with FirePOWER Services
Additional Resources
CHAPTER 2
Managing Device Configuration
The Device Management page allows you to manage the device and interface configurations for the ASA
FirePOWER module.
If you configure the ASA in a failover pair, the ASA FirePOWER configuration does not automatically synchronize
with the ASA FirePOWER module on the secondary device. You must manually export the ASA FirePOWER
configuration from the primary and import it into the secondary every time you make a change.
Caution
•Editing Device Configuration, on page 9
•Managing ASA FirePOWER Module Interfaces, on page 11
•Applying Changes to Device Configuration, on page 12
•Configuring Remote Management, on page 13
Editing Device Configuration
The Device tab of the Device Management page displays detailed device configuration and information, as it
applies to the ASA FirePOWER module. It also allows you to make changes to some parts of device configuration,
such as changing the displayed module name and modifying management settings.
Editing General Device Configuration
License: Any
The General section of the Device tab shows the module name, which you can change.
To edit general device configuration:
Step 1 Click Configuration >ASA FirePOWER Configuration >Device Management >Device.
The Device page is displayed.
Step 2 Next to the General section, click (edit).
Step 3 In the Name field, enter a new assigned name for the module. You can enter alphanumeric characters and special
characters, with the exception of the following characters, which are invalid: +, (, ), {, }, #, &, \, <, >, ?, ‘, and “.
Step 4 Click Save.
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
9
The changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying
Changes to Device Configuration, on page 12 for more information.
Viewing Device System Settings
License: Any
The System section of the Device tab displays a read-only table of system information, as described in the
following table.
Table 1: System Section Table Fields
DescriptionField
The model name and number for the device.Model
The serial number of the chassis of the device.Serial
The current system time of the device.Time
The version of the software currently installed on the ASA FirePOWER module.Version
A link to the system policy currently applied to the ASA FirePOWER module.Policy
Understanding Advanced Device Settings
The Advanced section of the Device tab displays advanced configuration settings, as described in the following
table.
Table 2: Advanced Section Table Fields
DescriptionField
The state of Automatic Application Bypass on the module.Application
Bypass
The Automatic Application Bypass threshold, in milliseconds.Bypass Threshold
You can use the Advanced section to edit any of these settings. See the following sections for more information:
Automatic Application Bypass
License: Any
The Automatic Application Bypass (AAB) feature limits the time allowed to process packets through an interface
and allows packets to bypass detection if the time is exceeded. The feature functions with any deployment;
however, it is most valuable in inline deployments.
You balance packet processing delays with your network’s tolerance for packet latency. When a malfunction
within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
10
Managing Device Configuration
Viewing Device System Settings
causes Snort to restart within ten minutes of the failure, and generates troubleshoot data that can be analyzed
to investigate the cause of the excessive processing time.
You can change the bypass threshold if the option is selected. The default setting is 3000 milliseconds (ms).
The valid range is from 250 ms to 60,000 ms.
AAB is activated only when an excessive amount of time is spent processing a single packet. If AAB engages,
the system kills all Snort processes.
Note
For more information about enabling Automatic Application Bypass and setting the bypass threshold, see
Editing Advanced Device Settings, on page 11.
Editing Advanced Device Settings
You can use the Advanced section of the Devices tab to modify the Automatic Application Bypass.
To modify advanced device settings:
Step 1 Select Configuration >ASA FirePOWER Configuration >Device Management >Device.
The Device page appears.
Step 2 Next to the Advanced section, click the edit icon ( ) .
The Advanced pop-up window appears.
Step 3 Optionally, select Automatic Application Bypass if your network is sensitive to latency. Automatic Application Bypass is
most useful in inline deployments. For more information, see Automatic Application Bypass, on page 10.
Step 4 When you select the Automatic Application Bypass option, you can type a Bypass Threshold in milliseconds (ms). The
default setting is 3000 ms and the valid range is from 250 ms to 60,000 ms.
Step 5 Click Save.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying
Changes to Device Configuration, on page 12 for more information.
Managing ASA FirePOWER Module Interfaces
License: Control, Protection
When editing an ASA FirePOWER interface, you can configure only the interface’s security zone from the ASA
FirePOWER module. See Working with Security Zones, on page 49 for more information.
You configure interfaces using ASDM and CLI.
To edit an ASA FirePOWER Interface:
Step 1 Select Configuration >ASA FirePOWER Configuration >Device Management >Interfaces .
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
11
Managing Device Configuration
Editing Advanced Device Settings
The Interfaces page appears.
Step 2 Next to the interface you want to edit, click the edit icon ( ).
The Edit Interface pop-up window appears.
Step 3 From the Security Zone drop-down list, select an existing security zone or select New to add a new security zone.
Step 4 Click Store ASA FirePOWER Changes.
The security zone is configured. Note that your changes do not take effect until you apply the device configuration; see
Applying Changes to Device Configuration, on page 12 for more information.
Applying Changes to Device Configuration
License: Any
After you make changes to the ASA FirePOWER configuration of a device, you must apply the changes before
they take effect throughout the module. Note that the device must have unapplied changes or this option
remains disabled.
Note that if you edit interfaces and reapply a device policy, Snort restarts for all interface instances on the
device, not just those that you edited.
To apply changes to the device:
Step 1 Select Configuration >ASA FirePOWER Configuration >Device Management >Device or Configuration >ASA FirePOWER
Configuration >Device Management >Interfaces.
The Device Management page appears.
Step 2 Click Apply ASA FirePOWER Changes.
Step 3 When prompted, click Apply.
The device changes are applied.
Optionally, from the Apply Device Changes dialog box, click View Changes. The Device Management Revision
Comparison Report page appears in a new window. For more information, see Using the Device Management
Revision Comparison Report, on page 12.
Tip
Step 4 Click OK.
You are returned to the Device Management page.
Using the Device Management Revision Comparison Report
License: Any
A device management comparison report allows you to view the changes you have made to an appliance
before you apply them. The report displays all differences between the current appliance configuration and
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
12
Managing Device Configuration
Applying Changes to Device Configuration
the proposed appliance configuration. This gives you an opportunity to discover any potential configuration
errors.
To compare appliance changes before applying them:
Step 1 Select Configuration>ASA FirePOWER Configuration >Device Management >Device or Configuration >ASA FirePOWER
Configuration >Device Management >Interfaces .
The Device Management page appears.
Step 2 Click Apply Changes.
The Apply Device Changes pop-up window appears. Note that the appliance must have unapplied changes or the Apply
Changes button remains disabled.
Step 3 Click View Changes.
The Device Management Revision Comparison Report page appears in a new window.
Step 4 Click Previous and Next to scroll through the differences between the current appliance configuration and the proposed
appliance configuration.
Step 5 Optionally, click Comparison Report to produce a PDF version of the report.
Configuring Remote Management
License: Any
Before you can manage one Firepower system appliance with another, you must set up a two-way,
SSL-encrypted communication channel between the two appliances. The appliances use the channel to share
configuration and event information. High availability peers also use the channel, which is by default on port
8305/tcp.
You must configure remote management on the appliance that will be managed; that is, on the device that you
want to manage with a Firepower Management Center. After you configure remote management, you can use
the managing appliance’s web interface to add the managed appliance to your deployment.
After you establish remote management and register the Cisco ASA with FirePOWER Services with a Firepower
Management Center, you must manage the ASA FirePOWER module from the Firepower Management Center
instead of from ASDM. You cannot remotely manage the Cisco ASA with FirePOWER Services with the ASDM
console after the appliance is registered to a Firepower Management Center.
Note
To enable communications between two appliances, you must provide a way for the appliances to recognize
each other. There are three criteria the Firepower system uses when allowing communications:
•the hostname or IP address of the appliance with which you are trying to establish communication
In NAT environments, even if the other appliance does not have a routable address, you must provide a
hostname or an IP address either when you are configuring remote management, or when you are adding the
managed appliance.
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
13
Managing Device Configuration
Configuring Remote Management
•a self-generated alphanumeric registration key up to 37 characters in length that identifies the connection
•an optional unique alphanumeric NAT ID that can help the Firepower system establish communications
in a NAT environment
The NAT ID must be unique among all NAT IDs used to register managed appliances.
When you register a managed device to a Firepower Management Center, the access control policy you select
applies to the device. However, if you do not enable licenses for the device required by features used in the
access control policy you select, the access control policy apply fails.
To configure remote management of the local appliance:
Access: Admin
Step 1 Select Configuration >ASA FirePOWER Configuration >Integration >Remote Management.
The Remote Management page appears.
Step 2 Click Add Manager.
The Add Remote Management page appears.
Step 3 In the Management Host field, type the IP address or the hostname of the appliance that you want to use to manage this
appliance.
The hostname is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address.
In a NAT environment, you do not need to specify an IP address or hostname here if you plan to specify it when you add
the managed appliance. In this case, the Firepower system uses the NAT ID you will provide later to identify the remote
manager on the managed ASA FirePOWER module interface.
Use a hostname rather than an IP address if your network uses DHCP to assign IP addresses.
Caution
Step 4 In the Registration Key field, type the registration key that you want to use to set up communications between appliances.
Step 5 For NAT environments, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to set up
communications between appliances.
Step 6 Click Save.
After the appliances confirm that they can communicate with each other, the Pending Registration status appears.
Step 7 Use the managing appliance’s web user interface to add this appliance to your deployment.
When enabling remote management of a device, in some high availability deployments that use NAT, you may
also need to add the secondary Firepower Management Center as a manager. For more information, contact
Support.
Note
Editing Remote Management
License: Any
Use the following procedure to edit the hostname or IP address of the managing appliance. You can also
change the display name of the managing appliance, which is a name only used within the context of the
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
14
Managing Device Configuration
Editing Remote Management
Firepower system. Although you can use the hostname as the display name of the appliance, entering a different
display name does not change the hostname.
To edit remote management:
Access: Admin
Step 1 Select Configuration >ASA FirePOWER Configuration >Integration >Remote Management.
The Remote Management page appears.
Step 2 Click the edit icon ( ) next to the manager for which you want to edit remote management settings.
The Edit Remote Management page appears.
Step 3 In the Name field, change the display name of the managing appliance.
Step 4 In the Host field, change the IP address or the hostname of the managing appliance.
The hostname is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address.
Step 5 Click Save.
Your changes are saved.
Configuring eStreamer on the eStreamer Server
License: FireSIGHT + Protection
Before the appliance you want to use as an eStreamer server can begin streaming eStreamer events to an
external client, you must configure the eStreamer server to send events to clients, provide information about
the client, and generate a set of authentication credentials to use when establishing communication.
Configuring eStreamer Event Types
You can control which types of events the eStreamer server is able to transmit to clients that request them.
Available event types on either a managed device or a Firepower Management Center are:
•Intrusion events
•Intrusion event packet data
•Intrusion event extra data
To configure the types of events transmitted by eStreamer:
Step 1 Select Configuration >ASA FirePOWER Configuration >Integration >eStreamer.
The eStreamer Event Configuration page appears.
Step 2 Under eStreamer Event Configuration, select the check boxes next to the types of events you want eStreamer to forward
to requesting clients.
You can select any or all of the following on a managed device or Firepower Management Center:
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
15
Managing Device Configuration
Configuring eStreamer on the eStreamer Server
•Intrusion Events to transmit intrusion events.
•Intrusion Event Packet Data to transmit packets associated with intrusion events.
•Intrusion Event Extra Data to transmit additional data associated with an intrusion event such as the originating IP
addresses of a client connecting to a web server through an HTTP proxy or load balancer.
Note that this controls which events the eStreamer server can transmit. Your client must still specifically request
the types of events you want it to receive in the request message it sends to the eStreamer server. For more
information, see the Firepower system eStreamer
Integration Guide
.
Note
Step 3 Click Save.
Adding Authentication for eStreamer Clients
Before eStreamer can send eStreamer events to a client, you must add the client to the eStreamer server’s
peers database from the eStreamer page. You must also copy the authentication certificate generated by the
eStreamer server to the client.
To add an eStreamer client:
Step 1 Select Configuration >ASA FirePOWER Configuration >Integration >Remote Management.
The Registration page appears.
Step 2 Select the eStreamer tab.
The eStreamer page appears.
Step 3 Click Create Client.
The Create Client page appears.
Step 4 In the Hostname field, enter the host name or IP address of the host running the eStreamer client.
If you use a host name, the eStreamer server must be able to resolve the host to an IP address. If you have not
configured DNS resolution, you should configure it first or use an IP address.
Note
Step 5 If you want to encrypt the certificate file, enter a password in the Password field.
Step 6 Click Save.
The eStreamer server now allows the host to access port 8302 on the eStreamer server and creates an authentication
certificate to use during client-server authentication. The eStreamer page reappears, with the new client listed under
Hostname.
Step 7 Click the download icon ( ) next to the client hostname to download the certificate file.
Step 8 Save the certificate file to the appropriate directory used by your client for SSL authentication.
The client can now connect to the eStreamer server. You do not need to restart the eStreamer service.
To revoke access for a client, click the delete icon ( ) next to the host you want to remove. Note that you do
not need to restart the eStreamer service; access is revoked immediately.
Tip
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
16
Managing Device Configuration
Adding Authentication for eStreamer Clients
CHAPTER 3
Managing Reusable Objects
For increased flexibility and ease of use, the ASA FirePOWER module allows you to create named objects,
which are reusable configurations that associate a name with a value so that when you want to use that value,
you can use the named object instead.
You can create the following types of objects:
•Network based objects that represent IP addresses and networks, port/protocol pairs, security zones,
and origin/destination country (geolocation)
•Objects that help you handle unencrypted and decrypted traffic, including Security Intelligence feeds
and lists, application filters, URLs, file lists, and intrusion policy variable sets
You can use these objects in various places in the ASA FirePOWER module, including access control policies,
network analysis policies, intrusion policies, reports, dashboards, and so on.
Grouping objects allows you to reference multiple objects with a single configuration. You can group network,
port, and URL, and public key infrastructure (PKI) objects.
In most cases, editing an object used in a policy requires redeploying your configuration for your changes to
take effect.
Note
•Using the Object Manager, on page 18
•Working with Network Objects, on page 19
•Working with Security Intelligence Lists and Feeds, on page 20
•Working with Port Objects, on page 25
•Working with URL Objects, on page 26
•Working with Application Filters, on page 27
•Working with Variable Sets, on page 29
•Working with Sinkhole Objects, on page 45
•Working with File List, on page 45
•Working with Security Zones, on page 49
•Working with Cipher Suite Lists, on page 50
•Working with Distinguished Name Objects, on page 51
•Working with PKI Objects, on page 53
•Working with Geolocation Objects, on page 60
•Working with Security Group Tag Objects, on page 61
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
17
Using the Object Manager
License: Any
Create and manage objects, including application filters, variable sets, and security zones, using the object
manager (Configuration >ASA FirePOWER Configuration >Object Management ). You can group network,
port, and URL and PKI objects; you can also sort, filter, and browse the list of objects and object groups.
Grouping Objects
License: Any
You can group network, port, PKI, and URL objects. The system allows you to use objects and object groups
interchangeably. For example, anywhere you would use a port object, you can also use a port object group.
Objects and object groups of the same type cannot have the same name.
When you edit an object group used in a policy (for example, a network object group used in an access control
policy), you must redeploy the configuration for your changes to take effect; see Deploying Configuration
Changes, on page 73.
Deleting a group does not delete the objects in the group, just their association with each other. Additionally,
you cannot delete a group that is in use. For example, you cannot delete a URL group that you are using in a
URL condition in a saved access control policy.
To group reusable objects:
Step 1 Choose Configuration >ASA FirePOWER Configuration >Object Management.
Step 2 Under the type of Network,Port,URL,PKI,orDistinguished Name object you want to group, choose Object Groups.
Step 3 Click the Add button that corresponds with the object you want to group.
Step 4 Enter a Name for the group. You can use any printable standard ASCII characters except curly braces ({}).
Step 5 Choose one or more objects and click Add.
•Use Shift and Ctrl to choose multiple objects, or right click and Select All.
•Use the filter field ( ) to search for existing objects to include, which updates as you type to display matching items.
Click the reload icon ( ) above the search field or click the clear icon ( ) in the search field to clear the search
string.
•Click the add icon ( ) to create objects on the fly if no existing objects meet your needs.
Step 6 Click Store ASA FirePOWER Changes.
Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.6
18
Managing Reusable Objects
Using the Object Manager
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179
  • Page 180 180
  • Page 181 181
  • Page 182 182
  • Page 183 183
  • Page 184 184
  • Page 185 185
  • Page 186 186
  • Page 187 187
  • Page 188 188
  • Page 189 189
  • Page 190 190
  • Page 191 191
  • Page 192 192
  • Page 193 193
  • Page 194 194
  • Page 195 195
  • Page 196 196
  • Page 197 197
  • Page 198 198
  • Page 199 199
  • Page 200 200
  • Page 201 201
  • Page 202 202
  • Page 203 203
  • Page 204 204
  • Page 205 205
  • Page 206 206
  • Page 207 207
  • Page 208 208
  • Page 209 209
  • Page 210 210
  • Page 211 211
  • Page 212 212
  • Page 213 213
  • Page 214 214
  • Page 215 215
  • Page 216 216
  • Page 217 217
  • Page 218 218
  • Page 219 219
  • Page 220 220
  • Page 221 221
  • Page 222 222
  • Page 223 223
  • Page 224 224
  • Page 225 225
  • Page 226 226
  • Page 227 227
  • Page 228 228
  • Page 229 229
  • Page 230 230
  • Page 231 231
  • Page 232 232
  • Page 233 233
  • Page 234 234
  • Page 235 235
  • Page 236 236
  • Page 237 237
  • Page 238 238
  • Page 239 239
  • Page 240 240
  • Page 241 241
  • Page 242 242
  • Page 243 243
  • Page 244 244
  • Page 245 245
  • Page 246 246
  • Page 247 247
  • Page 248 248
  • Page 249 249
  • Page 250 250
  • Page 251 251
  • Page 252 252
  • Page 253 253
  • Page 254 254
  • Page 255 255
  • Page 256 256
  • Page 257 257
  • Page 258 258
  • Page 259 259
  • Page 260 260
  • Page 261 261
  • Page 262 262
  • Page 263 263
  • Page 264 264
  • Page 265 265
  • Page 266 266
  • Page 267 267
  • Page 268 268
  • Page 269 269
  • Page 270 270
  • Page 271 271
  • Page 272 272
  • Page 273 273
  • Page 274 274
  • Page 275 275
  • Page 276 276
  • Page 277 277
  • Page 278 278
  • Page 279 279
  • Page 280 280
  • Page 281 281
  • Page 282 282
  • Page 283 283
  • Page 284 284
  • Page 285 285
  • Page 286 286
  • Page 287 287
  • Page 288 288
  • Page 289 289
  • Page 290 290
  • Page 291 291
  • Page 292 292
  • Page 293 293
  • Page 294 294
  • Page 295 295
  • Page 296 296
  • Page 297 297
  • Page 298 298
  • Page 299 299
  • Page 300 300
  • Page 301 301
  • Page 302 302
  • Page 303 303
  • Page 304 304
  • Page 305 305
  • Page 306 306
  • Page 307 307
  • Page 308 308
  • Page 309 309
  • Page 310 310
  • Page 311 311
  • Page 312 312
  • Page 313 313
  • Page 314 314
  • Page 315 315
  • Page 316 316
  • Page 317 317
  • Page 318 318
  • Page 319 319
  • Page 320 320
  • Page 321 321
  • Page 322 322
  • Page 323 323
  • Page 324 324
  • Page 325 325
  • Page 326 326
  • Page 327 327
  • Page 328 328
  • Page 329 329
  • Page 330 330
  • Page 331 331
  • Page 332 332
  • Page 333 333
  • Page 334 334
  • Page 335 335
  • Page 336 336
  • Page 337 337
  • Page 338 338
  • Page 339 339
  • Page 340 340
  • Page 341 341
  • Page 342 342
  • Page 343 343
  • Page 344 344
  • Page 345 345
  • Page 346 346
  • Page 347 347
  • Page 348 348
  • Page 349 349
  • Page 350 350
  • Page 351 351
  • Page 352 352
  • Page 353 353
  • Page 354 354
  • Page 355 355
  • Page 356 356
  • Page 357 357
  • Page 358 358
  • Page 359 359
  • Page 360 360
  • Page 361 361
  • Page 362 362
  • Page 363 363
  • Page 364 364
  • Page 365 365
  • Page 366 366
  • Page 367 367
  • Page 368 368
  • Page 369 369
  • Page 370 370
  • Page 371 371
  • Page 372 372
  • Page 373 373
  • Page 374 374
  • Page 375 375
  • Page 376 376
  • Page 377 377
  • Page 378 378
  • Page 379 379
  • Page 380 380
  • Page 381 381
  • Page 382 382
  • Page 383 383
  • Page 384 384
  • Page 385 385
  • Page 386 386
  • Page 387 387
  • Page 388 388
  • Page 389 389
  • Page 390 390
  • Page 391 391
  • Page 392 392
  • Page 393 393
  • Page 394 394
  • Page 395 395
  • Page 396 396
  • Page 397 397
  • Page 398 398
  • Page 399 399
  • Page 400 400
  • Page 401 401
  • Page 402 402
  • Page 403 403
  • Page 404 404
  • Page 405 405
  • Page 406 406
  • Page 407 407
  • Page 408 408
  • Page 409 409
  • Page 410 410
  • Page 411 411
  • Page 412 412
  • Page 413 413
  • Page 414 414
  • Page 415 415
  • Page 416 416
  • Page 417 417
  • Page 418 418
  • Page 419 419
  • Page 420 420
  • Page 421 421
  • Page 422 422
  • Page 423 423
  • Page 424 424
  • Page 425 425
  • Page 426 426
  • Page 427 427
  • Page 428 428
  • Page 429 429
  • Page 430 430
  • Page 431 431
  • Page 432 432
  • Page 433 433
  • Page 434 434
  • Page 435 435
  • Page 436 436
  • Page 437 437
  • Page 438 438
  • Page 439 439
  • Page 440 440
  • Page 441 441
  • Page 442 442
  • Page 443 443
  • Page 444 444
  • Page 445 445
  • Page 446 446
  • Page 447 447
  • Page 448 448
  • Page 449 449
  • Page 450 450
  • Page 451 451
  • Page 452 452
  • Page 453 453
  • Page 454 454
  • Page 455 455
  • Page 456 456
  • Page 457 457
  • Page 458 458
  • Page 459 459
  • Page 460 460
  • Page 461 461
  • Page 462 462
  • Page 463 463
  • Page 464 464
  • Page 465 465
  • Page 466 466
  • Page 467 467
  • Page 468 468
  • Page 469 469
  • Page 470 470
  • Page 471 471
  • Page 472 472
  • Page 473 473
  • Page 474 474
  • Page 475 475
  • Page 476 476
  • Page 477 477
  • Page 478 478
  • Page 479 479
  • Page 480 480
  • Page 481 481
  • Page 482 482
  • Page 483 483
  • Page 484 484
  • Page 485 485
  • Page 486 486
  • Page 487 487
  • Page 488 488
  • Page 489 489
  • Page 490 490
  • Page 491 491
  • Page 492 492
  • Page 493 493
  • Page 494 494
  • Page 495 495
  • Page 496 496
  • Page 497 497
  • Page 498 498
  • Page 499 499
  • Page 500 500
  • Page 501 501
  • Page 502 502
  • Page 503 503
  • Page 504 504
  • Page 505 505
  • Page 506 506
  • Page 507 507
  • Page 508 508
  • Page 509 509
  • Page 510 510
  • Page 511 511
  • Page 512 512
  • Page 513 513
  • Page 514 514
  • Page 515 515
  • Page 516 516
  • Page 517 517
  • Page 518 518
  • Page 519 519
  • Page 520 520
  • Page 521 521
  • Page 522 522
  • Page 523 523
  • Page 524 524

Cisco Secure Firewall ASDM Configuration Guide

Category
Networking
Type
Configuration Guide
This manual is also suitable for

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI