Cisco Fire Power Services Module: Configuration to Get Started
Most ASA platforms purchased now ship with the Cisco Fire Power Services module. It gives you security features the ASA platform itself doesn’t provide, such as IPS/IDS, Advanced Malware Prevention (AMP), and URL Filtering. These features are licensed: purchase the licenses to keep using them after the free 90-day trial. Even without these licenses, you can still use the Fire Power Management Center to monitor traffic and see what is happening on your network.
If you decide to use the Fire Power Services Software Module, it requires some configuration to get it working. Upgrade the SFR to a good, stable version. Manage the Fire Power Services module with either the ASDM or the Firepower Management Center Virtual Appliance.
Divert traffic from the ASA to the Fire Power:
a) Configure an access-list to define and send all traffic from the ASA to the Fire Power:
access-list FIREPOWER-TRAFFIC extended permit ip any any
b) Define the class-map and use the access-list configured in the previous step:
description Traffic to Send to Fire Power for Analysis
match access-list FIREPOWER-TRAFFIC
c) policy-map global_policy
sfr fail-open (this configures the IPS for inline mode, which is the normal operation)
d) service-policy global_policy global (make sure this is applied globally)
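Steps a) to d) only redirect traffic when each one references the previous one by name. As an added example (not part of the original post), this Python check parses an ASA configuration and reports where the chain from access-list to class-map to policy-map to global service-policy is broken. The class-map name FIREPOWER-CLASS and the helper `audit_sfr_redirect` are assumptions, and the sample configuration is constructed from the steps above.

```python
import re

# Constructed sample: the page's steps a) to d) joined into one configuration.
# FIREPOWER-CLASS is an assumed class-map name; the page does not give one.
SAMPLE_CONFIG = """\
access-list FIREPOWER-TRAFFIC extended permit ip any any
class-map FIREPOWER-CLASS
 description Traffic to Send to Fire Power for Analysis
 match access-list FIREPOWER-TRAFFIC
policy-map global_policy
 class FIREPOWER-CLASS
  sfr fail-open
service-policy global_policy global
"""

def audit_sfr_redirect(config):
    """Return findings; an empty list means the chain a) to d) is complete."""
    acls, class_acl, sfr_actions, applied = set(), {}, {}, set()
    cmap = pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends the current block
            cmap = pmap = cls = None
        if m := re.match(r"access-list (\S+) extended ", line):
            acls.add(m[1])
        elif m := re.match(r"class-map (\S+)$", line):
            cmap = m[1]
        elif cmap and (m := re.match(r"match access-list (\S+)$", line)):
            class_acl[cmap] = m[1]
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap = m[1]
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m[1]
        elif cls and (m := re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", line)):
            sfr_actions[(pmap, cls)] = (m[1], bool(m[2]))
        elif m := re.match(r"service-policy (\S+) global$", line):
            applied.add(m[1])
    findings = [] if sfr_actions else ["no sfr action under any policy-map class"]
    for (pmap, cls), (_fail_mode, monitor_only) in sfr_actions.items():
        acl = class_acl.get(cls)
        if acl is None:
            findings.append(f"class {cls} has no 'match access-list'")
        elif acl not in acls:
            findings.append(f"class {cls} matches undefined access-list {acl}")
        if pmap not in applied:
            findings.append(f"policy-map {pmap} is not applied by a global service-policy")
        if monitor_only:
            findings.append(f"class {cls} is monitor-only (passive), not inline")
    return findings
```

Run it against the output of `show running-config` saved to a file; any finding means some or all traffic is not being inspected inline by the module.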
Accessing the Cisco Fire Power Management Center through the GUI:
Access the Web GUI by going to https://x.x.x
After logging in, you can add the SFR by going to Devices -> Device Management -> Add Device, then entering the IP address and registration key and choosing the base Access Control Policy. See the snapshots below for the fields required:
Firepower Services has a default base policy that can be used for basic monitoring and to get started. After a device is added, define security zones for its interfaces under the Interfaces tab. See the snapshot below:
Deploy the changes by selecting “Deploy”, selecting the target device, and hitting “deploy” at the bottom of the screen.
This initial configuration gets the Cisco Fire Power services module monitoring and analyzing the traffic that goes through it.