Firepower Best Practices: Configuration Menu and Updates.
post by: Moses Frost
As people who are purchasing Cisco Firepower gear get more invested in the product, many of the legacy Cisco customers have come to me and asked about Firepower best practices. What I find, however, is that the answer to those questions is "it depends". It may sound strange, but there is no scientifically sound way to decide that every feature should be enabled. The purpose of this series of posts is to get people familiar with Firepower and Firepower Services. This series of articles covers version 6.x of the product.
Up and Running with Firepower: Configuration Menu and Updates.
Firepower is the brand name for several things: Firepower comes as a standalone IPS, as a sensor integrated on an ASA, and as a unified all-in-one system that merges the ASA with the Firepower software. Let's begin with how you set up and deploy the manager, which ends up being where the majority of the work is. When first setting up Firepower 6, the first and most important thing to do is set your sizing requirements. If you happen to be using a virtual manager, make sure that you give the box as much memory as possible. I would recommend that you attempt to put at least 16GB to 32GB of RAM on it.
Here is my simple cheat sheet of items.
The first question I get is what Internet connectivity is needed to run the unit. This is the guide most people refer to:
I believe this guide is a bit too complicated to understand, so here is a better way to visualize it, because it's not so clear how it works at first blush. The Firepower Management Center is heavily involved in things like policy management, as well as the AMP part. You could run all of this without cloud communications, but you would lose some capabilities like:
- Dynamic URL Categorization
- Advanced Malware Hash Lookups
- Dynamic IP/URL/FQDN/DNS Reputation
Here are also a couple of items to enable.
- System Menu -> Configuration Menu -> Remote Storage Device. Set up your remote storage device to be SMB, NFS, or something of the like.
- System Menu -> Configuration Menu -> Change Reconciliation. Turn this on so that you have change control logged.
- System Menu -> Configuration Menu -> Access List. Right now anyone can hit 80/443 on your manager, so I would restrict this as far as you can. You may have a range for IT, or you may have a range for your network. For example, it could be 10.10.10.0/24, or at least 10.0.0.0/8. I don't think you ever want the possibility of the Internet hitting your manager.
- System Menu -> Configuration Menu -> Time Synchronization. Make sure you set this to either your Stratum 1 server or whichever other servers synchronize time in your environment. It is critical that the sensor and the manager have the same time, but as a good habit, all of your systems should keep the same time, period.
- For VM systems: System Menu -> Configuration Menu -> VMware Tools -> Enable VMware Tools. Just good practice.
There are other options in there to explore, like email addresses for notifications and syslog server setup, but those options can be explored at a later time.
The next topic is that of updates. Some updates are simple to add, because they have built-in scheduling like those below.
In the System -> Updates -> Rule Updates menu the scheduler is visible, as it is in the Geolocation menu. There is, however, one other menu item that is not automatic. This option is called the VDB. The Vulnerability Database update keeps the system current against the latest CVEs that come down and provides accuracy when fingerprinting hosts, which we will get into later. The VDB update is not automated, so we must automate its installation ourselves, and we can do that using the scheduler.
The above shows how you can very easily go into the System menu, under Tools -> Scheduling, and add a new task. Explore the options in this menu, because you would be surprised at all the different automated scheduled actions you can have.
This is a two-step process to make it fully work. It is important that you set the task to recurring if you want these actions to keep happening; the default is once.
Step 1, shown above, is to download the latest updates. You want to give the system time to do this; you can even schedule it a day before, a week before, etc. This update happens on a somewhat ad-hoc basis and not very often, so timing isn't as important as it is for the rule updates.
Step 2, which I will show below, is to actually install the VDB update on the manager. This is important because you need to do this to actually make use of the downloaded database.
That concludes this post on getting up and running with Firepower. Please stay tuned for more notes, feedback, tips, and tricks! If you enjoy this series of posts, I encourage you to subscribe.