Introduction to Cisco Firepower Threat Defense (FTD) on ASA 5500-X

This week I’m working on testing out the new Firepower Thread Defense (FTD) 6.1 image for the ASA 5500-X, and hopefully getting familiar with how things work in the new setup. One of the things I’m most excited about is the onboard management interface — this is an HTML based interface that no longer requires ASDM, which is a huge step in the right direction, in my opinion.

I’m going to go cover the reimage process and see what a box looks like from a fresh start, as well as give some overviews of the management interface and the CLI. I’ll try not to dig too deep in this introduction but I’m hoping to provide a lot of screenshots of various screens and things I notice during the setup.

For your reference, you can find the 6.1.0 release notes here, and the Firepower Threat Defense 6.1.0 Configuration Guide here.

Reimaging

I’ll cover the gist of the reimage process now, but you can find the full instructions here.

The big thing to note during the reimage, is that it will wipe out everything you have on your device — configuration, ASA/ASDM images, Anyconnect packages — everything. So be sure to backup anything you want to keep.

To complete the reimage you’ll need console access to your ASA, a TFTP server, and the FTD cdisk file for your platform.

Let’s get started.

  1. Verify your hardware is the correct ROMMON version. FTD requires minimum version of 1.1.8. You can verify this using the show module command. Look at the Fw Version value.
    5515-X# sh module
    
    Mod  Card Type                                    Model              Serial No.
    ---- -------------------------------------------- ------------------ -----------
    0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            XXX
    ...
    
    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
    ---- --------------------------------- ------------ ------------ ---------------
    0 84b8.022a.133f to 84b8.022a.1346  1.0          2.1(9)8      9.4(2)6
    
  2. Reload your ASA
  3. Interrupt the boot process by pressing ESC when prompted.
  4. In ROMMON, configure your network settings:
    rommon #0> interface gigabitethernet0/1
    rommon #1> address 10.2.3.11
    rommon #2> server 10.2.3.135
    rommon #3> gateway 10.2.3.135
    rommon #4> file ftd-boot-9.6.2.0.cdisk
    rommon #5> set
    
  5. Confirm your settings and commit the changes using the sync command
    rommon #6> sync
    
  6. Initiate the image download using the tftpdnld command:
    rommon #7> tftpdnld
    
  7. After the downloaded, the device will load the image and you’ll be at an FTD Boot console. From here use the setup command to configure the basic parameters for your box (Hostname, address, gateway, DNS, NTP).
  8. The last step is to download and install the actual FTD install package.
    > system install noconfirm http://10.2.3.135:8080/ftd-6.1.0-330.pkg
    

    The documentation says this step could take up to 30 minutes, but mine finished in less time.

Configuring the ASA using Firepower Device Manager

Once the box is back online, we’re now ready to test out the new onboard management interface, Firepower Device Manager. Browsing to the management address, we’re presented with a screen that almost brings a tear to my eyes:

asa-ftd-screenshot-1

Finally! After so many years of fighting with ASDM and trying to find the right Java version, we’re finally able to use a built in web interface. Ignore any limitations with the available functionality in FDM for now — just savor the moment.

The default login is admin and Admin123

After login we’re have to go through an initial setup wizard.

asa-ftd-screenshot-2

That’s fine, I guess, so let’s move through it. I’ll select Gig0/5 as my outside interface since I don’t have it hooked up to anything but the LAN right now.

asa-ftd-screenshot-3

Next we’ll setup the outside interface addresses for IPv4 and IPv6:

asa-ftd-screenshot-4

And the Management interface DNS. I choose DHCP during the CLI setup, so this info was already populated for me. All I did was change the hostname.

asa-ftd-screenshot-5

Click Next and wait patiently….

asa-ftd-screenshot-6

Uh oh, bold red text is bad, right?

asa-ftd-screenshot-7

Ok, fine. So it really wants to be able to talk to the outside world during the setup. My test box is remote, and since I only had 2 interfaces connected, I figured I would configure the box without an internet connection for now. Guess FDM had other ideas. So I’ll go back and change the outside interface to be Gig0/0, and we’ll leave the inside disconnected.

I went back through the last couple of screens after changing the outside interface, and was then asked to configure NTP:

asa-ftd-screenshot-8-configure-ntp

Now we get to the licensing page. It looks like FTD will only use Smart Licenses, so I’ll be sure to familiarize myself with that in the very near future. For now I’ll use the 90-day eval license.

asa-ftd-screenshot-9-use-smart-licensing-or-else

And bingo, we’re ready to rock and roll!

asa-ftd-screenshot-10-ready-to-go-whats-next

The Dashboard

After the confirmation window, we land at the device dashboard:

asa-ftd-screenshot-11-device-dashboard

There’s not much to say about this. It’s got a nice clean look, and it gives you quick access to most of the basic settings on your box. I would compare it to the Device Setup and Device Management sections from ASDM.

Monitoring Menu

asa-ftd-screenshot-15-monitoring

The System Dashboard within the monitoring menu is really similar to the ASDM landing page — you have some graphs of throughput, CPU, and Memory, as well as event counts and Disk usage. My test box doesn’t have anything connected to it, unfortunately, so I have to apologize since my screenshots won’t be showing much more than the layout.

If you look down the menu on the left side of the screen, you’ll see the Firepower categories. This is the same info you would see in the Firepower Management Center (FMC) console, or your Firepower Dashboards within ASDM if you’re running it direclty on the box.

Policies Menu

When you click on the Policies menu item, you land on the Access Control page. This is where you will build your policies for allowing/denying traffic and is analagous to the ASDM Access Rules page. There is a default rule already installed (part of the initial setup process) allowing all traffic from inside to outside.

asa-ftd-screenshot-14-access-control

You’ll quickly notice that much like other sections in the management interface, the access rule page feels a bit like the FMC, or even like the Palo Alto firewall interface, for those of you who are familiar with PA. The similarities are even more apparent when you add an access rule:

asa-ftd-screenshot-17-access-rule

Clicking on the NAT item, you’ll see the default NAT rule that was also added during the intial setup:

asa-ftd-screenshot-18-default-nat-rule

Adding a new NAT rule is just as easy as it was in ASDM, although now you are required to create objects for everything:

asa-ftd-screenshot-19-nat-rule-example

asa-ftd-screenshot-20-nat-rule-options-example

Something to note here that differs from ASDM — hovering over objects does not reveal the IP address of the object, only the object name again.

The last page under the Policies menu is Identity and this is where you configure policies on obtaining user identity information.

The first thing to do here is define where you will pull identity information. You can choose between Active Directory or … Active Directory. AD is currently the only supported server type, and you’re only allowed to configure one server here.

asa-ftd-screenshot-21-identity-server-configuration

Once you have a Directory Server configured you can add identity policy rules. The two types of Authentication available are Active and No Auth. Active Authentication is only used on HTTP traffic, per this note in the help documentation:

Keep in mind that regardless of your rule configuration, active authentication is performed on HTTP traffic only. Thus, you do not need to create rules to exclude non-HTTP traffic from active authentication. You can simply apply an active authentication rule to all sources and destinations if you want to get user identity information for all HTTP traffic.

Another thing to note from the help documentation is that Identity policies don’t actually block traffic — they’re used for gathering information only.

I won’t dig too deep into this right now, but there are two types of Active Authentication – HTTP and HTTP response, and one transparent method that uses integrated windows Authentication.

Objects Menu

Moving over to the objects menu, you’ll see that this is a very familiar space where we can define our host/network objects, port/port group objects, and security zones. The only thing to notice here is that we can configure application filter, URL, and geolocation objects for use in access control rules.

asa-ftd-screenshot-22-objects-menu

One final note about the Policies and Objects menus, is that much like ASDM, changes are queued for delivery to the device. As you begin making changes, you’ll noticean icon on the top bar with an orange dot:

asa-ftd-screenshot-23-ready-to-deploy

Seems simple enough — queue changes to deliver them in bulk – got it. One thing I couldn’t find, however, was a cancel or reset changes button. So at this point in time it appears that changes made through the FTD interface are a one way street — better make sure you backed up your config before you started messing around with things.

On the plus side though, after the deployment is completed you can see a record of the changes that were made:

asa-ftd-screenshot-24-deployment-summary

The CLI

The beloved ASA CLI has also changed with the FTD image. After you first login, you can see that we are no longer in Kansas, er, in ASA land anymore. Instead, we’re running the Cisco Fire Linux OS:

    Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.
    Cisco is a registered trademark of Cisco Systems, Inc.
    All other trademarks are property of their respective owners.

    Cisco Fire Linux OS v6.1.0 (build 37)
    Cisco ASA5515-X Threat Defense v6.1.0 (build 330)

    >

At first glance things appear pretty similar — you can still run most of your show commands, including:

  • Viewing translations
          > show xlate
            1 in use, 1 most used
            Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
               s - static, T - twice, N - net-to-net
            NAT from outside:0.0.0.0/0 to any:0.0.0.0/0
                flags sIT idle 51:12:07 timeout 0:00:00
    
  • connections
    > show conn all
    8 in use, 14 most used
    
    UDP outside  0.0.0.0:68 NP Identity Ifc  255.255.255.255:67, idle 0:01:23, bytes 300, flags -
    UDP outside  10.2.3.102:68 NP Identity Ifc  255.255.255.255:67, idle 0:01:07, bytes 600, flags -
    UDP outside  10.2.3.97:68 NP Identity Ifc  255.255.255.255:67, idle 0:00:40, bytes 900, flags -
    UDP outside  10.2.3.47:68 NP Identity Ifc  255.255.255.255:67, idle 0:00:37, bytes 900, flags -
    UDP outside  10.2.3.147:68 NP Identity Ifc  255.255.255.255:67, idle 0:01:19, bytes 900, flags -
    
  • routes
    > show route
    
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
        ia - IS-IS inter area, * - candidate default, U - per-user static route
        o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 10.2.0.254 to network 0.0.0.0
    
    S*       0.0.0.0 0.0.0.0 [1/0] via 10.2.0.254, outside
    C        10.2.0.0 255.255.248.0 is directly connected, outside
    

and much, much more!

Suffice it to say that a lot of what you’re used to seeing from the CLI is still available as it relates to viewing your setup and troubleshooting. The big gotcha, however, is that it appears you can’t easily make changes from the CLI. There is no configure terminal any more, and the configuration commands left available to you are minimal:

> configure
  disable-https-access   Disable https access
  disable-ssh-access     Disable ssh access
  firewall               Change to Firewall Configuration Mode
  high-availability      Change to Configure High-Availability Mode
  https-access-list      Configure the https access list
  log-events-to-ramdisk  Configure Logging of Events to disk
  manager                Change to Manager Configuration Mode
  network                Change to Network Configuration Mode
  password               Change password
  ssh-access-list        Configure the ssh access list
  ssl-protocol           Configure SSL protocols for https web access.
  user                   Change to User Configuration Mode

Some of the available configure commands are a bit misleading as well. For example, configure firewall does not allow you to actually change anything about the firewall other than routed or transparent mode. Clearly the goal here is to get you out of the CLI and back into the Web interface. In fact, I wasn’t able to find anything really useful to configure from the CLI — just basic items that you would use to setup the box in the first place. If I find any more useful details I’ll update this post, but for now I’ll just assume that CLI is for troubleshooting only, and all configuration should be done from the GUI.

My Observations

First of all, I love the direction this is going and have wondered for years why Cisco stayed with ASDM given that the competitors are using built-in interfaces. That being said, I also realize and acknowledge that it takes a lot of effort to move away from a management tool like ASDM. I was at Cisco Live this year in Las Vegas, and the ASDM angst was palpable. In fact, when FTD was mentioned in one of my sessions, the crowd went wild when the presenter made the comment that there was no more ASDM in FTD. Many of us have years of experience with ASA’s (or even PIX), so ASDM is very comfortable to us, but it’s hard to deny the anguish it has caused over the years.

As for Firepower Threat Defense itself, it’s a great start and I can’t wait to see what the next releases bring. I’m calmly reminding myself that this is the dot zero first 6.1 release of FTD. Things take time, and the best things take more time.

4 thoughts on “Introduction to Cisco Firepower Threat Defense (FTD) on ASA 5500-X

  1. This isn’t the dot 0 release. It’s the version 6 release! I’ve rarely met anyone who liked the ASDM. Most people I know (100+?) use the CLI to admin the firewall. In the FTD they removed that ability from us. If you were in Cisco Live and they said “We’re getting rid of ASDM AND the CLI” there would have been riots.

    • Ok, you got me on that one. It’s true that it’s the 6.1 release, but it’s the 6.1.0 release, and I believe it’s the first that provides the entirely new management interface for ASA. That’s all I meant there.

      I also agree with you that if Cisco had mentioned the fact that the CLI would largely be disappearing, the applause probably wouldn’t been more restrained. Instead, we the people heard what we wanted and forgot to ask follow up questions 🙂

  2. I just got one here, a ASA-5506-FTD-K9. It is like a Meraki, very few options kinda playskool like. I have more options with my TPLink router I got from Walmart, kid you not. Without the overpriced subscriptions it does nothing. No more packet captures linking to wireshark, no debugs, nothing! This is crazy basic.

  3. Pingback: Cisco FTD 6.2 – With Firepower Device Manager – Staffeldt.Net

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s