Firepower Dns Policy




KB ID 0001107

Problem

Both the 5506-X (including the rugged and wireless versions) and the 5508-X now come with a FirePOWER services module inside them. This can be managed either from ASDM* (with the OS and ASDM upgraded to the latest version) or via the FireSIGHT management software/appliance.

Related Articles, References, Credits, or External Links

*UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed from the ASDM.

Solution

1. The first thing to do is cable the management interface and the interface you are going to use as the ‘inside’ (LAN) into the same network (VLAN).

2. The next step might seem strange if you are used to working with Cisco firewalls, but you need to make sure there is no IP address configured on the management interface. Think of it as just the hole that the FirePOWER services module (which will get its own IP) speaks out through.


3. So the interface configuration should look like this:

4. Let's make sure the FirePOWER service module is ‘up’ and healthy.

5. The SFR module is actually a Linux box that’s running within the firewall; to connect to it you issue a ‘session sfr’ command.

  • Default Username: admin
  • Default Password: Sourcefire (capital S)
  • Default Password (after version 6.0.0): Admin123 (capital A)

As this is the first time you have entered the SFR, you need to page down (press space) through the sizable EULA, then accept it.

6. Set a new password.

7. Set up all the IP and DNS settings, then exit from the module session.

8. Now you need to ‘send’ traffic through the module. In this case I’m going to send all IP traffic through, and I’m also going to set it to ‘fail open’. If you set it to fail closed, then traffic will cease to flow through the firewall if the FirePOWER services module goes off-line. I’m making the assumption you have a default policy-map applied.

9. Add that new class-map to the default policy-map.

WARNING: If you are going to set ‘fail-close’ then make sure your SFR module is operating normally, or you will cause downtime. Best to do this in a maintenance window!

10. Save the changes.

11. At this point the firewall should be able to ping the management IP of the SFR module.

12. Now when you connect to the ASDM you can manage the FirePOWER services module. Note: I have seen some firewalls that flatly refuse to connect to the FirePOWER Services Module, and give an error ‘unable to connect on port 443’ every time you launch ASDM. I just re-image the module and load in a fresh install (40 mins to an hour), and start again.

Code to Copy & Paste

If you are lazy like me!
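The copy-and-paste block this section refers to did not survive extraction. What follows is an added reconstruction of the CLI for steps 2 and 8 to 11 above, not the author's original text: the interface name Management1/1 and the class-map name SFR are assumptions (check ‘show interface ip brief’ for the management interface name on your unit), and 192.0.2.10 is a placeholder for the SFR management IP you set in step 7.

```text
! Step 2: no IP address on the management interface, the SFR module brings its own.
! (Assumption: the management interface is Management1/1, as on a 5506-X.)
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
! Step 8: class-map that matches all traffic for redirection to the SFR module
! (class-map name SFR is an assumption; any name will do)
class-map SFR
 match any
!
! Step 9: add the class to the default policy-map. fail-open keeps traffic flowing
! if the module goes offline; only switch to 'sfr fail-close' once the module is
! known to be healthy (see the warning above).
policy-map global_policy
 class SFR
  sfr fail-open
!
! Step 10: save the changes
write memory
!
! Step 11: confirm the module is up and that the firewall can reach it
! (192.0.2.10 is a placeholder for the SFR management IP configured in step 7)
show module sfr details
ping 192.0.2.10
```

Paste the block into configure terminal mode; the ‘!’ lines are ignored. If the ping fails, re-check step 1 (management interface and inside interface cabled into the same VLAN) before assuming the module itself is at fault.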

Note: If you get an ‘unable to connect’ error, see the following article:

13. I suggest you update everything first. The ASA will configure an access control policy set to allow and inspect all traffic by default, which we will edit later. Set everything (rule updates and geolocation info) to update on a schedule.

Cisco FirePOWER Services Adding Licences (ASDM)

In the box with the firewall you will have an envelope. You don’t need to open it (as below) because the PAK number you need is printed on the outside anyway. This is the firewall’s CONTROL LICENCE; it allows the module to be managed. We will install it into the ASDM; if you have a SourceFIRE appliance to manage the firewall you would install it there. You need two bits of information: the PAK and the LICENCE KEY of the FirePOWER module (see below).

The Licence Key is the MAC address of the module (not the ASA). You can find it at Configuration > ASA FirePOWER Configuration > Licence. This is also where you will add all the licences. Go to www.cisco.com/go/licence and register the licence (and any additional licences, e.g. AMP, Web filtering, etc.).

The licence(s) will be emailed to you. Open them in a text editor and copy the text of each licence. I’ve indicated below what you should be copying.

Paste that into the ASDM > Submit Licence.

It should say success. If it fails, you’ve pasted too much text, or there’s a problem with the licence.

Review your licences. Here I’ve added AMP and web filtering, but I’ve yet to add the control licence. If you don’t add the control licence, then when you try to edit the access control policy it will say you need a PROTECTION LICENCE (confusingly!).

FirePOWER Services Setup IPS

Disclaimer: These settings (and all others below) are to get you up and running. As with any security device, you need to tune settings accordingly. Please don’t follow these instructions, then email me with complaints that you’ve been attacked by ISIS/Scammers/Bots etc.

You get an IPS/IDS licence with any of the subscription-based licences. It’s less hassle to set this up before the access control policy. Configuration > ASA FirePOWER Configuration > Policies > Intrusion Policy > Create Policy > Give it a name > I tend to use ‘Balanced Security and Connectivity’; look at the other options and choose whichever you prefer > Create and Edit Policy.

Give the policy a name > Commit changes (I accept all the defaults).

FirePOWER Services Enable Malware Inspection and Protection

Note: Obviously this needs you to have added an AMP Licence!

Configuration > ASA FirePOWER Configuration > Policies > Intrusion Policy > Files > New File Policy > Give it a name > Store FirePOWER Changes.

Add new file rule > I add everything > and Set it to ‘Block Malware’ > Store FirePOWER Changes.

“Store ASA FirePOWER Changes”.

Warning: Nothing will be inspected until you add this file policy to an access control policy.

ASA FirePOWER Services Edit / Create Access Control Policy


I renamed the default policy. Note: Even though I’ve called it ‘Base-Access-Control-Policy’, you can only apply one policy; you just add different rules to the policy as required. Add Rule.

In Source Networks > Add in ‘Private Networks’ (See Warning Below).

Inspection Tab > Add in the IPS and file policy you created above (That’s why I’ve done it in this order).

I set it to log at the end of the connection > Add.

“Store ASA FirePOWER Changes”.

FirePOWER Private Networks Warning

Private Networks only covers RFC1918 addresses. If your LAN/DMZ etc. subnets are different, you should create a new Network object, then add the subnets for your network. If you do this, then substitute your network object every time I mention the Private Networks object.

Blocking a Particular URL with FirePOWER Services

Even if you don’t have a Web Filtering licence you can block particular URLs. Here I’m going to block access to Facebook. Configuration > ASA FirePOWER Configuration > Object Management > URL > Individual Objects > Add URL > Note I’m adding both http and https.

Then add a rule to your existing access control policy ABOVE the permit-all rule (they are processed like ACLs, from the top down). Set the source network to your private subnets.

On the URLs tab add in your URL objects and set the action to block with reset, or Interactive block with reset if you want to let the users proceed to Facebook after a warning.


Note: If you have a Web filtering Licence you can select ‘Social Networking’ from the Categories tab, and that would also block Facebook, and Twitter etc.


ASA FirePOWER Services Commit and Deploy The Changes

FirePOWER services behaves the same on-box as it does when you use the SourceFIRE appliance: you can make changes, but nothing gets deployed until you commit the changes. If you have made a change, then the ‘Store ASA FirePOWER Changes’ button will be active. Then you need to select File > Deploy FirePOWER Changes.

Note: You will only see the Deploy option on SFR modules running 6.0.0 or newer.

Deploy.

Even now it’s not deployed; it takes a while. To see progress, navigate to Monitoring > ASA FirePOWER Monitoring > Task Status > It will probably have a ‘running’ task.

Wait until the policy deployment says completed before testing.

Related Articles, References, Credits, or External Links

Originally Published 17/11/15

Thanks to Eli Davis for the feedback.

Customers and students always ask me how to see what is in the Firepower objects updated by the Cisco feed, so this blog will show you how to find this information.


Security Intelligence is an object category that contains three different types of objects. These are:

  1. Network
  2. DNS
  3. URL

You can find and manage all the feeds in the Objects page:

The Objects are implemented in the Access Control Policy under the Security Intelligence tab:

Finding the IP addresses in the Network Lists and Feeds objects

Nicely, this one is pretty easy. Go to Talosintelligence.com and click on Reputation Center and then IP Blacklist Download.

The huge list of IPs in the Network objects will appear. Now press Ctrl-A and then Ctrl-C.

Open Notepad on your desktop and then press Ctrl-V; the list will populate into your Notepad. Save the file.

Now you can use those IPs to test your SI lists by pasting them into a browser from an inside host.


Finding the URL and DNS addresses in the URL and DNS Lists and Feeds objects

Inside the ACP Security Intelligence tab, you can hover over one of the Network, DNS or URL categories. A pop-up will indicate how many entries are currently in this category.

That’s great, but what about the actual entries in each of these objects?


To find these you must SSH to either an FTD device or the FMC. You will find the three types of security intelligence entries in the following three locations:

  • Network: /var/sf/iprep_download
  • DNS: /var/sf/sidns_download
  • URL: /var/sf/siurl_download

Here you will find separate text files for each security intelligence category. You will also find text files for any of your custom feeds as well.

Here is an example of finding the DNS feed files: change into the directory with cd /var/sf/sidns_download and then list the files with ls.

The files have unrecognizable UUID (Universally Unique IDentifier) names, but if you use cat, head or tail to look at their contents you will see they are simply text files. Each one contains the name of the list as a comment in the first line.


Using this technique you can find out the contents of any of the security intelligence download files for each of the three categories. One huge caveat, however: these files are updated frequently. Depending on the update frequency you have selected, an entry that was here 5 minutes ago may be gone now. If you’re trying to troubleshoot an issue or predict whether a given IP, domain or URL will be blocked, this may not be a viable technique.