
Cisco dCloud

Cisco FireSIGHT System 5.4 Proof of Value v1


Last Updated: 24-SEP-2015

About This Cisco Solution


The Cisco FireSIGHT System 5.4 Proof of Value (POV) guide helps explain the POV process and accelerate the migration of
legacy ASA or competitive security appliances to the ASA 5500-X series Firewall with FirePOWER Services. This document
provides information on the POV process, training, software download, installation, licensing, initial configuration, customer
deployment, risk report generation, and device sanitization.

This POV eases installation, as everything in dCloud is configured and licensed for FireSIGHT System.

The following is an overview of the POV:

• Schedule dCloud FireSIGHT System PoV.

• (Optional) Contact dCloud support to extend scheduling past 5 days, if necessary. Maximum time allowed is 30 days.
Support will only require the customer name where this is deployed and the extension will take place.

• Install/Upgrade ASA and/or FirePOWER appliance.

• Add FirePOWER appliance to FireSIGHT System Management Center. Upgrade and apply necessary policies.

• (Optional) Add customer Active Directory and DNS information into FireSIGHT System Management Center.

• Let system collect data for necessary period of time.

• Export FireSIGHT System findings into executive reports and present to customer.

For more on collecting information, see Appendix A: Win Criteria and Appendix B: Data Collection Worksheet.

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 36

About this FireSIGHT System 5.4 PoV


The Cisco FireSIGHT System 5.4 PoV v1 includes:

• Deployment Topology

• Software Download

• dCloud Endpoint Router Changes

• Installation

• Risk Report Generation

• Device Sanitation

Demonstration Topology
This demonstration includes hardware and VM components. All of the components are fully configurable using the administrative
level account. Administrative account details are included in the script steps where relevant.

Figure 1. Demo Topology


Demonstration Preparation
BEFORE DEMONSTRATING

We strongly recommend that you go through this process at least once, before presenting in front of a live audience. This will allow
you to become familiar with the structure of the document and the demonstration.

PREPARATION IS KEY TO A SUCCESSFUL CUSTOMER PRESENTATION.

Follow the steps below to schedule your demonstration and configure your demonstration environment.

1. Browse to dcloud.cisco.com, select the location closest to you, and then log in with your Cisco.com credentials.

2. Schedule a demonstration.

3. Test your connection from the demonstration location before performing any scenario.

4. Verify your demonstration has a status of Active under My Demonstrations on the My Dashboard page in the dCloud UI.

• It may take up to 15 minutes for your demonstration to become active.

NOTE: Each section of the POV details additional connection and preparation information, if necessary.


POV Process
A POV is a customer engagement that demonstrates unique business value during an on-site engagement. The POV process
requires a scoping exercise to identify win criteria for a customer. Win criteria is used to focus the on-site engagement on the
solution elements that are most important to a particular customer. Appendix A: Win Criteria includes scoping questions to help
establish win criteria for the FireSIGHT System POVs.

There are two types of POV:

• Tactical—leverages available hardware, usually over 30 days or less.

• Strategic—addresses the larger customer business outcomes and leverages appliances that deliver the desired
performance of the customer. Can extend over 30 days, if required by the customer.

Most partner-executed POVs will be tactical, leveraging FirePOWER Services for ASA seed or NFR units and virtual FireSIGHT
System Management Center (FSMC).

Tactical POVs help to ensure an efficient delivery of a professional evaluation of the solution. All customer configurations are
implemented prior to arriving on site, based on pre-defined customer evaluation data. Customer data includes network,
management, span configuration, active directory and rack and power data. For a worksheet to collect this information, see
Appendix B: Data Collection Worksheet.

This guide provides general best practices, and includes system installation and configuration steps for a partner executed POV. A
successful POV is defined prior to going on-site, and win criteria is unique for each customer. Edit any configuration items as
required to establish unique business value for your customer.

NOTE: Complete all of the following sections together for the system to work properly during a customer evaluation. If you miss
any part of this configuration, the system will not collect the desired information. Follow the instructions carefully and submit any
feedback to dcloud-support@cisco.com.

Training
It is strongly recommended that you complete the following e-learning modules before attempting to install the software or perform
an evaluation. The training is available on the Partner Education Connection via the Security Partner Community.

• Network Threat Pre-Sales SE Stage 2: https://communities.cisco.com/docs/DOC-57815

• FirePOWER Services for ASA Tech Talk Recordings: https://communities.cisco.com/docs/DOC-30977


Deployment Topology
The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation IPS (NGIPS), Application
Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP). You can use the module in single or multiple
context mode, and in routed or transparent mode. Although the module has a basic command line interface (CLI) for initial
configuration and troubleshooting, you configure the security policy on the device using a separate application, FireSIGHT System
Management Center (previously known as Defense Center), which will be hosted in your running dCloud session.

The ASA FirePOWER module runs a separate application from the ASA. The module can be a hardware module (on the ASA
5585-X) or a software module (5506-X through 5555-X). You can configure the device in either a passive (monitor only) or inline
deployment.

• Inline Deployment—In an inline deployment, the actual traffic is sent to the device, and the device’s policy affects what
happens to the traffic. After dropping undesired traffic and taking any other actions applied by policies, the traffic is
returned to the ASA for further processing and transmission.

• Passive Deployment—In a passive deployment, a copy of the traffic is sent to the device, but it is not returned to the ASA.
Passive mode lets you see what the device would have done to traffic, and lets you evaluate the content of the traffic,
without impacting the network.

The ASA FirePOWER module connects to a FireSIGHT System Management Center (FSMC). In this dCloud Proof of Value,
dCloud hosts the FSMC, which is already fully configured, licensed, and updated. The ASA FirePOWER module can be connected
back to dCloud by a dCloud endpoint router or public NAT/PAT provided by the customer’s Internet connection.

The Cisco NGIPS Virtual Appliance (previously known as Sourcefire 3D Virtual Sensor) can be used if the customer has a VMware
virtual environment and is able to set up monitoring via SPAN or another method. If the virtual appliance is used, public NAT or PAT
must be used for the communication back to the FireSIGHT System Management Center.

NOTE: You need to change the FireSIGHT System Management Center Communication port on the ASA FirePOWER module or
Virtual FirePOWER Managed Device from its default port to 8443 before any managed device, ASA or virtual, can be added to
FSMC. Command example: configure network management-port 8443.

To minimize risk or disruption to the customer environment while providing the most value, passive deployments are recommended
for FireSIGHT System POVs. Accomplish this by configuring a span port on a Cisco switch in the customer environment and
configuring the ASA with FirePOWER Services in Monitor Only Mode.

NOTE: There are multiple network locations for the POV, each with its own caveats, benefits and challenges. Consider these options
when placing your ASA with FirePOWER Services or Virtual Device on a customer network. For the best deployment, multiple
FirePOWER appliances or Virtual Sensors can be placed in different locations to maximize visibility and context.


Wiring Diagrams
dCloud Endpoint Router and ASA with FirePOWER Services

This design is the model followed in this guide. This requires an ASA with FirePOWER device and a dCloud Endpoint Router. The
Cisco Endpoint Router builds a VPN connection back to dCloud from inside the customer network. The Cisco FirePOWER module
is placed behind the endpoint router and communicates back to the dCloud hosted FireSIGHT System Management Center over
the VPN.

Requirements:

• TCP Port 443 open through customer firewall for EZVPN.

• (Optional) If using the customer’s Active Directory for user context:

o Two separate IP subnets must be available. One will be used for the outside interface of the Endpoint Router
and one will be used for the connection to the internal network where the Active Directory Server is reachable.

o Customer must be willing to add a Windows static route on their Active Directory server, which will point to the
dCloud endpoint router for the dCloud hosted subnets.

• The customer network cannot be in the 198.18.128.0/18 subnet.

Figure 2. dCloud Endpoint Router and ASA with FirePOWER Services


ASA with FirePOWER Services and public IP

This design is the model used if no dCloud Endpoint router is available. This requires an ASA with FirePOWER device and NAT
mappings on the customer firewall. The Cisco FirePOWER module is placed behind the customer firewall and communicates using
NAT to the dCloud hosted FireSIGHT System Management Center. A second NAT is used for Active Directory Integration if
desired.

Requirements:

• One required 1-to-1 NAT or PAT on customer firewall. If PAT is used, TCP port 8443 must be forwarded to the
management IP of the FirePOWER module. Also, the outbound masquerade IP must match inbound PAT IP Address.

• (Optional) One 1-to-1 NAT or PAT for Active Directory Connection.

Figure 3. ASA with FirePOWER Services and public IP


Virtual FirePOWER Device and public IP

This design is the model used if the customer is running a virtual environment. This requires installation of a Virtual FirePOWER
appliance in the customer’s virtual environment and NAT mappings on the customer firewall. The Cisco Virtual FirePOWER device
is placed behind the customer firewall and communicates using NAT to the dCloud hosted FireSIGHT System Management
Center. A second NAT is used for Active Directory Integration if desired.

Requirements:

• One required 1-to-1 NAT or PAT on customer firewall. If PAT is used, TCP port 8443 must be forwarded to the
management IP of the FirePOWER module. Also, the outbound masquerade IP must match inbound PAT IP Address.

• (Optional) One 1-to-1 NAT or PAT for Active Directory Connection.

Figure 4. Virtual FirePOWER Device and public IP


PoV Device Placement Locations


Internet Perimeter – Ingress/Egress to core network

Best Placement:

• Internal to a network firewall.

Traffic Collection Methods:

• Tap or SPAN. SPAN ports are common. Ensure that you are collecting all TX/RX activity on the link to the outbound
firewall.

Caveats:

• Ensure that the ASA is internal to a NAT gateway for best IP visibility.

• If there is some type of proxy device, placement internal to the proxy is preferred. Otherwise event resolution to internal
hosts will be dramatically skewed.

Benefits:

• Visibility of inbound threats and malware detections.

• Visibility of outbound indications of compromise (IoC).

• Visibility of Internet facing applications that users may wish to control.

• GeoIP, Security Intelligence (IP reputation), and URL data will be captured.

Challenges:

• FireSIGHT visibility will be limited to internet ingress/egress traffic. This means that hosts that are not regularly interacting
with the internet will not be profiled. This can impact the value demonstrated in FireSIGHT rule recommendations and
Impact Flags for IPS event reduction.

Network Segmented Zone – DMZ / Server Farm

Best Placement:

• Zone dedicated to a server farm, DMZ, or specialized network segment.

Traffic Collection Methods:

• Tap or SPAN. SPAN ports are common. Ensure that you are collecting all TX/RX activity on the link to the outbound
router. More contextual data will be available if the server farm’s DMZ can SPAN all traffic in the broadcast domain.

Caveats:

• Ensure that the ASA is internal to a NAT gateway for best IP visibility.

• If there is a proxy device, place the ASA internal to the proxy. Otherwise event resolution to internal hosts will be
dramatically skewed.

• Some customers may deploy load balancers. If possible, place the ASA internal to the load balancer or monitor the
activity from the entire switch. This ensures threat detections are seen against specific hosts.


Benefits:

• Visibility of inbound threats, IOCs, malware, applications, GeoIP reputation, and Security Intelligence for the server farm.

• For internal or back-office server farm, ASA can visualize and profile internal assets as they interact with the server farm.

Challenges:

• Threat and application data may be limited because of the specialization of the server farm.

Core Switch

Best Placement:

• On a SPAN that can capture traffic representative of user activity across the network.

Traffic Collection Methods:

• SPAN (taps are not recommended). Select enough links or VLANs to get a fair representation of network activity.

Caveats:

• Not all network environments may have a SPAN port available.

• Ensure that the SPAN can accommodate the volume of traffic being passed out the interface and that the switch has
the computing resources to SPAN a broad enough spectrum of traffic.

• In some environments, traffic can be missed when spanning VLANs. This is common on Internet ingress and egress
traffic. Egress traffic carries the VLAN tag, but ingress traffic may not yet have the tag.

Benefits:

• Benefits are similar to Internet perimeter placement.

• Visibility of internal host-to-host interactions which provides visibility to internal threat propagation.

• Significantly improved FireSIGHT contextualization. Host profiles will be built not just on internet facing traffic, but on all of
the communications used by internal hosts.

Challenges:

• Depending on SPAN configuration you may not have visibility of internet ingress and egress traffic.

• Internal threat propagation visibility may be limited if there is no current outbreak event or internet egress traffic is not
being captured.

• GeoIP, URL, and Security Intelligence events may be limited if there is no internet ingress and egress visibility.

Recommendation

The best deployment is one that gives visibility of both internet facing and internal segments. The two elements allow for good
threat visibility and network context.

If possible, receive traffic from:

• A SPAN port that includes internet ingress and egress traffic and some VLANs that may include a back-office server farm
or active users.

• Multiple SPAN ports for internet and internal traffic.

• A combination of TAPs for internet ingress/egress traffic, and SPAN ports for internal traffic.


Software Download
This guide focuses on downloading required software for an ASA 5515-X with FirePOWER Services and a dCloud running
session. There are many possible software requirements. While the information below serves as an example of a common
configuration for a dCloud POV, you are encouraged to adjust the process outlined below as required to match your hardware
specifications.

Using the dCloud running session, many of the software packages are provided for ease of deployment. However, not all versions
of code are available within the demo and may require direct download from Cisco.com. If you are unable to access any software
due to entitlement, open a special file publish case with partner help following the instructions listed at
https://communities.cisco.com/docs/DOC-55301.

For direct Cisco.com download guidance, see Appendix C: Cisco.com Direct Software Download Instructions.

For best performance, FirePOWER Services for ASA requires system software 9.4(1) or later. For additional information on
migration paths and upgrade dependencies, please refer to the following link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/upgrade/upgrade92.html.

dCloud Endpoint Router Changes


Using the dCloud Endpoint Router is the easiest solution with minimal customer network impact. You will change the configuration
of the dCloud endpoint router slightly for this FirePOWER PoV. This guide assumes you have an already functioning, fully
configured dCloud endpoint router.

To configure an endpoint router, see the help page located at https://dcloud-cms.cisco.com/help.

Router Changes Needed:

1. Backup the current configuration for later use.


kit-XXXX#copy startup-config flash:backup.config

2. Remove Service Policy that breaks FirePOWER/FireSIGHT Communication.


kit-1678#conf t
kit-1678(config)#interface vlan 10
kit-1678(config-if)#no service-policy output QOS
kit-1678(config-if)#end
kit-1678#write memory
Building configuration...
[OK]

NOTE: Steps 3 through 6 are optional, and are required only if adding customer site Active Directory into POV.

3. Active Directory Server NAT Configuration.


kit-1678# conf t
kit-1678(config)# interface Vlan200
kit-1678(config-if)# description Customer Network
kit-1678(config-if)# ip address <Customer Network IP>
kit-1678(config-if)# ip nat inside
kit-1678(config-if)# ip virtual-reassembly in
kit-1678(config-if)# ip tcp adjust-mss 1000
kit-1678(config-if)# no autostate
kit-1678(config-if)# exit


4. Find Endpoint Kit Vlan 100 IP Address.


kit-1678(config)#do show ip interface brief vlan 100
Interface IP-Address OK? Method Status Protocol
Vlan100 10.65.104.209 YES NVRAM up

5. Configure Static NAT.


kit-1678(config)# ip nat inside source static <Active Directory Server IP> <Vlan 100 IP Address +1>
Example: ip nat inside source static 192.168.168.104 10.65.104.210
kit-1678(config)#end
kit-1678#write memory
Building configuration...
[OK]

6. Add Static Route to Active Directory Server. This will route traffic destined to the FireSIGHT System Management Center to
the dCloud Endpoint Router. Open Windows command prompt and type:
route add 198.18.128.0 mask 255.255.192.0 <Endpoint Router vlan 200 IP>
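The optional steps 3 through 6 derive a few values by hand (the Vlan 100 address from step 4, the static NAT outside address as that address plus one, and the Windows route for the dCloud hosted subnets). The following Python helper is an added example, not Cisco's or dCloud's code: it parses the Vlan 100 address out of constructed `show ip interface brief vlan 100` output, enforces the requirement that the customer network must not fall inside 198.18.128.0/18, and renders the step 5 and step 6 commands. The sample addresses and the hypothetical router Vlan 200 address are assumptions.

```python
"""Plan the optional Active Directory NAT for a dCloud endpoint router.

Added example (not Cisco's or dCloud's code). Inputs are the customer network
that Vlan 200 sits on, the Active Directory server address, the router's own
Vlan 200 address, and captured 'show ip interface brief vlan 100' output.
"""
import ipaddress

# dCloud hosted subnets; the guide forbids customer networks inside this range
# and routes it to the endpoint router with mask 255.255.192.0 in step 6.
DCLOUD_SUBNET = ipaddress.ip_network("198.18.128.0/18")

# Constructed sample output in the shape shown in step 4 (assumed values).
SAMPLE_SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan100                10.65.104.209   YES NVRAM  up                    up
"""


def parse_vlan100_ip(show_output: str) -> ipaddress.IPv4Address:
    """Return the IPv4 address of Vlan100 from 'show ip interface brief' text."""
    for line in show_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].lower() == "vlan100":
            if fields[1].lower() == "unassigned":
                raise ValueError("Vlan100 has no IP address assigned")
            return ipaddress.IPv4Address(fields[1])
    raise ValueError("Vlan100 not found in output")


def plan_ad_nat(customer_network: str, ad_server_ip: str,
                vlan100_ip: ipaddress.IPv4Address, router_vlan200_ip: str) -> dict:
    """Validate the inputs and render the step 5 NAT and step 6 route commands."""
    net = ipaddress.ip_network(customer_network, strict=False)
    ad = ipaddress.ip_address(ad_server_ip)
    gw = ipaddress.ip_address(router_vlan200_ip)

    # The customer network must not overlap the dCloud hosted subnets, or the
    # static route added on the AD server would black-hole local traffic.
    if net.overlaps(DCLOUD_SUBNET):
        raise ValueError(f"customer network {net} overlaps dCloud subnet {DCLOUD_SUBNET}")
    # The AD server and the router's Vlan 200 address must share that network,
    # otherwise the Windows static route has no reachable next hop.
    if ad not in net or gw not in net:
        raise ValueError("AD server and router Vlan 200 address must be in the customer network")

    nat_outside = vlan100_ip + 1  # step 5: "<Vlan 100 IP Address +1>"
    return {
        "nat_outside": str(nat_outside),
        "ios_nat": f"ip nat inside source static {ad} {nat_outside}",
        "windows_route": (f"route add {DCLOUD_SUBNET.network_address} "
                          f"mask {DCLOUD_SUBNET.netmask} {gw}"),
    }


if __name__ == "__main__":
    vlan100 = parse_vlan100_ip(SAMPLE_SHOW_IP_INT_BRIEF)
    plan = plan_ad_nat("192.168.168.0/24", "192.168.168.104", vlan100, "192.168.168.1")
    print(plan["ios_nat"])
    print(plan["windows_route"])
```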

NOTE: The following ASA setup preparations can be performed at the most convenient location, whether a customer site or a non-customer site.

Installation
Confirm Health of Solid-State Drive (SSD)
Prior to installation, confirm the health of the solid-state drive (SSD) within your 5515-X.

1. Power on the ASA and access the command line.

2. Enter the show inventory command and confirm the presence of the 128 GB SSD storage device.
ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V01 , SN: FGH123456A1

Name: "Storage Device 1", DESCR: "Unigen 128 GB SSD MLC, Model Number: UGB88RRA128HM3-EMY-DID"
PID: N/A , VID: N/A , SN: 12345678900

3. If the SSD is not recognized, consider the following:

• The SSD drive may not be inserted properly. Ensure the SSD drive is properly inserted and secured via the handle. With
the ASA powered off, pull the SSD drive out and re-insert it.

• The SSD drive may have failed. A healthy SSD drive will show a solid green LED next to the SSD. In the event of a
failure, contact Cisco TAC for a replacement (if you have an active service contract).


Uninstalling Existing IPS or CX Software (If Required)


If you purchased the ASA with FirePOWER Services, the module software and required solid-state drives (SSDs) came pre-installed and you can skip to the next section.

If you purchased the ASA with IPS or CX, you need to uninstall the old services before installing FirePOWER services. The Cisco
ASA can only run a single software module at a time so you must shut down any other software module that may be running.

1. Access the ASA command line and follow the procedures below. The commands will shut down the ips module, uninstall the
IPS module, and then reload the ASA.
ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall
ciscoasa# reload

NOTE: If you need to remove CX, follow the same steps, but use cxsc in each command instead of ips.

ASA 5515-X System Software


The following instructions use a running dCloud session to transfer files. If the files needed for your device type are not available in
the demo session, extra steps may be required to transfer the files downloaded directly from Cisco.com to the ASA Firewall. Extra
downloaded files can be placed in dCloud on WKST1.

NOTE: If extra files are downloaded to the C:\Users\Administrator\Downloads directory, they are accessible via FTP similarly to the
following steps.

1. For consistency, install the ASA 5515-X system software based on the factory-default configuration. If the ASA is not running
the factory-default configuration, enter the following commands.
ciscoasa# copy /noconfirm running-config disk0:/backup.config
ciscoasa# config t
ciscoasa(config)# config factory-default

2. Place the firewall in transparent mode and configure the management interface to receive a DHCP address from the
dCloud Endpoint Router.
ciscoasa(config)# firewall transparent
ciscoasa(config)# interface management 0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address dhcp setroute
ciscoasa(config-if)# no shut

3. Additional configuration items help to ensure full network connectivity and establish a system password.
ciscoasa(config)# enable password <Password>
ciscoasa(config)# clock timezone <TimeZone> <Hours offset from UTC>
ciscoasa(config)# ntp server 198.18.128.1 prefer
ciscoasa(config)# sysopt noproxyarp management
ciscoasa(config)# dns domain-lookup management
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 198.18.133.1
ciscoasa(config-dns-server-group)# exit
ciscoasa(config)# http server enable
ciscoasa(config)# http 0 0 management


4. Configure an interface to receive the SPAN traffic and forward it to the FirePOWER module.
ciscoasa# conf t
ciscoasa(config)# interface gigabitEthernet 0/1
ciscoasa(config-if)# no nameif
ciscoasa(config-if)# traffic-forward sfr monitor-only
ciscoasa(config-if)# no shut

5. After completing the previous steps, you should have IP connectivity from the ASA to the dCloud Endpoint Router. Now,
configure SSH access to the ASA.
ciscoasa(config)# username <user> password <Password> privilege 15
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 management
ciscoasa(config)# ssh timeout 60
ciscoasa(config)# crypto key generate rsa general-keys
ciscoasa(config)# exit
ciscoasa# wr mem

6. Verify Connectivity through the dCloud Endpoint Router back to dCloud.


ciscoasa# ping 198.18.133.36
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.18.133.36, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/50 ms

7. Copy the software images from dCloud FTP server to ASA Firewall. Enter the following commands to download the files to the
ASA.
ciscoasa# copy /noconfirm ftp://admin:C1sco12345@198.18.133.36/asa941-smp-k8.bin flash:
ciscoasa# copy /noconfirm ftp://admin:C1sco12345@198.18.133.36/asdm-743.bin flash:
ciscoasa# copy /noconfirm ftp://admin:C1sco12345@198.18.133.36/asasfr-5500x-boot-5.4.0-763.img flash:

8. Use the show flash command to verify the file downloads. Change the boot system and asdm image files and save the
configuration before device reload.
ciscoasa# sh flash
--#-- --length-- -----date/time------ path
122 41598976 Jun 10 2015 09:25:20 asasfr-5500x-boot-5.4.0-763.img
127 69709824 Jul 17 2015 11:00:03 asa941-smp-k8.bin
133 24810876 Jul 17 2015 11:03:44 asdm-743.bin
ciscoasa# conf t
ciscoasa(config)# boot system flash:asa941-smp-k8.bin
ciscoasa(config)# asdm image flash:asdm-743.bin
ciscoasa(config)# end
ciscoasa# write memory
ciscoasa# reload noconfirm

9. After the ASA reloads, use the show version command to verify the software image installation.
ciscoasa> en
Password: **********
ciscoasa# show version | include Software
Cisco Adaptive Security Appliance Software Version 9.4(1)
ciscoasa# sh version | include Manager
Device Manager Version 7.4(3)
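Steps 2, 8 and 9 each end with a check you make by eye (the SSD is listed, the three images are on flash, and the ASA runs 9.4(1) or later as FirePOWER Services for ASA requires). The following Python script is an added example, not Cisco's code: it runs those three checks over captured CLI output, using constructed samples in the shape shown above. The version comparison ignores any interim build suffix, which is an assumption made here.

```python
"""Post-install checks for the ASA 5515-X procedure above.

Added example (not Cisco's code). Feed it the text of 'show inventory',
'show flash' and 'show version | include Software' and it reports whether
the SSD is present, the images were copied, and the software version meets
the 9.4(1) minimum named in the Software Download section.
"""
import re

REQUIRED_ASA_VERSION = (9, 4, 1)
EXPECTED_IMAGES = (
    "asa941-smp-k8.bin",
    "asdm-743.bin",
    "asasfr-5500x-boot-5.4.0-763.img",
)

# Constructed samples mirroring the output shown in steps 2, 8 and 9.
SAMPLE_SHOW_INVENTORY = """\
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V01 , SN: FGH123456A1

Name: "Storage Device 1", DESCR: "Unigen 128 GB SSD MLC, Model Number: UGB88RRA128HM3-EMY-DID"
PID: N/A , VID: N/A , SN: 12345678900
"""
SAMPLE_SHOW_FLASH = """\
--#-- --length-- -----date/time------ path
122 41598976 Jun 10 2015 09:25:20 asasfr-5500x-boot-5.4.0-763.img
127 69709824 Jul 17 2015 11:00:03 asa941-smp-k8.bin
133 24810876 Jul 17 2015 11:03:44 asdm-743.bin
"""
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.4(1)\n"


def parse_asa_version(show_version: str) -> tuple:
    """Return (major, minor, maintenance) from 'Software Version 9.4(1)' text.

    An interim suffix such as 9.4(1)5 is ignored for the comparison (assumption).
    """
    m = re.search(r"Software Version (\d+)\.(\d+)\((\d+)\)", show_version)
    if not m:
        raise ValueError("no ASA software version found in output")
    return tuple(int(x) for x in m.groups())


def meets_minimum(version: tuple) -> bool:
    """True when the parsed version is 9.4(1) or later."""
    return version >= REQUIRED_ASA_VERSION


def ssd_present(show_inventory: str) -> bool:
    """True when 'show inventory' lists a Storage Device described as an SSD."""
    for line in show_inventory.splitlines():
        if line.startswith('Name: "Storage Device') and "SSD" in line:
            return True
    return False


def missing_images(show_flash: str) -> list:
    """Return the expected image names that are absent from 'show flash' output."""
    present = set()
    for line in show_flash.splitlines():
        # Data rows start with the file index and length; the header does not.
        if re.match(r"\s*\d+\s+\d+\s", line):
            present.add(line.split()[-1])
    return [img for img in EXPECTED_IMAGES if img not in present]


def preflight(show_inventory: str, show_flash: str, show_version: str) -> dict:
    """Run all three checks and return a summary dict."""
    version = parse_asa_version(show_version)
    return {
        "ssd_present": ssd_present(show_inventory),
        "missing_images": missing_images(show_flash),
        "version": version,
        "version_ok": meets_minimum(version),
    }


if __name__ == "__main__":
    print(preflight(SAMPLE_SHOW_INVENTORY, SAMPLE_SHOW_FLASH, SAMPLE_SHOW_VERSION))
```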


FirePOWER Services for ASA


1. In previous steps, we loaded the FirePOWER services for ASA boot image. Begin by setting the module boot location in the
ASA and loading the boot image.
ciscoasa# sw-module module sfr recover configure image flash:asasfr-5500x-boot-5.4.0-763.img
ciscoasa# sw-module module sfr recover boot
Module sfr will be recovered. This may erase all configuration and all data
on that device and attempt to download/install a new image for it. This may take
several minutes.

Recover module sfr? [confirm]


Recover issued for module sfr.

2. Wait approximately 5-10 minutes for the ASA FirePOWER module to boot up.

3. Open a console session to the FirePOWER Services boot image. After opening the session, press ENTER for the login
prompt, with the username admin and the password Admin123.
ciscoasa# session sfr console
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
<Return>
Cisco ASA SFR Boot Image 5.4.0

asasfr login: admin


Password: Admin123

NOTE: If the module is not fully loaded, the session command will fail with a message about not being able to connect over ttyS1
or ERROR: Failed opening console session with module sfr. Module is in “Recover” state. Please try again later. If this
happens, try again in a few minutes.

4. Use the setup command to prepare the system for software package installation. The SFR will get a DHCP address from the
dCloud Endpoint Router.
asasfr-boot>setup
Welcome to SFR Setup
[hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [asasfr]: asasfr


Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: Y
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: 198.18.128.1
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname: asasfr
Management Interface Configuration

IPv4 Configuration: dhcp

IPv6 Configuration: Stateless autoconfiguration


NTP configuration:
198.18.128.1
CAUTION:
You have selected DHCP. The system will stop functioning correctly if DHCP
changes the assigned address due to lease expiration or other reasons.
We suggest you use static addressing instead.

CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a global address
based on network prefix and a device identifier. Although this address is unlikely
to change, if it does change, the system will stop functioning correctly.
We suggest you use static addressing instead.

Apply the changes?(y,n) [Y]: Y


Configuration saved successfully!
Applying...
Restarting network services...
Restarting NTP service...
Done.
Press ENTER to continue...
asasfr-boot>

5. Verify the IP connectivity back to dCloud and use the system install command to install the system software image.

NOTE: When installation is complete, the system will reboot. Pressing Return during installation automatically causes the SFR to
reboot when complete. If a response is not returned in a reasonable time, the upgrade will automatically cancel. This process may
take 20 minutes or more depending on Internet connection speeds.
asasfr-boot>ping 198.18.133.36
PING 198.18.133.36 (198.18.133.36): 56 data bytes
64 bytes from 198.18.133.36: seq=0 ttl=124 time=33.735 ms
64 bytes from 198.18.133.36: seq=1 ttl=124 time=35.768 ms
--- 198.18.133.36 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 30.084/32.986/36.308 ms
<Ctrl-C>
asasfr-boot>system install ftp://admin:C1sco12345@198.18.133.36/asasfr-sys-5.4.0-764.pkg
Verifying
Downloading ..
Extracting..
Package Detail
Description: Cisco ASA-SFR 5.4.0-764 System Install
Requires reboot: Yes

Do you want to continue with upgrade? [y]:Y


Starting upgrade process…
Populating new system image
<Return>
<Return>
Reboot is required to complete the upgrade. Press ‘Enter’ to reboot the system.
Reloading..

6. Allow 5-10 minutes for the newly installed FirePOWER Services module to start up.


7. Open a session to the module and login with the default username of admin and password of Sourcefire.

NOTE: You will see a different login prompt because you are logging into a fully functional module.
ciscoasa# session sfr console
Opening command session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
<return>
Sourcefire ASA5515 v5.4.0 (build 764)
Sourcefire3D login: admin
Password: Sourcefire

8. Continue with the system installation process as prompted. You must first read and accept the EULA. Then, change the admin
password and configure IP addresses and other settings as prompted.
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
END USER LICENSE AGREEMENT

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY
IMPORTANT THAT YOU CHECK THAT YOU ARE …

Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES

System initialization in progress. Please stand by.


You must change the password for 'admin' to continue.
Enter new password: <New Password>
Confirm new password: <New Password>
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]: N
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]: dhcp
If your networking information has changed, you will need to reconnect.
Interface eth1 speed is set to 'autoneg' at /usr/local/sf/lib/perl/5.10.1/SF/NetworkConf/NetworkSettings.pm
line 2095.
For HTTP Proxy configuration, run 'configure network http-proxy'

9. Complete the command line configuration by identifying the FireSIGHT System Management Center that will manage the
FirePOWER Services for ASA module. The registration key is a one-time shared secret of your choosing; the same value must
be entered when you add the device in the FireSIGHT System Management Center, and the NAT ID (12345 below) must match
as well. You must also change the management-channel port to 8443 to match this dCloud environment.

NOTE: If using a design that requires a public IP and NAT setup at the customer site, you must use the public IP for the FireSIGHT
System Management Center instead of the private IP noted below. Public IP information is found in the session details tab of the
running dCloud session.
> configure network management-port 8443
Management port changed to 8443.
> configure manager add 198.18.133.10 C1sco12345 12345
The command syntax is configure manager add <host> <key> [nat-id].


10. Collect the ASA SFR IP address and note it for the next task.
> show network
===============[ System Information ]===============
Hostname : Sourcefire3D
Domains : dcloud.cisco.com
DNS Servers : 10.64.104.209
Management port : 8443
IPv4 Default route
Gateway : 10.64.104.209

======================[ eth0 ]======================


State : Enabled
Channels : Management & Events
Mode :
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : D4:8C:B5:4E:69:54
----------------------[ IPv4 ]----------------------
Configuration : DHCP
Address : 10.64.104.213
Netmask : 255.255.255.240
Broadcast : 10.64.104.223
----------------------[ IPv6 ]----------------------
Configuration : Disabled

11. Press Ctrl-Shift-6, then x (the escape sequence shown as CTRL-^X when the session opened) to return to the Cisco ASA command line.

Add ASA SFR to FireSIGHT System Management Center


1. From the Session Details of your active demo session, locate the Public Address.

2. In a browser on your local device, open an HTTPS session to the Public Address.

3. Log in with the credentials from the Session Details tab of your active session.

Figure 5. Session Details


4. Click Sign in.

5. To add your FirePOWER Services for ASA sensor to the FireSIGHT System Management Center, navigate to Devices >
Device Management.

6. Select Add > Add Device from the top right.

7. Fill in the required information to match your customer environment and click Register.

NOTE: The IP address, registration key, and NAT ID were configured in the previous step, and must match. The FireSIGHT
System Management Center contacts the FirePOWER Services for ASA Module and adds it as a managed device. If the device
does not add successfully, confirm that the registration keys match, the software versions are compatible, and that a network
device is not blocking the connection.

If using a design that requires a public IP and NAT setup at the customer site, the IP address entered when adding the device to
the FireSIGHT System Management Center must be the customer provided public IP instead of the private IP used below.

Figure 6. Device Management

Figure 7. Add Device


8. Confirm that your FirePOWER Services module is now listed on the device management page and has licenses installed.

Figure 8. Devices

9. Now apply the System Policy and Health Policies to the device. Navigate to System > Local > System Policy.

Figure 9. System Policy

10. Click the green check icon to apply the policy Cisco PoV System Policy.

Figure 10. Cisco PoV System Policy

11. Select all devices and click Apply.

Figure 11. Click Apply


12. Select Health > Health Policy.

Figure 12. Health Policy

13. Click the green check icon to apply the policy Cisco PoV Health Policy.

14. Select all devices and click Apply.

Figure 13. Click Apply

15. Verify that you are running the latest FirePOWER System patch by selecting System > Updates.

16. If necessary, select the update that applies to your device.

• The Cisco Network Sensor Patch applies to Cisco ASA FirePOWER devices.

• The Sourcefire 3D Device Virtual64 VMware Patch applies to virtual FirePOWER devices.

17. Click the icon to install the correct patch for your system.

18. Select the checkbox next to your FireSIGHT System MC and click Install.


19. You can view the status of any upgrade on the System > Monitoring > Task Status screen. This upgrade process may take
30 minutes to 4 hours depending on the type of physical device and Internet connection speeds.

Figure 14. Monitoring > Task Status

20. Once the system upgrade is complete and the correct customer SPAN port is configured, you can let the system collect data
for the agreed period of time. You can access the customer ASA and FirePOWER sensor from the dCloud-hosted FireSIGHT System
Management Center without returning onsite.

If desired, you can also share the dCloud Cisco Proof of Value session with the customer for their access. Click Share a Session
for more information.


(Optional) Customer Active Directory and DNS settings


Optionally, you can add the customer's Active Directory server to the FireSIGHT System Management Center. This adds user and
hostname context to the events, but is NOT required to complete the POV. You will need to enter the NAT IP address configured
for the customer's Active Directory server on the dCloud Endpoint Router to complete the connection.

1. Select Policies > Users. You can then Add the LDAP connection and Add User Agent. Download the Sourcefire User
Agent Windows installation file from the dCloud FTP server and install it on the customer's Active Directory server.
FTP Server IP: 198.18.133.36
Username: admin
Password: C1sco12345
Installation file(s): Sourcefire_User_Agent_2.2-18.zip

Figure 15. Policies > Users

(Optional) Additional Settings


The FirePOWER console is highly configurable. You can update settings to make the interface more usable for the POV. dCloud
provides you complete administrative access to the system, allowing you to adjust it based on individual customer requirements and
best practices for POVs.

1. Navigate to Admin > User Preferences and choose the Event View Settings tab. Under Default Intrusion Workflow, select
Event-Specific from the dropdown. Scroll to the bottom of this page and click Save.

Figure 16. Event View Settings


2. Next, select the Dashboard Settings Tab. Change the default to Detailed Dashboard and click Save.

Figure 17. Dashboard Settings

3. Then, select the Time Zone Preference Tab. Update the time zone to reflect the Customer’s home time zone and click Save.

Figure 18. Time Zone Preference


Risk Report Generation


After letting the system run for the pre-defined evaluation period, you can begin to collect the Risk Report data. The process
involves running the evaluation report script and importing the data directly into a spreadsheet to prepare the reports.

1. Connect to WKST1 using one of the following options:

• Using Cisco AnyConnect (Highly Recommended) [Show Me How] and a local RDP client. [Show Me How].

o Log in with the following credentials: IP Address: 198.18.133.36, Username: wkst1\administrator, Password:
C1sco12345

• Using the Cisco dCloud Remote Desktop client. [Show Me How].

2. Open Putty.exe from the Desktop.

3. Select the FSMC saved connection, using the session details as login information. An SSH connection opens to the
FireSIGHT System Management Center.

Figure 19. Session Details

4. Enter cd /Volume/home/admin/sf_eval to change to the evaluation report folder (shown as ~/sf_eval in the prompt).

5. Enter ls to show the folders and files located here. There is one script in this folder, sf_eval.pl, that you will run twice. The first
run collects the contact data for the reports into a configuration file. The second run generates the reports.
admin@VirtualDC64:~/sf_eval$ ls
SF sf_eval.pl
admin@VirtualDC64:~/sf_eval$ sf_eval.pl
[*] WARNING - No configuration file found "/Volume/home/admin/report.conf"
Starting interview process to create a new configuration file.
1) Enter company name [Evaluator]:
2) Enter the author name to show on the report title page [Your Name]:
3) Enter the evaluators email address [company@company.com]:
4) Anonymize data? (This will remove any user names and ip addresses from report) [n]:
5) Enter the Partner name [Cisco Preferred Partner]:
6) Enter the Cisco technical contact email address, must be a valid @cisco.com email address []:
7) Enter the Partner contact email address [partner_se@company.com]:
8) Enter a default report type (network, malware, attack, or all) [all]:

[*] Configuration complete:


Run again to generate a report
admin@VirtualDC64:~/sf_eval$


admin@VirtualDC64:~/sf_eval$ sf_eval.pl
**********************************************************
*Cisco Evaluation Risk Reports – version 3.2.4
For help, see –help
[*] Configuration
-Company name : Evaluator
-Report Type : Collection of all Risk Reports
-Cisco SE : billo@cisco.com
-Partner SE : partner_se@company.com
-Author : Your name
-Remove User IDs & IPs : n
-Report period : 14 days
-Report start time : Wed Nov 19 21:43:36 2014
-Report end time : Wed Dec 3 21:43:36 2014
This tool will generate the data required to build a Cisco PoV Risk Report. The output is for use in
conjunction with a series of template files available to trained Cisco Preferred channel partners and
Security Engineers. For help and support with this tool contact your local Cisco Channel Security Engineer.
Use of this tool on a heavily burdened FireSIGHT Management Center may impact event processing.
[*] Type “y” or “yes” to generate a Collection of all Risk Reports:y
Press ENTER to continue
…output omitted
[*] Saved local copy to /var/tmp/evaldata_network_1417643016.tsv – OK

6. Once complete, there will be three files created in the /var/tmp/ directory. Enter cd /var/tmp to change to that new directory.

7. Enter ls *.tsv to verify that the files are present.


admin@VirtualDC64:~/sf_eval$ cd /var/tmp/
admin@VirtualDC64:/var/tmp$ ls *.tsv
evaldata_attack_1417643016.tsv
evaldata_malware_1417643016.tsv
evaldata_network_1417643016.tsv
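Before the .tsv exports are copied off the Management Center or pasted into the spreadsheet template, check what they contain: the spreadsheet may not be shared with the customer, and the "Anonymize data?" choice is only applied when sf_eval.pl writes the files. The following Python script is an added example, not part of this guide or of sf_eval.pl. It checks that a complete set of three report files exists for a run timestamp (what ls *.tsv should show), lists any IPv4 addresses, DOMAIN\user names or e-mail addresses left in an export, and pseudonymizes them with stable tokens so per-host and per-user counts in the report still add up. The column names and rows in the sample are constructed; the real columns sf_eval.pl emits are not described in this guide.

```python
"""Pre-share check for sf_eval.pl exports (added example; not part of the dCloud
guide or of sf_eval.pl).

Assumptions not stated in the guide: the column names and rows in the constructed
sample below, and that the identifiers the script's "Anonymize data?" option
strips are IPv4 addresses, user names written as DOMAIN\\user, and e-mail addresses.
"""
import csv
import io
import re
from collections import defaultdict
from pathlib import Path

REPORT_TYPES = ("attack", "malware", "network")          # the three files sf_eval.pl writes
NAME_RE = re.compile(r"^evaldata_(attack|malware|network)_(\d{10})\.tsv$")

# Identifier patterns. Order matters for pseudonymize(): e-mail and DOMAIN\user
# are rewritten before IPv4 so a token is never inserted inside another match.
PATTERNS = (
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("user", re.compile(r"\b[\w-]+\\[\w.-]+\b")),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
)

# Constructed sample standing in for evaldata_network_<timestamp>.tsv.
SAMPLE_NETWORK_TSV = "\n".join([
    "host_ip\tuser\tos\tapplication",
    "10.64.104.213\tACME\\jsmith\tWindows 7\tDropbox",
    "198.18.133.36\tadmin@dcloud.cisco.com\tWindows Server 2012\tFTP",
    "10.64.104.250\t\tLinux\tSSH",
    "10.64.104.213\tACME\\jsmith\tWindows 7\tBox",
]) + "\n"


def find_report_sets(filenames):
    """Group evaldata_*.tsv names by run timestamp -> {timestamp: {report_type: filename}}."""
    sets = defaultdict(dict)
    for name in filenames:
        m = NAME_RE.match(name)
        if m:
            sets[m.group(2)][m.group(1)] = name
    return dict(sets)


def complete_sets(sets):
    """Timestamps for which all three report files are present."""
    return sorted(ts for ts, files in sets.items() if set(files) == set(REPORT_TYPES))


def scan_tsv(text):
    """Return (row, column, kind, value) for every identifier still present in a TSV export."""
    findings = []
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    header = next(reader)
    for row_no, row in enumerate(reader, start=2):   # row 1 is the header line
        for col, cell in zip(header, row):
            for kind, rx in PATTERNS:
                for value in rx.findall(cell):
                    findings.append((row_no, col, kind, value))
    return findings


def pseudonymize(text):
    """Replace each distinct identifier with a stable token (ipv4-1, user-2, ...).

    The same value always gets the same token, so counts per host or user in the
    report remain correct, unlike blanking the cells. Returns (redacted_text, mapping).
    """
    mapping = {}
    counters = {kind: 0 for kind, _ in PATTERNS}

    def make_repl(kind):
        def repl(m):
            key = (kind, m.group(0))
            if key not in mapping:
                counters[kind] += 1
                mapping[key] = f"{kind}-{counters[kind]}"
            return mapping[key]
        return repl

    for kind, rx in PATTERNS:
        text = rx.sub(make_repl(kind), text)
    return text, mapping


if __name__ == "__main__":
    # On the Management Center this walks /var/tmp, where sf_eval.pl writes its output.
    names = [p.name for p in Path("/var/tmp").glob("evaldata_*.tsv")]
    print("complete report sets:", complete_sets(find_report_sets(names)))
    for finding in scan_tsv(SAMPLE_NETWORK_TSV):
        print("identifier in sample: row %d, column %s (%s): %s" % finding)
    redacted, mapping = pseudonymize(SAMPLE_NETWORK_TSV)
    print(redacted)
```

Run it on the Management Center after step 7 (or on WKST1 against the copied files) and keep the mapping it returns with the evaluator, not with the customer deliverable; the mapping is exactly the data the PDF is not supposed to reveal.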

8. Copy the .tsv files to your local system by running the Report Transfer applet on the Workstation1 desktop. This will copy the
files to the local desktop automatically.

9. You can now begin the process of building reports from the spreadsheet templates. Open the Network-Eval-Template.xlsx
file on the desktop.

Figure 20. Network-Eval-Template


10. Using Microsoft Office, open the evaldata_network_XXXXXXXXXX.tsv file on the desktop:

a. Select file > open.

b. Click Computer and Browse.

c. Click the drop down and select All Files.

d. Open the evaldata_network_XXXXXXXXXX.tsv file on the desktop.

Figure 21. File Open

Figure 22. Browse


11. Click Finish on the Text Import Wizard.

Figure 23. Text Import Wizard

12. Select the arrow in the top left to highlight all data.

13. Copy the contents to the clipboard.

Figure 24. Clipboard


14. Return to the Network-eval-Template.xlsx and paste the contents from the clipboard into the Paste worksheet.

Figure 25. Paste


15. Select the Report tab (worksheet) where you will find your customized executive Risk Report.

NOTE: When running a risk report, you may have to adjust the page spacing and row height on the report tab so that they align
properly prior to printing to a PDF for customer delivery.

Figure 26. Network Risk Report


16. Select File > Print and select the CutePDF Writer printer. Ensure that you only convert the active sheet.

NOTE: You can provide a PDF to your customer but cannot share the spreadsheet file with customers.

17. Click Print.

Figure 27. Print

18. In the Save As window, select the Administrator > Downloads (C:\Users\Administrator\Downloads) folder. Change the
report name, as necessary.

19. Repeat this process for the Attack and Malware reports. Once complete you can access these PDF reports and transfer to
your local computer.

20. Download the files to your local computer using any FTP client.

NOTE: You must be connected to the dCloud AnyConnect VPN in order to access the internal FTP server hosted on WKST1.
FTP Server IP: 198.18.133.36
Username: admin
Password: C1sco12345

21. Share these reports and your findings with the customer at the POV close-out meeting.


Device Sanitization
After a dCloud-executed POV, your dCloud demo session ends automatically when its scheduled time expires. You can also end
the active session manually.

NOTE: All data must be exported and verified before ending your session.

Ending your dCloud POV session destroys all data stored within the demo. Saving the demo is deliberately not available, so that
no customer data is retained past the POV.

1. The customer data on the ASA FirePOWER module is deleted when you uninstall the software on the FirePOWER module.
Enter the following commands to complete the process.
ciscoasa# sw-module module sfr shutdown
ciscoasa# sw-module module sfr uninstall
ciscoasa# reload

2. As part of the POV, you also entered configuration information based on the customer's environment. To delete the
configuration items, revert the ASA configuration to the factory defaults. Enter the following commands to complete the process.
ciscoasa# copy /noconfirm running-config disk0:/pov_backup.config
ciscoasa# config t
ciscoasa(config)# config factory-default

NOTE: The backup written to disk0:/pov_backup.config still holds the customer's configuration, including any credentials in it.
Copy it off the appliance if it is needed and delete it from flash afterwards. Save the restored default configuration with write
memory; otherwise the customer's startup-config is loaded again at the next reload.

Next Steps
This completes the Cisco FirePOWER Services for ASA Acceleration program guide. For additional support, select Support on the
https://dcloud.cisco.com homepage.

Below are some key training resources to meet the program requirements and continue your education.

• Voice of the Engineer: FirePOWER Services for ASA 5.3 Launch and SMB
https://communities.cisco.com/docs/DOC-30718
• FirePOWER Services for ASA: Tech Talks
https://communities.cisco.com/docs/DOC-30977
• SE Security Sales Enablement
https://communities.cisco.com/docs/DOC-57815
• FirePOWER Services for ASA POV Cisco Funded Network Assessment
https://communities.cisco.com/docs/DOC-56049


Appendix A: Win Criteria


Define Win criteria before a partner executed POV begins so that you are able to quickly demonstrate unique business value to the
customer during the on-site engagement. This process focuses the engagement on the solution elements that are most important
to the customer. The worksheet below serves as a starting point to develop win criteria for a Tactical Partner Executed POV and
can be adjusted for a Strategic POV, or as required based on dialogue with your customer.

Circle Yes or No for each Win Criteria below based on your customer’s response to the question.

Visibility: Do you want to have a better understanding of the types of devices on your network and the applications they are
running? Yes / No

Threat: Are you concerned about bad actors in your environment and the threat that they pose to other internal systems? Yes / No

Automation: Would you like to reduce the strain on your security analysts while arriving at a faster resolution of intrusion
information? Yes / No

Reputation: Do you value a robust reputation service that helps to limit traffic to known bad websites and actors on the Internet?
Yes / No

Malware Detection: Would you like to implement network malware detection with file reputation, sandboxing, and retrospection?
Yes / No

File Blocking: Do you value visibility of file types entering your environment with the capability to block files before an attack by
type, protocol, or transfer direction? Yes / No

Application Control: Are you interested in granular control of applications that helps maximize productivity and reduce the attack
surface? Yes / No
Cross product integration: Would you be interested in using the eStreamer API to share host and event data with 3rd party
applications such as SIEM and integrate with systems such as Cisco ISE? Yes / No

What compelling factors are driving this engagement? __________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________

_______________________________________________________________________________


Appendix B: Data Collection Worksheet


Thank you for giving Cisco the opportunity to demonstrate the security posture of your network using FirePOWER Services for
ASA. Please provide the following information to prepare for the evaluation.

1. Local Time Zone _______________________________________

2. IP Addresses

dCloud Hop Workstation -- 198.18.133.36 Administrator/C1sco12345

FireSIGHT Management Center Internal IP – 198.18.133.10 (Public IP, username, and password is unique per dCloud session)

3. Active Directory/DNS Server if local lookup is preferred? _________________ NAT _________________

4. ASA and FirePOWER Passwords? ___________________________________________________

5. SPAN Port configuration

6. Is there a SPAN already set up that can see the traffic from the evaluated networks? Which port?
_______________________________________________________________________________

7. If no to the above, what type of switch will the system be attached to?
_______________________________________________________________________________

8. SPAN will be configured using Source Interface or Source VLANs. List sources below
_______________________________________________________________________________

_______________________________________________________________________________

9. Desired Rack and Power configuration. What type of AC power is required? __________________

_______________________________________________________________________________

10. Length of Evaluation ______________________________________________________________


Appendix C: Cisco.com Direct Software Download Instructions


NOTE: This is only required if you are not using an endpoint router.

1. To download the ASA system software, go to http://software.cisco.com/download/navigator.html. This will present the
Downloads Home > Products pane.

2. Navigate to Downloads Home > Products > Security > Firewalls > Adaptive Security Appliances (ASA) > ASA 5500-X
Series Next-Generation Firewalls > ASA 5515-X Adaptive Security Appliance > Software on Chassis.

Figure 28. Download Software

3. Select each of the following options and download the versions listed below or later.

• Adaptive Security Appliance (ASA) Device Manager: 7.4.3 (asdm-743.bin)

• Adaptive Security Appliance (ASA) Software: 9.4.1 (asa941-smp-k8.bin)

4. Select the Adaptive Security Appliance (ASA) breadcrumb. Continue navigating to Downloads Home > Products > Security
> Firewalls > Adaptive Security Appliances (ASA) > ASA with FirePOWER Services > ASA 5515-X with FirePOWER
Services.


5. As required, expand the All Releases drop-down in the left-hand pane and select a release such as 5.4.0 to reach the files
below. Download each of the following at the version listed or later, and compare each file against the checksum shown on its
download page before staging it on the FTP server.

• Cisco ASA with FirePOWER Services Boot Image (asasfr-5500x-boot-5.4.0-763.img)

• Cisco ASA with FirePOWER Services Install Package (asasfr-sys-5.4.0-764.pkg)

Figure 29. Releases

NOTE: If you are unable to access the software due to entitlement, engage with your Cisco alliance manager to associate your
CCO account with your company to grant partner-level CCO access. If you are still unable to access the software, open a case
with partner help using the instructions here: https://communities.cisco.com/docs/DOC-55301.
