Installing Cisco FireSIGHT virtual appliance

It’s time now to install a Cisco FireSIGHT or Defense Center. This server is used to manage one or more FirePOWER services. Remember, we are still talking about ASA and its modules.

The Defense Center, or DC, can be a physical box or a virtual appliance running on the VMware ESXi hypervisor. We will deal with the virtual appliance here.

First of all, the requirements:

  • 4 vCPU
  • 4 GB RAM
  • 250 GB HDD
  • 1 vNIC

We don’t have to create a virtual machine with these requirements ourselves, because one will be created by deploying an OVF template. We have to download the appropriate archive file from Cisco’s site and extract it to produce the file that *is* the OVF file, but with no extension. For example, Sourcefire_Defense_Center_Virtual64_VMware-5.3.1-152.

Now we log in to our Virtual Center and start the Deploy OVF Template wizard. We select the appropriate file and click Next. We give our VM a name and select the appropriate data center. Then a cluster needs to be selected, and a host within that cluster on which the DC will run initially. We can specify the resource pool if we want and select a data store on which the virtual machine files will be stored. In the next step we could use a thick provisioned disk, which is the default option and will consume all 250 GB of storage space right away. We will use a thin provisioned disk and let the consumed storage space grow with time. Finally, we select the appropriate virtual network. We can review our choices, click Finish and wait for the virtual machine to deploy. After the deployment is completed, we power on the VM.

[Screenshot: firesight4]

LILO boot. It’s been a while 🙂

The system will do some stuff now, such as configuring a database, which could take some time.

While this is cooking, let me say that the licensing model is per device that this DC will manage. There are two special bundles for managing two or up to ten SFR modules. We will deal with licensing later in this blog.

When we are presented with the “Sourcefire3D login:” prompt, we use the credentials admin/Sourcefire. The first order of business now is setting up the IP parameters. To do this, we execute the following command, which runs the network setup script as super user: “sudo /usr/local/sf/bin/configure-network”. We give the super user password, which is again Sourcefire, and answer several questions:

Do you wish to configure IPv4? (y or n) y
Management IP address? [192.168.45.45] 10.10.10.167
Management netmask? [255.255.255.0]
Management default gateway? 10.10.10.1
Management IP address?              10.10.10.167
Management netmask?                  255.255.255.0
Management default gateway?     10.10.10.1
Are these settings correct? (y or n) y
Do you wish to configure IPv6? (y or n) n

Now we are ready to access the Defense Center by going to https://10.10.10.167 and proceed from there.

Here is our login page:

[Screenshot: firesight5]

Our credentials are still admin/Sourcefire. After we log in, we must change our password, and we have the opportunity to change some of our IP parameters. We also have to accept the EULA.

[Screenshots: firesight6, firesight7, firesight8]

The three screenshots above are from the same web page. These are the only things we will change for now. When we accept the EULA, we click Apply.

Now, we need to apply the license to our Defense Center. We select the System menu at the top right and select Licenses, then “Add New License”:

[Screenshot: firesight9]

Please note the “License Key” in the form aa:bb:cc:dd:ee:ff:gg. We need to send this key to our partner in order to obtain a valid license.

Before we actually apply the license, let’s briefly describe the types of licenses available for FirePOWER services.

[Image: licensing]

We can see that we have five licensing models for SFR modules. The license is subscription based, which means that by purchasing the license we actually lease the right to use the features covered by the license for one, three or five years. We must also keep in mind that each license is bound to a specific ASA model. So, if we buy/lease the license for the 5525-X, this license will not be valid for other ASA boxes. Let’s focus on the ASA5525-X model. With the above picture in mind, we have the following licenses:

  • L-ASA5525-URL-1Y
  • L-ASA5525-URL-3Y
  • L-ASA5525-URL-5Y

These URL licenses provide us with URL filtering capabilities for one, three or five years.

  • L-ASA5525-TA-1Y
  • L-ASA5525-TA-3Y
  • L-ASA5525-TA-5Y

The TA license enables the IPS capabilities of the SFR module.

  • L-ASA5525-TAC-1Y
  • L-ASA5525-TAC-3Y
  • L-ASA5525-TAC-5Y

The TAC enables the IPS plus the URL filtering.

  • L-ASA5525-TAM-1Y
  • L-ASA5525-TAM-3Y
  • L-ASA5525-TAM-5Y

The TAM provides us with the IPS capabilities and adds the AMP or Advanced Malware Protection functions.

  • L-ASA5525-TAMC-1Y
  • L-ASA5525-TAMC-3Y
  • L-ASA5525-TAMC-5Y

Finally, the TAMC provides us with IPS, AMP and URL capabilities.

We must keep in mind that all licenses include the AVC, or Application Visibility Control, functions, which allow us to recognize specific applications: not just HTTP, but applications with more granularity (Dropbox, Facebook, Facebook-Games, …). We can also see from the picture above that for some capabilities the IPS is mandatory. For example, we can’t have the AMP without the IPS. The only exception here is the URL license. We can have the URL without IPS. I think that the picture above is self-explanatory.

As for the Defense Center, in the virtual world, we have two bundles. One which manages up to two SFR modules and one for up to ten:

  • CON-SAU-VMWSW2
  • CON-SAU-VMWSW10
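
The naming scheme and bundle rules described above can be checked mechanically before licenses are ordered or assigned. The following Python is an added example, not code from Cisco or from this post; the function names `parse_sku` and `check_plan` are hypothetical, and the SKU pattern is an assumption generalized from the 5525-X names listed here.

```python
import re

# Bundle -> capabilities as described in this article; AVC is part of every bundle.
BUNDLES = {
    "URL":  {"URL"},
    "TA":   {"IPS"},
    "TAC":  {"IPS", "URL"},
    "TAM":  {"IPS", "AMP"},
    "TAMC": {"IPS", "AMP", "URL"},
}
# Virtual Defense Center bundles -> maximum number of managed SFR modules.
DC_BUNDLES = {"CON-SAU-VMWSW2": 2, "CON-SAU-VMWSW10": 10}

# Assumed pattern: L-ASA<4-digit model>-<bundle>-<1|3|5>Y
SKU_RE = re.compile(r"^L-ASA(\d{4})-(URL|TAMC|TAM|TAC|TA)-([135])Y$")


def parse_sku(sku):
    """Split an SFR license SKU into ASA model, capability set and term in years."""
    m = SKU_RE.match(sku.strip().upper())
    if not m:
        raise ValueError("not an SFR subscription SKU: %r" % sku)
    model, bundle, years = m.groups()
    return {"model": model + "-X", "bundle": bundle,
            "capabilities": BUNDLES[bundle] | {"AVC"}, "years": int(years)}


def check_plan(dc_bundle, modules):
    """modules: list of (asa_model, sku, wanted_capabilities). Returns problems found."""
    problems = []
    limit = DC_BUNDLES.get(dc_bundle)
    if limit is None:
        problems.append("unknown Defense Center bundle %s" % dc_bundle)
    elif len(modules) > limit:
        problems.append("%s manages up to %d modules, plan has %d"
                        % (dc_bundle, limit, len(modules)))
    for asa_model, sku, wanted in modules:
        lic = parse_sku(sku)
        # Each license is bound to one ASA model.
        if lic["model"] != asa_model:
            problems.append("%s is bound to ASA %s, not %s"
                            % (sku, lic["model"], asa_model))
        # The bundle must cover every capability we intend to enable.
        missing = set(wanted) - lic["capabilities"]
        if missing:
            problems.append("%s lacks %s" % (sku, ", ".join(sorted(missing))))
    return problems
```
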

When we receive the .LIC files, we open the Defense Center and, at the top right, select System -> Licenses -> Add New License. We need to apply the license for the Defense Center itself, as well as all licenses for our SFR modules. In our example, we have one DC that can manage up to ten SFR modules, and we have four ASA 5525-X SFR modules. So, we have one license file for the DC and one TAM license file for four 5525-X SFR modules. We apply the licenses for the DC and SFR the same way. We open the .LIC file, which is a plain text file, and copy/paste a portion of the file as depicted in the screenshot:

[Screenshot: enterlicense]

After we have applied our licenses, we can verify our license status:

[Screenshot: licensing1]

We can see that we have four unassigned SFR licenses that are TAM licenses. We must now assign a license to each of our SFR modules. One way of doing this is to select a valid license while registering the SFR module to the Defense Center:

[Screenshot: licensing3]

Another way applies to modules that are already registered to the DC, but unlicensed. We click the Devices menu, then select the module we want to license, and click the little yellow pencil icon on the right. Then under the Device tab, in the License section, we click the yellow pencil again. By the way, this yellow pencil is used to edit whatever can be edited within the DC. Then we select the applicable license:

[Screenshot: licensing2]

By clicking Protection and Malware, we are enabling TAM capabilities. The Control license is optional and is used for creating access policies based on users from Active Directory, instead of IP addresses. More on this later.

So, where do we go from here? Next time we will continue to explore the FirePOWER by creating and applying the basic policies.

 

Thanks for reading.

 


9 Responses to Installing Cisco FireSIGHT virtual appliance

  1. mikgruff says:

    This is really great. Thanks. Would you consider an article on tuning FirePower?

  2. Pingback: Sourcefire Access Control Policies – Part One | popravak

  3. Nav says:

    As per cisco licensing document http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Licensing.html

    there are 4 licenses

    . Protection : IPS
    , Malware
    . Control : AVC
    . URL

    and for each license the Protection license is mandatory, otherwise that license will not be activated.
    which negates your comment

    ” We can have the URL without IPS “

    • Sasa says:

      Well, according to Cisco marketing slide given in this post, there are URL, TA, TAC, TAM and TAMC license models. Clearly URL model does not require IPS license.

  4. RK says:

    Is it possible or problematic to add additional cores to the VMware server to increase performance?

  5. Dirk Melvin says:

    Why is it I can’t find specific specs? Yes, 4-8 CPUs but what speed? It won’t do any good if I have a host with 1.8GHz CPUs, but this requires 4-8 4GHz CPUs.

  6. naumanrahim says:

    Hi, Can you please tell me the procedure to recover the password for firesight manager. I am unable to login and tried to search a lot on resetting the password. Please help. Thanks
