Upgrading Firepower1010 to 6.5

Upgrading Firepower1010 to 6.5

The Cisco FirePower 1010 appliance (FP1010, successor to the ASA5506 which can run FTD 6.3 and higher) has finally become available. As I am relocating to a new home, it was time to replace my trusty 5506-X with the FP1010 and get a new fresh start with FTD. Since FTD 6.5 is just out, and it enables the switchports on the FP1010, it was time to upgrade the appliance. In this post I will share my method of upgrading the FP1010 to the latest version, 6.5. 

Time to get started with the upgrade. In this blog post I assume the FP1010 appliance has never been booted and has just been unboxed. You need to have the following items

  • Laptop with FTP/SCP/SFTP server (TFTP is possible, I had issues with USB); I used my MacBookPro for this
  • Laptop connected to the management interface of the FP1010
  • The upgrade image, in my case: cisco-ftd-fp1k.6.5.0-115.SPA

Once you have everything ready, the following steps can be used to upgrade the FP1010 appliance:

Firepower architecture

Firepower appliances are really a different platform to the trusty old ASA platform. One of the architectural differences is that the appliance is running FXOS as the operating system and the security services you want to run (FTD or ASA) are installed as an instance. I think the best to compare it with is VMWare and running virtual services. FXOS looks a lot in its command set to the NFVIS operating system that runs on the ENCS series. It is based on the UCS platform and uses quite a different CLI then you are familiar with in the ASA world. 

The larger appliances (FP4100 and FP9300) FXOS and the security instances are separated, which means that you first configure FXOS and then you can load the security instance on it. The smaller Firepower appliances, such as the FP2100, FP1100 and the FP1000 series have FXOS and the security instance bundled in a single release. This means that you always run a specific FXOS system with a specific ASA or FTD version.

1.  Connect the console of the FP1010 to the laptop and power on the appliance
2.  Connect a network cable from the mgmt interface to your laptop

3.  Wait until the FP1010 is booted. Once it’s booted, the console will show:

firepower#

4.  Type the command “connect ftd” and run through the initial setup wizard. If you do not accept the EULA and run through the setup, somehow the network is not working as expected and you cannot download the software. And yes, that took me some hours to figure out…

You must accept the EULA to continue.Press <ENTER> to display the EULA:
 
End User License Agreement

Effective: May 22, 2017

*** SNIP***
Please enter 'YES' or press  to AGREE to the EULA: YES

System initialization in progress.  Please stand by.
You must change the password for 'admin' to continue.
Enter new password:
Confirm new password:
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]:
Enter an IPv4 netmask for the management interface [255.255.255.0]:
Enter the IPv4 default gateway for the management interface [data-interfaces]:
Enter a fully qualified hostname for this system [firepower]:
Enter a comma-separated list of DNS servers or 'none' [208.67.222.222,208.67.220.220]:
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.

Setting DNS servers: 208.67.222.222 208.67.220.220
No domain name specified to configure.
Setting hostname as firepower
DHCP server is enabled with pool: 192.168.45.46-192.168.45.254. You may disable with configure network ipv4 dhcp-server-disable
Setting static IPv4: 192.168.45.45 netmask: 255.255.255.0 gateway: data on management0
Updating routing tables, please wait...
All configurations applied to the system. Took 3 Seconds.
Saving a copy of running network configuration to local disk.
For HTTP Proxy configuration, run 'configure network http-proxy'

Manage the device locally? (yes/no) [yes]: yes
Configuring firewall mode to routed


Update policy deployment information
    - add device configuration
Successfully performed firstboot initial configuration steps for Firepower Device Manager for Firepower Threat Defense.

5.  After the setup, the console will have a very empty prompt: “>” Now type exit The prompt will now look like firepower# 

6. This means you are now in FXOS , this looks like UCS CIMC software, so it is a bit different.
Enter the command scope firmware , the prompt will show

firepower /firmware
7. Check the IP address of your laptop and initiate the software download via the command structure

download image sftp://userid@iplaptop/path/to-image/cisco-ftd-fp1k.6.5.0-115.SPA

I have used

download image sftp://myuserid@192.168.45.46/Users/myuserid/Downloads/cisco-ftd-fp1k.6.5.0-115.SPA

The console will now prompt for your password and then it will initiate a download task:

firepower /firmware # download image scp://myuserid@192.1687.45.46:/Users/myuserid/Downloads/cisco-ftd-fp1k.6.5.0-115.SPA
Password:
Please use the command 'show download-task' or 'show download-task detail' to check download progress.

You can use the “show download-task detail” to show the details, which has output like

Download task:
File Name: cisco-ftd-fp1k.6.5.0-115.SPA
Protocol: Sftp
Server: 192.168.45.46
Port: 0
Userid: myuserId
Path: /Users/myuserId/Downloads
Downloaded Image Size (KB): 59264
Time stamp: 2019-10-07T06:48:09.268
State: Downloading
Status: Downloading the image
Transfer Rate (KB/s): 29632.000000
Current Task: downloading image cisco-ftd-fp1k.6.5.0-115.SPA from 192.168.45
.46(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:Local)

However, if there is a failure, it will only show “failed“. I found out that the command

show event provides much more information, but requires a bit decoding. The following output is from a successful download:
Creation Time            ID       Code     Description
------------------------ -------- -------- -----------
2019-10-07T06:48:09.269     27339 E4195702 [FSM:STAGE:END]: (FSM-STAGE:sam:dme:F
irmwareDownloaderDownload:begin)
2019-10-07T06:48:09.269     27340 E4195703 [FSM:STAGE:END]: checking pending man
agement network config(FSM-STAGE:sam:dme:FirmwareDownloaderDownload:CheckPending
NetworkConfig)
2019-10-07T06:48:09.269     27341 E4195704 [FSM:STAGE:ASYNC]: downloading image
cisco-ftd-fp1k.6.5.0-115.SPA from 192.168.45.46(FSM-STAGE:sam:dme:FirmwareDownlo
aderDownload:Local)
But if there is a failure, it would look a bit more like this

 

2019-10-07T06:47:40.120     27329 E4195706 [FSM:STAGE:REMOTE-ERROR]: Result: end
-point-failed Code: ERR-DNLD-no-file Message: No such file#(sam:dme:FirmwareDown
loaderDownload:DeleteLocal)

It tells you it couldn’t find the file. The show event is quite handy.
Once the download is completed, the show detail command would look like this:

Download task:
    File Name: cisco-ftd-fp1k.6.5.0-115.SPA
    Protocol: Sftp
    Server: 192.168.45.46
    Port: 0
    Userid: nefkensp
    Path: /Users/nefkensp/Downloads
    Downloaded Image Size (KB): 1031174
    Time stamp: 2019-10-07T06:48:09.268
    State: Downloading
    Status: validating and unpacking the image
    Transfer Rate (KB/s): 32224.187500
    Current Task: unpacking image cisco-ftd-fp1k.6.5.0-115.SPA on primary(FSM-ST

8.  Now that the software is downloaded, it is time to validate if the package is available. Use the command show package to check for that:

firepower /firmware # show package
Name Package-Vers
--------------------------------------------- ------------
cisco-ftd-fp1k.6.4.0-102.SPA 6.4.0-102
cisco-ftd-fp1k.6.5.0-115.SPA 6.5.0-115

9.  Now as the package is available, let’s install it. Go to the subscope auto-install:

firepower /firmware # scope auto-install
firepower /firmware/auto-install # 
 

10.  and install the package via the install security-pack version command:

firepower /firmware/auto-install # install security-pack version 6.5.0-115 
The system is currently installed with security software package 6.4.0-102, which has:
   - The platform version: 2.6.1.133
   - The CSP (ftd) version: 6.4.0.102
If you proceed with the upgrade 6.5.0-115, it will do the following:
   - upgrade to the new platform version 2.7.1.107
During the upgrade, the system will be reboot

Do you want to proceed ? (yes/no):yes

This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup

Do you want to proceed? (yes/no):yes

Triggered the install of software package version 6.5.0-115
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command. 

11. Now let’s wait for the upgrade or use the “show” command to check the status:

firepower /firmware/auto-install # show

Firmware Auto-Install:
    Package-Vers Oper State                   Upgrade State
    ------------ ---------------------------- -------------
    6.5.0-115    Scheduled                    Ready
firepower /firmware/auto-install #

12.  And after waiting for some 20-30 minutes, FTD has been upgraded. Congratulations!

Upgrading Firepower1010 to 6.5

Assigning a single IPv6 address to devices

I have been running IPv6 and IPv4 concurrently. At Cisco Live San Diego 2019  I shared some of my experiences with Jeffry Handal (I met him initially at CiscoLive Barcelona 2019)  and somewhow we ended up talking about IPv6 and how by default you receive multiple IPv6 addresses. To me, that was one of my frustrations, so my network is setup in such a way that it only assigns a single IPv6 address. It appears that such a setup is not very common. So I would like to share with you how my IPv6 network is configured.

My network consists of an ASA firewall (soon to be replaced with the FirePower 1010), a 3560 compact switch that acts as L3 switch, and a Catalyst 9800 Wireless Controller (yep, moved from Mobility Express to the Cat9k wireless IOS-XE). The figure below shows my network topology.

In this network setup, the 3560 acts as L3 switch and DHCP server (both IPv4 and IPv6). It is absolutely possible to use an external DHCP server and use helpers instead. But for my home network that is, well, not necessary. The configuration on the client VLAN is shown below:

interface Vlan300
 description clients
 ip address 192.168.1.1 255.255.255.0
 ipv6 address FE80::300 link-local
 ipv6 address 2001: db8:face:300::1/64
 ipv6 enable
 ipv6 nd prefix 2001:db8:face:300::/64 300 300 no-autoconfig
 ipv6 nd managed-config-flag
 ipv6 nd router-preference High
 ipv6 nd ra interval 30
 ipv6 dhcp server clients-300 rapid-commit
end

By setting the managed-config-flag and disabling auto-config on the prefix I effectively state that my switch is the only router and device allowed to assign and distribute IPv6 addresses. I effectively disable every auto-magic feature within IPv6 except DHCPv6. The configuration I use for that DHCPv6 server is defined below:

ipv6 dhcp database flash:dhcpv6-db
ipv6 dhcp pool clients-300
 address prefix 2001:db8:face:300::/64 lifetime 86400 86400
 link-address 2001:db8:face:300::/64
 dns-server 2620:119:35::35
 dns-server 2620:119:53::53
 domain-name clients.nefkens.net
!

Using this configuration all my devices (and yes, Jeffry told me that Android devices do not support DHCPv6 so go complain at Google for that) receive a single IPv6 address, as can be shown in the screen shot below.

Although it might not be common, it is very much possible to use DHCPv6 and only assign a single IPv6 address to each device. It will make your life for troubleshooting or looking at management systems, such as Firepower Management Center, DNA Center, or Syslog server a lot easier.

Deploying a Cisco Mobility Express network

Deploying a Cisco Mobility Express network

My wireless network has been based on a WLC2504 controller with two 2602 AP’s. The network has been running quite well, with of course the caveats that came with the different WLC releases. With the maturity of Mobility Express (ME), the need for a dedicated controller for such as small sized wireless network has basically become obsolete as one of the AP’s becomes the master controller in the network. I was able to acquire 2 1852 AP’s with ME, time to upgrade my wireless network to 802.11ac with ME..
(more…)

FTD 6.2 and Remote Access VPN (anyconnect) configuration

FTD 6.2 and Remote Access VPN (anyconnect) configuration

With Firepower Threat Defense (FTD) version 6.2 Cisco has introduced the remote access VPN functionality from the ASA firewall software. For an overview of the differences, you could read a previous post. With FTD 6.2.2 (released in september) this feature is now also avaialble on the ASA platforms. With a week of PTO planned, it was time to configure and test RA VPN on my home environment. (more…)

Upgrading Firepower1010 to 6.5

FTD access policy behaviour

In a previous blog, I’ve written about the differences between Firepower Threat Defense and ASA software. And although the basic OS appears to be ASA with Snort set in between ASA ingress and egress, some basic concepts of the ASA (or actually the PIX) have disappeared in FTD. And it will have an impact once you migrate from ASA (with or without firepower) to FTD devices..
The Cisco ASA firewall has implemented the concept of security levels on interfaces. Each interface must have an interface name and interface level (IP-address is only necessary if you use routed or IRB interfaces). The concept for this is quite easy, let’s take the basic ASA edge deployment into mind.

With interface security levels the ASA keeps two principles into mind when a packet comes into the firewall for a new connection:

  • Traffic is always allowed from a higher security level to a lower security level, unless an access-list prohibts this
  • Traffic is never allowed from a lower security level to a higher security level, unless there is an access-list explicitly permitting the traffic and a static translation is created

So, in this example, the client with internal IP 10.1.1.10 is allowed to go outbound to the webserver on the Internet, but unless you configure a specific access-list, traffic is not allowed from the Internet to the inside mail server.
If you then take into account that IOS/PIX/ASA access-lists always have an implicit deny ip any any statement in the access-list, so even if you configure an access-list (except of course permit ip any any), traffic will be blocked by that implicit match. So it’s relatively easy to tie down the traffic flows, right?

In FTD things are working quite differently.. In FTD there is not really the concept of an access list with an implicitly deny any any. Within FTD, an access policy is used to define the policies that need to be applied to one or more FTD devices. One or more rules, which are run sequentially, combined define the access policy. Each rule in itself contains several elements that can be combined to define the policy rule. Each rule consists following elements:

Element Description
source zone(s) Within FTD it is possible to logically combine different interfaces into a single zone. One or more zones can be used as selection criteria
destination zone(s) Also one or more destination zones can be used as selection criteria, for example the “outside” zone
source network(s) This is the classic selection criteria for a layer3 firewall, based on one or more source IP networks.
destination network(s) This is the classic selection criteria for a layer3 firewall, based on one or more destination IP networks.
VLAN’s It is possible to match traffic based on the vlan tag
Users This is part of the next generation firewall that is inside FTD, per user (or group) policy rules can be matched
Applications Also part of the next generation firewall, in which a lot of applications are already defined. It is also possible to define custom applications using openAppID as well
Source port(s) Classic criteria for the source ports. Within FTD there is a default group called “high ports” that you can use for client connections
Destination port(s) Classic match criteria for the destination ports. It is possible to use one or more ports to match on, or use a port group.It is possible to mix and match UDP, ICMP, ICMP6, TCP, etc in a single match statement
ISE/SGT attributes This is used if you have a pxGrid ISE integration with FirePower and wish to match on scalabale group tags
URL Categories This is also part of the next generation firewall feature set, in which you can use URL categories (like advertisment, Phishing, etc) to match traffic on. It is a recommended from Cisco not to combine these URL categories together with the application matching statement.
File Policy This option (within the rule details) specifies which file detection policy is to be used in AMP for networks.
IPS Policy (with variable set) It is possible to define different Intrusion Policies within FMC. Within a specific rule it is possible to set a custom IPS signature policy.
Action The resulting action that FTD will take when the packet is matching this rule.

 

FTD Policy actions

There are different actions that FTD can take once a packet has matched the access rule, being

Action Description
Allow This traffic
Trust Trust this traffic and do not send it to Snort for inspection.
Monitor Monitor this traffic, apply inspection, but do not discard packets (drop)
Block Block this packet. Be aware, if used on a TCP connection,  the client will do retries
Block with reset Block this packet and send TCP resets to client and server to reset this packet
Interactive Block This is similar as the block action, but FTD will respond back with a web page that provides feedback to the block
Interactive Block with Reset This is similar as the block with reset action, but FTD will respond back with a web page that provides feedback to the block

For grouping purposes it is possible to group access rules together. Using this approach, it is a very flexible and powerfull mechanism to define the policy. It is a single policy for both ingress and egress traffic, so double access list policies are not required anymore, which is a great benefit. Also, rules are run through sequentially, so after a packet matches the rule, the specific actions are executed.

But what happens if no rule inside the policy is matched? Well, then the default Action comes into play. As soon as you create a new access policy, FMC asks what the default action will be of the new policy

Block all traffic Just block all traffic, similar to the implicit deny any any
Intrusion prevention Allow traffic, but do run it through Snort for inspection
Network discovery Allow traffic for discovery of users, applications and hosts on the network

Within a Firepower on ASA rule, I usually choose the “Intrusion Prevention” or “network discovery” rule, as there is still a firewall outside the FirePower module that has access-lists as well.

But in FTD that is not true!! If you choose “network discovery” or “intrusion prevention“, you will basically allow alltraffic to traverse through the firewall as the interface security levels are in essence equal. So it is then basically a router with some security power! I ran into this issue when I converted a Firepower on ASA device to FTD recently. This is something you have to be aware off.

If you want to change this behaviour in an access policy at a later stage, just go into the access policy and click the pull down menu at the bottom of the policy and select “Access control: Block All Traffic”

So in summary, if you start working with FTD and come from an ASA background, make sure your that you define the access rules both ways and have explicit block rules in your access policy. Either via the default action or per traffic-flow in a category.