
Cisco FirePOWER Services for ASA

Proof of Value (POV) Best Practices

Global Security Sales Organization (GSSO)


Channel Engineering
May 28, 2015
Cisco FirePOWER Services for ASA POV Best Practices

Table of Contents

1 Introduction
2 POV Process
3 Training
4 Deployment
5 Software Download
6 Installation
6.1 Confirm Health of Solid State Drive (SSD)
6.2 Uninstalling Existing IPS or CX Software (If Required)
6.3 ASA 5515-X System Software
6.4 FirePOWER Services for ASA
6.5 FireSIGHT MC
7 Licensing
8 FireSIGHT Configuration
8.1 System Policy
8.2 Health Policy
8.3 Network Discovery
8.4 Intrusion Policy
8.5 File Policy
8.6 Access Control Policy
8.7 Additional Settings
9 Risk Report Generation
10 Device Sanitization
11 Next Steps
12 Appendix A: Win Criteria
13 Appendix B: Data Collection Worksheet


1 Introduction

The Cisco Global Security Sales Organization (GSSO) is pleased to announce the FY15 FirePOWER
Services for ASA Proof of Value (POV) Best Practices guide. Cisco is providing this documentation to help
explain the POV process and accelerate the migration of legacy ASA or competitive security appliances
to the ASA 5500-X series Firewall with FirePOWER Services. This document provides information on the
POV process, training, software download, installation, licensing, initial configuration, customer
deployment, risk report generation, and device sanitization.

2 POV Process

A POV is a customer engagement that demonstrates unique business value during an on-site
engagement. The POV process requires a scoping exercise to identify win criteria for a customer. Win
criteria are used to focus the on-site engagement on the solution elements that are most important to a
particular customer. Appendix A includes scoping questions to help establish win criteria for FirePOWER
Services for ASA POVs.

There are two types of POV, tactical and strategic. One key differentiator between these POV types is
that a tactical POV leverages available hardware, while a strategic POV is designed to address the larger
customer business outcomes and leverages appliances that deliver the performance the customer
requires. Another key differentiator is that a tactical POV is usually 45 days or less and a strategic POV
can be longer as dictated by customer requirements. Most partner executed POVs will be tactical,
leveraging FirePOWER Services for ASA seed or NFR units and virtual FireSIGHT Management Centers
(MCs).

Tactical POVs help to ensure an efficient delivery of a professional evaluation of the solution. All
customer configurations should be implemented prior to arriving on site based on pre-defined customer
evaluation data. Customer data includes network, management, SPAN configuration, Active Directory,
and rack and power data. A worksheet to collect this information is available in Appendix B.

The following sections cover system installation and configuration steps for a partner executed POV.
Keep in mind that a successful POV is defined prior to going on-site and win criteria is unique for each
customer. This guide provides general best practices, but you should edit any configuration items as
required to establish unique business value for your customer.

All of the following sections must be completed together for the system to work properly during your
customer evaluation. If you miss any one part of this configuration your system will not collect the
desired information and the evaluation may not be successful. Follow the instructions carefully and
submit any feedback to asa-assess@external.cisco.com.


3 Training

The following e-learning modules are strongly recommended before you try to install the software or
perform an evaluation. The training is available on the Partner Education Connection via the Security
Partner Community.
ASA Firewall and Next Generation IPS Training and COLT Exams
https://communities.cisco.com/docs/DOC-55046
FirePOWER Services for ASA Tech Talk Recordings
https://communities.cisco.com/docs/DOC-30977

4 Deployment

The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation IPS
(NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP).
You can use the module in single or multiple context mode, and in routed or transparent mode.
Although the module has a basic command line interface (CLI) for initial configuration and
troubleshooting, you configure the security policy on the device using a separate application, FireSIGHT
Management Center, which can be hosted on a dedicated FireSIGHT Management Center appliance or as
a virtual appliance running on a VMware server. (FireSIGHT Management Center was previously known
as Defense Center, and the module's CLI prompts shown later in this guide still use that name.)

The ASA FirePOWER module runs a separate application from the ASA. The module can be a hardware
module (on the ASA 5585-X) or a software module (5512-X through 5555-X). You can configure the
device in either a passive (monitor-only) or inline deployment.
In an inline deployment, the actual traffic is sent to the device, and the device's policy affects
what happens to the traffic. After dropping undesired traffic and taking any other actions
applied by policy, the traffic is returned to the ASA for further processing and transmission.
In a passive deployment, a copy of the traffic is sent to the device, but it is not returned to the
ASA. Passive mode lets you see what the device would have done to traffic, and lets you
evaluate the content of the traffic, without impacting the network.


To minimize risk or disruption to the customer environment while providing the most value, passive
deployments are recommended for Partner Executed POVs. This can be accomplished by configuring a
span port on a Cisco switch in the customer environment and configuring the ASA with FirePOWER
Services in Monitor Only Mode.

There are multiple network locations for the POV with their own caveats, benefits and challenges.
Consider these options when placing your ASA with FirePOWER Services on a customer network.

A. Internet Perimeter Ingress/Egress to core network


Best Placement: Internal to a network firewall.
Traffic Collection Methods: Tap or SPAN. SPAN ports are common. Ensure that you are collecting all
TX/RX activity on the link to the outbound firewall.
Caveats:
Ensure that the ASA is internal to a NAT gateway for best IP visibility.
If there is a proxy device, place the ASA internal to the proxy. Otherwise event resolution to
internal hosts will be dramatically skewed.
Benefits:
Visibility of inbound threats and malware detections
Visibility of outbound indications of compromise (IoC)
Visibility of Internet facing applications that users may wish to control
GeoIP, Security Intelligence (IP reputation), and URL data will be captured
Challenges:
FireSIGHT visibility will be limited to internet ingress/egress traffic. This means that hosts that
are not regularly interacting with the internet will not be profiled. This can impact the value
demonstrated in FireSIGHT rule recommendations and Impact Flags for IPS event reduction.


B. Network Segmented Zone DMZ / Server Farm


Best Placement: Zone dedicated to a server farm, DMZ, or specialized network segment.
Traffic Collection Methods: Tap or SPAN. SPAN ports are common. Ensure that you are collecting all
TX/RX activity on the link to the outbound router. More contextual data will be available if the server
farm's DMZ can SPAN all traffic in the broadcast domain.
Caveats:
Ensure that the ASA is internal to a NAT gateway for best IP visibility.
If there is a proxy device, place the ASA internal to the proxy. Otherwise event resolution to
internal hosts will be dramatically skewed.
Some customers may deploy load balancers. If possible, place the ASA internal to the load
balancer or monitor the activity from the entire switch. This ensures threat detections are seen
against specific hosts rather than against the load balancer's virtual address.
Benefits:
Visibility of inbound threats, IOCs, malware, applications, GeoIP reputation, and Security
Intelligence related to the server farm.
If this is an internal or back-office server farm, the ASA will be able to visualize and profile other
internal assets as they interact with the server farm.
Challenges:
Threat and application data may be limited because of the specialization of the server farm.

C. Core Switch
Best Placement: On a SPAN that can capture traffic representative of user activity across the network.
Traffic Collection Methods: SPAN (taps are not recommended). Select enough links or VLANs to get a fair
representation of network activity.
Caveats:
Not all network environments may have a SPAN port available.
Ensure that the SPAN destination can accommodate the volume of traffic being passed out the
interface and that the switch has the computing resources to SPAN a broad enough spectrum of traffic.
In some environments, traffic can be missed when spanning VLANs. This is common on internet
ingress and egress traffic: egress traffic carries the VLAN tag, but ingress traffic may not yet have
the tag.
Benefits:
Benefits are similar to Internet perimeter placement
Visibility of internal host-to-host interactions which provides visibility to internal threat
propagation
Significantly improved FireSIGHT contextualization. Host profiles will be built not just on internet
facing traffic, but on all of the communications used by internal hosts


Challenges:
Depending on SPAN configuration you may not have visibility of internet ingress and egress
traffic
Internal threat propagation visibility may be limited if there is no current outbreak event or
internet egress traffic is not being captured
GeoIP, URL, and Security Intelligence events may be limited if there is no internet ingress and
egress visibility
Recommendation
The best deployment is one that gives visibility of both internet facing and internal segments. The two
elements allow for good threat visibility and network context.
If possible, receive traffic from:
A SPAN port that includes internet ingress and egress traffic and some VLANs that may include a
back-office server farm or active users
Multiple SPAN ports for internet and internal traffic
A combination of TAPs for internet ingress and egress traffic and SPAN ports for internal traffic.
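The switch-side configuration below is an added example and is not part of this guide or of Cisco's product documentation. It shows one way to implement the recommended mix of internet-edge and internal sources on a Catalyst switch running IOS. The interface names, VLAN IDs and session number are placeholders for the illustration, and Gi1/0/24 is assumed to be the port cabled to the ASA interface that section 6.3 later configures with traffic-forward sfr monitor-only.

```cisco
! Added example (not from the guide): IOS SPAN session feeding the POV ASA.
! Interface names, VLAN IDs and the session number are placeholders.
! Gi1/0/24 is assumed to cable to the ASA's GigabitEthernet0/0, the
! traffic-forward sfr monitor-only interface from section 6.3.
!
! Source 1: the uplink to the internet firewall, both directions, so the
! module sees inbound threats and outbound indications of compromise
! (placement A). Both directions are required for complete flows.
monitor session 1 source interface GigabitEthernet1/0/1 both
!
! Source 2: internal user and server VLANs for host profiling (placement
! C). VLAN sources are taken rx-only: with "both", a frame between two
! ports in the same VLAN is copied on ingress and again on egress, which
! doubles the SPAN volume without adding information.
monitor session 1 source vlan 10 , 20 rx
!
! Destination: the port cabled to the ASA. The ASA interface carries no
! nameif or IP address and never answers on this link.
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Checks before handing the port to the ASA.
! 1. The session shows the intended sources, directions and destination.
show monitor session 1
! 2. The destination is not oversubscribed: the summed utilisation of the
!    sources must stay below the destination link speed, otherwise the
!    switch silently drops SPAN frames and the POV under-reports.
show interfaces GigabitEthernet1/0/24 | include output
show interfaces GigabitEthernet1/0/1 | include input|output
```

If the customer cannot spare a dedicated 1 GE destination for the combined sources, drop the VLAN sources to the one or two VLANs that hold the back-office servers or the most active users rather than cutting the internet uplink, since the uplink is what produces the Security Intelligence, URL and GeoIP events the POV relies on.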

5 Software Download

The instructions that follow demonstrate how to pull down required software for an ASA 5515-X with
FirePOWER Services and a virtual FireSIGHT MC. There are many possible software requirements and
the information below serves as an example of a common configuration for a partner executed POV.
Please adjust the process outlined below as required to match your hardware specifications.

If you are unable to access any software due to entitlement, engage with your Cisco alliance manager
and associate your CCO account with your company to grant partner-level CCO access. If you are still
unable to access the software, your partner account team will be able to provide required software
through the special file publish process.

FirePOWER Services for ASA requires ASA system software 9.2(2) or later. For additional information
on migration paths and upgrade dependencies, refer to the following link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/upgrade/upgrade92.html.


To download the ASA system software, go to http://software.cisco.com/download/navigator.html. This
will present the Downloads Home > Products pane. Continue to navigate to Downloads Home >
Products > Security > Firewalls > Adaptive Security Appliances (ASA) > ASA 5500-X Series Next-
Generation Firewalls > ASA 5515-X Adaptive Security Appliance > Software on Chassis.

Select each of the following options and download the versions listed below or later.
Adaptive Security Appliance (ASA) Device Manager: 7.3.3 (asdm-733.bin)
Adaptive Security Appliance (ASA) Software: 9.2.3.SMP (asa923-smp-k8.bin)

Then, select the Adaptive Security Appliance (ASA) breadcrumb. Continue navigating to Downloads
Home > Products > Security > Firewalls > Adaptive Security Appliances (ASA) > ASA with FirePOWER
Services > ASA 5515-X with FirePOWER Services. As required, expand the All Releases drop-down in the
left hand pane to select a link such as 5.4.0 that provides an option to download the software below.
Select each of the following options and download the versions listed below or later.
Cisco ASA with FirePOWER Services Boot Image (asasfr-5500x-boot-5.4.0-763.img)
Cisco ASA with FirePOWER Services Install Package (asasfr-sys-5.4.0-763.pkg)


Next, select the Security breadcrumb. Continue navigating to Downloads Home > Products > Security >
Next Generation Intrusion Prevention System (NGIPS) > FireSIGHT Management Center Virtual
Appliance > FireSIGHT System Software. As required, expand the All Releases drop-down in the left hand
pane to select a link such as 5.4 that provides an option to download the software below. Select the
following options and download the versions listed below or later.
FireSIGHT Virtual Defense Center for VMware Package Installer
(Sourcefire_Defense_Center_Virtual64_VMware-5.4.0-763.tar.gz)

If you are unable to access the software due to entitlement, engage with your Cisco alliance manager to
associate your CCO account with your company to grant partner-level CCO access. If you are still unable
to access the software, open a case with partner help using the instructions here:
https://communities.cisco.com/docs/DOC-55301.

6 Installation

6.1 Confirm Health of Solid State Drive (SSD)

Prior to installation, confirm the health of the solid state drive (SSD) in your 5515-X. Power on the
ASA, access the command line, enter the show inventory command, and confirm that the 128 GB SSD
storage device is listed. The serial numbers below are placeholders.
ciscoasa# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V01 , SN: FGH123456A1

Name: "Storage Device 1", DESCR: "Unigen 128 GB SSD MLC, Model Number: UGB88RRA128HM3-EMY-DID"
PID: N/A , VID: N/A , SN: 12345678900

If the SSD is not recognized, consider the following:
The SSD drive may not be inserted properly. Ensure the SSD drive is properly inserted and
secured via the handle. With the ASA powered off, pull the SSD drive out and re-insert it.
The SSD drive may have failed. A healthy SSD drive will show a solid green LED next to the SSD.
In the event of a failure, contact Cisco TAC for a replacement.


6.2 Uninstalling Existing IPS or CX Software (If Required)

If you purchased the ASA with FirePOWER Services, the module software and required solid state drives
(SSDs) came pre-installed and you can skip to the next section. If you purchased the ASA with IPS or CX,
you need to uninstall the old services before installing FirePOWER services. The Cisco ASA can only run a
single software module at a time so you must shut down any other software module that may be
running.

Access the ASA command line and follow the procedures below. The commands will shut down the ips
module, uninstall the IPS module, and then reload the ASA. If you need to remove CX, follow the same
steps, but use cxsc in each command instead of ips.
ciscoasa# sw-module module ips shutdown
ciscoasa# sw-module module ips uninstall
ciscoasa# reload

6.3 ASA 5515-X System Software

For consistency, we will install the ASA 5515-X system software based on the factory-default
configuration. If the ASA is not running the factory-default configuration, enter the following commands.
ciscoasa# copy /noconfirm running-config disk0:/backup.config
ciscoasa# config t
ciscoasa(config)# config factory-default

Next, place the firewall in transparent mode and configure the management interface based on the
network configuration information provided by the customer.
ciscoasa(config)# firewall transparent
ciscoasa(config)# interface management0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address <ASA Management IP> <Netmask>
ciscoasa(config-if)# no shutdown

Additional configuration items will help to ensure full network connectivity and establish a
system password.


ciscoasa(config)# enable password <Password>
ciscoasa(config)# clock timezone <Timezone> <Hours offset from UTC>
ciscoasa(config)# clock set <hh:mm:ss> <Day> <Month> <Year>
ciscoasa(config)# sysopt noproxyarp management
ciscoasa(config)# dns domain-lookup management
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server <DNS IP>
ciscoasa(config-dns-server-group)# exit
ciscoasa(config)# http server enable
ciscoasa(config)# http 0.0.0.0 0.0.0.0 management
ciscoasa(config)# route management 0 0 <Default Gateway>

After completing these steps, you should have IP connectivity to the ASA, which can be verified by
pinging the ASA management IP. Next, configure SSH access to the ASA. Note that the http and ssh
statements accept connections from any source address (0.0.0.0 0.0.0.0) for convenience while
staging; on the customer network, restrict both to the customer's management subnet.
ciscoasa(config)# username <user> password <pass> privilege 15
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 management
ciscoasa(config)# ssh timeout 60
ciscoasa(config)# crypto key generate rsa general-keys modulus 2048
ciscoasa(config)# exit
ciscoasa# write memory
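The following is an added example, not the guide's own configuration, showing the same management-plane setup with remote access limited to the customer's management subnet instead of any source address, SSH restricted to version 2, and the ASA clock synchronized to the same NTP server the FireSIGHT MC and module will use. The subnet 10.10.1.0/24 and the NTP server address 10.10.1.5 are placeholders for the illustration.

```cisco
! Added example (not from the guide): management-plane access tightened
! for the customer network. 10.10.1.0/24 and 10.10.1.5 are placeholders.
!
! Replace the any-source entries with the customer's management subnet.
ciscoasa(config)# http server enable
ciscoasa(config)# no http 0.0.0.0 0.0.0.0 management
ciscoasa(config)# http 10.10.1.0 255.255.255.0 management
ciscoasa(config)# no ssh 0.0.0.0 0.0.0.0 management
ciscoasa(config)# ssh 10.10.1.0 255.255.255.0 management
! Refuse SSHv1 and shorten the idle timeout from the staging value.
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10
! FireSIGHT correlates ASA, module and MC events by time, so the ASA
! should follow the same NTP source as the module and the MC.
ciscoasa(config)# ntp server 10.10.1.5
! Keep a local log buffer so ASA-side problems during the POV are visible
! without a syslog server.
ciscoasa(config)# logging enable
ciscoasa(config)# logging buffered informational
ciscoasa(config)# exit
ciscoasa# write memory
!
! Verify: only the management subnet should appear for http and ssh, the
! SSH version should be 2, and NTP should report synchronized.
ciscoasa# show running-config http
ciscoasa# show running-config ssh
ciscoasa# show ntp status
```

Apply the restricted entries from a host inside the new subnet, or from the console, so the session used to make the change is not the one being locked out.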

Copy the previously downloaded software images to the management PC running a TFTP or an FTP
server with connectivity to the ASA, and enter the following commands to upload the files to the ASA.
The file names in this and the following sections are from an earlier build (ASA 9.2(2)4, ASDM 7.3(1)101
and FirePOWER 5.3.1-152) than the versions listed in the Software Download section; substitute the
names of the files you actually downloaded.
ciscoasa# copy /noconfirm tftp://<TFTP IP>/asdm-731-101.bin disk0:/asdm-731-101.bin
ciscoasa# copy /noconfirm tftp://<TFTP IP>/asa922-4-smp-k8.bin disk0:/asa922-4-smp-k8.bin
ciscoasa# copy /noconfirm tftp://<TFTP IP>/asasfr-5500x-boot-5.3.1-152.img disk0:/asasfr-5500x-boot-5.3.1-152.img

Use the show flash command to verify that the three files were successfully uploaded. Change the boot
system and asdm image files and save the configuration.
ciscoasa(config)# show flash
ciscoasa(config)# boot system disk0:/asa922-4-smp-k8.bin
ciscoasa(config)# asdm image disk0:/asdm-731-101.bin
ciscoasa(config)# write memory

Reload the ASA for the changes to take effect and confirm that the ASA is running the appropriate
software with the show version command.


ciscoasa# reload noconfirm


ciscoasa# show version | include Software
Cisco Adaptive Security Appliance Software Version 9.2(2)4

The last step is to configure an interface to receive the SPAN traffic and forward it to the FirePOWER
module. The interface carries no nameif and no IP address; it only receives the SPAN copy.
ciscoasa(config)# interface gigabitethernet0/0
ciscoasa(config-if)# no nameif
ciscoasa(config-if)# traffic-forward sfr monitor-only
ciscoasa(config-if)# no shutdown


6.4 FirePOWER Services for ASA

We previously loaded the FirePOWER Services for ASA boot image, so we will begin by setting the
module boot location in the ASA and loading the boot image.
ciscoasa# sw-module module sfr recover configure image disk0:/asasfr-5500x-boot-5.3.1-152.img
ciscoasa# sw-module module sfr recover boot

Module sfr will be recovered. This may erase all configuration and
all data on that device and attempt to download/install a new image
for it. This may take several minutes.

Recover module sfr? [confirm]
Recover issued for module sfr.

Wait approximately 5-10 minutes for the ASA FirePOWER module to boot up and then open a console
session to the FirePOWER Services boot image. After opening the session, press Enter to be prompted to
log in. The default username is admin and the default password is Admin123. If the module is not fully
loaded, the session command will fail with a message about not being able to connect over ttyS1, or
with ERROR: Failed opening console session with module sfr. Module is in Recover state. Please try
again later. If this happens, try again in a few minutes.
ciscoasa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape sequence is 'CTRL-^X'.

Cisco ASA SFR Boot Image 5.3.1


asasfr login: admin
Password: Admin123

Use the setup command to install the system software package. Enter host name and other bootstrap
information based on the Data Collection Worksheet.


asasfr-boot> setup

Welcome to SFR Setup
[hit Ctrl-C to abort]
Default values are inside []

Enter a hostname [asasfr]: <asasfr>
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.8.8]: <FirePOWER Sensor Management IP>
Enter the netmask [255.255.255.0]: <Netmask>
Enter the gateway [192.168.8.1]: <Default Gateway>
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Stateless autoconfiguration will be enabled for IPv6 addresses.
Enter the primary DNS server IP address: <DNS Server>
Do you want to configure Secondary DNS Server? (y/n) [n]: N
Do you want to configure Local Domain Name? (y/n) [n]: N
Do you want to configure Search domains? (y/n) [n]: N
Do you want to enable the NTP service? [Y]: Y
Enter the NTP servers separated by commas: <NTP Server>
Do you want to enable the NTP symmetric key authentication? [N]: N
Please review the final configuration:
Hostname: asasfr
Management Interface Configuration
IPv4 Configuration: static
IP Address: X.X.X.X
Netmask: X.X.X.X
Gateway: X.X.X.X
IPv6 Configuration: Stateless autoconfiguration
DNS Configuration:
DNS Server: X.X.X.X
NTP configuration: X.X.X.X

CAUTION:
You have selected IPv6 stateless autoconfiguration, which assigns a
global address based on network prefix and a device identifier.
Although this address is unlikely to change, if it does change, the
system will stop functioning correctly. We suggest you use static
addressing instead.

Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Applying...
Restarting network services...
Done.
Press ENTER to continue...
asasfr-boot>


Use the system install command to install the system software package. The only supported transfer
protocols are http, https, and ftp. Both http and ftp carry the package, and in the ftp case the server
credentials embedded in the URL, in cleartext across the management network, so use https where a
server is available and compare the package's checksum against the value shown on the Cisco download
page before staging it. When installation is complete, the system will reboot.
asasfr-boot> system install ftp://<FTP username>:<FTP password>@<FTP IP>/asasfr-sys-5.3.1-152.pkg
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-SFR 5.3.1-152 System Install
Requires reboot: Yes

Do you want to continue with upgrade? [y]: Y

Warning: Please do not interrupt the process or turn off the
system.
Doing so might leave system in unusable state.

Upgrading
Starting upgrade process...
Populating new system image

Reboot is required to complete the upgrade. Press Enter to
reboot the system

Allow 20 minutes for application component installation and reboot the system when prompted.
Session to the module and log in with the default username admin and password Sourcefire. You
will see a different login prompt because you are logging into a fully functional module.
ciscoasa# session sfr
Opening command session with module sfr.
Connected to module sfr. Escape sequence is 'CTRL-^X'.

Sourcefire ASA5515 v5.3.1 (build 152)
Sourcefire3D login: admin
Password: Sourcefire


Continue with the system installation process as prompted. You must first read and accept the EULA.
Then, change the admin password and configure IP addresses and other settings as prompted.
Please enter YES or press <ENTER> to AGREE to EULA:YES

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password: <new password>
Confirm new password: <repeat password>
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: Y
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: <FirePOWER Sensor Management IP>
Enter an IPv4 netmask for the management interface [255.255.255.0]: <Netmask>
Enter the IPv4 default gateway for the management interface []: <Default Gateway>
Enter a fully qualified hostname for this system [Sourcefire3D]: <hostname>
Enter a comma-separated list of DNS servers or 'none' []: <DNS Server>
Enter a comma-separated list of search domains or 'none' [example.net]:
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'

This sensor must be managed by a Defense Center. A unique alphanumeric
registration key is always required. In most cases, to register a sensor
to a Defense Center, you must provide the hostname or the IP address along
with the registration key. 'configure manager add [hostname | ip address ]
[registration key ]'

However, if the sensor and the Defense Center are separated by a NAT
device, you must enter a unique NAT ID, along with the unique registration
key. 'configure manager add DONTRESOLVE [registration key ] [ NAT ID ]'

Later, using the web interface on the Defense Center, you must use the
same registration key and, if necessary, the same NAT ID when you add this
sensor to the Defense Center.
>

Complete the command line configuration by identifying the FireSIGHT MC that will manage the
FirePOWER Services for ASA module. The registration key is arbitrary, but must match the key that will
be created during FireSIGHT MC setup. If there is a NAT boundary between the sensor and FireSIGHT
MC, the command will vary. Reference the product documentation for further details as required. In the
FireSIGHT MC configuration steps that follow, the registration key SourceFIRE123 is used.
> configure manager add <FireSIGHT MC IP> <Registration Key>
Manager successfully configured.
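Before leaving the ASA for the FireSIGHT MC, it is worth confirming that the module is up and that the SPAN interface is actually feeding it; a module that registers cleanly but never sees a packet produces an empty risk report. The checks below are an added example and not from the guide. They use only standard ASA and FirePOWER CLI commands, and no counter values are shown because those depend on the customer network.

```cisco
! Added example (not from the guide): ASA-side checks after the module
! has finished installing and the manager has been configured.
!
! 1. Module state. The Status column should read Up and the application
!    version should match the package installed above. Recover or Init
!    means the module is still booting; wait and re-check.
ciscoasa# show module sfr
ciscoasa# show module sfr details
!
! 2. The SPAN-fed interface must be up, and its input packet counter must
!    rise between two runs a minute apart. Output packets stay at zero in
!    monitor-only mode because nothing is returned to the wire.
ciscoasa# show interface gigabitethernet0/0 | include line protocol
ciscoasa# show interface gigabitethernet0/0 | include packets input
ciscoasa# show interface gigabitethernet0/0 | include packets output
!
! 3. Monitor-only forwarding is attached to the interface that is cabled
!    to the switch's SPAN destination and to no other.
ciscoasa# show running-config interface gigabitethernet0/0
!
! 4. From the module, confirm the management address and the manager that
!    was just configured. The MC must be reachable from this address on
!    TCP/8305 (the sftunnel port) for registration in the next section.
ciscoasa# session sfr
> show network
> show managers
```

If the input counter in check 2 does not move, the problem is on the switch side (wrong SPAN destination, session not active, or destination oversubscribed) rather than in the module, and no amount of FireSIGHT policy work will fix it.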


6.5 FireSIGHT MC

To prepare for the POV and license request, partners need to have a FireSIGHT Management
Center (MC) installed. The software was downloaded in a previous step and this section will
cover how to complete the installation. The instructions that follow assume you are installing on
a VMware ESXi host.

The compressed archive (tar.gz) downloaded contains the following files.
Open Virtualization Format (.ovf) template containing -ESXi- in the file name
Open Virtualization Format (.ovf) template containing -VI- in the file name
Manifest file (.mf) containing -ESXi- in the file name
Manifest file (.mf) containing -VI- in the file name
Virtual Machine Disk (.vmdk)

The manifest files carry checksums for the OVF and VMDK, which vSphere checks during deployment, so
keep the archive contents together. Uncompress the archive into a local directory on a client with
access to the ESXi host using a file archive utility such as 7-Zip. Launch the vSphere client and select
File > Deploy OVF Template.

Browse to the location of the archive and select the OVF. Be sure to select the ESXi OVF, not the
VI file. The files you are using may be newer than what is in the screen shot included here.


Click Next to continue deploying the OVF Template. Provide a name for the Virtual Machine and click
Next.

On the next screen, change the selection to Thin Provision. Thick provisioning pre-allocates the full
virtual disk up front; thin provisioning allocates space as it is written, which is sufficient for a POV
and maximizes the datastore space left for other workloads on the host.


Select the appropriate destination network from the inventory and click Next. Confirm the OVF
Template settings and click Finish.

The Virtual Machine will deploy in about 5 minutes depending on the ESXi host and client machine
hardware specifications and network connection.


Once the virtual machine is deployed successfully, select it in the left hand pane and click

Upon initial startup, the FireSIGHT MC will complete the bootstrap and initial configuration process.
Setup can take 30 minutes or more. Select the Console tab in your ESXi host to view the progress.

By default, the FireSIGHT MC uses an IP address of 192.168.45.45. You can choose to communicate with
the MC using that IP address to provide the initial configuration (such as changing the IP address), or you
can choose to run a script to modify the network configuration. For the purpose of this documentation,
we will utilize the script to modify these parameters.

After the initialization process completes, log into the virtual FireSIGHT MC at the VMware console using
admin as the username and Sourcefire as the password. If you need to return your cursor to the host
operating system press Ctrl-Alt. At the admin prompt, run the following script, utilizing sudo:
sudo /usr/local/sf/bin/configure-network

You will be prompted by the operating system for a valid sudo password. Enter Sourcefire as the
password. Configure the IPv4 management settings and confirm that your settings are correct by typing y. If
you entered settings incorrectly, type n at the prompt and press Enter to re-run the script.

Connect to the FireSIGHT MC by launching a web browser and navigating to https://<FireSIGHT MC IP>.
Log in with the credentials admin / Sourcefire.

Change the password if desired.

Modify the network settings to match the customer network. Take note of the IPv4 management IP
address as this will be the address you utilize to log in to the FireSIGHT MC.

Set the time servers to an NTP server that can be accessed by the FireSIGHT MC. Time is a critical
component of the FireSIGHT MC, ASA, and sensors, as it is used in correlation, reporting, and many
other areas. Modify the Display Time Zone to match your applicable region.

For rule updates, select the checkboxes to Install Now and Enable Recurring Rule Update Imports.

For geolocation updates, select the checkboxes to Install Now and Enable Recurring Weekly Updates.

For automatic backups, select the checkbox to Enable Automatic Backups.

In the License Settings, capture your License Key. This will be required to submit the License Request to
partner help.

In the device registration section, you will configure (pre-register) the Cisco ASA with FirePOWER
Services to communicate with the FireSIGHT MC. Enter the IP address of the Cisco ASA's FirePOWER
Services module. Important: this is NOT the management IP address of the ASA firewall. The registration
key must match the key configured on the ASA FirePOWER Services module. Once entered, click Add.

Read and agree to the End User License Agreement by selecting the checkbox next to I have read and
agree to the End User License Agreement. Double check your settings and then click Apply to confirm
the changes.

To confirm that your FirePOWER Services for ASA sensor was successfully added to the FireSIGHT MC,
navigate to Devices > Device Management. If your device is not listed, select Add > Add Device from the
top right.

Fill in the required information to match your customer environment and click Register. The FireSIGHT
MC will contact your FirePOWER Services for ASA Module and add it as a managed device. If the device
is not added successfully, confirm that the registration keys match, the software versions are
compatible, and that a network device is not blocking the connection.

Confirm that your FirePOWER Services module is now listed on the device management page.

Verify that you are running the latest FireSIGHT MC version and patch by going to System > Updates. If
you see an update listed, click the icon to install it.

Select the checkbox next to your FireSIGHT MC and click Install.

You can view the status of any upgrade on the System > Monitoring > Task Status screen.

After all updates are complete, it is helpful to create a snapshot of your FireSIGHT MC. Snapshots enable
an administrator to revert to a previous state at any time in the future. This is useful so that the MC can
be reverted to this clean state after a customer engagement and prepared for the next partner executed
POV.

Prior to taking snapshots, it is a best practice to power down virtual machines. Shut the guest down from
its own operating system when possible to minimize disruption. Once a VM is powered down, use the
vSphere client to take a snapshot. Navigate to Home > Inventory > Inventory and select the appropriate VM.
From the toolbar, select the Take Snapshot button. In the pop-up window enter a Name and click OK. More
information about snapshot best practices is available in VMware documentation.

7 Licensing

Cisco Partner Help provides free FirePOWER licenses to partners for POVs and technical enablement.
Partners must provide a deal ID and customer name to request a Partner Executed POV license. After
finding a Partner Executed POV customer opportunity for FirePOWER Services for ASA, partners will
register it in CCW.

Partners will need the FireSIGHT MC License Key prior to initiating the License Request. On the
FireSIGHT MC, select System > Licenses.

Click Add New License and note the License Key of your FireSIGHT MC. This will be required to request
activation keys for the FireSIGHT MC and the FirePOWER Services for ASA module.

View the instructions in the guide available here to request activation keys from Partner Help:
https://communities.cisco.com/docs/DOC-55301

Once you receive the activation keys from Partner Help, return to System > Licenses and click Add New
License. Paste each license in the text box one at a time and click Submit License for each.

When complete you should have licenses for Protection/Control, Malware, URL Filtering, and FireSIGHT
Host/FireSIGHT User.

Return to Devices > Device Management and select the IP address of your FirePOWER Services for ASA
module. Ensure that the Device tab is highlighted and click the pencil to edit the license information.

Select the checkboxes for Protection, Control, Malware, and URL Filtering and click Save. Confirm that
your FirePOWER module is now fully licensed and click Apply Changes.

8 FireSIGHT Configuration

8.1 System Policy

The System Policy sets items such as NTP, email notifications, and time synchronization between the
FireSIGHT MC and the FirePOWER Services module. Time synchronization is a critical component of
the FirePOWER architecture: event timestamps from the module and the MC must agree for events to be
correlated and displayed accurately.

Access the FireSIGHT MC and select System > Local > System Policy. Then choose Create Policy.

Choose the option to Copy the Initial_System_Policy, and give the new policy a name that better reflects
the POV. Click Create.

Choose Time Synchronization on the left hand side of the Edit Policy screen. Cisco currently provides
NTP services via several locations such as 0.sourcefire.pool.ntp.org and 1.sourcefire.pool.ntp.org. Select
one of these or another reliable time server. In the Supported Platforms section, select the radio button
to Set My Clock Via NTP from the Defense Center. This will ensure that the ASA with FirePOWER queries
the FireSIGHT MC for its time and that the two systems stay in sync. Click on Save Policy and Exit.

Click to the right of the new policy and then click Apply. Select the checkbox next to the FirePOWER
module and FireSIGHT MC to assign it to both devices.

8.2 Health Policy

The Health Policy is a collection of health module settings you apply to an appliance to define the
criteria that the FireSIGHT Manager uses when checking the health of the appliance. When you create
health policies, you choose which tests to run to determine appliance health.

Access the FireSIGHT MC and select Health > Health Policy. Then choose Create Policy.

Select the option to Copy the Initial_Health_Policy, and give the new policy a name that better reflects
the POV. Click Save.

The desired policy feature checks will be enabled by default. Click to the right of the new policy.
Select the checkboxes next to the FirePOWER module and FireSIGHT MC to assign it to both devices and
then click Apply.

8.3 Network Discovery

To enter network objects choose Objects > Object Management.

Choose Add Network and enter a name of Evaluation Networks. Enter the customer network subnets in
the Network address box. List each network in CIDR notation and click Add. Confirm the
networks were added correctly and click Save. The information here will be the foundation for the
intrusion policy and is the one component that will be unique for each customer.

Next, add the network object just created (Evaluation Networks) to the variable set. On the left side click
Variable Set, then click the pencil icon to edit the Default Set.

Scroll down to the HOME_NET variable and choose edit. Select the Evaluation Networks object created in
the previous step and click Include to add it to the Included Networks column. If the customer identified
any excluded networks on the Data Collection Worksheet, manually add them to the Excluded Networks
column. Click Save to return to the Edit Variable Set Default Set page. Click Save again and click Yes to
confirm the warning.
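Because the Evaluation Networks object and the HOME_NET include/exclude lists are the one piece that changes for every customer, it pays to sanity-check the worksheet entries before typing them in. The following script is an added example, not part of the Cisco guide or of the FireSIGHT product: it parses the customer's CIDR entries, rejects entries with host bits set (so a typo such as 10.0.0.5/8 does not silently widen the range), merges adjacent and overlapping ranges the way the worksheet asks for (10.100.2.0/24 and 10.100.3.0/24 become 10.100.2.0/23), flags excluded networks that fall outside every included range, and reports the address space HOME_NET will actually cover. The sample entries in main are constructed, not a real customer's ranges.

```python
# Added example (not part of the Cisco POV guide): sanity-check the customer
# network list from the Data Collection Worksheet before it is entered into
# the Evaluation Networks object and the HOME_NET variable.
import ipaddress


def parse_networks(entries):
    """Parse worksheet entries into network objects.

    strict=True rejects entries such as 10.0.0.5/8 (host bits set); those
    are returned as errors instead of being widened to the network address.
    """
    networks, errors = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            networks.append(ipaddress.ip_network(text, strict=True))
        except ValueError as exc:
            errors.append(f"{text}: {exc}")
    return networks, errors


def collapse(networks):
    """Merge adjacent and overlapping networks, per address family, sorted."""
    merged = []
    for version in (4, 6):
        same_family = [n for n in networks if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same_family))
    return merged


def orphan_exclusions(included, excluded):
    """Excluded networks that do not sit inside any included network
    (usually a worksheet mistake worth raising with the customer)."""
    return [e for e in excluded
            if not any(e.version == i.version and e.subnet_of(i) for i in included)]


def effective_networks(included, excluded):
    """Ranges HOME_NET actually covers once the exclusions are carved out."""
    remaining = list(included)
    for exc in excluded:
        next_round = []
        for net in remaining:
            if exc.version != net.version:
                next_round.append(net)
            elif net.subnet_of(exc):        # exclusion swallows this range entirely
                continue
            elif exc.subnet_of(net):        # carve the exclusion out of this range
                next_round.extend(net.address_exclude(exc))
            else:
                next_round.append(net)
        remaining = next_round
    return collapse(remaining)


def build_home_net(included_raw, excluded_raw):
    """Summarize what will go into HOME_NET and what needs a second look."""
    included, errors = parse_networks(included_raw)
    excluded, more_errors = parse_networks(excluded_raw)
    included, excluded = collapse(included), collapse(excluded)
    effective = effective_networks(included, excluded)
    return {
        "included": [str(n) for n in included],
        "excluded": [str(n) for n in excluded],
        "orphans": [str(n) for n in orphan_exclusions(included, excluded)],
        "effective": [str(n) for n in effective],
        "address_count": sum(n.num_addresses for n in effective),
        "errors": errors + more_errors,
    }


if __name__ == "__main__":
    # Constructed worksheet entries, not a real customer's ranges.
    report = build_home_net(
        ["10.100.2.0/24", "10.100.3.0/24", "192.168.10.0/24",
         "192.168.10.0/25", "10.0.0.5/8"],
        ["192.168.10.128/26", "172.16.0.0/24"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the worksheet before the customer meeting: anything in orphans or errors goes back to the customer for correction, and the included list is what you enter into the Evaluation Networks object.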

The next step is to configure network discovery, a component of the FireSIGHT System that uses
managed devices to monitor the network and provide you with a complete, persistent view. Network
discovery determines the number and types of hosts (including network devices and mobile devices) on
the customer network, as well as information about the operating systems, active applications, and
open ports on those hosts.

Navigate to Policies > Network Discovery and select the pencil to edit the default.

Click the trash can icon to remove the 0.0.0.0/8 network from the default policy and choose Save.

Still on the Networks tab, select Add Rule. Select the Host and Users checkboxes and add Evaluation
Networks to the right hand pane. Verify that the action is discover and click Save.

FireSIGHT will report that the configuration is out of date on 1 targeted device. Click Apply and confirm
that you want to apply the Network Discovery Policy to all active devices. The status will change to Applying
to all targeted devices while in progress and to Up to date on all targeted devices when complete.

8.4 Intrusion Policy

Navigate to Policies > Intrusion > Intrusion Policy. You should see the two default policies in the list.

Click the pencil to edit the Initial Passive Policy VirtualDC64. Change the name and description to
Evaluation Policy. Ensure that the Drop when Inline checkbox is not selected and that the Base Policy of
Balanced Security and Connectivity is chosen. Do not click Commit Changes yet.

While in the Intrusion Policy screen, select Rules in the left pane. When you select Rules, you will see
numerous categories and rules as shown below.

On the Rules page, type malware into the filter and hit return. The specific rules for Malware should
appear. Select the checkbox next to GID to select all malware rules.

Select the Rule State drop-down and choose Drop and Generate events. Since this is a passive
deployment, traffic will not be dropped, but the FireSIGHT MC will show what would have been dropped
in an inline deployment. This is a critical piece for the customer to understand the accuracy of the
solution.

On the Rules page, type blacklist into the filter and hit return. Select the checkbox next to the GID to
select all blacklist rules. Select the Rule State drop-down and choose Drop and Generate events.

Complete the same process searching for PUA, Indicator of Compromise, and Exploit Kit.

Search for 1201 in the filter and hit return. Select the checkbox next to the INDICATOR-COMPROMISE
403 Forbidden. Select the Rule State drop-down and choose Disable.

Click the yellow triangle next to Policy Information. On the Policy Information screen, you should see
a large number of rules that are set to drop and generate events. Once again, since this system is being
deployed in a passive state, nothing will actually be dropped. Verify that the Drop When Inline checkbox
is clear and click on Commit Changes.

8.5 File Policy

Next, we will configure the file policy which the system uses to perform file control and advanced
malware protection. Populated by file rules, a file policy is invoked by an access control rule within an
access control policy.

Navigate to Policies > Files. Click on the New File Policy button to create a new File Policy.

Provide a name of Evaluation File Policy and click Save.

Next, click the Add File Rule button. The Add File Rule page will appear. The default action is Detect
Files; leave this unchanged. Under File Type Categories, select all the options and then click Add to add
them to the Selected File Categories and Types section. Click Save.

Click on the Add File Rule button again. This time, change the action to Malware Cloud Lookup. Under
the Malware Cloud Lookup action, select the options Spero Analysis for MSEXE and Dynamic Analysis.
Under the Store Files option, select Unknown. Finally, for the File Type Categories,
choose Office Documents, Executables, PDF files, and Dynamic Analysis Capable. Once selected, click
Add to add them to the Selected File Categories and Types section. Confirm your settings and click Save.

Your File Policy should now match the graphic below. Click Save to confirm your changes.

8.6 Access Control Policy

The Access Control Policy is the vehicle used to apply all of the previous changes made to the
FirePOWER module. To start, navigate to Policies > Access Control.

Click on the New Policy button. Provide a name for the policy such as Evaluation Access Control. Select
Intrusion Prevention as the Default Action. Under Targeted Devices, select the ASA FirePOWER sensor
and choose Add to Policy to add it to the Selected Devices in the right hand pane. Click Save.

The Access Policy Editor will now appear. Select the Add Rule button.

Name the rule URL Monitor and change the Action to Monitor. Select the URLs tab. From the Categories
and URLs section, choose a URL category from the left pane such as Alcohol and Tobacco. It isn't
important which category you choose, as this process enables URL checking for all URLs. Click on
Add to Rule to add it to the Selected URLs list in the right pane. Once confirmed, click Add.

Click Add Rule again. Name the rule Threat Inspection.

Select the Inspection tab on the right. In the Intrusion Policy dropdown, select the User Created Policy,
Evaluation Policy. In the File Policy dropdown, select Evaluation File Policy.

Select the Logging tab on the right. Select the checkbox for Log at End of Connection. When complete,
click Add.

You will be taken back to the Rules Editor. Click Save.

In the Default Action row below the Rules, select Intrusion Prevention: Evaluation Policy. Then select
the logging icon to proceed.

On the Logging screen, select the checkbox for Log at End of Connection and confirm that the Send
Connection Events to: Defense Center checkbox is selected. Then, click OK.

Select the Targets Tab and verify that your FirePOWER sensor is in the right pane. If not, highlight the
sensor then click Add to Policy.

Next, select the Security Intelligence Tab. From the Available Objects pane on the left, group-select
multiple items by selecting the first item, Attackers, holding the shift key down and selecting
Tor_exit_node. Do not select Global Blacklist, Global Whitelist, or Evaluation Network. Then click Add to
Blacklist. Then, select the logging icon above Blacklist on the right.

On Blacklist Options, select the checkbox for Log Connections and confirm that the Send Connection
Events to: Defense Center checkbox is selected. Then, click OK.

Still in the Security Intelligence configuration, you will need to change the Blacklist items to Monitor-only
(do-not-block). In the Blacklist pane, right-click each item individually (except for Global Blacklist)
and change its option to Monitor-only (do not block). As you proceed, you will see the icon change from
a red X to a green arrow.

Finally, click on Save and Apply in the top right corner. A dialog box will display, asking you to apply
the access control policy. Click on Apply All.

Since we are sending SPAN traffic to our FirePOWER Module on a monitor-only interface, you will
receive an alert that there are no active interfaces configured. This is expected and you can click OK to
continue.

8.7 Additional Settings

The FirePOWER console is highly configurable. You can update the following settings to make the
interface more usable for the POV. Feel free to adjust based on customer requirements and best
practices that you develop for POVs.

Navigate to Admin > User Preferences and choose the Event View Settings tab. Under Default Intrusion
Workflow, select Event-Specific from the dropdown. Scroll to the bottom of this page and click Save.

Next, select the Dashboard Settings Tab. Change the default to Detailed Dashboard and click Save.

Then, select the Time Zone Preference tab. Update the time zone to reflect the customer's home time
zone and click Save.

Lastly, select the Home Page Tab. Change the Opening Screen to Context Explorer. Click Save.

Additionally, the Cisco team has created a set of custom dashboards and workflows that maximize the
impact of the evaluation. These same dashboards and workflows have been integrated in dCloud. The
files required to customize the dashboards are available by contacting the program team at
asa-assess@external.cisco.com. Download the Custom_Dashboard.sfo file to a local drive to begin.

On your FireSIGHT MC navigate to System > Tools > Import / Export to begin.

Select Upload Package. Click Choose File and select Custom_Dashboard.sfo from your local drive. Then
click Upload.

You should be presented with a screen that provides information about the contents of the package. Select
all of the checkboxes and click Import.

You will likely receive conflict messages because of previous data. Keep the default selection, Keep
Existing, which prevents overwrite of a previous import. Click Import again. You should now receive a
Success message and there will be multiple new objects added.

To verify that the import was successful, go to Overview / Dashboards. You should see an object called
Context Based Verified Threats. This is an indication that the system is now running with the optimal
workflows and dashboards for customer evaluation.

After all initial FireSIGHT configuration is complete, it is helpful to create a snapshot of your FireSIGHT
MC. Snapshots enable an administrator to revert to a previous state at any time in the future. This is
useful so that the MC can be reverted to this clean state after a customer engagement and prepared for
the next partner executed POV. Once the FireSIGHT MC VM is powered down, use the vSphere client to
take a snapshot. Navigate to Home > Inventory > Inventory and select the VM. From the toolbar, select
the Take Snapshot button. In the pop-up window enter a Name and click OK.

9 Risk Report Generation

After letting the system run for the pre-defined evaluation period, you can begin to collect the Risk
Report data. The process involves running the evaluation report script and importing the data directly
into an Excel spreadsheet to prepare the reports. Send an email to asa-assess@external.cisco.com to
request the download location for the current Risk Report scripts. Download sf_eval.tgz,
Attack-Eval-Template, Malware-Eval-Template, and Network-Eval-Template to your local file system.

Set up an SCP session to your FireSIGHT MC using a utility such as WinSCP. Copy the sf_eval.tgz file from
your local drive to the FireSIGHT MC.

Open your vSphere Client and access the console tab of your FireSIGHT MC VM. Login with the
credentials created in the FireSIGHT MC Installation section.

Enter the following commands to extract the script:

admin@VirtualDC64:~$ ls sf_eval.tgz
sf_eval.tgz
admin@VirtualDC64:~$ tar -zxvf sf_eval.tgz
./._sf_eval
sf_eval/
sf_eval/._.DS_Store
sf_eval/.DS_Store
sf_eval/._SF
sf_eval/SF/
sf_eval/._sf_eval.pl
sf_eval/sf_eval.pl
sf_eval/SF/._.DS_Store
sf_eval/SF/.DS_Store
sf_eval/SF/._EVAL
sf_eval/SF/EVAL/
sf_eval/SF/EVAL/._Config.pm
sf_eval/SF/EVAL/Config.pm
sf_eval/SF/EVAL/._DB.pm
sf_eval/SF/EVAL/DB.pm
sf_eval/SF/EVAL/._Firesight.pm
sf_eval/SF/EVAL/Firesight.pm
sf_eval/SF/EVAL/._Ips.pm
sf_eval/SF/EVAL/Ips.pm
sf_eval/SF/EVAL/._Malware.pm
sf_eval/SF/EVAL/Malware.pm
sf_eval/SF/EVAL/Sandbox.pm

Change to the sf_eval directory. There is one script in this folder, sf_eval.pl, which you will run
twice. The first run will fill out all the relevant contact data for the reports.
admin@VirtualDC64:~$ cd sf_eval
admin@VirtualDC64:~/sf_eval$ ls
SF sf_eval.pl
admin@VirtualDC64:~/sf_eval$ sf_eval.pl
[*] WARNING No configuration file found
/Volume/home/admin/report.conf Starting interview process to create
a new configuration file.
1) Enter company name [Evaluator]:
2) Enter the author name to show on the report title page [Your
Name]:
3) Enter the evaluators email address? [customer@company.com]:
4) Anonymize data? (This will remove any user names and ip addresses
from report) [n]:
5) Enter the Partner Name [Cisco Preferred Partner]:
6) Enter the Cisco technical contact email address, must be a valid
@cisco.com email address []:
7) Enter the Partner contact email address [partner_se@company.com]:
8)Enter a default report type (network, malware, attack, or all)
[all}:

[*] Configuration complete:


Run again to generate a report
admin@VirtualDC64:~/sf_eval$

The second run will generate the reports.


admin@VirtualDC64:~/sf_eval$ sf_eval.pl
**********************************************************
*Cisco Evaluation Risk Reports version 3.2.4
For help, see help

[*] Configuration
-Company name : Evaluator
-Report Type : Collection of all Risk Reports
-Cisco SE : billo@cisco.com
-Partner SE : partner_se@company.com
-Author : Your name
-Remove User IDs & IPs : n
-Report period : 14 days
-Report start time : Wed Nov 19 21:43:36 2014
-Report end time : Wed Dec 3 21:43:36 2014

This tool will generate the data required to build a Cisco PoV Risk
Report. The output is for use in conjunction with a series of
template files available to trained Cisco Preferred channel partners
and Security Engineers. For help and support with this tool contact
your local Cisco Channel Security Engineer. Use of this tool on a
heavily burdened FireSIGHT Management Center may impact event
processing.

[*] Type y or yes to generate a Collection of all Risk Reports:y


Press ENTER to continue

output omitted

[*] Saved local copy to /var/tmp/evladata_network_1417643016.tsv - OK


admin@VirtualDC64:~/sf_eval$

Once complete, there will be three files in the /var/tmp/ directory. Change to that directory and
verify that the files are present.
admin@VirtualDC64:~/sf_eval$ cd /var/tmp/
admin@VirtualDC64:/var/tmp$ ls
output omitted
evaldata_attack_1417643016.tsv
evaldata_malware_1417643016.tsv
evaldata_network_1417643016.tsv
output omitted
admin@VirtualDC64:/var/tmp$

Next, you will copy the three .tsv files to your local system. You can copy them using WinSCP by
navigating to the /var/tmp folder.

You can also run an SCP server such as Copssh on your workstation to receive the files:
admin@VirtualDC64:/var/tmp$ scp ./*.tsv bill@10.10.200.54:
bill@10.10.200.54s password:
Password:
evaldata_attack_1417643016.tsv
evaldata_malware_1417643016.tsv
evaldata_network_1417643016.tsv
admin@VirtualDC64:/var/tmp$
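Two checks are worth scripting at this point: that a run actually produced all three evaldata files (attack, malware and network share the same timestamp suffix), and, when the sf_eval.pl interview was answered without the Anonymize option, that user names and IP addresses are pseudonymized before the export leaves the customer's management center. The script below is an added example and is not part of the Cisco guide or of sf_eval.pl. The column names in the sample TSV (timestamp, src_ip, dst_ip, user, event) are constructed for the example; the real column layout of the sf_eval.pl output is not documented here, so only IP-valued cells and a caller-supplied list of user columns are rewritten. The pseudonyms are keyed HMAC tokens, so the same host gets the same token throughout a report (counts and correlations survive) while the token cannot be reversed without the key.

```python
# Added example (not part of the Cisco POV guide and not part of sf_eval.pl):
# confirm that a report run produced all three evaldata files, and
# pseudonymize user names and IP addresses in a TSV export before it is
# copied off the FireSIGHT MC.
import csv
import hashlib
import hmac
import io
import ipaddress
import re

REPORT_TYPES = frozenset({"attack", "malware", "network"})
FILE_NAME = re.compile(r"^evaldata_(attack|malware|network)_(\d+)\.tsv$")


def group_report_files(names):
    """Map each run id (the timestamp suffix) to the report types present."""
    runs = {}
    for name in names:
        match = FILE_NAME.match(name)
        if match:
            runs.setdefault(match.group(2), set()).add(match.group(1))
    return runs


def complete_runs(names):
    """Run ids for which the attack, malware and network files all exist."""
    return sorted(run for run, kinds in group_report_files(names).items()
                  if kinds == REPORT_TYPES)


def pseudonym(value, key, prefix):
    """Keyed, deterministic token: the same input always yields the same
    token, but the token cannot be reversed without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def looks_like_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_tsv(text):
    """Read a TSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def pseudonymize_tsv(text, key, user_columns=("user",)):
    """Rewrite a TSV export: cells in user columns and any IP-valued cell are
    replaced with keyed pseudonyms; every other cell passes through unchanged."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            delimiter="\t", lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for column, cell in row.items():
            if not cell:
                continue
            if column in user_columns:
                row[column] = pseudonym(cell, key, "user")
            elif looks_like_ip(cell):
                row[column] = pseudonym(cell, key, "host")
        writer.writerow(row)
    return out.getvalue()


# Constructed sample rows in the shape of an event export; column names and
# values are invented for this example, not real sf_eval.pl output.
SAMPLE_TSV = (
    "timestamp\tsrc_ip\tdst_ip\tuser\tevent\n"
    "2014-11-20 08:15:02\t10.100.2.15\t198.51.100.7\tjdoe\tMALWARE-CNC outbound connection\n"
    "2014-11-20 08:16:40\t10.100.2.15\t203.0.113.9\tjdoe\tINDICATOR-COMPROMISE 403 Forbidden\n"
    "2014-11-20 09:01:11\t10.100.3.40\t198.51.100.7\t\tSERVER-WEBAPP probe\n"
)

if __name__ == "__main__":
    # File names as they appeared in the /var/tmp listing, plus one
    # incomplete run constructed for the example.
    listing = ["evaldata_attack_1417643016.tsv", "evaldata_malware_1417643016.tsv",
               "evaldata_network_1417643016.tsv", "evaldata_network_1417700000.tsv"]
    print("complete runs:", complete_runs(listing))
    # Use a fresh random key per POV and discard it when the engagement ends.
    print(pseudonymize_tsv(SAMPLE_TSV, b"replace-with-a-random-per-pov-key"))
```

Generate the key once per engagement and do not store it with the exported files; once the key is gone the tokens are just labels, which is the property you want for data that is pasted into a spreadsheet and handed around.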

Once the files are on your local system, you can begin the process of building reports from the Excel
templates. Open the Network-Eval-Template.xlsx file.

Next, open the evaldata_network_XXXXXXXXXX.tsv file in Microsoft Excel and select the arrow in the
top left to highlight all data. Copy the contents to the clipboard.

Return to the Network-Eval-Template.xlsx file and paste the contents from the clipboard into the Paste
worksheet.

Select the Report tab where you will find your customized Risk Report.

Select File > Save As and rename the Excel file so that you do not change the original template. If you
accidentally make changes to the template, download a fresh copy for your next customer engagement.
Then, select File > Save as Adobe PDF or print the report to PDF in another manner. Ensure that you
convert only the active sheet. It is important that you provide a PDF to your customer, because the
Excel file is not to be shared with customers.

Repeat this process for the Attack and Malware reports. Share these reports and your findings with the
customer at the POV close-out meeting.

10 Device Sanitization

After a successful partner executed POV, you will need to purge the customer data to prepare for the
next POV. The procedures below may vary based on the deployment and ESXi host used, but they
provide general guidelines that you can leverage as desired.

On the FireSIGHT MC, you can simply revert to the snapshot that was created prior to completing the
customer evaluation. To do so, use the vSphere client. Navigate to Home > Inventory > Inventory and
select the VM. From the toolbar, select the Snapshot Manager button. In the pop-up select the
snapshot you would like to revert to and click Go to.

If you revert to the Baseline snapshot, you will need to complete the FireSIGHT MC configuration steps
again. If you revert to the POV Ready snapshot, the FireSIGHT MC will be configured, but you will need
to adjust IP and Network Discovery settings. In both cases, you need to request and load new POV
licenses. It is important to register each opportunity in CCW and request licenses from Partner Help for
each engagement to ensure proper tracking of Partner Executed POVs and illustrate partner, trained SE,
and program value: https://communities.cisco.com/docs/DOC-55301

If you ran the FireSIGHT MC on the customer's ESXi host, you can have them simply delete the VM from
the inventory. To do so, use the vSphere client. Navigate to Home > Inventory > Inventory and right-click
on the VM. From the menu, select Delete from Disk.

The customer data on the ASA FirePOWER module is deleted when you uninstall the software on the
FirePOWER module. Enter the following commands to complete the process.
ciscoasa# sw-module module sfr shutdown
ciscoasa# sw-module module sfr uninstall
ciscoasa# reload

As part of the POV, you also entered configuration information based on the customer's environment.
To delete these configuration items, revert the ASA configuration to the factory defaults. Enter the
following commands to complete the process; the first command saves a copy of the running
configuration to disk0: before the reset.
ciscoasa# copy /noconfirm running-config disk0:/backup.config
ciscoasa# config t
ciscoasa(config)# config factory-default

11 Next Steps

This completes the Cisco FirePOWER Services for ASA Acceleration program guide. For additional
support, send requests to asa-assess@external.cisco.com.

Below are some key resources to meet the program requirements and continue your education.

Voice of the Engineer: FirePOWER Services for ASA 5.3 Launch
https://communities.cisco.com/docs/DOC-30718

FirePOWER Services for ASA 1-day: Technical Training
https://communities.cisco.com/docs/DOC-53979

SE Security Sales Enablement
http://tools.cisco.com/pecx/login?URL=searchCurricula?LOID=475254

FirePOWER Services for ASA -day: Sales Training
https://communities.cisco.com/docs/DOC-53978

AM Security Sales Enablement
http://tools.cisco.com/pecx/login?URL=searchCurricula?LOID=475253

Sourcefire Information for Partners
https://communities.cisco.com/docs/DOC-51132

Proof of Value Training: Architectures > Security > Cisco Advanced Security Training > Systems Engineers
http://cisco.partnerelearning.com/Saba/Web/Main

SIRE Network Assessment Program Site
http://www.cisco-sire.com

Appendix A: Win Criteria
Customer Name

Win criteria need to be defined before a partner executed POV begins so that you are able to quickly
demonstrate unique business value to the customer during the on-site engagement. This process focuses the
engagement on the solution elements that are most important to the customer. The worksheet below serves
as a starting point to develop win criteria for a Tactical Partner Executed POV and can be adjusted as required
based on dialogue with your customer.

Prioritize each Win Criteria in order from 1 to 8, with one being most important and eight being
least important, based on your customer's priorities.
Priority ___  Visibility
Do you want to have a better understanding of the types of devices on your network and the applications they
are running?

Priority ___  Threat
Are you concerned about bad actors in your environment and the threat that they pose to other internal
systems?

Priority ___  Automation
Would you like to reduce the strain on your security analysts while arriving at a faster resolution of intrusion
information?

Priority ___  Reputation
Do you value a robust reputation service that helps to limit traffic to known bad websites and actors on the
Internet?

Priority ___  Malware Detection
Would you like to implement network malware detection with file reputation, sandboxing, and retrospection?

Priority ___  File Blocking
Do you value visibility of file types entering your environment with the capability to block files before an
attack by type, protocol, or transfer direction?

Priority ___  Application Control
Are you interested in granular control of applications that helps maximize productivity and reduce the attack
surface?

Priority ___  Cross Product Integration
Would you be interested in using the eStreamer API to share host and event data with third-party
applications such as SIEM and integrate with systems such as Cisco ISE?

What compelling factors are driving this engagement?


13 Appendix B: Data Collection Worksheet

Thank you for giving Cisco the opportunity to demonstrate the security posture of your network using
FirePOWER Services for ASA. Please provide the following information to prepare for the evaluation.

1. Network range(s) to be part of the evaluation. Please provide the smallest NETMASKs possible in CIDR
format (e.g. 10.100.0.0/16 instead of 10.100.1.0/24, 10.100.2.0/24, etc.)
_______________________________________ ______________________________________
_______________________________________ ______________________________________
_______________________________________ ______________________________________

2. Networks within these ranges that should be excluded from the above. (Note that this is a non-intrusive
observatory system and will not footprint any of your hosts.)
_______________________________________ ______________________________________
_______________________________________ ______________________________________

3. Local Time Zone _______________________________________

4. IP Addresses (all should be on the same local subnet)


Management IP for FireSIGHT Management Center (MC) _____________________
(requires Internet Access)
Management IP for FirePOWER sensor _____________________
(preferred to be on same subnet as FireSIGHT MC)
Management IP for ASA _____________________
Netmask _____________________ Default Gateway _____________________
(Optional) Management IP Address for ESXi Server _____________________
(Optional) DNS Servers if local lookup is preferred? _____________________ _____________________

5. SPAN Port configuration


Is there a SPAN already set up that can see the traffic from the evaluated networks? Which port?
_______________________________________________________________________________
If no to the above, what type of switch will the system be attached to?
_______________________________________________________________________________
SPAN will be configured using Source Interface or Source VLANs. List sources below.
_______________________________________________________________________________
_______________________________________________________________________________

6. Desired Rack and Power configuration. What type of AC power is required?

7. Length of Evaluation _____________________
