Cisco Firepower Training Guide: Part Two – Initial Tasks

Once you have your SFR module installed and linked to the FireSight Management Center, you can begin bringing the system up to speed. Keep in mind that report templates exported from other sites can only be imported on a system running the exact same Firepower version. For example, a report generated at version 6.1.0 cannot be imported by a system at version 6.1.0.1. After your FMC is set up and seeing data from the firewall, let Firepower run in monitor-only mode for approximately 1-2 weeks after your last change.

If your firewall is on a valid Cisco contract, it is often helpful to create a support case. However, they will typically require you to be specific with your inquiry. Once you have them on the phone, don’t be afraid to branch out slightly and ask questions. Respect that they are trying to solve your problem quickly and efficiently, but you can often receive valuable information about other topics if you’re polite.

Another note on Cisco support: I typically do not generate Firepower “troubleshoot files,” as these contain sensitive information (e.g., SSH keys and IP schemes) that I do not want leaving my environments. When creating a case, be upfront about skipping this step and simply request a WebEx instead.

Here is a list of setup tasks that I go through before removing monitor-only mode from the firewall, or in other words, “going live.” These are not necessarily in any order, but I’ll try to put any prerequisite tasks first.

  • Link the managed devices (ASAs) to the FMC.
    • Create any groupings now.
  • Add any licenses.
  • Apply updates: FMC, SFR, VDB, URL, CRL, etc.
  • Define security zones, i.e., firewall interfaces.
  • Define $Home_Net.
  • Install the Sourcefire User Agent.
    • I usually put it on a domain controller, then point it toward itself and other domain controllers.
  • Set up the mail relay server.
  • Create a dedicated user account for yourself instead of using admin, and change your display preferences.
  • Set up email and syslog event notifications for impact flags, discovery events, etc.
  • Create your realm and identity policy.
    • Download users and groups.
  • Add a health policy.
  • Create a File policy.
  • Create an Intrusion policy.
  • Add your internal network to the Network Discovery policy.
    • Enable application detection.
    • Enable “capture banners.”
  • Add feed lists to the DNS policy.
  • Create an Access Control policy.
    • Add security intelligence feed lists.
    • Create an HTML block page.
  • Create or import reports.
  • Configure backup settings.
  • Add scheduled recurring tasks.
  • Optional: Enable change reconciliation reports.

As you can see, there are many tasks involved in preparing your Firepower system. In upcoming posts, I will go into more detail on each step. Until then, feel free to contact me either here in the comments, or via email at techitw.wp@gmail.com.

Thanks for reading,

Dan
