Check out my Firepower book, videos or take my Firepower class at www.lammle.com/firepower
If you are upgrading or installing a Cisco Firepower module, whether on an ASA, an ISR router or a Meraki firewall, or even installing a standalone appliance, there are five questions you need to answer before you start:
1. Fail open/fail closed?
If you're on an ASA, traffic is redirected to the SFR (FirePOWER) module from a class inside your policy-map, usually global_policy: create a class-map that matches the traffic you want inspected, then under that class use the sfr command with either fail-open or fail-close. If the FirePOWER module becomes unresponsive or is down (for example, during an upgrade), do you allow traffic through uninspected? Then choose fail-open. If you want to drop all traffic until it can be inspected again, choose fail-close. Fail-open is an availability choice with a security cost: everything that matches the class passes without IPS or file inspection for as long as the module is down, so make sure you would notice the module being down.
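Here is what that ASA-side configuration looks like. This is an added example, not configuration from the original post; the class-map name SFR and the "match any" are assumptions, so substitute whatever your policy already matches on.

```cisco
! Added example (not from the original post). "SFR" is an assumed class-map
! name; the class matches all traffic here, narrow it if you only inspect some.
class-map SFR
 match any
!
policy-map global_policy
 class SFR
  ! Redirect matched traffic to the FirePOWER (SFR) module.
  ! fail-open  = pass traffic UNINSPECTED while the module is down/unresponsive
  ! fail-close = drop matched traffic until the module is back up
  sfr fail-open
  ! Passive alternative: "sfr fail-open monitor-only" sends a copy of the
  ! traffic to the module and never blocks, useful for an evaluation phase.
!
! Check the result: the module state and which policy/mode is in effect.
! show module sfr
! show service-policy
```

Decide this before the install, because the keyword you pick is exactly what happens to production traffic during the module's first boot and every later upgrade.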
2. Transfer packets?
When you add a device to your FMC, under the Advanced drop-down there is a check box for Transfer Packets (also available on the Device tab after the device has been added). You typically leave this on, which is the default. It means that when the managed device generates an event, it sends the packet data that triggered the event to the FMC along with the event metadata, and the FMC stores it; that is what lets you pull up the actual packet from the event view when you do analysis. If you disable it the device still sends the events, just without the packet data. If you have many devices across slow WAN links reporting back to a single virtual FMC, that extra data can slow your FMC's responses, so you can disable it on individual managed devices at remote locations if needed. Your other option, depending on your situation, is to replace your virtual FMC with a faster, more expensive hardware FMC appliance such as the FMC 4000 series, if money is no problem for you.
3. Application bypass?
This is Automatic Application Bypass (AAB), configured under the device configuration on the Device tab. By default it is off, which is security over connectivity: if Snort takes longer than the bypass threshold (3000 ms by default) to process a packet, the traffic simply waits on Snort. If you enable AAB, traffic that exceeds the threshold is allowed through without inspection and the Snort process is restarted so it can recover. You are trading a window of uninspected traffic for not stalling the network, which is why it matters most on inline deployments, where a hung Snort process would otherwise hold up production traffic.
4. Inspect/or allow archives?
In your file policy's Advanced tab, archive files are not inspected by default (Inspect Archives is off). If your file policy blocks archives outright, then this is irrelevant. If, like most of my customers, you want to allow archives (.zip and the like), then you want to enable Inspect Archives so the files inside them are extracted and checked, and also enable Block Encrypted Archives: a password-protected or encrypted archive cannot be inspected at all, and it is a classic way to slip malware past file inspection. Block Uninspectable Archives covers the remaining cases (for example, nesting deeper than the configured maximum archive depth).
5. Inspect traffic during policy apply
This is a good one! If you have an appliance rather than an ASA, ISR router or Meraki firewall, then this isn't that important, as appliances are very fast when it comes to applying your ACP. However, ASAs are not as fast, and I've seen some installations that take 10 minutes to update! This setting, in the ACP's Advanced tab, lets you choose whether traffic is inspected while the policy is being applied: on a slow platform that means traffic is held or dropped during the apply, which typically brings your network to a halt, and the alternative is letting traffic through uninspected until the apply finishes. What is right depends on your organization. Most of my customers let traffic through and take their chances, but not all.
Although there are a lot of possible other considerations during your install, I find that these five are always on the list when configuring a device into my FMC.