This is a follow up blog from my initial writeup on the release of Cisco Firepower/FTD 6.4 code release.
I mention in that blog that I had class that week and was going to thoroughly test the new 6.4 code, and then write a new blog on my recommendations, so here we are.
To cut to the chase, meaning that if your busy and don’t want to read anymore, just don’t upgrade or install 6.4 code yet, wait for 220.127.116.11. Also, it’s worth stating that you should never install a “.0” code if possible.
UPDATE 5/16/19: 18.104.22.168 came out and has solved a couple of the issues addressed in this post. Will update this again once this is confirmed.
Update 5/16/19: I have confirmed that the new 22.214.171.124 patch has indeed fixed the firepower discovery issue with the new FMC installs
Here is a Concerning Issue:
In my six-years of almost full-time work on Sourcefire/Cisco Firepower, I have never seen a problem with RUA/RNA, FireSIGHT, or what we now just call Firepower Network Discovery, and I can almost guarantee no one else has either. Cisco Firepower/FTD code 6.4 seems to have broken that winning streak.
Update: see cisco bug CSCvp59960 (Sev 3)
In the screen shot below, I am showing the three Cisco created objects that I use or you can use in your Networks configuration of network discovery. (No, I did not use all three at the same time, I am just showing you the three I tested with individually for brevity).
Once deployed, go Analysis>Host>Network Map notice that there are no hosts present. This shocked and amazed me (I might have said WTF out loud too)! We tested this and tested this to make sure we weren’t making a mistake, but screwing up the easiest policy in Firepower is not easy to do! Usually, you’ll get data whether you like it or not…
Below, you can see the three manual configuration that we tried, again, all configured and deployed separately. When we deployed the Enterprise group, immediately hosts showed up. We also then tested typing in manually quad zeros, and then the 10.0.0.0/8 manually as well; every time we tested a manual object, Firepower starting worked as it always has…
Here we used a manually created network configuration in Firepower and hosts immediately showed up!
Solution? Use a manually created object, or just don’t upgrade to 6.4 yet.
Is the Juice of Upgrading to 6.4 worth the Squeeze?
From the ACP, you can click on Analyze Hit Counts, and then choose your 6.4 FTD devices and get hit counts via a the GUI. If you click on the rule name, it takes you to the rule itself, and if you click on the magnifying glass it opens and edits the rule. Useful. Maybe not worth the upgrade since you could always use the show acccess-list-config FTD command and get much more information than this provides…but hey, people love their GUI…
However, I’d rather just have a column in the ACP rules that shows you the hit count, for example put this where the Comment count is listed now (that now one gives a damn about), as shown here:
In addition, Cisco was also touting the new FTD command “show rule hits” at the CLI…however, this one made me scratch my head. Looking at the output below of the show rule hits command- that I first had to copy into notepad, so I could then compare the Rule ID to the actual ACP rule set. Seriously.
Remember, you could have always just typed in show access-list, as I did here, and see the hit counts as well…but, it’s not a GUI, true.
Possibly Cosmetic Issue or just plain odd…
When configuring the File/Malware policy with the same exact configuration that I’ve deployed for year, this error message popped up.
Update: please see Cisco bug CSCvp60050 (Sev 4)
I actually thought they had done some work on the new File policy, but no, just press OK here and the rule takes the commands, as it always has. We could find no issues with this, other than possibly a cosmetic message.
After mentioning this in the last blog, this really needs to be understood:
What Cisco doesn’t tell you here is that once you enable the File and Malware Settings in the global logging tab, you still need to go into Devices>Platform Settings>Syslog and configure the MID’s 430004 and 430005 into the Event List to make this work; and you might as well turn on 430001 (identifies an intrusion event), 430002 (identifies a connection event logged at the beginning of the connection) and 430003 (identifies a connection event logged at the end of the connection) well you’re at it. There is no documentation that tells you that you need this configuration!
Cisco just added these MID’s to the documentation: Cisco Firepower Syslog event messages
The Object Usage screen in Objects, starting in 6.4 is somewhat helpful for telling you the policy an Object is used in, however, it would be nice if it listed the rule number as well.
Also, there are some random issues that I ran into when creating rules: as in that it wouldn’t take the rule, and the Monitor rule wouldn’t, well, log. I can’t reproduce those on command though…also, 6.4 code breaks WCCP.
Lastly, I mentioned in my previous blog that Cisco is moving from Brightcloud to Talos categories for SI and URL’s. This has been delayed until 6.5 code now. Not an issue, just a heads up…
Can’t wait to see what 126.96.36.199 brings us…