Firepower version 6.0.1

Hello guys

I recently updated my ASA 5506 FirePOWER to version 6.0.1-29 and I can no longer see the Active Directory users. I have searched for this and found this link, set up the Active Directory integration with the Firepower device, but it does not help because I don't want captive portal authentication in my environment, and I don't even see users in the access control policy (it gives me a warning triangle that has to do with the identity policy). So I tried to create the identity policy, but it needs a self-signed certificate. I created one, but when saving the certificate it gives me this error (could not validate EO based Cert: System (/usr/bin/openssl rsa -outform pem -inform pem -in /tmp/SIrNBopGd5 -passin file:/tmp/Jd8gZivkm_ -out /tmp/A4qZjXp0YY) Failed) and now I'm really stuck here, I don't know what to do... Please help :/

Hello

This occurs when the key used is not encrypted by password. Try:

Encrypt the key with a password, and then import the certificate and key.

Kind regards

Aastha Bhardwaj

Rate if this is useful!
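
The fix suggested in the answer above, as an added example that is not part of the original thread: it encrypts an existing private key with a passphrase using openssl, then checks that the result is encrypted, opens with that passphrase through the same "openssl rsa ... -passin file:" call shape shown in the error message, and belongs to the certificate. The file names, certificate subject and passphrase are constructed sample values; which PEM encoding the device expects is not stated in the thread.

```shell
#!/bin/sh
# Added example: prepare a passphrase-protected private key before importing
# a certificate/key pair. All names and values here are constructed samples.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
umask 077                                   # key material readable by owner only
printf '%s\n' 'constructed-sample-passphrase' > "$WORK/pass.txt"

# Self-signed certificate with an unencrypted key (the situation in the question).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=identity.example.test' \
        -keyout "$WORK/key-plain.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Re-write the key encrypted with AES-256 under the passphrase file.
encrypt_key() {
    openssl rsa -in "$WORK/key-plain.pem" -aes256 \
        -passout "file:$WORK/pass.txt" -out "$WORK/key-enc.pem" 2>/dev/null
}

# True when the PEM is passphrase-protected: "ENCRYPTED" appears in the PEM
# header of both the traditional and the PKCS#8 encodings.
is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Same call shape as in the error message: decrypt using -passin file:<path>.
# $1 = key file, $2 = passphrase file
decrypts_with() {
    openssl rsa -inform pem -outform pem -in "$1" \
        -passin "file:$2" -out "$WORK/check.pem" 2>/dev/null
}

# The key must belong to the certificate: compare the two public keys.
# $1 = key file, $2 = passphrase file, $3 = certificate
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "file:$2" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

make_selfsigned
encrypt_key

if is_encrypted "$WORK/key-enc.pem" &&
   decrypts_with "$WORK/key-enc.pem" "$WORK/pass.txt" &&
   key_matches_cert "$WORK/key-enc.pem" "$WORK/pass.txt" "$WORK/cert.pem"
then
    echo "key-enc.pem is encrypted, opens with the passphrase, and matches cert.pem"
fi
```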

Tags: Cisco Security

Similar Questions

  • SSL decryption of search engine related traffic only

    In the new Firepower version 6.1, you can activate SafeSearch to restrict search results.  The only problem is that you must use SSL,

    6.1 release notes

    Note that SSL decryption policies must be configured for both of these features to work, mainly because most search engines now use SSL encryption.

    We recently had SSL decryption enabled, and it broke the Firepower modules.  TAC told us that 5545s with modules could not handle the amount of SSL decryption we were doing.  So in the end we did not really need to keep being lost due to the performance SSL decryption.

    "SafeSearch" is a feature as an educational institution we have lit.  Is there a way to send just the search engine related traffic through the SSL policy for decryption and 'do not read' all other traffic?

    Yes. It is generally recommended that an SSL decryption policy be limited to the sites that you really need to decrypt, for just the reason you ran into.

    We would do that in your example using an SSL policy application rule.

    Configuration guide for reference:

    http://www.Cisco.com/c/en/us/TD/docs/security/firepower/610/configuratio...

    Screenshot of example (open in a new tab to zoom in):

  • CISCO ASA 5515 WITH THE VERSION OF FIREPOWER

    ASA 5515 with FirePOWER services. Can FirePOWER be managed with ASDM?

    Can anyone suggest versions for Firepower, ASDM, ASA?

    Kindly help

    You will find this useful for installing the FirePOWER module on the ASA for local management:

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/Quick_Start/SFR/firepo...

    Thank you

    Guillaume

    Rate if this can help!

  • Cisco Firepower 4110 Clustering with ASA and FTD

    Hi all

    We have a pair of Cisco Firepower 4110 devices and have them clustered for the ASA Security Module.

    There seems to be no option to add an additional logical device for the Firepower Threat Defense module, so I can only assume this is not supported in an active/active state.

    Also, on the ASA module there is no Remote Access VPN configuration tab.

    So my question is how to incorporate the Threat Defense functionality into the ASA. I suppose this would be by the engine offload in the advanced settings, but does that require the ASA to be in active/standby mode, and will the Firepower Threat Defense logical device then be available?

    Second question: would it have been better to buy the Cisco ASA 5585-X with the FirePOWER module, to support all the regular ASA features as well as offloading traffic inspection to the FirePOWER module?

    I found some documentation on the Cisco site, but tend to lose sight of where the reference to FTD and not be supported of the Clustering or RAS VPN not supported by ASA or FXOS docs, so I was hoping for some insight on here.

    I'd appreciate any clarity around what is supported on the Firepower 4110 devices, and around the configuration of FTD and ASA and the combined features supported.

    We run ASA v9.6(2) and FXOS 2.0.1(86).

    Thanks in advance.

    Mark

    On a Firepower 4100 series chassis, you can run a single logical device. Multiple logical devices are supported only on the Firepower 9300, which supports up to 3 security modules.

    So you choose between the ASA and FTD module types (or technically you can also deploy the RADware vDefense Pro, but it is mainly for service providers).

    One or the other and never both.

    The ASA module supports remote access VPN on the Firepower 4110. I personally set one up just this month. Have you registered the chassis with smart licensing and applied the ASA licenses (base and 3DES/AES)?

    The ASA modules support HA and inter-chassis clustering on the 4100 series hardware.

    If you run the FTD image, there is currently no support for remote access VPN. It is a high-priority roadmap item for a future version (post-6.2). FTD does not currently support inter-chassis clustering, but that should be in version 6.2.

  • Cannot change the access policy (firepower 6.1)

    Hello

    I use the FirePOWER service module on an ASA5525 and an FMC, both on version 6.1.

    After the upgrade to version 6.1, I can't save any changes to my access policy. I always get the message "error saving data - another operation by another user has prevented this operation. Please try again after some time."
    I am the only one with access to the FMC, there is no task running, and I tried reloading the FMC, but I got the same error.

    Please, has anyone seen this? What could be the cause?

    Thank you.

    I solved the problem by replacing all the 'Private network' objects with 'IPv4-private-All-RFC1918'.

  • Firepower does not work when using the Active Directory group as a rule filter access control

    I am doing a PoV of Cisco ASA with FirePOWER with my client. I would like to integrate FirePOWER with MS Active Directory. Everything seems to work properly.

    - The Firepower User Agent installation completed successfully. The connection to AD works fine. The log is GREEN.

    - I created a realm in FireSIGHT and can download users and groups from Active Directory.

    - I created an identity policy with passive authentication (using the realm I created).

    - I can use an AD "user" account as a filter in an access control rule and it works very well.

    However, if I create the access control rule with an AD group, the rule never gets matched. I'm sure that the user I test with is a member of the group. The connection events show the system ignoring this rule, and the traffic is blocked by the default action below it. It looks like Firepower doesn't know that the user belongs to the group.

    I use

    - Firepower User Agent for Active Directory v2.3 build 10

    - ASA 5515 software version 9.5(2)

    - FirePOWER module version 6.0.0-1005

    - Firepower Management Center for VMware

    Any suggestion would be appreciated. Thanks in advance.

    Hello

    You should check the user download option under the realm. Download the users once the group they belong to is specified on the AD, and then test the connection.

    Thank you

    Yogesh

  • Upgrade to version 6.0 SourceFire Module questions

    We recently implemented Sourcefire module version 5.4.1 on our ASA, but want to upgrade to version 6.0. I've been through the version 6.0 release notes for the upgrade, which are dated November 2015, but had a few questions that I was hoping someone here could answer:

    - Our FireSIGHT Management Center is a 64-bit virtual appliance. Can we install version 6.0 on a VMware virtual appliance running on ESXi 6.0? The release notes only list ESXi 5.1 and ESXi 5.5.

    - Which files should I use for the update? The release notes say to use "SourceFire_3d_Defense_Center_S3_upgrade-6.0.0-1005.sh". My choices on Cisco's support site are: asasfr-sys-6.0.0-1005.pkg, asasfr-5500x-boot-6.0.0-1005.img and Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh. I guess asasfr-sys-6.0.0-1005.pkg is for the FMC, and Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh is for the ASAs. Is that right?

    - How long will the update take for the FMC and the ASAs? The ASA is a 5516-X and the release notes seem to say that the update will take about 41 minutes.

    ESXi 6.0 is not officially supported, so your experience may vary. If you get stuck, TAC may tell you that you're on your own.

    "Cisco_Network_Sensor_Upgrade-6.0.0-1005.sh" is used to upgrade the ASA FirePOWER module in the Firepower manager.

    If you were doing a fresh build or a reimage, then you would use the boot and sys images respectively.

    41 minutes for the FMC is right. As Philip mentioned, 2 hours is a better estimate for the ASA module, especially on a smaller box such as the 5516-X.

  • I do not have "Firepower of ASA Configuration" menu in ASDM

    Hello

    I do not have "Firepower of ASA Configuration" menu in ASDM.

    I already configured IP to the management port 0/0 10.226.24.181 also to the 10.226.24.130 of the SFP Manager.

    I can ping 10.226.24.130 ASA CLI and have tab in ASDM (with https://No DC configured the button).

    You can see in attachment

    Help, please

    You have an ASA 5525-X and the FirePOWER module is 5.3.1-152. Managing the FirePOWER module on that platform via ASDM requires the module to be running software 6.0 or later (and your ASDM must be 7.5(1.112) or later).

    Reference: http://www.cisco.com/c/en/us/td/docs/security/asdm/7_5/release/notes/rn7...

    If you want to upgrade the module from 5.3 to 6.0 and you do not have a FirePOWER manager, then the way forward is to reimage using the 6.0 system and boot images. This procedure is illustrated below:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-firepower-service...

    You need the images available here:

    https://software.Cisco.com/download/release.html?mdfid=286271172&flowid=...

    Expand the tree on the left and look under All versions > 6.0 > 6.0.0. Use the files asasfr-5500x-boot-6.0.0-1005.img and asasfr-sys-6.0.0-1005.pkg.

    After getting it to work, you should also update further to the latest version (currently 6.0.1).

  • Adding FirePOWER Services to an existing ASA 5515-X

    I have an existing 5515cx ASA with an SSD.

    Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
                ASA: 4096 MB RAM, 1 CPU (1 core)
    Internal ATA Compact Flash, 8192MB
    BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

    Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                                 Boot microcode        : CNPx-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                                 IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                                 Number of accelerators: 1
    Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

    How can I determine if FirePOWER Services are an option for this device?  For example: Cisco ASA5515 FirePOWER IPS, Apps, AMP and URL 3 yr Subscription (L-ASA5515-TAMÁS-3Y).

    I also have a 170 WSA that I am considering upgrading to WSA S190 hardware as an alternative.  I know that the WSA is not a firewall, and the combination of the two is perhaps more appropriate.

    Thank you

    Mark

    Hi Mark,

    Have you already installed the FirePOWER module on the ASA, or do you still have to install it?

    If you have obtained the licenses for the module, then you can go ahead and install the module and redirect the traffic for inspection, as shown in the document below:

    https://www.Cisco.com/c/en/us/support/docs/security/ASA-firepower-servic...

    rate if this can help.

    Thank you

    Ankita

  • Stable ASA software recommendation for Firepower 6.0.1

    Hi all

    I need to install 2 x 5525 in a Cluster for firepower. We will use the most recent version of firepower and now I would like to know your recommendations for the more stable/better Version of the Cisco ASA software to use. We have no specific requirements for the featureset, the firewall itself will be the gateway for production networks and must protect the traffic to and from this network. No VPN will be used, no dynamic routing. The software should be a stable release, which is known to work very well with the firepower 6.0.1.

    I see in the Firepower 6.0.1 documentation (http://www.cisco.com/c/en/us/td/docs/security/firepower/601/relnotes/fir...) that we need at least: "running ASA version 9.4(2), 9.5(2) or 9.6(1)".

    It would be great if someone could share a recommendation on which software I should go for. On a 5506-X in my lab I'm currently using 9.5.2 and I haven't faced any problems so far.

    Another question, about the Firepower upgrade process. As described in the Firepower manuals, the FMC must be updated first, and then the FirePOWER module on the Cisco ASA follows. What is the best way to update the FirePOWER module on the ASA, using the FMC? What is the recommended way? Or can I also update the FirePOWER services module from the CLI without losing its configuration?

    Best regards

    Sebastian

    Hello team,

    I checked the errors and confirmed that the error may occur if there is an object in the EO tables whose revision is exceeded. For this we need the help of the Cisco TAC to take the problem to the engineering team and get a fix. You are not supposed to change anything in the EO tables yourself. So be sure to contact the Cisco TAC.

    Rate if my message helps.

    Regards

    jetsy

  • Configure the IP address of the ASA FirePOWER module

    Hello

    Today I tried to configure the IP address of the ASA FirePOWER module, but unfortunately I failed. The firewall is in the direction of the situation and also do have not any router on the LAN. So, I stop the management interface and configure the IP of the FirePOWER module on the server management network. But unfortunately I cannot ping the gateway IP address, which is actually one of the interfaces of the firewall. It is a 5525-X series firewall, so there isn't any interface dedicated to FirePOWER management. It would be nice to know where I made the mistake. I reloaded and recovered the module and I see the status is always Recover. So my question is whether there is a problem with the module itself?

    Module status

    sh module

    Mod  Card Type                                    Model              Serial No.
    ---- -------------------------------------------- ------------------ -----------
       0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC
     ips Unknown                                      N/A
    cxsc Unknown                                      N/A
     sfr Unknown                                      N/A

    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
    ---- --------------------------------- ------------ ------------ ---------------
       0 f                                 1.0          2.1(9)8      9.2(3)
     ips                                   N/A          N/A
    cxsc                                   N/A          N/A
     sfr                                   N/A          N/A

    Mod  SSM Application Name           Status           SSM Application Version
    ---- ------------------------------ ---------------- --------------------------
     ips Unknown                        No Image Present Not Applicable
    cxsc Unknown                        No Image Present Not Applicable

    Mod  Status             Data Plane Status     Compatibility
    ---- ------------------ --------------------- -------------
       0 Up Sys             Not Applicable
     ips Unresponsive       Not Applicable
    cxsc Unresponsive       Not Applicable
     sfr Recover            Not Applicable

    Firewall interface config

    #Interface                  IP-Address      OK? Method Status   Protocol
    GigabitEthernet0/0         10.101.106.115  YES CONFIG up       up
    GigabitEthernet0/1         10.106.106.115  YES CONFIG up       up
    GigabitEthernet0/2         10.103.254.254  YES CONFIG up       up
    GigabitEthernet0/3         10.0.210.254    YES CONFIG up       up
    GigabitEthernet0/4         10.100.254.254  YES CONFIG up       up
    GigabitEthernet0/5         10.107.253.115  YES CONFIG up       up

    #interface GigabitEthernet0/1
     speed 1000
     duplex full
     nameif Server
     security-level 70
     ip address 10.106.106.115 255.255.0.0

    FirePOWER management configuration

    Host name: 1 Swiss francs
    Configuration Management Interface

    Configuration IPv4: static
    IP address: 10.106.251.253
    Network mask: 255.255.0.0
    Gateway: 10.106.106.115

    IPv6 configuration: Stateless autoconfiguration

    Configuration of DNS:
    Domain: XXX.local
    Search:
    XXX.local
    DNS server:
    10.101.251.2
    10.201.251.2

    Any help will be greatly appreciated.

    Thank you

    Sari

    Sari,

    Even though the FirePOWER services module has no physical management port of its own, it uses the Management0/0 port to connect to the SFR module.  If you want it on the same VLAN as your server VLAN, plug the ASA's Management0/0 port into a switch that carries the server VLAN and give the SFR module an IP address on the same subnet.

    Make sure that you remove the nameif statement under interface Management0/0. Here is an example:

    interface Management0/0
     management-only
     no nameif
     security-level 100
     no ip address

  • ASA 5545-X FirePOWER question

    Hi all

    I have an urgent matter: I bought 2 ASA 5545-X with FirePOWER. Both ASAs have Sourcefire in flash, but only one has the status Up.

    When I run the show module command,

    ASA1

    ==========================================================================================

    ciscoasa# sh module

    Mod  Card Type                                    Model              Serial No.
    ---- -------------------------------------------- ------------------ -----------
       0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH19207Y7G
     ips Unknown                                      N/A                FCH19207Y7G
    cxsc Unknown                                      N/A                FCH19207Y7G
     sfr Unknown                                      N/A                FCH19207Y7G

    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
    ---- --------------------------------- ------------ ------------ ---------------
       0 d8b1.9040.ba11 to d8b1.9040.ba1a  1.0 9,0000 8 2,0000 4
     ips d8b1.9040.ba0f to d8b1.9040.ba0f  N/A
    cxsc d8b1.9040.ba0f to d8b1.9040.ba0f  N/A
     sfr d8b1.9040.ba0f to d8b1.9040.ba0f  N/A

    Mod  SSM Application Name           Status           SSM Application Version
    ---- ------------------------------ ---------------- --------------------------
     ips Unknown                        No Image Present Not Applicable
    cxsc Unknown                        No Image Present Not Applicable

    Mod  Status             Data Plane Status     Compatibility
    ---- ------------------ --------------------- -------------
       0 Up Sys             Not Applicable
     ips Unresponsive       Not Applicable
    cxsc Unresponsive       Not Applicable
     sfr Unresponsive       Not Applicable

    Mod  License Name   License Status  Time Remaining
    ---- -------------- --------------- ---------------
    IPS IPS Module perpetual mobility

    =================================================================================

    ASA2

    ==========================================================================================

    ciscoasa# sh module

    Mod  Card Type                                    Model              Serial No.
    ---- -------------------------------------------- ------------------ -----------
       0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH19207Y7G
     ips Unknown                                      N/A                FCH19207Y7G
    cxsc Unknown                                      N/A                FCH19207Y7G
     sfr FirePOWER Services Software Module           ASA5545            FCH19207Y7G

    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
    ---- --------------------------------- ------------ ------------ ---------------
       0 d8b1.9040.ba11 to d8b1.9040.ba1a  1.0 9,0000 8 2,0000 4
     ips d8b1.9040.ba0f to d8b1.9040.ba0f  N/A
    cxsc d8b1.9040.ba0f to d8b1.9040.ba0f  N/A
     sfr d8b1.9040.ba0f to d8b1.9040.ba0f  N/A          N/A          5.3.1-152

    Mod  SSM Application Name           Status           SSM Application Version
    ---- ------------------------------ ---------------- --------------------------
     ips Unknown                        No Image Present Not Applicable
    cxsc Unknown                        No Image Present Not Applicable
     sfr ASA FirePOWER                  Up               5.3.1-152

    Mod  Status             Data Plane Status     Compatibility
    ---- ------------------ --------------------- -------------
       0 Up Sys             Not Applicable
     ips Unresponsive       Not Applicable
    cxsc Unresponsive       Not Applicable
     sfr Up                 Up

    Mod  License Name   License Status  Time Remaining
    ---- -------------- --------------- ---------------
    IPS IPS Module perpetual mobility

    =================================================================================

    I tried these commands to recover the firewall

    sw-module module sfr recover configure image disk0:asasfr-5500x-boot-5.3.1-152.img
    sw-module module sfr recover boot

    The status stays the same, but I can connect to the FirePOWER module through session sfr console.

    Please can you help me?

    If you started the recovery image, you have a partial installation. You need to go into the module with the session command and launch the setup. Once you have a "bootstrap" setup in place, you can complete the recovery process by installing the full image.

    Something like this:

     ciscoasa# session sfr console
     Opening console session with module sfr.
     Connected to module sfr. Escape sequence is 'CTRL-^X'.

     Cisco ASA SFR Boot Image 5.3.1
     asasfr login: admin
     Password: Admin123

    Then run the setup program, followed by 'system install' to load the full image package (pkg) as follows:

     asasfr-boot> system install ftp://@/asasfr-sys-5.3.1-152.pkg
     Verifying
     Downloading
     Extracting
     Package Detail
         Description: Cisco ASA-SFR 5.3.1-152 System Install
         Requires reboot: Yes
     Do you want to continue with upgrade? [y]: Y
     Warning: Please do not interrupt the process or turn off the system.
     Doing so might leave system in unusable state.
     Upgrading
     Starting upgrade process...
     Populating new system image
     Reboot is required

    Once you reboot, the sfr module should show as Up. You can then log back in (using admin / Sourcefire), accept the EULA, and finish by redefining the addressing and then adding the manager definition.

  • Block page - ASA FirePOWER

    Hello world

    I'm now working with an ASA 5506-X and Sourcefire module. So far it works well, but I have a problem with the customized block page (Https response): it only works with Internet Explorer and not with the other browsers, and it also doesn't show the HTTP response when the page is running with security (HTTPS).

    URL filtering policies are working correctly; the problem is that I can't see the block page that I customized with browsers like Mozilla or Chrome and when the page uses port 443.

    Does anyone know why this happens?

    Thanks for reading. :)

    Hello

    For HTTPS websites you will not receive a block message, because HTTPS data is encrypted and the FirePOWER module does not have the ability to decrypt the encrypted traffic. Only the hardware FirePOWER appliances and now the latest version 6.0 Drambuie devices will have the ability to decrypt SSL traffic.

    Only FirePOWER Series 3 devices support SSL at the moment, so this is the expected behavior.

    Kind regards

    Aastha

    Rate if this can help!

  • Firepower ASA Web Proxy services

    I was wondering, is it possible to configure an HTTP and HTTPS web proxy on the ASA with FirePOWER services?

    Kind regards

    Caesar

    It inspects HTTP inline and not as a proxy server.

    We are limited in how much we can do with HTTPS because as of the current version (5.4) we cannot do SSL decryption on the FirePOWER modules.

    If you are asking about the FirePOWER module itself, it can be configured to use a proxy server for its external communication.

  • Firepower on 5506

    Dear friends!

    I installed a 5506-X at my company and decided to upgrade the FirePOWER software to version 6.0, but it was impossible to migrate directly to version 6.0, so I did the upgrade to version 5.4.1.3-26. After that, the upgrade to version 6.0 didn't work.

    Now I'm still on version 5.4.1.3-26, and when I try to access the firewall using ASDM, the error message appears, as you can see in the attached file, and I can access functions of FirePOWER than the status.

    The IP 192.168.13.251 is already set up on the FirePOWER module.

    Does anyone know what is the cause of this problem?

    Thank you

    Marcio

    Marcio,

    The failure of the upgrade may have damaged some of the necessary files. You may reimage the software module.

    If you have Smartnet, open a TAC case. (You should have Smartnet, or else you wouldn't have the right to upgrade, right?)

    Otherwise the process is fairly well laid out here:

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-firepower-service...

    You must uninstall the current module first (explained earlier in the same document).

    Using this approach, you can start with 6.0 from a new installation.
