
ASA FirePOWER Module User Guide
Version 5.4.1
January 22, 2015

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2015 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1  Introduction to the Cisco ASA FirePOWER Module  1-1
    Introduction to the ASA FirePOWER Module  1-1
    ASA FirePOWER Module Components  1-2
        Access Control  1-2
        Intrusion Detection and Prevention  1-2
        Advanced Malware Protection and File Control  1-3
        Application Programming Interfaces  1-3
    License Conventions  1-3
    IP Address Conventions  1-4

CHAPTER 2  Managing Reusable Objects  2-1
    Using the Object Manager  2-2
        Grouping Objects  2-2
        Browsing, Sorting, and Filtering Objects  2-3
    Working with Network Objects  2-3
    Working with Security Intelligence Lists and Feeds  2-4
        Working with the Global Whitelist and Blacklist  2-6
        Working with the Intelligence Feed  2-6
        Working with Custom Security Intelligence Feeds  2-7
        Manually Updating Security Intelligence Feeds  2-8
        Working with Custom Security Intelligence Lists  2-8
    Working with Port Objects  2-9
    Working with URL Objects  2-10
    Working with Application Filters  2-11
    Working with Variable Sets  2-13
        Optimizing Predefined Default Variables  2-14
        Understanding Variable Sets  2-16
        Managing Variable Sets  2-18
        Managing Variables  2-19
        Adding and Editing Variables  2-20
        Resetting Variables  2-26
        Linking Variable Sets to Intrusion Policies  2-27

iii  ASA FirePOWER Module User Guide

        Understanding Advanced Variables  2-27
    Working with File Lists  2-28
        Uploading Multiple SHA-256 Values to a File List  2-29
        Uploading an Individual File to a File List  2-30
        Adding a SHA-256 Value to the File List  2-30
        Modifying Files on a File List  2-31
        Downloading a Source File from a File List  2-31
    Working with Security Zones  2-32
    Working with Geolocation Objects  2-33

CHAPTER 3  Managing Device Configuration  3-1
    Editing Device Configuration  3-1
        Editing General Device Configuration  3-1
        Viewing Device System Settings  3-2
        Understanding Advanced Device Settings  3-2
        Editing Advanced Device Settings  3-3
    Managing ASA FirePOWER Module Interfaces  3-4
    Applying Changes to Device Configuration  3-4
        Using the Device Management Revision Comparison Report  3-5
    Configuring Remote Management  3-5
        Editing Remote Management  3-7
        Configuring eStreamer on the eStreamer Server  3-7

CHAPTER 4  Getting Started with Access Control Policies  4-1
    Access Control License and Role Requirements  4-2
        License Requirements for Access Control  4-2
    Creating a Basic Access Control Policy  4-3
        Setting Default Handling and Inspection for Network Traffic  4-4
    Managing Access Control Policies  4-6
    Editing Access Control Policies  4-7
    Understanding Out-of-Date Policy Warnings  4-9
    Applying an Access Control Policy  4-10
        Applying a Complete Policy  4-11
        Applying Selected Policy Configurations  4-12
    Troubleshooting Access Control Policies and Rules  4-13
        Simplifying Rules to Improve Performance  4-14
        Understanding Rule Preemption and Invalid Configuration Warnings  4-15
        Ordering Rules to Improve Performance and Avoid Preemption  4-16
    Generating a Report of Current Access Control Settings  4-17
    Comparing Access Control Policies  4-18

CHAPTER 5  Blacklisting Using Security Intelligence IP Address Reputation  5-1
    Choosing a Security Intelligence Strategy  5-2
    Building the Security Intelligence Whitelist and Blacklist  5-3
        Searching for Objects to Whitelist or Blacklist  5-5

CHAPTER 6  Tuning Traffic Flow Using Access Control Rules  6-1
    Creating and Editing Access Control Rules  6-2
        Specifying a Rule's Order of Evaluation  6-4
        Using Conditions to Specify the Traffic a Rule Handles  6-5
        Using Rule Actions to Determine Traffic Handling and Inspection  6-6
        Adding Comments to a Rule  6-10
    Managing Access Control Rules in a Policy  6-11
        Searching Access Control Rules  6-12
        Enabling and Disabling Rules  6-12
        Changing a Rule's Position or Category  6-13

CHAPTER 7  Controlling Traffic with Network-Based Rules  7-1
    Controlling Traffic by Security Zone  7-1
    Controlling Traffic by Network or Geographical Location  7-3
    Controlling Traffic by Port and ICMP Codes  7-4

CHAPTER 8  Controlling Traffic with Reputation-Based Rules  8-1
    Controlling Application Traffic  8-2
        Matching Traffic with Application Filters  8-3
        Matching Traffic from Individual Applications  8-4
        Adding an Application Condition to an Access Control Rule  8-5
        Limitations to Application Control  8-6
    Blocking URLs  8-7
        Performing Reputation-Based URL Blocking  8-8
        Performing Manual URL Blocking  8-10
        Limitations to URL Detection and Blocking  8-11
        Allowing Users to Bypass URL Blocks  8-12
        Displaying a Custom Web Page for Blocked URLs  8-14

CHAPTER 9  Controlling Traffic Based on Users  9-1
    Adding a User Condition to an Access Control Rule  9-2
    Retrieving Access-Controlled Users and LDAP User Metadata  9-3
        Connecting to an LDAP Server for User Awareness and Control  9-3
        Updating User Control Parameters On-Demand  9-7
        Pausing Communications with an LDAP Server  9-7
    Using User Agents to Report Active Directory Logins  9-8

CHAPTER 10  Controlling Traffic Using Intrusion and File Policies  10-1
    Inspecting Allowed Traffic For Intrusions and Malware  10-2
        Understanding File and Intrusion Inspection Order  10-2
        Configuring an Access Control Rule to Perform AMP or File Control  10-3
        Configuring an Access Control Rule to Perform Intrusion Prevention  10-4
    Tuning Intrusion Prevention Performance  10-6
        Limiting Pattern Matching for Intrusions  10-6
        Overriding Regular Expression Limits for Intrusion Rules  10-7
        Limiting Intrusion Events Generated Per Packet  10-8
        Configuring Packet and Intrusion Rule Latency Thresholds  10-9
        Configuring Intrusion Performance Statistic Logging  10-15
    Tuning File and Malware Inspection Performance and Storage  10-16

CHAPTER 11  Understanding Network Analysis and Intrusion Policies  11-1
    Understanding How Policies Examine Traffic For Intrusions  11-2
        Decoding, Normalizing, and Preprocessing: Network Analysis Policies  11-3
        Access Control Rules: Intrusion Policy Selection  11-4
        Intrusion Inspection: Intrusion Policies, Rules, and Variable Sets  11-5
        Intrusion Event Generation  11-6
    Comparing System-Provided with Custom Policies  11-7
        Understanding the System-Provided Policies  11-8
        Benefits of Custom Policies  11-9
        Benefits of a Custom Network Analysis Policy  11-9
        Benefits of Custom Intrusion Policies  11-10
        Limitations of Custom Policies  11-11
    Using the Navigation Panel  11-13
    Resolving Conflicts and Committing Policy Changes  11-15

CHAPTER 12  Using Layers in a Network Analysis or Intrusion Policy  12-1
    Understanding the Layer Stack  12-1
    Understanding the Base Layer  12-2
    Managing Layers  12-5
        Adding a Layer  12-7
        Changing a Layer's Name and Description  12-7
        Moving, Copying, and Deleting Layers  12-8
        Merging Layers  12-8
        Sharing Layers Between Policies  12-9
        Configuri