Blog

IP and Mobile Trends and Education

 

Dealing with Cisco Firepower Management Center (FMC) and Firepower sensor communication. Registration process.

Author:


16.04.2018

This post should help you to understand the Firepower sensor registration in FMC process and uncover the communication specifics between firepower components. I will also give you some additional hints what to check to verify the registration. In order to make troubleshooting easier there will be dedicated troubleshooting post later on.
 

1. High level diagrams of the communication

Firepower 1

 

2.Sensor and FMC configuration

To follow the registration process I will capture the traffic between these two devices.

 

configure manager add 192.168.0.200 CiscoKEY
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

 

Set the capture on the FMC:

 

$sudo su
root@FMC:/Volume/home/admin# tcpdump -c 200  port 8305 -n
HS_PACKET_BUFFER_SIZE is set to 4.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:53:35.363876 IP 192.168.0.201.59968 > 192.168.0.200.8305: Flags [S], seq 809749175, win 14600, options [mss 1460,sackOK,TS val 70783697 ecr 0,nop,wscale 7], length 0
11:53:35.363912 IP 192.168.0.200.8305 > 192.168.0.201.59968: Flags [R.], seq 0, ack 809749176, win 0, length 0
11:53:57.378569 IP 192.168.0.201.59544 > 192.168.0.200.8305: Flags [S], seq 884680013, win 14600, options [mss 1460,sackOK,TS val 70785899 ecr 0,nop,wscale 7], length 0
11:53:57.378597 IP 192.168.0.200.8305 > 192.168.0.201.59544: Flags [R.], seq 0, ack 884680014, win 0, length 0
11:54:19.388274 IP 192.168.0.201.35685 > 192.168.0.200.8305: Flags [S], seq 4095914441, win 14600, options [mss 1460,sackOK,TS val 70788100 ecr 0,nop,wscale 7], length 0
11:54:19.388315 IP 192.168.0.200.8305 > 192.168.0.201.35685: Flags [R.], seq 0, ack 4095914442, win 0, length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root@FMC:/Volume/home/admin#

 

FMC sends Reset TCP flags, on every SYN attempt of the FTD.

 

FMC device registration:

Go to Devices -> Device management -> add

Figure 1:

FMC Devices dashboard

 

Enter the sensor details and click on register. Be careful with the Registration key. It should be the same on the both devices.

 

Figure 2. Filling the sensor details.

FMC Add device widget

On the backplane I will sniff the connection again. This time I will capture the traffic on a pcap file and I will follow the communication on Wireshark. We see that the FMC initializes the communication to the sensor. Packet #3 SYN to 8305 originating from the FMC.

Figure 3

FMC and sensor Wireshark sniff

 
Now you can see your sensor added to the FMC.

Figure 4

FMC Device management  

3. When and how to use DONTRESOLVE option?

 

Dontresolve FMC

 

The FMC sends request which is NATed by an edge device (static NAT is required). The FTD receives the SYN but does not compare the IP with its configuration manager, but it compares the NAT ID. If the NAT ID is the same, then FTD accepts the request. Then show managers – shows UUID instead of IP address.

 

Example:

FTD>configure manager add DONTRESOLVE CiscoKEY CiscoNATID
> show managers
Type                      : Manager
Host                      : b1df2948-336c-11e8-8add-fdb0f922f231DONTRESOLVE
Registration              : Completed

 

FMC>

Figure 5

Dontresolve 2

 

If there is not a Static NAT record on the device in between, it is normal to see the following message. You must also define a ACL to permit the traffic.

Figure 6 – Error saying “Could not establish a connection with the sensor“.

Could not establish a connection with the sensor

 

In my lab, I will use ASAv to translate FTD management IP. On screenshot of the FTD console we can see that 192.168.0.200 initialized the connection to 1.1.1.11 on port 8305. Now there are no Reset TCP flags and the registration is done.

 

Figure 7 Registration to FMC is completed

FMC registration completed

 

4. How to check if FMC management port 8305 is open?

Firepower Management Center is a linux appliance by its nature. Frankly it is being called Cisco Fire Linux OS. This box communicates with its networks sensors (FTD, SFR, Firepower) through port 8305. To be sure that the registration process between the FMC and the sensor is established you may use basic Linux commands:

 

Cisco Fire Linux OS v6.2.2 (build 11)
Cisco Firepower Management Center for VMWare v6.2.2 (build 81)
admin@FMC:~$ netstat -an | grep 8305
admin@FMC:~$

 

If you see no output, it means the FMC does not communicate with sensors and it is not even attempting to communicate.

 

Once the FMC is configured to expect a new communication on port 8305, you can see the socket is open:

root@FMC:/Volume/home/admin# netstat -an |grep 8305
tcp        0      0 192.168.0.200:8305      0.0.0.0:*      LISTEN

 

5. How to delete a sensor?

It is highly recommended to delete a sensor from the FMC if you want to reimage it and add it again to the FMC. If you miss to delete the sensor you may hit problems while adding it again.

 

Devices->Device management -> trash bin icon of the sensor

Figure 8. Deleting sensor from FMC

Deleting sensor from FMC

 

Or you may want to deploy a new FMC and add your sensor to it? Then you may go to the FTD CLI and execute >configure manager delete

Figure 9

Deleting sensor from FMC - CLI

 

If you try to delete the manager from the FTD diretly, then you will see an error message:

> configure manager delete

Operation Failed.  Please unregister/delete the appliance from its manager, 192.168.0.200

 

It is important to know that the policy will be working even if the sensor is being deleted from the FMC. It handles the same access control policy until another FMC is registered and pushes its own policies.

 

Also important to know is that newly added sensor to the new FMC will fetch the policies from it. See Figure 2. You will see that you choose the ACP during the registration process.

 

This is how the Access control policies look like on the FTD:

show access-control-config

==================[ GeekyPolicy ]===================
Description : Geek
Default Action : Block
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Rule Hits : 1249
===[ Security Intelligence - Network Whitelist ]====
Name : Global-Whitelist (List)
IP Count : 0
Zone : any
===[ Security Intelligence - Network Blacklist ]====
Logging Configuration : Enabled
DC : Enabled

---------------------[ Block ]----------------------
Name : Malware (Feed)
Zone : any

Name : Tor_exit_node (Feed)
Zone : Outside_zone

Name : Global-Blacklist (List)
IP Count : 0
Zone : any

=====[ Security Intelligence - URL Whitelist ]======
Name : Global-Whitelist-for-URL (List)
URL Count : 0
Zone : any

=====[ Security Intelligence - URL Blacklist ]======
Logging Configuration : Enabled
DC : Enabled

 

---------------------[ Block ]----------------------
Name : Global-Blacklist-for-URL (List)
URL Count : 0
Zone : any

=======[ Security Intelligence - DNS Policy ]=======
Name : Default DNS Policy
Logging Configuration : Enabled
DC : Enabled

 

===============[ Rule Set: (User) ]================

-------------[ Rule: Allow_local_FTP ]--------------
Action : Allow
Intrusion Policy : FTP_inspect
ISE Metadata :

Source Networks : Inside_network (10.0.0.0/24)
IPv4-Private-192.168.0.0-16 (192.168.0.0/16)
Destination Networks : Inside_network (10.0.0.0/24)
IPv4-Private-192.168.0.0-16 (192.168.0.0/16)
Application : FTP (165)
Application : FTP Active (4002)
Application : FTP Data (166)
Application : FTP Passive (4003)
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Enabled
Comments
Username : admin
Timestamp : 50139-01-10 11:23:20
Message : Add file policy with detection of media files and report file names later
Safe Search : No
Rule Hits : 0
File Policy : Block_PDF_inspect_EXE_detect_media_store_archives
Variable Set : Custom_FTP_variable_set

--------------[ Rule: Block_Youtube ]---------------
Action : Block
ISE Metadata :

Application : YouTube (929)
Application : Youtube Upload (2107)
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits : 0
Variable Set : Default-Set

---------------[ Rule: Block_DIR.BG ]---------------
Action : Block
ISE Metadata :

URLs
URL Entry : dir.bg
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits : 0
Variable Set : Default-Set

------------[ Rule: Interactive_moreto ]------------
Action : Block-with-http-bypass
ISE Metadata :

URLs
URL Entry : moreto.net
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits : 0
Variable Set : Default-Set

----------------[ Rule: SSH_Allow ]-----------------
Action : Allow
ISE Metadata :

Source Networks : 10.0.0.14
10.0.0.13
Destination Networks : 192.168.0.200
Destination Ports : SSH (protocol 6, port 22)
Application : Filter: Ssh
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits : 0
Variable Set : Default-Set

-------------[ Rule: Inspect_browsers ]-------------
Action : Allow
Intrusion Policy : CyberGeeks_Snort_rules
ISE Metadata :

Source Networks : Inside_network (10.0.0.0/24)
Destination Ports : HTTP (protocol 6, port 80)
HTTPS (protocol 6, port 443)
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Enabled
Files : Enabled
Safe Search : No
Rule Hits : 0
File Policy : Block_PDF_inspect_EXE_detect_media_store_archives
Variable Set : Default-Set

-----------------[ Rule: TrustRDP ]-----------------
Action : Fast-path
ISE Metadata :

Source Networks : Inside_network (10.0.0.0/24)
OpenVPN_10.8.0.0 (10.8.0.0/16)
IPv4-Private-192.168.0.0-16 (192.168.0.0/16)
Application : RDP (803)
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits : 50
Variable Set : Default-Set

-------------------[ Rule: DNS ]--------------------
Action : Allow
ISE Metadata :

Application : DNS (617)
Application : OpenDNS (2704)
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits : 163
Variable Set : Default-Set

------------[ Rule: ICMP_IPS_test_zone ]------------
Action : Allow
Intrusion Policy : CyberGeeks_Snort_rules
ISE Metadata :

Destination Ports : ICMP_Geeky (protocol 1)
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits : 0
Variable Set : Custom_FTP_variable_set

===============[ Advanced Settings ]================
General Settings
Maximum URL Length : 1024
Interactive Block Bypass Timeout : 6
SSL Policy : DecryptMe
Do not retry URL cache miss lookup : No
Threat Intelligence Director Enabled: No
Inspect Traffic During Apply : Yes
Network Analysis and Intrusion Policies
Initial Intrusion Policy : No Rules Active
Initial Variable Set : Default-Set
Default Network Analysis Policy : Balanced Security and Connectivity
Files and Malware Settings
File Type Inspect Limit : 1460
Cloud Lookup Timeout : 2
Minimum File Capture Size : 6144
Maximum File Capture Size : 1048576
Min Dynamic Analysis Size : 6144
Max Dynamic Analysis Size : 1048576
Malware Detection Limit : 10485760
Transport/Network Layer Preprocessor Settings
Detection Settings
Ignore VLAN Tracking Connections : No
Maximum Active Responses : default
Minimum Response Seconds : default
Session Termination Log Threshold : 1048576
Detection Enhancement Settings
Adaptive Profile : Enabled
Attribute Update Interval : 5
Networks : 10.0.0.0/24, 192.168.0.0/24
Performance Settings
Event Queue
Maximum Queued Events : 5
Disable Reassembled Content Checks: False
Performance Statistics
Sample time (seconds) : 300
Minimum number of packets : 0
Summary : False
Log Session/Protocol Distribution : False
Regular Expression Limits
Match Recursion Limit : Default
Match Limit : Default
Rule Processing Configuration
Logged Events : 5
Maximum Queued Events : 8
Events Ordered By : Content Length
Intelligent Application Bypass Settings
State : Test
Bypassable Applications and Filters : 5 Applications/Filters
Drop Percentage : 3
Processor Utilization Percentage : 3
Latency-Based Performance Settings
Packet Handling : Enabled
Threshold (microseconds) : 256
Rule Handling
Violations Before Suspending Rule : 3
Threshold (microseconds) : 512
Suspension Time : 10

============[ HTTP Block Response HTML ]============
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 2245
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Access Denied</title>
<style type="text/css">body monospace; h1 null p null strong null</style>
</head>
<body>
<h1>*** Congratulations *** </h1>
<p>

 

<div id="outputFigDisplay" class="fig"><pre id="taag_output_text" style="float:left;" class="fig" contenteditable="true">

You have been seen!

</pre><div style="cl
ear:both"></div></div>

 

<a href="https://en.wikipedia.org/wiki/Virus">
***Please click here and win your new iPhone!***</a><br />
</p>
<iframe src="https://giphy.com/embed/10Lj9SPC9dFlKw" width="480" height="240" frameBorder="0" class="giphy-embed" allowFullScreen></if
rame><p><a href="https://www.grandmetric.com/">via Grandmetric</a></p>

 

<p>
<strong>You are attempting to access a grumpy cat.</strong><br/><br/>
Consult your system admin for details.
</p>
</body>
</html>
=============[ Interactive Block HTML ]=============
HTTP/1.1 200 OK
Connection: close
Content-Length: 869
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Access Denied</title>
<style type="text/css">body {margin:0;font-family:verdana,sans-serif;} h1 {margin:0;padding:12px 25px;background-color:#343434;color:#
ddd} p {margin:12px 25px;} strong {color:#E0042D;}</style>
</head>
<body>
<h1>Access Denied</h1>
<p>
<strong>You are attempting to access a forbidden site.</strong><br/><br/>
You may continue to the site by clicking on the button below.<br/>
<em>Note:</em> You must have cookies enabled in your browser to continue.</br><br/>
Consult your system administrator for details.<br/><br/>
<noscript><em>This page uses Javascript. Your browser either doesn''t support Javascript or you have it turned off.<br/>
To continue to the site, please use a Javascript enabled browser.</em></noscript>
</p>
</body>
</html>

In the next post I will provide some hints for the FMC and Firepower sensors troubleshooting to achieve right communication.

Author

Ivan Radev

2 Comments
mustafa
6 October 2018 at 23:01

Thanks for your attention. I used this lecture for adding firewall device to fmc 🙂

 
gopi
6 April 2019 at 09:03

Hi Ivan,

Marvelous Article. Keep up the good work.

Thanks .
Gopi.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

*

code


 

Newsletter