Menu

Poland

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

Sweden

Drottninggatan 86
111 36 Stockholm
+46 762 041 514
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

  • en
  • pl
  • se
  • Dealing with Cisco Firepower Management Center (FMC) and Firepower sensor communication. Registration process.

    Dealing with Cisco Firepower Management Center (FMC) and Firepower sensor communication. Registration process.

    Date: 16.04.2018

    Author:


    This post should help you to understand the Firepower sensor registration in Firepower Management Center process and uncover the communication specifics between firepower components. I will also give you some additional hints what to check to verify the registration. In order to make troubleshooting easier there will be dedicated troubleshooting post later on.

    1. High level diagrams of the communication

    Firepower 1

     

    2.Sensor and Firepower Management Center configuration

    To follow the registration process I will capture the traffic between these two devices.

     

    configure manager add 192.168.0.200 CiscoKEY
    Manager successfully configured.
    Please make note of reg_key as this will be required while adding Device in FMC.

     

    Set the capture on the FMC:

     

    $sudo su
    root@FMC:/Volume/home/admin# tcpdump -c 200  port 8305 -n
    HS_PACKET_BUFFER_SIZE is set to 4.
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:53:35.363876 IP 192.168.0.201.59968 > 192.168.0.200.8305: Flags [S], seq 809749175, win 14600, options [mss 1460,sackOK,TS val 70783697 ecr 0,nop,wscale 7], length 0
    11:53:35.363912 IP 192.168.0.200.8305 > 192.168.0.201.59968: Flags [R.], seq 0, ack 809749176, win 0, length 0
    11:53:57.378569 IP 192.168.0.201.59544 > 192.168.0.200.8305: Flags [S], seq 884680013, win 14600, options [mss 1460,sackOK,TS val 70785899 ecr 0,nop,wscale 7], length 0
    11:53:57.378597 IP 192.168.0.200.8305 > 192.168.0.201.59544: Flags [R.], seq 0, ack 884680014, win 0, length 0
    11:54:19.388274 IP 192.168.0.201.35685 > 192.168.0.200.8305: Flags [S], seq 4095914441, win 14600, options [mss 1460,sackOK,TS val 70788100 ecr 0,nop,wscale 7], length 0
    11:54:19.388315 IP 192.168.0.200.8305 > 192.168.0.201.35685: Flags [R.], seq 0, ack 4095914442, win 0, length 0
    ^C
    6 packets captured
    6 packets received by filter
    0 packets dropped by kernel
    root@FMC:/Volume/home/admin#

     

    FMC sends Reset TCP flags, on every SYN attempt of the FTD.

     

    FMC device registration:

    Go to Devices -> Device management -> add

    Figure 1:

    FMC Devices dashboard

     

    Enter the sensor details and click on register. Be careful with the Registration key. It should be the same on the both devices.

     

    Figure 2. Filling the sensor details.

    FMC Add device widget

    On the backplane I will sniff the connection again. This time I will capture the traffic on a pcap file and I will follow the communication on Wireshark. We see that the Firepower Management Center initializes the communication to the sensor. Packet #3 SYN to 8305 originating from the FMC.

    Figure 3

    FMC and sensor Wireshark sniff

    Now you can see your sensor added to the FMC.

    Figure 4

    FMC Device management

    3. When and how to use DONTRESOLVE option?

     

    Dontresolve FMC

     

    The FMC sends request which is NATed by an edge device (static NAT is required). The FTD receives the SYN but does not compare the IP with its configuration manager, but it compares the NAT ID. If the NAT ID is the same, then FTD accepts the request. Then show managers – shows UUID instead of IP address.

     

    Example:

    FTD>configure manager add DONTRESOLVE CiscoKEY CiscoNATID
    > show managers
    Type                      : Manager
    Host                      : b1df2948-336c-11e8-8add-fdb0f922f231DONTRESOLVE
    Registration              : Completed

     

    FMC>

    Figure 5

    Dontresolve 2

     

    If there is not a Static NAT record on the device in between, it is normal to see the following message. You must also define a ACL to permit the traffic.

    Figure 6 – Error saying “Could not establish a connection with the sensor“.

    Could not establish a connection with the sensor

     

    In my lab, I will use ASAv to translate FTD management IP. On screenshot of the FTD console we can see that 192.168.0.200 initialized the connection to 1.1.1.11 on port 8305. Now there are no Reset TCP flags and the registration is done.

     

    Figure 7 Registration to FMC is completed

    FMC registration completed

     

    4. How to check if FMC management port 8305 is open?

    Firepower Management Center is a linux appliance by its nature. Frankly it is being called Cisco Fire Linux OS. This box communicates with its networks sensors (FTD, SFR, Firepower) through port 8305. To be sure that the registration process between the FMC and the sensor is established you may use basic Linux commands:

     

    Cisco Fire Linux OS v6.2.2 (build 11)
    Cisco Firepower Management Center for VMWare v6.2.2 (build 81)
    admin@FMC:~$ netstat -an | grep 8305
    admin@FMC:~$

     

    If you see no output, it means the FMC does not communicate with sensors and it is not even attempting to communicate.

     

    Once the FMC is configured to expect a new communication on port 8305, you can see the socket is open:

    root@FMC:/Volume/home/admin# netstat -an |grep 8305
    tcp        0      0 192.168.0.200:8305      0.0.0.0:*      LISTEN

     

    5. How to delete a sensor?

    It is highly recommended to delete a sensor from the FMC if you want to reimage it and add it again to the FMC. If you miss to delete the sensor you may hit problems while adding it again.

     

    Devices->Device management -> trash bin icon of the sensor

    Figure 8. Deleting sensor from FMC

    Deleting sensor from FMC

     

    Or you may want to deploy a new FMC and add your sensor to it? Then you may go to the FTD CLI and execute >configure manager delete

    Figure 9

    Deleting sensor from FMC - CLI

     

    If you try to delete the manager from the FTD directly, then you will see an error message:

    > configure manager delete

    Operation Failed.  Please unregister/delete the appliance from its manager, 192.168.0.200

     

    It is important to know that the policy will be working even if the sensor is being deleted from the FMC. It handles the same access control policy until another FMC is registered and pushes its own policies.

     

    Also important to know is that newly added sensor to the new FMC will fetch the policies from it. See Figure 2. You will see that you choose the ACP during the registration process.

     

    This is how the Access control policies look like on the FTD:

    show access-control-config

    ==================[ GeekyPolicy ]===================
    Description : Geek
    Default Action : Block
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Rule Hits : 1249
    ===[ Security Intelligence – Network Whitelist ]====
    Name : Global-Whitelist (List)
    IP Count : 0
    Zone : any
    ===[ Security Intelligence – Network Blacklist ]====
    Logging Configuration : Enabled
    DC : Enabled

    ———————[ Block ]———————-
    Name : Malware (Feed)
    Zone : any

    Name : Tor_exit_node (Feed)
    Zone : Outside_zone

    Name : Global-Blacklist (List)
    IP Count : 0
    Zone : any

    =====[ Security Intelligence – URL Whitelist ]======
    Name : Global-Whitelist-for-URL (List)
    URL Count : 0
    Zone : any

    =====[ Security Intelligence – URL Blacklist ]======
    Logging Configuration : Enabled
    DC : Enabled

     

    ———————[ Block ]———————-
    Name : Global-Blacklist-for-URL (List)
    URL Count : 0
    Zone : any

    =======[ Security Intelligence – DNS Policy ]=======
    Name : Default DNS Policy
    Logging Configuration : Enabled
    DC : Enabled

     

    ===============[ Rule Set: (User) ]================

    ————-[ Rule: Allow_local_FTP ]————–
    Action : Allow
    Intrusion Policy : FTP_inspect
    ISE Metadata :

    Source Networks : Inside_network (10.0.0.0/24)
    IPv4-Private-192.168.0.0-16 (192.168.0.0/16)
    Destination Networks : Inside_network (10.0.0.0/24)
    IPv4-Private-192.168.0.0-16 (192.168.0.0/16)
    Application : FTP (165)
    Application : FTP Active (4002)
    Application : FTP Data (166)
    Application : FTP Passive (4003)
    URLs
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Enabled
    Comments
    Username : admin
    Timestamp : 50139-01-10 11:23:20
    Message : Add file policy with detection of media files and report file names later
    Safe Search : No
    Rule Hits : 0
    File Policy : Block_PDF_inspect_EXE_detect_media_store_archives
    Variable Set : Custom_FTP_variable_set

    ————–[ Rule: Block_Youtube ]—————
    Action : Block
    ISE Metadata :

    Application : YouTube (929)
    Application : Youtube Upload (2107)
    URLs
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Disabled
    Safe Search : No
    Rule Hits : 0
    Variable Set : Default-Set

    —————[ Rule: Block_DIR.BG ]—————
    Action : Block
    ISE Metadata :

    URLs
    URL Entry : dir.bg
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Disabled
    Safe Search : No
    Rule Hits : 0
    Variable Set : Default-Set

    ————[ Rule: Interactive_moreto ]————
    Action : Block-with-http-bypass
    ISE Metadata :

    URLs
    URL Entry : moreto.net
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Disabled
    Safe Search : No
    Rule Hits : 0
    Variable Set : Default-Set

    —————-[ Rule: SSH_Allow ]—————–
    Action : Allow
    ISE Metadata :

    Source Networks : 10.0.0.14
    10.0.0.13
    Destination Networks : 192.168.0.200
    Destination Ports : SSH (protocol 6, port 22)
    Application : Filter: Ssh
    URLs
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Disabled
    Safe Search : No
    Rule Hits : 0
    Variable Set : Default-Set

    ————-[ Rule: Inspect_browsers ]————-
    Action : Allow
    Intrusion Policy : CyberGeeks_Snort_rules
    ISE Metadata :

    Source Networks : Inside_network (10.0.0.0/24)
    Destination Ports : HTTP (protocol 6, port 80)
    HTTPS (protocol 6, port 443)
    URLs
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Enabled
    Files : Enabled
    Safe Search : No
    Rule Hits : 0
    File Policy : Block_PDF_inspect_EXE_detect_media_store_archives
    Variable Set : Default-Set

    —————–[ Rule: TrustRDP ]—————–
    Action : Fast-path
    ISE Metadata :

    Source Networks : Inside_network (10.0.0.0/24)
    OpenVPN_10.8.0.0 (10.8.0.0/16)
    IPv4-Private-192.168.0.0-16 (192.168.0.0/16)
    Application : RDP (803)
    URLs
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Disabled
    Safe Search : No
    Rule Hits : 50
    Variable Set : Default-Set

    ——————-[ Rule: DNS ]——————–
    Action : Allow
    ISE Metadata :

    Application : DNS (617)
    Application : OpenDNS (2704)
    URLs
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Disabled
    Safe Search : No
    Rule Hits : 163
    Variable Set : Default-Set

    ————[ Rule: ICMP_IPS_test_zone ]————
    Action : Allow
    Intrusion Policy : CyberGeeks_Snort_rules
    ISE Metadata :

    Destination Ports : ICMP_Geeky (protocol 1)
    URLs
    Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Disabled
    Safe Search : No
    Rule Hits : 0
    Variable Set : Custom_FTP_variable_set

    ===============[ Advanced Settings ]================
    General Settings
    Maximum URL Length : 1024
    Interactive Block Bypass Timeout : 6
    SSL Policy : DecryptMe
    Do not retry URL cache miss lookup : No
    Threat Intelligence Director Enabled: No
    Inspect Traffic During Apply : Yes
    Network Analysis and Intrusion Policies
    Initial Intrusion Policy : No Rules Active
    Initial Variable Set : Default-Set
    Default Network Analysis Policy : Balanced Security and Connectivity
    Files and Malware Settings
    File Type Inspect Limit : 1460
    Cloud Lookup Timeout : 2
    Minimum File Capture Size : 6144
    Maximum File Capture Size : 1048576
    Min Dynamic Analysis Size : 6144
    Max Dynamic Analysis Size : 1048576
    Malware Detection Limit : 10485760
    Transport/Network Layer Preprocessor Settings
    Detection Settings
    Ignore VLAN Tracking Connections : No
    Maximum Active Responses : default
    Minimum Response Seconds : default
    Session Termination Log Threshold : 1048576
    Detection Enhancement Settings
    Adaptive Profile : Enabled
    Attribute Update Interval : 5
    Networks : 10.0.0.0/24, 192.168.0.0/24
    Performance Settings
    Event Queue
    Maximum Queued Events : 5
    Disable Reassembled Content Checks: False
    Performance Statistics
    Sample time (seconds) : 300
    Minimum number of packets : 0
    Summary : False
    Log Session/Protocol Distribution : False
    Regular Expression Limits
    Match Recursion Limit : Default
    Match Limit : Default
    Rule Processing Configuration
    Logged Events : 5
    Maximum Queued Events : 8
    Events Ordered By : Content Length
    Intelligent Application Bypass Settings
    State : Test
    Bypassable Applications and Filters : 5 Applications/Filters
    Drop Percentage : 3
    Processor Utilization Percentage : 3
    Latency-Based Performance Settings
    Packet Handling : Enabled
    Threshold (microseconds) : 256
    Rule Handling
    Violations Before Suspending Rule : 3
    Threshold (microseconds) : 512
    Suspension Time : 10

    ============[ HTTP Block Response HTML ]============
    HTTP/1.1 403 Forbidden
    Connection: close
    Content-Length: 2245
    Content-Type: text/html; charset=UTF-8

    <!DOCTYPE html>
    <html><head>
    <meta http-equiv=”content-type” content=”text/html; charset=UTF-8″ />
    <title>Access Denied</title>
    <style type=”text/css”>body monospace; h1 null p null strong null</style>
    </head>
    <body>
    <h1>*** Congratulations *** </h1>
    <p>

     

    <div id=”outputFigDisplay” class=”fig”><pre id=”taag_output_text” style=”float:left;” class=”fig” contenteditable=”true”>

    You have been seen!

    </pre><div style=”cl
    ear:both”></div></div>

     

    <a href=”https://en.wikipedia.org/wiki/Virus”>
    ***Please click here and win your new iPhone!***</a><br />
    </p>
    <iframe src=”https://giphy.com/embed/10Lj9SPC9dFlKw” width=”480″ height=”240″ frameBorder=”0″ class=”giphy-embed” allowFullScreen></if
    rame><p><a href=”https://www.grandmetric.com/”>via Grandmetric</a></p>

     

    <p>
    <strong>You are attempting to access a grumpy cat.</strong><br/><br/>
    Consult your system admin for details.
    </p>
    </body>
    </html>
    =============[ Interactive Block HTML ]=============
    HTTP/1.1 200 OK
    Connection: close
    Content-Length: 869
    Content-Type: text/html; charset=UTF-8

    <!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv=”content-type” content=”text/html; charset=UTF-8″ />
    <title>Access Denied</title>
    <style type=”text/css”>body {margin:0;font-family:verdana,sans-serif;} h1 {margin:0;padding:12px 25px;background-color:#343434;color:#
    ddd} p {margin:12px 25px;} strong {color:#E0042D;}</style>
    </head>
    <body>
    <h1>Access Denied</h1>
    <p>
    <strong>You are attempting to access a forbidden site.</strong><br/><br/>
    You may continue to the site by clicking on the button below.<br/>
    <em>Note:</em> You must have cookies enabled in your browser to continue.</br><br/>
    Consult your system administrator for details.<br/><br/>
    <noscript><em>This page uses Javascript. Your browser either doesn”t support Javascript or you have it turned off.<br/>
    To continue to the site, please use a Javascript enabled browser.</em></noscript>
    </p>
    </body>
    </html>

    In the next post I will provide some hints for the FMC and Firepower sensors troubleshooting to achieve right communication.

    Author

    Ivan Radev

    4 Comments
    mustafa
    6 October 2018 at 23:01

    Thanks for your attention. I used this lecture for adding firewall device to fmc 🙂

     
    gopi
    6 April 2019 at 09:03

    Hi Ivan,

    Marvelous Article. Keep up the good work.

    Thanks .
    Gopi.

     
    Lucas Stephens
    9 January 2022 at 10:51

    great issues altogether, you just gained a new reader. What might you suggest in regards to your publish that you just made a few days in the past?

    Any certain?

     
    Joanna Sajkowska
    10 January 2022 at 16:08

    Thanks, Lucas, welcome on board – we’re happy to have you as our reader. Could you please be more specific about the topic from a few days back you’d like us to comment on?

     

    Leave a Reply

    Your email address will not be published. Required fields are marked *


    Cisco Firepower up to 60% discount

    Place an order and get discounted Cisco FirePOWER or schedule
    a call with Grandmetric Engineer

    Get Quote
    Grandmetric