Configuring ASA FirePOWER Module Settings
The following table summarizes an ASA FirePOWER module’s local configuration.
Viewing and Modifying the Appliance Information
The Information page provides you with information about your ASA FirePOWER module. The information includes read-only information, such as the product name and model number, the operating system and version, and the current system policy. The page also provides you with an option to change the name of the appliance.
The following table describes each field.
To modify the appliance information:
Step 1 Select Configuration > ASA FirePOWER Configuration > Local > Configuration.
Step 2 To change the appliance name, type a new name in the Name field.
The name must consist of alphanumeric characters and cannot be composed of numeric characters only.
Step 3 To save your changes, click Save.
The page refreshes and your changes are saved.
Enabling Cloud Communications
License: URL Filtering or Malware
The ASA FirePOWER module contacts Cisco’s Collective Security Intelligence Cloud to obtain various types of information:
- File policies associated with access control rules allow devices to detect files transmitted in network traffic. The ASA FirePOWER module uses data from the Cisco cloud to determine if the files represent malware; see Understanding and Creating File Policies.
- When you enable URL filtering, the ASA FirePOWER module can retrieve category and reputation data for many commonly visited URLs, as well as perform lookups for uncategorized URLs. You can then quickly create URL conditions for access control rules; see Performing Reputation-Based URL Blocking.
Use the ASA FirePOWER module’s local configuration to specify the following options:
Enable URL Filtering
You must enable this option to perform category and reputation-based URL filtering.
Due to memory limitations, some device models perform URL filtering with a smaller, less granular, set of categories and reputations. For example, if a parent URL's subsites have different URL categories and reputations, some devices may use the parent URL's data for all subsites. As a specific example, the system might evaluate mail.google.com using the google.com category and reputation. Affected devices include the following ASA models: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, and ASA 5525-X.
Query Cloud for Unknown URLs
Allows the system to query the cloud when someone on your monitored network attempts to browse to a URL that is not in the local data set.
If the cloud does not know the category or reputation of a URL, or if the ASA FirePOWER module cannot contact the cloud, the URL does not match access control rules with category or reputation-based URL conditions. You cannot assign categories or reputations to URLs manually.
Disable this option if you do not want your uncategorized URLs to be cataloged by the Cisco cloud, for example, for privacy reasons.
Enable Automatic Updates
Allows the system to contact the cloud on a regular basis to obtain updates to the URL data in your appliances’ local data sets. Although the cloud typically updates its data once per day, enabling automatic updates forces the ASA FirePOWER module to check every 30 minutes to make sure that you always have up-to-date information.
Although daily updates tend to be small, if it has been more than five days since your last update, new URL filtering data may take up to 20 minutes to download, depending on your bandwidth. Then, it may take up to 30 minutes to perform the update itself.
If you want to have strict control of when the system contacts the cloud, you can disable automatic updates and use the scheduler instead, as described in Automating URL Filtering Updates.
Note Cisco recommends that you either enable automatic updates or use the scheduler to schedule updates. Although you can manually perform on-demand updates, allowing the system to automatically contact the cloud on a regular basis provides you with the most up-to-date, relevant URL data.
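The matching behaviour described for these options can be sketched as a simplified model. This is an added example, not Cisco's code, and it covers categories only, not reputations. The data sets, category names, rule list, function names and the default action are constructed for illustration, and walking from a host up to its parent entry is an assumption about how a reduced data set is consulted.

```python
# Simplified model (an assumption, not Cisco's implementation) of how a URL's
# category is resolved and then matched against category-based rules.

# Constructed data sets: host -> category. Category names are placeholders.
FULL_LOCAL = {"google.com": "Search Engines", "mail.google.com": "Web-based Email"}
CLOUD_ONLY = {"files.example.net": "File Sharing"}


def reduced(data):
    """Data set of a memory-limited model: subsite entries are dropped."""
    return {h: c for h, c in data.items() if h.count(".") == 1}


def categorize(host, local, query_cloud=True, cloud_reachable=True):
    """Return the category used for `host`, or None if it stays uncategorized."""
    labels = host.lower().split(".")
    # Most specific entry first, then each parent (mail.google.com -> google.com).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in local:
            return local[candidate]
    # Not in the local data set: only the cloud can supply a category.
    if query_cloud and cloud_reachable:
        return CLOUD_ONLY.get(host.lower())
    return None


def evaluate(host, rules, default_action, local, **cloud_options):
    """First rule whose category condition matches wins; otherwise the default."""
    category = categorize(host, local, **cloud_options)
    for action, categories in rules:
        # An uncategorized URL (None) never matches a category condition.
        if category is not None and category in categories:
            return action
    return default_action


# Constructed policy: one block rule with a category condition.
RULES = [("block", {"Web-based Email", "File Sharing"})]
```

With the reduced data set, `mail.google.com` is evaluated with the `google.com` category, so the block rule no longer matches it. With cloud queries disabled or the cloud unreachable, `files.example.net` stays uncategorized and falls through to the default action.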
Performing category and reputation-based URL filtering and device-based malware detection require that you enable the appropriate licenses on your ASA FirePOWER module; see Licensing the ASA FirePOWER Module.
You cannot configure cloud connection options if you have no URL Filtering license on the ASA FirePOWER module. The Cisco CSI local configuration page displays only the options for which you are licensed. ASA FirePOWER modules with expired licenses cannot contact the cloud.
Note that, in addition to causing the URL Filtering configuration options to appear, adding a URL Filtering license to your ASA FirePOWER module automatically enables Enable URL Filtering and Enable Automatic Updates. You can manually disable the options if needed.
The system uses ports 80/HTTP and 443/HTTPS to contact the Cisco cloud.
The following procedures explain how to enable communications with the Cisco cloud, and how to perform an on-demand update of URL data. Note that you cannot start an on-demand update if an update is already in progress.
To enable communications with the cloud:
Step 1 Select Configuration > ASA FirePOWER Configuration > Integration > Cisco CSI.
The Cisco CSI page appears. If you have a URL Filtering license, the page displays the last time URL data was updated.
Step 3 Configure cloud connection options as described above.
You must Enable URL Filtering before you can Enable Automatic Updates or Query Cloud for Unknown URLs.
Your settings are saved. If you enabled URL filtering, depending on how long it has been since URL filtering was last enabled, or if this is the first time you enabled URL filtering, the ASA FirePOWER module retrieves URL filtering data from the cloud.
To perform an on-demand update of the system’s URL data:
Step 1 Select Configuration > ASA FirePOWER Configuration > Local > Configuration.
The URL Filtering page appears.
The ASA FirePOWER module contacts the cloud and updates its URL filtering data if an update is available.