5506-X FirePOWER: How do I make this thing actually work?

I recently acquired a 5506-X and I have to say that the out of the box experience with FirePOWER and with Cisco's website is pretty bad.

Once the 5506-X has completed the initial configuration wizard, and the user has jumped through the hoops of installing licenses for the ASA and the FirePOWER module (most of which the ASDM-IDM presents incorrect URLs or instructions for), even the most basic functionality does not actually work out of the box, and provides terrible diagnostic feedback.

My current annoyance is the behavior of trying to get updates for the FirePOWER module.  If I choose "Download Update" from the ASDM, I get the completely unhelpful error:

Error

Download updates failed: Unable to connect to update server

Well, that's not very specific is it? So after poking around and getting a shell on the FirePOWER module, I first tried to ping something random to see if it could do a DNS lookup and discovered that the answer is yes, sort of:

 

admin@Sourcefire3D:~$ ping www.apple.com

ping: unknown host www.apple.com

admin@Sourcefire3D:~$ ping 23.206.221.15

ping: icmp open socket: Operation not permitted

admin@Sourcefire3D:~$ nslookup www.apple.com

Server:        192.168.1.150

Address:    192.168.1.150#53

 

Non-authoritative answer:

www.apple.com    canonical name = www.isg-apple.com.akadns.net.

www.isg-apple.com.akadns.net    canonical name = www.apple.com.edgekey.net.

www.apple.com.edgekey.net    canonical name = e3191.dscc.akamaiedge.net.

Name:    e3191.dscc.akamaiedge.net

Address: 23.206.221.15

 

So great, some things are allowed to do queries and some are not.  This is totally the kind of fiddling around in a shell that I was hoping to deal with when I installed the godawful security nightmare that is Java just to manage a security appliance.

Rule updates are no better.  A similarly useless error message is presented, and the rule update log only seems to show successes (namely loading the default snort rule set from January).  The online documentation on Cisco's site provides two different URLs for downloading rule updates manually, but both are invalid.  I thought I'd try downloading the latest firmware images manually for the ASA and the FirePOWER, but of course somehow having the licenses for both on the 5506-X in one's user profile somehow doesn't make them downloadable manually and it just gives me useless links to tell me that I need more entitlements. I basically just don't have the patience after poking at this Broken-As-Designed product to tolerate this kind of nonsense, and it beggars belief that in an age when patching quickly is the only way to maintain even a presence of security, this kind of basic functionality doesn't actually work with a completely default install.

So basically the FirePOWER doesn't seem to work at all out of the box and the diagnostics are useless.  Am I missing something completely obvious?
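The shell session in the post shows two different things failing: ping cannot resolve www.apple.com at all, while nslookup resolves it through 192.168.1.150 without trouble, and ping against the bare address dies on a raw-socket permission error before sending anything. A common explanation (an assumption here, not something confirmed on this box) is that ping resolves through the libc resolver (gethostbyname, governed by nsswitch and resolv.conf) whereas nslookup sends its query straight to the server it lists, so the two paths can disagree. The script below is an added example written for this thread, not code from the post or from Cisco. It performs both kinds of lookup side by side, hand-building the DNS A query so the direct path does not depend on nslookup being installed, and then tests plain TCP reachability on port 443, which needs no raw-socket privilege. The host name, server address and sample reply are constructed for illustration; the 192.168.1.150 server and 23.206.221.15 address are the ones shown in the post, and the update server's real host name is not known here, so pass it as the first argument.

```python
# Added example (not from the post or Cisco): libc lookup (ping's path) vs a direct
# DNS query (nslookup's path), then a TCP connect that needs no raw ICMP socket.
import random
import socket
import struct

def encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_a_query(name: str, txid: int) -> bytes:  # header (RD set, 1 question) + QNAME + A + IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(data: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_a_response(data: bytes, expected_txid=None) -> dict:
    """Return rcode, CNAME chain and A addresses; the question section is skipped."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: not the answer to our query")
    offset = 12
    for _ in range(qd):
        offset = decode_name(data, offset)[1] + 4  # skip QNAME, QTYPE, QCLASS
    cnames, addrs = [], []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        elif rtype == 5:                 # CNAME record
            cnames.append((owner, decode_name(data, offset)[0]))
        offset += rdlen
    return {"rcode": flags & 0x0F, "cnames": cnames, "addresses": addrs}

def resolve_via_libc(name: str) -> tuple:  # gethostbyname via nsswitch/resolv.conf, as ping does
    try:
        return socket.gethostbyname(name), None
    except socket.gaierror as exc:
        return None, str(exc)  # the detail ping collapses into "unknown host"

def resolve_direct(name: str, server: str, timeout: float = 3.0) -> dict:
    """UDP query straight to the chosen server on port 53, as nslookup does."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_response(data, txid)

def tcp_reachable(host: str, port: int = 443, timeout: float = 3.0) -> tuple:
    """A plain TCP connect needs no raw-socket privilege, unlike ping's ICMP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except OSError as exc:
        return False, str(exc)

def build_sample_response(txid: int = 0x1234) -> bytes:  # constructed reply, not captured traffic
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = encode_name("www.apple.com") + struct.pack("!HH", 1, 1)
    cname = encode_name("www.apple.com.edgekey.net")
    rr1 = struct.pack("!HHHIH", 0xC00C, 5, 1, 300, len(cname)) + cname  # owner points at offset 12
    rdata_off = len(header) + len(question) + 12                        # where the CNAME target sits
    rr2 = struct.pack("!HHHIH", 0xC000 | rdata_off, 1, 1, 60, 4) + socket.inet_aton("23.206.221.15")
    return header + question + rr1 + rr2

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.apple.com"
    server = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.150"  # DNS server shown in the post
    addr, err = resolve_via_libc(target)
    print("libc   :", addr or f"FAILED: {err}")
    try:
        direct = resolve_direct(target, server)
        print("direct :", direct["addresses"] or f"no A record (rcode {direct['rcode']})")
        addr = addr or (direct["addresses"] or [None])[0]
    except OSError as exc:
        print("direct :", f"FAILED: {exc}")
    if addr:
        print("tcp/443:", tcp_reachable(addr))
```

Run it as `python3 dnscheck.py <update-server-host> <dns-server>` from the module's shell. If the libc line fails while the direct line succeeds, the problem is in the module's resolver configuration (nsswitch, resolv.conf, or a proxy setting) rather than at the DNS server; if both resolve but the TCP connect times out, the path to the update server is being blocked somewhere between the module and the Internet. The parser checks the transaction id so a stray datagram is not mistaken for the answer, and bounds the compression-pointer chain so a malformed reply cannot loop it.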
