Earlier this year, Cisco released Firepower 6.2.0. With that release came a feature called FlexConfig. Someone digging around the UI might not immediately understand the purpose of this configuration option. The short answer is that the Firepower Management Center (FMC) user interface is incomplete when compared to the underlying feature set of Firepower Threat Defense (FTD); FlexConfig is the mechanism for pushing the ASA-style CLI that the UI does not expose.
A good way to understand FlexConfig is to work through an example. Those with an ASA background will know the Modular Policy Framework (MPF). This feature exists in FTD, but its non-default configuration options are absent from the user interface. So if there is a need for a specific MPF configuration, FlexConfig is the tool to complete the task. One use case is the need to disable SIP inspection. In an ASA configuration, this is as simple as the following.
policy-map global_policy
 class inspection_default
  no inspect sip
Since FMC is GUI driven and is the management UI for FTD, typing that CLI directly is not an option. Ideally, there would be a complete menu system and API. Since this is not currently the case, FlexConfig is the tool that lets us override defaults that aren't exposed in the UI.
To disable SIP inspection in FTD, we need to understand how the pieces fit together. A Text Object supplies parameters to a FlexConfig Object (a template of CLI lines), and a FlexConfig Policy attaches that object to a device. At a high level:
Object FlexConfig/Text Object -> Object FlexConfig/FlexConfig Object
FlexConfig Object -> Flex Config Policy -> Device
Since that is enough to cause some confusion, let's go through the exercise of disabling SIP inspection in FTD via FMC.
Before the modification, I am going to gather a baseline configuration directly from the device. This is done by connecting to the FTD CLI, entering expert mode, and then attaching to the diagnostic (LINA) CLI with sudo lina_cli, as shown below.
> expert
[email protected]:~$ sudo lina_cli
Password:
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> en
Password:
firepower# show run policy-map | begin global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
For disabling inspections, FMC already ships with a predefined FlexConfig Object called Default_Inspection_Protocol_Disable. It is found under the Objects tab in FMC (Objects, FlexConfig, FlexConfig Object).
Clicking the magnifying glass opens the object for inspection. This is where it references a Text Object called disableInspectProtocolList, which holds the list of protocols the object will turn off.
There is no need to modify the FlexConfig Object. However, it is worth noting that it can be duplicated or a new one can be created from scratch if there is functionality that is missing with the policy objects that are supplied by default.
Within this object, we can see that no protocols have yet been supplied via disableInspectProtocolList. To add SIP, go to Objects, FlexConfig, Text Object. The Text Object can be edited directly; for this example we use the text string sip (exactly as it appears in the CLI command "no inspect sip").
Returning to the Default_Inspection_Protocol_Disable FlexConfig Object, its preview now shows that it derived the value sip from the Text Object.
At this point, there is still additional configuration required. To activate the change, a FlexConfig Policy must attach the FlexConfig Object to the FTD device. To create this policy, choose Devices, FlexConfig, then New Policy.
Select the Device
Select the Default_Inspection_Protocol_Disable object from the left and click the arrow to add it to the policy.
Choose Save. (Note: Preview doesn't work properly until the policy has been saved. It is worth using Preview before every deployment, since FlexConfig pushes raw CLI and a mistake here lands directly on the device.)
At this point, we deploy the modification like any other change from FMC (using the Deploy button near the upper right corner).
Finally, verification can be done at the device CLI. Notice the absence of "inspect sip". From this point the FTD device will no longer inspect SIP or create sessions based on SIP signaling. One practical caveat: with SIP inspection off, the device also stops opening the dynamic pinholes for the RTP/RTCP media negotiated in SIP, so any SIP endpoints that relied on that behavior will need explicit access control rules for their media ports.
firepower# show run policy-map | beg global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
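Eyeballing the before and after output works for one device and one protocol, but it does not scale to a fleet or to a FlexConfig Text Object that lists several protocols. The following script is an added example, not part of the original post and not Cisco tooling: it parses captured "show run policy-map" output into a policy-map/class/inspection structure, diffs the baseline against the post-deploy capture, and checks that every protocol you put in disableInspectProtocolList is actually gone. The two sample captures are constructed from the outputs shown in this walkthrough; the script runs offline on pasted text and does not talk to the device.

```python
"""Verify a FlexConfig inspection change by diffing two `show run policy-map` captures.

Added example: the captures below are constructed from the before/after output
in the walkthrough; the functions are illustrative, not Cisco or FMC code.
"""
import re
from typing import Dict, List, Set

# Constructed baseline capture, taken before the FlexConfig deploy.
BEFORE = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
"""

# Constructed capture after deploying Default_Inspection_Protocol_Disable with "sip".
AFTER = BEFORE.replace("  inspect sip\n", "")

# `policy-map type inspect dns preset_dns_map` must not be mistaken for a policy
# map named "type", so the optional "type <kind>" part is skipped.
_PM_RE = re.compile(r"^\s*policy-map\s+(?:type\s+\S+\s+)?(\S+)\s*$")
_CLASS_RE = re.compile(r"^\s*class\s+(\S+)\s*$")
_INSPECT_RE = re.compile(r"^\s*(no\s+)?inspect\s+(.+?)\s*$")


def parse_policy_map(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {policy_map: {class_name: {inspect tokens}}}.

    A token is everything after "inspect" with whitespace normalised, e.g.
    "h323 h225" or "dns preset_dns_map". A "no inspect X" line (seen in previews
    and ASA configs, never in `show run`) removes X from the class.
    """
    result: Dict[str, Dict[str, Set[str]]] = {}
    pm = cls = None
    for line in text.splitlines():
        m = _PM_RE.match(line)
        if m:
            pm, cls = m.group(1), None
            result.setdefault(pm, {})
            continue
        m = _CLASS_RE.match(line)
        if m and pm is not None:
            cls = m.group(1)
            result[pm].setdefault(cls, set())
            continue
        m = _INSPECT_RE.match(line)
        if m and pm is not None and cls is not None:
            token = " ".join(m.group(2).split())
            if m.group(1):
                result[pm][cls].discard(token)
            else:
                result[pm][cls].add(token)
    return result


def diff_inspections(before: str, after: str, policy_map: str = "global_policy",
                     class_name: str = "inspection_default") -> Dict[str, List[str]]:
    """Inspections removed from / added to one class between two captures."""
    b = parse_policy_map(before).get(policy_map, {}).get(class_name, set())
    a = parse_policy_map(after).get(policy_map, {}).get(class_name, set())
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def verify_disabled(after: str, protocols: List[str], policy_map: str = "global_policy",
                    class_name: str = "inspection_default") -> List[str]:
    """Return the protocols from the Text Object that are STILL enabled.

    Matches on the protocol keyword only (first word of the token), so "dns"
    matches "dns preset_dns_map". An empty list means the deploy took effect.
    """
    enabled = parse_policy_map(after).get(policy_map, {}).get(class_name, set())
    keywords = {tok.split()[0] for tok in enabled}
    return [p for p in protocols if p in keywords]


if __name__ == "__main__":
    print("diff:", diff_inspections(BEFORE, AFTER))
    print("still enabled after deploy:", verify_disabled(AFTER, ["sip"]))
    print("still enabled in baseline:", verify_disabled(BEFORE, ["sip", "dns"]))
```

In practice you would paste the baseline into BEFORE and the post-deploy capture into AFTER (or read both from files), and feed verify_disabled the same protocol list you put in disableInspectProtocolList; a non-empty result means the FlexConfig policy was not deployed to that device or the Text Object value did not match a real inspect keyword.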
FlexConfig is very powerful and provides access to options not exposed in the UI. Because it pushes raw CLI to the device, my recommendation is to experiment with it and learn the mechanics of the process on a test/dev system if at all possible. Another use case I found is covered in a separate video explaining how to export NetFlow from FTD.
If you have other tips or tricks for maintaining and operating a Firepower solution, please share them by commenting below.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.