Tom Parker

Cisco Firepower data source


I can't find a datasource for monitoring Cisco Firepower chassis based devices properly (e.g. 2100, 4100, etc.). We have set up monitoring on the chassis IP address but it doesn't do much. We had a power supply failure that LM did not pick up and was only discovered through visual inspection.

Edited by Tom Parker


Hey @Tom Parker,

I believe that we currently have some monitoring engineers working on new DataSources for Firepower - I've added your name to the list of folks who are interested in coverage, so as we get closer someone should be reaching out with an update. You might also check with your Customer Success Manager if you're interested in potentially seeing the beta versions of these and providing some feedback.

Best,

Kerry


If anyone in this thread is using Firepower Management Center and would be willing to provide read-only access for development against the REST API, please let me know and I can connect you with one of our Monitoring Engineers. We've got some SNMP datasources built but apparently there are better metrics to be had from the FSM.

Appreciate it!

Thanks,

Kerry


Please add me as well. We have a number of Firepower deployments that we'd love to get API data from. Thank you!


It's been a while since I looked at it, so I may have forgotten some pieces.

We've started to add these FTD devices to monitoring and discovered that there is a different configuration required for monitoring them. There are plenty of firewall metrics available via SNMP to monitor, but they aren't available if you follow Cisco's best practice recommendations.

FXOS 2100 MIBs

FXOS 4100/9300 MIBs

There is a platform "hypervisor" and the firewall runs on top of that. In order to get the firewall stats, you need to have a management VLAN separate from the data VLAN, and then add an IP address in the management VLAN to the mgmt interface in order to give access to monitor the firewall OIDs. The mgmt interface is a sub-interface attached to the MGMT port.

We had a TAC case open and Cisco couldn't figure this out. They closed the case after telling us this was a bug.

Without setting this management network and IP address up, you will only be able to monitor the hypervisor.

We only have one customer running the device, and they have to implement the management VLAN, so we haven't been able to test.

The API monitoring would be great to have implemented, as I assume it wouldn't require the management VLAN.

[Attached image: FTD-MGMT.png]


Hopefully this helps,

ASA w/ Firepower

You can monitor the ASA as you normally would but you need to monitor the Firepower module via the management interface.


Firepower Threat Defense (managed by Firesight)

This is the newer unified image. You can monitor an FTD device via the MGMT/diagnostic interface or a data interface, i.e., inside, outside, etc. You configure SNMP via the device platform profile.


Firepower Threat Defense (managed by Firepower Device Manager)

This is the newer unified image but managed via the local onboard FDM. You can monitor an FTD device via the MGMT/diagnostic interface or a data interface, i.e., inside, outside, etc. There is also an API exposed when managed via FDM but it doesn't offer much visibility at the moment.


FXOS

The bigger FTD appliances (2K, 4K and 9K) run FXOS, which should also be monitored. Think of the appliances as servers that run a hypervisor (FXOS) that is used to host Cisco security products.


I'll update with relevant information later. Wanted to at least list the basics.


Add me to the list, also let me know if there are any datasources available to monitor - Cisco Firepower 4140 Security Appliance.
