Firepower FlexConfig – A Practical Example

Managing Your Firepower Appliance

If you are running a Firepower NGFW appliance from Cisco, you have two options to manage the device:

  • Firepower Device Manager (FDM) – An on-box GUI and set of APIs to directly control a Firepower appliance.
  • Firepower Management Center (FMC) – A management station used to control a collection of Firepower appliances and collect, correlate, and report on events generated by the Firepower appliance.

At least today, these two management options are mutually exclusive: a given appliance is managed either by FDM or by FMC, not both. This article focuses on using the FlexConfig feature in FDM.


What is FlexConfig?

FlexConfig gives a firewall administrator access to configure the underlying ASA engine (LINA in the Firepower vernacular) when there are no GUI “knobs” for the configuration change that you wish to make. There is a lot more information in the Cisco documentation for FlexConfig.

For this example, I am going to demonstrate how we might create a FlexConfig template and policy to configure SNMPv3 on the Firepower appliance, as the FDM GUI does not (yet) expose any SNMP settings.


Variables FTW!

FlexConfig templates allow us to use variables to avoid hard-coding IP addresses, interface names, and object/group names into our templates.

We can add a variable to our template by clicking the (+) button in the variable section of the form. When we create a variable, we select the data type that the variable will hold. For example, if the variable is to hold an IP address, we create a variable of type Network and point it at a network object.

To reference a variable in a template, wrap its name in double curly braces and append a dot (.) followed by the property you want to read. For example, the FlexConfig documentation lists the following properties for a variable of type Network:


So, in our configuration, instead of hard-coding the IP address we could use:

  • {{SNMP-Server-1.name}} – expands to the name of the network object the variable points at
  • {{SNMP-Server-1.value}} – expands to the IP address held by that network object
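To make the substitution concrete, here is an added example (not code from the article or from Cisco) that puts an assumed SNMPv3 FlexConfig template next to a small stand-in renderer. FDM performs the real substitution itself; the Python renderer only shows how `{{SNMP-Server-1.name}}` and `{{SNMP-Server-1.value}}` resolve against a network object, and what happens when a template references a variable or property that does not exist. The network object contents, the interface name `inside`, the group and user names, and the passphrase placeholders are all assumptions; the `snmp-server` lines use standard ASA SNMPv3 syntax with SHA authentication and AES-128 privacy.

```python
import re

# Constructed stand-in for the FDM network object that the FlexConfig
# variable SNMP-Server-1 points at. ".name" and ".value" are the two
# properties the article lists; the address is a documentation address.
NETWORK_OBJECTS = {
    "SNMP-Server-1": {"name": "SNMP-Server-1", "value": "192.0.2.10"},
}

# Assumed FlexConfig template body for SNMPv3 (not from the article).
# A v3 group that requires authentication and privacy, a v3 user with
# SHA auth and AES-128 privacy, and a host entry for the monitoring
# server. Interface name and passphrases are placeholders to replace.
TEMPLATE = """\
snmp-server group SNMP-RO-GROUP v3 priv
snmp-server user snmp-monitor SNMP-RO-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
snmp-server host inside {{SNMP-Server-1.value}} version 3 snmp-monitor
"""

# Matches {{Variable.property}} exactly as the article describes it.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_-]+)\.([A-Za-z0-9_]+)\s*\}\}")


class FlexConfigRenderError(ValueError):
    """Template references a variable or property that is not defined."""


def render(template: str, variables: dict) -> str:
    """Replace every {{Var.prop}} in the template with the matching property.

    Raising on an unknown variable or property is deliberate: a typo in a
    variable name should fail loudly rather than push a half-rendered
    command to the appliance.
    """
    def substitute(match: re.Match) -> str:
        var, prop = match.group(1), match.group(2)
        if var not in variables:
            raise FlexConfigRenderError(f"undefined FlexConfig variable: {var}")
        if prop not in variables[var]:
            raise FlexConfigRenderError(f"variable {var} has no property .{prop}")
        return variables[var][prop]

    return PLACEHOLDER.sub(substitute, template)


def render_snmpv3_template() -> str:
    """Render the assumed SNMPv3 template against the constructed object."""
    return render(TEMPLATE, NETWORK_OBJECTS)


if __name__ == "__main__":
    print(render_snmpv3_template())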
