Firepower FlexConfig – A Practical Example

FlexConfig Example

Here are the commands from an ASA that I wish to deploy to the LINA engine on the Firepower appliance:

! Create SNMP Group
snmp-server group my_group v3 priv
! Create SNMP v3 User
snmp-server user my_user my_group v3 auth sha my_auth_pw priv aes 128 my_priv_pw
! configure interface for SNMP access
snmp-server host inside 192.168.1.5 poll version 3 my_user
! Enable SNMP
snmp-server enable

Step 1: Create the FlexConfig Object

Under Advanced configuration, click on “Flex Config Objects” and click the (+) to create a new object.

  • Name the object and provide a description for the purpose of this configuration.

Step 2: Create Variables that Point to System Objects

Rather than hardcode your IP addresses and interface names into the flex config, we will use variables instead. In this case, I have created objects of type Network and type Interface to represent the IP address of my SNMP polling stations and the interface on the ASA on which the traffic should arrive.

Note that variable usage is not required and if you do not wish to use variables, you can certainly just hard code the IP addresses and nameif of your SNMP servers into the configuration.


Step 3: Provide the Template Configuration

Add the configuration items to the FlexConfig template. You will also want to add the commands required to remove this configuration (the "no" commands), in the reverse order of how you enabled them.

! Create SNMP v3 User
snmp-server user my_user my_group v3 auth sha my_auth_pw priv aes 128 my_priv_pw
! configure interface for SNMP access
snmp-server host {{INSIDE-INTERFACE.name}} {{SNMP-Server-1.value}} poll version 3 my_user
snmp-server host {{INSIDE-INTERFACE.name}} {{SNMP-Server-2.value}} poll version 3 my_user
! Enable SNMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity

The variables will be replaced with the actual nameif text and the IP addresses of the SNMP servers.

So my finished policy looks like this:

Notice that the variables are highlighted in green to show that they will be replaced with the content to which they point.
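To see what FDM does with those {{OBJECT.attribute}} references before a deployment is attempted, here is an added example (my own code, not part of the original post or of FDM) that renders the Step 3 template against constructed object values, fails loudly on an undefined variable, and builds the reverse-order "no" commands the template should also carry. The object values (the nameif "inside" and the two server addresses) are assumptions.

```python
import re

# Constructed stand-ins for the FDM Network and Interface objects the template
# references; the attribute values are assumed, not taken from the post.
OBJECTS = {
    "INSIDE-INTERFACE": {"name": "inside"},
    "SNMP-Server-1": {"value": "192.168.1.5"},
    "SNMP-Server-2": {"value": "192.168.1.6"},
}

# The Step 3 template, verbatim.
TEMPLATE = """\
! Create SNMP v3 User
snmp-server user my_user my_group v3 auth sha my_auth_pw priv aes 128 my_priv_pw
! configure interface for SNMP access
snmp-server host {{INSIDE-INTERFACE.name}} {{SNMP-Server-1.value}} poll version 3 my_user
snmp-server host {{INSIDE-INTERFACE.name}} {{SNMP-Server-2.value}} poll version 3 my_user
! Enable SNMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity
"""

# {{OBJECT-NAME.attribute}}: object names may contain hyphens, attributes may not.
VAR_RE = re.compile(r"\{\{([A-Za-z0-9_-]+)\.([A-Za-z0-9_]+)\}\}")


def render(template, objects):
    """Substitute every variable reference. An unknown object or attribute raises
    here, so a typo is caught offline rather than as a failed deployment."""
    def sub(match):
        obj, attr = match.group(1), match.group(2)
        try:
            return objects[obj][attr]
        except KeyError:
            raise KeyError(f"undefined FlexConfig variable {{{{{obj}.{attr}}}}}") from None
    return VAR_RE.sub(sub, template)


def negate(rendered):
    """Return the removal commands: each non-comment line prefixed with 'no',
    in the reverse of the order in which the template applies them."""
    cmds = [line for line in rendered.splitlines()
            if line.strip() and not line.startswith("!")]
    return ["no " + cmd for cmd in reversed(cmds)]


if __name__ == "__main__":
    cfg = render(TEMPLATE, OBJECTS)
    print(cfg)
    print("\n".join(negate(cfg)))
```

The negation here is the plain "no <command>" form the post describes; confirm the exact negation syntax of each command against the ASA command reference before relying on it.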


Step 4: Create the FlexConfig Policy

The FlexConfig Policy is where we will deploy/add the FlexConfig Template that we just created. Simply click on FlexConfig Policy and press the (+) button in the Group List area and select your FlexConfig template(s).

It is important to note that we have only one FlexConfig policy, but for maximum flexibility, we can deploy more than one template in that policy, for the use case where we want to configure several LINA parameters that are not available in the FDM GUI. It is also notable that the order in which we apply these templates in the policy could be important, as one template might configure a setting that the next template relies on. 

Once you have saved your FlexConfig Policy, the policy is staged and will push to the device the next time you initiate a configuration deployment.


Step 5: Verification

In my example, we can verify that the changes were successfully deployed by examining the running-configuration from the FTD console.


Troubleshooting

If you have an error in your template, the deployment will fail and FDM should give you an indicator as to why the deployment failed. On my first attempt to deploy, I tried to enable power-supply traps on a virtual instance of FTD. Since there is no Cisco hardware power-supply to manage, this would create a configuration error. 
