What is FlexConfig in Firepower Threat Defense?

Earlier this year, Cisco released Firepower 6.2.0. With that release came a feature called FlexConfig. Someone digging around the UI might not initially understand the purpose or function of this configuration option. The quick answer is that the user interface is incomplete when compared to the underlying feature capability found in Firepower Threat Defense.

A good way to better understand FlexConfig is to work through an example. Those with an ASA background will be familiar with the Modular Policy Framework (MPF). This feature exists in Firepower Threat Defense, but its non-default configuration options are absent from the user interface. So if there is a need for a specific configuration, FlexConfig is the tool to complete the task. One use case might be the need to disable SIP inspection. In the ASA configuration, this would typically be as simple as the following.

policy-map global_policy
 class inspection_default
  no inspect sip  

Since Firepower Management Console is GUI driven and is the UI for FTD, typing this at a CLI is not an option. Ideally, there would be a complete menu system and API. Since this is not currently the case, FlexConfig is the tool that lets us override the defaults that aren’t exposed in the UI.

To disable SIP in FTD, we need to understand how the pieces fit together. A series of parameters feeds a FlexConfig Object, which is glued to the device by a FlexConfig Policy. At a high level, this is how things fit together:

Object FlexConfig/Text Object -> Object FlexConfig/FlexConfig Object

FlexConfig Object -> Flex Config Policy -> Device

Since that is enough to cause some level of confusion, let’s go through the exercise of disabling SIP in FTD (via the Firepower Management Console).

Before the modification, I am going to gather a baseline configuration directly from the device. This is possible by connecting to the device running FTD and using this method to access the CLI.


>expert
<user>@<hostname>:~$
<user>@<hostname>:~$ sudo lina_cli
Password: 
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower> en
Password:   
firepower# show run policy-map | begin global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP 

Regarding the process of disabling inspections, there is already a predefined FlexConfig object called Default_Inspection_Protocol_Disable. This is found on the object tab of the Firepower Management Console.

Clicking on the magnifying glass brings up the object for inspection. Here we can see that it references a Text Object called disableInspectProtocolList.

(Screenshot: FCObject)

There is no need to modify the FlexConfig Object. However, it is worth noting that it can be duplicated, or a new one can be created from scratch, if the policy objects supplied by default lack needed functionality.

(Screenshot: FCInspectDisablObj)

Within this object, we can see that no protocols have been supplied via disableInspectProtocolList. To add SIP, go to Object, FlexConfig, Text Object. This object can be edited directly; for the example we will use the text string sip (just as it appears in the CLI command “no inspect sip”).

(Screenshot: EditTextObj)

Now we can return to the FlexConfig Object and see that it actually derived a value from the Text Object.

(Screenshot: SIPFlexConfig)

At this point, there is still a requirement for additional configuration. To activate this configuration, a policy must be configured to attach the FlexConfig Object to the FTD Device. To create this policy, choose Devices, FlexConfig, then New Policy.

(Screenshot: NewPolicy)

Select the device.

(Screenshot: SelectDevice)

Select the Default_Inspection_Protocol_Disable object from the left and click the arrow to add it to the policy.

(Screenshot: SelectFlexObject)

Choose Save (note: Preview doesn’t work properly unless Save has been completed).

At this point, we can deploy the modifications like we would any other change deployed from the Firepower Management Console (using the deploy button near the upper right corner).

Finally, verification can be completed at the device CLI. Notice the absence of “inspect sip”. At this point the FTD device will no longer be inspecting SIP traffic or creating sessions based on it.

firepower# show run policy-map | beg global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP 
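As an added example (not from the original post), here is a small Python check that makes the before/after comparison above mechanical: it parses the inspection_default class out of two 'show run policy-map' captures and reports anything that differs from what the keywords in disableInspectProtocolList asked for. The sample output is constructed to mirror the post's captures; the function names are my own.

```python
from typing import Dict, Set

# Constructed sample modelled on the post's 'show run policy-map | begin global_policy'.
BEFORE = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect sip
  inspect netbios
  inspect ip-options UM_STATIC_IP_OPTIONS_MAP
"""
AFTER = BEFORE.replace("  inspect sip\n", "")  # what a successful deployment should yield

def parse_inspections(show_run: str, policy: str = "global_policy",
                      klass: str = "inspection_default") -> Set[str]:
    """Return the 'inspect ...' statements under one policy-map class.
    ASA/FTD indents 'class' one space and inspect lines two; any column-0
    line ends the stanza, so other policy-maps in the output are skipped."""
    found, in_policy, in_class = set(), False, False
    for raw in show_run.splitlines():
        line = raw.rstrip()                  # the device prints trailing spaces
        if not line:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            in_policy = line == f"policy-map {policy}"
            in_class = False
        elif indent == 1 and in_policy:
            in_class = line.strip() == f"class {klass}"
        elif indent >= 2 and in_class and line.strip().startswith("inspect "):
            found.add(line.strip()[len("inspect "):])
    return found

def verify_disable(before: str, after: str, disabled: Set[str]) -> Dict[str, Set[str]]:
    """Compare before/after against the keywords in disableInspectProtocolList.
    Flags protocols that remain, inspections removed without being listed, and
    anything newly added; three empty sets mean the change did exactly what was asked."""
    def proto(stmt: str) -> str:             # 'h323 h225' -> 'h323', 'sip' -> 'sip'
        return stmt.split()[0]

    b, a = parse_inspections(before), parse_inspections(after)
    return {
        "still_present": {p for p in disabled if any(proto(s) == p for s in a)},
        "unexpected_removed": {s for s in b - a if proto(s) not in disabled},
        "unexpected_added": a - b,
    }
```

Feed it the two real captures instead of the constructed strings and a non-empty set in the result is the cue that the deployment did not take, or that a FlexConfig object touched more than intended.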

FlexConfig is very powerful and provides access to options not exposed in the UI. My recommendation is to mess around with it and understand the mechanics of the process on a test/dev system if possible. One other use case I found is demonstrated in this video explaining how to export NetFlow from FTD.

If you have other tips or tricks for maintaining and operating a Firepower solution, please share them by commenting below.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

4 Responses to What is FlexConfig in Firepower Threat Defense?

  1. Good article Paul. It’s worth noting the icmp inspection got disabled by default in FTD 6.1 and 6.2. This has been a cause for confusion among engineers unaware of that fact. There are a couple of bugs on it:

    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd56292
    https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb40875

  2. Thanks a lot!
    Wasted half a day figuring out why FTD was blocking returning echo-replies before I found Marvin’s post leading me here. The fix took less than 10 min!
