Chathura Ariyadasa, Author at Chathura Ariyadasa (He/Him/His)

When you work with Cisco Firepower firewall systems, you may come across issues related to ACLs. What happens is Firepower systems drop any remote traffic even if the correct ACLs are in place. To resolve this issue a workaround can be applied.

The parameter is sysopt connection permit-vpn can be enabled. On ASA systems, this is enabled by default. But not on firepower systems. We will look at how we can enable this parameter on Firepower Device Manager (FDM).

Go to FDM GUI > Device > Advanced Configuration > View Configuration

Click on FlexConfig Objects and click on the ‘+’ icon to create a new FlexConfig object, give it a name

Click on the ‘+’ icon for the ‘Variables’ section. Give the variable any name, and select ‘string’ as its type. Enter ‘sysopt’ (without quotes) as the value, and click ok.

In the template section, type {{vpnSysVar}} connection permit-vpn

Go to Flexconfig policy and add the newly created Flexconfig object.

Finally, Save and deploy the changes.

When the Tenant installation fails, you need to clean up those inactive tenants. In order to do that, you need to delete the relevant columns from the Service provider appliance. We will look at how to delete that information.

NOTE: All the commands are in Bold Italic

Log into the Service Provider floating IP through SSH

Connect to the Fabric database psql -U admin fdb

Find the tenant ID select id, org_name from organization;

Disable the tenant, using the captured IDs

UPDATE organization SET is_disabled=’t’ where id=’xxxx’;

Finally, we need to delete the records from the below tables

Compute Pool – delete from compute_pool where org_id=xxxx;
Billing Summary – delete from billing_summary where org_id=xxxx;
Organization – delete from organization where id=xxxx;
Appliance – delete from appliance where org_id=xxxx;

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Author: Chathura Ariyadasa

Firepower IPSEC VPN tunnel issues with Remote ACL

Remove Inactive Tenants from Horizon DaaS Service Center