Configuration of PBR using FlexConfig on FTD
Redouane MEDDANE

FlexConfig on Firepower Threat Defense (FTD) is a tool that lets you configure features that exist on ASA devices but cannot be configured on FTD devices through Firepower Management Center (FMC), such as Policy-Based Routing (PBR). The idea is to push ASA CLI commands to the FTD for features that FMC does not yet support directly through its policies and settings. A FlexConfig policy is a container for a list of FlexConfig objects. Each object holds a series of Apache Velocity scripting-language statements, ASA configuration commands, and variables that you define. The content of each FlexConfig object generates a sequence of ASA commands that is deployed to the assigned devices; that command sequence then configures the related feature on the FTD device. Note that the ASA runs its own operating system rather than IOS, so these are ASA CLI commands even where the syntax resembles IOS.

Cisco recommends using FlexConfig policies only if you have a strong ASA CLI background. Also check whether your FMC release supports the feature natively before turning to FlexConfig: FMC 7.1 and later configure PBR directly under the device's routing settings, and the native policy should be preferred where it is available.

Before starting the FlexConfig configuration, verify the IP addressing of the FTD. Three interfaces are configured:

Interface GigabitEthernet0/0, logical name outside-1, IP address 192.0.2.1/24, connected to ISP-1.
Interface GigabitEthernet0/2, logical name outside-2, IP address 182.0.2.1/24, connected to ISP-2.
Interface GigabitEthernet0/1, logical name inside, IP address 192.168.133.62/26, connected to the inside zone.

The goal is to configure a Policy-Based Routing (PBR) policy that meets the following requirement:

• If the traffic is sourced from the network 10.1.1.0/24, this traffic should be routed to ISP-1.
• If the traffic is sourced from the network 10.2.2.0/24, this traffic should be routed to ISP-2.

On a classic ASA firewall the same requirement is met with one access-list per source network, a route-map whose entries match those access-lists and set the next-hop, and the route-map applied to the ingress interface (PBR is evaluated on the interface where the traffic enters the firewall, here inside). Traffic that matches no entry follows the normal routing table:

access-list PBR-ISP1 extended permit ip 10.1.1.0 255.255.255.0 any
access-list PBR-ISP2 extended permit ip 10.2.2.0 255.255.255.0 any
!
route-map PBR-TEST permit 10
 match ip address PBR-ISP1
 set ip next-hop 192.0.2.2
!
route-map PBR-TEST permit 20
 match ip address PBR-ISP2
 set ip next-hop 182.0.2.2
!
interface GigabitEthernet0/1
 policy-route route-map PBR-TEST

Under Object Management, create two extended access-list objects with the Allow action. In a route map, Allow only means that the matching traffic is selected for that sequence; whether the traffic is permitted through the firewall is still decided by the Access Control Policy.

The first access-list should have the following settings:

Name: PBR-ISP1
Action: Allow
Source Network: 10.1.1.0/24
Destination Network: any

Click Save.
The second access-list should have the following settings:

Name: PBR-ISP2
Action: Allow
Source Network: 10.2.2.0/24
Destination Network: any

Click Save.

The two extended access-list objects are the equivalents of the access-lists in the ASA CLI.
Under Object Management, create a route map named PBR-TEST with two sequence numbers.

Click the Add button to create each sequence number.


The sequence number 10 should match the access-list PBR-ISP1 with Allow action.

The sequence number 20 should match the access-list PBR-ISP2 with Allow action.
Click the Save button under the route-map.
Under Object Management, create two Text Objects. Each Text Object holds the gateway (next-hop) address that will be substituted into the set ip next-hop command for the matched access-list.

The first Text Object, named GW-ISP1, keeps Variable Type set to Single and has the value 192.0.2.2, the IP address of the ISP-1 router. Click Save.

The second Text Object, named GW-ISP2, keeps Variable Type set to Single and has the value 182.0.2.2, the IP address of the ISP-2 router. Click Save.
Under Object Management, create a FlexConfig Object.

Name it PBR-TEST and type the route-map command. Policy object variables are replaced at deployment with strings obtained from objects defined in Firepower Management Center; for a route map object, the variable returns the name of the route map. From the Insert menu select Route Map, then click Add Route Map. Give the variable the name Route-MAP-name and move the PBR-TEST route map object from Available Objects to Selected Object. Notice that variables start with the $ character. Complete the line by adding the permit 10 keywords. The match ip address statement for this sequence is not typed here: it comes from the route map object itself, which is why the FlexConfig body only supplies the set action.

To specify the next-hop (gateway) for route-map sequence 10, type the set ip next-hop command and insert a Text Object variable named ISP-1 that references the GW-ISP1 Text Object.

Repeat the same steps for sequence 20. You can copy and paste the first two lines and change the sequence number to 20, but the Text Object variable must be a new one: name it ISP-2 and select the GW-ISP2 Text Object.

To apply the PBR on the inside interface g0/1, enter the interface and policy-route commands. The complete FlexConfig object body reads:

route-map $Route-MAP-name permit 10
set ip next-hop $ISP-1
route-map $Route-MAP-name permit 20
set ip next-hop $ISP-2
interface GigabitEthernet0/1
policy-route route-map $Route-MAP-name

Click the Save button.
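As an added example that is not part of the original article, the following Python script reproduces what the Preview Config step does for this FlexConfig object: it expands the $ variables into the values of the FMC objects created above and refuses to render when a variable is undefined or a next-hop is not a literal IPv4 address. The object names, variable names and addresses are the ones used on this page; the variable table and the rendering logic are assumptions of this example, not FMC's own implementation.

```python
import ipaddress
import re

# Objects created under Object Management on this page (constructed here, not an FMC export).
ROUTE_MAP_OBJECTS = {"PBR-TEST"}
TEXT_OBJECTS = {"GW-ISP1": "192.0.2.2", "GW-ISP2": "182.0.2.2"}

# Variables defined in the FlexConfig object: variable name -> (kind, FMC object name).
# A route-map variable expands to the object's name, a text variable to its value
# (assumed model of FMC's substitution, used only for this example).
VARIABLES = {
    "Route-MAP-name": ("route-map", "PBR-TEST"),
    "ISP-1": ("text", "GW-ISP1"),
    "ISP-2": ("text", "GW-ISP2"),
}

# Body of the PBR-TEST FlexConfig object as built on this page.
FLEXCONFIG_BODY = """\
route-map $Route-MAP-name permit 10
set ip next-hop $ISP-1
route-map $Route-MAP-name permit 20
set ip next-hop $ISP-2
interface GigabitEthernet0/1
policy-route route-map $Route-MAP-name
"""

# Velocity-style references: $name or ${name}.
VAR_RE = re.compile(r"\$\{?([A-Za-z0-9_-]+)\}?")


def missing_variables(body=FLEXCONFIG_BODY, variables=VARIABLES):
    """Names referenced in the body that have no binding (these break deployment)."""
    return sorted({m.group(1) for m in VAR_RE.finditer(body)} - set(variables))


def resolve(name, variables=VARIABLES):
    """Expand one variable reference; raise instead of emitting a broken command."""
    if name not in variables:
        raise KeyError(f"undefined FlexConfig variable ${name}")
    kind, obj = variables[name]
    if kind == "route-map":
        if obj not in ROUTE_MAP_OBJECTS:
            raise KeyError(f"route map object {obj} does not exist")
        return obj
    if kind == "text":
        if obj not in TEXT_OBJECTS:
            raise KeyError(f"text object {obj} does not exist")
        return TEXT_OBJECTS[obj]
    raise ValueError(f"unsupported variable kind {kind}")


def render(body=FLEXCONFIG_BODY, variables=VARIABLES):
    """Return the CLI text that would be pushed into the LINA configuration."""
    return VAR_RE.sub(lambda m: resolve(m.group(1), variables), body)


def check_next_hops(cli):
    """Every 'set ip next-hop' must carry a literal IPv4 address; return the offending lines."""
    bad = []
    for line in cli.splitlines():
        parts = line.split()
        if parts[:3] == ["set", "ip", "next-hop"]:
            try:
                ipaddress.IPv4Address(parts[3])
            except (IndexError, ValueError):
                bad.append(line)
    return bad


def preview(body=FLEXCONFIG_BODY, variables=VARIABLES):
    """Render and validate; the result is what Preview Config should show for this object."""
    cli = render(body, variables)
    bad = check_next_hops(cli)
    if bad:
        raise ValueError("invalid next-hop in: " + "; ".join(bad))
    return cli


if __name__ == "__main__":
    print(preview())
```

Compare the printed text with the Preview Config window before deploying; a typo in a variable name shows up here as a KeyError rather than as a failed deployment.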
Like the Access Control, NAT and QoS policies, a FlexConfig policy must be created and assigned to the managed FTD device so that the CLI commands contained in its FlexConfig objects are deployed.

Under Devices > FlexConfig, create a new FlexConfig policy.

Name it Flex-Config-Policy and assign the managed device FTD-Training to it.


Under the policy, add the PBR-TEST FlexConfig object created previously. Click Save.

Review the configuration of the FlexConfig object by clicking the Preview Config button; it generates the CLI commands that will be injected into the LINA (ASA engine) configuration. Check the preview before deploying: a FlexConfig error is only reported at deployment time, and a failed deployment is easier to avoid than to troubleshoot.
Click the Close button and deploy the FlexConfig policy.
From the FTD command line, enter the LINA CLI with the system support diagnostic-cli command. You land in user EXEC mode (privilege level 1); type enable to reach privileged mode. The enable password is empty by default (press Enter at the prompt), the same behaviour as a classic ASA appliance.

Verify that the PBR policy is deployed using the following commands:

show running-config interface GigabitEthernet0/1
show running-config route-map
show running-config policy-route
show running-config access-list PBR-ISP1
show running-config access-list PBR-ISP2

show route-map and show policy-route display the parsed route-map entries and the interface to which the route map is bound, which is the quickest way to confirm that the match statements from the route map object and the set statements from the FlexConfig object ended up in the same sequence.
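As an added example that is not part of the original article, the following Python script audits the output of those show commands. It parses a constructed show running-config excerpt (sample text, not a capture from a device), then checks that the inside interface carries the policy-route, that every route-map entry references an existing access-list and sets a usable next-hop, that no earlier entry shadows a later one (PBR takes the first matching sequence), and that each source network is steered to the ISP the requirement asks for. The expected mapping and the parser are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of "show running-config" after the deployment on this page
# (sample text, not captured from a device).
SAMPLE_RUN = """\
access-list PBR-ISP1 extended permit ip 10.1.1.0 255.255.255.0 any
access-list PBR-ISP2 extended permit ip 10.2.2.0 255.255.255.0 any
!
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.133.62 255.255.255.192
 policy-route route-map PBR-TEST
!
route-map PBR-TEST permit 10
 match ip address PBR-ISP1
 set ip next-hop 192.0.2.2
route-map PBR-TEST permit 20
 match ip address PBR-ISP2
 set ip next-hop 182.0.2.2
"""

# Requirement from this page: source network -> next-hop router.
EXPECTED = {"10.1.1.0/24": "192.0.2.2", "10.2.2.0/24": "182.0.2.2"}

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)$")


def to_network(token):
    """'any' or 'address mask' -> ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse(config):
    """Return (acls, route_maps, interfaces) from ASA-style running-config text."""
    acls, route_maps, interfaces = {}, {}, {}
    block = None  # ("interface", name) or ("route-map", name, seq) while inside a block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            block = None
            continue
        if not raw.startswith(" "):
            block = None
            if m := ACL_RE.match(line):
                acls.setdefault(m.group(1), []).append(to_network(m.group(2)))
            elif m := re.match(r"^interface (\S+)$", line):
                block = ("interface", m.group(1))
                interfaces[m.group(1)] = {}
            elif m := re.match(r"^route-map (\S+) permit (\d+)$", line):
                block = ("route-map", m.group(1), int(m.group(2)))
                route_maps.setdefault(m.group(1), {})[int(m.group(2))] = {}
            continue
        if block is None:
            continue
        if block[0] == "interface":
            if m := re.match(r"^policy-route route-map (\S+)$", line):
                interfaces[block[1]]["policy_route"] = m.group(1)
        else:
            entry = route_maps[block[1]][block[2]]
            if m := re.match(r"^match ip address (\S+)$", line):
                entry["match"] = m.group(1)
            elif m := re.match(r"^set ip next-hop (\S+)$", line):
                entry["next_hop"] = m.group(1)
    return acls, route_maps, interfaces


def audit(config=SAMPLE_RUN, expected=EXPECTED, ingress="GigabitEthernet0/1"):
    """Return a list of problems; an empty list means the PBR matches the requirement."""
    acls, route_maps, interfaces = parse(config)
    problems = []
    rm_name = interfaces.get(ingress, {}).get("policy_route")
    if rm_name is None:
        return [f"{ingress}: no policy-route applied"]
    if rm_name not in route_maps:
        return [f"{ingress}: route-map {rm_name} is not defined"]
    steered, earlier = {}, []  # network -> next-hop; (seq, network) already evaluated
    for seq, entry in sorted(route_maps[rm_name].items()):
        acl, nh = entry.get("match"), entry.get("next_hop")
        if acl not in acls:
            problems.append(f"{rm_name} seq {seq}: match ACL {acl} is missing")
            continue
        if nh is None:
            problems.append(f"{rm_name} seq {seq}: no set ip next-hop, traffic falls back to the routing table")
            continue
        try:
            ipaddress.IPv4Address(nh)
        except ValueError:
            problems.append(f"{rm_name} seq {seq}: next-hop {nh} is not an IPv4 address")
            continue
        for net in acls[acl]:
            # First match wins: a broader earlier entry silently captures this network.
            for prev_seq, prev_net in earlier:
                if prev_net.supernet_of(net):
                    problems.append(f"{rm_name} seq {seq}: {net} is shadowed by seq {prev_seq} ({prev_net})")
            earlier.append((seq, net))
            steered.setdefault(str(net), nh)
    for net, nh in expected.items():
        if steered.get(net) != nh:
            problems.append(f"{net}: expected next-hop {nh}, got {steered.get(net)}")
    return problems


if __name__ == "__main__":
    for p in audit() or ["PBR deployed as intended"]:
        print(p)
```

Paste the real output of the show commands into SAMPLE_RUN (or read it from a file) and re-run; the shadowing check is the one to watch if an access-list object is later widened to any, because the route map would then keep deploying without error while the second ISP stops receiving traffic.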
