Firepower ngfw internet

Firepower NGFW Internet
Edge Deployment Scenarios
Jeff Fanelli - Principal Systems Engineer
jefanell@cisco.com
BRKSEC-2050
#jefanell

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How
cs.co/ciscolivebot#BRKSEC-2050

About your speaker
Jeff Fanelli
Principal Systems Engineer
Cisco Global Security Sales Organization
My city was was founded in
1701 by Antoine de la Mothe
Cadillac (some French guy)

Important: Hidden Slide Alert
Look for this “For Your Reference”
Symbol in your PDF’s
There is a tremendous amount of
hidden content, for you to use later!
(60+ slides)
BRKSEC-2050 6

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
BRKSEC-2050
Complete your Online Session Evaluation

• Firepower Software & Platforms
• ASA & Firepower NGFW
Platforms
• Management Options
• Cisco & 3rd Party Integration
• Deployment Use Cases
Today’s Agenda

Cisco Firepower Sessions: Building Blocks
BRKSEC-2056
Threat Centric Network
Security
BRKSEC-3300
Advanced IPS
Deployment
BRKSEC-3035
Firepower Platform
Deep Dive
BRKSEC-3455
Dissecting Firepower
NGFW “Installation &
Troubleshooting
BRKSEC-3667
Advanced Firepower
SSL policy
troubleshooting
BRKSEC-2064
NGFWv and ASAv in
Public Cloud (AWS and
Azure)
BRKSEC-2058
A Deep Dive into using
the Firepower Manager
BRKSEC-2051
Deploying AnyConnect
SSL VPN with ASA
(and Firepower Threat
Defense)
BRKSEC-2050
Firepower NGFW
Internet Edge
Deployment Scenarios
Thursday
Wednesday
Tuesday
We are here!
BRKSEC-2050

Firepower Threat Defense
11
BRKSEC-2050
Malware
Protection
Network
Profiling
CISCO COLLECTIVE SECURITY INTELLIGENCE
URL Filtering
Integrated Software - Single Management
WWW
Identity-Policy
Control
Identity Based
Policy Control
Network
Profiling
Analytics &
Automation
Application
Visibility
&Control
Intrusion
Prevention
High
Availability
Network
Firewall and
Routing

What’s New with Cisco NGFW and NGIPS
IBM and Cisco
NGIPS
collaboration
Expanded set of
security policies on
FDM, the on-box
manager
Flexibility to manage
local devices using
REST API
Unmask threats with
hardware-based
SSL decryption;
performance
upgrade of 3-5x
throughput
Cisco Next Generation Firewall
Cisco NGFW and
NGIPS recognized
by analysts
Easy single-hop
upgrade to 6.2.3,
with minimized
downtime
Manageability
Operational
Simplicity
Performance
Shared Threat
Intelligence
Third-Party
Recognition
BRKSEC-2050

BRKSEC-2050
ASA (L2-L4)
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection
Firepower (L7)
• Threat-Centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection
Full Feature Set
Continuous Feature
Migration
Single Converged OS
Firewall URL Visibility Threats
Firepower Management
Center (FMC)
ASA with Firepower
Services

ASA with FirePOWER Services old ”marketing” spelling!
ASA 1 ASA 2
FirePOWER
1
FirePOWER
2
HA/CCL
Full ASA Feature Set
Single Uplink Queue
IP-Based Load-Balancing
Full Packet Copy
Functional Overlap
Configuration/State Replication
Independent Configuration
Mid-Flow Pickup w/Policy Reevaluation
No AVC Verdict on Mid-Flow Pickup
Functionality vs Performance
Leaning toward NGIPS use case
BRKSEC-2050 14

FTD 1
Data Plane
(“Lina”)
Advanced
Inspection
Modules
(“Snort”)
HA/CCL
FTD 2
Data Plane
(“Lina”)
Advanced
Inspection
Modules
(“Snort”)
Based on ASA Software
Packets Stay in Data Plane
Multiple Work Queues
IP/TCP/UDP Load-Balancing
Load-Based Distribution
Configuration Replication
NGFW/NGIPS State Replication
Balanced Functionality and Performance
True NGFW use case
BRKSEC-2050 15

FTD CPU Core Allocation
• Firepower uses Hyper Threading to double logical cores on x86
• Firepower 2100 runs Data Plane on dedicated NPU, Snort on x86
• Firepower 4100/9300 split cores between System, Data Plane, and Snort
• SFDataCorrelator dynamically borrows cores from Snort for file processing
Platform
Total x86
Cores
Application Cores
System
Cores
Lina Cores Snort Cores
Firepower 4110 24 22 2 8 12
Firepower 4120 or 9300
SM-24
48 46 2 20 24
SM-36
72 70 2 32 36
SM-44
88 86 2 36 48
BRKSEC-2050 16

BRKSEC-2050
What are the Firepower Deployment Options?
Firepower Appliances Firepower Threat Defense
ASA with
Firepower Services
FirePOWER
Services
ASA 9.5.x
Firepower
Threat Defense
Firepower
Appliances
7000/7100/8000/Virtual ASA 5500X (all models) ASA 5500X / Virtual
Firepower 2100 / 4100 / 9300
5585 cannot run FTD Image!
All Managed by Firepower Management Center

Feature Comparison: ASA with Firepower Services and
Features Firepower Threat Defense Firepower Services for ASA
SIMILARITIES
Routing +NAT ✔ ✔
OnBox Management ✔ ✔
HA (Active/Passive) ✔ ✔
Clustering (Active/Active) ✔ ✔
Site to Site VPN ✔ ✔
Policy based on SGT tags ✔ ✔
DIFFERENCES
Unified ASA and Firepower rules and
objects
✔ ✘
Hypervisor Support ✔
(AWS, VMware, KVM, Azure 6.2)
✘
Smart Licensing Support ✔ ✘
Multi-Context Support ✘(Coming Soon!) ✔
Remote Access VPN ✔ ✔
18
BRKSEC-2050
Note: Not an exhaustive feature list

OpenAppID
19
BRKSEC-2050
Next-generation visibility with OpenAppID
Application Visibility & Control
See and understand risks Enforce granular access control Prioritize traffic and limit rates Create detectors for custom apps
Cisco database
• 4,000+ apps
• 180,000+ Micro-
apps
Network &
users







1
2
Prioritize traffic

Decrypt 3.5 Gbps traffic over
five million simultaneous flows
20
BRKSEC-2050
Granular SSL Decryption Capabilities
SSL TLS handshake certificate inspection and TLS decryption engine
Log
SSL
decryption engine
Enforcement
decisions
Encrypted Traffic
AVC
http://www.%$&^*#$@#$.com
http://www.%$&^*#$@#$.com
Inspect deciphered packets Track and log all SSL sessions
NGIPS
gambling
elicit
http://www.%$*#$@#$.com











BRKSEC-2050
Web acceptable use controls and threat prevention
URL Filtering – Security Intelligence Feeds – DNS Sinkhole capability
Classify 280M+ URLs Filter sites using 80+ categories Manage “allow/block” lists easily Block latest malicious URLs
Category-based
Policy Creation
Allow Block
Admin
Cisco URL Database
DNS Sinkhole
01001010100
00100101101
Security feeds
URL | IP | DNS
NGFW
Filtering
Block
Allow
Safe Search
…………
 

BRKSEC-2050
Application and Context aware Intrusion Prevention
Next-Generation Intrusion Prevention System (NGIPS)
Communications
App & Device Data
01011101001
010
010001101
010010 10 10
Data packets
Prioritize
response
Blended threats
• Network
profiling
• Phishing
attacks
• Innocuous
payloads
• Infrequent
callouts
3
1
2
Accept
Block
Automate
policies
ISE
Scan network traffic Correlate data Detect stealthy threats Respond based on priority

Integrate third-party security intelligence
Cisco Security Intelligence Feeds & Intelligence Manager
Cisco Intelligence
Manager
Analyze security intelligence Generate rich incident reports
Correlate observations Refine security posture
Ingests
CSV files
STIX
Third-party sources
• Crowdstrike
• Flashpoint
• Soltra Edge
• EclecticIQ
• Lookingglass
Cisco sources
• Talos
• ThreatGRID
Communicates
Cisco Appliances
• NGFW
• ESA
• WSA
Analytics Elements
• Threat Intelligence
Platforms (TIPs)
• SIEM
• IR management
• Case management
BRKSEC-2050 23

c
File Reputation
24
BRKSEC-2050
Malware and ransomware detection and blocking
Cisco AMP Threat Grid (Advanced Malware Protection and cloud sandboxing)
• Known Signatures
• Fuzzy Fingerprinting
• Indications of compromise

Block known malware Investigate files safely Detect new threats Respond to alerts
File & Device Trajectory
AMP for
Network Log

Threat Grid Sandboxing
• Advanced Analytics
• Dynamic analysis
• Threat intelligence
?
AMP for
Endpoint Log
Threat Disposition
Enforcement across
all endpoints
Risky
Safe
Uncertain
Sandbox Analysis

BRKSEC-2050
Cisco NGFW Platforms
NGFW capabilities all managed by Firepower Management Center
250 Mb -> 1.75 Gb
(NGFW + IPS Throughput)
Firepower Threat Defense for
ASA 5500-X
2 Gb -> 8 GB
(NGFW + IPS Throughput)
Firepower 2100 Series
41xx = 10 Gb -> 24 Gb
93xx = 24 Gb -> 53Gb
Firepower 4100 Series
and Firepower 9300
Up to 16x with clustering!

Software Support - Virtual Platforms
Hyper-V KVM VMWare
Amazon
Web
Services
Microsoft
Azure
ASAv
Firepower NGIPSv (FTD)
Firepower NGFWv (FTD)
BRKSEC-2050 27

BRKSEC-2050
Cisco ASA 5500-X
5506 / 5508 / 5516
Performance
Unified Management
• 1-Gbp interfaces
• Up to 1.2 Gbps throughput
• 5545 / 5555 Redundant
Power Supply and SSD
option
• Firepower Threat Defense or
ASA Software Options
• 1-Gbp interfaces
• Up to 450 Mbps throughput
• Wireless Option for 5506-X
• Software Switching capability
• Firepower Threat Defense or
ASA Software Options
• Firepower Management Center
(Enterprise Management)
• Firepower Device Manager
(On Box Manager)
• Cisco Defense Orchestrator
(Cloud Management)
SMB and Enterprise Branch NGFW
5525 / 5545 / 5555
Performance

BRKSEC-2050
Cisco Firepower 2100 Series
Performance and
Density Optimization
Unified Management
Purpose Built NGFW
• Integrated inspection engines
for FW, NGIPS, Application
Visibility and Control (AVC),
URL, Cisco Advanced
Malware Protection (AMP)
• 1-Gbp and 10-Gbps interfaces
• Up to 8.5-Gbps throughput
• 1-rack-unit (RU) form factor
• Dual SSD slots
• 12x RJ45 ports, 4xSFP(+)
• 2130 / 2140 Models
• 1x Network Module
• Fail to Wire Option
• DC & Dual PSU support
(On Box Manager)
(Cloud Management)
Introducing four high-performance models

FPR 2110 FPR 2120 FPR 2130 FPR 2140
Throughput
NGFW 1.9 Gbps 3 Gbps 4.75 Gbps 8.5 Gbps
Throughput
NGFW + IPS 1.9 Gbps 3 Gbps 4.75 Gbps 8.5 Gbps
Maximum
concurrent
sessions 1 M 1.2 M 2 M 3.5 M
Maximum new
connections per
second 12000 16000 24000 40000
NO DROP IN
PERFORMACE!
30
BRKSEC-2050
Firepower 2100 Series Performance for FTD

BRKSEC-2050
Cisco Firepower 4100 Series
High performance campus and data center
Performance and
Density Optimization
Unified Management
Multiservice
Security
• Integrated inspection engines
for FW, NGIPS, Application
Visibility and Control (AVC),
URL, Cisco Advanced
Malware Protection (AMP)
• Radware DefensePro DDoS
• ASA and other future
third party
• 10-Gb and 40-Gb interfaces
• Up to 24-Gbps throughput
• 1-rack-unit (RU) form factor
• Low latency
(On Box Manager)
(Cloud Management)

BRKSEC-2050
Cisco Firepower 9300
Platform
Benefits
• Integration of best-in-class security
• Dynamic service stitching
Features*
• ASA container option
• Firepower™ Threat Defense:
• NGIPS, AMP, URL, AVC
• Third-party containers:
• Radware DDoS
Benefits
• Standards and interoperability
• Flexible architecture
Features
• Template-driven security
• Secure containerization for
customer apps
• RESTful/JSON API
• Third-party orchestration and
management
Features
• Compact, 3RU form factor
• 10-Gbps/40-Gbps I/O; 100-Gbps
ready
• Terabit backplane
• Low latency, intelligent fast path
• Network Equipment-Building
System (NEBS) ready
* Contact Cisco for services availability
Modular Carrier Class
Multiservice
Security
High performance data center

Software Support – Physical Platforms
33
BRKSEC-2050
ASA
Firepower
NGIPS
ASA with
FirePOWER
Services
Firepower
Threat
Defense
ASA 5506X -> 5555X (all models)
Firepower 2100 (all models)
ASA 5585 (With SSP blade)
Firepower 7000 / 8000 (IPS appliances)

Firepower Device
Manager
Enables easy on-box
management of
common security and
policy tasks
Enables comprehensive
security administration
and automation of
multiple appliances
Center
On-box Centralized
Management Options
35
BRKSEC-2050
ASDM with
FirePOWER Services
Enables easy on-
box migration and
management of ASA
with Firepower
On-box

Firepower Device
Manager
Enables easy on-box
management of
common security and
policy tasks
and automation of
multiple appliances
Center
On-box Centralized
Management Options
37
BRKSEC-2050
ASDM with
FirePOWER Services
Enables easy on-
box migration and
management of ASA
with Firepower
On-box

• On-box manager for
managing a single
device
• Targeted for SMB market
• Designed for Networking
Security Administrator
• Simple & Intuitive
• Mutually Exclusive from
FMC
• CLI for troubleshooting
38
BRKSEC-2050
Firepower Device Manager

Firepower Device
Manager
Enables easy on-box
management of
common security and
policy tasks
and automation of
multiple appliances
Center
ASDM with
FirePOWER Services
Enables easy on-
box migration and
management of ASA
with Firepower
On-box Centralized On-box
Management Options
39
BRKSEC-2050

ASDM (managing FirePOWER Services)

Firepower Device
Manager
Enables easy on-box
management of
common security and
policy tasks
and automation of
multiple appliances
Center
On-box Centralized
Management Options
41
BRKSEC-2050
ASDM with
FirePOWER Services
Enables easy on-
box migration and
management of ASA
with Firepower
On-box

BRKSEC-2050
On-box vs Off-box
Firepower Management Center
(Off-box)
Firepower Device Manager
(On-box)
NAT & Routing
Access Control
Intrusion & Malware
Device & Events Monitoring
VPN - Site to Site & RA
Security Intelligence
Other Policies: SSL, Identity, Rate Limiting (QoS) etc.
Active/Passive Authentications
Firewall Mode Router / Transparent Routed
Threat Intelligence & Analytics
Correlation & Remediation
Risk Reports
Device Setup Wizard
Interface Port-Channel
High Availability

3rd Party Integration
SNMP, Syslog, NetFlow or eStreamer

BRKSEC-2050
SNMP, Syslog, NetFlow or eStreamer
SNMP support for:
• Firepower NGFW Software
• FXOS / Chassis Manager
• (2100, 4100, 9300)
Firepower NGFW also supports:
• NetFlow Security Event
Logging
• Syslog (for all event types)

eStreamer APIs
FMC Syslog
FTD Syslog & NetFlow
• 5 tuple
• NAT
• Routing
• VPN
• IP
• HA
• sessions
• other stateful
features
• Connection Logs
• Health
• IPS (including Impact
flags)
• Malware (network,
retrospective)
• Discovery events (Host
profiles, IOC , port, etc..)
Syslog and eStreamer for Events
• Intrusion Events
• Intrusion Event Packet Data
(optional)
• Intrusion Event Extra Data
Malware Events
• File Events- SHA, SPERO
• Connection Logs and Security
Intelligence Events
• Correlation and White List Events
• Impact Flag Alerts
• Connection Events (optional)
• URL categories
• Rule ids
• AMP endpoint detectors
• Sinkhole Metadata
• SSL
• Network Analysis, Discovery
events
BRKSEC-2050 45

FTD Syslog Configuration
BRKSEC-2050 46

FMC Syslog Alert Configuration
BRKSEC-2050 47

eStreamer Overview
• Allows you to stream event data from an FMC, or 7000 or
8000 series device to a client application
• Client Server Model
• Server (FMC) accepts connection requests on port 8302
• Communicates using SSL
• Client application must support SSL-based authentication
• Waits for the client to initiate all communication sessions
• Writes all message fields in network byte order (big
endian
• Encodes text in UTF-8
BRKSEC-2050 48

Configuring eStreamer
BRKSEC-2050 49

Example: QRadar Integration
1. Create Client
2. Select Data
Source
3. Download
certificates
4. Create Log
source on
QRadar
BRKSEC-2050 50

IBM QRadar
Firepower App
• Firepower App – November
• Dashboard with 6 components
• Intrusion Events by Impact
• Indicators of Compromise
• Malware Sources
• Malware Recipients
• Malware hashed
BRKSEC-2050

Firepower App for Qradar
Shows hosts that are
potentially compromised
Which hosts on my
network have sent the
most malware
Intrusion events by
‘Impact’ or likelihood of
an attack impacting the
targeted system
Malware observed most
often on my network
Shows hosts that are
know to be
compromised
52
BRKSEC-2050

Cisco eStreamer app for Splunk

Use Case
Internet Edge Firewall
58
BRKSEC-2050
Requirement
Connectivity and Availability Requirement:
• High Availability ROUTED mode
• Firewall should support Router or Transparent Mode
Routing Requirements:
• Static and BGP Routing
• Dynamic NAT/PAT and Static NAT
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defense application with
FMC
ISP
FW in HA
Private Network
Service
Provider
Campus/Priv
ate Network
DMZ Network
Port-
Channel
Internet
Edge

10.1.1.0/24
192.168.1.0/24
192.168.1.1
10.1.1.1
IP:192.168.1.100
GW: 192.168.1.1
NAT
DRP
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or
more interfaces that separate L3 domains – Firewall is the
Router and Gateway for local hosts.
• Transparent Mode is where the firewall acts as a bridge
functioning at L2.
• Transparent mode firewall offers some unique benefits in the DC.
• Transparent deployment is tightly integrated with our ‘best
practice’ data center designs.
• Integrated Routing and Bridging (IRB) combines both
modes. Helpful for grouping “switchports” in routed mode.
60
BRKSEC-2050

NGFW Interface Modes
• Must choose routed or transparent at deployment
• Must configure IP on BVI in transparent mode
• Integrated Routing and Bridging combines both in routed mode
• Full feature set and state enforcement
• VLAN or VxLAN ID must change during traversal
inside1
inside2
Routed
inside outside
FTD
DMZ
Transparent inside outside
FTD
DMZ
10.1.1.0/24 10.1.2.0/24
10.1.3.0/24 10.1.1.0/24
Routed with IRB
outside
FTD
DMZ
10.1.1.1/24
10.1.2.0/24
10.1.3.0/24
BVI:inside
BRKSEC-2050 61

• 2 Deployment Modes:
• Routed
• Transparent
• 6 Interface Modes
• Routed
• Switched (BVI)
• Passive
• Passive (ERSPAN)
• Inline pair
• Inline pair with tap
• Note - interface modes can be mixed on a single FTD device
FTD Deployment and Interface Modes
Device Modes inherited from ASA
}
Interface Modes inherited from ASA
}
Interface Modes inherited from FirePOWER
}
BRKSEC-2050 62

Link Redundancy
Resiliency
with link
failures
63
BRKSEC-2050
Link and Platform Redundancy Capabilities
Firewall Link Aggregation – High Availability - Clustering
Inter-chassis Clustering
Combine up to
16
9300 blades or
4100 chasses
Active / Standby HA
LACP Link
Redundancy
LACP Link
Aggregation
Control
Protocol

FTD High Availability
• Full flow state replication with NGFW policy verdicts
• Active/Standby operation in all NGFW/NGIPS interface modes
• Interfaces are always up on standby, but any transit traffic is dropped
• MAC learning/spoofing on switchover in transparent NGFW, inline NGIPS
• GARP on switchover in routed NGFW
• Interface and Snort instance (at least 50%) status monitoring
• Zero-downtime upgrades for most applications
• Some packet loss is always expected with failover
vPC
vPC
FTD FTD
A S
HA Link
BRKSEC-2050 64

• Unlike ASA, the Management interface
does not change its IP address on
failover
• Data interfaces have an active address
and the IP address remains with the
active unit
• Standby address configuration is
optional, but it is very important that you
configure it
• Tune your interface monitoring
configuration
• Virtual MAC address configuration
avoids traffic disruption in RMA use
cases
FTD High Availability
BRKSEC-2050 65

Equal Cost Muti-Path Internet with Traffic Zones
The zone creation command should be deployed only
once. Also, notice the additional “ECMP” keyword
compared to the corresponding ASA command
The zone-member command should be deployed every
time because FMC overwrites interface configurations
during each deployment.
1 2
Traffic zone
configuration can be
used for
1. Traffic Load-
balancing (ECMP)
2. Route redundancy
3. Asymmetric traffic
handling
3. Use the FlexObjects in a FlexPolicy and deploy the changes to
the device
BRKSEC-2050 66

BRKSEC-2050
Dynamic NAT for Direct Internet Access
Automatic and Manual (complex) NAT Support for FTD including IPv6

BRKSEC-2050
Routing Protocol support
• OSPF and OSPFv3 (IPv6)
• BGP (IPv4 & IPv6)
• Static Route
• Tunneled Route support for VPNs
• Reverse Route Injection for VPNs
• Multicast Routing
• IGMP
• PIM
• EIGRP via FlexConfig
IPv4 and IPv6 advanced routing

BRKSEC-2050
Rate limiting Cloud File Sharing Traffic
QOS Policy is a new policy type with separate policy table
Not associated with an Access Control Policy – directly associated with devices

FlexConfig
• Provides a way to configure ASA features not exposed directly by Firepower
Management Center
71
BRKSEC-2050
• EIGRP Routing
• Policy Based Routing
• ISIS Routing
• NetFlow (NSEL) export
• VXLAN
• ALG inspections
• IPv6 header inspection
• BGP-BFD
• Platform Sysopt commands
• WCCP

FlexConfig Policies
• Device-level free form CLI policies that follow ASA syntax
• Supports pre-defined object templates and completely custom objects
• Natively managed feature commands are blacklisted
• Must push an object with negated commands to remove
• FlexConfig is only supported on best-effort basis
• Assume no validation and no interoperability guarantees
• When in doubt, don’t use it
• Deploy Once; Everytime is for interactions with managed features
• Always select Append rather than Prepend type
BRKSEC-2050 72

BRKSEC-2050
FlexConfig for Internet Edge Use Case:
Prepend FlexConfig:
• Disables DNS Inspection to allow
Umbrella DNSCrypt Traffic
Append FlexConfig:
• Enables ICMP and ICMP Error ASA
Inspection Engines in Firepower
• Edit FlexConfig Text Object as below
Enable ICMP Inspection & Disable DNS Inspection

BRKSEC-2050
FlexConfig for Internet Edge Use Case:
Prepend FlexConfig:
• Clears IPv6-PD on each deployment
Append FlexConfig:
• Enables outside interface (recipient of
delegated prefix) for IPv6 prefix delegation
• Assigns one or more inside interfaces with
a subnet and address from delegated
prefix
• Trust IPv6 default route from IPv6 DHCP
Server (Neighbor Advertisement)
IPv6 Prefix Delegation (IPv6-PD)

• Identity Policy
• Decryption Policy (optional)
• IPS Policy (optional, use default)
• File (AMP) Policy
• Prefilter Policy (optional)
• Access Policy
• Security Intelligence Policy
• Threat Intelligence Director
New Firewall Security Policies Steps

Identity Requirements
Authentication and Authorization

BRKSEC-2050
• Associate traffic to users and devices (IoT etc)
• Access based on users, groups and TrustSec TAG
Identity Use Cases
Method Source LDAP/AD Authoritative?
Active Forced authentication through device LDAP and AD yes
Passive Identity and IP mapping from AD Agent AD yes
User Discovery Username scraped from traffic. LDAP and AD,
passive from the
wire
no
78

User Discovery
• Deduces user identity by
passively analyzing
network
traffic
• Considered non-
authoritative
• Cannot be used in access
control policies
79
BRKSEC-2050

Active and Passive Authentication
• Passive authentication
• IP-to-user mappings are learned from ISE or Firepower User Agent
• Active authentication
• Also called captive portal
• Redirects user to HTTPS server running on the firewall
• User authenticates with username and password
• Identity policy
• Specifies what traffic requires active, passive or no authentication
• Attached to an access control policy
BRKSEC-2050 80

BRKSEC-2050
Cisco Firepower User Agent
• The agent monitors users when they log in and out of hosts
or authenticate with Active Directory credentials
• The User Agent does not report failed login attempts
• The agents associate users with IP addresses
• Can use one agent to monitor user activity
• Up to five Active Directory servers
• Send encrypted data to up to five Firepower Management Centers

BRKSEC-2050
Identity Services Engine Integration
Uses pxGrid protocol to
retrieve:
• ISE username (can map to
Active Directory)
• Device type profile & location
• TrustSec Scalable Group Tag
(SGT)
• ISE-PIC provides username
identity only
All ISE retrieved attributes
can be used in:
• Access Policies
• Decryption Policies
• QoS Policies
• FMC has 64k user limit
• Mappings sent to all
firewalls

Active Authentication (Captive Portal)

BRKSEC-2050
Captive Portal Use Cases
• Can be used for non-domain endpoints
• Enforces authentication through the browser
• Can augment passive authentication (Fall-back to Active feature)
• Various Supported Authentication types (Basic, NTLM, Kerberos, Form)
• Guest / Non Windows Device Authentication Support
• Multi-realm Support

High Level Configuration Steps
1. Configure a realm
2. Create a certificate/key pair
3. Configure an Identity Policy
4. Modify the access control policy
5. Deploy the identity and access control policy
BRKSEC-2050 86

• The redirect URL will contain an IP address
HTTP/1.1 307 Proxy Redirect
Location:
https://198.19.10.1:885/x.auth?s=Ehf2Y7FP177kbui%2B665%2BYV%2FrX3Mq9Piz8%2BVbQs
q%2FpsY%3D&u=http%3A%2F%2Foutside%2F
Connection: close
• To avoid certificate warnings on the endpoint, the IP
addresses must be included either as:
• The CN in the Subject
• IP Address entries in the Subject Alternative Name
Create Certificate/Key Pair
BRKSEC-2050

1. Create an Identity Policy
2. Upload the Certificate/Key pair
3. Create a rule
Case 1: Create passive authentication rule with fall-back to active
authentication
Case 2: Create active authentication rule.
4. Save the Identity Policy
Configure an Identity Policy
BRKSEC-2050

Configure Captive Portal
Setup An identity realm (System ->Integration -> Realms) and an identity source (System -
>Integration>Identity Sources)
• To allow Kerberos authentication,
LDAPS must be enabled on domain
controllers
• No specific TLS requirements are
required. Enabling LDAPS, as
described below, is sufficient.
• Workstations must be able to resolve
the sensor's hostname in the Active
Directory domain.
BRKSEC-2050

1. Edit the desired access control policy
2. Select the Advanced tab
3. Under Identity Policy Settings, un-check the Inherit from
base policy checkbox, if necessary
4. Under Identity Policy Settings, select the appropriate
identity policy
5. Save the access control policy
Modify the Access Control Policy
BRKSEC-2050

Customer Use Case
Citrix Logon
Hypervisor (i.e. VMware ESXi)
Server-hosted apps:
• Word
• Excel
• Power Point
Server-hosted desktops
Internet
Sensor
192.168.0.23
user1
user2
what?
is 192.168.0.23
user1 or user2?
BRKSEC-2050

Supports the
following services
• Citrix XenDesktop
• Citrix XenApp
• Xen Project
Hypervisor
• VMware ESXi 6.0
• Windows Terminal
Services
• Windows
Remote Desktop
Services (RDS)
Cisco Terminal
Server Agent
BRKSEC-2050 94

BRKSEC-2050
Identity Policy based on Passive Authentication
Must create, attaches to Access Control Policy

BRKSEC-2050
Access Control Policy Identity Control
Can Mix and Match AD & ISE Identity Groups (Guest, BYOD, etc.)

BRKSEC-2050
TrustSec Security Group Tag based identity from ISE
Can also reference Identity Services Engine identified Device Profiles

BRKSEC-2050
ISE remediation in using pxGrid

BRKSEC-2050
Active Directory “Realm” Configuration
• Realm configuration
used in Identity Policy
• User and Group
downloads used in
Access Policy
• Can have Multiple
Entries
• LDAP / LDAPS

BRKSEC-2050
Identity Services Engine pxGrid Integration
• MUST install ROOT
certificate (chain) on FMC
that signed ISE pxGrid
Cert
• MUST install ROOT
certificate (chain) on ISE
that signed FMC Cert
• Private keys not needed
(of course!)

BRKSEC-2050
External Authentication
for Administration
• LDAP / AD or RADIUS
• Example allows “External Users” to
be defined that exist in Active-
Directory for FMC or shell login
• Can stack multiple methods

BRKSEC-2050
• Protect the network from threats from remote TLS servers
• Called the outbound or unknown key case
• Example: Malware downloaded over HTTPS by users surfing
the web.
• Protect the network from attacks on internal TLS servers
• Called the inbound or known key case
• Example: Protect DMZ HTTPS servers from intrusion attacks
Customer Use Case
103

• Inspection fails for some applications
• No end-user notifications unless traffic is decrypted
• Inspection fails for some client/server combinations
• Load on firewall creates throughput degradation
• Currently TLS is being performed in software
• TLS decryption will be in hardware (roadmap / release beta)
Challenges
BRKSEC-2050 104

• Block TLS traffic without decrypting
• Block URL categories
• Block Application (approx. 400 applications can be identified)
• Block based on certificate status, TLS version or cipher suite
• Use Replace Key Only feature
• Enable logging
to help
troubleshooting
Best Practices

BRKSEC-2050
Granular TLS Decrypt
Can specify by application, certificate fields / status, ciphers, etc.
Decrypt Cert required!

Transport Layer Security
• Secure Sockets Layer (SSL) is broken, obsolete and no longer in use
• Transport Layer Security (TLS) is the current generic protocol layer
• Some detectors do not need decryption without Diffie-Hellman (DH)
• Cleartext SNI extension indicates where client may be going – spoofable
• ServerCertificate contains server identity – legitimate if CA is trusted
• Man-in-the-Middle (MITM) inspection is inevitable with TLS 1.3
Client Server
ClientHello, Server Name Identifier (SNI)
ServerHello, ServerCertificate, ServerHelloDone
ClientKeyExchange, ChangeCipherSpec, Finished
ChangeCipherSpec, Finished
ApplicationData
PKI Phase
Bulk Data Phase
BRKSEC-2050 107

Transport Layer Security
• MITM TLS inspection is two separate sessions with client and server
• Resign mode breaks with Public Key Pinning, not Certificate Pinning
• Client certificate authentication or custom encryption always break MITM
• Hardware acceleration of PKI and Bulk Data phases still leans on x86
• 3-4 times performance improvement with large transfers (Bulk Data)
• 7-8 times performance improvement with a transactional profile (PKI)
Client Public Key FTD Public Key
Server Public Key
FTD (Resign) or Server (Known) Public Key
x86 Crypto Engine
CPU Bus
BRKSEC-2050 108

Crypto
Hardware Data Plane
NGFW Inspection and Policy Enforcement
TLS
Endpoints
TLS
Endpoints
Hardware Data Plane
NGFW Inspection and Policy Enforcement
TLS
Endpoints
TLS
Endpoints
Software SSL
Hardware Accelerated SSL
Crypto
Decrypted
TLS Hardware Acceleration Architecture
BRKSEC-2050 109

Limitations and Workarounds
• At 6.2.3 FCS, SSL Hardware Acceleration not officially released / supported.
• Must use CLI to enable in 6.2.3.
• If a customer encounters a blocking issue that only shows up in Hardware
Acceleration mode, they should toggle back to Software mode until the
engineering team can provide a Hardware mode workaround or fix.
BRKSEC-2050 110

Lina debug CLI
• For live troubleshooting of traffic going through the box, new Lina debug CLI commands.
• Log into the enable mode of the lina terminal on FTD:
> ssh admin@[ftd]
> expert
$ sudo su
# lina_cli
> en
• #debug snort tls-offload
• This will print out error debug logs for proxy, tracker, and dispatcher (packetizer) modules.
• # debug snort tls-offload [all | tracker | proxy | dispatcher] [error | event | packet]
• This allows you to specify which lina component to print out errors, events, or packet data to the terminal.
• To turn these commands off, run # no debug snort tls-offload
• # show snort tls-offload
• This will display statistics related to packets encrypted and decrypted by Snort in HW acceleration mode.
• # clear snort tls-offload
• This will clear the statistics.
BRKSEC-2050 111

BRKSEC-2050
Custom IPS Policy

BRKSEC-2050
What’s in the default IPS & Network Access Policies?
Connectivity Over Security
• CVSS Score 10. 2 years
• 499 rules
• 15 preprocessors enabled
Balanced Security and Connectivity
• CVSS Score 9 or higher. 2 years
• 9250 rules
Security Over Connectivity
• CVSS Score 8 or higher. 3 years
• 12706 rules

BRKSEC-2050
Malware and File Analysis
Attached to Access Policy

Packet
TX
Packet
RX Exis
ting
Logical Packet Flow
Prefilter
Policy
Main Access
Policy
IP Reputation,
SI
Flow Creation
Ingress
Checks
Flow Lookup Clustering VPN
Normalization
Flow Lookup
Anomaly,
NGIPS, AMP
Egress
Checks
Lina
Snort
New
Pointer
Verdict
FTD
New Exis
ting
Fastpath
BRKSEC-2050 115

Prefilter Policy (optional) – Based on L2-L4 flow attributes
• First access control phase in Data Plane for each new flow
• Block: Deny the flow without any further processing
• Fastpath: Allow and process entirely in Data Plane, attempt Flow Offload
• Analyze: Pass for evaluation in Main AP, optionally assign tunnel zone
• Use correctly -- not a “high performance” substitute to NGFW policies
• Limited early IP blacklisting
• Tunneled traffic inspection
• Allowing high-bandwidth and low latency trusted flows (Flow Offload)
BRKSEC-2050 116

Access Policy – Based on Layer 2 - Layer 7 Flow Attributes
• Primary access control phase in Snort
• Block [with reset]: Deny connection [and TCP RST]
• Interactive Block [with reset]: Show HTTP(S) block page [and TCP RST]
• Monitor: Log event and continue policy evaluation
• Trust: Push all subsequent flow processing into Data Plane only
• Allow: Permit connection to go through NGIPS/File inspection
• Appropriate place for implementing NGFW policy rules
• Full NGFW traffic selection criteria
• Decisions may need multiple packets
BRKSEC-2050 117

BRKSEC-2050
Access Control Policy blocking example

BRKSEC-2050
Prefilter Fastpath and Access Rule Trust Difference?
Both methods bypass Snort Inspection!
Access Policy Trust
Prefilter Policy Fastpath
Can be defined based on L4-L7 parameters

BRKSEC-2050
Network & URL-Based Security Intelligence
• Block traffic to IP addresses and URLs with
bad reputation
• TALOS dynamic feed, 3rd party feeds
• Multiple Actions: Allow, Monitor, Block,
Interactive Block,…
• Policy configured via Access Rules or
black-list
• IoC tags for CnC and Malware matches
• Black/White-list IP / URL with one click
• Blocked traffic not subject to additional
inspection. Logged separately!
URL-SI Categories

121
BRKSEC-2050
Security Intelligence Network & URL Categories
Category Description
Attacker Active scanners and blacklisted hosts known for outbound malicious
activity
Malware Sites that host malware binaries or exploit kits
Phishing Sites that host phishing pages
Spam Mail hosts that are known for sending spam
Bots Sites that host binary malware droppers
CnC Sites that host command and control servers for botnets
Open Proxy Open proxies that allow anonymous web browsing
Open Relay Open mail relays that are known to be used for spam
Tor Exit Node Tor exit nodes
Bogon Bogon networks and unallocated IP addresses

BRKSEC-2050
DNS Inspection
• Security Intelligence support for
domains
• Addresses challenges with fast-flux
domains
• Cisco provided and user defined
DNS lists: CnC, Spam, Malware,
Phishing
• Multiple Actions: Block, Domain Not
Found, Sinkhole, Monitor
• Indications of Compromise extended
with DNS Security Intelligence DNS List Action

BRKSEC-2050
Additional Categories for DNS Security Intelligence Feeds
Same categories as Network and URL feeds plus the following:
Category Description
DGA Malware algorithms used to generate a large number of domain names
acting as rendezvous points with their command and control servers
Exploit Kit Software kit designed to identify software vulnerabilities in client
machines
Response A list of IP/ URLs which seems to be actively participation in the
malicious/ suspicious activity
Suspicious Files that appear to be suspicious and have characteristics that
resembles known malware

Cisco Threat Intelligence Director

Cisco Threat Intelligence Director (CTID)
• Uses customer threat intelligence to
identify threats
• Automatically blocks supported
indicators on Cisco NGFW
• Provides a single integration point
for all STIX and CSV intelligence
sources
BRKSEC-2050 125

Cisco Threat Intelligence Director (CTID)
Step 1
1. Ingest third-party
Cyber Threat
Intelligence indicators
Step 2
2. Publish
observables to
sensors
Step 3
3. Detect and alert to
create incidents
NGFW / NGIPS
Block Monitor
Cisco Threat
Intelligence Director
FMC
BRKSEC-2050 126

Getting Started with STIX™
• Visit the STIX Project Website
• https://stixproject.github.io/
• Create sample STIX files
• https://generator.cosive.com/
BRKSEC-2050 128

Hail a TAXII !!
• Free source of TAXII feeds
• Website URL: http://hailataxii.com
• Multiple feeds
• To configure the TAXII intelligence source
• URL: http://hailataxii.com/taxii-discovery-service
• USERNAME: guest
• PASSWORD: guest
129
BRKSEC-2050

Branch Firewall Use Cases
Site to Site and Remote Access VPN

Branch Use Case
WAN Edge Firewall with Direct Internet Access
131
BRKSEC-2050
Requirement
Connectivity and Availability Requirement:
• MPLS Primary Network Connectivity
• Direct Internet Access for LAN Traffic
• VPN Tunnel as WAN Backup (Hub and Spoke)
• Standalone or High Availability NGFW
• Will manage Firewall over VPN
Routing Requirements:
• OSPF Routing (or BGP) for MPLS WAN
• Static or learned routes for Internet
• Dynamic NAT/PAT for outbound Internet traffic
Security Requirements:
• Application Control + URL Acceptable Use enforcement
• IPS and Malware protection
• SSL Decryption
Authentication Requirements:
• User authentication and device identity
Solution
Security Application: Firepower Threat Defense application with
FMC
Internet
NGFW
LAN
Firewall
“Outside”
Local Area
Network
MPLS WAN
Internet
Edge
OSPF Routing
VPN
Tunnel
Firewall
“Inside”
Firewall
“MPLS”

• Create Shared Access Policy
• Add firewalls to management console
• Configure Interfaces and static routes on each firewall
• Configure dynamic routing for dedicated WAN (optional)
• Configure Shared VPN Policy
• Deploy policies
• Re-address firewalls for remote site and bring on-line!
Ordered Steps for Remote Site Configuration

BRKSEC-2050
Headquarters and Branch NGFW Example
Shared Access Policy for all sites
• Allow traffic from all Branch and HQ LAN subnets to each other

BRKSEC-2050
Adding Firewall to Firepower Management Center
• Host = Out of band
management IP
• Must be reachable by FMC
• Can add with temporary
“staging” IP if ”NAT ID” field is
used (don’t forget this!)
• Device can be set to “offline” in
FMC. Devices -> Device
Management -> Device TAB ->
Management

BRKSEC-2050
Branch NGFW Use Case – Interface Configuration
Outside / Inside / MPLS Interfaces configuration (Static IP)
• Can have dual MPLS and multiple inside interfaces / LAN segments

BRKSEC-2050
HUB (Headquarters) Static Routes:
• Note “floating static routes” for all remote branch subnets to Internet gateway!

BRKSEC-2050
HQ & Branch OSPF Routing Configuration for MPLS:
• Redistributing ”connected” and “static” routes to OSPF

BRKSEC-2050
Single Hub & Spoke Site to Site VPN Configuration
• Static ”outside” IP Addresses on HUB and all Spoke firewalls

BRKSEC-2050
Create Hub and Spoke IKEv2 VPN Topology with all default settings
• DISABLE Reverse Route Injection on IPSec Tab or OSPF routes are ignored

BRKSEC-2050
Dynamic Endpoint option for sites with DHCP Outside Interface
• Set Crypto Map type to Dynamic in IPSec Tab. Hub + Spokes as Bi-directional

BRKSEC-2050
Best Practice: Disable Health Monitoring Interface Warnings
• Will prevent FMC warnings when no traffic seen on an interface

BRKSEC-2050
Deploy configurations to all firewalls
• FTD configurations are pushed to
firewalls via “STUNNEL” secure
communications channel via
management interface
• After configuration deployment,
management interface can be
changed for target site

BRKSEC-2050
Manually changing FTD management IP address information
Serial Console connection to firewall is easiest (can be
done via ssh)
• configure network ipv4 manual <IP> <MASK> <GW>
Both IPv4 and IPv6 management addresses may be
configured and used for SSH to Firewall.
Only IPv4 -or- IPv6 will be used for SFTUNNEL
communication to Firepower Manager Center

BRKSEC-2050
Bring spoke firewalls online
After connecting interface cables,
firewall should come online (verify
ICMP ping to next hop on all
interfaces)
If no dedicated WAN, spoke VPN
tunnel should immediately come up.
Optional: Verify with “show crypto
ipsec sa” via CLI.

BRKSEC-2050
Best Practice: Use of Groups in FMC for organization
• GREEN status bubble indicates firewall is online and reachable from FMC
• Same policy sets applied to all branch firewalls

BRKSEC-2050
• OSPF routes from private WAN will always be preferred
• Routing “failover” time to VPN tunnel will depend upon
OSPF Hello & Dead Interval values (must use
FlexConfig to change)
• Spoke-to-spoke traffic will transit VPN hub for sites with
WAN down (only for static IP spokes!)
• Use dynamic spoke option for DHCP addressed sites.
• Static spoke supports tunnel creation from hub or spoke
• Add “VPN only” network route to keep tunnels forced up
Benefits and Caveats

BRKSEC-2050
HQ Firewall Routing Table with all site MPLS links UP
• FTDv-A Hub Site routing table (branch site routing tables will look similar)
Learned OSPF routes from MPLS WAN for Branch LANs

BRKSEC-2050
HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN
• FTDv-A Hub Site routing table
OSPF route for Branch LAN replaced by “floating static” route to outside (VPN)

BRKSEC-2050
HQ Firewall Routing Table with MPLS links to FTDv-C Branch DOWN
• FTDv-B Branch routing table
OSPF route for Branch FTDv-C LAN now points to MPLS connected Hub firewall
FTDv-B branch will “talk” through MPLS to Hub site then VPN connection to FTDv-C

BRKSEC-2050
Remote Access VPN for Roaming User
ISP
FP2100 in
HA
Private Network
Campus/Priv
ate Network
Internet
Edge
• Secure SSL/IPsec AnyConnect access to corporate
network
• Support for Split Tunneling or Backhauling to
handle traffic from remote uses to Internet.
• AMP and File inspection Policy to monitor roaming
user data.
• Easy RA VPN Wizard to configure AnyConnect
Remote Access VPN
• Advanced Application level inspection can be
enabled to enforce security on inbound Remote
Access User data.
• Monitoring and Troubleshooting to monitor remote
access activity and simplified tool for troubleshooting.
Secure access using Firepower

BRKSEC-2050
Remote Access VPN
• AnyConnect client-
based VPN
• Limitations:
• No clientless VPN
support (client
download only)
• No legacy Cisco
IPsec IKEv1 client
support
• No Dynamic
Access Policies

RA VPN on FTD versus ASA
• Both SSL and IPsec with AnyConnect
• Basic AAA
• LDAP/AD, client certificate, RADIUS
attributes, DACLs, Time ranges
• Time Ranges
• AnyConnect client
• Proxy/DNS/WINS server assignment
• Simple configuration
• Session monitoring and control
Features provided in FTD (and ASA) Features only supported by ASA
• Advanced AAA
• Kerberos, TACACS, SAM, RSA SDI,
Local Authentication, RADIUS CoA
• Hostscan/Endpoint assessment
• AnyConnect client customization
• Dynamic Access Policies (DAP)
• LDAP attribute map
• VPN Load Balancing
• Clientless RA VPN
BRKSEC-2050 152

BRKSEC-2050
Firepower AnyConnect Remote Access
Before You Start Wizard:
1. Configure Realm or RADIUS
Server Group for authentication
2. Upload AnyConnect package(s)
(can pull from Cisco during wizard)
3. Have Firepower device interfaces
and routing configured
4. Install Self-Signed Certificate or
enroll device with public CA

BRKSEC-2050
Configuration Wizard Steps:
1. (Group) Policy Assignment
2. Connection Profile Creation
3. AnyConnect package selection
4. Access & Certificates

BRKSEC-2050
Connection Profile:
1. Name (mandatory)
2. Authentication Method (AAA
= username + password)
3. IPv4 / IPv6 Address Pool(s)
4. Group Policy Selection (can
use default)

BRKSEC-2050
AnyConnect client software selection:
• Upload from your workstation
• Download from Cisco.com using Wizard (need CCO credentials)

BRKSEC-2050
Interface Selection & Certificate:
1. Choose Interface / Zone
2. Choose Interface Identity
Certificate
3. Optional: Create Self-
Signed Certificate
4. Can also enroll device in
public Certificate Authority
*best practice

BRKSEC-2050
• Configuration Summary
• Recommended Next Steps

BRKSEC-2050
Don’t forget!
1. Allow VPN traffic from Outside
zone in your Access Policy!
2. Exempt traffic to and from your
VPN subnet from NAT!
3. Disable proxy ARP in your
NAT Exempt rule

RA VPN Wizard Summary (FMC)
BRKSEC-2050 160

RA VPN Configuration Wizard (FDM)
BRKSEC-2050 161

• Smart License support is provided for the following RA VPN license types and combinations
• VPN-only
• Apex
• Plus
• Apex and Plus
• A valid Smart license token is required for any of the RA VPN licenses
• RA VPN deployment is not be supported in Smart license evaluation mode
• Configuration cannot be deployed to a device unless the device has entitlement for at least one
RA VPN license
• Health events and licensing alerts are shown when licenses go out of compliance
RA VPN Licensing
BRKSEC-2050 162

Licencing in FMC Device Management Page
BRKSEC-2050 163

• Access interfaces – determine interfaces to be used by RA VPN
• SSL settings, such as access ports
• IKEv2 settings such as certificate
• AnyConnect image – client package to be installed on the endpoint
• AnyConnect client profile – XML can be uploaded into the FMC as file object.
• Referenced in the group policy and downloaded to the endpoint while the VPN connection is initiating
• Includes may parameters for the AnyConnect client.
• Connection profiles – determine how authentication is performed
• Group policies -- a set of user-oriented attribute/value pairs for RA VPN users
• DNS/WINS, SSL/DTLS, timeouts, client bypass protocol and DHCP network scope
• Split tunnel and split DNS configuration
• VPN filter , egress VLAN and client firewall rules
• AnyConnect client profile, SSL/DTLS settings and connection settings
RA VPN Components
BRKSEC-2050 164

Objects Associated with RA VPN
BRKSEC-2050 165

Modifying Other RA VPN Components
BRKSEC-2050 166

Dashboard Widgets
BRKSEC-2050 167

User Activity
BRKSEC-2050 168

Troubleshooting
BRKSEC-2050 169

Advanced Troubleshooting
BRKSEC-2050 170

Monitoring System Utilization
• Lina
• Snort
ftd# show cpu detailed
Break down of per-core data path versus control point cpu usage:
Core 5 sec 1 min 5 min
Core 0 2.0 (2.0 + 0.0) 1.1 (1.1 + 0.0) 0.9 (0.9 + 0.0)
Core 1 3.2 (3.2 + 0.0) 1.8 (1.8 + 0.0) 1.5 (1.5 + 0.0)
[…]
Core 35 0.0 (0.0 + 0.0) 0.0 (0.0 + 0.0) 0.0 (0.0 + 0.0)
ftd# show asp inspect-dp snort
SNORT Inspect Instance Status Info
Id Pid Cpu-Usage Conns Segs/Pkts Status
tot (usr | sys)
-- ----- ---------------- ---------- ---------- ----------
0 47430 1% ( 1%| 0%) 621 0 READY
1 47434 0% ( 0%| 0%) 610 0 READY
[…]
45 47474 2% ( 2%| 0%) 572 0 READY
Data Plane (most
transit traffic)
Control Plane
(network control and
application inspection)
Inspection Load
Load Distribution
Processing State
BRKSEC-2050 171

BRKSEC-2050
Generating Troubleshooting Files
• Navigate to Devices Device Management
• Click on the troubleshooting icon next to the device
• Click Generate Troubleshooting Files
• Select the information you wish to download
• A compressed TAR file will be downloaded
to the browser

BRKSEC-2050
Verifying Sensor Traffic and Configuration
• Capture traffic on interface – useful to verify traffic is making it to the sensor
> capture
• Capture traffic sent to Snort process – useful to verify traffic is making it to Snort
> capture-traffic
• View policy configuration from sensor – useful to confirm successful policy
deployment from FMC to sensor.
> show access-control-config

BRKSEC-2050
Sample System Support Commands
• Access policy troubleshooting – perform policy trace on traffic
> system support firewall-engine-debug
• AMP for networks troubleshooting – shows malware detection processing
> system support file-malware-debug
• AVC troubleshooting – shows details of AppID preprocessing
> system support application-identification-debug
• Safe Search and YouTube EDU troubleshooting – shows HTTP request header
modifications
> system support firewall-httpmod-debug

BRKSEC-2050
Process Control
• Show process status
> pmtool status
• Restart Snort (Sensor)
> pmtool restartbytype DetectionEngine
• Restart eventing (Sensor)
> pmtool restartbytype EventProcessor
• Restart eventing (FMC)
$ sudo pmtool restartbyid sftunnel
$ sudo pmtool restartbyid SFDataCorrelator
• .

BRKSEC-2050
Authentication Troubleshooting
• Put ADI into debug mode (FMC)
# pmtool disablebyid adi
# adi --debug
• Sample output
Oct 11 21:14:06 fmc SF-IMS[31902]: [31930] ADI:discovery [DEBUG] adi.cpp:391:HandleLog(): SRV
Target: dc.example.com
Oct 11 21:14:06 fmc SF-IMS[31902]: [31930] ADI:ldap [DEBUG] adi.cpp:391:HandleLog(): Connecting
to host: ldap://dc.example.com:389
Oct 11 21:14:06 fmc SF-IMS[31902]: [31930] ADI:ldap [WARN] adi.cpp:397:HandleLog(): LDAP bind
failed against dc.example.com:389: Invalid credentials
Oct 11 21:14:06 fmc SF-IMS[31902]: [31930] ADI:krb-realm [ERROR] adi.cpp:400:HandleLog(): Unable
to connect to EXAMPLE.COM: Invalid credentials
• Return ADI to default mode (FMC)
# pmtool enablebyid adi

• Can be run on FMC or FTD
• Must be root to execute
• Sample syntax
• user_map_query.pl -u harry
(show IP and group membership information about harry)
• user_map_query.pl -g IT
(show users belonging to the IT group)
• user_map_query.pl -i 172.16.1.25
(show who is using the IP address 172.16.1.25)
• user_map_query.pl -h
(show usage information)
User Map Query Script
BRKSEC-2050

Security Intelligence and CTID
• Files are downloaded to the FMC from Talos and stored in /var/sf/
root@FMC:/var/sf/bin# ls -d /var/sf/*download
/var/sf/clamupd_download /var/sf/sifile_download
/var/sf/cloud_download /var/sf/silamplighter_download
/var/sf/iprep_download /var/sf/siurl_download
/var/sf/sidns_download
• Files are then pushed to the FTD and stored in /ngfw/var/sf/
root@FTD:/var/sf/bin# ls -d /ngfw/var/sf/*download
/ngfw/var/sf/clamupd_download /ngfw/var/sf/sidns_download
/ngfw/var/sf/cloud_download /ngfw/var/sf/sifile_download
/ngfw/var/sf/iprep_download /ngfw/var/sf/siurl_download
• These directories contain flat files that can be easily examined
BRKSEC-2050 178

BRKSEC-2050
Syslog from FTD Data Plane

180
BRKSEC-2050
Running Show Commands from the FMC
• Use FTD CLI on FMC
• Supports three main CLIs
• Traceroute
• Ping
• Show
• Used to get information on
NAT, Routing, detailed
VPN information, etc..

BRKSEC-2050
Firepower Threat Defense Summary
Power Internet Edge and
Branch WAN Platform
• Powerful Threat Defense
Capabilities
• Advanced Site to Site VPN
and routing protocol support
• AnyConnect Remote Access
Unified Management
Robust NGFW
Feature set
Flexible
Deployment

• Please complete your Online
Session Evaluations after each
session
• Complete 4 Session Evaluations
& the Overall Conference
Evaluation (available from
Thursday) to receive your Cisco
Live T-shirt
• All surveys can be completed via
the Cisco Live Mobile App or the
Communication Stations
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
www.ciscolive.com/global/on-demand-library/.
Complete Your Online
Session Evaluation

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
184
BRKSEC-2050

Cisco Firepower Sessions: Building Blocks
BRKSEC-2056
Threat Centric Network
Security
BRKSEC-3300
Advanced IPS
Deployment
BRKSEC-3035
Firepower Platform
Deep Dive
BRKSEC-3455
Dissecting Firepower
NGFW “Installation &
Troubleshooting
BRKSEC-3667
Advanced Firepower
SSL policy
troubleshooting
BRKSEC-2064
NGFWv and ASAv in
Public Cloud (AWS and
Azure)
BRKSEC-2058
A Deep Dive into using
the Firepower Manager
BRKSEC-2051
Deploying AnyConnect
SSL VPN with ASA
(and Firepower Threat
Defense)
BRKSEC-2050
Firepower NGFW
Internet Edge
Deployment Scenarios
Thursday
Wednesday
Tuesday
We are here!
BRKSEC-2050

Firepower ngfw internet

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Firepower ngfw internet

Ähnlich wie Firepower ngfw internet (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Firepower ngfw internet