NGFW(FTD)
“Installation & Troubleshooting”
Veronika Klauzova
BRKSEC-3455
Cisco Spark – Questions?
Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Haitham Jaradat
John Groetzinger
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
For Your Reference – Related sessions you don’t want to miss at #CLUS
• BRKSEC-2020 – Firepower NGFW Internet Edge Deployment Scenarios (Jeff Fanelli)
• BRKSEC-2050 – Firepower NGFW Deployment in the Data Center and Enterprise Network Edge using FTD (Steven Chimes)
• TECSEC-3301 – Firepower Data-Path Troubleshooting (John Groetzinger)
For Your Reference – Related sessions you don’t want to miss at #CLUS
• TECSEC-2004 / BRKSEC-3020 – Troubleshooting ASA Firewalls; Troubleshooting FTD like a TAC Engineer (Kevin Klous, Ben Ritter)
• BRKSEC-3035 – Firepower Platform Deep Dive (Andrew Ossipov)
Your presenter throughout FTD journey
• Firepower TAC engineer
• Originally from
• Working in
Agenda
• Introduction
• Hardware & Software review
• Installation and Configuration
• Device registration troubles
• FTD Data-Flow: life of a packet
• Troubleshooting & Tools
• Conclusion
For Your Reference – Abstract Review
• The session covers both operational and maintenance aspects of all relevant Firepower-NGFW functions from “Installation” to “Operation” to “Troubleshooting”, with a focus on interactive demonstration of the detailed topics.
• Upon successful completion of this session, the attendee will be able to:
  • describe the FTD system architecture
  • describe packet flow processing
  • perform installation and configuration of FirePOWER Threat Defense (FTD)
  • verify and troubleshoot traffic flows traversing FTD
All content and demos are based on the following
• Firepower 4100 series system
• FXOS Version 2.1(1.77)
• Firepower Threat Defense 6.2.0.2 version (Released in May 2017)
• Firepower Management Center 6.2.0.2 version (Released in May 2017)
Hardware & Software Review
For Your Reference – LTRSEC-1000 FTD Deployment Hands-on Lab (Dax Mickelson)
NGFW evolution
What platforms can run FTD Software
For Your Reference – What platforms can run FTD Software (table: Platform, FTD Support)
Firepower 4100 – closer look (front view)
• 2 x 2.5” SSD Bays
• 8 x optic SFP+ ports
• Power
• Console
• MGMT
Firepower Chassis Manager
Firepower Management Center
Firepower Device Manager
Firepower Threat Defense (DATA-PATH / LINA) and FXOS
FTD CLI modes
There are three CLIs while dealing with an FTD deployment:
Firepower-module1>   (prompt shown on the slide)
• FXOS CLI
• CLISH:  >  →  expert  $  →  sudo su  #
Firepower Threat Defense – CLI modes
>  →  expert  $  →  sudo su  #
>  →  system support diagnostic-cli  →  firepower> enable  →  firepower#   (return to CLISH with CTRL + a, d)
Converged FTD CLISH
• Available over SSH on the data and management interface/s
• No switching back and forth between FP and ASA sub-modes
BEFORE 6.1:
> system support diagnostic-cli
firepower> enable
firepower# show cpu
Ctrl + a + d
6.1 and later:
> show cpu
Time CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle
14:32:43 all 20.46 0.00 0.19 0.00 0.00 0.00 0.00 0.00 0.00 79.35
Installation and Configuration
Preparing Firepower 4100 for an installation
Setup Management IP address
KSEC-FPR4100-2-A# scope fabric-interconnect a
KSEC-FPR4100-2-A /fabric-interconnect # set out-of-band gw 10.62.148.1 ip 10.62.148.38 netmask 255.255.255.0
Warning: When committed, this change may disconnect the current CLI session
KSEC-FPR4100-2-A /fabric-interconnect* #
KSEC-FPR4100-2-A /fabric-interconnect* # commit
KSEC-FPR4100-2-A /fabric-interconnect # exit
Preparing Firepower 4100 for an installation
Verify DNS configuration settings in the FXOS CLI
KSEC-FPR4100-2-A# scope system
KSEC-FPR4100-2-A /system # scope services
KSEC-FPR4100-2-A /system/services # show dns
Domain Name Servers:
    IP Address: 173.38.200.100
    IP Address: 8.8.8.8
KSEC-FPR4100-2-A /system/services #
Preparing Firepower 4100 for an installation
Verify and configure Network Time Synchronization (NTP)
Brief installation steps on Firepower 4100 series
Upload new supervisor (FXOS) software to FCM
Upgrade the supervisor (FXOS) software bundle
Configure FTD Data & Management Interfaces
FTD logical device creation
For Your Reference – FTD installation on 4100 (1)
For Your Reference – FTD installation on 4100 (2)
For Your Reference – FTD installation on 4100 (working hard)
FTD Installation “Local Console” monitoring
KSEC-FPR4100-2-A /ssa/slot # connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
FTD installation on 4100 (finished)
Device registration
Having trouble registering a device?
Device Registration: FMC and FTD communicate over an encrypted tunnel (e.g. FMC in 192.168.0.0/24, FTD in 10.10.10.0/24)
The tunnel carries:
• Keep-Alive messages
• Connection Events
• IPS Events
• Malware Events
• File Events
• SSL Events
ftd-4100-2:/# netstat -lnta | grep 8305
tcp 0 0 10.62.148.85:60563 10.62.148.90:8305 ESTABLISHED
tcp 0 0 10.62.148.85:54849 10.62.148.90:8305 ESTABLISHED
The tunnel uses TCP 8305.
Trouble 1: FTD has a DHCP IP address, what now?
FMC (eth0 MGMT interface with static IP address) – Add FTD in the FMC WebUI:
1. Keep Host entry EMPTY
2. Registration/Shared Key
3. ACP
4. License
5. NAT ID (required when the host entry is not used)
Important Note: the NGFW will initiate the registration communication!
Trouble 2: FMC has a DHCP IP address, what now?
FMC (eth0 MGMT interface with DHCP IP address) – Add FTD in the FMC WebUI:
1. Keep Host entry (IP address of FTD)
2. Registration/Shared Key
3. ACP
4. License
5. NAT ID (optional)
FTD (mgmt0 MGMT interface with static IP address):
• Add manager/FMC IP address in CLI
• Shared Key (needs to match the FMC side)
• NAT ID (needs to match the FMC side)
Important Note: the FMC will initiate the registration communication!
Device registration “headache” error message
Device registration trouble #3 (FTD / FMC)
Device registration trouble #4 (FMC / FTD)
Device registration trouble #4 (FTD / FMC)
# tail -f /ngfw/var/log/messages
May 28 18:04:57 fmc-vklauzov SF-IMS[2769]: [3315] sftunneld:sf_ssl[WARN] Accept: Failed to authenticate peer '10.62.148.90'
# tail -n 14 /etc/sf/sftunnel.conf
host 10.62.148.90;
ip 10.62.148.90;
reg_key cisco12345;
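The rules from the Trouble 1 / Trouble 2 slides and the “Failed to authenticate peer” warning above, turned into a small pre-flight checker and log triage script. This is an added example, not Cisco code; the field names, the second sftunnel.conf fragment and the sample log text are my own constructions.

```python
"""Pre-flight check and log triage for FMC <-> FTD device registration (sftunnel, TCP 8305).
Added example for this deck, not Cisco tooling. It encodes the rules of the Trouble 1/2 slides
and the 'Failed to authenticate peer' slide; field names and samples are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RegistrationPlan:
    """What was entered on each side: FMC WebUI 'Add device' form and the FTD manager CLI."""
    fmc_host_entry: Optional[str]   # FMC WebUI Host field; None = left empty (FTD on DHCP)
    fmc_reg_key: str                # FMC WebUI Registration/Shared Key
    fmc_nat_id: Optional[str]       # FMC WebUI NAT ID
    ftd_reg_key: str                # shared key given on the FTD CLI
    ftd_nat_id: Optional[str]       # NAT ID given on the FTD CLI


def preflight(plan: RegistrationPlan) -> List[str]:
    """Return the problems implied by the slide rules; an empty list means the inputs are consistent."""
    problems = []
    if plan.fmc_reg_key != plan.ftd_reg_key:
        problems.append("registration key mismatch between FMC and FTD")   # fail scenario 2
    if plan.fmc_host_entry is None:
        # Trouble 1: FTD has a DHCP address, the FMC Host entry is empty, so a NAT ID is mandatory
        if not plan.fmc_nat_id or not plan.ftd_nat_id:
            problems.append("NAT ID required on both sides when the FMC Host entry is empty")
        elif plan.fmc_nat_id != plan.ftd_nat_id:
            problems.append("NAT ID mismatch between FMC and FTD")
    elif (plan.fmc_nat_id or plan.ftd_nat_id) and plan.fmc_nat_id != plan.ftd_nat_id:
        # Trouble 2: NAT ID is optional, but when used it must match on both sides
        problems.append("NAT ID mismatch between FMC and FTD")
    return problems


def initiator(plan: RegistrationPlan) -> str:
    """Which side opens the TCP 8305 connection per the slides: NGFW when the FMC has no Host entry, else FMC."""
    return "FTD" if plan.fmc_host_entry is None else "FMC"


# sftunnel.conf lines as shown on the slide: "host ...;", "ip ...;", "reg_key ...;"
CONF_LINE_RE = re.compile(r"^\s*(?P<key>host|ip|reg_key)\s+(?P<value>[^;]+);")
# sftunneld warning as shown on the slide
AUTH_FAIL_RE = re.compile(r"sftunneld:sf_ssl\[WARN\]\s+Accept: Failed to authenticate peer '(?P<peer>[\d.]+)")


def parse_sftunnel_conf(text: str) -> Dict[str, str]:
    """Pick the host/ip/reg_key settings out of a sftunnel.conf fragment."""
    conf = {}
    for line in text.splitlines():
        m = CONF_LINE_RE.match(line)
        if m:
            conf[m.group("key")] = m.group("value").strip()
    return conf


def keys_match(conf_a: str, conf_b: str) -> bool:
    """True when both sftunnel.conf fragments carry the same reg_key."""
    return parse_sftunnel_conf(conf_a).get("reg_key") == parse_sftunnel_conf(conf_b).get("reg_key")


def triage_sftunnel_log(text: str) -> List[Dict[str, str]]:
    """One entry per 'Failed to authenticate peer' warning, with the next check to perform."""
    hits = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            hits.append({"peer": m.group("peer"),
                         "check": "compare reg_key in sftunnel.conf on both sides (fail scenario 2)"})
    return hits


# Constructed samples: the log line and conf fragment from the slide, plus a peer conf with a mistyped key
SAMPLE_LOG = ("May 28 18:04:57 fmc-vklauzov SF-IMS[2769]: [3315] sftunneld:sf_ssl[WARN] "
              "Accept: Failed to authenticate peer '10.62.148.90'\n")
SAMPLE_CONF_A = "host 10.62.148.90;\nip 10.62.148.90;\nreg_key cisco12345;\n"
SAMPLE_CONF_B = "host 10.62.148.85;\nip 10.62.148.85;\nreg_key cisco1234;\n"   # constructed, key mistyped

if __name__ == "__main__":
    plan = RegistrationPlan(None, "cisco12345", "natid1", "cisco12345", "natid1")
    print(initiator(plan), preflight(plan))
    print(triage_sftunnel_log(SAMPLE_LOG))
    print(keys_match(SAMPLE_CONF_A, SAMPLE_CONF_B))
```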
For Your Reference – Device registration trouble 5: FMC and FTD separated by the Internet, which is full of NAT devices
For Your Reference – Device registration trouble 6
For Your Reference – Device registration trouble 7 (FTD / FMC)
For Your Reference – Device registration trouble 8 (FTD / FMC)
For Your Reference – Device registration trouble 9 (FTD)
For Your Reference – Device Registration Common Fail Scenarios Summary
1. Invalid Syntax
2. Mismatch Between Keys
6. Low bandwidth between FMC and FTD
7. Process down
FTD Data-Flow: life of a packet
Firepower 4100 architecture overview: Security Engine (FTD), Smart NIC, Internal NM, NM 1, NM 2
Firepower 4100 architecture overview (software layers): PDTS, Data-Path, FXOS
Packet-Flow
[Packet-flow diagram] Data-Path / LINA: RX → Ingress Interface → VPN Decrypt → Existing Conn? (YES → DAQ / PDTS → Detection Engine / Snort) (NO → Egress Interface → Pre-Filter → L3/L4 ACL → ALG checks → NAT → L3, L2 hops) → QoS, VPN Encrypt → TX
Packet-Flow
[Packet-flow diagram as above; the matched LINA rule-id is passed to Detection Engine / Snort via PDTS]
Packet-Flow
[Diagram: Detection Engine / Snort (SI (DNS/URL), Identity) on top of Data-Path / LINA]
Data-Path
[Packet-flow diagram, as above]
Data-Path – Do we receive any packets? (DATA-PATH)
Data-Path
[Packet-flow diagram, as above: Existing Conn stage]
Data-Path – Existing Connection
• The LINA part checks whether the packet belongs to an existing flow or not
• If the packet is part of an already established flow, the appliance skips the basic checks, processes the packet in the Fast-Path, and continues with the checks at DAQ level
firepower# show cap in2 packet-number 46 trace detail
46: 19:28:20.056012 0050.56b6.0b33 5897.bdb9.73ee 0x8100 Length: 58
802.1Q vlan#208 P0 172.16.2.13.49182 > 20.20.20.11.80: . [tcp sum ok] 2790183968:2790183968(0) ack 1176461110 win 231 (DF) (ttl 128, id 16898)
...
Type: FLOW-LOOKUP
Found flow with id 34550, using existing flow      (34550 = unique connection ID)
firepower# sh logging | include 34550
%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182 (172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
Data-Path
[Packet-flow diagram, as above: Egress Interface stage]
Data-Path – Egress Interface
• Determination of the egress interface:
  • Routing table / route lookup: the ‘in’ entries of the ASP routing table are checked to determine the egress interface
  • UN-NAT (destination NAT): the egress interface is chosen based on the NAT rule
Data-Path
[Packet-flow diagram, as above: Pre-Filter stage]
Data-Path – Pre-Filter Policy
Flow-offload feature
• Helps to offload flows to the Smart NIC for higher throughput and lower latency
• The decision to offload is made by the DATA-PATH (in a future release Snort would also do this)
• Flow state tracking is done by the DATA-PATH
• Supported in clustering deployments, but with no offload-mode compatibility checks
• Supported in HA failover mode: offload flags are replicated to the standby
Motivation:
• Data center FTD deployments with FAT a.k.a. Elephant Flows
• Latency issues in current data plane processing due to x86 CPU complex involvement
Data-Path – Pre-Filter Policy
Use cases
• High performance computing research sites
• High frequency trading
• GRE tunneled packets
Configuration
• Enabled by default on FTD (no GUI option to enable/disable the feature)
• Flows that match a pre-filter policy rule with the Fast-Path action or an Access Control Policy rule with the TRUST action are selected for flow offload
Data-Path – Pre-Filter Policy
• Limitations in the 6.1 release
  • Flows processed by the Detection-Engine/Snort cannot be offloaded, only Data-Path flows
  • Flow offload is not supported for FTD when interfaces are configured as an inline-set
• DATA-PATH
  • Handles decisions to offload based on the policies set up by the user
  • Handles connection establishment and tear-down of offloaded flows
Data-Path – Pre-Filter Policy
Actions
• Analyze: sends the traffic for inspection to Snort
• Block: drops the traffic
• Fastpath: allows the traffic and bypasses further inspection; the rule is processed in hardware and the traffic is offloaded
Data-path policy vs. Snort policy
• Distributed evaluation of policy between LINA and SNORT: Access-control policy (Snort) and Pre-filter policy (LINA)
• AC rules that are evaluated by Snort are pushed down to LINA as PERMIT ACL rules
• Pre-filter rules are presented as Global ACLs to LINA
(diagram label: Inner-headers packet)
Data-path / LINA “backend” ACLs
• A new type of ACL (Advanced ACL) is introduced for Access Control
• Permit/Trust/Deny actions (within the show access-list command)
  • Permit means that the packet is punted to Snort
  • Trust means that the Snort/Detection engine checks are skipped
• LINA can send start-of-flow and end-of-flow events, and Snort sends them to the FMC
• The LINA rule-id uniquely identifies a rule and is sent to Snort to perform the NGFW policy evaluation
Data-Path – Pre-Filter Policy
[Packet-flow diagram, as above: Detection Engine / Snort (SI (DNS/URL), Identity, Advanced Snort / FirePOWER) on top of Data-Path / LINA]
This command will not remove the connection from DATA-PATH; you have to run the clear conn command to do so.
For Your Reference – Data-Path – Pre-Filter Policy
Syslog message when a flow is offloaded and no longer offloaded:
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)
Data-Path
[Packet-flow diagram, as above: L3/L4 ACL stage]
Access Control rule actions
Data-Path – L3/L4 ACL (5-TUPLE)
FMC rule as seen in the Data-Path:
firepower# show access-list | i icmp
access-list CSM_FW_ACL_ line 9 remark rule-id 268441864: L7 RULE: icmp traffic
access-list CSM_FW_ACL_ line 10 advanced permit icmp any any rule-id 268441864 (hitcnt=335) 0xa2dc10fa
The same rule-id on the FirePOWER (Snort) side:
root@ftd:/var/sf/detection_engines/ae4faffe-d1b2-11e6-8ea4-817d227fa40c# cat ngfw.rules | grep 268441864
268441864 fastpath any any any any any any any 1 (log dcforward both)
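Joining the two views above by rule-id, the way the slide does by hand for 268441864, as an added example (not Cisco tooling). The sample lines are the ones shown on the slides; the ngfw.rules columns other than id and action are kept raw, and the meaning given for the deny action is my assumption, since the “backend ACLs” slide only spells out permit and trust.

```python
"""Correlate LINA 'show access-list' entries with Snort's ngfw.rules by rule-id.
Added example for this deck, not Cisco tooling; sample lines are copied from the slides."""
import re
from typing import Dict, List

REMARK_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) remark rule-id (?P<rid>\d+): (?P<text>.*)$")
ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) advanced (?P<action>permit|trust|deny) "
    r"(?P<match>.+?) rule-id (?P<rid>\d+)(?: \(hitcnt=(?P<hits>\d+)\))?"
)
NGFW_RULE_RE = re.compile(r"^(?P<rid>\d+) (?P<action>\S+) (?P<rest>.*)$")

# What the LINA action means, from the "backend ACLs" slide (deny is an assumption, not on the slide)
LINA_MEANING = {
    "permit": "punted to Snort for NGFW policy evaluation",
    "trust": "skips the Snort/Detection engine checks",
    "deny": "dropped by LINA (assumed)",
}


def parse_show_access_list(text: str) -> Dict[int, Dict]:
    """rule-id -> {'name', 'lina_action', 'match', 'hits'} from 'show access-list' output."""
    rules: Dict[int, Dict] = {}
    # "(hitcnt=...)" continuation lines wrapped by the terminal are glued back first
    joined = re.sub(r"\n\s*\(hitcnt=", " (hitcnt=", text)
    for line in joined.splitlines():
        m = REMARK_RE.match(line.strip())
        if m:
            rules.setdefault(int(m.group("rid")), {})["name"] = m.group("text")
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            r = rules.setdefault(int(m.group("rid")), {})
            r.update(lina_action=m.group("action"), match=m.group("match"),
                     hits=int(m.group("hits")) if m.group("hits") else None)
    return rules


def parse_ngfw_rules(text: str) -> Dict[int, Dict]:
    """rule-id -> {'snort_action', 'rest'} from ngfw.rules lines."""
    out: Dict[int, Dict] = {}
    for line in text.splitlines():
        m = NGFW_RULE_RE.match(line.strip())
        if m:
            out[int(m.group("rid"))] = {"snort_action": m.group("action"), "rest": m.group("rest")}
    return out


def correlate(show_acl: str, ngfw_rules: str) -> List[Dict]:
    """One row per rule-id: FMC rule name, what LINA does with the packet, what Snort's rule line says."""
    lina, snort = parse_show_access_list(show_acl), parse_ngfw_rules(ngfw_rules)
    rows = []
    for rid in sorted(set(lina) | set(snort)):
        l, s = lina.get(rid, {}), snort.get(rid, {})
        rows.append({
            "rule_id": rid,
            "name": l.get("name"),
            "lina_action": l.get("lina_action"),
            "lina_meaning": LINA_MEANING.get(l.get("lina_action", ""), "not present in LINA ACL"),
            "hits": l.get("hits"),
            "snort_action": s.get("snort_action", "not present in ngfw.rules"),
        })
    return rows


# Constructed samples: exactly the lines shown on the slides for rule-id 268441864
SHOW_ACL = """access-list CSM_FW_ACL_ line 9 remark rule-id 268441864: L7 RULE: icmp traffic
access-list CSM_FW_ACL_ line 10 advanced permit icmp any any rule-id 268441864
(hitcnt=335) 0xa2dc10fa
"""
NGFW_RULES = "268441864 fastpath any any any any any any any 1 (log dcforward both)\n"

if __name__ == "__main__":
    for row in correlate(SHOW_ACL, NGFW_RULES):
        print(row)
```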
Packet-Flow
[Diagram: Detection Engine / Snort (SI (DNS/URL), Identity) on top of Data-Path / LINA]
Detection engine / Snort – Security Intelligence
• Ability to block dangerous / malicious traffic, a.k.a. “bad guys”
• The SI feed is updated periodically by the Cisco TALOS team
• SI whitelisted traffic is intentionally still processed by the rest of the ACP rules
• 2 default SI lists: Global Whitelist and Blacklist
User Story #1 – Security Intelligence (1)
• Problem description: URL website blocked
User Story #1 – Security Intelligence (2)
User Story #2 – Security Intelligence
• Problem description: Inability to access local web servers from the outside network
No signs of drops in:
• Connection Events
• IPS Events
• Malware Events
• SI events
root@firepower:/Volume/home/admin# cd /var/sf/iprep_download/
# grep "72.4.119.2\|#" *
d8eea83e-6167-11e1-a154-589de99bfdf1:#Global-Blacklist
d8eea83e-6167-11e1-a154-589de99bfdf1:72.4.119.2
# cat d8eea83e-6167-11e1-a154-589de99bfdf1
#Global-Blacklist
72.163.4.161
Lesson learned …
Packet-Flow
[Diagram: Detection Engine / Snort (SI (DNS/URL), Identity) on top of Data-Path / LINA]
Detection Engine / Snort – L7 ACL
• Identification of the App ID usually occurs within 3-5 packets or after the SSL handshake
Traffic IN but not OUT
firepower# sh cap
capture i type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
match icmp any any
capture o type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]
match icmp any any
Snort: IPS policy
• “Troubleshooting thoughts”
  • Is the connection inspected by SNORT? “show conn” – flag ‘N’
  • Packet captures (capture and capture-traffic) show incoming traffic on the ASA/LINA side and diverted flows sent to SNORT, but no outgoing packets, or packets missing on the outside interface after SNORT inspection?
  • Are connection events triggering? -> FMC Connection table view
  • Is the right AC rule being evaluated? -> NGFW debugs
  • IPS events are not populated? -> Create a custom ICMP rule or enable the “ICMP echo-reply” rule 1:408 to confirm that IPS events are generally working
Snort: IPS policy
• In the IPS policy, set the rule to the “Drop and Generate” action
• The interface should be in “Inline” mode
• The IPS policy needs to have the “Drop when Inline” option enabled
How is FTD blocking the traffic?
firepower# sh cap i packet-number 1 trace
1: 09:09:18.644467 172.16.1.17 > 20.20.20.100: icmp: echo request
Type: SNORT
Result: DROP
Snort Verdict: (black-list) black list this flow
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
Preprocessor
• Special attention when packets are blocked but there are no IPS events. Change the rule state to: Drop and Generate
Inline-normalization
IPS policy troubleshooting was never easier than in 6.2+
Capture with trace detail / packet tracer:
Type: SNORT
Result: DROP
Packet: TCP, ACK, seq 3806011039, ack 3309256170
Firewall: allow rule, id 268434444, allow
IPS Event: gid 1, sid 1000000, drop
Snort detect_drop: gid 1, sid 408, drop
AppID: service HTTP (676), application unknown (0)
Firewall: allow rule, id 268434444, allow
Snort: processed decoder alerts or actions queue, drop
IPS Event: gid 1, sid 1000000, drop
Snort detect_drop: gid 1, sid 1000000, drop
NAP id 2, IPS id 1, Verdict BLACKLIST, Blocked by IPS
Snort Verdict: (black-list) black list this flow
Action: drop
Drop-reason: (ips) Blocked or blacklisted by the IPS preprocessor
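A parser for the trace output shown on this slide and on the “Existing Connection” slide, correlated with the %ASA-6-302013 (built) and %ASA-6-805001 (offloaded) syslogs from the deck. Added example, not Cisco tooling; the sample texts are constructed from the slides’ output (the 302013 line for connection 34892 is my own addition).

```python
"""Parse FTD 'show capture ... trace detail' output and correlate it with LINA syslogs.
Added example for this deck, not Cisco tooling; samples are constructed from the slides."""
import re
from typing import Dict

PHASE_RE = re.compile(r"^Type:\s+(?P<type>\S+)")
RESULT_RE = re.compile(r"^Result:\s+(?P<result>\S+)")
FLOW_RE = re.compile(r"Found flow with id (?P<flow>\d+), using existing flow")
IPS_EVENT_RE = re.compile(r"IPS Event: gid (?P<gid>\d+), sid (?P<sid>\d+), (?P<action>\w+)")
DROP_REASON_RE = re.compile(r"Drop-reason: \((?P<code>[\w-]+)\)")
SYSLOG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):.*?connection (?P<conn>\d+)")
BUILT, OFFLOADED = "302013", "805001"


def parse_trace(text: str) -> Dict:
    """Summarise a trace: phases seen, final result, existing-flow id, IPS events and drop reason."""
    s = {"phases": [], "result": None, "flow_id": None, "ips_events": [], "drop_reason": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            s["phases"].append(m.group("type"))
            continue
        m = RESULT_RE.match(line)
        if m:
            s["result"] = m.group("result")           # the last Result: line is the verdict
            continue
        m = FLOW_RE.search(line)
        if m:
            s["flow_id"] = int(m.group("flow"))        # FLOW-LOOKUP hit: packet joins an existing conn
            continue
        m = IPS_EVENT_RE.search(line)
        if m:
            s["ips_events"].append((int(m.group("gid")), int(m.group("sid")), m.group("action")))
            continue
        m = DROP_REASON_RE.search(line)
        if m:
            s["drop_reason"] = m.group("code")
    return s


def conn_states(syslog: str) -> Dict[int, Dict[str, bool]]:
    """Map connection id -> {'built', 'offloaded'} from 302013 / 805001 messages."""
    states: Dict[int, Dict[str, bool]] = {}
    for line in syslog.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        st = states.setdefault(int(m.group("conn")), {"built": False, "offloaded": False})
        if m.group("id") == BUILT:
            st["built"] = True
        elif m.group("id") == OFFLOADED:
            st["offloaded"] = True
    return states


def explain(trace_text: str, syslog: str) -> str:
    """One-line verdict: which phase dropped the packet, or which flow it joined and whether it is offloaded."""
    t = parse_trace(trace_text)
    if t["result"] == "DROP":
        where = t["phases"][-1] if t["phases"] else "unknown phase"
        sids = ",".join(f"{g}:{s}" for g, s, _ in t["ips_events"]) or "none"
        return f"dropped in {where} (reason {t['drop_reason']}, IPS events {sids})"
    if t["flow_id"] is not None:
        st = conn_states(syslog).get(t["flow_id"], {"built": False, "offloaded": False})
        return f"existing flow {t['flow_id']}: built={st['built']} offloaded={st['offloaded']}"
    return "no verdict found"


# Constructed samples from the slides' output (second 302013 line is constructed)
TRACE_EXISTING = """46: 19:28:20.056012 0050.56b6.0b33 5897.bdb9.73ee 0x8100 Length: 58
...
Type: FLOW-LOOKUP
Found flow with id 34550, using existing flow
"""
TRACE_IPS_DROP = """Type: SNORT
Result: DROP
Packet: TCP, ACK, seq 3806011039, ack 3309256170
Firewall: allow rule, id 268434444, allow
IPS Event: gid 1, sid 1000000, drop
Snort detect_drop: gid 1, sid 1000000, drop
Snort Verdict: (black-list) black list this flow
Action: drop
Drop-reason: (ips) Blocked or blacklisted by the IPS preprocessor
"""
SYSLOG = """%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182 (172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302013: Built inbound TCP connection 34892 for in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
"""

if __name__ == "__main__":
    print(explain(TRACE_EXISTING, SYSLOG))
    print(explain(TRACE_IPS_DROP, SYSLOG))
```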
Data-Path
[Packet-flow diagram, as above: ALG checks stage]
Data-path: Inspection
Data-Path
[Packet-flow diagram, as above: NAT and L3, L2 hops stage]
Data-path: NAT, L2 and L3 next hop
The remaining checks are the same as on a standalone ASA.
Data-Path
[Packet-flow diagram, as above: Detection Engine / Snort (SI (DNS/URL), Identity, Advanced Snort / FirePOWER) on top of the DATA-PATH]
FTD Troubleshooting tools
What are the main FTD processes and what do they do?
• snort – inspects network traffic (pass, block and alert)
• ids_event_processor – sends intrusion events to the managing device (FMC)
• ids_event_alerter – sends intrusion events to a Syslog or SNMP server
• wdt-util – used for fail-to-wire / hardware bypass
• SFDataCorrelator – processing events
• sftunnel – secure tunnel between the managed device and the FMC
• diskmanager – managing disk space; Pruner cleans up old files
• Lina – responsible for firewall functionality like ACL, NAT, routing etc.
• Snmpd – SNMP monitoring
• ntpd – responsible for time synchronization
• pm (process manager) – responsible for launching and monitoring all FTD-relevant processes and restarting them in case of failure
Process Management - basics
FMC Root CLI:
Data-path and Snort capture points
1. data-path inbound (firepower# capture in)
2. snort inbound/outbound
3. data-path outbound
Data-path inbound/outbound - The Wires Never Lie!
firepower# capture in interface INSIDE match icmp any any trace detail
(in = capture name; INSIDE = interface name; icmp = protocol; any any = source, destination)
Snort Capture - The Wires Never Lie! (1)
CLISH:
> capture-traffic
Options: -s 0 -w capture.pcap icmp and host 172.16.1.17
IP 172.16.1.17 > 20.20.20.100: ICMP echo request, id 24538, seq 1, length 64
Snort Capture - The Wires Never Lie! (2)
Non-VLAN-tagged traffic vs. VLAN-tagged traffic (IN / OUT, LINA CLI on either side):
CLISH:
> capture-traffic
Options: -v -n -e (icmp and host 172.16.2.11) or (vlan and icmp and host 172.16.2.11)
00:50:56:b6:0b:33 > 58:97:bd:b9:73:ee, ethertype 802.1Q (0x8100), length 78: vlan 208, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 5366, offset 0, flags [none], proto ICMP (1), length 60)
Which ACP rule is being evaluated?
• A tool that provides the Access Control Rule evaluation status for each flow as packets are received in real time.
• The NGFW debug needs at least one filtering condition specified.
Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================   (policy name)
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 10
Variable Set : Default-Set
... (output omitted) ...
Across the four successive outputs on the slides the Rule Hits counter reads 10, 14, 19 and 26.
ACP Rule Hit Counters – FMC WebUI
• Analysis -> Custom -> Custom Workflows -> Create Custom Workflow and use the table "Connection Events"
• Add a page and fill in fields such as "Access Control Policy", "Access Control Rule", "Count", "Initiator IP", "Responder IP"
• Add a Table view
ACP Rule Hit Counters – FMC WebUI vs CLISH
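The CLISH counter above is only useful when it is sampled more than once: a rule that is being matched shows a growing "Rule Hits" value, a rule that is never matched stays flat, and a policy redeploy resets the counter. The following Python script is an added example and not Cisco's code; it parses the output format shown on the slides (the "===[ name ]===" banner and the "Rule Hits" field), and the snapshots it works on are constructed from that format with the counter values 10, 14, 19 and 26 from the slides. It assumes every counter section of interest starts with a banner in that style.

```python
"""Track 'Rule Hits' counters across successive 'show access-control-config'
snapshots captured from the FTD CLISH.

Added example, not Cisco's code. Only the banner line and the 'Rule Hits'
field are parsed; the snapshot text below is constructed from the output
format shown on the slides.
"""
import re
from typing import Dict, List, Optional

# '===================[ ciscolive ]====================' -> name 'ciscolive'
BANNER_RE = re.compile(r"^=+\[\s*(?P<name>[^\]]+?)\s*\]=+", re.MULTILINE)
# 'Rule Hits : 10' -> 10
HITS_RE = re.compile(r"^\s*Rule Hits\s*:\s*(?P<hits>\d+)", re.MULTILINE)

# Constructed snapshot in the format shown on the slides (not real output).
SNAPSHOT_TEMPLATE = """\
===================[ ciscolive ]====================
Description     :
Default Action  : Allow
Default Policy  : Balanced Security and Connectivity
Logging Configuration
    DC          : Disabled
    Beginning   : Disabled
    End         : Disabled
Rule Hits       : {hits}
Variable Set    : Default-Set
"""
SNAPSHOTS = [SNAPSHOT_TEMPLATE.format(hits=n) for n in (10, 14, 19, 26)]


def parse_rule_hits(output: str) -> Dict[str, int]:
    """Return {section name: rule hits} for every banner section in the output.

    Sections are delimited by the banner lines; a section with no
    'Rule Hits' line is skipped.
    """
    hits: Dict[str, int] = {}
    banners = list(BANNER_RE.finditer(output))
    for i, banner in enumerate(banners):
        start = banner.end()
        end = banners[i + 1].start() if i + 1 < len(banners) else len(output)
        match = HITS_RE.search(output[start:end])
        if match:
            hits[banner.group("name")] = int(match.group("hits"))
    return hits


def hit_deltas(snapshots: List[str]) -> Dict[str, List[Optional[int]]]:
    """Per section, the increase in Rule Hits between consecutive snapshots.

    A section that is missing from one of the two snapshots, or whose counter
    went backwards (policy redeployed, counters reset), yields None for that
    interval instead of a misleading negative number.
    """
    parsed = [parse_rule_hits(s) for s in snapshots]
    names: List[str] = []
    for p in parsed:
        for n in p:
            if n not in names:
                names.append(n)
    deltas: Dict[str, List[Optional[int]]] = {}
    for name in names:
        series: List[Optional[int]] = []
        for prev, cur in zip(parsed, parsed[1:]):
            if name not in prev or name not in cur or cur[name] < prev[name]:
                series.append(None)
            else:
                series.append(cur[name] - prev[name])
        deltas[name] = series
    return deltas


def never_hit(deltas: Dict[str, List[Optional[int]]]) -> List[str]:
    """Sections whose counter did not move during the whole sampling window."""
    return [name for name, series in deltas.items()
            if series and all(d == 0 for d in series)]


if __name__ == "__main__":
    for name, series in hit_deltas(SNAPSHOTS).items():
        print(f"{name}: new hits per interval = {series}")
    print("flat sections:", never_hit(hit_deltas(SNAPSHOTS)))
```

Feed it the output of `show access-control-config` taken at fixed intervals (for example from a scripted SSH session) and it tells you per interval how many new flows hit the policy, which is the same question the FMC custom workflow answers from the Connection Events table.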
Event Path
Types of Events
• Network Discovery Events
  • information about a host, based on traffic seen from that host
• Connection Events
  • generated when a session matches an AC rule that has logging enabled
• Intrusion Events
  • generated when an IPS rule triggers (Drop and Generate Event)
• File Events
  • generated when a file is captured
• Malware Events
  • generated when a captured file is detected to be malware
FTD Detection Engine Logging
• When an event is generated in the detection engine, it is written to:
/ngfw/var/sf/detection_engine/<uuid>/instance-*/
# cd /ngfw/var/sf/detection_engines/4dec8fce-3f8f-11e7-b0f0-d383664b5209/instance-1/
Event Path for IPS event
/ngfw/var/sf/detection_engine/<uuid>/instance-*/snort-unified.log
> sftunnel_status
IDS Event Service:
TOTAL TRANSMITTED MESSAGES <4> for IDS Events service
RECEIVED MESSAGES <b> for service IDS Events service FMC
NGFW SEND MESSAGES <2> for IDS Events service
HALT REQUEST SEND COUNTER <0> for IDS Events service
STORED MESSAGES for IDS Events service (service 0/peer 0)
STATE <Process messages> for IDS Events service
REQUESTED FOR REMOTE <Process messages> for IDS Events service
REQUESTED FROM REMOTE <Process messages> for IDS Events service
Event Path for Malware/Connection event
/ngfw/var/sf/detection_engine/<uuid>/instance-*/
unified_events-1.log.<timestamp> -- malware
unified_events-2.log.<timestamp> -- connection
> sftunnel_status
Event Path for Network Discovery event
/ngfw/var/sf/detection_engine/<uuid>/instance-*/unified_events-2-rna.log.<timestamp>
> sftunnel_status
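The three event-path slides above all point at the same instance directory and differ only in the file name prefix, and the file suffix is a Unix epoch (the later "Mysteries of IPS events logging" slides decode one with `date -d@1497179014`). The following Python script is an added example and not Cisco's code: it classifies a directory listing of that instance directory by event family, decodes the epoch suffix the way `date` prints it, and reports the most recent file per family, which is the first thing to check when events are missing on the FMC (is the sensor still writing them locally?). The listing is constructed; the prefixes are the ones shown on the slides and the mapping of prefix to event family is taken from them.

```python
"""Classify FTD detection-engine unified log files by event family and time.

Added example, not Cisco's code. File name patterns and the prefix -> event
family mapping are the ones shown on the Event Path slides; the directory
listing below is constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

# Prefix -> event family, as described on the Event Path slides.
LOG_KINDS = {
    "snort-unified.log": "IPS (intrusion)",
    "unified_events-1.log": "malware",
    "unified_events-2.log": "connection",
    "unified_events-2-rna.log": "network discovery",
}

# <prefix>.<epoch seconds>; the optional '-rna' keeps discovery logs apart
# from the connection logs that share the 'unified_events-2' prefix.
LOG_RE = re.compile(
    r"^(?P<prefix>snort-unified\.log|unified_events-\d(?:-rna)?\.log)\.(?P<ts>\d+)$"
)

# Constructed listing of one instance-* directory (not real data); one
# unrelated file is included to show that it is ignored.
LISTING = [
    "snort-unified.log.1497179014",
    "snort-unified.log.1497100000",
    "unified_events-1.log.1497179014",
    "unified_events-2.log.1497179020",
    "unified_events-2-rna.log.1497179014",
    "sfdc.lock",
]


class LogFile(NamedTuple):
    name: str
    kind: str
    epoch: int
    written_utc: str  # same layout as 'date -d@<epoch>' prints in UTC


def classify(name: str) -> Optional[LogFile]:
    """Map one file name to its event family and write time, or None."""
    match = LOG_RE.match(name)
    if not match:
        return None
    kind = LOG_KINDS.get(match.group("prefix"))
    if kind is None:
        return None
    epoch = int(match.group("ts"))
    when = datetime.fromtimestamp(epoch, tz=timezone.utc)
    # %d is zero-padded where GNU date pads with a space; identical for day >= 10
    return LogFile(name, kind, epoch, when.strftime("%a %b %d %H:%M:%S UTC %Y"))


def latest_by_kind(names: List[str]) -> Dict[str, LogFile]:
    """Most recently written log file per event family."""
    latest: Dict[str, LogFile] = {}
    for name in names:
        entry = classify(name)
        if entry is None:
            continue
        if entry.kind not in latest or entry.epoch > latest[entry.kind].epoch:
            latest[entry.kind] = entry
    return latest


if __name__ == "__main__":
    for kind, entry in sorted(latest_by_kind(LISTING).items()):
        print(f"{kind:20s} {entry.name:40s} {entry.written_utc}")
```

If the newest file of a family is hours old while that traffic is known to be flowing, the problem is upstream of sftunnel (policy, logging settings, the detection engine itself); if the files are fresh but the FMC shows nothing, look at the `sftunnel_status` counters for that service.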
Mysteries of IPS events logging
[Diagram: IPS logging. Hosts 10.10.10.20 and 20.20.20.10 with the NGFW in between; an ICMP reply is blocked by IPS rule SID 1:408:8]
[Diagram: IPS logging. (1) The IPS event is written on the NGFW under /ngfw/var/sf/detection_engine/<uuid>/instance-*/snort-unified.log.1497179014; (2) it is sent from management0 over the secured channel (TCP 8305) to the FMC (eth0), which forwards it to the Syslog Servers]
# date -d@1497179014
Sun Jun 11 11:03:34 UTC 2017
[Diagram: IPS logging between hosts 10.10.10.20 and 20.20.20.10. IPS events leave the NGFW on management0 over the secured channel (TCP 8305) to the FMC (eth0) and on to the Syslog Servers]
Possible root cause?
IPS alerting configuration review (1)
• IPS Policy -> Advanced Settings
IPS alerting configuration review (2)
System processes review
> pmtool status
[Diagram: IPS logging. The IPS event is written on the NGFW under /ngfw/var/sf/detection_engine/<uuid>/instance-*/snort-unified.log.1497179014 and sent from management0 over the secured channel (TCP 8305) to the FMC (eth0) and on to the Syslog Servers]
# date -d@1497179014
Sun Jun 11 11:03:34 UTC 2017
Conclusion
Take the chance and drive your FTD installation to a success
• Plan your desired hardware based on capabilities and performance
• Plan your desired feature-set and functionality
• Plan your desired operations mode (there are choices)
• Plan a pilot-phase with extra timing for all operational tasks
• Upgrades/Downgrades
• Backup/Restore
• Replacement/RMA
• Practice basic troubleshooting steps
We wish you every success operating and troubleshooting your new NG-Firewall
Complete Your Online Session Evaluation for BRKSEC-3455
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Veronika Klauzova
Thank you for attending BRKSEC-3455