& Firepower-Services
“Design & Troubleshooting”
Veronika Klauzova, Firepower TAC-Engineer
Michael Vassigh, CSE Security
BRKSEC-3455
Are we there yet (VIDEO) ?
Your presenters for this journey
• Veronika Klauzova, Firepower TAC-Engineer
• Michael Vassigh, CSE Security
BRKSEC-3455 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Introduction
• Hardware-Review (and troubleshoot)
• Installation & Configuration (and troubleshoot)
• FTD Packet-Flow (and troubleshoot)
• Conclusion (and no more troubleshoot)
Abstract
• The session covers the operational and maintenance aspects of all relevant Firepower-NGFW functions, from "Installation" to "Operation" to "Troubleshooting", with a focus on interactive demonstration of the detailed topics.
• Upon successful completion of this session, the attendee will be able to:
  • describe the FTD system architecture
  • describe packet flow processing
  • perform installation and configuration of Firepower Threat Defense (FTD) and Firepower Management Center (FMC)
  • verify and troubleshoot traffic flows traversing FTD
Our goals for the next 120 minutes
• Walk you through an experience of Firepower Threat Defense
• Give you all required insights to configure your device
• Give you all required insights to troubleshoot your device
• Give you enough demos to highlight the relevant details
Other sessions you hopefully have visited
Cisco Live Berlin (Session-ID / Session Name table)
And various others on AMP, DDoS, SSL-Decryption, Snort Rules and more
Topics we will not cover today
• Your current order in CCW
• Your troubles with getting a Smart-Account
• Your current TAC-Service Request details
• Firepower 7000/8000 series
• Real-World performance
• Clustering
• Licensing
• CDO Cisco Defense Orchestrator
• Firepower Device Manager
• Advanced Malware Protection
• Remote-Access VPN
• Site-to-Site VPN
• Full roadmap details
All our material and demos are based on the following
• Firepower 4100 system
• FXOS Version 2.0(1.135)
• Firepower Threat Defense V6.1.0.1 (Released December 2016)
• Firepower Management Center V6.1.0.1 (Released December 2016)
Recent announcements
New Software Versions since January 2017 (partial list)
• FXOS V2.1(1)
  • Support for ASA V9.7.1
  • Support for FTD V6.2
  • Inter-Chassis clustering with FTD V6.2
  • NTP authentication
• FTD V6.2
  • Inter-Chassis clustering on FP4100/9300
  • Packet-Tracer & Capture UI
  • Flex-Config
  • ASA-FTD Migration tool enhanced
  • Integrated Routing & Bridging-Interface support
Hardware & Software Review
Terminology brief (terms you might find in the documentation)
Platform naming fundamentals
• Hardware Management: MC750, MC1500, MC3500, MC2000, MC4000
• Virtual Management: Firepower Management Center running on VMware, AWS and KVM
• Physical managed devices: 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350, 8360, 8370, 8390
• Virtual managed devices: NGIPSv
• Physical Firepower Threat Defense devices: ASA 5506-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X and ASA 5555-X, Firepower 9300 security appliance, Firepower 4100 series
• Virtual Firepower Threat Defense devices: Firepower Threat Defense Virtual running on VMware, AWS or KVM
What platforms can run FTD Software
Platform                   FTD Support
What platforms can not run FTD Software
Platform                   FTD Support
ASA-5580, ASA-5585X-SSP    No
Microsoft Hyper-V          No
Platform specific requirements
• All ASA-5500-X models require an SSD to be installed; beware that only newer orders ship with the SSD preinstalled
• ASA-5545-X/5555-X require 2 SSDs; again, only newer orders ship with them preinstalled
• Only Cisco SSDs are supported
• ASA models 5506-X/5508-X/5516-X need ROMMON version 1.1.8 or higher installed
• FP4100 and FP9300 require FXOS 2.0.1 or later
Firepower 4100 – closer look
Figure: Firepower 4100 front and rear views. Labelled elements: console port, MGMT port, 8 x optical SFP+ ports, 2 x optional NetMods, 2 x 2.5" SSD bays, power supplies.
Firepower 4100 vs. 9300
Specification         FP 4100                                        FP 9300
Rack space            1RU                                            3RU
Security Modules      Fixed                                          Modular
Performance           Up to 80Gbps                                   Up to 240Gbps
Port Speed Support    Up to 40Gb                                     Up to 100Gb
Positioned            Internet, WAN Edge, Campus, small and medium   Large and massively scalable DC, SP
                      sized Data Center
FTD management options
• Firepower Device Manager (aka "FDM"): on-box manager, HTML5 based WebUI, supported on ASA 5506/5508/5512/5515/5516/5525/5545/5555
Firepower Threat Defense (FTD)
• Snort NG-IPS Detection Engine
Software
Brief Software Refresher
• Firepower Management Center (FMC)
  • Is the Firepower Management Software
  • Runs on Appliance or VM
  • Supports HA mode
  • Provides 1 management option: WEB-UI
• Firepower Threat Defense (FTD)
  • Is the native NGFW code
  • Runs on Appliance or VM
  • Provides 1 management option: WEB-UI
  • Provides CLI/Shell access to the platform SW
• Firepower eXtensible Operating System (FXOS)
  • Operates the Firepower 4100/9300 chassis
  • Provides 3 management options: REST-API, CLI/Shell, WEB-UI (FCM)
FTD CLI modes
There are three CLIs to deal with in an FTD deployment on the 4100/9300:
• FXOS CLI of the chassis supervisor (prompt Lab-FP4110-A-A#)
• Boot CLI of the security module (prompt Firepower-module1>)
• FTD CLISH (prompt >)
Converged FTD CLISH
• Available over SSH on the data and management interface/s
• No switching back and forth between Firepower and ASA sub-modes
BEFORE 6.1 (ASA-style commands only from the diagnostic CLI):
> system support diagnostic-cli
firepower> enable
firepower# show cpu
Ctrl + a, then d (detach and return to CLISH)
SINCE 6.1 (converged CLISH, same command directly at the > prompt):
> show cpu
Time      CPU   %usr  %nice  %sys  %iowait  %irq  %soft  %steal  %guest  %gnice  %idle
14:32:43  all   20.46 0.00   0.19  0.00     0.00  0.00   0.00    0.00    0.00    79.35
The diagnostic CLI is still there for ASA commands that CLISH does not expose (the failover debugs later in this session are an example).
FXOS Breakout
Firepower eXtensible Operating System (FXOS)
Why a brief look at FXOS CLI
• Limited documentation as of FXOS 2.0
• No CLI Command-Reference
• Some elements are only visible in the CLI
Figure: FXOS chassis block diagram (Console-Port, Switch-Fabric)
CLI is your friend? "Beware of 'False Friends'*"
"If you give us outstanding scores, you will become a beer"
* a word that is often confused with a word in another language with a different meaning because the two words look or sound similar
FXOS interaction and navigation (CLI)
• Initial console access is mandatory for the setup
• The initial admin password is not set (console)
• Password setup is mandatory on the first login
• Strong-password enforcement is optional in the wizard (Enforced Strong Password=no in the example below); answer yes on anything that is not a lab box
• The setup wizard guides you through the minimal IP setup of the Mgmt-Interface
FXOS interaction (CLI): Setup
You have chosen to setup a new Security Appliance. Continue? (y/n): y
Switch Fabric=A
System Name=Lab-FP4110-A
Enforced Strong Password=no
Physical Switch Mgmt0 IP Address=10.0.0.11
Physical Switch Mgmt0 IP Netmask=255.255.255.0
Default Gateway=10.0.0.1
Ipv6 value=0
Apply and save the configuration (select 'no' if you want to re-enter)? (yes/no):
CLI elements and navigation
• Command modes follow a hierarchy
• EXEC-mode
• Highest level
• Default Access-Level on Console
• Branches to lower levels
• CLI-Prompt shows the path to mode hierarchy
CLI elements and objects
• Managed Objects
  • Abstract representation of physical or logical entities
  • Examples are: chassis, security-modules, firmware, licenses and more
  • Within each scope the objects represent the elements and their parameters
• Working with objects
  • create <object>: a non-existent object is created and entered for parameters (the object must not exist yet)
  • delete <object>: an existing object is deleted
  • enter <object>: the object is entered for parameters, and created first if it does not exist yet
  • scope <object>: an existing object is entered for parameters
A simple CLI example
LAB-FP4110-A-A# scope security
LAB-FP4110-A-A /security #
LAB-FP4110-A-A /security # create local-user
  WORD  User Name
LAB-FP4110-A-A /security # create local-user mvassigh
LAB-FP4110-A-A /security/local-user* #
LAB-FP4110-A-A /security/local-user* # set email mvassigh@cisco.com
LAB-FP4110-A-A /security/local-user* # set password
Enter a password: <System Interaction>
Confirm the password: <System Interaction>
LAB-FP4110-A-A /security/local-user* # show configuration pending
 +enter local-user mvassigh
 +    set account-status active
 +    set email mvassigh@cisco.com
 +    set firstname ""
 +    set lastname ""
 +!   set password <not shown but set>
 +    set phone ""
 +exit
The asterisk in the prompt marks an uncommitted transaction: nothing shown by "show configuration pending" is applied until commit-buffer is issued.
LAB-FP4110-A-A /security # show local-user mvassigh detail
Local User mvassigh:
    First Name:
    Last Name:
    Email: mvassigh@cisco.com
    Phone:
    Expiration: Never
    Password: ****
    Account status: Active
    User Roles:
        Name: read-only
    User SSH public key:
Note the default: a new account gets only the read-only role, so any additional role has to be granted explicitly.
Important "scopes" for configuration operations (1)
• security
  • Authentication
  • Local-User accounts
  • Radius
  • Tacacs
  • Trustpoints
  • Certificates
• firmware
  • Software download
  • Monitor download tasks
  • Software installation (FXOS packages only!)
• system/services
  • SSH-Server, SSH-Keys
  • HTTPS-Server and ports
  • DNS
  • NTP
  • Configuration import/export
• eth-uplink/fabric a
  • Physical interfaces
  • Port-Channel interfaces
Important „scopes“ for configuration operations(2)
fabric-interconnect a
• Local-Management-IP setting
LAB-FP4110-A-A /fabric-interconnect # show
Fabric Interconnect:
ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability
---- --------------- --------------- --------------- ---------------- ---------------- ------ -----------
A 10.0.0.11 10.0.0.1 255.255.255.0 :: :: 64 Operable
LAB-FP4110-A-A /fabric-interconnect # set out-of-band
gw Gw
ip Ip
netmask Netmask
Important „scopes“ for configuration operations(3)
eth-uplink/fabric a
• Physical external interfaces/interface-modules of Firepower chassis
LAB-4110-A-A /eth-uplink/fabric # show interface
Interface:
Port Name Port Type Admin State Oper State State Reason
--------------- ------------------ ----------- ---------------- ------------
Ethernet1/1 Data Disabled Admin Down Administratively down
Ethernet1/2 Data Enabled Up
Ethernet1/3 Data Enabled Up
Ethernet1/4 Data Enabled Up
(truncated)
Important "connect" elements (1)
• connect local-management: verify Mgmt-Port IP connectivity
Lab-FP4110-A-A(local-mgmt)# show mgmt-port
eth0      Link encap:Ethernet  HWaddr EC:BD:1D:5E:D1:DF
          inet addr:10.0.0.11  Bcast:10.0.0.255  Mask:255.255.255.0
Important "connect" elements (2)
• connect local-management: tech-support file generation with show tech-support {chassis|fprm|module} [detail]
• The tech-support output is archived to disk automatically
• Use the copy operation to move the file off the system
Lab-FP4110-A-A(local-mgmt)# show tech-support
  chassis   Chassis
  fprm      Firepower Platform Management
  module    Security Module
Lab-FP4110-A-A(local-mgmt)# copy techsupport/20170119182735_Lab-FP4110-A_FPRM.tar
  ftp:        Dest File URI
  scp:        Dest File URI
  sftp:       Dest File URI
  tftp:       Dest File URI
  usbdrive:   Dest File URI
  volatile:   Dest File URI
  workspace:  Dest File URI
Password recovery
• Worth a dry run when the hardware hits your desk
• Interrupt the boot from the console and work from rommon (which is also why console access to the chassis has to be physically controlled):
Use BREAK, ESC or CTRL+L to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
rommon 5 > dir installables/switch
Directory of: bootflash:\installables\switch
09/01/16 04:37p     35,652,608  fxos-k9-kickstart.5.0.3.N2.4.01.35.SPA
09/01/16 04:37p    250,003,850  fxos-k9-system.5.0.3.N2.4.01.35.SPA
What if you have a corrupt kickstart/system image
• For FXOS 2.0.(1)
• Open a TAC Service request
• For FXOS 2.1.(1)
• You can download them from CCO (since Feb.2017)
A few hardware troubleshoot suggestions "CLI"
• scope chassis
• show inventory psu / show inventory fan (all output truncated)
PSU   Presence   PID                 Vendor                Serial (SN)   HW Revision
----  ---------  ------------------  --------------------  ------------  -----------
1     Equipped   FPR4K-PWR-AC-1100   Cisco Systems, Inc.   PST201560AY   0
2     Missing                                                            0
Fan Modules:
    Tray 1 Module 1:
        Presence: Equipped
ID   PID         Vendor            Serial (SN)   HW Revision
---  ----------  ----------------  ------------  -----------
1    FPR4K-FAN   Cisco Systems I   JAD202808LY   0
2    FPR4K-FAN   Cisco Systems I   JAD202808LY   0
A few hardware troubleshoot suggestions "UI" / Selected troubleshoot results from "UI" (screenshots from the Firepower Chassis Manager)
Deployment Modes & Interfaces
Why you should care about deployment modes
• There are 2 distinct operative deployment options for the FTD firewall
  • Routed-Operations Mode
  • Transparent-Operations Mode (also called Bridged-Mode)
• Sub-Deployment options are
  • Cluster-Mode (9300 only; 4100 with V6.2)
  • HA/Failover-Mode
  • Passive SPAN-Mode
Mode            Interface type             Firewall mode         What happens to the packet                                       Can block?
Firewall mode   Routed                     Routed                Traffic goes through all FTD checks (Security Intelligence,      Yes
                                                                 Access Control Policy, Snort, File/AMP policy)
Firewall mode   Switched                   Transparent           Traffic goes through all FTD checks (Security Intelligence,      Yes
                                                                 Access Control Policy, Snort, File/AMP policy), but there is
                                                                 no route lookup (only MAC lookup)
IPS-only mode   Passive                    Routed/Transparent    A copy of the packet (SPAN) goes through the NGIPS checks        No
IPS-only mode   Passive (ERSPAN)           Routed                A copy of the packet (ERSPAN) goes through the NGIPS checks      No
IPS-only mode   IPS-only Inline Set        Routed/Transparent    The packet goes through the NGIPS checks                         Yes
IPS-only mode   IPS-only Inline Set,       Routed/Transparent    The packet is sent through FTD and a copy of it goes through     No
                tap mode                                         the NGIPS checks
FTD Interfaces general (1)
Table: Chassis type (Firepower 4100) | Interface creation | Interface physical operation | Interface IP & operation
FTD Interfaces general (2)
Table: Chassis type (Firepower 4100) | Interface creation | Interface physical operation | Interface operation
FTD Diagnostic vs. Management Interface
• Since FTD v6.1 there are 2 specialized interfaces on FTD
                      Management Interface           Diagnostic Interface
FTD Operations        Mandatory                      Optional
Access Restrictions   configure ssh access-lists     FMC UI: Devices > Platform Settings
FTD Syslog setup (ASA logs)
• Create the Syslog-Server object in the FMC
• Enable syslog in the platform settings
Reminder: no need for a diagnostic interface IP; syslog is sourced from the named data interface
FTD syslog troubleshoot
• FTD CLISH
> show running-config logging
logging enable
logging timestamp
logging trap critical
logging host INSIDE 172.16.1.100
> show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level critical, facility 20, 0 messages logged
        Logging to INSIDE 172.16.1.100
Two things to read from this output: the trap level is "critical", so only severity 0-2 messages are sent (connection, ACL and most troubleshooting messages are severity 6, informational, and will never reach the server), and "0 messages logged" confirms that nothing has been sent yet, so check reachability of 172.16.1.100 from the INSIDE interface before blaming the collector.
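To make those two checks repeatable across many devices, here is an added Python example (not from the session and not Cisco code) that parses "show logging" output and reports the classic reasons a collector stays empty. The SAMPLE string is the output from the slide above, embedded as constructed input; the severity ordering is the standard ASA/FTD syslog ordering.

```python
"""Check FTD 'show logging' output for the reasons a syslog collector stays empty.

Added example, not from the session: parse_show_logging() reads the CLISH output
and check_syslog() reports findings. SAMPLE is the output from the slide, embedded
here as a constructed string.
"""
import re

# ASA/FTD syslog severities from most to least severe (0 = emergencies, 7 = debugging).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

SAMPLE = """\
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Hide Username logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level critical, facility 20, 0 messages logged
        Logging to INSIDE 172.16.1.100
"""


def parse_show_logging(text):
    """Return the fields that matter: global enable, trap level/count, syslog hosts."""
    info = {"enabled": False, "trap_level": None, "trap_count": None, "hosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Syslog logging:"):
            info["enabled"] = line.endswith("enabled")
            continue
        m = re.match(r"Trap logging: level (\w+), facility \d+, (\d+) messages logged", line)
        if m:
            info["trap_level"], info["trap_count"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"Logging to (\S+) (\S+)", line)
        if m:
            info["hosts"].append((m.group(1), m.group(2)))  # (interface, server)
    return info


def check_syslog(info, needed_level="informational"):
    """List the problems; an empty list means messages of needed_level can reach a host."""
    findings = []
    if not info["enabled"]:
        findings.append("syslog is globally disabled ('logging enable' missing)")
    if not info["hosts"]:
        findings.append("no 'logging host' configured")
    if info["trap_level"] is None:
        findings.append("no 'logging trap' level configured")
    elif SEVERITIES.index(info["trap_level"]) < SEVERITIES.index(needed_level):
        findings.append(
            f"trap level '{info['trap_level']}' suppresses '{needed_level}' messages "
            "(connection and ACL logs are severity 6, informational)")
    if info["trap_count"] == 0:
        findings.append("0 messages logged: nothing has left the box yet, check "
                        "reachability of the host from the named interface")
    return findings


if __name__ == "__main__":
    for finding in check_syslog(parse_show_logging(SAMPLE)):
        print("-", finding)
```

Run against the slide's output it reports exactly the two findings discussed above; feed it the output of a box configured with "logging trap informational" that has already sent messages and it returns an empty list.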
Licensing (Really?)
Classic vs. Smart Licensing
• Classic Licensing
  • Manual PAK registration needed for each device to unlock the license key
  • Limited view: customers do not know what they own
  • Licenses tied to a License-Key / to one device only
• Smart Licensing
  • Enterprise-wide / complete visibility (software, licenses, devices in one portal)
  • License token not tied to a License-Key: flexible licensing across all devices
  • Smart account is mandatory
  • User access control
Smart Licensing prerequisites
• FMC must be able to reach the Cisco Smart Licensing cloud server by hostname; verify the DNS settings
• Ensure that the NTP daemon is running on the FMC (validating the licensing server's certificate depends on correct time)
• The user needs an account with CSSM (Cisco Smart Software Manager): https://software.cisco.com
Apply Smart Licenses
1. Obtain a product instance registration token from CSSM (Cisco Smart Software Manager)
2. Register the Unified Manager (FMC) to CSSM
3. Register the NGFW/FTD devices to the Unified Manager
4. Apply/Remove Smart Licenses
Firepower Management Center (quick look)
Smart Licensing
• Firepower Threat Defense uses ONLY Smart Licensing. Other products (Firepower 7000/8000 series appliances or Firepower Services modules) still use Classic Licensing.
• Controlled through FMC, which restricts what features can be configured per device. Without a license FMC cannot deploy policy or receive events.
• Existing ASA classic licensing is not used.
• Evaluation mode is possible using the built-in 90-day evaluation period. It has a start and an end date; renewal is required for continued entitlement.
• Purchased licenses are added to the Smart Account automatically.
• Equivalent licenses must be purchased for HA devices.
Smart Licensing: license features
Table: License feature | Description | License type
Troubleshooting scenario
KSEC-FPR4100-4-A# show license all
Smart Licensing is ENABLED
Registration:
  Status: UNREGISTERED - REGISTRATION FAILED
  Export-Controlled Functionality: Not Allowed
  Initial Registration: FAILED on Jan 11 12:24:30 2017 UTC
    Failure reason: Failed to authenticate server
KSEC-FPR4100-4-A# scope security
KSEC-FPR4100-4-A /security # show trustpoint
KSEC-FPR4100-4-A /security #
Trustpoint is EMPTY!
KSEC-FPR4100-4-A /security # create trustpoint CHdefault
KSEC-FPR4100-4-A /security/trustpoint* # set certchain
Enter lines one at a time. Enter ENDOFBUF to finish.
Press ^C to abort.
Trustpoint Certificate Chain:
>MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
>yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
>ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
>U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
>ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
>aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
>MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
>ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
>biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
>U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
>aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
>nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
>t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
>SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
>BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
>rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
>NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
>BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
(truncated)
"Failed to authenticate server" together with an empty trustpoint means the chassis has no CA certificate with which to validate the TLS certificate of the Smart Licensing server, so registration is refused. The fix shown above is to create a trustpoint and paste the CA chain that signs the licensing server's certificate (a VeriSign root in this example); finish with ENDOFBUF, commit-buffer, and retry the registration. Paste only a CA chain you have verified out of band: whatever goes into this trustpoint becomes a root of trust for the chassis.
Biggest case creator for "Smart-Licensing" will be solved
• Firepower Management Center bypassing the proxy configuration for Smart-Licensing
• Bug was present in V6.0, 6.0.1, 6.1, 6.1.0.1
• Bug has been verified to be fixed in V6.2 on a fresh install
• Bugfix will be available in V6.1.0.2 (latest maintenance release from 8 Feb 2017)
• We are expecting confirmation from many of you
Installation and Configuration
Brief installation steps on Firepower 4100 series
Configure FTD Data & Management Interfaces
Adding interfaces for the application module
Four things to remember on interfaces
• The Mgmt-Interface is created but will not be selectable later; the assignment happens automatically for the logical device
• The Event-Monitoring interface is optional and was newly introduced in V6.x, to allow separation of events and diagnostics versus configuration traffic for FMC-Appliance and Firepower-Devices (FP4100/FP9300/FP8000)
• Port-Channel interfaces are configured but forced into "suspend" mode; they only come up once the logical device that owns them is running
• VLAN-Sub-Interfaces are created on the logical device only
Interface-Special Port-Channel
FTD installation on 4100 (1)
FTD installation on 4100 (2)
FTD installation on 4100 (working hard)
FTD installation on 4100 (working harder)
FTD Installation "Local Console" monitoring
Lab-FP4110-A-A /ssa/slot # connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
(output truncated)
FTD installation on 4100 (finished)
A quick few things to check via CLI
LAB-4110-A-A /ssa/logical-device # show expand | begin IP
IP v4:
Slot ID Management Sub Type IP Address Netmask Gateway Last Updated Timestamp
---------- ------------------- --------------- --------------- --------------- ----------------------
1 Firepower 10.0.0.12 255.255.255.0 10.0.0.1 2017-01-23T19:10:28.260
Bootstrap Key:
Key Value Last Updated Timestamp
---------- ---------- ----------------------
DNS_SERVERS (truncated)
128.107.212.175
FIREPOWER_MANAGER_IP
10.0.0.50
FIREWALL_MODE
routed
FQDN ftd1.example.com
A quick few things to verify via CLI
LAB-4110-A-A /eth-uplink/fabric # show port-channel expand
Port Channel:
Port Channel Id: 10
Name: Port-channel10
Port Type: Data
Admin State: Enabled
Oper State: Up
State Reason:
Member Port:
Port Name Membership Oper State State Reason
--------------- ------------------ ---------------- ------------
Ethernet1/4 Up Up
Port Channel Id: 11
Name: Port-channel11
Port Type: Data
Admin State: Enabled
Oper State: Up
State Reason:
Member Port:
Port Name Membership Oper State State Reason
--------------- ------------------ ---------------- ------------
Ethernet1/2 Up Up
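Reading "show port-channel expand" by eye is fine for two port-channels; for a chassis full of them it is worth a script. The following is an added Python example (not from the session and not Cisco code) that parses that output and flags any port-channel or member that is not Enabled/Up; the SAMPLE string is the slide output above, constructed here as input, and a "Suspended" member is what you would see while no logical device owns the port-channel yet.

```python
"""Verify FXOS 'show port-channel expand' output: every port-channel and every
member must be Up before the logical device can use it.

Added example, not from the session. SAMPLE is the slide output, constructed here
as a string; a suspended member is what you see while no logical device owns the
port-channel yet.
"""
import re

SAMPLE = """\
Port Channel:
    Port Channel Id: 10
    Name: Port-channel10
    Port Type: Data
    Admin State: Enabled
    Oper State: Up
    State Reason:
    Member Port:
        Port Name       Membership         Oper State       State Reason
        --------------- ------------------ ---------------- ------------
        Ethernet1/4     Up                 Up

    Port Channel Id: 11
    Name: Port-channel11
    Port Type: Data
    Admin State: Enabled
    Oper State: Up
    State Reason:
    Member Port:
        Port Name       Membership         Oper State       State Reason
        --------------- ------------------ ---------------- ------------
        Ethernet1/2     Up                 Up
"""

# "label in the output" -> key in the parsed dictionary
FIELDS = {"Name": "name", "Port Type": "type", "Admin State": "admin",
          "Oper State": "oper", "State Reason": "reason"}


def parse_port_channels(text):
    """Return {id: {name, type, admin, oper, reason, members: [(port, membership, oper, reason)]}}."""
    channels, cur, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Port Channel Id: (\d+)$", line)
        if m:
            cur = channels.setdefault(int(m.group(1)), {"members": []})
            in_members = False
            continue
        if cur is None:
            continue
        if line.startswith("Member Port:"):
            in_members = True
            continue
        if in_members:
            if line.startswith("Ethernet"):       # member rows only; header and dashes are skipped
                parts = line.split()
                cur["members"].append((parts[0], parts[1], parts[2], " ".join(parts[3:])))
            continue
        for label, field in FIELDS.items():
            if line.startswith(label + ":"):
                cur[field] = line.split(":", 1)[1].strip()
    return channels


def check_port_channels(channels):
    """Return one finding per port-channel or member that is not Enabled/Up."""
    findings = []
    for pc_id, pc in sorted(channels.items()):
        name = pc.get("name", f"Port-channel{pc_id}")
        if pc.get("admin") != "Enabled":
            findings.append(f"{name}: admin state is {pc.get('admin')}")
        if pc.get("oper") != "Up":
            findings.append(f"{name}: oper state is {pc.get('oper')} {pc.get('reason', '')}".rstrip())
        if not pc["members"]:
            findings.append(f"{name}: no member ports")
        for port, membership, oper, reason in pc["members"]:
            if membership != "Up" or oper != "Up":
                findings.append(f"{name}: member {port} membership={membership} oper={oper} {reason}".rstrip())
    return findings


if __name__ == "__main__":
    print(check_port_channels(parse_port_channels(SAMPLE)) or "all port-channels and members Up")
```

Paste the output of a freshly deployed chassis into SAMPLE and the member lines tell you immediately which cable or LACP partner to look at.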
Time for some connectivity checks (???)
(screenshots of the connectivity checks from the FMC UI)
Experts use CLI (1)
Lab-FP4110-A-A# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
CISCO Serial Over LAN:
Close Network Connection to Exit
Firepower-module1>connect ftd
Connecting to ftd console... enter exit to return to bootCLI
>ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
No route to host 10.0.0.1
Success rate is 0 percent (0/1)
10.0.0.1 is our default gateway, so why "No route to host"? A plain ping at the CLISH prompt is sent by the data plane, which has no routes yet; it does not use the management interface.
Experts use CLI (2)
> show route
> show ip
System IP Addresses:
Interface   Name   IP address   Subnet mask   Method
Current IP Addresses:
Interface   Name   IP address   Subnet mask   Method
(no entries: the data interfaces have no IP configuration yet)
Experts use CLI (3)
> show interface
A real expert?
"Experts, beware of False Friends"
> show network
===============[ System Information ]===============
Hostname                : ftd1.example.com
DNS Servers             : 128.107.212.175
Management port         : 8305
IPv4 Default route
  Gateway               : 10.0.0.1
==================[ management0 ]===================
State                   : Enabled
Channels                : Management & Events
Mode                    : Non-Autonegotiation
MDI/MDIX                : Auto/MDIX
MTU                     : 9000
MAC Address             : EC:BD:1D:5E:D1:FF
----------------------[ IPv4 ]----------------------
Configuration           : Manual
Address                 : 10.0.0.12
Netmask                 : 255.255.255.0
Broadcast               : 10.0.0.255
> ping
  tcp        Test connection over TCP
  system     Test connectivity from the FTD management interface
  interface  interface
  Hostname   hostname or A.B.C.D or X:X:X:X::X
> ping system 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.366 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.357 ms
> traceroute
  system     Find route to remote network through FTD management interface
Backup and Restore
Backup and Restore (really?)
Backup and Restore Guidelines
• Bootstrap the supervisor module IP settings
• Register Smart-Licensing
• Platform hardware and software version should (must) match
• The same network modules must be installed
• The application software packages must be installed
• The Logical-Device EULA must be accepted (at the latest after the restore)
High Availability FTD Device
FTD HA-Configuration (1)
FTD HA-Configuration (2)
• You can share one interface for the HA (failover) link and the State link
• Beware: the HA configuration starts immediately, there is no Deploy phase
Basic Failover-Configuration verification on CLI
> show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             11:31:59 CET Feb 14 2017

====Configuration State===
====Communication State===
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (truncated)
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
The exclamation marks are your friend: they are the progress indicator of the configuration replication to the mate.
Once replication has finished:
> show failover state
====Configuration State===
        Sync Done
====Communication State===
        Mac set
Think in columns, and don't panic: the "Failed / Comm Failure" line on the first output is what you see while the mate is still being synchronised.
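Because the output really does have to be read in columns, a small parser helps when you want to poll the pair from a script. This is an added Python example (not from the session and not Cisco code): BROKEN is the first output above, embedded as a constructed string; HEALTHY is a constructed sample that combines a normal host section (the "Standby Ready" state is assumed for the mate) with the "Sync Done" / "Mac set" lines from the second output.

```python
"""Decide from FTD 'show failover state' whether the HA pair is healthy.

Added example, not from the session. BROKEN is the output of the first slide
(mate failed with 'Comm Failure', no sync yet); HEALTHY is a constructed sample
that combines a normal host section with the 'Sync Done' / 'Mac set' lines shown
on the second slide.
"""
import re

BROKEN = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             11:31:59 CET Feb 14 2017

====Configuration State===
====Communication State===
"""

HEALTHY = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""


def parse_failover_state(text):
    """Read the per-host columns and the two trailing state sections."""
    result = {"this": {}, "other": {}, "config_state": None, "comm_state": None}
    unit, section = None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("This host") or s.startswith("Other host"):
            unit = "this" if s.startswith("This") else "other"
            result[unit]["role"] = s.split("-", 1)[1].strip()
            continue
        if s.startswith("====Configuration State"):
            unit, section = None, "config_state"
            continue
        if s.startswith("====Communication State"):
            unit, section = None, "comm_state"
            continue
        if not s:
            continue
        if section:
            result[section] = s
        elif unit and "state" not in result[unit]:
            # Columns are separated by runs of spaces: State | Last Failure Reason | Date/Time
            cols = re.split(r"\s{2,}", s)
            result[unit]["state"] = cols[0]
            result[unit]["last_failure"] = cols[1] if len(cols) > 1 else ""
            result[unit]["when"] = cols[2] if len(cols) > 2 else ""
    return result


def failover_problems(state):
    """Return the reasons the pair is not healthy (an empty list means healthy)."""
    problems = []
    if "Active" not in (state["this"].get("state"), state["other"].get("state")):
        problems.append("no unit is Active")
    for name in ("this", "other"):
        u = state[name]
        if u.get("state") == "Failed":
            problems.append(f"{name} host ({u.get('role')}) Failed: {u.get('last_failure')} at {u.get('when')}")
    if state["config_state"] != "Sync Done":
        problems.append(f"configuration not synchronised (state: {state['config_state']})")
    if state["comm_state"] != "Mac set":
        problems.append(f"failover communication not established (state: {state['comm_state']})")
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(name, failover_problems(parse_failover_state(text)) or "OK")
```

The first output yields three problems (the mate is Failed with "Comm Failure", and neither state section has been reached yet); the second yields none.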
Failover Troubleshooting on FMC-UI
• Verify the counters
Breaking Failover is safe
• It maintains full operations on the Active-Unit
• The Standby-Unit loses its failover and interface configuration
> show ip
System IP Addresses:
Interface          Name      IP address    Subnet mask      Method
Port-channel10.1   Outside   10.40.0.1     255.255.255.0    manual
Port-channel10.2   Inside    10.41.0.1     255.255.255.0    manual
Port-channel11     FOVER     172.16.1.1    255.255.255.0    unset
Current IP Addresses:
Interface          Name      IP address    Subnet mask      Method
Port-channel11     FOVER     172.16.1.2    255.255.255.0    unset
Verification on the StandBy-unit
> show ip
System IP Addresses:
Current IP Addresses:
(both tables are empty after the failover break)
FTD HA information not synchronized (partial list)
• Sessions inside plaintext tunnels (GRE, IPinIP encapsulated traffic)
• TLS decrypted sessions: Decrypt/Resign and Known-Keys sessions are blocked with reset
• DHCP-Server
• Multicast-Routing
• Management-Connections to the FTD-Device (HTTPS/SSH)
Failover Troubleshooting CLI (need TAC for debugs)
> system support diagnostic-cli
firepower> en
Password:
firepower# debug fover ?
firepower# debug fover ifc
fover event trace on
firepower# fover_health_monitoring_thread: ifc_check() group: 0, - time = 8492170
fover_health_monitoring_thread: ifc_check() group: 0, - time = 8494670
fover_health_monitoring_thread: ifc_check() group: 0, - time = 8497170
High-Availability Update Demo
Ready to go
Our first configuration demo
Advanced troubleshoot option Packet-Tracer
> packet-tracer input Inside tcp 10.41.0.10 1023 10.40.0.10 22
... (output omitted) ...
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ remark rule-id 268435458: RULE: MV-ICMP-Prefilter
Additional Information:
Troubleshoot on FTD-CLI
> show access-list
ASA to FTD Migration Demo
FTD Troubleshooting tools
Process Management
> pmtool
pmtool subcommands: status, disablebyid, disablebytype, enablebyid, enablebytype, restartbyid, restartbytype
Show status of processes:
# pmtool status
# sudo pmtool disablebyid SFDataCorrelator
You should see that the process is in User Disabled state:
# pmtool status | grep SFDataCorrelator
# sudo pmtool enablebyid SFDataCorrelator
Verify that the process is running and make sure that the process ID matches between 'pmtool' and 'ps':
# sudo pmtool status | grep SFDataCorrelator
# ps aux | grep <PID>
Restart all detection engine / Snort instances:
# pmtool restartbytype snort
Important note: restartbyid for Snort would restart only one instance.
# tail -f /var/log/messages
Functionality Of Some FTD Processes
snort                 inspects network traffic (pass, block and alert)
ids_event_processor   sends intrusion events to the managing device (FMC)
ids_event_alerter     sends intrusion events to a Syslog or SNMP server
wdt-util              used for fail-to-wire / hardware bypass
SFDataCorrelator      processing events
sftunnel              secure tunnel between managed device and FMC
diskmanager           managing disk space; the Pruner cleans up old files
ntpd                  responsible for time synchronization
snmpd                 SNMP monitoring
pm (process manager)  responsible for launching and monitoring all FTD-relevant processes and restarting them in case of failure
Troubleshooting File
Generate troubleshooting file over CLISH and ROOT CLI:
>system generate-troubleshoot all
#/usr/local/sf/bin/sf_troubleshoot.pl ALL
Storage of troubleshooting files:
Firepower: /var/common/ vs. FTD: /ngfw/var/common/
/ngfw/var/common/results-01-19-2017--214641.tar.gz
FTD V6.1 Troubleshooting Enhancements
• File download tool
• Threat Defense CLI tools
• packet-tracer
• show
• ping
• traceroute
FXOS Capture: Quick option (1)
• Apply a reasonable Traffic-Filter
• Focus just on physical Ingress-Egress port
FXOS Capture: Quick option(2)
• Download your capture and filter in wireshark
ASA/LINA Packet Capture - The Wires Never Lie!
firepower# cap in interface INSIDE match icmp any any trace detail
firepower# cap out interface OUTSIDE match icmp any any trace detail
firepower# sh cap
capture in type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
match icmp any any
capture out type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]
match icmp any any
capture asp type asp-drop all buffer 33554432 [Capturing - 114 bytes]
FP/Snort Capture - The Wires Never Lie! (1)
> capture-traffic
Please choose domain to capture traffic from:
0 - management0
1 - Router
Selection? 1
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: icmp
23:07:21.619642 IP 172.16.1.17 > 20.20.20.100: ICMP echo request, id 24538, seq 1, length 64
FP/Snort Capture - The Wires Never Lie! (2)
> capture-traffic
Options: -v -n -e (icmp and host 172.16.2.11) or (vlan and icmp and host 172.16.2.11)
12:02:43.949535 00:50:56:b6:0b:33 > 58:97:bd:b9:73:ee, ethertype 802.1Q (0x8100), length 78: vlan 208, p 0,
ethertype IPv4, (tos 0x0, ttl 128, id 5366, offset 0, flags [none], proto ICMP (1), length 60)
[Diagram: IN (firepower# sh cap inside) -> SNORT (capture-traffic) -> OUT (firepower# sh cap outside)]
Correct Access Control Rule Being Evaluated?
• The NGFW debug (system support firewall-engine-debug) shows the Access Control Rule evaluation for each flow as packets are received, in real time.
• The NGFW debug needs at least one filtering condition (for example a client IP or a protocol) before it starts.
Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================      <- AC Rule Name (slide callout)
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 10
Variable Set : Default-Set
... (output omitted) ...
Re-running the command while the test traffic flows shows the counter moving: on the three consecutive slides Rule Hits went 10 -> 16 -> 22.
Access Control Policy Rule Hit Counters - GUI
Your "custom" connection events view in FMC:
1. Analysis -> Custom -> Custom Workflows -> Create Custom Workflow and use Table "Connection Events"
2. Add page and fill in fields like: "Access Control Policy", "Access Control Rule", "Count", "Initiator IP", "Responder IP"
3. Add Table view
Access Control Policy Rule Hit Counters - NGFW debugs and GUI
FTD NGFW debugs:
172.16.2.25-8 > 20.20.20.11-0 1 AS 1 I 47 using HW or preset
rule order 3, 'DNS and icmp', action Trust and prefilter rule 0
> show access-control-config
==== [ CL-ACP-2017-FINAL ]===
…(output omitted)
------[ Rule: DNS and icmp ]------
Action : Allow
Destination Ports : protocol 6, port 53
                    protocol 17, port 53
                    protocol 1
                    protocol 6, port 80
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Enabled
Rule Hits : 28
Variable Set : Default-Set
… (output omitted)
FMC GUI: Analysis -> Connection events -> "switch workflows" and select your newly created workflow "ACP rule hitcounters"
Tracing Packets
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit icmp any any echo rule-id 268436992
access-list CSM_FW_ACL_ remark rule-id 268436992: ACCESS POLICY: ciscolive - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268436992: L7 RULE: icmp allow only
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x7f0c2e933260, priority=12, domain=permit, deny=false
hits=200, user_data=0x7f08c343bd80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
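Reading a long packet-tracer output by hand means hunting for the first DROP phase and the rule-id remarks next to it. The parser below is an added example, not Cisco tooling or part of the session: it splits the output into phases, picks the deciding phase, pulls the rule-id together with its PREFILTER POLICY / ACCESS POLICY / RULE remarks (the same remark format the "Advanced troubleshoot option Packet-Tracer" slide shows) and reports whether LINA handed the packet to Snort. Both samples are constructed around the two phase-3 blocks on the slides; the surrounding phase 1 and the trailing Result block with its Drop-reason are assumed to look like standard ASA packet-tracer output.

```python
import re
from typing import Any, Dict, List

# Constructed sample around the slide's Phase 3 (SSH denied by the prefilter
# rule); phase 1 and the final Result block are assumed typical packet-tracer
# output and are not from the slides.
TRACE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.40.0.10 using egress ifc  Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ remark rule-id 268435458: RULE: MV-ICMP-Prefilter
Additional Information:

Result:
input-interface: Inside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed excerpt of the 'Tracing Packets' slide (ICMP allowed, sent to Snort).
TRACE_ALLOW = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit icmp any any echo rule-id 268436992
access-list CSM_FW_ACL_ remark rule-id 268436992: ACCESS POLICY: ciscolive - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268436992: L7 RULE: icmp allow only
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
"""

PHASE_RE = re.compile(r"^Phase:[ \t]*(\d+)[ \t]*$", re.M)
RULE_ID_RE = re.compile(r"rule-id (\d+)")
REMARK_RE = re.compile(r"remark rule-id \d+: (PREFILTER POLICY|ACCESS POLICY|L7 RULE|RULE): (.+)$")


def parse_phases(text: str) -> List[Dict[str, Any]]:
    """One dict per 'Phase: n' block: type/subtype/result plus the Config and
    Additional Information lines.  Stops at the bare 'Result:' trailer."""
    parts = PHASE_RE.split(text)            # ['', '1', body1, '3', body3, ...]
    phases: List[Dict[str, Any]] = []
    for num, body in zip(parts[1::2], parts[2::2]):
        phase: Dict[str, Any] = {"phase": int(num), "config": [], "info": []}
        bucket = None
        for line in body.splitlines():
            if line.strip() == "Result:":
                break
            if not line.strip():
                continue
            if line.startswith("Config:"):
                bucket = "config"
            elif line.startswith("Additional Information:"):
                bucket = "info"
            elif bucket is None:
                key, _, val = line.partition(":")
                phase[key.strip().lower()] = val.strip()
            else:
                phase[bucket].append(line.rstrip())
        phases.append(phase)
    return phases


def parse_trailer(text: str) -> Dict[str, str]:
    """The final 'Result:' block (interfaces, Action, Drop-reason), if present."""
    _, sep, tail = text.partition("\nResult:\n")
    out: Dict[str, str] = {}
    if sep:
        for line in tail.splitlines():
            key, colon, val = line.partition(":")
            if colon and val.strip():
                out[key.strip()] = val.strip()
    return out


def summarize_trace(text: str) -> Dict[str, Any]:
    """Which phase decided the packet's fate, which FMC rule it came from, and
    whether LINA handed the packet to Snort at all."""
    phases = parse_phases(text)
    drops = [p for p in phases if p.get("result") == "DROP"]
    decider = drops[0] if drops else (phases[-1] if phases else {})
    summary: Dict[str, Any] = {
        "verdict": "DROP" if drops else decider.get("result"),
        "phase": decider.get("phase"), "type": decider.get("type"),
        "rule_id": None, "policy": None, "rule": None,
        "to_snort": any("sent to snort" in l.lower() for p in phases for l in p["info"]),
        "drop_reason": parse_trailer(text).get("Drop-reason"),
    }
    for line in decider.get("config", []):
        m = RULE_ID_RE.search(line)
        if m and summary["rule_id"] is None:
            summary["rule_id"] = int(m.group(1))
        r = REMARK_RE.search(line)
        if r:
            summary["policy" if "POLICY" in r.group(1) else "rule"] = r.group(2).strip()
    return summary
```

The rule-id in the summary is the one to search for in the FMC policy and on the Snort side; a DROP inside LINA with to_snort False tells you immediately that no connection or intrusion event can exist for that flow.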
You can operate and troubleshoot
the NG-Firewall with confidence
FTD Packet-Flow
Packet processing – before we 'enter' the ASA/LINA
[Diagram: front-panel ports (8x 10Gbps) and network modules NM 1 / NM 2 feeding the Security Engine (ASA or FTD)]
[Diagram: FTD packet-processing pipeline. ASA/LINA: Ingress Interface RX -> Existing Conn? (YES: straight on to DAQ; NO: Pre-Filter, VPN Decrypt, L3/L4 ACL checks) -> DAQ -> Snort / FirePOWER (SI DNS/URL, Identity, Advanced) -> back in ASA/LINA: ALG, NAT, Egress Interface, L3/L2 hops, QoS, VPN Encrypt -> TX]
firepower# sh int eth 1/7
Interface Ethernet1/7 "INSIDE", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 1000 usec
  MAC address 5897.bdb9.73ee, MTU 1500
  IP address 172.16.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "INSIDE":
    180 packets input, 14853 bytes
    155 packets output, 12628 bytes
    25 packets dropped             <- number of packets dropped in ASP, see 'show asp drop'
  1 minute input rate 1 pkts/sec, 94 bytes/sec
  1 minute output rate 1 pkts/sec, 85 bytes/sec
  1 minute drop rate, 0 pkts/sec
High-level information about packet counters in and out of the box, on a per-context basis:
firepower# clear count
firepower# show count
Packet rate in and out on a per-interface basis:
firepower# clear traffic
firepower# show traffic
Packet processing: existing connection check
• The ASA/LINA part first checks whether the packet belongs to an existing flow.
• If the packet is part of an already established flow, the appliance skips the basic checks, processes the packet in the Fast-Path and continues with the checks at the DAQ level.
Packet processing: L3/L4 ACL check (5-TUPLE). The same rule-id ties the FMC rule, the ASA/LINA ACL entry and the Snort rule together:
ASA/LINA:
firepower# show access-list | i icmp
access-list CSM_FW_ACL_ line 9 remark rule-id 268441864: L7 RULE: icmp traffic
access-list CSM_FW_ACL_ line 10 advanced permit icmp any any rule-id 268441864 (hitcnt=335) 0xa2dc10fa
FirePOWER (Snort):
root@ftd:/var/sf/detection_engines/ae4faffe-d1b2-11e6-8ea4-817d227fa40c# cat ngfw.rules | grep 268441864
268441864 fastpath any any any any any any any 1 (log dcforward both)
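The rule-id is the key that ties the FMC rule, the LINA ACL entry and the ngfw.rules line together, and the counters on the earlier "Access Control Policy Rule Hit Counters" slides only mean something as the difference between two snapshots taken while the test traffic runs. The following added example (not from the session) does both jobs: it parses two 'show access-list' snapshots and an ngfw.rules excerpt, reports the hit delta per rule-id and lists both sides' actions next to the FMC policy and rule names from the remarks. The snapshots are constructed from the two rule-ids shown on the slides (hit counts and the trailing hashes are invented); for ngfw.rules only the leading id and action are interpreted, the layout of the remaining columns is an assumption and is kept as an opaque string.

```python
import re
from typing import Any, Dict, List

# Constructed snapshots of 'show access-list', built from the two rule-ids shown
# on the slides (hitcnt values and the trailing hashes are made up).
ACL_BEFORE = """\
access-list CSM_FW_ACL_ line 9 remark rule-id 268441864: L7 RULE: icmp traffic
access-list CSM_FW_ACL_ line 10 advanced permit icmp any any rule-id 268441864 (hitcnt=335) 0xa2dc10fa
access-list CSM_FW_ACL_ line 11 remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 12 remark rule-id 268435458: RULE: MV-ICMP-Prefilter
access-list CSM_FW_ACL_ line 13 advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start (hitcnt=12) 0x1c2d3e4f
"""
ACL_AFTER = ACL_BEFORE.replace("(hitcnt=335)", "(hitcnt=341)")

# Constructed excerpt of ngfw.rules: the slide's line for 268441864 plus one more.
# Only the leading id and action are interpreted; the remaining columns are kept
# as an opaque string (assumption: their layout is not documented on the slides).
NGFW_RULES = """\
# constructed excerpt of /var/sf/detection_engines/<uuid>/ngfw.rules
268441864 fastpath any any any any any any any 1 (log dcforward both)
268436992 allow any any any any any any any 1 (log dcforward both)
"""

ACL_ENTRY_RE = re.compile(r"^access-list \S+ line (\d+) advanced (permit|deny) (\S+) .*?rule-id (\d+)")
ACL_REMARK_RE = re.compile(r"^access-list \S+ line \d+ remark rule-id (\d+): ([A-Z0-9 ]+?): (.+)$")
HITCNT_RE = re.compile(r"\(hitcnt=(\d+)\)")
NGFW_RE = re.compile(r"^(\d+) (\S+) (.*?)(?: \((.*)\))?$")


def parse_access_list(text: str) -> Dict[int, Dict[str, Any]]:
    """rule-id -> LINA ACL entry (action, protocol, hitcnt) plus the FMC remarks."""
    rules: Dict[int, Dict[str, Any]] = {}
    for line in text.splitlines():
        m = ACL_ENTRY_RE.match(line)
        if m:
            hit = HITCNT_RE.search(line)
            entry = rules.setdefault(int(m.group(4)), {"remarks": {}})
            entry.update(line=int(m.group(1)), action=m.group(2), proto=m.group(3),
                         hitcnt=int(hit.group(1)) if hit else None)
            continue
        r = ACL_REMARK_RE.match(line)
        if r:
            rules.setdefault(int(r.group(1)), {"remarks": {}})["remarks"][r.group(2)] = r.group(3).strip()
    return rules


def parse_ngfw_rules(text: str) -> Dict[int, Dict[str, str]]:
    """rule-id -> Snort-side action, match columns and option string from ngfw.rules."""
    out: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        m = NGFW_RE.match(line)
        if m and not line.startswith("#"):
            out[int(m.group(1))] = {"action": m.group(2), "match": m.group(3),
                                    "options": m.group(4) or ""}
    return out


def correlate(acl: Dict[int, Dict[str, Any]], ngfw: Dict[int, Dict[str, str]]) -> List[Dict[str, Any]]:
    """One row per rule-id joining both sides.  A LINA 'deny' is final: such a
    flow is dropped before DAQ and never reaches Snort, whatever ngfw.rules says."""
    rows = []
    for rid, e in sorted(acl.items()):
        rem, snort = e["remarks"], ngfw.get(rid)
        rows.append({
            "rule_id": rid,
            "policy": rem.get("ACCESS POLICY") or rem.get("PREFILTER POLICY"),
            "rule": rem.get("L7 RULE") or rem.get("RULE"),
            "lina_action": e.get("action"), "hitcnt": e.get("hitcnt"),
            "snort_action": snort["action"] if snort else None,
            "has_snort_rule": snort is not None,
        })
    return rows


def hit_delta(before: Dict[int, Dict[str, Any]], after: Dict[int, Dict[str, Any]]) -> Dict[int, int]:
    """Hit-counter movement between two snapshots: the rule being evaluated is the
    one whose counter moves while the test traffic runs."""
    return {rid: after[rid]["hitcnt"] - before[rid]["hitcnt"]
            for rid in after if rid in before
            and before[rid].get("hitcnt") is not None
            and after[rid].get("hitcnt") is not None}
```

Take the first snapshot, run the test traffic, take the second, and the rule whose delta is non-zero is the one LINA actually matched; its row then tells you whether there is a Snort rule with the same id at all.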
Packet processing: Security Intelligence (SI) lists as downloaded to the sensor
root@firepower:/Volume/home/admin# cd /var/sf/iprep_download/
root@firepower:/var/sf/iprep_download# grep "72.4.119.2\|#" * | tail -n 2
d8eea83e-6167-11e1-a154-589de99bfdf1:#Global-Whitelist
d8eea83e-6167-11e1-a154-589de99bfdf1:72.4.119.2
root@firepower:/var/sf/iprep_download# cat d8eea83e-6167-11e1-a154-589de99bfdf1
#Global-Whitelist
72.163.4.161
Packet processing: SSL policy
• Order of operation:
  • SSL rules are processed from top to bottom
  • Once a match is found, the system does not evaluate the traffic against the rules below it
debug_policy_all
"Troubleshooting thoughts"
• Is the connection inspected by SNORT? "show conn" – flag 'N'
• Packet captures (capture and capture-traffic) show incoming traffic on the ASA/LINA side and the diverted flows being sent to SNORT, but no outgoing packets, or packets missing on the outside interface after SNORT inspection?
• Are connection events being triggered? -> FMC Connection table view
• Is the right AC rule being evaluated? -> NGFW debugs
• IPS events are not populated? -> Create a custom ICMP rule or enable the "ICMP echo" rule 1:408 to confirm that IPS events are generally working
Custom ICMP test rule (the slide cuts the rule off after icode:0; only the closing parenthesis is added here):
alert icmp any any -> any any (sid:1000001; gid:1; icode:0;)
firepower# sh cap
capture i type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
match icmp any any
capture o type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]
match icmp any any
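The 'sh cap' summary is the quickest answer to the second troubleshooting thought above: bytes in, none out, and an asp-drop capture that has grown by the same amount means LINA dropped the flow and 'show asp drop' has the reason. The added example below (not part of the session) parses that summary and states the conclusion; the first sample is the slide's output, the second is constructed as its healthy counterpart.

```python
import re
from typing import Dict, List

# From the slide's 'sh cap' summary (constructed sample): ICMP arrives on INSIDE,
# nothing leaves on OUTSIDE, and the asp-drop capture has grown by the same amount.
SHOW_CAP_DROPPED = """\
capture i type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
  match icmp any any
capture o type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]
  match icmp any any
capture asp type asp-drop all buffer 33554432 [Capturing - 114 bytes]
"""

# Constructed: the healthy case where the same traffic leaves on OUTSIDE.
SHOW_CAP_OK = """\
capture i type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
  match icmp any any
capture o type raw-data trace detail interface OUTSIDE [Capturing - 114 bytes]
  match icmp any any
capture asp type asp-drop all buffer 33554432 [Capturing - 0 bytes]
"""

# name, type, optional interface, captured bytes; asp-drop captures have no interface
CAP_RE = re.compile(r"^capture (\S+) type (\S+)(?: .*? interface (\S+))?.*?\[Capturing - (\d+) bytes\]", re.M)


def parse_show_capture(text: str) -> Dict[str, Dict[str, object]]:
    """capture name -> type, interface (None for asp-drop) and captured bytes."""
    caps: Dict[str, Dict[str, object]] = {}
    for m in CAP_RE.finditer(text):
        caps[m.group(1)] = {"type": m.group(2), "interface": m.group(3),
                            "bytes": int(m.group(4))}
    return caps


def capture_findings(caps: Dict[str, Dict[str, object]], ingress: str, egress: str) -> List[str]:
    """Read the three counters together the way the slide does: in, out, asp-drop."""
    seen_in = int(caps[ingress]["bytes"])
    seen_out = int(caps[egress]["bytes"])
    asp = sum(int(c["bytes"]) for c in caps.values() if c["type"] == "asp-drop")
    findings: List[str] = []
    if seen_in == 0:
        findings.append(f"nothing matched on {ingress}: wrong interface, wrong filter, "
                        "or the flow never reached the box")
    elif seen_out == 0:
        findings.append(f"{seen_in} bytes entered on {ingress} but nothing left on {egress}")
        if asp:
            findings.append(f"asp-drop capture holds {asp} bytes: LINA recorded the drop, "
                            "read the reason with 'show asp drop' (it may point at Snort)")
        else:
            findings.append("no drop recorded in asp-drop: check the Snort side "
                            "(capture-traffic, NGFW debug, IPS events)")
    else:
        findings.append(f"traffic traversed LINA: {seen_in} bytes in on {ingress}, "
                        f"{seen_out} bytes out on {egress}")
    return findings
```

Name the ingress and egress captures as you created them ('i' and 'o' on the slide); keeping an asp-drop capture alongside the two interface captures is what makes the third line of the verdict possible.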
Special attention when packets are blocked but there are no IPS events: rules with GID 129 DO NOT generate events until the "Stateful Inspection Anomalies" option in the TCP Stream preprocessor is enabled! Then change the rule state to "Drop and Generate Events".
Packet processing: NAT and egress
• NAT: in the capture trace, the phase 'NAT' shows the translated IP address details
• Egress Interface: after the "Egress Interface" determination step, the 'out' entries are checked in the ASP routing table
• With the capture 'trace detail' option, the phase "ROUTE-LOOKUP" shows the next-hop IP address details
Thank You
Veronika Klauzova
Michael Vassigh
Complete Your Online Session Evaluation for BRKSEC-3455
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online