
Dissecting Firepower-NGFW (FTD) & Firepower-Services
“Design & Troubleshooting”
Veronika Klauzova, Firepower TAC-Engineer
Michael Vassigh, CSE Security
BRKSEC-3455
Are we there yet (VIDEO)?

Your presenters for this journey
• Veronika Klauzova, Firepower TAC-Engineer
• Michael Vassigh, CSE Security

BRKSEC-3455 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Introduction
• Hardware-Review and troubleshoot
• Installation & Configuration and troubleshoot
• FTD Packet-Flow and troubleshoot
• Conclusion (and no more troubleshoot)
Abstract-Review
• The session will cover both operational and maintenance aspects of all relevant Firepower-NGFW functions from “Installation” to “Operation” to “Troubleshooting”, with a focus on interactive demonstration of the detailed topics.
• Upon successful completion of this session, the attendee will be able to:
• describe the FTD system architecture
• describe packet flow processing
• perform installation and configuration of Firepower Threat Defense (FTD) and Firepower Management Center (FMC)
• verify and troubleshoot traffic flows traversing FTD

Our goals for the next 120 minutes
• Walk you through an experience of Firepower Threat Defense
• Give you all required insights to configure your device
• Give you all required insights to troubleshoot your device
• Give you enough demos to highlight the relevant details

You can operate and troubleshoot the NG-Firewall with confidence

Other sessions you hopefully have visited
Cisco Live Berlin sessions:
• Firepower Platform Deep Dive
• ASA Firepower NGFW typical deployment scenarios
• A Deep Dive into using the Firepower Manager
• Firewall Innovation and Transformation - a closer look at ASA and Firepower
• NGFW Clustering Deep Dive
• Protecting the Network with Firepower NGFW
And various others on AMP, DDoS, SSL-Decryption, Snort Rules and more

Topics we will not cover today
• Your current order in CCW
• Your troubles with getting a Smart-Account
• Your current TAC-Service Request details
• Firepower 7000/8000 series
• Real-World performance
• Clustering
• Licensing
• CDO Cisco Defense Orchestrator
• Firepower Device Manager
• Advanced Malware Protection
• Remote-Access
• VPN Site-to-Site
• Full roadmap details

All our material and demos are based on the following
• Firepower 4100 system
• FXOS Version 2.0(1.135)
• Firepower Threat Defense V6.1.0.1 (Released December 2016)
• Firepower Management Center V6.1.0.1 (Released December 2016)

Recent announcements
New Software Versions since January 2017 (subtotal)
FXOS V2.1(1)
• Support for ASA V9.7.1
• Support for FTD V6.2
• Inter-Chassis clustering FTD V6.2
• NTP authentication
FTD V6.2
• Inter-Chassis clustering on FP4100/9300
• Packet-Tracer & Capture UI
• Flex-Config
• ASA-FTD Migration tool enhanced
• Integrated Routing & Bridging-Interface support

Hardware & Software Review
Terminology brief (you might find in documentation)
Legacy term -> Cisco official Firepower System terminology
• 3D System -> Firesight / Firepower system
• DC (Defense Center) -> Firepower Management Center (off-box) / Firepower Device Manager (on-box)
• Managed device / Sensor, physical and virtual -> Managed device / Sensor, physical and virtual; ASA with FirePOWER Services module managed by ASDM

Platform naming fundamentals
• Hardware Management: MC750, MC1500, MC3500, MC2000, MC4000
• Virtual Management: Firepower Management Center running on VMware, AWS and KVM
• Physical managed devices: 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350, 8360, 8370, 8390
• Virtual managed devices: NGIPSv
• Physical Firepower Threat Defense devices: ASA 5506-X, ASA 5506—X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X and 5555-X, Firepower 9300 security appliance, Firepower 4100 series
• Virtual Firepower Threat Defense devices: Firepower Threat Defense Virtual running on VMware, AWS or on KVM

What platforms can run FTD Software
Platform | FTD Support
ASA 5500X-Series (5506X-5555X with SSD) | Yes
Firepower 4100 series | Yes
Firepower 9300 series | Yes
Firepower 2100 series | Yes
Virtual options (VMware, KVM, AWS, Azure) | Yes
Cisco ISR 4000/ISR-G2 (UCS-E module) | Yes

What platforms can not run FTD Software
Platform | FTD Support
Series 2 Firepower Appliances | No
Series 3 Firepower Appliances (FP7000/8000) | No
ASA-5580, ASA-5585X-SSPX | No
ASA Service Module | No
Firewall Service Module | No
Microsoft Hyper-V | No

Platform specific requirements
• All ASA-5500X models require SSDs to be installed
• Beware that only the newer orders are shipped with the SSD preinstalled
• ASA-5545/55X require 2 SSDs to be installed
• Beware that only the newer orders are shipped with the SSDs preinstalled
• Only Cisco SSDs are supported
• ASA models 5506X/5508X/5516X need ROMMON version 1.1.8 or higher installed
• FP4100 and FP9300 require FXOS 2.0.1 or later

Firepower 4100 – closer look
Front view: Console, MGMT, 2 x 2.5” SSD bays, 8 x optic SFP+ ports, Power
Rear view: 2 x optional NetMods, 2 x Power Supply Module bays, 6 x hot-swap fan units
Firepower 9300 – closer look
Front view and rear view (photos)
Firepower 4100 vs. 9300
Specification | FP 4100 | FP 9300
Rack space | 1RU | 3RU
Security Modules | Fixed | Modular
Performance | Up to 80Gbps | Up to 240Gbps
Port Speed Support | Up to 40Gb | Up to 100Gb
Positioned | Internet, WAN Edge, Campus, small and medium sized Data Center | Large and massively scalable DC, SP

Similarities
1.) Both are next generation platforms on Security Service Architecture
2.) Both run FXOS which is used to manage physical and logical entities

FTD management options
• Firepower Management Center, aka “FMC” – off-box manager

FTD management options
• Firepower Device Manager, aka “FDM” – on-box manager
• HTML5 based WebUI
• Supported on ASA 5506/8/12/15/16/25/45/55

Firepower Threat Defense (FTD)
• Snort NG-IPS Detection Engine
• ASA/Lina Firewall functions
• First implementation: ASA and Firepower-Services (ASA/LINA and Firepower/Snort)
• Future: single unified image, FTD (ASA/Lina + Firepower/Snort)
• All ASA features will be added in future FTD software releases

Software
Brief Software Refresher
Firepower Management Center (FMC)
• Is the Firepower Management Software
• Runs on Appliance or VM
• Supports HA mode
• Provides 1 management option: WEB-UI
Firepower Threat Defense (FTD)
• Is the native NGFW code
• Runs on Appliance or VM
• Provides 1 management option: WEB-UI
Firepower eXtensible Operating System (FXOS)
• Operates the Firepower 4100/9300 chassis
• Provides 3 management options: REST-API, CLI/Shell, WEB-UI (FCM)
• Provides CLI/Shell access to platform SW

All platforms have CLI/Shell access for setup & diagnostics

All platforms have version dependencies

FTD CLI modes
There are three CLIs when dealing with an FTD deployment:
• FXOS CLI – prompt: Firepower-module1>
• CLISH – prompt: >
• ASA CLI – prompt: firepower#

Moving between the different CLIs:
FXOS -> CLISH: connect ftd
CLISH -> ASA: system support diagnostic-cli
ASA -> CLISH: CTRL + a, d
CLISH -> FXOS: exit

Converged FTD CLISH
• Available over SSH on data and management interface/s
• No switching back and forth between FP and ASA sub-modes

BEFORE 6.1:
> system support diagnostic-cli
firepower> enable
firepower# show cpu
Ctrl + a + d
> show cpu

6.1+:
> show cpu system

Linux 3.10.62-ltsi-WR6.0.0.27_standard (ftd.cisco.com) 02/07/17 _x86_64_

Time CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle
14:32:43 all 20.46 0.00 0.19 0.00 0.00 0.00 0.00 0.00 0.00 79.35

> show cpu
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

FXOS Breakout
Firepower eXtensible Operating System (FXOS)
• Chassis management, operation and health
• Network interface allocation and connectivity
• Application storage, deployment and provisioning
• NTP for entire chassis
• Clustering setup

Why a brief look at FXOS CLI
• Limited documentation as of FXOS 2.0
• No CLI Command-Reference
• Some elements are only visible in the CLI
• Please ask for TAC-Support before you change undocumented elements
• Stay with the Web-UI for regular operations
Brief Recap Management operations
• The Firepower system is built as a distributed hardware architecture
• Various functions are serviced from different hardware components
• The Supervisor-Engine (or MIO) is the main control-point for all chassis, interface and blade configurations
• Supervisor configuration navigation via the CLI „scope“ command
• Connection to the element-OS CLI via the „connect“ command
(Diagram: Supervisor/MIO-Board with Mgmt-Port, Console-Port and Switch-Fabric; Security Service Processor / Security Service-Blade with Data-Port)

CLI is your friend? “Beware of „False Friends*“
„If you give us outstanding scores, you will become a beer“

Lab-FP4110-A-A(fxos)# show interface mgmt 0
mgmt0 is down (Administratively down)
Hardware: GigabitEthernet, address: ecbd.1d5e.d1df (bia ecbd.1d5e.d1df)
Internet Address is 10.0.0.11/24

Lab-FP4110-A-A(local-mgmt)# show mgmt-port
eth0 Link encap:Ethernet HWaddr EC:BD:1D:5E:D1:DF
inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::eebd:1dff:fe5e:d1df/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Lab-FP4110-A-A(local-mgmt)# ping 10.0.0.1 count 1
PING 10.0.0.1 (10.0.0.1) from 10.0.0.11 eth0: 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.394 ms

The same management port reports „down (Administratively down)“ in the fxos shell, yet the local-mgmt view shows it UP, RUNNING and able to reach its gateway: use the local-mgmt commands when you verify management connectivity.

*a word that is often confused with a word in another language with a different meaning because the two words look or sound similar

FXOS interaction and navigation (CLI)
• Initial console access is mandatory for the setup
• Initial admin password is not set (console)
• Password setup is mandatory on first login
• Strong password is optional
• Setup wizard will guide you through a minimal IP-Setup for the Mgmt-Interface
• Remaining detailed settings via:
• Console
• SSH
• Browser
• API

FXOS interaction (CLI): Setup
You have chosen to setup a new Security Appliance. Continue? (y/n): y
Enforce strong password? (y/n) [n]:
Enter the password for "admin":
Confirm the password for "admin":
Enter the system name [Lab-FP4110-A]:
Physical Switch Mgmt0 IP address [10.0.0.11]:
Physical Switch Mgmt0 IPv4 netmask [255.255.255.0]:
IPv4 address of the default gateway [10.0.0.1]:
Configure the DNS Server IP address? (yes/no) [n]:
Configure the default domain name? (yes/no) [n]:
Following configurations will be applied:

Switch Fabric=A
System Name=Lab-FP4110-A
Enforced Strong Password=no
Physical Switch Mgmt0 IP Address=10.0.0.11
Physical Switch Mgmt0 IP Netmask=255.255.255.0
Default Gateway=10.0.0.1
Ipv6 value=0

Apply and save the configuration (select 'no' if you want to re-enter)? (yes/no):

CLI elements and navigation
• Command modes follow a hierarchy
• EXEC-mode
• Highest level
• Default Access-Level on Console
• Branches to lower levels
• CLI-Prompt shows the path to mode hierarchy
• Moving between levels
• Scope <object>: Changes mode into an existing object mode
Lab-FP4110-A-A# scope chassis 1
Lab-FP4110-A-A /chassis #
• Exit: Leaves current command mode level
• Top: Changes to highest command mode level
• Connect <component>: Connects to component CLI

CLI elements and objects
• Managed Objects
• Abstract representation of physical or logical entities
• Examples are: chassis, security-modules, firmware, licenses and more
• Within each scope the objects represent the elements and parameters
• Working with objects
• Create <object>: A non-existent object is created and entered for parameters
• Delete <object>: An existent object is deleted
• Enter <object>: A non-existent object is created and entered for parameters
• Scope <object>: An existent object is entered for parameters

A simple CLI example
LAB-FP4110-A-A# scope security
LAB-FP4110-A-A /security #
LAB-FP4110-A-A /security # create local-user
WORD User Name
LAB-FP4110-A-A /security # create local-user mvassigh
LAB-FP4110-A-A /security/local-user* #
LAB-FP4110-A-A /security/local-user* # set email mvassigh@cisco.com
LAB-FP4110-A-A /security/local-user* # set password
Enter a password: <System Interaction>
Confirm the password: <System Interaction>

A simple CLI example
LAB-FP4110-A-A# scope security
LAB-FP4110-A-A /security # create local-user
WORD User Name
LAB-FP4110-A-A /security # create local-user mvassigh
LAB-FP4110-A-A /security/local-user* #
LAB-FP4110-A-A /security/local-user* # set email mvassigh@cisco.com
LAB-FP4110-A-A /security/local-user* # set password
Enter a password: <System Interaction>
Confirm the password: <System Interaction>
LAB-FP4110-A-A /security/local-user* # show configuration pending
+enter local-user mvassigh
+ set account-status active
+ set email mvassigh@cisco.com
+ set firstname ""
+ set lastname ""
+! set password <not shown but set>
+ set phone ""
+exit
LAB-FP4110-A-A /security/local-user* # commit-buffer
LAB-FP4110-A-A /security/local-user # exit

LAB-FP4110-A-A /security # show local-user mvassigh detail
Local User mvassigh:
First Name:
Last Name:
Email: mvassigh@cisco.com
Phone:
Expiration: Never
Password: ****
Account status: Active
User Roles:
Name: read-only
User SSH public key:

The asterisk in the prompt marks an uncommitted transaction buffer: nothing is applied until commit-buffer, and the asterisk disappears afterwards. The new account is created with only the read-only role until other roles are assigned.

Important „scopes“ for configuration operations (1)
security
• Authentication
• Local-User Accounts
• Radius
• Tacacs
• Trustpoints
• Certificates
system/services
• SSH-Server, SSH-Keys
• HTTPS-Server and ports
• DNS
• NTP
• Configuration import/export
firmware
• Software download
• Monitor download tasks
• Software installation (FXOS packages only!)
eth-uplink/fabric a
• Physical interfaces
• Port-Channel interfaces
Important „scopes“ for configuration operations (2)
fabric-interconnect a
• Local-Management-IP setting
LAB-FP4110-A-A /fabric-interconnect # show
Fabric Interconnect:
ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability
---- --------------- --------------- --------------- ---------------- ---------------- ------ -----------
A 10.0.0.11 10.0.0.1 255.255.255.0 :: :: 64 Operable
LAB-FP4110-A-A /fabric-interconnect # set out-of-band
gw Gw
ip Ip
netmask Netmask

Important „scopes“ for configuration operations (3)
eth-uplink/fabric a
• Physical external interfaces/interface-modules of the Firepower chassis
LAB-4110-A-A /eth-uplink/fabric # show interface
Interface:
Port Name Port Type Admin State Oper State State Reason
--------------- ------------------ ----------- ---------------- ------------
Ethernet1/1 Data Disabled Admin Down Administratively down
Ethernet1/2 Data Enabled Up
Ethernet1/3 Data Enabled Up
Ethernet1/4 Data Enabled Up
(truncated)

LAB-4110-A-A /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
48 Port-channel48 Cluster Disabled Admin Down Administratively down
(truncated)

Important „connect“ elements (1)
local-management
• Verify Mgmt-Port IP connectivity
• Ping/Traceroute
• Graceful reboot/shutdown
• Disk/File operations
• Packet-Captures
• Configuration erase

Lab-FP4110-A-A(local-mgmt)# show mgmt-port
eth0 Link encap:Ethernet HWaddr EC:BD:1D:5E:D1:DF
inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::eebd:1dff:fe5e:d1df/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
(output truncated)

Lab-FP4110-A-A(local-mgmt)# ping 10.0.0.1 count 1
PING 10.0.0.1 (10.0.0.1) from 10.0.0.11 eth0: 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.394 ms

Lab-FP4110-A-A(local-mgmt)# dir
1 29 Jan 19 15:23:27 2017 blade_debug_plugin
1 19 Jan 19 15:23:27 2017 bladelog
1 16 Jan 19 15:24:11 2017 cores
2 4096 Jan 19 16:27:44 2017 debug_plugin/
1 31 Jan 19 15:24:11 2017 diagnostics
2 4096 Jan 19 15:21:56 2017 lost+found/
1 25 Jan 19 15:23:53 2017 packet-capture
2 4096 Jan 19 15:23:28 2017 techsupport/

Important „connect“ elements (2)
local-management
• Tech-Support file generation
• FPRM: Supervisor/MIO
• Module: SSP modules
• Chassis: chassis, blade, CIMC
• Tech-Support files [detail] output will be archived to disc automatically
• Use the copy operation to move the file from the system

Lab-FP4110-A-A(local-mgmt)# show tech-support
chassis Chassis
fprm Firepower Platform Management
module Security Module

Lab-FP4110-A-A(local-mgmt)# show tech-support fprm detail
Initiating tech-support information task on FABRIC A ...
Completed initiating tech-support subsystem tasks (Total: 1)
All tech-support subsystem tasks are completed (Total: 1[received]/1[expected])
The detailed tech-support information is located at
workspace:///techsupport/2017011918273_Lab-FP4110-A_FPRM.tar

Lab-FP4110-A-A(local-mgmt)# copy techsupport/20170119182735_Lab-FP4110-A_FPRM.tar
ftp: Dest File URI
scp: Dest File URI
sftp: Dest File URI
tftp: Dest File URI
usbdrive: Dest File URI
volatile: Dest File URI
workspace: Dest File URI

Password recovery
• Worth a dry run when the hardware hits your desk
Use BREAK, ESC or CTRL+L to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
rommon 5 > dir installables/switch
Directory of: bootflash:\installables\switch
09/01/16 04:37p 35,652,608 fxos-k9-kickstart.5.0.3.N2.4.01.35.SPA
09/01/16 04:37p 250,003,850 fxos-k9-system.5.0.3.N2.4.01.35.SPA

rommon 6 > boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.4.01.35.SPA
!! Kickstart Image verified successfully !!

switch(boot)# config terminal
switch(boot)(config)# admin-password erase
Your password and configuration will be erased!
Do you want to continue? (y/n) [n] <Enter y here>
switch(boot)(config)# exit
switch(boot)# load bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.4.01.35.SPA
<wait>
---- Basic System Configuration Dialog ----

You have chosen to setup a new Security Appliance. Continue? (y/n): y

• Note: the recovery erases the whole configuration, not only the admin password, and needs nothing but console access to the chassis, so console and physical access deserve the same protection as the admin credentials.

What if you have a corrupt kickstart/system image
• For FXOS 2.0(1): open a TAC Service request
• For FXOS 2.1(1): you can download them from CCO (since Feb. 2017)

A few hardware troubleshoot suggestions „CLI“
• scope chassis <all output truncated>
• show inventory fan/psu
PSU Presence PID Vendor Serial (SN) HW Revision
---------- --------------------------------- ---------- ---------- ----------- -----------
1 Equipped FPR4K-PWR-AC-1100 Cisco Systems, Inc. PST201560AY 0
2 Missing 0

Fan Modules:
Tray 1 Module 1:
Presence: Equipped
ID PID Vendor Serial (SN) HW Revision
---------- ------------ --------------- ----------- -----------
1 FPR4K-FAN Cisco Systems I JAD202808LY 0
2 FPR4K-FAN Cisco Systems I JAD202808LY 0

Lab-FP4110-A-A /chassis # show fault
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Warning F0378 2017-01-29T12:55:26.444 42157 Power supply 2 in chassis 1 presence: missing
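The two outputs above are what a chassis health check has to read when it runs from a script instead of by eye. The following is an added example, not Cisco's code: it parses the column layout of „show inventory psu“ and „show fault“ as shown in the session and turns a missing PSU or any fault at warning severity or above into an issue list. The severity ranking and the second fault line (code F9999) are constructed placeholders, not values from the session.

```python
"""Turn FXOS 'show inventory psu' / 'show fault' text into a short issue list.

Added example, not Cisco's code: it parses the column layout seen in the
session's 'scope chassis' outputs. The second fault line (code F9999) is a
constructed placeholder used only to exercise the severity filter.
"""
import re
from dataclasses import dataclass

# FXOS fault severities in ascending order of importance (assumed ranking).
SEVERITY_RANK = {"cleared": 0, "info": 1, "condition": 2, "warning": 3,
                 "minor": 4, "major": 5, "critical": 6}

# Constructed sample output, modelled on the session's 'show inventory psu'.
SHOW_INVENTORY_PSU = """\
PSU Presence PID Vendor Serial (SN) HW Revision
---------- --------------------------------- ---------- ---------- ----------- -----------
1 Equipped FPR4K-PWR-AC-1100 Cisco Systems, Inc. PST201560AY 0
2 Missing 0
"""

# Constructed sample output, modelled on the session's 'show fault'.
SHOW_FAULT = """\
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Warning F0378 2017-01-29T12:55:26.444 42157 Power supply 2 in chassis 1 presence: missing
Info F9999 2017-01-29T12:50:00.000 42100 placeholder informational fault
"""

FAULT_LINE = re.compile(
    r"^(?P<sev>[A-Za-z]+)\s+(?P<code>F\d+)\s+(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<desc>.+)$")
PSU_LINE = re.compile(r"^(?P<slot>\d+)\s+(?P<presence>Equipped|Missing)\b")


@dataclass
class Fault:
    severity: str
    code: str
    last_transition: str
    fault_id: int
    description: str


def parse_faults(text):
    """Parse 'show fault' rows; the header and dashed lines do not match and are skipped."""
    faults = []
    for line in text.splitlines():
        m = FAULT_LINE.match(line.strip())
        if m:
            faults.append(Fault(m["sev"].lower(), m["code"], m["ts"],
                                int(m["id"]), m["desc"].strip()))
    return faults


def parse_psu(text):
    """Return {slot: presence} from 'show inventory psu'."""
    psus = {}
    for line in text.splitlines():
        m = PSU_LINE.match(line.strip())
        if m:
            psus[int(m["slot"])] = m["presence"]
    return psus


def find_issues(psu_text, fault_text, min_severity="warning"):
    """List PSU slots that are not equipped plus faults at or above min_severity."""
    issues = []
    for slot, presence in sorted(parse_psu(psu_text).items()):
        if presence != "Equipped":
            issues.append(f"PSU {slot} is {presence}: chassis runs on a single power feed")
    threshold = SEVERITY_RANK[min_severity]
    for f in parse_faults(fault_text):
        if SEVERITY_RANK.get(f.severity, 0) >= threshold:
            issues.append(f"{f.severity.upper()} {f.code} (fault id {f.fault_id}): {f.description}")
    return issues


if __name__ == "__main__":
    for issue in find_issues(SHOW_INVENTORY_PSU, SHOW_FAULT):
        print(issue)
```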

A few hardware troubleshoot suggestions „UI“
(Screenshots of the Web-UI)

Selected troubleshoot results from „UI“
(Screenshots of the Web-UI)

Deployment Modes & Interfaces
Why you should care about deployment modes
• There are 2 distinct operative deployment options for the FTD Firewall
• Routed-Operations Mode
• Transparent-Operations Mode (also called Bridged-Mode)
• Sub-Deployment options are
• Cluster-Mode (9300 only, 4100 out with V6.2)
• HA/Failover-Mode
• Passive SPAN-Mode
• Changing the „operations“ mode erases your existing configuration
> configure firewall routed
This will destroy the current interface configurations, are you sure that you want to proceed? [y/N] y
The firewall mode was changed successfully.
• Note: Changing the mode requires you to re-register to FMC

FTD Interface modes comparison
Interface mode | Interface type | FTD mode | Description | Real traffic dropping
Firewall mode | Routed | Routed | Traffic is going through all FTD checks (Security Intelligence, Access Control Policy, Snort, File/AMP policy) | Yes
Firewall mode | Switched | Transparent | Traffic is going through all FTD checks (Security Intelligence, Access Control Policy, Snort, File/AMP policy), but there is no route lookup (only MAC lookup) | Yes
IPS-only mode | Passive | Routed/Transparent | A copy of a packet (SPAN) is going through NGIPS checks | No
IPS-only mode | Passive (ERSPAN) | Routed | A copy of a packet (ERSPAN) is going through NGIPS checks | No
IPS-only mode | IPS-only Inline Set | Routed/Transparent | A packet goes through NGIPS checks | Yes
IPS-only mode | IPS-only Inline Set tap mode | Routed/Transparent | A packet is sent through FTD and a copy of it goes through NGIPS checks | No

FTD Interfaces general (1)
Chassis type: Firepower 4100
Interface | Interface creation | Interface physical operation | Interface IP & operation
Chassis-Manager | FXOS | FXOS | FXOS
FTD-Mgmt | FXOS-Type: Mgmt | FXOS | FTD
FTD-HA | FXOS-Type: Data | FXOS | FTD
FTD-Data | FXOS-Type: Data | FXOS | FTD
FTD-Port-Channel-Data | FXOS-Type: Data | FXOS | FTD
FTD VLAN-SubInterfaces | FTD | FXOS | FTD
FTD Eventing | FXOS-Type: FP-Eventing | FXOS | FTD

FTD Interfaces general (2)
Chassis type: Firepower 4100
Interface | Interface creation | Interface physical operation | Interface operation
Hardware-Bypass* | FXOS | FXOS | FTD for IPS only
NGIPS-Inline-Pair | FXOS-Type: Data | FXOS | FTD
NGIPS-Passive | FXOS-Type: Data | FXOS | FTD
NGIPS-ERSpan | FXOS-Type: Data | FXOS | FTD

FTD Diagnostic vs. Management Interface
• Since FTD v6.1 there are 2 specialized interfaces on FTD
| Management Interface | Diagnostic Interface
FTD Operations | Mandatory | Optional
Usage | FTD to FMC communication (sftunnel); SSH/HTTPS access to FTD | LINA Diagnostics; SSH access to ASA CLI; Syslog source for ASA events (can use any data-interface)
Configuration on | Firepower 5500-X: configure network ipv4 <x>; Firepower 4100/9300: configure via FXOS UI/CLI | FMC UI: Devices > Device Management
Access Restrictions | configure ssh access-lists | FMC UI: Device > Platform Settings
Challenges | None | Operational restrictions with other interfaces

FTD Syslog setup (ASA logs)
(FMC screenshots) Create the Syslog-Server object; select the zone to reach the server.
Reminder: no need for a diagnostic interface IP

FTD Syslog setup (ASA logs cont.)
(FMC screenshots) Create the Syslog-Server object; select your syslog destination; enable syslog.

FTD syslog troubleshoot
• FTD CLISH
> show running-config logging
logging enable
logging timestamp
logging trap critical
logging host INSIDE 172.16.1.100

> show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level critical, facility 20, 0 messages logged
Logging to INSIDE 172.16.1.100
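The „0 messages logged“ line above is the clue a syslog troubleshoot should pick up: with „logging trap critical“ only severities 0-2 reach the syslog host, while ASA connection and ACL events are informational (level 6). The following is an added example, not Cisco's code: it parses the „show running-config logging“ excerpt from the session and reports the settings that keep events from reaching the collector. The severity table is the standard ASA syslog level scale; the wanted level „informational“ is an assumption for an event-logging use case.

```python
"""Sanity-check an FTD/ASA 'show running-config logging' excerpt.

Added example, not Cisco's code. The sample config is the one shown in the
session; the severity table is the standard ASA syslog level scale. The
'wanted' level is an assumption: connection and ACL events are logged at
informational (6), so a trap level of critical (2) never forwards them.
"""

# ASA/LINA syslog severities: name -> numeric level (0 = most severe)
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Excerpt from the session's 'show running-config logging'
SAMPLE_RUNNING_CONFIG = """\
logging enable
logging timestamp
logging trap critical
logging host INSIDE 172.16.1.100
"""


def parse_logging_config(text):
    """Collect the logging statements that matter for trap (syslog server) output."""
    cfg = {"enable": False, "timestamp": False, "trap": None, "hosts": []}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "logging":
            continue
        keyword = parts[1]
        if keyword == "enable":
            cfg["enable"] = True
        elif keyword == "timestamp":
            cfg["timestamp"] = True
        elif keyword == "trap" and len(parts) >= 3:
            cfg["trap"] = parts[2]
        elif keyword == "host" and len(parts) >= 4:
            cfg["hosts"].append({"interface": parts[2], "address": parts[3]})
    return cfg


def severity_level(name):
    """Map a severity keyword or numeric level (ASA accepts both) to 0..7, else None."""
    if name is None:
        return None
    if name.isdigit():
        return int(name) if 0 <= int(name) <= 7 else None
    return SEVERITY.get(name.lower())


def check_logging(text, wanted="informational"):
    """Return (parsed config, list of findings) for a running-config excerpt."""
    cfg = parse_logging_config(text)
    findings = []
    if not cfg["enable"]:
        findings.append("logging is disabled: no syslog messages are generated at all")
    if not cfg["hosts"]:
        findings.append("no 'logging host' configured: trap messages have no destination")
    level = severity_level(cfg["trap"])
    if level is None:
        findings.append("no valid 'logging trap' level: nothing is sent to the syslog host")
    elif level < SEVERITY[wanted]:
        findings.append(
            f"trap level '{cfg['trap']}' forwards only severities 0-{level}; "
            f"'{wanted}' ({SEVERITY[wanted]}) is needed for connection/ACL events, "
            f"which matches '0 messages logged' in 'show logging'")
    if not cfg["timestamp"]:
        findings.append("no 'logging timestamp': events carry only the collector's receive time")
    return cfg, findings


if __name__ == "__main__":
    _, problems = check_logging(SAMPLE_RUNNING_CONFIG)
    print("\n".join(problems) or "logging config looks usable")
```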

Licensing (Really ?)
Classic vs. Smart Licensing
• Classic Licensing
• Manual PAK registration needed for each device to unlock license key
• Limited view – customers do not know what they own
• Licenses tied to License-Key / only one device

• Smart Licensing
• Enterprise wide / complete visibility (software, licenses, devices in one
portal)
• License token not tied to License-Key – flexible licensing across all devices
• Smart account is mandatory
• User access control

Smart Licensing prerequisites
• FMC can reach the Cisco Smart Licensing Cloud Server via hostname – verify DNS settings
• Ensure that the NTP daemon is running on the FMC
• User needs to have an account with CSSM (Cisco Smart Software Manager)

https://software.cisco.com

Apply Smart Licenses
1. Obtain product instance registration token from CSSM (Cisco Smart Software
Manager)
2. Register Unified Manager to CSSM
3. Register NGFW/FTD devices to Unified Manager
4. Apply/Remove Smart License

Firepower Management Center (quick look)

Smart Licensing
• Firepower Threat Defense uses ONLY Smart Licensing. Other products (Firepower 7000/8000 series appliances or Firepower Services modules) still use Classic Licensing.
• Controlled through FMC, restricting what features can be configured per device. Without a license FMC cannot deploy policy or receive events.
• Existing ASA classic licensing is not used.
• Evaluation mode is possible using the built-in 90 days evaluation period. It has a start and end date; renewal is required for continued entitlement.
• Purchased licenses are added to the Smart Account automatically.
• Equivalent licenses must be purchased for HA devices.

Smart Licensing
License feature | Description | License type
Base | NGFW (Firewall and AVC) | Perpetual
Threat Protection | IPS policies, Security Intelligence, DNS policies | Term
Malware | Advanced Malware Protection and Threat Grid | Term
URL Filtering | Category and web reputation filtering | Term
Firepower Management Center | Management license for host/user count | Perpetual

Troubleshooting scenario
KSEC-FPR4100-4-A# show license all
Smart Licensing is ENABLED
Registration:
Status: UNREGISTERED - REGISTRATION FAILED
Export-Controlled Functionality: Not Allowed
Initial Registration: FAILED on Jan 11 12:24:30 2017 UTC
Failure reason: Failed to authenticate server

KSEC-FPR4100-4-A /security # show trustpoint
KSEC-FPR4100-4-A /security #
Trustpoint is EMPTY!

KSEC-FPR4100-4-A# scope security
KSEC-FPR4100-4-A /security # create trustpoint CHdefault
KSEC-FPR4100-4-A /security/trustpoint* # set certchain
Enter lines one at a time. Enter ENDOFBUF to finish.
Press ^C to abort.
Trustpoint Certificate Chain:
><certificate chain, pasted one line at a time>
>ENDOFBUF
KSEC-FPR4100-4-A /security/trustpoint* # commit-buffer

Important note: copy the whole certificate from BEGIN to END, otherwise the commit-buffer will fail with the following reason:
Error: Update failed: [failed to verify certificate chain, error: Failed to split certificate chain]
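The „Failed to split certificate chain“ error above comes from a chain that was pasted incompletely. The following is an added example, not Cisco's code: it performs the same check in advance, walking a PEM paste and rejecting any block that lacks its BEGIN or END line or carries non-base64 content, so the chain can be validated before it goes into „set certchain“. The PEM bodies in the sample are constructed placeholders, not real certificate data.

```python
"""Validate a PEM certificate chain before pasting it into FXOS 'set certchain'.

Added example, not Cisco's code. It mirrors the check behind the session's
'Failed to split certificate chain' error: every certificate must be complete
from its BEGIN line to its END line. The PEM bodies below are constructed
placeholders, not real certificates.
"""
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder chain (bodies are not real certificate data).
GOOD_CHAIN = f"""{BEGIN}
MIIBASEBASESIXFOUR
PLACEHOLDERBODY1
{END}
{BEGIN}
MIIBASEBASESIXFOUR
PLACEHOLDERBODY2
{END}
"""

# The same paste cut off before the final END line, i.e. a partial copy.
TRUNCATED_CHAIN = GOOD_CHAIN.rsplit(END, 1)[0]

# PEM body lines are base64 text; anything else inside a block is a paste error.
B64_LINE = re.compile(r"^[A-Za-z0-9+/=]+$")


def split_certificate_chain(text):
    """Return the list of complete PEM blocks, or raise ValueError naming the defect."""
    certs, current, inside = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                raise ValueError(f"line {lineno}: BEGIN without a preceding END")
            inside, current = True, [line]
        elif line == END:
            if not inside:
                raise ValueError(f"line {lineno}: END without BEGIN")
            current.append(line)
            certs.append("\n".join(current))
            inside = False
        elif inside:
            if not line or not B64_LINE.match(line):
                raise ValueError(f"line {lineno}: non-base64 content inside certificate")
            current.append(line)
        # Text outside a block (for example a textual certificate dump) is ignored.
    if inside:
        raise ValueError("chain ends inside a certificate: missing END line")
    if not certs:
        raise ValueError("no certificate found")
    return certs


def chain_is_pasteable(text):
    """True when the paste would survive the FXOS chain split, False otherwise."""
    try:
        return len(split_certificate_chain(text)) > 0
    except ValueError:
        return False


if __name__ == "__main__":
    print(len(split_certificate_chain(GOOD_CHAIN)), "certificates in the complete chain")
    print("truncated paste accepted:", chain_is_pasteable(TRUNCATED_CHAIN))
```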

Biggest case creator for „Smart-Licensing“ will be solved
• Firepower Management Center bypassing proxy-configuration for Smart-Licensing
• Bug was present in V6.0, 6.01, 6.1, 6.1.0.1
• Bug has been verified to be fixed in V6.2 on a fresh install
• Bugfix will be available in V6.1.0.2 (latest maintenance release from 8 Feb. 2017)
• We are expecting confirmation from many of you

Installation and Configuration
Brief installation steps on Firepower 4100 series
1. Upgrade the supervisor (FXOS) software bundle
2. Configure FTD Management and Data Interfaces
3. Install FTD application image
4. Provision FTD Settings (mode, IP settings, FMC info)
5. Add FTD to Firepower Management Center
Upgrade the supervisor (FXOS) software bundle
Configure FTD Data & Management Interfaces
Adding interfaces for application module
For Your Reference
Four things to remember on interfaces
• The Mgmt-Interface is created but will not be selectable later; the assignment happens automatically for the logical device
• The Event-Monitoring interface is optional and was newly introduced in V6.x, to allow separation of events and diagnostics versus configuration traffic for FMC-Appliance and Firepower-Devices (FP4100/FP9300/FP8000)
• Port-Channel Interfaces are configured but forced into „suspend“-mode
• VLAN-Sub-Interfaces are created on the logical device only
Interface-Special Port-Channel
This is the intended behavior

For Your Reference
FTD installation on 4100 (1)
FTD installation on 4100 (2)
FTD installation on 4100 (working hard)
FTD installation on 4100 (working harder)
FTD Installation „Local Console“ monitoring
Lab-FP4110-A-A /ssa/slot # connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:


Close Network Connection to Exit [ OK ]
Executing S47install_default_sandbox_EO.pl [ OK ]
Executing S50install-remediation-modules [ OK ]
Executing S51install_health_policy.pl [ OK ]
Executing S52install_system_policy.pl [ OK ]
Executing S53change_reconciliation_baseline.pl [ OK ]
Executing S70remove_casuser.pl [ OK ]
Executing S70update_sensor_objects.sh [ OK ]
Executing S85patch_history-init [ OK ]
Executing S90banner-init [ OK ]
Executing S96grow_var.sh [ OK ]
Executing S96install_vmware_tools.pl [ OK ]

(output truncated)

FTD installation on 4100 (finished)
A quick few things to check via CLI
LAB-4110-A-A /ssa/logical-device # show expand | begin IP
IP v4:
Slot ID Management Sub Type IP Address Netmask Gateway Last Updated Timestamp
---------- ------------------- --------------- --------------- --------------- ----------------------
1 Firepower 10.0.0.12 255.255.255.0 10.0.0.1 2017-01-23T19:10:28.260
Bootstrap Key:
Key Value Last Updated Timestamp
---------- ---------- ----------------------
DNS_SERVERS 128.107.212.175 (truncated)
FIREPOWER_MANAGER_IP 10.0.0.50
FIREWALL_MODE routed
FQDN ftd1.example.com
A quick few things to verify via CLI
LAB-4110-A-A /eth-uplink/fabric # show port-channel expand
Port Channel:
Port Channel Id: 10
Name: Port-channel10
Port Type: Data
Admin State: Enabled
Oper State: Up
State Reason:
Member Port:
Port Name Membership Oper State State Reason
--------------- ------------------ ---------------- ------------
Ethernet1/4 Up Up
Port Channel Id: 11
Name: Port-channel11
Port Type: Data
Admin State: Enabled
Oper State: Up
State Reason:
Member Port:
Port Name Membership Oper State State Reason
--------------- ------------------ ---------------- ------------
Ethernet1/2 Up Up

For Your Reference
Time for some connectivity checks
Time for some connectivity checks (???)
Experts use CLI (1)
Lab-FP4110-A-A# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
CISCO Serial Over LAN:
Close Network Connection to Exit
Firepower-module1>connect ftd
Connecting to ftd console... enter exit to return to bootCLI
>ping 10.0.0.1 (= Our Default-Gateway ?)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
No route to host 10.0.0.1
Success rate is 0 percent (0/1)

Experts use CLI (2)
> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B – BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V – VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set

C 169.254.1.0 255.255.255.252 is directly connected, nlp_int_tap
L 169.254.1.1 255.255.255.255 is directly connected, nlp_int_tap

> show ip
System IP Addresses:
Interface Name IP address Subnet mask Method

Current IP Addresses:
Interface Name IP address Subnet mask Method
Experts use CLI (3)
> show interface
Interface Port-channel10 "", is administratively down, line protocol is up
Hardware is EtherSVI, BW 10000 Mbps, DLY 1000 usec
Available but not configured via nameif

Interface Port-channel11 "", is administratively down, line protocol is up
Hardware is EtherSVI, BW 10000 Mbps, DLY 1000 usec
Available but not configured via nameif

Interface Ethernet1/3 "diagnostic", is up, line protocol is up
Hardware is EtherSVI, BW 10000 Mbps, DLY 1000 usec
MAC address ecbd.1d5e.d20e, MTU 1500
IP address unassigned
A real expert ?

„Experts, beware of False Friends“
> show network
===============[ System Information ]===============
Hostname : ftd1.example.com
DNS Servers : 128.107.212.175
Management port : 8305
IPv4 Default route
Gateway : 10.0.0.1
==================[ management0 ]===================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 9000
MAC Address : EC:BD:1D:5E:D1:FF
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 10.0.0.12
Netmask : 255.255.255.0
Broadcast : 10.0.0.255

> ping
tcp        Test connection over TCP
system     Test connectivity from the FTD management interface
interface  interface
Hostname   hostname or A.B.C.D or X:X:X:X::X

> ping system 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.366 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.357 ms

> traceroute
system     Find route to remote network through FTD management interface
Backup and Restore
Lab-FP4110-A-A /system # show import-config detail
Import Configuration Task:
Hostname: local
Remote File: config--2017-01-24T10:19:40.384177.xml
User:
Protocol: Http
Admin State: Disabled
Status: Succeeded
Description:
Port: Default
Current Task:
Backup and Restore (really ?)
Lab-FP4110-A-A /ssa # show logical-device detail
Logical Device:
Name: ftd1
Description:
Slot ID: 1
Mode: Standalone
Operational State: Incomplete Configuration
Template Name: ftd
Error Msg: End User License Agreement not accepted for apps: ftd.6.1.0.330
Switch Configuration Status: Ok
For Your Reference
Backup and Restore Guidelines
• Bootstrap supervisor module IP settings
• Register Smart-Licensing
• Platform hardware and software version should(must) match
• Same network-modules must be installed
• The Application-Software packages must be installed
• Logical-Device EULA must be accepted (latest after Restore)
High Availability FTD Device
FTD HA-Configuration (1)
FTD HA-Configuration (2)
• You can share an interface for HA and State
• You can not(!) use a VLAN-Subinterface
• Beware: HA-Configuration immediately starts, there is no Deploy-Phase
Basic Failover-Configuration verification on CLI
> show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 11:31:59 CET Feb 14 2017
====Configuration State===
====Communication State===
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (truncated)
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Exclamation mark is your friend
Basic Failover-Configuration verification on CLI
> show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 11:31:59 CET Feb 14 2017
====Configuration State===
Sync Done
====Communication State===
Mac set

Don’t panic! Think in columns.
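Reading the two outputs above "in columns" is exactly what a script has to do to turn them into a health check. The parser below is an added example (not code from the session or from Cisco); the two samples are constructed in the column layout the device prints, with the values from the two slides, and the list of failover state names is an assumption to be extended as needed.

```python
"""Parse 'show failover state' and flag an unhealthy pair.

Added example, not from the session or from Cisco. The samples are
constructed in the device's column layout with the values from the slides.
"""
import re

# State names as the ASA/FTD failover subsystem prints them; assumed list,
# multi-word names first so 'Standby Ready' is not read as something else.
KNOWN_STATES = ("Standby Ready", "Cold Standby", "Sync File System", "Sync Config",
                "Bulk Sync", "Not Detected", "Just Active", "Negotiation",
                "Disabled", "Failed", "Active")

HOST_RE = re.compile(r"^(This|Other) host\s+-\s+(\w+)")


def parse_failover_state(text):
    """Return {'units': {'this': {...}, 'other': {...}}, 'config_state': [...], 'comm_state': [...]}."""
    units, sections = {}, {"config_state": [], "comm_state": []}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOST_RE.match(line)
        if m:                                  # 'This host  -   Primary'
            current = m.group(1).lower()
            units[current] = {"role": m.group(2), "state": None, "reason": None, "time": None}
            continue
        if line.startswith("===="):            # '====Configuration State==='
            section = "config_state" if "Configuration" in line else "comm_state"
            current = None
            continue
        if current and units[current]["state"] is None:
            # the line after a host line: '<state>  <last failure reason>  <date/time>'
            for state in KNOWN_STATES:
                if line.startswith(state):
                    rest = re.split(r"\s{2,}", line[len(state):].strip())
                    units[current]["state"] = state
                    if rest and rest[0] not in ("", "None"):
                        units[current]["reason"] = rest[0]
                    if len(rest) > 1:
                        units[current]["time"] = rest[1]
                    break
            continue
        if section:
            sections[section].append(line)
    return {"units": units, **sections}


def assess_failover(parsed):
    """Return a list of findings; an empty list means the pair looks healthy."""
    this, other = parsed["units"].get("this"), parsed["units"].get("other")
    if not (this and other):
        return ["could not find both units in the output"]
    findings = []
    states = {this["state"], other["state"]}
    if "Active" not in states:
        findings.append("no unit is Active")
    if "Standby Ready" not in states:
        findings.append("no unit is Standby Ready, the pair has no failover protection")
    for name, unit in (("this host", this), ("other host", other)):
        if unit["state"] == "Failed":
            findings.append("%s (%s) is Failed, last reason: %s at %s"
                            % (name, unit["role"], unit["reason"], unit["time"]))
    if "Sync Done" not in parsed["config_state"]:
        findings.append("configuration replication not finished: %s"
                        % (", ".join(parsed["config_state"]) or "empty"))
    return findings


# Constructed samples in the device's column layout, values from the slides.
BROKEN = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Failed         Comm Failure             11:31:59 CET Feb 14 2017

====Configuration State===
====Communication State===
"""
HEALTHY = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             11:31:59 CET Feb 14 2017

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(label, assess_failover(parse_failover_state(sample)) or ["ok"])
```

Note that a stale "Last Failure Reason" is not a finding by itself: the healthy sample still carries "Comm Failure" from the earlier outage, and only the state column decides.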
Failover Troubleshooting on FMC-UI
Verify Counters
Breaking Failover is safe
• It maintains full operations on the Active-Unit
• Standby-Unit loses failover and interface configurations
> show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel10.1 Outside 10.40.0.1 255.255.255.0 manual
Port-channel10.2 Inside 10.41.0.1 255.255.255.0 manual
Port-channel11 FOVER 172.16.1.1 255.255.255.0 unset

Current IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel11 FOVER 172.16.1.2 255.255.255.0 unset

> INFO: Security level for "Inside" set to 0 by default.
INFO: Security level for "Outside" set to 0 by default.
INFO: Security level for "diagnostic" set to 0 by default.
INFO: This unit is currently in standby state. By disabling failover, this unit will remain in standby state.
Verification on StandBy-unit
> show ip
System IP Addresses:
Interface Name IP address Subnet mask Method

Current IP Addresses:
Interface Name IP address Subnet mask Method
FTD HA information not synchronized (partial list)
• Sessions inside plaintext tunnels
  • GRE, IPinIP encapsulated traffic
• TLS Decrypted sessions
  • Decrypt/Resign: Blocked with Reset
  • Known-Keys: Blocked with Reset
• DHCP-Server
• Multicast-Routing
• Management-Connections to FTD-Device
  • HTTPS/SSH
Failover Troubleshooting CLI (need TAC for debugs)
> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower> en
Password:
firepower# debug fover ?
cable     Failover LAN status
cmd-exec  Failover EXEC command execution
fail      Failover internal exception
fmsg      Failover message
ifc       Network interface status trace
open      Failover device open
rx        Failover Message receive
rxdmp     Failover recv message dump (serial console only)
rxip      IP network failover packet recv
snort     Failover NGFW mode snort processing
switch    Failover Switching status
sync      Failover config/command replication
tx        Failover Message xmit
txdmp     Failover xmit message dump (serial console only)
txip      IP network failover packet xmit
verify    Failover message verify
For Your Reference
Failover Troubleshooting CLI (examples)
> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower> en
Password:
firepower# debug fover ifc
fover event trace on
firepower# fover_health_monitoring_thread: ifc_check() group: 0, - time = 8492170
fover_health_monitoring_thread: ifc_check() group: 0, - time = 8494670
fover_health_monitoring_thread: ifc_check() group: 0, - time = 8497170

firepower# debug fover rx
fover event trace on
firepower# fover_ip: HA TRANS: receive message for client Failover Control Module, length 32
fover_rx: rx msg: cmd 0x1, seqNum 0x43d0
fover_ip: HA TRANS: receive message for client Failover Control Module, length 32
fover_rx: rx msg: cmd 0x1, seqNum 0x43d1
lu_rx: HA TRANS: receive message for client Legacy LU support, length 52
High-Availability Update Demo
Ready to go: Our first configuration demo

For Your Reference
A quick look at Prefilter Policies versus AC-Policies
For Your Reference
Advanced troubleshoot option Packet-Tracer
packet-tracer input Inside tcp 10.41.0.10 1023 10.40.0.10 22 (for your reference)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ remark rule-id 268435458: RULE: MV-ICMP-Prefilter
Additional Information:
For Your Reference
Troubleshoot on FTD-CLI
> show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list CSM_FW_ACL_; 8 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268435458: RULE: MV-ICMP-Prefilter
access-list CSM_FW_ACL_ line 3 advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start (hitcnt=2) 0x60b01ea9
access-list CSM_FW_ACL_ line 4 remark rule-id 268435457: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268435457: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268435457 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268435457 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268435457 (hitcnt=0) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435457 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 10 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435457 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 11 remark rule-id 268435456: ACCESS POLICY: MV-Base - Mandatory/1
access-list CSM_FW_ACL_ line 12 remark rule-id 268435456: L7 RULE: MV-Monitor-Connections
access-list CSM_FW_ACL_ line 13 advanced permit ip ifc Inside any ifc Outside any rule-id 268435456 (hitcnt=12) 0x91a99859
access-list CSM_FW_ACL_ line 14 remark rule-id 268434432: ACCESS POLICY: MV-Base - Default/1
access-list CSM_FW_ACL_ line 15 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268434432 event-log flow-start (hitcnt=3) 0x97aa021a
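The remark lines above are the only place where LINA tells you which FMC policy and rule an ACE belongs to, and a rule-id can span several ACEs (the tunnel default rule has five). An added example (not code from the session or from Cisco) that re-joins the wrapped lines, groups the ACEs per rule-id and adds up their hit counts; the sample is the slide's own output in its wrapped form.

```python
"""Summarize FTD 'show access-list' output per FMC rule-id.

Added example, not code from the session or from Cisco: it re-joins wrapped
lines, takes policy and rule names from the remark lines and adds up hitcnt
per rule-id.
"""
import re

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (remark|advanced) (.*)$")
REMARK_RE = re.compile(
    r"rule-id (\d+): (PREFILTER POLICY|ACCESS POLICY|L7 RULE|L4 RULE|RULE): (.*)$")
RULEID_RE = re.compile(r"rule-id (\d+)")
HITS_RE = re.compile(r"\(hitcnt=(\d+)\)")


def join_wrapped(text):
    """Re-join wrapped output: a continuation line never starts with 'access-list'."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access-list") or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def _new_rule():
    return {"policy": None, "kind": None, "rule": None, "hits": 0, "aces": []}


def summarize_access_list(text):
    """Return {rule_id: {policy, kind, rule, hits, aces}} for every rule-id seen."""
    rules = {}
    for line in join_wrapped(text):
        m = ACE_RE.match(line)
        if not m:
            continue                                   # counter and header lines
        lineno, kind, rest = int(m.group(2)), m.group(3), m.group(4)
        if kind == "remark":
            r = REMARK_RE.search(rest)
            if not r:
                continue
            entry = rules.setdefault(int(r.group(1)), _new_rule())
            if r.group(2).endswith("POLICY"):          # PREFILTER POLICY / ACCESS POLICY
                entry["policy"] = r.group(3)
                entry["kind"] = "prefilter" if r.group(2).startswith("PREFILTER") else "access"
            else:                                      # RULE / L7 RULE / L4 RULE
                entry["rule"] = r.group(3)
        else:
            rid = RULEID_RE.search(rest)
            if not rid:
                continue
            entry = rules.setdefault(int(rid.group(1)), _new_rule())
            tokens = rest.split()                      # 'deny tcp any any eq ssh ...'
            hits = HITS_RE.search(rest)
            count = int(hits.group(1)) if hits else 0
            entry["hits"] += count
            entry["aces"].append({"line": lineno, "action": tokens[0], "protocol": tokens[1],
                                  "hits": count, "logging": "event-log" in rest})
    return rules


def rules_by_hits(rules):
    """(rule_id, hits, rule name) for rules with hits, most-hit first."""
    hit = [(rid, e["hits"], e["rule"]) for rid, e in rules.items() if e["hits"]]
    return sorted(hit, key=lambda t: (-t[1], t[0]))


# The slide's output, including the wrapped '(hitcnt=...)' lines.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list CSM_FW_ACL_; 8 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268435458: RULE: MV-ICMP-Prefilter
access-list CSM_FW_ACL_ line 3 advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start
(hitcnt=2) 0x60b01ea9
access-list CSM_FW_ACL_ line 4 remark rule-id 268435457: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268435457: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268435457 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268435457 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268435457 (hitcnt=0) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435457
(hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 10 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435457
(hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 11 remark rule-id 268435456: ACCESS POLICY: MV-Base - Mandatory/1
access-list CSM_FW_ACL_ line 12 remark rule-id 268435456: L7 RULE: MV-Monitor-Connections
access-list CSM_FW_ACL_ line 13 advanced permit ip ifc Inside any ifc Outside any rule-id 268435456
(hitcnt=12) 0x91a99859
access-list CSM_FW_ACL_ line 14 remark rule-id 268434432: ACCESS POLICY: MV-Base - Default/1
access-list CSM_FW_ACL_ line 15 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268434432 event-log flow-start
(hitcnt=3) 0x97aa021a
"""

if __name__ == "__main__":
    for rid, hits, name in rules_by_hits(summarize_access_list(SHOW_ACCESS_LIST)):
        print(rid, hits, name)
```

Prefilter rules (kind "prefilter") come first in the ACL and therefore win before the access-policy rules are consulted, which is why the SSH deny above shows hits while the monitor rule still sees the rest.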
ASA to FTD Migration
• Required steps
  • Meet the minimum requirements
  • Export your ASA config to txt/cfg file
  • Start a fresh FMCv instance on VMware matching your target FMC version
  • Run the „migration tool“ inside FMCv root shell
  • Import the ASA configuration file
  • Download the converted „.sfo“-File
  • Import the converted configuration into your real FMC
• Troubleshoot
  • Check the migration report first
  • FMC UI > Generate troubleshoot and contact TAC
ASA to FTD Migration Demo

FTD Troubleshooting tools
Process Management
> pmtool
  disablebyid     pmtool disablebyid
  disablebytype   pmtool disablebytype
  enablebyid      pmtool enablebyid
  enablebytype    pmtool enablebytype
  restartbyid     pmtool restartbyid
  restartbytype   pmtool restartbytype
  status          pmtool status

Show status of processes:
# pmtool status
# sudo pmtool disablebyid SFDataCorrelator
You should see that the process is in User Disabled state:
# pmtool status | grep SFDataCorrelator
# sudo pmtool enablebyid SFDataCorrelator
Verify that the process is running and make sure that the process ID matches in 'pmtool' and 'ps':
# sudo pmtool status | grep SFDataCorrelator
# ps aux | grep <PID>
Restart all detection engine / Snort instances:
# pmtool restartbytype snort
Important note, restartbyid for Snort would cause only one instance to be restarted.
# tail -f /var/log/messages
Functionality Of Some FTD Processes
• snort: inspects network traffic (pass, block and alert)
• ids_event_processor: sends intrusion events to managing device (FMC)
• ids_event_alerter: sends intrusion events to Syslog or SNMP server
• wdt-util: used for fail-to-wire / hardware bypass
• SFDataCorrelator: processing events
• sftunnel: secure tunnel between managed device and FMC
• diskmanager, Pruner: managing disk space and clean up old files
• ntpd: responsible for time synchronization
• snmpd: SNMP monitoring
• pm (process manager): responsible for launching and monitoring of all FTD relevant processes and restarting them in case of failure
Troubleshooting File
Generate troubleshooting file over CLISH and ROOT CLI:
> system generate-troubleshoot all
# /usr/local/sf/bin/sf_troubleshoot.pl ALL
Storage of troubleshooting files:
Firepower: /var/common/ vs. FTD: /ngfw/var/common/
/ngfw/var/common/results-01-19-2017--214641.tar.gz

What data does the troubleshooting file include? -> /etc/sf/troubleshoot.conf
Layout of the troubleshooting file: command-outputs, file-contents, dir-archives
Key to remember: Troubleshooting files can't always tell you & TAC everything!
FTD V6.1 Troubleshooting Enhancements
• File download tool
• Threat Defense CLI tools
  • packet-tracer
  • show
  • ping
  • traceroute
Those commands will be executed in privileged mode.
Supported on all FTD devices, both physical and virtual.
FXOS Capture: Quick option (1)
• Apply a reasonable Traffic-Filter
• Focus just on physical Ingress-Egress port
FXOS Capture: Quick option (2)
• Download your capture and filter in wireshark
ASA/LINA Packet Capture - The Wires Never Lie!
firepower# cap in interface INSIDE match icmp any any trace detail
firepower# cap out interface OUTSIDE match icmp any any trace detail
firepower# cap asp type asp-drop all buffer 33554432

firepower# sh cap
capture in type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
match icmp any any
capture out type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]
match icmp any any
capture asp type asp-drop all buffer 33554432 [Capturing - 114 bytes]

firepower# sh cap in packet-number 1 trace
1: 09:09:18.644467 172.16.1.17 > 20.20.20.100: icmp: echo request
Type: SNORT
Subtype:
Result: DROP
Snort Verdict: (black-list) black list this flow
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
FP/Snort Capture - The Wires Never Lie! (1)
> capture-traffic
Please choose domain to capture traffic from:
0 - management0
1 - Router
Selection? 1
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: icmp
23:07:21.619642 IP 172.16.1.17 > 20.20.20.100: ICMP echo request, id 24538, seq 1, length 64

FP/Snort Capture - The Wires Never Lie! (2)
> capture-traffic
Options: -v -n -e (icmp and host 172.16.2.11) or (vlan and icmp and host 172.16.2.11)
12:02:43.949535 00:50:56:b6:0b:33 > 58:97:bd:b9:73:ee, ethertype 802.1Q (0x8100), length 78: vlan 208, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 5366, offset 0, flags [none], proto ICMP (1), length 60)

SNORT
IN:
firepower# sh cap inside
1: 12:09:56.732841 802.1Q vlan#208 P0 172.16.2.11 > 20.20.20.11: icmp: echo request
2: 12:09:56.733696 802.1Q vlan#208 P0 20.20.20.11 > 172.16.2.11: icmp: echo reply

OUT:
firepower# sh cap outside
1: 12:09:56.733162 172.16.2.11 > 20.20.20.11: icmp: echo request
2: 12:09:56.733680 20.20.20.11 > 172.16.2.11: icmp: echo reply
Correct Access Control Rule Being Evaluated?
• Tool that provides the Access Control Rule evaluation status for each flow as we receive packets in real time.
• The NGFW debug needs at least one filtering condition specified.

> system support firewall-engine-debug
Please specify an IP protocol: icmp
Please specify a client IP address: 172.16.1.17
Please specify a server IP address: 20.20.20.100
Monitoring firewall engine debug messages
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 New session
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 using HW or preset rule order 2, 'allow and inspect', action Allow and prefilter rule 0
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 allow action
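Every line of that debug starts with the same flow key (client-port, server-port, protocol; for ICMP the "ports" are type and code), then the access-control sub-instance and the Snort instance that handled it. An added example (not code from the session or from Cisco) that groups the lines per flow and pulls the rule decision out of the "using HW or preset rule order" message; the sample is the slide's output plus the debug line from the later hit-counter slide and one constructed TCP flow that has not reached a rule yet.

```python
"""Group FTD 'system support firewall-engine-debug' lines per flow.

Added example, not from the session or from Cisco. The flow key on every
line is client-port > server-port proto (for ICMP the 'ports' are type and
code), then 'AS n' (access-control sub-instance) and 'I n' (Snort instance).
"""
import re

LINE_RE = re.compile(
    r"^(?P<client>[\d.]+)-(?P<cport>\d+) > (?P<server>[\d.]+)-(?P<sport>\d+) "
    r"(?P<proto>\d+) AS (?P<acs>\d+) I (?P<inst>\d+) (?P<msg>.*)$")
RULE_RE = re.compile(
    r"rule order (?P<order>\d+), '(?P<name>[^']*)', action (?P<action>\w+)"
    r"(?: and prefilter rule (?P<prefilter>\d+))?")


def parse_engine_debug(text):
    """Return {flow_key: {instance, messages, rule}} keyed by the 5-tuple on each line."""
    flows = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                          # prompt and 'Please specify' lines
        key = (m.group("client"), int(m.group("cport")), m.group("server"),
               int(m.group("sport")), int(m.group("proto")))
        flow = flows.setdefault(key, {"instance": int(m.group("inst")),
                                      "messages": [], "rule": None})
        flow["messages"].append(m.group("msg"))
        r = RULE_RE.search(m.group("msg"))
        if r:                                 # the rule decision for this flow
            flow["rule"] = {"order": int(r.group("order")), "name": r.group("name"),
                            "action": r.group("action"),
                            "prefilter_rule": int(r.group("prefilter")) if r.group("prefilter") else None}
    return flows


def rule_decisions(flows):
    """One row per flow: client, server, protocol, rule name and action (None if undecided)."""
    rows = []
    for (client, _, server, _, proto), flow in sorted(flows.items()):
        rule = flow["rule"]
        rows.append((client, server, proto,
                     rule["name"] if rule else None, rule["action"] if rule else None))
    return rows


# The slide's output, the debug line from the hit-counter slide, and one
# constructed TCP flow (172.16.2.13:49182 -> 20.20.20.11:80) without a decision yet.
SAMPLE = """\
> system support firewall-engine-debug
Please specify an IP protocol: icmp
Please specify a client IP address: 172.16.1.17
Please specify a server IP address: 20.20.20.100
Monitoring firewall engine debug messages
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 New session
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 using HW or preset rule order 2, 'allow and inspect', action Allow and prefilter rule 0
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 allow action
172.16.2.25-8 > 20.20.20.11-0 1 AS 1 I 47 using HW or preset rule order 3, 'DNS and icmp', action Trust and prefilter rule 0
172.16.2.13-49182 > 20.20.20.11-80 6 AS 1 I 47 New session
"""

if __name__ == "__main__":
    for row in rule_decisions(parse_engine_debug(SAMPLE)):
        print(row)
```

Keying on the full 5-tuple matters: the two ICMP flows above share type 8 / code 0 and differ only by address, and a single "New session" line with no decision yet is the signature of a flow still waiting for enough packets to classify.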
Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================     <- AC Rule Name
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 10
Variable Set : Default-Set
... (output omitted) ...

# watch '/usr/local/sf/bin/sfcli.pl show firewall | grep "ciscolive\| Rule\:\|Rule Hits"'
===================[ ciscolive ]====================
Rule Hits : 10
------------------[ Rule: allow ]-------------------
Rule Hits : 14
------------------[ Rule: block ]-------------------
Rule Hits : 0

Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================     <- AC Rule Name
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 16
Variable Set : Default-Set
... (output omitted) ...

# watch '/usr/local/sf/bin/sfcli.pl show firewall | grep "ciscolive\| Rule\:\|Rule Hits"'
===================[ ciscolive ]====================
Rule Hits : 16
------------------[ Rule: allow ]-------------------
Rule Hits : 14
------------------[ Rule: block ]-------------------
Rule Hits : 0

Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================     <- AC Rule Name
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 22
Variable Set : Default-Set
... (output omitted) ...

# watch '/usr/local/sf/bin/sfcli.pl show firewall | grep "ciscolive\| Rule\:\|Rule Hits"'
===================[ ciscolive ]====================
Rule Hits : 22
------------------[ Rule: allow ]-------------------
Rule Hits : 14
------------------[ Rule: block ]-------------------
Rule Hits : 0
Access Control Policy Rule Hit Counters - GUI
Your “custom” connections event view in FMC:
1. Analysis -> Custom -> Custom Workflows -> Create Custom Workflow and use Table “Connection Events”
2. Add page and fill in fields like: “Access Control Policy”, “Access Control Rule”, “Count”, “Initiator IP”, “Responder IP”
3. Add Table view
Access Control Policy Rule Hit Counters - GUI
FTD NGFW debugs:
172.16.2.25-8 > 20.20.20.11-0 1 AS 1 I 47 using HW or preset rule order 3, 'DNS and icmp', action Trust and prefilter rule 0

> show access-control-config
==== [ CL-ACP-2017-FINAL ]===
…(output omitted)
------[ Rule: DNS and icmp ]------
Action : Allow
Destination Ports : protocol 6, port 53
protocol 17, port 53
protocol 1
protocol 6, port 80
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Enabled
Rule Hits : 28
Variable Set : Default-Set
… (output omitted)

FMC GUI: Analysis -> Connections events -> “switch workflows” and select your newly created workflow “ACP rule hitcounters”

Why the hit counters do not match?
Tracing Packets
firepower# packet-tracer input INSIDE icmp 172.16.1.11 8 0 20.20.20.10 det

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit icmp any any echo rule-id 268436992
access-list CSM_FW_ACL_ remark rule-id 268436992: ACCESS POLICY: ciscolive - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268436992: L7 RULE: icmp allow only
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x7f0c2e933260, priority=12, domain=permit, deny=false
hits=200, user_data=0x7f08c343bd80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
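The packet-tracer output above, the prefilter DROP on the earlier packet-tracer slide and the Snort DROP in the capture trace all share one phase layout: "Phase / Type / Subtype / Result" blocks followed by "Action" and "Drop-reason". An added example (not code from the session or from Cisco) that reads any of the three into phases and a verdict and answers "where and why was it dropped?" in one line; the samples are the slide fragments, and the final Result block of the first sample (interfaces, Action, Drop-reason) is constructed because the slide cut it off.

```python
"""Read packet-tracer / 'show capture ... trace' output into phases and a verdict.

Added example, not from the session or from Cisco. Samples are the fragments
on the packet-tracer, capture-trace and Tracing-Packets slides; the final
'Result:' block of PREFILTER_DROP is constructed (the slide cut it off).
"""


def parse_trace(text):
    """Return (phases, verdict). A phase starts at 'Phase: n', or at a 'Type:' line
    when no phase is open (the capture trace on the slide has no Phase line)."""
    phases, cur = [], None
    verdict = {"action": None, "drop_reason": None, "snort_verdict": None, "dropped_in": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase" or (key == "Type" and (cur is None or cur["type"] is not None)):
            cur = {"phase": int(value) if key == "Phase" else len(phases) + 1,
                   "type": None, "subtype": None, "result": None, "details": []}
            phases.append(cur)
            if key == "Phase":
                continue
        if key == "Result" and not value:          # bare 'Result:' opens the summary block
            cur = None
            continue
        if key == "Action":
            verdict["action"] = value
        elif key == "Drop-reason":
            verdict["drop_reason"] = value
        elif key == "Snort Verdict":
            verdict["snort_verdict"] = value
        elif cur is None:
            continue                               # packet header or summary interface lines
        elif key == "Type":
            cur["type"] = value
        elif key == "Subtype":
            cur["subtype"] = value
        elif key == "Result":
            cur["result"] = value
            if value == "DROP" and verdict["dropped_in"] is None:
                verdict["dropped_in"] = cur        # first phase that dropped it
        else:
            cur["details"].append(line)            # Config / Additional Information lines
    return phases, verdict


def explain(text):
    """One-line answer to 'where and why was this packet dropped?'"""
    phases, v = parse_trace(text)
    d = v["dropped_in"]
    if d is not None or v["action"] == "drop":
        where = "%s/%s" % (d["type"], d["subtype"] or "-") if d else "final result"
        return "DROP at %s: %s" % (where, v["drop_reason"] or v["snort_verdict"] or "no reason printed")
    to_snort = any("sent to snort" in line.lower() for p in phases for line in p["details"])
    return "ALLOW in LINA" + (", handed to Snort for further verdict" if to_snort else "")


PREFILTER_DROP = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ remark rule-id 268435458: RULE: MV-ICMP-Prefilter
Additional Information:

Result:
input-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
SNORT_DROP = """\
1: 09:09:18.644467 172.16.1.17 > 20.20.20.100: icmp: echo request
Type: SNORT
Subtype:
Result: DROP
Snort Verdict: (black-list) black list this flow
input-interface: INSIDE
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
"""
ALLOW_TO_SNORT = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit icmp any any echo rule-id 268436992
access-list CSM_FW_ACL_ remark rule-id 268436992: L7 RULE: icmp allow only
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
"""

if __name__ == "__main__":
    for sample in (PREFILTER_DROP, SNORT_DROP, ALLOW_TO_SNORT):
        print(explain(sample))
```

The distinction the last case makes is the one to keep in mind on FTD: an ALLOW from LINA's access-list phase is not the final verdict when the packet is handed to Snort, so a drop seen on the wire with a clean packet-tracer run points at the Snort side, where the capture trace and firewall-engine-debug take over.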
You can operate and troubleshoot the NG-Firewall with confidence

FTD Packet-Flow
Packet processing – before we ‘enter’ the ASA/LINA
[Hardware diagram: Security Engine (ASA or FTD), Smart NIC + Crypto Accelerator, Internal Switch Fabric, 2x40Gbps Uplink, 4x 40 Gbps or 8x 10 Gbps, 8x 10Gbps, NM 1, NM 2]
[Packet-processing diagram: ASA/LINA path with Ingress Interface (RX), Existing Conn, Pre-Filter, L3/L4 ACL, Egress Interface, ALG checks, L3/L2 hops, NAT and TX; VPN Decrypt on ingress, QoS and VPN Encrypt on egress; the DAQ hands packets (YES/NO) to Advanced Snort / FirePOWER: SI (IP), SI (DNS/URL), Identity, SSL, L7 ACL, File/AMP, IPS]

firepower# sh int eth 1/7
Interface Ethernet1/7 "INSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 1000 usec
MAC address 5897.bdb9.73ee, MTU 1500
IP address 172.16.1.1, subnet mask 255.255.255.0
Traffic Statistics for "INSIDE":
180 packets input, 14853 bytes
155 packets output, 12628 bytes
25 packets dropped               <- number of packets dropped in ASP: ‘show asp drop‘
1 minute input rate 1 pkts/sec, 94 bytes/sec
1 minute output rate 1 pkts/sec, 85 bytes/sec
1 minute drop rate, 0 pkts/sec

High-level information about packet counters in and out of the box on a per-context basis:
firepower# clear count
firepower# show count

Packet rate in and out on a per-interface basis:
firepower# clear traffic
firepower# show traffic
Packet processing
[Packet-processing diagram as on the previous slide]
• The ASA/LINA part checks whether the packet belongs to an existing flow or not
• If the packet is part of an already established flow, the appliance skips the basic checks, processes the packet in the Fast-Path and continues with the checks at DAQ level

show capture <name> packet-number <number> trace
show conn detail
packet-tracer

show run logging
show logging
FMC: Device -> Platform Settings
Packet processing
[Packet-processing diagram as on the previous slides]
firepower# show cap in2 packet-number 46 trace detail
46: 19:28:20.056012 0050.56b6.0b33 5897.bdb9.73ee 0x8100 Length: 58
802.1Q vlan#208 P0 172.16.2.13.49182 > 20.20.20.11.80: . [tcp sum ok] 2790183968:2790183968(0) ack 1176461110 win 231 (DF) (ttl 128, id 16898)
...
Type: FLOW-LOOKUP
Found flow with id 34550, using existing flow        <- Unique Connection ID

firepower# sh logging | include 34550
%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182 (172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302014: Teardown TCP connection 34550 for in2:172.16.2.13/49182 to OUTSIDE:20.20.20.11/80 duration 0:00:28 bytes 1073752075 Flow closed by inspection
firepower#
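The two syslogs above are the Built and Teardown record of one connection ID, and together they give what the capture alone does not: duration, byte count and the teardown reason ("Flow closed by inspection" here). An added example (not code from the session or from Cisco) that correlates 302013/302014 pairs by connection ID; the two TCP lines are the slide's, re-joined on one line each, while the UDP pair (302015/302016, assumed to follow the same layout as the TCP messages) and the never-closed TCP connection are constructed so the open-connection case is exercised too.

```python
"""Correlate ASA/LINA connection syslogs by connection ID.

Added example, not from the session or from Cisco. The two TCP messages are
the slide's (re-joined on one line each); the UDP pair and the never-closed
TCP connection are constructed.
"""
import re

BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<id>\d+) for (?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\((?P<msrc>[\d.]+)/(?P<msport>\d+)\) to (?P<out_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<mdst>[\d.]+)/(?P<mdport>\d+)\)")
TEARDOWN_RE = re.compile(
    r"%ASA-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    r"(?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<out_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")


def _skeleton(m):
    """Record with the fields both message types carry; the rest is filled in later."""
    return {"proto": m.group("proto"), "direction": None,
            "in_if": m.group("in_if"), "src": "%s/%s" % (m.group("src"), m.group("sport")),
            "out_if": m.group("out_if"), "dst": "%s/%s" % (m.group("dst"), m.group("dport")),
            "natted": None, "duration_s": None, "bytes": None, "reason": None, "closed": False}


def correlate(lines):
    """Return {conn_id: record}, merging the Built and Teardown message of each connection."""
    conns = {}
    for line in lines:
        b = BUILT_RE.search(line)
        if b:
            rec = conns.setdefault(int(b.group("id")), _skeleton(b))
            rec["direction"] = b.group("direction")
            # the bracketed (mapped) addresses differ from the real ones only under NAT
            rec["natted"] = ((b.group("src"), b.group("sport")) != (b.group("msrc"), b.group("msport"))
                             or (b.group("dst"), b.group("dport")) != (b.group("mdst"), b.group("mdport")))
            continue
        t = TEARDOWN_RE.search(line)
        if t:
            rec = conns.setdefault(int(t.group("id")), _skeleton(t))
            rec["duration_s"] = int(t.group("h")) * 3600 + int(t.group("m")) * 60 + int(t.group("s"))
            rec["bytes"] = int(t.group("bytes"))
            rec["reason"] = t.group("reason")       # None for messages without a reason
            rec["closed"] = True
    return conns


def still_open(conns):
    """Connection IDs that were built but never torn down in the log window."""
    return sorted(cid for cid, rec in conns.items() if not rec["closed"])


def heaviest(conns, n=1):
    """Closed connections ordered by byte count, largest first."""
    closed = [(rec["bytes"], cid) for cid, rec in conns.items() if rec["closed"]]
    return [cid for _, cid in sorted(closed, reverse=True)[:n]]


# Slide's two TCP lines (re-joined), plus a constructed UDP pair and a constructed
# TCP connection 34552 that never shows a Teardown.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182 (172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302015: Built inbound UDP connection 34551 for in2:172.16.2.13/51234 (172.16.2.13/51234) to OUTSIDE:20.20.20.11/53 (20.20.20.11/53)
%ASA-6-302013: Built inbound TCP connection 34552 for in2:172.16.2.13/49190 (172.16.2.13/49190) to OUTSIDE:20.20.20.11/443 (20.20.20.11/443)
%ASA-6-302016: Teardown UDP connection 34551 for in2:172.16.2.13/51234 to OUTSIDE:20.20.20.11/53 duration 0:00:02 bytes 190
%ASA-6-302014: Teardown TCP connection 34550 for in2:172.16.2.13/49182 to OUTSIDE:20.20.20.11/80 duration 0:00:28 bytes 1073752075 Flow closed by inspection
"""

if __name__ == "__main__":
    conns = correlate(SAMPLE_LOG.splitlines())
    print("heaviest:", heaviest(conns), "still open:", still_open(conns))
```

Feeding a few hours of "show logging" or the syslog export into this is a quick way to spot the same class of anomaly the slide hints at: a short-lived HTTP connection that moved a gigabyte before inspection closed it.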
SI (DNS/URL), Identity Advanced Snort / FirePOWER

SI (IP) SSL L7 ACL File/AMP IPS

Packet processing
YES
DAQ
Ingress NO Egress
Existing L3/L4 ALG L3, L2
RX Pre-Filter TX
Interface Interface ACL NAT
Conn checks hops

VPN Decrypt
ASA/LINA QoS, VPN Encrypt

Determination of Egress Interface

• Routing table / route lookup – the ‘in’ entries of the ASP routing table are checked to determine the egress interface
• UN-NAT (destination NAT) – the egress interface is chosen based on the NAT rule

Commands to verify:
• show asp table routing
• show capture <name> packet-number 10 trace detail
• packet-tracer

Pre-filter rules solve the following issues:

• The ASA firewall enforces access-control rules on the outer encapsulation headers without looking into the payload
• FirePOWER devices match traffic only based on the inner payload headers
• Lack of visibility on all sessions, such as tunnels

Pre-filter rules were introduced in the 6.1 release and allow the following:
• Trust/deny/allow the tunnels based on the outer header
• Tag the interesting tunnels and use the tag to enforce ACP rules for the inner sessions inside the tunnel
Pre-Filter Policy – Pre-filter Rule Actions

• Analyze: sends the traffic for inspection to Snort
• Block: drops the traffic
• Fastpath: allows the traffic and bypasses further inspection; the rule is processed in hardware and the traffic is offloaded
firepower# show flow-offload flow

2 in use, 2 most used, 16% offloaded
TCP intfc 106 src 20.20.20.11:80 dest 172.16.2.14:49191, timestamp 2265924877, packets 191614, bytes 264712022
TCP vlan 208 intfc 107 src 172.16.2.14:49191 dest 20.20.20.11:80, timestamp 2265924879, packets 26301, bytes 1788781

firepower# show conn address 20.20.20.11 detail long

TCP in2: 172.16.2.14/49191 (172.16.2.14/49191) OUTSIDE: 20.20.20.11/80 (20.20.20.11/80), flags Uo, idle 12s, uptime 12s, timeout 1h0m, bytes 683253399

The newly added flag ‘o’ means that the flow was offloaded.


%ASA-6-805001: Offloaded TCP Flow for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)
%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)
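The connection ID is the key that ties the 302013/302014 build and teardown messages and the 805001/805002 offload messages of one flow together. The following script is an added example (not code from the session or from Cisco) that rebuilds that per-connection timeline offline from a saved `show logging` output, so a flow closed by inspection or a flow that left the offload path can be found without grepping by hand. The sample lines are constructed from the syslogs shown on these slides plus one unrelated message that the parser must ignore.

```python
"""Correlate ASA/LINA connection syslogs by connection ID (added example, constructed sample input).

Message IDs used here are the ones shown on the slides:
302013/302014 = TCP connection built/teardown, 805001/805002 = flow offloaded / no longer offloaded.
"""
import re
from collections import defaultdict

EVENT_BY_MSGID = {
    "302013": "built",
    "302014": "teardown",
    "805001": "offloaded",
    "805002": "offload-ended",
}

# All four messages carry the connection ID as the integer after the word "connection".
MSG_RE = re.compile(r"%ASA-\d-(?P<msgid>\d{6}): .*?\bconnection (?P<conn>\d+)\b")
# Teardown messages end with duration, byte count and the teardown reason.
TEARDOWN_RE = re.compile(r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$")

# Constructed sample: the slide's 302013/302014 and 805001/805002 lines, one message per line,
# plus a 302015 (UDP built) line that is not part of the tracked set and must be skipped.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182 (172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)
%ASA-6-302015: Built outbound UDP connection 34893 for in2:172.16.2.13/53000 (172.16.2.13/53000) to OUTSIDE:20.20.20.11/53 (20.20.20.11/53)
%ASA-6-302014: Teardown TCP connection 34550 for in2:172.16.2.13/49182 to OUTSIDE:20.20.20.11/80 duration 0:00:28 bytes 1073752075 Flow closed by inspection
%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)
"""


def parse_syslog(text):
    """Return {conn_id: [event, ...]} in log order; messages outside EVENT_BY_MSGID are skipped."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m or m.group("msgid") not in EVENT_BY_MSGID:
            continue
        event = {"type": EVENT_BY_MSGID[m.group("msgid")]}
        if event["type"] == "teardown":
            t = TEARDOWN_RE.search(line)
            if t:
                event["duration"] = t.group("duration")
                event["bytes"] = int(t.group("bytes"))
                event["reason"] = t.group("reason").strip()
        timeline[int(m.group("conn"))].append(event)
    return dict(timeline)


def closed_by_inspection(timeline):
    """Connection IDs whose teardown reason says the inspection engine closed them.
    These are the flows to follow up with firewall-engine-debug or the SNORT phase of a trace."""
    return sorted(conn for conn, events in timeline.items()
                  for e in events
                  if e["type"] == "teardown" and "inspection" in e.get("reason", "").lower())


def offload_state(timeline, conn):
    """'offloaded' if the last offload message put the flow in hardware, 'not offloaded' if it
    came back to the LINA path, None if no offload message was seen for this connection."""
    state = None
    for e in timeline.get(conn, []):
        if e["type"] == "offloaded":
            state = "offloaded"
        elif e["type"] == "offload-ended":
            state = "not offloaded"
    return state


if __name__ == "__main__":
    tl = parse_syslog(SAMPLE_SYSLOG)
    for conn, events in tl.items():
        print(conn, [e["type"] for e in events], "offload:", offload_state(tl, conn))
    print("closed by inspection:", closed_by_inspection(tl))
```

Feed it the output of `show logging` (or the syslog server's archive) and use `closed_by_inspection()` to shortlist the connection IDs whose teardown was not a normal TCP close before pulling captures with `trace` for them.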

L3/L4 ACL: the ASA/LINA side matches on the 5-tuple; the FMC rule is carried on both engines under the same rule-id.

ASA/LINA side (rule-id 268441864 as deployed from FMC):
firepower# show access-list | i icmp
access-list CSM_FW_ACL_ line 9 remark rule-id 268441864: L7 RULE: icmp traffic
access-list CSM_FW_ACL_ line 10 advanced permit icmp any any rule-id 268441864 (hitcnt=335) 0xa2dc10fa

FirePOWER side:
root@ftd:/var/sf/detection_engines/ae4faffe-d1b2-11e6-8ea4-817d227fa40c# cat ngfw.rules | grep 268441864
268441864 fastpath any any any any any any any 1 (log dcforward both)
• Ability to block dangerous / malicious traffic, aka “bad guys”
• The SI feed is updated periodically by the Cisco TALOS team
• Traffic matching the SI whitelist is intentionally still processed by the rest of the ACP rules

root@firepower:/Volume/home/admin# cd /var/sf/iprep_download/
root@firepower:/var/sf/iprep_download# grep "72.4.119.2\|#" * | tail -n 2
d8eea83e-6167-11e1-a154-589de99bfdf1:#Global-Whitelist
d8eea83e-6167-11e1-a154-589de99bfdf1:72.4.119.2
root@firepower:/var/sf/iprep_download# cat d8eea83e-6167-11e1-a154-589de99bfdf1
#Global-Whitelist
72.163.4.161
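The grep above answers "which list file contains this exact address". As an added example (not code from the session or from Cisco), the script below does the same lookup offline over a copy of the `/var/sf/iprep_download` files, taking the `#` line as the list name the way the slide shows it, and additionally treats entries as networks so a CIDR entry matches too. That CIDR handling, the second list and every address in the sample are constructed assumptions for this example, not something shown on the slide.

```python
"""Find which Security Intelligence list(s) an address belongs to (added example, constructed sample)."""
import ipaddress

# Constructed stand-in for the files under /var/sf/iprep_download/: file name (list UUID) -> contents.
# The first '#' line names the list, as on the slide (#Global-Whitelist). Entries are single IPs or,
# as an assumption made in this example, CIDR blocks. The second file and its UUID are made up.
SAMPLE_IPREP_FILES = {
    "d8eea83e-6167-11e1-a154-589de99bfdf1": "#Global-Whitelist\n72.163.4.161\n72.4.119.2\n",
    "11111111-2222-3333-4444-555555555555": "#Example-Blacklist\n203.0.113.0/24\n198.51.100.25\nnot-an-ip\n",
}


def parse_iprep_file(text):
    """Return (list_name, [networks]). The first '#' line is the list name, later '#' lines are comments;
    a malformed entry is skipped instead of aborting the whole list."""
    name, nets = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if name is None:
                name = line[1:].strip()
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return name, nets


def lookup(files, address):
    """All (list_name, file_name) pairs whose entries contain `address`, sorted for stable output."""
    ip = ipaddress.ip_address(address)
    hits = []
    for fname, text in files.items():
        name, nets = parse_iprep_file(text)
        if any(ip in net for net in nets if net.version == ip.version):
            hits.append((name, fname))
    return sorted(hits)


if __name__ == "__main__":
    for addr in ("72.4.119.2", "203.0.113.77", "192.0.2.1"):
        print(addr, "->", lookup(SAMPLE_IPREP_FILES, addr) or "no SI list")
```

A hit in the whitelist only tells you the address is exempt from SI blocking; as the slide says, the flow still goes through the remaining ACP rules, so a whitelist hit never explains an allowed connection on its own.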

SSL inspection – policy to control SSL flows

• Decrypt – Resign
  • Client <---> FTD (MITM) <---> Server
  • Usage: 3rd party servers or Internet resources
• Known key
  • FTD has imported the server’s private key
  • Usage: servers that you own

Note: In a passive deployment you cannot use the ”Decrypt - Resign” action, since it requires re-signing the server certificate.

• Do not decrypt – passes the encrypted traffic on for AC rule evaluation
• Monitor – only logs the traffic flow for tracking purposes; the traffic is still evaluated by the rest of the rule set
• Block, Block with reset – prevent the encrypted traffic from passing through

• Order of operation:
  • SSL rules are processed from top to bottom
  • Once a match is found, the system does not evaluate the traffic against the rules below it

SSL errors on failing decrypt:

- negotiation mode with unsupported extension
- any miss in the SSL handshake

> system support ssl-debug debug_policy_all
Parameter debug_policy_all successfully added to configuration file.
Configuration file contents:
debug_policy_all
You must restart snort before this change will take affect
This can be done via the CLI command 'pmtool restartbytype DetectionEngine'.

> pmtool restartbytype DetectionEngine

> expert
admin@ftd:/opt/bootcli/cisco/cli/bin$ cd /ngfw/var/common/

• Order of operation: rules are processed from top to bottom
• Distinguish how ACP rule conditions combine: between columns they are ANDed, within a column they are ORed
• Adaptive profiling needs to be enabled in order to determine the App ID (“on by default”)
• Identification of the App ID usually occurs within 3-5 packets, or after the SSL handshake

> system support firewall-engine-debug

172.16.1.10-60467 > 20.20.20.10-21 6 AS 1 I 7 no match rule order 3, 'FTP to be allowed', app s=-1 c=-1 p=-1 m=-1

20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 Starting with minimum 3, 'FTP to be allowed', and SrcZone first with zones 2 -> 1, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 165, payload 4002, client 2000000165, misc 0, user 9999997, icmpType 0, icmpCode 0
20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 match rule order 3, 'FTP to be allowed', action Allow

firepower# show access-list | include FTP
access-list CSM_FW_ACL_ line 14 remark rule-id 268443650: L7 RULE: FTP to be allowed
firepower# show access-list | i 268443650
access-list CSM_FW_ACL_ line 13 remark rule-id 268443650: ACCESS POLICY: CL-ACP-2017-FINAL - Mandatory/2
access-list CSM_FW_ACL_ line 14 remark rule-id 268443650: L7 RULE: FTP to be allowed
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268443650 (hitcnt=16) 0xa1d3780e
firepower#
root@ftd:/opt/bootcli/cisco/cli/bin# cat /ngfw/var/sf/detection_engines/ae4faffe-d1b2-11e6-8ea4-817d227fa40c/ngfw.rules | grep 268443650
268443650 allow any any any any any any any any (log dcforward both) (appid 52:1, 165:1, 166:1, 167:1, 168:1, 250:1, 251:1, 281:1, 291:1, 332:1, 348:1, 349:1, 365:1, 411:1, 420:4, 441:1, 469:1, 862:1, 2606:4, 3126:1, 3131:1, 3380:1, 3562:1, 4002:4, 4003:4, 2000000052:2, 2000000165:2, 2000000166:2, 2000000167:2, 2000000168:2, 2000000250:2, 2000000251:2, 2000000281:2, 2000000291:2, 2000000332:2, 2000000348:2, 2000000349:2, 2000000365:2, 2000000411:2, 2000000441:2, 2000000469:2, 2000000862:2, 2000003126:2, 2000003131:2, 2000003380:2, 2000003562:2)
root@ftd:/opt/bootcli/cisco/cli/bin#
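Both this slide and the earlier L3/L4 ACL slide (rule-id 268441864, "icmp traffic") make the same point: one FMC rule-id shows up in the LINA ACL and in Snort's ngfw.rules, and the two entries should be read side by side. The script below is an added example (not code from the session or from Cisco) that joins a saved `show access-list` output with a saved `ngfw.rules` on the rule-id, so that the rule name, the policy section, the LINA action and hit count, the Snort action and the appid list of one rule land in a single record. The sample input is constructed from the two slides, with the appid list abridged; how ngfw.rules fields beyond the action are laid out is not documented on the slides, so only the first two fields and the parenthesised options are interpreted.

```python
"""Join the LINA ACL (show access-list) with Snort's ngfw.rules on rule-id (added example, constructed sample)."""
import re

REMARK_RE = re.compile(
    r"^access-list \S+ line \d+ remark rule-id (?P<rid>\d+): (?P<kind>ACCESS POLICY|L7 RULE): (?P<text>.*)$")
ACE_RE = re.compile(
    r"^access-list \S+ line \d+ advanced (?P<action>\S+) (?P<match>.*?) rule-id (?P<rid>\d+) \(hitcnt=(?P<hits>\d+)\)")
APPID_RE = re.compile(r"\(appid ([^)]*)\)")

# Constructed sample: the ACL lines from the two slides and their ngfw.rules lines (appid list abridged).
SAMPLE_ACL = """\
access-list CSM_FW_ACL_ line 9 remark rule-id 268441864: L7 RULE: icmp traffic
access-list CSM_FW_ACL_ line 10 advanced permit icmp any any rule-id 268441864 (hitcnt=335) 0xa2dc10fa
access-list CSM_FW_ACL_ line 13 remark rule-id 268443650: ACCESS POLICY: CL-ACP-2017-FINAL - Mandatory/2
access-list CSM_FW_ACL_ line 14 remark rule-id 268443650: L7 RULE: FTP to be allowed
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268443650 (hitcnt=16) 0xa1d3780e
"""
SAMPLE_NGFW_RULES = """\
268441864 fastpath any any any any any any any 1 (log dcforward both)
268443650 allow any any any any any any any any (log dcforward both) (appid 52:1, 165:1, 4002:4, 2000000165:2)
"""


def parse_acl(text):
    """rule-id -> {name, policy, lina_action, lina_match, hitcnt} from the remark and ACE lines."""
    rules = {}
    for line in text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            r = rules.setdefault(int(m.group("rid")), {})
            r["policy" if m.group("kind") == "ACCESS POLICY" else "name"] = m.group("text").strip()
            continue
        m = ACE_RE.match(line)
        if m:
            r = rules.setdefault(int(m.group("rid")), {})
            r["lina_action"] = m.group("action")
            r["lina_match"] = m.group("match")      # the L3/L4 (5-tuple) part of the ACE
            r["hitcnt"] = int(m.group("hits"))
    return rules


def parse_ngfw_rules(text):
    """rule-id -> {snort_action, appids}; appids maps app id -> the numeric flag after the colon."""
    rules = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, opts = line.partition("(")
        fields = head.split()
        rid, action = int(fields[0]), fields[1]
        appids = {}
        m = APPID_RE.search("(" + opts) if opts else None
        if m:
            for pair in m.group(1).split(","):
                app, _, flag = pair.strip().partition(":")
                appids[int(app)] = int(flag)
        rules[rid] = {"snort_action": action, "appids": appids}
    return rules


def correlate(acl_text, ngfw_text):
    """One record per rule-id seen on either side; 'consistent' is False when a rule-id is missing on one side,
    which is worth a follow-up because both engines are supposed to carry the same deployed policy."""
    acl, snort = parse_acl(acl_text), parse_ngfw_rules(ngfw_text)
    out = {}
    for rid in sorted(set(acl) | set(snort)):
        entry = {"name": None, "policy": None, "lina_action": None, "lina_match": None, "hitcnt": 0,
                 "snort_action": None, "appids": {}}
        entry.update(acl.get(rid, {}))
        entry.update(snort.get(rid, {}))
        entry["consistent"] = rid in acl and rid in snort
        out[rid] = entry
    return out


if __name__ == "__main__":
    for rid, r in correlate(SAMPLE_ACL, SAMPLE_NGFW_RULES).items():
        print(rid, r["name"], "| LINA:", r["lina_action"], r["lina_match"], f"hits={r['hitcnt']}",
              "| Snort:", r["snort_action"], f"appids={len(r['appids'])}")
```

Run it against the full outputs of `show access-list` and `cat ngfw.rules` copied off the box; when a rule matches in LINA (hit count climbing) but the Snort record for the same rule-id has no appid entry for the application the debug reports, the L7 part of the rule is where to look next.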

File policy rule actions:

• Detect Files – logs file transfers and passes them through
• Block Files – blocks the file transfer
• Malware Cloud Lookup – calculates the SHA256, determines and logs the disposition, passes the file
• Block Malware – same as Malware Cloud Lookup, but blocks malicious file transfers

> system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a server port: 80
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 New session
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 Starting with minimum 0, id 0 and SrcZone first with zones 3 -> 2, geo 0(0) -> 0, vlan 0, sgt tag: untagged, svc 676, payload 2655, client 638, misc 0, user 9999997, url http://install.cisco.com/eicarcom2.zip, xff
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 no match rule order 2, 'DNS and icmp', DstPort
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 match rule order 3, 'HTTP traffic and file inspect', action Allow
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File policy verdict is Type, Malware, and Capture
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File malware event for e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397 named eicarcom2.zip with disposition Malware and action Block Malware
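The two `firewall-engine-debug` slides (the FTP flow earlier and this EICAR download) are read the same way: per flow, which rules were skipped and why, which rule finally matched with which action, and whether a file-policy verdict changed the outcome afterwards. The script below is an added example (not code from the session or from Cisco) that turns a saved debug transcript into that per-flow summary. The sample is constructed from the lines shown on both slides; message types the slides do not show are passed over without error, and the flow key format is this example's own choice.

```python
"""Summarise 'system support firewall-engine-debug' output per flow (added example, constructed sample)."""
import re

FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) (?P<proto>\d+) AS \d+ I \d+ (?P<msg>.*)$")
NOMATCH_RE = re.compile(r"^no match rule order (?P<order>\d+), '(?P<name>[^']*)'(?:, (?P<why>.*))?$")
MATCH_RE = re.compile(r"^match rule order (?P<order>\d+), '(?P<name>[^']*)', action (?P<action>\w+)$")
MALWARE_RE = re.compile(
    r"^File malware event for (?P<sha256>[0-9a-f]{64}) named (?P<file>\S+) with disposition (?P<disp>\w+) "
    r"and action (?P<action>.+)$")

# Constructed sample: lines from the FTP slide and the EICAR slide, one debug message per line.
SAMPLE_DEBUG = """\
172.16.1.10-60467 > 20.20.20.10-21 6 AS 1 I 7 no match rule order 3, 'FTP to be allowed', app s=-1 c=-1 p=-1 m=-1
20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 match rule order 3, 'FTP to be allowed', action Allow
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 New session
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 no match rule order 2, 'DNS and icmp', DstPort
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 match rule order 3, 'HTTP traffic and file inspect', action Allow
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File policy verdict is Type, Malware, and Capture
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File malware event for e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397 named eicarcom2.zip with disposition Malware and action Block Malware
"""


def flow_key(m):
    """src:sport>dst:dport/proto, this example's own key format."""
    return f"{m['src']}:{m['sport']}>{m['dst']}:{m['dport']}/{m['proto']}"


def new_flow():
    return {"skipped": [], "rule": None, "rule_action": None, "file_verdict": None, "malware": []}


def parse_engine_debug(text):
    """flow key -> {skipped: [(order, name, why)], rule: (order, name), rule_action, file_verdict, malware: [...]}"""
    flows = {}
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue                        # prompts and other non-flow lines
        flow = flows.setdefault(flow_key(m), new_flow())
        msg = m.group("msg")
        nm = NOMATCH_RE.match(msg)
        if nm:
            flow["skipped"].append((int(nm["order"]), nm["name"], nm["why"] or ""))
            continue
        mt = MATCH_RE.match(msg)
        if mt:
            flow["rule"] = (int(mt["order"]), mt["name"])
            flow["rule_action"] = mt["action"]
            continue
        if msg.startswith("File policy verdict is "):
            flow["file_verdict"] = msg[len("File policy verdict is "):]
            continue
        mw = MALWARE_RE.match(msg)
        if mw:
            flow["malware"].append({"sha256": mw["sha256"], "file": mw["file"],
                                    "disposition": mw["disp"], "action": mw["action"]})
        # "New session", "Starting with minimum ..." and any other message types are ignored
    return flows


def final_verdict(flow):
    """What happened to the flow: a blocking file-policy action overrides the ACP Allow; otherwise the ACP
    action, or None when the debug never reported a matching rule for this flow."""
    for ev in flow["malware"]:
        if ev["action"].startswith("Block"):
            return ev["action"]
    return flow["rule_action"]


if __name__ == "__main__":
    for key, flow in parse_engine_debug(SAMPLE_DEBUG).items():
        print(key, "rule:", flow["rule"], "skipped:", [s[0] for s in flow["skipped"]],
              "verdict:", final_verdict(flow))
```

The `skipped` list is the part to read when "the right AC rule" question from the troubleshooting slide comes up: the third element of each tuple is the debug's own reason (DstPort, the `app s=... c=...` fields, and so on) for why that rule did not match.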

“Troubleshooting thoughts”
• Is the connection inspected by SNORT? -> “show conn” – flag ‘N’
• Packet captures (capture and capture-traffic) show incoming traffic on the ASA/LINA side and diverted flows being sent to SNORT, but NO outgoing traffic, or packets are missing on the outside interface after SNORT inspection?
• Are connection events triggering? -> FMC Connection table view
• Is the right AC rule being evaluated? -> NGFW debugs
• IPS events are not populated? -> Create a custom ICMP rule or enable the “ICMP echo” rule 1:408 to confirm that IPS events are generally working
CUSTOM SNORT ICMP RULE:

alert icmp any any -> any any (sid:1000001; gid:1; icode:0; itype:8; msg:"icmp echo"; classtype:not-suspicious; rev:1; )

• In the IPS policy, set the rule to the “Drop and Generate” action
• The interface should be in “Inline” mode
• The IPS policy needs to have the “Drop when Inline” option enabled

firepower# sh cap i packet-number 1 trace

1: 09:09:18.644467 172.16.1.17 > 20.20.20.100: icmp: echo request
Phase: 4
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame

firepower# sh cap
capture i type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
match icmp any any
capture o type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]
match icmp any any

Special attention when packets are blocked, but there are no IPS events:
Rules with GID 129 DO NOT generate events until the “Stateful Inspection Anomalies” option in the TCP Stream preprocessor is enabled!
(Change the rule state to “Drop and Generate”.)

• How do the ASA and FirePOWER L7 inspections work together?

• ASA – Application Level Gateways, ALGs (protocol specific)
  • Pinhole creation
  • NAT rewrite
  • Protocol enforcement and fine-grained control

Disabling an ALG from the FTD CLI:
> configure inspect <protocol> enable/disable

This pushes the following configuration to the NGFW device to disable the inspection:
policy-map global_policy
 class inspection_default
  no inspect <protocol>
service-policy global_policy global

firepower# show service-policy flow tcp host 20.20.20.11 host 172.16.2.100 eq 21

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow: inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow:
        Input flow: set connection random-sequence-number disable
        set connection advanced-options UM_STATIC_TCP_MAP

firepower# show service-policy inspect ftp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 139, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

firepower# sh run policy-map | i ftp

  inspect ftp
  inspect tftp

Remaining checks are the same as on a standalone ASA:

• Determination of the NAT IP header – in the capture trace, the ‘NAT’ phase shows the translated IP address details
• Based on the “Egress Interface” determination step, the ‘out’ entries of the ASP routing table are now checked
• Using the packet capture trace detail option we can see the “ROUTE-LOOKUP” phase with the next-hop IP address details

IN:
> show capture in

1: 15:52:55.249834 172.16.1.56 > 20.20.20.33: icmp: echo request
2: 15:52:55.250643 20.20.20.33 > 172.16.1.56: icmp: echo reply
> show capture
capture in type raw-data trace interface INSIDE [Capturing - 720 bytes]
match icmp host 172.16.1.56 host 20.20.20.33

OUT:
> show capture out

1: 15:52:55.250261 172.16.1.56 > 20.20.20.33: icmp: echo request
2: 15:52:55.250627 20.20.20.33 > 172.16.1.56: icmp: echo reply
> show capture
capture out type raw-data trace interface OUTSIDE [Capturing - 720 bytes]
match icmp host 172.16.1.56 host 20.20.20.33
Conclusion
Take the chance and drive your FTD installation to a success
• Plan your desired hardware based on capabilities and performance
• Plan your desired feature-set and functionality
• Plan your desired operations mode (there are choices)
• Plan a pilot-phase with extra timing for all operational tasks
  • Upgrades/Downgrades
  • Backup/Restore
  • Replacement/RMA
• Practice basic troubleshooting steps
• Have a look at new features and functionality inside a testbed

We wish you every success operating and troubleshooting your new NG-Firewall

Thank You
Veronika Klauzova
Michael Vassigh