7.2 Feature Lab - Combined Labs 1 2

The document discusses Cisco Secure Dynamic Attributes Connector (CSDAC) version 2.0, which was released with Cisco Secure Firewall version 7.2. CSDAC enables firewall policies to automatically adapt in real-time to changes in public and private cloud workloads. It maps cloud VM IP addresses to dynamic objects that can be used in firewall rules. Any cloud changes detected by CSDAC are then cascaded to the firewall policies without needing manual updates. The new CSDAC 2.0 release introduces support for Google Cloud Platform private clouds. It also allows on-demand testing of connectors and fetching provider certificates directly. CSDAC 2.0 can run both on-premises and in the cloud.


Cisco dCloud

Cisco Secure Firewall 7.2 – Feature Lab


About the 7.2 Release and this Lab (page 2)
Time Synchronization (page 4)
Access Control Policy Lock (page 5)
Cisco Secure Dynamic Attributes Connector 2.0 (page 9)
Cisco Secure Firewall – Snort 3 Elephant Flow Detection (page 31)
Encrypted Visibility Engine (page 37)
Transport Layer Security 1.3 Support (page 42)
AnyConnect VPN Certificate and SAML Authentication (page 53)
Cisco Secure Firewall – FMC Support for EIGRP (page 79)
Cisco Secure Firewall – Policy Based Routing Path Monitoring (page 82)

dCloud: The Cisco Demo Cloud

© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 90

About the 7.2 Release and this Lab


The purpose of this lab is to cover new features provided by the 7.2 release. Because of limitations in the pods and time constraints, only
selected features are included.

Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most components
are fully configurable with predefined administrative user accounts. You can see the IP address and user account credentials to use to access a
component by clicking the component icon in the Topology menu of your active dCloud session and in the scenario steps that require their
use.

NOTE: For simplicity, not all IP addresses and VLANs are shown.


Credentials
All logins are built in automatically in the “Cisco Secure Firewall Quick Launch,” as shown below.


This Quick Launch panel loads automatically when initiating the dCloud infrastructure. It is also available on the Jumpstation desktop; look for
the Quick Launch shortcut.

Admin credentials across the environment are similar: the username is “admin” unless otherwise specified in a lab, and the password is
C1sco12345.


Time Synchronization
Before you start, it’s important that the time on the Jumpbox is properly synchronized. After connecting to the Jumpbox via Remote Desktop,
verify that the workstation time in the lower right corner is correct. It should show the correct time in the U.S. Eastern timezone. If this time
is correct you can continue with the lab exercises.

If this time is not correct, resynchronize the clock using the following procedure:

Right-click on the time and select Adjust date/time from the menu.

Click the Sync now button in the dialog

Confirm the Jumpbox time is now set correctly.


Access Control Policy Lock


The Cisco Secure Firewall Management Center 7.2 introduces the Access Control Policy Lock feature, which allows administrators to lock an access
control policy to prevent other administrators from editing it. Without locking, if multiple administrators edit the policy simultaneously, the
first administrator who saves changes wins, and all other administrators have their changes erased.

Task 1 – Prepare the Environment

Before we get started, create a User Role and 3 new users.

Navigate to System (select the gear icon) > Users

Select User Roles and copy the Administrator user role.

In the copied role, maximize Policies --> Access Control --> Access Control policy --> Modify Access Control policy, uncheck Override Access Control
Policy Lock and Save.


Select Users --> Create User

• Add User Name as user1
• Password as C1sco12345
• Under User Role Configuration check Administrator (copy)

Select Save.

Create another User as user2, use the password as C1sco12345

Select the User Role Administrator and Save


Navigate to Policies --> Access Control, create a copy of NGFW1 and name it NGFW1 Copy.


Task 2 – Using Access Control Policy Lock


Open NGFW1 Copy, select the lock button and select Lock this Policy.

Log out of FMC and log in using the credentials of user1 (username: user1, password: C1sco12345).

Navigate to Policies --> Access Control and open NGFW1 Copy

NOTE: user1, who doesn’t have the role to Override Access Control Policy Lock, cannot make any changes to this policy; the user is also notified
that the access control policy is locked by the admin user.


Logout from user1 and login as user2 on FMC.

Navigate to Policies --> Access Control and open NGFW1 Copy


NOTE: user2 is also notified that the policy is locked by the admin user; however, user2 sees a lock control on this access control policy, which user1 didn’t have.

Click on the lock icon and select Unlock this policy

This unlocks the policy and user2 can make changes to the access control policy.

NOTE: Users with the Override Access Control Policy Lock role can unlock policies locked by other users; however, users without the Override
Access Control Policy Lock role cannot unlock other users' policies.


Cisco Secure Dynamic Attributes Connector 2.0


For this scenario, we are using the following devices:

• Cisco Secure Firewall Management Center
• Cisco Secure Firewall Threat Defense
• Cisco Secure Dynamic Attributes Connector

Introduction
Cisco Secure Dynamic Attributes Connector (CSDAC) is an add-on or a feature of the Cisco Firewall Management Center that enables firewall
policy to adapt in real-time to the changes in public and private cloud workload hosted in AWS, Azure, GCP, or VMware. The Firewall
Management Center and CSDAC tandem automates the firewall policy in increasingly dynamic cloud environments, keeping the rules up-to-
date without the need for tedious manual updates and policy deployment. CSDAC maps IP addresses of cloud VMs to Dynamic Objects, which
are then used in the Access Control Policy rules. Any changes in the cloud detected by CSDAC are cascaded in real-time to the management
center, and in turn, to the managed firewalls without any administrator action. CSDAC makes firewall policy dynamic, more secure, and much
easier to manage.

A new software release, version 2.0, of Cisco Secure Dynamic Attributes Connector (CSDAC) was published along with Firepower version 7.2.
The latest release introduces support for a Google Cloud Platform private cloud connector. The interface allows on-demand testing of the
connectors and adapters and fetching the provider’s certificate for trust directly from the CSDAC interface.

CSDAC 2.0 is provided in on-prem and cloud-delivered form factors. On-prem runs on the most popular Ubuntu, RHEL, and CentOS
distributions, with the install and upgrade process automated with Ansible Galaxy. The cloud-delivered CSDAC runs within Cisco Defense
Orchestrator and can provide dynamic updates to both on-prem and cloud-delivered Firewall Management Center deployments.

Below are the major components of the CSDAC and management center integration solution that will be used throughout this lab:


• Object Providers – the public or private cloud service hosting resources to be tracked. CSDAC 2.0 supports the import of mappings from
the following Providers:

o Microsoft Azure user-defined and service tags
o Amazon Web Services (AWS) user-defined tags
o Google Cloud Platform (GCP) attributes
o Office 365 public feed
o VMware categories and tags managed by vCenter and NSX-T


• Connectors – a connector is a software interface that interacts with a public or private cloud Provider to retrieve up-to-date network
information, categories, and tags. CSDAC translates information provided by the connectors to Dynamic Objects used in firewall access
control policies on the management center. Architecturally the connectors are software plug-in modules installed in CSDAC, which
allows straightforward addition of new connectors in future releases.
• Dynamic Attribute Filters – a set of conditions, configured by an administrator, defining how cloud resources are mapped to Dynamic
Objects. The filters are built with AND/OR boolean expressions matching attributes specific to the source Provider. For example, you
can configure a Dynamic Object with IP addresses of VMs assigned a specific tag in Azure or running in a particular VMware port
group.
• Adapters – represent a secure connection to a management center that CSDAC configures with Dynamic Objects and periodically
updates with changes detected via the configured cloud Connectors.
• Dynamic Objects – a new flavor of dynamic access control policy building blocks introduced in Firepower version 7.0. The Dynamic
Objects are configured and updated through the Firewall Management Center’s programmatic interface. When used in an ACP, the
Dynamic Objects are programmed into Snort’s Identity Memory alongside PassiveID and SGT identities and auto-updated in real-time
without the need for policy deployment.

Prerequisites
The CSDAC 2.0 feature requires the following prerequisites:

• Cisco Secure Firewall Management Center version 7.0.2
• Cisco Secure Firewall Threat Defense version 7.0.2

Objectives
• Review the pre-configured AWS and Azure connectors in the CSDAC
• Configure Office 365 public feed Provider
• Configure management center as an Adapter in the CSDAC
• Set up and test firewall rules with Dynamic Objects


Task 1: CSDAC – Review Pre-configured Connectors


Step 1. In the Jump Box, open Quick Launch and click on CSDAC. You can also access it from the Chrome browser using the CSDAC bookmark.

This opens a connection to https://198.19.10.103/ where the Cisco Secure Dynamic Attributes Connector (CSDAC) service is
hosted. Use the following credentials to log in to the system: admin/Dcl0ud#132 (where 0 is the digit zero).

Step 2. Review the list of configured connectors.

NOTE: The Azure and Azure Service Tags connectors may experience temporary connectivity issues due to Azure Resource Manager’s
throttling mechanism. In such an instance, the status of the connector will display an error message containing the reason returned
by Azure along with the limits and the measured request count. The dCloud laboratory pods share the same Azure API credentials. When
many instances of this laboratory are active in parallel, the cumulative rate of requests may temporarily exceed the read operations
limit.

Step 3. Find AWS connector and click on the three dots menu in the Action column. Select Edit.


Step 4. Observe the AWS connector’s configuration. Review the mandatory attributes to set up a connector, denoted by the red dot
symbol (*).

Step 5. Note the Test button in the bottom left part of the connector window. You can run an on-demand test to confirm the
configuration is correct.

Step 6. Click the Cancel button to return to the Connectors tab.

Step 7. (optional) Review the settings of the remaining configured Azure Service Tags and Azure connectors.

NOTE: You can configure multiple connectors of each type (AWS, Azure, GCP, and vCenter), should you have multiple public or private
cloud instances of the same flavor.


Task 2: CSDAC – Configure an Office 365 Public Feed Connector


In the following steps you will configure an Office 365 public feed connector. This connector subscribes to Microsoft’s publicly available list
of IP addresses used by Office 365 services. The connector provides Dynamic Objects with IPv4 and IPv6 prefixes for Skype for Business,
SharePoint, Exchange and Common.

Step 1. In CSDAC WebUI, navigate to the Connectors tab.
Step 2. Click on the “+” sign button and then select Office 365.
Step 3. Provide the Name “Office 365 dCloud Connector”.
Step 4. (optional) Update the Pull interval to the desired value in seconds.
Step 5. Leave the Microsoft Base API URL https://endpoints.office.com unchanged.
Step 6. Specify the Instance name using the dropdown.

Microsoft cloud services are available in three separate national clouds: US Government, Germany and China. These regional cloud
instances are physically isolated instances of Microsoft cloud services localized within the geographic borders of specific countries
and operated by local personnel.

Step 7. (optional) If you wish, you can Disable optional IPs import with the toggle button.

According to Microsoft documentation, the optional IP addresses represent third-party services used only for integration
functionality. Disabling optional IP addresses retains the core functionality of the services. The prefixes in Microsoft’s public feeds are
denoted with a required attribute set to either false or true. An optional prefix set will have the required attribute set to false and
the description of the missing functionality in the notes attribute as per the example below.


    "id": 5,
    "serviceArea": "Exchange",
    "serviceAreaDisplayName": "Exchange Online",
    [...]
    ],
    "ips": [
        "13.107.6.152/31",
        [...]
        "2a01:111:f400::/48"
    ],
    [...]
    "required": false,
    "notes": "Exchange Online IMAP4 migration"
},

Step 8. In the last step, click on the Test button in the bottom left side of the window to confirm CSDAC can reach the Microsoft public
feed and download the latest version of the Office 365 service address space.

Step 9. Click Save and confirm “OK” result in the status column for the newly configured connector.
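To make the required/optional distinction concrete, here is an added Python example (not code from this lab guide or from CSDAC) that parses a feed shaped like the fragment above into per-service prefix lists, honouring the required flag the way the "Disable optional IPs" toggle does. The sample records are constructed, and the o365_<ServiceArea> object naming is an assumption taken from the object names used later in this lab (o365_SharePoint, o365_Skype).

```python
"""Parse an Office 365 endpoints feed into per-service prefix lists.

Added example, not CSDAC code. Record shape follows the lab fragment
(id / serviceArea / ips / required / notes); sample records are constructed.
Object naming o365_<ServiceArea> is an assumption based on the object
names used later in this lab (o365_SharePoint, o365_Skype).
"""
import ipaddress
import json

# Constructed sample resembling the endpoints.office.com worldwide feed.
SAMPLE_FEED = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "443",
     "required": True},
    {"id": 5, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "ips": ["13.107.6.152/31", "2a01:111:f400::/48"], "tcpPorts": "143,993",
     "required": False, "notes": "Exchange Online IMAP4 migration"},
    {"id": 31, "serviceArea": "SharePoint",
     "serviceAreaDisplayName": "SharePoint Online and OneDrive for Business",
     "ips": ["13.107.136.0/22", "2620:1ec:8f8::/46"], "tcpPorts": "80,443",
     "required": True},
    # URL-only record: carries no "ips", so it yields no dynamic object.
    {"id": 46, "serviceArea": "Common",
     "serviceAreaDisplayName": "Microsoft 365 Common and Office Online",
     "urls": ["*.office.com"], "tcpPorts": "80,443", "required": True},
    # One malformed prefix, to show it is reported rather than silently dropped.
    {"id": 99, "serviceArea": "Skype",
     "serviceAreaDisplayName": "Skype for Business Online and Microsoft Teams",
     "ips": ["52.112.0.0/14", "not-a-prefix"], "tcpPorts": "443",
     "required": True},
])


def parse_feed(feed_json, include_optional=True):
    """Build prefix lists per Office 365 service area.

    Returns (objects, rejected). objects maps "o365_<serviceArea>" to
    {"ipv4": [...], "ipv6": [...]} with duplicates removed and prefixes
    sorted; rejected lists (record id, value) for prefixes that did not
    parse, so a corrupt feed cannot quietly shrink a firewall object.
    include_optional=False mirrors the connector's "Disable optional IPs"
    toggle: records with required == false are skipped.
    """
    prefixes = {}   # object name -> set of ip_network
    rejected = []
    for rec in json.loads(feed_json):
        if not include_optional and not rec.get("required", True):
            continue    # optional prefix set (third-party integration only)
        name = "o365_" + rec["serviceArea"]
        for value in rec.get("ips", []):
            try:
                net = ipaddress.ip_network(value, strict=True)
            except ValueError:
                rejected.append((rec["id"], value))
                continue
            prefixes.setdefault(name, set()).add(net)
    objects = {}
    for name, nets in prefixes.items():
        objects[name] = {
            "ipv4": [str(n) for n in sorted(n for n in nets if n.version == 4)],
            "ipv6": [str(n) for n in sorted(n for n in nets if n.version == 6)],
        }
    return objects, rejected


if __name__ == "__main__":
    for label, optional in (("all prefixes", True), ("required only", False)):
        objs, bad = parse_feed(SAMPLE_FEED, include_optional=optional)
        print(f"== {label} ==")
        for name, lists in sorted(objs.items()):
            print(f"{name}: {len(lists['ipv4'])} IPv4, {len(lists['ipv6'])} IPv6")
        print("rejected:", bad)
```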


Task 3: CSDAC - Adapters


In the Adapters tab, you configure the connection to one or more FMCs that will be updated with the Dynamic Objects crafted by CSDAC.
Follow the steps below to integrate CSDAC with the FMC in the dCloud topology:

Step 1. In CSDAC WebUI, navigate to the Adapters tab.
Step 2. Click on the “+” sign button and then select FMC.
Step 3. Provide the name “FMC dCloud”.
Step 4. In the IP field enter the FMC’s hostname “fmc.dcloud.local”.
Step 5. Keep the Port for the connection between CSDAC and FMC set to 443.
Step 6. Use “restapiuser” in the User field; this account is pre-configured on the FMC with the Password set to “C1sco12345”.

Step 7. The FMC Server Certificate is required to ensure CSDAC connects to the trusted FMC server. CSDAC allows you to fetch and
validate the FMC’s certificate chain directly from the UI. Click the Fetch button and review the contents of the certificates presented by
fmc.dcloud.local.


NOTE: For the Fetch to work correctly, the FMC’s HTTPS certificate CommonName (CN) must be set with the hostname resolvable by
CSDAC (fmc.dcloud.local in our setup). The FMC must also present the entire certificate trust chain in the TLS handshake. Hence it is
required to attach all Root and Intermediate CA certificates when installing FMC’s HTTPS server certificate (under System >
Configuration > HTTPS Certificate).

Step 8. Expand and review the contents of the FMC Server Certificate. Notice both FMC and Root CA certificates were fetched and
concatenated by CSDAC.

Step 9. Click the Test button in the bottom left side of the window to confirm the FMC adapter configuration is correct.

Step 10. Click Save and confirm “OK” result in the status column for the newly configured FMC Adapter.


Task 4: CSDAC – Dynamic Attributes Filters


The Dynamic Attribute Filters are conditions used to map cloud resources to Dynamic Objects.

1. CSDAC pulls the list of VMs with provider-specific metadata, which is then presented to the administrator as Key/Value pairs.

2. The Key/Value pairs are attributes such as user-defined tags in AWS/Azure, or network, power status, or VM name on vCenter.

3. The administrator creates a set of AND/OR conditions to match specific attributes of VMs, to add their IP addresses to individual
Dynamic Objects.

4. CSDAC pushes the Dynamic Objects with the resulting IP addresses in real-time to the FMC, which distributes them to the managed firewalls.

5. CSDAC polls the cloud providers periodically, and when a change to a VM or its assigned attributes is detected, the update is pushed to
the FMC and managed firewalls. This way the firewall policy remains up-to-date without any action from the administrator.

In the task below you will configure three Dynamic Attributes Filters matching tags of VMs in the AWS and Azure clouds. The IP addresses of the
VMs matching the criteria will be dynamically assigned to Dynamic Objects pushed to the FMC. The table below provides a summary of the conditions
used to match VMs in this scenario.

#  Dynamic Object Name  Connector  Query
1  AWS-Engineering      AWS        Department eq ‘dCloud_Engineering’
2  Azure-Engineering    Azure      (Department eq ‘dCloud_Engineering’) AND (Environment eq ‘UAT’)
3  Azure-HR             Azure      (Department eq ‘dCloud_HR’) AND (Environment eq ‘Production’)

Step 11. In CSDAC WebUI, navigate to Dynamic Attributes Filters tab.


Step 12. Click on “+” sign button to add a new Dynamic Object.
Step 13. Set the Name to “AWS-Engineering”
Step 14. Select “AWS” in the Connector drop down menu.

Step 15. In the Query section click on the “+” sign button to add matching criteria. Note that CSDAC downloads and allows you to use the
keys and values specific for the selected connector.


In the screenshot below, observe the summary of an engineering VM running in AWS we are going to match on CSDAC. Note the Public and
Private IP addresses as well as the assigned Tag Key/Value pairs.


Step 16. Select “Department” from the Key drop-down menu.


Step 17. Leave the default Operation set to Equals.
Step 18. Select “dCloud_Engineering” from the Value drop-down menu.


Step 19. Click OK to save the condition.


Step 20. Click on Show Preview to confirm the list of IP addresses of VMs matched by the specified filter.

NOTE: the IP addresses of the VMs in AWS and Azure may change and differ from the ones displayed in the screenshots. IP address
changes are expected and are one of the scenarios CSDAC addresses elegantly, providing the up-to-date IP to Dynamic Object
mappings.

Step 21. Click Save and confirm the new dynamic attribute is available in the Dynamic Attributes Filters section.

Step 22. Click on “+” sign button to add a new Dynamic Object.
Step 23. Set the Name to “Azure-Engineering”
Step 24. Select “Azure” in the Connector drop down menu.


Step 25. In the Query section click on the “+” sign button to add matching criteria. Note that CSDAC downloads and allows you to use the
keys and values specific for the selected connector.

In the screenshot below, observe the summary of an engineering VM running in Azure we are going to match on CSDAC. Note the Public and
Private IP addresses as well as the assigned Tags Key:Value pairs.


Step 26. Select “Department” from the Key drop-down menu.


Step 27. Leave the default Operation set to Equals.
Step 28. Select “dCloud_Engineering” from the Value drop-down menu.

Step 29. Click OK to save the condition.


Step 30. Click on the “+” sign button in the Query section again to add a second matching condition.
Step 31. This time use the “Environment” Key from the drop-down menu.
Step 32. Leave the default Operation set to Equals.
Step 33. Select “UAT” from the Value drop-down menu.


Step 34. Click OK to save the condition.


Step 35. Review the Query section and confirm both conditions are configured with match all operator.


NOTE: You can toggle between all & any matching operators, simply click an operator joining two or more conditions.

Step 36. Click on the Show Preview to confirm list of IP addresses of VMs matched by the filter. Notice both “dCloud_Engineering” and
“UAT” Azure tags are matched.

Step 37. Click Save and confirm the new dynamic attribute is available in the Dynamic Attributes Filters section.


Step 38. Repeat Step 22 through Step 34 and create another Azure dynamic object with following details:
• Name: Azure-HR
• Connector: Azure
• Condition: (“Department” eq “dCloud_HR”) AND (“Environment” eq “Production”)


Step 39. Click Save and confirm the new dynamic attribute is available in the Dynamic Attributes Filters section.
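The filter evaluation and change detection described in this task, as an added Python example that is not CSDAC's own code: it applies the three filters from the table above to a constructed VM inventory (names, tags and IP addresses are made up, using documentation address ranges) and computes what a second poll would need to push to the FMC. The "all"/"any" match values stand in for the match all / match any operators in the Query section.

```python
"""Evaluate Dynamic Attribute Filters against a VM inventory and detect changes.

Added example, not CSDAC's own code. Inventory, tags and IP addresses are
constructed (documentation ranges); the filters reproduce the three from the
lab table. "all"/"any" correspond to the match all / match any operators.
"""
import copy
import ipaddress

# Constructed inventory as the connectors would return it after one poll.
INVENTORY_POLL_1 = {
    "AWS": [
        {"name": "eng-web-1", "ips": ["198.51.100.10", "10.0.1.10"],
         "tags": {"Department": "dCloud_Engineering", "Environment": "UAT"}},
        {"name": "hr-db-1", "ips": ["198.51.100.20", "10.0.2.20"],
         "tags": {"Department": "dCloud_HR", "Environment": "Production"}},
    ],
    "Azure": [
        {"name": "eng-vm-1", "ips": ["203.0.113.5", "10.1.0.5"],
         "tags": {"Department": "dCloud_Engineering", "Environment": "UAT"}},
        {"name": "eng-vm-2", "ips": ["203.0.113.6", "10.1.0.6"],
         "tags": {"Department": "dCloud_Engineering", "Environment": "Production"}},
        {"name": "hr-vm-1", "ips": ["203.0.113.7", "10.1.0.7"],
         "tags": {"Department": "dCloud_HR", "Environment": "Production"}},
    ],
}

# Second poll: eng-vm-1 got a new public IP and hr-vm-1 was re-tagged.
INVENTORY_POLL_2 = copy.deepcopy(INVENTORY_POLL_1)
INVENTORY_POLL_2["Azure"][0]["ips"] = ["203.0.113.50", "10.1.0.5"]
INVENTORY_POLL_2["Azure"][2]["tags"]["Environment"] = "UAT"

# The three filters from the lab table (Dynamic Object name, connector, query).
FILTERS = [
    {"name": "AWS-Engineering", "connector": "AWS", "match": "all",
     "conditions": [("Department", "eq", "dCloud_Engineering")]},
    {"name": "Azure-Engineering", "connector": "Azure", "match": "all",
     "conditions": [("Department", "eq", "dCloud_Engineering"),
                    ("Environment", "eq", "UAT")]},
    {"name": "Azure-HR", "connector": "Azure", "match": "all",
     "conditions": [("Department", "eq", "dCloud_HR"),
                    ("Environment", "eq", "Production")]},
]


def condition_matches(tags, key, op, value):
    """Only the Equals operation used in the lab is supported.
    A VM that lacks the key never matches."""
    if op != "eq":
        raise ValueError(f"unsupported operation: {op}")
    return tags.get(key) == value


def filter_matches(vm, flt):
    results = [condition_matches(vm["tags"], *cond) for cond in flt["conditions"]]
    return all(results) if flt["match"] == "all" else any(results)


def evaluate_filters(inventory, filters):
    """Return {object name: sorted IPs}, i.e. what Show Preview lists per filter."""
    objects = {}
    for flt in filters:
        ips = set()
        for vm in inventory.get(flt["connector"], []):
            if filter_matches(vm, flt):
                ips.update(vm["ips"])
        objects[flt["name"]] = sorted(ips, key=ipaddress.ip_address)
    return objects


def diff_objects(previous, current):
    """Per-object added/removed IPs. Unchanged objects are omitted, so the
    result is exactly what an update push to the FMC would need to carry."""
    changes = {}
    for name in sorted(set(previous) | set(current)):
        old, new = set(previous.get(name, [])), set(current.get(name, []))
        if old != new:
            changes[name] = {"added": sorted(new - old, key=ipaddress.ip_address),
                             "removed": sorted(old - new, key=ipaddress.ip_address)}
    return changes


if __name__ == "__main__":
    first = evaluate_filters(INVENTORY_POLL_1, FILTERS)
    second = evaluate_filters(INVENTORY_POLL_2, FILTERS)
    for name, ips in first.items():
        print(f"{name}: {ips}")
    print("update to push after poll 2:", diff_objects(first, second))
```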


Task 5: Review Dynamic Objects pushed by the CSDAC to the FMC

Step 1. Login to Firepower Management Center (https://fmc.dcloud.local) from the Jumpbox using Chrome browser or by clicking FMC
Web button in the Quick Launch app.
Step 2. Navigate to Objects > Object Management > External Attributes > Dynamic Objects.
Step 3. As the number of the attributes is significant, click on the Filter form in the top right corner and type in “Germany” to display
Azure Service Tags specific to the Germany region.

Step 4. Click on the IP icon next to one of the dynamic objects to display the host and subnet IP addresses assigned. Note that the
dynamic objects support both IPv4 and IPv6 addresses.

NOTE: The above example displays the contents of the “AzureServiceTag_Sql_GermanyNorth” dynamic object provided by CSDAC
when writing this guide. The list of IP addresses assigned to this object may differ, reflecting the current list published by Microsoft.


Step 5. Now review the dynamic objects provided with Office 365 public feeds connector. Click on the Filter form in the top right corner
and type in “o365”.


Step 6. Click on the IP icon next to one of the dynamic objects to display the host and subnet IP addresses assigned.

Step 7. Review the IP address assignment of the AWS dynamic object configured in the previous section in Dynamic Attributes Filters. Click on
the Filter form in the top right corner and type in “AWS”.

Step 8. Click on the IP icon next to “AWS-Engineering” to display the host and subnet IP addresses assigned.


Step 9. Repeat Step 7 through Step 8 and review IP addresses assigned by CSDAC to “Azure-Engineering” and “Azure-HR” Dynamic
Objects.


Task 6: Configure Firewall Rules with CSDAC Provided Dynamic Objects

Step 1. Login to Firepower Management Center (https://fmc.dcloud.local) from the Jumpbox using Chrome browser or by clicking FMC
Web button in the Quick Launch app.
Step 2. Navigate to Policies > Access Control and edit the NGFW1 Access Control Policy.
Step 3. Switch the policy view to the New UI layout.

Step 4. Toggle to Grid View by clicking on the matrix button. The Grid View switches the policy display to source and
destination focus. The source and destination criteria are each collapsed into a single column and marked with colored object type
indicators.


Step 5. The New UI provides an easy way to add a new firewall rule. Hover mouse cursor over the junction between “Block Selected
Applications” and “Allow DNS – no logging” and click on the + Add Rule button to insert new rule in between.


Step 6. Set the basic settings of the new firewall rule as follows:
• Name: Engineering Access
• Action: Allow
• Logging: Log at the end of connection
• Send Connection Events to: Firewall Management Center


Step 7. Click on the (+) button in either the Sources or the Destinations and Applications section in order to specify the object matching criteria in
the rule.


Step 8. Click on the DYN tab to select from “Dynamic Attribute” object set. Type in “Engineering” in the search bar to narrow down the
display to Dynamic Objects we configured for engineering in the previous sections.

Step 9. Select the AWS_Engineering and Azure_Engineering Dynamic Objects and add them to destination criteria by clicking on Add
Destination Dynamic Attribute.

Step 10. Confirm the objects were added to the destination and click Return to Rule Summary to review your rule setup.


Step 11. Confirm the rule is configured like the screenshot below & click Apply to add the rule to the Access Control Policy.


Step 12. The new rule should be now visible between “Block Selected Applications” and “Allow DNS – no logging”.

Step 13. Now let’s configure the rule for HR access. Repeat Step 5 through Step 12 and set a rule with following values:
• Name: HR Access
• Insert: Below Rule “Engineering Access”
• Action: Allow
• Logging: Log at the end of connection
• Send Connection Events to: Firewall Management Center
• Destinations and Applications: Azure_HR, o365_SharePoint, o365_Skype


Step 14. You should have now two new rules Engineering Access and HR Access between “Block Selected Applications” and “Allow DNS –
no logging”.


Step 15. Click Save at the top right corner of the screen to save changes made to the NGFW1 policy.

Step 16. Click Deploy and push the new policy to NGFW1 with the Deploy button.

Task 7: Test Firewall Rules with Dynamic Objects


Step 1. Open a remote desktop session to the WKST1 PC from the jumpbox by using the Quick Launch page (look for Quick Launch on the
Jumpbox desktop). Click on the WKST1 button under Remote Access.

Log in as Administrator using password C1sco12345.

Step 2. Open Command Prompt and ping the IP addresses dynamically assigned by CSDAC to objects in the firewall policy.

NOTE: Prior to running the following ping tests, please confirm the up-to-date IP addresses assigned to each of the tested dynamic
objects. In management center navigate to Objects > External Attributes > Dynamic Objects. IP addresses

• Ping the public IP address of AWS_Engineering:

• Ping the public IP of Azure_Engineering:

• Ping the public IP of Azure_HR:

• Choose and ping an IP address from o365_SharePoint object scope:

A randomly chosen IP address from the Office365 SharePoint object may not respond; however, the ICMP traffic will still match the o365_SharePoint dynamic object in the firewall rule and produce a log.

Step 3. Log in to FMC using the quick launch FMC Access > FMC Web as admin with the password C1sco12345.
Step 4. Navigate to Analysis > Unified Events. Filter the view to display ICMP connections passed by the firewall. In the search bar type “Source IP” and specify the “198.19.10.21” condition to match traffic from WKST1. Click Apply.

Step 5. Search for the ICMP connections and confirm your pings were matched by HR Access and Engineering Access firewall rules in the
Access Control Rule column.


Cisco Secure Firewall – Snort 3 Elephant Flow Detection


Cisco Secure Firewall 7.2 expands Elephant Flow Detection for Snort 3 FMC-managed devices by adding options to throttle or bypass elephant flows. The system adds an elephant flow message to the Reason column of the connection event for connections which meet the configured thresholds. The elephant flow selection criteria are adjusted from the FMC UI. Note that these criteria can no longer be set from the device CLI.

Task 1. Prepare the Environment


Before we get started, we need to ensure the device(s) are running the Snort 3 engine and that connection events are being logged. The elephant flow detection feature does not automatically log connection events for elephant flows, so to ensure that your elephant flow events are logged we must enable full connection logging.

The default NGFW1 Access Control policy in the dCloud environment should already have connection logging enabled for all traffic except DNS requests. Also, the NGFW1 device should already be running the Snort 3 engine. To verify, follow the steps below.

1. Navigate to Devices > Device Management and verify that NGFW1 is using the Snort 3 detection engine.


2. Verify connection logging on NGFW1

• Navigate to Policies > Access Control


• Click the pencil icon to edit the NGFW1 policy
• Near the bottom, look for the Allow Outbound rule, click the pencil to edit the rule.
• In the rule, click the Logging tab and confirm that Log at End of Connection is checked.
• Cancel your rule editing and then click the Cancel button to stop editing the policy.

3. (optional, if you made any changes) Deploy changes to NGFW1

• Click Deploy in the top menu


• Select the NGFW1 device
• Click the deploy icon to initiate the deployment


Task 2. Configure Elephant Flow Threshold on the FMC


In this task we will adjust the elephant flow detection threshold so we can test this feature with a smaller flow size. In release 7.2 this
threshold is configurable via the FMC.

NOTE: The deployment from the previous task must be complete before proceeding.
From the FMC, navigate to Policies > Access Control. Edit the NGFW1 policy and click the Advanced tab.

Click the pencil next to Elephant Flow Settings

In the Elephant Flow Settings dialog, note that detection is enabled, and the default threshold is 1024MB and 10 seconds. Change the
detection threshold to 2MB and 2 seconds.

We can go further by defining parameters for flow throttling and bypass. Click the switch to enable the Elephant flow Remediation
section. Here you can adjust the Snort CPU utilization, time window and packet drop thresholds. When a flow exceeds these thresholds,
it will be bypassed or throttled. The default is to bypass all flows exceeding the thresholds.


If you do not want to bypass all flows, you can continue by clicking the Select Applications/Filters link. This allows selection of specific
applications to bypass. Click the link and select the applications with High and Very High Business Relevance. Click All apps matching the
filter then click the Add to Rule button.


Save the selection. This will bypass flows only for applications matching the selected parameters.

Click the switch at the bottom of the dialog to allow throttling of the remaining flows.

The effect of these settings is to generate connection events for flows exceeding 2 MB and lasting at least 2 seconds. If a flow also exceeds the Snort CPU and packet drop thresholds, it will be either bypassed or throttled depending on whether it matches the selected application filter. Applications which are highly business relevant will be allowed to bypass inspection, while other flows will be throttled but continue to be inspected by Snort. Flows which are bypassed or throttled will also generate elephant flow events indicating that the elephant flows were throttled or trusted.
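To make the evaluation order above concrete, here is an added Python model (not Cisco code) of the decision the settings describe: detection by size and duration, then the Snort CPU and packet-drop gate, then the application filter choosing bypass or throttle. The 2 MB / 2 second values are the ones set in this task; the CPU and drop percentages, the sample flows and the Reason-column strings are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List

# Detection thresholds as set in this task's Elephant Flow Settings dialog.
DETECT_BYTES = 2 * 1024 * 1024      # 2 MB
DETECT_SECONDS = 2.0                # 2 seconds

# Remediation thresholds. The lab leaves the dialog defaults in place and does
# not print them, so these two values are ASSUMED for the model only.
CPU_THRESHOLD_PCT = 40.0            # assumed Snort CPU utilization threshold
DROP_THRESHOLD_PCT = 5.0            # assumed packet drop threshold

# Applications matching the filter chosen in this task (High and Very High
# business relevance) are bypassed; everything else is throttled.
BYPASS_RELEVANCE = {"High", "Very High"}


@dataclass
class Flow:
    """Constructed summary of one connection, as the model sees it."""
    src: str
    dst: str
    total_bytes: int
    duration_s: float
    snort_cpu_pct: float      # Snort CPU utilization observed during the window
    packet_drop_pct: float    # packet drop rate observed during the window
    business_relevance: str   # Very Low, Low, Medium, High or Very High


def is_elephant(flow: Flow) -> bool:
    """Detection: both the size and the duration threshold must be exceeded."""
    return flow.total_bytes >= DETECT_BYTES and flow.duration_s >= DETECT_SECONDS


def remediation(flow: Flow) -> str:
    """Returns 'none', 'bypass' or 'throttle' for a flow.

    Order of evaluation follows the dialog: detection first, then the
    CPU/packet-drop gate, then the application filter decides bypass vs throttle.
    """
    if not is_elephant(flow):
        return "none"
    if flow.snort_cpu_pct < CPU_THRESHOLD_PCT or flow.packet_drop_pct < DROP_THRESHOLD_PCT:
        return "none"           # logged as an elephant flow, still fully inspected
    if flow.business_relevance in BYPASS_RELEVANCE:
        return "bypass"         # trusted: no further Snort inspection
    return "throttle"           # rate-limited, but Snort keeps inspecting


def reason_column(flow: Flow) -> List[str]:
    """Model of what lands in the connection event's Reason column.

    The strings are the model's own labels for "detected", "trusted" and
    "throttled"; the exact text shown by the FMC is not reproduced here.
    """
    reasons = []
    if is_elephant(flow):
        reasons.append("Elephant Flow")
    action = remediation(flow)
    if action == "bypass":
        reasons.append("Elephant Flow Trusted")
    elif action == "throttle":
        reasons.append("Elephant Flow Throttled")
    return reasons


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Counts flows per outcome, the way a quick look at Unified Events would."""
    counts = {"none": 0, "bypass": 0, "throttle": 0}
    for f in flows:
        counts[remediation(f)] += 1
    return counts


# Constructed sample flows (not captured from the lab environment).
SAMPLE_FLOWS = [
    # Below the 2 MB threshold: never an elephant flow, whatever the CPU load.
    Flow("198.19.10.200", "203.0.113.10", 1_500_000, 12.0, 90.0, 20.0, "Medium"),
    # Large and long, but Snort is coping: detected and logged, no remediation.
    Flow("198.19.10.200", "203.0.113.11", 40_000_000, 30.0, 15.0, 0.0, "Medium"),
    # Large, long, Snort overloaded, highly relevant app: bypassed (trusted).
    Flow("198.19.10.200", "203.0.113.12", 80_000_000, 45.0, 85.0, 12.0, "Very High"),
    # Same load profile, low relevance app: throttled but still inspected.
    Flow("198.19.10.200", "203.0.113.13", 80_000_000, 45.0, 85.0, 12.0, "Low"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst, remediation(f), reason_column(f))
    print(summarize(SAMPLE_FLOWS))
```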


Click OK to save your settings, then click Save.

Deploy changes to NGFW1:

• Click Deploy in the top menu
• Select the NGFW1 device
• Click the deploy icon to initiate the deployment and wait for the deployment to complete before proceeding.

Task 3. Generate/View Elephant Flow Events


Now that we have set our elephant flow detection parameters, we will generate and view connection events.

Navigate to Analysis > Unified Events

Click the search bar at the top of the screen

Use the Quick Launch to open an SSH session to Kali Inside Linux (198.19.10.200).

The wget command below will download a file which should trigger the elephant flow threshold on NGFW1

wget pov.developmentserver.com/files/QuickTimeInstaller.exe


Navigate to Analysis > Connections > Events

From the Search drop-down in the upper right, select the Predefined search for Elephant Flows (this will limit the events to connections with elephant flows).


You should now see the connections which exceeded the elephant flow threshold we configured on NGFW1.

NOTE: The events for the executable file also show File Monitor in the Reason column. This is because these connections matched a rule in the Malware & File policy.


Encrypted Visibility Engine


RECOMMENDATION - Before proceeding with this section, ensure decryption is disabled. The encrypted visibility engine does
not need traffic decryption to work properly.



Task 1: Enabling the Encrypted Visibility Engine
The Encrypted Visibility Engine (EVE) is enabled in the default dCloud Access Control policies. Since this is a common setting
among all the policies, this feature is enabled in the Parent Policy. To view this setting:

Navigate to Policies > Access Control

Edit the Parent Policy

Click the Advanced tab, scroll to the bottom and ensure the Encrypted Visibility Engine feature is enabled.

Task 2: Encrypted Visibility Engine – Dashboard


The system collects Application Statistics where EVE has identified the client application in a connection. To view these follow
the steps below.

Navigate to Overview > Dashboard

Click switch dashboard and select Application Statistics

Click on the Encrypted Visibility Engine tab and you will be presented with two built-in dashboards:

• Top Encrypted Visibility Engine Discovered Processes - this dashboard represents the top 10 discovered process names with the most
associated network connections
• Connections by Encrypted Visibility Engine Threat Confidence - this dashboard view represents the threat confidence levels and
associated total connections


Task 3: Encrypted Visibility Engine – Events


In this task you will review some of the event information available as a result of the EVE TLS fingerprint analysis.

On the FMC, navigate to Analysis > Unified Events

In the upper left corner click the filter icon at the top of the first column.

In the filter column search bar type "encrypted"

Click on Select 4 filtered to select all the columns

In the filter columns search bar type “client”, check the Client Application checkbox

Click Apply - this adds the five columns to the right of the existing columns.

Click the search bar at the top of the page and search for the following values:
Application Protocol: HTTPS
Source IP: 198.19.10.21 (this is WKST1)

In the upper right corner, change your time window from fixed to a Sliding Time Range of 1 hour.

Click Apply (At this point you should not see any events).

Using the Quick Launch icon on the jumpbox desktop, open a remote access session to the WKST1 desktop.

On WKST1 load the https://rit.edu website from Firefox and also from the Chrome browser.

Refresh your Unified events view on the FMC. You should now see connections.


Scroll to the right and view the values for the EVE fields. These are described below.

Encrypted Visibility Threat Confidence: Probability that the detected process represents a threat (very low/low/medium/high/very high)

Encrypted Visibility Threat Confidence Score: Raw confidence value 0-100 that the detected process is a threat

Encrypted Visibility Process Confidence Score: Percentage confidence value in the accuracy of the detected process

Encrypted Visibility Process Name: Client process name

Client Application: If the Process Name above is mapped to a Client Application, then this field will be updated based on the EVE fingerprint of the client.

Note that the detected application and process name are identified within TLS flows and, most importantly, without decryption. While Client Application is not specifically an EVE field, its value is updated by EVE for certain TLS processes. This is the field that would be used in Access Control rules.

Locate the Start Tor Browser shortcut on the WKST1 desktop and start the TOR browser.

Click to connect to the TOR network, then navigate to https://rit.edu and refresh to observe the new connection events on the Jump
Box.


Task 4: EVE usage in Application Filters


In this task we will look at EVE usage within Application Filters.

Navigate to Objects > Object Management

Click Application Filters


Click Add Application Filter

In the left column click in the search bar and type “encrypted”

Click the box next to encrypted visibility engine

Notice there are 159 entries listed under Available Applications. These are all client applications that have been mapped to EVE processes. While EVE can identify 5,000+ processes, only a subset are mapped to client applications.

Create an application filter named Blocked-Applications and select the TOR application.


Save the filter.

Navigate to Policies > Access Control and edit the NGFW1 Access Control policy

Add a Block with reset rule and on the Applications tab use your Blocked-Applications filter. Enable Log at Beginning of Connection on
the Logging tab. Place the rule in the Mandatory category along with the other block rules.


Save and Deploy your policy. Wait for the deployment to complete before proceeding.

Return to WKST1 and try browsing from Chrome, Firefox and the TOR browser. Review the FMC connection events and confirm that your
TOR activity is blocked.


Transport Layer Security 1.3 Support


For this scenario, we are using the following devices:
• Cisco Secure Firewall Management Center
• Cisco Secure Firewall Threat Defense

Introduction
TLS 1.3 is the latest release of the Transport Layer Security (TLS) protocol, providing significant security and efficiency improvements over its predecessor, TLS 1.2. Since its official release in August 2018, TLS 1.3 has been widely adopted by the Internet community, reaching over 60% of the top 1 million web sites by the end of 2021.

The diagrams above depict the TLS 1.2 and 1.3 handshake message exchange. TLS 1.3 encrypts more attributes during the handshake phase (most notably the Server Certificate), shortens the exchange by one round trip and requires the use of Ephemeral Diffie-Hellman instead of the static RSA handshake.

Prerequisites
TLS 1.3 decryption services require the following:

• Cisco Secure Firewall Management Center version 7.2
• Cisco Secure Firewall Threat Defense version 7.2

Objectives
• Download Malware Test File with and without TLS 1.3 decryption
• Enable TLS 1.3 support on the Threat Defense firewall and configure a decryption rule
• Review IPS, File and connection logs and confirm TLS 1.3 session was properly decrypted


Task 1: Downloading Malware Test File without TLS 1.3 Decryption


Step 1. Open a remote desktop session to the WKST1 PC from the jumpbox by using the Quick Launch page (look for Quick Launch on the
Jumpbox desktop). Click on the WKST1 button under Remote Access.

Log in as Administrator using password C1sco12345.


Step 2. From the WKST1, open Chrome browser and navigate to https://www.eicar.org/download-anti-malware-testfile.

Step 3. Once the page loads, open Chrome’s Developer Tools by pressing CTRL+SHIFT+I or navigating to Chrome Settings > More Tools > Developer Tools. Switch to the Security tab in the tools.

Step 4. Review the connection details and observe the connection is encrypted with TLS 1.3.

Step 5. Click on View certificate button above the connection details to display the server certificate of eicar.org. Click on Certification
Path to confirm the connection is secured by a publicly trusted certificate authority.


Step 6. Close the Developer Tools. Scroll down the web page and download a test malware file by clicking on eicar_com.zip hyperlink.


Step 7. Observe the file is downloaded and instantly quarantined locally on the endpoint by the Microsoft Defender Antivirus software.
The download status is marked as Failed – Virus detected.


Task 2: Configuring TLS 1.3 Decryption Policy


Step 1. Log in to FMC using the quick launch FMC Access > FMC Web as admin with the password C1sco12345.
Step 2. Navigate to Policies > SSL and edit the Demo SSL Policy.
Step 3. Click on the Advanced Settings tab and mark the checkbox next to Enable TLS 1.3 Decryption.


Step 4. Configure a new rule to decrypt TLS traffic towards eicar.org. Switch to the Rules tab and click Add Rule.
• Name the rule Decrypt eicar.org
• Set the action to Decrypt – Resign with TLS_Decrypt_SubCA
• Select insert above rule 2
• Switch to the DN tab. In the Subject DN section add the “*.eicar.org” DN.


The wildcard DN set in this task, CN=*.eicar.org, matches secure.eicar.org and www.eicar.org. Note that it will not match eicar.org nor super.secure.eicar.org. If you wanted to match the latter ones you would have to add the following DNs to the rule condition: CN=eicar.org and CN=*.*.eicar.org (respectively).
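To check which server names a set of Subject DN conditions covers, here is an added Python model (not Cisco code) of the matching rule stated above, where each '*' stands for exactly one DNS label. It is written for the eicar.org names the note discusses and makes no claim about how FTD implements the match internally.

```python
# Model of the Subject DN wildcard matching described in this task.
# Added example, not Cisco code: it reproduces the matching rule the lab
# states (each '*' stands for exactly one DNS label), nothing more.
from typing import Dict, Iterable


def cn_from_dn(dn: str) -> str:
    """Extracts the CN value from a DN such as 'CN=*.eicar.org, O=EICAR'.

    A bare pattern without 'CN=' is returned unchanged so both spellings work.
    """
    for attribute in dn.split(","):
        attribute = attribute.strip()
        if attribute.lower().startswith("cn="):
            return attribute[3:].strip()
    return dn.strip()


def cn_matches(pattern: str, hostname: str) -> bool:
    """True if hostname matches the CN pattern.

    Labels are compared one by one, case-insensitively (DNS names are
    case-insensitive). A '*' label matches exactly one label, so the label
    counts must agree: '*.eicar.org' never matches 'eicar.org' (too few
    labels) nor 'super.secure.eicar.org' (too many).
    """
    p_labels = cn_from_dn(pattern).lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def rule_matches(subject_dns: Iterable[str], hostname: str) -> bool:
    """A rule with several Subject DN conditions matches if any one of them does."""
    return any(cn_matches(dn, hostname) for dn in subject_dns)


def coverage(subject_dns: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Shows which of the given server names a rule's DN conditions would catch."""
    dns = list(subject_dns)
    return {h: rule_matches(dns, h) for h in hostnames}


# Hostnames the lab discusses; all constructed test input, no network access.
HOSTS = ["www.eicar.org", "secure.eicar.org", "eicar.org", "super.secure.eicar.org"]

# The single condition configured in Step 4 ...
RULE_AS_CONFIGURED = ["CN=*.eicar.org"]
# ... and the extended condition set the note describes.
RULE_EXTENDED = ["CN=*.eicar.org", "CN=eicar.org", "CN=*.*.eicar.org"]

if __name__ == "__main__":
    for name, rule in (("configured", RULE_AS_CONFIGURED), ("extended", RULE_EXTENDED)):
        print(name, coverage(rule, HOSTS))
```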

• Lastly, click on the Logging tab and select Log at End of Connection and send connection events to Firewall Management Center.

• Click Add.
Step 5. Click Save to write the changes to the Demo SSL Policy.
Step 6. Navigate to Policies > Access Control and edit the NGFW1 Access Control Policy.
Step 7. Click on the None hyperlink next to SSL Policy and select the Demo SSL Policy.


• Select Demo SSL Policy and click OK.


• Click Save to write the changes to the NGFW policy.

Step 8. Click Deploy and push the new policy to NGFW1 with the deploy button.


Task 3: Blocking Malware Test File Over a TLS 1.3 Encrypted Connection
Step 1. Open a remote desktop session to the WKST1 PC from the jumpbox by using the Quick Launch page (look for Quick Launch on the
Jumpbox desktop). Click on the WKST1 button under Remote Access.

Log in as Administrator using password C1sco12345.


Step 2. From the WKST1, open Chrome browser and clear the browsing cache. Navigate to Chrome Settings > More Tools > Clear
browsing data…

Step 3. Select All Time in the time range and select all items. Click Clear data.

Step 4. Once the cache is cleared in Chrome, navigate to https://www.eicar.org.

Step 5. Once the page loads, open Chrome’s Developer Tools by pressing CTRL+SHIFT+I or navigating to Chrome Settings > More Tools > Developer Tools. Switch to the Security tab in the tools.


Step 6. Review the connection details and observe the connection is encrypted with TLS 1.3 and secured with a certificate issued by
decrypt.dcloud.local.


Step 7. Click on View certificate button above the connection details to display the server certificate of eicar.org. Click on Certification
Path to confirm the connection is secured by an internal certificate authority ad1.dcloud.local.

Step 8. Close the Developer Tools. Navigate to https://secure.eicar.org/eicar_com.zip.

Note: Navigating to https://eicar.org/download-anti-malware-testfile will produce unexpected results. The Snort engine will block
any downloadable files based on the ‘EICAR’ string on the webpage noted in the screenshot below, preventing the webpage from
loading properly.


The transfer of the EICAR Anti Malware Test file will be blocked. After a few failed attempts Chrome displays a message that the connection was reset.


If the file is not blocked, ensure you cleared Chrome’s browser cache prior to downloading the EICAR test file.


Task 4: Review Connection, Malware and Intrusion Prevention Logs


Step 1. Log in to FMC using the quick launch FMC Access > FMC Web as admin with the password C1sco12345.

Step 2. Navigate to Analysis > Unified Events. Filter the view to display all connections that were not allowed by the firewall. In the search
bar type “Action” and specify “!Allowed” condition. Click Apply.

Step 3. Search for a Connection event log of blocked connection from 198.19.10.21 to 89.238.73.97 (Eicar site’s IP address at the time of
writing this lab guide).

Confirm the connection was blocked and observe the recorded SSL flow messages indicating TLS 1.3 handshake.

Observe the SSL status is Decrypted (Resign) and the SSL version TLSv1.3. Confirm the name of the SSL rule that matched the traffic as well as
the URL.

Step 4. Now, try to find a Malware event triggered by the EICAR file download. As the file was intercepted while being downloaded from the Eicar site, look for a flow from 89.238.73.97 (Eicar site’s IP address at the time of writing this lab guide) to the IP of WKST1, 198.19.10.21.

Confirm the action is Malware Block and the event was triggered by a Network File Transfer. Observe the rich metadata associated with this event, including the File Name, SHA-256, URL, Threat Score and the Detection Name.


Step 5. Lastly, have a look at the Intrusion event matching the EICAR file string in the decrypted traffic flow. Similar to the Malware event, the EICAR file was intercepted by Snort while being downloaded from the Eicar site. For that reason, look for a flow from 89.238.73.97 (Eicar site’s IP address at the time of writing this lab guide) to the IP of WKST1, 198.19.10.21.

Confirm the action is Dropped by the Snort engine. Review the details of the Snort rule and the content matching the EICAR file string in the connection.

Scroll down to the Packet Bytes and observe the EICAR file string in the packet dump.


AnyConnect VPN Certificate and SAML Authentication


For the SAML External Browser scenario, we are using the following devices:
• FMC
• NGFW1
• WKST2

AnyConnect VPN SAML External Browser


Firepower version 7.2 introduces certificate and SAML authentication for RA VPN connection profiles, so you can now configure AnyConnect VPN with additional authentication choices. Each user is authenticated with both a client certificate and a SAML server. In this lab exercise, we are going to use Duo Single Sign-On as the IdP, which authenticates the users against Azure AD and provides MFA through Duo. We will also install the CA certificate on FTD via FMC. The client certificate is pre-installed on the workstation.

Prerequisites
The SAML support for external browser requires the following prerequisites to be met:

• Firepower Management Center version 7.2
• Firepower Threat Defense version 7.2

The feature is supported for the following operating systems and the browsers:

Supported browsers by operating system:
• Windows 7+: Edge, Firefox, Chrome, IE11
• Mac OS: Safari, Chrome, Firefox
• Linux: Firefox
• iOS: Safari
• Android: Chrome

Objectives
• Review the Firepower Threat Defense and Duo settings
• Using Firepower Management Center, configure Remote Access VPN with Certificate and SAML as the authentication method
• Enable the External Browser Package
• Allow traffic through the NGFW (optional)
• Verify the VPN connection and test the SAML authentication


Understanding the Duo Integration


• DUO provides Single Sign-On and MFA for the VPN users upon successful authentication by Azure AD.
• Leveraging DUO SSO with Azure AD, all VPN users exist in Azure AD. Primary authentication is done on Azure AD.


NOTE: The DUO and the Azure AD Accounts used for this lab are being shared by all the Lab users - the login to the DUO and Azure account
has not been shared. These accounts will be available for the duration of the SEVT Labs.

More information on how DUO SSO works and integrates with Azure AD as the SAML IDP is available here.


Task 1. Download and add CA certificate to FMC.


1. Open Chrome, open the Certificates web services bookmark and click Download a CA certificate. If prompted, enter the credentials username: administrator, password: C1sco12345.


2. Select Base 64 and click Download CA certificate.

3. Locate the file under Downloads, right-click the file, open it in Notepad++ and copy the certificate content.

4. Open FMC using the FMC shortcut from the bookmark toolbar, navigate to Devices > Certificates and select Add Certificates.


5. Select NGFW1 as the Device. For Cert Enrollment, click the + icon, enter CACert as the Name, change the Enrollment Type to Manual, check CA Only, paste the certificate contents copied in Step 3 and click Save.

6. Click the Add button to add the new certificate to the device.

Task 2. Create the Secure Firewall Management Center Single Sign-on Server Object
Navigate to Objects > Object Management > AAA Server.


Click Single Sign-On-Server. Click Add Single Sign-on Server.

• Open a new browser tab.
• Click on the Aux link in the bookmark toolbar.
• Click on the link November 2020 SEVT.
• Click on the file SSO_Server.txt.

2. Copy and paste the following information from the SSO_Server.txt file into the Sign-On-Server page in the FMC.

a. Name: DUO_SSO_Azure_AD
b. Identity Provider Entity ID: https://sso-e536f2c9.sso.duosecurity.com/saml2/sp/DIJVXBZTQQNVKQRXK5BA/metadata
c. SSO URL: https://sso-e536f2c9.sso.duosecurity.com/saml2/sp/DIJVXBZTQQNVKQRXK5BA/sso
d. Logout URL: https://sso-e536f2c9.sso.duosecurity.com/saml2/sp/DIJVXBZTQQNVKQRXK5BA/slo
e. Base URL: https://ngfw1-outside.dcloud.local

3. The Identity Provider Certificate is the certificate FTD uses to verify the messages signed by the IDP – DUO SSO in this case.


NOTE: Since the DUO account has already been provisioned, this certificate has been pre-generated for this lab exercise. If you wish, you can
download and inspect the certificate DUO_Single_SignOn.crt from the same folder as the SSO_Server.txt file. This certificate is also included in
the SSO_Server.txt file.

4. Click the + icon next to Identity Provider Certificate. Now add the Cert Enrollment for this certificate.

• Name: DUO_Single_SignOn
• Under CA Information, select Enrollment Type as Manual.
• In the textbox named CA Certificate, copy and paste the contents of the certificate from SSO_Server.txt.
• Click Save and then select this certificate from the dropdown.

5. The service provider certificate is used by FTD to sign the requests and build a circle of trust with the IdP. Click +.

• For Name, enter NGFW1_Outside.
• Select PKCS12 File from the Enrollment Type drop-down menu.
• Click Browse PKCS12 File and select ngfw-dcloud.pfx (the extension may be hidden) from the Certificates\Lab Certificates\Other
Certificates folder on the Jumpbox desktop. Click Open.
• For Passphrase, enter C1sco12345.
• Click Save and select NGFW1_Outside from the dropdown in the Single Sign-on Server object window.

6. Verify the Single Sign-On Server Object settings, as shown below:


7. Save the performed configuration changes.


Task 3. Run Remote Access VPN Wizard


In FMC, navigate to Devices > VPN > Remote Access. Click Add to launch the wizard.

Complete the Policy Assignment page of the wizard


1. For Name, enter RAVPN.
2. Uncheck IPsec-IKEv2.

3. From Target Devices, select NGFW1. Click Add.

4. Click Next in the bottom right corner.

Complete the Connection Profile page of the wizard


1. For Connection Profile Name, enter RAVPN (It is important that you enter this name exactly as shown as this will be used to match the DUO
MFA account).

2. For the Authentication Method, select Client Certificate & SAML.

3. For Authentication Server, select the SSO object created earlier – DUO_SSO_Azure_AD.

4. For SAML Login Experience, Select Default OS Browser.


5. Under Client Address Assignment, create and assign the IPv4 Address Pool to be assigned to the Remote Access VPN users. Click on the
Pencil icon. Click on the + icon to the right of the IPv4 Address Pools field. Enter the details as below:

• For Name, enter VPNPool.
• For IPv4 Address Range, enter 198.19.10.57-198.19.10.62.
• For Mask, enter 255.255.255.248.
• Click Save.

6. From the Address Pools window, select VPNPool, then click Add to add it to the Selected IPv4 Pools column. Click OK.


7. Under the Group Policy, verify that the group policy is set to DfltGrpPolicy. Click on Edit Group Policy.

• Under General > VPN Protocols, uncheck IPsec-IKEv2.
• Under General > DNS/WINS, select DNS_Server from the Primary DNS Server drop-down list.
• For Default Domain, enter dcloud.local.


NOTE: For best security, it’s recommended that split tunneling not be used. However, because there is no console access for the PC on which you’ll run AnyConnect, split tunneling must be used in this scenario. Since there are different ways to access the PC in dCloud, you need to create a standard ACL to bypass all these potential access addresses. You will do this now.


8. Under General > Split Tunneling

• Select Tunnel networks specified below from the IPv4 Split Tunneling drop-down list.
• For the Standard Access List drop-down list, click +.
• Create a standard access list called Split_Tunnel with the ACE that allows LAN_Network.
• Search for LAN_Network in the Available Network and then click Add.
• Click Add at the bottom right.
• Click Save to save the access list.


9. Under AnyConnect > Profile, click the + icon.

• Click Browse and select AnyConnectProfile.xml (the extension .xml may not be visible) from the RA VPN folder on the Jumpbox
desktop. The remaining fields will auto-populate.
• Click Save.


10. Select AnyConnectProfile.xml from the Client Profile drop-down list.

• Click Save to save the changes you made to DfltGrpPolicy.
• Click Next.


Complete the AnyConnect page of the wizard.


1. Click + to add a new AnyConnect Image.

2. Click Browse and select the AnyConnect-win-4.10.04065-webdeploy-k9.pkg from the RA VPN folder on the Jumpbox desktop. Click Open.
The remaining fields will auto-populate.

3. Click Save.

4. Enable the AnyConnect File Object Name checkbox and click Next.


Complete the Access & Certificate page of the wizard


On this page of the wizard, you choose the NGFW interface that accepts incoming VPN connections and the server-side certificate the NGFW presents to clients for the VPN connection.

1. For Interface group/Security Zone, select OutZone from the drop-down menu.

2. For Certificate Enrollment, select NGFW1_Outside from the drop-down menu.

NOTE: Do not check the option Bypass Access Control policy for decrypted traffic (sysopt permit-vpn). If you select this option, decrypted VPN traffic skips the Access Control Policy, so you would not need specific rules to allow it, but it would also not receive the intrusion and file inspection those rules apply. Leaving it unchecked means you must add an explicit rule for the VPN traffic in Task 5.

3. Click Next.

Review the configuration


Review the configuration on the Summary page. Click Finish.


Task 4. Configure External Browser Package


To enable SAML authentication through an external browser, Cisco provides a dedicated browser package that is compatible with all supported endpoint operating systems. For administrator convenience, the Default-External-Browser-Package is enabled by default as an AnyConnect File Object. When Cisco updates the external browser package, the new version can be uploaded to the Firepower Management Center and pushed to the Firepower Threat Defense device.

The default package is available at Objects > Object Management > VPN > AnyConnect File.

To update the External Browser Package, you can either click Add AnyConnect File on that page or follow the steps below:

• In the FMC, navigate to Devices > VPN > Remote Access.
• Select the previously configured RAVPN policy, then click the Advanced tab.
• Within AnyConnect Client Images, under AnyConnect External Browser Package, click the + icon next to Package File.
• Click Browse and select the browser package named external-sso-4.10.04065-webdeploy-k9.pkg from the RA VPN folder on the Jumpbox desktop, then click Save.


• Navigate back to Devices > VPN > Remote Access > RAVPN > Advanced, click the Package File drop-down menu, and select the latest external browser package.


• Click Save to confirm the changes.


Task 5. Allowing VPN Traffic through the NGFW


Modify the access control policy to allow decrypted VPN traffic

NOTE: This access control rule is required because you did not check the option Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) in the Remote Access VPN wizard; decrypted VPN traffic is therefore evaluated against the access control policy like any other traffic.
1. In FMC, navigate to Policies > Access Control > Access Control.

2. Select and edit the access control policy NGFW1. Click Add Rule.

• For Name enter AnyConnect-SSO-Permit.


• Select into Default from the Insert drop-down list.
• Keep the Action as Allow.
• The Zones tab should already be selected.
• Select OutZone and click Add to Source.
• Select InZone1 and click Add to Destination.

NOTE: The VPN traffic flows from OutZone to InZone1 because the VPN terminates on the outside interface, which is assigned to zone OutZone.

3. Select the Networks tab

• Search and select VPNPoolIPs and click Add to Source Networks.


• Search and select LAN_Network and click Add to Destination.

4. Select the Inspection tab

• Select dCloud Balanced Intrusion from the Intrusion Policy drop-down list.
• Select Block Malware from the File Policy drop-down list.
• Click Add to add the rule.

5. Click Save to confirm the changes to the access control policy.


Configure a NAT exemption

1. In the FMC, navigate to Devices > NAT.

• Select and edit the existing NAT policy called NGFW1 NAT. Click Add Rule.
• The Interface Objects tab should be selected.
• Select InZone1 and click Add to Source.
• Select OutZone and click Add to Destination.

2. Select the Translation tab

• For Original Source, select LAN_Network.


• For Original Destination, select Address in the first box and select VPNPoolIPs in the second.
• For Translated Source, select Address in the first box and select LAN_Network in the second.
• For Translated Destination, select VPNPoolIPs.

3. Select the Advanced tab and select Do not proxy ARP on Destination Interface.

NOTE: Enabling Do not proxy ARP on Destination Interface is critical in this lab exercise. If you miss this step, NGFW1 may proxy-ARP for the translated addresses on the outside interface, and because all devices in the pod are managed in band, your pod may have access issues.

4. Click OK to save the NAT rule.

5. Click Save to confirm the changes to the NAT policy.
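The following is an added example (not part of the lab guide and not Cisco code) that models first-match NAT lookup in Python to show why this identity rule is needed and why it must sit above the dynamic PAT rule. The LAN prefix 198.19.10.0/24 is the corporate LAN named in the EIGRP exercise later in this guide; the VPN pool 192.0.2.0/24, the outside interface address 203.0.113.1 and the pre-existing LAN-PAT rule are assumptions, since the guide does not list them. Proxy ARP and the reverse (VPN-to-LAN) direction are not modelled.

```python
"""Model of first-match NAT lookup on NGFW1, showing why the LAN-to-VPN-pool
identity (exemption) rule must exist and must sit above the dynamic PAT rule."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed lab addressing (the lab guide does not list these values).
LAN_NETWORK = ipaddress.ip_network("198.19.10.0/24")   # LAN_Network object
VPN_POOL = ipaddress.ip_network("192.0.2.0/24")        # VPNPoolIPs (hypothetical)
OUTSIDE_IF_IP = ipaddress.ip_address("203.0.113.1")    # NGFW1 outside (hypothetical)


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str                                    # ingress zone (InZone1 / OutZone)
    dst_zone: str                                    # egress zone
    orig_src: ipaddress.IPv4Network
    orig_dst: Optional[ipaddress.IPv4Network]        # None means "any"
    translated_src: Optional[ipaddress.IPv4Address]  # None means identity (unchanged)

    def matches(self, src_zone: str, dst_zone: str,
                src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and src in self.orig_src
                and (self.orig_dst is None or dst in self.orig_dst))


def translate(rules: List[NatRule], src_zone: str, dst_zone: str,
              src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (translated_source, rule_name) for the first matching rule.
    No match means the packet is forwarded with its source unchanged."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, s, d):
            new_src = src if rule.translated_src is None else str(rule.translated_src)
            return new_src, rule.name
    return src, None


# Assumed pre-existing rule in "NGFW1 NAT": dynamic PAT of the LAN behind the
# outside interface address for Internet-bound traffic.
LAN_PAT = NatRule("LAN-PAT", "InZone1", "OutZone", LAN_NETWORK, None, OUTSIDE_IF_IP)

# The exemption rule built in this task: LAN -> VPN pool keeps its real source
# (identity NAT), so VPN clients see the LAN host address and replies route back.
VPN_EXEMPT = NatRule("VPN-Exempt", "InZone1", "OutZone", LAN_NETWORK, VPN_POOL, None)


def without_exemption(src: str = "198.19.10.25", dst: str = "192.0.2.10"):
    # Only the PAT rule exists: the LAN host is hidden behind the outside address.
    return translate([LAN_PAT], "InZone1", "OutZone", src, dst)


def with_exemption(src: str = "198.19.10.25", dst: str = "192.0.2.10"):
    # Manual NAT rules added in the FMC land in the "before" section, ahead of PAT.
    return translate([VPN_EXEMPT, LAN_PAT], "InZone1", "OutZone", src, dst)


def exemption_misordered(src: str = "198.19.10.25", dst: str = "192.0.2.10"):
    # Same two rules, wrong order: the broader PAT rule shadows the exemption.
    return translate([LAN_PAT, VPN_EXEMPT], "InZone1", "OutZone", src, dst)


def internet_bound(src: str = "198.19.10.25", dst: str = "198.51.100.7"):
    # Traffic not destined to the pool still gets PAT with the exemption in place.
    return translate([VPN_EXEMPT, LAN_PAT], "InZone1", "OutZone", src, dst)


if __name__ == "__main__":
    for fn in (without_exemption, with_exemption, exemption_misordered, internet_bound):
        print(f"{fn.__name__:22s} -> {fn()}")
```

Run it directly to print the four cases. The point of exemption_misordered is that rule order, not just rule presence, decides the result: in the FMC the rule you just added is a manual NAT rule, which by default is placed before any auto NAT, and that is what keeps it ahead of the PAT.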


Deployment

Perform policy deployment changes to push the RA-VPN down to the Firepower / NGFW1 device:

1. Click Deploy and select the deploy icon for NGFW1. If validation warnings are shown, click Validation Warnings and select Proceed with Deploy.


2. Wait for the deployment task to finish.


Task 6. Connecting to Remote Access VPN

Login with AnyConnect Client

1. Connect to Wkst2 using one of the two methods below. You will automatically be logged in as Administrator.

2. Either click the Remote Desktop hyperlink next to the Wkst2 machine on the main dCloud webpage, or click the Wkst2 (Outside PC) shortcut in the Remote Desktops folder on the Jumpbox desktop. If you use the Jumpbox shortcut, you must allow local LAN access in the AnyConnect client.

NOTE: If you are connected to the pod via VPN, use an RDP client on your laptop to connect to 198.18.133.23. Log in as Administrator using
password C1sco12345.

3. From the desktop of Wkst2, open AnyConnect from the Start Menu. The Connect To field should have NGFW1 selected; if not, select NGFW1 from the drop-down menu. Click Connect.

4. Click the gear icon and uncheck Block connections to untrusted servers.

NOTE: This step is optional; if Block connections to untrusted servers is already unchecked, you can skip it. It is needed only because the lab uses a certificate that Wkst2 does not trust.

5. This brings up the Microsoft login prompt in the external browser for the operating system (Firefox in this case).

NOTE: If you see a warning for an untrusted certificate, click Advanced and then Accept the Risk and Continue. In a production deployment, use a certificate issued by a CA your clients trust: users who are trained to click through this warning cannot tell a self-signed lab certificate from an interception attempt.

6. When prompted, log in with the following details:

• For your VPN username, open the URL http://tmedemos.cisco.com/cgi-bin/get_username.py
• Use the username displayed as the output.

NOTE: If you use another username, it might already be in use and the VPN authentication might fail. If you face any issues with the VPN username, such as a login failure or a non-existing user error, reach out to the lab admins in the Webex Teams room.

• Password: C1sco12345!
• You will be asked to update your password upon the first successful login.
• Enter the current password, a new password, and the new password again to confirm.

7. Upon successful login, you will be presented with the Duo setup screen, since this is a new login account.


Duo MFA Setup

At this point, the VPN user account has been authenticated by Azure AD and redirected to Duo for MFA. Since this VPN user isn't yet associated with Duo SSO and has no MFA device enrolled, you'll be prompted to set up the account.

1. Click on Start setup.


2. Choose Mobile phone (it is selected by default) and click Continue.

NOTE: Before proceeding with the next step, note that your mobile number will be mapped to the VPN user you used to log in to AnyConnect and will be saved in the Duo admin account used for this single sign-on. No other lab users have access to that account; only the author of this lab guide has access to it. Reach out to the Lab Administrators if you have any issues setting up your number or wish to remove your number after testing.


3. You will be prompted to enter your mobile number along with the country code. Enter your number and country code. Check the check box
to verify the number. Click Continue.


4. Enter the type of phone. Click Continue.

5. Now, you will be prompted to Install Duo Mobile. If you already have the Duo App installed, click on I have Duo Mobile installed. If not
already installed, install the App from the App Store.


6. Now, you will be prompted to Activate Duo Mobile. Follow the on-screen instructions.


7. Click Continue – the button will be enabled once this account has been added to the Duo App.

8. Duo MFA will prompt you to choose the authentication method preference. Click Continue to Login.


9. Now, you will be prompted to send a Push or a Passcode for completing the successful AnyConnect Login MFA.


10. Approve the push notification from the phone, and the AnyConnect login will succeed.

11. Once the VPN connection is successful, you can close the browser tab.


Task 7. Verifying VPN Access


In the NGFW1 PuTTY session, type show vpn-sessiondb detail anyconnect to view the session details and statistics.


To verify that the AnyConnect external browser package is installed, type show webvpn anyconnect. To determine whether it is enabled on the connection profile, type show running-config tunnel-group <tunnel-group name>.


Cisco Secure Firewall – FMC Support for EIGRP


Prior to release 7.2, configuring EIGRP on the Cisco Secure Firewall required Flexconfig. The 7.2 release adds EIGRP support to the FMC UI and
FMC API. In this exercise, you will use the FMC UI to configure EIGRP on NGFW1.

On the outside network of the Cisco Secure Firewall, there is a Cisco Cloud Services Router (CSR60). This router already has an EIGRP configuration. In this exercise you will peer NGFW1 with CSR60.

NOTE: In this lab, you will configure a minimal EIGRP configuration. The student can go beyond the enumerated tasks if other specific EIGRP
features are of interest.

Task 1. Inspect Existing EIGRP Configuration


Using the Quicklaunch, open a CLI session to NGFW1.

• Run show running-config router eigrp to confirm that there is no EIGRP configuration on NGFW1.
• Run show eigrp ? to see the available EIGRP commands. Run show eigrp neighbors to confirm that there are no EIGRP peers.
• Run show route eigrp to confirm that there are no EIGRP learned routes.

NOTE: You do not have to access NGFW1 directly to run EIGRP commands. You can run these commands from the FMC UI by navigating to Devices > Threat Defense CLI.

Using the Quicklaunch, open a CLI session to CSR60.

• Run show run | section eigrp to confirm the EIGRP configuration. Confirm that the autonomous system (AS) number is 10.

Note that there is a loopback interface on CSR60 with IP address 204.44.14.1. You can run show ip int br to confirm this, if you wish.

• Run show ip eigrp nei to confirm that there are no EIGRP peers.
• Run show ip route eigrp to confirm that there are no EIGRP learned routes.

Using Quicklaunch, open a CLI session to the Kali Inside Linux server. This device lies inside the corporate VLAN.

• Run ping 198.18.133.60 to confirm that you can reach CSR60. This traffic is going through NGFW1.
• Run ping 204.44.14.1 to confirm that you cannot reach the loopback interface on CSR60.

Task 2. Configure EIGRP on NGFW1


In the FMC UI, navigate to Devices > Device Management.


Edit the NGFW1 device and select the Routing sub-tab. Select EIGRP from the left-hand navigation pane.

Check the Enable EIGRP checkbox and set the AS Number to 10. The AS number must match the AS number on CSR60 to form a neighbor
adjacency. Select Lab_Networks from the Available Networks/Hosts list and add it to the Selected Networks/Hosts list.


Browse the remaining sub-tabs: Neighbors, Filter Rules, Redistribution, Summary Address, Interfaces, Advanced
Based on your knowledge of EIGRP, interpret options exposed in these tabs.

(Optional) Make additional configuration changes. In Step 1 of Task 3, you will see how these options affect the NGFW1 data plane configuration.

Save the changes made to the NGFW1 device configuration.

Deploy the NGFW1 device configuration changes and wait for the deployment to complete.


Task 3. Evaluate the EIGRP Configuration on NGFW1


In the NGFW1 CLI run the following commands.

• Run show running-config router eigrp to inspect the EIGRP configuration.



• Run show eigrp neighbors to confirm that CSR60 is an EIGRP peer of NGFW1.
• Run show route eigrp to confirm that there are EIGRP learned routes.
• (Optional) Why are there so many EIGRP-learned routes on NGFW1? Change this behavior by slightly modifying the EIGRP configuration on CSR60. Use show route eigrp on the NGFW1 CLI to confirm that NGFW1 now learns only two routes from CSR60: 204.44.14.0/24 and 210.1.55.0/24.

Run show ip eigrp nei on CSR60 to confirm that NGFW1 is an EIGRP peer.

On the Kali Inside Linux server, run ping 204.44.14.1 to confirm that you can now reach the loopback interface on CSR60.

(Optional) Run show ip route eigrp on CSR60. Observe that CSR60 has learned routes to the four internal corporate networks
198.19.10.0/24, 198.19.20.0/24, 198.19.30.0/24, 198.19.40.0/24.

• Stop the advertisement of the corporate LAN (198.19.10.0/24) by configuring an EIGRP outbound filter on NGFW1, while still allowing the advertisement of the remaining three networks. The filter ACL therefore denies 198.19.10.0/24 and permits 198.19.20.0/24, 198.19.30.0/24, and 198.19.40.0/24.

Note that the Kali Inside Linux server will still be able to ping 204.44.14.1 because of source NAT on NGFW1.

• Stop the advertisements of all four of these networks without any EIGRP filters on NGFW1 or CSR60, but still allow NGFW1 to learn
EIGRP routes from CSR60. Hint: run show eigrp interfaces on the NGFW1 CLI before and after your change.
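As an added example (not from the lab guide and not Cisco code), here is a Python model of the outbound filter from the exercise above: a standard ACL applied as a distribute-list out, evaluated first-match with an implicit deny at the end, following standard-ACL semantics in which the route's network number is compared against the ACE address and mask and the prefix length is ignored. The four 198.19.x.0/24 prefixes are the ones named above; the extra candidate routes are constructed to show the edge cases, and CIDR notation stands in for the netmask form used on the firewall.

```python
"""Model of an EIGRP outbound distribute-list built from a standard ACL.
First match wins; a route that matches nothing hits the implicit deny."""
import ipaddress
from typing import Iterable, List, Tuple

Ace = Tuple[str, str]  # ("permit" | "deny", "<network>/<prefixlen>" or "any")

# Filter ACL for the exercise: suppress the corporate LAN, advertise the rest.
# On the firewall each ACE is written with a netmask, e.g.
# "permit 198.19.20.0 255.255.255.0"; CIDR is used here for brevity.
FILTER_ACL: List[Ace] = [
    ("deny", "198.19.10.0/24"),
    ("permit", "198.19.20.0/24"),
    ("permit", "198.19.30.0/24"),
    ("permit", "198.19.40.0/24"),
]

# Constructed set of routes NGFW1 might try to advertise to CSR60. The last
# three are not in the lab; they exist to exercise the edge cases below.
CANDIDATE_ROUTES = [
    "198.19.10.0/24", "198.19.20.0/24", "198.19.30.0/24", "198.19.40.0/24",
    "198.19.10.128/25",   # more-specific route inside the denied LAN
    "198.19.0.0/16",      # aggregate covering the LAN; network number differs
    "10.0.0.0/8",         # unrelated prefix, caught by the implicit deny
]


def ace_matches(ace: Ace, route: ipaddress.IPv4Network) -> bool:
    """A standard ACE tests the route's network address against the ACE
    address/mask and does not compare prefix length. So 198.19.10.128/25
    matches an ACE for 198.19.10.0/24, while 198.19.0.0/16 does not."""
    _, target = ace
    if target == "any":
        return True
    return route.network_address in ipaddress.ip_network(target)


def filter_outbound(acl: Iterable[Ace],
                    routes: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Apply the ACL as a distribute-list out. Returns (advertised, suppressed)."""
    acl = list(acl)
    advertised: List[str] = []
    suppressed: List[str] = []
    for r in routes:
        net = ipaddress.ip_network(r)
        action = "deny"                       # implicit deny when nothing matches
        for ace in acl:
            if ace_matches(ace, net):
                action = ace[0]               # first match decides
                break
        (advertised if action == "permit" else suppressed).append(r)
    return advertised, suppressed


def run_lab_filter() -> Tuple[List[str], List[str]]:
    """The filter from the exercise applied to the constructed candidate routes."""
    return filter_outbound(FILTER_ACL, CANDIDATE_ROUTES)


if __name__ == "__main__":
    adv, sup = run_lab_filter()
    print("advertised:", adv)
    print("suppressed:", sup)
```

The two constructed extras illustrate why a standard ACL is a coarse filter: anything whose network number falls inside a denied ACE is suppressed regardless of length, and an aggregate whose network number differs slips past the deny only to be dropped by the implicit deny. When exact prefix-length matching matters, use a prefix list instead.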


Cisco Secure Firewall – Policy Based Routing Path Monitoring


Prior to release 7.1, configuring policy-based routing (PBR) and equal-cost multipath (ECMP) on the Cisco Secure Firewall required FlexConfig. To support the Direct Internet Access (DIA) feature, the 7.1 FMC UI added the following:

• Support for PBR
• Support for ECMP zones and for creating ECMP static routes and ECMP PBR
• Application selection in extended access lists

NOTES:
• Extended access lists with application matching criteria can only be used in PBR configuration. A dynamic feed provides the IP-to-application mapping so that the first packet in the connection can be routed correctly.
• PBR can only be configured in the global VRF.
• For ASAv version 9.18.1, PBR path monitoring is available using ASDM 7.18.1 or CSM 4.25.

If you are interested in configuring the DIA feature, consult the Cisco Secure Firewall 7.1 Features lab guide. In that exercise the student configures PBR with a static per-application path choice.

The key limitation of the 7.1 DIA feature was the lack of path monitoring, so the path choice for each application was static. In 7.2, path monitoring was added to dynamically choose the best path based on measured performance. In this exercise you will configure routing so that:

• YouTube traffic uses the path with the least jitter


• Outlook traffic uses the path with least round-trip time (RTT)

The two metrics do not correspond to best practice for these applications. However, they have the advantage of almost always returning
distinct values for different interfaces. Therefore, they demonstrate feature functionality without stress testing.
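As an added example (not from the lab guide and not Cisco code), here is a Python model of the selection that path monitoring enables: each forwarding action orders its egress candidates by one metric and sends matching traffic out the best interface whose monitored path is up. The metric values are constructed, the priority-based tie-break is an assumption of the model, and the two orderings beyond jitter and RTT (packet loss and MOS) go beyond what this exercise configures.

```python
"""Model of PBR egress-interface selection under path monitoring.

For each forwarding action the candidate interfaces are ordered by the chosen
metric and the best interface whose monitored path is up is used."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PathStats:
    rtt_ms: float      # round-trip time to the monitored next hop
    jitter_ms: float   # variation in RTT between probes
    loss_pct: float    # probe loss
    mos: float         # mean opinion score derived from the above
    up: bool = True    # False when probes to the next hop are failing


# Constructed sample of per-interface path-monitoring results for NGFWBR1.
# These numbers are invented for illustration, not captured from the lab.
SAMPLE: Dict[str, PathStats] = {
    "outside":  PathStats(rtt_ms=18.0, jitter_ms=4.5, loss_pct=0.0, mos=4.3),
    "outside2": PathStats(rtt_ms=31.0, jitter_ms=1.2, loss_pct=0.0, mos=4.4),
    "outside3": PathStats(rtt_ms=12.0, jitter_ms=9.8, loss_pct=2.0, mos=3.9),
}
CANDIDATES = ["outside", "outside2", "outside3"]

# Interface priorities as set in Task 2 (lower is preferred). Using them to
# break exact metric ties is an assumption of this model.
PRIORITY = {"outside": 10, "outside2": 10, "outside3": 20}

# Sort key per ordering: smaller is better, so MOS is negated.
ORDERINGS: Dict[str, Callable[[PathStats], float]] = {
    "Minimal Jitter": lambda s: s.jitter_ms,
    "Minimal Round-Trip Time": lambda s: s.rtt_ms,
    "Minimal Packet Loss": lambda s: s.loss_pct,
    "Maximal Mean Opinion Score": lambda s: -s.mos,
}


def order_interfaces(stats: Dict[str, PathStats], candidates: List[str],
                     ordering: str) -> List[str]:
    """Return the candidates whose path is up, best metric first; ties fall
    back to interface priority, then to the order the interfaces were listed."""
    key = ORDERINGS[ordering]
    usable = [i for i in candidates if stats[i].up]
    return sorted(usable, key=lambda i: (key(stats[i]), PRIORITY.get(i, 0),
                                         candidates.index(i)))


def select_egress(stats: Dict[str, PathStats], candidates: List[str],
                  ordering: str) -> Optional[str]:
    """The interface PBR would forward on, or None when no candidate path is
    up (no PBR decision; what the firewall does then is outside this model)."""
    ordered = order_interfaces(stats, candidates, ordering)
    return ordered[0] if ordered else None


def youtube_egress(stats: Dict[str, PathStats] = SAMPLE) -> Optional[str]:
    return select_egress(stats, CANDIDATES, "Minimal Jitter")


def outlook_egress(stats: Dict[str, PathStats] = SAMPLE) -> Optional[str]:
    return select_egress(stats, CANDIDATES, "Minimal Round-Trip Time")


def with_outage(stats: Dict[str, PathStats], iface: str) -> Dict[str, PathStats]:
    """Copy of stats with one interface's monitored path marked down."""
    return {**stats, iface: replace(stats[iface], up=False)}


if __name__ == "__main__":
    print("YouTube ->", youtube_egress())
    print("Outlook ->", outlook_egress())
    print("YouTube with outside2 down ->", youtube_egress(with_outage(SAMPLE, "outside2")))
```

With the sample numbers YouTube leaves on outside2 (lowest jitter) and Outlook on outside3 (lowest RTT), which is the "distinct values for different interfaces" effect the text relies on; marking outside2 down moves YouTube to outside, the next-best jitter, without touching the configuration.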


Task 1. Inspect the Interface and Routing Configuration on NGFWBR1


This lab starts with the same partial configuration used at the beginning of the DIA exercise in the 7.1 feature lab. In this task, you will inspect
this initial configuration.

In the FMC UI, navigate to Devices > Device Management.


Edit the NGFWBR1 device.

• Select the Interfaces tab. Note that there are three outside interfaces: outside, outside2, and outside3.

• Select the Routing tab. Select ECMP in the left navigation pane. Confirm that outside and outside2 are in the same ECMP zone.

• Select Static Route in the left navigation pane. Confirm the two ECMP default routes and the third, lower-priority default route.

• Select Policy Based Routing in the left navigation pane. Confirm that there is no PBR configuration.


Task 2. Enable Path Monitoring


To select the best interface, you must enable path monitoring on outside, outside2, and outside3.

You should still be editing the NGFWBR1 device. Select the Interfaces tab.

• Edit the GigabitEthernet0/0 interface. Scroll down and you will see that the Priority of the interface is set to 10. Leave this setting alone.

• Select the Path Monitoring tab.


• Check the Enable Path Monitoring checkbox.
• Leave Monitoring Type set to the default, Next-hop of default route out of interface (Auto), but inspect the other choices.

• Click OK.

Repeat the previous step for GigabitEthernet0/3 and GigabitEthernet0/4. Note that the priorities are 10 and 20, respectively. This
reflects the ECMP configuration.

Click Save to save the interface configuration changes.


Task 3. Configure PBR with Path Monitoring


PBR configuration requires extended ACLs. You can configure these separately by navigating to Objects > Object Management, or in context when you configure PBR. In the steps below, you will use the latter approach.

You should still be editing the NGFWBR1 device. Select the Routing tab. Select Policy Based Routing in the left navigation pane.
Click Configure Interface Priority. Note that this is another place in the FMC UI where you can configure these priorities. Leave these priorities alone. Click Cancel.

Click Add. For Ingress Interface, select inside. To the right of Match Criteria and Egress Interface, click Add.

• To the right of the Match ACL drop-down list, click the plus sign.

• Create an extended ACL called YouTube that matches the YouTube application. After creation, this ACL will automatically be selected.


• For Interface Ordering, select Minimal Jitter.


• Select the interfaces outside, outside2, and outside3.

• Click Save to save this forwarding action.


To the right of Match Criteria and Egress Interface, click Add.


• To the right of the Match ACL drop-down list, click the plus sign.

• Create an extended ACL called Outlook that matches the Outlook application. After creation, this ACL will automatically be selected.


• For Interface Ordering, select Minimal Round-Trip Time.


• Select the interfaces outside, outside2, and outside3.


• Click Save to save this forwarding action.

Confirm that your PBR policy now has two forwarding actions for ingress interface inside: the YouTube ACL ordered by Minimal Jitter and the Outlook ACL ordered by Minimal Round-Trip Time, each over outside, outside2, and outside3.

Click Save to save the NGFWBR1 device configuration changes.

Deploy the NGFWBR1 device configuration changes and wait for the deployment to complete.


Task 4. Test PBR


Using the Quicklaunch, open a CLI session to NGFWBR1.

Run the following commands to inspect the PBR configuration on NGFWBR1.

• Run show policy-route to confirm that a route-map has been created and assigned to GigabitEthernet0/1.

You can also confirm this by running show running-config interface GigabitEthernet 0/1.

Note that this route-map does not appear in the FMC UI under Objects > Object Management.

• Run show route-map to inspect the route map.

• Run show access-list YouTube and show access-list Outlook to see the details of the extended ACLs including the hit
count.


Enable PBR debugging on NGFWBR1.

• On the NGFWBR1 CLI run system support diagnostic-cli.


• Type enable. When prompted for a password, hit <ENTER>.
• Type debug policy-route. Periodically you will see monitoring statistics for outside, outside2, and outside3.


Generate traffic and observe debug messages.

• Using the Quicklaunch, open a remote desktop session to WKST BR. You can also launch this from the remote desktop icon labelled
Wkstbr1 in the Remote Desktops folder on the Jumpbox desktop.
• Open a browser and generate some YouTube traffic.
• Observe that PBR decides the interface for the YouTube traffic. You will also see traffic that is not subject to PBR.

You should not let debugging run indefinitely. Disable debugging by typing no debug all.
