Cisco dCloud

Cisco Secure Firewall 7.4 Advanced Lab v3.3


Last Updated: 19-SEPTEMBER-2024

About This Demonstration


The guide for this preconfigured demonstration includes:

• Requirements

• About This Solution

• Topology

• Get Started

• Scenario 1: File & Malware Policy

• Scenario 2: IPS Policies

• Scenario 3: FTD High Availability Configuration

• Scenario 4: Cisco Secure Client RAVPN and Load Balancing

• Scenario 5: Site-to-Site VPN

• Scenario 6: Route Based VTI Site-to-Site VPN

• Scenario 7: Direct Internet Access

• Scenario 8: Monitoring and Troubleshooting

• Scenario 9: Decryption

• Scenario 10: TLS Server Identity Discovery

• Scenario 11: Encrypted Visibility Engine

• Scenario 12: Network Discovery and Firepower Recommendations

• Scenario 13: Port Scan

• Scenario 14: Application Programming Interface

• Scenario 15: Cisco Threat Intelligence Director

• Appendix A: FMC Pre-configuration

© 2024 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 129

Cisco Confidential

Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required: Laptop
Optional: Cisco Secure Client®

About This Solution


IT teams have been asked to manage security using a patchwork of siloed point products, starting with legacy next-generation
firewalls (NGFW), which were created with a focus on application and bolted on best effort threat protection. As such, these legacy
NGFWs are unable to provide an enterprise with the contextual information, automation, and prioritization that they need to handle
today's modern threats.

Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built
platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your
organization’s security policy: your guidelines for protecting your network.

This allows the Cisco Firepower NGFW to evolve with a focus on enabling enterprises to stop, prioritize, understand, and automate
responses to modern threats in real-time. Firepower NGFW is unique in its threat-focus, with a foundation of comprehensive
network visibility, best-of-breed threat intelligence and highly-effective threat prevention to address both known and unknown
threats. Firepower NGFW also enables retrospective security, through Advanced Malware Protection, that can “go back in time” to
quickly find and remediate sophisticated attacks that may have slipped through defenses. This has led to a significant reduction in
time-to-detection (TTD) for Cisco customers compared to industry averages.

In this lab you will build a multi-site Next Generation Firewall (NGFW) solution between a corporate site and two branch sites.
Using the Firepower Management Console (FMC) you will build High Availability NGFWs at the corporate site and manage a
branch. In this lab you will also configure an NGFW using the FDM (Firepower Device Manager). You will also configure remote
access and site-to-site VPNs, and configure Cisco Threat Intelligence Director to accept and implement third-party updates to
your NGFW devices.


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology

Get Started

1. For best performance, connect to the workstation with Cisco Secure Client VPN [Show Me How] and the local RDP client
on your laptop [Show Me How]

Jump PC: 198.18.133.50, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.

NOTE: Check the Remote Desktop connection for Wkstbr2 and make sure you get the login prompt (password: C1sco12345).


Scenario 1. File & Malware Policy

This exercise consists of the following tasks.

• Configure the Malware & File policy settings in the FMC to allow the FTD to block files that are identified as malware and block
specified file types.

Create Malware & File Policy

1. Log in to the FMC (admin/C1sco12345)


2. Click Policies and select Malware & File

3. Copy Block Malware Policy


4. Name: Demo File Policy

5. Edit Demo File Policy


a. Configure the RIFF rule to apply to MP4 and RIFF [MP4] file types with the following:
i. Edit the line with RIFF
b. Application Protocol: Any
c. Direction of Transfer: Any
d. Action: Block Files
e. File Types: MP4
f. Reset Connection: checked


6. Click Add and Save

NOTE: You are blocking MP4 files as an example of a specific file type. The firewall will block this file type regardless of whether it
is clean, unknown, or malicious, without further inspection. For customer deployments make sure you understand their
requirements for file blocking.
7. Click Save to save the changes to the File & Malware policy
8. Click on Policies menu and select Access Control

9. Double click on Base_Policy to edit


10. Disable or delete the Block ICMP Over GRE (if it exists) rule in the Mandatory rule section
11. Disable or delete the Allow GRE Traffic (if it exists) in the Default rule section
12. Configure the Web Server Access rule to use the file policy Demo File Policy
a. Make sure each rule is also logging at the end of the connection
13. Click Apply, Save and then Deploy the Changes
14. Go to wkst2 from the dCloud menu


a. Double Click on the Firefox Icon

b. In the URL field type: http://198.18.128.202 [Kali Inside Linux Server NAT’d Address]
c. Click on the Files link
d. Right Click on Zombies.pdf and select Save Link As… Save to Desktop: This should Fail (If you right click on the
Zombies.pdf file on the desktop and look at properties you will see the file has 0 Bytes)
e. Right Click on test1.mp4 and select Save Link As… Save to Desktop: This should Fail (If you right click on the
test1.mp4 file on the desktop and look at properties you will see the file has 0 Bytes)
f. Move Zombies.pdf and test1.mp4 to the Recycle Bin
15. Return to the FMC [admin/C1sco12345]
a. Go to Analysis > Connection Events > Edit Search > Networking > Initiator IP, type 198.18.133.23 and look at the
logs; you will see the File Block. Also go to Malware Events and File Events to see the files that were blocked.


Scenario 2. IPS Policies

In this scenario we will configure and use custom IPS policies. You will make copies of the Balanced Security and Connectivity and
Security Over Connectivity policies, modify the variables used by the policies, and apply those policies to the ACP.

Create IPS Policies

1. From the FMC click Policies menu and select Intrusion

2. You will see that dCloud Balanced Intrusion and Traffic Generator SoC are defined.
3. Click Create Policy [Accept the warning if prompted]
4. Set the following values:
a Name: HQ-Balanced-Policy
b Description: Policy for standard traffic at HQ
c Inspection Mode: Prevention
d Base Policy: Balanced Security and Connectivity

5. You will now create another policy. Click Create Policy


6. Set the following values:


a Name: HQ-High-Security-Policy
b Description: Policy for traffic outside HQ
c Inspection Mode: Prevention
d Base Policy: Security Over Connectivity

7. On the policies page click the Snort 2 or Snort 3 Version

8. Look at the Number of rules that are enabled for that policy
a Snort 3 Example shown below
b Read and then Close the About Intrusion Policies Box


9. Click on [<] Intrusion Policy to go back to Intrusion Policies


10. Edit the HQ-High-Security-Policy and look at the number of rules.

11. Add an Intrusion Rule to the Policy (Snort 2). If you are using Snort 3, skip ahead to Step 12, which follows step (i).
a Click on HQ-High-Security-Policy > Snort 2 Version
b Click on Policy Layers > My Changes click Manage Rules

c Under Rule Configuration, Rule Content, Categories, scroll down until you see protocol-ftp and click it


d Click on the SID field to sort the Rules by number and select rule 336

e Under Rule State choose: Drop and Generate Events

f At the Success Window click OK


g You will now see an Orange Triangle by Policy Information click on the Triangle

h Go to the bottom of the screen and click Commit Changes

i In the Description of Changes window type: Add FTP Intrusion Rule and click OK
12. SNORT 3
a HQ-High-Security-Policy
i Snort 3 Version
b Click on Add Rule Overrides

c All Rules > Rule Categories > Protocol > FTP


d Click SID to sort by number and select SID 336
e Set Rule Action: Block


f. You will now see that 1 rule has been Overridden

Customize IPS Variable Sets

You will now create Variable Sets for these policies.

1. Click the Objects menu and select Object Management

2. On the left window pane Click on Variable Set

3. Click Add Variable Set


a Name: ExternalTraffic
b Description: Used for rules involving an internet host. Defines External as anything not internal
c Click Save
4. Click the Edit button for the EXTERNAL_NET variable
5. In the list of Available Networks select HOME_NET and click Exclude to add it to the list of Excluded Networks and Save


6. Click Home_Net
7. Select and add Corporate_LAN (198.19.10.0/24) if not specified and select Include
8. Save

9. Click Save
10. Note that the EXTERNAL_NET is now listed as a Customized Variable and its value is anything that is not HOME_NET
and HOME_NET is also a Customized Variable


11. Click Save


12. Click Add Variable Set
13. Configure the following:
a Name: InternalTraffic
b Description: Used for traffic crossing the FTD but not Internet related. Defines External as Any

14. Click Save

NOTE: The InternalTraffic set is not functionally different from the DefaultSet right now. For the current configuration DefaultSet
could be used in place of InternalTraffic.
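To make the difference between the two sets concrete, here is an added Python model (not part of the lab guide or of any Cisco tool) of how a Snort rule header such as $EXTERNAL_NET -> $HOME_NET resolves under ExternalTraffic and InternalTraffic. The InternalTraffic values are assumed to be the defaults (any), and the sample hosts are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed model of a variable set entry. Each variable has an include
# list and an exclude list, as in the FMC editor; an entry is a CIDR string,
# "any", or a reference to another variable written as $NAME.
@dataclass
class Variable:
    include: list
    exclude: list = field(default_factory=list)


def matches(name, ip, variables):
    """True if `ip` is covered by variable `name`: inside at least one
    include entry and outside every exclude entry."""
    ip = ipaddress.ip_address(ip)
    var = variables[name]

    def covered(entry):
        if entry == "any":
            return True
        if entry.startswith("$"):
            return matches(entry[1:], ip, variables)
        return ip in ipaddress.ip_network(entry, strict=False)

    included = any(covered(e) for e in var.include)
    excluded = any(covered(e) for e in var.exclude)
    return included and not excluded


# ExternalTraffic: HOME_NET is Corporate_LAN, EXTERNAL_NET is any minus HOME_NET
# (the HOME_NET exclusion configured in steps 4-7 above).
# InternalTraffic: assumed left at the defaults, "any" for both, which is why
# it is not functionally different from DefaultSet.
VARIABLE_SETS = {
    "ExternalTraffic": {
        "HOME_NET": Variable(include=["198.19.10.0/24"]),
        "EXTERNAL_NET": Variable(include=["any"], exclude=["$HOME_NET"]),
    },
    "InternalTraffic": {
        "HOME_NET": Variable(include=["any"]),
        "EXTERNAL_NET": Variable(include=["any"]),
    },
}


def rule_applies(variable_set, src_ip, dst_ip,
                 src_var="EXTERNAL_NET", dst_var="HOME_NET"):
    """Would a rule whose header reads `$src_var -> $dst_var` be evaluated
    against this flow under the named variable set? Ports are ignored."""
    variables = VARIABLE_SETS[variable_set]
    return (matches(src_var, src_ip, variables)
            and matches(dst_var, dst_ip, variables))


def compare_sets(src_ip, dst_ip):
    """Which variable sets would apply an $EXTERNAL_NET -> $HOME_NET rule."""
    return {name: rule_applies(name, src_ip, dst_ip) for name in VARIABLE_SETS}


if __name__ == "__main__":
    # Constructed flows: the Kali Outside host reaching the Corporate LAN,
    # versus two Corporate LAN hosts talking to each other (east-west).
    for flow in (("198.18.133.200", "198.19.10.100"),
                 ("198.19.10.50", "198.19.10.100")):
        print(flow, compare_sets(*flow))
```

The east-west flow shows the practical consequence: with ExternalTraffic attached to a rule, signatures written for $EXTERNAL_NET -> $HOME_NET never fire on internal-to-internal traffic, whereas InternalTraffic (External = any) evaluates them everywhere.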

Configure ACP to Use IPS Policies

You have configured some IPS policies and Variable Sets but have not yet attached these configurations to ACP rules.

1. Click the Policies menu and select Access Control


2. Click on edit [Pencil] icon for the Base_Policy
3. Select More and then Advanced Settings
4. Click the Edit button for Network Analysis and Intrusion Policies
5. Configure the following:
a Intrusion Policy used before Access Control rule is determined: HQ-High-Security-Policy
b Intrusion Policy Variable Set: ExternalTraffic


6. Click OK
7. Click Access Control
8. Edit the Web Server Access Rule
9. Change the following:
a Intrusion Policy: HQ-High-Security-Policy
b Variable Set: ExternalTraffic

10. Click Apply


11. Locate the Allow Outbound InZone(s) to OutZone
12. Go to Inspection and Configure the following:
a Intrusion Policy: HQ-Balanced-Policy
b Variable Set: ExternalTraffic
13. Click Apply
14. Save the ACP and Deploy

Test IPS Policies

You will now test the IPS policies using Metasploit and review the events.

1. From the Quick Launch Menu Click on the Kali Outside Linux Server
2. Type: msfconsole

3. Once the console loads type the following: use auxiliary/scanner/http/dir_webdav_unicode_bypass


4. Type the following command


a. set RHOSTS 198.18.128.202
5. Type set THREADS 20

6. Type run

7. Close the PuTTY window and go back to the FMC


8. Click on Analysis > Connections > Events
9. Click on Edit Search to specify search criteria for connection events
a. Action: Block

10. Scroll down to the Networking section


a. Initiator IP field type 198.18.133.200

11. Click on Search at the top right screen


12. Notice the Action, Reason, Zones, and Device


13. Go to Analysis > Intrusions > Events

14. Edit Search Networking > Source IP: 198.18.133.200


15. Click on the arrow next to Impact and then Click Table View of Events


Scenario 3. FTD High Availability Configuration


This exercise consists of the following tasks.

• Configure and Deploy Backup NGFW

• Create High Availability Pair of Firewalls

• Configure Active/Standby with Virtual Mac Address

• Test the configuration

The objective of this exercise is to understand and configure High Availability for NGFW. You will configure the second firewall and
then add it to the High Availability group.

Steps

Run the REST API script to configure NGFW3

1. Go to the Quick Launch Menu and open a session to NGFW-3 [Console Access]

a. Type: show managers

b. Output should read Managed Locally

c. If it says Managed Locally, type: configure manager delete and select yes

d. Type the following: configure manager add fmc.dcloud.local C1sco12345

i. When the command prompt returns, type: show managers and make sure fmc.dcloud.local shows “status pending”

NOTE: The following information is communicated over the failover link:

• The unit state (active or standby)
• Hello messages (keep-alives)
• Network link status
• MAC address exchange
• Configuration replication and synchronization

Creating or breaking a Firepower Threat Defense high availability pair immediately restarts the Snort process on the primary and
secondary devices, temporarily interrupting traffic inspection on both devices. Whether traffic drops during this interruption or
passes without further inspection depends on the model of the managed device and how it handles traffic. See Snort® Restart
Traffic Behavior for more information. The system warns you that continuing to create a high availability pair restarts the Snort
process on the primary and secondary devices and allows you to cancel.

2. On the Kali Inside Linux Server:
a. Type sudo runapiscript [if needed, password: C1sco12345] and wait for the prompt
b. When asked Which Firewall do you want to register? type the number 3
c. When asked Enter name of new Access Control Policy to be create: type HA for the name


d. Go back to Firefox, check the registration status of NGFW3 on the FMC and allow the device to register

3. Go to Devices > Device Management > NGFW3 and enable the interfaces GigabitEthernet0/0-0/4; remove the Names and Security
Zones

4. Click Save
5. Go to NGFW1 and remove the name and Security Zone from GigabitEthernet0/3
6. Make sure GigabitEthernet0/4 is Enabled
7. Save and Deploy to NGFW1 and NGFW3 accept warnings
8. Upgrade NGFW3 to match the NGFW1 software version (7.4.1); you can try Unattended Mode.

Configure High Availability Pair

1. Go to Devices > Device Management> Add > Add High Availability


NOTE: The NGFW3 Management Interface (198.19.10.83) was preconfigured during initial setup. Interfaces G0/0 and G0/1 were
configured by the script. They do not have security zones listed on the interface, but they will inherit the security zones and the
interface IP addresses from NGFW1 when the HA process is run.

a Name: HA_Test
b Device Type: Firepower Threat Defense
c Primary Peer: NGFW1
d Secondary Peer: NGFW3
e Then Continue


NOTE: If you have done configuration tasks on either of the HA Peers and have not deployed then you will get the following
message:


Interface: GigabitEthernet0/3

1. State Link Interface: Same as LAN Failover Link


2. Logical Name: Failover_Link
3. Primary IP: 198.19.254.1
4. Secondary IP: 198.19.254.2
5. Subnet Mask: 255.255.255.0
6. Click Add
High Availability Pair Added

NOTE: If interfaces do not show up, go back to Devices > Device Management, click on the Pencil icon for each firewall and click
on the Interfaces to make sure they are enabled and that the interfaces do not have names.

NOTE: The configuration of the HA will take some time; you will see status updates from time to time if you watch the Tasks next to
the deployment button.

1. When complete you will see the following:


2. Go to Devices > Device Management Click on the pencil icon next to the HA Policy

NOTE: MAC Addresses and IP Addresses in Failover.


When you configure your interfaces, you can specify an active IP address and a standby IP address on the same network.
Although recommended, the standby address is not required. Without a standby IP address, the active unit cannot perform network
tests to check the standby interface health; it can only track the link state. You also cannot connect to the standby unit on that
interface for management purposes.


When the primary unit or failover group fails over, the secondary unit assumes the IP addresses and MAC addresses of the primary
unit and begins passing traffic.

The unit that is now in standby state takes over the standby IP addresses and MAC addresses.

Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the
network.

If the secondary unit boots without detecting the primary unit, the secondary unit becomes the active unit and uses its own MAC
addresses, because it does not know the primary unit MAC addresses. However, when the primary unit becomes available, the
secondary (active) unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network
traffic. Similarly, if you swap out the primary unit with new hardware, a new MAC address is used.

Virtual MAC addresses guard against this disruption because the active MAC addresses are known to the secondary unit at
startup, and remain the same in the case of new primary unit hardware. In multi-instance capability the FXOS chassis
autogenerates only primary MAC addresses. You can overwrite the generated MAC address with a virtual MAC address that sets
both the primary and secondary MAC addresses; setting the secondary MAC address ensures that to-the-box management traffic
is not interrupted in the case of new secondary unit hardware.

If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow.
The FTD does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not
learn of the MAC address change for these addresses.

The IP address and MAC address for the state link do not change at failover; the only exception is if the state link is configured on a
regular data interface.

3. Select the “+” icon next to the Interface MAC Address

Physical Interface: GigabitEthernet0/1; Active Interface MAC Address: student choice (the IP address of the interface was used in
the example); Standby Interface MAC Address: student choice of input [example below]. Click OK

NOTE: The above step is an example of how to configure an Interface MAC Address


4. Configure Monitored Interfaces: go to the pencil icon next to Monitored Interfaces

5. Select In10 and enter the Standby IP Address: 198.19.10.31. Repeat for the outside interface with 198.18.133.132


6. Click OK, Save and then Deploy. Select HA_Test and then Deploy; ignore the warnings.

Looking at the configuration of NGFW3

1. Let’s look at some of the configuration parameters that NGFW3 received during the HA setup

2. Go to the Quick Launch, open a session and select NGFW-3

a Type: show running-config interface

b Type: show running-config failover
c Use the output to answer the Capture the Flag questions.
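The following added Python helper (not part of the lab guide or of FTD) parses a constructed `show running-config failover` sample written in the form FTD prints it, checks it against the values configured in this scenario, and lists data interfaces that have no virtual MAC address (the ARP caveat from the note above). The virtual MAC values and the data-interface list are made up.

```python
import re

# Constructed sample of `show running-config failover` output on NGFW3 (the
# secondary peer). The link name, interface and IP addresses are the values
# configured in this scenario; the MAC addresses are made-up values.
SAMPLE_FAILOVER_CONFIG = """\
failover
failover lan unit secondary
failover lan interface Failover_Link GigabitEthernet0/3
failover link Failover_Link GigabitEthernet0/3
failover interface ip Failover_Link 198.19.254.1 255.255.255.0 standby 198.19.254.2
failover mac address GigabitEthernet0/1 0000.0c9f.0001 0000.0c9f.0002
"""

# What the HA wizard in this scenario should have produced on NGFW3.
EXPECTED = {
    "unit": "secondary",
    "lan_interface": "GigabitEthernet0/3",
    "state_interface": "GigabitEthernet0/3",   # "Same as LAN Failover Link"
    "logical_name": "Failover_Link",
    "primary_ip": "198.19.254.1",
    "secondary_ip": "198.19.254.2",
    "mask": "255.255.255.0",
}

PATTERNS = {
    "unit": r"failover lan unit (\S+)",
    "lan": r"failover lan interface (\S+) (\S+)",
    "link": r"failover link (\S+) (\S+)",
    "ip": r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)",
    "mac": r"failover mac address (\S+) (\S+) (\S+)",
}


def parse_failover(config):
    """Parse the failover lines into a flat dict; lines not matching any
    pattern are ignored."""
    cfg = {"enabled": False, "virtual_macs": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "failover":
            cfg["enabled"] = True
        elif m := re.fullmatch(PATTERNS["unit"], line):
            cfg["unit"] = m.group(1)
        elif m := re.fullmatch(PATTERNS["lan"], line):
            cfg["logical_name"], cfg["lan_interface"] = m.group(1), m.group(2)
        elif m := re.fullmatch(PATTERNS["link"], line):
            cfg["state_interface"] = m.group(2)
        elif m := re.fullmatch(PATTERNS["ip"], line):
            cfg["primary_ip"] = m.group(2)
            cfg["mask"] = m.group(3)
            cfg["secondary_ip"] = m.group(4)
        elif m := re.fullmatch(PATTERNS["mac"], line):
            # active MAC, standby MAC for that physical interface
            cfg["virtual_macs"][m.group(1)] = (m.group(2), m.group(3))
    return cfg


def check_against_lab(cfg, expected=EXPECTED):
    """Return human-readable mismatches; an empty list means the unit matches."""
    problems = []
    if not cfg["enabled"]:
        problems.append("failover is not enabled")
    for key, want in expected.items():
        got = cfg.get(key)
        if got != want:
            problems.append(f"{key}: expected {want}, got {got}")
    return problems


def interfaces_without_virtual_mac(cfg, data_interfaces):
    """Data interfaces whose MAC would change on failover to new hardware
    because no virtual MAC address is configured for them."""
    return [ifc for ifc in data_interfaces if ifc not in cfg["virtual_macs"]]


if __name__ == "__main__":
    cfg = parse_failover(SAMPLE_FAILOVER_CONFIG)
    print(check_against_lab(cfg) or "failover config matches the lab values")
    print("no virtual MAC:",
          interfaces_without_virtual_mac(cfg, ["GigabitEthernet0/0", "GigabitEthernet0/1"]))
```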

Testing Failover

1. Open a session to the Kali Inside Linux Server


2. Type: “ping outside” and let the script continue to run
a If the ping is unsuccessful go to the access policy “Base_Policy” and make sure the Outbound Web Server Access
rule includes ICMP


3. Go to the web interface of the FMC, Devices > Device Management, click on the Switch Peers icon and click Yes

4. Resize the Firefox window so you can also see the results of the pinging from the Inside Linux Server.

Check to see if any packets are lost


5. Switch back to NGFW1 as Primary
Note: Switch back so that NGFW1 becomes Primary Again.


Scenario 4. Cisco Secure Client RAVPN and Load Balancing

This exercise consists of the following tasks.

• Modify a group policy

• Create an IP pool

• Modify the Access control and NAT policies

• Deploy and test the configuration

The objectives of this exercise are the following:

• To configure a Cisco Secure Client VPN client to connect to the NGFW

• To test the Intrusion prevention and Malware configuration of the NGFW

Steps
1. Go to System > Licenses > Universal Licenses

a. Click on Edit Licenses

b. Select Secure Client Premier License [formerly AnyConnect Apex]

i If not assigned: Select HA_Test or NGFW1 [if the HA Lab was not done]

1 Click Add and then Apply

Create objects needed for this scenario

NOTE: Most of these objects can be created while running the RA VPN wizard. This approach may be better for administrators
that are not familiar with the components of the RA VPN configuration. However, in this scenario you will create the objects
separately. This will simplify running the RA VPN wizard later.

1. In the FMC, navigate to Objects > Object Management.


2. Click Add Network > Add Object.
a. Create an IP range object called:
i. VPNPoolIPs
ii. IP address range 198.19.10.57-198.19.10.62.
iii. This object will be used to create a NAT exemption.
iv. Click Save


3. Click Add Network > Add Object. Create a Network object called LAN_Network with IP addresses 198.19.10.0/24

4. Click Add Network > Add Object. Create a host object called DNS_Server with IP address 198.19.10.100.


NOTE: For best security, it is recommended that split-tunneling not be used. However, because there is no console access for the
endpoint on which you will run AnyConnect, split tunneling must be used in this Scenario. Since there are different ways to access
the endpoint in dCloud, you need to create a standard ACL to bypass all these potential access addresses. You will do this now.

5. Create the following Network Object:


a. Name: 10.0.0.0
b. Network: 10.0.0.0/8
c. Save
6. Add Object:
a. Name: 198.19.255.0
b. Network: 198.19.255.0/24
c. Save
7. Add Object:
a. Name: 198.18.133.50
b. Host: 198.18.133.50
c. Save
8. Select Access List > Standard from the left navigation pane. Click Add Standard Access List.
9. Create a standard access list called SplitTunnel with the ACE that allows 10.0.0.0, 198.19.255.0 and 198.18.133.50. To do
this, type these networks into the text box under the Selected Network box, and click Add.


10. Click Save to save the access list.

11. Select Address Pools > IPv4 Pools from the left navigation pane. Click Add IPv4 Pools.
a. For Name, enter VPNPool.


i. For IPv4 Address Range, enter 198.19.10.57-198.19.10.62.


ii. For Mask, enter 255.255.255.248.
iii. Click Save

NOTE: Although the objects VPNPoolIPs and VPNPool represent the same IP address range, they are different object types.
VPNPool will be referenced in the RA VPN object, whereas VPNPoolIPs will be used for configuring a NAT exemption.

12. Select VPN > Secure Client File from the left navigation panel.
13. Click Add Secure Client File
14. Click Browse and select AnyConnectProfile.xml from the RA VPN folder on the Jumpbox desktop.
15. For File Type select: AnyConnect VPN Profile.


16. Click Add AnyConnect File. Click Browse and select anyconnect-win-4.10.XXXXX-webdeploy-k9.pkg from the RA VPN folder
on the Jumpbox desktop. For File Type: Select AnyConnect Client Image.

17. Select PKI > Cert Enrollment from the left navigation pane. Click Add Cert Enrollment.
a. For Name, enter NGFW1_Outside. [If you have done the High Availability Lab you can name HA if you wish]
b. Select PKCS12 File from the Enrollment Type drop-down menu.
c. Click Browse and select Certificates > Lab Certificates > Other Certificates > ngfw-outside on the Jumpbox desktop.
d. For Passphrase, enter C1sco12345.


Configure DNS Server for NGFW1

1. Navigate to Objects > Object Management > DNS Server Group. Click on Add DNS Server Group.
a. Enter Name as DCloud-DNS
b. Default Domain will be dcloud.local
c. Timeout and retries: 2
d. Enter 198.19.10.100 as the DNS Server.
e. Click on Save.

2. Navigate to Devices > Platform Settings. Click on NGFW1_Platform_Settings; if it is not there, select New Policy > Threat
Defense Settings Policy.
a. Name will be NGFW1_Platform_Settings.
b. Add NGFW1 or [HA_Test] as the Selected Device.
c. Click on Save.


3. Navigate to DNS.
a. Verify Enable DNS name resolution by device is Enabled
b. Click Add
c. Select DCloud-DNS from the DNS Server Group dropdown.
d. Filter Domains: dcloud.local
e. click OK

f. Add InZone1 as the Interface Object.


g. Click on Save


4. If you get a message that “One DNS server group must be set as the default group”, make DCloud-DNS the default.

Edit the default group policy (DfltGrpPolicy)

NOTE: Typically, the VPN Group policy is edited (or a new group policy is added) while running the RA VPN wizard. This task has
been separated out for clarity, and to simplify running the RA VPN wizard later.

1. Navigate to Objects > Object Management > VPN > Group Policy from the left navigation pane.
2. Click the pencil icon to edit DfltGrpPolicy
3. Under General > VPN Protocols, uncheck IPsec-IKEv2.

4. Under General > DNS/Wins.


a. Select DNS_Server from the Primary DNS Server drop-down list.
b. For Default Domain, check for: dcloud.local.
5. Under General > Split Tunnel.
a. Select Exclude networks specified below from the IPv4 Split Tunneling drop-down list.
b. Select SplitTunnel from the Standard Access List drop-down list.


6. Under Secure Client > Profiles. Select AnyConnectProfile.xml from the Client Profile drop-down list.
7. Click Save to save the changes you made to DfltGrpPolicy.
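As an added illustration (not from the lab guide or any Cisco tool), this Python model evaluates which destinations the client sends into the tunnel under the Exclude networks specified below setting with the SplitTunnel ACL built earlier, and checks that the addresses used to reach the lab endpoint stay outside the tunnel. The other two split-tunnel modes and the sample hosts are assumptions.

```python
import ipaddress

# Constructed model of the SplitTunnel standard ACL from this scenario,
# one network object per ACE.
SPLIT_TUNNEL_ACL = [
    "10.0.0.0/8",        # object 10.0.0.0
    "198.19.255.0/24",   # object 198.19.255.0
    "198.18.133.50/32",  # object 198.18.133.50 (the Jump PC)
]


def is_listed(dst_ip, acl):
    """True if dst_ip falls inside any ACE of the standard ACL."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) for net in acl)


def goes_through_tunnel(dst_ip, acl=SPLIT_TUNNEL_ACL, mode="exclude"):
    """Does traffic from the VPN client to dst_ip enter the tunnel?

    mode="exclude": 'Exclude networks specified below' (this scenario):
        listed networks bypass the tunnel, everything else is tunneled.
    mode="include": assumed name for 'Tunnel networks specified below':
        only listed networks are tunneled.
    mode="all": assumed name for no split tunneling: everything is tunneled.
    """
    listed = is_listed(dst_ip, acl)
    if mode == "exclude":
        return not listed
    if mode == "include":
        return listed
    if mode == "all":
        return True
    raise ValueError(f"unknown split-tunnel mode: {mode}")


def management_paths_at_risk(management_hosts, acl=SPLIT_TUNNEL_ACL, mode="exclude"):
    """Addresses used to reach the endpoint (RDP jump host, dCloud access
    ranges) that would be pulled into the tunnel, so the session driving
    the lab would drop when the client connects."""
    return [host for host in management_hosts if goes_through_tunnel(host, acl, mode)]


if __name__ == "__main__":
    # Constructed destinations: a LAN host, the Jump PC and a 10/8 address.
    for dst in ("198.19.10.100", "198.18.133.50", "10.20.30.40"):
        print(dst, "tunneled" if goes_through_tunnel(dst) else "bypasses tunnel")
    print("at risk (exclude):", management_paths_at_risk(["198.18.133.50", "198.19.255.10"]))
    print("at risk (all):", management_paths_at_risk(["198.18.133.50"], mode="all"))
```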

NOTE: Typically, you would also be enabling AnyConnect licensing at this point; however, this has already been done. You can
observe this at System > Licenses > Smart License. You will see that the FMC is using an evaluation license, but that
export-controlled features are enabled. This is generally not possible, and therefore you cannot license SSL VPN with an
evaluation license.

Local Authentication on FMC controlled FTD

In this lab we will be using many of the pre-existing objects from the previous RAVPN lab.

Create a Local Realm on the FMC

1. Go to Integration > Other Integrations > Realms


a. Click Add Realm > Local
b. Name: LocalAuth
c. Type: Local
d. Username: localtest
e. Password: C1sco12345!


f. Save

Run the RA VPN wizard

1. Go to Devices > VPN > Remote Access and click Add.
a. Name: LocalAuth
b. VPN Protocols: check SSL only
c. Targeted Devices: HA_Test, then click Next
d. Authentication Method: AAA Only
e. Authentication Server: LOCAL
f. Local Realm: LocalAuth
g. IPv4 Address Pools: VPNPool
h. Group Policy: DfltGrpPolicy, then click Next
i. Secure Client (AnyConnect) Image: select the available image, then click Next
j. Interface group/Security Zone: OutZone
k. Device Certificates: NGFW1_Outside, then click Next
l. Review the Summary, click Finish, then Deploy. Review the validation warning and proceed with the deployment.

Modify the Access control and NAT policies

1. In FMC, navigate to Policies > Access Control > Access Control.


2. Select and edit the access control policy (Base_Policy). Click Add Rule.
a. For Name, enter AnyConnect-S4-Permit.
b. Select into Mandatory from the Insert drop-down list
c. Select OutZone and click Add to Source.
d. Select InZone1, and click Add to Destination
3. Select the Networks
a. Select VPNPoolIPs and click Add to Source.
b. Select LAN_Network and click Add to Destination.
4. Select HQ-High-Security-Policy from the Intrusion Policy drop-down list.
5. Select Demo File Policy from the File Policy drop-down list.
6. On the Logging tab, select Log at End of Connection and click Confirm.
7. Click Apply to add the rule.
8. Disable or delete the Block ICMP #1 rule, if it exists.
9. Disable or delete the Default Base_Policy Allow GRE rule, if it exists.

10. Click Save to save the changes to the access control policy changes.

Configure a NAT exemption

1. In the FMC, navigate to Devices > NAT.


2. Select and edit the existing NAT policy (Default PAT). Click Add Rule and, for Insert, choose NAT Rules Before. On the Interface Objects tab:
a. Select InZone1 and click Add to Source.
b. Select OutZone and click Add to Destination.
3. Select the Translation tab.
4. For Original Source, select LAN_Network
5. For Original Destination, select VPNPoolIPs.
6. For Translated Source, select LAN_Network
7. For Translated Destination, select VPNPoolIPs.
8. Select the Advanced tab and check Do not proxy ARP on Destination Interface.

NOTE: Checking Do not proxy ARP on Destination Interface is critical in this lab exercise. If you skip it, the firewall may answer ARP requests for the translated addresses on the destination interface, and because all pod devices are managed in band you may lose access to them.

9. Click OK to save the NAT rule


10. Click Save to save the changes to the NAT policy.

Deploy and verify the NGFW VPN configuration

1. In FMC, click the Deploy button.
2. Select HA_Test (or NGFW1) and click Deploy. Ignore the warning about NGFW3 if you are not running the HA pair.
3. Wait for the deployment to complete.
4. Open a session to the NGFW1 CLI and run some or all of the following commands:
a. show running-config tunnel-group
b. show running-config ip local pool
c. show running-config nat

NOTE: In this scenario, a compliant system is one that has a file called compliant.txt on its desktop. Wkst2 starts out as non-compliant; the posture module is already installed on it.

Test VPN Connectivity

1. From the Quick Launch menu or from the dCloud session Remote Desktop, open the connection to WKST2.
a. Click the AnyConnect icon and make sure NGFW1 is selected.
b. Click Connect.
c. When the Security Warning appears, click Connect Anyway.
d. Group: LocalAuth
e. Username: localtest
f. Password: C1sco12345!
g. Open Firefox or Chrome, browse to http://198.19.10.202 and click Files.
i. Right-click Zombies.pdf > Save link as… and save it to the Desktop. Even if the download appears to complete, right-click the file > Properties and check the size: it should be 0 bytes, because the file policy applied to the rule blocked it.
ii. Right-click ProjectX.pdf > Save link as… and save it to the Desktop. This download should succeed.

NOTE: To make sure that a cloud lookup timeout (which happens occasionally in these pods) does not break the exercise, the file Zombies.pdf was added to the FMC custom detection list.

2. On the NGFW1 CLI, type show vpn-sessiondb detail anyconnect.

VPN Load Balancing

NOTE: To perform this scenario, we have to break the HA pair and manage NGFW1 and NGFW3 separately.
1. On the FMC go to Devices > Device Management > HA_Test [if the HA lab was done].
a. Click the three dots and select Break.
b. Wait until the process completes; you will then see NGFW1 and NGFW3 as separate devices.
i. Open a connection to NGFW3 and type show managers to verify that NGFW3 is still registered to the FMC.
2. Back in the FMC, go to Devices > Device Management and click the pencil icon for NGFW3 to edit its settings. You will need to configure the interfaces and security zones. For load balancing between FTDs, the security zones must be the same on each device.
3. NGFW1
a. Interfaces
i. GigabitEthernet0/3:
1. Name: in30
2. Enabled: Checked
3. Security Zone: InZone3
4. IP Address: 198.19.30.1/24
5. Ok and Save
4. NGFW3
a. Interfaces:
i. GigabitEthernet0/0:
1. Name: NGFW3_Outside
2. Enabled: Checked
3. Security Zone: OutZone
4. IP Address: 198.18.133.83/18
ii. GigabitEthernet0/1:
1. Name: NGFW3_Inside1
2. Enabled: Checked
3. Security Zone: InZone1
4. IP Address: 198.19.10.3/24
b. Click Save
c. Click Routing > Static routing > Add Route
i. Interface: NGFW3_Outside
ii. Available Network: any-ipv4
iii. Gateway: HQ-WAN-GW [198.18.128.1]

d. Click OK and Save.
e. Go to Devices > NAT > Default PAT.
i. Click Policy Assignments, select NGFW3, click Add to Policy, then click OK and Save.
f. Click Deploy and acknowledge the validation warnings.

Verify NGFW connectivity

1. Open a session to the Kali Inside Linux server.
a. Type route -n. You will see the default route 0.0.0.0 with gateway 198.19.10.1.
b. Type sudo route add -net 0.0.0.0 gw 198.19.10.3 (password: C1sco12345).
c. Type sudo route del -net 0.0.0.0 gw 198.19.10.1 (password: C1sco12345).
d. Type route -n to verify that 198.19.10.3 is now the default gateway.
e. Type ping outside and verify connectivity.
f. Reconfigure the default route to use gateway 198.19.10.1 (or reboot the Linux server to get the default configuration back). We may need to change the gateway again for VPN load balancing.

Verify Licensing

1. FMC System > Licenses > Universal Licenses


a. Click Edit Licenses.
i. Verify that the Secure Client Premier (AnyConnect Apex) license is applied to NGFW1 and NGFW3; if not, add it and click Apply.

Verify Objects needed for this Scenario

1. Go to Objects > Object Management > Network


2. Click Filter and check the following objects:
a. VPNPoolIPs: 198.19.10.57-198.19.10.62
i. Edit this object to 198.19.10.57-198.19.10.68 so that it also covers the address range NGFW3 will hand out.
b. LAN_Network: 198.19.10.0/24
c. DNS_Server: 198.19.10.100

Verify Local Users for RA Authentication

1. In FMC, go to Integration > Other Integrations > Realms > LocalAuth and click the pencil icon.
a. Verify the local user:
i. Username: localtest
ii. Password: C1sco12345! (and Confirm Password), then click OK and Save.
2. Make sure the LocalAuth realm is Enabled.

Enroll Trustpoint on NGFW3

1. In FMC, go to Devices > Certificates and click Add.
2. Device: NGFW3
3. Cert Enrollment: NGFW1_Outside
4. Click Add and wait for the certificate enrollment to complete.

Add NGFW3 to RAVPN Configuration

1. In FMC, go to Devices > VPN > Remote Access and click the pencil icon for LocalAuth.
a. Click the pencil icon for the LocalAuth connection profile.
i. Client Address Assignment:
1. Edit the VPNPool IP address range.
2. Expand the Override arrow, click Add, select NGFW3 and click Add.
3. Click the pencil icon on the NGFW3 override.
4. Edit the IPv4 Address Range to 198.19.10.63-198.19.10.68.
5. Click Save, then Save again.
b. Go to Policy Assignments.
i. Under Available Devices select NGFW3, click Add, then click OK and Save.

Configure VPN Load Balancing Group Settings

1. Click Advanced.
2. Under Load Balancing, enter the following:
a. Group IPv4 Address: 198.18.133.84
b. Communications Interface: InZone1
c. UDP Port: keep the default, 9023
d. Enable IPsec Encryption and set Key: Cisco12345!
e. Click OK.

3. Enable NGFW1 and NGFW3

4. Click on the pencil icon for NGFW3 and change the Priority to 10 and click OK

5. Save

Modify NAT and Access Control Policy

1. FMC Devices > NAT > Default PAT click on pencil icon
a. Remove or Disable all Zones except for InZone1 and OutZone
b. Click Save
2. FMC Policies > Access Control > Base_Policy click on pencil icon
a. Remove all Zones except for InZone1 and OutZone

NOTE: We are removing the extra zones because NGFW3 has no interfaces assigned to them, and a rule that references them fails validation when you deploy to NGFW3.
3. Save and deploy to all devices.

Test VPN Load Balancing

1. Open a session to NGFW1 and to NGFW3.
2. On each, type show running-config vpn load-balancing and compare the NGFW1 and NGFW3 output.
3. From NGFW1 Type: show vpn load-balancing
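To see what show vpn load-balancing is telling you, the following is a small Python model of how a Secure Client connection to the group address is placed. It is an added example written for this guide, not lab or Cisco code. It models the rules the lab relies on: the member with the highest priority becomes the director (the lab sets NGFW3 to 10 for this reason), the director answers the group address 198.18.133.84 and redirects each new client to the least-loaded member, load being active sessions as a percentage of capacity. The tie-breaks (lowest public IP for the election, director preferred on an exact load tie), the default priority of 5 and the capacities are assumptions, and the session counts are constructed sample data.

```python
"""Model of Secure Client VPN load balancing placement (added illustration, not
lab or Cisco code).  Election by highest priority and redirect to the least-loaded
member are the documented behaviour; the tie-breaks, the default priority and the
capacities below are assumptions / constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    public_ip: str
    priority: int = 5      # assumed FMC default priority for a load-balancing member
    capacity: int = 100    # licensed Secure Client sessions (constructed)
    sessions: int = 0

    @property
    def load_pct(self) -> float:
        return 100.0 * self.sessions / self.capacity


GROUP_VIP = "198.18.133.84"  # the group IPv4 address configured in the lab


def elect_director(members):
    """Highest priority wins; the lowest public IP breaks a tie (assumed tie-break)."""
    return max(members, key=lambda m: (m.priority, -int(ipaddress.ip_address(m.public_ip))))


def place_session(members):
    """A client connects to GROUP_VIP. Returns (director, member it is redirected to)
    and records the new session on that member."""
    director = elect_director(members)
    # Lowest load wins; on an exact tie prefer the director (False sorts before True).
    chosen = min(members, key=lambda m: (m.load_pct, m is not director))
    chosen.sessions += 1
    return director, chosen


def simulate(members, n_clients):
    """Place n_clients sessions and return the resulting session count per member."""
    for _ in range(n_clients):
        place_session(members)
    return {m.name: m.sessions for m in members}


def lab_members():
    """The two members from the lab: NGFW1 keeps the default priority, NGFW3 gets 10."""
    return [Member("NGFW1", "198.18.133.81", priority=5),
            Member("NGFW3", "198.18.133.83", priority=10)]


if __name__ == "__main__":
    members = lab_members()
    print("director:", elect_director(members).name)
    print("after 5 clients:", simulate(members, 5))
```

With the lab values the model elects NGFW3 as director and then alternates new sessions between the two members, which is what you should see reflected in the Role and session columns of show vpn load-balancing on each firewall.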

Connect with AnyConnect (LOCAL authentication)

1. Connect to Wkst2 by either Remote Desktop from Jumpbox or Remote Desktop from dCloud topology page:

2. From the desktop of WKST2, open AnyConnect from the Start menu or the taskbar.
3. Enter the VPN load balancing group address 198.18.133.84 and click Connect.
4. Accept the certificate warning.
a. VPN credentials: localtest / C1sco12345!
5. From the NGFW1 and NGFW3 sessions, type show vpn load-balancing to see which firewall is handling the session.
a. Your results may differ from the screenshots below.

NGFW1

NGFW3

6. You can use the FMC Health Monitor dashboard to view VPN sessions per firewall.
7. Go to System > Health > Monitor > NGFW(x).
8. Click the plus sign to add a custom dashboard to monitor LocalAuth sessions.

9. Configure it as follows:
a. Dashboard Name: LocalAuth
b. Metrics: VPN
i. Active RA-VPN tunnels
ii. Inactive RA-VPN tunnels
iii. Peak Concurrent RA-VPN tunnels
c. Click Add Dashboard.

10. Graph for NGFW1 and NGFW3 will show VPN statistics [Outputs might differ from screenshot shown]

Testing with Traffic

1. If the VPN session landed on NGFW3, add a host route on the Inside Linux server, because its default gateway is the NGFW1 inside interface:
a. sudo route add -host <VPN Pool IP> gw 198.19.10.3
2. From Wkst2, run ping 198.19.10.100 -t in two separate Command Prompts.
3. Run ping 198.19.10.200 -t in another Command Prompt.
4. Open a session to 198.19.10.200 (root / C1sco12345).

Wkst2

5. Use the existing sessions to NGFW1 and NGFW3.
6. Type show conn address 198.19.10.xx (xx is the pool IP allocated to the VPN client; you can find it by clicking the gear icon in the AnyConnect client).

Scenario 5. Site-to-Site VPN


This exercise consists of the following tasks.

• Create objects needed for this lab exercise

• Configure site-to-site VPN

• Create NAT exemption

• Modify the access control policy and deploy changes

• Deploy the changes and test the configuration

The objective of this exercise is to configure a site-to-site VPN tunnel between two FMC Controlled NGFWs

Steps

Create objects needed for this lab exercise

Note: If you did the Remote Deployment lab on NGFWBr1, disable remote management and redeploy.

1. Navigate to Objects > Object Management. The Network object page will be selected.
a. Select Add Network > Add Object.

b. For Name, enter MainOfficeNetwork.

c. Select the Network radio button

d. Enter 198.19.10.0/24.

e. Click Save.

2. Click Add Network > Add Object.


a. For Name, enter Branch1OfficeNetwork.

b. Click the Network radio button

c. Enter 198.19.11.0/24.

d. Click Save.

Configure site-to-site VPN

1. Navigate to Devices > VPN > Site to Site. Click + Site to Site VPN

NOTE: The other VPN choice, Firepower Device, is for configuring secure tunnels between Firepower devices.

2. For Topology Name: S2S_Branch1.

a. Confirm that for Network Topology, Point to Point is selected. Confirm that for IKE Version, IKEv1 is not checked, and
IKEv2 is checked.

3. Click the plus (+) to the right of Node A. Fill out as in the figure below, and then click OK.

Note: You can leave the Enable NAT Traversal and Exempt VPN traffic from network address translation or do the optional
steps later in the scenario.

4. Click the plus (+) icon to the right of Node B. Fill out the fields in the figure below, then click OK.

Note: You can leave the Enable NAT Traversal and Exempt VPN traffic from network address translation or do the optional
steps later in the scenario.
5. Select the IKE tab.

6. Under IKEv2 Settings, for Policy, verify AES-GCM-NULL-SHA-LATEST

7. Under IKEv2 Settings, for Authentication Type, select Pre-shared Automatic Key.

NOTE: The Automatic setting can only be used if the FMC is managing both endpoints. In this case, the FMC can generate a
random shared key.

8. Select the IPsec tab, verify the IKEv2 IPsec Proposal is AES-GCM.

9. Click OK and Save.

© 2024 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 52 of 129

Cisco Confidential
Cisco dCloud

Create NAT exemption at HQ [OPTIONAL]

NOTE: NAT exemption keeps the VPN traffic from being translated. It is an identity NAT rule: the original and translated addresses are the same, so packets between the two sites pass through the NAT process unchanged. NAT rules are evaluated in order and the first match wins, so the exemption must precede the Default PAT rule; that is why you put it in the NAT Rules Before section.

1. Navigate to Devices > NAT.

2. Click the pencil icon to edit the Default PAT policy.

3. Click Add Rule.

a. Leave In Category and NAT Rules Before selected in the Insert drop-down list.

b. You will be on the Interface Objects tab.

c. Select InZone1 and click Add to Source.

d. Select OutZone and click Add to Destination.

4. Select the Translation tab.

a. Select MainOfficeNetwork from the Original Source drop-down list.

b. Select MainOfficeNetwork from the Translated Source drop-down list.

c. Select Branch1OfficeNetwork from the Original Destination drop-down list.

d. Select Branch1OfficeNetwork from the Translated Destination drop-down list.

5. Go To Advanced and Check Do not proxy ARP on Destination Interface click OK.

6. Click Save.

Create NAT exemption for Branch1 [OPTIONAL]

1. Go to Devices > NAT > Branch1_NAT and click the pencil icon to edit the NAT policy.

2. Click Add Rule.

a. Interface Objects

i. Click Branch1_InZone and Add to Source.

ii. Click Branch1_OutZone and Add to Destination.

b. Translation

i. Original Packet
1. Original Source: Branch1OfficeNetwork
2. Original Destination: MainOfficeNetwork
ii. Translated Packet
1. Translated Source: Branch1OfficeNetwork
2. Translated Destination: MainOfficeNetwork

c. Advanced
i. Check Do not proxy ARP on Destination Interface.

2. Click OK to save the NAT rule.

3. Click Save to save the NAT policy.
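The following Python model shows why every exemption in this guide (the RA VPN exemption in Scenario 4 and the two site-to-site exemptions above) has to live in NAT Rules Before, and why an identity rule also covers the reply direction. It is an added example written for this guide, not lab or Cisco code. Sections, first-match evaluation, the bidirectional match of a static manual NAT rule and the one-way match of dynamic PAT follow FTD behaviour; the network objects are the lab's, while the placement of the Default PAT rule in the "after" section, the packets and the PAT address are constructed for the example. Proxy ARP is not modelled.

```python
"""Model of FTD NAT rule ordering for a VPN NAT exemption (added illustration, not
lab or Cisco code).  Objects come from the lab; the PAT rule placement, the packets
and the PAT address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SECTION_ORDER = {"before": 0, "auto": 1, "after": 2}   # evaluation order on FTD


def _in_object(obj: str, ip: str) -> bool:
    """obj is 'any', a CIDR ('198.19.10.0/24') or a range ('198.19.10.57-198.19.10.68')."""
    if obj == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in obj:
        lo, hi = (ipaddress.ip_address(x) for x in obj.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(obj)


@dataclass(frozen=True)
class NatRule:
    name: str
    section: str                  # "before" / "auto" / "after"
    src_if: str
    dst_if: str
    orig_src: str
    orig_dst: str = "any"
    pat_to: Optional[str] = None  # None = identity NAT (exemption); else dynamic PAT address


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str


def matches(rule: NatRule, pkt: Packet) -> bool:
    forward = (pkt.in_if == rule.src_if and pkt.out_if == rule.dst_if
               and _in_object(rule.orig_src, pkt.src) and _in_object(rule.orig_dst, pkt.dst))
    if rule.pat_to is not None:
        return forward            # dynamic PAT can only be initiated from the real side
    # Identity (static) manual NAT is bidirectional: the reply direction matches with
    # source and destination swapped, which is what lets the remote site reach us.
    reverse = (pkt.in_if == rule.dst_if and pkt.out_if == rule.src_if
               and _in_object(rule.orig_dst, pkt.src) and _in_object(rule.orig_src, pkt.dst))
    return forward or reverse


def translate(rules, pkt: Packet) -> Tuple[Optional[str], str, str]:
    """First match wins, evaluated section by section (sorted() is stable, so the order
    inside a section is preserved).  Returns (matched rule name, new src, new dst)."""
    for rule in sorted(rules, key=lambda r: SECTION_ORDER[r.section]):
        if matches(rule, pkt):
            if rule.pat_to is None:
                return rule.name, pkt.src, pkt.dst      # identity: nothing changes
            return rule.name, rule.pat_to, pkt.dst      # dynamic PAT: source rewritten
    return None, pkt.src, pkt.dst


# Lab objects; the PAT rule is assumed to be a manual rule in the "after" section.
LAN, BRANCH = "198.19.10.0/24", "198.19.11.0/24"
POOL, OUTSIDE_IP = "198.19.10.57-198.19.10.68", "198.18.133.81"
PAT_RULE = NatRule("Default PAT", "after", "InZone1", "OutZone", "any", "any", pat_to=OUTSIDE_IP)
EXEMPTIONS = [
    NatRule("RAVPN_exempt", "before", "InZone1", "OutZone", LAN, POOL),
    NatRule("S2S_exempt", "before", "InZone1", "OutZone", LAN, BRANCH),
]
RULES_WITH_EXEMPTION = EXEMPTIONS + [PAT_RULE]
RULES_WITHOUT_EXEMPTION = [PAT_RULE]

# Constructed packets (hosts on the lab subnets; 198.18.128.1 stands in for an internet target).
TO_BRANCH = Packet("InZone1", "OutZone", "198.19.10.200", "198.19.11.50")
FROM_BRANCH = Packet("OutZone", "InZone1", "198.19.11.50", "198.19.10.200")
TO_VPN_CLIENT = Packet("InZone1", "OutZone", "198.19.10.200", "198.19.10.60")
TO_INTERNET = Packet("InZone1", "OutZone", "198.19.10.200", "198.18.128.1")

if __name__ == "__main__":
    for label, rules in (("without exemption", RULES_WITHOUT_EXEMPTION),
                         ("with exemption", RULES_WITH_EXEMPTION)):
        for pkt in (TO_BRANCH, FROM_BRANCH, TO_VPN_CLIENT, TO_INTERNET):
            print(f"{label:18} {pkt.src} -> {pkt.dst}: {translate(rules, pkt)}")
```

Without the exemption, traffic for the branch is PATed to the outside address and no longer matches what the tunnel expects; with it, only the VPN-bound flows are left alone and internet-bound traffic from the same hosts still hits Default PAT.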

Modify the access control policy and deploy changes

You will now create a rule to allow traffic between the Branch office and Main office.

1. Navigate to Policies > Access Control > Access Control. Edit the Base_Policy Access Control Policy.

2. Click Add Rule.

a. Call the rule S2S_Branch1_VPN_Access.

3. Select into Default from the Insert drop-down list. This will become the last rule in the access control policy.

4. Keep the action at Allow.

5. Select OutZone and click Add to Source.

6. Select InZone1 and click Add to Destination.

7. Select the Networks tab, select Branch1OfficeNetwork, and click Add to Source.

8. Select the Networks tab, select MainOfficeNetwork, and click Add to Destination.

9. Select HQ-Balanced-Policy from the Intrusion Policy drop-down list.

10. Select Block Malware from the File Policy drop-down list.

11. Click Apply to add this rule to the access control policy.

12. Verify that the Allow Outbound rule has ICMP in Destination Ports.

13. Click Save to save the access control policy.

14. Modify or verify the Branch1 access control policy so that it allows the inbound connections.

15. Examine the Branch1_NAT policy to confirm that the VPN NAT exemption is the first rule.

Deploy the changes and test the configuration

1. Deploy the changes on the FMC and wait for the deployment to complete.

2. Open a connection to NGFW1 and to NGFWBr1.

3. From the NGFW1 CLI, type show crypto ipsec sa peer 198.18.128.81.

4. From the NGFWBr1 CLI, type show crypto ipsec sa peer 198.18.133.81.

5. Open a session to the Kali Inside Linux server.

6. From the Inside Linux server CLI, type ping branch. Wait a few seconds; the ping should succeed once the tunnel is up.

7. From the Quick Launch menu, open a session to the Branch Office Linux server.

8. Type curl inside. This should succeed.

Scenario 6. Route Based VTI Site-to-Site VPN

This scenario shows the use of Virtual Tunnel Interface (VTI) support, added to the Cisco Secure Firewall in 6.7.

Policy-based vs. route-based VPN: both are available on FTD. A route-based (VTI) VPN is more flexible than a policy-based VPN because the tunnel is a routable interface and traffic is selected by the routing table (static routes or a dynamic routing protocol) rather than by a crypto ACL, but some applications still require a policy-based VPN.

Clean up from the prior VPN lab if the NAT exemptions were done manually

Note: If you did the Remote Deployment lab on NGFWBr1, disable remote management and redeploy.
1. FMC Devices > NAT > Default PAT
a. Disable the NAT rule InZone1 to OutZone, MainOfficeNetwork to Branch1OfficeNetwork.
b. Click Save.
2. FMC Devices > NAT > Branch1_NAT
a. Disable the NAT rule branch1_InZone to branch1_OutZone, Branch1OfficeNetwork to MainOfficeNetwork.
b. Click Save.

Create Security zone for VTI interfaces

1. On the FMC go to Objects > Object Management


2. Select Interface from the left navigation pane
3. Click Add > Security Zones
a. Name: VTIZone
b. Select: Routed
c. Save

Modify the Access Control Policies on NGFW1 and NGFWBr1

1. Go to Policies > Access Control


2. Edit the Base_Policy

a. Create or edit the rule Allow East-West and place in Default


b. Under Zones make sure that All InZones (1-4) and VTIZone are added to the Source and Destination Zones

c. Click Apply and Save


3. Go to Policies > Access Control.
4. Edit the Branch1 access control policy.
a. Create or edit the rule Allow East-West.
b. Under Zones, make sure that branch1_InZone and VTIZone are added to both the Source and Destination Zones.
c. Click Apply, then Save the policy.

Compare Policy-Based and Route-Based VPN configuration

1. On the FMC go to Devices > VPN > Site to Site and delete S2S_Branch1.
2. Click + Site to Site VPN.
3. Confirm that Point to Point is selected.
a. Click Endpoints and toggle between Policy Based and Route Based; notice the differences.
b. Repeat for IKE, IPsec and Advanced.
4. From the site-to-site VPN wizard:
a. Topology Name: VTIDemo
b. Route Based (VTI): select
c. Network Topology: Point to Point
d. Endpoints:
i. Node A: NGFW1 (or HA_Test)
ii. Virtual Tunnel Interface: click [+]
1. Name: vti1
2. Security Zone: VTIZone
3. Tunnel ID: 1
4. Tunnel Source: GigabitEthernet0/0 (Outside) 198.18.133.81
5. IPsec Tunnel Mode: IPv4 Address 10.0.1.1/30

6. Click OK
iii. Node B: NGFWBr1
iv. Virtual Tunnel Interface: click [+]
1. Name: vti2
2. Security Zone: VTIZone
3. Tunnel ID: 1
4. Tunnel Source: GigabitEthernet0/0 (branch1_Outside) 198.18.128.81
5. IPsec Tunnel Mode: IPv4 Address 10.0.1.2/30
6. Click OK.
7. Click OK to close the Node B dialog.

5. Click Save, then Deploy > Select All. Read and accept the validation warnings.

Configure BGP

1. FMC Devices > Device Management


2. Edit NGFW1 and select Routing
a. Under General Settings select BGP
i. Click Enable BGP if not already enabled.
ii. AS Number: 65000
b. Under BGP select IPV4
i. Click Enable IPv4
ii. Select Neighbor and delete existing neighbor.
1. Click Add
a. IP Address: 10.0.1.2
b. Remote AS: 65001
c. Enabled address: Enabled
d. Click OK
iii. Select Redistribution
1. Click Add
a. Source Protocol: Connected
b. Metric: 0 [Needed as a placeholder]
c. Click OK
3. Click Save at the top of the page.
4. Edit NGFWBr1
a. Select Routing and BGP and Enable BGP AS Number 65001
b. Select IPv4 under BGP
i. Click Enable IPv4
ii. Click Neighbor
1. Address: 10.0.1.1 Remote AS 65000, Enabled address: Enabled
iii. Click Redistribution
1. Redistribute Connected Metric 0
5. Click Save at the top of the Page.
6. Deploy the Changes [if you get an error on NGFW1 about AS 1 not being fully removed, go back to Routing > BGP and
retype the AS number (65000) save and redeploy].
7. Wait for the Deployment to complete and then an additional 30 seconds or so for the tunnel and BGP adjacency to complete.
8. Open a session to NGFWBr1.
9. Type show crypto ipsec sa.
a. Verify that the tunnel is up; if it is not, troubleshoot your VPN configuration before going further.
b. Type show running-config router.
c. Type show bgp summary.

10. If State/PfxRcd shows Idle or Active, troubleshoot the BGP session (neighbor addresses, AS numbers and reachability across the VTI).
a. If State/PfxRcd shows 0, the session is established but no prefixes are being received: troubleshoot your BGP redistribution.
b. Type show route bgp; you should see multiple routes.
c. Open a session to the Kali Inside Linux server.
d. Type Ping Branch should succeed
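The State/PfxRcd check above is easy to script. The following Python parser, an added example written for this guide and not lab or Cisco code, reads the neighbor table of show bgp summary and returns the same diagnosis the steps describe: a number means Established with that many prefixes, 0 points at redistribution, and a state name such as Idle or Active points at the session itself. The sample outputs are constructed to resemble the ASA/FTD table layout and are not real captures; the neighbor and AS values are the lab's.

```python
"""Parser for the neighbor table of 'show bgp summary' (added illustration, not lab
or Cisco code).  Samples below are constructed, not real device output."""
import re
from dataclasses import dataclass
from typing import List

NEIGHBOR_RE = re.compile(
    r"^(?P<neighbor>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<remote_as>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+"
    r"(?P<updown>\S+)\s+(?P<state>\S+)\s*$"
)

# Pre-Established FSM states; any of these in State/PfxRcd means the session is not up.
SESSION_STATES = {"Idle", "Connect", "Active", "OpenSent", "OpenConfirm"}


@dataclass
class NeighborStatus:
    neighbor: str
    remote_as: int
    established: bool
    prefixes: int
    advice: str


def classify(neighbor: str, remote_as: int, state_pfx: str) -> NeighborStatus:
    """Turn the State/PfxRcd column into an established flag, a prefix count and advice."""
    if state_pfx.isdigit():
        n = int(state_pfx)
        if n == 0:
            return NeighborStatus(neighbor, remote_as, True, 0,
                                  "established but no prefixes received: check redistribution "
                                  "(Redistribute Connected) on the peer and 'show route bgp'")
        return NeighborStatus(neighbor, remote_as, True, n, f"healthy, {n} prefixes received")
    state = state_pfx.split("(")[0]   # e.g. 'Idle(Admin)' when the neighbor is shut down
    if state in SESSION_STATES:
        return NeighborStatus(neighbor, remote_as, False, 0,
                              f"session in {state_pfx}: verify the tunnel ('show crypto ipsec sa'), "
                              "the neighbor address on the VTI (10.0.1.x) and the local/remote AS numbers")
    return NeighborStatus(neighbor, remote_as, False, 0, f"unrecognised state '{state_pfx}'")


def parse_bgp_summary(text: str) -> List[NeighborStatus]:
    """One NeighborStatus per neighbor line; banner and header lines are ignored."""
    result = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            result.append(classify(m["neighbor"], int(m["remote_as"]), m["state"]))
    return result


# Constructed samples in the layout of 'show bgp summary' as seen from NGFWBr1 (AS 65001).
SAMPLE_HEALTHY = """\
BGP router identifier 198.18.128.81, local AS number 65001
BGP table version is 5, main routing table version 5

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.1.1        4        65000      12      11        5    0    0 00:03:42        3
"""
SAMPLE_NO_PREFIXES = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.1.1        4        65000       6       6        1    0    0 00:01:10        0
"""
SAMPLE_DOWN = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.1.1        4        65000       0       0        1    0    0 never    Active
"""

if __name__ == "__main__":
    for sample in (SAMPLE_HEALTHY, SAMPLE_NO_PREFIXES, SAMPLE_DOWN):
        for n in parse_bgp_summary(sample):
            print(f"{n.neighbor} (AS {n.remote_as}): {n.advice}")
```

Paste the real output into parse_bgp_summary to get the same three-way verdict the lab asks you to make by eye; a session that stays in Active usually means the VTI peer address is unreachable or the AS numbers do not match, while 0 with an up session means the neighbor is not redistributing.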

Scenario 7. Cisco Secure Firewall- Direct Internet Access

Direct Internet Access (DIA) with Policy-Based Routing

DIA was introduced in FTD 7.1. It uses policy-based routing, configured from the FMC, to classify traffic by application and send selected applications straight to the internet from a branch deployment instead of backhauling them to headquarters.

Steps

1. Verify the NGFWBr1 Interface addresses and Security Zones


a. GigabitEthernet 0/0:
i. Logical Name: branch1_Outside
ii. Security Zone: branch1_Outzone
iii. IP Address: 198.18.128.81/18
b. GigabitEthernet 0/1:
i. Logical Name: branch1_Inside
ii. Security Zone: branch1_InZone
iii. IP Address: 198.19.11.4/24
c. GigabitEthernet 0/2
i. Logical Name: Outside_int2
ii. Security Zone: branch1_Outzone
iii. IP Address: 198.19.20.4/24
iv. Leave Disabled
d. GigabitEthernet 0/3:
i. Logical Name: outside2
ii. Security Zone: branch1_Outzone
iii. IP Address: 198.19.40.4/24
e. GigabitEthernet 0/4:
i. Logical Name: outside3
ii. Security Zone: branch1_Outzone
iii. IP Address: 198.19.30.4/24

2. Deploy to update the interfaces.

3. Go to NGFWBr1 > Routing and verify the following static routes; create any that do not exist.

4. Go to ECMP (Equal Cost Multipath Routing) click Add.


a. Name: ECMP-WAN
i. Add branch1_Outside and outside2.
ii. Click OK

iii. Click Save


5. Go to Objects > Object Management > Network.
a. Verify that the DNS_Server object exists.
i. If not, create it with the DNS server address 198.19.10.100.
6. Go to Objects > Object Management > Access List > Extended and click Add Extended Access List.
a. Name: DIA_video
b. Click Add.
i. Source/Destination Network: any
ii. Available Applications: select YouTube, click Add to Rule, then Add and Save.
c. Add another extended access list, Name: DIA_Social_Media.
i. Source/Destination Network: any
ii. Available Applications: Facebook

Configure Policy Based Routing

1. FMC > Devices > Device Management


a. Select NGFWBr1
i. Routing > Policy Based Routing
1. Verify or configure the Interface Priority.
2. Click Save.
b. Click Add.
i. Ingress Interface: branch1_Inside
ii. Click Add.
1. Match ACL: DIA_video
2. Send To: Egress Interfaces
3. Interface Ordering: Interface Priority
4. Add branch1_Outside, outside2 and outside3.
iii. Repeat for DIA_Social_Media:
1. Interface Ordering: Order
2. Add outside3 and outside2.
3. Click Save, then Save again.

Configure Trusted DNS Server

Application detection in DIA relies on DNS snooping: the firewall learns which IP addresses belong to an application by watching the DNS responses for that application's domains. To keep a rogue DNS server from feeding it bogus mappings, the Cisco Secure Firewall Management Center lets you configure trusted DNS servers, and the firewall only snoops DNS traffic to those servers.

Configure Trusted DNS Servers

NOTE: We have already configured NGFW1_Platform settings. We will add Trusted DNS servers to the settings and then
associate NGFWBR1 to the Platform Settings

1. From FMC Devices > Platform Settings

2. Click the pencil icon next to NGFW1_Platform_Settings to edit it.
3. Click DNS.
4. Go to Trusted DNS Servers.
5. Click Edit to specify the trusted DNS servers.
6. Search for DNS_Server under Available Host Objects, click Add, then Save.
7. Click Policy Assignments.
a. Add NGFWBR1.
b. Click OK and Save.
8. Deploy accept the Validation Warnings
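To make the relationship between the three pieces you just configured concrete (application ACLs, PBR entries with their two ordering modes, and trusted DNS snooping), here is a Python model of the steering decision. It is an added example written for this guide, not lab or Cisco code. The ACL names, interfaces, ordering modes and the trusted server 198.19.10.100 are the lab's; everything else is an assumption: interface priority follows the FMC convention that a lower value wins and the values here are constructed so that video leaves on outside2 as observed in the lab, an interface that is down is skipped, the application-to-domain mapping is invented, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Model of DIA application steering: trusted-DNS snooping feeding policy-based routing
(added illustration, not lab or Cisco code).  Priorities, domains and addresses are
constructed; the ACL names, interfaces and ordering modes are the lab's."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class PbrEntry:
    match_acl: str
    apps: Tuple[str, ...]
    ordering: str                # "priority" or "order"
    egress: Tuple[str, ...]


@dataclass
class DiaEngine:
    trusted_dns: frozenset
    app_domains: Dict[str, Tuple[str, ...]]
    policies: Tuple[PbrEntry, ...]
    priorities: Dict[str, int]
    link_up: Dict[str, bool]
    ingress: str = "branch1_Inside"
    app_by_ip: Dict[str, str] = field(default_factory=dict)

    def snoop_dns(self, server: str, name: str, address: str) -> bool:
        """Learn app -> address from a DNS answer, but only if the resolver is trusted.
        Returns True when a mapping was learned."""
        if server not in self.trusted_dns:
            return False                     # untrusted resolver: answer is ignored
        for app, domains in self.app_domains.items():
            if any(name == d or name.endswith("." + d) for d in domains):
                self.app_by_ip[address] = app
                return True
        return False

    def egress_for(self, ingress: str, dst: str) -> str:
        """Egress interface chosen by PBR, or 'routing-table' when PBR does not apply."""
        if ingress != self.ingress:
            return "routing-table"           # PBR is bound to the ingress interface only
        app = self.app_by_ip.get(dst)
        for entry in self.policies:
            if app in entry.apps:
                candidates = list(entry.egress)
                if entry.ordering == "priority":
                    candidates.sort(key=lambda i: self.priorities[i])   # lower value wins
                for iface in candidates:     # "order" mode: list order as configured
                    if self.link_up.get(iface, True):
                        return iface
        return "routing-table"               # no ACL match (or nothing learned for dst)


def lab_engine() -> DiaEngine:
    """The branch configuration from this scenario with constructed priorities."""
    return DiaEngine(
        trusted_dns=frozenset({"198.19.10.100"}),                 # the DNS_Server object
        app_domains={"YouTube": ("youtube.com",), "Facebook": ("facebook.com",)},
        policies=(
            PbrEntry("DIA_video", ("YouTube",), "priority",
                     ("branch1_Outside", "outside2", "outside3")),
            PbrEntry("DIA_Social_Media", ("Facebook",), "order", ("outside3", "outside2")),
        ),
        priorities={"branch1_Outside": 2, "outside2": 1, "outside3": 3},   # constructed
        link_up={"branch1_Outside": True, "outside2": True, "outside3": True},
    )


if __name__ == "__main__":
    e = lab_engine()
    e.snoop_dns("198.19.10.100", "www.youtube.com", "198.51.100.10")
    e.snoop_dns("198.19.10.100", "www.facebook.com", "198.51.100.20")
    for dst in ("198.51.100.10", "198.51.100.20", "203.0.113.5"):
        print(dst, "->", e.egress_for("branch1_Inside", dst))
```

The model makes the operational point of the trusted-DNS setting visible: a client that resolves youtube.com through an untrusted resolver gets no mapping, so its traffic falls back to the routing table and never hits the DIA path, while the same name resolved through DNS_Server is steered to outside2 and, if outside2 goes down, to the next-best priority.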

Verifying DIA Access flows

Open a session to NGFWBR1.

1. Type system support diagnostic-cli.
a. Type enable; when prompted for a password, just press Enter.
b. Type debug policy-route.

NOTE: The debug is enabled here only to validate the configuration. Run debug commands with caution, especially in production environments.
2. From the Quick Launch menu, click Branch Office Linux.
3. Type nslookup www.youtube.com.

4. From the Branch Linux server, type curl youtube.com.
5. Look at the debug output in the NGFWBr1 session.
a. Notice the IP address resolved for youtube.com and the interface that was used (outside2) to send the traffic.
b. Repeat the above steps with curl facebook.com.
i. Note that outside3 is used this time.
6. On NGFWBr1 type undebug all.
a. Type exit, then exit again, to leave the diagnostic CLI.
7. On NGFWBr1 you can run the following commands from the CLISH:
a. show object network-service
b. show object network-service | include youtube
c. show object id "YouTube"
d. show object id "Facebook"
e. show running-config object-group network-service
f. show access-list
g. show running-config route-map
h. show running-config interface (to look at the interface priorities)
i. show running-config route
j. show route

Scenario 8. Monitoring and Troubleshooting


This exercise consists of the following tasks.

• Monitoring AnyConnect user activity

• Troubleshooting

You will use the FMC for Monitoring AnyConnect User activity and troubleshooting.

Steps

Monitoring AnyConnect user activity

In this section, you can monitor all active users who have logged in through AnyConnect.

1. From the Quick Launch menu:

a. Click WKST 2.

b. Login: Administrator, Password: C1sco12345

c. Start an AnyConnect session, either by clicking the icon in the bottom tray on the Windows desktop or by clicking Start and typing AnyConnect in the search bar.

d. Click Connect (it should connect to ngfw1).

i. Username: localtest

ii. Password: C1sco12345!

2. In the FMC, navigate to Overview > Dashboards > Switch dashboard > Access Controlled User Statistics

3. Select the VPN tab. Note that there are 7 widgets dedicated to VPN traffic.

4. Navigate to Analysis > Users > Active Sessions.

a. Notice that you see localtest VPN session.

NOTE: You may also see other active sessions discovered with network discovery. For example, you may see guest discovered
through an FTP session. For brevity, those sessions were left out of the figure above. If you want more details about users and
how they were discovered, navigate to Analysis > Users > Users.

5. On wkst2, disconnect VPN

6. In the FMC, navigate to Analysis > Users > User Activity. In this window you will see details of current and past user
sessions. Spend a couple minutes reviewing the information on this page.

Troubleshooting

In this section, you will modify the syslog level for VPN events on the NGFW and run some basic troubleshooting commands from the NGFW1 CLI. You will also look at Unified Events, a 7.x feature, and its live log view.

1. FMC Analysis > Unified Events

2. In the upper right corner select Go Live

3. Wait a few seconds for the log to populate

a. Select a line in the log.

b. Note the information contained in the event.

4. In the FMC, navigate to Devices > VPN > Troubleshooting. Note that no records are displayed yet.

5. In the FMC, navigate to Devices > Platform Settings.

a. Click New Policy and choose Threat Defense Settings.

b. Name the policy NGFW1_Test.

c. Select the NGFW1 device and click Add to Policy.

d. Click Save. If prompted that NGFW1 is already assigned to another platform settings policy and the assignment will be overwritten, click OK.

6. Wait for the policy to open for editing.

7. In the left navigation pane, select Syslog.

a. Under VPN Logging Settings, change the logging level to informational. This level is fine for a lab or a short troubleshooting window, but it is verbose; in a production environment it is recommended that you set this to errors or alerts.

b. Click Save.

8. Deploy the changes to NGFW1.

9. On WKST2, generate some VPN activity, for example by connecting and disconnecting a VPN session.

10. In the FMC, return to Devices > VPN > Troubleshooting. You should now see records. If you do not, try adjusting the time window on this page.

11. On the NGFW1 CLI, run some of the following commands to get a sense of the troubleshooting capabilities. They are useful when troubleshooting RA VPN and are included here primarily for reference. Debugs are CPU-intensive on a busy device, so enable only the one you need and turn it off afterwards with undebug all.

a. show vpn-sessiondb ?

b. debug crypto ca ? (useful for troubleshooting certificate issues)

c. debug crypto ipsec ?

d. debug ldap ?

e. debug aaa ?

FDM Deployment Troubleshooting

1. From the Quick Launch menu, open NGFW-2 Web.

a. Log in as admin with password C1sco12345.

2. Click Device > Routing > View Configuration.

3. Move to the Actions column.

4. Click the pencil icon on line #1 (StaticRoute_IPv4).

5. Click the drop-down arrow next to Gateway.

6. Select Create new Network Object.

a. Name: tsroute

b. Host: 198.18.133.82, then click OK.

7. For Gateway, select the newly created object tsroute.

8. For Interface, select outside.

9. Click OK.

10. Click Deploy Now.

11. Wait for the deployment to finish.

12. The deployment status shows Failed.

13. Click See Details.

14. The error references the next-hop address of the static route you just changed.

a. Return to the FDM, correct the static route (restore the original gateway), and deploy again.

Troubleshooting with Packet Tracer and Packet Capture

i. When to use packet-tracer

a. To verify whether traffic to a specific port is allowed by the LINA data path and by Snort, including:

i. Security Intelligence (IP reputation)

ii. L3/L4 IPS intrusion rules

b. Packet-tracer does not currently work with the following, because it cannot emulate an L7 packet:

i. Identity-based rules

ii. L7-related checks (Security Intelligence for DNS/URL, AppID, File Policy, L7 intrusion rules)

Security Intelligence [Reputation] files

We will take a look at some of the Security Intelligence files on NGFW1. This will require root privileges.

1. From the NGFW1 CLISH, type expert, then sudo -i (password C1sco12345). This gives you root privileges.
2. Type cd /ngfw/var/sf/iprep_download
a. Type ls -la *.blf to list the current block list files.
b. Type cat followed by the name of the file starting with 3306, pressing [Tab] to complete the name, to view the file's contents.
c. Repeat the previous command for each of the other .blf files.

Enabling Security Intelligence [Reputation]

1. In the FMC, go to Policies > Access Control > Base_Policy and edit it.

a. Click the Security Intelligence tab.
i. Under Networks, select the 11.11.60.0-24 object (the 11.11.60.0/24 network) and click Add to Blocklist.
ii. Save and Deploy.
2. Go back to the NGFW1 CLISH and verify that you are still in the /ngfw/var/sf/iprep_download directory by typing pwd (print working directory).
a. Type ls -la *.blf and note the new file, whose name begins with 005.
b. Type cat 005, press [Tab] to complete the name, and press Enter.
3. You will use this block list later in this scenario.

Packet-Tracer Lab

1. On the FMC, go to Policies > Access Control and edit the Base_Policy.

2. Click Add New Rule.

a. Name: Packet-Trace Rule

b. Insert the rule ABOVE rule 1.

c. Action: Block or Block with reset

d. Zones: Source Zone InZone1, Destination Zone OutZone

e. Networks: Source MainOfficenetwork, Destination any-ipv4

f. Ports: select ICMP, HTTPS and FTP and click Add Destination Port.

g. Click Logging and select Log at Beginning of Connection.

h. Click Confirm.

i. Click Apply, then Save, and deploy to NGFW1 and NGFW3.

NOTE: This rule matches broadly on all ICMP, HTTPS and FTP traffic. In a production environment you would be more specific about which applications you block.

3. Open a session to NGFW1.

a. If you are still logged in as root, type exit twice to return to the CLISH.

4. Type the following:

packet-tracer input in10 icmp 198.19.10.200 8 0 198.18.133.200

a. Look at the phases. Notice that the packet is handed off to Snort for further processing.

b. Notice that Snort matches the block-with-reset rule (identified by its rule ID) and orders the packet dropped.

5. Repeat the packet-tracer command for HTTPS (TCP port 443) and FTP (TCP port 21) to the same destination.
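The following Python script is an added example, not part of the Cisco lab guide, that summarises packet-tracer output so the dropping phase and the matched rule can be pulled out of a long trace instead of being read by eye. SAMPLE_TRACE is a constructed, abbreviated imitation of what the ICMP trace above produces (a real trace has more phases and its wording varies between releases); on a real device you would paste in the CLI output, including that of the TCP form used for the HTTPS and FTP checks, packet-tracer input in10 tcp 198.19.10.200 1111 198.18.133.200 443.

```python
"""Summarise FTD packet-tracer output: which phase dropped the packet and why.

Added example, not from the Cisco lab guide. SAMPLE_TRACE is a constructed,
abbreviated imitation of real packet-tracer output (real traces have more
phases and wording differs between releases); the parser relies only on the
Phase:/Type:/Subtype:/Result: labels, the rule-id remarks and the final
Action:/Drop-reason: lines.
"""
import re
from typing import Dict, List, Optional

SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 198.18.133.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit icmp ifc in10 object MainOfficenetwork any4 rule-id 268435461 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: Base_Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Packet-Trace Rule
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: ICMP
Firewall: block rule, 'Packet-Trace Rule', drop
Snort Verdict: (black-list) black list this flow

Result:
input-interface: in10
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Flow drop by snort
"""

PHASE_KEYS = ("Phase", "Type", "Subtype", "Result")


def parse_phases(trace: str) -> List[Dict[str, object]]:
    """Split a trace into its 'Phase:' blocks and pull the labelled fields out of each."""
    phases: List[Dict[str, object]] = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Phase:"):
            continue  # the trailing 'Result:' summary block is handled in summarize()
        fields: Dict[str, object] = {}
        for line in lines:
            key, sep, value = line.partition(":")
            if sep and key in PHASE_KEYS:
                fields[key] = value.strip()
        # Rule IDs appear in the access-list lines of ACCESS-LIST phases.
        fields["rule_ids"] = sorted(set(re.findall(r"rule-id (\d+)", block)))
        phases.append(fields)
    return phases


def first_drop(trace: str) -> Optional[Dict[str, object]]:
    """Return the first phase whose Result is DROP, or None if every phase allowed."""
    for phase in parse_phases(trace):
        if phase.get("Result") == "DROP":
            return phase
    return None


def summarize(trace: str) -> Dict[str, object]:
    """Collapse a full trace into the few facts needed to explain the verdict."""
    action = re.search(r"^Action: (\S+)", trace, re.M)
    reason = re.search(r"^Drop-reason: (.+)$", trace, re.M)
    # The ACP rule name is recorded in an 'L4 RULE:' or 'L7 RULE:' remark line.
    rule = re.search(r"L[47] RULE: (.+)$", trace, re.M)
    drop = first_drop(trace)
    all_ids = sorted({rid for p in parse_phases(trace) for rid in p["rule_ids"]})  # type: ignore[union-attr]
    return {
        "action": action.group(1) if action else None,
        "drop_reason": reason.group(1).strip() if reason else None,
        "drop_phase": int(str(drop["Phase"])) if drop else None,
        "drop_type": drop["Type"] if drop else None,
        "rule_name": rule.group(1).strip() if rule else None,
        "rule_ids": all_ids,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key:12} {value}")
```

Run it as a script to print the summary, or import summarize() and feed it captured output; an action of allow with drop_phase None means every phase passed, which is what you should see once the Packet-Trace Rule is removed again at the end of this section.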

Now run the same trace from the FMC's Packet Tracer tool.

1. Go to Devices > Device Management, find NGFW1 and click the three dots.

2. Click Packet Tracer.

a. Packet Type: ICMP

b. Ingress Interface: in10

c. Source: 198.19.10.200

d. Type: 8 (Echo Request), Code: 0

e. Destination: 198.18.133.200

f. Click Trace.

NOTE: You get the same result that you saw on the NGFW1 command line; it is just presented in the FMC window.

3. Set up Packet Tracer for FTP:

a. Click Reset.

b. Select Device: NGFW1

c. Packet Type: TCP

d. Source: 198.19.10.200

e. Source Port: 1111

f. Ingress Interface: in10

g. Destination: 198.18.133.200 (Outside Linux Server)

h. Destination Port: FTP

i. Click Trace.

4. Use Packet Tracer to test HTTP traffic from 198.19.10.200 to 11.11.60.1: Ingress Interface in10, Source Port 1111, Destination Port 80 (http). The destination falls inside the 11.11.60.0/24 range you added to the Security Intelligence block list earlier, so compare this result with the previous traces.

Capture w/Trace Lab

NOTE: There are two types of traffic capture on FTD: the LINA-level capture (the capture command) and the Snort-level capture (capture-traffic). The FMC Packet Capture tool used below configures a LINA capture with trace enabled.

1. LINA-level capture

2. Snort-level capture-traffic

3. Go to Devices > Device Management and click the three dots for NGFW1.

4. Click Packet Capture and make sure NGFW1 is selected.

5. Click Add Capture.

a. Name: Capturewtrace

b. Interface: in10

c. Protocol: ICMP

d. Source Host: 198.19.10.200 (Inside Linux Server)

e. Destination Host: any

f. Buffer Size: 33554432 (32 MB)

g. Trace Count: 100

h. Save

NOTE: The access rule denying ICMP is still in place, so the pings will fail, but you will still see the packets in the capture. Later in this lab you will export the capture in PCAP format and open it in Wireshark.

6. From the Kali Inside Linux Server, type: ping outside

7. If you do not see anything in the Packets Shown window within about 10 seconds, click Refresh.

8. Once you see packets, stop the ping.

9. Click the Save icon for the packet capture you created.

a. Save the file as PCAP.

10. When prompted, choose Save File and click OK.

11. Go to the downloads of Firefox or Chrome and select the file you just downloaded.

12. Minimize the browser; the file is opened in Wireshark.

13. Notice that the echo requests are marked (no response found!), because the firewall dropped them.

a. In the FMC, check the trace output for a captured packet to see the rule that was triggered and the result.

14. Remove the Packet-Trace Rule from the Base_Policy.

15. Save and Deploy.

Scenario 9. Decryption
In this scenario you will configure decryption with a known key (Decrypt - Known Key), decryption by re-signing the server certificate (Decrypt - Resign), and decryption with additional rules.

Steps

Import Certificates for Known Key

You will configure the FMC to decrypt traffic to and from the DMZ web server. Because the firewall is given the server's own certificate and private key, it can decrypt these inbound sessions without re-signing anything. You need that certificate and private key to create a PKI object in the FMC for use in a decryption rule. Once you create the object you will create the decryption policy and its rules, and attach the policy to the ACP.

Preparing the Isolated Server

1. Open a session to the IRB Isolated Linux Server (198.19.12.220) as root/C1sco12345.

2. Type ifconfig
a. Notice that eth0, eth0:1 and eth0:2 are on the 198.19.10.x subnet.
b. Type ifconfig eth0 198.19.20.220 netmask 255.255.255.0
c. Type ifconfig eth0:1 198.19.20.221 netmask 255.255.255.0
d. Type ifconfig eth0:2 198.19.20.222 netmask 255.255.255.0
e. DO NOT MODIFY eth1. (These ifconfig changes are not persistent; they are lost if the server reboots.)
3. Type route -n
a. Notice that the default route points to gateway 198.19.10.1.
b. Type route add -net 0.0.0.0 gw 198.19.20.1 (the address of GigabitEthernet0/2 on NGFW1). Add the new default route before deleting the old one so that the server never ends up without a default route.
c. Verify that the route was added: type route -n
d. Type route del -net 0.0.0.0 gw 198.19.10.1
e. Verify that the route was deleted: type route -n
4. Modify the access control policy Base_Policy to allow traffic outbound from InZone2.
5. Modify the access control policy Base_Policy to allow east-west traffic from InZone1 to InZone2.
6. Modify the NAT policy Default_PAT to translate any address from InZone2 to the outside interface IP address.
7. Save and Deploy.
8. Test connectivity from the Isolated Linux Server:
a. ping outside should succeed.
b. ping inside should succeed.

Create NAT Translation for Isolated Server

1. Log in to the FMC.

a. Go to Devices > NAT > Default_PAT.
i. Add a NAT rule:
1. Insert: NAT Rules Before
2. Interface Objects:
a. Source: InZone2
b. Destination: OutZone
c. Translation, Original Source: create a new network object wwwinssl (198.19.20.220)
d. Translation, Translated Source: create a new network object wwwoutssl (198.18.134.220)
e. Click OK.
f. Click Save.
2. Go to Policies > Access Control > Base_Policy.
a. Add or modify a rule to allow inbound connectivity from OutZone to InZone2.
i. Destination network: wwwinssl (access control matches on the real, untranslated address, not on wwwoutssl)
ii. Make sure to select HQ-Balanced-Policy as the Intrusion Policy and Demo File Policy as the File Policy.
iii. Logging: Log at End of Connection

3. Go to the Objects menu and select Object Management.

4. Expand PKI on the left and select Internal Certs.

5. Click the Add Internal Cert button.

6. The Add Known Internal Certificate window appears, prompting for the certificate and private key data.

7. Configure the following:

a. Name: wwwinssl
8. Use the session to the IRB Isolated Linux Server.
9. Run the following command to display the certificate used by the DMZ web server:
a. cat /etc/pki/tls/certs/localhost.crt
10. Copy the output of the command by highlighting the text beginning with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----".

11. Return to the FMC.

12. Paste the contents of the certificate file into the Certificate Data field.

13. Go back to the IRB Isolated Linux Server session.

14. Run the following command:
a. cat /etc/pki/tls/private/localhost.key

15. Copy the output of the command by highlighting the text beginning with "-----BEGIN RSA PRIVATE KEY-----" and ending with "-----END RSA PRIVATE KEY-----".
16. Return to the FMC.
17. Paste the contents of the key file into the Key field.

18. Ensure the Password field is blank (the lab key is not encrypted; if a key is passphrase-protected, enter the passphrase here).

19. Click the Save button. The FMC now holds a copy of the web server's private key, so treat access to the FMC as equivalent to access to that key. You will now create the decryption policy.

Create SSL Policy

1. Click the Policies menu and select Decryption.

2. Select Create Decryption Policy.
3. Configure the following:
a. Click Inbound Connections.
b. Name: Corp HQ-SSL-Policy
c. Description: SSL Policy for Corp HQ
d. Internal Certificates: wwwinssl, then click OK.
e. Click Save.
f. Click Save again.

4. Click the edit icon [pencil] for Corp HQ-SSL-Policy.

5. Notice that a standard rule, wwwinsslrule, has been created automatically.
6. You will now edit the rule so that it decrypts traffic targeted at the DMZ web server.
7. Verify the following:
a. Name: Decrypt wwwinsslrule
b. Action: Decrypt - Known Key
c. With: wwwinssl
d. Insert: into Category: Standard Rules

8. On the Zones tab, select InZone2 and click Add to Destination. Select OutZone and click Add to Source.

9. Click the Networks tab, select the wwwinssl object, and click Add to Destination.

10. Click the Ports tab, select HTTPS, and click the Add to Destination button.
11. Click the Cert Status tab and review the options, but do not make any changes. Notice the many criteria available to control how the FTD handles encrypted traffic.

12. Click the Logging tab and select Log at End of Connection.

13. Click Save.
14. Click the Save button to save the changes to the policy.

Configure ACP

The decryption policy has been configured but is not yet attached to an ACP.

1. Click Policies > Access Control > Base_Policy.

2. Click Advanced > Decryption Policy Settings and the pencil icon to edit.

3. Choose the Corp HQ-SSL-Policy object and click OK.

4. Click Access Control.

5. Locate the rule that you used for the inbound SSL connectivity and edit the rule.
6. Configure the following:
a. Intrusion Policy: HQ-High-Security-Policy
b. Variable Set: ExternalTraffic
c. File Policy: Demo file Policy
d. Click Save.
7. Click Apply, Save the Base_Policy and Deploy All.

Test SSL Policy

You will now test the decryption policy from WKST2 to see whether it is working.

1. Go to the dCloud session page in your computer's web browser, find the WKST2 machine arrow and select Remote Desktop.

2. Open the Firefox web browser by double-clicking the shortcut on the desktop.
3. Browse to https://198.18.134.220
4. Click Advanced.
5. Click Accept the Risk and Continue (the server presents a certificate that the browser does not trust).

6. Click the Files link.

7. You will now test the decryption policy.
8. Right-click test2.mov and select Save Link As.
9. Select Desktop and Save.
a. The file should download.
10. Right-click test1.mp4 and select Save Link As.
a. The download will fail.

11. The file is blocked even though it is carried over HTTPS: the known-key rule lets the firewall decrypt the flow, so the file policy on the access rule can inspect the download. You will now review the connection events that show the decryption policy's information.
12. Return to the FMC.
13. Go to Analysis > Connections > Events.
14. Click Edit Search.
a. Action: Block
b. Networking
i. Initiator IP: 198.18.133.23
c. Click Search.

15. You can see the files that were blocked. Note that the URL shows HTTPS.
16. Click Table View of Connection Events.
17. Click the X next to one of the columns in the current view.

18. When the column settings appear, scroll down and check all columns that begin with SSL.

19. Click Apply.

20. Review the SSL fields in relation to the traffic shown on the screen.

Scenario 10. TLS Server Identity Discovery

Objectives

• Enable application detection and URL filtering for TLS 1.3 flows
• Configure an access control policy with TLS Server Identity Discovery enabled
• Detect an SNI (Server Name Indication) mismatch without a decryption policy

In TLS 1.2 the server certificate is sent in cleartext, so a firewall can read the certificate and enforce policy on it. TLS 1.3 encrypts the certificate, which lets an intruder evade AppID or URL filtering for a TLS 1.3 connection. TLS Server Identity Discovery lets the firewall learn the certificate details of servers that support TLS 1.3, as well as earlier TLS versions.

Application detection and URL filtering matching TLS 1.3

Firewall features such as URL filtering (by category and reputation) and application detection (AppID) rely on names carried in the TLS handshake to enforce the access control and decryption policies:

1. Server Name Indication (SNI), sent by the client in the ClientHello

2. Common Name (CN), in the server certificate

3. Subject Alternative Names (SANs), in the server certificate

4. Organizational Unit (OU), in the server certificate

In TLS 1.3 most of this information (everything in the certificate) is encrypted, and the one field that remains in cleartext, the SNI, is chosen by the client and can be spoofed. The following demonstrates how an intruder can use the SNI to bypass firewall policy and what configuration you can apply to validate the SNI further.

Investigate Default Behavior with Access Control Policy Only Enabled

1. In the FMC, go to Policies > Prefilter > New Policy. Name: Demo Prefilter Policy

a. Click Add Prefilter Rule.

i. Name: Fastpath Hosts
ii. Enabled
iii. Action: Fastpath
iv. Interface Objects: Any
v. Available Networks: add 198.19.10.100, 198.19.10.101, 198.19.10.120 and 198.19.10.121
vi. Available Network Groups:
1. Name: Network_Groups
a. Add all 198.19.10.x networks
b. Add to Destination Networks
vii. Ports: ICMP, TCP(6):443, TCP(6):53, UDP(17):53
viii. Click Add.
b. Click Add Prefilter Rule.
i. Name: Fastpath DNS traffic
ii. Enabled
iii. Action: Fastpath
iv. Interface Objects: Any
v. Networks: Any
vi. Ports: TCP(6):53, UDP(17):53
vii. Logging: Log at End of Connection
viii. Click Add.
2. Save.

Fastpathed flows bypass Snort inspection entirely, so keep rules like these limited to the hosts and ports that genuinely need them.

3. In the FMC, go to Policies > Access Control > New Policy. Name: TLS Policy Demo; add NGFW1 as a targeted device.
a. Click Save and Yes.
i. Click Add Rule.
1. Name: Allow FB APP
2. Zones: any
3. Applications: Facebook and Facebook Applications Other
4. Logging: Log at End of Connection

5. Click Apply.
4. At the bottom of the access control policy, where the default action reads Access Control: Block all traffic:
a. Click Logging.

b. Select Log at Beginning of Connection.

c. Click Apply.
5. Select the Demo Prefilter Policy from the Prefilter Policy drop-down menu.

6. Click Save at the top of the page


7. Click Deploy

TLS Server Identity Discovery Disabled and SNI not present

1. From the Quick Launch menu, open the Kali Inside Linux Server (root/C1sco12345).
2. On the Linux server, type the following:
a. openssl s_client -connect walmart.com:443 -tls1_3
i. This generates a TLS 1.3 connection to https://walmart.com. The command takes a few seconds to complete. Note that recent OpenSSL versions send the -connect host name as the SNI by default; add -noservername if you want to confirm the behaviour with no SNI at all.

3. Click Analysis > Connections > Events.

a. Edit Search
b. Networking
i. Initiator IP*: 198.19.10.200

ii. Search
c. Click Table View of Connection Events.
4. Click the X by one of the columns.
a. Verify or select SSL Flow Flags.
b. Verify or select SSL Flow Messages.

c. Click Apply.

Observe connection event details

1. Action = Block
2. Reason = N/A
3. SSL Flow Flags = N/A
4. SSL Flow Messages = N/A
5. Web Application = Walmart
6. URL = https://walmart.com

TLS Server Identity Discovery Disabled and with SNI Present

1. Go back to the Kali Inside Linux Server and type the following:
2. openssl s_client -connect walmart.com:443 -tls1_3 -servername facebook.com

In this task, the client connects to walmart.com over HTTPS. The website or application is typically detected on the firewall from the TLS handshake, with the decision based on the CN (Common Name) in the server certificate.

The -servername option sets the SNI of the connection to facebook.com. When SNI is used, the host name the client wants is included in cleartext in the TLS ClientHello. SNI lets a single shared IP address host multiple web servers or domains, each with its own certificate. In TLS 1.3 flows, SNI is what lets intermediate devices see where the client is going, because the certificate is no longer visible to them.

1. Action = Allow
2. Reason = N/A
3. SSL Flow Flags = N/A
4. SSL Flow Messages = N/A
5. Web Application = Facebook
6. URL = https://facebook.com

The firewall trusted the session based on the SNI before it had learned the certificate, so a connection to walmart.com was allowed by the Facebook rule. Learning the certificate ahead of time matters because it lets the firewall verify the SNI before making its decision.

The next exercise looks at how Cisco Secure Firewall Threat Defense, with the TLS Server Identity Discovery feature, decides on TLS 1.3 flows using other information, since the SNI is easily spoofed. When processing TLS 1.3 flows, FTD with TLS Server Identity Discovery gives the certificate CN higher precedence than the SNI.
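To make the SNI-versus-certificate point concrete, the following Python script is an added example (not part of the Cisco lab guide, and not the firewall's own logic). It builds a minimal TLS 1.3 ClientHello, reads the SNI back out of the raw bytes exactly as an on-path device can, and then checks that SNI against certificate names learned out of band, which is what the TLS Server Identity Discovery probe cache makes possible. CACHED_CERT_NAMES is constructed sample data standing in for what the probe would cache for the walmart.com server, not real certificate contents, and the comparison is a simplified illustration of the idea rather than the firewall's actual algorithm.

```python
"""SNI is cleartext and client-chosen; a cached server certificate lets you check it.

Added example, not from the Cisco lab guide. build_client_hello() produces a
minimal TLS record carrying a ClientHello with a server_name extension;
extract_sni() reads the SNI back from the raw bytes, which is all an on-path
device can see in TLS 1.3 before the encrypted certificate arrives.
classify() then compares the SNI with certificate names learned out of band
(the TLS Server Identity Discovery probe cache, modelled here by a plain list).
CACHED_CERT_NAMES is constructed sample data, not real certificate contents,
and the comparison is a simplified illustration, not the firewall's algorithm.
"""
import struct
from typing import List, Optional

# Constructed stand-in for the names the probe would have cached for the
# walmart.com server (subject CN plus SANs); real certificates differ.
CACHED_CERT_NAMES = ["www.walmart.com", "walmart.com", "*.walmart.com"]


def build_client_hello(sni: Optional[str]) -> bytes:
    """Return a TLS record holding a minimal TLS 1.3 ClientHello, with SNI if given."""
    # supported_versions extension advertising TLS 1.3 (0x0304)
    extensions = struct.pack("!HHBH", 0x002B, 3, 2, 0x0304)
    if sni is not None:
        host = sni.encode("ascii")
        # server_name extension: list length, name_type 0 (host_name), name length, name
        sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
        extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body + extensions
    body = (
        b"\x03\x03"            # legacy_version = TLS 1.2
        + b"\x00" * 32         # client random (zeros; sample only)
        + b"\x00"              # legacy_session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return the host_name from its server_name extension."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record carrying a ClientHello
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                # server_name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += length
    return None                               # no SNI at all (e.g. openssl -noservername)


def name_matches(sni: str, cert_name: str) -> bool:
    """Case-insensitive match honouring a single leading wildcard label (*.example.com)."""
    sni_labels = sni.lower().split(".")
    cert_labels = cert_name.lower().split(".")
    if len(sni_labels) != len(cert_labels):
        return False
    if cert_labels[0] == "*":
        return sni_labels[1:] == cert_labels[1:]
    return sni_labels == cert_labels


def classify(record: bytes, cached_cert_names: List[str]) -> str:
    """Decide whether the SNI can be trusted given certificate names learned out of band."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"            # decision has to wait for the certificate (or a probe)
    if any(name_matches(sni, n) for n in cached_cert_names):
        return "sni-verified"
    return "sni-mismatch"          # client claimed a name the server's certificate does not carry


if __name__ == "__main__":
    honest = build_client_hello("walmart.com")
    spoofed = build_client_hello("facebook.com")   # what -servername facebook.com produces
    print("SNI seen on the wire:", extract_sni(spoofed))
    print("honest:", classify(honest, CACHED_CERT_NAMES))
    print("spoofed:", classify(spoofed, CACHED_CERT_NAMES))
```

classify() returns sni-verified for the honest ClientHello and sni-mismatch for the one that openssl -servername facebook.com produces; with no SNI at all (openssl -noservername) it returns no-sni, the case where a device has nothing to go on until it has seen, or probed for, the server certificate.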

Enable TLS Server Identity Discovery feature on FMC

3. In the FMC, go to Policies > Access Control > TLS Policy Demo.

4. Go to More > Advanced Settings.

5. Click the TLS Server Identity Discovery edit button [pencil] and enable Early application detection and URL categorization.

6. Click OK, Save the ACP and Deploy.

TLS Server Identity Discovery Enabled and with SNI Mismatch Detection

1. On the Kali Inside Linux Server, type:

a. openssl s_client -connect walmart.com:443 -tls1_3 -servername facebook.com

2. Go to the FMC, refresh the connection events and view the Table View of Connection Events.

As shown above, the SNI is cleartext and can be spoofed or omitted. The purpose of this exercise is to show that with TLS Server Identity Discovery you can check the SNI against other information and detect an SNI mismatch without a decryption policy, which matters because not all deployments use one.

TLS Server Identity Discovery Probe – Certificate not found in local cache

The TLS probe lets the TLS Server Identity Discovery feature learn server certificates for TLS 1.3 sessions. This exercise demonstrates that the probe can discover a server certificate, cache it, and use it to assist with later TLS 1.3 connections.

1. In the FMC, go to Policies > Access Control and edit TLS Policy Demo.
2. Click Add Rule.
a. Name: Allow Finance
b. Action: Allow
c. URLs: Finance and Online Trading
d. Logging: Log at End of Connection
e. Click Confirm, then Apply.
f. Validate that TLS Server Identity Discovery is enabled in the Advanced tab.
g. Click Save.

h. Deploy.
3. After deployment completes, open or resume a session to NGFW1.
4. Type: system support ssl-probe-logging-enabled true

5. Clear the certificate cache:

a. Type: system support ssl-cache-clear all

6. Check for a specific certificate on NGFW1 by its domain name/SNI or IP address:
a. Type: system support ssl-cache-export [Snort 3 command]

7. If you want to look at the exported file:

a. Type expert
b. Type sudo -i (password C1sco12345)
c. cat /ngfw/var/common/ssl_server_certs.txt
i. The file should contain certificates for Cisco and possibly Microsoft; the rest of the file should be empty.
8. From the Quick Launch menu, click Wkst 1 (administrator/C1sco12345) if needed.
9. On Wkst1, open any TLS 1.3 capable financial website, for example https://americanexpress.com (the page might take a while to load).
10. Click the padlock icon in the address bar.
a. Click [>] to expand the details of the certificate issued for the website.

b. Click More Information.

11. In the FMC, go to Analysis > Connections > Events.

a. Edit Search
b. Under Networking, enter Initiator IP: 198.19.10.21 and click Search.
c. Select Table View of Connection Events and find the events for americanexpress.com.

d. SSL Flow Flags = CERTIFICATE_CACHE_MISS and CERTIFICATE_CACHE_HIT

e. SSL Flow Messages = CLIENT_HELLO

The SSL Flow Flags field shows CERTIFICATE_CACHE_MISS on the first visit to the website because the certificate is not yet in the device's local cache. On later visits it shows CERTIFICATE_CACHE_HIT, because the cache miss triggered a TLS probe that fetched the certificate and stored it in the cache. The system uses the cached certificate to make policy enforcement decisions.
12. On Wkst1, close Firefox and reopen it to https://americanexpress.com
13. On the FMC, go to Analysis > Connections > Events.
a. Edit Search
b. Enter Initiator IP: 198.19.10.21
c. Enter URL: *americanexpress*

Note that this time the SSL Flow Flags report only CERTIFICATE_CACHE_HIT and there is no TLS Server Identity Discovery probe session event. The probe was not needed because the site's certificate was already cached locally; the system used the cached certificate for the new request.

14. Go to the NGFW1 session and type:

a. From the CLISH [>], type: system support ssl-cache-export [Snort 3]
b. Type expert
c. Type cat /ngfw/var/common/ssl_server_certs.txt

d. Look for the www.americanexpress.com certificate.

e. Optionally, type grep americanexpress.com /ngfw/var/common/ssl_server_certs.txt to go straight to it.

15. Reassign NGFW1 to the Base_Policy access control policy, then Save and Deploy.

Scenario 11. Encrypted Visibility Engine [EVE]

NOTE: Before proceeding with this lab, remove any decryption policy associated with the Base_Policy. EVE does not require decryption of the traffic in order to work.

Configuration Tasks

1. Verify that TLS Server Identity Discovery is disabled for the Base_Policy:
2. In the FMC, go to Policies > Access Control > Base_Policy > More > Advanced Settings > TLS Server Identity Discovery.
3. In the FMC, go to Overview > Dashboard.
4. Click Switch Dashboard and select Application Statistics.

5. Click the Encrypted Visibility Engine tab; you will see two built-in widgets:
a. Top Encrypted Visibility Engine Discovered Processes
b. Connections by Encrypted Visibility Threat Confidence

Enable the Encrypted Visibility Engine Feature

1. In the FMC, go to Policies > Access Control.

2. Edit the Base_Policy access control policy.

3. Open the Advanced tab.

4. Locate Encrypted Visibility Engine at the bottom of the page and enable it.

5. Read the Encrypted Visibility Engine message and click Enable.

6. Click Save, then Deploy > Deploy to all devices, and wait for the deployment to complete.

Encrypted Visibility Engine – Reporting

1. In the FMC, go to Analysis > Connection Events > Reporting.

2. You will see the following report settings:

3. Configure Connections with Application Details:

a. Table: Encrypted Visibility Process Statistics
b. Preset: None
c. Format: Pie Chart
d. Search: None
e. X-Axis: Encrypted Visibility Process Name
f. Y-Axis: Unique Encrypted Visibility Process Names

g. Time Window: 1 month

h. Results: Top 100
4. Configure Table View of Connection Events:
a. Table: Encrypted Visibility Threat Statistics
b. Preset: None
c. Format: Pie Chart
d. Search: None
e. X-Axis: Encrypted Visibility Threat Confidence
f. Y-Axis: Total Connections
g. Time Window: 1 month
h. Maximum Results: 100

i. Click Save and Generate (leave the output format as PDF).

j. Click Generate and Yes to confirm.
5. Click the task notification and click the PDF hyperlink to view the report.

6. Review the output of the report.

Encrypted Visibility Engine – Events

1. In the FMC, go to Analysis > Unified Events.

a. In the upper left corner, click the filter icon at the top of the first column.

b. In the Filter columns search bar, type "Encrypted".

i. Select the Encrypted Visibility options that appear.

ii. Click Apply.

iii. This adds the EVE columns to the right of the existing columns.
c. In the search bar at the top of the page, enter the following values:
i. Application Protocol: HTTPS
ii. Destination IP: 129.21.1.40
iii. Make sure that the time range is a sliding range, for example Last hour.
iv. No events should be seen at this time.
d. Scroll to the right and view the Encrypted Visibility fields:
i. Encrypted Visibility Threat Confidence [probability that the detected process contains malware: very low / low / medium / high / very high]
ii. Encrypted Visibility Threat Confidence Score [raw confidence value, 0-100, that the detected process contains malware]
iii. Encrypted Visibility Process Confidence Score [percentage confidence that the detected process name is correct]
iv. Encrypted Visibility Process Name [client process name]
2. From the Quick Launch menu, open WKST 1 (Administrator/C1sco12345).
a. Open https://rit.edu in both Firefox and Chrome.
3. Go back to FMC > Analysis > Unified Events.
a. In the search bar, type:
i. Application Protocol: HTTPS
ii. Destination IP: 129.21.1.40
iii. Click Apply [your numbers might vary]. Compare the process name and confidence scores reported for the Firefox and Chrome connections.

Scenario 12. Network Discovery and Firepower Recommendations

Review Discovery Data

You will now review the discovery data contained in the FMC that has been generated by the FTD.

1. Click Analysis > Hosts > Discovery Events


2. Click the link in the upper right of the screen that shows the time period the data is collected from.

3. Select the last week (1 week before now) and click Apply.

4. A list of the Discovery Events for the last week is shown. Each event corresponds to a host initiating traffic through the
firewall that triggered a discovery event, from which the firewall obtained detailed information about the host.

5. Find an entry (or use Edit Search) for host 198.18.133.23 and click on the Hosts tab.


6. From the Host Profile page, you can also access data related to that host such as:
a. Content Explorer
b. Connection Events
c. Intrusion Events
7. Scroll Down and look at Vulnerabilities
8. Click on Content Explorer
a. Scroll down and look at the information
9. Go to Analysis > Hosts > Network Map
10. In the search box type 198.19.10.200, expand the result and then click on 198.19.10.200
a. Look to see if you have the following:
i. Operating Systems
ii. Attributes
iii. Host Protocols
iv. Vulnerabilities

Firepower Recommendations

You will now see how to tune the IPS policy based on Firepower recommendations.

1. Click Policies > Intrusion


2. Click the HQ-Balanced-Policy Snort 3 Version

3. Click on the Recommendations [Not in use]

4. Click on Start


5. Click on Recommended Rules (Not in use) and note the number of rule state changes that are recommended

6. Examine some of the rules that were recommended to be changed.


a. Click on the GID:SID to examine the rules

NOTE: Enabling this option can reduce the number of IPS rules active in a policy, because rules for operating systems and
services that discovery has not seen on the monitored hosts are disabled. You will leave this enabled to view the effect of the
option. In a customer environment that has no performance issues, it may be undesirable to reduce the number of rules active in
the policy, since discovery data can be incomplete.


Scenario 13. Port Scan Detector

The purpose of this lab is to show how port scans can be detected on the FTD. With Snort 2.x port scans are detected by the
portscan preprocessor in the Network Analysis Policy, and the corresponding preprocessor rules must be enabled before any
event is generated. Starting with 7.2, on Snort 3 devices port scan detection is performed in the LINA (data plane) engine instead
of Snort and is configured under the access control policy's Threat Detection settings. This lab shows port scan detection for both
Snort 2.x and Snort 3.x.

Steps

1. Prepare the lab
a. Turn off the Encrypted Visibility Engine
i. Policies > Access Control > Base_Policy > More > Advanced Settings > Encrypted Visibility Engine > Disable
ii. Save
b. Assign NGFW3 to the HA access control policy
c. Convert NGFW1 to Snort 2
d. Use the AD server [198.19.10.100]
i. Create object AD_inside [host: 198.19.10.100]
ii. Create object AD_outside [host: 198.18.133.100]
e. Create a manual static NAT rule AD_inside > AD_outside
f. Create an inbound access control rule #1
i. Name: Portscan
ii. Zones = Outzone > inZone1
iii. Ports = any
iv. Intrusion Policy = HQ-Balanced-Policy
v. Turn on logging at end of connection so the scan shows up in connection events
vi. Click Apply, Save, Deploy
g. Go to the Kali Outside Linux server 198.18.133.200 root/C1sco12345
h. Ping 198.18.133.100
i. Type: msfconsole
j. Type: nmap -p- 198.18.133.100 [this scans all 65535 TCP ports]; wait until it completes
k. FMC > Analysis > Connection Events; search for Networking > Initiator IP 198.18.133.200
i. Drill down on one of the events
l. FMC > Analysis > Intrusion Events
i. No TCP port scan should be detected at this point, because no portscan detection is configured yet
ii. Edit Search > Networking > Source IP > 198.18.133.200 to verify there are no results

Configure Port Scan SNORT 2

NOTE: Portscan detection with Snort 2 is implemented in the Network Analysis Policy [NAP]. The portscan preprocessor rules,
GID 122 with SIDs 1-27, must be enabled for events to be generated.
1. Enabling Preprocessors for Portscan GID 122 SID 1-27
a. Policies > Intrusion > HQ-Balanced-Policy > Snort 2 Version
i. Edit the Manage Rules


2. In the Filter box type GID:122 and press Enter

a. Generator ID 122, SIDs 1-27, are the preprocessor rules for portscan
i. Click the SID column header to sort from low to high (1-27)
ii. Click the GID checkbox to select all SIDs
iii. Under Rule State click Generate Events and then OK
3. Click the triangle icon next to Policy Information
a. Click Commit Changes
i. Description: Snort 2 Portscan test
ii. Click OK
iii. Click OK to accept the message
4. Click Network Analysis Policies next to Intrusion Policies
a. Click Create Policy
i. Name: Snort 2 Portscan
ii. Inspection Mode > Test
iii. Click Save
5. Go to Policies > Access Control > Base_Policy > More > Advanced Settings
a. Next to Network Analysis and Intrusion Policies click the pencil icon
i. Intrusion Policy used before Access Control rule is determined > HQ-Balanced-Policy
ii. Default Network Analysis Policy > Snort 2 Portscan
iii. Click OK
iv. Click Save
b. Deploy the changes; when the deployment completes go to the next step
6. Testing Results
a. Open a session to the Kali Outside Linux server [198.18.133.200] root/C1sco12345
b. Type: msfconsole
c. Type: nmap -p- 198.18.133.100
d. On the FMC > Analysis > Connections > Events
i. Verify that there is traffic from 198.18.133.200 > 198.19.10.100 (the static NAT rule translates the scan target to the AD server)
e. On the FMC > Analysis > Intrusions > Events
i. Check that there is now a portscan alert with Destination IP > 198.18.133.100
7. Click the box next to Impact and then select Delete All
8. Removing the Snort 2 Portscan
a. FMC > Policies > Intrusion > HQ-Balanced-Policy > Snort 2 Version
i. Click Manage Rules
ii. Under Filter type GID:122 and press Enter
iii. Click the GID checkbox [this selects all 27 SIDs]
iv. Click Rule State > Disable


9. Click OK
10. Click the orange arrow next to Policy Information

11. At the bottom right click Commit Changes

a. Click OK on the Description of Changes box; read the warning if applicable and click OK
b. Go to and edit the Base_Policy: FMC > Policies > Access Control > Base_Policy
i. Go to More > Advanced Settings > Network Analysis and Intrusion Policies
ii. Change the Default Network Analysis Policy back to Balanced Security and Connectivity
iii. Click OK and Save
c. Go to Policies > Intrusion > Network Analysis Policies
i. Delete the Snort 2 Portscan policy
d. Click Deploy All
12. Testing Results
a. Open a PuTTY session to the Kali Outside Linux server [198.18.133.200] root/C1sco12345
b. Type: msfconsole
c. Type: nmap -p- 198.18.133.100
d. On the FMC > Analysis > Connections > Events
i. Verify that there is traffic from 198.18.133.200 > 198.19.10.100
e. On the FMC > Analysis > Intrusions > Events
i. Check whether there is an alert with Destination IP > 198.18.133.100; there should be none
ii. This verifies that portscan detection is no longer active once the GID 122 rules are disabled
13. Configuring Portscan SNORT 3
a. FMC > Devices > Device Management > NGFW1 > Device > Inspection Engine > Upgrade
i. Enable Snort 3 and click Yes


ii. Click Deploy All
b. FMC > Policies > Access Control
i. Edit Base_Policy
ii. More > Advanced Settings > Threat Detection > Edit
iii. Portscan Mode > Detection
iv. Detection on Traffic > All
v. Click Monitor
vi. Under Available Networks select AD_inside and add it to Selected Networks
vii. Click Add to create a new network object: Name Kali_Outside_Linux, Host 198.18.133.200, then click Save
viii. Add Kali_Outside_Linux to Selected Networks
ix. Click OK
x. Click Save
c. Click Deploy All
14. Testing Results
a. From the Kali Outside Linux server type: msfconsole
b. Type: nmap -p- 198.18.133.100
c. On the FMC > Analysis > Connections > Events
i. Verify that there is traffic from 198.18.133.200 > 198.19.10.100
d. On the FMC > Analysis > Intrusions > Events
i. Check that there is an alert with Destination IP > 198.18.133.100
ii. Click Table View of Events, check the box next to Impact and then select Delete All
15. FMC > Policies > Intrusion > HQ-Balanced-Policy > Snort 3 Version
a. In the Base Policy search box type GID:122 and press Enter
b. All of SIDs 1-27 are disabled, yet port scan detection is working: with Snort 3 the detector runs in LINA and is controlled by
the Threat Detection settings, not by preprocessor rules in the intrusion policy
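The detection logic this scenario exercises, as an added example that is not part of the lab or of Snort: a sliding-window port-scan and port-sweep detector run over constructed connection records. The thresholds (20 ports, 10 hosts, 60 s), the record format and the sample records are assumptions; the addresses reuse the lab's Kali Outside host and the AD server's NAT address so the output lines up with the connection events seen in the FMC.

```python
"""Port-scan and port-sweep detection over connection events.

Added example for Scenario 13; this is not Cisco or Snort code. It shows the
kind of logic the Snort 2 portscan preprocessor (GID 122) and the Snort 3 /
LINA port-scan detector apply: one source touching many distinct ports on one
host inside a short window is a port scan, one source touching one port on
many hosts is a port sweep. Thresholds, window and record format are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = 20          # assumed: distinct destination ports on one host within WINDOW
SWEEP_HOSTS = 10         # assumed: distinct hosts on one destination port within WINDOW
WINDOW = timedelta(seconds=60)


def parse_event(line):
    """Parse a constructed record: '<ISO time> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def _distinct_in_window(events, now, value):
    """Append (now, value), drop entries older than WINDOW, return the distinct count."""
    events.append((now, value))
    cutoff = now - WINDOW
    while events and events[0][0] < cutoff:
        events.pop(0)
    return len({v for _, v in events})


def detect(lines):
    """Return alerts as (kind, src, target, count); at most one alert per source/target pair."""
    records = sorted((parse_event(ln) for ln in lines if ln.strip()), key=lambda r: r[0])
    by_host = defaultdict(list)   # (src, dst)   -> [(ts, dport)]
    by_port = defaultdict(list)   # (src, dport) -> [(ts, dst)]
    alerts, fired = [], set()
    for ts, src, dst, dport, proto in records:
        if proto != "tcp":        # UDP/ICMP scans need their own counters; omitted here
            continue
        n = _distinct_in_window(by_host[(src, dst)], ts, dport)
        if n >= SCAN_PORTS and ("portscan", src, dst) not in fired:
            fired.add(("portscan", src, dst))
            alerts.append(("portscan", src, dst, n))
        m = _distinct_in_window(by_port[(src, dport)], ts, dst)
        if m >= SWEEP_HOSTS and ("portsweep", src, dport) not in fired:
            fired.add(("portsweep", src, dport))
            alerts.append(("portsweep", src, dport, m))
    return alerts


def _sample():
    """Constructed connection records mirroring the lab: Kali Outside scanning the AD NAT address."""
    t0 = datetime(2024, 9, 19, 10, 0, 0)

    def rec(sec, src, dst, port):
        return f"{(t0 + timedelta(seconds=sec)).isoformat()} {src} {dst} {port} tcp"

    lines = [rec(i, "198.18.133.200", "198.18.133.100", i + 1) for i in range(30)]          # nmap -p- style
    lines += [rec(i * 5, "198.19.10.200", "198.19.10.100", p) for i, p in enumerate((443, 443, 389))]  # benign client
    lines += [rec(300 + i, "198.18.133.200", f"198.18.133.{10 + i}", 445) for i in range(12)]  # SMB sweep
    return lines


SAMPLE = _sample()

if __name__ == "__main__":
    for kind, src, target, count in detect(SAMPLE):
        print(f"{kind}: {src} -> {target} ({count} distinct within {WINDOW.seconds}s)")
```

The scan from 198.18.133.200 fires as soon as the 20th distinct port on 198.18.133.100 is seen, while the three benign connections never do. Both the Snort 2 preprocessor and the LINA detector use the same idea with a tunable sensitivity; the corollary is that a scan slow enough to stay under the threshold inside the window (nmap --scan-delay or -T0) goes unnoticed, which is why the lab's nmap -p- run, 65535 ports in a few minutes, is easy to catch and why the sensitivity setting matters in production.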

© 2024 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 115 of 129

Cisco Confidential
Cisco dCloud

Scenario 14 Application Programming Interface (API)

The purpose of this lab is to explore the Cisco Firewall Management Center Open API Specification. There are several ways to
access the API, but for this lab we will be using the api-explorer.

Steps

Verify that at a minimum NGFW1 is registered on the FMC:

Devices > Device Management

Next, connect to the API Explorer.

From the Chrome browser click on the API Explorer tab.

Login: restapiuser/C1sco12345

1. Go to Devices
a. Get the Device records for NGFW1
i. GET /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords

Get the Physical Interfaces for NGFW1 and view the results

ii. GET /api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords/{containerUUID}/physicalinterfaces (the container UUID is the NGFW1 device record id returned by the previous call)


1. NGFW1:
a. Example GigabitEthernet0/0: 00505697-87B7-0ed3-0000-339302416649
b. Example GigabitEthernet0/1: 00505697-87B7-0ed3-0000-339302416650
c. Example GigabitEthernet0/2: 00505697-87B7-0ed3-0000-339302416651
d. Example GigabitEthernet0/3: 00505697-87B7-0ed3-0000-339302416652
2. Go to Policy
a. Get a list of Access Control Policies
i. GET /api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies
ii. Note the Base_Policy UUID:
3. Go to Policy Assignments
a. GET /api/fmc_config/v1/domain/{domainUUID}/assignment/policyassignments
b. Verify the Base_Policy UUID matches the result from the previous step:
4. Go to Policy
a. GET /api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies/{containerUUID}/accessrules
i. The Domain UUID is already filled in
ii. For the Container UUID use the Base_Policy UUID noted in step 2:
iii. Note the ID for Allow Outbound:
iv. Note the ID for Allow East-West:
5. Go to Object
a. You will now post some objects
i. POST /api/fmc_config/v1/domain/{domainUUID}/object/fqdns
1. In the “name” field type “7.4_LAB”
2. Try it out > Execute
ii. POST /api/fmc_config/v1/domain/{domainUUID}/object/ipv4addresspools
1. Select Example 2
2. In the “name” field type “7.4_LAB_Test_Pool”
3. Try it out > Execute
6. Verify


a. FMC > Object > Object Management > Network > Filter > 7.4
b. FMC > Object > Object Management > Address pools > IPv4 Pools > 7.4_LAB_Test_Pool
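The same calls this scenario makes through api-explorer, scripted in Python as an added example (this is not Cisco code). The token exchange and the fmc_config paths are the documented FMC REST API; the FMC address in FMC_HOST and skipping certificate verification for the lab CA are assumptions. The helper functions are kept pure so the URL building, header parsing and name lookup can be checked without an FMC.

```python
"""Script the Scenario 14 FMC REST calls instead of clicking through api-explorer.

Added example; not Cisco code. The token exchange (HTTP Basic POST to
/api/fmc_platform/v1/auth/generatetoken, then the X-auth-access-token,
X-auth-refresh-token and DOMAIN_UUID response headers) and the
/api/fmc_config/v1 paths are the documented FMC API. FMC_HOST and the
VERIFY_TLS choice are lab assumptions.
"""
import base64
import json
import ssl
import urllib.request

FMC_HOST = "198.18.133.10"          # assumed: replace with the lab FMC address or name
USER, PASSWORD = "restapiuser", "C1sco12345"
VERIFY_TLS = False                  # lab FMC presents a lab-CA certificate; set True in production


def api_url(host, path, domain_uuid=None):
    """Build an absolute FMC URL, substituting {domainUUID} when a domain is known."""
    if domain_uuid:
        path = path.replace("{domainUUID}", domain_uuid)
    if not path.startswith("/"):
        path = "/" + path
    return f"https://{host}{path}"


def basic_auth_header(user, password):
    """Authorization header for the only call that needs the password: generatetoken."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def session_from_headers(headers):
    """Pull access token, refresh token and global domain UUID out of the generatetoken response."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "token": h["x-auth-access-token"],
        "refresh": h["x-auth-refresh-token"],
        "domain": h["domain_uuid"],
    }


def find_by_name(listing, name):
    """Return the item called `name` from an FMC list response ({"items": [...]}), or None."""
    return next((i for i in listing.get("items", []) if i.get("name") == name), None)


def _tls_context():
    ctx = ssl.create_default_context()
    if not VERIFY_TLS:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def login(host=FMC_HOST, user=USER, password=PASSWORD):
    req = urllib.request.Request(
        api_url(host, "/api/fmc_platform/v1/auth/generatetoken"),
        method="POST", headers=basic_auth_header(user, password))
    with urllib.request.urlopen(req, context=_tls_context()) as resp:
        return session_from_headers(resp.headers)


def get(sess, host, path, query=""):
    """Authenticated GET; every call after login carries the token, never the password."""
    req = urllib.request.Request(
        api_url(host, path, sess["domain"]) + query,
        headers={"X-auth-access-token": sess["token"], "Accept": "application/json"})
    with urllib.request.urlopen(req, context=_tls_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    sess = login()
    devices = get(sess, FMC_HOST, "/api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords")
    ngfw1 = find_by_name(devices, "NGFW1")
    ifaces = get(sess, FMC_HOST,
                 f"/api/fmc_config/v1/domain/{{domainUUID}}/devices/devicerecords/{ngfw1['id']}/physicalinterfaces")
    for i in ifaces.get("items", []):
        print("interface", i["name"], i["id"])
    policies = get(sess, FMC_HOST, "/api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies")
    base = find_by_name(policies, "Base_Policy")
    rules = get(sess, FMC_HOST,
                f"/api/fmc_config/v1/domain/{{domainUUID}}/policy/accesspolicies/{base['id']}/accessrules")
    for r in rules.get("items", []):
        print("rule", r["name"], r["id"])
```

Access tokens are valid for 30 minutes and the refresh token may be used at most three times before generatetoken must be called again, and the FMC rate-limits API calls, so cache the token rather than logging in per request. Keep the password out of the script (environment variable or secret store): once a token is issued the password is not needed for any further call, and a script with VERIFY_TLS = False and a hard-coded credential for an Administrator-role account is exactly what an attacker hopes to find on a jump host.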


Scenario 15. Cisco Threat Intelligence Director (CTID)


This exercise consists of the following tasks.

• Upload a list of URLs to CTID that will trigger an Incident

• Generate CTID incidents

The CTID is a component of the FMC that can consume third party cyber threat intelligence indicators; CTID parses these
indicators to produce observables that can be detected by the NGFW. The NGFW reports detection of the observables to CTID.
Then CTID determines whether the observations constitute an incident.

Two file formats are supported.

Flat files - Lists of simple indicators such as IP addresses, URLs or SHA256 hashes.

STIX files - XML files that can describe simple or complex indicators.

There are three ways these files can be retrieved:

• Uploaded from the computer where the FMC UI is running.

• Retrieved from a URL on a remote web server.

• Received from a TAXII feed (STIX files only).

The objective of this exercise is to configure and test CTID.

Steps

Confirm that CTID will publish observables to NGFW1

1. Navigate to Policies > Access Control > Access Control.

2. Edit Base_Policy > More > Advanced Settings

3. Under Threat Intelligence Director, confirm that it is enabled. CTID can be enabled or disabled per access control policy.


4. Navigate to Integration > Intelligence > Elements.

5. Confirm that NGFW1 is listed as an element. An element is a device that CTID can publish observables to, whatever the source
of the indicators (for example a STIX file retrieved from a web server).

6. Integration > Intelligence > Settings

NOTE: The CTID can be enabled or disabled globally. Clicking Pause will stop the CTID publishing to all elements.

7. Navigate to Integration > Intelligence > Sources.

8. Upload a list of URLs to CTID that will trigger an Incident.

a. Navigate to Integration > Intelligence > Sources. Click the plus sign (+) on the right to add an intelligence source.

b. For DELIVERY, select Upload.

c. For TYPE, select Flat File. The CONTENT drop-down list will appear.

d. For CONTENT, select URL.

e. Click in the FILE area and select URL_LIST.txt from the Jumpbox > Desktop > Files folder

f. For NAME, enter url list.

g. For ACTION, select Block.


9. Click Save.

10. Navigate to Integration > Intelligence > Sources, then click Observables. Confirm that two observables of type URL have
been added.

Generate CTID incidents

1. It can take several minutes for the observables to be published to the sensor. In this step, you will see how to confirm the
publication of a particular observable. In the NGFW1 CLI, perform the following:

2. Type expert to get into expert mode.

3. Type ls -d /var/sf/*download.

NOTE: Several directories are listed:

admin@ngfw:~$ ls -d /var/sf/*download
/var/sf/clamupd_download
/var/sf/cloud_download
/var/sf/iprep_download
/var/sf/sidns_download
/var/sf/sifile_download
/var/sf/siurl_download

Four of these (iprep_download, sidns_download, sifile_download and siurl_download) are used by Security Intelligence and CTID.

4. Type grep developmentserver /var/sf/*download/*lf.

5. You should see a type URL CTID observable:
/var/sf/siurl_download/731625d4-9512-11e7-915c-7e7252ae92ac.lf:developmentserver.com/misc/Tron.html/


NOTE: If you do not, wait a minute and try again. You must wait for this to be published before you go on.

6. Type exit to exit expert mode.

On the Kali Inside Linux server CLI:


1. Run wget -t 1 outside/files/ProjectX.pdf. This should succeed.

2. Run wget -t 1 developmentserver.com/misc/Tron.html. This should be blocked.

3. On the FMC, navigate to Integration > Intelligence > Incidents. Confirm that there is an incident.
a. You might have to refresh a few times.

4. Confirm that the incident is for a URL indicator.

5. Drill down into the incident and observe the details for this incident.


Appendix A. FMC Pre-configuration


After the initial installation, several configuration steps were performed on the FMC to expedite the lab exercises. These
configuration steps are detailed in this appendix.

• Configuration A1,1: NTP settings

• Configuration A1,2: Demo file policy

• Configuration A1,3: Demo intrusion policy

• Configuration A1,4: Demo SSL policy

• Configuration A1,5: Custom detection list

• Configuration A1,6: Add restapiuser

• Configuration A1,7: Install server certificate

Steps

Configuration A1,1: NTP settings

1. Configure NTP settings on the FMC.

a. In the FMC, navigate to System > Configuration.

b. Select Time Synchronization from the left-side navigation pane.

c. Replace the default NTP server with 198.18.128.1.

d. Click Save.


Configuration A1,2: Demo file policy

1. Navigate to Policies > Access Control > Malware & File.

2. Click New File Policy. Enter a name Demo File Policy. Click Save.

3. Click Add File Rule. This rule will block malware found in files MSEXE, MSOLE2, NEW_OFFICE and PDFs.

4. For Action select Block Malware.

5. Check the Spero and Local Malware Analysis checkboxes.

6. Under File Type Categories, check Dynamic Analysis Capable. Note that several file types belong to this category. Click
Add.

7. Your screen should look like the figure below.

8. Click Save. Ignore the warning and click OK, when prompted.

9. Click Add File Rule. This rule will block RIFF files. You will use an AVI file to test this rule, since an AVI file is a type of RIFF
file. Note that AVI is not listed separately as a file type.

10. For Action select Block Files.

11. Under File Types, type rif into the search box. Select RIFF from the list. Click Add.

12. Use default values for other settings. Your screen should look like the figure below.

13. Click Save.


NOTE: You cannot change the order of the rules you create, and the order does not matter: the action of a rule determines its
precedence. The precedence of actions is as follows.

1 - Block Files
2 - Block Malware
3 - Malware Cloud Lookup
4 - Detect Files

14. Select the Advanced tab. Confirm that Enable Custom Detection List is selected.

15. Check the Inspect Archives checkbox.

NOTE: Archives that cannot be inspected are corrupt archives, or archives whose nesting depth exceeds the Max Archive Depth.

16. Click the Save button in the upper-right to save the file policy.

Configuration A1,3: Demo intrusion policy

1. Navigate to Objects > Intrusion Rules. Click Import Rules.

a. Select the Rule update or text rule file to upload and install radio button.

b. Click Browse, and open the Snort_Rules.txt file in the Files folder of the Jump desktop.

NOTE: This file contains 2 simple Snort rules that are useful for testing IPS. They do not resemble published Snort rules.

alert tcp any any -> any any (msg:"ProjectQ replaced"; content:"ProjectQ"; replace:"ProjectR"; sid: 1001001; rev:1;)
alert tcp any any -> any any (msg:"ProjectZ detected"; content:"ProjectZ"; sid: 1001002; rev:1;)

The first rule replaces the string ProjectQ with ProjectR (replace only takes effect inline, and the replacement must be the same
length as the matched content). The second detects the string ProjectZ. Since the rules match any TCP traffic on any port and do
not constrain where the string sits in the flow, they are expensive and prone to false positives and could cause issues in a
production deployment.

c. Click Import. The import process will take a minute or two. When it completes you will see the Rule Update Import
Log page. Confirm that 2 rules were successfully imported.

2. Navigate to Policies > Access Control > Intrusion.

3. Click Create Policy.

a. Set Name to Demo Intrusion Policy.

b. Make sure that Drop when Inline is checked.

c. Select Balanced Security and Connectivity as Base Policy.


d. Click Create and Edit Policy.

4. You will now modify the rules states for this new policy.

a. Click Rules under Policy Information menu on the left-hand side of the Edit Policy page.

b. Select local from the Category section of the rules. You should see the 2 uploaded rules. The light green arrows on
the right of each rule indicate that the rules are disabled for this policy.

c. Check the checkbox next to the first rule. Select Generate Events from the Rule State drop-down menu. Click OK.
Uncheck the checkbox next to the first rule.

d. Check the checkbox next to the second rule. Select Drop and Generate Events from the Rule State drop-down menu.
Click OK.

e. Clear the filter by clicking on the X on the right side of the Filter text field.

f. Select SID from the Rule Content section of the rules. Enter 336 into the Enter the SID filter popup. Click OK.
g. Check the checkbox next to the rule. Select Drop and Generate Events from the Rule State drop-down menu. Click
OK.

NOTE: This rule looks for a change to the root home directory (CWD ~root) in FTP traffic on port 21. As written it only looks for
traffic coming from the external network, but in our lab we use the default value of $EXTERNAL_NET, which is any, so the rule
can be triggered in both directions.

An interesting exercise would be to modify this rule to search FTP traffic in any direction, and to use the appid attribute to detect
FTP traffic on any port.

h. Click Policy Information in the menu on the upper-left.

i. Click Commit Changes.

j. Click OK.


Configuration A1,4: Demo SSL policy

1. Navigate to Objects > Object Management > PKI > Internal CAs.

a. Click Import CA.

b. For Name, enter Verifraud.

c. Click the Browse button to the right of the text Certificate Data or, choose a file.

d. Browse to the Certificates folder on the Jump desktop.

e. Upload Verifraud_CA.cer.

f. Click the Browse button to the right of the text Key or, choose a file.

g. Upload Verifraud_CA.key.

h. Click Save.

2. You will exempt from decryption infrastructure devices, such as the FMC and AMP Private Cloud. To do this, create a network
object that includes these devices.

a. Navigate to Objects > Object Management > Network.

b. Click Add Network > Add Object.

c. For Name, enter Infrastructure.

d. For Network, enter 198.19.10.80-198.19.10.130.

e. Click Save to save the network object.

3. Navigate to Policies > Access Control > SSL.

a. Click the text Add a new policy or click the New Policy button.

b. For Name, enter Demo SSL Policy.

c. Leave the default action at Do not decrypt.

d. Click Save. Wait a few seconds, and the policy will open for editing.

4. Click Add Rule.

a. For Name, enter Exempt Infrastructure.

b. Leave Action set to Do Not decrypt.

c. In the Networks tab, under Networks, select Infrastructure, and click Add to Source.

d. Click Add to add this rule to the SSL policy.

5. Click Add Rule.

a. For Name, enter Decrypt Search Engines.

b. Set Action to Decrypt - Resign.

c. Select Verifraud from the drop-down list to the right of the word with.

d. In the Applications tab, under Application Filters, search for Sear. You will see Search Engine under Categories.
Check this checkbox, and click Add to Rule.
e. Select the Logging tab, and check the Log at End of Connection checkbox.


f. Click Add to add this rule to the SSL policy.

6. Click Add Rule.

a. For Name, enter Decrypt Other.

b. Set Action to Decrypt - Resign.

c. Select Verifraud from the drop-down list to the right of the word with.

d. Select the Logging tab, and check the Log at End of Connection checkbox.

e. Click Add to add this rule to the SSL policy.

7. Click Save to save the SSL policy.

NOTE: The Replace Key checkbox deserves explanation. Whenever the action is set to Decrypt - Resign, Firepower replaces the
server's public key and re-signs the certificate with the selected internal CA. The Replace Key checkbox determines how the
decrypt action is applied to self-signed server certificates.

If Replace Key is deselected, self-signed certificates are treated like any other server certificate: Firepower replaces the key and
re-signs the certificate with the internal CA. Since the endpoint is normally configured to trust that CA, it will trust the re-signed
certificate, and the user loses the warning the original self-signed certificate would have produced.

If Replace Key is selected, self-signed certificates are treated differently: Firepower replaces the key and generates a new
self-signed certificate. The browser on the endpoint will show a certificate warning.

In other words, checking the Replace Key checkbox makes the resign action preserve the lack of trust in self-signed certificates.

Configuration A1,5: Custom detection list

There is a harmless file called Zombies.pdf that will trigger a malware event, assuming the cloud lookup succeeds. Sometimes labs
have issues with cloud connectivity. Therefore, this is added to the custom detection list to ensure it will trigger a malware event.

1. Navigate to Objects > Object Management > File List.

2. Click the pencil icon to edit the Custom-Detection-List.

a. Select Calculate SHA from the Add by drop-down list.

b. Click Browse.

c. Browse to the Files folder on the Jump desktop.

d. Select Zombies.pdf, and click OK.

e. Click Calculate and Add SHAs.

f. Click Save.

Configuration A1,6: Add restapiuser

It is convenient to have a separate user for the API Explorer. This allows use of both the FMC UI and the API Explorer at the
same time without the two sessions interfering with each other.

1. Navigate to System > Users. Click Create User.

a. For User Name, enter restapiuser.


b. For Password, enter C1sco12345 and confirm the password.

c. Set Maximum Number of Failed Logins to 0. This disables account lockout so that a mistyped script cannot lock the lab user
out; do not do this for an API user in production.

d. Check the Administrator checkbox. In production, give an API user the least-privileged role that covers the calls it needs.

Configuration A1,7: Install server certificate

By default the FMC UI uses a self-signed certificate. This is replaced by a certificate signed by the pod AD server, which the Jump
browsers trust.

1. Navigate to Objects > Object Management > PKI > Trusted CAs.

a. Click Add Trusted CA.

b. For Name, enter dCloud.

c. Click the Browse button to the right of the text Certificate Data or, choose a file.

d. Browse to the Certificates folder on the Jump desktop.

e. Upload AD-ROOT-CA-CERT.cer.

f. Click Save.

Connect to the FMC CLI via SSH. Become root by typing sudo -i. The sudo password is C1sco12345.
g. Type cd /etc/ssl and then type cp server* /root.

h. Type cat > /etc/ssl/server.crt

i. From the Certificates folder on the Jump desktop edit the file fmc.cer with Notepad++.

j. Select all, and then copy and paste into the FMC CLI

k. Type Ctrl+D.

l. Type cat > /etc/ssl/server.key

m. From the Certificates folder on the Jump desktop edit the file fmc.key with Notepad++.

n. Select all, and then copy and paste into the FMC CLI

o. Type Ctrl+D.

p. Type pmtool restartbyid httpsd.
