
Firewall 7.4 Basic Lab 240709 301 No CTF Final

The document provides a comprehensive guide for the Cisco Secure Firewall 7.4 Basic Lab, detailing requirements, solution overview, and multiple configuration scenarios for managing network security using Cisco Firepower. It includes step-by-step instructions for setting up the Firepower Management Center (FMC), configuring various security features, and integrating with Active Directory for user authentication. The lab aims to equip IT teams with the skills needed to effectively manage and respond to modern cybersecurity threats using Cisco's integrated security solutions.


Cisco dCloud

Cisco Secure Firewall 7.4 Basic Lab v3.3


Last Updated: 09-JULY-2024

dCloud: The Cisco Demo Cloud

About This Demonstration


The guide for this preconfigured demonstration includes:

• Requirements

• About This Solution

• Topology

• Get Started

• Scenario 1: Configure FMC

• Scenario 2: Basic Configuration

• Scenario 3: NAT and Routing

• Scenario 4: FTD Upgrade

• Scenario 5: Prefilter Policies

• Scenario 6: Fully Qualified Domain Name NAT

• Scenario 7: Integrated Routing and Bridging (IRB)

© 2024 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 101

Cisco Confidential
Cisco dCloud

Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements

Required: Laptop
Optional: Cisco AnyConnect®

About This Solution


IT teams have been asked to manage security using a patchwork of siloed point products, starting with legacy next-generation
firewalls (NGFW), which were created with a focus on application control and bolted-on, best-effort threat protection. As such, these
legacy NGFWs are unable to provide an enterprise with the contextual information, automation, and prioritization that it needs to
handle today’s modern threats.

Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built
platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your
organization’s security policy, your guidelines for protecting your network.

This allows the Cisco Firepower NGFW to evolve with a focus on enabling enterprises to stop, prioritize, understand, and automate
responses to modern threats in real time. Firepower NGFW is unique in its threat focus, with a foundation of comprehensive
network visibility, best-of-breed threat intelligence and highly effective threat prevention to address both known and unknown
threats. Firepower NGFW also enables retrospective security, through Advanced Malware Protection, that can “go back in time” to
quickly find and remediate sophisticated attacks that may have slipped through defenses. This has led to a significant reduction in
time-to-detection (TTD) for Cisco customers compared to industry averages.

In this lab you will build a multi-site Next Generation Firewall (NGFW) solution between a corporate site and two branch
sites. Using the Firepower Management Center (FMC) you will build high-availability NGFWs at the corporate site and manage
a branch. In this lab you will also configure an NGFW using the FDM (Firepower Device Manager). You will also configure remote
access and site-to-site VPNs. You will also configure Cisco Threat Intelligence Director to accept and implement third-party
updates to your NGFW devices.


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology


Get Started
For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How].

• Jump PC 1: 198.18.133.50, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.


Scenario 1. Configure FMC Flag


You have been assigned as the Field Engineer to implement the Firepower Management Center and Firepower Threat Defense
appliances for your customer. You will now go through the configuration steps on the FMC to prepare it for managing the FTD
appliance. In this scenario, your customer has performed the initial appliance load and bootstrap to get it on the network but has
not completed any of the required configuration to move forward and use the appliance in production.

NOTE: Because the equipment you are working with in this lab is hosted in a remote virtual environment in dCloud, some aspects
of initial device configuration cannot be experienced. This lab steps you through the deployment of a new FMC and FTD appliance
as closely as possible. The FMC has been deployed as a VM, has had an IP address assigned to it, has had a certificate installed,
and has been licensed. The FTD virtual machine, NGFW1, has been deployed as a VM and has an IP address assigned to its
management interface.

Steps

Quick Launch

1. This lab guide references connections using the Quick Launch.

2. If you would like to disable it for the duration of the lab, click on the [X] at the top right of the screen

FMC Access

1. Click on the FMC Access > FMC Web icon


NOTE: To access the FMC manually in case the browser does not open by default, navigate to https://fmc.dcloud.local

2. Log in to the FMC using the credentials below and click the Log In button. The password may be saved in the browser. If
so, then click the Log In button and proceed.

• Username: admin
• Password: C1sco12345

You are presented with the Summary Dashboard screen. There will not be many items with data on the screen as there are no
devices added to the FMC at this point in the implementation.


NOTE: The menus across the top of the screen will be used in configuring the features and settings used by the devices managed
from the FMC as well as reviewing event and security data being reported by devices the FMC manages. You will now use the
System menu represented by the gear icon in the top right of the screen to make configuration changes for the FMC itself.

Configure FMC Settings

1. In the top right corner of the FMC user interface click the System menu represented by the gear icon and select Configuration

2. On the left window select Information

3. Select Management Interfaces from the left window pane


4. Review the configuration items on this page but do not make any changes. This is where items such as the management
interface IP address, routes, DNS hostname, DNS domain, DNS Server settings, and Remote Management Port are
configured.

NOTE: In a customer deployment, you would obtain the hostname, domains, and DNS server settings from the customer and
specify the values here so the FMC can resolve DNS names. The hostname is also important when dealing with certificates for the
FMC as the common name of the certificate must match the hostname in order for the certificate to be recognized as valid.

5. On the left window pane select Time Synchronization

NOTE: The FMC can function as a time source for managed devices. In this lab environment, the time and NTP settings are
preconfigured to help ensure the lab environment is functional. In a customer deployment, you would configure these settings to
have a reliable trusted customer time source added to the list of NTP servers to ensure the FMC has correct time.

6. Review the settings on the page, do not make any changes at this time, continue with the lab.

7. Review the HTTPS certificate for the FMC. From the left window pane select HTTPS Certificate.

This is the certificate generated by the Certificate Authority in the lab and preconfigured for lab purposes. In a customer
environment a best practice would be to replace the default self-signed certificate with a certificate generated by a trusted
Certificate Authority. Review the settings and proceed with the lab.

NOTE: The FMC can generate a Certificate Signing Request (CSR) to submit to a Certificate Authority (CA) or if a certificate was
already generated for the FMC it can be imported from this screen as well.


8. Configure SNMP on the FMC so that it can be polled by the customer’s monitoring system for status and performance. From
the left window panel select SNMP.


9. For the SNMP Version settings choose Version 3 and click Add User

10. Configure the following SNMPv3 user settings:

Username: fmcsnmp
Authentication Protocol: SHA
Authentication Password: C1sco12345
Verify Password: C1sco12345
Privacy Protocol: AES128
Privacy Password: C1sco12345
Verify Password: C1sco12345

11. Click Add

NOTE: In your customer environment you should use values provided by your customer to match their SNMP polling
settings. A best practice is to use SNMPv3 with Authentication and Privacy protocols enabled and complex passwords.


12. The SNMP v3 user will appear in the list. The FMC can be polled for health and performance statistics. Click Save


FMC Device Health Monitoring

1. Go to System > Health > Policy

2. Edit the Firewall Threat Defense Health Policies dCloud-Health by clicking on the pencil icon

3. Verify CPU > CPU Usage (per core) is enabled

Configure Scheduled Tasks

In this section you will configure the FMC to automate some tasks that can be run on a schedule. This will include updating the
CRL (Certificate Revocation List), and the VDB (Vulnerability Database).

1. Log in to the FMC as admin / C1sco12345

2. Select the gear icon at the top right, then Tools > Scheduling


3. Click Add Task

4. Fill in the following:

a. Job Type: Download CRL

b. Schedule task to run: Recurring

c. Start On: (enter tomorrow’s date)

d. Repeat Every: 1 Day

e. Run At: 10:00 pm

f. Job Name: Download CRL

g. Comment: Nightly download of CRL

5. Click Save


6. You will see that the task has been added to the calendar.


7. Click Add Task

a. Job Type: Download Latest Update

b. Schedule task to run: Recurring

c. Start On: (enter tomorrow’s date)

d. Repeat Every: 1 Day

e. Run At: 1:00 am

f. Job Name: Daily VDB Download

g. Update Items: Vulnerability Database

h. Comment: Download the latest copy of the VDB

i. Click Save

8. You will see the task added to your calendar.

9. Click Add Task

a. Job Type: Update URL Filtering Database (click OK to the warning regarding deploying the updates if prompted)

b. Schedule task to run: Recurring

c. Start On: (enter tomorrow’s date)

d. Repeat Every: 1 Day

e. Run at: 9:00 pm

f. Job Name: Daily URL DB Update

g. Comment: Daily update for the URL filtering database

h. Click Save


10. Click New Task

a. Job Type: Deploy Policies

b. Schedule task to run: Recurring

c. Start On: (enter tomorrow’s date)

d. Repeat Every: 1 Day

e. Run At: 11:30 PM

f. Job Name: Policy Deployment

g. Devices: All devices

h. Comment: Daily policy deployment

i. Click Save (If you receive an error stating no sensor(s) selected, click on All devices and try again)

11. Check the calendar

Configure External Authentication

Your customer has requested that you configure the FMC to allow user accounts in their Active Directory instance to authenticate
to the FMC. Specifically, any user in the IT group in AD should be logged in to the FMC as an administrator. You will now configure
the FMC to allow user accounts in the customer’s Active Directory instance to authenticate to the FMC.

1. Click the System gear icon and select users

2. Select External Authentication and Add External Authentication Object


3. Use the following values to configure the External Authentication Object. If a value for a setting is not specified then leave the
default value and do not modify it.

a. Authentication Method: LDAP

b. Name: dcloud-AD

c. Description: Active Directory

d. Server type: MS Active Directory

e. Primary Server: 198.19.10.100

f. Port: 389

4. Click the Fetch DNs button and select DC=dcloud,DC=local as the Base DN

5. Enter the following:

a. Username: dcloud0\administrator

b. Password: C1sco12345

c. Confirm Password: C1sco12345

d. Click Show Advanced Options and check that the fields match below


NOTE: In your customer environment a user account (service account) dedicated to the FMC’s Active Directory queries should be
used instead of the actual “administrator” account. No special permissions are required in AD for the account to function correctly.
Additionally, it is a best practice to use encryption (Secure LDAP runs on port 636) if the customer’s domain controllers have a
certificate installed, so that usernames and passwords are not sent in clear text across the network.

6. In the Attribute Mapping section click the Fetch Attrs button, and select sAMAccountName from the drop-down list

7. In the CLI Access Attribute field, enter sAMAccountName (be aware of capitalization).

8. Expand the Group Controlled Access Roles


9. In the Administrator field enter the LDAP distinguished name of the IT group in Active Directory
a. CN=IT,CN=Users,DC=dcloud,DC=local

10. In Group Member Attribute field enter member


11. In CLI Access Filter click Same as Base Filter


12. In Additional Test Parameters:

a. Username: rita

b. Password: C1sco12345

13. Click Test

14. Click Save


15. Click the toggle setting under the Enabled column to change the setting from disabled (grey) to enabled (blue)



16. Click Save and Apply

17. For External Authentication Click Apply Changes


18. In the top right corner of the FMC user interface click the System menu represented by the gear icon and select Users

19. Look at the users; you will see admin and restapiuser

20. Click on admin and then log out

21. Test the Active Directory Login


a. Username: rita
b. Password: C1sco12345


22. Check the login

23. Click on the Gear Icon and select Users


24. Under Username you will now see rita

25. Log out and log in as admin / C1sco12345


Scenario 2. Basic Configuration


This exercise consists of the following tasks:

• Create objects needed for the exercise

• Modify the access control policy

• Create NAT policies

• Configure Branch1 FTD Using FMC

• Remote Deployment of Branch1 FTD

• Configure FTD Using FDM

• Deploy the Configuration changes

• Modify the network discovery policy

• Deploy the configuration changes

The objective of this exercise is to deploy a simple, but effective, NGFW configuration:

• Allow outbound connections, and block other connection attempts

• Perform file type and malware blocking on these outbound connections

• Provide intrusion prevention on these outbound connections

Steps

Create objects needed for the exercise.

1. On the FMC, select Objects > Object Management.

2. Select Interface from the left navigation panel

NOTE: There are two types of interface objects: security zones and interface groups. The key difference is that interface groups
can overlap. Only security zones can be used in access control policy rules.

Verify and create the Security Zone objects that will be added to the interfaces.

Verify that InZone, OutZone, and Passive are already there.


Create a Security Zone named InZone1.

a. Click Add and select Security Zone

Name: InZone1. Select Routed from the Interface Type drop-down menu and click Save

b. Create Security Zones named InZone2, InZone3 and InZone4, all Routed.

Configure the FTD

1. On the Quick Launch Bar Select NGFW-1


2. Type: show network

a. This shows system information as well as the management network configuration.

3. Type: configure manager add fmc.dcloud.local C1sco12345 [Enter] and wait for the response

4. From the FMC Click on Devices > Device Management


5. Select Add and Device

6. Configure the following:

a. Host: 198.19.10.81

b. Display Name: NGFW1

c. Registration Key: C1sco12345

d. Group: None

e. Access Control Policy [Create new policy]: Base_Policy [Save]

f. Smart Licensing: Select All

g. Unique NAT ID: [Leave Blank]


Note: The IP Address 198.19.10.81 is the Management Interface address that terminates the SF Tunnel. It was pre-configured
due to the limitations in the dCloud lab. In a customer environment you would configure the management address through the
wizard.

7. Click Register

You will see the following during registration.

8. Once NGFW1 has registered click on the Pencil icon to edit

9. Configuring the Interfaces. Click on the Pencil Icon on the GigabitEthernet0/0 Line


a. Name: Outside or Outside_Interface

b. Enabled: Checked

c. Security Zone: OutZone

d. Click the IPv4 tab. IP Address: 198.18.133.81 255.255.192.0 or 198.18.133.81/18

e. Click OK

10. Configure GigabitEthernet0/1 with the following values:

a. Name: in10

b. Enable: Checked

c. Security Zone: InZone1


d. IPv4: 198.19.10.1/24

e. Click OK

11. Configure GigabitEthernet0/2 to GigabitEthernet0/4 as follows:

a. GigabitEthernet0/2

i. Name: in20

ii. Security Zone: InZone2

iii. IP Address 198.19.20.1/24

b. GigabitEthernet0/3

i. Name in30

ii. Security Zone InZone3

iii. IP Address 198.19.30.1/24

c. GigabitEthernet0/4

i. Name in40

ii. Security Zone InZone4

iii. IP Address 198.19.40.1/24

12. Click Save

Configure the default route.

1. If currently not on the page in the FMC, select Devices > Device Management. Click on the pencil icon to edit the NGFW1
device settings.

The Interfaces tab should be selected. Confirm that the interfaces of NGFW1 have Security Zones configured

Select Routing > Static Route and click the Add Route button.

Select Outside or Outside_Interface in the Interface field.

Select any-ipv4 from available networks (This is the equivalent of a default route).


Click Add.

For Gateway click on the “+” icon to create a new object.

c. Select the “+” sign next to the Gateway* pull-down menu.

d. Name the object “HQ-WAN-GW” (you will be able to reuse this object later).

e. Enter the Network IP Address: 198.18.128.1 (this is the outside interface of the firewall facing the WAN).

f. Click Save.


Click OK to add the Static Route configuration.

Add another static route to the 11.11.60.0 network:

Interface: Outside or Outside_Interface

Available Networks: search for and select 11.11.60.0-24

Gateway (+): create a new object with Name: 198.18.133.60 and Host: 198.18.133.60, then click Save.

Click OK

Click Save.

Modify Network Discovery Policy

The default network discovery policy is configured to discover all applications, both internal and external. We want to add host
and user discovery. In a production environment, discovering every host can exceed the FMC Firepower host license. For this
reason, it is best practice to modify the policy.

1. From the menu, select Policies > Network Discovery.

a. Click the pencil icon to the right to edit the existing rule.

b. Check the Users checkbox. The Hosts checkbox will auto-check.

c. Delete both 0.0.0.0/0 and ::/0.

Create Lab_Networks

1. Name: Lab_Networks

2. Network: 198.18.0.0/15

3. Click Save


Add an Excluded Network

a. Click Add Rule

b. Click Exclude

c. Under the Networks Box

i. Type 11.11.60.0-24, then click Add and Save

ii. This will add a network that is excluded from Network Discovery

Click Save.


Click Deploy in the upper right-hand corner of the FMC.

a. For release 7.2 there is now an option to deploy all.

b. Optionally, click the Advanced Deploy link, check the NGFW device(s) and expand the list to see the details. The page
should look similar to the following picture. As of version 6.2.3 you will be alerted if there is a Snort
interruption. In addition, you will see what will cause the interruption. If you wish to deploy later, you can click
the Cancel button.

Click Preview to confirm that NGFW settings, interface and static route configuration and Objects will be modified.


c. Click OK then Click Device NGFW1 and Deploy. Wait until Deployment completes.

Modify an Access Control Policy

1. Click on Policies > Access Control

2. Double-click on Base_Policy or Click the Pencil Icon to edit the policy

a. Note that the only rule configured is the Default Action Block All Traffic


NOTE: The Default Action setting instructs the FTD what to do if no rule in the ACP matches the packet. The “Block all traffic”
setting is a default deny rule that blocks any packet not matching a rule in the ACP and is a security best practice. The “Intrusion
Prevention” setting runs the packet through the Snort IPS engine and if the packet is not blocked by the IPS engine then the
packet is allowed to pass through the firewall. The “Network Discovery” setting performs network discovery on the packet and
hosts involved then allows the packet through the firewall.

3. Click Add Rule

a. Name: Allow ICMP

b. Action: Allow

c. Insert: into Default

d. Zones:

i. Source: All InZones(1-4) (InZone1, InZone2, InZone3, InZone4)

ii. Destination: All InZones(1-4) and Outzone

e. Networks: Leave any any for now

f. Ports under Selected Destination Ports Click on Protocol click on ICMP

g. When box come up Type: Any and Add

h. Click Add and Apply


NOTE: Rules are divided into sets within a policy. Two sets are predefined:

• Mandatory rules, which take precedence over rules of child policies
• Default rules, which are evaluated after the rules of child policies

In this exercise, you will not create a child policy, but you will use the default rule set as a convenient way of making sure this rule
is evaluated last.

4. Your ACP should Look as follows:

5. Create a Rule that allows for Outbound Connectivity

a. Name: Allow Outbound

b. Zone: All InZones(1-4) to OutZone

c. Source Create Network Object: Corporate_LAN (198.19.10.0/24)


d. Ports add to Destination: HTTP/S, & FTP

e. Inspection: dCloud Balanced Intrusion and Block Malware File Policy (read the note about Snort 2 and
Snort 3)

f. Logging: End of the Connection

g. Click Apply

NOTE: The demo intrusion and file policies were pre-configured to save you time. See Appendix 1 in the Firepower Advanced Lab
Guide v3.2 for instructions on how to create these.

6. Select the More > HTTP Responses tab.


7. Select System-provided from the Block Response Page drop-down list.


8. Select the Advanced tab.

a. Click the pencil icon to edit the Transport/Network Layer Preprocessor Settings.

i. In the Maximum Active Responses text field, enter 25

ii. Click OK.

NOTE: Setting Maximum Active Responses to a value greater than 0 enables the Intrusion Policy drop (IPS) rules that drop
packets to send TCP resets to close the connection. Connections that do not trigger an IPS drop will be reset by the FTD if “block
with reset” is applied to the rule regardless of the settings of Maximum Active Responses or if it is a LINA-only drop such as a
Fastpath block. Typically, both the client and server are sent TCP resets. With the configuration above, the system can initiate up
to 25 active responses (TCP Resets) if it sees additional traffic from this connection.

In a production deployment, it is probably best to leave this set to the default. Then no resets are sent, and the malicious system
will not know that it has been detected. But for testing and demonstrations, it is generally better to send resets when packets match
drop rules.

9. Create a rule to allow outbound DNS

a. Name: Allow Approved DNS outbound

b. Insert: above rule 1

c. Zones: All InZones(1-4) to OutZone

d. Networks

i. Click Create Network Object


1. Name: host-ad1

2. Description: Active Directory and DNS server

3. Network: Host: 198.19.10.100

4. Save

ii. Click Create Network Object Group

1. Name: Authorized-Internal-DNS-Servers

2. Description: Internal DNS servers that are authorized to query external DNS

3. Network Objects: host-ad1 and Add

4. Save

iii. Available Networks select Authorized-Internal-DNS-Servers add to Source

iv. Click Ports tab, select DNS_over_TCP and DNS_over_UDP ports then click Add to Destination

v. Click Apply

vi. Click Save

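To check how the three rules built in this scenario interact with the Default Action, here is an added example (not Cisco or FMC code) that models the first-match evaluation described above (Mandatory set, then Default set, then the Default Action) and runs constructed sample flows through Base_Policy. The zone, object and rule names are taken from the lab; the Kali host address 198.19.10.200 and the external resolver 8.8.8.8 are assumed values.

```python
"""Model of the Scenario 2 Base_Policy rule order (added example, not FMC code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

IN_ZONES = frozenset({"InZone1", "InZone2", "InZone3", "InZone4"})
OUT_ZONE = frozenset({"OutZone"})

# Network objects as defined in the lab guide.
CORPORATE_LAN = [ip_network("198.19.10.0/24")]
AUTHORIZED_INTERNAL_DNS_SERVERS = [ip_network("198.19.10.100/32")]  # host-ad1

# Port objects as (protocol, port). ("icmp", None) stands for the "Any" ICMP entry of step 3g.
HTTP_S = {("tcp", 80), ("tcp", 443)}
FTP = {("tcp", 21)}
DNS = {("tcp", 53), ("udp", 53)}  # DNS_over_TCP and DNS_over_UDP
ICMP_ANY = {("icmp", None)}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                                   # "Allow" or "Block"
    src_zones: frozenset
    dst_zones: frozenset
    dst_ports: set                                # empty set = any port
    src_nets: list = field(default_factory=list)  # empty list = any source network

    def matches(self, f: Flow) -> bool:
        if f.src_zone not in self.src_zones or f.dst_zone not in self.dst_zones:
            return False
        if self.src_nets and not any(ip_address(f.src_ip) in n for n in self.src_nets):
            return False
        if self.dst_ports:
            if f.proto == "icmp":
                return ("icmp", None) in self.dst_ports
            return (f.proto, f.dst_port) in self.dst_ports
        return True


@dataclass
class AccessControlPolicy:
    mandatory: list
    default: list
    default_action: str = "Block All Traffic"

    def evaluate(self, f: Flow) -> tuple:
        """First match wins: Mandatory rules, then Default rules, then the Default Action."""
        for rule in self.mandatory + self.default:
            if rule.matches(f):
                return rule.name, rule.action
        return "Default Action", self.default_action


def base_policy() -> AccessControlPolicy:
    """Base_Policy after step 9: the DNS rule was inserted above rule 1 (Allow ICMP)."""
    allow_dns = Rule("Allow Approved DNS outbound", "Allow", IN_ZONES, OUT_ZONE,
                     DNS, AUTHORIZED_INTERNAL_DNS_SERVERS)
    allow_icmp = Rule("Allow ICMP", "Allow", IN_ZONES, IN_ZONES | OUT_ZONE, ICMP_ANY)
    allow_outbound = Rule("Allow Outbound", "Allow", IN_ZONES, OUT_ZONE,
                          HTTP_S | FTP, CORPORATE_LAN)
    return AccessControlPolicy(mandatory=[], default=[allow_dns, allow_icmp, allow_outbound])


# Constructed sample flows. The first two mirror the lab's ping/wget tests from the Kali host
# (Kali address assumed); 8.8.8.8 is an assumed external resolver.
SAMPLE_FLOWS = {
    "ping_from_kali": Flow("InZone1", "OutZone", "198.19.10.200", "198.18.133.200", "icmp"),
    "wget_from_kali": Flow("InZone1", "OutZone", "198.19.10.200", "198.18.133.200", "tcp", 80),
    "dns_from_ad1": Flow("InZone1", "OutZone", "198.19.10.100", "8.8.8.8", "udp", 53),
    "dns_from_client": Flow("InZone1", "OutZone", "198.19.10.200", "8.8.8.8", "udp", 53),
    # Blocked: Allow Outbound's source object is Corporate_LAN (198.19.10.0/24) only, as written in step 5c.
    "https_from_in20": Flow("InZone2", "OutZone", "198.19.20.5", "198.18.133.200", "tcp", 443),
    "ssh_outbound": Flow("InZone1", "OutZone", "198.19.10.200", "198.18.133.200", "tcp", 22),
    "inbound_https": Flow("OutZone", "InZone1", "198.18.133.200", "198.19.10.100", "tcp", 443),
}


def evaluate_samples() -> dict:
    """Return {flow name: (matching rule, action)} for every sample flow."""
    policy = base_policy()
    return {name: policy.evaluate(f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (rule, action) in evaluate_samples().items():
        print(f"{name:16} -> {action:18} ({rule})")
```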

Create NAT Policy

1. From the menu, select Devices > NAT.

a. Click the New Policy button, and select Threat Defense NAT.

2. For Name, enter Default PAT.

3. Select NGFW1, click Add to Policy, and then click Save.

a. Wait for the policy to open for editing.

4. Click Add Rule.

5. From the Insert drop-down lists, select In Category and NAT Rules After.

a. This places the rule in Section 3, so it is evaluated after the auto NAT (object NAT) rules in Section 2. Manual rules inserted
with NAT Rules Before land in Section 1 and are evaluated first.

6. Select Dynamic from the Type drop-down list.

a. You will be at the Interface Objects tab.

i. Select InZone1 and click Add to Source.

ii. Select OutZone and click Add to Destination.

7. Select the Translation tab.

a. Select Corporate_LAN from the Original Source drop-down list.

b. Select Destination Interface IP from the Translated Source drop-down list.

c. Click OK to save the NAT rule.

8. Create three more dynamic NAT rules in the same way, one each for InZone2, InZone3 and InZone4:

a. Source Interface Object: InZone2, InZone3 or InZone4
b. Destination Interface Object: OutZone
c. Original Source: any
d. Translated Source: Destination Interface IP

9. Click Save to save the NAT policy.


Deploy the Changes and Test

1. Deploy the changes to NGFW1 (ignore any warnings about an InZone not yet being assigned to an interface).

2. Test connectivity from the Kali Inside Linux server.

a. Open a session to Kali Inside Linux.

i. Type sudo -i

1. Password: C1sco12345

ii. Type ping 198.18.133.200 (the Outside host). This should succeed and confirms that ICMP is allowed.

iii. Type wget google.com. This should succeed and confirms NAT and routing to the Internet.

iv. Type wget outside. This should succeed.

v. Type ftp outside and log in as guest with password C1sco12345.

vi. Enter ls or dir to list the guest directory.
vii. Enter cd ~root. This is the request the intrusion policy is expected to flag.
viii. If the connection hangs, press Ctrl+C to break out.
ix. Type quit to exit FTP.
1. In the FMC, select Analysis > Intrusions > Events.
2. If the event does not show up, click Edit Search > Networking, set Source IP to 198.19.10.200 and click Search.

3. Click Table View of Events

NOTE: Observe that Snort rule 336 was triggered. In the dCloud Balanced Intrusion policy the state of this rule is set to Alert as a
rule override; it is disabled in the system-provided base policies such as Balanced Security and Connectivity.

NOTE: In a production environment, if events are not appearing, the first thing to check is time synchronization between the
NGFW and the FMC. In this lab it is more likely to be an issue with the eventing processes. If this happens, try restarting them as
follows.

On the NGFW CLI, enter expert mode and run the following command.

pmtool restartbytype EventProcessor

From the Jumper desktop, connect to the FMC using the pre-defined PuTTY session. Log in as admin/C1sco12345 and run the
following commands.

sudo pmtool restartbyid SFDataCorrelator

sudo pmtool restartbyid sftunnel

NOTE: The sudo password is C1sco12345.

4. Click Packets. The details of the event are presented: the message, the ingress and egress security zones, and the rule that
was triggered.

5. Test the file and malware blocking capabilities. The wget commands below can be copied from the file called Strings on the
Jump desktop.

6. From the Kali Inside Linux server, log in as root/C1sco12345.

a. As a control test, use wget to download a file that is not blocked: wget -t 1 outside/files/ProjectX.pdf. This should
succeed.

b. Next, attempt to download a file that is blocked by type: wget -t 1 outside/files/test3.avi.

NOTE: Very little of the file is downloaded. The NGFW identifies the file type from the signature in the first block of data, and the
Demo File Policy is configured to block AVI files, so the transfer is stopped almost immediately.

c. Finally, attempt to download malware: wget -t 1 outside/files/Zombies.pdf.

NOTE: About 99% of the file is downloaded. The NGFW needs the entire file to calculate its SHA-256 hash, so it forwards every
block but the last, holds that final block until the hash has been calculated and looked up, and only then blocks the transfer. The
Demo File Policy is configured to block malware detected in PDF files.

7. In the FMC, select Analysis > Files > Malware Events.

a. Observe that one file, Zombies.pdf, was blocked.
b. Click the arrow on the left to drill down to the table view of events. Note that the host 198.19.10.200 (the Kali Inside
Linux server) is shown with a red icon, which means an indication of compromise (IoC) has been assigned to it.

NOTE: The action is reported as Custom Detection Block instead of Malware Block because Zombies.pdf was added to the custom
detection list, so the verdict does not depend on the lab being able to reach the cloud.

Click the red computer icon to open the host profile page. Look over this page and then close it.

From the menu, select Analysis > Files > File Events and then Table View of File Events. You should see information about the
file events.

NOTE: You can drill down further if you wish.
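The two download tests above differ in how much of the file reaches the client, and the reason is the point at which each verdict can be made. The following Python simulation is an added example, not code from the lab or from Cisco: it walks a download block by block, identifies the type from the leading bytes of the first block (a signature check, here only RIFF/AVI, PDF and MZ), and for hash-based verdicts forwards everything except the final block, which it holds until the SHA-256 is known and checked against a custom detection list and then a simulated cloud lookup. The sample files, the 1460-byte block size, the policy contents and the empty cloud table are all constructed for the example.

```python
"""Streaming file-policy simulation: type blocks fire on the first block (signature),
hash-based malware blocks must wait for the last block (SHA-256)."""
import hashlib
from typing import Dict, Iterable, List, Optional

BLOCK = 1460  # bytes per forwarded block; constructed value


def sniff_type(first_block: bytes) -> str:
    """Identify the file type from its leading bytes (a few common signatures only)."""
    if first_block[:4] == b"RIFF" and first_block[8:12] == b"AVI ":
        return "avi"
    if first_block[:4] == b"%PDF":
        return "pdf"
    if first_block[:2] == b"MZ":
        return "exe"
    return "unknown"


class FilePolicy:
    def __init__(self, block_types: Iterable[str], malware_types: Iterable[str],
                 custom_detection: Iterable[str], cloud_lookup: Dict[str, str]):
        self.block_types = set(block_types)            # "Block Files" by type
        self.malware_types = set(malware_types)        # "Block Malware" by hash for these types
        self.custom_detection = set(custom_detection)  # admin-supplied SHA-256 list
        self.cloud_lookup = cloud_lookup               # simulated cloud: sha256 -> disposition


def inspect_transfer(blocks: List[bytes], policy: FilePolicy) -> dict:
    """Walk the download block by block and decide when (and whether) to stop forwarding."""
    total = sum(len(b) for b in blocks)
    forwarded = 0
    digest = hashlib.sha256()
    ftype: Optional[str] = None

    for i, block in enumerate(blocks):
        last = i == len(blocks) - 1
        if i == 0:
            ftype = sniff_type(block)
            if ftype in policy.block_types:
                # Type is known from the first block: stop before forwarding anything.
                return {"type": ftype, "action": "File Type Block",
                        "forwarded": forwarded, "total": total}
        digest.update(block)
        if ftype in policy.malware_types and last:
            # Hold the final block: the verdict needs the hash of the whole file.
            sha = digest.hexdigest()
            if sha in policy.custom_detection:
                action = "Custom Detection Block"
            elif policy.cloud_lookup.get(sha) == "malware":
                action = "Malware Block"
            else:
                action = "Allow"
            if action != "Allow":
                return {"type": ftype, "action": action, "sha256": sha,
                        "forwarded": forwarded, "total": total}
        forwarded += len(block)

    return {"type": ftype, "action": "Allow", "sha256": digest.hexdigest(),
            "forwarded": forwarded, "total": total}


def chunk(data: bytes, size: int = BLOCK) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed stand-ins for test3.avi, Zombies.pdf and ProjectX.pdf (not the lab's files).
AVI_FILE = b"RIFF" + (20_000).to_bytes(4, "little") + b"AVI LIST" + b"\x00" * 20_000
BAD_PDF = b"%PDF-1.4\n%constructed malware stand-in\n" + b"Z" * 30_000 + b"\n%%EOF\n"
GOOD_PDF = b"%PDF-1.4\n%constructed benign document\n" + b"A" * 30_000 + b"\n%%EOF\n"

DEMO_POLICY = FilePolicy(
    block_types=["avi"],
    malware_types=["pdf"],
    custom_detection=[hashlib.sha256(BAD_PDF).hexdigest()],  # what the lab did for Zombies.pdf
    cloud_lookup={},                                         # cloud assumed unreachable
)

if __name__ == "__main__":
    for name, data in (("test3.avi", AVI_FILE), ("Zombies.pdf", BAD_PDF), ("ProjectX.pdf", GOOD_PDF)):
        r = inspect_transfer(chunk(data), DEMO_POLICY)
        print(f"{name}: {r['action']}, {r['forwarded']}/{r['total']} bytes forwarded")
```

Running it shows the AVI stopped with nothing forwarded, the custom-detected PDF stopped with all but its last block forwarded, and the benign PDF delivered in full; an entry in the cloud table for a hash that is not on the custom list produces Malware Block instead, which is the distinction the note above describes.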

Static NAT Policy for FMC

NOTE: We perform this task now, but this NAT rule will not be used until Branch 1 is brought online in a later section.

The FMC sits behind NGFW1, which is acting as a NAT device. We need a static NAT rule so that the branch FTD can reach the
HQ FMC on a public address.

1. Go to Devices > NAT > Default PAT and click Add Rule.

a. NAT Rule: Auto NAT Rule.

b. Under Interface Objects, select InZone1 and click Add to Source.
c. Select OutZone and click Add to Destination.
d. Under Translation, click the (+) sign next to Original Source and create a network object named FMC_Private.
i. For Host, enter 198.19.10.120 (the address of the HQ FMC).
e. Click Save.

2. Click the (+) sign next to Translated Source and create a network object named FMC_Public.
a. For Host, enter 198.18.133.120 (an address on the WAN network).

3. For Original Source, select FMC_Private.

4. For Translated Source, select Address and then FMC_Public.
5. Click OK.

NOTE: The rule list now shows the Auto NAT rule together with the NAT Rules After section. Your screen may vary.

6. Click Save at the top of the web page.

7. Create an inbound access control rule for the FMC by modifying the Base_Policy access control policy.
a. Select Policies > Access Control.
b. Click the pencil icon next to Base_Policy.
c. Add a rule named FMC_Static_NAT.
d. Action: Allow.
e. Source Zone: OutZone. Destination Zone: InZone1.
f. Destination Networks: FMC_Private.
g. Intrusion Policy: dCloud Balanced Intrusion.
h. File Policy: Block Malware.
8. Click Apply and then Save.
9. Click Deploy (ignore the warnings if applicable).
10. Open a connection to the Kali Outside Linux server.
a. Ping 198.18.133.120 (the outside NAT address of the FMC).
b. Press Ctrl+C to stop the ping.
c. Minimize the PuTTY session.

NOTE: This rule permits any outside source to reach the FMC on any port, which is fine for the lab. In production, restrict the
source to the managed devices that register through the public address and the destination port to the management channel
(sftunnel, TCP 8305).

We have now deployed an FTD at the corporate site and tested the access control, NAT and intrusion policies.



Adding FTD Branch 1 to FMC

1. Earlier we created a static NAT entry for the FMC: 198.18.133.120.

a. Now we configure NGFW Branch 1 so that it is also managed by the FMC.

2. Open the connection to NGFW-BR1.

Type show managers

a. If the response is No managers configured or Managed locally, configure the device for FMC management.

Type the following command: configure manager add 198.18.133.120 C1sco12345 abcde

b. If prompted with a question, type yes.

NOTE: Because the FMC is behind NAT, you must give the FMC's NAT address and also a NAT ID (here abcde). The NAT ID must
match the one entered on the FMC during device registration; the FMC uses it to identify the device when it cannot rely on the
device's IP address.

Go back to the FMC web page and go to Devices > Device Management > Add > Device.

a. Configure the following:

b. Host: 198.18.133.42

c. Display Name: NGFWBr1

d. Registration Key: C1sco12345

e. Group: None

f. Access Control Policy: click Create new policy

i. Branch1access

Under Access Control Policy, select the down arrow and choose Create New Policy.

g. Name: Branch1access. Base Policy: None. Default Action: Block all traffic. Click Save.

h. Smart Licensing: select all licenses.

i. Under Advanced, Unique NAT ID: abcde

ii. This ID is a one-time check that the FTD being registered is the intended one. It must match the NAT ID given in the
configure manager add 198.18.133.120 C1sco12345 abcde command on the device.

3. Verify that Branch1access is selected, all Smart Licensing boxes are checked, and the NAT ID under Advanced is abcde.

4. Click Register.

5. Wait until NGFWBr1 has registered.

NOTE: Now that NGFWBr1 has been added, we need to add interfaces, build the default route, create a NAT policy and update
the access control policy.

6. Go to Devices > Device Management and click the pencil icon next to NGFWBr1.
7. Click the pencil icon on the GigabitEthernet0/0 line.
8. Set up the name, zone and IP address.
a. Name: branch1_Outside
b. Enabled: checked
c. Security Zone: click New and enter the name branch1_Outzone.
9. Select the IPv4 tab.
a. Add or verify the IP address:
i. 198.18.128.81/255.255.192.0
ii. Click OK

NOTE: In this scenario, 198.18.133.42/18 is the management IP address of the firewall. You can see it with the show network
command on the FTD CLI, or by entering expert mode and running ifconfig and looking at the br1 interface. The management
address is used only by the management plane; data traffic does not pass through it, which is why we have to build a WAN data
interface as the outside interface. The outside interface could also obtain its address by DHCP from the ISP, but we did not want
to add another server to this lab scenario.

10. Configure the GigabitEthernet0/1 line.

a. Name: branch1_Inside
b. Enabled: checked
c. Security Zone: branch1_InZone (create it)
d. IPv4: 198.19.11.4/24

11. Configure GigabitEthernet0/3.

a. Name: outside2

b. Security Zone: branch1_Outzone

c. IPv4: 198.19.40.4/24

12. Configure GigabitEthernet0/4.

a. Name: outside3

b. Security Zone: branch1_Outzone

c. IPv4: 198.19.30.4/24

13. Click Save at the top of the web page.


14. Go to Routing > Static Route > Add Route to build a static route to the Internet.

a. Interface: branch1_Outside.

b. Available Network: select any-ipv4 and add it.

c. Gateway: click the (+) button and create a new network object:

i. Name: Branch1_WAN_GW

ii. Host: 198.18.128.1

iii. Click Save

d. Click OK

NOTE: This is the same address as the FMC-HQ-WAN-GW object created earlier; it is the gateway for the dCloud pod. You can
reuse FMC-HQ-WAN-GW for this section if you want.

Create two additional static routes.

15. Add a route for outside3:

a. Interface: outside3

b. Selected Network: any-ipv4

c. Gateway: 198.19.30.63

d. Metric: 10

e. Click OK

16. Add a route for outside2:

a. Interface: outside2

b. Selected Network: any-ipv4

c. Gateway: 198.19.40.64

d. Metric: 11 [we will change this in the Advanced Lab for DIA]

e. Click OK

17. Click Save, then OK.

NOTE: If an interface does not show up in the pull-down box, click the Save button at the top right of the screen first; interfaces
only become selectable for routing once the interface configuration has been saved.

18. When done, click Save at the top of the web page.

1. Go to Devices > NAT > New Policy > Threat Defense NAT.

2. Name the policy Branch1_NAT and, under Available Devices, select NGFWBr1.

3. Click Add to Policy.

4. Click Save.

5. Click Add Rule.

6. NAT Rule: Manual NAT Rule. Insert: In Category, NAT Rules After.

a. Type: Dynamic.

b. Under Interface Objects, select branch1_InZone and click Add to Source.

c. Select branch1_Outzone and click Add to Destination.

d. On the Translation tab, under Original Packet, click the (+) next to Original Source and create a new network object.
Name: Branch1_Networks, Network: 198.19.11.0/24. (You could also create an object on the Objects page that covers
the whole lab address space, such as 198.18.0.0/15, but the narrower object is the better habit: a PAT rule that matches
more than the networks actually behind the interface can hide routing or spoofing mistakes.)

7. Click Save.

8. Under Translated Packet, select Destination Interface IP for Translated Source.

9. Click OK and then Save at the top of the web page.

10. To modify the access control policy, go to Policies > Access Control > Access Control.

11. Click the pencil icon to edit the Branch1access policy.

12. Click Add Rule.

a. Name the rule Branch1Allow.

b. Select branch1_InZone as the Source Zone and branch1_Outzone as the Destination Zone.

c. On the Inspection tab, select the dCloud Balanced Intrusion intrusion policy and the Block Malware file policy.

13. Click Apply, then Save at the top of the web page, then Deploy. [Optional] Use Advanced Deployment and select only ngfwbr1.

a. After the deployment is complete, open a session to the Branch Office Linux server and type wget -t 1 outside/files/ProjectX.pdf.
This should succeed and verifies outbound connectivity from Branch 1.

Configuring Remote Deployment NGFWBR1

You will now configure NGFWBR1 for remote deployment, that is, manager access over a data interface instead of the dedicated
management interface.

1. Connect to NGFW-BR1 [admin/C1sco12345].

2. Type show network

3. Type show running-config sftunnel

a. No results are shown, because the default sftunnel configuration is in use.

Type show nat and keep the output; you will compare it with the output after the change.

4. Go back to the FMC.

a. Devices > Device Management > NGFWBr1

b. Go to the Device sub-tab, then the Management section, and click the Management interface link.

c. Select Data Interface.

d. Click OK on the message and then Close.

e. Select the Interfaces sub-tab and edit GigabitEthernet0/0.

f. Go to Manager Access.

i. Check Enable management on this interface for the Manager.

ii. Under Available Networks, select FMC_Public, click Add, then OK. Click Yes under Please Confirm.

g. Click Save and then Deploy. Read the warning in the deployment dialog and click Deploy.

h. Open a session to NGFWBr1.

5. Type show network

6. Type show running-config sftunnel

7. Type show nat and compare with the earlier output.

8. Remove the remote deployment configuration from NGFWBr1.

a. Devices > Device Management > NGFWBr1 > Device > Management > Manager Access Interface:

i. Change back to Management Interface, then Save and Close.

b. Devices > Device Management > NGFWBr1 > Interfaces > GigabitEthernet0/0 > Manager Access > uncheck Enable
management on this interface for the Manager. Click OK, then Save and Deploy.

Configuring NGFW3 Management Using Firewall Device Manager (FDM On-Box)

NOTE: A factory-default FTD uses 192.168.45.45 as its management address with 192.168.45.1 as the default gateway. On NGFW3
this has been changed: the device has been preconfigured with the management IP address and the username/password used
below.

1. Open a session to NGFW3.

2. Type show managers and verify that there are no managers configured.
3. Type configure manager local

NOTE: It can take 10 to 15 minutes for the services on the FTD to restart. You will get a Service Unavailable error when trying to
access NGFW3 until all services are back up.

3. From the Quick Launch, open a connection to NGFW-3 Web. You can also click NGFW3 (FDM) in the browser status bar.

If you are prompted with a security warning, accept the risk.

The Firepower Device Manager login screen should be prepopulated. If not, the credentials are Username: admin, Password:
C1sco12345.

Click Login.

You will come to the initial setup screen, which displays the FTD connections. Scroll down to the Outside Interface Address.

Select the arrow next to Using DHCP and click Manual Input.

4. Configure the Outside Interface Address.

a. IP Address: 198.18.133.83

b. Network Mask: 255.255.192.0

c. Gateway: 198.18.128.1

5. Click Next.

a. If you get a message that the connection to www.cisco.com has failed, that is OK; move on to the NTP settings.

Manually set the NTP server.

a. Time Zone: select America/Los_Angeles.

b. NTP Time Server: User-Defined, address 198.18.128.1.

c. Click Next.

6. This brings you to Smart License. Select Start 90-day evaluation period without registration.

7. Performance Tier: FTDv5 – Tiered

8. Click Finish.

9. On the next screen, select Standalone Device to configure interfaces or policy.

10. Select Interfaces.

NOTE: Interface GigabitEthernet0/1 has the address 192.168.45.1, and the outside interface GigabitEthernet0/0 has the address
we configured manually. If you wish to change the address of GigabitEthernet0/1, choose the
GigabitEthernet0/1 line and go to Actions. A pencil icon appears; click it. Delete the DHCP pool, change the IP address to
198.19.10.3/255.255.255.0 and click OK.

11. If you made changes, click the deployment icon and note the configuration changes that will be deployed to the FTD.

12. Deploy the configuration.

FDM Software Upgrade

1. From the FDM, go to Device > Updates > View Configuration.

2. Under System Upgrade, click Browse.

a. From the Desktop, go to FMC FTD Software > 7.4 Upgrade.

i. Select Cisco_FTD_Upgrade-7.4.1-172.sh.REL.tar and click Open.

b. Read the Confirm System Upgrade box and click Continue.

3. After the upgrade you will need to deploy.

FDM Snort 3 Intrusion Policy

Snort 3 was introduced on the FDM in version 6.7. In the next steps we look at Snort 3 rules on the FDM.

1. From the FDM, go to Policies > Intrusion.

2. Click Balanced Security and Connectivity.

3. Note that the Snort rules are sorted by SID.

4. Click the Action cell for one of the rules. Note that the rule state can be overridden (ALERT, DROP, DISABLED).

5. Click the Search field. You can filter by GID (generator ID: 1 for standard text rules, 3 for shared object rules), SID (Snort ID:
Talos rules are below 1,000,000, local rules are 1,000,000 and above) and Action. Then click Cancel.

6. Locate rule 1:105 (the first rule), MALWARE-BACKDOOR - Dagger_1.4.0.

a. Click the Action field and set it to Drop.

7. Deploy your policy using the deploy button and Deploy Now.
8. Note the rule groups on the left.

9. Click the Browser group to show its child groups.

10. Select the Chrome child group; this shows the BROWSER-CHROME rules.

11. Click one of the links under GID:SID.

12. Note the documentation for the rule.

13. Look at the current Security Level.

14. Click the Edit link to check or change the Security Level, up to Level 3.

15. More rules are enabled and the total rule count increases.

16. Examine some of the rules newly enabled at Level 3. Higher levels trade broader coverage for more false positives and more
Snort CPU, so review what a level enables before using it in production.

17. Deploy the changes and then close the FDM tab.
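The GID:SID conventions from step 5, the per-rule override from step 6 and the earlier note about SID 336 being enabled only as a rule override all come down to the same small model: a rule is identified by generator and Snort ID, a base policy assigns it a state, and an override replaces that state. The following Python is an added example, not Cisco code and not the FDM or FMC implementation: it parses Snort rule text for gid, sid, rev and msg, classifies the source by the GID/SID ranges above, and resolves the effective action. The rule bodies, the base-policy states and the override table are constructed to mirror the SIDs named in this lab (105 and 336) plus one local rule; they are not copied from Talos.

```python
"""Parse Snort rule text, classify by GID:SID, and resolve the effective action from a
base-policy state plus per-rule overrides."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

RULE_RE = re.compile(r"^\s*(?P<action>alert|drop|block|pass|log|reject)\s+"
                     r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
                     r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(?P<key>[a-z_]+)\s*:\s*(?:"(?P<q>[^"]*)"|(?P<v>[^;]*))\s*;')

LOCAL_SID_FLOOR = 1_000_000  # SIDs from here up are reserved for local rules
VALID_STATES = ("alert", "drop", "disabled")


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    rev: int
    msg: str
    header_action: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def source(self) -> str:
        if self.gid == 3:
            return "shared-object"
        return "local" if self.sid >= LOCAL_SID_FLOOR else "talos"


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    opts: Dict[str, str] = {}
    for o in OPT_RE.finditer(m.group("opts")):
        opts[o.group("key")] = o.group("q") if o.group("q") is not None else o.group("v").strip()
    if "sid" not in opts:
        raise ValueError("rule has no sid")
    return Rule(gid=int(opts.get("gid", 1)), sid=int(opts["sid"]),   # gid defaults to 1
                rev=int(opts.get("rev", 1)), msg=opts.get("msg", ""),
                header_action=m.group("action"))


def effective_state(rule: Rule, base: Dict[str, str], overrides: Dict[str, str]) -> str:
    """The base policy gives each rule a default state; a rule override replaces it.
    A rule the base policy does not mention is disabled unless overridden."""
    state = overrides.get(rule.key, base.get(rule.key, "disabled"))
    if state not in VALID_STATES:
        raise ValueError(f"bad state {state!r} for {rule.key}")
    return state


def policy_report(rule_texts: List[str], base: Dict[str, str],
                  overrides: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map GID:SID -> (source, effective state) for a set of rules."""
    out: Dict[str, Tuple[str, str]] = {}
    for text in rule_texts:
        r = parse_rule(text)
        out[r.key] = (r.source, effective_state(r, base, overrides))
    return out


# Constructed rule text modelled on the SIDs the lab names; detection bodies are simplified.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 2589 (msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; '
    'flow:to_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; sid:105; gid:1; rev:14;)',
    'alert tcp any any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; '
    'content:"CWD"; nocase; content:"~root"; sid:336; rev:22;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"LOCAL workstation querying external DNS"; sid:1000001; rev:1;)',
]
# Constructed base-policy states and the overrides this lab applies (105 -> Drop, 336 -> Alert).
BASE_BALANCED = {"1:105": "alert", "1:336": "disabled"}
LAB_OVERRIDES = {"1:105": "drop", "1:336": "alert"}

if __name__ == "__main__":
    for key, (source, state) in policy_report(SAMPLE_RULES, BASE_BALANCED, LAB_OVERRIDES).items():
        print(f"{key:12} {source:14} {state}")
```

The report shows 1:105 as a Talos rule in drop state because of the override, 1:336 alerting only because the override re-enabled it, and the local rule disabled because nothing enables it; an override with a state outside alert/drop/disabled is rejected rather than silently ignored.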

FMC Health Policy Adjustments

1. On the FMC, go to System > Health > Monitor.

2. Click Monitoring > Firewall Management Center and look at the Overview and Process views.

3. Go to System > Health > Policy.

4. Click the pencil icon on the dCloud-Health Policy line.

5. On the right-hand side, click Memory Usage Data Plane and set the Warning Threshold % to 87. Click Save.

6. Optional: under CPU, adjust the Data Plane and Snort warning thresholds to 85%.

7. Click Policy Assignments & Deploy.

a. Note that only the firewalls are listed.

b. Click Apply.

8. Go back to System > Health > Monitor.

9. Click NGFW1 and look at the dashboard.

10. Click View System & Troubleshooting Details.

11. Click the CPU, Memory, Interfaces, Connections and Snort tabs and review the results.

Scenario 3. NAT and Routing

This exercise consists of the following tasks.

• Create objects needed for this lab exercise

• Configure static NAT

• Modify access control policy to allow outside access to wwwin

• Configure EIGRP

• Deploy the changes and test the configuration

The objectives for this lab exercise are:

• Create a public web server

• Create a DMZ web server

• Configure BGP

The first objective involves creating network objects and access control rules; static NAT and dynamic routing will also be
configured.

NOTE: The public server is deployed on the inside network. It would be more realistic to deploy it in a DMZ, but that would take
more work. The lab pod does have this capability; see Appendix 4 for information about creating a DMZ in the lab pod.

Steps

Create objects needed for this lab exercise

1. From the menu, select Objects > Object Management. The Network object page is selected.

a. Click Add Network > Add Object.

i. For Name, enter wwwin.

1. Select the Host radio button.

2. For Network, enter 198.19.10.202.

3. Click Save.

b. Click Add Network > Add Object.

i. For Name, enter wwwout.

1. Select the Host radio button.

2. For Network, enter 198.18.128.202.

3. Click Save.

2. Click Add Network > Add Object.

a. For Name, enter 203.14.10.0.
b. Select Network.
c. Enter 203.14.10.0/24.

3. Click Save.

Select Access List > Standard from the left navigation pane.
a. Click Add Standard Access List.

b. For Name, enter Filter203.

c. Add the two access control entries from the lab screenshot (not reproduced here). The second entry is critical: a standard
access list ends with an implicit deny all, so without a final permit entry every route not explicitly permitted is dropped.

d. Click Save.

Configure Static NAT

1. From the menu, select Devices > NAT.

2. Click the pencil icon to edit the Default PAT policy.

3. Click Add Rule.

a. Select Auto NAT Rule from the NAT Rule drop-down list.

b. You will be at the Interface Objects tab. Select InZone1 and click Add to Source.

c. Select OutZone and click Add to Destination.

4. Select the Translation tab.

a. Select wwwin from the Original Source drop-down list.
b. For Translated Source, select Address and then wwwout.

Click OK to save the NAT rule. Because this is a static rule it works in both directions: outbound connections from wwwin appear
to come from wwwout, and inbound connections to wwwout are translated back to wwwin.

NAT Existing IP Over Different Port

1. Edit the Default PAT policy.

2. Click Add Rule.

a. NAT Rule: Manual NAT Rule

b. Insert: In Category, NAT Rules Before

c. Type: Static

d. Description: FMC admin access from Internet

This rule lands in Section 1, so it is evaluated before the auto NAT rule that maps FMC_Private to FMC_Public. Without it, a
connection to 198.18.133.120 on port 12345 would only be un-NATed to 198.19.10.120 on port 12345, where nothing is listening.

3. On the Interface Objects tab, select OutZone for Source Interface Objects and InZone1 for Destination Interface Objects.

4. Select the Translation tab.

a. Original Source: any

b. Original Destination: FMC_Public

c. Click the [+] next to Original Destination Port to add a new port object for the TCP port exposed on the outside interface.

i. Name: nat-port-FMC

ii. Protocol: TCP

iii. Port: 12345

d. Click Save.

e. Choose the nat-port-FMC object in the Original Destination Port field.

f. Translated Packet:

i. Translated Source: leave blank (defaults to any)

ii. Translated Destination: FMC_Private

iii. Translated Destination Port: HTTPS

iv. Click OK.

5. Click Save at the top of the page.

NOTE: A non-standard port is not a security control on its own. In production, exposing the FMC web interface to the Internet
should be avoided; where remote administration is required, restrict the permitted source addresses and prefer access over a
VPN.
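The Default PAT policy now holds rules in all three sections, and the order in which FTD evaluates them (Section 1 manual rules inserted before, Section 2 auto NAT, Section 3 manual rules inserted after, first match wins) decides what each packet becomes. The following Python is an added example, not Cisco code and not the FTD NAT engine: it models the dynamic PAT rule created earlier in this guide, the static auto NAT rules for wwwin and the FMC, and the port-forward rule just built, and translates sample packets through them. It also returns the packet as the access control policy sees it, with real rather than translated addresses. The interface addresses, the 198.19.10.0/24 contents of Corporate_LAN, the sequential port pool and the sample packets are assumptions made for the example.

```python
"""NAT rule evaluation in FTD order: Section 1 (manual, NAT Rules Before), Section 2
(auto/object NAT), Section 3 (manual, NAT Rules After). First match wins."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumed egress interface addresses for "Destination Interface IP" PAT (not given in the lab).
IFACE_IP = {"OutZone": "198.18.133.81", "InZone1": "198.19.10.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_zone: str
    out_zone: str


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                    # 1 = manual before, 2 = auto NAT, 3 = manual after
    kind: str                       # "static" or "dynamic"
    src_zone: str                   # Source Interface Object (where the packet enters)
    dst_zone: str                   # Destination Interface Object (where it leaves)
    orig_src: str = "any"           # CIDR or "any"
    orig_dst: str = "any"
    orig_dport: Optional[int] = None
    xlat_src: Optional[str] = None  # CIDR, or "interface" for PAT to the egress interface IP
    xlat_dst: Optional[str] = None
    xlat_dport: Optional[int] = None


def in_net(ip: str, net: Optional[str]) -> bool:
    if net in (None, "any"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def host(net: str) -> str:
    return str(ipaddress.ip_network(net, strict=False).network_address)


def forward_match(r: NatRule, p: Packet) -> bool:
    return (p.in_zone == r.src_zone and p.out_zone == r.dst_zone
            and in_net(p.src, r.orig_src) and in_net(p.dst, r.orig_dst)
            and (r.orig_dport is None or p.dport == r.orig_dport))


def reverse_match(r: NatRule, p: Packet) -> bool:
    """Static source translations are bidirectional: a packet arriving from the far side
    for the mapped address is un-NATed back to the real address."""
    return (r.kind == "static" and r.xlat_src not in (None, "interface")
            and p.in_zone == r.dst_zone and p.out_zone == r.src_zone
            and in_net(p.dst, r.xlat_src))


class PatPool:
    """Sequential translated-port allocator standing in for the real PAT pool."""
    def __init__(self, first: int = 1024):
        self.next_port = first

    def allocate(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port


def ordered(rules: List[NatRule]) -> List[NatRule]:
    # Section 2 sorts static before dynamic; elsewhere the configured order is kept.
    return sorted(rules, key=lambda r: (r.section, r.section == 2 and r.kind == "dynamic"))


def translate(rules: List[NatRule], p: Packet, pool: PatPool) -> Tuple[Packet, Optional[str]]:
    for r in ordered(rules):
        if forward_match(r, p):
            q = p
            if r.xlat_src == "interface":
                q = replace(q, src=IFACE_IP[p.out_zone], sport=pool.allocate())
            elif r.xlat_src:
                q = replace(q, src=host(r.xlat_src))
            if r.xlat_dst:
                q = replace(q, dst=host(r.xlat_dst))
            if r.xlat_dport:
                q = replace(q, dport=r.xlat_dport)
            return q, r.name
        if reverse_match(r, p):
            return replace(p, dst=host(r.orig_src)), r.name + " (reverse)"
    return p, None  # no rule matched: forwarded untranslated


def acp_view(original: Packet, translated: Packet) -> Packet:
    """Access control matches on real addresses: the pre-NAT source and the post-NAT
    (un-NATed) destination. This is why the rules reference FMC_Private and wwwin rather
    than the public addresses, and port HTTPS rather than 12345."""
    return replace(original, dst=translated.dst, dport=translated.dport)


# The rules this guide builds in the Default PAT policy on NGFW1 (Corporate_LAN assumed /24).
LAB_RULES = [
    NatRule("FMC admin access from Internet", 1, "static", "OutZone", "InZone1",
            orig_dst="198.18.133.120/32", orig_dport=12345,
            xlat_dst="198.19.10.120/32", xlat_dport=443),
    NatRule("wwwin->wwwout", 2, "static", "InZone1", "OutZone",
            orig_src="198.19.10.202/32", xlat_src="198.18.128.202/32"),
    NatRule("FMC_Private->FMC_Public", 2, "static", "InZone1", "OutZone",
            orig_src="198.19.10.120/32", xlat_src="198.18.133.120/32"),
    NatRule("Default PAT InZone1", 3, "dynamic", "InZone1", "OutZone",
            orig_src="198.19.10.0/24", xlat_src="interface"),
]

if __name__ == "__main__":
    pool = PatPool()
    for p in (Packet("198.19.10.200", 40000, "8.8.8.8", 443, "InZone1", "OutZone"),
              Packet("203.0.113.5", 50000, "198.18.133.120", 12345, "OutZone", "InZone1")):
        q, rule = translate(LAB_RULES, p, pool)
        print(f"{rule}: {p.src}:{p.sport}->{p.dst}:{p.dport}  =>  {q.src}:{q.sport}->{q.dst}:{q.dport}")
```

Tracing a few packets through it reproduces the behaviour the lab tests: a workstation on the inside is PATed to the outside interface address, wwwin leaves as wwwout and inbound traffic to wwwout is un-NATed, a branch device reaching FMC_Public on TCP 8305 is delivered to FMC_Private by the reverse side of the auto NAT rule, and only port 12345 is rewritten to 443 because the Section 1 rule is matched first.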

Modify access control policy to allow outside access to wwwin

1. From the menu, select Policies > Access Control.

2. Edit Base_Policy.

a. Click Add Rule.

b. For Name, enter Web Server Access.

c. Select into Default from the Insert drop-down list.

d. Select InZone1 and click Add to Destination.

e. Select OutZone and click Add to Source.

f. Select the Networks tab.

g. Select wwwin and click Add to Destination.

h. Select the Ports tab. Under Available Ports, search for and select HTTP and HTTPS, then click Add to Destination.

i. Under Manually Enter Port or Select Protocol, choose the ICMP protocol and click OK to add it to Destination Port.

NOTE: Access control rules are evaluated against the real (untranslated) addresses, so we use the true IP of the web server
(wwwin) rather than the NAT address (wwwout) that the client connects to.

j. Click Intrusion Policy.

k. Select dCloud Balanced Intrusion from the Intrusion Policy drop-down list.

l. Select Block Malware from the File Policy drop-down list.

m. Logging: Log at End of Connection.

n. Click Confirm and Apply.

Modify access control policy to allow outside access to FMC via different port

1. Go to Policies > Access Control and edit Base_Policy.

2. Click Add Rule.
a. Name: Allow External FMC Access
b. Action: Allow
c. Rule Enabled: checked
d. Insert: into Mandatory
3. Zones
a. Source Zone: OutZone
b. Destination Zone: InZone1
4. Networks
a. Source: any (in the new UI, just leave it blank)
b. Destination: FMC_Private
5. Ports
a. Source: any
b. Destination: HTTPS (the real port; the NAT rule has already translated 12345 to 443 by the time the access control
policy sees the packet)
6. Logging: Log at End of Connection
7. Click Apply.
8. Click Save to save the access control policy changes.

Configure EIGRP

NOTE: Prior to release 7.2, EIGRP could only be configured through FlexConfig. The steps below show how to configure EIGRP
from the FMC GUI.

1. From the menu, select Devices > Device Management.

2. Click the pencil icon for NGFW1 to edit it.

3. Click the Routing tab and select EIGRP.

4. Check Enable EIGRP.

a. AS Number: 10

b. Click the [+] sign next to Available Networks.

i. Name: EIGRP

ii. Network: 198.18.128.0/18

iii. Save

c. Select EIGRP and click Add.

d. Click on the Redistribution Tab

e. Click Add

i. Protocol Connected and OK

f. Click Save at the top of the page

g. Click Deploy and Deploy All.

5. Verify EIGRP is working:

a. Open a connection to NGFW1 (ssh 198.19.10.81).

b. Type show route. Routes learned through EIGRP are marked with a D in the first column.

c. You can also type:

i. show eigrp topology

ii. show eigrp neighbors

d. Open a connection to the Kali Inside Linux server (root/C1sco12345).

i. Type ping 204.44.14.1. This should succeed.

Configure BGP

1. From the menu, select Devices > Device Management.

2. Click the pencil icon to edit the device settings for NGFW1.
a. Select the Routing tab.
b. Under General Settings, select BGP and check the Enable BGP checkbox.

c. Set the AS Number to 1.

d. Expand BGP in the left navigation pane and select IPv4.
e. Check the Enable IPv4 checkbox.
f. Click the Neighbor tab and click Add.
g. For IP Address, enter 198.18.133.60.
h. For Remote AS, enter 60.
i. Check the Enable address checkbox.
j. Select Filter203 from the Incoming Access List drop-down list. This applies the standard access list to the prefixes received
from this neighbor.
k. Click OK to add the neighbor.

3. Click Save to save the BGP configuration.

Deploy the changes and test the configuration.

1. Deploy the changes and wait until the deployment is complete.

2. From the Quick Launch menu, click the Kali Outside Linux session and log in as root, password C1sco12345.
a. Type curl wwwout. This should succeed.
b. Type ssh wwwout. This should fail, because the access control rule only permits HTTP, HTTPS and ICMP to the web server.
3. Return to the dCloud session page in your computer's web browser that shows the diagram of the lab environment. Find the
WKST2 machine, click the arrow icon and then select the Remote Desktop link to connect to WKST2.

4. Open the Chrome web browser by double-clicking its icon.

5. Enter the address below in the address bar of the browser and press Enter.
a. https://198.18.133.120:12345
b. If prompted, accept the risk. You should reach the FMC login page through the port-forwarding NAT rule.

6. Go back to the Jumpbox Quick Launch and click on the session called CSR60 (admin/C1sco12345) [if needed].
a. On the CSR CLI, run the command show bgp, and confirm that routes appear.
7. From the NGFW1 CLI:
8. Run show route or show route bgp.

NOTE: Run show bgp rib-failure. This shows that the 198.18.128.0/18 route was not inserted in the routing table because there was a
better route (connected). You can also run the following commands from the FMC.

9. From the menu, select Devices > Device Management.

10. Edit the NGFW1 device and select the Device tab.
11. Click on the three dots and select Health Monitor.
12. Click View System & Troubleshooting Details > Advanced Troubleshooting.
a. Select the Threat Defense CLI tab and verify that NGFW1 is selected as the Device. From this tab, you can run several NGFW CLI
commands.
13. From the Kali Inside Linux server session, type ping 62.24.45.1. This should succeed.

Scenario 4. FTD Upgrade


This exercise consists of the following tasks.
• Verify the software version of NGFW1

• Download the FTD upgrade software from a secondary source

• Test the configuration

The objective of this exercise is to download FTD software from a secondary source and use it to upgrade the FTD software on NGFW1.

Steps

Prepare for the FTD software upgrade:

Starting in software version 6.6, you do not need the FMC to download software for the FTD upgrade. In the next steps we will pull
the FTD software from a specific URL.
1. Open a session to the Kali Outside Linux Server.
a. Login: root/C1sco12345
b. Verify that the FTD upgrade software is on the Outside Linux Server:
i. cd /var/www/html/files
ii. ls -la and look for Cisco_FTD_Upgrade-7.4.1-172.sh.REL.tar
2. On the FMC, click on the System icon and select Product Upgrades.

3. Click on Add Upgrade Package. Under URL, specify a remote location (Firewall Threat Defense devices only):
a. Source URL: http://198.18.133.200/files/Cisco_FTD_Upgrade-7.4.1-172.sh.REL.tar
i. Click Save.
4. You will see a successful load and then the upgrade listed under Software update source.

5. Click Close.

6. Look at the Product Upgrades list and find the 7.4.1-172 version.

7. Note that under Availability it states URL/Pointer configured for all devices.
8. Click on the Upgrade button and under Device Details select NGFW1.
a. Select Add to Selection.
b. Under Device Selection, click Copy Upgrade Package and Continue.
c. Under Device Selection, you will see that the software is being downloaded.
9. When the software download is complete, click on Next in the lower right corner.
10. Click on Run Readiness Check and Continue.
a. You can check the Tasks to see the status of the Readiness Check.
11. Click Next.
12. Read the Warnings and Messages under Device Selection.
13. Click Start Upgrade.

a. Click on View Details to see the status.

14. Wait until you see the upgrade completed, then click Close.

15. Go to Devices > Device Management and verify that NGFW1 now has Version 7.4.1.

16. Redeploy on NGFW1.

Scenario 5. Prefilter Policies

This exercise consists of the following tasks.
• Investigate NGFW default behavior for tunneled traffic

• Create a tunnel zone

• Create a prefilter policy

• Modify the access control policy

• Deploy the changes and test the configuration

If there is a clear-text tunnel, the NGFW access control policies apply to the tunneled traffic. Prefilter policies give control over the
tunneling protocol. The following tunneling protocols are supported:

• GRE

• IP-in-IP

• IPv6-in-IP

• Teredo

Prefilter policies communicate with access control policies via tunnel tags. The prefilter policy assigns tunnel tags to specified
tunnels. The access control policy can then include rules that apply only to traffic tunneled through those specified tunnels.
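The following Python, added here as an illustration and not part of the dCloud guide or of Cisco's implementation, models the split described above: the prefilter classifies a clear-text tunnel from the outer IPv4 header alone (protocol 47 for GRE, 4 for IP-in-IP, 41 for IPv6-in-IP, UDP port 3544 for Teredo), tags the flow with the tunnel zone its rule names, and the access control policy then matches on that tag plus the inner protocol, as the Block ICMP Over GRE and Allow GRE Traffic rules built later in this scenario do. All packets and rule objects are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# IP protocol numbers for the encapsulations a prefilter tunnel rule can match
PROTO_ICMP, PROTO_IP_IN_IP, PROTO_TCP = 1, 4, 6
PROTO_UDP, PROTO_IPV6_IN_IP, PROTO_GRE = 17, 41, 47
TEREDO_UDP_PORT = 3544       # Teredo carries IPv6 inside UDP on port 3544
GRE_ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

def build_ipv4(proto, payload, src="10.3.0.1", dst="10.3.0.2"):
    """Construct a 20-byte IPv4 header (no options, checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_gre(inner_ipv4):
    """Construct a minimal GRE header (no C/K/S optional fields) around an IPv4 packet."""
    return struct.pack("!HH", 0, GRE_ETHERTYPE_IPV4) + inner_ipv4

def classify_tunnel(pkt):
    """Name the encapsulation from the outer header alone, as the prefilter does."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == PROTO_GRE:
        return "GRE"
    if proto == PROTO_IP_IN_IP:
        return "IP-in-IP"
    if proto == PROTO_IPV6_IN_IP:
        return "IPv6-in-IP"
    if proto == PROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_UDP_PORT in (sport, dport):
            return "Teredo"
    return None

def gre_inner_protocol(pkt):
    """Return the IP protocol of the IPv4 packet carried inside GRE, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 4:
        return None
    flags, ethertype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # The C (0x8000), K (0x2000) and S (0x1000) bits each add a 4-byte field
    offset = ihl + 4 + 4 * bin(flags & 0xB000).count("1")
    if ethertype != GRE_ETHERTYPE_IPV4 or len(pkt) < offset + 20:
        return None
    return pkt[offset + 9]

@dataclass(frozen=True)
class TunnelRule:               # one prefilter tunnel rule
    name: str
    encapsulations: frozenset
    action: str                 # "Analyze", "Block" or "Fastpath"
    tunnel_zone: str = None     # tag handed to the access control policy

@dataclass(frozen=True)
class AccessRule:               # one access control rule keyed on a tunnel tag
    name: str
    source_tunnel_zone: str
    action: str
    inner_protocol: int = None  # None matches any protocol inside the tunnel

# Rule objects constructed to mirror this scenario (not exported FMC config)
LAB_TUNNEL_RULES = [TunnelRule("Handle GRE Traffic", frozenset({"GRE"}), "Analyze", "GRE")]
LAB_ACCESS_RULES = [AccessRule("Block ICMP Over GRE", "GRE", "Block with reset", PROTO_ICMP),
                    AccessRule("Allow GRE Traffic", "GRE", "Allow")]

def evaluate(pkt, tunnel_rules=LAB_TUNNEL_RULES, access_rules=LAB_ACCESS_RULES):
    """Prefilter on the outer header first; only Analyze reaches access control."""
    kind, zone = classify_tunnel(pkt), None
    for rule in tunnel_rules:
        if kind in rule.encapsulations:
            if rule.action != "Analyze":  # Block/Fastpath: no deeper inspection
                return f"{rule.action} by prefilter rule {rule.name}"
            zone = rule.tunnel_zone
            break
    inner = gre_inner_protocol(pkt) if kind == "GRE" else None
    for rule in access_rules:
        if rule.source_tunnel_zone == zone and rule.inner_protocol in (None, inner):
            return f"{rule.action} by access rule {rule.name}"
    return "default action"

# Constructed sample traffic: ICMP echo and TCP inside GRE, plus untunneled ICMP
ICMP_ECHO = b"\x08\x00" + b"\x00" * 6
ICMP_OVER_GRE = build_ipv4(PROTO_GRE, build_gre(build_ipv4(PROTO_ICMP, ICMP_ECHO)))
TCP_OVER_GRE = build_ipv4(PROTO_GRE, build_gre(build_ipv4(PROTO_TCP, b"\x00" * 20)))
PLAIN_ICMP = build_ipv4(PROTO_ICMP, ICMP_ECHO)

if __name__ == "__main__":
    for label, pkt in [("ICMP over GRE", ICMP_OVER_GRE), ("TCP over GRE", TCP_OVER_GRE),
                       ("plain ICMP", PLAIN_ICMP)]:
        print(f"{label:14s} tunnel={classify_tunnel(pkt)!s:11s} -> {evaluate(pkt)}")
```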

In this exercise, you will create a GRE tunnel between the inside and outside CentOS servers.

You will then configure the NGFW to block ICMP through this GRE tunnel.

NOTE: This exercise has Scenario 3 as a prerequisite. This is because the exercise assumes the static NAT rule, which translates
198.19.10.202 to 198.18.128.202.

Steps

Investigate NGFW default behavior for tunneled traffic

In this task, you will confirm that the access control policy rules apply the tunneled traffic.

1. Open or confirm a session to the Kali Inside Linux server.

2. Open or confirm a session to the Kali Outside Linux Server

3. Create or verify a GRE tunnel between the Kali Inside Linux server and the Outside Linux server.
a. On the Kali Outside Linux Server CLI, type sudo ifup tun0 (password: C1sco12345).

b. On the Kali Inside Linux Server CLI, type sudo ifup tun0 (password: C1sco12345).

c. On the Kali Inside Linux Server, confirm that you can ping through the tunnel with the following command: ping 10.3.0.2

Test the IPS capabilities.

1. Modify the Base_Policy ICMP Permit Access rule to allow HTTP, HTTPS and FTP, and make sure the dCloud Balanced
Intrusion policy and the Block Malware file policy are enabled.

2. Apply, Save and Deploy.

3. Run the following command from the Kali Inside Linux Server CLI: ftp 10.3.0.2

a. Log in as guest, password C1sco12345.

b. Type cd ~root. If the system appears to hang, press Ctrl+C.

i. You should see the following message:

ii. 421 Service not available, remote server has closed connection.

iii. Type quit to exit FTP.

4. In the FMC, from the menu, select Analysis > Intrusions > Events.
a. Look for Destination IP: 10.3.0.2
i. Click the arrow on the left to drill down to the table view of the events.
5. Test the file and malware blocking capabilities by running the following commands on the Kali Inside Linux server CLI.

NOTE: These wget commands can be cut and pasted from the file on the Jump desktop called Strings to cut and paste.txt.

a. As a control test, use wget to download a file that is not blocked: wget -t 1 10.3.0.2/files/ProjectX.pdf

b. This should succeed.

c. Next, use wget to download the file blocked by type: wget -t 1 10.3.0.2/files/test3.avi

NOTE: Very little of the file is downloaded. This is because the NGFW can detect the file type when it sees the first block of data.

d. Finally, use wget to download malware:

e. wget -t 1 10.3.0.2/files/Zombies.pdf

NOTE: About 99% of the file is downloaded. This is because the NGFW needs the entire file to calculate the SHA. The NGFW
holds onto the last block of data until the hash is calculated and looked up.

6. In the FMC, from the menu, select Analysis > Files > File Events.

a. Click Table View of File Events.

b. Observe that the sending and receiving IPs are 10.3.0.2 and 10.3.0.1, respectively.

Create a tunnel zone

1. From the menu, select Objects > Object Management.


a. Select Tunnel Zone from the left navigation pane.

b. Click Add Tunnel Zone.

c. For Name, enter GRE.

d. Click Save.

Create a prefilter policy

1. From the menu, select Policies > Access Control > Prefilter.

a. Click New Policy. Enter a name such as NGFW1 Prefilter Policy. Click Save.

b. Wait a few seconds for the policy to open up for editing.

2. Click Add Tunnel Rule.

a. For Name, enter Handle GRE Traffic.

b. Select GRE from the Assign Tunnel Zone drop-down list.

c. Select the Encapsulation & Ports tab and check the GRE checkbox.

NOTE: There are 3 actions.

• Analyze – traffic will be passed to Snort, and access policy rules will apply.

• Block – traffic is blocked.

• Fastpath – traffic is allowed and bypasses any further inspection.


NOTE: You can also create prefilter rules for this policy. This gives you the ability to analyze, block or fastpath traffic based on
Layer 2 through Layer 4 information.

3. Click Add to add the rule.


4. Click Save to save the prefilter policy.

Modify the access control policy

1. From the menu, select Policies > Access Control > Access Control to edit the Base_Policy access control policy.

a. Click on Prefilter Rules.

b. Select NGFW1 Prefilter Policy.

c. Click Apply.

2. Create a rule named Block ICMP Over GRE.

a. Select Move into Mandatory.

b. Set the action to Block with reset.

c. In the Zones column, search for GRE (Tunnel Tag) and click Add to Source.

d. In the Available Applications or Ports column, make sure that only ICMP is selected.

e. Select the Logging tab. Check the Log at Beginning of Connection checkbox.

f. If prompted, select Send Connection Events to Firepower Management Center.

g. If the rule does not show up in Mandatory, move it above rule 1.

h. Click Apply.

3. Click Add Rule.

a. Call the rule Allow GRE Traffic.

b. Select into Default from the Insert drop-down list. This will become the last rule in the access control policy.

c. In the Available Zones column, select GRE and click Add to Source.

d. Select dCloud Balanced Intrusion from the Intrusion Policy drop-down list.

e. Select Block Malware from the File Policy drop-down list.

f. Click Apply and Save to add the rule to the policy and save the access control policy.

Deploy the changes and test the configuration

1. Deploy the changes, as you have been. Wait for the deployment to complete.

a. On the Outside Linux Server, type sudo tcpdump -n -i tun0 (password: C1sco12345) to monitor tunnel traffic.

b. Run the following commands on the Kali Inside Linux Server CLI.

c. wget 10.3.0.2 (this should succeed)

d. ping 10.3.0.2

2. Tear down the tunnel:

a. On the Outside Linux Server CLI, press Ctrl+C, then type sudo ifdown tun0 [password: C1sco12345].
b. On the Kali Inside Linux Server CLI, type sudo ifdown tun0 [password: C1sco12345].

Scenario 6 FQDN NAT


For the FQDN scenario, we will use the following devices:
• NGFW1

• FMC

• Kali Outside – Outside Linux Server

• Kali Inside

FQDN NAT
FQDN NAT can change destination addresses using the FQDN response. An FQDN name can be included in a NAT policy for
enhanced usability. It also provides the flexibility for simplified firewall insertion in public/private cloud, dynamic IPs for
destination NAT, and one-to-many DNS resolution with load balancing. A simple example is a server inside our network that keeps
changing IP every week. An FQDN-based NAT rule will be a perfect fit for this kind of scenario.

NOTE: Make sure the server/host is not on DHCP with a short lease span, as that may create issues with the DNS cache of the FMC as
well as ARP issues for the outside host trying to access it.

Task 1 – Prepare the Environment

Check Current Behavior and Configuration

Before we get started, we need to check the current NAT configuration and DNS configuration, as FQDN relies on DNS to resolve
hostnames. Before FQDN support in 7.1, NAT was only based on static IP/Host objects.

To use FQDN, a DNS nameserver should be present along with an FQDN object before creating a NAT rule entry. We are using
NGFW1 for this lab.

Open or continue the PuTTY connection to NGFW1.

Type the command ping inside.dcloud.local. The ping shows that the name entered doesn't have a valid DNS entry, or that a DNS server is
not present/configured for the NGFW1 data plane.

To ensure the inside.dcloud.local is up and reachable from the NGFW1, try again with the command ping system
inside.dcloud.local, which uses the management interface.

The inside host is up.

Type the command show dns to see the current output and then show running-config dns

The entry is empty and confirms that the nameserver/DNS is not configured for the NGFW1 data plane.

Task 2 – Create DNS Entry for NGFW1

Create a DNS entry for NGFW1

1. Login into FMC Web admin/C1sco12345 [if needed]

2. Navigate to Devices > Platform Settings

3. Click New Policy

a. New Policy > Threat Defense Settings

i. Name: NGFW1_Platform_Settings

ii. Targeted Devices: NGFW1, click Add to Policy

iii. Save

4. From the left menu, click on DNS and select the checkbox for Enable DNS name resolution by device

5. Add a DNS Server Group Object by clicking the + symbol

a. Name: ADserver

b. Default Domain: dcloud.local

c. Timeout: 1

d. Retries: 1

e. DNS servers: 198.19.10.100

f. click Save.

6. Click on DNS Server Group* and it will show ADserver as an available option.

7. Click Make as default

8. Click OK

9. Click on Save button on top right corner and Deploy

Once deployed, which can take a couple of minutes, test the two commands again from the NGFW1 CLI:

ping inside.dcloud.local (or you could just type ping inside)

show dns or show running-config dns

The NGFW1 CLI shows that inside.dcloud.local is resolving and we can see a DNS server configured with IP 198.19.10.100.

Task 3 – Create FQDN Object and NAT Rule

For this task, we will configure the inside server using an FQDN and try to reach inside from the outside server. The outside NATed
address should translate to inside once the configuration is complete.

1. From the FMC, navigate to Objects > Object Management and click on Add Object from the drop-down menu.

a. Select FQDN for the object type and enter the details as shown below. For our use case, we will use inside.dcloud.local with FQDN
and try to reach it from outside.
b. Click Save.

2. Navigate to Devices > NAT and edit the Default PAT Policy

NOTE: In the current NAT rules, an old entry of Auto NAT is listed for NAT access between the Kali Inside Linux
server (wwwin) and Outside Linux server (wwwout). Delete this Auto NAT rule before making a new NAT entry with FQDN.
Currently, FQDN is supported only with Manual NAT.

3. Delete the previous Auto NAT entry for wwwin to wwwout

4. Click on Add Rule and create a new Manual NAT Rule and fill in the rule fields as shown above:

a. Original Source: any


b. Original Destination: wwwout
c. Translated Source: Interface
d. Translated Destinations: wwwindns

5. Click on Interface Objects.

a. Source Interface Objects: OutZone

b. Destination Interface Objects: InZone1

6. Click OK and Save. Deploy the changes to NGFW1.

7. Once deployed, log in to the NGFW1 CLI.
a. Type show fqdn

Task 4 – Modify the Access Control Policy Rule


To allow inbound traffic to inside.dcloud.local, you must modify the access control policy.

1. From the FMC, navigate to Policies > Access Control > Access Control and edit the Base_Policy.

2. Create or Edit the rule called Web Server Access. Add wwwindns to the destination networks.

3. Apply, Save the rule and policy changes and deploy to NGFW1.

Task 5 – Validate the NAT Rule

Once the device is fully deployed, we will validate that the NAT rule is working correctly. This will be via a ping or wget from the Outside
Linux server to the Kali Inside Linux server.

1. Open or connect to the Kali Outside Linux Server.

NOTE: In the new NAT rule just created in the task above, we are translating wwwout to inside using FQDN NAT, which means
that the wwwout object is the one to ping/access from outside to see whether the translation is working correctly.

2. Type the command ping 198.18.128.202 in the Kali Outside CLI.

3. Similarly, from the same CLI, try accessing the internal server using the command curl wwwout

Both are accessible, and the IP shown here for the inside web server is 198.19.10.200, which matches the FQDN we configured.

5. Perform a final confirmation by looking at the FMC connection event logs. The connection logs in 7.2 show NAT fields such as
the NAT translated IP, ports, etc., which is great to have for debugging purposes. To look at the NAT logs, go to the FMC and navigate
to Analysis > Connections > Events > Table View of Connection Events.
a. If you don't see the 198.x.x.x addresses, click on Edit Search > Networking > Initiator IP > 198.18.133.200 and Search.

By default, the NAT fields are not enabled on the view page. Click on Table View of Connection Events.

6. Enable the NAT fields in the connection event view by clicking on the X next to a field name, scrolling down to Disabled Columns, enabling
all NAT-based log fields and pressing Apply.

7. After enabling the NAT-based fields, scroll right to see all the fields.

As shown above, we can see that the initiator IP is 198.18.133.200 (Outside Linux server IP) and the translated destination NAT IP is
198.18.128.202 (wwwout), with a responder IP of 198.19.10.200 (wwwindns).

NOTE: At this point, if the IP of the inside host changes from 198.19.10.200 to some other value, the admin doesn't have to
manually change the IP in the NAT rule anymore. This is the main benefit of FQDN-based NAT.

Scenario 7 Integrated Routing and Bridging (IRB)

This exercise consists of the following tasks.
• Create the objects needed for this lab exercise

• Modify the NGFW interface configuration

• Modify the NAT policy

• Modify the access control policy

• Deploy and test the configuration

In the lab, there is a Linux server on a separate VLAN that is connected to GigabitEthernet0/2. The FQDN for this server is
isolated.dcloud.local, and it has the IP address 198.19.10.220/24. Note that this address is in the same subnet as the inside
network.

The objective is to join these VLANs using a bridge group on the NGFW. Traffic between these VLANs will be inspected.

NOTE: In this exercise, both interfaces in the bridge group are put in the same security zone. However, this is not required. A
bridge group can contain interfaces in different security zones. This allows more granular control of traffic between interfaces in
the same bridge group.

Steps

Create the Object

Create the object needed for this lab exercise:

1. On the FMC, navigate to Objects > Object Management. Select Interface from the left navigation panel.

a. Click Add > Security Zone.

b. For Name, enter BVIZone. Select Switched from the Interface Type drop-down menu.

c. Click Save.

Modify the NGFW interface configuration


1. Navigate to Devices > Device Management > NGFW1.
a. Click on the pencil icon to edit the NGFW1 device configuration, and select the Interfaces tab.

b. Click on the pencil icon to edit the GigabitEthernet0/1 interface.

c. Remove the IPv4 address and click OK. This IP must be removed, so it can be used on another interface.

d. Click Add Interfaces, and select Bridge Group Interface.

e. For Name enter InsideBVi.

f. For Bridge Group ID, enter 1

g. Select GigabitEthernet0/1 and GigabitEthernet0/2, and click Add.

h. Select the IPv4 tab and enter the IP address 198.19.10.1/24.

i. Click OK.

j. Read the information in the popup box and click Yes.

2. Click on the pencil icon to edit the GigabitEthernet0/1 interface.

a. For Name enter inside1.

b. Confirm that the Enabled checkbox is checked.

c. Select BVIZone from the Security Zone drop-down list.

d. Click OK.

3. Click on the pencil icon to edit the GigabitEthernet0/2 interface.

a. For Name enter inside2.

b. Check the Enabled checkbox.

c. Select BVIZone from the Security Zone drop-down list.

d. Click OK.

4. Click Save to save the device configuration.

Modify the NAT policy

NOTE: If you want the static NAT rule to work with the BVI interfaces, you must include this step. This is because object NAT
does not allow zones with more than one interface.

1. Navigate to Objects > Object Management. Select Interface from the left navigation panel.

a. Click Add > Interface Group.

b. For Name, enter InZoneirb1.

c. For Interface Type, select Switched.

d. Select the interface NGFW1 > inside1 and click Add.

e. Click Save.

2. Navigate to Devices > NAT.

3. Edit the Default_PAT policy.

a. Replace InZone1 with InZoneirb1 in all the Auto NAT rules.

b. Replace InZone1 with BVIZone in every other rule.

c. Modify the NAT rule that has Original Destination: wwwout Translated Destination: wwwindns to Translated
Destination: wwwin

d. Click Save to save the NAT policy.

Modify the access control policy

1. Navigate to Policies > Access Control > Access Control.
a. Click on the pencil icon to edit the Base_Policy.
b. Click on the pencil icon next to the Mandatory rule Block ICMP over GRE.
i. Disable or delete that firewall rule.
c. Click on the pencil icon next to the rule Allow GRE Traffic.
i. Disable or delete that firewall rule.
d. Replace InZone1 with BVIZone in every rule.
i. Remove all other zones if you want to remove the warnings.

2. Add an access control rule to allow (but inspect) traffic between interfaces in BVIZone.

a. For Name, enter Allow East West Traffic.

b. Select into Default rule from the Insert drop-down list

c. The Zones tab should already be selected.

d. Select BVIZone, and click Add to Source.

e. Select BVIZone, and click Add to Destination.

f. Select dCloud Balanced Intrusion from the Intrusion Policy drop-down list.

g. From File Policy select Block Malware.

h. Click Apply to add the rule.

3. Click Save to save the changes to the access control policy.

4. Deploy the policies to NGFW1 and test the configuration.

a. Look at the warning and deploy.
NOTE: Deploy the configuration changes and wait for the deployment to complete.

5. From the Kali Inside Linux Server CLI, test connectivity by typing ping isolated. This should succeed.

a. If the ping does not succeed check the Mandatory rules for the Base_Policy and change the Destination Zone from
any to a different zone.

6. From the Kali Inside Linux Server CLI, test the IPS capabilities.

a. Run the following command from the Kali Inside Linux server CLI: ftp isolated

b. Log in as guest, password C1sco12345.

i. Type cd ~root. You should see the following message:

ii. 421 Service not available, remote server has closed connection
1. If you do not see the above message, press Ctrl+C.
iii. Type quit to end the ftp session.
c. From the Kali Inside Linux server CLI, test the file and malware blocking capabilities.

i. As a control test, use wget to download a file that is not blocked: wget -t 1 isolated/files/ProjectX.pdf

1. This should succeed.

ii. Next, use wget to attempt to download the file blocked by type: wget -t 1 isolated/files/test3.avi

NOTE: Very little of the file is downloaded. This is because the NGFW can detect the file type when it sees the first block of data.
The dCloud Balanced Intrusion is configured to block AVI files.

iii. Finally, use wget to attempt to download malware: wget -t 1 isolated/files/Zombies.pdf

NOTE: About 99% of the file is downloaded. This is because the NGFW needs the entire file to calculate the SHA. The NGFW
holds onto the last block of data until the hash is calculated and looked up. The Demo File Policy is configured to block malware
detected in PDF files.
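The two NOTEs above, and the matching ones in Scenario 5 step 5, describe why a blocked file type stops after the first block of data while a malware verdict arrives only after the last one. The following Python is an added illustration, not Cisco's file-inspection code, that models that streaming decision on constructed stand-ins for test3.avi, Zombies.pdf and ProjectX.pdf; the magic-byte table, the block size and the set of known-bad SHA-256 values are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

BLOCK_SIZE = 1024  # constructed: size of one data block the inspector sees at a time

def sniff_type(first_block):
    """Identify the file type from magic bytes in the first block of data."""
    if first_block[:4] == b"RIFF" and first_block[8:12] == b"AVI ":
        return "AVI"
    if first_block[:4] == b"%PDF":
        return "PDF"
    return "unknown"

@dataclass
class Verdict:
    disposition: str    # "blocked_type", "malware" or "clean"
    file_type: str
    size: int           # bytes the server tried to send
    forwarded: int      # bytes that actually reached the client
    sha256: str = None  # only available once the whole file has been seen

def inspect_download(data, blocked_types, known_bad_sha256, block_size=BLOCK_SIZE):
    """Stream the file block by block and decide as early as the policy allows.

    A file-type block needs only the first block, so nothing is forwarded.
    A malware lookup needs the SHA-256 of the complete file, so every block
    but the last is forwarded before a verdict exists; the last block is held
    until the hash has been computed and looked up.
    """
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    file_type = sniff_type(blocks[0]) if blocks else "unknown"
    if file_type in blocked_types:
        return Verdict("blocked_type", file_type, len(data), 0)
    digest, forwarded = hashlib.sha256(), 0
    for block in blocks[:-1]:
        digest.update(block)
        forwarded += len(block)   # already on the wire to the client
    if blocks:
        digest.update(blocks[-1])  # hashed but held back
    sha = digest.hexdigest()
    if sha in known_bad_sha256:
        return Verdict("malware", file_type, len(data), forwarded, sha)
    return Verdict("clean", file_type, len(data), len(data), sha)

def percent_delivered(verdict):
    """Share of the file the client received before the verdict, in percent."""
    return round(100 * verdict.forwarded / verdict.size, 2) if verdict.size else 0.0

# Constructed sample files standing in for test3.avi, Zombies.pdf and ProjectX.pdf
FAKE_AVI = b"RIFF" + (100 * 1024).to_bytes(4, "little") + b"AVI LIST" + b"\x00" * (100 * 1024)
FAKE_MALWARE_PDF = b"%PDF-1.4\n" + b"A" * (100 * 1024) + b"\n%%EOF"
FAKE_CLEAN_PDF = b"%PDF-1.4\n" + b"B" * (100 * 1024) + b"\n%%EOF"

# Constructed policy: block AVI by type; the malware disposition is a hash lookup
BLOCKED_TYPES = {"AVI"}
KNOWN_BAD_SHA256 = {hashlib.sha256(FAKE_MALWARE_PDF).hexdigest()}

if __name__ == "__main__":
    samples = [("test3.avi", FAKE_AVI), ("Zombies.pdf", FAKE_MALWARE_PDF),
               ("ProjectX.pdf", FAKE_CLEAN_PDF)]
    for name, blob in samples:
        v = inspect_download(blob, BLOCKED_TYPES, KNOWN_BAD_SHA256)
        print(f"{name:13s} {v.disposition:13s} {percent_delivered(v):6.2f}% of {v.size} bytes delivered")
```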

Remove IRB Lab components

1. Devices > Device Management > click the pencil icon on the NGFW1 line

2. Click the Remove icon on the BVI1 interface.

3. Go to GigabitEthernet 0/1 and click the pencil icon.
a. Name: in10
b. Click Enabled
c. Security Zone: InZone1
d. IPv4: 198.19.10.1/24
e. Click OK

4. Go to GigabitEthernet 0/2 and remove the name from the interface and make sure it is enabled.
a. Name: in20
b. Security Zone: InZone2
c. IPv4: 198.19.20.1/24
d. Click OK
e. Click Save
5. Go to Devices > NAT > Default PAT.
a. Replace InZoneirb1 with InZone1 for all NAT rules
b. Replace BVIZone with InZone1
c. Click Save

6. Go to Policies > Access Control > Base_Policy

a. Click the pencil icon
b. Replace ALL BVIZone with InZone1
i. If you deleted other zones, recreate InZone2-4
c. Delete the Block ICMP over GRE rule in Mandatory if not already done
d. You can delete the line with BVIZone to BVIZone used for the Allow Internal Traffic
e. You can delete the line with Allow GRE Traffic if not already done
f. Modify the Allow Outbound rule for ICMP
g. Click Save

7. Click Deploy
a. Select NGFW1
8. Test the Network
a. From Kali Inside Linux Server [root/C1sco12345]
i. Ping Outside

b. From Outside Linux Server [root/C1sco12345]
i. Ping 198.18.133.120 (Outside NAT Address of FMC)
ii. Ping 198.18.128.202 (Outside NAT Address of Kali Inside Linux Server)

c. Open a session to NGFW-BR 1
i. Open the Command Prompt
1. Ping 198.18.133.120 (Outside NAT Address of FMC)
2. Ping 198.18.128.202 (Outside NAT Address of Kali Inside Linux Server)
