TechTalk 170920 Architecture Deployment Management

Cisco Firepower Threat Defense Tech Talk


Firepower Threat Defense

Tech Talk
Architecture and Deployment
Abhishek Singh, Technical Marketing Engineer
Anant Mathur, Technical Marketing Engineer Manager
Eric Kostlan, Technical Marketing Engineer
Nanda Kumar, Technical Marketing Engineer Manager

September 13th, 2017


Agenda
• Architecture
• Packet Flows
• Deployment and Interface Modes
• Resiliency options
• Platform Overview

© 2017-2018 Cisco and/or its affiliates. All rights reserved, 2


Architecture

FTD High-level overview
Firepower Threat Defense (FTD) merges 2 products:
• ASA
• Firepower (Snort)

Developed to solve 2 main problems:
• Different management for ASA and FirePOWER (FPR)
• Duplicated functions between ASA and FirePOWER


FirePOWER on ASA vs FTD
FirePOWER on ASA:
• Requires 2 software images
• 2 Operating Systems on the same HW
• Duplicated functionality
• 2 management applications

FTD:
• Zero-copy packet inspection
• Unified management (FMC/FDM)


Architecture Diagram



Modifications to ASA

• DP threads poll on local RX queues first, exhausting local work before polling remote RX queues
• PDTS only load balances to local Snort instances


FMC Management Architecture
• Evolution of the Defense Center (DC) with Cisco Security Manager (CSM) components
• Deploys Sourcefire (SF) config files and ASA delta CLI
• Communicates with the device over the SF Tunnel (sftunnel)
• Receives status events (health, HA / Clustering, interface updates, etc.)


FTD Management interface
• The FTD physical Management interface is divided into 2 logical sub-interfaces:
  • diagnostic (shown by ‘show interface ip brief’ in the ASA CLI)
  • br1 (shown by ‘show network’ in the CLISH CLI)
• The sftunnel between FMC and FTD is terminated on br1


FTD Management interface
• FTD br1 vs diagnostic subinterface comparison

br1
• Purpose: used to assign the FTD IP address that is used for FTD/FMC communication (sftunnel); also provides SSH access to the FTD box
• Mandatory: yes, since it is used for FTD/FMC communication (the sftunnel terminates on it)
• Verification, from the CLISH CLI:
> show network
=======[ br1 ]=======
State                     : Enabled
Channels                  : Management & Events
MAC Address               : 18:8B:9D:1E:CA:7B
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 10.62.148.29
Netmask                   : 255.255.255.128
Broadcast                 : 10.62.148.127

diagnostic
• Purpose: provides remote access to the ASA engine CLI; used as the source for ASA syslog, AAA messages, etc.
• Mandatory: no, and it is actually not recommended to configure it. The recommendation is to use a data interface instead
• Verification, from the ASA CLI:
firepower# show interface ip brief
Interface        IP-Address    OK? Method Status  Protocol
...
Management1/1    192.168.1.1   YES unset  up      up
Packet Flow



FTD Packet Processing – The big picture

1. A packet enters the ingress interface and is handled by the ASA engine
2. If the policy requires it, the packet is inspected by the Snort engine
3. The Snort engine returns a verdict (whitelist or blacklist) for the packet
4. The ASA engine drops or forwards the packet based on Snort’s verdict
• Snort engine runs 6.x code
• ASA engine runs 9.X.x code
High Level Packet Processing on FTD

Packet → Early Security Checks → Trust? → (Yes) Egress details verification
                                        → (No) Advanced Security Checks → Egress details verification

Note: Packets can be dropped at any of the 3 stages (Early Security Checks, Advanced Security Checks, Egress details verification)


Unified Access Control Policy

The unified ACP as configured on FMC:

Policy ID  L3/L4 Source  L3/L4 Destination  L7 fields    Action  File, IPS policies
R1         S1            D1                              Trust
R2         S2            D2                              Deny    Log
R3         S3            D3                 App=Google+  Permit  IPS-1, File-1
R4         S4            D4                 URL=Games    Warn    File-2
R5         S5            D5                              Permit  IPS-2

What is deployed to the ASA engine (global access-group):

Policy ID  L3/L4 Source  L3/L4 Dest  Action
R1         S1            D1          Trust
R2         S2            D2          Deny, Log
R3         S3            D3          Permit
R4         S4            D4          Permit
R5         S5            D5          Permit

What is deployed to the Snort engine (NGFW Access Policy):

Policy ID  L3/4 ID fields  L7 fields    Action  Profiles
R3         …               App=Google+  Permit  IPS-1, File-1
R4         …               URL=Games    Warn    File-2
R5         …                            Permit  IPS-2

Rules that need only L3/L4 conditions (R1 Trust, R2 Deny) are enforced entirely by the ASA engine and never reach Snort; rules with L7 conditions or inspection profiles (R3 to R5) are pushed to the ASA engine as Permit and resolved by the Snort engine.
FTD Packet Processing: Detailed



FTD Packet Processing: Ingress Interface

• The packet arrives on the ingress interface.
• Input counters are incremented by the NIC and periodically retrieved by the CPU
• As on classic ASA, the input queue (RX ring) is an indicator of packet load: ‘curr’ is the number of free blocks now and ‘low’ the lowest number of free blocks seen, so a ‘low’ value near 0 means the ring has been exhausted and overruns are likely
> show interface g1/2 detail
Interface GigabitEthernet1/2 "inside", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
IPS Interface-Mode: inline-tap, Inline-Set: Set1
47770671 packets input, 7620806887 bytes, 0 no buffer
Received 23734506 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
input queue (blocks free curr/low): hardware (1008/800)
output queue (blocks free curr/low): hardware (1023/985)
FTD Packet Processing: Connection Lookup

• The ASA engine checks for an existing connection
• If a match is found the packet takes the Fast Path, bypassing the basic checks
firepower# show capture CAPO packet-number 2 trace
2 packets captured
2: 12:51:51.094691 192.168.76.14 > 192.168.75.14: icmp: echo reply
...
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1541, using existing flow
FTD Packet Processing: UN-NAT/Egress int.

• Egress interface determination
• If destination NAT applies (UN-NAT), the egress interface is determined from the NAT rule, unless route lookup is preferred (identity NAT)
firepower# show capture DMZ packet-number 3 trace detail
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static Host-A Host-B
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.76.100/0 to 192.168.75.14/0
FTD Packet Processing: UN-NAT/Egress int.

• When a route lookup takes place, the ‘in’ entries of the ASP routing table are checked to determine the egress interface:
firepower# show asp table routing
route table timestamp: 449
in 192.168.75.0 255.255.255.0 inside
in 192.168.76.0 255.255.255.0 dmz
in 192.168.77.0 255.255.255.0 outside
in 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 255.255.255.255 255.255.255.255 outside
out 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 10.1.1.0 255.255.255.0 via 192.168.77.1, outside


FTD Packet Processing: Prefilter Policy

• The Prefilter Policy was introduced in version 6.1
• It serves 2 main purposes:
  1. Adds flexibility when handling tunneled traffic:
    • GRE
    • IP-in-IP
    • IPv6-in-IP
    • Teredo (UDP port 3544)
  2. Provides Early Access Control (EAC), which allows a flow to bypass the Snort engine completely




FTD Packet Processing: Prefilter Policy

• Navigate to Policies > Access Control > Prefilter and create a Prefilter Policy
• Add one or more Tunnel and/or Prefilter (Early Access Control) rules and attach the Policy to the ACP


FTD Packet Processing: Prefilter Policy (tunneled)

• Classic ASA checks the outer IP header
• A FirePOWER device (Snort) checks the inner IP header
• On FTD the ASA code checks the outer IP header while the Snort engine checks the inner IP header


FTD Packet Processing: Prefilter Policy (tunneled)

• Tunnel Rules provide 3 possible actions:
1. Block – Drops the tunneled traffic
2. Fastpath – Allows the tunneled traffic and bypasses the Snort engine
3. Analyze – Sends the tunneled traffic to the Snort engine. Optionally allows traffic tagging
FTD Packet Processing: Prefilter Policy (tunneled)

• How the Analyze action works: the ASA engine permits the GRE flow, and the ngfw.rules entry with the same rule-id carries the tunnel tag (tunnel 2) that later AC rules can match on; the default tunnel rule carries no tag (tunnel -1)

firepower# show access-list
access-list CSM_FW_ACL_ line 5 remark rule-id 268435473: RULE: Tunnel_Rule1
access-list CSM_FW_ACL_ line 6 advanced permit gre any any rule-id 268435473

root@FTD5506-1:/var/sf/detection_engines/UUID# cat ngfw.rules

# Start of tunnel and priority rules.
# These rules are evaluated by LINA. Only tunnel tags are used ..
268435473 allow any any any any any any any 47 (tunnel 2)
268434456 allow any any any any any any any 4 (tunnel -1)
268434456 allow any any any any any any any 41 (tunnel -1)
# End of tunnel and priority rules.
# Start of AC rule.
268435474 allow 2 any any any any any any any
268435468 allow any any any any any any any any (log dcforward)
# End of AC rule.
FTD Packet Processing: Prefilter Policy (EAC)

• Early Access Control Rules provide 3 possible actions:
1. Block – Drops the traffic
2. Fastpath – Allows the traffic and bypasses the Snort engine
3. Analyze – Sends the traffic to the Snort engine
FTD Packet Processing: Prefilter Policy

• Prefilter Rules are deployed to the ASA engine as L3/L4 ACEs and are placed above the normal L3/L4 ACEs of the Access Control Policy
firepower# show access-list
access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3
[EAC Prefilter Rules]
access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268434457: RULE: Fastpath_Rule1
access-list CSM_FW_ACL_ line 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0)
[Tunnel Prefilter Rules]
access-list CSM_FW_ACL_ line 4 remark rule-id 268434456: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268434456: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268434456 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268434456 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268434456 (hitcnt=2) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any any eq 3544 rule-id 268434456 (hitcnt=0) 0xcf6309bc
[L3/L4 ACEs of the Access Control Policy]
access-list CSM_FW_ACL_ line 10 remark rule-id 268434445: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 11 remark rule-id 268434445: L4 RULE: Block ICMP
access-list CSM_FW_ACL_ line 12 advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start (hitcnt=0) 0x8bf72c63
access-list CSM_FW_ACL_ line 13 remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ line 14 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268434434 (hitcnt=410) 0xa1d3780e
FTD Packet Processing: L3/L4 ACL

• The Access Control Policy (ACP) configured on FMC is pushed to the ASA engine as an advanced L3/L4 global ACL (CSM_FW_ACL_) and to the Snort engine as AC rules in the /var/sf/detection_engines/UUID/ngfw.rules file
firepower# show run access-list
access-list CSM_FW_ACL_ advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start
firepower# show run access-group
access-group CSM_FW_ACL_ global

• 7 possible actions for the traffic: Allow, Trust, Monitor, Block, Block with reset, Interactive Block, Interactive Block with reset (each is covered in the following slides)


FTD Packet Processing: L3/L4 ACL - Allow

• An Allow Rule is pushed to the ASA engine as a permit action and to the Snort engine as an allow action. The rule-id correlates the ASA rules with the Snort rules
firepower# show access-list
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ line 11 remark rule-id 268435457: L4 RULE: ACP_Rule2_Allow_ICMP_Type
access-list CSM_FW_ACL_ line 12 advanced permit icmp host 2.2.2.2 host 3.3.3.3 echo rule-id 268435457
root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435457 allow any 2.2.2.2 32 8 any 3.3.3.3 32 any any 1
FTD Packet Processing: L3/L4 ACL - Allow

• packet-tracer shows that the ASA engine will send the packet to the Snort engine for a verdict
> packet-tracer input inside icmp 1.1.1.1 8 0 2.2.2.2

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached


FTD Packet Processing: L3/L4 ACL - Allow

• Tracing a real packet shows the Snort verdict

firepower# show capture CAPI packet-number 1 trace
1: 09:17:18.996149 1.1.1.1 > 2.2.2.2: icmp: echo request
!
Phase: 4
Type: ACCESS-LIST
...
This packet will be sent to snort for additional processing where a verdict will be reached
!
Phase: 13
Type: EXTERNAL-INSPECT
...
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
...
Snort Verdict: (pass-packet) allow this packet
FTD Packet Processing: L3/L4 ACL - Allow

• The ‘Allow’ action forwards all packets of the flow to the Snort engine.
• In the show snort statistics output they are counted as Passed Packets
> clear snort statistics
> show snort statistics

Packet Counters:
Passed Packets 5
Blocked Packets 0
Injected Packets 0

Flow Counters:
Fast-Forwarded Flows 0
Blacklisted Flows 0
Flows bypassed (Snort Down) 0
Flows bypassed (Snort Busy) 0


FTD Packet Processing: L3/L4 ACL - Trust

• A Trust Rule is pushed to the ASA engine as a trust action and to the Snort engine as a fastpath action
firepower# show access-list
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477

root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435477 fastpath any 4.4.4.4 32 any any 5.5.5.5 32 53 any 17


FTD Packet Processing: L3/L4 ACL - Trust

• packet-tracer shows that the ASA engine will not send any packets to the Snort engine: an empty ‘Additional Information:’ section means the packet is not going to be redirected to the Snort engine
> packet-tracer input inside udp 4.4.4.4 1111 5.5.5.5 53

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:


FTD Packet Processing: L3/L4 ACL - Trust

• Tracing real packets shows that no packets are sent to Snort; the Snort statistics confirm it (Passed Packets stays at 0)
> show capture CAPI packet-number 1 trace
1: 19:46:23.626386 192.168.75.14.50152 > 192.168.76.14.53: udp 34

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 192.168.75.14 host 192.168.76.14 eq domain
access-list CSM_FW_ACL_ remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:

> show snort statistics

Packet Counters:
Passed Packets 0
Blocked Packets 0
Injected Packets 0

Flow Counters:
Fast-Forwarded Flows 0
Blacklisted Flows 0
Flows bypassed (Snort Down) 0
Flows bypassed (Snort Busy) 0

Miscellaneous Counters:
Start-of-Flow events 23
End-of-Flow events 49
FTD Packet Processing: L3/L4 ACL - Trust

• If one or more of the following is true, the Trust Rule is pushed to the ASA engine as a permit action instead of trust, because the Snort engine has to see the flow: an Application is used as a condition, and/or Security Intelligence (SI), QoS, an Identity Policy or an SSL Policy applies
firepower# show access-list
access-list CSM_FW_ACL_ line 14 remark rule-id 268435458: L7 RULE: ACP_Rule3_Trust_DNS_App
access-list CSM_FW_ACL_ line 15 advanced permit ip host 3.3.3.3 host 4.4.4.4 rule-id 268435458

root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435458 fastpath any 3.3.3.3 32 any any 4.4.4.4 32 any any any (appid 617:1)


FTD Packet Processing: L3/L4 ACL - Trust

• In that case packet-tracer shows that the ASA engine will send the packet to the Snort engine for a verdict
> packet-tracer input inside udp 3.3.3.3 1111 4.4.4.4 53

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 3.3.3.3 host 4.4.4.4 rule-id 268435458
access-list CSM_FW_ACL_ remark rule-id 268435458: ACCESS POLICY: FTD5506-1 - Mandatory/3
access-list CSM_FW_ACL_ remark rule-id 268435458: L7 RULE: ACP_Rule3_Trust_DNS_App
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached


FTD Packet Processing: L3/L4 ACL - Trust

• Tracing real packets shows that the first few packets of the flow are sent to Snort (enough to identify the application), while the remaining ones bypass the Snort engine with a fast-forward verdict. The Snort statistics reflect this (Passed Packets vs Fast-Forwarded Flows).
> show capture CAPI packet-number 1 trace
Phase: 4
Type: EXTERNAL-INSPECT
Application: 'SNORT Inspect'
Phase: 5
Type: SNORT
Snort Verdict: (pass-packet) allow this packet

> show capture CAPI packet-number 10 trace
Phase: 3
Type: FLOW-LOOKUP
Found flow with id 23429, using existing flow
Phase: 4
Type: SNORT
Snort Verdict: (fast-forward) fast forward this flow

> show snort statistics

Packet Counters:
Passed Packets 2
Blocked Packets 0
Injected Packets 0

Flow Counters:
Fast-Forwarded Flows 7
Blacklisted Flows 0
Flows bypassed (Snort Down) 0
Flows bypassed (Snort Busy) 0
FTD Packet Processing: L3/L4 ACL - Monitor

• A Monitor Rule is pushed to the ASA engine as a permit action and to the Snort engine as an audit action
firepower# show access-list
access-list CSM_FW_ACL_ line 17 remark rule-id 268435459: L7 RULE: ACP_Rule4_Monitor_HTTP
access-list CSM_FW_ACL_ line 18 advanced permit ip host 4.4.4.4 host 5.5.5.5 rule-id 268435459

root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435459 audit any 4.4.4.4 32 any any 5.5.5.5 32 any any any (log dcforward flowend) (appid 676:1)


FTD Packet Processing: L3/L4 ACL - Monitor

• A Monitor Rule neither drops nor permits traffic; it generates a Connection Event. The packet is then checked against the subsequent rules and is either allowed or dropped by one of them
• The FMC Connection Events show that the packet matched 2 rules, including the Monitor Rule


FTD Packet Processing: L3/L4 ACL - Monitor

• The CLISH Snort debug shows that the packet matches 2 rules (audit + block in this case)
> system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address: 4.4.4.4
Please specify a client port:
Please specify a server IP address: 5.5.5.5
Please specify a server port: 80
Monitoring firewall engine debug messages
...
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 match rule order 4, 'ACP_Rule4_Monitor_HTTP', action Audit
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 no match rule order 5, 'ACP_Rule5_Block_Telnet_App', src network and GEO
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 no match rule order 6, 'ACP_Rule6_Block_Telnet_Port', DstPort
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 no match rule order 7, 'ACP_Rule7_Block_RST_Youtube', src network and GEO
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 no match rule order 8, 'ACP_Rule8_Interactive_Block', src network and GEO
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 no match rule order 9, 'ACL_Rule9_Interactive_Blck_RST', src network and GEO
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 match rule order 10, id 268434434 action Block
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 deny action
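The rule-by-rule trace above is what you read by eye during troubleshooting. The following Python script, an added example that is not part of the Cisco deck, parses the same firewall-engine-debug line format into a per-flow record, so that the Monitor (Audit) hit and the rule that actually decided the flow can be reported programmatically. The line layout it assumes (source-port > destination-port, IP protocol, AS, Snort instance, message) is taken from the lines quoted in this deck, and the sample input is constructed from them.

```python
"""Turn 'system support firewall-engine-debug' output into a per-flow trace: which rules
matched, which were skipped and why, and the final Snort action.  Added example, not from
the Cisco deck; the sample lines are constructed from the ones the deck shows.  Assumed
line layout:  <src>-<sport> > <dst>-<dport> <ipproto> AS <n> I <snort instance> <message>"""
import re
from collections import defaultdict

FLOW_RE = re.compile(r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) "
                     r"(?P<proto>\d+) AS (?P<as>\d+) I (?P<inst>\d+) (?P<msg>.*)$")
NOMATCH_RE = re.compile(r"^no match rule order (?P<order>\d+), '(?P<name>[^']*)', (?P<why>.+)")
MATCH_RE = re.compile(r"^match rule order (?P<order>\d+), (?:'(?P<name>[^']*)',|id (?P<id>\d+))"
                      r" action (?P<action>.+)")
ACTION_RE = re.compile(r"^(?P<verb>allow|deny|reset|bypass) action")   # Snort's decision line


def new_flow() -> dict:
    return {"instance": None, "matched": [], "skipped": [], "actions": [], "verdict": None}


def parse_debug(text: str) -> dict:
    flows = defaultdict(new_flow)
    for raw in text.splitlines():
        m = FLOW_RE.match(raw.strip())
        if not m:
            continue                       # prompts, '...', blank lines
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        f, msg = flows[key], m["msg"]
        f["instance"] = int(m["inst"])
        if mm := NOMATCH_RE.match(msg):
            f["skipped"].append((int(mm["order"]), mm["name"], mm["why"]))
        elif mm := MATCH_RE.match(msg):
            name = mm["name"] if mm["name"] is not None else f"id {mm['id']}"
            f["matched"].append((int(mm["order"]), name, mm["action"]))
        elif mm := ACTION_RE.match(msg):
            f["actions"].append(mm["verb"])
            f["verdict"] = mm["verb"]      # the last action line is what Snort returned
    return dict(flows)


def deciding_rule(flow: dict):
    """A Monitor rule (action Audit) only logs; the flow is decided by the last non-Audit match."""
    for order, name, action in reversed(flow["matched"]):
        if action != "Audit":
            return (order, name, action)
    return None


def report(flows: dict) -> list:
    lines = []
    for (src, sport, dst, dport, proto), f in flows.items():
        monitored = [n for _, n, a in f["matched"] if a == "Audit"]
        lines.append(f"{src}:{sport} -> {dst}:{dport}/{proto} on instance {f['instance']}: "
                     f"monitored by {monitored or 'none'}, decided by {deciding_rule(f)}, "
                     f"verdict {f['verdict']}")
    return lines


# Constructed sample: three flows taken from the debug lines quoted in the deck.
SAMPLE = """\
> system support firewall-engine-debug
Please specify an IP protocol: tcp
...
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 match rule order 4, 'ACP_Rule4_Monitor_HTTP', action Audit
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 no match rule order 5, 'ACP_Rule5_Block_Telnet_App', src network and GEO
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 no match rule order 6, 'ACP_Rule6_Block_Telnet_Port', DstPort
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 match rule order 10, id 268434434 action Block
4.4.4.4-36758 > 5.5.5.5-80 6 AS 1 I 1 deny action
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 Starting with minimum 6, 'ACP_Rule5_Block_Telnet_App', and IPProto first with zones 3 -> 1
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 match rule order 5, 'ACP_Rule5_Block_Telnet_App', action Block
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 deny action
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 New session
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 match rule order 8, 'ACP_Rule8_Interactive_Block', action Interactive
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 bypass action interactive bypass
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 allow action
"""

if __name__ == "__main__":
    print("\n".join(report(parse_debug(SAMPLE))))
```

Feeding the script a real debug capture is a quick way to confirm that a Monitor rule is being hit without deciding anything, and to spot a flow whose final action line never arrives (Snort still waiting on more packets for application identification).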
FTD Packet Processing: L3/L4 ACL - Block

• A Block Rule is pushed to the ASA engine as a permit or deny action depending on the rule conditions, and to the Snort engine as a deny rule. A rule with only L3/L4 conditions (e.g. a destination port) becomes an ASA deny and is dropped by the ASA engine; a rule with an Application condition becomes an ASA permit and is dropped by the Snort engine, which must see the flow to identify the application. If both conditions are present, the Application condition takes precedence over the destination port, so the rule is pushed as permit.
firepower# show access-list
access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
(packets matching this rule are dropped by the Snort engine)
access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464
(packets matching this rule are dropped by the ASA engine)
root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6
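Across the Allow, Trust, Monitor and Block slides the same pattern repeats: the rule-id ties a CSM_FW_ACL_ ACE to an ngfw.rules entry, and the ASA-side action (trust, deny or permit) tells you whether LINA decides the flow alone or hands it to Snort. The following Python script, an added example and not Cisco tooling, correlates the two outputs by rule-id and reports where each rule is enforced; it also checks the ordering constraint from the Prefilter Policy slide (prefilter ACEs above the ACP's own ACEs). The sample outputs are constructed from the lines quoted in this deck, and the layout of the ngfw.rules fields after the action is an assumption (only rule-id and action are interpreted).

```python
"""Correlate CSM_FW_ACL_ (ASA engine) with ngfw.rules (Snort engine) by rule-id.
Added example, not from the Cisco deck.  Samples are constructed from lines the
deck quotes; ngfw.rules fields after the action are treated as opaque (assumption)."""
import re
from dataclasses import dataclass

ASA_REMARK = re.compile(r"access-list \S+ line (?P<line>\d+) remark rule-id (?P<id>\d+): "
                        r"(?P<kind>PREFILTER POLICY|ACCESS POLICY|L4 RULE|L7 RULE|RULE): (?P<text>.*)")
ASA_ACE = re.compile(r"access-list \S+ line (?P<line>\d+) advanced (?P<action>permit|deny|trust) "
                     r"(?P<match>.*?) rule-id (?P<id>\d+)")
SNORT_RULE = re.compile(r"^(?P<id>\d+) (?P<action>[a-z]+) (?P<rest>.*)$")  # '#' comments never match

# What the Snort-side action does with a flow that LINA permitted and handed over.
SNORT_ACTIONS = {"allow": "Allow, every packet inspected",
                 "fastpath": "Trust, first packets inspected then fast-forwarded",
                 "audit": "Monitor, logged and evaluation continues",
                 "deny": "Block, flow blacklisted by verdict",
                 "reset": "Block with reset", "bypass": "Interactive Block",
                 "intreset": "Interactive Block with reset"}


@dataclass
class AcpRule:
    rule_id: int
    name: str = ""
    section: str = ""      # text of the PREFILTER POLICY / ACCESS POLICY remark
    asa_line: int = 0
    asa_action: str = ""   # permit / deny / trust
    asa_match: str = ""
    snort_action: str = ""
    snort_opts: str = ""

    def enforced_by(self) -> str:
        """Which engine decides the flow: LINA alone for trust/deny, Snort after a permit."""
        if self.asa_action == "trust":
            return "LINA (trusted, never sent to Snort)"
        if self.asa_action == "deny":
            return "LINA (dropped before Snort)"
        if self.asa_action == "permit" and self.snort_action:
            return "Snort (" + SNORT_ACTIONS.get(self.snort_action, self.snort_action) + ")"
        return "unknown: ASA permit without a Snort rule for this rule-id"


def parse_asa_acl(text: str) -> dict:
    rules = {}
    for line in map(str.strip, text.splitlines()):
        if m := ASA_REMARK.match(line):
            r = rules.setdefault(int(m["id"]), AcpRule(int(m["id"])))
            if m["kind"].endswith("POLICY"):
                r.section = f"{m['kind']}: {m['text']}"
            else:
                r.name = m["text"]
        elif m := ASA_ACE.match(line):
            r = rules.setdefault(int(m["id"]), AcpRule(int(m["id"])))
            r.asa_line, r.asa_action, r.asa_match = int(m["line"]), m["action"], m["match"]
    return rules


def correlate(asa_text: str, snort_text: str) -> dict:
    rules = parse_asa_acl(asa_text)
    for line in map(str.strip, snort_text.splitlines()):
        if m := SNORT_RULE.match(line):
            r = rules.setdefault(int(m["id"]), AcpRule(int(m["id"])))
            r.snort_action, r.snort_opts = m["action"], m["rest"]
    return rules


def prefilter_above_acp(rules: dict) -> bool:
    """Prefilter ACEs must precede the ACP's own L3/L4 ACEs in CSM_FW_ACL_."""
    pre = [r.asa_line for r in rules.values() if r.section.startswith("PREFILTER") and r.asa_line]
    acp = [r.asa_line for r in rules.values() if r.section.startswith("ACCESS") and r.asa_line]
    return not pre or not acp or max(pre) < min(acp)


# Constructed samples, assembled from the outputs quoted in the deck.
ASA_ACL = """\
access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268434457: RULE: Fastpath_Rule1
access-list CSM_FW_ACL_ line 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0)
access-list CSM_FW_ACL_ line 7 remark rule-id 268435456: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464
"""
NGFW_RULES = """\
# Start of AC rule.
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435477 fastpath any 4.4.4.4 32 any any 5.5.5.5 32 53 any 17
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6
# End of AC rule.
"""

if __name__ == "__main__":
    rules = correlate(ASA_ACL, NGFW_RULES)
    for r in sorted(rules.values(), key=lambda x: x.asa_line):
        print(r.rule_id, r.name or "-", "ASA=" + (r.asa_action or "-"),
              "Snort=" + (r.snort_action or "-"), "->", r.enforced_by())
    print("prefilter ACEs above ACP ACEs:", prefilter_above_acp(rules))
```

The useful signal is the "unknown" case: an ASA permit with no Snort rule for the same rule-id means LINA will send the flow to Snort but nothing there is keyed to it, which is the kind of deploy mismatch worth catching before it shows up as unexpected allows.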
FTD Packet Processing: L3/L4 ACL - Block

• When traffic matches an ASA deny rule, tracing a real packet shows that the packet is dropped by the ASA engine and is not forwarded to Snort
firepower# show capture CAPI packet-number 1 trace
1: 12:29:00.844438 6.6.6.6.18791 > 7.7.7.7.23: S 2574076177:2574076177(0) win 4128 <mss 536>

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435464: ACCESS POLICY: FTD5506-1 - Mandatory/6
access-list CSM_FW_ACL_ remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
Additional Information:


FTD Packet Processing: L3/L4 ACL - Block

• For a Block Rule that uses an Application condition, tracing a real packet shows that the packet is dropped by the ASA engine due to the Snort engine verdict. Snort needs to process a few packets before it can determine the application type, so the drop is seen on packet 7 and the first packets of the flow (the TCP handshake) have already passed
firepower# show capture CAPI packet-number 7 trace
7: 13:42:53.655971 192.168.75.14.36775 > 192.168.76.14.23: P 4147441466:4147441487(21) ack 884051486 win 16695
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow

• The Snort engine debug shows how the verdict was determined
> system support firewall-engine-debug
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 Starting with minimum 6, 'ACP_Rule5_Block_Telnet_App', and IPProto first with zones 3 -> 1, geo 0(0) -> 0, vlan 0, sgt tag: untagged, svc 861, payload 0, client 2000000861, misc 0, user 9999997, url , xff
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 match rule order 5, 'ACP_Rule5_Block_Telnet_App', action Block
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 deny action
FTD Packet Processing: L3/L4 ACL - Block/RST

• A Block with reset Rule is pushed to the ASA engine as a permit or deny action depending on the rule conditions, and to the Snort engine as a reset rule
firepower# show access-list
access-list CSM_FW_ACL_ line 26 remark rule-id 268435461: L7 RULE: ACP_Rule7_Block_RST_Youtube
access-list CSM_FW_ACL_ line 27 advanced permit ip host 7.7.7.7 host 8.8.8.8 rule-id 268435461

root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435461 reset any 7.7.7.7 32 any any 8.8.8.8 32 any any any (appid 929:7)


FTD Packet Processing: L3/L4 ACL - Block/RST

• When a Block with Reset rule matches, FTD sends a TCP Reset packet (for TCP) or an ICMP Type 3 Code 13 Destination Unreachable (Administratively filtered) message (for other protocols)
• The Snort engine debug shows the Reset action
> system support firewall-engine-debug
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 match rule order 7, 'ACP_Rule7_Block_RST_Youtube', action Reset
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 reset action

• The Reset is sent after a few packets have been processed: the TCP handshake completes and the client pushes 398 bytes of data before the RST (packet 9), sourced from the server’s address, is seen
firepower# show capture CAPI
5: 15:10:56.983393 192.168.75.14.36776 > 192.168.76.14.80: S 894520672:894520672(0) win 8192 <mss 1260,nop,nop,sackOK>
6: 15:10:56.984675 192.168.76.14.80 > 192.168.75.14.36776: S 3490934048:3490934048(0) ack 894520673 win 8192 <mss 1380,nop,nop,sackOK>
7: 15:10:56.984980 192.168.75.14.36776 > 192.168.76.14.80: . ack 3490934049 win 65520
8: 15:10:56.985376 192.168.75.14.36776 > 192.168.76.14.80: P 894520673:894521071(398) ack 3490934049 win 65520
9: 15:10:56.994211 192.168.76.14.80 > 192.168.75.14.36776: R 3490934049:3490934049(0) ack 894521071 win 0
FTD Packet Processing: L3/L4 ACL - Inter. Block

• An Interactive Block Rule is pushed to the ASA engine as a permit or deny action depending on the rule conditions, and to the Snort engine as a bypass rule
firepower# show access-list
access-list CSM_FW_ACL_ line 29 remark rule-id 268435462: L7 RULE: ACP_Rule8_Interactive_Block
access-list CSM_FW_ACL_ line 30 advanced permit ip host 8.8.8.8 host 9.9.9.9 rule-id 268435462

root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435462 bypass any 8.8.8.8 32 any any 9.9.9.9 32 any any any (appid 61:7)


FTD Packet Processing: L3/L4 ACL - Inter. Block

• An Interactive Block Rule shows the user a page saying that the destination is forbidden
• The Snort debug shows that the rule was matched and an interactive response was sent
> system support firewall-engine-debug
8.8.8.8-36793 > 9.9.9.9-80 6 AS 1 I 0 match rule order 8, 'ACP_Rule8_Interactive_Block', action Interactive
8.8.8.8-36793 > 9.9.9.9-80 6 AS 1 I 0 bypass action sending interactive response of 1093 bytes


FTD Packet Processing: L3/L4 ACL - Inter. Block

• The user can click on the Continue button or refresh the browser page to bypass the block and continue
• If the user clicks on Continue, the Snort debug shows that the traffic is allowed by the same rule: after the interactive bypass the rule mimics an Allow action
> system support firewall-engine-debug
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 New session
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 match rule order 8, 'ACP_Rule8_Interactive_Block', action Interactive
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 bypass action interactive bypass
8.8.8.8-36794 > 9.9.9.9-80 6 AS 1 I 0 allow action
FTD Packet Processing: L3/L4 ACL - IB w/RST

• An Interactive Block with reset Rule is pushed to the ASA engine as a permit action (for the rule conditions used here) and to the Snort engine as an intreset rule
firepower# show access-list
access-list CSM_FW_ACL_ line 32 remark rule-id 268435463: L7 RULE: ACL_Rule9_Interactive_Blck_RST
access-list CSM_FW_ACL_ line 33 advanced permit ip host 9.9.9.9 host 10.10.10.10 rule-id 268435463

root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435466 intreset any 9.9.9.9 32 any any 10.10.10.10 32 any any any (appid 623:3)


FTD Packet Processing: L3/L4 ACL - IB w/RST

• As with Interactive Block, the user can click on the Continue button
• In the Snort debug the action shown is Interactive Reset
> system support firewall-engine-debug
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 Starting with minimum 9, 'ACL_Rule9_Interactive_Blck_RST', and IPProto first with zones 3 -> 1, geo 0(0) -> 0,
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 match rule order 9, 'ACL_Rule9_Interactive_Blck_RST', action Interactive Reset
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 bypass action sending interactive response of 1093 bytes
FTD Packet Processing: DAQ

• The Data Acquisition Library (DAQ) is the interface between the ASA engine and the Snort engine
• DAQ communicates with the ASA Datapath processes through the Packet Data Transport System (PDTS)
1. A packet is placed into DMA memory
2. The Datapath processes the packet
3. If the packet requires Snort inspection, a pointer to the packet is added to the PDTS TX queue of a specific Snort instance
4. Snort instances periodically read the TX rings and process the packets in DMA memory
5. When a Snort instance finishes processing, it puts a PDTS Notification (Verdict or SSL decrypted packet) onto the PDTS RX queue
6. The Datapath process reads the Verdict or copies the decrypted packet into DMA memory


FTD Packet Processing: DAQ

• To see the configuration and utilization of the PDTS queues, and the status of each Snort instance, from CLISH:
> show asp inspect-dp snort queues

SNORT Inspect Instance Queue Configuration

RxQ-Size: 1 MB
TxQ-Size: 128 KB
TxQ-Data-Limit: 102.4 KB (80%)
TxQ-Data-Hi-Thresh: 35.8 KB (28%)

Id QId        RxQ    RxQ        TxQ    TxQ
            (used) (util)     (used) (util)
-- ---- ---------- ------ ---------- ------
 0  All          0     0%          0     0%
 1  All          0     0%          0     0%

(RxQ/TxQ used and util columns: PDTS queue utilization per Snort instance)

> show asp inspect-dp snort

SNORT Inspect Instance Status Info

Id Pid   Cpu-Usage         Conns      Segs/Pkts  Status
         tot (usr | sys)
-- ----- ---------------- ---------- ---------- ----------
 0 4024   0% ( 0%| 0%)            5          0 READY
 1 4023   0% ( 0%| 0%)            0          0 READY

(Pid column: the Snort instance process ID)
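The queue counters above are the first thing to check when Snort is suspected of not keeping up with the datapath. This added example (not Cisco code, not from the deck) parses the "show asp inspect-dp snort queues" output and returns the Snort instances whose PDTS TxQ utilisation has reached the configured TxQ-Data-Hi-Thresh. The sample output is constructed in the layout shown above; instance 1 is given an invented backlog so the check has something to find, and using the Hi-Thresh value as the alerting threshold is an assumption of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed output in the layout of "show asp inspect-dp snort queues". The values on the
# page are all 0%, so instance 1 here carries an invented TxQ backlog to exercise the check.
SAMPLE_QUEUES = """\
SNORT Inspect Instance Queue Configuration

RxQ-Size: 1 MB
TxQ-Size: 128 KB
TxQ-Data-Limit: 102.4 KB (80%)
TxQ-Data-Hi-Thresh: 35.8 KB (28%)

Id QId        RxQ    RxQ        TxQ    TxQ
            (used) (util)     (used) (util)
-- ---- ---------- ------ ---------- ------
 0  All          0     0%          0     0%
 1  All      12288     1%      52428    40%
"""

THRESH_RE = re.compile(r"^(?P<name>TxQ-Data-Limit|TxQ-Data-Hi-Thresh):.*\((?P<pct>\d+)%\)$")
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<qid>\S+)\s+(?P<rx_used>\d+)\s+(?P<rx_util>\d+)%"
    r"\s+(?P<tx_used>\d+)\s+(?P<tx_util>\d+)%$"
)


def parse_snort_queues(text: str) -> Tuple[Dict[str, int], List[dict]]:
    """Return the configured percentage thresholds and one record per Snort instance row."""
    thresholds: Dict[str, int] = {}
    rows: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        t = THRESH_RE.match(line)
        if t:
            thresholds[t["name"]] = int(t["pct"])
            continue
        r = ROW_RE.match(line)
        if r:
            # every column except QId is numeric
            rows.append({k: (v if k == "qid" else int(v)) for k, v in r.groupdict().items()})
    return thresholds, rows


def congested_instances(text: str, default_hi_pct: int = 28) -> List[int]:
    """IDs of Snort instances whose PDTS TxQ utilisation is at or above TxQ-Data-Hi-Thresh.

    A sustained backlog there means the datapath is enqueueing packets for that instance faster
    than Snort drains them. Alerting on the Hi-Thresh value is this example's assumption.
    """
    thresholds, rows = parse_snort_queues(text)
    hi = thresholds.get("TxQ-Data-Hi-Thresh", default_hi_pct)
    return [row["id"] for row in rows if row["tx_util"] >= hi]
```

Run it periodically against the CLISH output and correlate a non-empty result with the Cpu-Usage column of "show asp inspect-dp snort": a busy instance with a full TxQ points at inspection load, while an idle instance with a full TxQ points at a stuck instance.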
FTD Packet Processing: SI (IP)

• Security Intelligence (SI) can Blacklist (drop) or Whitelist (allow) IP addresses early in the packet processing lifetime, within the Snort engine
• A Whitelist entry takes precedence over a Blacklist entry for the same address
• The Blacklist can be populated in 2 ways:
1. Manually by the FMC administrator
2. Automatically by an Intelligence Feed (Talos or custom) or List
• Snort returns a verdict to the ASA engine that the flow is blacklisted, and the ASA engine drops it
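The precedence rule above (whitelist wins, blacklist from several sources) is easy to get backwards when reasoning about an unexpected drop. As an added example (not Cisco code and not the deck's), here is a small evaluator that applies the same order: whitelist first, then the union of the feed and manual blacklists, for IPv4 and IPv6 prefixes. The list entries are constructed; the real feed files (.blf) and FMC objects are not modelled, and treating a flow as blacklisted when either endpoint matches is this example's assumption.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed entries. On an FTD the blacklist comes from FMC-defined objects and feed files
# such as the .blf files discussed on the page; those formats are not modelled here.
TALOS_FEED = ["203.0.113.0/24", "198.51.100.7", "2001:db8:bad::/48"]
MANUAL_BLACKLIST = ["192.0.2.0/24"]
WHITELIST = ["203.0.113.10", "192.0.2.128/25"]


def to_networks(entries: Iterable[str]) -> List[Network]:
    # A bare address becomes a /32 or /128; strict=False tolerates host bits in a prefix.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


class IpSecurityIntelligence:
    def __init__(self, feed: Iterable[str], manual: Iterable[str], whitelist: Iterable[str]):
        self.blacklist = to_networks(feed) + to_networks(manual)
        self.whitelist = to_networks(whitelist)

    def address_verdict(self, ip: str) -> str:
        """'whitelist', 'black-list' or 'pass' for one address; whitelist wins over blacklist."""
        addr = ipaddress.ip_address(ip)
        # membership tests across address families simply return False
        if any(addr in net for net in self.whitelist):
            return "whitelist"
        if any(addr in net for net in self.blacklist):
            return "black-list"
        return "pass"

    def flow_verdict(self, src: str, dst: str) -> str:
        """Verdict for a flow. Assumption of this example: either endpoint being blacklisted
        (and not whitelisted) drops the whole flow, mirroring the
        '(black-list) black list this flow' verdict seen in the capture trace."""
        if "black-list" in {self.address_verdict(src), self.address_verdict(dst)}:
            return "(black-list) black list this flow"
        return "pass"
```

Note that whitelisting 203.0.113.10 while its /24 stays on the feed is exactly the kind of exception the precedence rule exists for; the evaluator returns "whitelist" for that host and "black-list" for its neighbours.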


FTD Packet Processing: SI (IP)

• The files containing the IPs from Talos SI Feed are in /ngfw/var/sf/iprep_download directory
root@FTD5506-1:/ngfw/var/sf/iprep_download# ls -alt | grep blf
-rw-r--r-- 1 root root 1252278 Jun 12 16:06 3e2af68e-5fc8-4b1c-b5bc-b4e7cab598ba.blf
-rw-r--r-- 1 root root 227696 Jun 12 16:05 032ba433-c295-11e4-a919-d4ae5275a468.blf

• If a packet is dropped by Snort SI, the ASA capture trace shows the Snort verdict:
> show capture CAPI packet-number 1 trace
1: 16:07:45.147743 192.168.75.14 > 38.229.186.248: icmp: echo request
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
FTD Packet Processing: SSL Decryption

• The SSL Policy controls which traffic is decrypted by FTD so that the other policies (ACP, File Policy, Intrusion Policy) can inspect the cleartext
• Configured in the Firepower Management Center under Policies > SSL
• FTD provides 2 decryption modes:
1. Decrypt - Known Key: the SSL/TLS server is yours, so its certificate and private key can be imported into FMC and used for decryption
2. Decrypt - Resign: a 3rd-party SSL/TLS server. FTD acts as a man-in-the-middle and re-signs the server certificate, so it requires an internal CA whose certificate the clients trust
• The SSL Policy is attached to the Access Control Policy (ACP)
• The Client Hello modification feature (enabled by default) allows FTD to alter the Client Hello message (TLS version, cipher suites); this is required for Safe Search and YouTube EDU
FTD Packet Processing: SI (DNS/URL)

Security Intelligence (URL)

• Works similarly to IP Security Intelligence and provides 3 actions:
1. Whitelist
2. Blacklist (Block)
3. Blacklist (Monitor): the connection is allowed but logged
• When the Talos URL Feed is used, part of the database is stored locally and updated daily
• For URLs not in the local cache a cloud lookup is done


FTD Packet Processing: Identity Policy

The Identity Policy enables user-based rules. The user-to-IP mapping can be obtained in various ways:
1. Passive Authentication
• Integration with LDAP/AD (requires the User Agent)
• Integration with ISE (pxGrid)
• Integration with Citrix VDI (identifies multiple users behind one IP)
• Network Discovery (User): traffic-based detection (LDAP, FTP, etc.)
2. Active Authentication
• Captive Portal (Basic, NTLM, Kerberos)
FTD Packet Processing: L7 ACL

The L7 ACL (the Access Control Policy rules) can, among other things:
• Correlate with the SSL Policy
• Apply user-based rules
• Filter applications
• Enforce SafeSearch and YouTube EDU
• Forward traffic to an Intrusion Policy
• Forward traffic to a File Policy
FTD Packet Processing: QoS (Rate Limiting)

• QoS rate-limiting was added in the FTD 6.1 release
• QoS traffic shaping and policing are not available at the moment
• QoS Policies are created and managed from FMC under Devices > QoS
• Unlike the other policies, a QoS Policy is not attached to the Access Control Policy but directly to the FTD device


FTD Packet Processing: QoS (Rate Limiting)

• Source Interface Object: the interface facing the initiator
- For TCP, the initiator is the host that sent the SYN packet
- For UDP, it is the host that sent the first packet; the UDP session has a 2-minute idle timeout
• Destination Interface Object: the interface facing the responder
• Interfaces are defined by the use of Security Zones or Interface Groups
• Download: rate limit of traffic flowing to the devices connected to the source interfaces, from the devices connected to the destination interfaces
• Upload: rate limit of traffic leaving the devices connected to the source interfaces
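Because Download and Upload are defined relative to the flow initiator rather than to the packet's own direction, a reply from a server is "download" traffic and a TCP SYN decides once who the initiator is. This added example (not Cisco code, not from the deck) models that: it learns the initiator from the SYN (TCP) or the first packet (UDP, with the 2-minute idle timeout), matches the flow against a QoS rule expressed as source and destination zones, and applies a per-direction token bucket. Zone names, addresses, the bucket depth and the drop-on-exceed behaviour are assumptions of the example; the deck does not describe how FTD sizes bursts.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class QosRule:
    src_zone: str         # Source Interface Object: the zone facing the initiator
    dst_zone: str         # Destination Interface Object: the zone facing the responder
    download_mbps: float  # limit on responder -> initiator traffic
    upload_mbps: float    # limit on initiator -> responder traffic
    burst_bytes: int      # bucket depth (assumed; FTD's burst sizing is not on the page)


class TokenBucket:
    def __init__(self, rate_mbps: float, burst_bytes: int):
        self.rate = rate_mbps * 1_000_000 / 8   # bytes per second
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


@dataclass
class Conn:
    initiator: str
    initiator_zone: str
    responder_zone: str
    last_seen: float


class QosEngine:
    UDP_IDLE = 120.0  # seconds: the UDP session idle time quoted on the slide

    def __init__(self, rule: QosRule, if_zone: Dict[str, str]):
        self.rule, self.if_zone = rule, if_zone   # if_zone maps interface name -> security zone
        self.conns: Dict[tuple, Conn] = {}
        self.buckets: Dict[Tuple[tuple, str], TokenBucket] = {}

    @staticmethod
    def _key(proto: str, a: str, b: str) -> tuple:
        return (proto,) + tuple(sorted((a, b)))   # same key for both directions of a flow

    def packet(self, proto, src, dst, in_if, out_if, nbytes, now, syn=False) -> Tuple[str, str]:
        """Return (direction, action); direction is relative to the flow initiator."""
        key = self._key(proto, src, dst)
        conn = self.conns.get(key)
        if conn and proto == "udp" and now - conn.last_seen > self.UDP_IDLE:
            # idle UDP session aged out: the next packet re-learns the initiator
            self.conns.pop(key)
            self.buckets = {k: b for k, b in self.buckets.items() if k[0] != key}
            conn = None
        if conn is None:
            if proto == "tcp" and not syn:
                return ("none", "drop")   # no SYN, no connection: nothing to rate-limit
            conn = Conn(src, self.if_zone[in_if], self.if_zone[out_if], now)
            self.conns[key] = conn
        conn.last_seen = now
        direction = "upload" if src == conn.initiator else "download"
        if (conn.initiator_zone, conn.responder_zone) != (self.rule.src_zone, self.rule.dst_zone):
            return (direction, "forward")  # the rule does not match this flow: no limit
        bucket = self.buckets.get((key, direction))
        if bucket is None:
            mbps = self.rule.upload_mbps if direction == "upload" else self.rule.download_mbps
            bucket = self.buckets[(key, direction)] = TokenBucket(mbps, self.rule.burst_bytes)
        return (direction, "forward" if bucket.allow(nbytes, now) else "drop")
```

The timestamps are passed in explicitly so the behaviour is deterministic; in a real data path they would come from the clock. The interesting case is the aged-out UDP session: after 120 idle seconds the server's next packet makes the server the initiator, so the limits flip direction, which is the behaviour the slide's idle timeout implies.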
FTD Packet Processing: Network Discovery

• Network Discovery data is used in 2 main places:
1. FMC Dashboards
2. Intrusion Prevention: FireSIGHT Recommendations
• Same functionality as on classic Firepower devices
• Configured from Policies > Network Discovery
• Tip: tune the networks in the Network Discovery Policy to match the networks you actually want to discover, and remove the default 0.0.0.0/0 and ::/0 entries


FTD Packet Processing: File Policy (AMP)

• A File Policy provides a few different functions:
• Detect Files: checks the first 1460 bytes of a file, determines the type and generates a log
• Block Files: blocks the file based on its type, determined from the first 1460 bytes
• Malware Cloud Lookup: sends the SHA-256 hash of the file to the cloud for analysis and, depending on the answer, generates a log if the file is bad. Optionally, Local Analysis can analyze the file, and Dynamic-Analysis-capable files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis
• Block Malware: sends the SHA-256 hash of the file to the cloud for analysis and, depending on the answer, blocks the file if it is bad. Optionally, Local Analysis can block the file, and Dynamic-Analysis-capable files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis
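The four actions above differ in how much of the file they need: the type-based ones decide on the first 1460 bytes, while the malware actions need the whole file to compute the SHA-256 before the verdict can be reached. The following added example (not Cisco code, not part of the deck) makes that split explicit with a toy file-type detector and a constructed stand-in for the AMP cloud disposition table. The magic-number table, the sample files and the cloud table are all constructed; FTD's real type detectors, Local Analysis and Dynamic Analysis are not modelled.

```python
import hashlib
from typing import Optional, Set, Tuple

DETECT_WINDOW = 1460  # FTD determines the file type from the first 1460 bytes (per the slide)

# Constructed magic-number table; FTD's own file-type detectors are not modelled.
MAGIC = {b"MZ": "MSEXE", b"%PDF": "PDF", b"PK\x03\x04": "ZIP", b"\x7fELF": "ELF"}

# Constructed sample files and a constructed stand-in for the AMP cloud (SHA-256 -> disposition).
MALWARE_SAMPLE = b"MZ" + b"\x90" * 300 + b"constructed-malicious-sample"
BENIGN_PDF = b"%PDF-1.7 constructed benign document"
CLOUD = {hashlib.sha256(MALWARE_SAMPLE).hexdigest(): "Malware"}


def detect_type(first_bytes: bytes) -> Optional[str]:
    """Type from the detection window only; None when no detector matches."""
    for magic, name in MAGIC.items():
        if first_bytes.startswith(magic):
            return name
    return None


def cloud_lookup(sha256_hex: str) -> str:
    """Disposition for a hash: 'Malware', 'Clean' or 'Unknown' (constructed table)."""
    return CLOUD.get(sha256_hex, "Unknown")


def apply_file_rule(data: bytes, action: str,
                    inspected_types: Set[str]) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (result, file_type, disposition) for one file under one file-rule action.

    Type-based actions look only at the detection window; the malware actions hash the
    complete file and consult the cloud. result is 'pass', 'log' or 'block'.
    """
    ftype = detect_type(data[:DETECT_WINDOW])
    if ftype not in inspected_types:
        return ("pass", ftype, None)            # rule does not cover this type
    if action == "detect_files":
        return ("log", ftype, None)
    if action == "block_files":
        return ("block", ftype, None)           # decided without seeing the rest of the file
    disposition = cloud_lookup(hashlib.sha256(data).hexdigest())
    if action == "malware_cloud_lookup":
        return ("log" if disposition == "Malware"else "pass", ftype, disposition)
    if action == "block_malware":
        return ("block" if disposition == "Malware" else "pass", ftype, disposition)
    raise ValueError(f"unknown file rule action {action!r}")
```

The practical consequence the code shows: Block Files can reset a transfer as soon as the first segment identifies the type, whereas Block Malware has to hold the verdict until the last byte has been hashed, which is why the malware actions cost more memory and latency per file.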
FTD Packet Processing: Intrusion Policy

• Tracing a real packet shows the Snort engine verdict when a Snort rule is matched:
firepower# show capture CAPO packet-number 2 trace
2: 12:16:09.232776 192.168.77.40 > 192.168.75.39: icmp: echo reply
Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow
..
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
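Both the Security Intelligence trace earlier and the intrusion trace above answer the same question: which phase dropped the packet, and if it was Snort, what verdict it returned. This added example (not Cisco code, not from the deck) parses "show capture <name> packet-number N trace" output into its phases and the final Result block, and pulls out the Snort verdict and drop reason. The sample trace is constructed around the phase shown above, with two invented earlier phases so there is more than one to walk.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout of "show capture <name> packet-number N trace", built around
# the SNORT phase and final Result block shown above; phases 1 and 2 are invented filler.
SAMPLE_TRACE = """\
2: 12:16:09.232776 192.168.77.40 > 192.168.75.39: icmp: echo reply
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
"""

SKIP_HEADERS = ("Subtype:", "Config:", "Additional Information:")


@dataclass
class Phase:
    number: int
    type: str
    result: str
    info: List[str]   # free-text lines under the phase, e.g. the Snort verdict


def parse_trace(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split a packet trace into its phases and the key/value pairs of the final Result block."""
    phases: List[Phase] = []
    final: Dict[str, str] = {}
    current: Optional[Phase] = None
    in_final = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]), "", "", [])
            phases.append(current)
            in_final = False
        elif line == "Result:":             # a bare "Result:" opens the final summary block
            in_final, current = True, None
        elif in_final and ":" in line:
            key, value = line.split(":", 1)
            final[key.strip()] = value.strip()
        elif current is not None:
            if line.startswith("Type:"):
                current.type = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                current.result = line.split(":", 1)[1].strip()
            elif line and not line.startswith(SKIP_HEADERS):
                current.info.append(line)
    return phases, final


def dropping_phase(text: str) -> Optional[Phase]:
    """The first phase whose Result is DROP, or None if the packet was allowed."""
    phases, _ = parse_trace(text)
    return next((p for p in phases if p.result == "DROP"), None)


def snort_verdict(text: str) -> Optional[str]:
    """The Snort verdict string when the dropping phase is SNORT, else None."""
    p = dropping_phase(text)
    if p is not None and p.type == "SNORT":
        for line in p.info:
            if line.startswith("Snort Verdict:"):
                return line.split(":", 1)[1].strip()
    return None
```

The verdict string alone tells you it was Snort that dropped the flow, not which policy inside Snort did it; for that, the "system support firewall-engine-debug" output or the intrusion events in FMC are the next stop.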
FTD Packet Processing: ALG Checks

• ASA Application Layer Gateways (ALGs) are the classic Modular Policy Framework (MPF) inspections applied by the ASA engine
• On FTD the MPF configuration is not tunable from FMC (from 6.2 it can be tuned with FlexConfig)
• You can use the classic ASA MPF commands to verify the existing MPF configuration:
firepower# show run class-map
firepower# show run policy-map
firepower# show run service-policy
!
firepower# show service-policy flow tcp host 192.168.75.14 host 192.168.77.40 eq 80


FTD Packet Processing: NAT, VPN, L3, L2

• The remaining checks on ASA engine are the same as on classic ASA
• NAT IP header
• VPN Encrypt
• L3 Route
• L2 Resolution of next hop

Deployment and Interface modes

FTD Deployment and Interface Modes
• 2 Deployment Modes (inherited from ASA):
• Routed
• Transparent
• 6 Interface Modes:
• Routed (inherited from ASA)
• Switched (BVI) (inherited from ASA)
• Passive (inherited from FirePOWER)
• Passive (ERSPAN) (inherited from FirePOWER)
• Inline pair (inherited from FirePOWER)
• Inline pair with tap (inherited from FirePOWER)
• Note: interface modes can be mixed on a single FTD device
Deployment Mode: Routed
• Traditional L3 firewall deployment
• Allows configuring all interface modes apart from Switched (BVI); from 6.2 onwards Switched interfaces are allowed in Routed mode too
• You can specify the firewall mode (Routed or Transparent) during the FTD setup process:
Configure firewall mode? (routed/transparent) [routed]: routed

• You can later change the FTD mode from the CLISH CLI (note that this wipes the interface configuration):
> configure firewall routed
This will destroy the current interface configurations, are you sure that you want to proceed? [y/N] y
The firewall mode was changed successfully.
>

Deployment Mode: Transparent
• Traditional L2 firewall deployment
• Allows configuring all interface modes apart from Routed and Passive (ERSPAN)
• You can specify the firewall mode (Routed or Transparent) during the FTD setup process:
Configure firewall mode? (routed/transparent) [routed]: transparent

• You can later change the FTD mode from routed to transparent from CLISH (note that this wipes the interface configuration):
> configure firewall transparent
This will destroy the current interface configurations, are you sure that you want to proceed? [y/N] y
The firewall mode was changed successfully.
>

Interface Mode: Routed
• Available only in Routed Deployment mode
• Traditional L3 firewall deployment
• One or more physical or logical (VLAN) routable interfaces
• Allows features like NAT or dynamic routing protocols to be configured
• Packets are forwarded based on a route lookup
• Full ASA engine checks are applied along with full Snort engine checks
• Actual traffic can be dropped

Interface Mode: Switched
• Available only in Transparent Deployment mode
• Very similar to the classic Transparent firewall
• Two or more physical or logical interfaces are assigned to a Bridge Group
• Full ASA engine checks are applied along with full Snort engine checks
• Packets are forwarded based on a CAM table lookup
• The BVI interface is used to resolve the next-hop MAC using ARP or ICMP
• Actual traffic can be dropped

Interface Mode: Inline Pair
• 2 physical interfaces internally bridged
• Very similar to a classic inline IPS
• Available in Routed or Transparent Deployment modes
• Most ASA features (NAT, Routing, L3/L4 ACL etc.) are not available for flows going through an Inline Pair
• Few ASA engine checks are applied, along with full Snort engine checks
• Actual traffic can be dropped

Interface Mode: Inline Pair (Set)
[Diagram: External Network above two switches; the FTD has a 4-pair inline set (E1/E2, E3/E4, E5/E6, E7/E8) and a 2-pair inline set (E9/E10, E11/E12); two switches and a Host below. Several inline pairs can be grouped into one inline set.]

Interface Mode: Inline Pair
TCP packets are handled in TCP state-bypass mode, so that the majority of ASA engine checks are disabled:
firepower# show conn detail
1 in use, 30 most used
Flags: A - awaiting responder ACK to SYN, a - awaiting initiator ACK to SYN,
b - TCP state-bypass or nailed,

k - Skinny media, M - SMTP data, m - SIP media, N - inspected by Snort, n - GUP

TCP Set1:outside(outside): 192.168.75.40/23 Set1:inside(inside): 192.168.75.15/61563,
flags b N, idle 8s, uptime 8s, timeout 1h0m, bytes 69

• b flag: in Inline Pair mode FTD handles a TCP connection in TCP state-bypass mode and does not drop TCP packets that don't belong to an existing connection. A classic ASA drops an unsolicited SYN/ACK unless TCP state-bypass is enabled.
• N flag: the packet is inspected by the Snort engine
Interface Mode: Inline Pair
Configure a Name on 2 physical interfaces, enable them and assign to an
Inline Set. It is also recommended to enable Link State Propagation:
> show inline-set

Inline-set Set1
Mtu is 1500 bytes
Failsafe mode is off
Failsecure mode is off
Tap mode is off
Propagate-link-state option is on
hardware-bypass mode is disabled
Interface-Pair[1]:
Interface: GigabitEthernet1/2 "inside"
Current-Status: UP
Interface: GigabitEthernet1/3 "outside"
Current-Status: UP
Bridge Group ID: 501
>
Interface Mode: Inline Pair with Tap
• 2 physical interfaces internally bridged
• Available in Routed or Transparent Deployment modes
• Most ASA features (NAT, Routing, L3/L4 ACL etc.) are not available for flows going through an Inline Pair
• Few ASA engine checks are applied, along with full Snort engine checks, to a copy of the actual traffic
• Actual traffic cannot be dropped

Interface Mode: Passive
• 1 physical interface operating as a sniffer
• Very similar to a classic IDS
• Available in Routed or Transparent Deployment modes
• Few ASA engine checks and full Snort engine checks are applied to a copy of the actual traffic
• Actual traffic cannot be dropped

Interface Mode: Passive (ERSPAN)
• 1 physical interface operating as a sniffer
• Very similar to a remote IDS
• Available only in Routed Deployment mode
• A GRE tunnel between the capture point and the FTD carries the mirrored packets
• Few ASA engine checks and full Snort engine checks are applied to a copy of the actual traffic
• Actual traffic cannot be dropped

Interface Modes - Summary

FTD interface mode      FTD Deployment mode     Description                          Real traffic can be dropped
Routed                  Routed                  Full ASA and Snort checks            Yes
Switched                Transparent             Full ASA and Snort checks            Yes
Inline Pair             Routed or Transparent   Partial ASA and full Snort checks    Yes
Inline Pair with Tap    Routed or Transparent   Partial ASA and full Snort checks    No
Passive                 Routed or Transparent   Partial ASA and full Snort checks    No
Passive (ERSPAN)        Routed                  Partial ASA and full Snort checks    No
Resiliency Options

Resiliency and Scalability Options
• Network continuity only: Fail to Wire
• Security continuity: HA with state sharing
• Scalability: Clustering

TECSEC-2652
Fail to Wire Network Modules for Firepower 4100 and 9300 Appliances
• Fixed interfaces, no removable SFP support
• Sub-second reaction time to application, software, or hardware failure
• 6x1GE module: Firepower 4100 only; single width; 1GE fiber SX
• 6x10GE module: Firepower 4100 and 9300; single width; 10GE SR or LR
• 2x40GE module: Firepower 4100 and 9300; single width; 40GE SR4; no 10GE breakout support

FTD Failover
• A pair of identical FTD devices can use Failover for High Availability
• Data interface connections must be mirrored between the units, with L2 adjacency
• Primary and Secondary designations are statically assigned
• The unit in the Active role processes all transit traffic; the Standby takes over when needed
• Virtual IP and MAC addresses on the data interfaces move with the active unit
• Centralized management through the active unit
• Optional Stateful failover mirrors the stateful connection table between the peers
• Most connections survive a switchover seamlessly for the endpoints
• Short-lived ICMP and HTTP connections are not replicated by default

Failover Types
• Active/Standby Failover
• Single- or multiple-context mode (on ASA; FTD does not support multiple-context mode, see the FlexConfig blacklist)
• Device-level switchover on failure
• One unit is always "idling"
• Ideal plain and simple design for a single tenant
[Diagram: Primary and Secondary units connected between Inside and Outside]

FTD Clustering
• Up to 6 identical Firepower appliances/security modules combine into one traffic processing system
• Preserves the benefits of failover:
• Virtual IP and MAC addresses for first-hop redundancy
• Centralized configuration mirrored to all members
• Connection state preserved after a single member failure
• Implements true scalability in addition to high availability:
• Stateless load-balancing via Spanned Etherchannel with LACP
• Out-of-band Cluster Control Link to compensate for external asymmetry
• Elastic scaling of throughput and maximum concurrent connections

Spanned Etherchannel Data Interface Mode
• Create transparent and routed firewalls on a per-context basis
• Must use Etherchannels: "firewall-on-a-stick" VLAN trunk or separate inside/outside Etherchannels
• Use a symmetric Etherchannel hashing algorithm on the different switches
• Seamless load-balancing and unit addition/removal with cLACP
[Diagram: FTD cluster of two units; each unit's E0/6 and E0/7 form the inside spanned Etherchannel (vPC 1, 192.168.1.0/24, virtual address .1) and E0/8 and E0/9 the outside spanned Etherchannel (vPC 2, 172.16.125.0/24, virtual address .1)]

Platform Overview

Hardware Portfolio / Hardware Architectures that Support FTD

Portfolio by segment (SMB/SOHO, Branch, Internet Edge, Data Center, Service Provider), smallest to largest:
• ASA 5505
• ASA 5506-X, ASA 5508-X, ASA 5516-X
• ASA 5512-X, ASA 5515-X
• ASA 5525-X, ASA 5545-X, ASA 5555-X
• ASA 5585-X with SSP10, SSP20, SSP40 or SSP60
• Firepower 2110, 2120, 2130, 2140
• Firepower 4110, 4120, 4140, 4150
• Firepower 9300 with SM-24, SM-36 or SM-44 security modules

Note: the ASA 5505 and ASA 5585-X are shown for portfolio context; they do not run FTD.

Firewall, NGIPS and NGFW Options

• Firewall (FW): ASA (hardware) and ASAv (virtual)
• NGIPS: FirePOWER (FPv virtual) and FTD IPS-only ports (FTDv virtual)
• NGFW: FTD firewall mode (FTDv virtual) and ASA + FirePOWER services
Use Case: Internet Edge
Requirements
Connectivity and Availability Requirements:
• High Availability (Redundancy)
• Routed Mode
• Dynamic Routing (OSPF / BGP)
• RA VPN
Security Requirements:
• Dynamic NAT/PAT and Static NAT
• Application Control along with URL Filtering
• NGIPS and Advanced Malware Protection
• Visibility and Contextual Awareness
• Identity
• SSL decryption
Solution
Security Application: Firepower NGFW appliances with Firepower Management Center
Caveats
• NGFW RA VPN not available on 4100/9300 until July 2017
• NGFW RA VPN on 2100 missing some advanced ASA features
[Diagram: Service Provider / ISP with HSRP at the Internet Edge; NGFW pair in HA with a DMZ network; Port-Channel to the Campus/Private Network]

Secure Remote Access for the Internet Edge
Secure access using FTD:
• Secure SSL/IPsec AnyConnect access to the corporate network
• Advanced application-level inspection can be enabled to enforce security on inbound Remote Access user data
• AMP and File Policy inspection to monitor roaming user data
• Easy RA VPN wizard to configure AnyConnect Remote Access VPN
• Monitoring and troubleshooting of remote access activity, with a simplified troubleshooting tool
[Diagram: ISP, Internet Edge, FP2100 pair in HA, Private Network]
Use Case: Data Center
Requirements
Connectivity and Availability Requirements:
• High Availability (Redundancy)
• Scalability (Throughput, Connections)
• Dynamic Routing (OSPF / BGP)
• High Bandwidth, Low Latency Requirement
• 40G/100G ports
Security Requirements:
• Dynamic NAT/PAT and Static NAT
• NGIPS and Advanced Malware Protection
• Role Based Access
Solution
Security Application: Firepower NGFW appliances with Firepower Management Center
Caveats
Multi-context support: please see the Multi-Context Option
[Diagram: ISP; Data Center Edge firewall pair in HA (contexts CTX 1 and CTX 2) connected via vPC / Port-Channel; Data Center Aggregation firewall cluster (CTX 1, CTX 2) via vPC / Port-Channel; Access Layer with WWW, App Servers and Database tiers for Tenant A and Tenant B]
Use Case: Multi-Site Data Center
Requirements
Connectivity and Availability Requirements:
• High Availability (Redundancy)
• Scalability (Throughput, Connections)
• High Bandwidth, Low Latency Requirement
• 40G/100G ports
• Inter-site cluster at tenant edge (North-South insertion)
• Inter-site cluster as first-hop router
• LISP support
Security Requirements:
• Dynamic NAT/PAT and Static NAT
• NGIPS and Advanced Malware Protection
• Role Based Access
Solution
Security Application: Firepower NGFW appliances with Firepower Management Center
Caveats
Multi-context support: please see the Multi-Context Option
[Diagram: two data centers connected by dark fiber with LISP; Data Center Edge and Aggregation with a firewall cluster at each site; OTV for the L2 extension with L3 between sites; VMs at the Access Layer; extended VLAN and CCL (cluster control link) VLAN across sites]
Use Case: Branch Office
Requirements
Connectivity and Availability Requirements:
• High Availability (Redundancy)
• Site to Site VPN
• Authentication
• Remote Management
Security Requirements:
• Dynamic NAT/PAT and Static NAT
• Advanced Application Control and URL filtering
• NGIPS and Advanced Malware Protection
• Role Based Access / SSL decryption
Solution
Security Application: Firepower NGFW appliances with Firepower Management Center
Caveats
FMC scalability and remote management
[Diagram: Main Office connected over an IPsec VPN through the ISP to the branch Edge Router and a failover pair of NGFWs]
Securing Public Cloud Workloads
Requirements for AWS and Azure
• Access Control, Visibility, and Intrusion Prevention
• Edge N/S and E/W Firewall
• Route-based VPNs (VTI) to Branch/DC
• Secure Inter-VPC/vNET connectivity
• High Availability
• Inside a VPC and across Availability Zones (User Defined Routes)
• Scale Out (FW, S2S and RA-VPN)
Solution
Security Application: Firepower NGFWv and ASAv appliances with virtual Firepower Management Center
Caveats
AWS is less flexible with load balancers and user routes, which further limits the ASA designs; no support for auto-scaling; complexity with LB designs (all vendors); HA is stateless. Refer to the Cloud Option slide.
[Diagram: cloud VPC with DB/APP/WEB tiers behind NGFWv and ASAv (N/S and E/W firewall, route-based VPNs via VTI, user-defined routes); Internet users; site-to-site VPN to the Corporate Data Center where the ASA and the FMC reside]
NGFW Hardware Architecture

Firepower 9300
Supervisor
• Application deployment and orchestration
• Network attachment (10GE/40GE) and traffic distribution
• Clustering base layer for ASA Firewall or Cisco NGFW
Security Modules (up to 3 per chassis)
• Embedded packet/flow classifier (Smart NIC) and crypto hardware
• CPUs with a total of 24, 36 or 44 physical cores (48, 72 or 88 with hyperthreading)
• Standalone or clustered within (up to 240 Gbps) and across (1 Tbps+) chassis
Supervisor Simplified Hardware Diagram
[Diagram: the supervisor x86 CPU and RAM sit on the system bus; an Ethernet internal switch fabric (up to 24x40GE) connects 2x40Gbps to each of Security Modules 1, 2 and 3, 2x40Gbps to the on-board 8x10GE interfaces, and 5x40Gbps to each of network module slots 1 and 2]

Security Module Simplified Diagram
[Diagram: two x86 CPUs (24, 36 or 44 physical cores in total) and RAM on the system bus; a Smart NIC and crypto accelerator attached over 2x100Gbps Ethernet; a 2x40Gbps backplane connection to the Supervisor]

Firepower 4100 Series
Built-in Supervisor and Security Module
• Same hardware and software architecture as the 9300
• Fixed configurations (4110, 4120, 4140, 4150)
• FXOS 1.1.4 for 4110-4140
Solid State Drives
• Independent operation (no RAID)
• Slot 1 today provides limited AMP storage
• Slot 2 will add 400GB of AMP storage
Network Modules
• 10GE/40GE interchangeable with the 9300
• Partially overlapping fail-to-wire controller options
1RU form factor

Firepower 2100 Series

High Performance, Purpose Built Hardware for Cisco NGFW
• Available in 4 platforms
• Higher port density in 1 rack unit
• 10 Gbps support (2130 and 2140)
• FPR 2110: 16x 1G ports
• FPR 2120: 16x 1G ports
• FPR 2130: 12x 1G and 12x 10G ports
• FPR 2140: 12x 1G and 12x 10G ports
Hardware Architecture Overview (Firepower 2100)
• Dual CPU:
• x86 CPU for advanced inspection (Snort)
• NPU for the stateful firewall
[Diagram: the x86 CPU (advanced inspection) and the NPU (stateful inspection) with SSDs, connected through a fabric to the front-panel ports: USB, MGMT, console, 12-port GE RJ45, 4-port 10GE SFP+, and an 8-port NM slot]

Thank You

Firepower Tech Talk
20th September

Technical Marketing Engineers:
Nanda Kumar
Eric Kostlan
Anant Mathur
Abhishek Singh
Divya Nair

Agenda
Introduction
Troubleshooting Tools
Pre-filter
NAT
Migration
S2S VPN
RA VPN
Flex-Config

© 2017 Cisco and/or its affiliates. All rights reserved. 112


Troubleshooting Tools

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 113
Troubleshooting Tools

• Packet Tracer
• Capture Trace

Pre-Filter

Prefilter: Tunnel & Prefilter

• Tunnel Rule
• Prefilter Rule

NAT

NAT
• NAT is supported only in NGFW (firewall) mode, not on IPS-only interfaces
• NAT rule types:
• Static NAT
• Dynamic NAT
• Dynamic PAT
• Identity NAT
• Address families supported:
• NAT44
• NAT66
• NAT46
• NAT64
NAT Rule Table
The NAT rule table is evaluated in three sections, first match wins:
• Manual Before (Section 1)
• Auto (Section 2)
• Manual After (Section 3)

Migration

ASA Policy Supported by the Migration Tool
• ASA 8.4 onwards
• ACL: Interface and Global
• NAT
• Network Objects and Object Groups
• Service Objects and Object Groups

• Unsupported Policy
• ACEs with Time-range, FQDN, Local/Group user, SGT or Nested Service Group
• ACEs that are not part of an Interface or Global ACL

ASA ACL to FTD Policy
An ASA ACE can be imported into either FTD policy:
• Prefilter policy: a permit ACE becomes a Fastpath or Analyze rule; a deny ACE becomes a Block rule
• Access Control policy: a permit ACE becomes a Trust or Allow rule; a deny ACE becomes a Block rule
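The mapping above, together with the unsupported-policy list from the previous slide, is mechanical enough to script, and doing so before running the real migration tool tells you how many ACEs will need manual attention. This added example (not Cisco's migration tool, not from the deck) indexes a constructed ASA configuration for FQDN objects, nested service groups and interface/global bindings, then translates each extended ACE to the chosen FTD policy or marks it unsupported with the reason. The configuration fragment, object names and addresses are invented; which permit action to use (Fastpath vs Analyze, Trust vs Allow) is a choice the caller makes, as in the slide.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed ASA configuration fragment; object names, addresses and ACL names are invented.
SAMPLE_ASA_CFG = """\
object network WEB_SRV
 host 10.10.10.5
object network PARTNER_FQDN
 fqdn partner.example.net
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
object-group service NESTED_SVC
 group-object WEB_PORTS
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 8443 time-range BUSINESS_HOURS
access-list OUTSIDE_IN extended permit tcp object PARTNER_FQDN object WEB_SRV eq 22
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV object-group NESTED_SVC
access-list OUTSIDE_IN extended deny ip any any
access-list UNUSED extended permit ip any any
access-group OUTSIDE_IN in interface outside
"""

# ASA ACE action -> FTD rule action, per the slide; the permit action can be overridden.
RULE_ACTION = {
    "prefilter": {"permit": "Fastpath", "deny": "Block"},
    "acp": {"permit": "Allow", "deny": "Block"},
}
# ACE keywords that match on user identity or security group tags (not migratable)
IDENTITY_KEYWORDS = {"user", "user-group", "security-group", "object-group-user", "object-group-security"}
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (.*)$")


def index_config(cfg: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Collect FQDN network objects, nested service groups and ACLs bound by access-group."""
    fqdn_objects: Set[str] = set()
    nested_svc: Set[str] = set()
    bound_acls: Set[str] = set()
    current: Optional[str] = None
    kind: Optional[str] = None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            current, kind = line.split()[2], "net"
        elif line.startswith("object-group service "):
            current, kind = line.split()[2], "svc"
        elif line.startswith(" "):                         # body line of the current object
            body = line.strip()
            if kind == "net" and body.startswith("fqdn "):
                fqdn_objects.add(current)
            if kind == "svc" and body.startswith("group-object "):
                nested_svc.add(current)
        else:
            current, kind = None, None
            if line.startswith("access-group "):         # "... in interface X" / "... global"
                bound_acls.add(line.split()[1])
    return fqdn_objects, nested_svc, bound_acls


def _references(tokens: List[str], keyword: str, names: Set[str]) -> bool:
    return any(tokens[i] == keyword and tokens[i + 1] in names for i in range(len(tokens) - 1))


def migrate_acl(cfg: str, target: str = "acp", permit_action: Optional[str] = None) -> List[Dict[str, Optional[str]]]:
    """Translate every extended ACE to an FTD rule for the chosen policy, or mark it unsupported."""
    fqdn_objects, nested_svc, bound_acls = index_config(cfg)
    actions = dict(RULE_ACTION[target])
    if permit_action:                                      # e.g. "Analyze" (prefilter) or "Trust" (ACP)
        actions["permit"] = permit_action
    out: List[Dict[str, Optional[str]]] = []
    for line in cfg.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        acl, ace_action, body = m.groups()
        tokens = body.split()
        reasons = []
        if acl not in bound_acls:
            reasons.append("ACL not applied to an interface or globally")
        if "time-range" in tokens:
            reasons.append("time-range")
        if IDENTITY_KEYWORDS & set(tokens):
            reasons.append("user/group/SGT match")
        if _references(tokens, "object", fqdn_objects):
            reasons.append("FQDN object")
        if _references(tokens, "object-group", nested_svc):
            reasons.append("nested service group")
        out.append({
            "acl": acl, "ace": line, "policy": target,
            "action": None if reasons else actions[ace_action],
            "status": "unsupported: " + ", ".join(reasons) if reasons else "migrated",
        })
    return out
```

The order of the checks matters only for the message; an ACE is unsupported if any one of them fires. Run it once per target policy to see how the same ACL lands as a Prefilter (Fastpath/Block) or as Access Control (Allow/Block) rules, and note that the unbound UNUSED ACL is reported rather than silently dropped.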
Migration Process Overview
1. Export the ASA configuration (.cfg or .txt file) from the ASA
2. Run it through the Migration Tool, which produces an FMC .sfo file and a Migration Report
3. Import the .sfo file into the FMC (the one managing the FTD device) as an Access Control Policy or a Prefilter policy
4. Register the Firepower 2100 to the FMC and apply the migrated policy
Site to Site VPN

S2S VPN Capabilities
• IKE Protocol: IKEv1 and IKEv2
• Authentication: Pre-Shared Key and PKI
• IP Version: IPv4 and IPv6. All combinations of inside and outside protocols are supported, provided the protected networks have matching addressing schemes
• Interface Types: Static and Dynamic IP
• FMC/FTD HA: VPN is supported for both FTD and FMC HA environments
• Topology: Point to Point, Hub & Spoke, Full mesh
AnyConnect VPN

Remote Access VPN support on FTD 6.2.1
• Client: AnyConnect 4.x
• Platform: Windows, Mac, Linux and Mobile (Android, iOS)
• Protocol: SSL/IPsec
• Authentication: LDAP/AD, RADIUS, Client Certificate, and Certificate + AAA
• Authorization: RADIUS Attributes
• Accounting: RADIUS
• Availability: FTD HA, Dual ISP, Multiple AAA servers
• One RA VPN configuration shared across multiple devices
• Supported on FMC and FDM
• Monitoring and Troubleshooting
• Rate limiting of RA VPN traffic
RA VPN FMC Configuration Wizard

FTD Packet Processing with VPN
[Diagram: VPN Decrypt is applied at ingress, before the ACL and Snort checks; VPN Encrypt is applied at egress, before the route lookup and L2 next-hop resolution]

RA VPN Identity Integration and Monitoring
• Dashboard widgets show VPN usage by user
• The User Activity event page gives details of logon and logoff events
• The Active Sessions page shows the status of active sessions
• An administrator may monitor and terminate specific sessions

FMC – RA VPN Monitoring

FMC – RA VPN Troubleshooting

Flex-Configuration

FlexConfig
• Used to configure ASA features that cannot be configured from the FMC UI
• Provides a workaround for features not exposed directly by FMC
• Examples:
• Policy Based Routing (PBR)
• EIGRP
• EtherType ACLs
• Application Layer Gateways (ALGs)
• Virtual Extensible LAN (VXLAN)
• Web Cache Communication Protocol (WCCP)
• Platform sysopt commands

FlexConfig Blacklist
• Functionality already exposed in the FMC is not allowed in FlexConfig
• Functionality not supported in the 6.2 release is not allowed in FlexConfig
• Examples:
• Remote access VPN
• Multi-context mode
• Blacklisted commands generate an error when the FlexConfig object is saved

Q&A

“Securing Networks with Cisco Firepower Threat Defense”
https://goo.gl/dgUVgj

FTD – Mode Differences

Feature         NGFW Routed   NGFW Transparent   NGIPS
NAT             Yes           Yes                No
Routing         Yes           No                 Yes
VPN (S2S, RA)   Yes           No                 No
QoS             Yes           No                 Yes


Firepower Threat Defense
Tech Talk
Management
Abhishek Singh, Technical Marketing Engineer
Anant Mathur, Technical Marketing Engineer Manager
Eric Kostlan, Technical Marketing Engineer
Nanda Kumar, Technical Marketing Engineer

September 20th, 2017


• Management Options
• Firepower Management
Center (FMC)
• Firepower Device Manager
(FDM)

Agenda • Cisco Defense Orchestrator


(CDO)
• Rest API
• Smart Licensing
• Domains

© 2017-2018 Cisco and/or its affiliates. All rights reserved, 149


Management Options

Management Options

• Firepower Device Manager (FDM): enables easy on-box management of common security and policy tasks
• Firepower Management Center (FMC): enables comprehensive security administration and automation of multiple appliances
• Cisco Defense Orchestrator (CDO): enables centralized cloud-based policy management of multiple deployments


Firepower Management Center (FMC)

Firepower Management Center (FMC)
• Centralized management for multi-site deployments
• Multi-domain management
• Role-based access control
• High availability
• APIs and pxGrid integration
• Available in physical and virtual options
Managed functions: Firewall & AVC, NGIPS, AMP, Security Intelligence
Manage across many sites | Control access and set policies | Investigate incidents | Prioritize response


FMC Event QoS Architecture

FMC HA
• Very different from 5.4 FMC HA
• Active/Standby deployment
• Policy changes made on the active are copied over to the standby
• Both FMC nodes receive events from each sensor
• Failover can be explicitly triggered
• Not available on the 750 or virtual appliances

New FMC Appliances Offer Improved Scale
UCS C220 M4 Rack Server
• Three variants for different deployment sizes: FMC1000, FMC2500, FMC4500
• Positioned with improved scale across entry level, mid-range and high-end

                     FMCv           FMC1000   FS750   FMC2500   FS2000   FMC4500   FS4000
Number of devices    2, 5 or 25 *   50        10      300       250      750       500
Hosts/Users          50000          50000     2000    150000    150000   600000    600000
Events per second    Varies **      5000      2000    12000     12000    20000     20000

* FMCv licensing options are available to manage 2, 5, or 25 sensors
** FMCv events per second varies with virtual environment, CPU, memory, etc.
Firepower Device Manager (FDM)

Firepower Device Manager (FDM)
• Integrated on-box option for single instance deployment
• Easy set-up
• Role-based access control
• High availability
• Physical and virtual options
Managed functions: NAT and Routing, Intrusion and Malware prevention, Device monitoring, VPN support
Set up easily | Control access and set policies | Investigate incidents | Prioritize response


Cisco Defense Orchestrator (CDO)

Cisco Defense Orchestrator (CDO)
[Diagram panels: Security Policy Management; Simple Search-Based Management; Device Onboarding (Import From Offline, Discover Direct From Device); Object & Policy Analysis; Application, URL, Malware & Threat Policy Management; Change Impact Modeling; Security Templates; Notifications; Reports]
Simplify security policy management in the cloud with Cisco Defense Orchestrator
• Plan and model security policy changes before deploying them across the cloud
• Deploy changes across virtual environments in real time or offline
• Receive notifications about any unplanned changes to security policies and objects


Chassis Manager

Firepower 9300/4100 Chassis Manager

Smart Licensing

Smart Licensing
[Diagram: Report covering Software, Services and Devices]
• View software, services, and devices in one easy to use portal
• Track software usage with regular reports to Cisco
• Activate software automatically
• Extend licenses automatically
Smart Licensing
[Diagram: (1) ASA, FTD and DDoS applications -> (2) Supervisor -> HTTP/HTTPS proxy -> Cisco Smart Licensing; (3) Satellite connector as the on-premise alternative]
• Cisco applications request feature license entitlements from the Supervisor
• Third-party applications may use out-of-band licensing
• The Supervisor fulfills aggregated entitlement requests with the Smart backend through a direct Internet connection, an HTTP/HTTPS proxy, or an on-premise Satellite connector
• ASA entitlements: Strong Encryption, Security Contexts, Carrier Inspections
• FTD entitlements: Threat, Malware, and URL Services
Smart Licensing Workflow
1. Obtain Product Instance Registration Token from CSSM
2. Register FMC to the CSSM
3. Register FTD to FMC
4. Apply/Remove Smart Licenses


FMC: Settings
• Prerequisites:
  • FMC needs access to Cisco.com for normal Smart Licensing operation (see next slide for the ports/connections needed)
  • Proxy access via the FMC Control Panel
  • FMC Configuration Guide
• In FMC go to System -> License -> Smart License


Backend Communication Channels and Ports
Authorized backend: Cisco Smart Software Manager (CSSM) (cisco.com)
• HTTPS: tools.cisco.com
• User Interface: HTTPS (Port 8443)
• Products: HTTPS (Port 443), HTTP (Port 80)
• CSSM: HTTPS (tools.cisco.com, api.cisco.com, cloudsso.cisco.com)
FMC: Settings
• Registering FMC with CSSM
  • 1: Click “Register”
  • 2: Copy & paste the “Token” that was generated in CSSM (cisco.com)
  • 3: Click “Apply Changes”
FMC: Verification
• Verify Registration
• Success message indicating successful registration
• Smart License Status
• Assigned Virtual Account:
• Export-Controlled Features:

FMC: Adding Licenses to devices

FMC: Editing Licenses assigned to devices

FMC: License status tracking
• On System -> License -> Smart Licenses
• Check licenses used by FMC

FMC: Synchronize with CSSM
• Synchronize FMC with Cisco Smart Software Manager
• On System -> License -> Smart Licenses
• Click the “Synchronize” icon

FMC: Out of Compliance
• Occurs when more Firepower devices are added than the entitlement covers

If out of compliance, everything in FMC works normally for 90 days. After 90 days, the administrator cannot create or edit policies. Existing policies and their traffic continue to work as normal.

Smart Software Satellite-Based Licensing
1. Deploy and set up the Satellite Server
2. Obtain Product Instance Registration Token from Satellite
3. Configure Smart Software Satellite Manager on FMC
4. Register FMC to the Satellite
5. Register FTD to FMC
6. Apply/Remove Smart Licenses
7. Synchronize Satellite with CSSM


Configure Satellite Server on the FMC

REST API

REST API for FMC
• REST API for FMC was introduced in release 6.1
• Provides the ability to set up Firepower for Cisco ACI solutions
• Provides manageability of Firepower devices to:
  • Cisco ACI solution
  • Customer-developed orchestration solutions
• Makes Firepower and FTD devices interoperable with other Cisco & third-party products
• REST API for FMC 6.1 key capabilities
  • Gathers information about devices, objects and several types of policies
  • Creates access control policies and access control policy rules
  • Deploys policies to devices
• REST API for FMC 6.1 key limitation
  • Cannot configure FTD interfaces, therefore cannot insert FTD into the traffic path
REST API: 6.2
• REST API is enhanced to support interface configuration of FTD devices.
• Provides the ability to set up FTD in a managed service graph for Cisco ACI solutions
• Other SDN controllers can also take advantage of the new APIs to insert FTD in the traffic path
• With 6.2, the following capabilities have been added to the REST API:
  • Read, create, update and delete an Inline Set on an FTD device
  • Update the configuration of a Physical Interface on an FTD device
  • Create, update and delete a sub-interface on an FTD device
  • Create, update and delete a bridge group interface on an FTD device

REST API: API Explorer
• Introduced in the 6.1 release
• Provided as a tool built into the FMC
• Provides direct access to the REST API
• Can help build REST API scripts
• URL: https://fmc/api/api-explorer


REST API: Architecture
• REST API does not communicate with FTD directly.
• REST API communicates with FMC. FMC pushes changes to FTD.

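The token-then-call flow that API Explorer and scripts use against the FMC, as an added example that is not Cisco's code or from this deck. It assumes the FMC 6.x generatetoken and accesspolicies endpoints named in the comments; FmcClient, the injectable send callable and the host name are assumptions so the flow can be exercised offline.

```python
import base64
import json
import ssl
import urllib.request

# Added example, not Cisco code. Assumed FMC 6.x endpoints (from the public
# FMC REST API docs): POST /api/fmc_platform/v1/auth/generatetoken (HTTP basic
# auth, answers 204 with X-auth-access-token and DOMAIN_UUID headers) and
# GET /api/fmc_config/v1/domain/{uuid}/policy/accesspolicies.


def urllib_send(method, url, headers, body=None):
    """Default transport over HTTPS with certificate verification kept on:
    the API token travels in a header, so a verify-nothing TLS context would
    hand it to anyone on the path."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        return r.status, dict(r.headers), r.read()


class FmcClient:
    # Talks only to the FMC; the FMC, not this client, pushes config to FTD.
    def __init__(self, host, username, password, send=urllib_send):
        self.base = f"https://{host}"
        self.basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.send = send
        self.token = None
        self.domain = None

    def login(self):
        """Exchange the password once for a short-lived token; every later
        request carries the token only, never the credentials."""
        status, hdrs, _ = self.send(
            "POST", f"{self.base}/api/fmc_platform/v1/auth/generatetoken",
            {"Authorization": f"Basic {self.basic}"})
        if status != 204:
            raise RuntimeError(f"token request failed: HTTP {status}")
        hdrs = {k.lower(): v for k, v in hdrs.items()}  # header names vary in case
        self.token, self.domain = hdrs["x-auth-access-token"], hdrs["domain_uuid"]
        return self.domain

    def access_policies(self):
        """Return {policy name: policy id} for the domain the token belongs to."""
        url = (f"{self.base}/api/fmc_config/v1/domain/{self.domain}"
               "/policy/accesspolicies?expanded=true")
        status, _, body = self.send("GET", url, {"X-auth-access-token": self.token})
        if status != 200:
            raise RuntimeError(f"policy list failed: HTTP {status}")
        return {p["name"]: p["id"] for p in json.loads(body).get("items", [])}
```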
Domains

Domain Overview
[Diagram: level 1 is the Global domain (Global Policies, Global Objects, Global Analytics); level 2 holds the child domains USA, INDIA and UK; level 3 holds UK/London and UK/Oxford under UK; each domain has its own Policies, Objects and Analytics]
• Supports up to 50 domains and 3 levels
• Available for all platforms running 6.0

TECSEC-2652
Access Control Policy Hierarchy
[Diagram: effective rule order for the QA Engineering domain, top to bottom]
Global Policy [Mandatory]: Allow SSH to All devices
Engineering [Mandatory]: Deny Telnet to All devices
QA Engineering: Allow Access to App_Server
Engineering [Default Policy]
Global Policy [Default Policy]

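The rule order the hierarchy slide shows, worked through for a three-level domain tree as an added example that is not Cisco's code: ancestor [Mandatory] sections first from the top down, the leaf's own rules next, ancestor [Default] sections last from the bottom up. The domain names follow the slide; the rules, the (action, service, destination) tuple format and the first-match evaluator are constructed assumptions.

```python
# Added example, not Cisco code. Rules are constructed (action, service,
# destination) tuples; "any" is a wildcard in the service or destination slot.
PARENT = {"Global": None, "Engineering": "Global", "QA Engineering": "Engineering"}

POLICIES = {
    "Global": {"mandatory": [("allow", "ssh", "any")],
               "default": [("deny", "any", "any")]},
    "Engineering": {"mandatory": [("deny", "telnet", "any")],
                    "default": [("allow", "dns", "any")]},
    # A QA admin adding "allow telnet" here cannot beat the parent's mandatory deny.
    "QA Engineering": {"mandatory": [("allow", "telnet", "legacy_box"),
                                     ("allow", "https", "App_Server")],
                       "default": []},
}


def ancestors(domain):
    """Nearest parent first, e.g. QA Engineering -> [Engineering, Global]."""
    chain = []
    while PARENT[domain] is not None:
        domain = PARENT[domain]
        chain.append(domain)
    return chain


def effective_rules(domain):
    """Ordered (owner, action, service, destination) list evaluated in `domain`."""
    order = []
    for anc in reversed(ancestors(domain)):   # Global mandatory, Engineering mandatory
        order += [(anc, *r) for r in POLICIES[anc]["mandatory"]]
    for section in ("mandatory", "default"):  # the leaf domain's own rules
        order += [(domain, *r) for r in POLICIES[domain][section]]
    for anc in ancestors(domain):             # Engineering default, Global default
        order += [(anc, *r) for r in POLICIES[anc]["default"]]
    return order


def first_match(domain, service, destination):
    """First-match evaluation: (action, owning domain) that decides the flow."""
    for owner, action, svc, dst in effective_rules(domain):
        if svc in ("any", service) and dst in ("any", destination):
            return action, owner
    return "deny", "implicit"
```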
Object Override Support
[Diagram: object Acme_IT_Syslog Server defined at Global with value 10.1.1.1]
• Global\IND: inherited from Global, Acme_IT_Syslog Server = 10.1.1.1
• Global\USA: overridden at device, Acme_IT_Syslog Server = 172.186.2.10
• Global\UK: overridden at policy, Acme_IT_Syslog Server = 192.122.2.10
• Only for objects related to Networks, Ports, and URLs


Thank You
