dissecting firepower-ngfw(ftd) & firepower-services...

Dissecting Firepower-NGFW(FTD) & Firepower-Services “Design & Troubleshooting”

Veronika Klauzova, Firepower TAC-Engineer Michael Vassigh, CSE Security

BRKSEC-3455

Are we there yet (VIDEO) ?

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Your presenters for this journey

BRKSEC-3455

• Michael Vassigh

• CSE Security

• Veronika Klauzova

• Firepower TAC-Engineer

• Introduction

• Hardware-Review

and troubleshoot

• Installation & Configuration

and troubleshoot

• FTD Packet-Flow

and troubleshoot

• Conclusion

and (no more troubleshoot)

Agenda


Abstract-Review

• The session will cover both operational and maintenance aspects of all relevant Firepower-NGFW functions from “Installation” to “Operation” to “Troubleshooting” with a focus on interactive demonstration of the detailed topics.

• Upon successful completion of this session, the attendee will be able to:

• describe the FTD system architecture

• describe packet flow processing

• perform installation and configuration of FirePOWER Threat Defense(FTD) and FirePOWER Management Console (FMC)

• verify and troubleshoot traffic flows traversing FTD

BRKSEC-3455

For YourReference


Our goals for the next 120 minutes

• Walk you through an experience of Firepower Threat Defense

• Give you all required insights to configure your device

• Give you all required insights to troubleshoot your device

• Give you enough demos to highlight the relevant details

BRKSEC-3455

You can operate and troubleshootthe NG-Firewall with confidence


Other sessions you hopefully have visitedCisco Live Berlin Session-ID Session Name

Firepower Platform Deep Dive

ASA Firepower NGFW typical deployment

scenarios

A Deep Dive into using the Firepower Manager

Firewall Innovation and Transformation - a

closer look at ASA and Firepower

NGFW Clustering Deep Dive

Protecting the Network with Firepower NGFW

And various others an AMP, DDoS, SSL-Decryption, Snort Rules and more

7BRKSEC-3455

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKSEC-3455

Topics we will not cover today

• Your current order in CCW

• Your troubles with getting a Smart-Account

• Your current TAC-Service Request

• Firepower 7000/8000 series

• Real-World performance

• Clustering

• Licensing

• CDO Cisco Defense Orchestrator

• Firepower Device Manager

• Advanced Malware Protection details

• Remote-Access

• VPN Site-to-Site

• Full roadmap details


All our material and demos are based on the following

• Firepower 4100 system

• FXOS Version 2.0(1.135)

• Firepower Threat Defense V6.1.0.1 (Released December 2016)

• Firepower Management Center V6.1.0.1 (Released December 2016)

9BRKSEC-3455

Recent announcements

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKSEC-3455

New Software Versions since January 2017 (subtotal)

• FXOS V2.1(1)

• Support for ASA V9.7.1

• Support for FTD V6.2

• Inter-Chassis clustering FTD V6.2

• NTP authentication

• FTD V6.2

• Inter-Chassis clustering on FP4100/9300

• Packet-Tracer & Capture UI

• Flex-Config

• ASA-FTD Migration tool enhanced

• Integrated Routing & Bridging-Interface support

Hardware & Software Review


Terminology brief (you might find in documentation)

13Presentation ID

3D System DC (Defense Center)Physical and Virtual

Managed device / Sensor

Firesight / Firepower

system

Firepower Management

Center (off-box)

Physical and Virtual

Managed device / Sensor

Firepower Device Manager

(on-box)

ASA with FirePOWER

Services module managed

by ASDM

Cisco official Firepower System terminology


Platform naming fundamentals

• Hardware Management: MC750, MC1500, MC3500, MC2000, MC4000

• Virtual Management: Firepower Management Center running on VMware, AWS and KVM

• Physical managed devices: 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350, 8360, 8370, 8390

• Virtual managed devices: NGIPSv

• Physical Firepower Threat Defense devices: ASA 5506-X, ASA 5506—X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X and 5555-X, Firepower 9300 security appliance, Firepower 4100 series

• Virtual Firepower Threat Defense devices: Firepower Threat Defense Virtual running on VMware, AWS or on KVM

14Presentation ID

For YourReference

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15BRKSEC-3455

What platforms can run FTD Software

Platform FTD Support

ASA 5500X-Series (5506X-5555X with SSD) Yes

Firepower 4100 series Yes



Virtual options (VMware, KVM, AWS, Azure) Yes

Cisco ISR 4000/ISR-G2 (UCS-E module) Yes


What platforms can not run FTD Software

Platform FTD Support

Series 2 Firepower Appliances No

Series 3 Firepower Appliances (FP7000/8000) No

ASA-5580, ASA-5585X-SSPX No

ASA Service Module No

Firewall Service Module No

Microsoft Hyper-V No

For YourReference


Platform specific requirements

• All ASA-5500X require to have the SSDs installed

• Beware that only the newer orders are shipped with SSD preinstalled

• ASA-5545/55X require to have 2 SSDs installed

• Beware that only the newer orders are shipped with SSD preinstalled

• Only Cisco SSDs are supported

• ASA models 5506X/5508X/5516X need to have a minimum ROMMON version 1.1.8 or higher installed

• FP4100 and FP9300 require to have a minimum version of FXOS 2.0.1 or later

17BRKSEC-3455

For YourReference


Firepower 4100 – closer look

18BRKSEC-3455

Front view

Rear view

PowerConsole

MGMT

8 x optic SFP+ ports

2 x 2.5” SSD Bays

2 x Power Supply Module Bays6 x Hot-Swap Fans units

2x optional NetMods


Firepower 9300 – closer look

Front view

Rear view

19BRKSEC-3455

For YourReference


Firepower 4100 vs. 9300

20BRKSEC-3455

Specification FP 4100 FP 9300

Rack space 1RU 3RU

Security Modules Fixed Modular

Performance Up to 80Gbps Up to 240Gbps

Port Speed Support Up to 40Gb Up to 100Gb

Positioned Internet, Wan Edge, Campus,

small and medium sized Data

Center

Large and massively scalable

DC, SP

Similarities 1.) Both are next generation platforms on Security Service

Architecture

2.) Both run FXOS which is used to manage physical and logical

entities

For YourReference


FTD management options

Firepower Management Center

aka “FMC” – off-box manager


FTD management options

Firepower Device Manager

aka “FDM” – on-box manager

HTML5 based WebUI

Supported on ASA 5506/8/12/15/16/25/45/55


Future

Firepower/Snort

ASA/LINA

Firepower Threat Defense(FTD)• Snort NG-IPS Detection Engine

• ASA/Lina Firewall functions

• First implementation:

ASA and Firepower-Services

• Single unified image:

ASA/Lina + Firepower/Snort

• All ASA features will be added in

future FTD software releasesFTD

Software


Brief Software Refresher

• Firepower Management Center (FMC)

• Is the Firepower Management Software

• Runs on Appliance or VM

• Supports HA mode

• Provides 1 management option:• WEB-UI

• Firepower eXtensible Operating System (FXOS)

• Operates the Firepower 4100/9300 chassis

• Provides 3 management options:• REST-API

• CLI/Shell

• WEB-UI(FCM)

• Firepower Threat Defense (FTD)

• Is the native NGFW code

• Runs on Appliance or VM

• Provides 1 management option:• WEB-UI

All platforms have CLI/Shell access for setup & diagnostics

Provides CLI/Shell access to platform SW

All platforms have version dependencies

FTD CLI modes


FTD CLI modes

There are three CLIs while dealing with a ftd deployment:

• FXOS CLI

• CLISH

• ASA CLI

Moving between different CLI‘s:

BRKSEC-3455

firepower#

>

Firepower-module1>

connect ftd

system support diagnostic-cli

CTRL + a, d

exit

FXOS -> CLISH

CLISH -> ASA

ASA -> CLISH

CLISH -> FXOS


Converged FTD CLISH

• Available over SSH on data and management interface/s

• No switching back and forth between FP and ASA sub-modes

28BRKSEC-3455

> system support diagnostic-cli

firepower> enable

firepower# show cpu

Ctrl + a + d

> show cpu

> show cpu system

Linux 3.10.62-ltsi-WR6.0.0.27_standard (ftd.cisco.com) 02/07/17 _x86_64_

Time CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle

14:32:43 all 20.46 0.00 0.19 0.00 0.00 0.00 0.00 0.00 0.00 79.35

> show cpu

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%>

BEFORE 6.1

6.1+

FXOS Breakout


Firepower eXtensible Operating System (FXOS)

• Chassis management, operation and health

• Network interface allocation and connectivity

• Application storage, deployment and provisioning

• NTP for entire chassis

• Clustering setup

BRKSEC-3455


Why a brief look at FXOS CLI

• Limited documentation as of FXOS 2.0

• No CLI Command-Reference

• Some elements are only visible in the CLI

31BRKSEC-3455

• Please ask for TAC-Support before you change undocumented elements

• Stay with the Web-UI for regular operations


Brief Recap Management operations

• The Firepower system is built as a distributed hardware architecture

• Various functions are serviced from different hardware components

• The Supervisor-Engine (or MIO) is the main control-point for all chassis and interface and blade configurations

32BRKSEC-3455

Console-Port

Mgnt-Port

Data-Port

Supervisor/MIO-Board

Switch-Fabric

Security Service-Blade

Security Service Processor • Supervisor configuration navigation via CLI „scope“ command

• Connection to element-OS CLI via „connect“ command

scope

scope

connect


CLI is your friend ?

„If you give us outstanding scores, you will become a beer“

33BRKSEC-3455

*a word that is often confused with a word in another language with a different meaning because the two words look or sound similar

Lab-FP4110-A-A(fxos)# show interface mgmt 0

mgmt0 is down (Administratively down)

Hardware: GigabitEthernet, address: ecbd.1d5e.d1df (bia ecbd.1d5e.d1df)

Internet Address is 10.0.0.11/24

Lab-FP4110-A-A(local-mgmt)# show mgmt-port

eth0 Link encap:Ethernet HWaddr EC:BD:1D:5E:D1:DF

inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0

inet6 addr: fe80::eebd:1dff:fe5e:d1df/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Lab-FP4110-A-A(local-mgmt)# ping 10.0.0.1 count 1

PING 10.0.0.1 (10.0.0.1) from 10.0.0.11 eth0: 56(84) bytes of data.

64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.394 ms

“Beware of „False Friends*“


FXOS interaction and navigation (CLI)

• Initial console access is mandatory for the setup

• Initial admin password is not set(console)

• Password setup is mandatory on first login

• Strong password is optional

• Setup wizard will guide for minimal IP-Setup for Mgmt-Interface

• Remaining detailed settings via:

• Console

• SSH

• Browser

• API

34BRKSEC-3455

For YourReference


FXOS interaction (CLI): SetupYou have chosen to setup a new Security Appliance. Continue? (y/n): y

Enforce strong password? (y/n) [n]:

Enter the password for "admin":

Confirm the password for "admin":

Enter the system name [Lab-FP4110-A]:

Physical Switch Mgmt0 IP address [10.0.0.11]:

Physical Switch Mgmt0 IPv4 netmask [255.255.255.0]:

IPv4 address of the default gateway [10.0.0.1]:

Configure the DNS Server IP address? (yes/no) [n]:

Configure the default domain name? (yes/no) [n]:

Following configurations will be applied:

Switch Fabric=A

System Name=Lab-FP4110-A

Enforced Strong Password=no

Physical Switch Mgmt0 IP Address=10.0.0.11

Physical Switch Mgmt0 IP Netmask=255.255.255.0

Default Gateway=10.0.0.1

Ipv6 value=0

Apply and save the configuration (select 'no' if you want to re-enter)? (yes/no):

35BRKSEC-3455


CLI elements and navigation

• Command modes follow a hierarchy

• EXEC-mode• Highest level

• Default Access-Level on Console

• Branches to lower levels

• CLI-Prompt shows the path to mode hierarchy

• Moving between levels• Scope <object>:Changes mode into an existing object mode

• Exit: Leaves current command mode level

• Top: Changes to highest command mode level

• Connect <component>: Connects to component CLI

36BRKSEC-3455

Lab-FP4110-A-A# scope chassis 1

Lab-FP4110-A-A /chassis #


CLI elements and objects

• Managed Objects

• Abstract representation of physical or logical entities

• Examples are: chassis, security-modules, firmware, licenses and more

• Within each scope the objects represents the elements and parameters

• Working with objects

• Create <object>: A non-existent object is created and entered for parameters

• Delete <object>: An existent object is deleted

• Enter <object>: A non-existent object is created and entered for parameters

• Scope <object>: An existent object is entered for parameters

37BRKSEC-3455

For YourReference


A simple CLI exampleLAB-FP4110-A-A# scope security

LAB-FP4110-A-A /security #

LAB-FP4110-A-A /security # create local-userWORD User Name

LAB-FP4110-A-A /security # create local-user mvassigh

LAB-FP4110-A-A /security/local-user* #

LAB-FP4110-A-A /security/local-user* # set email [email protected] /security/local-user* # set password

Enter a password: <System Interaction>

Confirm the password: <System Interaction>

38BRKSEC-3455

mailto:[email protected]


A simple CLI exampleLAB-FP4110-A-A# scope security

LAB-FP4110-A-A /security #

LAB-FP4110-A-A /security # create local-userWORD User Name

LAB-FP4110-A-A /security # create local-user mvassigh

LAB-FP4110-A-A /security/local-user* #

LAB-FP4110-A-A /security/local-user* # set email [email protected] /security/local-user* # set password

Enter a password: <System Interaction>

Confirm the password: <System Interaction>

LAB-FP4110-A-A /security/local-user* # show configuration pending

+enter local-user mvassigh+ set account-status active

+ set email [email protected]

+ set firstname "“

+ set lastname "“

+! set password <not shown but set>

+ set phone "“

+exit

LAB-FP4110-A-A /security/local-user* # commit-buffer

LAB-FP4110-A-A /security/local-user # exit

39BRKSEC-3455

LAB-FP4110-A-A /security # show local-user

mvassigh detail

Local User mvassigh:

First Name:

Last Name:

Email: [email protected]

Phone:

Expiration: Never

Password: ****

Account status: Active

User Roles:

Name: read-only

User SSH public key:





For YourReference

security

• Authentication

• Local-User Accounts

• Radius

• Tacacs

• Trustpoints

• Certificates

system/services

• SSH-Server, SSH-Keys

• HTTPS-Server and ports

• DNS

• NTP

• Configuration import/export

40BRKSEC-3455

firmware

• Software download

• Monitor download tasks

• Software installation (FXOS packages only !)

eth-uplink/fabric a

• Physical interfaces

• Port-Channel interfaces

Important „scopes“ for configuration operations(1)



fabric-interconnect a

• Local-Management-IP setting

41BRKSEC-3455

LAB-FP4110-A-A /fabric-interconnect # show

Fabric Interconnect:

ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability

---- --------------- --------------- --------------- ---------------- ---------------- ------ -----------

A 10.0.0.11 10.0.0.1 255.255.255.0 :: :: 64 Operable

LAB-FP4110-A-A /fabric-interconnect # set out-of-band

gw Gw

ip Ip

netmask Netmask



eth-uplink/fabric a

• Physical external interfaces/interface-modules of Firepower chassis

42BRKSEC-3455

LAB-4110-A-A /eth-uplink/fabric # show interface

Interface:

Port Name Port Type Admin State Oper State State Reason

--------------- ------------------ ----------- ---------------- ------------

Ethernet1/1 Data Disabled Admin Down Administratively down

Ethernet1/2 Data Enabled Up



(truncated)

LAB-4110-A-A /eth-uplink/fabric # show port-channel

Port Channel:

Port Channel Id Name Port Type Admin State Oper State State Reason

--------------- ---------------- ------------------ ----------- ---------------- ------------

48 Port-channel48 Cluster Disabled Admin Down Administratively down

(truncated)


Important „connect” elements(1)

local-management

• Verify Mgmt-Port IP connectivity

• Ping/Traceroute

• Graceful reboot/shutdown

• Disk/File operations

• Packet-Captures

• Configuration erase

43BRKSEC-3455

Lab-FP4110-A-A(local-mgmt)# show mgmt-port

eth0 Link encap:Ethernet HWaddr EC:BD:1D:5E:D1:DF

inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0

inet6 addr: fe80::eebd:1dff:fe5e:d1df/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

(output truncated)

Lab-FP4110-A-A(local-mgmt)# ping 10.0.0.1 count 1

PING 10.0.0.1 (10.0.0.1) from 10.0.0.11 eth0: 56(84) bytes of data.


Lab-FP4110-A-A(local-mgmt)# dir

1 29 Jan 19 15:23:27 2017 blade_debug_plugin

1 19 Jan 19 15:23:27 2017 bladelog

1 16 Jan 19 15:24:11 2017 cores

2 4096 Jan 19 16:27:44 2017 debug_plugin/

1 31 Jan 19 15:24:11 2017 diagnostics

2 4096 Jan 19 15:21:56 2017 lost+found/

1 25 Jan 19 15:23:53 2017 packet-capture

2 4096 Jan 19 15:23:28 2017 techsupport/


Important „connect“ elements(2)

local-management

• Tech-Support file generation

• FPRM:Supervisor/MIO

• Module: SSP modules

• Chassis: chassis, blade, CIMC

44BRKSEC-3455

Lab-FP4110-A-A(local-mgmt)# show tech-support

chassis Chassis

fprm Firepower Platform Management

module Security Module

Lab-FP4110-A-A(local-mgmt)# show tech-support fprm detail

Initiating tech-support information task on FABRIC A ...

Completed initiating tech-support subsystem tasks (Total: 1)

All tech-support subsystem tasks are completed (Total:

1[received]/1[expected])

The detailed tech-support information is located at

workspace:///techsupport/2017011918273_Lab-FP4110-A_FPRM.tar

• Tech-Support files [detail] output will be archived to disc automatically

• Use of copy operation to move file from system

Lab-FP4110-A-A(local-mgmt)# copy

techsupport/20170119182735_Lab-FP4110-A_FPRM.tar

ftp: Dest File URI

scp: Dest File URI

sftp: Dest File URI

tftp: Dest File URI

usbdrive: Dest File URI

volatile: Dest File URI

workspace: Dest File URI


Password recovery

• Worth for a Dry-Run when the hardware hits your deskUse BREAK, ESC or CTRL+L to interrupt boot.

Use SPACE to begin boot immediately.

Boot interrupted.

rommon 5 > dir installables/switch

Directory of: bootflash:\installables\switch

09/01/16 04:37p 35,652,608 fxos-k9-kickstart.5.0.3.N2.4.01.35.SPA

09/01/16 04:37p 250,003,850 fxos-k9-system.5.0.3.N2.4.01.35.SPA

rommon 6 > boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.4.01.35.SPA

!! Kickstart Image verified successfully !!

switch(boot)# config terminal

switch(boot)(config)# admin-password erase

Your password and configuration will be erased!

Do you want to continue? (y/n) [n] <Enter y here>

switch(boot)(config)# exit

switch(boot)# load bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.4.01.35.SPA

<wait>

---- Basic System Configuration Dialog ----

You have chosen to setup a new Security Appliance. Continue? (y/n): y

1

2


What if you have a corrupt kickstart/system image

• For FXOS 2.0.(1)

• Open a TAC Service request

• For FXOS 2.1.(1)

• You can download them from CCO (since Feb.2017)

46BRKSEC-3455


A few hardware troubleshoot suggestions „CLI“

• scope chassis <all output truncated>

• show inventory fan/psu

47BRKSEC-3455

PSU Presence PID Vendor Serial (SN) HW Revision

---------- --------------------------------- ---------- ---------- ----------- -----------

1 Equipped FPR4K-PWR-AC-1100 Cisco Systems, Inc. PST201560AY 0

2 Missing 0

Fan Modules:

Tray 1 Module 1:

Presence: Equipped

ID PID Vendor Serial (SN) HW Revision

---------- ------------ --------------- ----------- -----------

1 FPR4K-FAN Cisco Systems I JAD202808LY 0

2 FPR4K-FAN Cisco Systems I JAD202808LY 0

Lab-FP4110-A-A /chassis # show fault

Severity Code Last Transition Time ID Description

--------- -------- ------------------------ -------- -----------

Warning F0378 2017-01-29T12:55:26.444 42157 Power supply 2 in chassis 1 presence: missing


A few hardware troubleshoot suggestions „UI“

48BRKSEC-3455

Click here Click here


Selected troubleshoot results from „UI“

49BRKSEC-3455

Deployment Modes & Interfaces


Why you should care about deployment modes

• There are 2 distinct operative deployment options for FTD Firewall

• Routed-Operations Mode

• Transparent-Operations Mode (also called Bridged-Mode)

• Sub-Deployment options are• Cluster-Mode (9300 only, 4100 out with V6.2)

• HA/Failover-Mode

• Passive SPAN-Mode

• Changing the „operations“ mode erases your existing configuration

• Note: Changing the mode requires you to re-register to FMC

51BRKSEC-3455

> configure firewall routed

This will destroy the current interface configurations, are you sure that you

want to proceed? [y/N] y

The firewall mode was changed successfully.


FTD Interface modes comparisonInterface mode Interface type FTD mode Description Real traffic

dropping

Firewall mode Routed Routed Traffic is going through all FTD checks (Security Intelligence, Access Control Policy, Snort, File/AMP policy)

Yes

Firewall mode Switched Transparent Traffic is going through all FTD checks (Security Intelligence, Access Control Policy, Snort, File/AMP policy), but there is no route lookup (only MAC lookup)

Yes

IPS-only mode Passive Routed/Transparent A copy of a packet (SPAN) is going through NGIPS checks

No

IPS-only mode Passive (ERSPAN) Routed A copy of a packet (ERSPAN) is going through NGIPS checks

No

IPS-only mode IPS-only Inline Set Routed/Transparent A packet goes through NGIPS checks Yes

IPS-only mode IPS-only Inline Set tap mode

Routed/Transparent A packet is sent through FTD and a copy of it goes through NGIPS checks

No

52BRKSEC-3455


FTD Interfaces general(1)

Chassis type Interface creation Interface physical

operation

Interface IP &

operation

Firepower 4100

Chassis-Manager FXOS FXOS FXOS

FTD-Mgmt FXOS-Type: Mgmt FXOS FTD

FTD-HA FXOS-Type: Data FXOS FTD

FTD-Data FXOS-Type: Data FXOS FTD

FTD-Port-Channel-Data FXOS-Type: Data FXOS FTD

FTD VLAN-SubInterfaces FTD FXOS FTD

FTD Eventing FXOS-Type: FP-Eventing FXOS FTD

53BRKSEC-3455


FTD Interfaces general(2)

Chassis type Interface creation Interface physical

operation

Interface operation

Firepower 4100

Hardware-Bypass* FXOS FXOS FTD for IPS only

NGIPS-Inline-Pair FXOS-Type: Data FXOS FTD

NGIPS-Passive FXOS-Type: Data FXOS FTD

NGIPS-ERSpan FXOS-Type: Data FXOS FTD

54BRKSEC-3455

For YourReference


FTD Diagnostic vs. Management Interface

Management Interface Diagnostic Interface

FTD Operations • Mandatory • Optional

Usage • FTD to FMC communication (sftunnel)

• SSH/HTTPS access to FTD

• LINA Diagnostics

• SSH access to ASA CLI

• Syslog source for ASA events (can use any

data-interface)

Configuration on:

Firepower 5500-X

Firepower 4100/9300

• configure network ipv4 <x>

• Configure via FXOS UI/CLI

FMC UI: Devices > Device Management

Access Restrictions • configure ssh access-lists FMC UI: Device >Platform Settings

Challenges None Operational restrictions with other interfaces

55BRKSEC-3455

• Since FTD v6.1 there are 2 specialized interfaces on FTD


FTD Syslog setup (ASA logs)

56BRKSEC-3455

Create the Syslog-

Server object

Select the zone to reach

the server

Reminder:

No need for diagnostic interface IP


FTD Syslog setup (ASA logs cont.)

57BRKSEC-3455

Create the Syslog-

Server object

Select your syslog

destination

Enable syslog


FTD syslog troubleshoot

• FTD CLISH

58BRKSEC-3455

>show running-config logging

logging enable

logging timestamp

logging trap critical

logging host INSIDE 172.16.1.100

>show logging

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Hide Username logging: enabled

Standby logging: disabled

Debug-trace logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: level critical, facility 20, 0 messages logged

Logging to INSIDE 172.16.1.100

Licensing (Really ?)


Classic vs. Smart Licensing

• Classic Licensing

• Manual PAK registration needed for each device to unlock license key

• Limited view – customers do not know what they own

• Licenses tied to License-Key / only one device

• Smart Licensing

• Enterprise wide / complete visibility (software, licenses, devices in one portal)

• License token not tied to License-Key – flexible licensing across all devices

• Smart account is mandatory

• User access control

60Presentation ID


Smart Licensing prerequisites

• FMC can reach Cisco Smart Licensing Cloud Server via hostname – verify DNS settings

• Ensure that NTP daemon is running on the FMC

• User needs to have an account with CCSM (Cisco Smart Software Manager)

61Presentation ID

https://software.cisco.com


Apply Smart Licenses

1. Obtain product instance registration token from CSSM (Cisco Smart Software Manager)

2. Register Unified Manager to CSSM

3. Register NGFW/FTD devices to Unified Manager

4. Apply/Remove Smart License

62Presentation ID


Firepower Management Center (quick look)

63BRKSEC-3455


Smart Licensing

• Firepower Threat Defense uses ONLY Smart Licensing. Other products (Firepower 7000/8000 series appliances or Firepower Services modules) still use Classic Licensing.

• Controlled through FMC, restricting what features can be configured per device. Without license FMC cannot deploy policy or receive events.

• Existing ASA classic licensing is not used.

• Evaluation mode is possible using build-in 90 days evaluation period. It has start and end date, renewal required for continued entitlement.

• Purchased licenses are added to Smart Account automatically.

• Equivalent licenses must be purchased for HA devices.

64Presentation ID


Smart Licensing

License feature Description License type

Base NGFW (Firewall and AVC) Perpetual

Threat Protection IPS policies, Security

Intelligence, DNS policies

Term

Malware Advance Malware Protection and

Threat Grid

Term

URL Filtering Category and web reputation

filtering

Term

Firepower Management Center Management license for

host/user count

Perpetual

65Presentation ID


Troubleshooting scenarioKSEC-FPR4100-4-A# show license all

Smart Licensing is ENABLED

Registration:

Status: UNREGISTERED - REGISTRATION FAILED

Export-Controlled Functionality: Not Allowed

Initial Registration: FAILED on Jan 11 12:24:30 2017 UTC

Failure reason: Failed to authenticate server

KSEC-FPR4100-4-A /security # show trustpoint

KSEC-FPR4100-4-A /security #

Trustpoint is EMPTY!

KSEC-FPR4100-4-A# scope security

KSEC-FPR4100-4-A /security # create trustpoint

CHdefault

KSEC-FPR4100-4-A /security/trustpoint* # set certchain

Enter lines one at a time. Enter ENDOFBUF to finish.

Press ^C to abort.

Trustpoint Certificate Chain:>MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB

yjELMAkGA1>UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL

ExZWZ>XJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp

U>2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW

ZXJpU2>lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0

a>G9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL

M>AkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW

ZXJ>pU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln

biwgSW5jL>iAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp

U2lnbi>BDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y

>aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1

nmAMq>udLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex

t>0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz

SdhDY2>pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG

BO+QueQ>A5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+

r>CpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/

NIe>Wiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E

BAMCAQYw>bQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH

>ENDOFBUF

KSEC-FPR4100-4-A /security/trustpoint* # commit-buffer

66BRKSEC-3455

Important note, copy the whole certificate from BEGIN to END otherwise the commit-buffer will fail with following reason:

Error: Update failed: [failed to verify certificate chain, error: Failed to split certificate chain]


Biggest case creator for „Smart-Licensing“ will be solved

• Firepower Management Center bypassing proxy-configuration for Smart-Licensing

• Bug was present in V6.0, 6.01, 6.1, 6.1.0.1

• Bug has been verified to be fixed in V6.2 on a fresh install

• Bugfix will be available in V6.1.0.2 (latest maintenance release from 8.Feb.2017 )

• We are expecting confirmation from many of you

67BRKSEC-3455

Installation and Configuration


Brief installation steps on Firepower 4100 series

69Presentation ID

Add FTD to Firepower Management Center

Upgrade the supervisor (FXOS) software bundle

Configure FTD Management and Data Interfaces

Install FTD application image

Provision FTD Settings (mode, IP settings, FMC info)


Upgrade the supervisor (FXOS) software bundle


Configure FTD Data & Management Interfaces

71BRKSEC-3455


Adding interfaces for application module


Four things to remember on interfaces

• The Mgmt-Interface is created but will not be selectable laterThe assignment happens automatically for the logical device

• The Event-Monitoring interface is optional and was newly introduced in V6.x, to allow separation of events and diagnostics versus configuration traffic for FMC-Appliance and Firepower-Devices (FP4100/FP9300/FP8000)

• Port-Channel Interfaces are configured but forced into „suspend“-mode

• VLAN-Sub-Interfaces are created on the logical device only

73BRKSEC-3455

For YourReference


Interface-Special Port-Channel

•

This is the intended behavior

74BRKSEC-3455


FTD installation on 4100(1)For YourReference


FTD installation on 4100(2)For YourReference

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 77Presentation ID

FTD installation on 4100 (working hard)For YourReference


FTD installation on 4100 (working harder)For YourReference


FTD Installation „Local Console“ monitoringLab-FP4110-A-A /ssa/slot # connect module 1 console

Telnet escape character is '~'.

Trying 127.5.1.1...

Connected to 127.5.1.1.

Escape character is '~'.

CISCO Serial Over LAN:

Close Network Connection to Exit [ OK ]

Executing S47install_default_sandbox_EO.pl [ OK ]

Executing S50install-remediation-modules [ OK ]

Executing S51install_health_policy.pl [ OK ]

Executing S52install_system_policy.pl [ OK ]

Executing S53change_reconciliation_baseline.pl [ OK ]

Executing S70remove_casuser.pl [ OK ]

Executing S70update_sensor_objects.sh [ OK ]

Executing S85patch_history-init [ OK ]

Executing S90banner-init [ OK ]

Executing S96grow_var.sh [ OK ]

Executing S96install_vmware_tools.pl [ OK ]

(output truncated)


FTD installation on 4100 (finished)


A quick few things to check via CLILAB-4110-A-A /ssa/logical-device # show expand | begin IP

IP v4:

Slot ID Management Sub Type IP Address Netmask Gateway Last Updated Timestamp

---------- ------------------- --------------- --------------- --------------- ----------------------

1 Firepower 10.0.0.12 255.255.255.0 10.0.0.1 2017-01-23T19:10:28.260

Bootstrap Key:

Key Value Last Updated Timestamp

---------- ---------- ----------------------

DNS_SERVERS (truncated)

128.107.212.175

FIREPOWER_MANAGER_IP

10.0.0.50

FIREWALL_MODE

routed

FQDN ftd1.example.com


A quick few things to verify via CLILAB-4110-A-A /eth-uplink/fabric # show port-channel expand

Port Channel:

Port Channel Id: 10

Name: Port-channel10

Port Type: Data

Admin State: Enabled

Oper State: Up

State Reason:

Member Port:

Port Name Membership Oper State State Reason

--------------- ------------------ ---------------- ------------

Ethernet1/4 Up Up

Port Channel Id: 11

Name: Port-channel11

Port Type: Data

Admin State: Enabled

Oper State: Up

State Reason:

Member Port:

Port Name Membership Oper State State Reason

--------------- ------------------ ---------------- ------------

Ethernet1/2 Up Up


Time for some connectivity checks

83BRKSEC-3455

For YourReference


Time for some connectivity checks (???)

84BRKSEC-3455



85BRKSEC-3455



86BRKSEC-3455


Experts use CLI (1)Lab-FP4110-A-A# connect module 1 console

Telnet escape character is '~'.

Trying 127.5.1.1...

Connected to 127.5.1.1.

Escape character is '~'.

CISCO Serial Over LAN:

Close Network Connection to Exit

Firepower-module1>connect ftd

Connecting to ftd console... enter exit to return to bootCLI

>ping 10.0.0.1 (= Our Default-Gateway ?)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

No route to host 10.0.0.1

Success rate is 0 percent (0/1)

87BRKSEC-3455


Experts use CLI (2)> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B – BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, V – VPN

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 169.254.1.0 255.255.255.252 is directly connected, nlp_int_tap

L 169.254.1.1 255.255.255.255 is directly connected, nlp_int_tap

> show ip

System IP Addresses:

Interface Name IP address Subnet mask Method

Current IP Addresses:


88BRKSEC-3455


Experts use CLI (3)> show interface

Interface Port-channel10 "", is administratively down, line protocol is up

Hardware is EtherSVI, BW 10000 Mbps, DLY 1000 usec

Available but not configured via nameif

Interface Port-channel11 "", is administratively down, line protocol is up


Available but not configured via nameif

Interface Ethernet1/3 "diagnostic", is up, line protocol is up


MAC address ecbd.1d5e.d20e, MTU 1500

IP address unassigned

89BRKSEC-3455


A real expert ?

90BRKSEC-3455


„Experts, beware of False Friends“> show network

===============[ System Information ]===============

Hostname : ftd1.example.com

DNS Servers : 128.107.212.175

Management port : 8305

IPv4 Default route

Gateway : 10.0.0.1

==================[ management0 ]===================

State : Enabled

Channels : Management & Events

Mode : Non-Autonegotiation

MDI/MDIX : Auto/MDIX

MTU : 9000

MAC Address : EC:BD:1D:5E:D1:FF

----------------------[ IPv4 ]----------------------

Configuration : Manual

Address : 10.0.0.12

Netmask : 255.255.255.0

Broadcast : 10.0.0.255

91BRKSEC-3455

> ping

tcp Test connection over TCP

system Test connectivity from the FTD

management interface

interface interface

Hostname hostname or A.B.C.D or X:X:X:X::X

> ping system 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.



> traceroute

system Find route to remote network through FTD

management interface


Backup and Restore

Lab-FP4110-A-A /system # show import-config detail

Import Configuration Task:

Hostname: local

Remote File: config--2017-01-24T10:19:40.384177.xml

User:

Protocol: Http

Admin State: Disabled

Status: Succeeded

Description:

Port: Default

Current Task:


Backup and Restore (really ?)

Lab-FP4110-A-A /ssa # Lab-FP4110-A-A /ssa # show logical-device detail

Logical Device:

Name: ftd1

Description:

Slot ID: 1

Mode: Standalone

Operational State: Incomplete Configuration

Template Name: ftd

Error Msg: End User License Agreement not accepted for apps: ftd.6.1.0.330

Switch Configuration Status: Ok


Backup and Restore Guidelines

• Bootstrap supervisor module IP settings

• Register Smart-Licensing

• Platform hardware and software version should(must) match

• Same network-modules must be installed

• The Application-Software packages must be installed

• Logical-Device EULA must be accepted (latest after Restore)

94BRKSEC-3455

For YourReference

High Availability FTD Device


FTD HA-Configuration (1)

96BRKSEC-3455


FTD HA-Configuration(2)

97BRKSEC-3455

You can share an

interface for HA and

State

You can not(!) use a

VLAN-Subinterface

Beware:

HA-Configuration

immediately starts,

there is no

Deploy-Phase


Basic Failover-Configuration verification on CLI

98BRKSEC-3455

> show failover state

State Last Failure Reason Date/Time

This host - Primary

Active None

Other host - Secondary

Failed Comm Failure 11:31:59 CET Feb 14 2017

====Configuration State===

====Communication State===

>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (truncated)

Beginning configuration replication: Sending to mate.

End Configuration Replication to mateExclamation mark is

your friend


Basic Failover-Configuration verification on CLI> show failover state

State Last Failure Reason Date/Time

This host - Primary

Active None

Other host - Secondary

Standby Ready Comm Failure 11:31:59 CET Feb 14 2017

====Configuration State===

Sync Done

====Communication State===

Mac set

99BRKSEC-3455

Don’t panic !Think in

Columns


Failover Troubleshooting on FMC-UI

100BRKSEC-3455

Verify

Counters


Breaking Failover is safe

101BRKSEC-3455

• It maintains full operations on the Active-Unit

• Standby-Unit looses failover and interface configurations

> show ip



Port-channel10.1 Outside 10.40.0.1 255.255.255.0 manual

Port-channel10.2 Inside 10.41.0.1 255.255.255.0 manual

Port-channel11 FOVER 172.16.1.1 255.255.255.0 unset



Port-channel11 FOVER 172.16.1.2 255.255.255.0 unset

> INFO: Security level for "Inside" set to 0 by default.

INFO: Security level for "Outside" set to 0 by default.

INFO: Security level for "diagnostic" set to 0 by default.

INFO: This unit is currently in standby state. By disabling failover, this unit will

remain in standby state.


Verification on StandBy-unit> show ip





102BRKSEC-3455


FTD HA information not synchronized (partial list)

• Sessions inside plaintext tunnels

• GRE, IPinIP encapsulated traffic

• TLS Decrypted sessions

• Decrypt/Resign: Blocked with Reset

• Known-Keys: Blocked with Reset

• DHCP-Server

• Multicast-Routing

• Management-Connections to FTD-Device

• HTTPS/SSH

103BRKSEC-3455


Failover Troubleshooting CLI (need TAC for debugs)

104BRKSEC-3455


Attaching to ASA console ... Press 'Ctrl+a then d' to detach.

Type help or '?' for a list of available commands.

firepower> en

Password:

firepower# debug fover ?

cable Failover LAN status cmd-exec Failover EXEC command execution

fail Failover internal exception

fmsg Failover message

ifc Network interface status trace

open Failover device open

rx Failover Message receive

rxdmp Failover recv message dump (serial console only)

rxip IP network failover packet recv

snort Failover NGFW mode snort processing

switch Failover Switching status

sync Failover config/command replication

tx Failover Message xmit

txdmp Failover xmit message dump (serial console only)

txip IP network failover packet xmit

verify Failover message verify


Failover Troubleshooting CLI (examples)

105BRKSEC-3455


Attaching to ASA console ... Press 'Ctrl+a then d' to detach.

Type help or '?' for a list of available commands.

firepower> en

Password:

firepower# debug fover ifc

fover event trace on

firepower# fover_health_monitoring_thread: ifc_check() group: 0, - time = 8492170

fover_health_monitoring_thread: ifc_check() group: 0, - time = 8494670

fover_health_monitoring_thread: ifc_check() group: 0, - time = 8497170

firepower# debug fover rx

fover event trace on

firepower# fover_ip: HA TRANS: receive message for client Failover Control Module, length

32

fover_rx: rx msg: cmd 0x1, seqNum 0x43d0

fover_ip: HA TRANS: receive message for client Failover Control Module, length 32

fover_rx: rx msg: cmd 0x1, seqNum 0x43d1

lu_rx: HA TRANS: receive message for client Legacy LU support, length 52

For YourReference

High-Availability Update Demo

Ready to go

Our first configuration demo


For YourReference

A quick look at Prefilter Policies versus AC-Policies


Advanced troubleshoot option Packet-Tracer

110BRKSEC-3455

packet-tracer input Inside tcp 10.41.0.10 1023 10.40.0.10 22 (for your reference)

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group CSM_FW_ACL_ global

access-list CSM_FW_ACL_ advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start

access-list CSM_FW_ACL_ remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy

access-list CSM_FW_ACL_ remark rule-id 268435458: RULE: MV-ICMP-Prefilter

Additional Information:

For YourReference


Troubleshoot on FTD-CLI> show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list CSM_FW_ACL_; 8 elements; name hash: 0x4a69e3f3

access-list CSM_FW_ACL_ line 1 remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy

access-list CSM_FW_ACL_ line 2 remark rule-id 268435458: RULE: MV-ICMP-Prefilter

access-list CSM_FW_ACL_ line 3 advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start

(hitcnt=2) 0x60b01ea9

access-list CSM_FW_ACL_ line 4 remark rule-id 268435457: PREFILTER POLICY: MV-Prefilter-Policy

access-list CSM_FW_ACL_ line 5 remark rule-id 268435457: RULE: DEFAULT TUNNEL ACTION RULE

access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268435457 (hitcnt=0) 0xf5b597d6

access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268435457 (hitcnt=0) 0x06095aba

access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268435457 (hitcnt=0) 0x52c7a066

access-list CSM_FW_ACL_ line 9 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435457

(hitcnt=0) 0x46d7839e

access-list CSM_FW_ACL_ line 10 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435457

(hitcnt=0) 0xaf1d5aa5

access-list CSM_FW_ACL_ line 11 remark rule-id 268435456: ACCESS POLICY: MV-Base - Mandatory/1

access-list CSM_FW_ACL_ line 12 remark rule-id 268435456: L7 RULE: MV-Monitor-Connections

access-list CSM_FW_ACL_ line 13 advanced permit ip ifc Inside any ifc Outside any rule-id 268435456

(hitcnt=12) 0x91a99859

access-list CSM_FW_ACL_ line 14 remark rule-id 268434432: ACCESS POLICY: MV-Base - Default/1

access-list CSM_FW_ACL_ line 15 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE

access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268434432 event-log flow-start

(hitcnt=3) 0x97aa021a

For YourReference

ASA to FTD Migration


ASA to FTD Migration

• Required steps

• Meet the minimum requirements

• Export your ASA config to txt/cfg file

• Start a fresh FMCv instance on VMare matching your target FMC version

• Run the „migration tool“ inside FMCv root shell

• Import the ASA configuration file

• Download the converted „.sfo“-File

• Import the converted configuration into your real FMC

• Troubleshoot

• Check the migration report first

• FMC UI > Generate troubleshoot and contact TAC

113BRKSEC-3455

ASA to FTD Migration Demo

FTD Troubleshooting tools


Process ManagementShow status of processes:

# pmtool status

# sudo pmtool disablebyid SFDataCorrelator

You should see that the process is in User Disabled state:

# pmtool status | grep SFDataCorrelator

# sudo pmtool enablebyid SFDataCorrelator

Verify that the process is running and make sure that the process ID matches the 'pmtool’ and ‘ps’ tool:

# sudo pmtool status | grep SFDataCorrelator

# ps aux | grep <PID>

Restart all detection engine / Snort instances:

# pmtool restartbytype snort

Important note, restartbyid for Snort would cause only one instance to be restarted.

# tail -f /var/log/messages

116BRKSEC-3455

> pmtooldisablebyid pmtool disablebyiddisablebytype pmtool disablebytypeenablebyid pmtool enablebyidenablebytype pmtool enablebytyperestartbyid pmtool restartbyidrestartbytype pmtool restartbytypestatus pmtool status


Functionality Of Some FTD Processes

snort inspects network traffic (pass,

block and alert)

sftunnel secure tunnel between

managed device and FMC

ids_event_processor sends intrusion events to

managing device (FMC)

diskmanager,

Pruner

managing disk space and

clean up old files

ids_event_alerter sends intrusion events to

Syslog or SNMP server

ntpd responsible for time

synchronization

wdt-util used for fail-to-wire /

hardware bypass

snmpd SNMP monitoring

SFDataCorrelator processing events pm (process

manager)

responsible for launching

and monitoring of all FTD

relevant processes and

restarting them in case of

failure

117BRKSEC-3455


Troubleshooting FileGenerate troubleshooting file over CLISH and ROOT CLI:

>system generate-troubleshoot all

#/usr/local/sf/bin/sf_troubleshoot.pl ALL

Storage of troubleshooting files:

Firepower: /var/common/ vs. FTD: /ngfw/var/common/

/ngfw/var/common/results-01-19-2017--214641.tar.gz

What data the troubleshooting file includes? -> /etc/sf/troubleshoot.conf

Layout of the troubleshooting file: command-outputs, file-contents, dir-archives

Key to remember: Troubleshooting files can't always tell you & TAC everything!

118BRKSEC-3455


FTD V6.1 Troubleshooting Enhancements

• File download tool

• Threat Defense CLI tools

• packet-tracer

• show

• ping

• Traceroute

Those commands will be

executed in privileged mode.

Supported on all FTD devices, both physical and virtual.

119BRKSEC-3455


FXOS Capture: Quick option (1)

• Apply a reasonable Traffic-Filter

• Focus just on physical Ingress-Egress port

120BRKSEC-3455


FXOS Capture: Quick option(2)

• Download your capture and filter in wireshark

121BRKSEC-3455


ASA/LINA Packet Capture - The Wires Never Lie!firepower# cap in interface INSIDE match icmp any any trace detail

firepower# cap out interface OUTSIDE match icmp any any trace detail

firepower# cap asp type asp-drop all buffer 33554432

firepower# sh cap

capture in type raw-data trace detail interface INSIDE [Capturing - 114 bytes]

match icmp any any

capture out type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]

match icmp any any

capture asp type asp-drop all buffer 33554432 [Capturing - 114 bytes]

firepower# sh cap in packet-number 1 trace

1: 09:09:18.644467 172.16.1.17 > 20.20.20.100: icmp: echo request

Type: SNORT

Subtype:

Result: DROP

Snort Verdict: (black-list) black list this flow

input-interface: INSIDE

input-status: up

input-line-status: up

Action: drop

Drop-reason: (snort-drop) Snort requested to drop the frame


FP/Snort Capture - The Wires Never Lie! (1)> capture-traffic

Please choose domain to capture traffic from:

0 - management0

1 - Router

Selection? 1

Please specify tcpdump options desired.

(or enter '?' for a list of supported options)

Options: icmp

23:07:21.619642 IP 172.16.1.17 > 20.20.20.100: ICMP echo request, id 24538, seq 1, length 64


FP/Snort Capture - The Wires Never Lie! (2)>capture-traffic

Options: -v -n -e (icmp and host 172.16.2.11) or (vlan and icmp and host 172.16.2.11)

12:02:43.949535 00:50:56:b6:0b:33 > 58:97:bd:b9:73:ee, ethertype 802.1Q (0x8100), length 78: vlan 208, p 0,

ethertype IPv4, (tos 0x0, ttl 128, id 5366, offset 0, flags [none], proto ICMP (1), length 60)

firepower# sh cap inside

1: 12:09:56.732841 802.1Q vlan#208 P0

172.16.2.11 > 20.20.20.11: icmp: echo request

2: 12:09:56.733696 802.1Q vlan#208 P0

20.20.20.11 > 172.16.2.11: icmp: echo reply

SNORT

firepower# sh cap outside

1: 12:09:56.733162 172.16.2.11 > 20.20.20.11:

icmp: echo request

2: 12:09:56.733680 20.20.20.11 > 172.16.2.11:

icmp: echo reply

IN OUT


Correct Access Control Rule Being Evaluated?

>system support firewall-engine-debug

Please specify an IP protocol: icmp

Please specify a client IP address: 172.16.1.17

Please specify a server IP address: 20.20.20.100

Monitoring firewall engine debug messages172.16.1.17-8 > 20.20.20.100-0 1 AS

1 I 44 New session

172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 using HW or preset rule order 2,

'allow and inspect', action Allow and prefilter rule 0

172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 allow action

125BRKSEC-3455

• Tool that provides the Access Control Rule evaluation status for each flow as we receive packets in real time.

• NGFW debug needs to have specified at least one filtering condition.


Access Control Policy Rule Hit Counters

126BRKSEC-3455

> show access-control-config

===================[ ciscolive ]====================

Description :

Default Action : Allow

Default Policy : Balanced Security and Connectivity

Logging Configuration

DC : Disabled

Beginning : Disabled

End : Disabled

Rule Hits : 10

Variable Set : Default-Set

... (output omitted) ...

# watch ´/usr/local/sf/bin/sfcli.pl show firewall | grep "ciscolive\| Rule\:\|Rule Hits“ ´

===================[ ciscolive ]====================

Rule Hits : 10

------------------[ Rule: allow ]-------------------

Rule Hits : 14

------------------[ Rule: block ]-------------------

Rule Hits : 0

AC Rule Name



127BRKSEC-3455


===================[ ciscolive ]====================

Description :




DC : Disabled


End : Disabled

Rule Hits : 16




===================[ ciscolive ]====================

Rule Hits : 16

------------------[ Rule: allow ]-------------------

Rule Hits : 14

------------------[ Rule: block ]-------------------

Rule Hits : 0

AC Rule Name



128BRKSEC-3455


===================[ ciscolive ]====================

Description :




DC : Disabled


End : Disabled

Rule Hits : 22




===================[ ciscolive ]====================

Rule Hits : 22

------------------[ Rule: allow ]-------------------

Rule Hits : 14

------------------[ Rule: block ]-------------------

Rule Hits : 0

AC Rule Name


Access Control Policy Rule Hit Counters - GUI

Your “custom” connections event view in FMC:

1. Analysis -> Custom -> Custom Workflows -> Create Custom Workflow and use Table “Connection Events”

2. Add page and fill in fields like: “Access Control Policy”, “Access Control Rule”, “Count”, “InitiatorIP”, “Responder IP”

3. Add Table view

129BRKSEC-3455


Access Control Policy Rule Hit Counters - GUIFTD NGFW debugs:

172.16.2.25-8 > 20.20.20.11-0 1 AS 1 I 47 using HW or preset rule order 3, 'DNS and icmp', action Trust and prefilter rule 0

FMC GUI:

Analysis -> Connections events -> “switch workflows” and select your newly created workflow “ACP rule hitcounters”

130BRKSEC-3455


==== [ CL-ACP-2017-FINAL ]===

…(output omitted)

------[ Rule: DNS and icmp ]------

Action : Allow

Destination Ports : protocol 6, port 53

protocol 17, port 53

protocol 1

protocol 6, port 80


DC : Enabled

Beginning : Enabled

End : Enabled

Rule Hits : 28


… (output omitted)

Why the hit counters do not match?


Tracing Packets

firepower# packet-tracer input INSIDE icmp 172.16.1.11 8 0 20.20.20.10 det

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group CSM_FW_ACL_ global

access-list CSM_FW_ACL_ advanced permit icmp any any echo rule-id 268436992

access-list CSM_FW_ACL_ remark rule-id 268436992: ACCESS POLICY: ciscolive - Mandatory/1

access-list CSM_FW_ACL_ remark rule-id 268436992: L7 RULE: icmp allow only


This packet will be sent to snort for additional processing where a verdict will be reached

Forward Flow based lookup yields rule:

in id=0x7f0c2e933260, priority=12, domain=permit, deny=false

hits=200, user_data=0x7f08c343bd80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8, tag=any, ifc=any

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, ifc=any, vlan=0, dscp=0x0

input_ifc=any, output_ifc=any

131BRKSEC-3455

You can operate and troubleshootthe NG-Firewall with confidence

FTD Packet-Flow


Packet processing – before we ‘enter’ the ASA/LINA

Security Engine (ASA or FTD)

Smart NIC + Crypto Accelerator

Internal Switch Fabric

8x 10Gbps NM 1 NM 2

2x40Gbps Uplink 4x 40 Gbps or 8x 10 Gbps


ASA/LINA

firepower# sh int eth 1/7

Interface Ethernet1/7 "INSIDE", is up, line protocol is up


MAC address 5897.bdb9.73ee, MTU 1500

IP address 172.16.1.1, subnet mask 255.255.255.0

Traffic Statistics for "INSIDE":

180 packets input, 14853 bytes

155 packets output, 12628 bytes

25 packets dropped

1 minute input rate 1 pkts/sec, 94 bytes/sec

1 minute output rate 1 pkts/sec, 85 bytes/sec

1 minute drop rate, 0 pkts/sec

High-level information about packet

counters in and out of the box per

context basis:

firepower# clean count

firepower# show count

Packet rate in and out on a per-

interface basis:

firepower# clear traffic

firepower# show traffic

Number of packets dropped in ASP ‘show asp drop‘

L3, L2

hops

ASA/LINA

Pre-Filter

Advanced Snort / FirePOWER

SI (IP) SSL L7 ACL File/AMP

L3/L4 ACL

YES

NO

VPN Decrypt

SI (DNS/URL), Identity

RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS


Packet processing

136BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

• ASA/LINA part checks whether the connection belongs to existing flow or not

• If packet is part of already established flow, then appliance skip basics checks and process the packet in Fast-Path – and continue with checks at DAQ level

show run logging

show logging

FMC: Device -> Platform Settings

show capture <name> packet-number <number> trace

show conn detail

packet-tracer


Packet processing

137BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

firepower# show cap in2 packet-number 46 trace detail46: 19:28:20.056012 0050.56b6.0b33 5897.bdb9.73ee 0x8100 Length: 58

802.1Q vlan#208 P0 172.16.2.13.49182 > 20.20.20.11.80: . [tcp sum ok] 2790183968:2790183968(0) ack

1176461110 win 231 (DF) (ttl 128, id 16898)

...

Type: FLOW-LOOKUP

Found flow with id 34550, using existing flow

firepower# sh logging | include 34550

%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182

(172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)

%ASA-6-302014: Teardown TCP connection 34550 for in2:172.16.2.13/49182 to

OUTSIDE:20.20.20.11/80 duration 0:00:28 bytes 1073752075 Flow closed by inspection

firepower#

Unique Connection ID


Packet processing

Determination of Egress Interface

• Routing table / route lookup – ‘in’ entries of the ASP routing table will be checked to determine the egress interface

• UN-NAT (destination NAT) – egress interface will be choosen based on NAT rule

138BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

show asp table routing

show capture <name> packet-number 10 trace detail

packet-tracer


Packet processing

139BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

Pre-filter rules solves following issues:

• ASA firewall enforce access-control rules on the outer encapsulation headers without looking into payload

• FirePOWER devices match traffic only based on inner payload headers

• Lack of the visibility on all sessions such as tunnels

Pre-filter rules were introduced in 6.1 release and allows following:

• Trust/deny/allow the tunnels based on outer header

• Tag the interesting tunnels and use them to enforce ACP rule for inner sessions inside the tunnel


Packet processing

140BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

Pre-filter Rule Actions

• Analyze: sends traffic for inspection to Snort

• Block: drops the traffic

• Fastpath: allows traffic and bypass further inspection,

process the rule in hardware, offload the traffic

Pre-Filter Policy


Packet processing

141BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

firepower# show flow-offload flow

2 in use, 2 most used, 16% offloaded

TCP intfc 106 src 20.20.20.11:80 dest 172.16.2.14:49191, timestamp 2265924877, packets

191614, bytes 264712022

TCP vlan 208 intfc 107 src 172.16.2.14:49191 dest 20.20.20.11:80, timestamp 2265924879,

packets 26301, bytes 1788781

firepower# show conn address 20.20.20.11 detail long

TCP in2: 172.16.2.14/49191 (172.16.2.14/49191) OUTSIDE: 20.20.20.11/80 (20.20.20.11/80),

flags Uo, idle 12s, uptime 12s, timeout 1h0m, bytes 683253399

Newly added FLAG ‘o’ means that flow was offloaded


Packet processing

142BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

%ASA-6-805001: Offloaded TCP Flow for connection 34892 from in2:172.16.2.14/49193

(172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)

%ASA-6-805001: Offloaded TCP Flow for connection 34892 from OUTSIDE:20.20.20.11/80

(20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)

%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from

in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)

%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from

OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)


Packet processing

143BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

firepower# show access-list | i icmp

access-list CSM_FW_ACL_ line 9 remark rule-id 268441864: L7 RULE: icmp traffic

access-list CSM_FW_ACL_ line 10 advanced permit icmp any any rule-id 268441864 (hitcnt=335)

0xa2dc10fa

root@ftd:/var/sf/detection_engines/ae4faffe-d1b2-11e6-8ea4-817d227fa40c# cat ngfw.rules | grep 268441864

268441864 fastpath any any any any any any any 1 (log dcforward both)

FirePOWER

FMC

ASA

5-TUPLE


Packet processing

144BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

root@firepower:/Volume/home/admin# cd /var/sf/iprep_download/

root@firepower:/var/sf/iprep_download# grep "72.4.119.2\|#" * | tail -n 2

d8eea83e-6167-11e1-a154-589de99bfdf1:#Global-Whitelist

d8eea83e-6167-11e1-a154-589de99bfdf1:72.4.119.2

root@firepower:/var/sf/iprep_download# cat d8eea83e-6167-11e1-a154-589de99bfdf1

#Global-Whitelist

72.163.4.161

• Ability to block dangerous / malicious traffic aka “bad guys”

• SI feed is updated by Cisco TALOS team periodically

• SI whitelist is intentionally processed by rest of the ACP rules


Packet processing

145BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

SSL inspection – policy to control SSL flows

• Decrypt – Resign

• Client <---> FTD (MITM) <---> Server

• Usage: 3rd party servers or Internet resources

• Known key

• FTD imported server’s private key

• Usage: server that you own

Note: In passive deployment you can not use ”Decrypt - Resign” action since it requires re-signing the server certificate.


Packet processing

146BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

• Do not decrypt - pass the encrypted traffic for AC rule evaluation

• Monitor – will just log traffic flow for tracking purposes, traffic will be

still evaluated by rest of the rule set

• Block, Block with reset – prevent encrypted traffic to pass through

• Order of operation:

• SSL rules are processed from top to bottom

• System do not evaluate traffic with bellow rule once the match is found


Packet processing

147BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS


Packet processing

148BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS


Packet processing

149BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

SSL errors on failing decrypt:

-negotiation mode with unsupported

extension

-any miss in the SSL handshake


Packet processing

150BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

> system support ssl-debug debug_policy_all

Parameter debug_policy_all successfully added to

configuration file.

Configuration file contents:

debug_policy_all

You must restart snort before this change will

take affect

This can be done via the CLI command

'pmtool restartbytype DetectionEngine'.

> pmtool restartbytype DetectionEngine

> expert

admin@ftd:/opt/bootcli/cisco/cli/bin$ cd

/ngfw/var/common/


Packet processing

151BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS


Packet processing

152BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

• Order of operation: rules are being processed from top to bottom

• Differentiate ACP rule operations between (AND operand) and within columns (OR operand)

• Adaptive profiling needs to be enabled (in order to determine App ID) – “on by default”

• Identification of App ID occurs usually within 3-5 packets or after SSL handshake


Packet processing

153BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS


Packet processing

154BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

> system support firewall-engine-debug

172.16.1.10-60467 > 20.20.20.10-21 6 AS 1 I 7 no match rule order 3, 'FTP to be

allowed', app s=-1 c=-1 p=-1 m=-1

20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 Starting with minimum 3, 'FTP to be

allowed', and SrcZone first with zones 2 -> 1, geo 0 -> 0, vlan 0, sgt tag:

untagged, svc 165, payload 4002, client 2000000165, misc 0, user 9999997, icmpType

0, icmpCode 0

20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 match rule order 3, 'FTP to be

allowed', action Allow


Packet processing

155BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

firepower# show access-list | include FTP

access-list CSM_FW_ACL_ line 14 remark rule-id 268443650: L7 RULE: FTP to be allowed

firepower# show access-list | i 268443650

access-list CSM_FW_ACL_ line 13 remark rule-id 268443650: ACCESS POLICY: CL-ACP-2017-FINAL - Mandatory/2

access-list CSM_FW_ACL_ line 14 remark rule-id 268443650: L7 RULE: FTP to be allowed

access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268443650 (hitcnt=16) 0xa1d3780e

firepower#

root@ftd:/opt/bootcli/cisco/cli/bin# cat /ngfw/var/sf/detection_engines/ae4faffe-d1b2-11e6-8ea4-

817d227fa40c/ngfw.rules | grep 268443650

268443650 allow any any any any any any any any (log dcforward both) (appid 52:1, 165:1, 166:1, 167:1, 168:1,

250:1, 251:1, 281:1, 291:1, 332:1, 348:1, 349:1, 365:1, 411:1, 420:4, 441:1, 469:1, 862:1, 2606:4, 3126:1,

3131:1, 3380:1, 3562:1, 4002:4, 4003:4, 2000000052:2, 2000000165:2, 2000000166:2, 2000000167:2, 2000000168:2,

2000000250:2, 2000000251:2, 2000000281:2, 2000000291:2, 2000000332:2, 2000000348:2, 2000000349:2, 2000000365:2,

2000000411:2, 2000000441:2, 2000000469:2, 2000000862:2, 2000003126:2, 2000003131:2, 2000003380:2, 2000003562:2)

root@ftd:/opt/bootcli/cisco/cli/bin#


Packet processing

156BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

logging file transfers and pass them though

blocking file transfer

Calculate SHA256, determine and log

disposition, pass file

Same as malware cloud lookup, but blocks

malicious file transfers


Packet processing

> system support firewall-engine-debug

Please specify an IP protocol: tcp

Please specify a server port: 80

172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 New session

172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 Starting with minimum 0, id 0 and SrcZone first with zones 3

-> 2, geo 0(0) -> 0, vlan 0, sgt tag: untagged, svc 676, payload 2655, client 638, misc 0, user 9999997, url

http://install.cisco.com/eicarcom2.zip, xff

172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 no match rule order 2, 'DNS and icmp', DstPort

172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 match rule order 3, 'HTTP traffic and file inspect', action

Allow

172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File policy verdict is Type, Malware, and Capture

172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File malware event for

e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397 named eicarcom2.zip with disposition Malware

and action Block Malware

157BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

http://install.cisco.com/eicarcom2.zip


Packet processing

158BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

“Troubleshooting thoughts”

• Connection inspected by SNORT?

• “show conn” – Flag ‘N’

• Packet captures (capture and capture-traffic) shows incoming traffic on ASA/LINA side, diverted traffic flows are send to the SNORT, but NO outgoing or there are missing packets after SNORT inspection on outside interface?

• Connection events are triggering? -> FMC Connection table view

• Is the right AC rule being evaluated? -> NGFW debugs

• IPS events are not populated? -> Create custom ICMP rule or enable “ICMP echo” rule 1:408to confirm IPS events are generally working


Packet processing

159BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

CUSTOM SNORT ICMP RULE:

alert icmp any any -> any any (sid:1000001; gid:1; icode:0;

itype:8; msg:"icmp echo"; classtype:not-suspicious; rev:1; )

• In IPS policy rule to “Drop and Generate” action

• Interface should be in the “Inline” mode

• IPS policy needs to have “Drop when Inline” option enabled


Packet processing

160BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

firepower# sh cap i packet-number 1 trace


Phase: 4

Type: SNORT

Subtype:

Result: DROP

Config:


Snort Verdict: (black-list) black list this flow

Result:

input-interface: INSIDE

input-status: up

input-line-status: up

Action: drop

Drop-reason: (snort-drop) Snort requested to drop the frame


Packet processing

161BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

firepower# sh cap

capture i type raw-data trace detail interface INSIDE [Capturing - 114 bytes]

match icmp any any

capture o type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]

match icmp any any


Packet processing

162BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

Change Rule State:

Drop and Generate

Special Attention when packets are blocked, but there are no IPS events:

Rules with GID ID 129 DO NOT generate events until

“Stateful Inspection Anomalies” option in TCP Stream preprocessor is enabled!


Packet processing

163BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS


Packet processing

164BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS


Packet processing

165BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

• How ASA and FirePOWER L7 inspections works together?

• ASA – Application Level Gateways ALGs (protocol specific)• Pinhole creation

• NAT rewrite

• Protocol enforcement and fine-grained control

> configure inspect <protocol> enable/disablepolicy-map global_policy

class inspection_default

no inspect <protocol>

service-policy global_policy global

Pushed to NGFW device to disable inspection


Packet processing

166BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

firepower# show service-policy flow tcp host 20.20.20.11 host 172.16.2.100 eq 21

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Match: default-inspection-traffic

Action:

Input flow: inspect ftp

Class-map: class-default

Match: any

Action:

Output flow: Input flow: set connection random-sequence-number disable

set connection advanced-options UM_STATIC_TCP_MAP


Packet processing

167BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

firepower# show service-policy inspect ftp

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: ftp, packet 139, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0

pkts/sec, v6-fail-close 0 sctp-drop-override 0

firepower# sh run policy-map | i ftp

inspect ftp

inspect tftp


Packet processing

Remaining checks are same as on the standalone ASA:

• Determination of NAT IP header – in capture trace phase ‘NAT’ with translated IP addresses details

• Based on the packet processing step “Egress Interface” determination the ‘out’ entries will be nowchecked in ASP routing table

• Using packet capture trace detail option we can see phase “ROUTE-LOOKUP” with the next-hop IP address IP address details

168BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS


Packet processing

169BRKSEC-3455

L3, L2

hops

ASA/LINA

Pre-Filter



L3/L4 ACL

YES

NO

VPN Decrypt


RXIngress

Interface

Existing

Conn

Egress

Interface

DAQ

NAT TXALGchecks

QoS, VPN Encrypt

IPS

IN OUT

> show capture in


2: 15:52:55.250643 20.20.20.33 > 172.16.1.56: icmp: echo reply

> show capture

capture in type raw-data trace interface INSIDE [Capturing - 720 bytes]

match icmp host 172.16.1.56 host 20.20.20.33

> show capture out


2: 15:52:55.250627 20.20.20.33 > 172.16.1.56: icmp: echo reply

> show capture

capture out type raw-data trace interface OUTSIDE [Capturing - 720 bytes]

match icmp host 172.16.1.56 host 20.20.20.33

Conclusion


Take the chance and drive your FTD installation to a success

• Plan your desired hardware based on capabilities and performance

• Plan your desired feature-set and functionality

• Plan your desired operations mode (there are choices)

• Plan a pilot-phase with extra timing for all operational tasks

• Upgrades/Downgrades

• Backup/Restore

• Replacement/RMA

• Practice basic troubleshooting steps

• Have a look at new features and functionality inside a testbed

BRKSEC-3455

We wish you every success operating and troubleshooting your new NG-Firewall

Thank You

Veronika Klauzova

Michael Vassigh


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

173BRKSEC-3455

for BRKSEC-3455

CiscoLive.com/Online

dissecting firepower-ngfw(ftd) & firepower-services...

Documents