Dissecting Firepower-NGFW(FTD) & Firepower-Services “Design & Troubleshooting”
Veronika Klauzova, Firepower TAC-Engineer
Michael Vassigh, CSE Security
BRKSEC-3455
Are we there yet (VIDEO) ?
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Your presenters for this journey
• Michael Vassigh
• CSE Security
• Veronika Klauzova
• Firepower TAC-Engineer
Agenda
• Introduction
• Hardware-Review and troubleshoot
• Installation & Configuration and troubleshoot
• FTD Packet-Flow and troubleshoot
• Conclusion and (no more troubleshoot)
Abstract-Review
• The session will cover both operational and maintenance aspects of all relevant Firepower-NGFW functions from “Installation” to “Operation” to “Troubleshooting” with a focus on interactive demonstration of the detailed topics.
• Upon successful completion of this session, the attendee will be able to:
• describe the FTD system architecture
• describe packet flow processing
• perform installation and configuration of FirePOWER Threat Defense (FTD) and FirePOWER Management Console (FMC)
• verify and troubleshoot traffic flows traversing FTD
For Your Reference
Our goals for the next 120 minutes
• Walk you through an experience of Firepower Threat Defense
• Give you all required insights to configure your device
• Give you all required insights to troubleshoot your device
• Give you enough demos to highlight the relevant details
BRKSEC-3455
You can operate and troubleshoot the NG-Firewall with confidence
Other sessions you hopefully have visited (Cisco Live Berlin)
• Firepower Platform Deep Dive
• ASA Firepower NGFW typical deployment scenarios
• A Deep Dive into using the Firepower Manager
• Firewall Innovation and Transformation - a closer look at ASA and Firepower
• NGFW Clustering Deep Dive
• Protecting the Network with Firepower NGFW
And various others on AMP, DDoS, SSL-Decryption, Snort Rules and more
Topics we will not cover today
• Your current order in CCW
• Your troubles with getting a Smart-Account
• Your current TAC-Service Request
• Firepower 7000/8000 series
• Real-World performance
• Clustering
• Licensing
• CDO Cisco Defense Orchestrator
• Firepower Device Manager
• Advanced Malware Protection details
• Remote-Access
• VPN Site-to-Site
• Full roadmap details
All our material and demos are based on the following
• Firepower 4100 system
• FXOS Version 2.0(1.135)
• Firepower Threat Defense V6.1.0.1 (Released December 2016)
• Firepower Management Center V6.1.0.1 (Released December 2016)
Recent announcements
New Software Versions since January 2017 (subtotal)
• FXOS V2.1(1)
  • Support for ASA V9.7.1
  • Support for FTD V6.2
  • Inter-Chassis clustering FTD V6.2
  • NTP authentication
• FTD V6.2
  • Inter-Chassis clustering on FP4100/9300
  • Packet-Tracer & Capture UI
  • Flex-Config
  • ASA-FTD Migration tool enhanced
  • Integrated Routing & Bridging-Interface support
Hardware & Software Review
Terminology brief (you might find in documentation)
Old term → Cisco official Firepower System terminology
• 3D System → Firesight / Firepower system
• DC (Defense Center), physical and virtual → Firepower Management Center (off-box), physical and virtual
• Managed device / Sensor → Managed device / Sensor
• Firepower Device Manager (on-box)
• ASA with FirePOWER Services module managed by ASDM
Platform naming fundamentals
• Hardware Management: MC750, MC1500, MC3500, MC2000, MC4000
• Virtual Management: Firepower Management Center running on VMware, AWS and KVM
• Physical managed devices: 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350, 8360, 8370, 8390
• Virtual managed devices: NGIPSv
• Physical Firepower Threat Defense devices: ASA 5506-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X and 5555-X, Firepower 9300 security appliance, Firepower 4100 series
• Virtual Firepower Threat Defense devices: Firepower Threat Defense Virtual running on VMware, AWS or on KVM
For Your Reference
What platforms can run FTD Software
Platform | FTD Support
ASA 5500X-Series (5506X-5555X with SSD) | Yes
Firepower 4100 series | Yes
Firepower 9300 series | Yes
Firepower 2100 series | Yes
Virtual options (VMware, KVM, AWS, Azure) | Yes
Cisco ISR 4000/ISR-G2 (UCS-E module) | Yes
What platforms can not run FTD Software
Platform | FTD Support
Series 2 Firepower Appliances | No
Series 3 Firepower Appliances (FP7000/8000) | No
ASA-5580, ASA-5585X-SSPX | No
ASA Service Module | No
Firewall Service Module | No
Microsoft Hyper-V | No
For Your Reference
Platform specific requirements
• All ASA-5500X require SSDs to be installed
  • Beware that only the newer orders are shipped with SSD preinstalled
• ASA-5545/55X require 2 SSDs to be installed
  • Beware that only the newer orders are shipped with SSD preinstalled
• Only Cisco SSDs are supported
• ASA models 5506X/5508X/5516X need ROMMON version 1.1.8 or higher installed
• FP4100 and FP9300 require FXOS 2.0.1 or later
For Your Reference
Firepower 4100 – closer look
(Figure: front and rear views; labels: Power, Console, MGMT, 8 x optic SFP+ ports, 2 x 2.5" SSD Bays, 2 x Power Supply Module Bays, 6 x Hot-Swap Fan units, 2 x optional NetMods)
Firepower 9300 – closer look
(Figure: front and rear views)
For Your Reference
Firepower 4100 vs. 9300
Specification | FP 4100 | FP 9300
Rack space | 1RU | 3RU
Security Modules | Fixed | Modular
Performance | Up to 80Gbps | Up to 240Gbps
Port Speed Support | Up to 40Gb | Up to 100Gb
Positioned | Internet, WAN Edge, Campus, small and medium sized Data Center | Large and massively scalable DC, SP
Similarities:
1.) Both are next generation platforms on Security Service Architecture
2.) Both run FXOS which is used to manage physical and logical entities
For Your Reference
FTD management options
Firepower Management Center
aka “FMC” – off-box manager
FTD management options
Firepower Device Manager
aka “FDM” – on-box manager
HTML5 based WebUI
Supported on ASA 5506/8/12/15/16/25/45/55
FTD Software
• Snort NG-IPS Detection Engine
• ASA/Lina Firewall functions
• First implementation: ASA and Firepower-Services
• Single unified image: ASA/Lina + Firepower/Snort
• All ASA features will be added in future FTD software releases
(Diagram: Firepower/Snort + ASA/LINA → Firepower Threat Defense (FTD) → Future)
Brief Software Refresher
• Firepower Management Center (FMC)
  • Is the Firepower Management Software
  • Runs on Appliance or VM
  • Supports HA mode
  • Provides 1 management option: WEB-UI
• Firepower eXtensible Operating System (FXOS)
  • Operates the Firepower 4100/9300 chassis
  • Provides 3 management options: REST-API, CLI/Shell, WEB-UI (FCM)
• Firepower Threat Defense (FTD)
  • Is the native NGFW code
  • Runs on Appliance or VM
  • Provides 1 management option: WEB-UI
All platforms have CLI/Shell access for setup & diagnostics
Provides CLI/Shell access to platform SW
All platforms have version dependencies
FTD CLI modes
FTD CLI modes
There are three CLIs while dealing with an FTD deployment:
• FXOS CLI
• CLISH
• ASA CLI
Prompts you will see: firepower#, >, Firepower-module1>
Moving between the different CLIs:
• FXOS -> CLISH: connect ftd
• CLISH -> ASA: system support diagnostic-cli
• ASA -> CLISH: CTRL + a, d
• CLISH -> FXOS: exit
Converged FTD CLISH
• Available over SSH on data and management interface/s
• No switching back and forth between FP and ASA sub-modes
BEFORE 6.1:
> system support diagnostic-cli
firepower> enable
firepower# show cpu
Ctrl + a + d
> show cpu
6.1+:
> show cpu system
Linux 3.10.62-ltsi-WR6.0.0.27_standard (ftd.cisco.com) 02/07/17 _x86_64_
Time CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle
14:32:43 all 20.46 0.00 0.19 0.00 0.00 0.00 0.00 0.00 0.00 79.35
> show cpu
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
>
FXOS Breakout
Firepower eXtensible Operating System (FXOS)
• Chassis management, operation and health
• Network interface allocation and connectivity
• Application storage, deployment and provisioning
• NTP for entire chassis
• Clustering setup
Why a brief look at FXOS CLI
• Limited documentation as of FXOS 2.0
• No CLI Command-Reference
• Some elements are only visible in the CLI
• Please ask for TAC-Support before you change undocumented elements
• Stay with the Web-UI for regular operations
Brief Recap Management operations
• The Firepower system is built as a distributed hardware architecture
• Various functions are serviced from different hardware components
• The Supervisor-Engine (or MIO) is the main control-point for all chassis and interface and blade configurations
(Diagram: Console-Port, Mgmt-Port and Data-Port attach to the Supervisor/MIO-Board, the Switch-Fabric and the Security Service-Blade with its Security Service Processor)
• Supervisor configuration navigation via CLI „scope“ command
• Connection to element-OS CLI via „connect“ command
CLI is your friend ?
„If you give us outstanding scores, you will become a beer“
“Beware of „False Friends*“
*a word that is often confused with a word in another language with a different meaning because the two words look or sound similar
Lab-FP4110-A-A(fxos)# show interface mgmt 0
mgmt0 is down (Administratively down)
Hardware: GigabitEthernet, address: ecbd.1d5e.d1df (bia ecbd.1d5e.d1df)
Internet Address is 10.0.0.11/24
Lab-FP4110-A-A(local-mgmt)# show mgmt-port
eth0 Link encap:Ethernet HWaddr EC:BD:1D:5E:D1:DF
inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::eebd:1dff:fe5e:d1df/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Lab-FP4110-A-A(local-mgmt)# ping 10.0.0.1 count 1
PING 10.0.0.1 (10.0.0.1) from 10.0.0.11 eth0: 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.394 ms
FXOS interaction and navigation (CLI)
• Initial console access is mandatory for the setup
• Initial admin password is not set(console)
• Password setup is mandatory on first login
• Strong password is optional
• Setup wizard will guide for minimal IP-Setup for Mgmt-Interface
• Remaining detailed settings via:
  • Console
  • SSH
  • Browser
  • API
For Your Reference
FXOS interaction (CLI): Setup
You have chosen to setup a new Security Appliance. Continue? (y/n): y
Enforce strong password? (y/n) [n]:
Enter the password for "admin":
Confirm the password for "admin":
Enter the system name [Lab-FP4110-A]:
Physical Switch Mgmt0 IP address [10.0.0.11]:
Physical Switch Mgmt0 IPv4 netmask [255.255.255.0]:
IPv4 address of the default gateway [10.0.0.1]:
Configure the DNS Server IP address? (yes/no) [n]:
Configure the default domain name? (yes/no) [n]:
Following configurations will be applied:
Switch Fabric=A
System Name=Lab-FP4110-A
Enforced Strong Password=no
Physical Switch Mgmt0 IP Address=10.0.0.11
Physical Switch Mgmt0 IP Netmask=255.255.255.0
Default Gateway=10.0.0.1
Ipv6 value=0
Apply and save the configuration (select 'no' if you want to re-enter)? (yes/no):
CLI elements and navigation
• Command modes follow a hierarchy
  • EXEC-mode: highest level, default access level on the console, branches to lower levels
  • CLI-Prompt shows the path in the mode hierarchy
• Moving between levels
  • scope <object>: changes mode into an existing object mode
  • exit: leaves the current command mode level
  • top: changes to the highest command mode level
  • connect <component>: connects to the component CLI
Lab-FP4110-A-A# scope chassis 1
Lab-FP4110-A-A /chassis #
CLI elements and objects
• Managed Objects
  • Abstract representation of physical or logical entities
  • Examples are: chassis, security-modules, firmware, licenses and more
  • Within each scope the objects represent the elements and parameters
• Working with objects
  • create <object>: a non-existent object is created and entered for parameters
  • delete <object>: an existing object is deleted
  • enter <object>: a non-existent object is created and entered for parameters
  • scope <object>: an existing object is entered for parameters
For Your Reference
A simple CLI example
LAB-FP4110-A-A# scope security
LAB-FP4110-A-A /security #
LAB-FP4110-A-A /security # create local-user
WORD User Name
LAB-FP4110-A-A /security # create local-user mvassigh
LAB-FP4110-A-A /security/local-user* #
LAB-FP4110-A-A /security/local-user* # set email [email protected]
LAB-FP4110-A-A /security/local-user* # set password
Enter a password: <System Interaction>
Confirm the password: <System Interaction>
LAB-FP4110-A-A /security/local-user* # show configuration pending
+enter local-user mvassigh
+ set account-status active
+ set email [email protected]
+ set firstname ""
+ set lastname ""
+! set password <not shown but set>
+ set phone ""
+exit
LAB-FP4110-A-A /security/local-user* # commit-buffer
LAB-FP4110-A-A /security/local-user # exit
LAB-FP4110-A-A /security # show local-user mvassigh detail
Local User mvassigh:
First Name:
Last Name:
Email: [email protected]
Phone:
Expiration: Never
Password: ****
Account status: Active
User Roles:
Name: read-only
User SSH public key:
For Your Reference
Important „scopes“ for configuration operations(1)
security
• Authentication
• Local-User Accounts
• Radius
• Tacacs
• Trustpoints
• Certificates
system/services
• SSH-Server, SSH-Keys
• HTTPS-Server and ports
• DNS
• NTP
• Configuration import/export
firmware
• Software download
• Monitor download tasks
• Software installation (FXOS packages only !)
eth-uplink/fabric a
• Physical interfaces
• Port-Channel interfaces
Important „scopes“ for configuration operations(2)
fabric-interconnect a
• Local-Management-IP setting
LAB-FP4110-A-A /fabric-interconnect # show
Fabric Interconnect:
ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability
---- --------------- --------------- --------------- ---------------- ---------------- ------ -----------
A 10.0.0.11 10.0.0.1 255.255.255.0 :: :: 64 Operable
LAB-FP4110-A-A /fabric-interconnect # set out-of-band
gw Gw
ip Ip
netmask Netmask
Important „scopes“ for configuration operations(3)
eth-uplink/fabric a
• Physical external interfaces/interface-modules of Firepower chassis
LAB-4110-A-A /eth-uplink/fabric # show interface
Interface:
Port Name Port Type Admin State Oper State State Reason
--------------- ------------------ ----------- ---------------- ------------
Ethernet1/1 Data Disabled Admin Down Administratively down
Ethernet1/2 Data Enabled Up
Ethernet1/3 Data Enabled Up
Ethernet1/4 Data Enabled Up
(truncated)
LAB-4110-A-A /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
48 Port-channel48 Cluster Disabled Admin Down Administratively down
(truncated)
Important „connect” elements(1)
local-management
• Verify Mgmt-Port IP connectivity
• Ping/Traceroute
• Graceful reboot/shutdown
• Disk/File operations
• Packet-Captures
• Configuration erase
Lab-FP4110-A-A(local-mgmt)# show mgmt-port
eth0 Link encap:Ethernet HWaddr EC:BD:1D:5E:D1:DF
inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::eebd:1dff:fe5e:d1df/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
(output truncated)
Lab-FP4110-A-A(local-mgmt)# ping 10.0.0.1 count 1
PING 10.0.0.1 (10.0.0.1) from 10.0.0.11 eth0: 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.394 ms
Lab-FP4110-A-A(local-mgmt)# dir
1 29 Jan 19 15:23:27 2017 blade_debug_plugin
1 19 Jan 19 15:23:27 2017 bladelog
1 16 Jan 19 15:24:11 2017 cores
2 4096 Jan 19 16:27:44 2017 debug_plugin/
1 31 Jan 19 15:24:11 2017 diagnostics
2 4096 Jan 19 15:21:56 2017 lost+found/
1 25 Jan 19 15:23:53 2017 packet-capture
2 4096 Jan 19 15:23:28 2017 techsupport/
Important „connect“ elements(2)
local-management
• Tech-Support file generation
• FPRM:Supervisor/MIO
• Module: SSP modules
• Chassis: chassis, blade, CIMC
Lab-FP4110-A-A(local-mgmt)# show tech-support
chassis Chassis
fprm Firepower Platform Management
module Security Module
Lab-FP4110-A-A(local-mgmt)# show tech-support fprm detail
Initiating tech-support information task on FABRIC A ...
Completed initiating tech-support subsystem tasks (Total: 1)
All tech-support subsystem tasks are completed (Total: 1[received]/1[expected])
The detailed tech-support information is located at
workspace:///techsupport/2017011918273_Lab-FP4110-A_FPRM.tar
• Tech-Support files [detail] output will be archived to disc automatically
• Use of copy operation to move file from system
Lab-FP4110-A-A(local-mgmt)# copy
techsupport/20170119182735_Lab-FP4110-A_FPRM.tar
ftp: Dest File URI
scp: Dest File URI
sftp: Dest File URI
tftp: Dest File URI
usbdrive: Dest File URI
volatile: Dest File URI
workspace: Dest File URI
Password recovery
• Worth a dry run when the hardware hits your desk
Use BREAK, ESC or CTRL+L to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
rommon 5 > dir installables/switch
Directory of: bootflash:\installables\switch
09/01/16 04:37p 35,652,608 fxos-k9-kickstart.5.0.3.N2.4.01.35.SPA
09/01/16 04:37p 250,003,850 fxos-k9-system.5.0.3.N2.4.01.35.SPA
rommon 6 > boot bootflash:/installables/switch/fxos-k9-kickstart.5.0.3.N2.4.01.35.SPA
!! Kickstart Image verified successfully !!
switch(boot)# config terminal
switch(boot)(config)# admin-password erase
Your password and configuration will be erased!
Do you want to continue? (y/n) [n] <Enter y here>
switch(boot)(config)# exit
switch(boot)# load bootflash:/installables/switch/fxos-k9-system.5.0.3.N2.4.01.35.SPA
<wait>
---- Basic System Configuration Dialog ----
You have chosen to setup a new Security Appliance. Continue? (y/n): y
What if you have a corrupt kickstart/system image
• For FXOS 2.0(1)
  • Open a TAC Service request
• For FXOS 2.1(1)
  • You can download them from CCO (since Feb.2017)
A few hardware troubleshoot suggestions „CLI“
• scope chassis <all output truncated>
• show inventory fan/psu
PSU Presence PID Vendor Serial (SN) HW Revision
---------- --------------------------------- ---------- ---------- ----------- -----------
1 Equipped FPR4K-PWR-AC-1100 Cisco Systems, Inc. PST201560AY 0
2 Missing 0
Fan Modules:
Tray 1 Module 1:
Presence: Equipped
ID PID Vendor Serial (SN) HW Revision
---------- ------------ --------------- ----------- -----------
1 FPR4K-FAN Cisco Systems I JAD202808LY 0
2 FPR4K-FAN Cisco Systems I JAD202808LY 0
Lab-FP4110-A-A /chassis # show fault
Severity Code Last Transition Time ID Description
--------- -------- ------------------------ -------- -----------
Warning F0378 2017-01-29T12:55:26.444 42157 Power supply 2 in chassis 1 presence: missing
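The `show fault` output above is easy to read on one chassis and tedious across many. As an added example, not part of the presentation, the following Python parser turns that output into records and filters them by severity, so the same check can run on output collected by other means (how the output is fetched from the chassis is outside this script). The severity ranking follows the UCS-style fault model FXOS uses and is an assumption of this example; the first sample line is the fault shown on the slide, the second one (code F9999 and its text) is constructed for the demonstration.

```python
import re

# Severity names of the UCS-style fault model that FXOS uses, ranked so that
# "at least Major" style filters work. Treating this list as complete is an
# assumption of this example; an unknown severity is ranked lowest, not rejected.
SEVERITY_RANK = {
    "cleared": 0, "info": 1, "condition": 2, "warning": 3,
    "minor": 4, "major": 5, "critical": 6,
}

# One fault per line, in the column order of `show fault` on the slide:
#   Severity  Code  Last Transition Time  ID  Description
FAULT_LINE = re.compile(
    r"^(?P<severity>[A-Za-z]+)\s+"
    r"(?P<code>F\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<id>\d+)\s+"
    r"(?P<description>\S.*?)\s*$"
)

# Constructed sample: the first fault line is the one shown on the slide, the
# second (code F9999, fan module text) is made up for this example.
SAMPLE_SHOW_FAULT = """\
Lab-FP4110-A-A /chassis # show fault
Severity  Code   Last Transition Time     ID     Description
--------- -------- ------------------------ -------- -----------
Warning   F0378  2017-01-29T12:55:26.444  42157  Power supply 2 in chassis 1 presence: missing
Major     F9999  2017-01-29T13:02:11.120  42160  Fan module 1-2 in chassis 1 operability: inoperable
"""


def parse_show_fault(text):
    """Turn `show fault` output into a list of dicts; the prompt, header and
    separator lines do not match the pattern and are skipped."""
    faults = []
    for line in text.splitlines():
        m = FAULT_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["id"] = int(rec["id"])
        rec["rank"] = SEVERITY_RANK.get(rec["severity"].lower(), 0)
        faults.append(rec)
    return faults


def faults_at_least(faults, severity):
    """Faults whose severity is at or above `severity` (case-insensitive)."""
    threshold = SEVERITY_RANK[severity.lower()]
    return [f for f in faults if f["rank"] >= threshold]


def summarize(faults):
    """Fault count per severity, e.g. {'Major': 1, 'Warning': 1}, for an alert subject line."""
    counts = {}
    for f in faults:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_show_fault(SAMPLE_SHOW_FAULT)
    print(summarize(found))
    for f in faults_at_least(found, "major"):
        print(f"{f['severity']} {f['code']} (id {f['id']}): {f['description']}")
```

Run against the slide's output alone, the parser yields the single F0378 warning for the missing power supply 2, which is the same condition `show inventory psu` reports as "Missing" in slot 2.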
A few hardware troubleshoot suggestions „UI“
Selected troubleshoot results from „UI“
Deployment Modes & Interfaces
Why you should care about deployment modes
• There are 2 distinct operative deployment options for FTD Firewall
• Routed-Operations Mode
• Transparent-Operations Mode (also called Bridged-Mode)
• Sub-Deployment options are
  • Cluster-Mode (9300 only, 4100 out with V6.2)
  • HA/Failover-Mode
  • Passive SPAN-Mode
• Changing the „operations“ mode erases your existing configuration
• Note: Changing the mode requires you to re-register to FMC
> configure firewall routed
This will destroy the current interface configurations, are you sure that you
want to proceed? [y/N] y
The firewall mode was changed successfully.
FTD Interface modes comparison
Interface mode | Interface type | FTD mode | Description | Real traffic dropping
Firewall mode | Routed | Routed | Traffic is going through all FTD checks (Security Intelligence, Access Control Policy, Snort, File/AMP policy) | Yes
Firewall mode | Switched | Transparent | Traffic is going through all FTD checks (Security Intelligence, Access Control Policy, Snort, File/AMP policy), but there is no route lookup (only MAC lookup) | Yes
IPS-only mode | Passive | Routed/Transparent | A copy of a packet (SPAN) is going through NGIPS checks | No
IPS-only mode | Passive (ERSPAN) | Routed | A copy of a packet (ERSPAN) is going through NGIPS checks | No
IPS-only mode | IPS-only Inline Set | Routed/Transparent | A packet goes through NGIPS checks | Yes
IPS-only mode | IPS-only Inline Set tap mode | Routed/Transparent | A packet is sent through FTD and a copy of it goes through NGIPS checks | No
FTD Interfaces general(1)
Chassis type: Firepower 4100
Interface | Interface creation | Interface physical operation | Interface IP & operation
Chassis-Manager | FXOS | FXOS | FXOS
FTD-Mgmt | FXOS-Type: Mgmt | FXOS | FTD
FTD-HA | FXOS-Type: Data | FXOS | FTD
FTD-Data | FXOS-Type: Data | FXOS | FTD
FTD-Port-Channel-Data | FXOS-Type: Data | FXOS | FTD
FTD VLAN-SubInterfaces | FTD | FXOS | FTD
FTD Eventing | FXOS-Type: FP-Eventing | FXOS | FTD
FTD Interfaces general(2)
Chassis type: Firepower 4100
Interface | Interface creation | Interface physical operation | Interface operation
Hardware-Bypass* | FXOS | FXOS | FTD for IPS only
NGIPS-Inline-Pair | FXOS-Type: Data | FXOS | FTD
NGIPS-Passive | FXOS-Type: Data | FXOS | FTD
NGIPS-ERSpan | FXOS-Type: Data | FXOS | FTD
For Your Reference
FTD Diagnostic vs. Management Interface
• Since FTD v6.1 there are 2 specialized interfaces on FTD
Aspect | Management Interface | Diagnostic Interface
FTD Operations | Mandatory | Optional
Usage | FTD to FMC communication (sftunnel); SSH/HTTPS access to FTD | LINA Diagnostics; SSH access to ASA CLI; Syslog source for ASA events (can use any data-interface)
Configuration on Firepower 5500-X | configure network ipv4 <x> | FMC UI: Devices > Device Management
Configuration on Firepower 4100/9300 | Configure via FXOS UI/CLI | FMC UI: Devices > Device Management
Access Restrictions | configure ssh access-lists | FMC UI: Device > Platform Settings
Challenges | None | Operational restrictions with other interfaces
FTD Syslog setup (ASA logs)
• Create the Syslog-Server object
• Select the zone to reach the server
Reminder: No need for diagnostic interface IP
FTD Syslog setup (ASA logs cont.)
• Create the Syslog-Server object
• Select your syslog destination
• Enable syslog
FTD syslog troubleshoot
• FTD CLISH
>show running-config logging
logging enable
logging timestamp
logging trap critical
logging host INSIDE 172.16.1.100
>show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level critical, facility 20, 0 messages logged
Logging to INSIDE 172.16.1.100
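The `show running-config logging` lines above can be audited mechanically before anyone looks at the collector. The following Python script is an added example, not part of the presentation: it parses the four lines shown on the slide and reports the conditions that most often explain an empty syslog server. One of them is present in the slide's own configuration: `logging trap critical` forwards only severities 0 to 2, so the level 6 (informational) connection events never leave the box, which is consistent with the "0 messages logged" counter in `show logging`. The severity table is the standard ASA one; the parsed field names are this example's own.

```python
import re

# ASA syslog severities; the list index is the numeric level (0 = emergencies, 7 = debugging).
ASA_LEVELS = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

TRAP_RE = re.compile(r"^logging trap (\S+)$")
HOST_RE = re.compile(r"^logging host (\S+) (\S+)(?:\s+(.*))?$")

# The four lines shown on the slide under `show running-config logging`.
SLIDE_CONFIG = """\
logging enable
logging timestamp
logging trap critical
logging host INSIDE 172.16.1.100
"""


def parse_logging_config(running_config):
    """Pick out the fields that decide whether syslog reaches a collector."""
    cfg = {"enabled": False, "timestamp": False, "trap_level": None, "hosts": []}
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "logging enable":
            cfg["enabled"] = True
        elif line == "logging timestamp":
            cfg["timestamp"] = True
        elif (m := TRAP_RE.match(line)):
            cfg["trap_level"] = m.group(1)
        elif (m := HOST_RE.match(line)):
            cfg["hosts"].append({"interface": m.group(1), "address": m.group(2),
                                 "options": m.group(3) or ""})
    return cfg


def level_number(level):
    """`logging trap` accepts the level either as a name or as a digit 0-7."""
    return int(level) if level.isdigit() else ASA_LEVELS.index(level.lower())


def audit_syslog(cfg):
    """Findings that explain an empty collector; an empty list means forwarding should work."""
    findings = []
    if not cfg["enabled"]:
        findings.append("'logging enable' is missing: no syslog messages are generated")
    if not cfg["hosts"]:
        findings.append("no 'logging host': there is no collector to send to")
    if cfg["trap_level"] is None:
        findings.append("no 'logging trap <level>': trap logging stays disabled")
    else:
        lvl = level_number(cfg["trap_level"])
        if lvl < 6:
            findings.append(
                f"'logging trap {cfg['trap_level']}' forwards severities 0-{lvl} only; "
                "connection events are level 6 (informational) and will not reach the collector")
    if not cfg["timestamp"]:
        findings.append("'logging timestamp' is missing: messages carry no device timestamp")
    return findings


if __name__ == "__main__":
    parsed = parse_logging_config(SLIDE_CONFIG)
    for finding in audit_syslog(parsed) or ["no issues found"]:
        print(finding)
```

Raising the trap level to `informational` (or `6`) clears the only finding for the slide's configuration; whether that volume is wanted on the collector is a separate sizing decision.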
Licensing (Really ?)
Classic vs. Smart Licensing
• Classic Licensing
  • Manual PAK registration needed for each device to unlock license key
  • Limited view – customers do not know what they own
  • Licenses tied to License-Key / only one device
• Smart Licensing
  • Enterprise wide / complete visibility (software, licenses, devices in one portal)
  • License token not tied to License-Key – flexible licensing across all devices
  • Smart account is mandatory
  • User access control
Smart Licensing prerequisites
• FMC can reach Cisco Smart Licensing Cloud Server via hostname – verify DNS settings
• Ensure that NTP daemon is running on the FMC
• User needs to have an account with CCSM (Cisco Smart Software Manager)
https://software.cisco.com
Apply Smart Licenses
1. Obtain product instance registration token from CSSM (Cisco Smart Software Manager)
2. Register Unified Manager to CSSM
3. Register NGFW/FTD devices to Unified Manager
4. Apply/Remove Smart License
Firepower Management Center (quick look)
Smart Licensing
• Firepower Threat Defense uses ONLY Smart Licensing. Other products (Firepower 7000/8000 series appliances or Firepower Services modules) still use Classic Licensing.
• Controlled through FMC, restricting what features can be configured per device. Without license FMC cannot deploy policy or receive events.
• Existing ASA classic licensing is not used.
• Evaluation mode is possible using the built-in 90-day evaluation period. It has a start and end date; renewal is required for continued entitlement.
• Purchased licenses are added to the Smart Account automatically.
• Equivalent licenses must be purchased for HA devices.
Smart Licensing
License feature | Description | License type
Base | NGFW (Firewall and AVC) | Perpetual
Threat Protection | IPS policies, Security Intelligence, DNS policies | Term
Malware | Advanced Malware Protection and Threat Grid | Term
URL Filtering | Category and web reputation filtering | Term
Firepower Management Center | Management license for host/user count | Perpetual
Troubleshooting scenario
KSEC-FPR4100-4-A# show license all
Smart Licensing is ENABLED
Registration:
Status: UNREGISTERED - REGISTRATION FAILED
Export-Controlled Functionality: Not Allowed
Initial Registration: FAILED on Jan 11 12:24:30 2017 UTC
Failure reason: Failed to authenticate server
KSEC-FPR4100-4-A /security # show trustpoint
KSEC-FPR4100-4-A /security #
Trustpoint is EMPTY!
KSEC-FPR4100-4-A# scope security
KSEC-FPR4100-4-A /security # create trustpoint CHdefault
KSEC-FPR4100-4-A /security/trustpoint* # set certchain
Enter lines one at a time. Enter ENDOFBUF to finish.
Press ^C to abort.
Trustpoint Certificate Chain:
>MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
>yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
>ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
>U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
>ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
>aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
>MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
>ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
>biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
>U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
>aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
>nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
>t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
>SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
>BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
>rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
>NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
>BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
(truncated)
>ENDOFBUF
KSEC-FPR4100-4-A /security/trustpoint* # commit-buffer
Important note: copy the whole certificate from BEGIN to END, otherwise the commit-buffer will fail with the following reason:
Error: Update failed: [failed to verify certificate chain, error: Failed to split certificate chain]
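The "Failed to split certificate chain" error above is raised after the paste, when the buffer is committed. As an added example, not part of the presentation, the following Python check looks at a PEM chain before it is typed into `set certchain`: it requires balanced BEGIN/END markers, decodes each body as base64, and compares the length the outer DER SEQUENCE declares with the number of bytes actually present, which catches a chain that was cut off while copying. The sample inputs are constructed: `GOOD_CHAIN` wraps a minimal DER structure rather than a real certificate, `TRUNCATED_CHAIN` reuses the first two base64 lines shown on the slide, and `NO_MARKERS` is a body pasted without its header and footer lines.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

# Constructed stand-in for a complete PEM block: the body decodes to a minimal
# DER SEQUENCE (SEQUENCE { INTEGER 1 }), not to a real certificate, which is
# enough to exercise the structural checks below.
GOOD_CHAIN = f"{BEGIN}\nMAMCAQE=\n{END}\n"

# The first two base64 lines of the chain pasted on the slide, wrapped in
# markers: the outer SEQUENCE declares 1239 bytes, far more than arrive.
TRUNCATED_CHAIN = (
    f"{BEGIN}\n"
    "MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB\n"
    "yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\n"
    f"{END}\n"
)

# A body pasted without its BEGIN/END lines, the mistake the slide warns about.
NO_MARKERS = "MAMCAQE=\n"


def _der_declared_length(der):
    """Header plus content length that the outer DER SEQUENCE claims to have."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def validate_chain(pem_text):
    """Return {'certificates': <complete blocks>, 'problems': [<messages>]}.
    An empty problem list means every block is complete and well-formed."""
    problems = []
    begins, ends = pem_text.count(BEGIN), pem_text.count(END)
    if begins == 0:
        problems.append("no BEGIN CERTIFICATE marker: paste the PEM including its header and footer lines")
    if begins != ends:
        problems.append(f"unbalanced markers: {begins} BEGIN vs {ends} END lines")
    complete = 0
    for idx, m in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        body = "".join(m.group(1).split())      # drop line breaks and indentation
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            problems.append(f"certificate {idx}: body is not valid base64")
            continue
        try:
            declared = _der_declared_length(der)
        except ValueError as exc:
            problems.append(f"certificate {idx}: {exc}")
            continue
        if declared != len(der):
            problems.append(
                f"certificate {idx}: DER declares {declared} bytes but {len(der)} were pasted (truncated or corrupt)")
            continue
        complete += 1
    return {"certificates": complete, "problems": problems}


if __name__ == "__main__":
    for name, text in [("good", GOOD_CHAIN), ("truncated", TRUNCATED_CHAIN), ("no markers", NO_MARKERS)]:
        print(name, validate_chain(text))
```

The check is deliberately structural: it does not verify signatures or that the chain actually leads to the issuer the Smart Licensing server presents, only that what is about to be pasted is the complete PEM the slide asks for.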
Biggest case creator for „Smart-Licensing“ will be solved
• Firepower Management Center bypassing proxy-configuration for Smart-Licensing
• Bug was present in V6.0, 6.01, 6.1, 6.1.0.1
• Bug has been verified to be fixed in V6.2 on a fresh install
• Bugfix will be available in V6.1.0.2 (latest maintenance release from 8.Feb.2017 )
• We are expecting confirmation from many of you
Installation and Configuration
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Brief installation steps on Firepower 4100 series
69Presentation ID
• Upgrade the supervisor (FXOS) software bundle
• Configure FTD Management and Data Interfaces
• Install the FTD application image
• Provision FTD Settings (mode, IP settings, FMC info)
• Add FTD to Firepower Management Center
Upgrade the supervisor (FXOS) software bundle
Configure FTD Data & Management Interfaces
Adding interfaces for application module
Four things to remember on interfaces
• The Mgmt-Interface is created but will not be selectable later. The assignment happens automatically for the logical device
• The Event-Monitoring interface is optional and was newly introduced in V6.x, to allow separation of events and diagnostics versus configuration traffic for FMC-Appliance and Firepower-Devices (FP4100/FP9300/FP8000)
• Port-Channel Interfaces are configured but forced into „suspend“-mode
• VLAN-Sub-Interfaces are created on the logical device only
Interface-Special Port-Channel
• This is the intended behavior
FTD installation on 4100 (1)
FTD installation on 4100 (2)
FTD installation on 4100 (working hard)
FTD installation on 4100 (working harder)
FTD Installation „Local Console“ monitoring
Lab-FP4110-A-A /ssa/slot # connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
CISCO Serial Over LAN:
Close Network Connection to Exit [ OK ]
Executing S47install_default_sandbox_EO.pl [ OK ]
Executing S50install-remediation-modules [ OK ]
Executing S51install_health_policy.pl [ OK ]
Executing S52install_system_policy.pl [ OK ]
Executing S53change_reconciliation_baseline.pl [ OK ]
Executing S70remove_casuser.pl [ OK ]
Executing S70update_sensor_objects.sh [ OK ]
Executing S85patch_history-init [ OK ]
Executing S90banner-init [ OK ]
Executing S96grow_var.sh [ OK ]
Executing S96install_vmware_tools.pl [ OK ]
(output truncated)
FTD installation on 4100 (finished)
A quick few things to check via CLI
LAB-4110-A-A /ssa/logical-device # show expand | begin IP
IP v4:
Slot ID Management Sub Type IP Address Netmask Gateway Last Updated Timestamp
---------- ------------------- --------------- --------------- --------------- ----------------------
1 Firepower 10.0.0.12 255.255.255.0 10.0.0.1 2017-01-23T19:10:28.260
Bootstrap Key:
Key Value Last Updated Timestamp
---------- ---------- ----------------------
DNS_SERVERS (truncated)
128.107.212.175
FIREPOWER_MANAGER_IP
10.0.0.50
FIREWALL_MODE
routed
FQDN ftd1.example.com
A quick few things to verify via CLI
LAB-4110-A-A /eth-uplink/fabric # show port-channel expand
Port Channel:
Port Channel Id: 10
Name: Port-channel10
Port Type: Data
Admin State: Enabled
Oper State: Up
State Reason:
Member Port:
Port Name Membership Oper State State Reason
--------------- ------------------ ---------------- ------------
Ethernet1/4 Up Up
Port Channel Id: 11
Name: Port-channel11
Port Type: Data
Admin State: Enabled
Oper State: Up
State Reason:
Member Port:
Port Name Membership Oper State State Reason
--------------- ------------------ ---------------- ------------
Ethernet1/2 Up Up
Time for some connectivity checks
Time for some connectivity checks (???)
Experts use CLI (1)
Lab-FP4110-A-A# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.
CISCO Serial Over LAN:
Close Network Connection to Exit
Firepower-module1>connect ftd
Connecting to ftd console... enter exit to return to bootCLI
> ping 10.0.0.1    (our default gateway?)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
No route to host 10.0.0.1
Success rate is 0 percent (0/1)
Experts use CLI (2)
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B – BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V – VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 169.254.1.0 255.255.255.252 is directly connected, nlp_int_tap
L 169.254.1.1 255.255.255.255 is directly connected, nlp_int_tap
> show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Current IP Addresses:
Interface Name IP address Subnet mask Method
Experts use CLI (3)
> show interface
Interface Port-channel10 "", is administratively down, line protocol is up
Hardware is EtherSVI, BW 10000 Mbps, DLY 1000 usec
Available but not configured via nameif
Interface Port-channel11 "", is administratively down, line protocol is up
Hardware is EtherSVI, BW 10000 Mbps, DLY 1000 usec
Available but not configured via nameif
Interface Ethernet1/3 "diagnostic", is up, line protocol is up
Hardware is EtherSVI, BW 10000 Mbps, DLY 1000 usec
MAC address ecbd.1d5e.d20e, MTU 1500
IP address unassigned
A real expert?
„Experts, beware of False Friends“
> show network
===============[ System Information ]===============
Hostname : ftd1.example.com
DNS Servers : 128.107.212.175
Management port : 8305
IPv4 Default route
Gateway : 10.0.0.1
==================[ management0 ]===================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 9000
MAC Address : EC:BD:1D:5E:D1:FF
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 10.0.0.12
Netmask : 255.255.255.0
Broadcast : 10.0.0.255
> ping
tcp Test connection over TCP
system Test connectivity from the FTD management interface
interface interface
Hostname hostname or A.B.C.D or X:X:X:X::X
> ping system 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=0.366 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=0.357 ms
> traceroute
system Find route to remote network through FTD management interface
Backup and Restore
Lab-FP4110-A-A /system # show import-config detail
Import Configuration Task:
Hostname: local
Remote File: config--2017-01-24T10:19:40.384177.xml
User:
Protocol: Http
Admin State: Disabled
Status: Succeeded
Description:
Port: Default
Current Task:
Backup and Restore (really ?)
Lab-FP4110-A-A /ssa # show logical-device detail
Logical Device:
Name: ftd1
Description:
Slot ID: 1
Mode: Standalone
Operational State: Incomplete Configuration
Template Name: ftd
Error Msg: End User License Agreement not accepted for apps: ftd.6.1.0.330
Switch Configuration Status: Ok
Backup and Restore Guidelines
• Bootstrap supervisor module IP settings
• Register Smart-Licensing
• Platform hardware and software versions must match
• The same network modules must be installed
• The Application-Software packages must be installed
• The Logical-Device EULA must be accepted (at the latest after the restore)
High Availability FTD Device
FTD HA-Configuration (1)
FTD HA-Configuration (2)
• You can share an interface for HA and State
• You cannot (!) use a VLAN-Subinterface
• Beware: the HA-Configuration starts immediately, there is no Deploy-Phase
Basic Failover-Configuration verification on CLI
> show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 11:31:59 CET Feb 14 2017
====Configuration State===
====Communication State===
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (truncated)
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Exclamation marks are your friend
Basic Failover-Configuration verification on CLI
> show failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Standby Ready Comm Failure 11:31:59 CET Feb 14 2017
====Configuration State===
Sync Done
====Communication State===
Mac set
Don't panic! Think in columns.
Failover Troubleshooting on FMC-UI
Verify counters
Breaking Failover is safe
• It maintains full operation on the Active-Unit
• The Standby-Unit loses its failover and interface configurations
> show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel10.1 Outside 10.40.0.1 255.255.255.0 manual
Port-channel10.2 Inside 10.41.0.1 255.255.255.0 manual
Port-channel11 FOVER 172.16.1.1 255.255.255.0 unset
Current IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel11 FOVER 172.16.1.2 255.255.255.0 unset
> INFO: Security level for "Inside" set to 0 by default.
INFO: Security level for "Outside" set to 0 by default.
INFO: Security level for "diagnostic" set to 0 by default.
INFO: This unit is currently in standby state. By disabling failover, this unit will
remain in standby state.
Verification on StandBy-unit
> show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Current IP Addresses:
Interface Name IP address Subnet mask Method
FTD HA information not synchronized (partial list)
• Sessions inside plaintext tunnels
  • GRE, IPinIP encapsulated traffic
• TLS Decrypted sessions
  • Decrypt/Resign: Blocked with Reset
  • Known-Keys: Blocked with Reset
• DHCP-Server
• Multicast-Routing
• Management-Connections to FTD-Device
  • HTTPS/SSH
Failover Troubleshooting CLI (need TAC for debugs)
> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> en
Password:
firepower# debug fover ?
cable Failover LAN status
cmd-exec Failover EXEC command execution
fail Failover internal exception
fmsg Failover message
ifc Network interface status trace
open Failover device open
rx Failover Message receive
rxdmp Failover recv message dump (serial console only)
rxip IP network failover packet recv
snort Failover NGFW mode snort processing
switch Failover Switching status
sync Failover config/command replication
tx Failover Message xmit
txdmp Failover xmit message dump (serial console only)
txip IP network failover packet xmit
verify Failover message verify
Failover Troubleshooting CLI (examples)
> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> en
Password:
firepower# debug fover ifc
fover event trace on
firepower# fover_health_monitoring_thread: ifc_check() group: 0, - time = 8492170
fover_health_monitoring_thread: ifc_check() group: 0, - time = 8494670
fover_health_monitoring_thread: ifc_check() group: 0, - time = 8497170
firepower# debug fover rx
fover event trace on
firepower# fover_ip: HA TRANS: receive message for client Failover Control Module, length
32
fover_rx: rx msg: cmd 0x1, seqNum 0x43d0
fover_ip: HA TRANS: receive message for client Failover Control Module, length 32
fover_rx: rx msg: cmd 0x1, seqNum 0x43d1
lu_rx: HA TRANS: receive message for client Legacy LU support, length 52
High-Availability Update Demo
Ready to go: our first configuration demo
A quick look at Prefilter Policies versus AC-Policies
Advanced troubleshoot option Packet-Tracer
packet-tracer input Inside tcp 10.41.0.10 1023 10.40.0.10 22 (for your reference)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ remark rule-id 268435458: RULE: MV-ICMP-Prefilter
Additional Information:
Troubleshoot on FTD-CLI
> show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list CSM_FW_ACL_; 8 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268435458: RULE: MV-ICMP-Prefilter
access-list CSM_FW_ACL_ line 3 advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start (hitcnt=2) 0x60b01ea9
access-list CSM_FW_ACL_ line 4 remark rule-id 268435457: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268435457: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268435457 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268435457 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268435457 (hitcnt=0) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435457 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 10 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435457 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 11 remark rule-id 268435456: ACCESS POLICY: MV-Base - Mandatory/1
access-list CSM_FW_ACL_ line 12 remark rule-id 268435456: L7 RULE: MV-Monitor-Connections
access-list CSM_FW_ACL_ line 13 advanced permit ip ifc Inside any ifc Outside any rule-id 268435456 (hitcnt=12) 0x91a99859
access-list CSM_FW_ACL_ line 14 remark rule-id 268434432: ACCESS POLICY: MV-Base - Default/1
access-list CSM_FW_ACL_ line 15 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268434432 event-log flow-start (hitcnt=3) 0x97aa021a
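A small parser for the show access-list output above, added here as an illustration and not part of the Cisco Live deck: it groups the CSM_FW_ACL_ entries by rule-id, attaches the policy and rule names from the remark lines with the same rule-id, and sums the hit counts per FMC rule. The sample text is constructed from the values on this slide.

```python
"""Parse FTD 'show access-list' output for the FMC-generated CSM_FW_ACL_.

FMC compiles every Prefilter and Access Control rule into one or more
ACEs that share a rule-id; the remark lines with the same rule-id carry
the policy name and the rule name. Grouping by rule-id therefore maps
each ASA/LINA hit count back to the rule you see in the FMC UI.
SAMPLE is constructed from the values shown on the slide.
"""
import re
from collections import OrderedDict

SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list CSM_FW_ACL_; 8 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 268435458: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268435458: RULE: MV-ICMP-Prefilter
access-list CSM_FW_ACL_ line 3 advanced deny tcp any any eq ssh rule-id 268435458 event-log flow-start (hitcnt=2) 0x60b01ea9
access-list CSM_FW_ACL_ line 4 remark rule-id 268435457: PREFILTER POLICY: MV-Prefilter-Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268435457: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268435457 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268435457 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268435457 (hitcnt=0) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435457 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 10 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435457 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 11 remark rule-id 268435456: ACCESS POLICY: MV-Base - Mandatory/1
access-list CSM_FW_ACL_ line 12 remark rule-id 268435456: L7 RULE: MV-Monitor-Connections
access-list CSM_FW_ACL_ line 13 advanced permit ip ifc Inside any ifc Outside any rule-id 268435456 (hitcnt=12) 0x91a99859
access-list CSM_FW_ACL_ line 14 remark rule-id 268434432: ACCESS POLICY: MV-Base - Default/1
access-list CSM_FW_ACL_ line 15 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268434432 event-log flow-start (hitcnt=3) 0x97aa021a
"""

# Remark lines: "rule-id N: PREFILTER POLICY: name", "ACCESS POLICY: name", "RULE: name", "L4/L7 RULE: name"
REMARK_RE = re.compile(
    r"^access-list \S+ line \d+ remark rule-id (?P<rid>\d+): "
    r"(?P<kind>PREFILTER POLICY|ACCESS POLICY|(?:L\d )?RULE): (?P<text>.*)$")
# ACE lines: the match criteria sit between the action and "rule-id"; hitcnt follows the options
ACE_RE = re.compile(
    r"^access-list \S+ line \d+ advanced (?P<action>permit|deny) (?P<match>.*?) "
    r"rule-id (?P<rid>\d+).*?\(hitcnt=(?P<hits>\d+)\)")


def _new_entry():
    return {"policy": None, "rule": None, "aces": []}


def parse_access_list(text):
    """Map rule-id -> {policy, rule, aces: [(action, match, hitcnt)]} in ACL order."""
    rules = OrderedDict()
    for line in text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            entry = rules.setdefault(m["rid"], _new_entry())
            if m["kind"].endswith("POLICY"):
                entry["policy"] = f'{m["kind"]}: {m["text"]}'
            else:  # "RULE", "L4 RULE" or "L7 RULE" remark names the rule itself
                entry["rule"] = m["text"]
            continue
        m = ACE_RE.match(line)
        if m:
            entry = rules.setdefault(m["rid"], _new_entry())
            entry["aces"].append((m["action"], m["match"], int(m["hits"])))
    return rules


def declared_elements(text):
    """Element count from the ACL header, to cross-check the number of parsed ACEs."""
    m = re.search(r"^access-list \S+; (\d+) elements;", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def rule_hits(rules):
    """Total hit count per FMC rule name (sum over all ACEs compiled from that rule)."""
    return OrderedDict(
        (e["rule"], sum(hits for _, _, hits in e["aces"])) for e in rules.values())


def report(text):
    rules = parse_access_list(text)
    parsed = sum(len(e["aces"]) for e in rules.values())
    lines = [f"{parsed} ACEs parsed, {declared_elements(text)} declared"]
    for rid, e in rules.items():
        hits = sum(h for _, _, h in e["aces"])
        lines.append(f"rule-id {rid}: {e['policy']} / {e['rule']}: "
                     f"{len(e['aces'])} ACE(s), {hits} hit(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```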
ASA to FTD Migration
• Required steps
  • Meet the minimum requirements
  • Export your ASA config to a txt/cfg file
  • Start a fresh FMCv instance on VMware matching your target FMC version
  • Run the „migration tool“ inside the FMCv root shell
  • Import the ASA configuration file
  • Download the converted „.sfo“-File
  • Import the converted configuration into your real FMC
• Troubleshoot
  • Check the migration report first
  • FMC UI > Generate troubleshoot and contact TAC
ASA to FTD Migration Demo
FTD Troubleshooting tools
Process Management
Show the status of all processes:
# pmtool status
Disable a process by its ID (here the data correlator):
# sudo pmtool disablebyid SFDataCorrelator
You should see that the process is in "User Disabled" state:
# pmtool status | grep SFDataCorrelator
Enable it again:
# sudo pmtool enablebyid SFDataCorrelator
Verify that the process is running and make sure that the process ID reported by 'pmtool' matches the one shown by 'ps':
# sudo pmtool status | grep SFDataCorrelator
# ps aux | grep <PID>
Restart all detection engine / Snort instances:
# pmtool restartbytype snort
Important note: restartbyid for Snort would cause only one instance to be restarted.
Follow the system log while processes restart:
# tail -f /var/log/messages
pmtool sub-commands as listed by the CLI:
> pmtool
disablebyid     pmtool disablebyid
disablebytype   pmtool disablebytype
enablebyid      pmtool enablebyid
enablebytype    pmtool enablebytype
restartbyid     pmtool restartbyid
restartbytype   pmtool restartbytype
status          pmtool status
Functionality Of Some FTD Processes
• snort: inspects network traffic (pass, block and alert)
• sftunnel: secure tunnel between the managed device and FMC
• ids_event_processor: sends intrusion events to the managing device (FMC)
• diskmanager, Pruner: manage disk space and clean up old files
• ids_event_alerter: sends intrusion events to a Syslog or SNMP server
• ntpd: responsible for time synchronization
• wdt-util: used for fail-to-wire / hardware bypass
• snmpd: SNMP monitoring
• SFDataCorrelator: processing events
• pm (process manager): responsible for launching and monitoring all FTD-relevant processes and restarting them in case of failure
Troubleshooting File
Generate the troubleshooting file over CLISH and the root CLI:
> system generate-troubleshoot all
# /usr/local/sf/bin/sf_troubleshoot.pl ALL
Storage of troubleshooting files:
Firepower: /var/common/ vs. FTD: /ngfw/var/common/
/ngfw/var/common/results-01-19-2017--214641.tar.gz
What data does the troubleshooting file include? -> /etc/sf/troubleshoot.conf
Layout of the troubleshooting file: command-outputs, file-contents, dir-archives
Key to remember: troubleshooting files can't always tell you & TAC everything!
FTD V6.1 Troubleshooting Enhancements
• File download tool
• Threat Defense CLI tools
  • packet-tracer
  • show
  • ping
  • traceroute
Those commands will be executed in privileged mode.
Supported on all FTD devices, both physical and virtual.
FXOS Capture: Quick option (1)
• Apply a reasonable Traffic-Filter
• Focus just on physical Ingress-Egress port
FXOS Capture: Quick option (2)
• Download your capture and filter in Wireshark
ASA/LINA Packet Capture - The Wires Never Lie!
firepower# cap in interface INSIDE match icmp any any trace detail
firepower# cap out interface OUTSIDE match icmp any any trace detail
firepower# cap asp type asp-drop all buffer 33554432
firepower# sh cap
capture in type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
match icmp any any
capture out type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]
match icmp any any
capture asp type asp-drop all buffer 33554432 [Capturing - 114 bytes]
firepower# sh cap in packet-number 1 trace
1: 09:09:18.644467 172.16.1.17 > 20.20.20.100: icmp: echo request
Type: SNORT
Subtype:
Result: DROP
Snort Verdict: (black-list) black list this flow
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
FP/Snort Capture - The Wires Never Lie! (1)
> capture-traffic
Please choose domain to capture traffic from:
0 - management0
1 - Router
Selection? 1
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: icmp
23:07:21.619642 IP 172.16.1.17 > 20.20.20.100: ICMP echo request, id 24538, seq 1, length 64
FP/Snort Capture - The Wires Never Lie! (2)
> capture-traffic
Options: -v -n -e (icmp and host 172.16.2.11) or (vlan and icmp and host 172.16.2.11)
12:02:43.949535 00:50:56:b6:0b:33 > 58:97:bd:b9:73:ee, ethertype 802.1Q (0x8100), length 78: vlan 208, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 5366, offset 0, flags [none], proto ICMP (1), length 60)
firepower# sh cap inside
1: 12:09:56.732841 802.1Q vlan#208 P0 172.16.2.11 > 20.20.20.11: icmp: echo request
2: 12:09:56.733696 802.1Q vlan#208 P0 20.20.20.11 > 172.16.2.11: icmp: echo reply
firepower# sh cap outside
1: 12:09:56.733162 172.16.2.11 > 20.20.20.11: icmp: echo request
2: 12:09:56.733680 20.20.20.11 > 172.16.2.11: icmp: echo reply
Correct Access Control Rule Being Evaluated?
> system support firewall-engine-debug
Please specify an IP protocol: icmp
Please specify a client IP address: 172.16.1.17
Please specify a server IP address: 20.20.20.100
Monitoring firewall engine debug messages
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 New session
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 using HW or preset rule order 2, 'allow and inspect', action Allow and prefilter rule 0
172.16.1.17-8 > 20.20.20.100-0 1 AS 1 I 44 allow action
• A tool that provides the Access Control Rule evaluation status for each flow as packets are received in real time.
• The NGFW debug needs at least one filtering condition specified.
Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 10
Variable Set : Default-Set
... (output omitted) ...
# watch '/usr/local/sf/bin/sfcli.pl show firewall | grep "ciscolive\| Rule\:\|Rule Hits"'
===================[ ciscolive ]====================
Rule Hits : 10
------------------[ Rule: allow ]-------------------
Rule Hits : 14
------------------[ Rule: block ]-------------------
Rule Hits : 0
Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 16
Variable Set : Default-Set
... (output omitted) ...
# watch '/usr/local/sf/bin/sfcli.pl show firewall | grep "ciscolive\| Rule\:\|Rule Hits"'
===================[ ciscolive ]====================
Rule Hits : 16
------------------[ Rule: allow ]-------------------
Rule Hits : 14
------------------[ Rule: block ]-------------------
Rule Hits : 0
Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================
Description :
Default Action : Allow
Default Policy : Balanced Security and Connectivity
Logging Configuration
DC : Disabled
Beginning : Disabled
End : Disabled
Rule Hits : 22
Variable Set : Default-Set
... (output omitted) ...
# watch '/usr/local/sf/bin/sfcli.pl show firewall | grep "ciscolive\| Rule\:\|Rule Hits"'
===================[ ciscolive ]====================
Rule Hits : 22
------------------[ Rule: allow ]-------------------
Rule Hits : 14
------------------[ Rule: block ]-------------------
Rule Hits : 0
Access Control Policy Rule Hit Counters - GUI
Your “custom” connections event view in FMC:
1. Analysis -> Custom -> Custom Workflows -> Create Custom Workflow and use Table “Connection Events”
2. Add a page and fill in fields like: “Access Control Policy”, “Access Control Rule”, “Count”, “Initiator IP”, “Responder IP”
3. Add a Table view
Access Control Policy Rule Hit Counters - GUI
FTD NGFW debugs:
172.16.2.25-8 > 20.20.20.11-0 1 AS 1 I 47 using HW or preset rule order 3, 'DNS and icmp', action Trust and prefilter rule 0
FMC GUI:
Analysis -> Connection Events -> “switch workflows” and select your newly created workflow “ACP rule hitcounters”
> show access-control-config
==== [ CL-ACP-2017-FINAL ]===
…(output omitted)
------[ Rule: DNS and icmp ]------
Action : Allow
Destination Ports : protocol 6, port 53
protocol 17, port 53
protocol 1
protocol 6, port 80
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Enabled
Rule Hits : 28
Variable Set : Default-Set
… (output omitted)
Why do the hit counters not match?
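To follow the 'watch' loop shown on the hit-counter slides programmatically, here is an added helper (not from the deck): it parses show access-control-config / sfcli.pl show firewall output, extracts the policy-level and per-rule Rule Hits, and reports how many policy-level hits the listed rules do not account for. The sample output is constructed in the slides' format with the slides' counter values (10, 16 and 22 policy hits against 14 and 0 rule hits).

```python
"""Extract Rule Hits from FTD 'show access-control-config' output.

The policy header and every '[ Rule: ... ]' section print their own
'Rule Hits' line. Comparing the policy-level counter with the sum of the
per-rule counters shows how many hits the listed rules do not account
for, which is the discrepancy raised on the slide. SAMPLE_TEMPLATE is
constructed in the format of the slides; make_sample() fills in the
counter values (not a real device capture).
"""
import re

SAMPLE_TEMPLATE = """\
===================[ ciscolive ]====================
Description            :
Default Action         : Allow
Default Policy         : Balanced Security and Connectivity
Logging Configuration
    DC                 : Disabled
    Beginning          : Disabled
    End                : Disabled
Rule Hits              : {p}
Variable Set           : Default-Set
------------------[ Rule: allow ]-------------------
  Action               : Allow
  Rule Hits            : {a}
------------------[ Rule: block ]-------------------
  Action               : Block
  Rule Hits            : {b}
"""

POLICY_RE = re.compile(r"^=+\s*\[ (?P<name>.+?) \]\s*=+$")     # policy header banner
RULE_RE = re.compile(r"^-+\s*\[ Rule: (?P<name>.+?) \]\s*-+$")  # per-rule banner
HITS_RE = re.compile(r"^\s*Rule Hits\s*:\s*(?P<hits>\d+)\s*$")


def make_sample(policy_hits, allow_hits, block_hits):
    """Constructed output with the given counters (same layout as the slides)."""
    return SAMPLE_TEMPLATE.format(p=policy_hits, a=allow_hits, b=block_hits)


def parse_hit_counters(text):
    """Return {'policy': name, 'policy_hits': int, 'rules': {rule_name: hits}}."""
    result = {"policy": None, "policy_hits": None, "rules": {}}
    current_rule = None  # None while still inside the policy header
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            result["policy"] = m["name"]
            current_rule = None
            continue
        m = RULE_RE.match(line)
        if m:
            current_rule = m["name"]
            result["rules"].setdefault(current_rule, 0)
            continue
        m = HITS_RE.match(line)
        if not m:
            continue
        if current_rule is None:
            result["policy_hits"] = int(m["hits"])
        else:
            result["rules"][current_rule] = int(m["hits"])
    return result


def unattributed_hits(parsed):
    """Policy-level hits not explained by any listed rule's counter.

    Negative when the rule counters exceed the policy counter, as on the
    first slide (policy 10, rule allow 14): the two counters are not kept
    in lockstep, so treat them as independent signals.
    """
    return parsed["policy_hits"] - sum(parsed["rules"].values())


def diff_snapshots(before, after):
    """Per-counter change between two polls, like two iterations of 'watch'."""
    deltas = {"policy": after["policy_hits"] - before["policy_hits"]}
    for name, hits in after["rules"].items():
        deltas[name] = hits - before["rules"].get(name, 0)
    return deltas


if __name__ == "__main__":
    polls = [parse_hit_counters(make_sample(p, 14, 0)) for p in (10, 16, 22)]
    for prev, cur in zip(polls, polls[1:]):
        print(diff_snapshots(prev, cur), "unattributed:", unattributed_hits(cur))
```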
Tracing Packets
firepower# packet-tracer input INSIDE icmp 172.16.1.11 8 0 20.20.20.10 det
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit icmp any any echo rule-id 268436992
access-list CSM_FW_ACL_ remark rule-id 268436992: ACCESS POLICY: ciscolive - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268436992: L7 RULE: icmp allow only
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x7f0c2e933260, priority=12, domain=permit, deny=false
hits=200, user_data=0x7f08c343bd80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any
You can operate and troubleshoot the NG-Firewall with confidence
FTD Packet-Flow
Packet processing – before we ‘enter’ the ASA/LINA
(Figure: Firepower 4100 data path ahead of the security engine. Labels: Security Engine (ASA or FTD); Smart NIC + Crypto Accelerator; Internal Switch Fabric with 2x 40 Gbps uplink; 8x 10 Gbps fixed ports; network modules NM 1 and NM 2 with 4x 40 Gbps or 8x 10 Gbps.)
ASA/LINA
firepower# sh int eth 1/7
Interface Ethernet1/7 "INSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 1000 usec
MAC address 5897.bdb9.73ee, MTU 1500
IP address 172.16.1.1, subnet mask 255.255.255.0
Traffic Statistics for "INSIDE":
180 packets input, 14853 bytes
155 packets output, 12628 bytes
25 packets dropped
1 minute input rate 1 pkts/sec, 94 bytes/sec
1 minute output rate 1 pkts/sec, 85 bytes/sec
1 minute drop rate, 0 pkts/sec
High-level information about packet counters in and out of the box on a per-context basis:
firepower# clear count
firepower# show count
Packet rate in and out on a per-interface basis:
firepower# clear traffic
firepower# show traffic
Number of packets dropped in the ASP: 'show asp drop'
(Figure: FTD packet-flow diagram, repeated on the following slides. ASA/LINA: RX on the ingress interface, existing-connection check (YES/NO), VPN decrypt, L3/L4 ACL and Pre-Filter, NAT, egress interface determination; the DAQ hands the packet to Advanced Snort / FirePOWER: SI (IP), SSL, SI (DNS/URL), Identity, L7 ACL, IPS, File/AMP; back in ASA/LINA: ALG checks, QoS, VPN encrypt, TX towards the next L3/L2 hop.)
Packet processing
• The ASA/LINA part checks whether the packet belongs to an existing flow or not
• If the packet is part of an already established flow, the appliance skips the basic checks, processes the packet in the Fast-Path and continues with the checks at DAQ level
show run logging
show logging
FMC: Device -> Platform Settings
show capture <name> packet-number <number> trace
show conn detail
packet-tracer
Packet processing
firepower# show cap in2 packet-number 46 trace detail
46: 19:28:20.056012 0050.56b6.0b33 5897.bdb9.73ee 0x8100 Length: 58
802.1Q vlan#208 P0 172.16.2.13.49182 > 20.20.20.11.80: . [tcp sum ok] 2790183968:2790183968(0) ack
1176461110 win 231 (DF) (ttl 128, id 16898)
...
Type: FLOW-LOOKUP
Found flow with id 34550, using existing flow
firepower# sh logging | include 34550
%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182
(172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302014: Teardown TCP connection 34550 for in2:172.16.2.13/49182 to
OUTSIDE:20.20.20.11/80 duration 0:00:28 bytes 1073752075 Flow closed by inspection
firepower#
34550 is the unique connection ID; it ties the capture trace (Found flow with id 34550) to the Built/Teardown syslog messages.
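Added example (not from the deck): correlating the %ASA-6-302013 Built and %ASA-6-302014 Teardown syslogs by their connection ID, which is what 'sh logging | include 34550' does by hand above. The log lines are constructed in the slide's format; connection 34550 uses the slide's values, 34551 and 34552 are made up.

```python
"""Correlate ASA/LINA connection syslogs by connection ID.

%ASA-6-302013 (Built) and %ASA-6-302014 (Teardown) for one flow carry
the same connection ID, the number shown on the slide. Pairing the two
messages yields direction, endpoints, lifetime, byte count and the
teardown reason per flow, and leaves unmatched Built messages as still
open connections. SAMPLE_LOG is constructed: connection 34550 uses the
slide's values, 34551 and 34552 are made up.
"""
import re
from datetime import timedelta

SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182 (172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302013: Built inbound TCP connection 34551 for in2:172.16.2.14/49191 (172.16.2.14/49191) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302014: Teardown TCP connection 34550 for in2:172.16.2.13/49182 to OUTSIDE:20.20.20.11/80 duration 0:00:28 bytes 1073752075 Flow closed by inspection
%ASA-6-302013: Built inbound TCP connection 34552 for in2:172.16.2.15/50001 (172.16.2.15/50001) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302014: Teardown TCP connection 34552 for in2:172.16.2.15/50001 to OUTSIDE:20.20.20.11/80 duration 0:01:02 bytes 12345 TCP FINs
"""

# "Built <dir> TCP connection <id> for <ifc>:<ip>/<port> (<mapped>) to <ifc>:<ip>/<port> (<mapped>)"
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src>[^ ]+) \([^)]*\) to (?P<dst>[^ ]+) \([^)]*\)")
# "Teardown TCP connection <id> for <src> to <dst> duration H:MM:SS bytes N <reason>"
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for \S+ to \S+ "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$")


def parse_duration(text):
    """'0:00:28' -> timedelta(seconds=28)."""
    hours, minutes, seconds = (int(x) for x in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def correlate(log_text):
    """Return {conn_id: record}; a record's 'teardown' stays None while the flow is open."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[int(m["id"])] = {"direction": m["dir"], "src": m["src"],
                                   "dst": m["dst"], "teardown": None}
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            # A Teardown whose Built fell outside the log window still gets a record.
            rec = conns.setdefault(int(m["id"]), {"direction": None, "src": None, "dst": None})
            rec["teardown"] = {"duration": parse_duration(m["dur"]),
                               "bytes": int(m["bytes"]), "reason": m["reason"] or ""}
    return conns


def open_connections(conns):
    """IDs that were built but not torn down within the log window."""
    return sorted(cid for cid, rec in conns.items() if rec["teardown"] is None)


def teardown_reasons(conns):
    """Histogram of teardown reasons, e.g. to spot flows closed by inspection."""
    counts = {}
    for rec in conns.values():
        if rec["teardown"] is not None:
            reason = rec["teardown"]["reason"]
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    conns = correlate(SAMPLE_LOG)
    for cid in sorted(conns):
        print(cid, conns[cid])
    print("open:", open_connections(conns), "reasons:", teardown_reasons(conns))
```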
Packet processing
Determination of Egress Interface
• Routing table / route lookup: the 'in' entries of the ASP routing table are checked to determine the egress interface
• UN-NAT (destination NAT): the egress interface is chosen based on the NAT rule
show asp table routing
show capture <name> packet-number 10 trace detail
packet-tracer
Packet processing
Pre-filter rules solve the following issues:
• The ASA firewall enforces access-control rules on the outer encapsulation headers without looking into the payload
• FirePOWER devices match traffic only on the inner payload headers
• Lack of visibility into all sessions, such as tunnels
Pre-filter rules were introduced in the 6.1 release and allow the following:
• Trust/deny/allow tunnels based on the outer header
• Tag the interesting tunnels and use the tag to enforce ACP rules for the inner sessions inside the tunnel
Packet processing
Pre-filter Rule Actions
• Analyze: sends the traffic to Snort for inspection
• Block: drops the traffic
• Fastpath: allows the traffic and bypasses further inspection; the rule is processed in hardware and the traffic is offloaded
Pre-Filter Policy
Packet processing
firepower# show flow-offload flow
2 in use, 2 most used, 16% offloaded
TCP intfc 106 src 20.20.20.11:80 dest 172.16.2.14:49191, timestamp 2265924877, packets 191614, bytes 264712022
TCP vlan 208 intfc 107 src 172.16.2.14:49191 dest 20.20.20.11:80, timestamp 2265924879, packets 26301, bytes 1788781
firepower# show conn address 20.20.20.11 detail long
TCP in2: 172.16.2.14/49191 (172.16.2.14/49191) OUTSIDE: 20.20.20.11/80 (20.20.20.11/80), flags Uo, idle 12s, uptime 12s, timeout 1h0m, bytes 683253399
The newly added flag ‘o’ means that the flow was offloaded
Packet processing
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)
%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)
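The connection ID is what ties the 302013/302014 build and teardown messages to the 805001/805002 offload messages. The following script is an added example (not code from the session) that correlates these syslog lines by connection ID and reports which flows were offloaded, which were closed by inspection rather than by the endpoints, and which were still open; the log lines are constructed after the format on the slides.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the %ASA-6-302013/302014 and 805001/805002
# messages shown in the slides (not a real capture from the session).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 34550 for in2:172.16.2.13/49182 (172.16.2.13/49182) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302013: Built inbound TCP connection 34892 for in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-805001: Offloaded TCP Flow for connection 34892 from OUTSIDE:20.20.20.11/80 (20.20.20.11/80) to in2:172.16.2.14/49193 (172.16.2.14/49193)
%ASA-6-805002: TCP Flow is no longer offloaded for connection 34892 from in2:172.16.2.14/49193 (172.16.2.14/49193) to OUTSIDE:20.20.20.11/80 (20.20.20.11/80)
%ASA-6-302014: Teardown TCP connection 34550 for in2:172.16.2.13/49182 to OUTSIDE:20.20.20.11/80 duration 0:00:28 bytes 1073752075 Flow closed by inspection
%ASA-6-302014: Teardown TCP connection 34892 for in2:172.16.2.14/49193 to OUTSIDE:20.20.20.11/80 duration 0:01:05 bytes 266500803 TCP FINs
%ASA-6-302013: Built inbound TCP connection 34901 for in2:172.16.2.15/50110 (172.16.2.15/50110) to OUTSIDE:20.20.20.11/443 (20.20.20.11/443)
"""

# 302013 (TCP) / 302015 (UDP) build, 302014 / 302016 teardown, 805001 / 805002 offload.
BUILT = re.compile(
    r"%ASA-6-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<id>\d+) for (?P<src>\S+) \(\S+\) to (?P<dst>\S+) \(\S+\)")
TEARDOWN = re.compile(
    r"%ASA-6-30201[46]: Teardown (?:TCP|UDP) connection (?P<id>\d+) for \S+ to \S+ "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$")
OFFLOAD = re.compile(r"%ASA-6-8050(?P<code>01|02): .*? connection (?P<id>\d+) ")


@dataclass
class Conn:
    conn_id: int
    proto: str
    direction: str
    src: str
    dst: str
    offloaded: bool = False            # an 805001 message was seen for this connection
    offload_ended: bool = False        # an 805002 message was seen afterwards
    duration_s: Optional[int] = None   # filled in from the teardown message
    bytes: Optional[int] = None
    reason: Optional[str] = None       # teardown reason, e.g. "Flow closed by inspection"

    @property
    def is_open(self) -> bool:
        return self.duration_s is None


def parse_syslog(text: str) -> Dict[int, Conn]:
    """Correlate build, offload and teardown messages by the ASA connection ID."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = BUILT.search(line)
        if m:
            cid = int(m["id"])
            conns[cid] = Conn(cid, m["proto"], m["dir"], m["src"], m["dst"])
            continue
        m = TEARDOWN.search(line)
        if m and int(m["id"]) in conns:
            c = conns[int(m["id"])]
            c.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            c.bytes = int(m["bytes"])
            c.reason = m["reason"]
            continue
        m = OFFLOAD.search(line)
        if m and int(m["id"]) in conns:
            c = conns[int(m["id"])]
            if m["code"] == "01":
                c.offloaded = True
            else:
                c.offload_ended = True
    return conns


def closed_by_inspection(conns: Dict[int, Conn]) -> List[int]:
    """IDs of connections torn down by an inspection engine rather than by the endpoints."""
    return sorted(cid for cid, c in conns.items() if c.reason == "Flow closed by inspection")


def still_open(conns: Dict[int, Conn]) -> List[int]:
    """IDs of connections built but never torn down within the log window."""
    return sorted(cid for cid, c in conns.items() if c.is_open)


if __name__ == "__main__":
    for conn in parse_syslog(SAMPLE_LOG).values():
        print(conn)
```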
Packet processing
firepower# show access-list | i icmp
access-list CSM_FW_ACL_ line 9 remark rule-id 268441864: L7 RULE: icmp traffic
access-list CSM_FW_ACL_ line 10 advanced permit icmp any any rule-id 268441864 (hitcnt=335) 0xa2dc10fa
root@ftd:/var/sf/detection_engines/ae4faffe-d1b2-11e6-8ea4-817d227fa40c# cat ngfw.rules | grep 268441864
268441864 fastpath any any any any any any any 1 (log dcforward both)
[Diagram: the FMC pushes the same rule-id to both the ASA access-list (5-TUPLE match) and the FirePOWER ngfw.rules file]
Packet processing
root@firepower:/Volume/home/admin# cd /var/sf/iprep_download/
root@firepower:/var/sf/iprep_download# grep "72.4.119.2\|#" * | tail -n 2
d8eea83e-6167-11e1-a154-589de99bfdf1:#Global-Whitelist
d8eea83e-6167-11e1-a154-589de99bfdf1:72.4.119.2
root@firepower:/var/sf/iprep_download# cat d8eea83e-6167-11e1-a154-589de99bfdf1
#Global-Whitelist
72.163.4.161
• Ability to block dangerous / malicious traffic, aka the “bad guys”
• The SI feed is updated periodically by the Cisco TALOS team
• The SI whitelist is intentionally still processed by the rest of the ACP rules
Packet processing
SSL inspection – policy to control SSL flows
• Decrypt – Resign
• Client <---> FTD (MITM) <---> Server
• Usage: 3rd-party servers or Internet resources
• Known key
• The FTD has imported the server’s private key
• Usage: servers that you own
Note: In a passive deployment you cannot use the ”Decrypt - Resign” action, since it requires re-signing the server certificate.
Packet processing
• Do not decrypt – pass the encrypted traffic on for AC rule evaluation
• Monitor – only logs the traffic flow for tracking purposes; the traffic is still evaluated by the rest of the rule set
• Block, Block with reset – prevent the encrypted traffic from passing through
• Order of operation:
• SSL rules are processed from top to bottom
• Once a match is found, the system does not evaluate the traffic against the rules below it
Packet processing
SSL errors on failing decrypt:
- negotiation mode with unsupported extension
- any miss in the SSL handshake
Packet processing
> system support ssl-debug debug_policy_all
Parameter debug_policy_all successfully added to configuration file.
Configuration file contents:
debug_policy_all
You must restart snort before this change will take affect
This can be done via the CLI command 'pmtool restartbytype DetectionEngine'.
> pmtool restartbytype DetectionEngine
> expert
admin@ftd:/opt/bootcli/cisco/cli/bin$ cd /ngfw/var/common/
Packet processing
• Order of operation: rules are processed from top to bottom
• ACP rule matching differs between columns (AND operand) and within a column (OR operand)
• Adaptive profiling needs to be enabled in order to determine the App ID (“on” by default)
• App ID identification usually occurs within 3-5 packets, or after the SSL handshake
Packet processing
> system support firewall-engine-debug
172.16.1.10-60467 > 20.20.20.10-21 6 AS 1 I 7 no match rule order 3, 'FTP to be allowed', app s=-1 c=-1 p=-1 m=-1
20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 Starting with minimum 3, 'FTP to be allowed', and SrcZone first with zones 2 -> 1, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 165, payload 4002, client 2000000165, misc 0, user 9999997, icmpType 0, icmpCode 0
20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 match rule order 3, 'FTP to be allowed', action Allow
Packet processing
firepower# show access-list | include FTP
access-list CSM_FW_ACL_ line 14 remark rule-id 268443650: L7 RULE: FTP to be allowed
firepower# show access-list | i 268443650
access-list CSM_FW_ACL_ line 13 remark rule-id 268443650: ACCESS POLICY: CL-ACP-2017-FINAL - Mandatory/2
access-list CSM_FW_ACL_ line 14 remark rule-id 268443650: L7 RULE: FTP to be allowed
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268443650 (hitcnt=16) 0xa1d3780e
firepower#
root@ftd:/opt/bootcli/cisco/cli/bin# cat /ngfw/var/sf/detection_engines/ae4faffe-d1b2-11e6-8ea4-817d227fa40c/ngfw.rules | grep 268443650
268443650 allow any any any any any any any any (log dcforward both) (appid 52:1, 165:1, 166:1, 167:1, 168:1, 250:1, 251:1, 281:1, 291:1, 332:1, 348:1, 349:1, 365:1, 411:1, 420:4, 441:1, 469:1, 862:1, 2606:4, 3126:1, 3131:1, 3380:1, 3562:1, 4002:4, 4003:4, 2000000052:2, 2000000165:2, 2000000166:2, 2000000167:2, 2000000168:2, 2000000250:2, 2000000251:2, 2000000281:2, 2000000291:2, 2000000332:2, 2000000348:2, 2000000349:2, 2000000365:2, 2000000411:2, 2000000441:2, 2000000469:2, 2000000862:2, 2000003126:2, 2000003131:2, 2000003380:2, 2000003562:2)
root@ftd:/opt/bootcli/cisco/cli/bin#
Packet processing
File rule actions:
• Detect Files: log the file transfers and pass them through
• Block Files: block the file transfer
• Malware Cloud Lookup: calculate the SHA256, determine and log the disposition, pass the file
• Block Malware: same as Malware Cloud Lookup, but blocks malicious file transfers
Packet processing
> system support firewall-engine-debug
Please specify an IP protocol: tcp
Please specify a server port: 80
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 New session
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 Starting with minimum 0, id 0 and SrcZone first with zones 3 -> 2, geo 0(0) -> 0, vlan 0, sgt tag: untagged, svc 676, payload 2655, client 638, misc 0, user 9999997, url http://install.cisco.com/eicarcom2.zip, xff
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 no match rule order 2, 'DNS and icmp', DstPort
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 match rule order 3, 'HTTP traffic and file inspect', action Allow
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File policy verdict is Type, Malware, and Capture
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File malware event for e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397 named eicarcom2.zip with disposition Malware and action Block Malware
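The firewall-engine-debug output above (and the FTP example a few slides earlier) shows, per flow, which ACP rules were skipped and why, which rule finally matched, the detected application IDs and any file-policy verdict. The script below is an added example, not part of the session material, that parses those lines into a per-flow summary so the "is the right AC rule being evaluated?" question can be answered from a saved debug; the sample lines are constructed after the slides, with each message on a single line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the firewall-engine-debug lines in the slides; the
# CLI wraps long messages on screen, here every message sits on one line.
SAMPLE_DEBUG = """\
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 New session
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 Starting with minimum 0, id 0 and SrcZone first with zones 3 -> 2, geo 0(0) -> 0, vlan 0, sgt tag: untagged, svc 676, payload 2655, client 638, misc 0, user 9999997, url http://install.cisco.com/eicarcom2.zip, xff
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 no match rule order 2, 'DNS and icmp', DstPort
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 match rule order 3, 'HTTP traffic and file inspect', action Allow
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File policy verdict is Type, Malware, and Capture
172.16.2.27-54675 > 10.83.180.17-80 6 AS 1 I 40 File malware event for e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397 named eicarcom2.zip with disposition Malware and action Block Malware
20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 Starting with minimum 3, 'FTP to be allowed', and SrcZone first with zones 2 -> 1, geo 0 -> 0, vlan 0, sgt tag: untagged, svc 165, payload 4002, client 2000000165, misc 0, user 9999997, icmpType 0, icmpCode 0
20.20.20.10-53156 > 172.16.1.10-21 6 AS 1 I 46 match rule order 3, 'FTP to be allowed', action Allow
"""

# "src-sport > dst-dport proto AS <n> I <n> <message>"
HEAD = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+) (?P<proto>\d+) AS \d+ I \d+ (?P<msg>.*)$")
NO_MATCH = re.compile(r"^no match rule order (\d+), '([^']*)', (.*)$")
MATCH = re.compile(r"^match rule order (\d+), '([^']*)', action (\w+)")
APPS = re.compile(r"svc (\d+), payload (\d+), client (\d+)")
URL = re.compile(r"url (\S+),")
FILE_EVENT = re.compile(
    r"File malware event for ([0-9a-f]{64}) named (\S+) with disposition (\w+) and action (.+)$")


def parse_debug(text: str) -> Dict[str, dict]:
    """Group debug lines by flow and extract the rule evaluation chain and verdicts."""
    flows: Dict[str, dict] = {}
    for line in text.splitlines():
        h = HEAD.match(line)
        if not h:
            continue  # prompts such as "Please specify a server port" carry no flow
        key = f"{h['src']} > {h['dst']}/{h['proto']}"
        f = flows.setdefault(key, {"skipped": [], "matched": None, "apps": None,
                                   "url": None, "file": None})
        msg = h["msg"]
        nm = NO_MATCH.match(msg)
        if nm:  # (rule order, rule name, the condition that failed, e.g. DstPort)
            f["skipped"].append((int(nm[1]), nm[2], nm[3]))
            continue
        mm = MATCH.match(msg)
        if mm:  # (rule order, rule name, action)
            f["matched"] = (int(mm[1]), mm[2], mm[3])
            continue
        a = APPS.search(msg)
        if a:  # the "Starting with ..." line carries the detected App IDs and URL
            f["apps"] = {"svc": int(a[1]), "payload": int(a[2]), "client": int(a[3])}
            u = URL.search(msg)
            if u:
                f["url"] = u[1]
            continue
        fe = FILE_EVENT.search(msg)
        if fe:
            f["file"] = {"sha256": fe[1], "name": fe[2], "disposition": fe[3], "action": fe[4]}
    return flows


def blocked_malware(flows: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(flow, file name) pairs where the file policy blocked a file with Malware disposition."""
    return [(k, f["file"]["name"]) for k, f in flows.items()
            if f["file"] and f["file"]["action"] == "Block Malware"]


if __name__ == "__main__":
    for key, summary in parse_debug(SAMPLE_DEBUG).items():
        print(key, summary)
```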
Packet processing
“Troubleshooting thoughts”
• Is the connection inspected by SNORT? -> “show conn” – flag ‘N’
• Packet captures (capture and capture-traffic) show incoming traffic on the ASA/LINA side and diverted flows being sent to SNORT, but no outgoing packets, or packets missing on the outside interface after SNORT inspection?
• Are connection events being triggered? -> FMC Connection table view
• Is the right AC rule being evaluated? -> NGFW debugs
• IPS events are not populated? -> Create a custom ICMP rule or enable the “ICMP echo” rule 1:408 to confirm that IPS events are generally working
Packet processing
CUSTOM SNORT ICMP RULE:
alert icmp any any -> any any (sid:1000001; gid:1; icode:0; itype:8; msg:"icmp echo"; classtype:not-suspicious; rev:1; )
• Set the rule state in the IPS policy to the “Drop and Generate” action
• The interface should be in “Inline” mode
• The IPS policy needs to have the “Drop when Inline” option enabled
Packet processing
firepower# sh cap i packet-number 1 trace
1: 09:09:18.644467 172.16.1.17 > 20.20.20.100: icmp: echo request
Phase: 4
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
Packet processing
firepower# sh cap
capture i type raw-data trace detail interface INSIDE [Capturing - 114 bytes]
match icmp any any
capture o type raw-data trace detail interface OUTSIDE [Capturing - 0 bytes]
match icmp any any
Packet processing
Change Rule State: Drop and Generate
Special attention when packets are blocked but there are no IPS events:
Rules with GID 129 DO NOT generate events until the “Stateful Inspection Anomalies” option in the TCP Stream preprocessor is enabled!
Packet processing
• How do ASA and FirePOWER L7 inspections work together?
• ASA – Application Level Gateways, ALGs (protocol specific)
• Pinhole creation
• NAT rewrite
• Protocol enforcement and fine-grained control
> configure inspect <protocol> enable/disable
policy-map global_policy
 class inspection_default
  no inspect <protocol>
service-policy global_policy global
Pushed to the NGFW device to disable inspection
Packet processing
firepower# show service-policy flow tcp host 20.20.20.11 host 172.16.2.100 eq 21
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow: inspect ftp
    Class-map: class-default
      Match: any
      Action:
        Output flow:
        Input flow: set connection random-sequence-number disable
        set connection advanced-options UM_STATIC_TCP_MAP
Packet processing
firepower# show service-policy inspect ftp
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 139, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0
firepower# sh run policy-map | i ftp
  inspect ftp
  inspect tftp
Packet processing
The remaining checks are the same as on a standalone ASA:
• Determination of the NAT IP header – in the capture trace, phase ‘NAT’ shows the translated IP address details
• Based on the packet-processing step “Egress Interface” determination, the ‘out’ entries of the ASP routing table are now checked
• Using the packet capture trace detail option we can see the phase “ROUTE-LOOKUP” with the next-hop IP address details
Packet processing
IN (capture on the INSIDE interface):
> show capture in
1: 15:52:55.249834 172.16.1.56 > 20.20.20.33: icmp: echo request
2: 15:52:55.250643 20.20.20.33 > 172.16.1.56: icmp: echo reply
> show capture
capture in type raw-data trace interface INSIDE [Capturing - 720 bytes]
match icmp host 172.16.1.56 host 20.20.20.33
OUT (capture on the OUTSIDE interface):
> show capture out
1: 15:52:55.250261 172.16.1.56 > 20.20.20.33: icmp: echo request
2: 15:52:55.250627 20.20.20.33 > 172.16.1.56: icmp: echo reply
> show capture
capture out type raw-data trace interface OUTSIDE [Capturing - 720 bytes]
match icmp host 172.16.1.56 host 20.20.20.33
Conclusion
Take the chance and drive your FTD installation to a success
• Plan your desired hardware based on capabilities and performance
• Plan your desired feature-set and functionality
• Plan your desired operations mode (there are choices)
• Plan a pilot-phase with extra timing for all operational tasks
• Upgrades/Downgrades
• Backup/Restore
• Replacement/RMA
• Practice basic troubleshooting steps
• Have a look at new features and functionality inside a testbed
We wish you every success operating and troubleshooting your new NG-Firewall
Thank You
Veronika Klauzova
Michael Vassigh
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations