Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting Best Practices for the Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Advanced Malware Protection (AMP), 1st edition
Published by Cisco Press (December 4, 2017) © 2018
- Nazmul Rajib
eTextbook
- Available for purchase from all major ebook resellers, including InformIT.com.
- A print text (hardcover or paperback)
- Also available for purchase as an ebook from all major ebook resellers, including InformIT.com
Senior Cisco engineer Nazmul Rajib draws on unsurpassed experience supporting and training Cisco Firepower engineers worldwide to present detailed knowledge of Cisco Firepower deployment, tuning, and troubleshooting. Writing for cybersecurity consultants, service providers, channel partners, and enterprise or government security professionals, he shows how to deploy the Cisco Firepower next-generation security technologies to protect your network from potential cyber threats, and how to use Firepower's robust command-line tools to investigate a wide variety of technical issues.
Each consistently organised chapter contains definitions of keywords, operational flowcharts, architectural diagrams, best practices, configuration steps (with detailed screenshots), verification tools, troubleshooting techniques, and FAQs drawn directly from issues raised by Cisco customers at the Global Technical Assistance Center (TAC). Covering key Firepower materials on the CCNA Security, CCNP Security, and CCIE Security exams, this guide also includes end-of-chapter quizzes to help candidates prepare.
Introduction xxv
Part I Troubleshooting and Administration of Hardware Platform
Chapter 1 Introduction to the Cisco Firepower Technology 1
History of Sourcefire 1
   Evolution of Firepower 2
   FirePOWER Versus Firepower 3
Firepower Threat Defense (FTD) 6
   FirePOWER Service Versus Firepower Threat Defense (FTD) 6
   Firepower System Software Components 7
   Firepower System Hardware Platforms 9
   Firepower Accessories 10
Summary 11
Chapter 2 FTD on ASA 5500-X Series Hardware 13
ASA Reimaging Essentials 13
Best Practices for FTD Installation on ASA Hardware 14
Installing and Configuring FTD 16
   Fulfilling Prerequisites 16
   Upgrading Firmware 18
   Installing the Boot Image 26
   Installing the System Software 32
Verification and Troubleshooting Tools 44
   Navigating to the FTD CLI 44
   Determining the Version of Installed Software 46
   Determining the Free Disk Space on ASA Hardware 47
   Deleting a File from a Storage Device 48
   Determining the Availability of Any Storage Device or SSD 48
   Determining the Version of the ROMMON Software or Firmware 50
Summary 52
Quiz 52
Chapter 3 FTD on the Firepower eXtensible Operating System (FXOS) 55
Firepower 9300 and 4100 Series Essentials 55
   Architecture 57
   Software Images 58
       Firepower Extensible Operating System (FXOS) 59
       FTD Software 60
       Firmware 60
   Web User Interfaces 61
Best Practices for FTD Installation on Firepower Hardware 62
Installing and Configuring FTD 64
   Fulfilling Prerequisites 64
       Deleting Any Existing Logical Devices 64
       Upgrading the FXOS Software 65
       Enabling Interfaces 67
   Installing FTD 71
       Uploading the FTD Software Image 72
       Adding a Logical Device for FTD 73
       Completing the Initialization of FTD 77
Verification and Troubleshooting Tools 79
   Navigating to the FTD CLI 79
   Verifying the FXOS Software 81
   Verifying the Status of a Security Application 82
   Verifying the Security Modules, Adapters, and Switch Fabric 84
   Verifying the Hardware Chassis 87
   Verifying the Power Supply Unit (PSU) Modules 90
   Verifying the Fan Modules 92
Summary 94
Quiz 94
Chapter 4 Firepower Management Center (FMC) Hardware 97
FMC Component Essentials 97
   On-Box Managers 98
   Off-Box Managers 99
   Cisco Integrated Management Controller (CIMC) 101
   Internal USB Storage for the System_Restore Image 104
   User Interfaces 104
Best Practices for FMC Reimage 105
   Pre-installation Best Practices 105
   Post-installation Best Practices 108
Installing and Configuring the FMC 109
   Fulfilling Prerequisites 109
   Configuration Steps 110
       Step 1: Load the System_Restore Image 111
       Step 2: Configure the Network Settings 114
       Step 3: Choose a Transport Protocol 114
       Step 4: Download and Mount an ISO File 116
       Step 5: Run the Installation 117
       Step 6: Initialize the System 120
Verification and Troubleshooting Tools 122
   Identifying the FMC on a Rack 122
   Determining the Hardware and Software Details of the FMC 124
   Determining the RAID Battery Status 124
   Determining the Status of a Power Supply Unit (PSU) 125
       Checking Logs on the CLI 125
       Enabling Alerts on the GUI 127
       Performing a Complete Power Cycle 129
       PSU Checklist 129
   Verifying the Fans 129
Summary 132
Quiz 132
Chapter 5 Firepower System Virtual on VMware 135
FMC and FTD Virtual Essentials 135
   Supported Virtual Environments 135
   ESXi Versus VI 136
   VMware Installation Package in a Tarball 136
   Disk Provisioning Options 137
Best Practices for Firepower Virtual Appliance Deployment 138
   Pre-deployment Best Practices 138
   Post-deployment Best Practices 140
Installing and Configuring a Firepower Virtual Appliance 141
   Fulfilling Prerequisites 142
   Creating a Virtual Network 144
       Creating a Network for FMC Virtual 145
       Creating a Network for FTD Virtual 148
       Using Promiscuous Mode 152
   Deploying an OVF Template 154
   Initializing an Appliance 160
       Initializing an FMC Virtual Appliance 161
       Initializing an FTD Virtual Appliance 162
Verification and Troubleshooting Tools 163
   Determining the Status of Allocated Resources 164
   Determining the Status of a Network Adapter 165
   Upgrading a Network Adapter 166
Summary 170
Quiz 170
Part II Troubleshooting and Administration of Initial Deployment
Chapter 6 The Firepower Management Network 173
Firepower System Management Network Essentials 173
   The FTD Management Interface 173
   Designing a Firepower Management Network 176
Best Practices for Management Interface Configuration 180
   Configuring a Management Network on FMC Hardware 180
   Configuration Options 180
       Using the GUI During the First Login 180
       Using the GUI On Demand 182
       Using the Command-Line Interface 183
   Verification and Troubleshooting Tools 184
Configuring a Management Network on ASA Hardware 186
   Configuration 186
   Verification and Troubleshooting Tools 187
Configuring a Management Network on a Firepower Security Appliance 190
   Configuring the FXOS Management Interface 190
   Verification of the FXOS Management Interface Configuration 191
   Configuring the FTD Management Interface 192
   Verification of the FTD Management Interface Configuration 194
Summary 197
Quiz 197
Chapter 7 Firepower Licensing and Registration 199
Licensing Essentials 199
   The Smart Licensing Architecture 199
       Cisco Smart Software Manager (CSSM) 200
       CSSM Satellite 201
   Firepower Licenses 202
Best Practices for Licensing and Registration 203
Licensing a Firepower System 203
   Licensing Configuration 204
       Evaluation Mode 205
       Registering with the CSSM 206
   Verifying a Smart License Issue 209
Registering a Firepower System 211
   Registration Configuration 211
       Setting Up FTD 211
       Setting Up the FMC 212
   Verifying the Registration and Connection 215
   Analyzing the Encrypted SFTunnel 221
Summary 229
Quiz 230
Chapter 8 Firepower Deployment in Routed Mode 231
Routed Mode Essentials 231
Best Practices for Routed Mode Configuration 233
Configuring Routed Mode 233
   Fulfilling Prerequisites 234
   Configuring the Firewall Mode 234
   Configuring the Routed Interface 235
       Configuring an Interface with a Static IP Address 235
       DHCP Services 238
   FTD as a DHCP Server 240
   FTD as a DHCP Client 241
Verification and Troubleshooting Tools 243
   Verifying the Interface Configuration 243
   Verifying DHCP Settings 246
Summary 249
Quiz 249
Chapter 9 Firepower Deployment in Transparent Mode 251
Transparent Mode Essentials 251
Best Practices for Transparent Mode 252
Configuring Transparent Mode 253
   Fulfilling Prerequisites 254
   Changing the Firewall Mode 254
   Deploying Transparent Mode in a Layer 2 Network 255
       Configuring the Physical and Virtual Interfaces 256
       Verifying the Interface Status 261
       Verifying Basic Connectivity and Operations 264
   Deploying an FTD Device Between Layer 3 Networks 267
       Selecting the Default Action 268
       Adding an Access Rule 269
   Creating an Access Rule for SSH 272
       Verifying Access Control Lists 274
Summary 276
Quiz 276
Part III Troubleshooting and Administration of Traffic Control
Chapter 10 Capturing Traffic for Advanced Analysis 277
Traffic Capture Essentials 277
Best Practices for Capturing Traffic 278
Configuring Firepower System for Traffic Analysis 278
   Capturing Traffic from a Firepower Engine 279
       tcpdump Options 280
       Downloading a .pcap File Generated by Firepower Engine 285
   Capturing Traffic from the Firewall Engine 288
       Downloading a .pcap File Generated by Firewall Engine 291
       Enabling HTTP Service in FTD 293
   Capturing Traffic from the FMC 298
       Downloading a .pcap File Generated by FMC 299
Verification and Troubleshooting Tools 302
   Adding an Access Rule to Block ICMP Traffic 302
   Analyzing the Traffic Flow by Using a Block Rule 303
   Packet Processing by an Interface 306
Summary 309
Quiz 309
Chapter 11 Blocking Traffic Using Inline Interface Mode 311
Inline Mode Essentials 311
   Inline Mode Versus Passive Mode 312
   Inline Mode Versus Transparent Mode 314
   Tracing a Packet Drop 314
Best Practices for Inline Mode Configuration 316
Configuring Inline Mode 316
   Fulfilling Prerequisites 317
   Creating an Inline Set 317
       Verifying the Configuration 321
       Verifying Packet Flow by Using packet-tracer 324
       Verifying Packet Flow by Using Real Packet Capture 328
   Enabling Fault Tolerance Features 333
       Configuring Fault Tolerance Features 334
       Verifying Fault Tolerance Features 335
   Blocking a Specific Port 336
       Configuring Blocking a Specific Port 337
       Verifying Blocking of a Specific Port 339
       Analyzing a Packet Drop by Using a Simulated Packet 340
       Analyzing a Packet Drop by Using a Real Packet 342
Summary 344
Quiz 345
Chapter 12 Inspecting Traffic Without Blocking It 347
Traffic Inspection Essentials 347
   Passive Monitoring Technology 347
   Inline Versus Inline Tap Versus Passive 350
Best Practices for Detection-Only Deployment 352
Fulfilling Prerequisites 352
Inline Tap Mode 352
   Configuring Inline Tap Mode 353
   Verifying an Inline Tap Mode Configuration 354
Passive Interface Mode 357
   Configuring Passive Interface Mode 357
       Configuring Passive Interface Mode on an FTD Device 357
       Configuring a SPAN Port on a Switch 359
   Verifying a Passive Interface Mode Configuration 359
Analyzing Traffic Inspection Operation 362
   Analyzing a Connection Event with a Block Action 362
       Analyzing Live Traffic 362
       Analyzing a Simulated Packet 364
   Analyzing an Intrusion Event with an Inline Result 366
Summary 370
Quiz 371
Chapter 13 Handling Encapsulated Traffic 373
Encapsulation and Prefilter Policy Essentials 373
Best Practices for Adding a Prefilter Rule 375
Fulfilling Prerequisites 375
   Transferring and Capturing Traffic on the Firewall Engine 377
Scenario 1: Analyzing Encapsulated Traffic 379
   Configuring Policies to Analyze Encapsulated Traffic 379
       Prefilter Policy Settings 379
       Access Control Policy Settings 381
   Verifying the Configuration and Connection 382
   Analyzing Packet Flows 385
Scenario 2: Blocking Encapsulated Traffic 391
   Configuring Policies to Block Encapsulated Traffic 391
   Verifying the Configuration and Connection 392
   Analyzing Packet Flows 395
Scenario 3: Bypassing Inspection 397
   Configuring Policies to Bypass Inspection 397
       Custom Prefilter Policy 397
       Access Control Policy Settings 401
   Verifying the Configuration and Connection 403
   Analyzing Packet Flows 405
Summary 407
Quiz 407
Chapter 14 Bypassing Inspection and Trusting Traffic 409
Bypassing Inspection and Trusting Traffic Essentials 409
   The Fastpath Rule 409
   The Trust Rule 410
Best Practices for Bypassing Inspection 412
Fulfilling Prerequisites 412
Implementing Fastpath Through a Prefilter Policy 413
   Configuring Traffic Bypassing 413
       Configuring a Prefilter Policy 413
       Invoking a Prefilter Policy in an Access Control Policy 418
   Verifying the Prefilter Rule Configuration 420
   Enabling Tools for Advanced Analysis 421
   Analyzing the Fastpath Action 422
Establishing Trust Through an Access Policy 427
   Configuring Trust with an Access Policy 427
   Verifying the Trust Rule Configuration 429
   Enabling Tools for Advanced Analysis 430
   Analyzing the Trust Action 432
   Using the Allow Action for Comparison 440
Summary 442
Quiz 442
Chapter 15 Rate Limiting Traffic 445
Rate Limiting Essentials 445
Best Practices for QoS Rules 447
Fulfilling Prerequisites 448
Configuring Rate Limiting 449
Verifying the Rate Limit of a File Transfer 454
Analyzing QoS Events and Statistics 458
Summary 462
Quiz 462
Part IV Troubleshooting and Administration of Next-Generation Security Features
Chapter 16 Blacklisting Suspicious Addresses by Using Security Intelligence 463
Security Intelligence Essentials 463
   Input Methods 466
Best Practices for Blacklisting 468
Fulfilling Prerequisites 468
Configuring Blacklisting 468
   Automatic Blacklist Using Cisco Intelligence Feed 468
   Manual Blacklisting Using a Custom Intelligence List 472
   Immediate Blacklisting Using a Connection Event 477
       Adding an Address to a Blacklist 477
       Deleting an Address from a Blacklist 479
   Monitoring a Blacklist 480
   Bypassing a Blacklist 482
       Adding an Address to a Whitelist 483
       Deleting an Address from a Whitelist 484
Verification and Troubleshooting Tools 485
   Verifying the Download of the Latest Files 486
   Verifying the Loading of Addresses into Memory 489
   Finding a Specific Address in a List 491
   Verifying URL-Based Security Intelligence Rules 491
Summary 494
Quiz 494
Chapter 17 Blocking a Domain Name System (DNS) Query 497
Firepower DNS Policy Essentials 497
   Domain Name System (DNS) 497
   Blocking of a DNS Query Using a Firepower System 499
   DNS Rule Actions 500
       Actions That Can Interrupt a DNS Query 500
       Actions That Allow a DNS Query 502
   Sources of Intelligence 504
Best Practices for Blocking DNS Query 506
Fulfilling Prerequisites 507
Configuring DNS Query Blocking 508
   Adding a New DNS Rule 508
   Invoking a DNS Policy 510
Verification and Troubleshooting Tools 511
   Verifying the Configuration of a DNS Policy 511
   Verifying the Operation of a DNS Policy 515
Summary 520
Quiz 520
Chapter 18 Filtering URLs Based on Category, Risk, and Reputation 523
URL Filtering Essentials 523
   Reputation Index 523
   Operational Architecture 525
Fulfilling Prerequisites 526
Best Practices for URL Filtering Configuration 529
Blocking URLs of a Certain Category 532
   Configuring an Access Rule for URL Filtering 532
   Verification and Troubleshooting Tools 534
Allowing a Specific URL 537
   Configuring FTD to Allow a Specific URL 538
   Verification and Troubleshooting Tools 540
Querying the Cloud for Uncategorized URLs 543
   Configuring FMC to Perform a Query 544
   Verification and Troubleshooting Tools 546
Summary 550
Quiz 550
Chapter 19 Discovering Network Applications and Controlling Application Traffic 553
Application Discovery Essentials 553
   Application Detectors 553
   Operational Architecture 555
Best Practices for Network Discovery Configuration 557
Fulfilling Prerequisites 558
Discovering Applications 560
   Configuring a Network Discovery Policy 561
   Verification and Troubleshooting Tools 564
       Analyzing Application Discovery 564
       Analyzing Host Discovery 566
       Undiscovered New Hosts 567
Blocking Applications 570
   Configuring Blocking of Applications 570
   Verification and Troubleshooting Tools 572
Summary 575
Quiz 576
Chapter 20 Controlling File Transfer and Blocking the Spread of Malware 577
File Policy Essentials 577
   File Type Detection Technology 579
   Malware Analysis Technology 579
   Licensing Capability 582
Best Practices for File Policy Deployment 583
Fulfilling Prerequisites 584
Configuring a File Policy 586
   Creating a File Policy 586
   Applying a File Policy 592
Verification and Troubleshooting Tools 593
   Analyzing File Events 594
   Analyzing Malware Events 599
       The FMC Is Unable to Communicate with the Cloud 599
       The FMC Performs a Cloud Lookup 603
       FTD Blocks Malware 607
   Overriding a Malware Disposition 610
Summary 615
Quiz 615
Chapter 21 Preventing Cyber Attacks by Blocking Intrusion Attempts 617
Firepower NGIPS Essentials 617
   Network Analysis Policy and Preprocessor 619
   Intrusion Policy and Snort Rules 621
   System-Provided Variables 624
   System-Provided Policies 626
Best Practices for Intrusion Policy Deployment 632
NGIPS Configuration 637
   Configuring a Network Analysis Policy 637
       Creating a New NAP with Default Settings 637
       Modifying the Default Settings of a NAP 639
   Configuring an Intrusion Policy 641
       Creating a Policy with a Default Ruleset 641
       Incorporating Firepower Recommendations 642
       Enabling or Disabling an Intrusion Rule 646
       Setting Up a Variable Set 648
   Configuring an Access Control Policy 650
Verification and Troubleshooting Tools 654
Summary 665
Quiz 665
Chapter 22 Masquerading the Original IP Address of an Internal Network Host 667
NAT Essentials 667
   NAT Techniques 669
   NAT Rule Types 670
Best Practices for NAT Deployment 672
Fulfilling Prerequisites 673
Configuring NAT 676
   Masquerading a Source Address (Source NAT for Outbound Connection) 676
       Configuring a Dynamic NAT Rule 677
       Verifying the Configuration 681
       Verifying the Operation: Inside to Outside 683
       Verifying the Operation: Outside to Inside 690
   Connecting to a Masqueraded Destination (Destination NAT for Inbound Connection) 695
       Configuring a Static NAT Rule 695
       Verifying the Operation: Outside to DMZ 696
Summary 706
Quiz 706
Appendix A Answers to the Review Questions 707
Appendix B Generating and Collecting Troubleshooting Files Using the GUI 713
Generating Troubleshooting Files with the GUI 713
Appendix C Generating and Collecting Troubleshooting Files Using the CLI 717
Generating Troubleshooting Files at the FTD CLI 717
   Downloading a File by Using the GUI 718
   Copying a File by Using the CLI 719
Generating Troubleshooting Files at the FMC CLI 719
9781587144806   TOC   11/9/2017
Nazmul Rajib is a senior engineer and leader of the Cisco Global Technical Services organization focusing on next-generation security technologies. He leads cybersecurity training initiatives, develops internal training programs, and trains the current generation of Cisco engineers who support Cisco security solutions around the world. He also reviews design specifications, tests security software, and provides solutions to business-critical networking issues. Nazmul has authored numerous technical publications at Cisco.com and in the Cisco support community.
Nazmul is a veteran engineer of Sourcefire, Inc., which developed Snort, the most popular open-source intrusion prevention system in the world. He created and managed the global knowledge base for Sourcefire and designed Sourcefire security certifications for partner enablement. Nazmul trained security engineers from many managed security service providers (MSSPs) in the United States. He supported the networks of numerous Fortune 500 companies and U.S. government agencies.
Nazmul has a master of science degree in internetworking. He also holds many certifications in the areas of cybersecurity, information technology, and technical communication. He is a Sourcefire Certified Expert (SFCE) and Sourcefire Certified Security Engineer (SFCSE).