
Test Plan Report

10/15/2013 03:49:52 UTC

Project: CX & PRSM Raptor-Threat Defense. Contains 309 test cases. (Columns: #, Entity Title, Description)

1. Verify that the threat ids of the threat objects/entries in the taxonomy file do not change after a software image upgrade.

2. Verify that threats may be deprecated, but should never be deleted from the threat taxonomy file (the total number of entries/threat objects in the threat taxonomy file after a software image upgrade can only be equal to or greater than the previous number).

3. Verify that the Global Threat Profile is set to the default threat profile object. Verify that the default threat profile object gets automatically created and cannot be deleted.

4. Verify that a threat profile object can be created and that it is possible to create more than one threat profile object. Also verify that more than one threat profile object with the same name cannot be created.

5. Verify that a threat profile object can be edited.

6. Verify that a threat profile object can be deleted.

7. Verify filtering of search results for threat profile objects.

8. Verify that a threat profile object can be created during policy creation.

9. Verify Access Policy Threat Profile, User Created. Use the same threat and try different settings on the slider bar. Traffic should be allowed, denied or ignored as expected.

10. Verify Multiple threat profiles attached to access policies. 3 different profiles, each attached to an access policy. Run 3 different PCAPs and verify allowed/denied/ignored. Then change the slider bar in each profile to cause the next action.

11. Verify Same Profile attached to multiple access policies. 3 different access policies with the same threat profile attached. Run 3 different PCAPs and check allowed/denied/ignored. Then change the slider bar in the profile to cause the next action.

Cisco Systems, Inc. Cisco Confidential Page 1 of 144

12. Verify Default Profile attached to access policies. 2 access policies each with a different user created threat profile plus an any/any access policy with the default threat profile attached. Run PCAPs and check allowed/denied/ignored. Then change a second profile to also use the default profile.

13. Verify Worst Action is picked in the case of several threats firing at once.
Procedure: 1. Configure a threat protection object with the Deny/Alert boundary at 12. 2. Enable Intrusion Protection at the device level (and apply a license if necessary). 3. Pass pcap 22579-0.pcap (which has one threat with a score of 15 and another threat with a score of 10) with wireplay. 4. Edit the threat protection object and configure the Alert/Ignore boundary at 12.
Expected Result: 1, 2 & 3. Verify the threat is detected in the event tab for Threats, and the event is an HTTP Deny. 4. Verify the threat is detected, and the event is an HTTP Complete (a.k.a. Alert).

14. Verify Multiple Exception Types in a Threat Profile in a Single access policy. In the threat profile, have multiple exceptions of each type, and verify the expected action for each threat.

15. Verify Global Threat Profile set to Default Threat Profile. Access policy with a threat profile configured, Global is left as default. Send a threat that doesn't match the access policy. The Global profile should take effect since nothing in the access policies matches. Then add more access policies which won't match the threat & try again.

16. Verify Global threat Profile set to User Created Profile. Access policy with a threat profile configured, Global is set to a user created threat profile. Send a threat that doesn't match the access policy. The Global profile should take effect since nothing in the access policies matches. Then add more access policies which won't match the threat & try again.

17. Verify Threat Profile Configured for both Access Policy and Global; traffic matches Access policy. Have a threat profile associated with one access policy, and also a global threat profile. Traffic which matches the access policy should trigger on the access policy, not the global profile.

18. Verify Global threat profile takes effect with late stage matches on 2 Access policies with threat profiles. Pending match on 2 Access Policy Threat Profiles (matches on a later stage), then the threat is identified; the Global Profile should be used. Then multiple late stage Access Policies. Then change the action in the Global Threat profile to the next action and verify it takes effect.


19. Verify Access policies with threat profiles, #1 matches in response body, #2 matches on source IP, and global profile defined. Access policy #1 matches in the response body (application), access policy #2 matches Source IP, and there is a global profile. Traffic going to the Dest URL with a threat in the req URL (or req header or response header) should use the Global threat profile. Note: The PCAPs which aren't firing yet (in the body) are the ones which should let us have pending matches on info in the body, such as different layers of application type.

20. Verify Exceptions for a global threat profile (user defined profile has exceptions). Should alert, but entered in blocked (only). Should alert, but entered in None (only). Should alert, but entered in Alert (only). Should deny, but entered in alert (only). Should deny, but entered in None (only). Should deny, but entered in Deny (only).

21. Verify threats with encoding in the http body, chunked: chunked-8010.pcap, chunked.pcap

22. Verify threats with encoding in the http body, deflate: deflate.pcap

23. Verify threats with encoding in the http body, gzip: gzip-8888.pcap, gzip.pcap

24. Verify threats with encoding in the http body, utf-7: utf-7.pcap, utf-7-all.pcap

25. Verify threats with encoding in the http body, utf-8: utf-8.pcap

26. Verify threats with encoding in the http body, utf-16: utf-16be.pcap, utf-16be-marker.pcap, utf-16le.pcap, utf-16le-marker.pcap, utf-16le-marker-8000.pcap, utf-16le-tcp-3128.pcap, utf-16le-tcp-8080.pcap

27. Verify threats with encoding in the http body, utf-32: utf-32be.pcap, utf-32be-marker.pcap, utf-32le.pcap, utf-32le-marker.pcap

28. Verify threats with encoding in the http body, more than one encoding at once: chunked-gzip.pcap, utf-7-chunked-gzip.pcap, utf-16be-chunked.pcap, utf-16be-chunked-24326.pcap, utf-32le-chunked-gzip.pcap

29. Verify HTTP related threat events in Event Viewer Display (in the new Threat Defense View). Verify threat events can be expanded and details seen.

30. Verify the threat events by switching between real time and historic views.

31. Verify pause and play buttons on the real time view for threat events.

32. Verify threat events displayed within the selected custom time range.


33. Verify creation, deletion and application of filtering for threat events.

34. Verify custom view creation by adding the threat related columns to existing views.

35. Verify that the new attacker/victim fields (4 fields to validate: attacker, attacker hostname, victim, and victim hostname) are populated in the events when threats are detected from the source/client.

36. Verify that the new attacker/victim fields (4 fields to validate: attacker, attacker hostname, victim, and victim hostname) are populated in the events when threats are detected from the destination/server. To swap the attacker/victim fields in the events in the event viewer, go to /var/data/updater/threat_defense/td_http_sigs.xml, look for a pcap such as 1060 and change the <swap-attacker-victim> field to "true" from the default value of "false" and restart the services.

37. Verify that the new attacker/victim fields (4 fields to validate: attacker, attacker hostname, victim, and victim hostname) are populated in the TLS complete/Flow deny events when TLS decryption is enabled and a decryption policy is configured.

38. Verify that the new attacker/victim fields (4 fields to validate: attacker, attacker hostname, victim, and victim hostname) are not populated in the events in the threat defense view and the all events view (by adding those columns) when no threats are detected.

39. Verify the functionality of non threat related events in the threat defense view in the event viewer. Generate some events with threats and some events without threats and validate that the events without threats are not seen in the threat defense tab.

40. Verify that the user is able to edit an access policy and the corresponding threat objects from the event viewer.

41. Verify that a new tab named Threat Defense exists in the Devices page.

42. Verify that a drop down menu of threat profiles is available for the user to choose from for the Global threat profile, and a Submit button.

43. Verify that the user can pick any of the previously configured threat profiles, including the default threat profile and None, as the Global Threat profile and apply it.

44. Verify that the addition/deletion of a threat profile object gets reflected in the available options for the Global threat profile.

45. Verify that a fresh software install on the device comes with a pre-selected/enabled Global Threat Profile.

46. Verify the default behavior for threat prevention updates (i.e. the threat prevention component gets updated by default on a fresh software install on the device and when the user has not explicitly disabled updates).

47. Verify the functionality of full updates for the threat prevention component when an update becomes available. Check the event viewer for the corresponding events in the System Event View and the updater_connector.log.

48. Verify the functionality of threat prevention updates with traffic passing through the device (traffic running through falcon).

49. Verify the functionality of threat prevention updates when the device reloads in the middle of the update process (falcon reloads, or the services are restarted, in the middle of the update process).

50. Verify the functionality when the user has explicitly disabled threat prevention updates in the GUI by selecting the "Never check" option for Updates in the Device>>Updates page.

51. Verify that the drill down page of Top Threats is populated accurately, with the Threats summary, Top Policies, Top Attackers and Top Victims dashlets.

52. Verify that reporting data for Top Threats changes accordingly with different time ranges in the drill down page.

53. Verify the navigation to the event viewer from the dashlets (Top Policies, Top Attackers and Top Victims) in the Top Threats drilldown page.

54. Verify that traffic that Threat Prevention identifies as not being of interest is not scanned by the scanner. Send some traffic/pcaps with a magic/mime-type that the engines have no signatures for through falcon and set the logs to debug level. Check the logs to verify that the threat defense engines do not inspect the traffic and that a debug message of the format "DEBUG Scanners.HttpThreatProtectionPlugin - Skipping threat scanning due to nextStage mismatch" is seen.

55. Verify that traffic with a magic/mime-type recognized by the threat prevention engines still gets scanned by the scanner and threats are generated accurately.

56. Verify threats in non-http-tcp (tls) traffic. Configure aggressive, alert only, and ignore all threat profile objects. Configure an access policy with the aggressive threat profile. Enable decryption and configure a decryption policy that decrypts all tls traffic. Add the cert used by stunnel as a root cert. Use stunnel and wireplay to replay a pcap of non-http-tcp traffic (tls) containing a threat. Verify that threats are scanned in tls_proxy.log (DEBUG LEVEL). Verify that threat events (Flow Deny) are seen in the threat defense events tab with the threat fields filled in. Test several pcap files. Change the access policy to use the alert only threat profile & replay the pcap. Verify scanning occurs and that a TLS Complete event is seen with the threat fields filled in. Test several pcap files. Change the access policy to use the ignore all threat profile & replay the pcap. Verify scanning occurs and that a TLS Complete event is seen only in the Context Aware tab with no threat fields filled in. Verify there is no event in the Threat Protection tab. Test several pcap files.

57. Verify threats in non-http-tcp (tls) traffic using Global threat profiles. Repeat the above test case Txw1201278c, except use the Global threat profile instead of an Access policy.

58. Verify header de-obfuscation of premature request ending. Use wireplay to replay 5035-0_whisker_I3M2.pcap. Verify the signature fires.

59. Verify header de-obfuscation of long URLs. Use netcat to send "GET /<~2000 character long string>/../faxsurvey? HTTP/1.0"<enter><enter> from the client (found in file 2000ish_chars_long_url). Verify the signature fires. Check the monocle log (at TRACE level) to ensure the full string was scanned.

60. Verify header de-obfuscation of case sensitivity. Use wireplay to replay 5035-0_whisker_I7M2.pcap. Verify the signature fires.

61. Verify header de-obfuscation of percent encoding. Use wireplay to replay 5035-0_whisker_I1M2.pcap. Verify the signature fires.

62. Verify header de-obfuscation of reverse traversal. Use wireplay to replay 5035-0_whisker_I2M2.pcap. Verify the signature fires.

63. Verify header de-obfuscation of Microsoft %u encoding. Use netcat to send "GET /%u0066axsurve%u0065y HTTP/1.0"<enter><enter> from the client. Verify the signature fires.

64. Verify header de-obfuscation of HTTP misencoding (tabs). Use wireplay to replay 5035-0_whisker_I6M2.pcap. Verify the signature fires.

65. Verify header de-obfuscation of the windows \ delimiter. Use wireplay to replay 5035-0_whisker_I8M2.pcap. Verify the signature fires.

66. Verify header de-obfuscation of parameter hiding. Use wireplay to replay 5035-0_whisker_I5M2.pcap. Verify the signature fires.

67. Verify header de-obfuscation of session splicing. Use wireplay to replay 5035-0_whisker_I9M2.pcap. Verify the signature fires.

68. Verify header de-obfuscation of double deobfuscation. Use netcat to send "GET /f%2561xsurvey HTTP/1.0"<enter><enter> from the client (found in file double-deob). For <enter> use ^V^M Enterkey, so that CR,LF is sent. Verify the signature fires.

69. Verify header de-obfuscation of Base 36 encoding. Use netcat to send "GET /%e0%81%9m%dg%81%q1%6osurvey"<enter><enter> from the client (found in file "base36"). Verify the signature fires.

70. Verify header de-obfuscation of info in the header, but not in the first line of the request. Use netcat to send "GET / HTTP/1.0"<enter>"Host: extr%61s.u%62untu.%63om"<enter><enter> from the client (found in file header_for_deob). For <enter> use ^V^M Enterkey, so that CR,LF is sent. Verify by looking at the TRACE level monocle log that the header was deobfuscated.

71. Verify the correct number of monocle/combined, monocle/major, monocle/minor processes are spawned on higher end Saleen hardware. Test on at least one Saleen hardware 5545 or above. Issue ps -ef.

72. Verify the correct number of monocle/combined, monocle/major, monocle/minor processes are spawned on lower end Saleen hardware. Test on at least one Saleen hardware 5512, 5515 or 5525. Issue ps -ef.

73. Verify the correct number of monocle/combined, monocle/major, monocle/minor processes are spawned on Spyker hardware. Test on at least one Spyker hardware, A or B. Issue ps -ef.

74. Verify that processes are spawned correctly in a VM system. Note: in a VM, we can only test separate versus combined (cannot test the # of processes because it's always 1 in a VM). Stop services. Edit /etc/model.conf. Change "product" to ASA5512, ASA5515, ASA5525. Start services. Issue ps -ef. For those product names, you should see combined processes (i.e. there are monocle process(es), but no sherlock process(es)). For any other product strings, the processes are split, i.e. there are equal numbers of monocle process(es) and sherlock process(es).

75. Verify that the Threat Protection event tab displays the Action field (instead of Event Type) and populates it correctly for HTTP events. Configure threat profile objects & attach a profile to either an access policy or the global threat profile (optional). Use wireplay to replay PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied. Verify that HTTP Complete events actually show up in the Threat Protection Events tab with "Info" in the action field. Verify that HTTP Deny events actually show up in the Threat Protection Events tab with "Deny" in the action field.

76. Verify that the Threat Protection event tab displays the Action field (instead of Event Type) and populates it correctly for TLS Proxy events. Configure threat profile objects & attach a profile to either an access policy or the global threat profile (optional). Use wireplay and stunnel to replay PCAPS with threats in TLS traffic, some of which are allowed and some of which are denied. Verify that TLS Complete events actually show up in the Threat Protection Events tab with "Info" in the action field. Verify that Flow Deny events actually show up in the Threat Protection Events tab with "Deny" in the action field.

77. Verify that the defaults for Threat Protection are updated. Navigate to the Threat Protection tab of the Event Viewer. Verify that the correct set of default fields is displayed: Receive Time, Action, Policy Name, Threat, Threat Category, Threat Score, Attacker, Target, Deny Reason.

78. Verify the predictive defense process and logging. Issue ps -ef. Tail/view the logs for PD. Recycle the pde process (heimdall_svc pde recycle). Change the logging level (for now, goes with the monocle setting). Expected: There is a process running for PD. There are no errors in the pde log files (pde.log and stdout_pde.log, which may be 0 length at the beginning). Recycling of the process produces logging entries. The logging level can be changed.

79. Verify that the Threat Protection event tab displays the Attacker and Target fields and populates them with user name/hostname/ip address when threats are detected from the source/client.
Procedure:
- Create a realm named xsa of type standard LDAP, a directory and a corresponding auth policy.
- Configure a threat profile object and attach the created threat profile to an access policy or use the existing global threat profile (optional).
- Use wireplay to replay PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- From the internal client, authenticate as user jeff.williams/xsaxsa and then use wireplay to replay the above PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
Expected Results:
- Verify that HTTP Complete events show up in the Threat Protection Events tab with the IP address or hostname (if it exists) in the Attacker field.
- Verify that HTTP Complete events show up in the Threat Protection Events tab with the username in the Attacker field.

80. Verify that the Threat Protection event tab displays the Attacker and Target fields and populates them with user name/hostname/ip address when threats are detected from the destination/server.
Procedure:
- Create a realm named xsa of type standard LDAP, a directory and a corresponding auth policy.
- Configure a threat profile object and attach the created threat profile to an access policy or use the existing global threat profile (optional).
- To originate the threats from the destination/server, go to /var/data/updater/threat_defense/sigs/td_http_sigs.xml and change the swap-attacker-victim flag to true instead of false and restart the services.
- Use wireplay to replay PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- From the internal client, authenticate as user jeff.williams/xsaxsa and then use wireplay to replay the above PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
Expected Results:
- Verify that HTTP Complete events show up in the Threat Protection Events tab with the IP address or hostname (if it exists) in the Target field.
- Verify that HTTP Complete events show up in the Threat Protection Events tab with the username in the Target field.

81. Verify that the Attacker/Target dashlets in the Threat protection report are accurately populated with user name/hostname/ip address.
Procedure:
- Create a realm named xsa of type standard LDAP, a directory and a corresponding auth policy.
- Configure a threat profile object and attach the created threat profile to an access policy or use the existing global threat profile (optional).
- Use wireplay to replay PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- From the internal client, authenticate as user jeff.williams/xsaxsa and then use wireplay to replay the above PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- To originate the threats from the destination/server, go to /var/data/updater/threat_defense/sigs/td_http_sigs.xml and change the swap-attacker-victim flag to true instead of false and restart the services. Replay PCAPS using wireplay with threats in HTTP traffic, some of which are allowed and some of which are denied.
Expected Results:
- Verify that the Top Attackers dashlet in the Threat Prevention report landing page is populated correctly with the IP address or hostname (if it exists).
- Verify that the Top Attackers dashlet in the Threat Prevention report landing page is populated correctly with the username.
- Verify that the Top Targets dashlet in the Threat Prevention report landing page is populated correctly with the username.

82. Verify threats in non-http-tcp, non-tls (but still tcp) traffic. Configure aggressive, alert only and ignore all threat profile objects. Configure an access policy with the aggressive threat profile. Use wireplay to replay a pcap of non-http-tcp, non-tls (but still tcp) traffic containing a threat. Verify that threat events (Deny) are seen in the threat defense events tab with the threat fields filled in. Test several pcap files. Change the access policy to use the alert only threat profile & replay the pcap. Verify scanning occurs and that an Info Action is seen with the threat fields filled in. Test several pcap files. Change the access policy to use the ignore all threat profile & replay the pcap. Verify scanning occurs and that a Flow Complete event is seen only in the Context Aware tab with no threat fields filled in. Verify there is no event in the Threat Protection tab. Test several pcap files.

83. Verify threats in non-http-tcp, non-tls (but still tcp) traffic using Global threat profiles. Repeat the above test case Txw1363273c, except use the Global threat profile instead of an Access policy.

84. Verify threats in http traffic. Configure aggressive, alert only and ignore all threat profile objects. Configure an access policy with the aggressive threat profile. Use wireplay to replay a pcap of http traffic containing a threat. Verify that threat events (Deny) are seen in the threat defense events tab with the threat fields filled in. Test several pcap files. Change the access policy to use the alert only threat profile & replay the pcap. Verify scanning occurs and that an Info Action is seen with the threat fields filled in. Test several pcap files. Change the access policy to use the ignore all threat profile & replay the pcap. Verify scanning occurs and that an HTTP Complete event is seen only in the Context Aware tab with no threat fields filled in. Verify there is no event in the Threat Protection tab. Test several pcap files.

85. Verify threats in http traffic using Global threat profiles. Repeat the above test case Txw1363277c, except use the Global threat profile instead of an Access policy.

86. Verify that the Top attackers dashlet in the Threat Protection report is accurately populated.
Procedure:
- Create a realm named xsa of type standard LDAP, a directory and a corresponding auth policy.
- Configure a threat profile object and attach the created threat profile to an access policy or use the existing global threat profile (optional).
- Use wireplay to replay PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- From the internal client, authenticate as user jeff.williams/xsaxsa and then use wireplay to replay the above PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- To originate the threats from the destination/server, go to /var/data/updater/threat_defense/sigs/td_http_sigs.xml and change the swap-attacker-victim flag to true instead of false and restart the services. Replay PCAPS using wireplay with threats in HTTP traffic, some of which are allowed and some of which are denied.
- Select different options available in the Time Range pull down menu in the Threat Protection report landing page.
- Click on the Transactions and Data Usage tabs in the Top attackers dashlet.
- Click on the available options for the Transactions pull down menu in the Top attackers dashlet.
Expected Results:
- Verify that the Top Attackers dashlet in the Threat Prevention report landing page is populated correctly with the IP address or hostname (if it exists).
- Verify that the Top Attackers dashlet in the Threat Prevention report landing page is populated correctly with the username.
- Verify that the Top Targets dashlet in the Threat Prevention report landing page is populated correctly with the username.
- Verify that the reporting data in the Top attackers dashlet changes accordingly with different time ranges.
- Verify that the report data changes accordingly and accurately with the selection of the Transactions and Data Usage tabs in the Top Attackers dashlet.
- Verify that the report data changes accordingly and accurately with the selection of All, Denied and Allowed in the Transactions pull down menu of the Top Attackers dashlet.

87. Verify the drill down functionality for report data from the Top Attackers dashlet in the Threat Protection report landing page.
Procedure:
- Configure a threat profile object and attach the created threat profile to an access policy or use the existing global threat profile (optional).
- Use wireplay to replay PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- Click on the ip address/username/graphical bar in the Top attackers dashlet.
- Select different options available in the Time Range pull down menu in the Top Attackers drill down page.
- Click on the Transactions and Data Usage tabs in each of the dashlets.
- Click on the available options for the Transactions pull down menu in each of the dashlets in the drill down page.
Expected Results:
- Verify that the Top attackers dashlet in the Threat Prevention report landing page is populated correctly with the IP address or hostname or username (if it exists).
- Verify that the drill down page specific to the attacker is displayed.
- Verify that the drill down report page is populated accurately with the Attackers summary, Policies detecting maximum threats, Top Targets and Threats dashlets.
- Verify that the reporting data in the drill down page changes accordingly with different time ranges in all the dashlets.
- Verify that the report data changes accordingly and accurately with the selection of the Transactions and Data Usage tabs in each of the dashlets in the drill down page.
- Verify that the report data changes accordingly and accurately with the selection of the All, Denied and Allowed options for Transactions in each of the dashlets in the drill down page.

88. Verify the modal overlay of the Top Attackers report.
Procedure:
- Configure a threat profile object and attach the created threat profile to an access policy or use the existing global threat profile (optional).
- Use wireplay to replay PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- Click on View more in the Top attackers dashlet.
- Select different options available in the Time Range pull down menu in the Top Attackers modal overlay report.
- Click on values and percentages in the modal overlay report.
- Select different options available in the Items shown pull down menu in the Top Attackers modal overlay report.
- Click on any of the column names in the Top attackers modal overlay.
- Choose an attacker (i.e. an entry in the Attackers column) and click on the corresponding number in the Transactions column beside it.
Expected Results:
- Verify that the Top attackers dashlet in the Threat Prevention report landing page is populated correctly with the IP address or hostname or username (if it exists).
- Verify that a modal overlay report displaying all the Top attackers is displayed.
- Verify that the reporting data in the Top attackers modal overlay changes accordingly with different time ranges.
- Verify that the Top Attackers report data changes accordingly and accurately with the selection of values and percentages.
- Verify that the report data changes accordingly and accurately with the selection of 10, 100 and 1000 in the Items shown pull down menu in the Top Attackers modal overlay.
- Verify that the Top attackers report data gets sorted by that column in descending order. Verify that on clicking the column name a second time, it displays the report data sorted by the column in ascending order.
- Verify that a list of all the transactions/events specific to the attacker is listed in the event viewer.

89. Verify the drill down functionality for report data from the Top Attackers dashlet in the Threat Protection report landing page.
Procedure:
- Configure a threat profile object and attach the created threat profile to an access policy or use the existing global threat profile (optional).
- Use wireplay to replay PCAPS with threats in HTTP traffic, some of which are allowed and some of which are denied.
- Click on the ip address/username/graphical bar in the Top attackers dashlet.
- Select different options available in the Time Range pull down menu in the Top Attackers drill down page.
- Click on the Transactions and Data Usage tabs in each of the dashlets.
- Click on the available options for the Transactions pull down menu in each of the dashlets in the drill down page.
Expected Results:
- Verify that the Top attackers dashlet in the Threat Prevention report landing page is populated correctly with the IP address or hostname or username (if it exists).
- Verify that the drill down page specific to the attacker is displayed.
- Verify that the drill down report page is populated accurately with the Attackers summary, Policies detecting maximum threats, Top Targets and Threats dashlets.
- Verify that the reporting data in the drill down page changes accordingly with different time ranges in all the dashlets.
- Verify that the report data changes accordingly and accurately with the selection of the Transactions and Data Usage tabs in each of the dashlets in the drill down page.
- Verify that the report data changes accordingly and accurately with the selection of the All, Denied and Allowed options for Transactions in each of the dashlets in the drill down page.

90. Verify the modal overlay of Top Attackers report.

Procedure:
- Configure a threat profile object and attach the created threat profile to an access policy, or use the existing global threat profile (optional).
- Use wireplay to replay PCAPs with threats in HTTP traffic, some of which are allowed and some of which are denied.
- Click on View more in the Top attackers dashlet.
- Click on any of the column names in the Top attackers modal overlay.
- Select different options available in the Time Range pull down menu in the Top Attackers modal overlay report.
- Select different options available in the Items shown pull down menu in the Top Attackers modal overlay report.
- Click on values and percentages in the modal overlay report.
- Choose an attacker (i.e. an entry in the Attackers column) and click on the corresponding number in the Transactions column beside it.

Expected Results:
- Verify that the Top attackers dashlet in the Threat Prevention report landing page is populated correctly with IP address, hostname or username (if it exists).
- Verify that a modal overlay report displaying all the Top attackers is displayed.
- Verify that the Top attackers report data gets sorted by that column in descending order. Verify that clicking the column name a second time displays the report data sorted by that column in ascending order.
- Verify that the reporting data in the Top attackers modal overlay changes accordingly with different time ranges.
- Verify that the report data changes accordingly and accurately with the selection of 10, 100 and 1000 in the Items shown pull down menu in the Top Attackers modal overlay.
- Verify that the Top Attackers report data changes accordingly and accurately with the selection of values and percentages.
- Verify that a list of all the transactions/events specific to the attacker is listed in the event viewer.

91. Verify the drill down functionality for report data from Top Attackers dashlet in Threat Protection report landing page.

Procedure:
- Configure a threat profile object and attach the created threat profile to an access policy, or use the existing global threat profile (optional).
- Use wireplay to replay PCAPs with threats in HTTP traffic, some of which are allowed and some of which are denied.
- Click on the IP address/hostname/username/graphical bar in the Top attackers dashlet.
- Select different options available in the Time Range pull down menu in the Top Attackers drill down page.
- Click on the available options for the Transactions pull down menu in each of the dashlets in the drill down page.
- Click on the Transactions and Data Usage tabs in each of the dashlets.

Expected Results:
- Verify that the Top attackers dashlet in the Threat Prevention report landing page is populated correctly with IP address, hostname or username (if it exists).
- Verify that the drill down page specific to the attacker is displayed.
- Verify that the drill down report page is populated accurately with the Attackers summary, Policies detecting maximum threats, Top Targets and Threats dashlets.
- For MDM/SMX, verify that the Devices dashlet is displayed in the drill down page and is populated accurately.
- Verify that the reporting data in the drill down page changes accordingly with different time ranges in all the dashlets.
- Verify that the report data changes accordingly and accurately with the selection of the All, Denied and Allowed options for Transactions in each of the dashlets in the drill down page.
- Verify that the report data changes accordingly and accurately with the selection of the Transactions and Data Usage tabs in each of the dashlets in the drill down page.

92. Verify the modal overlay of Top Attackers report.

Procedure:
- Configure a threat profile object and attach the created threat profile to an access policy, or use the existing global threat profile (optional).
- Use wireplay to replay PCAPs with threats in HTTP traffic, some of which are allowed and some of which are denied.
- Click on View more in the Top attackers dashlet.
- Click on any of the column names in the Top attackers modal overlay.
- Select different options available in the Time Range pull down menu in the Top Attackers modal overlay report.
- Select different options available in the Items shown pull down menu in the Top Attackers modal overlay report.
- Click on values and percentages in the modal overlay report.
- Choose an attacker (i.e. an entry in the Attackers column) and click on the corresponding number in the Transactions column beside it.
- Choose an attacker (i.e. an entry in the Attackers column) and click on it.

Expected Results:
- Verify that the Top attackers dashlet in the Threat Prevention report landing page is populated correctly with IP address, hostname or username (if it exists).
- Verify that a modal overlay report displaying all the Top attackers is displayed.
- Verify that the Top attackers report data gets sorted by that column in descending order. Verify that clicking the column name a second time displays the report data sorted by that column in ascending order.
- Verify that the reporting data in the Top attackers modal overlay changes accordingly with different time ranges.
- Verify that the report data changes accordingly and accurately with the selection of 10, 100 and 1000 in the Items shown pull down menu in the Top Attackers modal overlay.
- Verify that the Top Attackers report data changes accordingly and accurately with the selection of values and percentages.
- Verify that a list of all the transactions/events specific to the attacker is listed in the event viewer.
- Verify that the drill down page specific to the attacker is displayed.
- Verify that the drill down report page is populated accurately with the Attackers summary, Policies detecting maximum threats, Top Targets and Threats dashlets.
- For MDM/SMX, verify that the Devices dashlet is displayed in the drill down page and is populated accurately.

93. Verify that we can skip scanning traffic for threats based on the NBAR verdict (bittorrent)

Procedure:
- Default configuration is fine.
- Tail the Sherlock log file (at DEBUG level; currently follows HTTP).
- Pass a pcap containing bittorrent traffic.

Expected Results:
- Verify that a single copy of a message along the lines of "Skipping threat scanning of body. BAVC verdict: 1022" is seen in the log.
- Also verify that the message "Not submitting event: event was sent back to data plane" is seen.
- Verify that a Flow Complete message is seen in the Context Aware Security tab of the Event Viewer.

94. Verify Threat protection Overall view is displayed properly
    Threat Protection page shows all necessary dashlets properly and all links work properly.

95. Generate Report
    Verify that you can generate a report when clicking on Generate report.

96. Time range reports proper threat defense alarms
    Verify that the proper report is generated, showing the proper threat defense components based on the provided time range.

97. Clicking on different links in Dashlets
    Verify that all the links in the dashlets work properly and that proper information is displayed.

98. Policies detecting maximum threats
    Verify that the maximum threats works properly.

99. Policies dashlet
    Verify that the Policies dashlet reports the proper threats.

100. Data Usage in Policies dashlet
    Verify that Data usage in the Policies dashlet works properly.

101. Top attackers Dashlet
    Verify that the Top attackers dashlet in the Threat Protection page works properly.

102. Top attackers drop down list
    Verify that the Top attackers drop down list works properly.

103. View More in Top attacker dashlet
    Verify that the View More button in Top attacker works properly.

104. Data usage in Top attackers dashlet
    Verify that the Data usage button is working properly in the Top Attackers dashlet.

105. Top target dashlet
    Verify that the Top target dashlet is working properly.

106. Top target dashlet functionality
    Verify that the Top target dashlet components and links work properly.

107. Data usage in Top target
    Verify that Data usage works properly in Top target.

108. Threats
    Verify that threats are displayed properly.

109. Top threats
    Verify that top threats works properly.

110. Top threats
    Verify that top threats works properly.

111. Verify that LSI POST results are reported properly when POST passes

Procedure: On a Spyker blade (which has LSI hardware) that is functioning properly, issue the following commands to check the reporting of LSI POST:
- Show platform hardware regex
- Show tech support
- Check system events in the GUI.

Expected results:
- Show platform hardware regex output indicates that LSI POST passed.
- Show tech support output contains the result of "show platform hardware regex".
- There is a system event with the status of LSI POST (passed).

112. Verify that LSI status is evented properly when the LSI card is physically removed

Procedure: Modify a Spyker blade such that the LSI card is removed. Once the card comes up, perform the following checks:
- Show platform hardware regex
- Show tech support
- Check system events in the GUI.

Expected results:
- Show platform hardware regex output indicates that LSI POST reports "LSI RegexAccelerator not present".
- Show tech support output contains the result of "show platform hardware regex".
- There is a system event with the status of LSI unavailable.

113. Verify that LSI POST results are reported properly when POST fails

Procedure: On a Spyker blade (which has LSI hardware) that is functioning properly, use root access to modify a file that the LSI card needs (modify /opt/lsi/platform_hooks/load and insert the line "exit 0" at the top of the script). Reboot the card. Issue the following commands to check the reporting of LSI POST:
- Show platform hardware regex
- Show tech support
- Check system events in the GUI.

Expected results:
- Show platform hardware regex output indicates that LSI POST failed.
- Show tech support output contains the result of "show platform hardware regex".
- There is a system event with the status of LSI POST (failed).

114. Verify that the platform telemetry data is collected in the SIGN Up client logs for a standalone ASA-CX device and is accurate.

Procedure:
- Configure a threat profile object and attach the created threat profile to an access policy.
- Configure file filtering and web reputation profiles on the device.
- Enable decryption and configure a decryption policy on the device.
- Create a realm and add the corresponding directory config to the realm.
- Configure an any/any authentication policy (with action: Get identity via active authentication) and associate it with the realm.
- Send some traffic through the box.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file).
- Refer to the wiki http://wikicentral.cisco.com/display/PROJECT/Falcon+Telemetry+Data for a detailed explanation of all the fields mentioned above and their expected results.

115. Verify that the recently collected platform telemetry data reflects the changes accurately after adding/deleting one or more policies and profiles.

Procedure:
- Repeat the test steps as mentioned above, in test case 1.
- Configure another threat profile object and a couple more access policies.
- Attach the newly configured threat profile object to one of the newly configured access policies.
- Send some traffic through the box.
- Delete an access policy.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, total_policies, access_policies, threat_profiles, realms, and top_applications) are modified accurately in the SIGN Up client logs (in the /var/log/cisco/signup.log file).
- Verify that the access_policies field in the collected platform telemetry data gets updated accurately to reflect the deleted access policy.

116. Verify that the platform telemetry data gets collected and is accurate after the device restarts/reboots.

Procedure:
- Repeat the test steps as mentioned above, in test case 1.
- Reload/Restart the device.
- Once the device comes up and becomes operational, send some traffic through the box.
- Forcefully kill the sign_up process (issue a kill or pkill command).
- Forcefully kill the monitord process.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file).
- Verify that the platform telemetry data gets collected in the signup log after the device comes up and that all the above mentioned fields are accurately populated.
- Verify that the platform telemetry data gets collected and is accurate after the sign_up process comes back up.
- Verify that the platform telemetry data gets collected in the signup logs and is accurate after the monitord process comes back up.

117. Verify that the platform telemetry data gets collected and is accurate after upgrading the stand-alone ASA-CX device to a latest software image.

Procedure:
- Repeat the test steps as mentioned above, in test case 1.
- Upgrade to the latest software image and reload the device.
- Once the device comes up and becomes operational with the newer software, send some traffic through the box.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file).
- Verify that the telemetry data gets collected in the signup log after the device comes up and that all the above mentioned fields are accurately populated.

118. Verify that the platform telemetry data is collected in the SIGN Up client logs for a single, managed ASA-CX device and is accurate.

Procedure:
- Log into SMX, and discover an ASA-CX device in SMX.
- Configure a threat profile object and attach the created threat profile to an access policy.
- Configure file filtering and web reputation profiles in SMX.
- Enable decryption and configure a decryption policy in SMX.
- Create a realm and add the corresponding directory config to the realm.
- Configure an any/any authentication policy (with action: Get identity via active authentication) and associate it with the realm.
- Send some traffic through the ASA-CX.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Refer to the wiki http://wikicentral.cisco.com/display/PROJECT/Falcon+Telemetry+Data for a detailed explanation of all the fields mentioned above and their expected results.

119. Verify that the platform telemetry data is collected in the SIGN Up client logs after adding one or more ASA-CX devices to PRSM.

Procedure:
- Repeat the test steps as mentioned above, in test case 5.
- Configure a threat profile object and attach the created threat profile to an access policy on another ASA-CX device.
- Configure file filtering and web reputation profiles on the device as well.
- Add/discover this ASA-CX in SMX.
- Configure a couple of access policies on the device-group of the newly discovered ASA-CX device.
- Send some traffic through both the ASA-CX devices.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Verify that the following fields (startTimeStamp, endTimeStamp, devices, total_policies, access_policies, threat_profiles, web_reputation_profiles, and top_applications) are modified accurately in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX after adding the new ASA-CX device.

120. Verify that the recently collected platform telemetry data reflects the changes accurately after adding/deleting one or more policies and profiles in PRSM.

Procedure:
- Repeat the test steps as mentioned above, in test case 5.
- Configure another threat profile object and a couple more access policies.
- Attach the newly configured threat profile object to one of the newly configured access policies.
- Send some traffic through the box.
- Delete an access policy and a threat profile.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX/PRSM.
- Verify that the following fields (startTimeStamp, endTimeStamp, total_policies, access_policies, threat_profiles, realms, and top_applications) are modified accurately in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Verify that the access_policies and threat_profiles fields in the collected platform telemetry data get updated accurately to reflect the deleted policies and profiles.

121. Verify that the platform telemetry data gets collected and is accurate after PRSM reboots/restarts.

Procedure:
- Repeat the test steps as mentioned above, in test case 6.
- Reload/restart SMX/PRSM.
- Once the devices come up and PRSM becomes operational, send some traffic through the box.
- Forcefully kill the sign_up process (issue a kill or pkill command).
- Forcefully kill the monitord process.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Verify that the platform telemetry data gets collected in the SIGN Up client logs of SMX and is accurate after PRSM comes up and becomes operational.
- Verify that the platform telemetry data gets collected and is accurate after the sign_up process comes back up.
- Verify that the platform telemetry data gets collected in the signup logs and is accurate after the monitord process comes back up.

122. Verify that the platform telemetry data gets collected and is accurate after upgrading PRSM/SMX to a latest software image.

Procedure:
- Repeat the test steps as mentioned above, in test case 6.
- Upgrade the ASA-CX devices and PRSM/SMX to the latest software image and reload.
- Once the devices come up and become operational with the newer software, send some traffic through the box.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Verify that the platform telemetry data gets collected in the signup log after the devices come up and that all the above mentioned fields are accurately populated.

123. Verify that the platform telemetry data gets collected and is accurate after one or more ASA-CX devices reboot/restart.

Procedure:
- Repeat the test steps as mentioned above, in test case 6.
- Reload/restart one of the ASA-CX devices.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Verify that the platform telemetry data gets collected in the SIGN Up client logs of SMX and is accurate after the reloaded ASA-CX device comes up and becomes operational.

124. Verify that the platform telemetry data gets collected and is accurate after unmanaging one or more ASA-CX devices from PRSM.

Procedure:
- Repeat the test steps as mentioned above, in test case 6.
- Switch to single-device mode/delete an ASA-CX from SMX/PRSM.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Verify that the devices field in the collected platform telemetry data is modified accurately in the SIGN Up client logs of SMX after deleting/unmanaging the ASA-CX device.

125. Verify that the Threats dashlet works properly in the Network overview page
    Verify that the Threat dashlet works properly in the Dashboard -> Network Overview page.

126. Verify the addition of a new section to the "View Details" pane of the events for threat protection when threats are detected

127. Verify that the threat protection fields (threat name, score, category, attacker, victim, etc.) are populated and are accurate

128. Verify the absence of the Threats section in the "View details" pane of the events when no threats are detected.

129. Verify that threat protection events are sent to SystemEventView
    This test case verifies that a series of events are sent to SystemEventView.

130. Verifying logging format and level changes for telemetry data.

Procedure:
1. Open up a browser with the ASA-CX IP, navigate to Device>>Configuration>>Logging and change the management-plane logging level to TRACE.
2. Open up an ssh session to the ASA-CX, go to /cisco/heimdall/etc/monitord.conf and add an argument '-t' to the program_arguments variable.
3. Restart the Cisco services.

Expected Results:
1. Verify that a log level message such as "2013-02-12 12:24:38.236 - root - [DEBUG] status: OK id: SET_LOG_LEVEL" is seen in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file).
2. Verify that the logging format of the telemetry data has changed in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file).

131. Verify that the backend FBNP server is receiving telemetry data for an ASA-CX device in both unmanaged and managed modes.

Procedure:
1. Repeat test steps 1-3 as in test case 1.
2. Log into the backend FBNP server (i.e. SSH to bastion1.sfo.ironport.com and from there ssh to qafbnp-app002.vega.ironport.com) and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log. Check the logs in the /data/ironport/phonehomelogs/ directory.
3. Log into SMX, and discover an ASA-CX device in SMX.

Expected Results:
- Verify that this phone home log provides the info on who made a connection and whether the telemetry package received can be authenticated and decoded successfully. A successful telemetry package sent should result in log entries like the following:
  INFO AUTH SUCCESS <dict/udi>: ip=173.37.40.9, auth={'udi': '0bb93985f42d941e50dc8f022350d1a8033958cdc7050750aa5c503d0ad5e71e491c060954d870f6fab6a9d336e59bbdfd4864e8c56552d78702202862f1214a'}, decrypted=PID: ASA-SSM-10, SN: JAD1618024A, vln=n/a
- Verify that this directory contains the actual telemetry packet that was sent from the ASA-CX device and verify that each packet has the following content (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) populated and accurate, just as seen in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file).
- Verify that the telemetry data as described in step 2 gets collected in the same phone home log for SMX in the FBNP server.

132. Verify the functionality of good platform telemetry updates on a stand alone CX device.

Procedure:
- Configure a threat profile object and attach the created threat profile to an access policy.
- Configure file filtering and web reputation profiles on the device.
- Enable decryption and configure a decryption policy on the device.
- Create a realm and add the corresponding directory config to the realm.
- Configure an any/any authentication policy (with action: Get identity via active authentication) and associate it with the realm.
- Send some traffic through the box.
- Shutdown the updater (using the CLI "heimdall_svc down updater_connector") and update the system.
- Start the updater again (using the CLI "heimdall_svc up updater_connector").
- Send some traffic through the box again.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file).
- Refer to the wiki http://wikicentral.cisco.com/display/PROJECT/Falcon+Telemetry+Data for a detailed explanation of all the fields mentioned above and their expected results.
- Validate that the new update is downloaded and applied properly.
- Verify that a corresponding system event gets generated and can be seen in the event viewer.
- Verify that the updater UI (Device>>Updates>>Updates) shows the version and timestamps correctly.
- Validate that after the update, the platform telemetry data gets collected in the SIGNUP client logs and is accurate.

133. Verify whether the platform telemetry update will continue to apply after the ASA-CX device reboots/reloads in the middle of the update process.

Procedure:
- Repeat test steps 1-6 in test case 1.
- Reload/Restart the device.
- Once the device comes up and becomes operational, send some traffic through the box.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file).
- Refer to the wiki http://wikicentral.cisco.com/display/PROJECT/Falcon+Telemetry+Data for a detailed explanation of all the fields mentioned above and their expected results.
- Validate that the new update is downloaded and applied properly after the device comes up and becomes operational.
- Verify that a corresponding system event gets generated and can be seen in the event viewer.
- Verify that the updater UI (Device>>Updates>>Updates) shows the version and timestamps correctly.
- Validate that after the update, the platform telemetry data gets collected in the SIGNUP client logs and is accurate.

134. Verify the functionality of good platform telemetry updates on a managed ASA-CX device.

Procedure:
- Log into SMX, and discover an ASA-CX device in SMX.
- Configure a threat profile object and attach the created threat profile to an access policy.
- Configure file filtering and web reputation profiles in PRSM/SMX.
- Enable decryption and configure a decryption policy in PRSM/SMX.
- Create a realm and add the corresponding directory config to the realm.
- Configure an any/any authentication policy (with action: Get identity via active authentication) and associate it with the realm.
- Send some traffic through the device.
- Shutdown the updater (using the CLI "heimdall_svc down updater_connector") and update the system.
- Start the updater again (using the CLI "heimdall_svc up updater_connector").
- Send some traffic through the managed ASA-CX again.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Refer to the wiki http://wikicentral.cisco.com/display/PROJECT/Falcon+Telemetry+Data for a detailed explanation of all the fields mentioned above and their expected results.
- Validate that the new update is downloaded and applied properly.
- Verify that a corresponding system event gets generated and can be seen in the event viewer.
- Verify that the updater UI (Device>>Updates>>Updates) shows the version and timestamps correctly.
- Validate that after the update, the platform telemetry data gets collected in the PRSM SIGNUP client logs and is accurate.

135. Verify whether the platform telemetry update will continue to apply after PRSM reboots/reloads in the middle of the update process.

Procedure:
- Repeat test steps 1-7 in test case 5.
- Reload/Restart the PRSM.
- Once PRSM/SMX comes up and becomes operational, send some traffic through the managed ASA-CX.

Expected Results:
- Verify that the following fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, cpu_usage, disk_utilization, db_size, devices, applications, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, threat_profiles, file_filtering_profiles, web_reputation_profiles, realms, and top_applications) are populated and are accurate in the SIGN Up client logs (in the /var/log/cisco/signup.log file) of SMX.
- Refer to the wiki http://wikicentral.cisco.com/display/PROJECT/Falcon+Telemetry+Data for a detailed explanation of all the fields mentioned above and their expected results.
- Validate that the new update is downloaded and applied properly after PRSM comes up and the managed ASA-CX becomes operational.
- Verify that a corresponding system event gets generated and can be seen in the event viewer.
- Verify that the updater UI (Device>>Updates>>Updates) shows the version and timestamps correctly.
- Validate that after the update, the platform telemetry data gets collected in the PRSM SIGNUP client logs and is accurate.

136. Verify that threat profiles work correctly with 3 or more Alert, Deny, and Ignore exceptions.
Steps:
1-Navigate to Policies, Policies and under Access click on Add new policy
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for the Profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit
6-Pass some traffic using at least 3 pcaps and note the names of the threats.
7-Create an exception for the pcaps by going to Policies, Objects, and Threat Profile, and click on Profile Edit Object.
8-Expand Advanced threat settings. Enter the name of the threats noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object.
9-Now pass the same traffic
10-Change the Action for the same threats to Deny and pass the same pcaps.
11-Change the Action for the same threats to Alert and pass the same pcaps.
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored
11-Traffic is allowed and monitored

137. Verify that threat profiles work properly when multiple Exception types are created in multiple access policies within a single Threat Profile.
Steps:
1-Create multiple Access policies by going to Policies, Policies and under Access click on Add new policy
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for the Profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit. Repeat for all Policies.
6-Pass some traffic using at least 3 pcaps and note the names of the threats.
7-Create an exception for the pcaps by going to Policies, Objects, and Threat Profile, and click on Profile Edit Object.
8-Expand Advanced threat settings. Enter the name of the threats noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object.
9-Now pass the same traffic
10-Change the Action for the same threats to Deny and pass the same pcaps.
11-Change the Action for the same threats to Alert and pass the same pcaps.
12-Change the Action of the threats, one to Alert, another to Deny, and another to Ignore, and pass traffic.
13-Change the Access policies but keep the Threat Profile.
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored
11-Traffic is allowed and monitored
12-Traffic behaves as expected.
13-Threats with Deny are blocked, threats with Ignore are ignored, and threats with Alert are allowed but reported in Events and Threat Protection.

138. Verify that Alert, Deny, and Ignore Exceptions work properly with Threat profiles with varying levels of Risk acceptance.
Steps:
1-Navigate UI to add a new Access Policy.
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for the Profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit
6-Pass some traffic using at least 3 pcaps and note the names of the threats.
7-Create an exception for the pcaps by going to Policies, Objects, and Threat Profile, and click on Profile Edit Object.
8-Expand Advanced threat settings. Enter the name of the threats noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object.
9-Now pass the same traffic
10-Change the Action for the same threats to Deny and pass the same pcaps.
11-Change the Action for the same threats to Alert and pass the same pcaps.
12-Edit the Profile Object and move the Profile slider bars to 100 and save changes and commit. This will allow all traffic and not monitor them. Now pass some traffic.
13-Change the Action for Exception to Alert, then Deny, then Ignore and pass traffic for each action.
14-Change the sliders to the middle of the slider bar and save changes and commit them. And repeat 12-13.
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored. Verify in Events and Dashboard.
11-Traffic is allowed and monitored. Verify in Events and Dashboard.
12-All traffic is allowed and not monitored.
13-Traffic is allowed but reported for Alert case, blocked and reported for Deny case, and ignored for Ignore case. Verify in Events and Dashboard.
14-Traffic that is in Deny will be blocked, for Ignore it will be ignored and for Alert it will alert. For other traffic it will depend on how they fall in the slider bar.

139. Verify that threat profiles work properly when non-http-traffic (TLS) is placed as an exception in Exceptions.
Steps:
1-Navigate to Policies, Policies and under Access click on Add new policy
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for test profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit
6-Pass some non-http-traffic (TLS) traffic (use stunnel to encrypt the traffic and send it over TLS) and note the name of the threat.
7-Create an exception for the pcap by going to Policies, Objects, and Threat Profile, and click on Profile name Edit Object.
8-Expand Advanced threat settings. Enter the name of the threat noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object.
9-Now pass the same traffic
10-Change the Action for the same threat to Deny and pass the same traffic
11-Change the Action for the same threat to Alert and pass the same traffic
12-Edit profile Object and change the slider bar to 100. Here all traffic will be allowed.
13-Repeat the test by passing the same traffic and setting action to Alert, Ignore, and Deny. Make sure it works with Alert, Deny, and Ignore.
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored
11-Traffic is allowed and monitored
12-13: when Action is set to Alert traffic is passed, when set to Deny it is blocked and reported in Events and Threat protection page, when set to Ignore the traffic passes through and does not get reported.

140. Verify that threat profiles work properly when non-http-traffic (TLS) is placed as an exception in Global Exceptions.
Steps:
1-Navigate to Policies, Policies and under Access click on Add new policy
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for test profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit
6-Pass some non-HTTP TLS traffic (use stunnel to encrypt the traffic and send it over TLS) and note the name of the threat.
7-Create an exception for the pcap by going to Policies, Objects, and Threat Profile, and click on Profile name Edit Object.
8-Expand Advanced threat settings. Enter the name of the threat noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object. Also set this profile to Global profile by going to Device, Threat protection and selecting the profile in the drop down list and clicking on submit.
9-Now pass the same traffic
10-Change the Action for the same threat to Deny and pass the same traffic
11-Change the Action for the same threat to Alert and pass the same traffic
12-Edit profile Object and change the slider bar to 100. Here all traffic will be allowed.
13-Repeat the test by passing the same traffic and setting action to Alert, Ignore, and Deny. Make sure it works with Alert, Deny, and Ignore.
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored
11-Traffic is allowed and monitored
12-13: when Action is set to Alert traffic is passed, when set to Deny it is blocked and reported in Events and Threat protection page, when set to Ignore the traffic passes through and does not get reported.

141. Verify that threat profiles work properly when non-HTTP, non-TLS, TCP traffic is placed as an exception in Exceptions.
Steps:
1-Navigate to Policies, Policies and under Access click on Add new policy
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for test profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit
6-Pass some non-HTTP, non-TLS, TCP traffic using proper pcaps and note the name of the threat.
7-Create an exception for the pcap by going to Policies, Objects, and Threat Profile, and click on Profile name Edit Object.
8-Expand Advanced threat settings. Enter the name of the threat noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object. Also set this profile to Global profile by going to Device, Threat protection and selecting the profile in the drop down list and clicking on submit.
9-Now pass the same traffic
10-Change the Action for the same threat to Deny and pass the same traffic
11-Change the Action for the same threat to Alert and pass the same traffic
12-Edit profile Object and change the slider bar to 100. Here all traffic will be allowed.
13-Repeat the test by passing the same traffic and setting action to Alert, Ignore, and Deny. Make sure it works with Alert, Deny, and Ignore.
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored
11-Traffic is allowed and monitored
12-13: when Action is set to Alert traffic is passed, when set to Deny it is blocked and reported in Events and Threat protection page, when set to Ignore the traffic passes through and does not get reported.

142. Verify that Threat Profiles work properly when non-HTTP, non-TLS, TCP traffic is used within a Global Threat profile.
Steps:
1-Navigate to Policies, Policies and under Access click on Add new policy
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for test profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit
6-Pass some non-HTTP, non-TLS, TCP traffic using proper pcaps and note the name of the threat.
7-Create an exception for the pcap by going to Policies, Objects, and Threat Profile, and click on Profile name Edit Object.
8-Expand Advanced threat settings. Enter the name of the threat noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object. Also set this profile to Global profile by going to Device, Threat protection and selecting the profile in the drop down list and clicking on submit.
9-Now pass the same traffic
10-Change the Action for the same threat to Deny and pass the same traffic
11-Change the Action for the same threat to Alert and pass the same traffic
12-Edit profile Object and change the slider bar to 100. Here all traffic will be allowed.
13-Repeat the test by passing the same traffic and setting action to Alert, Ignore, and Deny. Make sure it works with Alert, Deny, and Ignore.
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored
11-Traffic is allowed and monitored
12-13: when Action is set to Alert traffic is passed, when set to Deny it is blocked and reported in Events and Threat protection page, when set to Ignore the traffic passes through and does not get reported.

143. Verify that an http-traffic exception works properly in an Access Policy.
Steps:
1-Navigate to Policies, Policies and under Access click on Add new policy
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for test profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit
6-Pass some traffic using pcaps and make sure it is HTTP pcap traffic, e.g. 1052-0.pcap, and note the name of the threat.
7-Create an exception for the pcap by going to Policies, Objects, and Threat Profile, and click on Profile name Edit Object.
8-Expand Advanced threat settings. Enter the name of the threat noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object.
9-Now pass the same traffic
10-Change the Action for the same threat to Deny and pass the same traffic
11-Change the Action for the same threat to Alert and pass the same traffic
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored
11-Traffic is allowed and monitored

144. Verify that an http-traffic exception works properly in an Access Policy within the Global Threat Profile.
Steps:
1-Navigate to Policies, Policies and under Access click on Add new policy
2-Enter a name for Policy Name
3-Expand profile and click on Create new profile
4-Enter a name for test profile Name and take both slider bars to 0. Here all traffic will be blocked and monitored. Click on Save Object.
5-Click on Save Policy and commit.
6-Pass some traffic using pcaps and make sure it is HTTP pcap traffic, e.g. 1052-0.pcap, and note the name of the threat.
7-Create an exception for the pcap by going to Policies, Objects, and Threat Profile, and click on Profile name Edit Object.
8-Expand Advanced threat settings. Enter the name of the threat noted down in Exceptions and select Ignore for Action and click on Apply. Save Object, and commit object. Make this profile the Global Threat profile by going to Device, Threat protection. Select this threat profile and submit.
9-Now pass the same traffic
10-Change the Action for the same threat to Deny and pass the same traffic
11-Change the Action for the same threat to Alert and pass the same traffic
Expected Result:
1-6: Access policy, Threat protection is created. Traffic is blocked. Verify in Events and Dashboard.
7-9: Traffic is ignored.
10-Traffic is blocked and monitored
11-Traffic is allowed and monitored

145. Verify that you can block a list of IPs using /var/data/updater2 in SMX
Steps:
1-Configure a threat profile object and attach the profile to an Access Policy
2-Verify that a list of IPs exists in /var/data/updater2/drop (this might change in a future build).
3-Send some traffic thru the box such that the source/destination IP is on the blacklisted IPs.
4-Try to go to a destination not in the list of IPs.
Expected Results:
1-Access policy and threat profile are created and configured properly.
2-The file and the list of IPs are in the file.
3-The traffic is blocked as expected. Corresponding deny events can be seen in Event Viewer.
4-User can navigate to IPs not in the IP list.

146. Verify that you can block a list of IPs using /var/data/updater2 in PRSM
Steps:
1-In the PRSM configure a threat profile object and attach the profile to an Access Policy
2-Verify that a list of IPs exists in /var/data/updater2/drop (this might change in a future build).
3-Send some traffic thru the box such that the source/destination IP is on the blacklisted IPs.
4-Try to go to a destination not in the list of IPs.
5-Verify that the traffic is blocked and corresponding deny events can be seen in the PRSM Event Viewer.
Expected Results:
1-Access policy and threat profile are created and configured properly.
2-The file and the list of IPs are in the file.
3-The traffic is blocked as expected. Corresponding deny events can be seen in Event Viewer.
4-User can navigate to IPs not in the IP list.
5-Traffic is blocked from the IP list and corresponding deny events can be seen in the PRSM Event Viewer.

147. Verify the functionality of cold start recovery for a bad TP signature update that fails in the Switch state on a managed ASA-CX device.
Procedure: Log into SMX, and discover an ASA-CX device in SMX. Repeat the test steps 1-9 as mentioned above, in test case 1.
Expected Results: Validate as mentioned above in test case 1 (steps 1-10).

148. Verify the functionality of cold start recovery manually on a managed ASA-CX device.
Procedure: Log into SMX, and discover an ASA-CX device in SMX. Repeat test steps 2-5 as mentioned above, in test case 3.
Expected Results: Validate as mentioned above in test case 3.

149. Verify the functionality of cold start recovery manually on an unmanaged ASA-CX device.
Procedure: Configure a threat profile object and set it to be the most aggressive. Create an access policy and attach the created threat profile to the access policy. Send some pcaps thru the device. Manually clear out all the bad tp signatures by deleting the files: /var/data/updater/threat_defense/sigs/td_http_sigs.xml, /var/data/updater/threat_defense/sigs/td_stream_sigs.xml, /var/data/updater/threat_defense/etc/td_http_config.xml, /var/data/updater/threat_defense/etc/td_stream_config.xml, /cisco/updater/updates/threat_defense/threat_defense_taxonomy.conf. Send some traffic thru the box.
Expected Results: Verify that traffic passes thru the box successfully and corresponding events can be seen in the event viewer. Validate that threats cannot be detected and corresponding events are not displayed in the threat protection tab in the event viewer.

150. Verify the functionality of cold start recovery for a bad TP signature update that fails in the Switch state on a stand alone ASA-CX device.
Procedure: Between each test case, do a config reset and set the logging levels to trace; it is advised to erase and install the rpms again. Open up a browser with the ASA-CX ip and navigate to Device>>Updates and make a note of the preupgrade version numbers for TP signatures. Configure a threat profile object and set it to be the most aggressive. Create an access policy and attach the created threat profile to the access policy. Send some traffic thru the box and then some pcaps that fire threats. Update the system as follows: Shut down updater (using the CLI "heimdall_svc down updater_connector"). Change the configuration file (/cisco/updater/updater_connector.conf) by setting the variables allow_overwrite to False, server_hostname to the hostname of the updater server being used and the serial to the name of the updater package provisioned in the updater server. Start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box. Send the same pcaps as above.
Expected Results: Verify that traffic passes thru the box. Verify that updater will detect the bad signatures and will initiate a cold start to clear out the bad signatures. This will reset version numbers and updater state. Validate that all the other processes (such as monocle) start up successfully. Validate that the following msgs are displayed in the updater logs (/var/log/cisco/updater_connector.log): "Some Inspectors failed to switch: ..." and "tp updates have been disabled. Will resume in 43200 seconds". Verify that tp signature update fails in the Switch state and enters the cool down period. Verify that a corresponding system event, such as "Some scanners failed to switch to tp/threats ...", gets generated and can be seen in the event viewer. Verify that tp signature update then rolls back successfully and the updater UI reflects that the tp signature component's version number changes to the same as before the update. Verify that the version number for tp signature in the Updater UI (Device>>Updates>>Updates) will change between the updates. Verify that a corresponding system event (Switched to update tp/threats, version ...) gets generated in the event viewer indicating the rollback. Verify that traffic passes thru the box successfully after the rollback update. Validate that after the update, the threats detected earlier, before the update, still fire. Ensure that threats can be detected and corresponding events are displayed in the threat protection tab in the event viewer.

151. The Scroll bar in List of Threats is infinite, i.e. continuous to the end
Steps: Navigate to Policies then Threats and click on the scroll bar and start scrolling down.
Expected Result: An infinite scroll bar is present where it constantly goes to the database and brings in new scrolls to the page. You should be able to scroll down to see the last one.

152. List of threats appears in Policies, Threats
Steps: Navigate to the Policies, Threats page
Expected Result: List of threats appears with "Threats" at the top, and Filter field below it with a list of all of the threats.

153. Filter works properly in the list of Threats
Steps:
1-Navigate to Policies, Threats and enter Adobe Acrobat in the Filter field and click on Filter
2-Enter non-alphanumeric characters in the filter field such as . + ( ) << or >> and click on Filter
3-Clear the Filter field and click on Filter.
4-Search for several threats by name by entering the names in the Filter field and clicking on Filter
5-Search for the description of the threat and not the name
Expected Result:
1-List of threats will appear that have "Adobe Acrobat" in them
2-List of threats will appear with those characters in them. If no threats have those characters, then an empty list will appear.
3-All threats will appear.
4-All threats will appear with that string in the threat.
5-List of threats will appear that have the string in their description.

154. List of threats are updated with new threats in SMX
Procedure:
1-Take a list of threats that appear in Policies, Threats list.
2-Update the SMX device.
3-Verify that there are new updates in the Threats list.
Expected Result: Verify that the new threats are listed in the updates.

155. List of threats are updated with new threats in PRSM
Procedure:
1-Take a list of threats that appear in Policies, Threats list.
2-Update the SMX device.
3-Verify that there are new updates in the Threats list.
Expected Result: Verify that the new threats are listed in the updates.

156. List of threats are updated with some threats being deprecated in SMX
Procedure:
1-Take a list of threats that appear in Policies, Threats list.
2-Update the SMX device.
3-Verify that there are threats deprecated/removed from Threats list.
Expected Result: Verify that the threats are not listed in the updates.

157. List of threats are updated with some threats being deprecated in PRSM
Procedure:
1-Take a list of threats that appear in Policies, Threats list.
2-Update the PRSM device.
3-Verify that there are threats deprecated/removed from Threats list.
Expected Result: Verify that the threats are not listed in the updates.

158. Verify no EUN is generated when threats are blocked in a browser with SMX
Procedure:
1-Load the appropriate build on an ASA-CX in unmanaged mode. Overwrite the /var/data/updater/threat_defense/sigs/td_http_sigs.xml with the us4510.xml file (You can get this file from Paul G)
2-Make sure to restart services so that monocle picks up the updated signature file.
3-Make sure you have a policy in place to deny threats.
4-From your box running as your server, open a console and run the command "python -m SimpleHTTPServer 8000"
5-From your client, open a browser and navigate to http://<server-ip>:8000/vulnerable.php
6-You should see an EUN on your client
7-Edit the swap-attacker-victim field in the signature XML file and set it to false, restart services, rerun the tests.
Expected Result: You should NOT see an EUN displayed, and in the monocle logs you should see a log message indicating that the EUN is disabled.

159. Verify no EUN is generated when threats are blocked in a browser with PRSM
Procedure:
1-Load the appropriate PRSM build. Overwrite the /var/data/updater/threat_defense/sigs/td_http_sigs.xml with the us4510.xml file (You can get this file from Paul G)
2-Make sure to restart services so that monocle picks up the updated signature file.
3-Make sure you have a policy in place to deny threats.
4-From your box running as your server, open a console and run the command "python -m SimpleHTTPServer 8000"
5-From your client, open a browser and navigate to http://<server-ip>:8000/vulnerable.php
6-You should see an EUN on your client
7-Edit the swap-attacker-victim field in the signature XML file and set it to false, restart services, rerun the tests.
Expected Result: You should NOT see an EUN displayed, and in the monocle logs you should see a log message indicating that the EUN is disabled.

160. LSI Regex Acceleration: Verify that Authentication works properly in Spyker
Procedure:
1-Create an authentication Realm in ASACX
2-In the client machine try to browse the internet
3-A popup will appear asking for user name and password
4-Enter the username and password from the Realm
Expected Result: User name and password are accepted and user can surf the internet.

161. LSI Regex Acceleration: Huge_ variables are set to zero in Saleen/VM
Procedure:
1-Login to Saleen
2-Navigate to /proc
3-vi meminfo and search Huge_ variables.
Expected Result: All Variables that start with Huge should be set to 0 and remain at zero for Saleen and VMs, except for Hugepagesize, which will be at 2048 kB.

162. LSI Regex Acceleration: Huge_ variables are not set to zero in Spyker
Procedure:
1-Login to Saleen
2-Pass some pcaps from server to client and generate some traffic
3-Navigate to /proc
4-vi meminfo and search Huge_ variables.
Expected Result: All Variables that start with Huge should be set to a value and remain at that value.

163. LSI Regex Acceleration: Restarting services will not affect operations in Saleen and VMs
Procedure:
1-Login to the Saleen machine with putty.
2-su admin
3-Services Stop
4-Services start
5-Pass some traffic
6-Pass some pcaps
7-Check the /proc/meminfo file
Expected Result:
1-5: All traffic passes successfully
6-Threats are reported in Events and Threat protection page and blocked.
7-Huge variables remain at 0, except for Hugepagesize, which will be at 2048 kB.

164. LSI Regex Acceleration: Restarting services will not affect operations in Spyker
Procedure:
1-Login to the Spyker machine with putty.
2-su admin
3-Services Stop
4-Services start
5-Pass some traffic
6-Pass some pcaps
7-Check the /proc/meminfo file
Expected Result:
1-5: All traffic passes successfully
6-Threats are reported in Events and Threat protection page and blocked.
7-All Variables that start with Huge should be set to a value other than 0 and remain above 0. Hugepagesize should be at 2048 kB.

165. LSI Regex Acceleration: Verify that Authentication works properly in Saleen
Procedure:
1-Create an authentication Realm in ASACX
2-In the client machine try to browse the internet
3-A popup will appear asking for user name and password
4-Enter the username and password from the Realm
Expected Result: User name and password are accepted and user can surf the internet.

166. Verify correct behavior of LSI/VPS when LSI card is present
Procedure: Bring up an ASACX blade which has an LSI card present. Note, all Spykers as well as Saleens 5525 and above have an LSI card.
1. Issue the cli command: show platform hardware regex
2. At root prompt, issue "lsmod" command.
3. Check the processes.
4. Check for a file flag: "/var/log/cisco/boot/lsi.operational".
5. Check System Events tab in the Event Viewer.
Expected Results:
1. Verify there is output indicating lsi is present. POST status should be displayed. Also, "show platform hardware regex" should show per engine counters, e.g. "Flow/N jobs submitted", etc.
2. Verify the kernel module cpp_base is listed.
3. Verify that one vps process is running.
4. Verify it's present.
5. Verify there is a System Event present for restoring communication with LSI.

167. Verify correct behavior of LSI/VPS when there is no LSI card present
Procedure: Bring up an ASACX blade which has no LSI card present. Note, all Spykers as well as Saleens 5525 and above have an LSI card. Saleen models 5512 and 5515 do not have an LSI card. In addition there's no LSI card on a VM, either.
1. Issue the cli command: show platform hardware regex
2. At root prompt, issue "lsmod" command.
3. Check the processes.
4. Check for a file flag: "/var/log/cisco/boot/lsi.operational".
5. Check System Events tab in the Event Viewer.
Expected Results:
1. Verify there is output indicating lsi not present
2. Verify the kernel module cpp_base is not listed.
3. Verify there is no vps process running.
4. Verify it's missing.
5. Verify there are no System Events for LSI.

168. Verify correct behavior of LSI/VPS when LSI card is present, but load or POST fails
Procedure: Modify an ASACX blade which has an LSI card present, so that POST will fail. In order to make POST fail, modify /opt/lsi/platform_hooks/load to "exit 0" as the first line of the script (before doing anything else). Note, all Spykers as well as Saleens 5525 and above have an LSI card.
1. Issue the cli command: show platform hardware regex
2. At root prompt, issue "lsmod" command.
3. Check the processes.
4. Check for a file flag: "/var/log/cisco/boot/lsi.operational".
5. Check System Events tab in the Event Viewer.
Expected Results:
1. Verify there is output indicating lsi not present
2. Verify the kernel module cpp_base is not listed.
3. Verify there is no vps process running.
4. Verify it's missing.
5. Verify there is a System Event present indicating a problem with POST/LSI

169. Verify correct behavior of LSI/VPS when LSI driver fails to be reloaded upon VPS restart
Procedure: Modify an ASACX blade which has an LSI card present: starting from a running/working state, modify opt/lsi/platform_hooks/load to fail by adding "exit 1" as opposed to "exit 0", and then restart vps via the "service restart" command. Note, all Spykers as well as Saleens 5525 and above have an LSI card.
1. Issue the cli command: show platform hardware regex
2. Check System Events tab in the Event Viewer.
Expected Results:
1. Verify there is output indicating lsi not present
2. Verify there is a system event indicating LSI is inaccessible

170. LSI Regex Acceleration: Verify that /mnt/ has no hugetlb folder in Saleen/VM
Procedure: Navigate to /mnt/ folder in Saleen or VM
Expected Result: There is no hugetlb folder under /mnt/

171. LSI Regex Acceleration: Verify that /mnt/ has hugetlb folder in Spyker and it is populated with files
Procedure: Navigate to /mnt/ folder in Spyker
Expected Result: There is a hugetlb folder under /mnt/ and it is populated with some files

172. LSI Regex Acceleration: Verify that Decryption works properly in Saleen/VM
Procedure: Verify that decryption works properly in Saleen/VM environments
Expected Result: Decryption works properly in Saleen/VM environments

173. LSI Regex Acceleration: Verify that Decryption works properly in Spyker
Procedure: Verify that decryption works properly in Spyker environments
Expected Result: Decryption works properly in Spyker environments

174. US5805: Verify Threat Protection appears as an option when selecting Generate Report in single mode or ASA-CX
Procedure:
1-In a single mode ASA-CX navigate to Dashboard page.
2-Click on Generate Report.
Expected Results: Verify that Threat Analysis appears as an option for Report Type

175. US5805: Verify Threat Protection appears as an option when selecting Generate Report in Managed mode or PRSM
Procedure:
1-In a managed mode or PRSM navigate to Dashboard page.
2-Click on Generate Report.
Expected Results: Verify that Threat Analysis appears as an option for Report Type

176. US5805: Verify Threat Protection appears as an option when selecting Generate Report in single mode or ASA-CX everywhere Generate Report appears
Procedure: 1-In a single mode or ASA-CX navigate to all pages that have Generate report, e.g. Network overview, Policies, Users, User devices, Applications, Application types, Web destinations, Web categories, Malicious traffic, Threat protection. 2-Click on Generate Report.
Expected Results: Verify that Threat Analysis appears as an option for Report Type.

177. US5805: Verify Threat Protection appears as an option when selecting Generate Report in Managed Mode or PRSM everywhere Generate Report appears
Procedure: 1-In a managed mode or PRSM navigate to all pages that have Generate report, e.g. Network overview, Policies, Users, User devices, Applications, Application types, Web destinations, Web categories, Malicious traffic, Threat protection. 2-Click on Generate Report.
Expected Results: Verify that Threat Analysis appears as an option for Report Type.

178. US5805: Verify that a report can be successfully generated using Threat protection in single mode or ASA-CX
Procedure: 1-In a single mode or ASA-CX navigate to Dashboard. 2-Click on Generate report. 3-Select Threat Analysis and generate a report.
Expected Results: A report is generated successfully.

179. US5805: Verify that a report can be successfully generated using Threat protection in managed mode or PRSM
Procedure: 1-In a single mode or ASA-CX navigate to Dashboard. 2-Click on Generate report. 3-Select Threat Analysis and generate a report.
Expected Results: A report is generated successfully.

180. US5805: Verify that a report can be successfully generated using Threat protection in single mode or ASA-CX for all pre-defined Time Ranges
Procedure: 1-In a single mode or ASA-CX navigate to Dashboard. 2-Click on Generate report. 3-Select Threat Analysis and generate a report for all pre-defined Time Ranges.
Expected Results: A report is generated successfully.

181. US5805: Verify that a report can be successfully generated using Threat protection in managed mode or PRSM for all pre-defined Time Ranges
Procedure: 1-In a single mode or ASA-CX navigate to Dashboard. 2-Click on Generate report. 3-Select Threat Analysis and generate a report for all pre-defined Time Ranges.
Expected Results: A report is generated successfully.

182. US5805: Verify that a report can be successfully generated using Threat protection in single mode or ASA-CX using custom ranges
Procedure: 1-In a single mode or ASA-CX navigate to Dashboard. 2-Click on Generate report. 3-Select Threat Analysis and generate a report for custom time ranges taking hours, days, and months.
Expected Results: A report is generated successfully.

183. US5805: Verify that a report can be successfully generated using Threat protection in managed mode or PRSM using custom Time Ranges
Procedure: 1-In managed mode or PRSM navigate to Dashboard. 2-Click on Generate report. 3-Select Threat Analysis and generate a report for custom time ranges taking hours, days, and months.
Expected Results: A report is generated successfully.

184. US5805: Verify that after passing HTTP and non-HTTP traffic that these are properly generated in the report in single mode or ASA-CX
Procedure: 1-Pass some HTTP traffic through ASA-CX (single mode). 2-Pass some non-HTTP traffic through ASA-CX. 3-Generate a Threat Analysis Report in the ASA-CX mode.
Expected Results: 1-Generated report reflects the HTTP and non-HTTP traffic correctly and accurately.

185. US5805: Verify that after passing HTTP and non-HTTP traffic that these are properly generated in the report in managed mode or PRSM
Procedure: 1-Pass some HTTP traffic through a managed mode or PRSM. 2-Pass some non-HTTP traffic through a managed mode device or PRSM. 3-Generate a Threat Analysis Report in the PRSM.
Expected Results: 1-Generated report reflects the HTTP and non-HTTP traffic correctly and accurately.

186. US5805: Verify that when threats are placed as exceptions they are properly reported in single mode or ASA-CX
Procedure: 1-In a single mode or ASA-CX create a few exceptions for threats to Deny, Allow, and ignore threats. 2-Pass several pcaps that are not included in the exceptions in the profile. 3-Pass the traffic in the exceptions. 4-Generate a Threat Analysis report.
Expected Results: The report reflects all the passed pcaps correctly and accurately.

187. US5805: Verify that when threats are placed as exceptions they are properly reported in managed mode or PRSM
Procedure: 1-In a managed mode or PRSM create a few exceptions for threats to Deny, Allow, and ignore. 2-Pass several pcaps that are not included in the exceptions in the profile. 3-Pass the traffic in the exceptions. 4-Generate a Threat Analysis report.
Expected Results: The report reflects all the passed pcaps correctly and accurately.

188. US5805: Verify Cancel works properly in the Generate report dialog box in single mode or ASA-CX
Procedure: 1-In a single mode or ASA-CX navigate to the Dashboard. 2-Click on Generate report. 3-When the Generate report dialog box appears click on the Cancel button.
Expected Results: The dialog box is closed and you return to the Dashboard page.

189. US5805: Verify Cancel works properly in the Generate report dialog box in managed mode or PRSM
Procedure: 1-In managed mode or PRSM navigate to the Dashboard. 2-Click on Generate report. 3-When the Generate report dialog box appears click on the Cancel button.
Expected Results: The dialog box is closed and you return to the Dashboard page.

190. US5805: Verify that the generated Threat Protection report has the top 25 policies detecting maximum threats page in single mode or ASA-CX
Procedure: 1-Generate a Threat Analysis report on a single mode device or ASA-CX. 2-View the generated Threat Analysis report.
Expected Results: 1-Verify that the generated report has the top 25 Policies detecting maximum threats page. Refer to the mockup for details. 2-Verify that all the details are there as per mockup.

191. US5805: Verify that the generated Threat Protection report has the top 25 policies detecting maximum threats page in managed mode or PRSM
Procedure: 1-Generate a Threat Analysis report on a managed mode or PRSM. 2-View the generated Threat Analysis report.
Expected Results: 1-Verify that the generated report has the top 25 Policies detecting maximum threats page. Refer to the mockup for details. 2-Verify that all the details are there as per mockup.

192. US5805: Verify that the generated Threat Protection report has the top 25 attackers page in single mode or ASA-CX
Procedure: 1-Generate a Threat Analysis report on a single mode device or ASA-CX. 2-View the generated Threat Analysis report.
Expected Results: 1-Verify that the generated report has the top 25 attackers page. Refer to the mockup for details. 2-Verify that all the details are there as per mockup.

193. US5805: Verify that the generated Threat Protection report has the top 25 attackers page in managed mode or PRSM
Procedure: 1-Generate a Threat Analysis report on a managed mode or PRSM. 2-View the generated Threat Analysis report.
Expected Results: 1-Verify that the generated report has the top 25 attackers page. Refer to the mockup for details. 2-Verify that all the details are there as per mockup.

194. US5805: Verify that the generated Threat Protection report has the top 25 targets page in single mode or ASA-CX
Procedure: 1-Generate a Threat Analysis report on a single mode device or ASA-CX. 2-View the generated Threat Analysis report.
Expected Results: 1-Verify that the generated report has the top 25 targets page. Refer to the mockup for details. 2-Verify that all the details are there as per mockup.

195. US5805: Verify that the generated Threat Protection report has the top 25 targets page in managed mode or PRSM
Procedure: 1-Generate a Threat Analysis report on a managed mode or PRSM. 2-View the generated Threat Analysis report.
Expected Results: 1-Verify that the generated report has the top 25 targets page. Refer to the mockup for details. 2-Verify that all the details are there as per mockup.

196. US5805: Verify that the generated Threat Protection report has the top 25 threats page in single mode or ASA-CX
Procedure: 1-Generate a Threat Analysis report on a single mode device or ASA-CX. 2-View the generated Threat Analysis report.
Expected Results: 1-Verify that the generated report has the top 25 threats page. Refer to the mockup for details. 2-Verify that all the details are there as per mockup. 3-Verify that the threat score average column has the proper data such as threat score average, threats sent and received; follow the latest mockups for the latest updates.

197. US5805: Verify that the generated Threat Protection report has the top 25 threats page in managed mode or PRSM
Procedure: 1-Generate a Threat Analysis report on a managed mode or PRSM. 2-View the generated Threat Analysis report.
Expected Results: 1-Verify that the generated report has the top 25 threats page. Refer to the mockup for details. 2-Verify that all the details are there as per mockup. 3-Verify that the threat score average column has the proper data such as threat score average, threats sent and received; follow the latest mockups for the latest updates.

198. US5805: Verify that generate report works properly on PRSM when no ASA-CX devices are added
Procedure: 1-Install and configure a PRSM. 2-Before adding any devices click on the generate report button.
Expected Results: 1-Verify that when pressing the generate report button the generate report dialog box appears.

199. US5704: Verify proper update to PDE log file in ASA-CX
Procedure: In ASA-CX make sure services are running; if not, start them: "/etc/init.d/cisco_services start". Edit /cisco/updater/updater_connector.conf (vi) and set:
allow_overwrite=False (so the values don't change to default values)
server_hostname = updater-he-01
serial = tp-20130322_engine-updatedlibPD (to update first)
Restart the updater_connector process using: heimdall_svc recycle updater_connector.
1-Apply a TP engine update that adds a dynamic library.
Expected Result: The following line should appear in pde.log:
2013-03-27 21:38:32.842 INFO pde.ThreatProtection PD::start updated version

200. US5704: Verify that libTD.so, libPD.so, libvelocity.so, and libadded.so links and files are created in ASA-CX under /lib64 and /librariers folder after applying a TP engine update
Procedure: Make sure services are running; if not, start them: "/etc/init.d/cisco_services start". Edit /cisco/updater/updater_connector.conf (vi) and set:
allow_overwrite=False (so the values don't change to default values)
server_hostname = updater-he-01
serial = tp-20130322_engine-addedso (to update first)
Restart the updater_connector process using: heimdall_svc recycle updater_connector.
1-Apply a TP engine update that adds a dynamic library. 2-Start a putty shell to ASA-CX and type ls -l /usr/lib64. 3-Type ls -l /cisco/updater/librariers in the putty shell. 4-Type ls -l /cisco/updater/staging-librariers/tp/ in the putty shell. 5-Verify the proper events are generated in system events. 6-Verify threat protection keeps working properly after the update completes.
Expected Result: 1-The following links will be listed in the /usr/lib64 folder: libTD.so, libPD.so, libvelocity.so, and libadded.so without any extensions or numbers added to the links. 2-The following links will be listed in the /cisco/updater/librariers/ folder: libTD.so, libPD.so, libvelocity.so, and libadded.so without any extensions or numbers added to the link. 3-The following files will be listed in the /cisco/updater/staging-librariers/tp/ folder: libTD.so, libPD.so, libvelocity.so, and libadded.so without any extensions or numbers added to the files. 4-Verify the update was successful in Device -> Updates.

and libvelocity. Inc.so. and libvelocity. Cisco Systems. libPD. 5-Verify the proper events are generated in system events. 4-type ls -l /cisco/updater/staging-librariers/tp/ in the putty shell. Expected Result: 1-The following links will be listed in /usr/lib64 folder: libTD. 2-The following links will be listed in /cisco/updater/librariers/ folder: libTD.so without any extensions or numbers added to the files.so.so links and files are created in PRSM under /lib64 and /librariers folder after applying a TP engine update Procedure: Make sure services are running if not start them: "/etc/init.so.so.so without any extensions or numbers added to the link. and 1. 3-The following files will be listed in /cisco/updater/staging-librariers/tp/ folder: libTD.so. Cisco Confidential Page 58 of 144 . libPD. 3-type ls -l /cisco/updater/librariers in the putty shell.conf allow_overwrite=False (so the values don't change to default values) server_hostname = updater-he-01 serial = tp-20130322_engine-addedso (to update first) restart the updater_connector process using: heimdall_svc recycle updater_connector 1-Apply a TP engine update that addes a dynamic library 2-Start a putty shell to PRSM and type ls -l /usr/lib64. 6-Verify Threat Protection works properly fater update completes. 4-Verify update was succesffull in Device -> Updates.20 US5704: Verify that libTD. libPD. libPD. and libvelocity.so.d/cisco_services start" vi /cisco/updater/updater_connector.so without any extensions or numbers added to the links.so.so. libvelocity.

202. US5704: Verify that libTD.so, libPD.so, and libvelocity.so links and files are deleted in ASA-CX under /lib64 and /librariers folder after applying a TP engine rollback
Procedure: This test case must be run after the test case where the serial number was tp-20130322_engine-addedso. Make sure services are running; if not, start them: "/etc/init.d/cisco_services start". Edit /cisco/updater/updater_connector.conf (vi) and set:
allow_overwrite=False (so the values don't change to default values)
server_hostname = updater-he-01
serial = tp-20130322_engine-good (for rollback to updated version)
Restart the updater_connector process using: heimdall_svc recycle updater_connector.
1-Apply a TP engine rollback that rolls back to the previous version. 2-Start a putty shell to ASA-CX and type ls -l /usr/lib64. 3-Type ls -l /cisco/updater/librariers in the putty shell. 4-Type ls -l /cisco/updater/staging-librariers/tp/ in the putty shell. 5-Verify the proper events are generated in system events. 6-Verify Threat protection keeps on working after the rollback completes.
Expected Result: 1-The following links will be listed in the /usr/lib64 folder: libTD.so, libPD.so, and libvelocity.so without any extensions or numbers added to the links. 2-The following links will be deleted from the /cisco/updater/librariers/ folder: libTD.so, libPD.so, and libvelocity.so without any extensions or numbers added to the link. 3-The following files will be deleted and replaced with the previous versions in the /cisco/updater/staging-librariers/tp/ folder: libTD.so, libPD.so, and libvelocity.so without any extensions or numbers added to the files. 4-Verify the rollback was successful in Device -> Updates.

203. US5704: Verify that libTD.so, libPD.so, and libvelocity.so links and files are deleted in PRSM under /lib64 and /librariers folder after applying a TP engine rollback
Procedure: This test case must be run after the test case where the serial number was tp-20130322_engine-addedso. Make sure services are running; if not, start them: "/etc/init.d/cisco_services start". Edit /cisco/updater/updater_connector.conf (vi) and set:
allow_overwrite=False (so the values don't change to default values)
server_hostname = updater-he-01
serial = tp-20130322_engine-good (for rollback to updated version)
Restart the updater_connector process using: heimdall_svc recycle updater_connector.
1-Apply a TP engine rollback that rolls back to the previous version. 2-Start a putty shell to PRSM and type ls -l /usr/lib64. 3-Type ls -l /cisco/updater/librariers in the putty shell. 4-Type ls -l /cisco/updater/staging-librariers/tp/ in the putty shell. 5-Verify the proper events are generated in system events. 6-Verify Threat Protection works properly after the rollback completes.
Expected Result: 1-The following links will be listed in the /usr/lib64 folder: libTD.so, libPD.so, and libvelocity.so without any extensions or numbers added to the links. 2-The following links will be listed in the /cisco/updater/librariers/ folder: libTD.so, libPD.so, and libvelocity.so without any extensions or numbers added to the link. 3-The following files will be listed in the /cisco/updater/staging-librariers/tp/ folder: libTD.so, libPD.so, and libvelocity.so without any extensions or numbers added to the files. 4-Verify the update was successful in Device -> Updates.

204. US5704: Verify successful rollback when inspectors fail to start up in ASA-CX
Procedure: In ASA-CX make sure services are running; if not, start them: "/etc/init.d/cisco_services start". Edit /cisco/updater/updater_connector.conf (vi) and set:
allow_overwrite=False (so the values don't change to default values)
server_hostname = updater-he-01
serial = tp-20130322_engine-addedso-failnotify
Restart the updater_connector process using: heimdall_svc recycle updater_connector.
1-Apply a TP engine rollback that rolls back to the previous version. 2-Start a putty shell to ASA-CX and type ls -l /usr/lib64. 3-Type ls -l /cisco/updater/librariers in the putty shell. 4-Type ls -l /cisco/updater/staging-librariers/tp/ in the putty shell.
Expected Result: This package will create libadded.so, but then the inspectors will fail to start up, causing a rollback. After the rollback completes successfully, you should not see libadded.so links in the following folders: /usr/lib64, /cisco/updater/librariers/, /cisco/updater/staging-librariers/tp/.

205. US5704: Verify successful rollback when inspectors fail to start up in PRSM
Procedure: In PRSM make sure services are running; if not, start them: "/etc/init.d/cisco_services start". Edit /cisco/updater/updater_connector.conf (vi) and set:
allow_overwrite=False (so the values don't change to default values)
server_hostname = updater-he-01
serial = tp-20130322_engine-addedso-failnotify
Restart the updater_connector process using: heimdall_svc recycle updater_connector.
1-Apply a TP engine rollback that rolls back to the previous version. 2-Start a putty shell to ASA-CX and type ls -l /usr/lib64. 3-Type ls -l /cisco/updater/librariers in the putty shell. 4-Type ls -l /cisco/updater/staging-librariers/tp/ in the putty shell.
Expected Result: This package will create libadded.so, but then the inspectors will fail to start up, causing a rollback. After the rollback completes successfully, you should not see libadded.so links in the following folders: /usr/lib64, /cisco/updater/librariers/, /cisco/updater/staging-librariers/tp/.
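Test cases 200 through 205 all come down to the same manual "ls -l" inspection: the expected library names must be present under their exact names (no version suffix) and, after a rollback, libadded.so must be gone everywhere. The following POSIX shell script is an added example and is not part of the Cisco test plan; it automates those checks. The three folder paths and the library names are the ones the test plan uses; the fixture tree built by make_fixture is constructed for the demo and stands in for a real ASA-CX or PRSM file system.

```shell
#!/bin/sh
# Added example, not from the Cisco test plan: automates the "ls -l" checks
# of test cases 200-205. Folder paths and library names come from the plan;
# the sandbox tree built by make_fixture is constructed for this demo.

# check_tp_libs DIR KIND LIB...
#   KIND is "link" (/usr/lib64 and /cisco/updater/librariers hold symlinks)
#   or "file" (/cisco/updater/staging-librariers/tp holds regular files).
#   Returns 0 when every LIB is present under its exact name and no
#   versioned variant (libX.so.1 ...) sits beside it; 1 otherwise.
check_tp_libs() {
    dir="$1"; kind="$2"; shift 2
    rc=0
    for lib in "$@"; do
        if [ "$kind" = link ]; then
            [ -L "$dir/$lib" ] || { echo "MISSING link: $dir/$lib" >&2; rc=1; }
        else
            [ -f "$dir/$lib" ] && [ ! -L "$dir/$lib" ] \
                || { echo "MISSING file: $dir/$lib" >&2; rc=1; }
        fi
        # the plan wants the bare name only: any libX.so.<suffix> is a defect
        for extra in "$dir/$lib".*; do
            [ -e "$extra" ] || [ -L "$extra" ] || continue
            echo "UNEXPECTED versioned entry: $extra" >&2
            rc=1
        done
    done
    return "$rc"
}

# check_lib_absent DIR LIB -> 0 when LIB is gone in every form (the rollback
# cases 202-205 expect libadded.so to disappear from all three folders).
check_lib_absent() {
    [ ! -e "$1/$2" ] && [ ! -L "$1/$2" ]
}

# make_fixture ROOT -> constructed sandbox with the plan's folder layout:
# staging holds the files, the other two folders hold links to them, and one
# stale versioned name is planted in usr/lib64 to show a failing check.
make_fixture() {
    root="$1"
    staging="$root/cisco/updater/staging-librariers/tp"
    mkdir -p "$root/usr/lib64" "$root/cisco/updater/librariers" "$staging"
    for lib in libTD.so libPD.so libvelocity.so; do
        : > "$staging/$lib"
        ln -s "$staging/$lib" "$root/usr/lib64/$lib"
        ln -s "$staging/$lib" "$root/cisco/updater/librariers/$lib"
    done
    : > "$root/usr/lib64/libadded.so.1"
}

# Stand-alone demo: build the fixture and run the checks from the plan.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    make_fixture "$root"
    check_tp_libs "$root/usr/lib64" link libTD.so libPD.so libvelocity.so && echo "usr/lib64 OK"
    check_tp_libs "$root/cisco/updater/librariers" link libTD.so libPD.so libvelocity.so && echo "librariers OK"
    check_tp_libs "$root/cisco/updater/staging-librariers/tp" file libTD.so libPD.so libvelocity.so && echo "staging OK"
    check_tp_libs "$root/usr/lib64" link libadded.so || echo "libadded.so check failed as expected"
    rm -rf "$root"
fi
```

On a real box the fixture step is skipped and the functions are pointed at /usr/lib64, /cisco/updater/librariers and /cisco/updater/staging-librariers/tp directly; a non-zero return from check_tp_libs after an update, or a non-zero return from check_lib_absent for libadded.so after a rollback, is the same defect the plan asks the tester to spot by eye in the ls -l output.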

206. Verify the functionality of good SAS and TP (AVC signature and TP Signature) updates on a stand alone CX device
Procedure: Configure a threat profile object and set it to be the most aggressive. Create an access policy and attach the created threat profile to the access policy. Navigate to Device>>Configuration>>ASA-CX Logging in the browser and set the logging level of all the components to trace. Send some traffic thru the box and then some pcaps that fire threats. Open up a browser with the ASA-CX IP and navigate to Device>>Updates and make a note of the pre-upgrade version numbers for TP and SAS engine/signatures. Update the system as follows: shut down updater (using the CLI "heimdall_svc down updater_connector"); change the configuration file (/cisco/updater/updater_connector.conf) by setting the variables allow_overwrite to False, server_hostname to the hostname of the updater server being used and serial to the name of the updater package provisioned in the updater server; start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box. Send the same pcaps as above.
Expected Results: Verify that traffic passes thru the box. Ensure that threats can be detected and corresponding events are displayed in the threat protection tab in the event viewer. Validate that the new updates are downloaded and applied successfully from the logs (/var/log/cisco/updater_connector.log). Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the updater UI (Device>>Updates>>Updates) shows the version and timestamps correctly and the versions have changed. Verify that traffic passes thru the box successfully after the update. Validate that after the update, the threats detected earlier, before the update, still fire.

207. Verify the functionality of good SAS engine/signature updates and bad TP signature update that fails in the Prepare state on a stand alone ASA-CX device
Procedure: Between each test case, it is advised to erase and install the rpms again; this will reset version numbers and updater state. Do a config reset and set the logging levels to trace. Configure a threat profile object and set it to be the most aggressive. Create an access policy and attach the created threat profile to the access policy. Send some traffic thru the box and then some pcaps that fire threats. Open up a browser with the ASA-CX IP and navigate to Device>>Updates and make a note of the pre-upgrade version numbers for TP and SAS engine/signatures. Update the system as follows: shut down updater (using the CLI "heimdall_svc down updater_connector"); change the configuration file (/cisco/updater/updater_connector.conf) by setting the variables allow_overwrite to False, server_hostname to the hostname of the updater server being used and serial to the name of the updater package provisioned in the updater server; start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box. Send the same pcaps as above.
Expected Results: Verify that traffic passes thru the box. Ensure that threats can be detected and corresponding events are displayed in the threat protection tab in the event viewer. Validate that the new SAS engine/signature updates are completed and applied successfully from the logs (/var/log/cisco/updater_connector.log). Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the TP signature update fails in the PREPARE state and enters the cool down period. Validate that a msg is displayed in the updater logs as "tp updates have been disabled. Will resume in 43200 seconds". Verify that a corresponding system event, such as "Preparing update failed for tp/threats.", gets generated and can be seen in the event viewer. Verify that the updater UI (Device>>Updates>>Updates) shows that the version number for the TD signature component remains the same as before the update. Verify that traffic passes thru the box successfully after the update. Validate that after the update, the threats detected earlier, before the update, still fire.

208. Verify the functionality of good SAS engine/signature updates and bad TP engine update that fails in the Prepare state on a stand alone ASA-CX device
Procedure: Between each test case, it is advised to erase and install the rpms again; this will reset version numbers and updater state. Do a config reset and set the logging levels to trace. Configure a threat profile object and set it to be the most aggressive. Create an access policy and attach the created threat profile to the access policy. Send some traffic thru the box and then some pcaps that fire threats. Open up a browser with the ASA-CX IP and navigate to Device>>Updates and make a note of the pre-upgrade version numbers for TP and SAS engine/signatures. Update the system as follows: shut down updater (using the CLI "heimdall_svc down updater_connector"); change the configuration file (/cisco/updater/updater_connector.conf) by setting the variables allow_overwrite to False, server_hostname to the hostname of the updater server being used and serial to the name of the updater package provisioned in the updater server; start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box. Send the same pcaps as above.
Expected Results: Verify that traffic passes thru the box. Ensure that threats can be detected and corresponding events are displayed in the threat protection tab in the event viewer. Validate that the new SAS engine/signature updates are completed and applied successfully from the logs (/var/log/cisco/updater_connector.log). Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the TP engine update fails in the PREPARE state and enters the cool down period. Validate that a msg is displayed in the updater logs as "tp updates have been disabled. Will resume in 43200 seconds". Verify that a corresponding system event, such as "Preparing update failed for tp/engine.", gets generated and can be seen in the event viewer. Verify that the updater UI (Device>>Updates>>Updates) shows that the version number for the TD engine component remains the same as before the update. Verify that traffic passes thru the box successfully after the update. Validate that after the update, the threats detected earlier, before the update, still fire.

209. Verify the functionality of good TP engine/signature updates and bad SAS signature update that fails in the Prepare state on a stand alone ASA-CX device
Procedure: Between each test case, it is advised to erase and install the rpms again; this will reset version numbers and updater state. Do a config reset and set the logging levels to trace. Configure a threat profile object and set it to be the most aggressive. Create an access policy and attach the created threat profile to the access policy. Send some traffic thru the box and then some pcaps that fire threats. Open up a browser with the ASA-CX IP and navigate to Device>>Updates and make a note of the pre-upgrade version numbers for TP and SAS engine/signatures. Update the system as follows: shut down updater (using the CLI "heimdall_svc down updater_connector"); change the configuration file (/cisco/updater/updater_connector.conf) by setting the variables allow_overwrite to False, server_hostname to the hostname of the updater server being used and serial to the name of the updater package provisioned in the updater server; start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box. Send the same pcaps as above.
Expected Results: Verify that traffic passes thru the box. Ensure that threats can be detected and corresponding events are displayed in the threat protection tab in the event viewer. Validate that the new tp engine/signature updates are completed and applied successfully from the logs (/var/log/cisco/updater_connector.log). Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the SAS (in this case, AVC signature) update fails in the PREPARE state and enters the cool down period. Validate that a msg is displayed in the updater logs as "sas updates have been disabled. Will resume in 43200 seconds". Verify that a corresponding system event, such as "Preparing update failed for avc/dat.", gets generated and can be seen in the event viewer. Verify that the updater UI (Device>>Updates>>Updates) shows that the version number for the SAS (in this case, AVC signature) component remains the same as before the update. Verify that traffic passes thru the box successfully after the update. Validate that after the update, the threats detected earlier, before the update, still fire.

210. Verify the functionality of good TP engine/signature updates and bad SAS engine update that fails in the Prepare state on a stand alone ASA-CX device
Procedure: Between each test case, it is advised to erase and install the rpms again; this will reset version numbers and updater state. Do a config reset and set the logging levels to trace. Configure a threat profile object and set it to be the most aggressive. Create an access policy and attach the created threat profile to the access policy. Send some traffic thru the box and then some pcaps that fire threats. Open up a browser with the ASA-CX IP and navigate to Device>>Updates and make a note of the pre-upgrade version numbers for TP and SAS engine/signatures. Update the system as follows: shut down updater (using the CLI "heimdall_svc down updater_connector"); change the configuration file (/cisco/updater/updater_connector.conf) by setting the variables allow_overwrite to False, server_hostname to the hostname of the updater server being used and serial to the name of the updater package provisioned in the updater server; start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box. Send the same pcaps as above.
Expected Results: Verify that traffic passes thru the box. Ensure that threats can be detected and corresponding events are displayed in the threat protection tab in the event viewer. Validate that the new tp engine/signature updates are completed and applied successfully from the logs (/var/log/cisco/updater_connector.log). Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the SAS (in this case, SAS engine) update fails in the PREPARE state and enters the cool down period. Validate that a msg is displayed in the updater logs as "sas updates have been disabled. Will resume in 43200 seconds". Verify that a corresponding system event, such as "Preparing update failed for sas engine.", gets generated and can be seen in the event viewer. Verify that the updater UI (Device>>Updates>>Updates) shows that the version number for the SAS (in this case, SAS engine) component remains the same as before the update. Verify that traffic passes thru the box successfully after the update. Validate that after the update, the threats detected earlier, before the update, still fire.

211. Verify the functionality of good TP engine/signature updates and bad SAS engine update that fails in the Switch state on a stand alone ASA-CX device
Procedure: Between each test case, it is advised to erase and install the rpms again; this will reset version numbers and updater state. Do a config reset and set the logging levels to trace. Configure a threat profile object and set it to be the most aggressive. Create an access policy and attach the created threat profile to the access policy. Send some traffic thru the box and then some pcaps that fire threats. Open up a browser with the ASA-CX IP and navigate to Device>>Updates and make a note of the pre-upgrade version numbers for TP and SAS engine/signatures. Update the system as follows: shut down updater (using the CLI "heimdall_svc down updater_connector"); change the configuration file (/cisco/updater/updater_connector.conf) by setting the variables allow_overwrite to False, server_hostname to the hostname of the updater server being used and serial to the name of the updater package provisioned in the updater server; start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box. Send the same pcaps as above.
Expected Results: Verify that traffic passes thru the box. Ensure that threats can be detected and corresponding events are displayed in the threat protection tab in the event viewer. Validate that the new tp engine/signature updates are completed and applied successfully from the logs (/var/log/cisco/updater_connector.log). Verify that a corresponding system event gets generated and can be seen in the event viewer and the updater UI (Device>>Updates>>Updates) displays the new version number for the tp engine/signature component. Verify that the SAS engine update fails in the Switch state and enters the cool down period. Validate that the following msgs are displayed in the updater logs: "Failed while switching to new SAS version" and "sas updates have been disabled. Will resume in 43200 seconds". Verify that a corresponding system event, such as "Switching to new update failed for avc/dat.", gets generated and can be seen in the event viewer. Validate that the SAS engine update rolls back successfully and the updater UI reflects that the SAS engine component's version number changes to the same as before the update. Verify that the version number for the SAS engine in the Updater UI (Device>>Updates>>Updates) will change between the updates.

122. Verify the functionality of good TP engine/signature updates and a bad SAS signature update that fails in the Switch/Commit state on a stand-alone ASA-CX device.

Procedure:
As in test case 121: between test cases erase and reinstall the rpms, do a config reset and set the logging levels to trace; note the pre-upgrade TP and SAS engine/signature versions under Device>>Updates; attach a most-aggressive threat profile to an access policy and confirm that the threat pcaps produce events in the Threat Protection tab of the event viewer; shut down the updater ("heimdall_svc down updater_connector"), set allow_overwrite to False, server_hostname to the updater server and serial to the provisioned updater package in /cisco/updater/updater_connector.conf, and start the updater again ("heimdall_svc up updater_connector"); then send traffic and the same pcaps again.

Expected Results:
Verify that traffic passes through the box.
Validate from the logs (/var/log/cisco/updater_connector.log) that the new TP engine/signature updates are completed and applied successfully. Verify that a corresponding system event is generated and can be seen in the event viewer, and that the updater UI (Device>>Updates>>Updates) displays the new version number for the TP engine/signature component.
Verify that the SAS (in this case AVC signature) update fails in the Switch state and enters the cool-down period. Validate that the following messages are displayed in the updater log: "Some Inspectors failed to switch: ..." and "tp updates have been disabled. Will resume in 43200 seconds". Verify that a corresponding system event is generated and can be seen in the event viewer.
Validate that the SAS (in this case AVC signature) update rolls back successfully and that the updater UI reflects that the TP engine and SAS (AVC signature) component version numbers are the same as before the update. Verify that a corresponding system event indicating the rollback is generated in the event viewer.
Verify that the version number for the AVC signature in the updater UI (Device>>Updates>>Updates) changes between the updates.

123. Verify the functionality of bad TP and bad SAS engine updates that fail in the Switch/Commit state on a stand-alone ASA-CX device.

Procedure:
As in test case 121: between test cases erase and reinstall the rpms, do a config reset and set the logging levels to trace; note the pre-upgrade TP and SAS engine/signature versions under Device>>Updates; attach a most-aggressive threat profile to an access policy and confirm that the threat pcaps produce events in the Threat Protection tab of the event viewer; shut down the updater ("heimdall_svc down updater_connector"), set allow_overwrite to False, server_hostname to the updater server and serial to the provisioned updater package in /cisco/updater/updater_connector.conf, and start the updater again ("heimdall_svc up updater_connector"); then send traffic and the same pcaps again.

Expected Results:
Verify that traffic passes through the box.
Verify that both the TP and SAS engine updates fail in the Switch state and enter the cool-down period. Verify that a corresponding system event is generated and can be seen in the event viewer.
Validate that both the SAS and TP engines roll back successfully, along with both the TP and SAS signatures, and that the updater UI reflects that all the corresponding component version numbers are the same as before the update. Verify that a corresponding system event indicating the rollback is generated in the event viewer.
Verify that the version numbers for the TP and SAS engines in the updater UI (Device>>Updates>>Updates) change between the updates.
Verify that traffic passes through the box successfully after the update. Validate that after the update the threats detected earlier, before the update, still fire.

124. Verify the functionality of good WBRS incremental updates and a good TP signature/engine update on a stand-alone ASA-CX device.

Procedure:
As in test case 121: between test cases erase and reinstall the rpms, do a config reset and set the logging levels to trace; note the pre-upgrade TP and SAS engine/signature versions under Device>>Updates; attach a most-aggressive threat profile to an access policy and confirm that the threat pcaps produce events in the Threat Protection tab of the event viewer; shut down the updater ("heimdall_svc down updater_connector"), set allow_overwrite to False, server_hostname to the updater server and serial to the provisioned updater package in /cisco/updater/updater_connector.conf, and start the updater again ("heimdall_svc up updater_connector"); then send traffic and the same pcaps again.

Expected Results:
Verify that traffic passes through the box.
Validate from the logs (/var/log/cisco/updater_connector.log) that the new updates are downloaded and applied successfully. Verify that a corresponding system event is generated and can be seen in the event viewer.
Verify that the updater UI (Device>>Updates>>Updates) shows the versions and timestamps correctly and that the versions have changed.
Verify that traffic passes through the box successfully after the update. Validate that after the update the threats detected earlier, before the update, still fire.
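Test cases 121 to 124 all come down to the same checks on /var/log/cisco/updater_connector.log and on the version numbers noted under Device>>Updates: which components changed version, which rolled back to the pre-update version, and whether the quoted switch-failure and cool-down messages were logged for exactly the components expected to fail. The Python below is an example added by the editor to automate those checks; it is not part of the test plan or of the ASA-CX product. The quoted message strings and the 43200-second cool-down come from the plan; the log line layout, the one-'key = value'-per-line conf layout handled by set_conf_values, the component names and the version strings in the constructed sample are assumptions.

```python
import re

# Switch-failure messages quoted in test cases 121 and 122 of the plan,
# keyed by the component whose update is expected to fail.
SWITCH_FAIL_MSGS = {
    "sas": "Failed while switching to new SAS version",
    "tp": "Some Inspectors failed to switch:",
}
# "<comp> updates have been disabled. Will resume in N seconds" (from the plan).
COOLDOWN_RE = re.compile(
    r"(?P<comp>sas|tp) updates have been disabled\. Will resume in (?P<secs>\d+) seconds"
)


def set_conf_values(conf_text, **values):
    """Rewrite 'key = value' lines of an updater_connector.conf-style text.
    The one-'key = value'-per-line layout is an assumption, not from the plan."""
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=", line)
        if m and m.group(1) in values:
            out.append(f"{m.group(1)} = {values[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    out.extend(f"{k} = {v}" for k, v in values.items() if k not in seen)
    return "\n".join(out) + "\n"


def parse_updater_log(lines):
    """Return (components that failed to switch, {component: cool-down seconds})."""
    failed, cooldowns = set(), {}
    for line in lines:
        for comp, msg in SWITCH_FAIL_MSGS.items():
            if msg in line:
                failed.add(comp)
        m = COOLDOWN_RE.search(line)
        if m:
            cooldowns[m.group("comp")] = int(m.group("secs"))
    return failed, cooldowns


def check_update(before, after, log_lines, expect_rollback, expect_fail,
                 cooldown_secs=43200):
    """before/after: {component: version} noted under Device>>Updates before
    and after the update.  expect_rollback: components whose version must be
    unchanged afterwards; expect_fail: components whose switch-failure and
    cool-down messages must appear in the log.  Returns the list of failed
    checks (empty list == the test case passes)."""
    problems = []
    failed, cooldowns = parse_updater_log(log_lines)
    for comp, old in before.items():
        new = after.get(comp)
        if comp in expect_rollback and new != old:
            problems.append(f"{comp}: expected rollback to {old}, UI shows {new}")
        if comp not in expect_rollback and new == old:
            problems.append(f"{comp}: version did not change")
    for comp in expect_fail:
        if comp not in failed:
            problems.append(f"{comp}: switch-failure message not logged")
        if cooldowns.get(comp) != cooldown_secs:
            problems.append(f"{comp}: cool-down of {cooldown_secs}s not logged")
    for comp in failed - set(expect_fail):
        problems.append(f"{comp}: unexpected switch failure")
    return problems


# Constructed sample for test case 121 (good TP update, bad SAS engine update);
# the line layout and the version strings are invented for the example.
BEFORE = {"tp": "2.0.0", "sas": "3.1.0"}
AFTER_121 = {"tp": "2.0.1", "sas": "3.1.0"}
LOG_121 = [
    "2013-10-15 03:10:01 INFO  tp: switched to 2.0.1",
    "2013-10-15 03:10:05 ERROR Failed while switching to new SAS version",
    "2013-10-15 03:10:05 WARN  sas updates have been disabled. Will resume in 43200 seconds",
]


def run_case_121():
    return check_update(BEFORE, AFTER_121, LOG_121,
                        expect_rollback={"sas"}, expect_fail={"sas"})


def run_case_123():
    # Test case 123 expects BOTH engines to fail and roll back; fed the log
    # above, the checker must report the missing tp failure and cool-down.
    after = {"tp": "2.0.0", "sas": "3.1.0"}
    return check_update(BEFORE, after, LOG_121,
                        expect_rollback={"tp", "sas"}, expect_fail={"tp", "sas"})


if __name__ == "__main__":
    print("case 121:", run_case_121() or "PASS")
    print("case 123 with incomplete log:", run_case_123())
```

The conf rewrite is kept separate from the log check so that the same three calls (set_conf_values before "heimdall_svc up updater_connector", then check_update with the before/after version tables) cover the good, bad-engine and bad-signature variants by changing only expect_rollback and expect_fail.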

125. Verify that telemetry is disabled by default on an unmanaged ASA-CX device.

Procedure:
Load the latest software image on the device and open a browser with the IP address of the device.
Create a realm and add the corresponding directory config to the realm. Configure an any/any authentication policy (with action: Get identity via active authentication) and associate it with the realm.
Configure a threat profile object and attach the created threat profile to an access policy.
Enable decryption and configure a decryption policy on the device.
Configure file filtering and web reputation profiles on the device.
Send some traffic through the box.

Expected Results:
Verify that a welcome screen listing the option for telemetry is displayed. Verify that on clicking the link beneath Telemetry the user is redirected to a page displaying all three options for telemetry (Standard/Full, Partial, None). Verify that by default the None option is selected.
Verify that no telemetry data is being collected in the SIGN Up client log (/var/log/cisco/signup.log) or in the monitord log (/var/log/cisco/monitord.log).

126. Verify that all telemetry data (including merlin telemetry) gets collected when the Standard/Full option is selected for telemetry in the Network Participation page on an unmanaged ASA-CX device.

Procedure:
Open a browser with the IP address of the device. Navigate to Administration>Network participation, select the Standard/Full option and save the changes.
Create a realm and add the corresponding directory config to the realm. Configure an any/any authentication policy (with action: Get identity via active authentication) and associate it with the realm.
Configure a threat profile object and attach the created threat profile to an access policy.
Enable decryption and configure a decryption policy on the device.
Configure file filtering and web reputation profiles on the device.
Send some traffic through the box.

Expected Results:
Verify that the following platform telemetry fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, devices, db_size, cpu_usage, disk_utilization, graph_count, graph_bytes, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, realms, threat_profiles, file_filtering_profiles, web_reputation_profiles, applications and top_applications) are populated and accurate in the ASA-CX SIGN Up client log (/var/log/cisco/signup.log).
Verify that the following merlin telemetry data (startTimeStamp, endTimeStamp, pattern_count for each of the http, stream and udp engines, and SigID, ThreatID, ThreatLevel, AttackerIP, WebAVC, WebCAT and WebREP from the Predictive Defense process) is collected and accurate in the ASA-CX SIGN Up client log (/var/log/cisco/signup.log).
Refer to the wikis http://wikicentral.cisco.com/display/PROJECT/Falcon+Telemetry+Data and http://wikicentral.cisco.com/display/PROJECT/Merlin+Telemetry for a detailed explanation of all the fields mentioned above and their expected values.

127. Verify that telemetry is disabled by default in PRSM on a managed ASA-CX device.

Procedure:
Log into SMX. Discover an ASA-CX device.
Create a realm and add the corresponding directory config to the realm. Configure an any/any authentication policy (with action: Get identity via active authentication) and associate it with the realm.
Configure a threat profile object and attach the created threat profile to an access policy.
Enable decryption and configure a decryption policy in PRSM.
Configure file filtering and web reputation profiles in PRSM.
Send some traffic through the managed device.

Expected Results:
Verify that a welcome screen listing the option for telemetry is displayed. Verify that on clicking the link beneath Telemetry the user is redirected to a page displaying all three options for telemetry (Standard/Full, Partial, None). Verify that by default the None option is selected.
Verify that no telemetry data is being collected in the PRSM SIGN Up client log (/var/log/cisco/signup.log) or in the monitord log (/var/log/cisco/monitord.log).

cisco. Cisco Systems.db_size.policy_sets.auth_policies.21 Verify that all telemetry data (including merlin 8.and top_applications) are populated and are accurate in the PRSM SIGN Up client logs (in the /var/log/cisco/signup.WebAVC.AttackerIP. Configure an any/any authentication policy (with action:Get identity via active authentication) and associate it with the realm. endTimeStamp.com/display/PROJECT/Falco n+Telemetry+Data and http://wikicentral.devices. Procedure: Open a browser with the ip address of PRSM and ensure that an ASA-CX is discovered in PRSM. Configure a threat profile object and attach the created threat profile to an access policy.timezone.com/display/PROJECT/Merli n+Telemetry for a detailed explanation of all the fields mentioned above and their expected results. Navigate to Administration>Network participation and click on the button named Partial and save the changes. platform_version.threat_p rofiles.ThreatID. Inc.fil e_filtering_profiles. Configure file filtering and web reputation profiles on the device.access_poli cies.c pu_usage.W ebCAT and WebREP from the Predictive Defense process) is collected and is accurate in the PRSM SIGN Up client logs (in the /var/log/cisco/signup.stream and udp engines and SigID.model.graph_count.decryption_policies. Send some traffic thru the box. Expected Results: Verify that the following platform telemetry fields (startTimeStamp.product. Cisco Confidential Page 74 of 144 .pattern_c ount for each of the http.disk_utilization.web_reputation_profiles.ThreatLevel.cisco. Create a realm and add corresponding directory config to the realm.realms. Enable decryption and configure a decryption policy on the device. telemetry ) gets collected when Standard/Full option is selected for telemetry in the Network Participation page in PRSM. Refer to the wikis http://wikicentral. Verify that the following merlin telemetry data (startTimeStamp.applications.graph_bytes.log file).log file). endTimeStamp.total_policies.

129. Verify that only platform telemetry data gets collected when the Partial option is selected for telemetry in the Network Participation page in PRSM.

Procedure:
Open a browser with the IP address of PRSM and ensure that an ASA-CX is discovered in PRSM. Navigate to Administration>Network participation, click the button named Partial and save the changes.
Create a realm and add the corresponding directory config to the realm. Configure an any/any authentication policy (with action: Get identity via active authentication) and associate it with the realm.
Configure a threat profile object and attach the created threat profile to an access policy.
Enable decryption and configure a decryption policy on the device.
Configure file filtering and web reputation profiles on the device.
Send some traffic through the box.

Expected Results:
Verify that only the following platform telemetry fields (startTimeStamp, endTimeStamp, product, model, platform_version, timezone, devices, db_size, cpu_usage, disk_utilization, graph_count, graph_bytes, total_policies, policy_sets, access_policies, auth_policies, decryption_policies, realms, threat_profiles, file_filtering_profiles, web_reputation_profiles, applications and top_applications) are populated and accurate in the PRSM SIGN Up client log (/var/log/cisco/signup.log).
Verify that only platform telemetry data gets collected in the PRSM signup log and that no merlin telemetry data is present in the log.
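Test cases 126, 128 and 129 differ only in which telemetry categories may appear in /var/log/cisco/signup.log for a given Network Participation setting. The following Python is an example added by the editor, not part of the plan or of the product, that encodes the field lists from those test cases and checks a signup log against the selected level. The record layout (a timestamp followed by one JSON object per record, with a "type" of platform or merlin) and all values in the constructed sample records are assumptions; only the field names and the three participation levels come from the plan.

```python
import json

# Field names listed in test cases 126, 128 and 129 of the plan.
PLATFORM_FIELDS = {
    "startTimeStamp", "endTimeStamp", "product", "model", "platform_version",
    "timezone", "devices", "db_size", "cpu_usage", "disk_utilization",
    "graph_count", "graph_bytes", "total_policies", "policy_sets",
    "access_policies", "auth_policies", "decryption_policies", "realms",
    "threat_profiles", "file_filtering_profiles", "web_reputation_profiles",
    "applications", "top_applications",
}
MERLIN_FIELDS = {
    "startTimeStamp", "endTimeStamp", "pattern_count", "SigID", "ThreatID",
    "ThreatLevel", "AttackerIP", "WebAVC", "WebCAT", "WebREP",
}
MERLIN_ENGINES = {"http", "stream", "udp"}  # pattern_count is reported per engine


def load_records(lines):
    """Parse signup.log-style lines: a timestamp prefix followed by one JSON
    object per record (this layout is an assumption for the example)."""
    records = []
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue
        try:
            records.append(json.loads(line[start:]))
        except ValueError:
            continue  # not a telemetry record; ignore
    return records


def missing_fields(record, required):
    """Required fields that are absent or empty (the plan wants them populated)."""
    return sorted(f for f in required if record.get(f) in (None, "", [], {}))


def check_participation(records, level):
    """level is one of 'None', 'Partial', 'Standard/Full' (the three choices on
    the Network Participation page).  Returns the list of failed checks."""
    problems = []
    platform = [r for r in records if r.get("type") == "platform"]
    merlin = [r for r in records if r.get("type") == "merlin"]
    if level == "None":
        if records:
            problems.append(f"{len(records)} record(s) collected with participation None")
        return problems
    if not platform:
        problems.append("no platform telemetry record")
    for r in platform:
        m = missing_fields(r, PLATFORM_FIELDS)
        if m:
            problems.append("platform record missing " + ", ".join(m))
    if level == "Partial":
        if merlin:
            problems.append(f"{len(merlin)} merlin record(s) collected with participation Partial")
        return problems
    if not merlin:
        problems.append("no merlin telemetry record")
    for r in merlin:
        m = missing_fields(r, MERLIN_FIELDS)
        if m:
            problems.append("merlin record missing " + ", ".join(m))
        engines = set(r.get("pattern_count") or {})
        if not MERLIN_ENGINES <= engines:
            problems.append("pattern_count lacks " + ", ".join(sorted(MERLIN_ENGINES - engines)))
    return problems


# Constructed sample records; every value is invented for the example.
PLATFORM_RECORD = {**{f: 1 for f in PLATFORM_FIELDS}, "type": "platform",
                   "product": "ASA-CX", "model": "ASA5525-X", "timezone": "UTC",
                   "platform_version": "9.2.1", "top_applications": ["http", "dns"]}
MERLIN_RECORD = {"type": "merlin", "startTimeStamp": 1381806000, "endTimeStamp": 1381809600,
                 "pattern_count": {"http": 12, "stream": 3, "udp": 1},
                 "SigID": 2001, "ThreatID": 17, "ThreatLevel": 4,
                 "AttackerIP": "203.0.113.5", "WebAVC": 8, "WebCAT": 5, "WebREP": 2}
FULL_LOG = ["2013-10-15 03:49:52 " + json.dumps(PLATFORM_RECORD),
            "2013-10-15 03:49:53 " + json.dumps(MERLIN_RECORD)]
PARTIAL_LOG = FULL_LOG[:1]

if __name__ == "__main__":
    for level, log in (("Standard/Full", FULL_LOG), ("Partial", PARTIAL_LOG),
                       ("Partial", FULL_LOG), ("None", [])):
        print(level, check_participation(load_records(log), level) or "PASS")
```

Running the same log through all three levels is the point: a merlin record is a pass under Standard/Full, a failure under Partial, and any record at all is a failure under None, which is exactly the split between test cases 125/127, 129 and 126/128.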

130. US5697: Verify that these strings do not exist in the /var/log/cisco/monitord.log file on an ASA-CX box: num_asacx_managed, num_asa_managed, num_k2_managed, num_ha_asa, num_sc_asa, num_transparent_asa, num_routed_asa.

Pre-requisite:
1- To allow telemetry to work (enable it), go to Administration, then Network Participation, select Standard (Full), click Save and commit the changes.
2- Edit the file /cisco/heimdall/etc/monitord.conf and add '-t' to the program arguments, as in: Program_arguments = ['-t'] (this makes telemetry gather every minute instead of every day).
3- Save the file and run heimdall_svc recycle monitord.
4- Set the Management Plane log level to Debug.
5- Run tail -F /var/log/cisco/monitord.log, or simply search the contents of the file.

Procedure:
1- Install and configure an ASA-CX.
2- Verify that the following strings do not exist in /var/log/cisco/monitord.log: num_asacx_managed, num_asa_managed, num_k2_managed, num_ha_asa, num_sc_asa, num_transparent_asa, num_routed_asa.

Expected Results:
1- The above values do not exist in the /var/log/cisco/monitord.log file.

131. US5697: Verify ad_agent_configured is updated properly when AD Agent is configured in ASA-CX.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Enable AD Agent in the ASA-CX configuration.
2- View the contents of /var/log/cisco/monitord.log.

Expected Results:
Verify that the value of ad_agent_configured has changed to 1 from 0.

132. US5697: Verify num_ldap_realms reflects the number of LDAP Realms configured in ASA-CX.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Configure and enable an LDAP realm in ASA-CX.
2- View the contents of /var/log/cisco/monitord.log.
3- Try adding more LDAP realms, up to 3.
4- Delete the LDAP realms.

Expected Results:
1- Verify that the value of num_ldap_realms has changed to 1 from 0.
2- Verify that num_ldap_realms increments with each LDAP realm added.
3- Verify that the number decreases by 1 every time an LDAP realm is removed.

133. US5697: Verify num_ad_realms reflects the number of AD Realms configured in ASA-CX.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Configure and enable an AD Realm in ASA-CX.
2- Add an AD realm in ASA-CX and view the contents of /var/log/cisco/monitord.log.
3- Remove the AD Realm in ASA-CX and view the contents of /var/log/cisco/monitord.log.

Expected Results:
1- Verify that the value of num_ad_realms changes to 1 in /var/log/cisco/monitord.log when an AD Realm is added in ASA-CX.
2- Verify that the value of num_ad_realms changes to 0 in /var/log/cisco/monitord.log when the AD Realm is removed in ASA-CX.

134. US5697: Verify num_sso_realms correctly reflects the total number of SSO Realms configured in ASA-CX.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Configure and enable a few SSO Realms in ASA-CX.
2- Every time an SSO Realm is added in ASA-CX, view the contents of /var/log/cisco/monitord.log.

Expected Results:
1- Every time an SSO realm is added in ASA-CX the value of num_sso_realms increments by 1.

135. US5697: Verify is_managed is updated properly in ASA-CX when not joined to PRSM.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Install and configure an ASA-CX.
2- On the ASA-CX box check the value of is_managed in the /var/log/cisco/monitord.log file.

Expected Results:
1- is_managed is set to 0 when not joined to PRSM.

136. US5697: Verify ui_config_version on ASA-CX is correct.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- On an ASA-CX check the value of ui_config_version in /var/log/cisco/monitord.log.
2- Make some changes to the database, such as creating a new policy.
3- Check the value of ui_config_version again.

Expected Results:
1- The value of ui_config_version is incremented by 1 in ASA-CX every time a change is made to the database.

137. US5697: Verify core_dumps on an ASA-CX is updated properly when a new core dump is created.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Install an ASA-CX and open /var/log/cisco/monitord.log.
2- Check the value of core_dumps in monitord.log.
3- Navigate to /var/data/cores, create a new file and wait for a minute.

Expected Results:
1- Verify that the value of core_dumps is incremented by 1 for each new file created in /var/data/cores since the last collection time.
2- Verify that the value of core_dumps goes back to 0 after a core dump collection time.
3- Verify that the names of the core dumps are logged as well.

138. US5697: Verify core_dumps on an ASA-CX is updated properly after the 24 hour period.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Install an ASA-CX and open /var/log/cisco/monitord.log.
2- Check the value of core_dumps in monitord.log.
3- Navigate to /var/data/cores, create several files and observe the log.
4- Observe the log after 24 hours.

Expected Results:
1- Verify that the value of core_dumps is incremented by 1 for each new file created in /var/data/cores in less than 2 minutes, and that the file names appear in the log as well.
2- Verify that the total number of files created in the last 24 hours is reflected correctly, and that the names of the files added in the last 24 hours are in the log as well.

139. US5697: Verify ad_agent_configured is updated properly when AD Agent is configured in PRSM.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Enable AD Agent in the PRSM configuration.
2- View the contents of /var/log/cisco/monitord.log.

Expected Results:
Verify that the value of ad_agent_configured has changed to 1 from 0.

140. US5697: Verify num_ldap_realms reflects the number of LDAP Realms configured in PRSM.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Configure and enable an LDAP realm in PRSM.
2- View the contents of /var/log/cisco/monitord.log.
3- Try adding more LDAP realms in PRSM.

Expected Results:
1- Verify that the value of num_ldap_realms has changed to 1 from 0.
2- Verify that num_ldap_realms increments with each LDAP realm added.

141. US5697: Verify num_ad_realms reflects the number of AD Realms configured in PRSM.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Configure and enable a few AD realms in PRSM.
2- Add an AD realm in PRSM and view the contents of /var/log/cisco/monitord.log.
3- Remove the AD Realm in PRSM and view the contents of /var/log/cisco/monitord.log.

Expected Results:
1- Verify that the value of num_ad_realms changes to 1 in /var/log/cisco/monitord.log when an AD Realm is added in PRSM.
2- Verify that the value of num_ad_realms changes to 0 in /var/log/cisco/monitord.log when the AD Realm is removed in PRSM.

142. US5697: Verify num_sso_realms correctly reflects the total number of SSO Realms configured in PRSM.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Configure and enable an SSO Realm in PRSM.
2- Every time an SSO realm is added in PRSM, view the contents of /var/log/cisco/monitord.log.

Expected Results:
1- Every time an SSO realm is added in PRSM the value of num_sso_realms increments by 1.

143. US5697: Verify is_managed is updated properly in ASA-CX when joined to PRSM.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Install and configure an ASA-CX.
2- Join this ASA-CX box to the PRSM device.
3- On the ASA-CX box check the value of is_managed in the /var/log/cisco/monitord.log file.
4- Delete the ASA-CX device from PRSM.

Expected Results:
1- Verify that is_managed is equal to 1 when joined to PRSM.
2- Verify that the value is reduced to 0 when the ASA-CX is removed from PRSM.

144. US5697: Verify num_asacx_managed on a PRSM is updated properly when an ASA-CX joins the PRSM.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Configure and install an ASA-CX.
2- Install and configure a PRSM box and search the contents of the file /var/log/cisco/monitord.log for num_asacx_managed.
3- Join the ASA-CX to PRSM and search /var/log/cisco/monitord.log on the PRSM box.
4- Unjoin the ASA-CX from PRSM and search /var/log/cisco/monitord.log.

Expected Results:
1- Verify that num_asacx_managed on the PRSM box is 0 before adding the ASA-CX device.
2- Verify that num_asacx_managed on the PRSM box is incremented to 1 once a device is added to PRSM.
3- Verify that num_asacx_managed on PRSM increments each time a device is added.
4- Verify that num_asacx_managed on PRSM decrements each time a device is removed.

145. US5697: Verify num_asa_managed on a PRSM is updated properly with each ASA device added or removed.

Pre-requisite: as in test case 130 (select Standard (Full) under Administration > Network Participation and save/commit; add '-t' to Program_arguments in /cisco/heimdall/etc/monitord.conf and run heimdall_svc recycle monitord; set the Management Plane log level to Debug; run tail -F /var/log/cisco/monitord.log or search the file).

Procedure:
1- Install and configure a PRSM.
2- Check the value of num_asa_managed in the /var/log/cisco/monitord.log file.
3- Join an ASA device to the PRSM.
4- Join another device to the PRSM.
5- Remove the joined ASA devices from PRSM.

Expected Results:
1- Verify that the original value of num_asa_managed is 0, since there are no ASA devices being managed by PRSM.
2- Verify that the value of num_asa_managed is incremented by 1 with each ASA device added to PRSM.
3- Verify that the value of num_asa_managed is decremented by 1 each time an ASA device is removed from PRSM.
4- Verify that it works for both Spyker and Saleen ASAs.

236. US5697: Verify num_ha_asa on a PRSM is updated properly when ASA devices on HA are added to PRSM or removed.

Pre-requisite:
1-To allow telemetry to work, or to enable it, go to Administration, then Network Participation, select Standard (Full), click on Save and commit changes.
2-Edit the file /cisco/heimdall/etc/monitord.conf and add '-t' to the program arguments as such: Program_arguments = ['-t'] (this will enable telemetry to gather every minute instead of every day).
3-Save the file and run heimdall_svc recycle monitord.
4-Set the Management Plane log level to Debug.
5-Run tail -F /cisco/heimdall/etc/monitord.log or simply search the contents of the file.

Procedure:
1-Install and configure a PRSM device.
2-Check for the value of num_ha_asa. Before joining any devices to the PRSM check /var/log/cisco/monitord.log.
3-Set an ASA device to be HA and join it to PRSM.
4-Set another ASA device to be HA and join it to PRSM.
5-Start removing the ASA devices.

Expected Results:
1-Verify that the value of num_ha_asa is set to 0 when no ASA devices have joined the PRSM.
2-Verify that the value of num_ha_asa is incremented by 1 each time an ASA device is added to PRSM that is set to HA.
3-Verify that the value of num_ha_asa is decremented by 1 each time an ASA device is removed from PRSM that is set to HA.

237. US5697: Verify num_sc_asa on a PRSM is updated properly each time a single-context ASA device is added.

Pre-requisite:
1-To allow telemetry to work, or to enable it, go to Administration, then Network Participation, select Standard (Full), click on Save and commit changes.
2-Edit the file /cisco/heimdall/etc/monitord.conf and add '-t' to the program arguments as such: Program_arguments = ['-t'] (this will enable telemetry to gather every minute instead of every day).
3-Save the file and run heimdall_svc recycle monitord.
4-Set the Management Plane log level to Debug.
5-Run tail -F /cisco/heimdall/etc/monitord.log or simply search the contents of the file.

Procedure:
1-Install and configure a PRSM device.
2-Check for the value of num_sc_asa in /var/log/cisco/monitord.log.
3-Add a single-context ASA device to PRSM and check for the value of num_sc_asa in /var/log/cisco/monitord.log.
4-Unmanage the ASA device(s).

Expected Results:
1-The original value of num_sc_asa is equal to 0 when no single-context devices have been added to the PRSM.
2-Each time a single-context ASA device is joined to the PRSM the value of num_sc_asa is incremented by 1.
3-Verify that each time an ASA device is unmanaged that variable is reduced by 1.

238. US5697: Verify num_transparent_asa on a PRSM is updated properly when an ASA device is added that is in transparent mode.

Pre-requisite:
1-To allow telemetry to work, or to enable it, go to Administration, then Network Participation, select Standard (Full), click on Save and commit changes.
2-Edit the file /cisco/heimdall/etc/monitord.conf and add '-t' to the program arguments as such: Program_arguments = ['-t'] (this will enable telemetry to gather every minute instead of every day).
3-Save the file and run heimdall_svc recycle monitord.
4-Set the Management Plane log level to Debug.
5-Run tail -F /cisco/heimdall/etc/monitord.log or simply search the contents of the file.

Procedure:
1-Install a PRSM.
2-Check the contents of /var/log/cisco/monitord.log.
3-Check the value for num_transparent_asa.
4-Add ASA devices that are in transparent mode (up to three).
5-Remove the ASA devices.

Expected Results:
1-Verify that the initial value of num_transparent_asa is 0 when no ASA devices are added to PRSM that are in transparent mode.
2-Verify that the value of num_transparent_asa is incremented by 1 every time an ASA device is added to PRSM that is in transparent mode.
3-Verify that num_transparent_asa is decremented each time an ASA device is removed from PRSM that is in transparent mode.

239. US5697: Verify num_routed_asa is updated properly with the number of ASA devices added to PRSM that are in routed mode.

Pre-requisite:
1-To allow telemetry to work, or to enable it, go to Administration, then Network Participation, select Standard (Full), click on Save and commit changes.
2-Edit the file /cisco/heimdall/etc/monitord.conf and add '-t' to the program arguments as such: Program_arguments = ['-t'] (this will enable telemetry to gather every minute instead of every day).
3-Save the file and run heimdall_svc recycle monitord.
4-Set the Management Plane log level to Debug.
5-Run tail -F /cisco/heimdall/etc/monitord.log or simply search the contents of the file.

Procedure:
1-Install a PRSM.
2-Check the value of num_routed_asa in /var/log/cisco/monitord.log.
3-Add ASA devices to PRSM that are in routed mode (up to three).
4-Remove the ASA devices from PRSM that are in routed mode.

Expected Results:
1-Verify that the default value of num_routed_asa in /var/log/cisco/monitord.log is 0 originally when no ASA devices are connected to PRSM that are in routed mode.
2-Verify that the value of num_routed_asa in /var/log/cisco/monitord.log increments by 1 every time an ASA device is added to PRSM that is in routed mode.
3-Verify that the value of num_routed_asa in /var/log/cisco/monitord.log decrements by 1 every time an ASA device is removed from PRSM that is in routed mode.

240. US5697: Verify ui_config_version on PRSM is correct.

Pre-requisite:
1-To allow telemetry to work, or to enable it, go to Administration, then Network Participation, select Standard (Full), click on Save and commit changes.
2-Edit the file /cisco/heimdall/etc/monitord.conf and add '-t' to the program arguments as such: Program_arguments = ['-t'] (this will enable telemetry to gather every minute instead of every day).
3-Save the file and run heimdall_svc recycle monitord.
4-Set the Management Plane log level to Debug.
5-Run tail -F /cisco/heimdall/etc/monitord.log or simply search the contents of the file.

Procedure:
1-On a PRSM check for the value of ui_config in /var/log/cisco/monitord.log.
2-Make some changes, for example add a policy.
3-Check the value of ui_config again.

Expected Results:
1-The value of ui_config is incremented every time a change is made to the database in PRSM.

241. US5697: Verify core_dumps on a PRSM is updated properly when a new core dump is created and after the passage of 24 hours.

Pre-requisite:
1-To allow telemetry to work, or to enable it, go to Administration, then Network Participation, select Standard (Full), click on Save and commit changes.
2-Edit the file /cisco/heimdall/etc/monitord.conf and add '-t' to the program arguments as such: Program_arguments = ['-t'] (this will enable telemetry to gather every minute instead of every day).
3-Save the file and run heimdall_svc recycle monitord.
4-Set the Management Plane log level to Debug.
5-Run tail -F /cisco/heimdall/etc/monitord.log or simply search the contents of the file.

Procedure:
1-Install an ASA-CX and navigate to the /var/log/cisco/monitord.log file.
2-Check the value of core_dumps in monitord.log.
3-Navigate to /var/data/cores, create several files and observe the log.
4-Observe the log after 24 hours.

Expected Results:
1-Verify that the value of core_dumps will be incremented by 1 each time a new file is created in /var/data/cores, in less than 2 minutes, and that the names of the files will be in the log as well.
2-Verify that the total number of files created in the last 24 hours is reflected correctly and that the names of the files added in the last 24 hours are in the log as well.
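The telemetry counter cases above (num_asacx_managed through num_routed_asa and ui_config) all follow one pattern: read the counter from /var/log/cisco/monitord.log, join or unmanage a device, and confirm the counter moved by exactly one in the right direction and never went negative. The script below is an added example, not code from this test plan or from Cisco, that automates that comparison over the log text. The real monitord.log layout is not described in the plan, so the one-snapshot-per-line key=value format matched by PAIR_RE and the SAMPLE_LOG lines are constructed assumptions; the names parse_snapshot, counter_history and check_counter are the example's own.

```python
import re
from typing import Dict, List

# One telemetry snapshot per line, key=value pairs after the timestamp.
# This layout is an ASSUMPTION for the example; adapt PAIR_RE to the real file.
PAIR_RE = re.compile(r"\b(\w+)=(-?\d+)\b")

# Constructed sample of what grepping /var/log/cisco/monitord.log for the
# telemetry lines might return across five one-minute runs (not real output).
SAMPLE_LOG = """\
2013-10-15 03:40:01 DEBUG monitord telemetry num_asacx_managed=0 num_asa_managed=0 num_ha_asa=0
2013-10-15 03:41:01 DEBUG monitord telemetry num_asacx_managed=1 num_asa_managed=0 num_ha_asa=0
2013-10-15 03:42:01 DEBUG monitord telemetry num_asacx_managed=1 num_asa_managed=1 num_ha_asa=1
2013-10-15 03:43:01 DEBUG monitord telemetry num_asacx_managed=0 num_asa_managed=1 num_ha_asa=1
2013-10-15 03:44:01 DEBUG monitord telemetry num_asacx_managed=0 num_asa_managed=0 num_ha_asa=0
""".splitlines()

# What the tester did between two consecutive snapshots, and the change it must cause.
DELTA = {"add": 1, "remove": -1, "none": 0}


def parse_snapshot(line: str) -> Dict[str, int]:
    """Integer counters reported on one telemetry line."""
    return {key: int(value) for key, value in PAIR_RE.findall(line)}


def telemetry_keys(lines: List[str]) -> set:
    """Every counter name that appears anywhere in the log."""
    keys = set()
    for line in lines:
        keys.update(parse_snapshot(line))
    return keys


def counter_history(lines: List[str], counter: str) -> List[int]:
    """Values of one counter across the snapshots that report it, in log order."""
    return [snap[counter] for snap in map(parse_snapshot, lines) if counter in snap]


def check_counter(lines: List[str], counter: str, events: List[str]) -> List[str]:
    """Compare a counter's history with the add/remove actions of the test.

    events[i] says what happened between snapshot i and i+1: "add" (a device
    was joined), "remove" (a device was unmanaged) or "none".  Returns a list
    of findings; an empty list means the counter behaved as the test expects.
    """
    history = counter_history(lines, counter)
    findings = []
    if not history:
        return [f"{counter}: never reported"]
    if history[0] != 0:
        findings.append(f"{counter}: initial value {history[0]}, expected 0")
    if len(history) != len(events) + 1:
        return findings + [f"{counter}: {len(history)} snapshots for {len(events)} events"]
    for i, event in enumerate(events):
        before, after = history[i], history[i + 1]
        if after < 0:
            findings.append(f"{counter}: negative value {after} at snapshot {i + 1}")
        if after - before != DELTA[event]:
            findings.append(f"{counter}: {before} -> {after} after '{event}', "
                            f"expected {before + DELTA[event]}")
    return findings


if __name__ == "__main__":
    # The third run deliberately records a drop with no remove action, so it fails.
    for name, events in [("num_asacx_managed", ["add", "none", "remove", "none"]),
                         ("num_asa_managed", ["none", "add", "none", "remove"]),
                         ("num_ha_asa", ["none", "add", "none", "none"])]:
        print(name, check_counter(SAMPLE_LOG, name, events) or "OK")
```

Feed it the real lines with `SAMPLE_LOG = open("/var/log/cisco/monitord.log").read().splitlines()` after adjusting PAIR_RE to the actual line format; the events list is written down while executing the procedure so that the check documents exactly which step each counter change belongs to.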

242. US5697: Verify is_managed does not exist on PRSM.

Pre-requisite:
1-To allow telemetry to work, or to enable it, go to Administration, then Network Participation, select Standard (Full), click on Save and commit changes.
2-Edit the file /cisco/heimdall/etc/monitord.conf and add '-t' to the program arguments as such: Program_arguments = ['-t'] (this will enable telemetry to gather every minute instead of every day).
3-Save the file and run heimdall_svc recycle monitord.
4-Set the Management Plane log level to Debug.
5-Run tail -F /cisco/heimdall/etc/monitord.log or simply search the contents of the file.

Procedure:
1-On a PRSM box that has ASA or ASA-CX devices added, check the /var/log/cisco/monitord.log file.
2-Join an ASA-CX box to the PRSM device and check for the is_managed value in the /var/log/cisco/monitord.log file.
3-Delete the ASA-CX device from PRSM.

Expected Results:
1-Verify that is_managed does not exist on the PRSM box after steps 1, 2 and 3.

243. Verify threat protection with Global Profile.

Procedure Steps:
1. If necessary, clear config on the ASA-CX, so that only default threat protection is present (global threat profile active for the device, set to the Default Threat Profile).
2. Use wireplay to play several PCAPs, some with a threat score greater than 70, some with a threat score less than 40, and some with a threat score between 40 and 70.

Expected Results:
1-2. No changes.
For PCAPs with a threat score less than 40, traffic is allowed, traffic appears in the Context Aware Events tab but not in the Threat Protection Events tab, Threat Protection section, and threats don't appear in the Dashboard.
For PCAPs with a threat score between 40 and 70, traffic is allowed, threats appear in the Context Aware Events tab, Threat Protection section, and in the Dashboard.
For PCAPs with a threat score greater than 70, traffic is denied, threats appear in the Context Aware Events tab, Threat Protection section, and in the Dashboard.
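The expected results of the Global Profile case above define three score bands with a different action and UI visibility each. The snippet below, an added example that is not part of this test plan or of Cisco's code, encodes those bands as a test oracle and compares a run's observations against it, so that a PCAP that was allowed with a score above 70 is reported instead of overlooked. The plan does not say which band the boundary values 40 and 70 themselves fall into; placing both in the middle band is an assumption of this example, as are the Observed records in SAMPLE_RUN and the function names expected_outcome and check_observations.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Places in the UI where a threat can surface, per the test case.
CONTEXT_AWARE = "context_aware_events"
THREAT_PROTECTION = "threat_protection_section"
DASHBOARD = "dashboard"
ALL_VIEWS = frozenset({CONTEXT_AWARE, THREAT_PROTECTION, DASHBOARD})


@dataclass(frozen=True)
class Expected:
    action: str               # "allow" or "deny"
    seen_in: FrozenSet[str]   # UI locations where the traffic/threat must appear


def expected_outcome(score: int) -> Expected:
    """Expected handling under the default Global threat profile.

    Bands from the test case: below 40 allowed and visible only in Context
    Aware Events; 40-70 allowed and visible everywhere; above 70 denied.
    ASSUMPTION: 40 and 70 themselves count as the middle band, i.e. denial
    starts strictly above 70.
    """
    if score < 40:
        return Expected("allow", frozenset({CONTEXT_AWARE}))
    if score <= 70:
        return Expected("allow", ALL_VIEWS)
    return Expected("deny", ALL_VIEWS)


@dataclass(frozen=True)
class Observed:
    pcap: str
    score: int
    action: str
    seen_in: FrozenSet[str]


def check_observations(observations: Iterable[Observed]) -> List[str]:
    """One finding per observation that deviates from expected_outcome()."""
    findings = []
    for obs in observations:
        exp = expected_outcome(obs.score)
        if obs.action != exp.action:
            findings.append(f"{obs.pcap} (score {obs.score}): action {obs.action}, "
                            f"expected {exp.action}")
        missing = exp.seen_in - obs.seen_in
        extra = obs.seen_in - exp.seen_in
        if missing:
            findings.append(f"{obs.pcap}: not shown in {sorted(missing)}")
        if extra:
            findings.append(f"{obs.pcap}: unexpectedly shown in {sorted(extra)}")
    return findings


# Constructed observations (not real event viewer output); the last record is
# deliberately wrong to show what a failed run looks like.
SAMPLE_RUN = [
    Observed("low-score.pcap", 25, "allow", frozenset({CONTEXT_AWARE})),
    Observed("mid-score.pcap", 55, "allow", ALL_VIEWS),
    Observed("high-score.pcap", 85, "deny", ALL_VIEWS),
    Observed("leak.pcap", 85, "allow", ALL_VIEWS),
]

if __name__ == "__main__":
    for finding in check_observations(SAMPLE_RUN) or ["all observations match"]:
        print(finding)
```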

244. Verify the functionality of threat protection.

Procedure:
Create a threat profile object, say Block Threat Profile, with the slider bars set to 0 (all the way to the right). In the Advanced Threat Settings section, select a threat (for eg. Microsoft Internet Explorer HTML Form Value Handling Denial of Service Vulnerability) and select an action (eg. Alert) for it. Configure an access policy and attach the above threat profile to the access policy. Send a pcap such as 1052-0.pcap, which generates the above mentioned threat (Microsoft Internet Explorer HTML Form Value Handling Denial of Service Vulnerability), thru the box. Send another pcap such as 15175-0.pcap thru the box. Refer to the wiki http://wikicentral.cisco.com/display/PROJECT/Excalibur+QA+Information for a detailed list of all the pcaps (HTTP and non HTTP) and their corresponding threats and/or port information.

Expected Results:
Verify that traffic is allowed and a corresponding Info event gets generated in the Threat Protection tab of the event viewer, and that the corresponding threat protection and Dashboard reports are accurately populated. Verify that the traffic is denied and a corresponding Deny event gets generated in the Threat Protection tab of the event viewer with information such as threat score and threat name. Verify the Threat Protection and Dashboard reports are appropriately populated.

245. US7590: Verify that the Threat list appears when going to Components and then Threats.

Procedure:
1-Install and configure an ASA-CX.
2-Navigate to Components and then Threats.
3-Hover over the Threats.
4-Scroll down as far as possible.
5-Enter a criteria for search in the Filter textbox.
6-Repeat the same test for PRSM with and without an ASA-CX managed.

Expected Results:
1-Verify that a list of threats will appear.
2-Verify that to the right of each threat a Reference and a desc/reference will appear for each threat as per the taxonomy doc.
3-Once you hover over a threat, Read More and Go to information site appear. Clicking on the links will send you to the proper website. Once you click on the links they will open in a new browser window/popup.
4-The scroll bar is infinite, i.e. new threats appear as you scroll down to the last one.
5-The list of threats will appear with the filter criteria.
6-Results are the same for PRSM as with ASA-CX unmanaged.

246. US7595: Verify that after recycling the VPS doesn't break any processes; all components work properly after recycle.

Pre-requisite:
1-Make sure the build has the new velocity library to support VPS.

Procedure:
1-Run the top command. Note the value of the PID for VPS. Also run ps ax | grep [v]ps or do a pidof vps.
2-Start putty sessions and run a tail -F command for the following log files: /var/log/cisco/vps.log and /var/log/cisco/heimdall.log, and also open them in vim or vi.
3-Set the data-plane logging level to DEBUG.
4-In a putty session to the ASA-CX type heimdall_svc recycle vps.
5-In another putty session run the lsmod command and make sure cpp_base is there after recycle (very important).

Expected Results:
1-In the putty session the PID of VPS should change. This means the old process was killed and a new process was created.
2-Search for SIGKILL, SIGQUIT and VPS in the heimdall file. There shouldn't be any sigkills or sigquits for VPS in the heimdall.log file. Also look for any error messages that might be related to this process.
3-In the VPS.log file make sure it is running the loop every second and there are no related error messages. Look in the logs vps.log and heimdall.log and make sure vps went down and came up cleanly.
4-Verify that VPS comes up properly and there are no errors or core files created due to the recycle.

247. Verify performance when the threat protection feature is disabled (Monocle and Sherlock).

Procedure:
Load the Peregrine/Raptor (REL) image under test and run the Breakingpoint performance test using EMIX traffic (EMIX600 test) on a Spyker A or B. Repeat on a Saleen.

Expected Results:
Verify that the EMIX performance number with threat protection disabled is within 10% of the corresponding Torino or Barbary image. Per Ranjan, this number is 3.7G for Spyker A and 6.7G for Spyker B. Saleen numbers can be found at http://wikicentral.cisco.com/display/TORINO/QA+Performance+Tracking+Page+-+Saleen.
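The VPS recycle case (US7595) above asks the tester to compare the VPS PID before and after heimdall_svc recycle vps, confirm cpp_base is still listed by lsmod, and confirm heimdall.log shows no SIGKILL or SIGQUIT for VPS. The script below is an added example, not code from this test plan or from Cisco, that performs those three checks as pure functions over the command output and log text, so they can be tried offline first; main() then wires them to the commands named in the procedure (pidof, heimdall_svc recycle vps, lsmod) for a live run on the device. SAMPLE_HEIMDALL_LOG and SAMPLE_LSMOD are constructed stand-ins, the heimdall.log line wording is assumed, and the function names are the example's own.

```python
import re
import subprocess
import time
from typing import List, Optional

# Constructed excerpts standing in for /var/log/cisco/heimdall.log and the
# output of lsmod; they are NOT real device output and the wording is assumed.
SAMPLE_HEIMDALL_LOG = """\
2013-10-15 03:49:52 INFO heimdall: recycle requested for vps
2013-10-15 03:49:52 INFO heimdall: sending SIGTERM to vps (pid 4242)
2013-10-15 03:49:55 INFO heimdall: vps exited cleanly
2013-10-15 03:49:56 INFO heimdall: started vps (pid 4311)
2013-10-15 03:49:58 WARN heimdall: sent SIGKILL to updater_connector (pid 3999)
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
cpp_base              123456  2
ipv6                  334567  10
"""


def pid_changed(before: Optional[int], after: Optional[int]) -> bool:
    """A clean recycle needs a process before, a process after, and different PIDs."""
    return before is not None and after is not None and before != after


def module_loaded(lsmod_output: str, name: str) -> bool:
    """True if `name` is in the first column of lsmod output (header line skipped)."""
    rows = [line.split() for line in lsmod_output.splitlines()[1:]]
    return any(row and row[0] == name for row in rows)


def vps_hard_kills(heimdall_log: str) -> List[str]:
    """heimdall.log lines where VPS received SIGKILL or SIGQUIT (expected: none)."""
    signal_re = re.compile(r"SIG(KILL|QUIT)", re.IGNORECASE)
    vps_re = re.compile(r"\bvps\b", re.IGNORECASE)
    return [line for line in heimdall_log.splitlines()
            if signal_re.search(line) and vps_re.search(line)]


def recycle_findings(pid_before: Optional[int], pid_after: Optional[int],
                     lsmod_output: str, heimdall_log: str) -> List[str]:
    """Everything the expected results ask for; an empty list means the recycle was clean."""
    findings = []
    if not pid_changed(pid_before, pid_after):
        findings.append(f"VPS PID did not change cleanly ({pid_before} -> {pid_after})")
    if not module_loaded(lsmod_output, "cpp_base"):
        findings.append("cpp_base kernel module missing after recycle")
    findings += [f"hard kill of VPS: {line}" for line in vps_hard_kills(heimdall_log)]
    return findings


def pidof(name: str) -> Optional[int]:
    """PID of a running process via pidof, or None when it is not running."""
    result = subprocess.run(["pidof", name], capture_output=True, text=True)
    return int(result.stdout.split()[0]) if result.stdout.strip() else None


def main() -> None:
    """Live run on the ASA-CX using the commands from the procedure above."""
    before = pidof("vps")
    subprocess.run(["heimdall_svc", "recycle", "vps"], check=True)
    after = None
    for _ in range(30):                 # give VPS up to 30 s to come back
        after = pidof("vps")
        if after is not None and after != before:
            break
        time.sleep(1)
    lsmod = subprocess.run(["lsmod"], capture_output=True, text=True).stdout
    with open("/var/log/cisco/heimdall.log") as fh:
        log = fh.read()
    for finding in recycle_findings(before, after, lsmod, log) or ["recycle looks clean"]:
        print(finding)


if __name__ == "__main__":
    main()
```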

248. Verify the functionality of good reputation updates on a stand alone CX device.

Procedure:
Configure a threat profile object and attach the created threat profile to an access policy. Ensure that a file containing a black list of ip's is present at the location /var/data/updater2/drop. Send some traffic thru the box, such that the originating/source ip is from the list of blacklisted ip's. Shutdown updater (using the CLI, "heimdall_svc down updater_connector") and update the system. Start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box again.

Expected Results:
Verify that the traffic gets blocked and corresponding deny events can be seen in the event viewer. Verify that all the other traffic (not originating from the black listed ip) gets allowed. Validate that the new update is downloaded and applied properly. Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the updater UI (Configurations>>Updates) shows the version and timestamps correctly. Validate that after the update, traffic that was blocked earlier still gets blocked and corresponding deny events can be seen in the event viewer. Verify that all the other traffic (not originating from the black listed ip) gets allowed. Ensure that the user can send some more traffic thru the box such that the originating/source ip is from the newly added ip's in the blacklist and gets blocked.

249. Verify whether reputation update will continue to apply after the ASA-CX device reboots/reloads in the middle of the update process.

Procedure:
Repeat test steps 1-5 in test case 1. Reload/Restart the device. Once the device comes up and becomes operational, send some traffic thru the box.

Expected Results:
Verify that the traffic gets blocked and corresponding deny events can be seen in the event viewer. Verify that all the other traffic (not originating from the black listed ip) gets allowed. Validate that the new update is downloaded and applied properly after the device comes up and becomes operational. Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the updater UI (Configurations>>Updates) shows the version and timestamps correctly. Validate that after the update, traffic that was blocked earlier still gets blocked and corresponding deny events can be seen in the event viewer. Verify that all the other traffic (not originating from the black listed ip) gets allowed. Ensure that the user can send some more traffic thru the box such that the originating/source ip is from the newly added ip's in the blacklist and gets blocked.

250. Verify the functionality of good reputation updates on a managed ASA-CX device.

Procedure:
· Log into SMX, and discover an ASA-CX device in SMX/PRSM.
· Configure a threat profile object and attach the created threat profile to an access policy.
· Send some traffic thru the box, such that the originating/source ip is from the list of blacklisted ip's.
· Shutdown updater (using the CLI, "heimdall_svc down updater_connector") and update the system.
· Start updater again (using the CLI "heimdall_svc up updater_connector").
· Send some traffic thru the managed ASA-CX again.

Expected Results:
· Verify that the traffic gets blocked and corresponding deny events can be seen in the PRSM event viewer.
· Verify that all the other traffic (not originating from the black listed ip) gets allowed.
· Validate that the new update is downloaded and applied properly.
· Verify that a corresponding system event gets generated and can be seen in the PRSM event viewer.
· Verify that the updater UI (Configurations>>Updates) shows the version and timestamps correctly.
· Validate that after the update, traffic that was blocked earlier still gets blocked and corresponding deny events can be seen in the event viewer.
· Verify that all the other traffic (not originating from the black listed ip) gets allowed.
· Ensure that the user can send some more traffic thru the box such that the originating/source ip is from the newly added ip's in the blacklist and gets blocked.

251. Verify whether reputation update will continue to apply after PRSM reboots/reloads in the middle of the update process.

Procedure:
· Repeat test steps 1-6 in test case 4.
· Reload/Restart the PRSM.
· Once PRSM/SMX comes up and becomes operational, send some traffic thru the managed ASA-CX.

Expected Results:
· Verify that the traffic gets blocked and corresponding deny events can be seen in the event viewer.
· Verify that all the other traffic (not originating from the black listed ip) gets allowed.
· Validate that the new update is downloaded and applied properly after PRSM comes up and the managed ASA-CX becomes operational.
· Verify that a corresponding system event gets generated and can be seen in the event viewer.
· Verify that the updater UI (Configurations>>Updates) shows the version and timestamps correctly.
· Validate that after the update, traffic that was blocked earlier still gets blocked and corresponding deny events can be seen in the PRSM event viewer.
· Verify that all the other traffic (not originating from the black listed ip) gets allowed.
· Ensure that the user can send some more traffic thru the box such that the originating/source ip is from the newly added ip's in the blacklist and gets blocked.
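The four reputation update cases above share one oracle: traffic whose source address is in the drop list at /var/data/updater2/drop must be denied, everything else allowed, and after the update the newly added entries must be denied as well. The script below is an added example, not code from this test plan or from Cisco, that loads a drop list, derives the expected action for a source IP, and reports every event viewer observation that contradicts it, both before and after the update. The plan only says the file lists blacklisted IPs, so the one-address-or-CIDR-per-line format with '#' comments is an assumption of this example, as are the INITIAL_DROP_LIST, UPDATE_DROP_LIST and event samples (all constructed from documentation address ranges) and the function names load_drop_list, expected_action, check_events and run_scenario.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed contents of a reputation drop list. The format (one IPv4 address
# or CIDR block per line, '#' comments allowed) is an ASSUMPTION for this
# example; the test plan only says the file holds blacklisted IPs.
INITIAL_DROP_LIST = """\
# constructed sample drop list (documentation ranges, not real reputation data)
198.51.100.7
203.0.113.0/24
"""
# Entries the applied update is assumed to add to the drop list.
UPDATE_DROP_LIST = """\
192.0.2.77
"""


def load_drop_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the drop list into networks; a bare address becomes a /32."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def expected_action(src_ip: str, drop: Iterable[ipaddress.IPv4Network]) -> str:
    """Traffic from a blacklisted source must be denied, everything else allowed."""
    addr = ipaddress.ip_address(src_ip)
    return "deny" if any(addr in net for net in drop) else "allow"


def check_events(events: Iterable[Tuple[str, str]],
                 drop: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Compare observed (src_ip, action) pairs from the event viewer with the oracle."""
    drop = list(drop)
    return [f"{src}: observed {seen}, expected {expected_action(src, drop)}"
            for src, seen in events if seen != expected_action(src, drop)]


# Constructed event viewer observations for the traffic sent before and after
# the update; 192.0.2.77 is only blacklisted once the update has been applied.
BEFORE_UPDATE = [("198.51.100.7", "deny"), ("203.0.113.42", "deny"),
                 ("192.0.2.77", "allow"), ("10.1.1.1", "allow")]
AFTER_UPDATE = [("198.51.100.7", "deny"), ("203.0.113.42", "deny"),
                ("192.0.2.77", "deny"), ("10.1.1.1", "allow")]


def run_scenario() -> Tuple[List[str], List[str]]:
    """Findings for the before/after phases; two empty lists mean the update behaved."""
    old = load_drop_list(INITIAL_DROP_LIST)
    new = load_drop_list(INITIAL_DROP_LIST + UPDATE_DROP_LIST)
    return check_events(BEFORE_UPDATE, old), check_events(AFTER_UPDATE, new)


if __name__ == "__main__":
    before, after = run_scenario()
    print("before update:", before or "OK")
    print("after update:", after or "OK")
```

On a real run, replace the constructed strings with the contents of /var/data/updater2/drop read before and after the update, and the event tuples with the source address and action exported from the event viewer; comparing against the post-update list while feeding pre-update events is a quick way to see which new entries the update introduced.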

252. Verify that sas telemetry data gets collected when telemetry is enabled and the Standard (recommended) option is selected on an unmanaged ASA-CX device.

Procedure:
Open a browser with the ip address of the device. Navigate to Administration>Network participation, click on the option Yes to enable Cisco network participation. Select the participation level as Standard (recommended), click on save and commit the changes. Send some traffic thru the box. Log into the backend FBNP server (i.e. SSH to bastion1.vega.ironport.com and from there ssh to qafbnp-app002.sfo.cloud.ironport.com) and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log. Check the logs in the /data/ironport/phonehomelogs/ directory.

Expected Results:
Verify that a log level message indicating that the SAS endpoint is registered with the SIGN Up client is seen in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file). Verify that sas telemetry data is collected and is accurate in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file). Verify that this phone home log provides the info on who made a connection and whether the telemetry package received can be authenticated and decoded successfully. Verify that this directory contains the actual telemetry packet that was sent from the ASA-CX device and verify that each packet has the appropriate and accurate SAS telemetry data, just as seen in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file).

253. Verify that sas telemetry data gets collected when telemetry is enabled and the Limited option is selected for telemetry on an unmanaged ASA-CX device.

Procedure:
Repeat test steps 1-3 in test case 1. Select the participation level as Limited, click on save and commit the changes. Send some traffic thru the box. Log into the backend FBNP server (i.e. SSH to bastion1.vega.ironport.com and from there ssh to qafbnp-app002.sfo.cloud.ironport.com) and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log. Check the logs in the /data/ironport/phonehomelogs/ directory.

Expected Results:
Verify that a log level message indicating that the SAS endpoint is registered with the SIGN Up client is seen in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file). Verify that sas telemetry data is collected and is accurate in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file). Verify that this phone home log provides the info on who made a connection and whether the telemetry package received can be authenticated and decoded successfully. Verify that this directory contains the actual telemetry packet that was sent from the ASA-CX device and verify that each packet has the appropriate and accurate SAS telemetry data, just as seen in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file).

254. Verify that sas telemetry data does not get collected when telemetry is disabled on an unmanaged ASA-CX device.

Procedure:
Open a browser with the ip address of the device. Navigate to Administration>Network participation, click on the option No to disable Cisco network participation/telemetry. Click on save and commit the changes. Configure a threat profile object and attach the created threat profile to an access policy. Send some traffic thru the box. Log into the backend FBNP server (i.e. SSH to bastion1.vega.ironport.com and from there ssh to qafbnp-app002.sfo.cloud.ironport.com) and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log. Check the logs in the /data/ironport/phonehomelogs/ directory.

Expected Results:
Verify that no log level message indicating that the SAS endpoint is registered with the SIGN Up client is seen in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file). Verify that no sas telemetry data is collected in the ASA-CX SIGN Up client logs (in the /var/log/cisco/signup.log file). Verify that this directory does not contain any telemetry packet sent from the ASA-CX device.

255. Verify that sas telemetry data gets collected when telemetry is enabled and the Standard (recommended) option is selected in an ASA-CX device managed by PRSM.

Procedure:
· Log into SMX, and discover an ASA-CX device in SMX/PRSM.
· Configure a threat profile object and attach the created threat profile to an access policy in PRSM.
· Navigate to Administration>Network participation, click on the option Yes to enable Cisco network participation.
· Select the participation level as Standard (recommended), click on save and commit the changes.
· Send some traffic thru the managed ASA-CX.
· Log into the backend FBNP server (i.e. SSH to bastion1.vega.ironport.com and from there ssh to qa-fbnp-app002.sfo.cloud.ironport.com) and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log.
· Check the logs in the /data/ironport/phonehomelogs/ directory.

Expected Results:
· Verify that a log level message indicating that the SAS endpoint is registered with the SIGN Up client is seen in the PRSM SIGN Up client logs (in the /var/log/cisco/signup.log file).
· Verify that sas telemetry data is collected and is accurate in the PRSM SIGN Up client logs (in the /var/log/cisco/signup.log file).
· Verify that this phone home log provides the info on who made a connection and whether the telemetry package received can be authenticated and decoded successfully.
· Verify that this directory contains the actual telemetry packet that was sent from the managed ASA-CX device and verify that each packet has the appropriate and accurate SAS telemetry data, just as seen in the PRSM SIGN Up client logs (in the /var/log/cisco/signup.log file).

256. Verify that sas telemetry data gets collected when telemetry is enabled and the Limited option is selected for telemetry in an ASA-CX device managed by PRSM.

Procedure:
· Repeat test steps 1-3 in test case 4.
· Select the participation level as Limited, click on save and commit the changes.
· Send some traffic thru the managed ASA-CX.
· Log into the backend FBNP server (i.e. SSH to bastion1.vega.ironport.com and from there ssh to qa-fbnp-app002.sfo.cloud.ironport.com) and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log.
· Check the logs in the /data/ironport/phonehomelogs/ directory.

Expected Results:
· Verify that a log level message indicating that the SAS endpoint is registered with the SIGN Up client is seen in the PRSM SIGN Up client logs (in the /var/log/cisco/signup.log file).
· Verify that sas telemetry data is collected and is accurate in the PRSM SIGN Up client logs (in the /var/log/cisco/signup.log file).
· Verify that this phone home log provides the info on who made a connection and whether the telemetry package received can be authenticated and decoded successfully.
· Verify that this directory contains the actual telemetry packet that was sent from the managed ASA-CX device and verify that each packet has the appropriate and accurate SAS telemetry data, just as seen in the PRSM SIGN Up client logs (in the /var/log/cisco/signup.log file).

257. Verify that sas telemetry data does not get collected when telemetry is disabled in an ASA-CX device managed by PRSM.

Procedure:
· Log into SMX, and discover an ASA-CX device in SMX/PRSM.
· Configure a threat profile object and attach the created threat profile to an access policy in PRSM.
· Navigate to Administration>Network participation, click on the option No to disable Cisco network participation/telemetry.
· Click on save and commit the changes.
· Send some traffic thru the managed ASA-CX.
· Log into the backend FBNP server (i.e. SSH to bastion1.vega.ironport.com and from there ssh to qa-fbnp-app002.sfo.cloud.ironport.com) and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log.
· Check the logs in the /data/ironport/phonehomelogs/ directory.

Expected Results:
· Verify that no log level message indicating that the SAS endpoint is registered with the SIGN Up client is seen in the managed ASA-CX/PRSM SIGN Up client logs (in the /var/log/cisco/signup.log file).
· Verify that no sas telemetry data is collected in the managed ASA-CX/PRSM SIGN Up client logs (in the /var/log/cisco/signup.log file).
· Verify that this directory does not contain any telemetry packet sent from the managed ASA-CX device.

258. Verify the functionality of good velocity updates on a stand alone CX device.

Procedure:
Configure a threat profile object and attach the created threat profile to an access policy. Send some traffic thru the box. Shutdown updater (using the CLI, "heimdall_svc down updater_connector") and update the system. Start updater again (using the CLI "heimdall_svc up updater_connector"). Send some traffic thru the box again.

Expected Results:
Verify that threats get detected and corresponding events are seen in the event viewer. Validate that the new update is downloaded and applied properly. Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the updater UI (Configurations>>Updates), specifically tp engine, shows the version and timestamps correctly. Ensure that the VPS process gets recycled by the updater from the vps log (located at /var/log/cisco/vps.log) and the version in the test update package is seen in the log after vps is recycled. Validate that after the update, threats still get detected and corresponding events can be seen in the event viewer.

259. Verify whether velocity update will continue to apply after the ASA-CX device reboots/reloads in the middle of the update process.

Procedure:
Repeat test steps 1-4 in test case 1. Reload/Restart the device. Once the device comes up and becomes operational, send some traffic thru the box.

Expected Results:
Verify that threats get detected and corresponding events are seen in the event viewer. Validate that the new update is downloaded and applied properly after the device comes up and becomes operational. Verify that a corresponding system event gets generated and can be seen in the event viewer. Verify that the updater UI (Configurations>>Updates), specifically tp engine, shows the version and timestamps correctly. Ensure that the VPS process gets recycled by the updater from the vps log (located at /var/log/cisco/vps.log) and the version in the test update package is seen in the log after vps is recycled. Validate that after the update, threats still get detected and corresponding events can be seen in the event viewer.


260. Verify the functionality of velocity update and make sure that it fails to apply and rolls back successfully on a stand-alone CX device.

Procedure:
· Repeat test steps 1-4 in test case 1.
· Send some traffic thru the box again.

Expected Results:
· Verify that threats get detected and corresponding events are seen in the event viewer.
· Validate that the new update fails to apply and gets rolled back to the old version successfully.
· Verify that a corresponding system event gets generated and can be seen in the event viewer.
· Verify that the updater UI (Configurations>>Updates), specifically tp engine, shows the version and timestamps correctly.
· Ensure that the VPS process gets recycled by the updater from the vps log (located at /var/log/cisco/vps.log) and the version in the test update package is seen in the log after vps is recycled.
· Validate that after the failed update and rollback, threats still get detected and corresponding events can be seen in the event viewer.


261. Verify the functionality of good velocity updates on a managed ASA-CX device.

Procedure:
· Log into SMX, and discover an ASA-CX device in SMX/PRSM.
· Configure a threat profile object and attach the created threat profile to an access policy.
· Send some traffic through the box.
· Shut down the updater (using the CLI, "heimdall_svc down updater_connector") and update the system.
· Start the updater again (using the CLI "heimdall_svc up updater_connector").
· Send some traffic through the managed ASA-CX again.

Expected Results:
· Verify that threats get detected and corresponding events can be seen in the PRSM event viewer.
· Validate that the new update is downloaded and applied properly.
· Verify that a corresponding system event gets generated and can be seen in the PRSM event viewer.
· Verify that the updater UI (Configurations>>Updates), specifically tp engine, shows the version and timestamps correctly.
· Ensure that the VPS process gets recycled by the updater (check the vps log at /var/log/cisco/vps.log) and that the version in the test update package is seen in the log after vps is recycled.
· Validate that after the update, threats still get detected and corresponding events can be seen in the PRSM event viewer.


262. Verify whether velocity update will continue to apply after PRSM reboots/reloads in the middle of the update process.

Procedure:
· Repeat test steps 1-5 in test case 4.
· Reload/Restart the PRSM.
· Once PRSM/SMX comes up and becomes operational, send some traffic through the managed ASA-CX.

Expected Results:
· Verify that threats get detected and corresponding events can be seen in the PRSM event viewer.
· Validate that the new update is downloaded and applied properly after PRSM comes up and the managed ASA-CX becomes operational.
· Verify that a corresponding system event gets generated and can be seen in the PRSM event viewer.
· Verify that the updater UI (Configurations>>Updates), specifically tp engine, shows the version and timestamps correctly.
· Ensure that the VPS process gets recycled by the updater (check the vps log at /var/log/cisco/vps.log) and that the version in the test update package is seen in the log after vps is recycled.
· Validate that after the update, threats still get detected and corresponding events can be seen in the PRSM event viewer.

263. Verify the functionality of velocity update and make sure that it fails to apply and rolls back successfully on a managed ASA-CX device.

Procedure:
· Repeat test steps 1-5 in test case 4.
· Send some traffic through the managed ASA-CX device again.

Expected Results:
· Verify that threats get detected and corresponding events can be seen in the PRSM event viewer.
· Validate that the new update fails to apply on PRSM and gets rolled back to the old version successfully.
· Verify that a corresponding system event gets generated and can be seen in the PRSM event viewer.
· Verify that the updater UI (Configurations>>Updates), specifically tp engine, shows the version and timestamps correctly.
· Ensure that the VPS process gets recycled by the updater (check the vps log at /var/log/cisco/vps.log) and that the version in the test update package is seen in the log after vps is recycled.
· Validate that after the failed update, threats still get detected and corresponding events can be seen in the PRSM event viewer.

264. Verify File Filtering of downloads, improved MIME-type handling. Verify that all file types can be blocked from downloading.

Procedure:
1. Create a new File Filtering Profile which blocks downloads of a particular file type/subtype (e.g. audio/mp3). Create an any/any access policy (with allow action) and select the File Filtering Profile you created. Attempt to download a file of that type from a web site, or use a file sharing website like FileDropper to download. (Note that if you use Dropbox, you need to have encryption enabled & a decryption policy in place.) Attempt to download other files of the same type but of a different subtype (e.g. audio/wav), as well as other type/subtypes (which should be allowed, if not blocked).
2. Create a new object that blocks downloads of all subtypes within a type (e.g. audio/*) & modify the access policy to use that profile. Try to download a few subtypes within that type.
3. Edit the object and add several more file type/subtype combinations. Test all types in turn by editing the profile, and make sure that all of the types (text, audio, video, etc.) are tested. Try to test type/subtypes which are more common.
4. Enter a few characters in the downloads field & select from the list.

Expected Results:
1. Verify downloads are blocked for one type/subtype, but other type/subtype combinations are allowed. Verify EUN is received & downloads don't occur.
2. Verify all files within a type are blocked, but that other types (which aren't in the field) are allowed.
3. Verify all type/subtype combinations in the download field are blocked, but that other subtypes of the same type are allowed.
4. Verify filtering of the list & selection, & that freeform typing is not allowed (i.e. you can only pick from the list).

265. Verify File Filtering of uploads, improved MIME-type handling. Verify that all file types can be blocked from uploading.

Procedure:
1. Create a new File Filtering Profile which blocks uploads of a particular file type/subtype (e.g. audio/mp3). Create an any/any access policy (with allow action) and select the File Filtering Profile you created. Attempt to upload a file of that type to a web site, or use a file sharing website like FileDropper to upload. (Note that if you use Dropbox, you need to have encryption enabled & a decryption policy in place.) Attempt to upload other files of the same type but of a different subtype (e.g. audio/wav), as well as other type/subtypes (which should be allowed if not blocked).
2. Create a new object that blocks uploads of all subtypes within a type (e.g. audio/*) & modify the access policy to use that profile. Try to download a few subtypes within that type.
3. Edit the object and add several more file type/subtype combinations. Test all types in turn by editing the profile, and make sure that all of the types (text, audio, video, etc.) are tested. Try to test type/subtypes which are more common.
4. Enter a few characters in the uploads field & select from the list.

Expected Results:
1. Verify uploads are blocked for one type/subtype, but other type/subtype combinations are allowed. Verify EUN is received (is this always true for uploads?) and uploads don't occur.
2. Verify all files within a type are blocked, but that other types (which aren't in the field) are allowed.
3. Verify all type/subtype combinations in the upload field are blocked, but that other subtypes of the same type are allowed.
4. Verify filtering of the list & selection, & that freeform typing is not allowed (i.e. you can only pick from the list).

266. Verify File Filtering of a mix of uploads and downloads, improved MIME-type handling.

Procedure:
1. Create a File Filtering profile that contains a mixture of several download types/subtypes (including type/*) and several upload types (including type/*).
2. Create an any/any access policy (with allow action) and select the File Filtering Profile you created.
3. Edit the File Filtering profile a few times and mix up the types/subtypes that you are testing.

Expected Results:
1 & 2. All combinations of uploads and downloads block the files that they should and don't block files that they shouldn't.
3. The profile can be edited and those edits take effect.

267. Verify changes in the MIME file take effect & that errors for entries which "go away" are handled.

Procedure:
1. Make note of which file types/subtypes are available in the dropdown lists for both upload and download. Create a File Filtering profile that contains a mixture of several download types/subtypes and several upload types. Create an any/any access policy (with allow action) and select the File Filtering Profile you created.
2. Stop services. Edit the MIME file (location is something like /cisco/updater/updates/sas/appdata/magic) and carefully remove a few entries from the file. Restart services.
3. Create a file filtering profile and attempt to add (to both the upload and download fields) the entries which you removed. Don't edit the input from Step 1 yet.
4. Attempt to download and upload files which match the types/subtypes you already defined.
5. Remove those types/subtypes which are no longer valid, add some that are valid and attempt download & upload again.

Expected Results:
2 & 3. Verify that the file types/subtypes that you removed are no longer visible, but the rest of the types/subtypes appear properly.
4. Appropriate error messages are issued when outdated types/subtypes are used.
5. Outdated types/subtypes can be removed and valid type/subtypes can be added and function correctly.
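The File Filtering behaviour that test cases 264 to 267 exercise (per-direction type/subtype entries, type/* wildcards, list-only selection, and entries that go stale when the MIME list changes) can be written down as a small model. This is an added example, not ASA-CX code; the KNOWN_MIME_TYPES set, the class and function names, and the access policy action (allow) are assumptions made for the example.

```python
"""Model of File Filtering profile semantics from test cases 264-267.
Added example; the MIME list below is constructed, not the product's."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed stand-in for the type/subtype list the UI dropdown offers.
# In the product this comes from the MIME (magic) file; the set is assumed.
KNOWN_MIME_TYPES = {
    "text/plain", "text/html",
    "audio/mp3", "audio/wav",
    "video/mp4",
    "application/pdf", "application/zip",
}
DIRECTIONS = ("upload", "download")


class InvalidMimeEntry(ValueError):
    """A profile entry that cannot be selected from the known MIME list."""


def normalize(content_type: str) -> str:
    """Lower-case a MIME type and drop parameters such as '; charset=utf-8'."""
    return content_type.split(";", 1)[0].strip().lower()


def parse_entry(entry: str) -> tuple[str, str]:
    """Split 'type/subtype' (subtype may be the wildcard '*') into its parts."""
    entry = normalize(entry)
    if entry.count("/") != 1:
        raise InvalidMimeEntry(f"{entry!r} is not of the form type/subtype")
    mtype, subtype = entry.split("/")
    if not mtype or not subtype:
        raise InvalidMimeEntry(f"{entry!r} has an empty type or subtype")
    return mtype, subtype


def validate_entry(entry: str, known: set[str]) -> str:
    """List-only selection (no freeform typing): a concrete entry must be in
    the known list and a type/* wildcard must cover at least one known entry."""
    mtype, subtype = parse_entry(entry)
    if subtype == "*":
        if not any(k.startswith(mtype + "/") for k in known):
            raise InvalidMimeEntry(f"no known subtypes for type {mtype!r}")
    elif f"{mtype}/{subtype}" not in known:
        raise InvalidMimeEntry(f"{entry!r} is not in the MIME list")
    return f"{mtype}/{subtype}"


def entry_matches(entry: str, content_type: str) -> bool:
    """True when a profile entry covers the content type (exact or type/*)."""
    e_type, e_sub = parse_entry(entry)
    c_type, c_sub = parse_entry(content_type)
    return e_type == c_type and e_sub in ("*", c_sub)


@dataclass
class FileFilteringProfile:
    name: str
    blocked: dict = field(default_factory=lambda: {d: set() for d in DIRECTIONS})

    def add(self, direction: str, entry: str, known: set[str] = KNOWN_MIME_TYPES) -> None:
        """Add a blocked type/subtype to the upload or download field."""
        if direction not in DIRECTIONS:
            raise ValueError(f"unknown direction {direction!r}")
        self.blocked[direction].add(validate_entry(entry, known))

    def stale_entries(self, known: set[str]) -> dict:
        """Entries no longer selectable after the MIME list changed (test 267);
        the caller should surface these as errors rather than silently drop them."""
        stale = {}
        for direction, entries in self.blocked.items():
            bad = set()
            for entry in entries:
                try:
                    validate_entry(entry, known)
                except InvalidMimeEntry:
                    bad.add(entry)
            if bad:
                stale[direction] = bad
        return stale

    def decision(self, direction: str, content_type: str) -> str:
        """'block' if an entry in that direction's field covers the content type,
        else 'allow' (the access policy's own action is assumed to be allow)."""
        if direction not in DIRECTIONS:
            raise ValueError(f"unknown direction {direction!r}")
        if any(entry_matches(e, content_type) for e in self.blocked[direction]):
            return "block"
        return "allow"


def run_scenario() -> dict:
    """Walk the steps of tests 264-267 and return the observed decisions."""
    profile = FileFilteringProfile("ff-test")
    out = {}
    profile.add("download", "audio/mp3")            # 264 step 1
    out["dl_mp3"] = profile.decision("download", "audio/mp3")
    out["dl_wav"] = profile.decision("download", "audio/wav")
    out["ul_mp3"] = profile.decision("upload", "audio/mp3")
    profile.add("download", "audio/*")              # 264 step 2: wildcard
    out["dl_wav_wild"] = profile.decision("download", "audio/wav; q=0.9")
    out["dl_mp4"] = profile.decision("download", "video/mp4")
    profile.add("upload", "application/zip")        # 266: fields are independent
    out["ul_zip"] = profile.decision("upload", "application/zip")
    out["dl_zip"] = profile.decision("download", "application/zip")
    try:                                            # 264 step 4: no freeform entries
        profile.add("download", "audio/flac")
        out["freeform"] = "accepted"
    except InvalidMimeEntry:
        out["freeform"] = "rejected"
    shrunk = KNOWN_MIME_TYPES - {"audio/mp3", "audio/wav"}   # 267: entries removed
    out["stale"] = profile.stale_entries(shrunk)
    return out
```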

268. Verify the functionality of a good update of a new MIME file (part of the AVC application) on a standalone CX device.

Note: An avc update will not be applied if the current (same) version is already installed on the system. When testing updates, you need to ensure that the version of avc dat that you are running is earlier than the one on the update server. After you have applied the update once, you will need to go back to the earlier version. You can do this by uninstalling the current csas rpm and reinstalling it. If necessary, stop services, install the current csas rpm and restart services.

Procedure:
1. Configure a File Filtering object and note the contents of the file type/subtype list that appears in the Upload and Download fields. Select a couple of entries from the list for each field. Create an any/any access policy (with allow action) and select the File Filtering Profile you created. Attempt to upload/download those file type/subtypes.
2. Shut down the updater (using the CLI, "heimdall_svc down updater_connector").
3. Update the system. See note above. (Change the variable allow_overwrite=False, and set the variables server_hostname, serial and pid to appropriate values in the /cisco/updater/updater_connector.conf file.)
4. Start the updater again (using the CLI "heimdall_svc up updater_connector").
5. Perform step 1 again.

Expected Results:
1. Verify that the expected uploads and downloads are blocked.
2. Verify that the new update is downloaded and applied properly without errors. Check the details in /var/data/cisco/updater_connector.log.
3 & 4. Verify that a corresponding system event gets generated and can be seen in the event viewer and in /var/log/cisco/system_events_updater_connector.log. Verify that the updater UI (Configurations>>Updates) shows the version and timestamps correctly.
5 & 6. Verify that the changes (removals or additions) in the type/subtype list are visible and that File Filtering performs as expected.

269. Verify the functionality of a bad update of a new MIME file (part of the AVC application) on a standalone CX device and make sure that it fails to apply and the rollback is successful.

Note: An avc update will not be applied if the current (same) version is already installed on the system. When testing updates, you need to ensure that the version of avc dat that you are running is earlier than the one on the update server. After you have applied the update once, you will need to go back to the earlier version. You can do this by uninstalling the current csas rpm and reinstalling it. If necessary, stop services, install the current csas rpm and restart services.

Procedure:
1. Configure a File Filtering object and note the contents of the file type/subtype list that appears in the Upload and Download fields. Select a couple of entries from the list for each field. Create an any/any access policy (with allow action) and select the File Filtering Profile you created. Attempt to upload/download those file type/subtypes.
2. Shut down the updater (using the CLI, "heimdall_svc down updater_connector").
3. Update the system. See note above. (Change the variable allow_overwrite=False, and set the variables server_hostname, serial and pid to appropriate values in the /cisco/updater/updater_connector.conf file.)
4. Start the updater again (using the CLI "heimdall_svc up updater_connector").
5. Repeat step 1.

Expected Results:
1. Verify that the expected uploads and downloads are blocked.
2. Verify that the new update fails to apply and gets rolled back to the old version successfully.
3 & 4. Verify that the updater UI (Configurations>>Updates), specifically avc dat, shows the version and timestamps correctly. Verify that a corresponding system event gets generated and can be seen in the event viewer.
5 & 6. Verify that the type/subtype lists for upload and download didn't change and that the expected uploads and downloads are blocked.

270. Verify the functionality of a good update of a new MIME file (part of the AVC application) on a managed CX device.

Note: An avc update will not be applied if the current (same) version is already installed on the system. When testing updates, you need to ensure that the version of avc dat that you are running is earlier than the one on the update server. After you have applied the update once, you will need to go back to the earlier version. You can do this by uninstalling the current csas rpm and reinstalling it. If necessary, stop services, install the current csas rpm and restart services.

Procedure:
1. Log into SMX, and discover an ASA-CX device in SMX/PRSM.
2. Configure a File Filtering object and note the contents of the file type/subtype list that appears in the Upload and Download fields. Select a couple of entries from the list for each field. Create an any/any access policy (with allow action) and select the File Filtering Profile you created. Attempt to upload/download those file type/subtypes.
3. Shut down the updater (using the CLI, "heimdall_svc down updater_connector").
4. Update the system. See note above. (Change the variable allow_overwrite=False, and set the variables server_hostname, serial and pid to appropriate values in the /cisco/updater/updater_connector.conf file.)
5. Start the updater again (using the CLI "heimdall_svc up updater_connector").
7. Repeat Step 2.

Expected Results:
1. Verify that CX is successfully managed in PRSM.
2. Verify that the expected uploads and downloads are blocked.
4 & 5. Verify that the updater UI (Configurations>>Updates), specifically avc dat, shows the version and timestamps correctly. Verify that a corresponding system event gets generated and can be seen in the PRSM event viewer.
6 & 7. Validate that after the update, uploads and downloads are blocked as expected and corresponding events can be seen in the PRSM event viewer.

271. Test a bad update of a new MIME file (part of the AVC application) on a managed CX device.

Note: An avc update will not be applied if the current (same) version is already installed on the system. When testing updates, you need to ensure that the version of avc dat that you are running is earlier than the one on the update server. After you have applied the update once, you will need to go back to the earlier version. You can do this by uninstalling the current csas rpm and reinstalling it. If necessary, stop services, install the current csas rpm and restart services.

Procedure:
1. Log into SMX, and discover an ASA-CX device in SMX/PRSM.
2. Configure a File Filtering object and note the contents of the file type/subtype list that appears in the Upload and Download fields. Select a couple of entries from the list for each field. Create an any/any access policy (with allow action) and select the File Filtering Profile you created. Attempt to upload/download those file type/subtypes.
3. Shut down the updater (using the CLI, "heimdall_svc down updater_connector").
4. Update the system. See note above. (Change the variable allow_overwrite=False, and set the variables server_hostname, serial and pid to appropriate values in the /cisco/updater/updater_connector.conf file.)
5. Start the updater again (using the CLI "heimdall_svc up updater_connector").
7. Repeat step 1.

Expected Results:
1. Verify that CX is successfully managed in PRSM.
2. Verify that the expected uploads and downloads are blocked.
3. Verify that the new update fails to apply and gets rolled back to the old version successfully.
4 & 5. Verify that the updater UI (Configurations>>Updates), specifically avc dat, shows the version and timestamps correctly. Verify that a corresponding system event gets generated and can be seen in the PRSM event viewer.
6 & 7. Verify that the type/subtype lists for upload and download didn't change, that the expected uploads and downloads are blocked, and that corresponding events can be seen in the PRSM event viewer.

272. Verify access policy when set to Follow Global (Device-Level) threat profile, standalone CX.

Procedure:
1. Configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
2. Create Deny all, Alert all and Ignore all threat profiles.
3. Select the Deny all Profile (as the Global (Device-Level) Profile).
4. Create an any/any access policy. Leave the default profile for the policy at Follow Global (Device-Level) Profile.
5. Play a PCAP with wireplay.
6. Change the Global (Device-Level) Profile to Alert only.
7. Play a PCAP with wireplay.
8. Change the Global (Device-Level) Profile to Ignore only. Play a PCAP with wireplay.

Expected Results:
1. Verify Intrusion Protection defaulted to Off but can be turned on.
2. Verify Profiles can be created.
3 & 4. Verify Profile choices are Default, Follow Global, plus the 3 you created. Verify the Profile default is Follow Global (Device-Level) Profile.
5. Verify threat is denied.
6 & 7. Verify threat is alerted.
8. Verify threat is ignored.

273. Verify access policy when set to None profile, standalone CX.

Procedure:
1. Configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
2. Create Deny all threat profile.
3. Select the Deny all Profile.
4. Create an any/any access policy. For threat profile, select none.
5. Play a PCAP with wireplay.
7. Play a PCAP with wireplay.

Expected Results:
2. Verify Profile can be created.
3. Verify Profile choices are Default, Follow Global, plus the 3 you created.
5 & 6. Verify threat is ignored & the Access policy name shows in the event for the traffic in the Context Aware Events tab.
7. Verify threat is detected and evented according to the Default Threat Profile (and the particular PCAP that is played).

274. Verify setting the global (Device-Level) threat profile policy to None (as the default & when the setting is changed to none), standalone CX.

Procedure:
1. Configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
2. Leave the global (Device-Level) setting at its default.
3. Play a PCAP with wireplay.
4. Select the Default Threat profile (for global (Device-Level)).
5. Play a PCAP with wireplay.
6. Select none (or blank) as the global (Device-Level) threat profile.
7. Play a PCAP with wireplay.

Expected Results:
2 & 3. Verify the default setting is none (or blank). Verify the threat is ignored & the Implicit Allow policy name shows in the event for the traffic in the Context Aware Events tab.
4 & 5. Verify threat is detected and evented according to the Default Threat Profile (and the particular PCAP that is played).
6 & 7. Verify the threat is ignored & the Implicit Allow policy name shows in the event for the traffic in the Context Aware Events tab.

275. Verify disabling of Threat Protection, standalone CX.

Procedure:
1. Configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
2. Create Deny all threat profile.
3. Select the Deny all Profile.
4. Play a PCAP with wireplay.
5. Configure Intrusion Protection to Off.
6. Play a PCAP with wireplay.

Expected Results:
3 & 4. Verify threat is denied.
5 & 6. Verify threat is ignored.

276. Verify access policy when set to Follow Global (Device-Level) threat profile, managed CX, non-shared policies.

Procedure:
1. Discover two CXes with PRSM.
2. On both CXes, configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
3. Create Deny all, Alert all and Ignore all threat profiles.
4. On CX #1, select the Deny all Profile (as the global (Device-Level) profile). On CX #2, select the Alert all profile (as the global (Device-Level) profile).
5. On both CXes, play a PCAP with wireplay.
6. Create an any/any access policy for CX #1. Leave the default, which follows the Global Profile. Create an any/any access policy for CX #2. Leave the default profile, which follows the Global Profile.
7. For both CXes, play a PCAP with wireplay.
8. Change the Global (Device-Level) Profile for CX #1 to Ignore only. Change the Global (Device-Level) Profile for CX #2 to Deny only.
9. For both CXes, play a PCAP with wireplay.

Expected Results:
1. Verify CXes can be discovered.
2. Verify Intrusion Protection defaulted to Off but can be turned on for both CX #1 and CX #2.
3. Verify Profiles can be created.
4 & 5. For CX #1, verify threat is denied. For CX #2, verify threat is alerted. Verify Events indicate the Implicit Allow policies for both CXes.
6 & 7. Verify threat is denied for CX #1 and is alerted for CX #2. Verify Event indicates the Allow Any/Any policy.
8 & 9. On CX #1, verify threat is ignored. On CX #2, verify threat is denied. Verify Event indicates the Allow Any/Any policy.

277. Verify access policy set to Follow Global (Device-Level) threat profile, managed CX, shared policies.

Procedure:
1. Discover two CXes with PRSM.
2. On both CXes, configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
3. Create Deny all, Alert all and Ignore all threat profiles.
4. On CX #1, select the Deny all Profile (as the global (Device-Level) profile). On CX #2, select Alert Only as the global (device-level) profile.
5. For both CXes, play a PCAP with wireplay.
6. Create an any/any access policy for CX #1. Leave the default profile for the policy at Follow Global Profile. Share CX #1's access policy with CX #2.
7. For both CXes, play a PCAP with wireplay.
8. Change the Global (Device-Level) Profile for CX #1 to Ignore only. Change the Global (Device-Level) Profile for CX #2 to Deny only.
9. For both CXes, play a PCAP with wireplay.

Expected Results:
1. Verify CXes can be discovered.
3. Verify Profiles can be created.
4 & 5. For CX #1, verify threat is denied. For CX #2, verify threat is alerted. Verify Events indicate the Implicit Allow policies for both CXes.
6 & 7. Verify threat is denied for CX #1 and is alerted for CX #2. Verify Event indicates the Allow Any/Any policy.
8 & 9. On CX #1, verify threat is ignored. On CX #2, verify threat is denied. Verify Event indicates the Allow Any/Any policy.

278. Verify access policy when set to None profile, managed CX, non-shared policies.

Procedure:
1. Discover two CXes with PRSM.
2. On both CXes, configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
3. Create Deny all threat profile.
4. On both CXes, select the Deny all Profile (as the Global (Default-Level) Profile).
5. On both CXes, play a PCAP with wireplay.
6. On both CXes, create an any/any access policy. For Threat Profile, select none.
7. On both CXes, play a PCAP with wireplay.

Expected Results:
1. Verify CXes can be discovered.
3. Verify Profile can be created.
4 & 5. On both CXes, verify threat is denied and the Implicit Allow policy name shows in the event for the traffic in the Threat Protection Events tab.
6 & 7. On both CXes, verify threat is ignored & the Access policy name shows in the event for the traffic in the Context Aware Events tab.

279. Verify access policy set to None profile, managed CX, shared policies.

Procedure:
1. Discover two CXes with PRSM.
2. On both CXes, configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
3. Create Deny all threat profile.
4. On both CXes, select the Deny all Profile (as the Global (Default-Level) Profile).
5. On both CXes, play a PCAP with wireplay.
6. On CX #1, create an any/any access policy with a Threat Profile set to None. Share this access policy with CX #2.
7. On both CXes, play a PCAP with wireplay.

Expected Results:
1. Verify CXes can be discovered.
3. Verify Profile can be created.
4 & 5. On both CXes, verify threat is denied and the Implicit Allow policy name shows in the event for the traffic in the Threat Protection Events tab.
6 & 7. On both CXes, verify threat is ignored & the Access policy name (from CX #1) shows in the event for the traffic in the Context Aware Events tab.

280. Verify setting the global threat profile policy to None (as the default & when the setting is changed to none), managed CX, non-shared policies.

Procedure:
1. Discover two CXes with PRSM.
2. On both CXes, configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
3. On both CXes, select the None Profile (or just leave it blank).
4. On both CXes, play a PCAP with wireplay.
5. On both CXes, select the Default Threat profile (for global (Device-Level)).
6. On both CXes, play a PCAP with wireplay.
7. On both CXes, select none (or blank) as the global (Default-Level) threat profile.
8. On both CXes, play a PCAP with wireplay.

Expected Results:
1. Verify CXes can be discovered.
3 & 4. On both CXes, verify the threat is ignored & the Implicit Allow policy name shows in the event for the traffic in the Context Aware Events tab.
5 & 6. On both CXes, verify threat is detected and evented according to the Default Threat Profile (and the particular PCAP that is played).
7 & 8. On both CXes, verify the threat is ignored & the Implicit Allow policy name shows in the event for the traffic in the Context Aware Events tab.

281. Verify setting the global threat profile policy to None (as the default & when the setting is changed to none), managed CX, shared policies.

Procedure:
1. Discover two CXes with PRSM.
2. On both CXes, configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
3. On CX #1, select the None Profile (or just leave it blank). Share the Intrusion Protection settings of CX #1 with CX #2.
4. On both CXes, play a PCAP with wireplay.
5. On CX #1, select the Default Threat profile (for global (Device-Level)).
6. On both CXes, play a PCAP with wireplay.
7. On CX #1, select none (or blank) as the global (Device-Level) threat profile.
8. On both CXes, play a PCAP with wireplay.

Expected Results:
1. Verify CXes can be discovered.
3 & 4. Verify the threat is ignored on both CXes & the Implicit Allow policy name shows in the events for the traffic in the Context Aware Events tab.
5 & 6. On both CXes, verify threat is detected and evented according to the Default Threat Profile (and the particular PCAP that is played).
7 & 8. On both CXes, verify the threat is ignored & the Implicit Allow policy name shows in the event for the traffic in the Context Aware Events tab.
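The resolution rule that test cases 272 to 283 check (access-policy setting of Follow Global, None or a named profile, combined with the device-level profile and the Intrusion Protection switch, for standalone and for PRSM-shared devices) is modelled below so the expected results can be checked in one place. This is an added example, not ASA-CX or PRSM code; the profile-to-action table, the "alert" action assumed for the built-in Default profile, and all class and function names are assumptions made for the example.

```python
"""Model of effective threat-action resolution from test cases 272-283.
Added example; profile actions and names are constructed, not the product's."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

FOLLOW_GLOBAL = "follow_global"      # access-policy default setting
DEFAULT_PROFILE = "Default"          # built-in device-level profile
IMPLICIT_ALLOW = "Implicit Allow"    # policy name reported when nothing matched

# Constructed profiles: name -> action applied to every threat. The action for
# "Default" is a placeholder assumption; the real default profile is severity based.
PROFILES = {
    "Default": "alert",
    "Deny all": "deny",
    "Alert all": "alert",
    "Ignore all": "ignore",
}


@dataclass
class AccessPolicy:
    name: str
    threat_profile: Optional[str] = FOLLOW_GLOBAL   # None means "profile: none"


@dataclass
class Device:
    name: str
    intrusion_protection: bool = False    # defaults to Off (expected result 1)
    global_profile: Optional[str] = None  # device-level profile, blank by default
    policies: list = field(default_factory=list)


@dataclass
class ThreatEvent:
    device: str
    action: str
    policy: str
    tab: str      # event viewer tab in which the event is expected to appear


def resolve(device: Device, policy: Optional[AccessPolicy]) -> ThreatEvent:
    """Effective action for one threat hit on `device` under `policy`
    (None = no access policy matched, i.e. the Implicit Allow policy)."""
    policy_name = policy.name if policy else IMPLICIT_ALLOW
    if not device.intrusion_protection:           # tests 275, 282, 283
        return ThreatEvent(device.name, "ignore", policy_name, "Context Aware Events")
    setting = policy.threat_profile if policy else FOLLOW_GLOBAL
    if setting == FOLLOW_GLOBAL:                  # tests 272, 276, 277
        setting = device.global_profile
    if setting is None:                           # profile none / global blank
        action = "ignore"
    elif setting in PROFILES:
        action = PROFILES[setting]
    else:
        raise ValueError(f"unknown threat profile {setting!r}")
    tab = "Context Aware Events" if action == "ignore" else "Threat Protection Events"
    return ThreatEvent(device.name, action, policy_name, tab)


def play_pcap(device: Device) -> ThreatEvent:
    """Replay of a threat PCAP: the first any/any policy matches, else Implicit Allow."""
    return resolve(device, device.policies[0] if device.policies else None)


def share_policy(src: Device, dst: Device) -> None:
    """PRSM sharing: CX #2 gets CX #1's policy object, its name included (test 279)."""
    dst.policies = list(src.policies)


def share_intrusion_settings(src: Device, dst: Device) -> None:
    """PRSM sharing of the Intrusion Protection settings (tests 281, 283)."""
    dst.intrusion_protection = src.intrusion_protection
    dst.global_profile = src.global_profile


def run_scenarios() -> dict:
    """Walk the standalone and managed cases and collect the resulting events."""
    out = {}
    cx = Device("CX-1")
    out["ip_off"] = play_pcap(cx).action            # Threat Protection still Off
    cx.intrusion_protection = True
    out["global_blank"] = play_pcap(cx)             # 274 steps 2-3
    cx.global_profile = DEFAULT_PROFILE
    out["global_default"] = play_pcap(cx).action    # 274 steps 4-5
    cx.global_profile = "Deny all"
    out["implicit_deny"] = play_pcap(cx)            # 278 steps 4-5
    cx.policies.append(AccessPolicy("Allow Any/Any"))
    out["follow_deny"] = play_pcap(cx)              # 272 step 5
    cx.global_profile = "Alert all"
    out["follow_alert"] = play_pcap(cx).action      # 272 step 7
    cx.policies[0].threat_profile = None
    out["policy_none"] = play_pcap(cx)              # 273 steps 4-5
    cx2 = Device("CX-2")                            # managed, shared case
    share_intrusion_settings(cx, cx2)
    share_policy(cx, cx2)
    out["shared"] = play_pcap(cx2)                  # 279 steps 6-7
    cx2.intrusion_protection = False
    out["shared_off"] = play_pcap(cx2).action       # 283 steps 6-7
    return out
```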

282. Verify disabling of Threat Protection, managed CX, non-shared policies.

Procedure:
1. Discover two CXes with PRSM.
2. On both CXes, configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
3. Create Deny all threat profile.
4. On both CXes, select the Deny all Profile (as the Device-Level profile).
5. On both CXes, play a PCAP with wireplay.
6. On both CXes, configure Intrusion Protection to Off.
7. On both CXes, play a PCAP with wireplay.

Expected Results:
1. Verify both CXes can be discovered.
4 & 5. On both CXes, verify threat is denied.
6 & 7. On both CXes, verify threat is ignored.

283. Verify disabling of Threat Protection, managed CX, shared policies.

Procedure:
1. Discover two CXes with PRSM.
2. On both CXes, configure Intrusion Protection (currently at Configurations->Devices, Basic Device properties, Threat Protection) to On.
3. Create Deny all threat profile.
4. On CX #1, select the Deny all Profile (as the Device-Level profile). Share the Intrusion Protection settings of CX #1 with CX #2.
5. On both CXes, play a PCAP with wireplay.
6. On CX #1, configure Intrusion Protection to Off.
7. On both CXes, play a PCAP with wireplay.

Expected Results:
1. Verify both CXes can be discovered.
4 & 5. On both CXes, verify threat is denied.
6 & 7. On both CXes, verify threat is ignored.

284. US7591: Verify the removal of the current telemetry option in the welcome screen.

Procedure:
1-Install a new ASA-CX build with the latest telemetry features.
2-Login to ASA-CX.
3-Repeat the test with PRSM.

Expected Result:
1-Verify that the new telemetry options pop up as soon as the admin logs in.
2-Verify that the old telemetry options in the welcome screen have been removed.
3-Verify that when you navigate to Administration, Network participation, you see the new telemetry screen.
3-Verify that this works properly with PRSM as well.

285. US7591: Verify the addition of a new pop-up prior to the welcome screen that asks customers to configure their telemetry setting.

Procedure:
1-Install and configure a new ASA-CX box.
2-Login to ASA-CX.
3-Verify that all the buttons are functional and not broken: Yes, No, Limited, Standard, View terms of agreement, and Save.
4-Verify that the save and commit work properly by logging out and back in and making sure it saved the changes.
5-When selecting No for enable telemetry and saving and committing, it will stay saved and telemetry data will not be sent.
6-When selecting Yes for enable telemetry and saving changes and committing, it will send telemetry data as requested.

Expected Result:
1-Verify that immediately after login the pop-up screen appears that asks customers to configure their telemetry settings.
2-All buttons and features are working properly: Yes, No button, Limited, Standard, View terms of agreement, and Save.
3-Verify that settings are saved after logging out and back in.
4-When clicking on View terms of agreement, the terms of agreement appear.

286. US7591: Verify the addition of a new default telemetry level (unconfigured) and backend changes to support it.

Procedure:
1-Install and configure a new ASA-CX device and leave the telemetry level at the default level; it needs to be in that state without any changes.
2-In order to verify telemetry data is sent properly, login to the backend FBNP server (i.e. SSH to bastion1.sfo.ironport.com and from there ssh to qafbnp-app002.vega.cloud.ironport.com and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log; check the logs in the /data/ironport/phonehomelogs/ directory).

Expected Result:
1-Verify the addition of the new telemetry levels when unconfigured and verify the back end can support it.
2-Verify that the data is sent correctly to the backend FBNP server.

287. US7591: Verify the Telemetry screen should pop up every time the UI is opened until a user changes their level from unconfigured
Procedure:
1-Install and configure a new ASA-CX and navigate to the telemetry screen but don't configure the telemetry screen. Save but don't commit changes.
2-Login to the ASA-CX.
3-Repeat for PRSM.
Expected Result:
1-Verify that telemetry pops up every time the user logs in without committing changes.
2-Result is the same for PRSM.

288. US7591: Verify that the new UI works properly and pops up properly
Procedure:
1-Install and configure a new ASA-CX and login.
2-Test with PRSM as well.
Expected Result:
1-Verify that it pops up properly and has all components: Standard, Limited, Save, view agreement, and Yes-No button
2-Verify that PRSM works as well.

289. US7591: Verify that the new pop-up stops appearing once telemetry changes have been committed
Procedure:
1-Install and configure a new ASA-CX and configure the telemetry page.
2-Repeat test case for PRSM.
3-Reboot the ASA-CX and verify that changes have been saved and the pop-up doesn't appear again.
4-Reboot the PRSM and verify that changes have been saved and the pop-up doesn't appear again.
Expected Result:
1-Verify that the pop-up doesn't appear again after configuration is complete once.
2-Verify that reboot doesn't erase the saved configuration on ASA-CX and PRSM.


290. US7591: Verify that the telemetry change is applied properly
Procedure:
1-Install and configure an ASA-CX and login.
2-Select Standard and Save and Commit changes. Test in PRSM as well.
3-Navigate to Administration, and then Network Participation and select Limited and Save and Commit Changes. Test in PRSM as well.
4-Navigate to Administration, and then Network Participation and then turn OFF the network participation.
5-In order to verify telemetry data is sent properly, login to the backend FBNP server (i.e. SSH to bastion1.sfo.ironport.com and from there ssh to qafbnp-app002.vega.cloud.ironport.com and check the FBNP or phone home logs in /data/ironportvar/phonehomeserver/phonehome.log; check the logs in the /data/ironport/phonehomelogs/ directory).
Expected Result:
1-Verify that on the first login the telemetry pop-up screen appears.
2-Verify that standard telemetry is applied and configured properly.
3-Verify that the Limited telemetry is applied and configured properly.
4-Verify that the user can opt out of providing telemetry information.
5-Verify that the pop-up does not appear after initial configuration, save and commit.
6-Verify that the data is sent correctly to the backend FBNP server.

291. US7591: Verify that the new telemetry pop-up behaves properly for an upgrade
Procedure:
1-Install and configure an old version of ASA-CX that doesn't have the new pop-up feature and configure the telemetry page as not enabling telemetry.
2-Perform an upgrade.
3-Repeat test case for PRSM.
Expected Result:
1-Telemetry pop-up should not appear.
2-Result is the same for PRSM.


292. US7591: Verify that the new telemetry pop-up behaves properly for an upgrade

Procedure:
1-Install and configure an old version of ASA-CX that doesn't have the new pop-up feature and configure the telemetry page to enable telemetry. Perform an upgrade. Repeat with PRSM.
2-Install and configure an old version of ASA-CX that doesn't have the new pop-up feature and configure the telemetry page to opt out of telemetry. Perform an upgrade. Repeat with PRSM.
3-Install and configure an old version of ASA-CX that doesn't have the new pop-up feature and leave telemetry unconfigured. Perform an upgrade. Repeat with PRSM.
Expected Result:
1-Verify that the telemetry pop-up doesn't appear for test cases 1 and 2.
2-Verify that the telemetry pop-up does appear for test case 3.

293. US7591: Verify that the telemetry buttons are grayed out and disabled when No is selected for telemetry

Procedure:
1-Install and configure an ASA-CX and login to the main page.
2-When the telemetry page appears, select No for telemetry.
3-Hover over the telemetry options Standard and Limited.
4-Repeat the test case for PRSM.
Expected Result:
1-Verify that when No is selected for telemetry, the hover feature for the telemetry buttons (Standard and Limited) is disabled and the buttons are grayed out.
2-Verify that this is the correct behavior for PRSM as well.

294. US7591: Verify that the selected button remains selected after disabling the No button for telemetry
Procedure:
1-Install and configure a new ASA-CX and login to the ASA-CX.
2-The telemetry pop-up should appear.
3-Select Limited and then select No for telemetry.
4-Select Yes again for telemetry.
5-Select Standard and then select No for telemetry.
6-Select Yes again for telemetry.
Expected Result:
1-Verify that the latest configuration appears after selecting Yes.


295. US7591: Verify that selected telemetry changes are saved properly and appear in the Network participation page
Procedure:
1-Install and configure an ASA-CX. Login and configure the telemetry settings to accept telemetry and select Standard, then Save and commit. Repeat with PRSM.
2-Install and configure an ASA-CX. Login and configure the telemetry settings to accept telemetry and select Limited, then save changes and commit. Repeat with PRSM.
3-Install and configure an ASA-CX. Login and configure the telemetry settings to opt out of telemetry by selecting No. Save and commit. Repeat with PRSM.
Expected Result:
1-Navigate to Administration and then Network participation. Verify that all the changes have been saved properly and appear in the Network participation page.
2-The result is the same for PRSM.

296. US7591: Verify that Welcome screen appears for new users after configuring telemetry options
Procedure:
1-Install and configure a new ASA-CX.
2-Login for the first time and configure the telemetry. Save and commit.
3-Create a new admin user.
4-Login as the new admin user.
5-Repeat the same test case with a PRSM.
Expected Result:
1-Verify that when logging in as the new user the Welcome screen appears and the telemetry screen doesn't appear since it has already been configured.

297. Verify the functionality of the default evaluation license for threat protection feature on an unmanaged ASA-CX device
Procedure:
Perform a fresh installation of the latest software image on an unmanaged ASA-CX.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Verify that a fresh installation of the latest software image on ASA-CX comes with a default evaluation license for threat protection feature.
Verify that after the software upgrade the evaluation license for threat protection becomes available for the user.
Verify that the user would be able to enable threat protection by navigating to Configurations>>Policies/Settings>>Threat Protection.
Verify that the blacklist toggles in the UI are enabled and can be changed.
Verify that the user would be able to create a new threat profile object and associate it with an access policy.
Verify that the global/device-level threat profile is editable.
Verify that all the threat related traffic passing thru the box during this period will be detected and is visible in events (in the Threat Protection tab of the event viewer) and in the corresponding Threat Protection reports.
Verify that all the non-threat related traffic can still pass thru the device as expected and the user will still be able to see corresponding events and reports.
Verify that all the updates related to the threat protection feature (blacklist/engines/sigs) will be downloaded and applied as they become available.
Verify that all the non-threat related updates (sas/avc/wbrs/telemetry) will be downloaded and applied if they are available.

298. Verify the functionality of license expiration for threat protection feature on an unmanaged ASA-CX device
Procedure:
Shutdown cisco services and change the system clock (date) such that the evaluation license for threat protection expires.
Restart cisco services.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Verify that the user will not be able to edit any access policies that are explicitly associated with threat profiles.
Verify that the user will not be able to create any new threat profile objects or edit any existing threat profile objects.
Verify that the user will not be able to add any new access policies with attached threat profiles.
Verify that the global/device-level threat profile is still editable.
Verify that the Threat Protection and the blacklist toggles on the UI are disabled and cannot be re-enabled.
Verify that all the threat related traffic passing thru the box during this period will not be detected and visible in either events (in the Threat Protection tab of the event viewer) or in the Threat Protection reports.
Verify that the user will still be able to see threat related events and corresponding threat protection reports for the time period before the license expired.
Verify that all the non-threat related traffic can still pass thru the device as expected and the user will still be able to see corresponding events and reports.
Verify that all the updates related to the threat protection feature (blacklist/engines/sigs) will not be downloaded and applied.
Verify that all the non-threat related updates (sas/avc/wbrs/telemetry) will be downloaded and applied if they are available.

299. Verify the functionality of license renewal for threat protection feature on an unmanaged ASA-CX device
Procedure:
Renew the license for threat protection.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Verify that the user will now be able to edit any access policies that are explicitly associated with threat profiles.
Verify that the user will be able to create new threat profile objects.
Validate that the user will be able to edit any existing threat profile objects.
Verify that the user will now be able to add any new access policies with attached threat profiles.
Verify that the global/device-level threat profile is editable.
Verify that the Threat Protection and the blacklist toggles on the UI are now re-enabled.
Verify that the user will be able to see threat related events and corresponding threat protection reports again.
Verify that all the non-threat related traffic can pass thru the device as expected and the user will still be able to see corresponding events and reports.
Verify that all the updates related to the threat protection feature (blacklist/engines/sigs) will now be downloaded and applied.
Verify that all the non-threat related updates (sas/avc/wbrs/telemetry) will be downloaded and applied if they are available.

300. Verify the functionality of license revocation and removal for threat protection feature on an unmanaged ASA-CX device
Procedure:
Revoke and remove the license for threat protection.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Verify that the user will not be able to edit any access policies that are explicitly associated with threat profiles.
Verify that the user will not be able to create any new threat profile objects or edit any existing threat profile objects.
Verify that the user will not be able to add any new access policies with attached threat profiles.
Verify that the global/device-level threat profile is still editable.
Verify that the Threat Protection and the blacklist toggles on the UI are disabled and cannot be re-enabled.
Verify that all the threat related traffic passing thru the box during this period will not be detected and visible in either events (in the Threat Protection tab of the event viewer) or in the Threat Protection reports.
Verify that the user will still be able to see threat related events and corresponding threat protection reports for the time period before the license removal.
Verify that all the non-threat related traffic can still pass thru the device as expected and the user will still be able to see corresponding events and reports.
Verify that all the updates related to the threat protection feature (blacklist/engines/sigs) will not be downloaded and applied.
Verify that all the non-threat related updates (sas/avc/wbrs/telemetry) will be downloaded and applied if they are available.

301. Verify the functionality of addition of a license for threat protection feature on an unmanaged ASA-CX device
Procedure:
Add a license for threat protection.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Verify that the user will now be able to edit any existing access policies that are explicitly associated with threat profiles (probably created before the license removal).
Verify that the user will be able to create new threat profile objects.
Validate that the user will be able to edit any existing threat profile objects.
Verify that the user will now be able to add any new access policies with attached threat profiles.
Verify that the global/device-level threat profile is editable.
Verify that the Threat Protection and the blacklist toggles on the UI are now re-enabled.
Verify that the user will be able to see threat related events and corresponding threat protection reports again.
Verify that all the non-threat related traffic can pass thru the device as expected and the user will still be able to see corresponding events and reports.
Verify that all the updates related to the threat protection feature (blacklist/engines/sigs) will now be downloaded and applied.
Verify that all the non-threat related updates (sas/avc/wbrs/telemetry) will be downloaded and applied if they are available.

302. Verify the functionality of the default evaluation license for threat protection feature on a managed ASA-CX device in PRSM/SMX
Procedure:
Log into PRSM/SMX and import/discover an ASA-CX.
Perform a fresh installation of the latest software image on PRSM and ASA-CX.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Repeat test steps 1-10 as in test case 1.

303. Verify the functionality of license expiration for threat protection feature on a managed ASA-CX device in PRSM/SMX
Procedure:
Log into PRSM/SMX and import/discover an ASA-CX.
Shutdown cisco services and change the system clock (date) such that the evaluation license for threat protection expires.
Restart cisco services.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Repeat test steps 1-10 as in test case 2.

304. Verify the functionality of license renewal for threat protection feature on a managed ASA-CX device in PRSM/SMX
Procedure:
Log into PRSM/SMX and import/discover an ASA-CX.
Renew the license for threat protection.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Repeat test steps 1-10 as in test case 3.

305. Verify the functionality of license revocation and removal for threat protection feature on a managed ASA-CX device in PRSM/SMX
Procedure:
Log into PRSM/SMX and import/discover an ASA-CX.
Upgrade from a previous software release such as Torino/Barbary.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Repeat test steps 1-10 as in test case 4.

306. Verify the functionality of addition of a license for threat protection feature on a managed ASA-CX device in PRSM/SMX
Procedure:
Log into PRSM/SMX and import/discover an ASA-CX.
Add a license for threat protection.
Pass some threat related traffic thru the ASA-CX.
Pass some non-threat related traffic thru the ASA-CX.
Expected Results:
Repeat test steps 1-10 as in test case 5.


307. Verify Barbary/K2 to Peregrine upgrade, Intrusion Protection, telemetry features and onbox management

Procedure:
1. Load the current Barbary/K2 image.
2. Configure and exercise a broad set of features.
- Enable root login by generating a root patch on CX.
- Change the logging levels to DEBUG.
- Configure access policies (one with URL Object, one with Network Object and one with Application/Service).
- Enable authentication (create a realm, add a directory) and configure an identity policy.
- Enable decryption (generate a cert and import the cert into clients) and configure a decryption policy.
3. Upgrade from Barbary/K2 to Peregrine using the upgrade GUI.
4. Use the broad set of features again.
- Enable telemetry and choose a participation level.
- Change the logging levels to DEBUG.
- Ensure that the above configured access policies, identity policy and decryption policies are retained.
- Enable Intrusion Protection. Create a new threat profile object and associate it with an access policy.
- Send some blacklisted traffic.
- Enable updater.
5. Revert.
6. Exercise the broad set of features again.
- Ensure that the above configured access policies, identity policy and decryption policies are retained.

Expected Result:
1 & 2. Verify the features work on the Barbary/K2 release. Send some traffic and verify the access policies, identity and decryption policies work as expected.
3. Verify upgrade is successful. Verify that a pop-up for enabling and configuring telemetry appears. Ensure that all telemetry data (including platform and merlin telemetry data) is being collected in signup logs and sent to the FBNP server.
4. Verify the same set of features works on the Peregrine release. Send some traffic and verify the access policies, identity and decryption policies work as expected. Send some traffic containing threats and verify that the threats get detected. Verify that the blacklisted traffic gets denied. Ensure that tp (signature and engine) updates get downloaded. Send some traffic containing threats again after the tp update and ensure that threats get detected.
5. Verify revert is successful. Ensure that the pop-up screen for telemetry does not appear and consequently no telemetry data gets collected in the signup logs.
6. Verify the features work on the Barbary/K2

308. Verify Torino to Peregrine upgrade, Intrusion Prevention, telemetry features and onbox management.

Procedure:
1. Load the current Torino image.
2. Configure and exercise a broad set of features.
- Enable root login by generating a root patch on CX.
- Change the logging levels to DEBUG.
- Configure access policies (one with URL Object, one with Network Object and one with Application/Service).
- Enable authentication (create a realm, add a directory) and configure an identity policy.
- Enable decryption (generate a cert and import the cert into clients) and configure a decryption policy.
3. Upgrade from Torino to Peregrine using the upgrade GUI.
4. Use the broad set of features again.
- Enable telemetry and choose a participation level.
- Change the logging levels to DEBUG.
- Ensure that the above configured access policies, identity policy and decryption policies are retained.
- Enable Intrusion Protection. Create a new threat profile object and associate it with an access policy.
- Send some blacklisted traffic.
- Enable updater.
5. Revert.
6. Exercise the broad set of features again.
- Ensure that the above configured access policies, identity policy and decryption policies are retained.

Expected Result:
1 & 2. Verify the features work on the Torino release. Send some traffic and verify the access policies, identity and decryption policies work as expected.
3. Verify upgrade is successful. Verify that a pop-up for enabling and configuring telemetry appears. Ensure that all telemetry data (including platform and merlin telemetry data) is being collected in signup logs and sent to the FBNP server.
4. Verify the same set of features works on the Peregrine release. Send some traffic and verify the access policies, identity and decryption policies work as expected. Send some traffic containing threats and verify that the threats get detected. Verify that the blacklisted traffic gets denied. Ensure that tp (signature and engine) updates get downloaded. Send some traffic containing threats again after the tp update and ensure that threats get detected.
5. Verify revert is successful. Ensure that the pop-up screen for telemetry does not appear and consequently no telemetry data gets collected in the signup logs.

309. Verify Peregrine to Peregrine upgrade, Intrusion Prevention, telemetry features and onbox management
Procedure:
1. Load an image from the betazoid/main branch from the Peregrine release.
2. Configure and exercise a broad set of features.
- Enable telemetry and choose a participation level.
- Change the logging levels to DEBUG.
- Configure access policies (one with URL Object, one with Network Object and one with Application/Service).
- Enable authentication (create a realm, add a directory) and configure an identity policy.
- Enable decryption (generate a cert and import the cert into clients) and configure a decryption policy.
- Enable Intrusion Protection. Create a new threat profile object and associate it with an access policy.
- Send some blacklisted traffic.
- Enable updater.
3. Upgrade to the latest image from Peregrine using the upgrade GUI.
4. Use the broad set of features again.
- Ensure that the above configured access policies (with and without threat profiles), identity policy and decryption policies are retained.
5. Revert.
6. Exercise the broad set of features again.
- Ensure that the above configured access policies (with and without threat profiles), identity policy and decryption policies are retained.
Expected Result:
1 & 2. Verify the features work on the Peregrine release. Send some traffic and verify the access policies, identity and decryption policies work as expected. Verify that a pop-up for enabling and configuring telemetry appears. Ensure that all telemetry data (including platform and merlin telemetry data) is being collected in signup logs and sent to the FBNP server. Send some traffic containing threats and verify that the threats get detected. Verify that the blacklisted traffic gets denied. Ensure that tp (signature and engine) updates get downloaded. Send some traffic containing threats again after the tp update and ensure that threats get detected.
3. Verify upgrade is successful and verify the same set of features still work with the latest image from the Peregrine release.
4. Send some traffic and verify the access policies, identity and decryption policies work as expected. Send some traffic containing threats and verify that the threats get detected. Verify that the blacklisted traffic gets denied.
5. Verify revert is successful and verify the same set of features still work.

• Hawkeye Pcap Efficacy (contains 108 test cases)
# Entity Title / Description
1. Verify 1466-0.pcap is Malicious Command-and-Control Network Traffic
2. Verify [pcap name lost in extraction] is Malicious Command-and-Control Network Traffic
3. Verify 1389-0.pcap is Adobe Acrobat and Reader PRC Remote Code Execution Vulnerability
4. Verify [pcap name lost in extraction] is Microsoft Internet Explorer Vector Markup Language Processing Arbitrary Code Execution Vulnerability
5. Verify 1341-0.pcap is Flame Trojan Toolkit
6. Verify 1373-0.pcap is Microsoft Internet Explorer Property ID Processing Memory Corruption Vulnerability
7. Verify 1263-1.pcap is Microsoft Windows Security Update for Digital Certificates Spoofing Vulnerability
8. Verify [pcap name lost in extraction] is Microsoft Windows Security Update for Digital Certificates Spoofing Vulnerability
9. Verify [pcap name lost in extraction] is Joomla! TinyMCE TinyBrowser Plug-in Arbitrary File Upload Vulnerability
10. Verify 1263-0.pcap is Adobe Shockwave Player Lnam Chunk String Processing dirapi.dll Arbitrary Code Execution Vulnerability
11. Verify 1450-0.pcap is Heap Spraying Buffer Overflow Attacks
12. Verify 1446-0.pcap is HP Database Archiving Software Unspecified Arbitrary Code Execution Vulnerability
13. Verify 1138-0.pcap is Cisco Linksys WVC200 Wireless-G PTZ Device ActiveX Control SetSource() Buffer Overflow Vulnerability
14. Verify 1021-0.pcap is Oracle Java Unspecified Code Execution Vulnerability
15. Verify [pcap name lost in extraction] is BaoFeng Storm mps.dll ActiveX Control Arbitrary Code Execution Vulnerability
16. Verify 1019-0.pcap is IBM Tivoli Directory Server ibmslapd.exe Arbitrary Code Execution Vulnerability
17. Verify 1421-0.pcap is Microsoft Internet Explorer img Tag Processing Arbitrary Code Execution Vulnerability
18. Verify [pcap name lost in extraction] is Adobe Acrobat Reader Unspecified Memory Corruption Vulnerability
Pcap names on this page that the extraction separated from their titles: 1358-0, 1256-0, 1258-2, 1394-0, 1545-0, 1052-0.

19. Verify 15001-0.pcap is Mozilla Firefox, Thunderbird and SeaMonkey SVG Image Processing Arbitrary Code Execution Vulnerability
20. Verify 15175-1.pcap is IBM Lotus Notes URL Handling Remote Arbitrary Code Execution Vulnerability
21. Verify 16217-0.pcap is Novell ZENworks Asset Management Web Console Information Disclosure Vulnerability
22. Verify 15113-0.pcap is Novell ZENworks Configuration Management LaunchHelp.dll ActiveX Control Arbitrary Code Execution Vulnerability
23. Verify 1565-0.pcap is HP StorageWorks P4000 Virtual SAN Appliance Arbitrary Code Execution Vulnerability
24. Verify [pcap name lost in extraction] is Novell iPrint Client ActiveX Control nipplib.dll Buffer Overflow Vulnerability
25. Verify 15773-0.pcap is IRC Channel Join
26. Verify 1555-0.pcap is Remote Control Software Potential Security Risk
27. Verify 1563-0.pcap is Microsoft Internet Explorer HTML Form Value Handling Denial of Service Vulnerability
28. Verify 15313-0.pcap is Microsoft Internet Explorer HTML Form Value Handling Denial of Service Vulnerability
29. Verify 15634-0.pcap is Worm: W32.Waledac
30. Verify [pcap name lost in extraction] is Worm: W32.Waledac
31. Verify 15193-1.pcap is Microsoft SQL Server sp_replwritetovarbin() Buffer Overflow Vulnerability
32. Verify 15193-0.pcap is Cisco Application Control Engine Module and Appliance Processing SSH Packet Denial of Service Vulnerability
33. Verify 1575-0.pcap is Adobe Flash Player Invalid Object Reference Buffer Overflow Vulnerability
34. Verify 16217-2.pcap is Autodesk Design Review LiveUpdate16.DLL ActiveX Control Arbitrary Program Execution Vulnerability
35. Verify [pcap name lost in extraction] is Autodesk Design Review LiveUpdate16.DLL ActiveX Control Arbitrary Program Execution Vulnerability
36. Verify [pcap name lost in extraction] is Autodesk Design Review LiveUpdate16.DLL ActiveX Control Arbitrary Program Execution Vulnerability
37. Verify 16293-1.pcap is Worm: W32/Conficker.worm
38. Verify 16293-0.pcap is Worm: W32/Conficker.worm
Pcap names on this page that the extraction separated from their titles: 16217-1, 11203-0, 1569-0, 1568-0.

39. Verify 1651-0.pcap is HP StorageWorks File Migration Agent HsmCfgSvc.exe Remote Arbitrary Code Execution Vulnerability
40. Verify 1654-0.pcap is Multiple Cisco Ironport Appliances Sophos Threat Engine Vulnerabilities
41. Verify 1787-0.pcap is Binary Planting Vulnerability
42. Verify 1975-0 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
43. Verify 1975-1 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
44. Verify 1975-2 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
45. Verify 1975-3 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
46. Verify 1975-4 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
47. Verify 1975-5 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
48. Verify 1975-6 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
49. Verify 1975-7 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
50. Verify 1975-8 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
51. Verify 1975-9 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
52. Verify 1975-10 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
53. Verify 1975-11 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
54. Verify 1975-12 is Self-Signed SSL Certificates Used in Spear-Phishing Attacks
55. Verify 1646-0 is Oracle Java SE Critical Patch Update October 2012
56. Verify 16473-1 is Microsoft Internet Explorer Uninitialized Memory Access Code Execution Vulnerability
57. Verify 16933-0 is Microsoft Office PowerPoint Data Out of Bounds Memory Corruption Vulnerability
58. Verify 16956-0 is Microsoft Office PowerPoint Data Out of Bounds Memory Corruption Vulnerability
59. Verify 1791-0 is Heap Spraying Buffer Overflow Attacks
60. Verify 1872-0 is IrfanView JPEG2000 Plugin Remote Stack Based Buffer Overflow Vulnerability

61. Verify 18921-0 is Apple Safari and Safari for Windows XML External Entity Information Disclosure Vulnerability
62. Verify 19219-0 is Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
63. Verify 19279-0 is Cisco Wireless LAN Controller Unauthorized Configuration Change Vulnerability
64. Verify 19819-1 is Multiple Adobe Products SWF File or PDF File Remote Arbitrary Code Execution Vulnerability
65. Verify 1985-0 is Heap Spraying Buffer Overflow Attacks
66. Verify 1985-1 is Heap Spraying Buffer Overflow Attacks
67. Verify 1985-2 is Heap Spraying Buffer Overflow Attacks
68. Verify 18420-1.pcap is IBM Informix Dynamic Server Long Username Buffer Overflow Vulnerability
69. Verify 1421-0.pcap is Oracle Java Unspecified Code Execution Vulnerability
70. Verify 1563-0.pcap is Microsoft Internet Explorer HTML Form Value Handling Denial of Service Vulnerability
71. Verify 15175-0.pcap is IBM Lotus Notes URL Handling Remote Arbitrary Code Execution Vulnerability
72. Verify 1654-0.pcap is Multiple Cisco Ironport Appliances Sophos Threat Engine Vulnerabilities
73. Verify 17785-0.pcap is Nuclear Rat Remote Access Utility
74. Verify 1787-0.pcap is Binary Planting Vulnerability
75. Verify 1813-0.pcap is Heap Spraying Buffer Overflow Attacks
76. Verify 1838-0.pcap is Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
77. Verify 1080-0.pcap is Heap Spraying Buffer Overflow Attacks
78. Verify 1792-0.pcap is Wibu Systems WibuKey Runtime for Windows ActiveX Control DisplayMessageDialog() Buffer Overflow Vulnerability
79. Verify 1853-0.pcap is Microsoft Office Excel Array Index Parsing Memory Corruption Vulnerability
80. Verify 1837-0.pcap is Ruby on Rails JavaScript Object Notation convert_json_to_yaml() Code Execution Vulnerability

81. Verify [pcap name lost in extraction] is Apple Safari and Safari for Windows XML External Entity Information Disclosure Vulnerability
82. Verify 1985-1.pcap is MySQL Heap Based Buffer Overflow Vulnerability
83. Verify 1985-0.pcap is MySQL Heap Based Buffer Overflow Vulnerability
84. Verify 1985-2.pcap is ???????
85. Verify 15233-2.pcap is ???????
86. Verify 18297-3.pcap is ??????
87. Verify 19383-1.pcap is ??????
88. Verify 16957-0.pcap is [UNAVAILABLE(29475)]
89. Verify 19600-0.pcap is IBM Informix Dynamic Server oninit.exe EXPLAIN Remote Code Execution Vulnerability
90. Verify 18921-0.pcap is Apple Safari and Safari for Windows XML External Entity Information Disclosure Vulnerability
91. Verify 19219-0.pcap is Microsoft Windows DirectShow QuickTime Media Processing Arbitrary Code Execution Vulnerability
92. Verify 1963-1.pcap is Microsoft Windows Video msvidctl ActiveX Control Code Execution Vulnerability
93. Verify 1963-0.pcap is Microsoft DirectShow Field Size Validation Arbitrary Code Execution Vulnerability
94. Verify 2083-0.pcap is Mozilla Firefox Just-In-Time JavaScript Parsing Arbitrary Code Execution Vulnerability
95. Verify [pcap name lost in extraction] is Mozilla Firefox 3.5 unicode Remote Buffer Overflow
96. Verify 1818-0.pcap is Heap Spraying Buffer Overflow Attacks
97. Verify 15233-1.pcap is Heap Spraying Buffer Overflow Attacks
98. Verify 19639-0.pcap is Oracle Java SE Java Sandbox Remote Security Bypass Vulnerability
99. Verify 19339-1.pcap is Exploit Shell Code Encoding Obfuscation Issue
100. Verify 1044-2.pcap is Exploit Shell Code Encoding Obfuscation Issue
101. Verify 1044-0.pcap is Exploit Shell Code Encoding Obfuscation Issue
102. Verify 1044-3.pcap is Exploit Shell Code Encoding Obfuscation Issue
103. Verify 1044-4.pcap is Exploit Shell Code Encoding Obfuscation Issue
104. Verify 1044-5.pcap is Exploit Shell Code Encoding Obfuscation Issue
Pcap names on this page that the extraction separated from their titles: 1759-0.

105. Verify 1044-6.pcap is Exploit Shell Code Encoding Obfuscation Issue
106. Verify 1044-7.pcap is Exploit Shell Code Encoding Obfuscation Issue
107. Verify 1044-8.pcap is Exploit Shell Code Encoding Obfuscation Issue
108. Verify 1044-9.pcap is Exploit Shell Code Encoding Obfuscation Issue
Verify 1044-10.pcap is Exploit Shell Code Encoding Obfuscation Issue

• Attacker and Victim Testcases (contains 10 test cases)
# Entity Title / Description
1. Verify [pcap name lost in extraction] is a Server Attacker
2. Verify [pcap name lost in extraction] is a Client Attacker
3. Verify [pcap name lost in extraction] is a Server Attacker
4. Verify [pcap name lost in extraction] is a Server Attacker
5. Verify [pcap name lost in extraction] is a Server Attacker
6. Verify [pcap name lost in extraction] is a Client Attacker
7. Verify [pcap name lost in extraction] is a Server Attacker
8. Verify [pcap name lost in extraction] is a Client Attacker
9. Verify [pcap name lost in extraction] is a Server Attacker
10. Verify [pcap name lost in extraction] is a Client Attacker
Pcap names on this page that the extraction separated from their titles: 1019-0, 1021-0, 1052-0, 1138-0, 1256-0, 1258-2, 15001-0, 15175-0, 16217-0, 19219-0.