Cisco Firepower NGFW Proof of Value Guide – Version 1.2
Introduction
Guide Overview
This lab is designed to help field and partner engineers understand how to set up NGFW and the key features available with it.
There are 3 sections to this guide.
• Introduction. A brief description of the guide, including sample topology and table of contents.
• Setup. These chapters cover setting up the test environment.
• Use Cases. These 15 chapters cover specific use cases to demonstrate specific feature sets.
The following conventions are used in this guide.

Font | Function
Arial Bold | Used to indicate emphasis
Arial Italic | Used for elements in the UI, links, etc.
Courier New Bold | Used to indicate text that must be typed in. The output of some commands also uses this font.

Developers
The lab pod and lab guide were created by the Technical Marketing team of the Security Business Group at Cisco Systems.

NGFW PoV Guide V1.2 – Introduction October 2016 I-1



Sample Topology
Here is the topology that was used to develop this guide. This topology is available at the GOLD lab.

Guide Table of Contents

Setup
• Setup 1: Internet Access and Communication Ports (S1-1)
• Setup 2: Installation (S2-1)
• Setup 3: Initial Configuration (S3-1)
• Setup 4: Deployment (S4-1)
Use Cases
• Use Case 1: Demonstrating AVC (U1-1)
• Use Case 2: Demonstrating URL and Geolocation Based Filtering (U2-1)
• Use Case 3: Demonstrating SSL Decryption (U3-1)
• Use Case 4: Demonstrating Authentication (U4-1)
• Use Case 5: Demonstrating Security Intelligence (U5-1)
• Use Case 6: Demonstrating IPS (U6-1)
• Use Case 7: Demonstrating AMP Threat Grid (U7-1)
• Use Case 8: Demonstrating Rate Limiting (U8-1)
• Use Case 9: Demonstrating the True Client IP Feature (U9-1)
• Use Case 10: Demonstrating Event Correlation (U10-1)
• Use Case 11: Demonstrating ISE Integration (U11-1)
• Use Case 12: Demonstrating Safe Search or YouTube EDU (U12-1)
• Use Case 13: Demonstrating FMC Analytics (U13-1)
• Use Case 14: Demonstrating Custom Dashboard and Reporting (U14-1)
• Use Case 15: Demonstrating Site-to-Site VPN (U15-1)
• Use Case 16: Demonstrating REST API (U16-1)



Use Case Dependencies

Use Case | Dependency
Use Case 1: Demonstrating AVC | -
Use Case 2: Demonstrating URL and Geolocation Based Filtering | -
Use Case 3: Demonstrating SSL Decryption | -
Use Case 4: Demonstrating Authentication | -
Use Case 5: Demonstrating Security Intelligence | -
Use Case 6: Demonstrating IPS | -
Use Case 7: Demonstrating AMP Threat Grid | Use dCloud for more data
Use Case 8: Demonstrating Rate Limiting | -
Use Case 9: Demonstrating the True Client IP Feature | -
Use Case 10: Demonstrating Event Correlation | Use Case 4: Demonstrating IPS (Task 3 and Task 4)
Use Case 11: Demonstrating ISE Integration | Use Case 4: Demonstrating Authentication (Task 1 and Task 2)
Use Case 12: Demonstrating Safe Search or YouTube EDU | -
Use Case 13: Demonstrating FMC Analytics | Use dCloud for more data
Use Case 14: Demonstrating Custom Dashboard and Reporting | -
Use Case 15: Demonstrating Site to Site VPN | -
Use Case 16: Demonstrating REST API | -

Business to Use Case Mappings

Use Case | Business Objective | Firewall Capabilities

SETUP
Installing Firepower (NGFW & FMC) | Usability, preparing the device for management | Ease of Use
Managing NGFW | Usability, preparing the device for management | Ease of Use
NGFW Deployment for Firewall POV | Deploying NGFW for inspection (as a next hop, bump in the wire, IPS) | NGFW deployment modes; Network Discovery; Routing; NAT; Clustering (9300, inter-chassis future); HA

USE CASES
Use Case 1: Standard and custom application detection and control for classification, monitoring and control | Reduce attack surface by blocking unwanted applications, blocking unproductive known and custom applications | Application Visibility; Access Control; Application Control
Use Case 2: Geolocation and URL Based Filtering | Blocking objectionable websites, reduce attack surface | Access Control; URL Filtering; URL Reputation
Use Case 3: Decrypt SSL traffic to detect hidden threats | Enterprise visibility and threat inspection for encrypted traffic | Access Control; Threat Detection
Use Case 4: Manage authentication and user discovery (SFUA/ISE) | User discovery using active/passive authentication. Integration with ISE (RBAC) | Access Control; Identity Based Policies; Security Capabilities: ISE
Use Case 5: Blacklisting using Security Intelligence (IP/DNS/URL) | Reducing and stopping connections to malicious IPs, domains and URLs | Access Control; IP, URL & DNS reputation; URL Filtering
Use Case 6: Examine traffic for intrusions | Stop inbound malicious threats that exploit vulnerable software | Threat Detection; IPS Threat Detection & Blocking; Security Capabilities: NGIPS
Use Case 7: Detect, contain and remediate threats with AMP/Threat Grid | Stopping and detecting advanced threats (e.g. malware) | Threat Detection; File Trajectory; Malware Detection; Malware Blocking; File Analysis; Cisco Integration; Security Capability: AMP
Use Case 8: Limit traffic based on traffic attributes with QoS | Improved network efficiency, compliance/regulatory | Access Control
Use Case 9: Detecting and controlling client applications with X-Forwarded-For headers | Increase host visibility behind proxy, compliance/regulatory | Access Control; Application Control
Use Case 10: Reduce threat detection time by examining early indications of compromise | Improve threat detection time | Threat Detection; Correlation; Indications of Compromise
Use Case 11: Performing rapid threat containment with ISE/pxGrid | Threat containment for infected hosts through ISE (RBAC) | Cisco Integration; Remediation API; Remediation via ISE; Security Capability: ISE
Use Case 12: Secure controlled browsing for YouTube & Safe Search | Safe browsing, compliance/regulatory | Access Control
Use Case 13: Using FMC Analytics for contextual & network visibility, auto-correlation for IOCs and impact level generation | Improved operational efficiency, reduced threat impact, solution integration, compliance/regulatory | Impact Assessment; Indications of Compromise; Host Profiling; Threat Tracking
Use Case 14: Creating custom dashboards and reporting, including risk reporting for executive visibility | Customization | Threat Tracking; Customization; Reporting
Use Case 15: Extending your business network through a Site-to-Site Virtual Private Network (VPN) | Secure communication to head office | S2S VPN
Use Case 16: Third-party integration with REST API | Automation, integration with third parties | Remediation API; Third Party Integration


Setup



Setup 1: Internet Access and Communication Ports
Firepower System Feature Internet Access Requirements

Feature | Internet access is required to... | Appliances
AMP for Firepower | Perform malware cloud lookups. | Management Center
Cisco Advanced Malware Protection (Cisco AMP) integration | Receive endpoint-based (AMP for Endpoints) malware events from the Cisco AMP cloud. | Management Center
dynamic analysis: querying | Query the AMP Threat Grid cloud for threat scores of files previously submitted for dynamic analysis. | Management Center
dynamic analysis: submitting | Submit files to the AMP Threat Grid cloud for dynamic analysis. | Any device
intrusion rule, VDB, and GeoDB updates | Download or schedule the download of an intrusion rule, GeoDB, or VDB update directly to an appliance. | Management Center
local malware analysis and file preclassification signature updates | Download signature updates to the local malware analysis and preclassification engines. | Management Center
RSS feed dashboard widget | Download RSS feed data from an external source, including Cisco. | Management Center, 7000 & 8000 Series
Security Intelligence filtering | Download Security Intelligence feed data from an external source, including Cisco-provided intelligence feeds. | Management Center
system software updates | Download or schedule the download of a system update directly to an appliance. | Any except NGIPSv
URL filtering | Download URL category and reputation data for access control, and query for uncategorized URLs. | Management Center
whois | Request whois information for an external host. | Management Center
The following table lists the open ports required by each appliance type so that you can take full advantage of Firepower System features.

Default Communication Ports for Firepower System Features and Operations

Port | Description | Direction | Is Open on... | To...
22/TCP | SSH/SSL | Bidirectional | Any | Allow a secure remote connection to the appliance.
25/TCP | SMTP | Outbound | Any | Send email notices and alerts from the appliance.
53/TCP | DNS | Outbound | Any | Use DNS.
67/UDP, 68/UDP | DHCP | Outbound | Any | Use DHCP. Note that these ports are closed by default.
80/TCP | HTTP | Outbound | Management Center, 7000 & 8000 Series | Allow the RSS Feed dashboard widget to connect to a remote web server.
80/TCP | HTTP | Bidirectional | Management Center | Update custom and third-party Security Intelligence feeds via HTTP. Download URL category and reputation data (port 443 also required).
161/UDP | SNMP | Bidirectional | Any | Allow access to an appliance's MIBs via SNMP polling.
162/UDP | SNMP | Outbound | Any | Send SNMP alerts to a remote trap server.
389/TCP, 636/TCP | LDAP | Outbound | Any except NGIPSv | Communicate with an LDAP server for external authentication.
389/TCP, 636/TCP | LDAP | Outbound | Management Center | Obtain metadata for detected LDAP users.
443/TCP | HTTPS | Inbound | Any except NGIPSv | Access an appliance's web interface.
443/TCP | HTTPS; AMQP; AMP cloud, AMP Threat Grid cloud, and Threat Intelligence Communication Preferences | Bidirectional | Management Center | Obtain: software, intrusion rule, VDB, and GeoDB updates; URL category and reputation data (port 80 also required); the Intelligence Feed and other secure Security Intelligence feeds; endpoint-based (AMP for Endpoints) malware events; malware dispositions for files detected in network traffic; dynamic analysis information on submitted files.
443/TCP | HTTPS | Bidirectional | Management Center, 7000 & 8000 Series | Download software updates using the device's local web interface.
443/TCP | HTTPS | Bidirectional | Any managed device | Submit files for dynamic analysis.
514/UDP | syslog | Outbound | Any | Send alerts to a remote syslog server.
623/UDP | SOL/LOM | Bidirectional | 7000 & 8000 Series | Allow you to perform Lights-Out Management using a Serial Over LAN (SOL) connection.
1500/TCP, 2000/TCP | database access | Inbound | Management Center | Allow read-only access to the database by a third-party client.
1812/UDP, 1813/UDP | RADIUS | Bidirectional | Any except NGIPSv | Communicate with a RADIUS server for external authentication and accounting.
3306/TCP | User Agent | Inbound | Management Center | Communicate with User Agents.
8302/TCP | eStreamer | Bidirectional | Management Center, 7000 & 8000 Series | Communicate with an eStreamer client.
8305/TCP | appliance comms | Bidirectional | Any | Securely communicate between appliances in a deployment. Required.
8307/TCP | host input client | Bidirectional | Management Center | Communicate with a host input client.
32137/TCP | AMP cloud and Threat Intelligence Communication Preferences | Bidirectional | Management Center | Allow upgraded Management Centers to communicate with the Cisco AMP cloud.


Setup 2: Installation
Requirements
• The guide assumes off-box management (FMC) unless otherwise stated.
• The focus of this guide is NGFW, but many of the use cases also apply to NGIPS or ASA with Firepower Services.
• NGFW: Firewall mode may be routed or transparent.
• NGIPS: Interface mode may be inline, inline tap or passive. If inline tap or passive is used, you must skip the demonstration of application blocking.
• An endpoint is required for most of the demonstrations.
• For some demonstrations, additional products, such as ISE, have to be installed.
• http://sinkhole.developmentserver.com acts as a sinkhole for demonstrating Security Intelligence.
• http://pov.developmentserver.com provides files and certificates to be used in these demonstrations.

Installation Outline
The installation process consists of the following tasks.
Task 1: Install the NGFW
Task 2: Configure the device for FMC management
Task 3: Install the FMC
Task 4: Install Licenses

Tasks
Task 1: Install the NGFW
Step 1 Depending on the hardware platform, refer to the respective install guide to install or upgrade to the Firepower Threat Defense NGFW software on your devices.
a. For ASA 5506-5555 running ASA+FP Services, you might need to reimage the box. Reimage instructions: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-55xx-X-qsg.html#pgfId-181902
b. For 4100: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp4100/ftd-4100-qsg.html
c. For 9300: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp9300/ftd-9300-qsg.html

During initial setup, you will be asked to pick the firewall mode (routed or transparent). This can be changed after installation by using the Firepower CLI. For 4100/9300, it is set from the Chassis Manager Settings screen while provisioning FTD.

The firewall mode cannot be changed while the device is registered with the FMC. If you intend to use FDM, you must choose routed mode.

Task 2: Configure the device for Firepower Management

Step 2 Refer to the respective install guide to complete the initial device configuration for Firepower Management.
a. The first time you access the CLI via console or SSH, a setup wizard prompts you for basic network configuration parameters.
i. For 4100: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp4100/ftd-4100-qsg.html#pgfId-155318
ii. For 9300: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp9300/ftd-9300-qsg.html#pgfId-174731
iii. For FTD on ASA 55XX: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-55xx-X-qsg.html#pgfId-182037

Step 3 If you installed the virtual NGFW, you might have had the option of adding the manager during installation. If not, log in to the NGFW CLI and type the command configure manager add <FMC ipAddress> cisco123. Make sure to remember the registration key (cisco123 in this example); you will need it when registering the NGFW with the FMC.

Task 3: Install the FMC

Step 4 Depending on whether you want to install a new virtual Firepower Management Center or upgrade/reimage the appliance, you have different options. Also follow the steps to set up the management interface on the same network as the NGFW management interface.
a. Installing a new Virtual Firepower Management Center (FMCv): http://www.cisco.com/c/en/us/td/docs/security/firepower/60/quick_start/management_center_virtual/FMCv-quick/intro-virtual.html
b. Upgrading the Firepower Management Center appliance: follow the process outlined in the Release Notes of the appliance version you wish to upgrade to.
c. Restoring/base install/reimaging the Firepower Management Center appliance: http://www.cisco.com/c/en/us/td/docs/security/firepower/hw/firepower_management_center/management_center/restoring_factory_defaults.html

Task 4: Licensing for NGFW

Step 5 These licenses need to be present in your Smart Account already. You should have a base license for your appliance in your Smart Account.
a. A Cisco Smart Account. You can create one at Cisco Software Central (https://software.cisco.com/). Details on Smart Licensing for Firepower Threat Defense: http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/Licensing_the_Firepower_System.html?bookSearch=true#concept_5B8D7BC78F154A34A31118D05B26D851
b. NOTE: Service subscriptions for Threat, Malware and URL Filtering are needed to use IPS, AMP and URL-based policies via FMC.
c. Evaluation licenses are available for 90 days the first time you install the software. Navigate to System → Licenses → Smart Licenses and turn on evaluation mode.


Setup 3: Initial Configuration
Initial Configuration Outline
The initial configuration process consists of the following tasks.
Task 1: Configure the NGFW access control policy
Task 2: Modify the network discovery policy
Task 3: Explore domains and role based access control
Task 4: Register NGFW to FMC and activate Smart Licenses
Task 5: Explore object override and policy inheritance

Tasks
Task 1: Configure the NGFW access control policy
Step 1 Navigate to Objects → Object Management → Interfaces. Click Add → Security Zone. Create two zones, InZone and OutZone. For Interface Type select Routed.
Step 2 Navigate to Policies → Access Control → Access Control.
Step 3 Create a new policy, NGFW Access Control Policy. Keep all other settings unchanged. Notice the Default Action is Block All Traffic.

Step 4 Add a rule to allow outbound connections from InZone to OutZone. Call this rule Allow Outbound.
Step 5 In the Inspection tab, select Balanced Security and Connectivity. If you want, you can create a file policy now and assign it to this rule.
Step 6 Click Add to add the rule to the policy, and Save to save the policy changes.

Task 2: Modify the network discovery policy

The default network discovery policy is configured to discover all applications, both internal and external. We want to add host and user discovery. In a production environment, discovering every network can exceed the FMC Firepower host license, so it is best practice to restrict the policy.
Step 7 Navigate to Policies → Network Discovery.
Step 8 Edit the existing rule. Check the Users checkbox; the Hosts checkbox will auto-check.
Step 9 Under the Networks tab, change the network to the internal networks used for the POV.


Task 3: Explore domains and role based access control
Step 10 Navigate to System → Domains and add a domain.

Note: Notice the pop-ups. Network Discovery is only available at the leaf domain level, to allow for overlapping networks. Also, once domains are created, each device that you manage via FMC must be a part of a leaf domain.

Step 11 Notice the screen on the top right. You are now the Global Domain Admin.

Step 12 Navigate to System → Users. Create a domain administrator for the child domain. Make sure to hit Save on both screens.

Step 13 Log off and log back in as USAadmin (in my example).

Step 14 Notice that you are logged into the child domain and do not have access to the global domain. For example, if you navigate to Policies → Access Control, notice that the policy you created in the Global Domain is read-only in the child domain. Also, if you had multiple such domains with devices in each, the child domain admin (USAadmin) would not have visibility into the devices, events, etc. of the other domains.

Step 15 However, you can now navigate to System → Users and create a user within this child domain. Remember I selected a Network Admin role for him.

Step 16 Log out and log back in as USADomain\user1.

Step 17 Notice the tabs and his role this time.

Step 18 Log out and log back in as the Global admin.


Task 4: Register NGFW to FMC and activate Smart Licenses
Step 19 In FMC, navigate to Devices → Device Management. Click Add Device and fill out the details of your NGFW. Remember the registration key you configured on the NGFW.

Note: If you have domains configured, when you Add Device you need to add it to a leaf domain. For the purpose of this guide, I am going to delete the domain created in Task 3, but you could continue to use it if the customer wants domains.

Step 20 Wait for the deployment to the device to complete.

Task 5: Explore object override and policy inheritance

Step 21 Navigate to Objects → Object Management → Network. Add a network object called InsidePC with IP 172.16.1.21.
Step 22 Click Allow Override, expand the override section, and click Add. Notice that you can now create a per-device override for this object named InsidePC. Select the device you want to create the override on as Targets.

Step 23 In the Override tab, type in the override IP address.

Step 24 Once you click Add, the screen shows which device will receive the override value.

Step 25 Save the object and notice that the Override column shows 1. When you use this object in a rule, on the NGFW device it will be evaluated as the override value instead of the default value.

Step 26 Navigate to Policies → Access Control. Add a new policy, but this time select Base Policy as NGFW Access Policy. You can select from Available Devices and assign this policy to it.

Step 27 Notice the inheritance structure created.

Step 28 Notice, when the child policy is expanded, that the Mandatory and Default sections of the parent policy wrap around the child policy. This is an onion model: rules in the Mandatory section of the parent policy are enforced on the child policy, while rules in the Default section of the parent policy can be overridden by the child policy.

Note: Policy inheritance (enforcement) is handy with domains. A Global Domain policy can be enforced onto child domains, creating something like a corporate-level policy with a branch policy that is managed by the branch admin.
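The override and inheritance behaviour from Steps 21 to 28 can be modelled in a few lines of Python. This is an added illustration, not FMC code: the object name InsidePC, the policy NGFW Access Control Policy and its Allow Outbound rule come from this guide, while the device names, the child Branch Policy, the BlockedNet object and the sample flows are constructed for the example.

```python
"""Model of FMC network-object overrides and access-control policy
inheritance, as described in Setup 3, Task 5 of the guide.
Added illustration only (not Cisco/FMC code): InsidePC, NGFW Access Control
Policy and Allow Outbound are names from the guide; the device names, the
child policy, BlockedNet and the addresses below are constructed here."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetworkObject:
    name: str
    default: str                                   # value used when no override exists
    overrides: dict = field(default_factory=dict)  # device name -> override value

    def resolve(self, device: str) -> str:
        """Step 25: on a device with an override, the override replaces the default."""
        return self.overrides.get(device, self.default)


@dataclass
class Rule:
    name: str
    src: str      # network-object name, or "any"
    dst: str
    action: str   # "allow" or "block"


@dataclass
class Policy:
    name: str
    mandatory: list = field(default_factory=list)
    default: list = field(default_factory=list)
    default_action: str = "block"   # Step 3: a new policy blocks all traffic by default
    base: "Policy | None" = None    # Step 26: the Base Policy this one inherits from


def _in_object(name, objects, device, ip):
    if name == "any":
        return True
    return ip_address(ip) in ip_network(objects[name].resolve(device), strict=False)


def _matches(rule, objects, device, src_ip, dst_ip):
    return (_in_object(rule.src, objects, device, src_ip)
            and _in_object(rule.dst, objects, device, dst_ip))


def evaluate(policy, objects, device, src_ip, dst_ip):
    """Return (action, 'policy/rule') for one flow on one device.

    Onion order from Step 28: ancestors' Mandatory rules (root first), then
    this policy's own Mandatory and Default rules, then ancestors' Default
    rules (nearest ancestor first), then the default action.  A child can
    shadow a parent's Default rules but never a parent's Mandatory rules.
    """
    chain, p = [], policy
    while p is not None:
        chain.append(p)
        p = p.base
    chain.reverse()                                   # root ... leaf
    ordered = [(p, r) for p in chain for r in p.mandatory]
    ordered += [(p, r) for p in reversed(chain) for r in p.default]
    for p, r in ordered:
        if _matches(r, objects, device, src_ip, dst_ip):
            return r.action, f"{p.name}/{r.name}"
    return policy.default_action, f"{policy.name}/default action"


# Constructed sample data (documentation address ranges, not real hosts).
OBJECTS = {
    "InsidePC": NetworkObject("InsidePC", "172.16.1.21",
                              overrides={"NGFW-Branch": "10.10.1.21"}),
    "BlockedNet": NetworkObject("BlockedNet", "203.0.113.0/24"),
}

PARENT = Policy(
    "NGFW Access Control Policy",
    mandatory=[Rule("Corporate Block", "InsidePC", "BlockedNet", "block")],
    default=[Rule("Allow Outbound", "any", "any", "allow")],
)
CHILD = Policy(
    "Branch Policy",
    base=PARENT,
    default=[Rule("Branch Block", "InsidePC", "any", "block")],
)

if __name__ == "__main__":
    for dev in ("NGFW-HQ", "NGFW-Branch"):
        for src in ("172.16.1.21", "10.10.1.21"):
            print(dev, src, evaluate(CHILD, OBJECTS, dev, src, "198.51.100.7"))
```

Running it shows the same source address being blocked on one device and allowed on the other purely because InsidePC resolves differently per device, and the parent's Mandatory rule winning even where the child's Default section also matches.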



Setup 4: Deployment
Deployment Outline
This deployment chapter consists of the following tasks.
Task 1: Configure routed or transparent mode
Task 2: Configure interfaces and default route (routed mode)
Task 3: Configure manual and auto NAT
Task 4: Configure platform settings
Task 5: Explore dynamic routing (routed mode)
Task 6: Deploy policy changes
Task 7: Test the deployment
Task 8: Deploying NGFW in high availability (active/standby)

Tasks
Task 1: Configure routed or transparent mode
Step 1 During the initial setup configuration wizard for the ASA5500 Series, or via the Chassis Manager for 4100/9300, you were able to pick one of the firewall modes, Routed or Transparent. If you wish to change that now:
a. For the ASA5500 series, you need to de-register the device, go back to the CLI to change it, and re-register the device.
    > configure firewall ?
    routed        Change to routed firewall mode
    transparent   Change to transparent firewall mode
b. For the 4100/9300 series, you need to de-register the device, go back to the Chassis Manager, change it, and re-register FTD.



Task 2: Configure interfaces and default route (routed mode)
Step 2 Navigate to Devices → Device Management. Edit the NGFW device. Edit the physical interfaces and configure the inside and outside interfaces as needed for the test. Configure the IPv4 address.

Step 3 Select the Routing tab. Select Static Route and add a route to the outside gateway.

Task 3: Configure manual and auto NAT

Step 4 Navigate to Devices → NAT to create a NAT policy.

Note: Starting with 6.1, you can create a shared NAT policy across multiple devices.


Step 5 If needed by the environment, create a new Firepower Threat Defense NAT Policy from the drop-down for NGFW. Give it a name, assign it to the NGFW device and click Save.

Step 6 Once the Rule page opens, add a rule. Notice you can create dynamic NAT, dynamic PAT, static NAT, and identity NAT rules. Decide which rules should be implemented as manual or auto NAT. We recommend using auto NAT unless you need the extra features that manual NAT provides. It is easier to configure auto NAT, and it might be more reliable for applications such as Voice over IP (VoIP).

Note: To learn about the different NAT types and compare them: http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Network_Address_Translation__NAT__for_Threat_Defense.html?bookSearch=true#ID-2090-00000008


Step 7 As an example, let's create a manual NAT rule for dynamic PAT as per the screenshot below:

Step 8 Select the Translation tab and configure the Original and Translated Packet.

Step 9 Save the policy.

Step 10 As another example, assume you have a web server on the inside and you want an IP address on the outside mapped to it.

Step 11 Add a new static auto NAT rule. Example:

Step 12 Populate the Original Packet Source and Translated Packet Source Address.

Note: You need to create the source objects wwwin and wwwout beforehand, or add them from this screen by clicking +. For this to work, you will need to add an Allow rule from outZone to inZone.

Step 13 For this to work, you will need to add an access control rule to allow traffic from outZone to inZone. You can choose to select HTTP/HTTPS as ports in this rule and also select a balanced IPS policy in the Inspection tab.


Task 4: Configure platform settings
Step 14 Navigate to Devices → Platform Settings. Select New Threat Defense Settings Policy and assign it to the NGFW device. This policy can be shared across devices.

Step 15 Click Save and then select Time Synchronization. Confirm that the Via NTP from Management Center radio button is selected.

Task 5: Explore dynamic routing (routed mode)

Step 16 Navigate to Devices → Device Management. Edit the device and select the Routing tab.
Step 17 Notice all the dynamic routing options: OSPF, OSPFv3, BGP, Multicast Routing. Here is an example of configuring BGP.
a. Select BGP and check the Enable BGP checkbox. Set the AS Number to 10.
b. Expand BGP in the left navigation pane and select IPv4.
c. Check the Enable IPv4 checkbox. Click on the Neighbor tab and add a BGP neighbor. Click OK and save the configuration.

Task 6: Deploy policy changes

Step 18 Click the Deploy button in the upper right-hand corner of the FMC. Check the checkbox for the NGFW device and click Deploy. Notice the notification pop-ups; click the icon to the right of the Deploy link in the upper right-hand corner of the FMC to check the status of the deployment. Wait for the deployment to complete.

Task 7: Test the deployment

Step 19 From an inside client, ping an outside IP address, hostname or website to make sure you have connectivity to the outside and DNS is working.
Step 20 You can also try to browse some websites.
Step 21 If you created the InsideWebServer, the auto NAT rule and the access rule in Section 1c, Task 3, you can try to reach it in a browser from a PC outside and make sure it gets NATed correctly and is reachable.
Step 22 You can also SSH to the NGFW CLI and run some show commands. For example, if you have BGP configured from Task 5, run show route.

Task 8: Deploying NGFW in high availability (active/standby)

Step 23 If you wish to deploy NGFW in HA mode, you will need to install, configure and register another NGFW to the FMC. Here are the details for FTD in HA mode: http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01100110.html


Step 24 This is how the connectivity would look. It is an Active/Standby pair with stateful failover. The primary's policies are synchronized to the secondary. The two nodes are connected by one dedicated "failover link" and an optional "State Link". The management interface on each unit maintains a distinct management IP address. Configuration updates are sent by the FMC to the current active node.

Note: On FP9300 platforms, failover is only supported across blades in different chassis in non-cluster mode, with matching interfaces on separate blades.

Note: The two HA units must be identical in hardware configuration, memory, interfaces, and software versions.

Note: Smart License requirements for an HA pair: Firepower Threat Defense devices in a high availability configuration must have the same licenses. Before high availability is established, it does not matter which licenses are assigned to the secondary/standby device. During high availability configuration, the Firepower Management Center releases any unnecessary licenses assigned to the standby device and replaces them with identical licenses assigned to the primary/active device. For example, if the active device has a Base license and a Threat license, and the standby device has only a Base license, the Firepower Management Center communicates with the Cisco Smart Software Manager to obtain an available Threat license from your account for the standby device. If your Smart Licenses account does not include enough purchased entitlements, your account becomes Out-of-Compliance until you purchase the correct number of licenses. High availability configurations require two Smart License entitlements, one for each device in the pair.


Use Cases



Use Case 1: Demonstrating AVC
Business Objectives
Application Visibility and Control is the first level of defense against attacks, and it also improves business
productivity by blocking or controlling non-productive applications. AVC can control or block applications,
micro applications and custom applications.

Demonstration Objectives
This use case will demonstrate application detection and control for custom and standard applications.
OpenAppID is an open source application detection engine, supported by the Snort community. This is
utilized for AVC in the NGFW. The AppID Snort preprocessor has a Lua interface that allows the
preprocessor to utilize Lua scripts. This allows the creation of custom application detectors using the Lua
scripting language. Below is a sample custom application.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may be inline, inline tap or passive
If inline tap or passive is used, you must skip the demonstration of application blocking
• An endpoint with any standard browser to serve as a client

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Create custom application detector
Task 2: Configure custom application detection and blocking
Task 3: Configure standard application detection and blocking for SSH
Task 4: Deploy and test standard and custom application detection

Tasks
Task 1: Create custom application detector
Step 1 Navigate to Policies > Application Detectors. Click on Create a Custom Detector.

Note that Detector Type here is Basic. This means the Lua script will be created for you. The
alternative is to create an advanced detector, which lets you upload a custom Lua script.

Step 2 Click the Add button to the right of the Application Protocol drop-down menu. Fill out the
Application Editor page as below and save.

Step 3 Select TestApp from the Application Protocol drop-down menu and save.

Step 4 On saving, the screen below opens, where you can define your Detection Pattern and Packet
Captures. You will not be using packet captures in this demonstration.

Step 5 Add a detection pattern as below. Click OK and Save.

Step 6 Search for the custom application detector you just created and Enable it.

Step 7 You can also download the custom detector, open it in an editor and inspect the Lua script, if
you wish.

Task 2: Configure custom application detection and blocking
Step 8 Navigate to Policies > Access Control > Access Control, and edit the NGFW access control
policy. Add a rule to block TestApp.
a. Make this the 1st rule.
b. For Action, select Block with reset.
c. In the Applications tab, search for TestApp, and add this application to the Rule.
d. In the Logging tab, check the Log at Beginning of Connection checkbox.

e. Click Save.

Task 3: Configure standard application detection and blocking for SSH and Xbox
Step 9 Navigate to Policies > Access Control > Access Control, and edit the NGFW access control
policy. Add a rule to block SSH.
a. Make this the 1st rule.
b. For Action, select Block with reset.
c. In the Applications tab, search for SSH and add this to the Rule.
d. In the Logging tab, check the Log at Beginning of Connection checkbox.

Note: You could also go to the Ports tab and block SSH on a certain port. But if you wanted to create a rule to
block SSH on all non-default ports, you would need two rules: Rule #2 to block SSH without a port
condition, and Rule #1 above it to allow SSH on port 22.

e. Repeat the above steps to block web applications like Xbox Live.
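The first-match evaluation behind Tasks 2 and 3, and the rule-ordering note above, as an added example that is not part of the guide. It uses a hypothetical User-Agent detector standing in for the Basic TestApp detector and a hypothetical SSH banner detector; all flows are constructed.

```python
"""Added example (not from the Cisco guide): first-match access control with
application detection, mirroring Use Case 1 Tasks 2 and 3.

Two stand-in detectors replace the FMC ones: a Basic-style HTTP detector
keyed on the User-Agent header (the custom "TestApp" detector) and an SSH
banner detector. Rules are evaluated top-down, so an "Allow SSH on 22" rule
placed above a "Block SSH" rule blocks SSH only on non-default ports.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Flow:
    dst_port: int
    client_payload: bytes   # first client-to-server bytes (constructed samples below)


# --- application detectors (hypothetical stand-ins for FMC detectors) ---------

def detect_http_user_agent(flow: Flow, pattern: bytes, app_name: str) -> Optional[str]:
    """Basic-style detector: match `pattern` inside the HTTP User-Agent header."""
    head, _, _ = flow.client_payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent" and pattern in value:
            return app_name
    return None


def detect_ssh(flow: Flow) -> Optional[str]:
    """SSH is identified by its version banner, whatever the port."""
    return "SSH" if flow.client_payload.startswith(b"SSH-2.0-") else None


def identify_app(flow: Flow) -> Optional[str]:
    return detect_http_user_agent(flow, b"TestApp", "TestApp") or detect_ssh(flow)


# --- access control rules --------------------------------------------------------

@dataclass
class Rule:
    name: str
    action: str                                  # "Allow" or "Block with reset"
    apps: set = field(default_factory=set)       # empty = any application
    ports: set = field(default_factory=set)      # empty = any destination port

    def matches(self, flow: Flow, app: Optional[str]) -> bool:
        if self.apps and app not in self.apps:
            return False
        if self.ports and flow.dst_port not in self.ports:
            return False
        return True


def evaluate(rules: list, flow: Flow, default_action: str = "Allow") -> tuple:
    """Return (rule name, action) of the first matching rule, else the default action."""
    app = identify_app(flow)
    for rule in rules:
        if rule.matches(flow, app):
            return rule.name, rule.action
    return "default", default_action


# Rule order matters: the port-22 allow sits above the catch-all SSH block.
POLICY = [
    Rule("Block TestApp", "Block with reset", apps={"TestApp"}),
    Rule("Allow SSH on 22", "Allow", apps={"SSH"}, ports={22}),
    Rule("Block SSH", "Block with reset", apps={"SSH"}),
]

# Constructed sample flows.
TESTAPP_REQUEST = Flow(80, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: TestApp/1.0\r\n\r\n")
BROWSER_REQUEST = Flow(80, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
SSH_DEFAULT_PORT = Flow(22, b"SSH-2.0-OpenSSH_7.4\r\n")
SSH_ODD_PORT = Flow(2222, b"SSH-2.0-OpenSSH_7.4\r\n")

if __name__ == "__main__":
    for label, flow in [("TestApp over HTTP", TESTAPP_REQUEST), ("browser", BROWSER_REQUEST),
                        ("SSH on 22", SSH_DEFAULT_PORT), ("SSH on 2222", SSH_ODD_PORT)]:
        print(f"{label:18} -> {evaluate(POLICY, flow)}")
```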

Task 4: Deploy and test standard and custom application detection


Step 10 Make sure to save and deploy the access control policy to the correct device.

Step 11 From the inside PC, send some traffic for the custom HTTP application with TestApp as the User Agent.
You can do this in the Firefox browser by editing the default user agent from Tools > Edit User
Agents and creating a new user agent.
Step 12 Also, try to SSH to any server on the outside.

Step 13 And browse to http://www.xbox.com. It should be blocked.

Step 14 Navigate to Analysis > Connections > Events. Drill down to the Table View of Connection
Events and confirm that the TestApp application was detected. It will be in the Client column of
the table.

Use Case 2: Demonstrating URL and
Geolocation Based Filtering
Business Objectives
URL filtering not only lets you restrict access to objectionable websites, it also reduces the attack
surface. You can restrict access by web category and by the reputation of the website (risk, geolocation, etc.).

Demonstration Objectives
The objective of this demonstration is to show how to filter URLs based on URL category, risk, or
geolocation. These features can be used to enhance security and enforce acceptable use.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may be inline, inline tap or passive
If inline tap or passive is used, you must skip the demonstration of application blocking
• An endpoint with any standard browser to serve as a client

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Configure URL Filtering
Task 2: Configure Geolocation Filtering
Task 3: Deploy the Access Control Policy
Task 4: Test URL category and geolocation features

Note: For this demonstration, it is best to configure an end user notification page. When editing the access control
policy, you can configure this page in the HTTP Responses tab. Note that even if the action is set to Block
with reset, this page will be displayed.

Tasks
Task 1: Configure URL filtering
Step 1 Navigate to System > Integration. Under Cisco CSI, make sure Enable URL Filtering is checked.
Also check Query Cisco CSI for Unknown URLs.
Step 2 Navigate to Policies > Access Control > Access Control, and edit the NGFW access control
policy. Add a rule to block unacceptable sites, such as gambling sites. Follow the steps below.
a. Make this the 1st rule.
b. For Action, select Block with reset.
c. In the URL tab, search for Gambling and add this to the rule
d. In the Logging tab, select Log at Beginning of Connection.
e. Click Add to save the rule.

Step 3 Save the changes to the access control policy.

Task 2: Configure geolocation filtering


Step 4 Navigate to Analysis > Lookup > Geolocation.

a. Enter an IP you wish to block by geolocation. For example, you can use
186.192.90.5. This is the IP address for the Brazilian news site globo.com.
b. Click Search.
Step 5 Navigate to Policies > Access Control > Access Control, and edit the NGFW access control
policy. Add a rule to block some countries.
a. Make this the 1st rule.
b. For Action, select Block with reset.
c. In the Networks tab, in the Geolocation sub-tab, search for any country you wish to block
and click Add to Destination.
d. In the Logging tab, select Log at Beginning of Connection.
e. Click Add to save the rule.
Step 6 Save the changes to the access control policy.

Task 3: Deploy the Access Control Policy


Step 7 Deploy the access control policy.

Task 4: Test URL category and geolocation features


Step 8 From your endpoint, browse to gambling sites like http://poker.com and verify that it is blocked.

Step 9 Test geolocation by browsing to a country specific site.

Step 10 Navigate to Analysis > Connections > Events. Drill down to the Table View of Connection
Events and verify that traffic was blocked. Check the URL Category.
Step 11 For geolocation, check the initiator and responder country.

Use Case 3: Demonstrating SSL Decryption
Business Objectives
Most web traffic is encrypted, using HTTPS to secure Internet traffic. The NGFW must decrypt the
encrypted traffic to inspect it for exploits, and to control micro applications such as Facebook chat,
YouTube upload, etc.

Demonstration Objectives
The objective of this demonstration is to show how to filter URLs based on URL category, risk, or
geolocation. These features can be used to enhance security and enforce acceptable use. You will also
demonstrate how to create decryption exemptions based on URL category.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode must be inline pair (non-tap)
• An endpoint with any standard browser to serve as a client

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Create a self-signed certificate using the FMC
Task 2: Create an SSL policy
Task 3: Associate the SSL policy to the access control policy
Task 4: Deploy and test the SSL policy

Tasks
Task 1: Create a self-signed certificate using the FMC

Step 1 Navigate to Objects > Object Management > PKI > Internal CAs. Click Generate CA. Fill in the
details and click Generate self-signed CA.

Step 2 Edit the certificate. Generate and download the certificate.

Step 3 Install the certificate into the browser on the endpoint you will use for testing.

Task 2: Create an SSL policy


Step 4 Navigate to Policies > Access Control > SSL.
Step 5 Click the text Add a new policy or click the New Policy button.
a. For Name, enter Decrypt with Self-Signed.
b. Leave the default action to Do not decrypt.
c. Click Save. Wait a few seconds, and the policy will open for editing.
Step 6 Click Add Rule.
a. For Name, enter Exempt financial services.
b. Set Action to Do not decrypt.
c. In the Category tab, under Categories, select Financial Services, and click Add to Rule.
d. Select the Logging tab, and check the Log at End of Connection checkbox.
e. Click Add to add this rule to the SSL policy.
Step 7 Click Add Rule.
a. For Name, enter Decrypt other.
b. Set Action to Decrypt – Resign.
c. Select the self-signed certificate from the drop-down list to the right of the word with.
d. Check the Replace Key checkbox.
e. Select the Logging tab, and check the Log at End of Connection checkbox.
f. Click Add to add this rule to the SSL policy.

Step 8 Click Save to save the SSL policy.

Note: The above policy decrypts everything. But for a POV, you might want to keep it as narrowly scoped to your
testing as possible, to avoid browser performance issues.

Task 3: Associate the SSL policy to the access control policy


Step 9 Navigate to Policies > Access Control > Access Control. Edit the Access Control Policy.
Step 10 Click the text None to the right of SSL Policy near the top of the policy, or use the
Advanced tab. Select the SSL policy you just created.

Task 4: Create a File Policy and Use it in the Access Control Policy


Step 11 Create a File Policy to Block Malware for the Archives and Dynamic Analysis Capable file type
categories. You can also add the Eicar file type, as we will be using this for our testing.

Step 12 Also, in your Access Control Policy, make sure you have an Allow rule for outbound connections
that uses this file policy for inspection.

Task 5: Deploy and test the SSL Policy


Step 13 Save and deploy the updated access control policy.

Step 14 Go to http://eicar.org.

a. Try to download the test malware file over HTTPS. This is an option on the EICAR
website.
b. Verify, usually by clicking the lock icon in the browser, that the certificate has been
resigned.
c. Verify that the EICAR virus is blocked. This demonstrates the malware is blocked, even
over HTTPS.
Step 15 Go to a banking website, like https://www.wellsfargo.com. Confirm that the certificate has not
been resigned.

Use Case 4: Demonstrating Authentication
Business Objectives
User discovery lets you monitor user activity by associating users with IP addresses. User
discovery can be passive, using an agent (ISE or SFUA), or active, where no agent is required.

Demonstration Objectives
The goal of this demonstration is to show the value of passive authentication and user discovery. There
are two passive authentication sources:
• The Cisco Firepower Active Directory Agent
Formerly known as the Sourcefire User Agent (SFUA)
• The Cisco Identity Services Engine (ISE)
You can configure either, but not both, of these sources.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may be inline, inline tap or passive
• Access to a privileged Active Directory account.
• An endpoint with any standard browser to serve as a client.

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Integrate FMC into authentication infrastructure
Task 2: Create an identity policy with a passive authentication rule
Task 3: Associate the Identity Policy to the Access Control Policy
Task 4: Deploy and test passive authentication

Tasks
Task 1: Integrate FMC into authentication infrastructure
Step 1 Install either the SFUA or ISE, depending on which you choose for obtaining user-to-IP mappings.

a. SFUA: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118131-technote-sourcefire-00.html
b. ISE 2.1: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21.html
Step 2 In FMC, navigate to System > Integration. Select the Identity Sources tab. Choose one of the
identity sources (Identity Services Engine or User Agent) and complete the integration.
a. For ISE, make sure you have the right certificates pre-created. Here is the detailed
HOW TO guide: https://communities.cisco.com/docs/DOC-68292
b. For the user agent, you just need the hostname or IP address.
Step 3 Create a realm. Navigate to System > Integration. Select the Realms tab and click New Realm.

Step 4 Provide the necessary information. Before saving, click Test to confirm the configuration.

Step 5 Add a directory server to the realm by clicking Add directory. Before saving, click Test to
confirm the configuration.

Step 6 Select the User Download tab. Check Download users and groups, and then click Save.

Step 7 Enable the realm.

Step 8 Click the icon to the right of the switch you used to enable the realm. This will download the
users and groups.

Task 2: Create an Identity Policy with a passive authentication rule


Step 9 Navigate to Policies > Access Control > Identity. Add a new policy.

Step 10 If you want to use active authentication, you will need a certificate/key pair.
a. Select the Active Authentication tab.

b. Select the plus icon next to the Server Certificate text field.

c. Upload the certificate/key pair.


Step 11 Select the Rules tab.

Step 12 Click Add Rule, and give the rule a name.

Step 13 Set the Action to Passive Authentication.


Step 14 Select the Realms and Settings tab.

a. Select the realm you created in Task 1 from the Realm drop-down menu.
b. Check Use active authentication if passive authentication cannot identify user.
c. Check Identify as Special Identities/Guest if authentication cannot identify the user.

d. By default, Authentication Type is HTTP Basic. You can change it to NTLM, Kerberos,
HTTP Negotiate or HTTP Response Page if you wish.
Step 15 Click Add to save the rule.
Step 16 Click Save to save the policy.

Task 3: Associate the Identity Policy to the Access Control Policy


Step 17 Navigate to Policies > Access Control > Access Control.
Step 18 Click the text None to the right of Identity Policy (upper left-hand corner), choose the Identity
Policy that you configured in the previous task and click the OK button.
Step 19 Add a rule to the access control policy.
a. In the Users tab, select a user or an AD group.
b. Select some other criteria that you want to allow or block for this user or group.

c. If you have ISE integrated, you can also add ISE Attributes to the Rule and create a more
granular rule with Security Group Tags or Device Type or Location IP.

d. Save the rule and then save the Access Control Policy changes.

Task 4: Deploy and test passive authentication


Step 20 Deploy the changes.
Step 21 Log in to the client PC as different users and monitor the User Activity and Connection Events pages.

Use Case 5: Demonstrating Security
Intelligence
Business Objectives
Security Intelligence is a powerful tool for gaining visibility into malicious IPs, domains and URLs. Security
Intelligence assigns a reputation score to each IP, domain and URL, which lets a business blacklist IPs,
domains and URLs with a bad reputation. Security Intelligence is gathered by analyzing hundreds of terabytes
of data collected from Cisco's very large deployment footprint. If an IP, domain or URL is associated with
malicious activity in any part of the world, its reputation score is affected. SI helps restrict access to
CnC servers and domains with a bad reputation.

Demonstration Objectives
In this demonstration, your goal is to perform Security Intelligence configuration. This consists of the
following:
• Deploy an IP based black list
• Deploy a URL based black list
• Configure and deploy a DNS sinkhole
IP and URL black lists are self-explanatory, but DNS sinkholing deserves some explanation. Typically, if
the edge firewall sees a DNS query to a malicious site, it is coming from an internal DNS server. This
server has probably not been compromised. What the firewall can do is intercept the query, and return
forged A and AAAA records.
These records could point the client at a non-existent destination, or a server controlled by the
administrator. If the attempt to connect to the server is seen by the firewall, the endpoint can be assigned
an indication of compromise (IoC).

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may be inline, inline tap or passive
• An endpoint with any standard browser to serve as a client

Note: You will also need target web servers for this demonstration. These will be provided by Cisco.
• A web server to provide custom feeds: pov.developmentserver.com/feeds.
• A web server to take the place of a CnC server: cnc.developmentserver.com
• A web server to serve test IP based security intelligence: www.developmentserver.com
• A web server to serve test URL based security intelligence: url.developmentserver.com
• A web server to serve as the DNS sinkhole: sinkhole.developmentserver.com

Demonstration Outline
This demonstration consists of 4 tasks.
Task 1: Configure network, DNS and URL feeds
Task 2: Configure a DNS sinkhole
Task 3: Configure security intelligence in the access control policy
Task 4: Test security intelligence configuration

Tasks
Task 1: Configure network, DNS and URL feeds

Note: Each of these Security Intelligence objects can be either a list or a feed. This guide uses feeds. If you want to
use lists instead, you can download the lists from the URLs in Steps 2, 3 and 4.

Step 1 In the FMC, navigate to Objects > Object Management.


Step 2 Select Security Intelligence > Network Lists and Feeds. Click Add Network Lists and Feeds.
a. For Name type NetFeed.
b. Select Feed from the Type drop-down menu.
c. For Feed URL, type http://pov.developmentserver.com/feeds/NetFeed
d. Click Save.

Step 3 Select Security Intelligence > DNS Lists and Feeds. Click Add DNS Lists and Feeds.
a. For Name type DNSFeed.
b. Select Feed from the Type drop-down menu.
c. For Feed URL, type http://pov.developmentserver.com/feeds/DNSFeed
d. Click Save.

Step 4 Select Security Intelligence > URL Lists and Feeds. Click Add URL Lists and Feeds.
a. For Name type URLFeed.
b. Select Feed from the Type drop-down menu.
c. For Feed URL, type http://pov.developmentserver.com/feeds/URLFeed
d. Click Save.

Task 2: Configure a DNS sinkhole


Step 5 Navigate to Objects > Object Management > Sinkhole. Click Add Sinkhole.
a. Fill out the fields as below. Note that an IPv6 address is mandatory, so we use an
address reserved for documentation only. Note that Type is set to Command and
Control. This will determine the type of IoC generated.

Note: The IPv4 address 54.68.53.177 corresponds to sinkhole.developmentserver.com. The IPv6 address
2001:db8::1 is in the range of IPv6 addresses reserved for documentation.

b. Click Save.
Step 6 Navigate to Policies > Access Control > DNS. Click Add DNS Policy.
a. For the name, enter NGFW DNS Policy. Click Save.

b. Click Add DNS Rule. Configure the rule as shown below.

c. Click Add to add the rule. Then click Save to save the new DNS policy.
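What the sinkhole configured in Task 2 does on the wire, as an added example that is not Cisco's code: a query for a name on the DNS feed is answered with forged A and AAAA records pointing at the sinkhole addresses from Step 5, other names are left to the real resolver, and a later connection to a sinkhole address tags the source host with a Command and Control IoC (as seen in Step 14). The feed contents, transaction IDs and client address are constructed.

```python
"""Added example (not from the Cisco guide): DNS sinkholing as described in
Use Case 5. Queries are parsed and answers forged in raw DNS wire format so
the behaviour Step 12 checks with nslookup can be seen end to end.
Sinkhole addresses are the ones the guide configures in Step 5; the feed
contents and the sample client are constructed.
"""
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA = 1, 28

DNS_FEED = {"cnc.developmentserver.com"}           # contents of DNSFeed (constructed)
SINKHOLE = {"ipv4": "54.68.53.177", "ipv6": "2001:db8::1", "type": "Command and Control"}


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Minimal DNS query (header + one question), as a resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (txid, name, qtype, raw question bytes) from a single-question message."""
    txid, = struct.unpack("!H", msg[:2])
    labels, pos = [], 12
    while msg[pos]:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    pos += 1                                          # skip the terminating zero
    qtype, = struct.unpack("!H", msg[pos:pos + 2])
    return txid, ".".join(labels), qtype, msg[12:pos + 4]


def sinkhole_response(query: bytes):
    """Forge an answer if the queried name is on the DNS feed; otherwise return
    None, meaning the firewall lets the real resolver answer."""
    txid, name, qtype, question = parse_question(query)
    if name.lower() not in DNS_FEED:
        return None
    if qtype == QTYPE_A:
        rdata = ipaddress.IPv4Address(SINKHOLE["ipv4"]).packed
    elif qtype == QTYPE_AAAA:
        rdata = ipaddress.IPv6Address(SINKHOLE["ipv6"]).packed
    else:
        return None                                   # only A and AAAA are forged
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 answer
    # Answer: pointer to the question name (0xC00C), type, class IN, TTL 60, rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + question + answer


def answer_address(response: bytes) -> str:
    """Extract the address carried by the single forged answer record."""
    _, _, _, question = parse_question(response)
    rr = response[12 + len(question):]
    _, _, _, rdlen = struct.unpack("!HHIH", rr[2:12])
    return str(ipaddress.ip_address(rr[12:12 + rdlen]))


def ioc_for_connection(src_ip: str, dst_ip: str):
    """A client that follows the forged answer connects to the sinkhole address;
    that connection is what the firewall uses to tag the host with an IoC."""
    if dst_ip in (SINKHOLE["ipv4"], SINKHOLE["ipv6"]):
        return {"host": src_ip, "ioc": SINKHOLE["type"], "indicator": dst_ip}
    return None


if __name__ == "__main__":
    for qtype in (QTYPE_A, QTYPE_AAAA):
        resp = sinkhole_response(build_query(0x1234, "cnc.developmentserver.com", qtype))
        print("forged answer:", answer_address(resp))
    print("benign query forged?", sinkhole_response(build_query(2, "www.developmentserver.com", QTYPE_A)))
    print("IoC:", ioc_for_connection("10.0.0.25", SINKHOLE["ipv4"]))   # constructed client
```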

Task 3: Configure security intelligence in an access policy


Step 7 Navigate to Policies > Access Control > Access Control. Edit the NGFW Access Control Policy.
Step 8 Select the Security Intelligence Tab.
a. Select NGFW DNS Policy from the DNS Policy drop-down menu.
b. Using the Networks tab under Available Objects, select the network feed you created in
Task 1. Click Add to Blacklist.
c. Using the URLs tab under Available Objects, select the URL feed you created in Task 1.
Click Add to Blacklist.
d. Confirm that your Security Intelligence configuration looks like what you see below.

e. Click Save to save the changes to the NGFW Access Control Policy.
Step 9 Deploy the changes. Note that the DNS policy and access control policies have been modified.
Step 10 Wait until the deployment is complete.

Task 4: Test security intelligence configuration


Step 11 Test the network feed. This feed contains 1 IP address: 198.170.110.164. This is the IP address
for www.developmentserver.com. From the endpoint, try to ping or browse
to www.developmentserver.com. This will be blocked.
Step 12 Test the DNS sinkhole. Note that the DNS list or feed contains one
FQDN: cnc.developmentserver.com.

a. In the Firefox browser navigate to http://cnc.developmentserver.com. Note that you are
redirected to http://sinkhole.developmentserver.com.
b. Open the Windows Command Processor, type:
nslookup cnc.developmentserver.com
Confirm that the IPv4 and IPv6 returned by the query are the addresses configured in the
sinkhole object.
Step 13 Test the URL feed. This object contains 1 URL: url.developmentserver.com/files

a. In the Firefox browser navigate to http://url.developmentserver.com. Note that this is
allowed.
b. Click the Files link. Note that you cannot access this folder.
Step 14 Navigate to Analysis > Connections > Security Intelligence Events.
a. Confirm that you see the Security Intelligence events generated in this task.
b. Confirm that the endpoint computer icon is red, indicating an IoC.
c. Click on one of these red icons to view the host profile, and confirm that this is a
command-and-control connection IoC.

Use Case 6: Demonstrating IPS
Business Objective
Providing IPS is a cornerstone of any NGFW. The objective is to demonstrate the ability of the Firepower
best-of-breed IPS to detect and analyze threats.

Demonstration Objectives
The objective of this demonstration is to show the IPS capabilities of the NGFW.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may be inline, inline tap or passive
If inline tap or passive is used, you must skip the demonstration of threat blocking
• An endpoint with any standard browser to serve as a client

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Create a new intrusion policy
Task 2: Enable Firepower Recommendations
Task 3: Enable signature 336 for the demonstration
Task 4: Deploy and test simple IPS functionality
Task 5: Explore advanced settings
Task 6: Explore policy layers
Task 7: Explore creating a custom Snort signature
Task 8: Getting Custom intrusion policy from TALOS for IXIA BreakingPoint Strike List
Task 9: Associate the intrusion policy to the access control policy
Task 10: Deploy and test advanced IPS functionality

Note: For a short and simple demonstration, do Task 1 through Task 4.

Tasks
Task 1: Create a new intrusion policy
Step 1 Navigate to Policies > Access Control > Intrusion. Create a new intrusion policy.

Step 2 You might want to uncheck Drop when Inline if you want the policy to generate events only, without dropping.

Step 3 You can leave the Base Policy as Balanced Security and Connectivity.

Step 4 Edit the policy. Select Rules from the left panel. Notice the categories and rules.

Task 2: Enable Firepower Recommendations


Step 5 Click on the Firepower Recommendations on the left panel.

Note: Firepower Recommendations are useful for automatically tuning the Intrusion policy for your customer’s
environment. It is most effective after the system has had a minimum of several hours to “learn” the
network.

Note: In order for this demonstration to work, it is best that the network traffic has a chance to flow through the
sensor for an extended length of time.

Step 6 Click on Advanced Settings, and uncheck the option to Disable Rules.

Note: In production deployments, customers will often leave this setting Checked, but in a POV, it is best to
Uncheck it and leave more rules enabled.

Step 7 Click Generate and Use Recommendations. This might take a few minutes.

Step 8 Click on Policy Information and verify that Firepower is changing several rule states.

Step 9 Click Commit Changes. You can also do this after all changes to the intrusion policy have been
made.

Task 3: Enable signature 336 for the demonstration


Step 10 Enable rule 336. This will block attempts to change to the root home directory over FTP.
a. Click Rules under Policy Information menu on the left-hand side of the Edit Policy page.
b. Select SID from the Rule Content section of the rules. Enter 336 into the Enter the SID
filter popup. Click OK.
c. Check the checkbox next to the rule. Select Drop and Generate Events from the Rule
State drop-down menu. Click OK.

Note: This rule looks for a change to the root home directory in established FTP traffic on port 21. It only looks for
traffic coming from the external network, but in our lab we use the default value of $EXTERNAL_NET, which
is any, so the rule can be triggered in both directions. You may consider the following flow.
1. Demonstrate how this rule works with unmodified variables, as shown in Task 4.
2. Modify your variables to define the home and external networks.
3. Demonstrate that this rule is no longer triggered.
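Why rule 336 fires in both directions with the default variables, and stops firing on the outbound test once the networks are defined, as an added example that is not part of the guide. The rule header is modelled on the one the note describes (source $EXTERNAL_NET, destination $HOME_NET, TCP port 21, FTP command sent by the client); the default value of $HOME_NET is assumed to be any, and all addresses are constructed.

```python
"""Added example (not from the Cisco guide): how Snort network variables decide
which FTP "cd ~root" attempts rule 336 fires on. Matching is reduced to the
header fields and content that matter for the variable discussion. Addresses,
including the FTP server IPs, are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FtpPacket:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes        # client-to-server data; the client's "cd ~root" is sent as "CWD ~root"


@dataclass
class Rule:
    sid: int
    msg: str
    src_var: str          # e.g. "$EXTERNAL_NET"
    dst_var: str          # e.g. "$HOME_NET"
    dst_port: int
    content: bytes        # matched case-insensitively (nocase)
    action: str = "drop"  # rule state "Drop and Generate Events"


def in_var(ip: str, value: str, variables: dict) -> bool:
    """Resolve a Snort network variable value: 'any', a '!' negation,
    a reference to another variable, or a comma-separated CIDR list."""
    if value == "any":
        return True
    if value.startswith("!"):
        return not in_var(ip, value[1:], variables)
    if value.startswith("$"):
        return in_var(ip, variables[value], variables)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net.strip(), strict=False)
               for net in value.split(","))


def evaluate(rule: Rule, variables: dict, pkt: FtpPacket) -> Optional[dict]:
    """Return an intrusion event if the packet matches the rule header and content."""
    if pkt.dst_port != rule.dst_port:
        return None
    if not in_var(pkt.src_ip, variables[rule.src_var], variables):
        return None
    if not in_var(pkt.dst_ip, variables[rule.dst_var], variables):
        return None
    if rule.content.lower() not in pkt.payload.lower():
        return None
    return {"sid": rule.sid, "msg": rule.msg, "action": rule.action,
            "src": pkt.src_ip, "dst": pkt.dst_ip}


# The rule as the note describes it (content simplified to the CWD command).
RULE_336 = Rule(336, "PROTOCOL-FTP CWD ~root attempt",
                "$EXTERNAL_NET", "$HOME_NET", 21, b"CWD ~root")

# Default variables (assumed: both any), and a tuned set that defines the home
# network and derives the external network from it, as step 2 of the flow suggests.
DEFAULT_VARS = {"$HOME_NET": "any", "$EXTERNAL_NET": "any"}
TUNED_VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!$HOME_NET"}

# Constructed traffic: the lab test (inside endpoint to an outside FTP server),
# an outside client against an inside FTP server, and a benign directory change.
OUTBOUND_CWD_ROOT = FtpPacket("10.0.0.25", "203.0.113.10", 21, b"CWD ~root\r\n")
INBOUND_CWD_ROOT = FtpPacket("198.51.100.7", "10.0.0.80", 21, b"CWD ~root\r\n")
OUTBOUND_CWD_PUB = FtpPacket("10.0.0.25", "203.0.113.10", 21, b"CWD pub\r\n")


def triggered(variables: dict) -> list:
    """Labels of the sample packets that trigger rule 336 under `variables`."""
    samples = [("outbound cd ~root", OUTBOUND_CWD_ROOT),
               ("inbound cd ~root", INBOUND_CWD_ROOT),
               ("outbound cd pub", OUTBOUND_CWD_PUB)]
    return [label for label, pkt in samples if evaluate(RULE_336, variables, pkt)]


if __name__ == "__main__":
    print("default variables:", triggered(DEFAULT_VARS))   # both directions fire
    print("tuned variables:  ", triggered(TUNED_VARS))     # only the inbound attempt
```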

Step 11 Click on Policy Information in the menu on the upper-left.

Step 12 Click Commit Changes. Click OK.


Step 13 Go to Policy Information and click Commit Changes once all the changes to the intrusion policy
have been made.

Task 4: Deploy and test simple IPS functionality


Step 14 Navigate to Policies > Access Control > Access Control.

Step 15 Modify the access control policy to use the custom intrusion policy you created. Exactly how you
do this will depend on how the access control policy is constructed.
Step 16 Select the Advanced tab in the access control policy.
a. Click the pencil icon to edit the Transport/Network Layer Preprocessor Settings.
b. In the Maximum Active Responses text field, enter 25.

c. Click OK.

Note: Setting Maximum Active Responses to a value greater than 0 enables the rules that drop packets to send
TCP resets to close the connection. Typically both the client and server are sent TCP resets. With the
configuration above, the system can initiate up to 25 active responses (TCP Resets) if it sees additional
traffic from this connection.

In a production deployment, it is probably best to leave this set to the default. Then no resets are sent, and
the malicious system will not know that it has been detected. But for testing and demonstrations, it is
generally better to send resets when packets match drop rules.

Step 17 Save and deploy the access control policy.


Step 18 From the test endpoint:
a. Connect to pov.developmentserver.com via FTP.
b. Login as anonymous. Use any password.
c. Type cd ~root. The connection should be reset. If you see
550 Failed to change directory.
there is an issue with the IPS configuration.
Step 19 Navigate to Analysis > Intrusion Events. Confirm that the intrusion event has been generated.

Task 5: Explore advanced settings


Step 20 Navigate to Policies > Access Control > Intrusion. Edit the intrusion policy.
Step 21 Click on Advanced Settings in the left panel.

Step 22 Specific Threat Detection: The sensitive data preprocessor detects sensitive data such as credit
card numbers and Social Security numbers in ASCII text.
Step 23 Intrusion Rule Thresholds: The global rule threshold sets limits for event logging by an intrusion
policy. You can set a global rule threshold across all traffic to limit how often the policy logs
events from a specific source or destination and displays those events per specified time period.
You can also set thresholds per shared object rule, standard text rule, or preprocessor rule in the
policy. When you set a global threshold, that threshold applies for each rule in the policy that
does not have an overriding specific threshold. Thresholds can prevent you from being
overwhelmed with a large number of events. Every intrusion policy contains a default global rule
threshold that applies by default to all intrusion rules and preprocessor rules. This default
threshold limits the number of events on traffic going to a destination to one event per 60
seconds. You can edit it.
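The thresholding described in Step 23, as an added example that is not from the guide: a Snort-style limit threshold tracked by destination, applied per rule, with a per-rule override taking precedence over the global one. The event stream and the local rule SID are constructed.

```python
"""Added example (not from the Cisco guide): intrusion event thresholding as
described in Step 23. The global threshold (type limit, tracked by
destination, 1 event per 60 seconds) applies to every rule that has no
specific threshold of its own; a per-rule override replaces it for that SID.
The events below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Threshold:
    count: int = 1          # events logged per window
    seconds: int = 60       # window length
    track: str = "by_dst"   # "by_dst" or "by_src": which address keys the counter


@dataclass
class ThresholdPolicy:
    global_threshold: Threshold
    rule_overrides: dict = field(default_factory=dict)   # sid -> Threshold
    windows: dict = field(default_factory=dict)          # (sid, addr) -> (window start, seen)

    def threshold_for(self, sid: int) -> Threshold:
        """Per-rule threshold if one is set, otherwise the global one."""
        return self.rule_overrides.get(sid, self.global_threshold)

    def should_log(self, event: dict) -> bool:
        """Snort-style 'limit' threshold: log the first `count` events per tracked
        address in each window; further events are suppressed until the window
        (measured from its first event) expires."""
        th = self.threshold_for(event["sid"])
        addr = event["dst"] if th.track == "by_dst" else event["src"]
        key = (event["sid"], addr)
        start, seen = self.windows.get(key, (None, 0))
        if start is None or event["ts"] - start >= th.seconds:
            start, seen = event["ts"], 0            # open a new window
        seen += 1
        self.windows[key] = (start, seen)
        return seen <= th.count


def apply_thresholds(policy: ThresholdPolicy, events: list) -> list:
    """Timestamps of the events that survive thresholding, in time order."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [e["ts"] for e in ordered if policy.should_log(e)]


LOCAL_SID = 1000001   # constructed local rule SID, used to show per-rule tracking

# Constructed events: six triggers of rule 336 against one FTP server (two
# different sources), one against a second server, and a different rule.
EVENTS = [
    {"ts": 0,  "sid": 336, "src": "10.0.0.25", "dst": "10.0.0.80"},
    {"ts": 10, "sid": 336, "src": "10.0.0.25", "dst": "10.0.0.80"},
    {"ts": 30, "sid": 336, "src": "10.0.0.31", "dst": "10.0.0.80"},
    {"ts": 59, "sid": 336, "src": "10.0.0.25", "dst": "10.0.0.80"},
    {"ts": 60, "sid": 336, "src": "10.0.0.25", "dst": "10.0.0.80"},
    {"ts": 61, "sid": 336, "src": "10.0.0.25", "dst": "10.0.0.80"},
    {"ts": 5,  "sid": 336, "src": "10.0.0.25", "dst": "10.0.0.81"},
    {"ts": 20, "sid": LOCAL_SID, "src": "10.0.0.25", "dst": "10.0.0.80"},
]


def default_policy() -> ThresholdPolicy:
    """The default global threshold every intrusion policy starts with."""
    return ThresholdPolicy(Threshold(count=1, seconds=60, track="by_dst"))


def relaxed_336_policy() -> ThresholdPolicy:
    """Same global threshold, but rule 336 may log 3 events per window."""
    return ThresholdPolicy(Threshold(1, 60, "by_dst"), {336: Threshold(3, 60, "by_dst")})


if __name__ == "__main__":
    print("default:      ", apply_thresholds(default_policy(), EVENTS))
    print("336 override: ", apply_thresholds(relaxed_336_policy(), EVENTS))
```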

Step 24 External Responses: In addition to the various views of intrusion events within the web interface,
you can enable logging to system log (syslog) facilities or send event data to an SNMP trap
server. Per policy, you can specify intrusion event notification limits, set up intrusion event
notification to external logging facilities, and configure external responses to intrusion events.
Note that in addition to these per-policy alerting configurations, you can globally enable or disable
email alerting on intrusion events for each rule or rule group. Your email alert settings are used
regardless of which intrusion policy processes a packet.
Step 25 Remember to commit the changes when done: if you see the ! icon near Policy Information, changes
to the intrusion policy are waiting to be committed.

Task 6: Explore policy layers


Step 26 Click on Policy Layers on the left panel.

Note: Larger organizations with many managed devices may have many intrusion policies and network analysis
policies to support the unique needs of different departments, business units or, in some instances, different
companies. Configurations in both policy types are contained in building blocks called layers, which you can
use to efficiently manage multiple policies.

Layers in intrusion and network analysis policies work in essentially the same way. You can create and edit
either policy type without consciously using layers. You can modify your policy configurations and, if you
have not added user layers to your policy, the system automatically includes your changes in a single
configurable layer that is initially named My Changes. You can also add up to 200 layers where you can
configure any combination of settings. You can copy, merge, move, and delete user layers and, most
important, share individual user layers with other policies of the same type.

Task 7: Explore creating a custom Snort signature


Step 27 Navigate to Objects > Intrusion Rules. Notice you can Import Rules or Create one from here.
Click Create Rule.


Step 28 You can define the various detection options. Here is an example of a custom IoT rule for a
SCADA protocol.

Task 8: Getting a custom intrusion policy from TALOS for the IXIA BreakingPoint Strike List
Step 29 If you are asked to test with the IXIA BreakingPoint Strike List, fill in the form linked below
and follow the steps on Page 2 to request a custom TALOS intrusion policy.
TALOS Coverage Request Form:
https://docs.cisco.com/share/s/x2vpFeAjTvOkUy5B3kVjlw

Note: Do not turn on Maximum Detection or enable all signatures; TALOS strictly recommends against this. There is a
lead time of 3-5 weeks, so submit the request well in advance.

Step 30 You will receive a .sfo file containing the custom Intrusion policy from TALOS which you then
need to import into your FMC.

Note: The FMC and managed device version information is very important for this to work.

Step 31 Once the policy is imported into the FMC, continue with the next task to associate the intrusion
policy with the access control policy, then proceed further.


Task 9: Associate the intrusion policy to the access control policy
Step 32 Navigate to Policies > Access Control > Access Control.
Step 33 Create an allow rule to permit traffic from Any to Any. Make this rule the first allow rule after all the
block rules in your access control policy. In the Inspection tab, select the POV intrusion policy just
created, and in the Logging tab make sure logging is turned on.

Step 34 Save the Access Control Policy.

Task 10: Deploy and test advanced IPS functionality


Step 35 Make sure to save and deploy the access control policy to the correct device.
Step 36 Let traffic run through the sensor for hours, days or weeks, as needed.
Step 37 You can go to eicar.org and try to download some of the test malware files.
Step 38 Navigate to Analysis > Intrusion Events.

Step 39 You can go to Table View of Events to get more details about the events.


Use Case 7: Demonstrating AMP Threat Grid
Business Objectives
• With AMP Threat Grid integrated with the NGFW, the enterprise can be protected against breaches,
saving the customer much more than just money.
• The reality is that breaches are practically inevitable. The ability to identify compromised systems
and perform threat analysis, during or after the attack, is of great value to the customer.

Demonstration Objectives
The objective of this demonstration is to show the AMP capabilities, with a focus on how the product integrates with
AMP Threat Grid. This will probably use the AMP Threat Grid public cloud, but information about the
private cloud is included.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may be inline, inline tap or passive
If inline tap or passive is used, you must skip the demonstration of blocking
• An endpoint with any standard browser to serve as a client

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Verify AMP Threat Grid connectivity
Task 2: Create a file policy
Task 3: Associate the file policy to an access control policy
Task 4: Test the file policy
Task 5: Explore events, network file trajectory and dynamic analysis summary

Tasks
Task 1: Verify AMP Threat Grid connectivity
Step 1 Navigate to AMP > AMP Management. Edit the default cloud connection, or click Add AMP Cloud
Connection if you wish to add a private cloud. Make sure the state is Enabled once you are
connected.
Step 2 Navigate to AMP > Dynamic Analysis Connections. Verify the connectivity to the AMP Threat
Grid cloud. For Threat Grid sandboxing to work, the managed device itself needs connectivity to
the Threat Grid public or private cloud.


Note: Cisco AMP Threat Grid Appliance Setup and Configuration Guide:
http://www.cisco.com/c/dam/en/us/td/docs/security/amp_threatgrid/amp-threat-grid-appliance-setup-and-config-guide-v2-1-3.pdf

Connecting to Threat Grid Appliance:
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/Reference_a_wrapper_Chapter_topic_here.html?bookSearch=true#concept_71E2BDBBF3FB40F6B660B1165E2B65D8

Task 2: Create a file policy


Step 3 Navigate to Policies > Access Control > Malware & File. Create a new file policy.
Step 4 Add a rule.
a. Change Action to Malware Cloud Lookup or Block Malware depending on whether you
want only visibility or actually want to block it.
b. Select Spero Analysis and Local Malware Analysis options. You might want to select
Dynamic Analysis, but this demonstration will use manual submission. Leave Reset
Connections selected.
c. Under Store Files, select all 4 options.
d. Under File Type Categories, select Office Documents, Archive, Executables and PDF
files. Click Add.
e. Under File Types, select EICAR. Click Add.

f. Save the rule.


Step 5 Save the file policy.

Note: This file policy is designed for demonstrating features such as archive inspection. In a production
environment, you would probably not want to store so many file types.

Note: For File Rule Actions and Evaluation Order, see:
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/Reference_a_wrapper_Chapter_topic_here.html?bookSearch=true#ID-2193-00000329.


Note: Explore the Advanced tab. You can also create a custom detection list from Objects > File List and
enable it there.

Task 3: Associate the file policy to an access control policy


Step 6 Navigate to Policies > Access Control > Access Control Policy.

Step 7 In the Inspection tab of the appropriate allow rules, select the POV file policy just created.

Note: If your only allow rule is the default rule, you will need to create an allow rule. You cannot associate a file
policy with the default rule.

Step 8 Save and deploy the updated access control policy.

Task 4: Test the file policy


Step 9 You can go to eicar.org and try to download some of the test malware files. These should be blocked.
Step 10 Go to http://pov.developmentserver.com/files. Download ProjectX.doc. This will be allowed or
blocked depending on whether you added it to the custom detection list. Optionally, you can
download other files.
Step 11 Navigate to Analysis > Files > Malware Events. Drill down to Table View of Malware Events.
Confirm that the EICAR test virus was blocked.
Step 12 Navigate to Analysis > Files > File Events. Drill down to Table View of File Events. Review the
file events.
Step 13 Navigate to Analysis > Files > Captured Files. Drill down to Table View of Captured Files.
Review the captured files. Right-click the SHA for ProjectX.pdf and select Analyze File. You will
have to wait until the analysis is complete.


Note: To prove value to the customer, it is a good idea to run the FTD over a longer period of time in passive
mode with production traffic. If you are going to do this, it is recommended that you make the following
changes to the file policy.
1. Disable file storage.
2. Look for malware on all file types.
3. Add a rule to detect all file types.

Task 5: Explore events, network file trajectory and dynamic analysis summary

Note: For this task you can use Cisco dCloud.

Step 14 Navigate to Analysis > Files > File Events. Notice the different types of files that were detected
and their Disposition.
Step 15 You can open the Table View of File Events to get more details on the events.
Step 16 A red circle icon near the SHA256 column means that the file was detected as malware. You
might also see a Threat Score for some files if they were run in the sandbox environment
(this usually takes about 5-7 minutes).

Step 17 Clicking on the red circle will take you to the Network File Trajectory of the File.


Step 18 You can also click on the red circles near the threat score to see the Dynamic Analysis Summary
of that file. If you want to dig deeper, you can click on View Full Report which will redirect you to
the Threat Grid Portal.


Use Case 8: Demonstrating Rate Limiting
Business Objectives
Businesses today do not restrict their employees from watching or using bandwidth-intensive applications, but
overuse of such applications can slow the network. From a business point of view, bandwidth-intensive
applications should be allowed to run, but with a bandwidth ceiling. Rate limiting, or QoS, lets you rate limit
such applications and helps you run your business without network outages caused by bandwidth-intensive
applications.

Demonstration Objectives
The objective of this demonstration is to demonstrate the rate limiting feature available on the Cisco
Firepower NGFW. There are several options that can be discussed and tested. This demonstration will
focus on application-based rate limiting.

Demonstration Requirements
• FMC
• NGFW in routed mode only
• An endpoint with any standard browser to serve as a client

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Baseline transfer rate
Task 2: Configure rate limiting
Task 3: Test rate limiting

Tasks
Task 1: Baseline transfer rate
Step 1 From the endpoint, in the browser:
a. Download the media file. Confirm that it is downloading at more than 1 Mbps, so the
download should take under one second. Here is a test file you could use:
http://pov.developmentserver.com/files/test2.mov
b. Download the office document. Confirm that it is downloading at more than 1 Mbps, so
the download should take under one second. Here is a test file you could use:
http://pov.developmentserver.com/files/ProjectX.doc
If you have AMP for Networks on the sensor, you may have to run this twice to obtain a multi-MBps
transfer rate, as AMP may be slowing down the first download.

Note: If you have a Linux or Cygwin environment, it is probably better to use wget to perform this demonstration.
Note that wget displays the byte rate rather than the bit rate. All that matters for this demonstration to work
is to make sure you are receiving data at over 1 megabyte per second, which is 8 megabits per second.

Task 2: Configure rate limiting


It is assumed that you have an access control policy that allows Internet access.


For rate limiting to work, you need to create interface objects. For purposes of this document, it is
assumed that you have security zones for the inside and outside interfaces, and those zones are called
InZone and OutZone.
Step 2 In the FMC, navigate to Devices > QoS.
Step 3 Click the New Policy button.
a. Enter a name like NGFW QoS Policy.
b. Select the NGFW from Available Devices and click Add to Policy.

c. Click Save.
Step 4 Wait a few seconds for the policy to open up for editing.
Step 5 Click Add Rule.
a. For Name, enter Multimedia.
b. Select Interfaces in Destination Interface Objects from the Apply QoS On drop-down list.
c. For Download/Upload Limit, enter 1, meaning 1 Megabit per second.
d. The Interface Objects tab should be selected. Select InZone and click Add to Source.
e. Select OutZone, and click Add to Destination.

Note: There are two types of interface objects: security zones and interface groups. The key difference is that
interface groups can overlap. Either can be used in QoS policies.

f. Select the Applications tab.


g. Enter multi into the Application Filters search field.
h. Select the three multimedia application filters and click Add to Rule.

Step 6 Click OK to save the rule.


Step 7 Click Save to save the QoS Policy.
Step 8 Deploy the policy changes as you have before. You can ignore the warning. Click Proceed.

Step 9 Wait for the deployment to complete.

Task 3: Test rate limiting


Step 10 Return to the Inside UNIX server CLI.
a. Download the media file. Confirm that it is downloading at a rate of about 1 Mbps or 124
KBps. At this rate, the download should take about 8 seconds.
b. Download the office document. Confirm that it is still downloading at more than 1 Mbps,
so the download should take under one second.
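The baseline and post-QoS checks above both come down to the same question: is the observed transfer rate well above the 1 Mbps ceiling, or held at it? The following script is an added example (not part of the guide and not Cisco code) that measures a download with the Python standard library and converts the byte count that tools such as wget report into megabits per second, the unit the QoS rule is expressed in. The test file URLs are the ones the guide uses; the 20 % tolerance and the "at least twice the limit counts as unlimited" threshold are assumptions chosen for this check.

```python
"""Measure an HTTP download and decide whether a 1 Mbps QoS limit is in effect.

Added example for the rate limiting use case; the tolerance values are
assumptions, not Firepower defaults.
"""
import time
import urllib.request

# Test files from the guide.  Any reachable HTTP URL works.
MEDIA_URL = "http://pov.developmentserver.com/files/test2.mov"
DOC_URL = "http://pov.developmentserver.com/files/ProjectX.doc"


def throughput_mbps(nbytes, seconds):
    """Convert a byte count and duration into megabits per second.

    wget prints bytes per second; the QoS rule is in megabits per second,
    so 1 MB/s reported by wget is 8 Mbps.
    """
    if seconds <= 0:
        raise ValueError("duration must be positive")
    return nbytes * 8 / seconds / 1_000_000


def expected_seconds(nbytes, limit_mbps):
    """Minimum time a transfer of nbytes can take under a limit of limit_mbps."""
    return nbytes * 8 / (limit_mbps * 1_000_000)


def classify(mbps, limit_mbps=1.0, tolerance=0.2):
    """Label an observed rate relative to the configured limit.

    'limited'      : at or within `tolerance` above the limit (assumed 20 %)
    'unlimited'    : at least twice the limit (assumed threshold)
    'inconclusive' : in between; rerun, e.g. AMP may have slowed the first try
    """
    if mbps <= limit_mbps * (1 + tolerance):
        return "limited"
    if mbps >= limit_mbps * 2:
        return "unlimited"
    return "inconclusive"


def measure(url, chunk=64 * 1024, timeout=60):
    """Download `url`, discard the body, and return (bytes, seconds, mbps)."""
    start = time.monotonic()
    total = 0
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        while True:
            buf = resp.read(chunk)
            if not buf:
                break
            total += len(buf)
    elapsed = time.monotonic() - start
    return total, elapsed, throughput_mbps(total, elapsed)


if __name__ == "__main__":
    for label, url in (("media", MEDIA_URL), ("document", DOC_URL)):
        nbytes, secs, mbps = measure(url)
        print(f"{label}: {nbytes} bytes in {secs:.2f}s = {mbps:.2f} Mbps "
              f"(~{expected_seconds(nbytes, 1.0):.1f}s at 1 Mbps) -> {classify(mbps)}")
```

Run it once before Task 2 (both files should classify as "unlimited") and again after the QoS policy is deployed: the media file should drop to "limited" while the office document stays "unlimited", which is the same comparison the guide asks you to make by eye. A 1 MB file at 1 Mbps takes about 8 seconds, matching the figure in Step 10.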


Use Case 9: Demonstrating the True Client IP Feature
Business Objectives
The True Client IP feature enables visibility into the part of your network that sits behind a proxy. An NGFW
that sees the network through a proxy does not see the true IP address of the client, which makes it difficult
for the firewall to enforce policies and get real visibility into the host machine. True Client IP not only
provides visibility into the host's real IP, but also enforces policies based on the client's real IP.

Demonstration Objectives
The objective of this demonstration is to showcase the true client IP feature in Firepower 6.1.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may be inline, inline tap or passive.
If inline tap or passive is used, you will not be able to block the traffic.
• An endpoint with any standard browser to serve as a client. The browser must have a plug-in that
allows modification of the XFF headers. See https://addons.mozilla.org/en-us/firefox/addon/x-forwarded-for-header.
Note that this add-on is incompatible with Firefox 48. You should also install
LiveHTTPHeaders, so you can inspect the HTTP request header to confirm that the XFF header is
correct.

In this guide, we will assume that you are using Firefox.

Note: If the customer has a proxy server with XFF header forwarding enabled, you can modify this exercise to
make a more convincing demonstration. However, note that for this demonstration to work, you need two
distinct client IPs.


Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Modify the access control policy
Task 2: Deploy the access control policy
Task 3: Test the true client IP feature

Tasks
Task 1: Modify the access control policy
Note that it is assumed that you already have an access control policy that allows the endpoint to browse
the Internet.
Step 1 In the FMC, edit the access control policy you are using.
Step 2 Select the HTTP Responses tab. Select System-Provided from the Block Response Page drop-down list.
Step 3 Click Add Rule.

a. Call the rule Test XFF Feature.


b. Set the Action to Block with reset.
c. Select above rule from the Insert drop-down list. Choose the number 1.
d. Select Networks tab.
i. In the Source Networks area, select the Source subtab. At the bottom of the
page, enter the IP address of the endpoint and click Add. The endpoint will
emulate a web proxy server.
ii. In the Source Networks area, select the Original Client subtab. At the bottom of
the page, enter 1.2.3.4 and click Add.
iii. In the Destination Networks area, at the bottom of the page, enter
198.170.110.164, and click Add. This is the IP address for
www.developmentserver.com
e. Select Logging tab. Check the Log at Beginning of Connection checkbox.
f. Click Add to add the rule to the policy.

Task 2: Deploy the access control policy


Step 4 Click Deploy in the upper right hand corner of the FMC.

Step 5 Check the checkbox for the NGFW device, and click the Deploy Button.
Step 6 Click on the icon to the right of the Deploy link in the upper right-hand corner of the FMC. Wait
until the deployment is complete.

Task 3: Test the true client IP feature


You will now test the changes you made.
Step 7 From the endpoint:
a. Open the Firefox browser and confirm that you can browse to
http://www.developmentserver.com.
b. Open the add-on manager, and set the IP address to 1.2.3.5.

c. Confirm that you can still browse to http://www.developmentserver.com.


d. In the add-on manager, change the IP address to 1.2.3.4.
e. Try to browse to http://www.developmentserver.com. You should see the default
Firepower block page.
Step 8 In the FMC, navigate to Analysis > Connection > Events.
a. Drill down to Table View of Connection Events.
b. Click on the X to the right of First Packet, select All Columns and click Apply.

c. Observe that both the endpoint IP address and the spoofed client IP address are shown.
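To make the behaviour of the Test XFF Feature rule concrete, here is an added example (not part of the guide and not Firepower code) that evaluates a request the way the rule in Task 1 does: the Source match is on the proxy's own address, the Original Client match is on the address taken from the X-Forwarded-For (XFF) header, and the Destination match is on the server. The endpoint address 10.0.0.50 is an assumed stand-in for the endpoint that emulates the proxy; the client addresses 1.2.3.4 and 1.2.3.5 and the destination 198.170.110.164 are the guide's own values.

```python
"""Model of a 'true client IP' access control rule.

Added example: an assumed endpoint address stands in for the proxy, and the
rule mirrors the guide's Test XFF Feature rule (block 1.2.3.4 as original
client, via the endpoint, to 198.170.110.164).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                                           # "Block with reset" / "Allow"
    sources: list = field(default_factory=list)           # proxy / endpoint networks
    original_clients: list = field(default_factory=list)  # networks matched on the XFF client
    destinations: list = field(default_factory=list)


def original_client_ip(headers, peer_ip):
    """Return the original client address.

    The leftmost XFF entry is the client as the proxy saw it.  A missing or
    malformed header falls back to the peer (the proxy itself), so a garbage
    header cannot make the rule match a client it never saw.
    """
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return ipaddress.ip_address(peer_ip)
    first = xff.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return ipaddress.ip_address(peer_ip)


def _in(nets, ip):
    """Empty list means 'any'; otherwise the address must be in one of the networks."""
    return not nets or any(ip in ipaddress.ip_network(n) for n in nets)


def evaluate(rules, peer_ip, dest_ip, headers):
    """First matching rule wins, as in an access control policy; default is Allow.

    Returns (rule name, action, original client address as a string).
    """
    peer = ipaddress.ip_address(peer_ip)
    dest = ipaddress.ip_address(dest_ip)
    client = original_client_ip(headers, peer_ip)
    for r in rules:
        if _in(r.sources, peer) and _in(r.original_clients, client) and _in(r.destinations, dest):
            return r.name, r.action, str(client)
    return "Default", "Allow", str(client)


# Constructed policy mirroring the guide's rule.  ENDPOINT is an assumed address.
ENDPOINT = "10.0.0.50"
POLICY = [
    Rule("Test XFF Feature", "Block with reset",
         sources=[ENDPOINT + "/32"],
         original_clients=["1.2.3.4/32"],
         destinations=["198.170.110.164/32"]),
]

if __name__ == "__main__":
    for xff in (None, "1.2.3.5", "1.2.3.4", "1.2.3.4, 10.1.1.1"):
        hdrs = {"X-Forwarded-For": xff} if xff else {}
        print(f"XFF={xff!r}: {evaluate(POLICY, ENDPOINT, '198.170.110.164', hdrs)}")
```

The pairing of Source with Original Client is the point of the demonstration: the XFF header is set by whoever sends the request (the add-on in Step 7 does exactly that), so a rule keyed on the XFF value alone would let any host choose which policy applies to it. Restricting the Source to the known proxy address means only XFF headers inserted by that proxy are acted on, and the connection event in Step 8 records both addresses so the decision can be audited.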


Use Case 10: Demonstrating Event Correlation
Business Objectives
Correlation policies allow a wide variety of actions to be taken automatically if a simple or complex
combination of events occur. These actions can range from sending an alert to having a network device
change the access of a device.

Demonstration Objectives
This use case demonstrates the effectiveness of correlation policies, which alert on potential
indications of compromise from hosts. Here we are going to demonstrate how to trigger a correlation rule
when an intrusion event targets our critical network and the target host has a criticality of High or
Medium.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent.
• NGIPS: Interface mode may be inline, inline tap or passive.
If inline tap or passive is used, you must skip the demonstration of application blocking.
• An endpoint with any standard browser to serve as a client

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Verify Host Discovery and modify Host Attribute
Task 2: Configure correlation rules
Task 3: Create a correlation policy
Task 4: Modify the IPS and the access control policy
Task 5: Test the correlation policy

Tasks
Task 1: Modify the Host Attribute in Host Profile
Step 1 Make sure Host Discovery is enabled in the Network Discovery Policy and that hosts have been learned
for this use case.


Step 2 Once the host has been passively learned from traffic flowing through the sensor, navigate to Analysis >
Hosts > Network Map. Find the critical host that you are planning to test with, and edit the Host
Attribute. Change it to High.

Task 2: Configure correlation rule


Step 3 Navigate to Policies > Correlation > Rule Management. Click Create Rule.
Step 4 In the rule, select "an intrusion event occurs".
a. For the condition, select Source IP, is in, <client machine IP address range>. These are
your critical systems that need to be protected.

Step 5 Click to Add Host Profile Qualification as shown below


a. For the condition, select Source Host, Host Criticality, is High, OR
b. Add another condition, select Source Host, Host Criticality is Medium.
Step 6 Click Save.

Task 3: Create a Correlation Policy


Step 7 Navigate to Policies > Correlation > Policy Management. Click on Create Policy. Name the
policy and write a description.

Step 8 Click Add Rules, and select Critical Host under Ungrouped Rules.

Step 9 Click Add and then Save.


Step 10 Make sure to Activate the Policy.

Task 4: Modify the IPS and Access Control Policy


Step 11 If you are already using an IPS policy, you need to enable signature 336 for this use case. If not,
create a new IPS policy. Refer to Use Case 6 – Demonstrating IPS, Tasks 1 and 3.
Step 12 Associate this IPS Policy to an Allow Outbound Connection Rule in your Access Control Policy.
Step 13 Save and Deploy all changes.

Task 5: Test the Correlation Policy


Step 14 Go to the client machine.
a. Connect to pov.developmentserver.com via FTP.
b. Log in as anonymous. Use any password.
c. Type cd ~root. The connection should be reset. If you instead see
550 Failed to change directory.
there is an issue with the IPS configuration.
Step 15 Navigate to Analysis > Intrusion Events. Confirm that the intrusion event has been generated.

Step 16 Navigate to Analysis > Correlation > Correlation Events. Confirm that a correlation event was
created.


Use Case 11: Demonstrating ISE Integration
Business Objectives
There is no silver bullet against malware, so it is equally important for enterprises to have remediation
capabilities. ISE provides role-based access control that can remediate and quarantine infected machines
when the NGFW finds an infection in the network.

Demonstration Objectives
You will configure the FMC so that when an endpoint encounters malware, the FMC tells ISE to quarantine
that endpoint. Once the endpoint is quarantined, it will only have access to one specified web server
(which is simulating a remediation server).
The specific objectives of this demonstration are the following:
• Integrate ISE with FMC
• Configure Firepower to use the Cisco Identity Services Engine (ISE) for passive authentication.
• Demonstrate that SGTs created on ISE are immediately available on the FMC for policy configuration.
• Configure the access control policy based on ISE metadata
• Deploy the ISE remediation module in an FMC Correlation Policy

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent.
• NGIPS: Interface mode may inline, inline tap or passive.
• An endpoint with any standard browser to serve as a client
• ISE 1.3, 2.0 or 2.1. ISE must be managing an 802.1x capable switch that the endpoint is connected
to.

Note: Instead of 802.1x infrastructure, you can use a RADIUS simulator to simulate a switch. You can find a
RADIUS simulator at http://pov.developmentserver.com/files.

• A certificate signed by an authority trusted by ISE. This must be produced using the correct
template. See https://communities.cisco.com/docs/DOC-68292 for details.
• A realm associated with AD server, configured on the FMC. See Use Case 4.

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Configure custom detection list
Task 2: Configure ISE integration
Task 3: Utilize ISE metadata in the access control policy
Task 4: Configure the access control policy to use ISE integration
Task 5: Create a correlation policy using the ISE remediation module
Task 6: Test the ISE remediation module


Tasks
Task 1: Configure custom detection list
If there is an issue with cloud lookups, this demonstration will fail. Therefore, it is a good idea to have a
file on the custom detection list.
This also allows Zombies.pdf to be replaced with some other file of a supported file type.
Step 1 Download a PDF file to add to the custom detection list. For example, you can use
http://pov.developmentserver.com/files/ProjectX.pdf.
Step 2 Navigate to Objects > Object Management. Click on File List.
Step 3 Click the pencil icon to edit the Custom-Detection-List.
a. Select Calculate SHA from the Add by drop-down list.
b. Click Browse.
c. Browse to the Files folder on the Jump Box desktop.
d. Select ProjectX.pdf, and click OK.
e. Click Calculate and Add SHAs.

f. Click Save.
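The custom detection list above and the file policy rule from Use Case 7, Task 2 work together: the policy first decides whether a file is of a type it inspects, then compares the file's SHA-256 against the custom detection list before any cloud disposition is consulted, and finally applies the rule action. The following is an added example (not part of the guide and not Cisco code) that models that flow. The EICAR string is the public anti-virus test file; the PDF and Office sample contents, the magic-byte table and the stand-in cloud lookup are constructed for the example, and the order of checks is a simplification of the evaluation order linked in the Use Case 7 note.

```python
"""Model of file policy evaluation: file type by leading bytes, SHA-256 custom
detection list, cloud disposition stand-in, then the rule action.

Added example; the samples and the CLOUD table are constructed.
"""
import hashlib

# Public EICAR test string (not malware; every AV engine flags it by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample files standing in for the guide's test downloads.
PROJECTX = b"%PDF-1.4\n% constructed stand-in for ProjectX.pdf\n"
BENIGN_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b" constructed legacy .doc body"

# Leading-byte signatures for the categories the guide's rule selects.
MAGIC = [
    (b"%PDF-", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "DOC"),  # OLE2 container (legacy Office)
    (b"PK\x03\x04", "ZIP"),                         # archive; also docx/xlsx containers
    (b"MZ", "EXE"),
]


def file_type(data: bytes) -> str:
    """Identify the file type from its first bytes (file name is ignored)."""
    if data.startswith(EICAR[:20]):
        return "EICAR"
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "UNKNOWN"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for the AMP cloud: only the EICAR hash has a known disposition here.
CLOUD = {sha256_hex(EICAR): "Malware"}


class FilePolicy:
    """One file rule: action, inspected types, and the custom detection list."""

    def __init__(self, rule_action, file_types, custom_detection):
        self.rule_action = rule_action          # "Block Malware" or "Malware Cloud Lookup"
        self.file_types = set(file_types)
        self.custom_detection = {h.lower() for h in custom_detection}

    def inspect(self, data: bytes, cloud=CLOUD):
        ftype = file_type(data)
        if ftype not in self.file_types:
            # Not a type this rule inspects: no hash, no disposition, traffic passes.
            return {"type": ftype, "sha256": None, "disposition": None, "action": "Allow"}
        sha = sha256_hex(data)
        if sha in self.custom_detection:
            disposition = "Custom Detection"        # local list wins, no cloud needed
        else:
            disposition = cloud.get(sha, "Unknown")  # cloud lookup (stand-in table)
        block = (disposition in ("Malware", "Custom Detection")
                 and self.rule_action == "Block Malware")
        return {"type": ftype, "sha256": sha, "disposition": disposition,
                "action": "Block" if block else "Allow"}


TYPES = ["PDF", "DOC", "ZIP", "EXE", "EICAR"]

if __name__ == "__main__":
    policy = FilePolicy("Block Malware", TYPES, [sha256_hex(PROJECTX)])
    for name, data in (("eicar.com", EICAR), ("ProjectX.pdf", PROJECTX),
                       ("memo.doc", BENIGN_DOC), ("notes.txt", b"plain text")):
        print(name, policy.inspect(data))
```

Two properties worth pointing out to the customer follow directly from the model: the custom detection list matches on content, so renaming ProjectX.pdf does not evade it, and it produces a block even when the cloud is unreachable, which is why Use Case 11 puts a file on the list before relying on the demonstration. Switching the rule action to Malware Cloud Lookup keeps the disposition (visibility) but lets the file through.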

Task 2: Configure ISE integration


Step 1 In the FMC, navigate to Objects > Object Management. In the left navigation pane, select PKI
> Trusted CAs.
a. Click Add Trusted CA.
b. Add the CA that ISE is using, so the FMC can trust ISE.
c. Click Save.
Step 2 In the FMC, navigate to System > Integration, and select the Identity Sources tab.


Step 3 Click the Identity Services Engine button.
a. For Primary Host Name/IP Address, enter the IP address or hostname of ISE.
b. Select the root CA certificate that ISE trusts from the pxGrid Server CA drop-down list.
c. Select the root CA certificate that ISE trusts from MNT Server CA drop-down list.
d. Click the Add button to the right of the FMC Server Certificate drop-down list.
e. Click the green circle (with plus sign) to the right of the Server Certificate drop-down list.
i. For Name, enter FMCpxgrid.
ii. Upload the certificate and key signed for the FMC by the CA that ISE is using.
iii. Click Save.

Note: You can refer to the following to generate a pxGrid client certificate using openssl:
https://communities.cisco.com/docs/DOC-68287.

f. Click Test. If the connection fails, click Test again. In any case, click Additional Logs
to see the details.

g. If the test continues to fail, check your configuration.


h. Click Save.

Task 3: Utilize ISE metadata in the access control policy


Step 4 Make sure you have an identity policy created. See Use Case 4. You do not need fallback to
active authentication turned on for this use case. You will also need a file policy with Malware Cloud
Lookup for the respective file type (PDF in this example).
Step 5 Navigate to Policies > Access Control > Access Control. Edit the NGFW access control policy.
a. Make sure your identity policy is populated in your access control policy. Also make
sure the file policy that blocks the file type which will trigger the malware event (PDF in
this example) is assigned to the Allow Outbound Connection rule.
b. Click Add Rule, and select the SGT/ISE Attributes tab.
c. In the Available Attributes column, select Security Group Tag. Confirm that the Available
Metadata column auto-populates.
d. Note that the first SGT in the list is any. You will see an SGT above this in Step 6.

e. In the Available Attributes column, select Device Type. Confirm that the Available
Metadata column auto-populates.
f. In the Available Attributes column, select Location IP. Confirm that the Available
Metadata column auto-populates.
Step 6 In the Firefox browser you have been using to manage the FMC, open another tab and click on
the ISE bookmark on the bookmark toolbar.
a. Log in to ISE.
b. Navigate to Administration > pxGrid Services. Notice that in the list of clients there are
two entries related to the FMC.


c. Expand iseagent-fmc.example.com.

d. Note the 6 capabilities, or topics of information, that the FMC is subscribed to. These
include the 3 capabilities already available in 6.0:
• EndpointProfileMetaData – contains the ISE device information
• SessionDirectory – defines the ISE session attributes
• TrustSecMetaData – defines the Security Group Tag (SGT) information
The other capabilities are related to the remediation capabilities covered later in this lab.
Step 7 Since the FMC is subscribed to the pxGrid capabilities, changes to ISE session attributes should
be synchronously communicated to the FMC. In this step this will be confirmed.
a. In ISE, navigate to Work Centers > TrustSec > Components.
b. Click Add. For Name, enter 0TestTag. Click Submit.
c. In the FMC, you were editing a rule. In the Available Attributes column, switch from
Location IP back to Security Group Tag. Note that the SGT 0TestTag is now available.
d. In the FMC, navigate to System > Monitoring > Syslog.
e. Search for pxgrid. This can be useful for troubleshooting ISE integration issues.

Note: If you need to troubleshoot ISE communication issues, in the FMC navigate to System > Monitoring >
Syslog and search for pxgrid in the syslog messages.

Step 8 Keep the Add Rule window open, and go on to the next task.

Task 4: Configure the access control policy to use ISE integration


Step 9 In the Add Rule page, perform the following.

a. Call the rule Block SSH for AD Group.


b. In the Insert drop-down list, change "below rule" to "into Mandatory".
c. Set the action to Block with reset.
d. Select the Applications tab, and type SSH into the Available Applications search field.
Then select SSH and OpenSSH. Click Add to Rule.
e. Select the Users tab.
i. In the Available Realms column, select the realm you configured. The Available
Users column will populate.
ii. In the Available Users column, select an AD group.
iii. Click Add to Rule.
f. Select the Logging tab. Check the Log at Beginning of Connection checkbox.


g. Click Add to add the rule to the policy.
Step 10 Click Add Rule.

a. Call the rule Quarantine Restriction.


b. In the Insert drop-down list, change below rule, to above rule, and choose rule 1.
c. Set the action to Block with reset.
d. Select the SGT/ISE Attributes tab.
i. In the Available Attributes column, select Security Group Tag.
ii. In the Available Metadata column, select Quarantined_Systems.
iii. Click Add to Rule.
e. Select Logging tab. Check the Log at Beginning of Connection checkbox.
f. Click Add to add the rule to the policy.
Step 11 Click Add Rule.

a. Call the rule Quarantine Access.


b. In the Insert drop-down list, change below rule, to above rule, and choose rule 1.
c. Set the action to Allow.
d. In the Networks tab, at the bottom of the Destination Networks column, type
198.170.110.164, and click Add. This is the IP address for
www.developmentserver.com.
e. Select the SGT/ISE Attributes tab.
i. In the Available Attributes column, select Security Group Tag.
ii. In the Available Metadata column, select Quarantined_Systems.
iii. Click Add to Rule.
f. In the Inspection tab, set the Intrusion Policy to Demo Intrusion Policy.
g. In the Inspection tab, set the File Policy to Demo File Policy.
h. Select Logging tab. Check the Log at Beginning of Connection and Log at End of
Connection checkboxes.
i. Click Add to add the rule to the policy.
Step 12 Click Save to save the access control policy. You can ignore the warning about the identity
policy. Do not deploy this policy to the NGFW yet.
Step 13 In the FMC, navigate to Analysis > Connections > Events. Show the details of the events from the
previous step. You may wish to filter by destination port.

Task 5: Create a correlation policy using the ISE remediation module


Step 14 In the FMC, navigate to Policies > Actions > Instances.


Step 15 Select pxGrid Mitigation from the Select a module type drop-down list. Click Add.

a. For Instance Name, enter pxGridTestInstance. Click Create.

b. At the bottom of the Edit Instance page, select Mitigate Source from the Add a new
remediation of type drop-down list. Click Add.


c. For Remediation Name, enter TestRemediation. Leave the Mitigation Action set to
quarantine. Click Create.


Step 16 Navigate to Policies > Correlation.
Step 17 Click the Rule Management tab.
a. Click Create Rule.
b. For Rule Name, enter MalwareDetected.
c. Under Select the type of event for this rule, select a Malware event occurs and by
network-based malware detection from the drop-down lists. Click Save.

Step 18 Click the Policy Management tab.


a. Click Create Policy.
b. For Rule Name, enter MalwareMitigation.
c. Click Add Rules. Check the MalwareDetected rule. Click Add.

d. Back in the Correlation Policy Information page, click the responses icon to the right of
the rule that was just added.


e. Highlight TestRemediation, and click the up-arrow to move it from Unassigned
Responses to Assigned Responses. Click Update.

f. Confirm that your Correlation Policy information matches what is in the following picture.
Click Save.

g. Activate the Correlation Policy.

Task 6: Test the ISE remediation module

Step 19 On the endpoint you are using for testing, log in as a member of the AD group that you will block
from using SSH.
a. Confirm that you can surf the web.
b. Confirm that you can connect with SSH to pov.developmentserver.com on port 9922. You do
not need to log in.
Step 20 Deploy the access control policy.
Step 21 Return to the endpoint you are using for testing.
a. Confirm that you can still surf the web.
b. Confirm that you can no longer use SSH, even to port 9922.

c. Navigate to http://pov.developmentserver.com.
d. Click the Files folder, and try to open ProjectX.pdf. The browser connection should be
reset.
Step 22 In the FMC, navigate to Analysis > Correlation > Correlation Events. A single event should be
present.

Step 23 In FMC syslogs, search on pxgrid and notice the Quarantine Remediation was sent to ISE.

Step 24 In ISE, navigate to Operations > RADIUS Livelog. You should see that the user's new SGT
is Quarantine_Systems. This was configured on ISE.

Step 25 Wait a minute. In the FMC, navigate to Analysis > Users > User Activity. You should see that
the Quarantined_Systems SGT is now assigned to the end-user.

Step 26 Back on the endpoint used for testing, confirm that the only website you can browse to is
http://www.developmentserver.com.

Use Case 12: Demonstrating Safe Search or YouTube EDU
Business Objectives
• Google provides a Safe Search capability that acts as an automated filter for pornography and potentially
offensive content. This feature lets businesses and educational bodies enforce a safe browsing
environment.
• YouTube for School is a feature provided by YouTube to control access to YouTube so that students are
allowed to access only educational content. To use it, the school or the school district has to register with
YouTube, and YouTube gives a unique ID to the school or the school district.

Demonstration Objectives
The objective of this demonstration is to perform either of the following (or both).
• Firepower Safe Search feature
• Firepower YouTube EDU feature
These features can be independently demonstrated, but since their configurations are closely related, we
include both in this use case.

Demonstration Requirements
• FTD
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent.
• NGIPS: Interface mode must be inline (not tap).
• An endpoint with any standard browser to serve as a client
• For the YouTube EDU feature, a valid YouTube EDU account

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Configure an SSL decryption
Task 2: Modify the access control policy
Task 3: Deploy access control policy
Task 4: Test the configuration

Tasks
Task 1: Configure an SSL decryption
For Safe Search and YouTube EDU to work properly, SSL decryption must be enabled. Furthermore,
there must be SSL decryption rules that are specific to the Safe Search and YouTube EDU applications.
This is covered in Step 6. If you only have a rule to decrypt everything, these features will not work.
Step 1 Navigate to Objects > Object Management > PKI > Internal CAs. Click Generate CA. Fill in the
details and click Generate self-signed CA.

Step 2 Edit the certificate. Generate and download the certificate.

Step 3 Install the certificate into the browser you will be using for your testing.
Step 4 Navigate to Policies > Access Control > SSL.
Step 5 Click the text Add a new policy or click the New Policy button.
a. For Name, enter Demo SSL Policy.
b. Leave the default action to Do not decrypt.
c. Click Save. Wait a few seconds, and the policy will open for editing.
Step 6 Click Add Rule.
a. For Name, enter Search Engines and YouTube.
b. Set Action to Decrypt – Resign.
c. Select the only CA available from the drop-down list to the right of the word with.

d. In the Applications tab, under Application Filters, search for Sear. You will see search
engine under Categories. Check this checkbox, and click Add to Rule.

e. Important: uncheck the search engine checkbox before you proceed to the next sub-step.
f. Still in the Applications tab, under Available Applications, search for You. You will see
YouTube and Youtube Upload. Select these two applications, and click Add to Rule.

g. Select the Logging tab, and check the Log at End of Connection checkbox.
h. Click Add to add this rule to the SSL policy.
Step 7 Click Save to save the SSL policy.

Task 2: Modify the access control policy


It is assumed that you already have an access control policy that allows the endpoint to browse the
Internet. You will enforce safe search on supported web sites, and block unsupported search engines.
You will also enforce YouTube EDU.
Step 8 In the FMC, edit the access control policy you are using.
a. Select the HTTP Responses tab. Select System-Provided from the Block Response
Page drop-down list.
b. Click on the link None to the right of the string SSL Policy above the policy rules.
c. From the drop-down list, select the Demo SSL Policy and click OK.
Step 9 Select the Rules tab. Click Add Rule.
a. Call the rule Safe Search.
b. Leave the action set to Allow.

c. Select above rule from the Insert drop-down list. Choose the number 1.
d. Select Applications tab.
i. At the top-right of the Selected Applications and Filter section, click the Safe
Search icon.
ii. Check the Enable Safe Search checkbox. Select Block with reset from the
Action for non supported engines drop-down list. Click OK.

e. Select Logging tab. Check the Log at Beginning of Connection and Log at End of
Connection checkboxes.
f. Click Save to add the rule to the policy.
Step 10 Click Add Rule.
a. Call the rule YouTube EDU.
b. Leave the action set to Allow.
c. Select Applications tab.
i. In the upper-right corner of the rule editing page, click the YouTube EDU icon

ii. Check the Enable YouTube EDU checkbox. Enter the Custom ID. Click OK.

d. Select Logging tab. Check the Log at Beginning of Connection and Log at End of
Connection checkboxes.
e. Click Save to add the rule to the policy.

Note: The order of rules is critical. Since YouTube is a supported Safe Search engine, it will match the Safe Search
rule if that rule is first, and would then never match the YouTube EDU rule.

Step 11 Click Save to save the access control policy changes.
Step 12 Check that your access control policy looks correct. A typical access control policy appears in the
following picture.

Task 3: Deploy access control policy


Step 13 Click Deploy in the upper right hand corner of the FMC.

Step 14 Check the checkbox for the NGFW device, and click the Deploy button.
Step 15 Click on the icon to the right of the Deploy link in the upper right-hand corner of the FMC. Wait
until the deployment is complete.

Task 4: Test the configuration

Note: If you want to see how the URIs are being re-written to support Safe Search and YouTube EDU, you can run
the following command on the NGFW CLI.
system support firewall-httpmod-debug
When prompted for the client IP, enter the client IP of your endpoint. You can leave the other choices alone.

Step 16 On your test endpoint, test the Safe Search feature using the following sub-steps.
a. Navigate to https://www.google.com.
b. Click on the lock icon, and confirm that the certificate was issued by the CA you created,
so SSL decryption is taking place.
c. Click the Settings button in the lower right of the web page, and select Search settings.
d. Confirm that Safe Search is disabled by looking at the search settings.
e. Click the back button in the browser.
f. Perform a search, for example using the word test.
g. Note that in the upper right of the Google web page, it says that safe search is on, or that
explicit content is being filtered.
h. Navigate to http://aol.com. You should see the default Firepower block page.
Step 17 On your test endpoint, test the YouTube EDU feature using the following sub-steps.
a. Navigate to https://www.youtube.com.

b. Click on the lock icon, and confirm that the certificate was issued by the CA you created,
so SSL decryption is taking place.
c. Note that even though you navigated to https://www.youtube.com, you ended up landing
on https://www.youtube.com/education.
d. Try to navigate to https://www.youtube.com by removing education from the URL. Notice
that you stay on https://www.youtube.com/education.
Step 18 In the FMC, navigate to Analysis > Connections > Events. If you can find an event with the
Reason set to Content Restriction, you can click on the link Content Restriction to filter. But in a
noisy system, you would follow the following sub-steps to filter the events.
a. To the right of the text No Search Constraints, click on the Edit Search link.

b. For Reason, type Content Restriction. Click Search.

c. You should see the YouTube, Google and AOL events. Notice that the Action is always Allow,
even for AOL.

d. Click on the Table View of Connection Events in the upper left-hand corner. This will
provide details about each connection event.

Use Case 13: Demonstrating FMC Analytics
Business Objectives
Security events must be properly investigated to provide value. Advanced analytics provides the
capability to interpret security events, and derive value from them.

Demonstration Objectives
The objective of this demonstration is to show FMC analytics for contextual and network visibility,
auto-correlation for IOCs and Impact Level generation.
This demonstration will use Cisco dCloud.

Demonstration Requirements
• This demonstration requires access to, and familiarity with Cisco dCloud.

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Utilize the Context Explorer
Task 2: Explore Indication of Compromise and Host Network Map
Task 3: Explore application protocol information
Task 4: Explore Security Intelligence
Task 5: Explore intrusion information and impact levels
Task 6: Explore file, geolocation and URL information

Tasks
Task 1: Utilize the Context Explorer
Step 1 Navigate to Analysis > Context Explorer.

Note: You use the Context Explorer to investigate a predefined set of recent data in granular detail and clear
context: for example, if you notice that only 15% of hosts on your network use Linux, but account for almost
all YouTube traffic, you can quickly apply filters to view data only for Linux hosts, only for YouTube-associated
application data, or both.

Step 2 Notice you can configure the Context Explorer time range to reflect a period as short as the last
hour (the default) or as long as the last year.
Step 3 You have the option to filter that data for a more granular contextual picture of activity on your
network. Filters encompass all types of Firepower System data except URL information, support
exclusion as well as inclusion, can be applied quickly by clicking on Context Explorer graph data
points, and affect the entire explorer. You can apply up to 20 filters at a time.

Task 2: Explore Indication of Compromise and Host Network Maps
Step 4 Notice the host with the most Indications of Compromise (Indications by Hosts chart).

Note: The system auto-correlates data from multiple sources to determine a host’s compromised status, including
intrusion events, Security Intelligence, and Cisco Advanced Malware Protection (AMP).

Step 5 Left-click on it and select View Host Information. Notice that it opens the Host Profile.

Step 6 Also, from the Network Information, notice all the different Operating Systems discovered.

Step 7 At the same time, open Analysis > Hosts > Network Map in another tab. Talk about how the
topology was passively learned by turning on Network Discovery.

You can use the network map to:

• Obtain a quick, overall view of your network.
• Select different views to suit the analysis you want to perform. Each view of the network
map has the same format: a hierarchical tree with expandable categories and sub-categories.
When you click a category, it expands to show you the sub-categories beneath it.
• Organize and identify subnets via the custom topology feature. For example, if each
department in your organization uses a different subnet, you can assign familiar labels to
those subnets using the custom topology feature.
• View detailed information by drilling down to any monitored host's host profile.
• Delete an asset if you are no longer interested in investigating it.
Step 8 You can also use the custom topology feature (Policies > Network Discovery) to help you
organize and identify subnets in your hosts and network devices network maps. For example, if
each department within your organization uses a different subnet, you can label those subnets
using the custom topology feature. You can also view the Hosts network map according to the
organization you specified in the custom topology.

Task 3: Explore application protocol information
Step 9 Notice the viewing capabilities with the Application Protocol Information. You can view by
Application Protocol, Client Applications or by Web Application. You can further view by Risk or
Business Relevance.

Step 10 You can pick an application and Drill into Analysis, which opens Analysis > Hosts >
Applications.
Step 11 You can further view the Table View of Applications and even get more details on which User or
IP Address is using that particular application.

Task 4: Explore Security Intelligence


Step 12 Observe the Charts under Security Intelligence.

Step 13 Left-click on the Security Intelligence Traffic by Source or Destination IP and notice that you have
the option to Blacklist or Whitelist that IP address.
Step 14 Notice that with the new IP and Geolocation Lookup feature in 6.1 you can also get Whois
information about that IP address.

Task 5: Explore intrusion information and impact levels
Step 15 Explore the various charts under Intrusion Information.

Step 16 Notice the Intrusion Events by Impact. The impact level in this field indicates the correlation
between intrusion data, network discovery data, and vulnerability information.
Step 17 Here is a description of what those Impact Levels mean and how the security admin can
prioritize incidents.

Task 6: Explore file, geolocation and URL information


Step 18 Explore the file information. Five of the six graphs display AMP for Firepower data: the file types,
file names, and malware dispositions of the files detected in network traffic, as well as the hosts
sending (uploading) and receiving (downloading) those files. The sixth graph displays all malware
threats detected in your organization, whether by AMP for Firepower or AMP for Endpoints.

Step 19 The geolocation information section of the Context Explorer contains three interactive donut
graphs that display an overall picture of countries with which hosts on your monitored network are
exchanging data: unique connections by initiator or responder country, intrusion events by source
or destination country, and file events by sending or receiving country. You can go to eicar.org
and try to download some test malware files.

Step 20 The URL Information section of the Context Explorer contains three interactive bar graphs that
display an overall picture of URLs with which hosts on your monitored network are exchanging
data: traffic and unique connections associated with URLs, sorted by individual URL, URL
category, and URL reputation. You cannot filter on URL information.

Use Case 14: Demonstrating Custom Dashboard and Reporting
Business Objectives
Visibility provides business with the ability to determine the character of the network usage. This allows
the customer to be proactive. Both network architecture and security decisions can be informed by the
knowledge gained through the visibility provided by Firepower technology.

Demonstration Objectives
In this demonstration you will build custom dashboards and standard or risk reports for executive visibility.
This demonstration will use Cisco dCloud.

Demonstration Requirements
• This demonstration requires access to, and familiarity with Cisco dCloud.

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Create a custom dashboard
Task 2: Convert the custom dashboard to a report template
Task 3: Explore other reporting templates
Task 4: Generate a risk report

Tasks
Task 1: Create a custom dashboard
Step 1 Navigate to Overview > Dashboards Management.
Step 2 Copy one of the existing dashboards.

Step 3 Once you have that, you can add and delete tabs, add and delete widgets. The Custom Analysis
widget is very powerful. And you can create most of the statistical data widgets by modifying the
fields. You can also leverage Custom Tables if you have created any.

Step 4 Here is an example custom dashboard available on dCloud.

Task 2: Convert the custom dashboard to a report template
Step 5 Notice the Report Designer button in the top right-hand corner of your Dashboard.

Step 6 You can click on that and then save it as a report template, generate a report, and include a cover
page, logo, header and footer from Advanced Settings to create a Custom Report.

Step 7 You can generate an HTML, PDF or CSV format report.


Step 8 If you have Relay Host configured, you can even Email the Report.

Task 3: Explore other reporting templates
Step 9 Navigate to Overview > Reporting and select the Report Templates tab.
Step 10 Notice that you have some pre-defined templates including Advanced Malware, Attack Risk and
Network Risk.

Step 11 For the Standard Reports, you can generate a report, copy and customize, even Export and
Import into another FMC.

Task 4: Generate a risk report


Step 12 Click the Generate Report icon in the row of the type of risk report you wish to generate, and the
respective risk report is produced. Here are some sample risk reports, based on dCloud, for your
reference: http://pov.developmentserver.com/Sample_Risk_Reports/

Use Case 15: Demonstrating Site-to-Site VPN
Business Objectives
Connecting offices with site-to-site VPN is essential to conduct business. Point-to-point, star or full mesh
topologies are used. Many customers prefer to use the Internet edge devices as VPN head-ends to
reduce device number and administrative overhead.

Demonstration Objectives
This use case will demonstrate configuring site-to-site VPN between one NGFW and another NGFW/ASA
using Firepower Management Center. A VPN deployment specifies the endpoints and networks that are
included in a VPN and how they connect to each other. The system supports three types of VPN
deployments:
• Point-to-Point VPN Deployments
• Hub and Spoke VPN Deployments
• Full Mesh VPN Deployments
For this use case, we will be using the Point-to-Point topology. For more information on VPN
Deployments please refer to
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/fpmc-config-guide-v61_chapter_01110010.html

Demonstration Requirements
• FMC
• NGFW to NGFW, or NGFW to ASA
• NGFW: Firewall mode may be: routed or transparent
• An endpoint with any standard browser to serve as a client

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Spin up another NGFW or ASA
Task 2: Configure site-to-site VPN on the NGFW
Task 3: Create NAT exemption
Task 4: Modify the access control policy and deploy changes
Task 5: Test site to site VPN

Tasks
Task 1: Spin up another NGFW or ASA
Step 1 Follow the installation and upgrade guides/instructions and spin up another external device.

Note: Each topology mentioned above can have external devices, which are Cisco or Non-Cisco. For details on
NGFW VPN Deployments see
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/fpmc-config-guide-v61_chapter_01110011.pdf.

Step 2 Smart Licensing for VPN: There is no specific licensing for enabling Firepower Threat Defense
VPN; it is available by default. The Firepower Management Center determines whether to allow
or block the usage of strong crypto on a Firepower Threat Defense device based on attributes
provided by the smart licensing server. This is controlled by whether you selected the option to
allow export-controlled functionality on the device when you registered with Cisco Smart License
Manager. If you are using the evaluation license, or you did not enable export-controlled
functionality, you cannot use strong encryption.

Task 2: Configure site-to-site VPN on the NGFW


Step 3 Navigate to Devices > VPN. Click Add VPN > Firepower Threat Defense Device.
Step 4 Create a new Point to Point VPN Topology. Select IKEv2. Make sure IKEv1 is not checked.
Step 5 Add Node A and Node B based on your Endpoints. You might want to create objects to define
Protected Networks.

Step 6 Select the IKEv2 tab.


a. Under IKEv2 Settings, for Policy, confirm that DES-SHA-SHA is selected.

b. Under IKEv2 Settings, for Pre-shared Key Type, select Manual.

Note: The Automatic setting can only be used if the FMC is managing both endpoints. In this case, the FMC can
generate and distribute a random shared key.

c. Under IKEv2 Settings, for Key, enter cisco123, and confirm the entry.

d. Select the IPsec tab, confirm that the IKEv2 IPsec Proposal is DES_SHA-1.

e. Click Save to save the VPN settings.

Task 3: Create NAT exemption


Step 7 Navigate to Devices > NAT.
Step 8 You should have already created a NAT policy to NAT outbound connections. If not, create one:
navigate to Devices > NAT, then click New Policy > Threat Defense NAT.
Step 9 Click Add Rule. Make sure the rule you add in the following step is the first rule in the NAT policy.
a. Leave In Category and NAT Rules Before selected in the NAT Rule drop-down lists.
b. You will be at the Interface Objects tab.
i. Select InZone and click Add to Source.
ii. Select OutZone, and click Add to Destination.
c. Select the Translation tab.
i. Select MainOfficeNetwork from the Original Source drop-down list.
ii. Select MainOfficeNetwork from the Translated Source drop-down list.
iii. Select BranchOfficeNetwork from the Original Destination drop-down list.

iv. Select BranchOfficeNetwork from the Translated Destination drop-down list.

d. Select the Advanced tab, and check the Do not proxy ARP on Destination Interface
checkbox.

e. Click OK to save the NAT rule.


Step 10 Click Save to save the NAT policy.

Task 4: Modify the access control policy and deploy changes


You will now create a rule to allow traffic between the Branch office and Main office.
Step 11 Navigate to Policies > Access Control > Access Control. Edit the NGFW Access Control Policy.
Step 12 Click Add Rule.

a. Call the rule VPN Access.


b. Select into Default from the Insert drop-down list. This will become the last rule in the
access control policy.
c. Leave the action set to Allow.
d. The Zones tab should already be selected.
i. Select InZone and click Add to Destination.
ii. Select OutZone, and click Add to Source.
e. Select the Networks tab, select BranchOfficeNetwork, and click Add to Source.

f. Select the Inspection tab.
i. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.
ii. Select Demo File Policy from the File Policy drop-down list.
g. Click Add to add this rule to the access control policy.
Step 13 Click Save to save the access control policy.
Step 14 Deploy the changes, as you have been. Wait for the deployment to complete.

Task 5: Test site-to-site VPN


Step 15 From the NGFW CLI, type show crypto ipsec sa. There should be no IPSec security
associations.
Step 16 From the Inside UNIX server CLI, type ping branch.example.com. Wait a few seconds, and
the ping should succeed.
Step 17 From the NGFW CLI, type show crypto ipsec sa. There should now be an IPSec security
association.

Use Case 16: Demonstrating REST API
Business Objectives
A REST API is essential to provide customers with automation capabilities and facilitate third-party integration.

Demonstration Objectives
This use case will demonstrate the new RESTful configuration API for Firepower Management Center.
The REST API is an application programming interface (API), based on “RESTful” principles, which you
can quickly enable on any Firepower device and use with any REST client, or programming language.
Through the REST client or software, you can contact the specific Firepower device's REST agent and
use standard HTTP methods to access current configuration information, and issue additional
configuration parameters.

Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• An endpoint with any standard browser to serve as a client
• Postman software client available https://www.getpostman.com
• Client machine running python 2.7 or later

Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Enabling REST API in FMC
Task 2: Explore API using onboard API Explorer
Task 3: Execute API commands and Write configuration using Third Party clients (Postman)
Task 4: Completely automate Firepower Configuration with software scripts

Tasks
Task 1: Enabling REST API in FMC
Step 1 Log in to the FMC and navigate to System > Configuration > REST API Preferences.

Note: REST API configuration is only available in Firepower Management Center v6.1 or greater

Step 2 Select the checkbox to Enable REST API and press Save

Task 2: Explore API using onboard API Explorer
Step 3 Navigate to https://[IP/Hostname of FMC]:[port]/api/api-explorer
Step 4 Login using FMC credentials

Note: Using same credentials as FMC admin will disconnect any other users logged in with that account. It is
recommended to create a unique user for API related tasks.

Step 5 The API Explorer is broken up into three panes.
a. Configuration parameters available in the REST API
i. Categories of configuration that can be managed using the REST API
b. Available methods for the chosen configuration parameter
i. Specific URIs and supported methods for configuration items
c. Command console
i. Run HTTP requests against the REST API from the console to test JSON data and
request methods

Step 6 Select System Information from the left pane
Step 7 Press GET in the center pane for URI /api/fmc_platform/v1/info/serverversion
Step 8 Press GET in right console pane to run the request
Step 9 Console output represents JSON format of the FMC version information

Note: A test GET request can be made from any category to get a better understanding of the JSON format for
that command before writing data (POST). Showcase this as a way to help in preparing to create custom
scripts.

Task 3: Execute API commands and Write configuration using Third Party clients (Postman)
Step 10 Open Postman and select POST method in the center pane

Step 11 In the request URL field enter:

https://[IP/Hostname of FMC]:[port]/api/fmc_platform/v1/auth/generatetoken
Step 12 Select the Authorization tab and choose Basic Auth from the dropdown

Step 13 Enter your API user credentials and press Update Request

Step 14 Confirm the right URL path and press Send

Note: When using a non-native API client, you must manually generate an authentication token for your requests
to authorize the transaction. The built-in API Explorer generates the authentication on its own once you are
logged into the UI, so it is not required to do it manually there.

Step 15 In the response pane navigate to the Headers tab and locate the “X-auth-access-token”

Note: This generated token will need to be used as a header in every subsequent request made to the API

Step 16 Return to the request Headers tab and add the token to the new request

Step 17 Change the URL to reflect desired object to modify (in this case access policies)
Step 18 Switch to the Body section and choose Raw format to enter the JSON data for the request
Step 19 Press Send to complete the request and take note of the response data/code

Note: REST API will use traditional HTTP error/response codes to indicate successful or failed requests

Task 4: Completely automate Firepower Configuration with software scripts
You will now combine the understanding of the previous two sections by creating a standalone software
script to execute against the REST API.

Note: For this example, we will be using Python scripting to create a network object. The logic and process outlined
here can be adapted to any scripting/software language.

Step 20 To begin, our Python script must contain three sections to run successfully.
a. Authentication sequence to generate and request a token
b. HTTP POST URL and data in JSON format
c. Make request and read response
Step 21 Sample script below shows steps to complete authentication sequence

Step 22 Sample script below shows POST URL and data in JSON format

Step 23 Sample script below makes HTTP request and reads response

Step 24 Run the Python script. The output response should show status code 201, meaning the POST was successful.
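The three-part script that Steps 20 to 23 describe (and the same token exchange that Task 3 performs by hand in Postman), as an added example written for Python 3's standard library; it is not the guide's own sample script. It assumes the placeholders FMC_HOST, API_USER and API_PASS, which you replace, and it assumes the network-object endpoint /api/fmc_config/v1/domain/{domainUUID}/object/networks and the DOMAIN_UUID response header, neither of which the guide shows. The generatetoken path and the X-auth-access-token header are the ones the guide uses.

```python
"""FMC REST API in three parts: request a token, POST a network object, read the response.

Added example, not the guide's sample script. FMC_HOST, API_USER and API_PASS are
placeholders to replace. The network-object endpoint and the DOMAIN_UUID header are
assumed from the FMC API and are not shown in the guide.
"""
import base64
import ipaddress
import json
import ssl
import urllib.error
import urllib.request

# Path and header name used in the guide's Postman walkthrough (Steps 11 and 15).
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
TOKEN_HEADER = "X-auth-access-token"
# Assumption: the FMC also returns the domain UUID needed to build configuration URLs.
DOMAIN_HEADER = "DOMAIN_UUID"


def basic_auth_header(user, password):
    """Build the Authorization value that Postman's Basic Auth tab sends (Step 12)."""
    raw = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def extract_token(headers):
    """Return (token, domain_uuid) from the generatetoken response headers.

    Header names are matched case-insensitively; a missing token is an error
    rather than a silent empty string that would fail later with a 401.
    """
    lookup = {key.lower(): value for key, value in headers.items()}
    token = lookup.get(TOKEN_HEADER.lower())
    if not token:
        raise ValueError("no " + TOKEN_HEADER + " header in generatetoken response")
    return token, lookup.get(DOMAIN_HEADER.lower(), "")


def network_object_payload(name, cidr, description=""):
    """JSON body for a Network object (Step 22). A prefix with host bits set, such as
    10.2.0.1/24, is rejected locally instead of coming back as an HTTP 400."""
    network = ipaddress.ip_network(cidr, strict=True)  # raises ValueError on bad input
    return {"name": name, "value": str(network), "type": "Network",
            "description": description}


def network_object_url(base_url, domain_uuid):
    """Assumed FMC endpoint for network objects (not shown in the guide)."""
    return "{}/api/fmc_config/v1/domain/{}/object/networks".format(base_url, domain_uuid)


def classify_status(status):
    """Map the HTTP status the FMC returns to the outcome the guide describes (Step 24)."""
    if status == 201:
        return "created"
    if status in (401, 403):
        return "auth-failed (token missing, expired or insufficient role)"
    if 400 <= status < 500:
        return "rejected (check the JSON body and URL)"
    if status >= 500:
        return "server-error"
    return "unexpected"


def _decode(raw):
    """Parse a JSON body; keep the raw text if the FMC returned something else."""
    try:
        return json.loads(raw.decode("utf-8")) if raw else {}
    except ValueError:
        return {"raw": raw.decode("utf-8", "replace")}


def create_network_object(host, user, password, name, cidr, port=443, cafile=None):
    """Live flow against an FMC: token request, POST, response. Needs network access."""
    # Keep TLS verification on: export the FMC certificate and pass it as cafile rather
    # than disabling verification, so the token is never sent to an impostor FMC.
    ctx = ssl.create_default_context(cafile=cafile)
    base = "https://{}:{}".format(host, port)

    token_req = urllib.request.Request(base + TOKEN_PATH, data=b"", method="POST")
    token_req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(token_req, context=ctx) as resp:
        token, domain = extract_token(dict(resp.headers.items()))

    body = json.dumps(network_object_payload(name, cidr)).encode("utf-8")
    req = urllib.request.Request(network_object_url(base, domain), data=body, method="POST")
    req.add_header(TOKEN_HEADER, token)  # every later request carries the token (Step 16)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, classify_status(resp.status), _decode(resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a JSON body
        return err.code, classify_status(err.code), _decode(err.read())


if __name__ == "__main__":
    # Placeholders (assumed): replace with your FMC host and the dedicated API user.
    print(create_network_object("FMC_HOST", "API_USER", "API_PASS",
                                "BranchOfficeNetwork", "10.2.0.0/24"))
```

The token and payload helpers are kept separate from the network calls so they can be checked without an FMC; the same Basic Auth value and X-auth-access-token header are what Postman shows in Steps 12 and 15, and a 201 from the POST is the success Step 24 expects.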

Note: For help writing scripts, you can start with the generated scripts shown in the API Explorer window at the
bottom of the console pane.
