Professional Documents
Culture Documents
Font Function
Courier New Bold Used to indicate text that must be typed in. Also
the output of some commands uses this font.
Developers
The labs pod and lab guide were created by the Technical Marketing team of the Security Business
Group at Cisco Systems.
Sample Topology
Here is the topology that was used to develop this guide. This topology is available at the GOLD lab.
Use Case 10: Demonstrating Event Correlation Use Case 4: Demonstrating IPS
(Task3 and Task4)
Use Case 11: Demonstrating ISE Integration Use Case 4: Demonstrating
Authentication (Task1 and Task2)
Use Case 12: Demonstrating Safe Search or YouTube EDU
Use Case 13: Demonstrating FMC Analytics Use dCloud for more data
Use Case 14: Demonstrating Custom Dashboard and Reporting
NGFW Deployment for Deploying NGFW for Inspection • NGFW deployment Modes
Firewall POV (as a next hop, Bump on wire, • Network Discovery
IPS) • Routing
• NAT
• Clustering (9300, Inter-chassis
Future)
• HA
Use Cases
Use Case 1: Standard Reduce Attack surface by • Application Visibility
and Custom Application blocking unwanted application, • Access Control
detection and control blocking unproductive known and • Application Control
for classification, customer applications
monitoring and control
Use Case 10: Reduce Improve Threat detection time • Threat Detection
Threat Detection time • Correlation
by examining early • Indication of Compromise
indications of
compromise
The following table lists the open ports required by each appliance type so that you can take full advantage of
Firepower System features.
events
malware dispositions for
files detected in network
traffic
dynamic analysis
information on submitted
files
Installation Outline
The installation process consists of the following tasks.
Task 1: Install the NGFW
Task 2: Configure the device for FMC management
Task 3: Install the FMC
Task 4: Install Licenses
Tasks
Task 1: Install the NGFW
Step 1 Depending on the Hardware platform, please refer the respective install guides to install or
upgrade to the Firepower Threat Defense NGFW software on your devices.
a. For ASA 5506-5555 running ASA+FP Services, you might need to reimage the box.
Reimage instructions:
http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-55xx-X-
qsg.html#pgfId-181902
b. For 4100: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp4100/ftd-
4100-qsg.html
c. For 9300: http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp9300/ftd-
9300-qsg.html The firewall mode cannot be changed while the device is registerd with
the FMC. If you intend to use FDM, you must choose routed mod
During initial setup, you will be asked to pick firewall mode (routed or transparent). This can be
changed after installation by using the Firepower CLI.
.
The firewall mode cannot be changed while the device is registered with the FMC. If you intend
to use FDM, you must choose routed mod.
c. Evaluation Licenses are available for 90 days the first time you install the software.
Navigate to System Licenses Smart Licenses and turn on evaluation mode.
Tasks
Task 1: Configure the NGFW access control policy
Step 1 Navigate to Objects → Object Management → Interfaces. Click Add Security Zone. Create two
zones, InZone and OutZone. For Interface Type select Routed.
Step 2 Navigate to Policies → Access Control → Access Control.
Step 3 Create a New Policy, NGFW Access Control Policy. Keep all other settings unchanged. Notice
the Default Action is to Block All Traffic.
Step 4 Add a Rule to allow outbound connections, from InZone to OutZone. Call this rule Allow
Outbound.
Step 5 In the Inspection tab, select Balanced Security and Connectivity. If you want you could create a
file policy now and assign to this rule.
Step 6 Click Add to add the rule to the policy, and Save to save the policy changes.
Note: Notice the pop-ups. Network Discovery is only available at the leaf domain level to all for Networks
overlapping. Also, once domains are created each device that you manage via FMC must be a part of the
leaf domain.
Step 11 Notice the screen on the top right. You are now the Global Domain Admin.
Step 14 Notice that you are logged into the Domain and do not have access to global domain. For
example: If you navigate to Policies Access Control, notice that the Policy you created in
Global Domain is Read-only in Child Domain. Also, if you had multiple such domains and devices
in each domain, the child domain admin (USAadmin) will not have visibility into the devices,
events, etc. from the other domains.
Note: If you have domains configured, when you Add Device you need to add it to a leaf domain. For the purpose
of this guide, I am going to delete the Domain created in Task 3 but you could continue to use that if the
customer wants Domain.
Step 23 And in the Override tab, you can type in the override IP address.
Step 25 Save the object and notice the Override column has a 1. When you use this object in a Rule, for
NGFW device it will be evaluated as the override value instead of the default value.
Step 28 If you noticed when the child policy was expanded, the Mandatory and Default sections of the
Parent Policy wrap around the Child Policy. This is an onion model. Rules from the Mandatory
section of parent policy are enforced on the child policy while the Rules in the Default section of
the parent policy can be overridden by the child policy.
Note: Policy Inheritance (Enforcement) is handy with Domain. Global Domain Policy can to enforced onto child
domains thus creating sometime like a Corporate Level Policy with a Branch Policy that is managed by the
Branch Admin.
Tasks
Task 1: Configure routed or transparent mode
Step 1 During the Initial Setup Configuration Wizard for ASA5500 Series on via chassis manager for
4100/9300, you were are to pick one of the Firewall Modes – Routed or Transparent. If you wish
to change that now –
a. For ASA5500 series, you need to de-register the device, go back to CLI to change it and
re-register the device.
> configure firewall ?
routed Change to routed firewall mode
transparent Change to transparent firewall mode
b. For 4100/9300 series, you need to de-register the device, go back to Chassis Manager,
change it and re-register FTD.
Step 3 Select the Routing tab. Select Static Route and add a route to the outside gateway.
Note: Starting witj 6.1. you can create a shared NAT policyh across multiple devices..
Step 6 Once the Rule Page open, Add a Rule. Notice you can create dynamic NAT, dynamic PAT, static
NAT, and identity NAT rules. Decide which rules should be implemented as manual or auto NAT.
We recommend using auto NAT unless you need the extra features that manual NAT provides. It
is easier to configure auto NAT, and it might be more reliable for applications such as Voice over
IP (VoIP).
Step 8 Select the Translation Tab and configure the Original and Translated Packet.
Step 12 Populate the Original Packet Source and Translated Packet Source Address.
Note: You need to create the Source objects for wwwin and wwwout before or Add from this screen by clicking on
+ . For this to work, you will need to add an Allow Rule from outZone to inZone.
.
Step 13 For this to work, you will need to add an Access Control Rule to Allow traffic from outZone to
inZone. You can choose to select HTTP/HTTPS as Ports in this rule and also, select a Balanced
IPS Policy in the Inspection Tab.
Step 15 Click Save and then select Time Synchronization. Confirm that the Via NTP from Management
Center radio button is selected.
Note: On FP9300 platforms, failover is only supported across blades in different chassis in non-cluster mode with
matching interfaces on separate blades.
Note: The two HA units must be identical in hardware configuration, memory, interfaces, and software versions
Note: Smart License Requirements for HA pair: Firepower Threat Defense devices in a high availability
configuration must have the same licenses. Before high availability is established, it does not matter which
licenses are assigned to the secondary/standby device. During high availability configuration, the Firepower
Management Center releases any unnecessary licenses assigned to the standby device and replaces them
with identical licenses assigned to the primary/active device. For example, if the active device has a Base
license and a Threat license, and the standby device has only a Base license, the Firepower Management
Center communicates with the Cisco Smart Software Manager to obtain an available Threat license from
your account for the standby device. If your Smart Licenses account does not include enough purchased
entitlements, your account becomes Out-of-Compliance until you purchase the correct number of licenses.
High availability configurations require two Smart License entitlements; one for each device in the pair
Demonstration Objectives
This use case will demonstrate application detection and control for custom and standard applications.
OpenAppID is an open source application detection engine, supported by the Snort community. This is
utilized for AVC in the NGFW. The AppID Snort preprocessor has a Lua interface that allows the
preprocessor to utilize Lua scripts. This allows the creation of custom application detectors using the Lua
scripting language. Below is a sample custom application.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be :routed or transparent
• NGIPS: Interface mode may inline, inline tap or passive
If inline tap or passive is used, you must skip the demonstration of application blocking
• An endpoint with any standard browser to serve as a client
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Create custom application detector
Task 2: Configure custom application detection and blocking
Task 3: Configure standard application detection and blocking for SSH
Task 4: Deploy and test standard and custom application detection
Tasks
Task 1: Create custom application detector
Step 1 Navigate to Policies Application Detectors. Click on Create a Custom Detector.
Note that Detector Type here is Basic. This means the Lua script will be created for us. An
alternative is to create and advanced detector. This allows us to upload a custom Lua script
Step 3 Select TestApp from the Application Protocol drop-down menu and save.
Step 6 Search for the custom application detector you just created and Enable
it.
Step 7 You can also download and open the custom detector in an editor and inspect the Lua script, if
you wish.
e. Click Save.
Task 3: Configure standard application detection and blocking for SSH and Xbox
Step 9 Navigate to Policies Access Control Access Control, and edit the NGFW access control
policy.
a. Make this the 1st rule
b. For Action, select Block with reset.
c. In the Applications tab, search for SSH and add this to the Rule
d. In the Logging tab, check the Log at Beginning of Connection checkbox.
e. Repeat the above steps to block web applications like Xbox Live.
Step 11 From inside PC, send some traffic for the HTTP custom App with TestApp as the User Agent.
You could do this via Firefox browser by editing the Default User Agent from Tools Edit User
Agents. Create a new user agent.
Step 12 Also, try to SSH to any server on the outside.
Step 14 Navigate to Analysis Connections Events. Drill down to the Table View of Connection
Events and confirm that the TestApp application was detected. It will be in the Client column of
the table.
Demonstration Objectives
The objective of this demonstration is to show how to filter URLs based on URL category, risk, or
geolocation. These features can be used to enhance security and enforce acceptable use.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be :routed or transparent
• NGIPS: Interface mode may inline, inline tap or passive
If inline tap or passive is used, you must skip the demonstration of application blocking
• An endpoint with any standard browser to serve as a client
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Configure URL Filtering
Task 2: Configure Geolocation Filtering
Task 3: Deploy the Access Control Policy
Task 4: Test URL category and geolocation features
Note: For this demonstration, it is best to configure an end user notification page. When editing the access control
policy, you can configure this page in the HTTP Responses tab. Note that even if the action is set to Block
with reset, this page will be displayed.
Tasks
Task 1: Configure URL filtering
Step 1 Navigate to System Integration. Under Cisco CSI, make sure Enable URL Filtering is checked.
Also check Query Cisco CSI for Unknown URLs.
Step 2 Navigate to Policies Access Control Access Control, and edit the NGFW access control
policy. Add a rule to block unacceptable sites like gambling sites. Follow steps below.
a. Make this the 1st rule
b. For Action, select Block with reset.
c. In the URL tab, search for Gambling and add this to the rule
d. In the Logging tab, select Log at Beginning of Connection.
e. Click Add to save the rule.
a. Enter an IP you wish to block by geolocation. For example, you can use
186.192.90.5. This is the IP address for the Brazilian news site globo.com.
b. Click Search.
Step 5 Navigate to Policies Access Control Access Control, and edit the NGFW access control
policy. Add a rule to block some countries
a. Make this the 1st rule
b. For Action, select Block with reset.
a. In the Networks tab, in the Geolocation sub-tab, search for any country you wish to block
and click Add to Destination.
b. In the Logging tab, select Log at Beginning of Connection.
c. Click Add to save the rule.
Step 6 Save the changes to the access control policy.
Step 10 Navigate to Analysis Connections Events. Drill down to the Table View of Connection
Events and verify that traffic was blocked. Check the URL Category.
Step 11 For geolocation, check the initiator and responder country.
Demonstration Objectives
The objective of this demonstration is to show how to filter URLs based on URL category, risk, or
geolocation. These features can be used to enhance security and enforce acceptable use. You will also
demonstrate how to create decryption exemptions based on URL category.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode must be inline pair (non-tap)
• An endpoint with any standard browser to serve as a client
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Create a self-signed certificate using the FMC
Task 2: Create an SSL policy
Task 3: Associate the SSL policy to the access control policy
Task 4: Deploy and test the SSL policy
Tasks
Task 1: Create a self-signed certificate using the FMC
Step 3 Install the certificate into the browser on the endpoint you will use for testing.
Note: The above policy decrypts everything. But for POV, you might want to keep it as restrictive to your testing as
possible to avoid browser performance issues.
Step 12 Also, in your Access Control Policy, make sure you have an Allow Rule for Outbound Connection
with this file policy for inspection.
Step 14 Go to http://eicar.org.
Demonstration Objectives
The goal of this demonstration is to show the value of passive authentication and user discovery. There
are two passive authentication sources:
• The Cisco Firepower Active Directory Agent
Formerly known as the Sourcefire User Agent (SFUA)
• The Cisco Identity Services Engine (ISE)
You can configure either, but not both, of these sources.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may inline, inline tap or passive
• Access to a privileged Active Directory account.
• An endpoint with any standard browser to serve as a client.
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Integrate FMC into authentication infrastructure
Task 2: Create an identity policy with a passive authentication rule
Task 3: Associate the Identity Policy to the Access Control Policy
Task 4: Deploy and test passive authentication
Tasks
Task 1: Integrate FMC into authentication infrastructure
Step 1 Make sure to Install SFUA OR ISE depending on what you choose for getting user-ip mappings.
a. SFUA: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-
center/118131-technote-sourcefire-00.html
b. ISE 2.1: http://www.cisco.com/c/en/us/td/docs/security/ise/2-
1/install_guide/b_ise_InstallationGuide21.html
Step 2 In FMC, navigate to System Integration. Select the Identity Sources tab. Choose one of the
identity Sources (Identity Services Engine or User Agent) and complete the integration.
c. For ISE, make sure you have the right certificates pre-created. Here is the detail
HOW TO guide: https://communities.cisco.com/docs/DOC-68292
d. For the user agent: You just need the hostname or IP address.
Step 3 Create a realm. Navigate to System > Integration. Select the Realms tab and click New Realm.
Step 5 Add a directory server to the realm by clicking Add directory. . Before saving, click Test to
confirm the
configuration.
Step 6 Select the User Download tab. Check Download users and groups, and then click Save.
Step 8 Click the icon to the right of the switch you used to enable the realm. This will download the
users and groups.
Step 10 If you want to use active authentication, you will need a certificate/key pair.
a. Select the Active Authentication tab.
a. Select the realm you created in Task 1 from the Realm drop-down menu.
b. Check Use active authentication if passive authentication cannot identity user.
c. Check Identify as Special Identities/Guest if authentication cannot identify the user.
d. By default, Authentication Type is HTTP Basic. You can change it to NTLM, Kerberos,
HTTP Negotiate or HTTP Response Page. You can change the default if you wish.
Step 15 Click Add to save the rule.
Step 16 Click Save to save the policy.
d. Save the rule and then save the Access Control Policy changes.
Demonstration Objectives
In this demonstration, your goal is to perform Security Intelligence configuration. This consists of the
following:
• Deploy an IP based black list
• Deploy a URL based black list
• Configure and deploy a DNS sinkhole
IP and URL black lists are self-explanatory, but DNS sinkholing deserves some explanation. Typically, if
the edge firewall sees a DNS query to a malicious site, it is coming from an internal DNS server. This
server has probably not been compromised. What the firewall can do is intercept the query, and return
forged A and AAAA records.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be :routed or transparent
• NGIPS: Interface mode may inline, inline tap or passive
• An endpoint with any standard browser to serve as a client
Note: You will also need target web servers for this demonstration. These will be provided by Cisco.
• A web server to provide custom feeds: pov.developmentserver.com/feeds.
• A web server to take the place of a CnC server: this cnc.developmentserver.com
• A web server to serve test IP based security intellegence: www.developmentserver.com
• A web server to serve test URL based security intellegence: url.developmentserver.com
• A web server to serve as the DNS sinkhole: sinkhole.developmentserver.com
Demonstration Outline
This demonstration consists of 4 tasks.
Task 1: Configure network, DNS and URL feeds
Task 2: Configure a DNS sinkhole
Task 3: Configure security intelligence in the access control policy
Task 4: Test security intelligence configuration
Tasks
Task 1: Configure network, DNS and URL feeds
Note: Each of this Security Intelligence objects can be either lists or feeds. This guide uses feeds. If you want to
use lists, you can download lists using the URLs in Steps 2, 3 and 4.
Step 3 Select Security Intelligence DNS Lists and Feeds. Click Add DNS Lists and Feeds.
a. For Name type DNSFeed.
b. Select Feed from the Type drop-down menu.
c. For Feed URL, type http://pov.developmentserver.com/feeds/DNSFeed
d. Click Save.
Note: The IPv4 address 54.68.53.177 corresponds to sinkhole.developmentserver.com. The IPv6 address
2001:db8::1 is in the range of IPv6 addresses reserved for documentation.
b. Click Save.
Step 6 Navigate to Policies Access Control DNS. Click Add DNS Policy.
a. For the name, enter NGFW DNS Policy. Click Save.
c. Click Add to add the rule. Then click Save to save the new DNS policy.
e. Click Save to save the changes to the NGFW Access Control Policy.
Step 9 Deploy the changes. Note that the DNS policy and access control policies have been modified.
Step 10 Wait until the deployment is complete.
Demonstration Objectives
The objective of this demonstration is to show the IPS capabilities of the NGFW.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be :routed or transparent
• NGIPS: Interface mode may inline, inline tap or passive
If inline tap or passive is used, you must skip the demonstration threat blocking
• An endpoint with any standard browser to serve as a client
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Create a new intrusion policy
Task 2: Enable Firepower Recommendations
Task 3: Enable signatures 336 for the demonstration
Task 4: Deploy and test simple IPS functionality
Task 5: Explore advanced settings
Task 6: Explore policy layers
Task 7: Explore creating a custom Snort signature
Task 8: Getting Custom intrusion policy from TALOS for IXIA BreakingPoint Strike List
Task 9: Associate the intrusion policy to the access control policy
Task 10: Deploy and test advanced IPS functionality
Tasks
Task 1: Create a new intrusion policy
Step 1 Navigate to Navigate to Policies Access Control Intrusion. Create a new Intrusion policy.
Step 2 You might want to uncheck Drop when Inline if you don’t want it to drop but just generate events
Step 3 You can leave the Base Policy as Balanced Security and Connectivity.
Note: Firepower Recommendations are useful for automatically tuning the Intrusion policy for your customer’s
environment. It is most effective after the system has had a minimum of several hours to “learn” the
network.
Note: In order for this demonstration to work, it is best that the network traffic has a chance to flow through the
sensor for an extended length of time.
Step 6 Click on Advanced Settings, and uncheck the option to Disable Rules.
Note: In production deployments, customers will often leave this setting Checked, but in a POV, it is best to
Uncheck it and leave more rules enabled.
Step 7 Click Generate and Use Recommendations. This might take a few minutes.
Step 9 Click Commit Changes. You can also do this after all changes to the Intrusion policy has been
made.
Note: This rule looks for a change to the root home directory in FTP traffic established on port 21. It only looks for
traffic coming from the external network, but in our lab we use the default value of $EXTERNAL_NET, which
is any, so the rule can be triggered in both directions. You may consider the following flow.
1. Demonstrate how this rule works with unmodified variables, as shown in Task 4.
2. Modify your variables to define the home and external networks.
3. Demonstrate that this rule is no longer triggered.
c. Click OK.
Note: Setting Maximum Active Responses to a value greater than 0 enables the rules that drop packets to send
TCP resets to close the connection. Typically both the client and server are sent TCP resets. With the
configuration above, the system can initiate up to 25 active responses (TCP Resets) if it sees additional
traffic from this connection.
In a production deployment, it is probably best to leave this set to the default. Then no resets are sent, and
the malicious system will not know that it has been detected. But for testing and demonstrations, it is
generally better to send resets when packets match drop rules.
Step 22 Specific Threat Detection: The sensitive data preprocessor detects sensitive data such as credit
card numbers and Social Security numbers in ASCII text.
Step 23 Intrusion Rule Thresholds: The global rule threshold sets limits for event logging by an intrusion
policy. You can set a global rule threshold across all traffic to limit how often the policy logs
Step 24 External Responses: In addition to the various views of intrusion events with in the web interface,
you can enable logging to system log (syslog) facilities or send event data to an SNMP trap
server. Per policy, you can specify intrusion event notification limits, set up intrusion event
notification to external logging facilities, and configure external responses to intrusion events.
Note that in addition to these per-policy alerting configurations, you can globally enable or disable
email alerting on intrusion events for each rule or rule group. Your email alert settings are used
regardless of which intrusion policy processes a packet.
Step 25 Remember to commit the Changes when done if you see the ! icon near Policy Information once
all the changes to the Intrusion policy have been made.
Layers in intrusion and network analysis policies work in essentially the same way. You can create and edit
either policy type without consciously using layers. You can modify your policy configurations and, if you
have not added user layers to your policy, the system automatically includes your changes in a single
configurable layer that is initially named My Changes. You can also add up to 200 layers where you can
configure any combination of settings. You can copy, merge, move, and delete user layers and, most
important, share individual user layers with other policies of the same type.
Task 8: Getting Custom intrusion policy from TALOS for IXIA BreakingPoint
Strike List
Step 29 If you are asked to test with IXIA BreakingPoint Strike List, you need to fill this form (link below)
and follow the steps on Page 2 to request a custom TALOS Intrusion policy.
TALOS Coverage Request Form:
https://docs.cisco.com/share/s/x2vpFeAjTvOkUy5B3kVjlw
a.
Note: Do not turn on Maximum Detection or all signatures. That is strictly not recommended by TALOS. There is a
lead-time of 3-5 weeks so submit the request much in advance.
Step 30 You will receive a .sfo file containing the custom Intrusion policy from TALOS which you then
need to import into your FMC.
Note: The FMC and managed device version information is very important for this to work.
Step 31 Once imported into FMC, you need to continue to follow the next task to associate the Intrusion
policy to the Access Control Policy and proceed further.
Step 39 You can go to Table View of Events to get more details about the events.
Demonstration Objectives
The objective of this demonstration the AMP capabilities with a focus on how the product integrates with
AMP Threat Grid. This will probably use the AMP Threat Grid public cloud, but information about the
private clouds in included.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be :routed or transparent
• NGIPS: Interface mode may inline, inline tap or passive
If inline tap or passive is used, you must skip the demonstration of blocking
• An endpoint with any standard browser to serve as a client
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Verify AMP Threat Grid connectivity
Task 2: Create a file policy
Task 3: Associate the file policy to an access control policy
Task 4: Test the file policy
Task 5: Explore events, network file trajectory and dynamic analysis summary
Tasks
Task 1: Verify AMP Threat Grid connectivity
Step 1 Navigate to AMP AMP Management. Edit the default cloud connection or click Add AMP Cloud
Connection. If you wish to add a Private Cloud. Make sure the state is enabled once you are
connected.
Step 2 Navigate to AMP Dynamic Analysis Connections. Verify the connectivity to the AMP Threat
Grid cloud. For Threat Grid Sanboxing to work, the managed device itself needs connectivity to
the Threat Grid Public/Private Cloud.
Note: This file policy is designed for demonstrating features such as archive inspection. But for a production
environment, you would probably not want to store so many files types.
Step 7 In the Inspection tab the appropriate allow rules, select the POV file policy just created. .
Note: If your only allow run is the default rule, you will need to create an allow rule. You cannot associate a file
policy with the default rule.
Task 5: Explore events, network file trajectory and dynamic analysis summary
Step 14 Navigate to Analysis Files File Events. Notice the different types of files that were detected
and their Disposition.
Step 15 You can View the Table View of File Events to get more details on the Events
Step 16 You can see a red circle icon near the SHA256 column which means that file was detected as
Malware and you might even see a Threat Score for some files if they were run in the Sandbox
environment (usually this takes about 5-7mins)
Step 17 Clicking on the red circle will take you to the Network File Trajectory of the File.
Demonstration Objectives
The objective of this demonstration is to demonstrate the rate limiting feature available on The Cisco
Firepower NGFW. There are several options that can be discussed and tested. In this demonstration will
focus on application based rate limiting.
Demonstration Requirements
• FMC
• NGFW in routed mode only
• An endpoint with any standard browser to serve as a client
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Baseline transfer rate
Task 2: Configure rate limiting
Task 3: Test rate limiting
Tasks
Task 1: Baseline transfer rate
Step 1 From the endpoint, in the browser.
a. Download the media file. Confirm that it is downloading at more than 1 Mbps, so the
download should take under one second. Here is a test file you could use -
http://pov.developmentserver.com/files/test2.mov
b. Download the office document. Confirm that it is downloading at more than 1 Mbps, so
the download should take under one second. Here is a test file you could use -
http://pov.developmentserver.com/files/ProjectX.doc
If you have AMP for Networks on the sensor, you may have to run this twice to obtain a multi-
MBps transfer rate, as AMP may be slowing down the first download.
Note: If you have a Linux or Cygwin environment, it is probably better to use Wget to perform this demonstration.
Wget displays byte rate instead of bit rate. All that is important for this demonstration to work is to make
sure we are receiving data at over 1 Megabyte per second = 8 Megabits per second.
c. Click Save.
Step 4 Wait a few seconds for the policy to open up for editing.
Step 5 Click Add Rule.
a. For Name, enter Multimedia.
b. Select Interfaces in Destination Interface Objects from the Apply QoS On drip-down list.
c. For Download/Upload Limit, enter 1, meaning 1 Megabit per second.
d. The Interface Objects tab should be selected. Select InZone and click Add to Source.
e. Select OutZone, and click Add to Destination.
Note: There are two types of interface objects: security zones and interface groups. The key difference is that
interface groups can overlap. Either can be used in QoS policies.
Demonstration Objectives
The objective of this demonstration is to showcase the true client IP feature in Firepower 6.1.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent
• NGIPS: Interface mode may inline, inline tap or passive.
If inline tap or passive is used, you will not be able to block the traffic.
• An endpoint with any standard browser to serve as a client. The browser must have a plug-in that
allows modification of the XFF headers. See https://addons.mozilla.org/en-us/firefox/addon/x-
forwarded-for-header. Note that this add-on is incompatible with Firefox 48. You should also install
LiveHTTPHeaders, so you can inspect the HTTP request header to confirm that that XFF header is
correct.
Note: If the customer has a proxy server with XFF header forwarding enabled, you can modify this exercise to
make a more convincing demonstration. However, note that for this demonstration to work, you need two
distinct client IPs.
Tasks
Task 1: Modify the access control policy
Note that it is assumed that you already have an access control policy that allows the endpoint to browse
the Internet.
Step 1 In the FMC, edit the access control policy you are using.
Step 2 Select the HTTP Responses tab. Select System-Provided from the Block Response Page drop-
down list.
Step 3 Click Add Rule.
Step 5 Check the checkbox for the NGFW device, and click the Deploy Button.
Step 6 Click on the icon to the right of the Deploy link in the upper right-hand corner of the FMC. Wait
until the deployment is complete.
c. Observer that both the endpoint IP address and the spoofed client IP address.
Demonstration Objectives
This use case will demonstrate the effectiveness of correlation policies, which alerts on potential
indications of compromise from hosts. Here we are going to demonstrate how to trigger a correlation rule
when and intrusion event targets our Critical Network and the target host has a criticality of high or
medium.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be: routed or transparent.
• NGIPS: Interface mode may inline, inline tap or passive.
If inline tap or passive is used, you must skip the demonstration of application blocking.
• An endpoint with any standard browser to serve as a client
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Verify Host Discovery and modify Host Attribute
Task 2: Configure correlation rules
Task 3: Create a correlation policy
Task 4: Modify the IPS and the access control policy
Task 5: Test the correlation policy
Tasks
Task 1: Modify the Host Attribute in Host Profile
Step 1 Make sure you enable Host Discovery in Network Discovery Policy and Hosts have been learnt
for this use case.
Step 8 Click Add Rules, and select Critical Host under Ungrouped Rules.
Step 16 Navigate to Analysis Correlation Correlation Events. Confirm that a correlation event was
created.
Demonstration Objectives
You will configure the FMC to tell ISE to quarantine any endpoint that has encountered malware, it will tell
ISE to quarantine the endpoint. Once the endpoint is quarantined, it will only have access to one
specified web server (which is simulating a remediation server).
The specific objectives of this demonstration are the following:
• Integrate ISE with FMC
• Configure Firepower to use the Cisco Identity Services Engine (ISE) for passive authentication.
• Demonstrate that SGTs create on ISE are immediately available on the FMC for policy configuration.
• Configure the access control policy based on ISE metadata
• Deploy the ISE remediation module in an FMC Correlation Policy
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be routed or transparent.
• NGIPS: Interface mode may inline, inline tap or passive.
• An endpoint with any standard browser to serve as a client
• ISE 1.3, 2.0 or 2.1. ISE much be managing an 802.1x capable switch that the endpoint is connected
to.
Note: Instead of 802.1x infrastructure, you can use a RADIUS simulator to simulate a switch. You can find a
RADIUS simulator at http://pov.developmentserver.com/files.
• A certificate singed by an authority trusted by ISE. This must be produced using the correct
template. See https://communities.cisco.com/docs/DOC-68292 for details.
• A realm associated with AD server, configured on the FMC. See Use Case 4.
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Configure custom detection list
Task 2: Configure ISE integration
Task 3: Utilize ISE metadata the access control policy
Task 4: Configure the access control policy to use ISE integration
Task 5: Create a correlation policy using the ISE remediation module
Task 6: Test the ISE remediation module
f. Click Save.
Note: You can refer to this to generate pxgrid client certificate using openssl:
https://communities.cisco.com/docs/DOC-68287.
f. Click Test. If the connection fails click Test again. In any case, click on Additional Logs
to see details
e. In the Available Attributes column, select Device Type. Confirm that the Available
Metadata column auto-populates.
f. In the Available Attributes column, select Location IP. Confirm that the Available
Metadata column auto-populates.
Step 6 In the Firefox browser you have been using to manage the FMC, open another tab and click on
the ISE bookmark on the bookmark toolbar.
a. Login to IS
b. Navigate the Administration pxGrid Services. Notice that in the list of clients, there are
two entries related to FMC.
d. Note the 6 capabilities, or topics of information, that the FMC is subscribed to. These
include the 3 capabilities already available in 6.0:
• EndpointProfileMetaData – contains the ISE device information
• SessionDirectory – defines the ISE session attributes
• TrustSecMetaData – defines the Security Group Tag (SGT) information
The other capabilities are related to the remediation capabilities covered later in this lab.
Step 7 Since the FMC is subscribed to the pxGrid capabilities, changes to ISE session attributes should
be synchronously communicated to the FMC. In this step this will be confirmed.
a. In ISE, navigate to Work Centers TrustSec Components.
b. Click Add. For Name, enter 0TestTag. Click Submit.
c. In the FMC, you were editing a rule. In the Available Attributes column, switch from
Location IP back to Security Group Tag. Note that the SGT 0TestTag is now available.
d. In the FMC, navigate to System Monitoring Syslog.
e. Search for pxgrid. This can be useful for troubleshooting ISE integration issues.
Note: If you need to troubleshoot ISE communication issues, in the FMC, navigate to System Monitoring
Syslog, Search for pxgird in the syslog messages.
Step 8 Keep the Add Rule window open, and go on to the next task.
b. At the bottom of the Edit Instance page, select Mitigate Source from the Add a new
remediation of type drop-down list. Click Add.
d. Back in the Correlation Policy Information page, click the responses icon to the right of
the rule that was just added.
f. Confirm that your Correlation Policy information matches what is in the following picture.
Click Save.
Step 19 On one endpoint you are using for testing, log is as a member of the AD group that you will block
from using SSH.
a. Confirm that you can surf the web.
b. Confirm that you can connect to SSH to pov.developmentserver.com using SSH to port
9922. You do not need to log in.
Step 20 Deploy the access control policy.
Step 21 Return to the endpoint you are using for testing.
a. Confirm that you can still surf the web.
b. Confirm that you can no longer use SSH, even to port 9922.
Step 23 In FMC syslogs, search on pxgrid and notice the Quarantine Remediation was sent to ISE.
Step 24 Next time the user tries to In ISE, navigate to Operations RADIUS Livelog. You should see the
users new SGT Tag is Quarantine_Systems. This was configured on ISE.
Step 25 Wait a minute. In the FMC, navigate to Analysis Users User Activity. You should see that
the Quarantined_Systems SGT is now assigned to the end-user.
Step 26 Back on the endpoint used for testing, confirm that the only website you can browse to is
http://www.developmentserver.com.
Demonstration Objectives
The objective of this demonstration is to perform either or the following (or both).
• Firepower Safe Search feature
• Firepower YouTube EDU feature
These features can be independently demonstrated, but since there configurations are closely related, we
include both in this use case
Demonstration Requirements
• FTD
• NGFW, NGIPS or ASA with Firepower Services
• NGFW: Firewall mode may be :routed or transparent
• NGIPS: Interface mode must be inline (not tap).
• An endpoint with any standard browser to serve as a client
• For the YouTube EDU feature, a valid YouTube EDU account
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Configure an SSL decryption
Task 2: Modify the access control policy
Tash 3: Deploy access control policy
Task 4: Test the configuration
Step 3 Install the certificate into the browser you will be using for your testing.
Step 4 Navigate to Policies Access Control SSL.
Step 5 Click the text Add a new policy or click the New Policy button.
a. For Name, enter Demo SSL Policy.
b. Leave the default action to Do not decrypt.
c. Click Save. Wait a few seconds, and the policy will open for editing.
Step 6 Click Add Rule.
a. For Name, enter Search Engines and YouTube.
b. Set Action to Decrypt – Resign.
c. Select the only CA available from the drop-down list to the right of the word with.
e. Important: uncheck the search engine checkbox before you proceed to the next sub-step.
f. Still in the Applications tab, under Available Applications, search for You. You will see
YouTube and Youtube Upload. Select these two applications, and click Add to Rule.
g. Select the Logging tab, and check the Log at End of Connection checkbox.
h. Click Add to add this rule to the SSL policy.
Step 7 Click Save to save the SSL policy.
ii. Check the Enable Safe Search checkbox. Select Block with reset from the
Action for non supported engines drop-down list
Click OK.
e. Select Logging tab. Check the Log at Beginning of Connection and Log at End of
Connection checkboxes.
f. Click Save to add the rule to the policy.
Step 10 Click Add Rule.
a. Call the rule YouTube EDU.
b. Leave the action set to Allow.
c. Select Applications tab.
i. In the upper-right corner of the rule editing page, click the YouTube EDU icon
ii. Check the Enable YouTube EDU checkbox. Enter the Custom ID. Click OK.
d. Select Logging tab. Check the Log at Beginning of Connection and Log at End of
Connection checkboxes.
e. Click Save to add the rule to the policy.
Note: The order of rules is critical. Since YouTube is a supported safe search, it will match the Safe Search rule, if
that rule is first. That would mean it would not match the YouTube EDU rule.
Step 14 Check the checkbox for the NGFW device, and click the Deploy Button.
Step 15 Click on the icon to the right of the Deploy link in the upper right-hand corner of the FMC. Wait
until the deployment is complete.
Note: If you want to see how the URIs are being re-written to support Safe Search and YouTube EDU, you can run
the following command on the NGFW CLI.
system support firewall-httpmod-debug
When prompted for the client IP, enter the client IP of your endpoint. You can leave the other choices alone.
Step 16 On your test endpoint, test the Safe Search feature using the following sub-steps.
a. Navigate to https://www.google.com.
b. Click on the lock icon, and confirm that the certificate was issued by the CA you created,
so SSL decryption is taking place.
c. Click the Settings button in the lower right of the web page, and select Search settings.
d. Confirm that Safe Search is disabled by looking at the search settings.
e. Click the back button in the browser.
f. Perform a search, for example using the word test.
g. Note that in the upper right of the Google web page, it says that safe search is on, or that
explicit content is being filtered.
h. Navigate to http://aol.com. You should see the default Firepower block page.
Step 17 On your test endpoint, test the YouTube EDU feature using the following sub-steps.
a. Navigate to https://www.youtube.com.
c. You should see the YouTube, Google and AOL Notice that the Action is always Allow,
even for AOL.
d. Click on the Table View of Connection Events in the upper left-hand corner. This will
provide details about each connection event.
Demonstration Objectives
The objective of this demonstration is to show FMC analytics for contextual and network visibility, auto-
correlation for IOCs and Impact Level generation.
This demonstration will use Cisco dCloud.
Demonstration Requirements
• This demonstration requires access to, and familiarity with Cisco dCloud.
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Utilize the Content Explorer
Task 2: Explore Indication of Compromise and Host Network Map
Task 3: Explore application protocol information
Task 4: Explore Security Intelligence
Task 5: Explore intrusion information and impact levels
Task 6: Explore file, geolocation and URL information
Tasks
Task 1: Utilize the Content Explorer
Step 1 Navigate to Analysis Context Explorer.
Note: You use the Context Explorer to investigate a predefined set of recent data in granular detail and clear
context: for example, if you notice that only 15% of hosts on your network use Linux, but account for almost
all YouTube traffic, you can quickly apply filters to view data only for Linux hosts, only for YouTube-
associated application data, or both.
Step 2 Notice you can configure the Context Explorer time range to reflect a period as short as the last
hour (the default) or as long as the last year.
Step 3 You have the option to filter that data for a more granular contextual picture of activity on your
network. Filters encompass all types of Firepower System data except URL information, support
exclusion as well as inclusion, can be applied quickly by clicking on Context Explorer graph data
points, and affect the entire explorer. You can apply up to 20 filters at a time.
a.
Note: The system auto-correlates data from multiple sources to determine a host’s compromised status, including
intrusion events, Security Intelligence, and Cisco Advanced Malware Protection (AMP).
Step 5 Left click on it and View Host Information. Notice it opens up the Host Profile.
Step 7 At the same time, open in another tab – Analysis Hosts Network Map. Talk about how the
topology was passively learnt by due to turning on Network Discovery.
Step 10 You can pick an application and Drill into Analysis which would open the Analysis Hosts
Applications
Step 11 You can further view the Table View of Applications and even get more details on which User or
IP Address is using that particular application.
address.
Step 14 Notice with our new IP and Geolocation Lookup feature in 6.1 you can also get “Whois”
information about that Ip Address.
Step 16 Notice the Intrusion Events by Impact. The impact level in this field indicates the correlation
between intrusion data, network discovery data, and vulnerability information.
Step 17 Here is a description on what those Impact Levels mean and how the security admin can
prioritize his
incidents
Step 19 The geolocation information section of the Context Explorer contains three interactive donut
graphs that display an overall picture of countries with which hosts on your monitored network are
exchanging data: unique connections by initiator or responder country, intrusion events by source
or destination country, and file events by sending or receiving country. You can go to eicar.org
and try to download some test malware files.
Step 20 The URL Information section of the Context Explorer contains three interactive bar graphs that
display an overall picture of URLs with which hosts on your monitored network are exchanging
data: traffic and unique connections associated with URLs, sorted by individual URL, URL
category, and URL reputation. You cannot filter on URL information.
Demonstration Objectives
In this demonstration you will custom dashboards and standard or risk reports for executive visibility.
This demonstration will use Cisco dCloud.
Demonstration Requirements
• This demonstration requires access to, and familiarity with Cisco dCloud.
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Create a custom dashboard
Task 2: Convert the custom dashboard to a report template
Task 3: Explore other reporting templates
Task 4: Generate a risk report
Tasks
Task 1: Create a custom dashboard
Step 1 Navigate to Overview Dashboards Management.
Step 2 Copy one of the existing dashboards.
Step 3 Once you have that, you can add and delete tabs, add and delete widgets. The Custom Analysis
widget is very powerful. And you can create most of the statistical data widgets by modifying the
fields. You can also leverage Custom Tables if you have created any.
Step 6 You can click on that and then save it as a report template, Generate a Report, Include cover
page, logo, header and footer from Advanced Settings and create a Custom Report.
Step 11 For the Standard Reports, you can generate a report, copy and customize, even Export and
Import into another FMC.
Demonstration Objectives
This use case will demonstrate configure site to site VPN between one NGFW and another NGFW/ASA
using Firepower Management Center. A VPN deployment specifies the endpoints and networks that are
included in a VPN and how they connect to each other. The system supports three types of VPN
deployments:
• Point-to-Point VPN Deployments
• Hub and Spoke VPN Deployments
• Full Mesh VPN Deployments
For this use case, we will be using the Point-to-Point topology. For more information on VPN
Deployments please refer to -
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-
v61/fpmc-config-guide-v61_chapter_01110010.html
Demonstration Requirements
• FMC
• NGFW to NGFW, or NGFW to ASA
• NGFW: Firewall mode may be: routed or transparent
• An endpoint with any standard browser to serve as a client
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Spin up another NGFW or ASA
Task 2: Configure site-to-site VPN on the NGFW
Task 3: Create NAT exemption
Task 4: Modify the access control policy and deploy changes
Task 5: Test site to site VPN
Tasks
Task 1: Spin up another NGFW or ASA
Step 1 Follow the installation and upgrade guides/instructions and spin up another external device.
Note: Each topology mentioned above can have external devices, which are Cisco or Non-Cisco. For details on
NGFW VPN Deployments -
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-
v61/fpmc-config-guide-v61_chapter_01110011.pdf.
checked.
Step 5 Add Node A and Node B based on your Endpoints. You might want to create objects to define
Protected Networks.
Note: The Automatic setting can only be used if the FMC is managing both endpoints. In this case, the FMC can
generate and distribute a random shared key.
c. Under IKEv2 Settings, for Key, enter cisco123, and confirm the entry.
d. Select the Advanced tab, and check the Do not proxy ARP on Destination Interface
checkbox.
Demonstration Objectives
This use case will demonstrate the all new RESTful configuration API for Firepower Management Center.
The REST API is an application programming interface (API), based on “RESTful” principles, which you
can quickly enable on any Firepower device and use with any REST client, or programming language.
Through the REST client or software, you can contact the specific Firepower device's REST agent and
use standard HTTP methods to access current configuration information, and issue additional
configuration parameters.
Demonstration Requirements
• FMC
• NGFW, NGIPS or ASA with Firepower Services
• An endpoint with any standard browser to serve as a client
• Postman software client available https://www.getpostman.com
• Client machine running python 2.7 or later
Demonstration Outline
This demonstration consists of the following tasks.
Task 1: Enabling REST API in FMC
Task 2: Explore API using onboard API Explorer
Task 3: Execute API commands and Write configuration using Third Party clients (Postman)
Task 4: Completely automate Firepower Configuration with software scripts
Tasks
Task 1: Enabling REST API in FMC
Step 1 Login to FMC and navigate to System Configuration REST API preferences
Note: REST API configuration is only available in Firepower Management Center v6.1 or greater
Step 2 Select the checkbox to Enable REST API and press Save
Note: Using same credentials as FMC admin will disconnect any other users logged in with that account. It is
recommended to create a unique user for API related tasks.
Note: Any test GET request can be made from any category to get a better understanding of the JSON format for
said command when writing data (POST). Showcase this as a way to help in preparing to create custom
scripts
Task 3: Execute API commands and Write configuration using Third Party clients
(Postman)
Step 10 Open Postman and select POST method in the center pane
https://[IP/Hostname of FMC]:[port]/api/fmc_platform/v1/auth/generatetoken
Step 12 Select the Authorization tab and choose Basic Auth from the dropdown
Step 13 Enter your API user credentials and press Update Request
Step 15 In the response pane navigate to the Headers tab and locate the “X-auth-access-token”
Note: This generated token will need to be used as a header in every subsequent request made to the API
Step 16 Return to the request Headers tab and add the token to the new request
Step 17 Change the URL to reflect desired object to modify (in this case access policies)
Step 18 Switch to the Body section and chose Raw format to enter the JSON Data for the request
Step 19 Press Send to complete the request and take note of the response data/code
Note: REST API will use traditional HTTP error/response codes to indicate successful or failed requests
Note: For this example, we will be using Python scripting to create a network object, the logic and process outlined
here can be adapted to any scripting/software language
Step 20 To begin our python script must contain three sections to successfully run
a. Authentication sequence to generate and request a token
b. HTTP POST URL and data in JSON format
c. Make request and read response
Step 21 Sample script below shows steps to complete authentication sequence
Step 23 Sample script below makes HTTP request and reads response
Step 24 Run python script, output response should read a status code 201, Post was successful…
Note: For help writing scripts you can start with generated scripts made from the API explorer window at the
bottom of the console pane