
Cisco dCloud

Cisco Firepower Next-Generation Firewall 6.5 Features


Lab v1.0 dCloud: The Cisco Demo Cloud

Last Updated: 13-DECEMBER-2019

IMPORTANT! This content is community developed and is not subject to standard dCloud verification or support. Please contact
dCloud Support for more information.

About This Guide


This guide for the preconfigured demonstration includes:

• Requirements

• About the 6.5 Release and this Lab

• Scenario Dependencies

• Topology

• Get Started

• Scenario 1. FMC User Interface Enhancements

• Scenario 2. Firepower User Agent to ISE Migration

• Scenario 3. Destination SGTs

• Scenario 4. SLA Monitor for FDM

• Scenario 5. LDAP Attribute Maps for RA VPN

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Required: Laptop
Optional: Cisco AnyConnect®

About the 6.5 Release and this Lab


The purpose of this lab is to cover new features provided by the 6.5 release. Because of limitations in the pods and time constraints,
only selected features were included.

Other new features, such as configuration backup and restore, can be performed, but were left out of the lab for practical purposes.
The lab pods provide an FTD (NGFW3) that is not used in the scenarios, so students may try configuring and testing features not
covered in the lab without fear of interfering with the lab Scenarios.

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 23


Scenario Dependencies
Scenario 2, Sourcefire User Agent to ISE Migration, must be performed before Scenario 3, Destination SGTs. However, you may
omit the section Test passive authentication. Other than that, there are no scenario dependencies.

Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active dCloud session and
in the scenario steps that require their use.

NOTE: For simplicity, not all IP addresses and VLANs are shown.

Figure 1. Lab Topology

Credentials
Login credentials are provided inline in the guide steps as needed. However, for your convenience, the following table lists the
credentials used in these scenarios.

Table 2. Device Login Credentials

VM                        Login          Password
FMC                       admin          C1sco12345
All NGFWs                 admin          C1sco12345
All Windows Workstations  Administrator  C1sco12345
Splunk                    admin          C1sco12345
ISE and ISE PIC           admin          C1sco12345
Inside Linux Server       root           C1sco12345
Outside Linux Server      root           C1sco12345
CSR                       admin          C1sco12345

There are also several users that have been created for purposes of passive authentication and RBAC.

Table 3. User Credentials

Login     Password    Details
dilbert   C1sco12345  Active Directory user in Engineering group
harry     C1sco12345  Active Directory user in HR group
ira       C1sco12345  Active Directory user in Finance and Investment groups
rita      C1sco12345  Active Directory user in IT group
alicia    C1sco12345  ISE local user, FDM Admin user
oliver    C1sco12345  ISE local user, FDM Read Only user
victoria  C1sco12345  ISE local user, VPN user
william   C1sco12345  ISE local user, FDM Read Write user

Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. It is assumed in this guide that you are connecting to all devices from the Jumpbox RDP session, using the provided details.

NOTE: You can also connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on your
laptop [Show Me How].

Jumpbox: 198.18.133.50, Username: administrator, Password: C1sco12345


Scenario 1. FMC User Interface Enhancements


There are several FMC User Interface Enhancements introduced in the 6.5 release.
The objectives of this scenario are:

• Enable the Light Theme for the FMC UI.

• Utilize the access control policy rule filter

• Utilize the new FMC SSH CLI.

In addition to these enhancements, the student is invited to examine the improved How-To functionality.

NOTE: Chrome loads pages faster than Firefox (particularly for the FMC). However, Chrome will generate more security warnings
and will not cache credentials for NGFW2 and NGFW3. Either or both browsers can be used.
In Chrome, the bookmarks were imported from Firefox, so they are in a subfolder on the bookmark bar, as shown below.

Choose between Chrome and Firefox based on your own preferences.

Enable the Light Theme for the FMC UI

1. On the Jumpbox, open Firefox. The homepage is the FMC UI and the credentials (login admin, password C1sco12345) will
auto-populate.

2. In the FMC, in the upper right corner, navigate to admin > User Preferences.

3. Select Light (experimental) from the UI Theme drop-down menu.


4. When presented with the Switch to Light Theme dialog box, select Use Light theme.

5. You will use the Light UI theme as you work through the remaining scenarios.

NOTE: If you find the new theme hard to use, you can, at any time, switch back to the classic theme. Just click admin in the upper
right of the FMC UI and select Switch to Classic Theme.

However, the instructions and screenshots in this guide are based on the Light Theme.

Utilize the access control policy rule filter

1. In the FMC, navigate to Policies > Access Control > Access Control. Edit the Base_Policy.

2. Enter 198.18.129.0 into the search box and hit Enter.

NOTE: Wildcards and name-value pairs are supported. Example: src:198.18.1*9.0

3. Observe that the rules using this network are highlighted.

NOTE: This feature was already available in 6.4.


4. Note the filter icon in the search box, which was added in 6.5. It converts a search into a filter. Click this icon.


5. Note that only two rules are now visible. You can click the icon again to go from filter back to search.

6. While you are in the policy edit page, you can observe one more added feature. The FMC can hide columns in the rules, if you
wish. Click the cog at the upper-right of the page, and deselect the columns you wish to hide.

Utilize the new FMC SSH CLI

In the 6.3 release, a custom FMC CLI was introduced, similar to the FTD CLI. However, the default CLI when you connected by SSH
to the FMC was a Linux BASH shell. The FMC CLI had to be enabled manually (FMC UI: System > Configuration > Console
Configuration > Enable CLI access). For this reason, familiarity with the FMC CLI was limited. In 6.5, the FMC CLI has become
the default CLI for the FMC.

1. On the Jumpbox open the predefined PuTTY session to the FMC.

2. Log in as admin, password C1sco12345. Note that you are presented with a > prompt. In 6.4 you would have had a shell prompt, $.

3. Type ?. Note that, like the FTD, a BASH shell is available by typing expert.

4. Drill down by typing the following.

a. configure ?. Note that you can change the Linux BASH shell password, the user agent password and the maximum
number of concurrent logins to the FMC.


b. show ?. The version and the maximum number of concurrent logins to the FMC can be displayed.

c. system ?. You can shut down or reboot the device, generate troubleshooting files, or lock down (disable)
Linux BASH shell access. Shell access is potentially dangerous and should only be used in conjunction with Cisco
support. Be aware that re-enabling the BASH shell requires contacting Cisco support.


Scenario 2. Firepower User Agent to ISE Migration


The Cisco Firepower User Agent is being phased out. The EOL announcement is here:

• https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/product-bulletin-c25-742894.html

As a result, customers must migrate to ISE or ISE-PIC. For customers that only require passive authentication, ISE-PIC is
sufficient. However, for the SXP service used in Scenario 3, Destination SGTs, ISE is required. From the FMC configuration
perspective, ISE and ISE-PIC integration are identical.

ISE has many mechanisms to create IP-to-user mappings. In the pods, ISE is configured to receive IP-to-user mappings from two
sources.

• The security audit log on the AD server

• 802.1x

Because working with domain members is more time consuming, 802.1x is used in this scenario. ISE treats the Jumpbox as
a switch because a RADIUS simulator running on the Jumpbox sends 802.1x login and logoff messages to ISE.

Perform migration

1. In the FMC UI, click on the cog in the upper right and, under Configuration, select Integration.

2. Select Identity Sources. Observe that the identity source is now the Cisco Firepower User Agent. Also, notice the warning
about deprecation of this agent.

3. Select the Identity Services Engine tab. There is no need to delete the user agent configuration.

a. For Primary Host Name/IP Address, enter ise.dcloud.local.

b. For pxGrid Server CA, click the plus (+). Enter the name dCloud-CA. Click Browse. Navigate to the Certificates
folder on the Jumpbox desktop. Open the certificate called dCloud-CA. Click Save.


c. For MNT Server CA, select dCloud-CA.

d. For FMC Server Certificate, click the plus (+). Enter the name FMC-pxGrid. For Certificate Data click Browse.
Open the certificate called FMC-pxGrid. For Key Data click Browse. Open the key called FMC-pxGrid.key. Click
Save.

e. Under Subscribe To:, leave the setting as is. You will enable the SXP topic in the next lab.

4. Click Test. In the Status pop-up, open Additional Logs. Quickly review the output.

5. This can be critical for troubleshooting. Click OK.

6. Click Save and note the Warning. Click Yes.


Test passive authentication

1. On the Jumpbox desktop, open the folder RADIUS Simulator. Click StartSessions, TerminateSessions and then
StartSessions again. This will generate 802.1x log in and log out events to ISE. ISE will pass the information to the FMC.

2. In the FMC UI, navigate to Analysis > Users > User Activity. You should see login and logoff activity for dilbert, rita, ira
and harry.

3. On the Jumpbox desktop, open the folder Remote Desktop. Click on the icon named Wkst1.

4. There is an access control policy rule to block members of the HR group from using SSH. You will now test that rule.

a. On the Wkst1 desktop, open the folder Users. Open the folder called NGFW1 is your gateway. The scripts change
the IP of the primary NIC on Wkst1. This allows you to simulate different users.

b. Double-click Dilbert (Engineering). Dilbert should be allowed to use SSH. Confirm this by opening PuTTY and
clicking on any of the outside predefined sessions; the FTD will detect SSH on any port. You do not need to log in,
but you can as root, password C1sco12345, if you wish.

c. Double-click Harry (HR). Harry should not be allowed to use SSH. Confirm this by opening PuTTY and clicking on
any of the outside predefined sessions. The FTD will detect SSH on any port. The connection should be reset.

Enable ISE connection status monitoring

Since ISE is now critical, you should enable ISE status monitoring on the FMC. This module is disabled by default.

1. In the FMC UI, click on the cog in the upper right and, under Health, select Policy.


2. Edit the initial health policy.


3. For ISE Connection Status Monitor, change Enabled from Off to On. Click Save Policy and Exit.

4. Click the green check to apply the modified health policy.

5. Check all three devices. Click Apply.


Scenario 3. Destination SGTs


Before 6.5, source SGTs were available for access control policy rules, but destination SGTs were not. This limitation was
removed in 6.5.

The objectives of this scenario are the following.

• Configure ISE to publish IP-to-SGT mappings via SXP.

• Configure the FMC to receive the IP-to-SGT mappings from ISE.

• Create an access control policy rule that utilizes destination SGTs.

• Test the destination SGT feature.

Publish static IP-to-SGT mappings via SXP

1. On the Jumpbox, open the predefined PuTTY session to the ISE. Log in as admin, password C1sco12345. Type show
application status ise. Confirm that the SXP Engine Service is disabled.

NOTE: This is a useful command to monitor and troubleshoot the SXP service on ISE. By the end of this exercise, it should be
running.

2. Open a new tab in Firefox. Click the ISE bookmark from the bookmarks bar. The credentials (admin/C1sco12345) will be
prepopulated. Log into ISE.

3. Navigate to Work Centers > TrustSec > Components and select IP SGT Static Mapping. The IP address 198.18.133.201
will be used in this scenario as the destination; 198.19.10.201 will be used as a source. You can add more tags and static
mappings, if you wish.


4. Navigate to Work Centers > TrustSec > SXP and select All SXP Mapping. Note that the static mappings have not been
published via SXP.

5. Navigate to Work Centers > TrustSec > Settings. Select SXP Settings. Check the Publish SXP bindings on PxGrid
checkbox. Click Save.

6. When warned about the SXP service restarting, click Yes. You can monitor the restart on the ISE CLI if you wish.

7. One requirement for publishing with SXP is the existence of an SXP device. But such a device requires a PSN that is running
an SXP service. This is a stand-alone ISE deployment, so ISE is the PSN.

a. Navigate to Administration > System > Deployment.

b. Select and edit ise.

c. Under Policy Service, check the Enable SXP Service.


d. Click Save.

8. Now you will create an SXP device. The device does not exist, but at least one SXP device must be configured.

NOTE: The need for an SXP device configuration to publish IP-to-SGT mappings is a known ISE defect, CSCvg26624.

a. Navigate to Work Centers > TrustSec > SXP and select SXP Devices.

b. Click + Add.

c. For name enter Dummy. For IP enter 1.1.1.1. For Connected PSNs, select ise. Set Password Type to NONE.

d. Click Save.

9. If the status of the SXP device is UNKNOWN, wait until it changes to OFF.

NOTE: This is usually fast, but occasionally it can take a few minutes. If you are concerned about time, jump ahead and perform
Scenario 4, SLA Monitor for FDM. Then return and complete this scenario.

10. Navigate to All SXP Mapping. Note that the static mappings have been published via SXP.


Enable SXP on the FMC

1. In the FMC UI, click on the cog in the upper right and select Integration. Select Identity Sources.

2. Under Subscribe To:, check the SXP Topic checkbox.

3. Click Test. In the Status pop-up, open Additional Logs. Observe that the bulk download of IP-to-SGT mapping succeeded.

4. Click OK. Click Save.

Create an access control rule to test destination SGTs

1. Navigate to Policies > Access Control > Access Control.

2. Edit the Base_Policy.

3. Add a rule named Block Contractors, above the first rule, to block with reset any traffic from IP addresses with SGT
Contractors to IP addresses with SGT Development_Servers. Enable logging for this rule.

4. Save the access control policy changes.

Deploy and test the new configuration

1. Deploy the configuration and wait for the deployment to complete.

2. On the Jumpbox, if it is not already open, open the predefined PuTTY session to the Inside Linux Server. Log in as root,
password C1sco12345. We will use wget to make HTTP requests; it is similar to cURL. Run the following three wget commands.
You can use the up-arrow to avoid retyping anything but the last character.

   wget --bind-address=198.19.10.201 198.18.133.200
   wget --bind-address=198.19.10.201 198.18.133.201
   wget --bind-address=198.19.10.201 198.18.133.202

The first and last commands should succeed, but the second command should fail.


3. You will now add a new IP SGT static mapping on ISE. It should immediately propagate to the FMC and take effect on
NGFW1.

a. Navigate to Work Centers > TrustSec > Components and select IP SGT Static Mapping. Click Add.

4. Enter the following information and click Save.

5. Navigate to Work Centers > TrustSec > SXP and select All SXP Mapping. Confirm that the new static mapping has been
published via SXP.

6. Rerun the three wget commands you ran before.

   wget --bind-address=198.19.10.201 198.18.133.200
   wget --bind-address=198.19.10.201 198.18.133.201
   wget --bind-address=198.19.10.201 198.18.133.202

Now the first command should succeed, but the last two commands should fail.

7. In the FMC, navigate to Analysis > Connections > Events. Click on Table View of Connection Events. Scroll to the right.
Observe that source and destination SGTs are included in the default view.
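To make the two wget runs in this scenario repeatable, here is an added Python check (not part of the guide) that encodes the expected allow/block result of each run and probes every destination with a TCP connection bound to the source address 198.19.10.201, the socket-level equivalent of wget --bind-address. It assumes the web servers listen on port 80 and that the block-with-reset rule shows up as a refused or reset connection; a server that is simply not listening looks the same, so run it once before the policy change to establish a baseline. The probe function is injectable so the expectation logic can be exercised without the lab network.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Expected results copied from the guide's two test runs (source 198.19.10.201).
SOURCE_IP = "198.19.10.201"
BEFORE_NEW_MAPPING: Dict[str, str] = {
    "198.18.133.200": "allowed",
    "198.18.133.201": "blocked",   # Development_Servers, hit by Block Contractors
    "198.18.133.202": "allowed",
}
AFTER_NEW_MAPPING: Dict[str, str] = {
    "198.18.133.200": "allowed",
    "198.18.133.201": "blocked",
    "198.18.133.202": "blocked",   # newly tagged via the added static mapping
}


def tcp_probe(dst_ip: str, src_ip: str = SOURCE_IP, port: int = 80,
              timeout: float = 3.0) -> str:
    """Open a TCP connection from src_ip to dst_ip:port, like wget --bind-address.

    Returns "allowed" when the handshake completes, "blocked" when the peer
    resets or refuses it (the lab rule is block-with-reset, so the FTD answers
    the SYN with a RST), "timeout" when nothing comes back (a silent drop or
    a routing problem), and "error" for anything else, e.g. src_ip is not
    configured on this host.
    """
    try:
        with socket.create_connection((dst_ip, port), timeout=timeout,
                                      source_address=(src_ip, 0)):
            return "allowed"
    except (ConnectionResetError, ConnectionRefusedError):
        return "blocked"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def check_matrix(expected: Dict[str, str],
                 probe: Callable[[str], str] = tcp_probe) -> List[Tuple[str, str, str]]:
    """Probe each destination; return (dst, expected, observed) for every mismatch."""
    mismatches = []
    for dst, want in expected.items():
        got = probe(dst)
        if got != want:
            mismatches.append((dst, want, got))
    return mismatches


def describe(mismatches: List[Tuple[str, str, str]]) -> str:
    """Human-readable verdict for the console."""
    if not mismatches:
        return "PASS: policy behaves as expected"
    return "\n".join(f"FAIL: {dst} expected {want}, observed {got}"
                     for dst, want, got in mismatches)


if __name__ == "__main__":
    import sys
    # Run without arguments before adding the mapping, with --after once it is published.
    phase = AFTER_NEW_MAPPING if "--after" in sys.argv else BEFORE_NEW_MAPPING
    print(describe(check_matrix(phase)))
```

Run it on the Inside Linux Server, where 198.19.10.201 is a local address; any result other than PASS names the destination whose behaviour differs from the guide, which is usually a sign that the SXP mapping has not reached NGFW1 yet.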


Scenario 4. SLA Monitor for FDM


With the Service Level Agreement (SLA) Monitor, or route tracking, you can track the health of a static route and automatically
replace a failed route with a new one. Prior to 6.5 this feature was available in the FMC, but not in the FDM. In 6.5, it was
added to the FDM.

The objective of this scenario is to configure route tracking with the FDM.

Test non-SLA behavior

1. On the Jumpbox, if it is not already open, open the predefined PuTTY session to the Inside Linux Server. Log in as root,
password C1sco12345.

a. Type the command netstat -rn. Note that traffic to the 1.2.3.0/24 network is directed to NGFW2 (192.19.10.2).

b. Start a ping to 1.2.3.4. It should succeed.

2. On the Jumpbox open the predefined PuTTY session to the CSR. Log in as admin, password C1sco12345.

a. Type the following commands.

   config t
   int g1
   shut

Observe that the pings from the Inside Linux server to 1.2.3.4 stop. Wait a few seconds; the ping does not resume.

b. On the CSR, type the command no shut. Observe that the pings from the Inside Linux server to 1.2.3.4 resume.

3. On the Jumpbox, open a new tab in Firefox, and click the NGFW2 (FDM) bookmark from the bookmarks bar. The credentials
(admin/C1sco12345) will be prepopulated. Log into NGFW2.

a. Under Routing, click View Configuration. Note that there are two routes to the 1.2.3.0/24 network. The lower cost
route uses 198.18.133.111 (GW123_1) as the next hop. This is the CSR.

b. Open the FDM console, and type show route. Observe that only this lower cost route has been inserted into the
RIB. Type show track. Observe that no route tracking is configured.

Configure an SLA on FDM

1. In the FDM, navigate to Objects > SLA Monitors. Click CREATE SLA MONITOR.

a. Enter any name, for example, SLA1.

b. For Monitor Address, select GW123_1.

c. For Target Interface, select Outside.

d. Change the Threshold and Timeout from 5000 to 1000.


e. Change the Frequency from 60000 to 2000.


f. Click OK.


2. In the FDM, return to the static routing configuration page.


a. Edit the route named Net123_1.
b. At the bottom of the Edit Static Route page, select your SLA object from the SLA Monitor drop-down list.

c. Click OK.

Deploy and test the configuration

1. Deploy the configuration and wait for the deployment to complete.

2. In the FDM console, run the following commands.

a. Type show route. Observe that the route to 1.2.3.0/24 is still 198.18.133.111.

b. Type show track. Observe that reachability is up.

3. On the CSR, type the command shut. Observe that the pings from the Inside Linux server to 1.2.3.4 are interrupted for a few
seconds, but then resume.

4. In the FDM console, run the following commands.

a. Type show route. Observe that the route to 1.2.3.0/24 is now via 198.18.133.200.

b. Type show track. Observe that reachability is down.

5. On the CSR, type the command no shut.

6. Wait a few seconds. In the FDM console, run the following commands.

a. Type show route. Observe that the route to 1.2.3.0/24 is now via 198.18.133.111.

b. Type show track. Observe that reachability is back up.


Scenario 5. LDAP Attribute Maps for RA VPN


LDAP attribute maps allow group policies to be assigned to RA VPN users based on LDAP attributes. For example, in this scenario,
you will use AD group membership to assign group policies. Currently, this feature is only available using the device API.

The objectives of this scenario are:

• Create an LDAP attribute map to give members of the IT group unlimited access to the Corporate LAN. All other AnyConnect
users will be restricted to the corporate webservers.

• Associate the LDAP attribute map with a realm.

• Confirm that group policy assignment depends on the AD group of the AnyConnect user.

Test RA VPN without an LDAP attribute map

1. In the Remote Desktops folder on the Jumpbox desktop, click on the Wkst2 (Outside PC) link. This will connect you via
RDP to a Windows server outside the NGFW2 firewall.

2. Open the AnyConnect client on the bottom right of the desktop. Connect to NGFW2. Log in as harry, password
C1sco12345. Harry is not a member of the IT group.

3. You will be presented with a banner that says you now have access to the corporate webservers. Click Accept.

4. Open Firefox. Using the three bookmarks on the bookmark tab, confirm that you can browse the three corporate webservers.

5. Open a command prompt. Ping the AD server at 198.19.10.100. It should fail.

6. In the FDM console, run the command show vpn-sessiondb anyconnect. Confirm that Harry has been assigned the group
policy WebserverGP.

7. On Wkst2, disconnect AnyConnect. Reconnect to NGFW2. Log in as rita, password C1sco12345. Rita is a member of the
IT group.

8. You will again be presented with a banner that says you now have access to the corporate webservers. Click Accept. Your
goal in this exercise is to give Rita unlimited access to the corporate network.

9. In the FDM console, run the command show vpn-sessiondb anyconnect again. Confirm that Rita has also been assigned
the group policy WebserverGP. The goal of this exercise is to give Rita a different group policy.

10. In the FDM console, run the command show running-config all aaa-server. Note that the second to the last line of output
indicates that there is no associated LDAP attribute map.

Inspect the existing RA VPN configuration on NGFW2 (optional)

1. In the FDM, under Remote Access VPN, click on View Configuration.

2. Click on the eye icon for the DefaultCP connection profile.

a. Select Summary to view the configuration.

b. Confirm that the group policy associated to this connection profile is WebserverGP.

3. Click the browser back button.


4. Select Group Policies in the left navigation pane.

5. Edit ITaccessGP and WebserverGP. Observe that the only difference is that WebserverGP has a traffic filter.

Deploy an LDAP attribute map

1. In Firefox, open a new tab. Click on the NGFW2 (API Explorer) bookmark.

2. Click on LdapAttribueMap and click POST.

3. On the Jumpbox desktop, open the file LDAPattributeMap.txt. Above the dashed line is the LDAP attribute map. Inspect the
JSON. You should see that it will assign the group policy ITaccessGP to any user whose memberOf attribute contains the IT
group. Below the dashed line is a snippet of JSON that will be added to the realm configuration.

4. Copy the text above the dashed line and paste it into the body text field in the Parameters section.

5. Scroll down and click TRY IT OUT!.

Associate the LDAP attribute map to the realm

1. In the API Explorer, click on ActiveDirectoryRealm and click on GET.

2. Scroll down and click TRY IT OUT!.

3. Copy the response body and paste it into the text file you have open. Save this to help with the next task.

a. Remove the first two lines:

   {
   "items": [

b. Remove the last 10 lines, everything from

   ],
   "paging": {
   . . .

to the bottom.

4. Replace the line

   "ldapAttributeMap": null,

with

   "ldapAttributeMap": {
     "name": "ITaccessAM",
     "type": "ldapattributemap"
   },

Note that you can cut and paste this piece of JSON from the text document to save typing.

5. In the ActiveDirectoryRealm API, click on PUT.

a. Copy the object ID ("id") value near the bottom of the modified JSON and paste it into the objId field in the
Parameters section.

b. Copy the modified JSON for the realm and paste it into the body field in the Parameters section.


6. Scroll down and click TRY IT OUT!.



Deploy and test the configuration

1. Deploy the configuration and wait for the deployment to complete.

2. On Wkst2, note that AnyConnect has been disconnected. Click OK.

3. Reconnect to NGFW2. Log in as rita, password C1sco12345. Rita is a member of the IT group.

4. You will be presented with a banner that says you now have unlimited access to the corporate LAN. Click Accept.

5. Ping the AD server at 198.19.10.100. It should succeed. You should be able to ping any corporate IP.

6. In the FDM console, run the command show vpn-sessiondb anyconnect. Confirm that Rita has been assigned the group
policy ITaccessGP.

7. On Wkst2, disconnect AnyConnect. Reconnect to NGFW2. Log in as harry, password C1sco12345.

8. You will be presented with a banner that says you now have access to the corporate webservers. Click Accept.

9. Ping the AD server at 198.19.10.100. It should fail.

10. In the FDM console, run the command show vpn-sessiondb anyconnect. Confirm that Harry has been assigned the group
policy WebserverGP.

11. In the FDM console, run the command show running-config all aaa-server. Note that the second to the last line of output
indicates that there is the associated LDAP attribute map is ITaccessAM.

(optional) Disassociate and delete the LDAP attribute map

1. In the API Explorer, click on ActiveDirectoryRealm and click on GET.

2. Scroll down and click TRY IT OUT!.

NOTE: You cannot use the JSON you retrieved from your previous ActiveDirectoryRealm GET. The version number is different.

3. Copy the response body and paste it into the text file you have open. Save this to help with the next task.

a. Remove the first two lines:

   {
   "items": [

b. Remove the last 10 lines, everything from

   ],
   "paging": {
   . . .

to the bottom.

1. Replace the line

   "ldapAttributeMap": {
     "name": "ITaccessAM",
     "type": "ldapattributemap"
   },

with

   "ldapAttributeMap": null,

2. In the ActiveDirectoryRealm API, click on PUT.

a. Copy the "id" near the bottom of the modified JSON and paste it into the objId field in the Parameters section.

b. Copy the modified JSON for the realm and paste it into the body field in the Parameters section.

3. Click on LdapAttribueMap and click GET.

4. Scroll down and click TRY IT OUT!.

5. Near the bottom of response body, copy the object ID (“id”) value.

6. Click on LdapAttribueMap and click DELETE.

7. Paste the object ID value into the objId text field in the parameters section.

8. Scroll down and click TRY IT OUT!.

9. Deploy the configuration.
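The hand edits in "Associate the LDAP attribute map to the realm" (steps 3 to 5) and their reverse in the optional disassociate task above are the same transformation: take the ActiveDirectoryRealm GET response, drop the items/paging wrapper, set or clear ldapAttributeMap, and submit the result with the realm's id as objId. Here is an added Python version of that transformation (not part of the guide and not the FDM API's own code). The sample GET response is constructed with placeholder values; only its shape (an "items" list wrapped with "paging", a realm carrying "id", "version" and "ldapAttributeMap") follows what the guide describes. Because it always rebuilds the body from the response you pass in, it keeps the current "version" field, which is the reason the guide says a stale GET cannot be reused.

```python
import json
from typing import Any, Dict, Optional, Tuple

# Constructed sample of an ActiveDirectoryRealm GET response (placeholder values,
# not captured from NGFW2). Only the wrapper shape matters to the code below.
SAMPLE_GET_RESPONSE = """
{
  "items": [
    {
      "version": "placeholder-version-1",
      "name": "dcloud.local",
      "directoryConfigurations": [],
      "ldapAttributeMap": null,
      "id": "placeholder-realm-id",
      "type": "activedirectoryrealm"
    }
  ],
  "paging": {"prev": [], "next": [], "limit": 10, "offset": 0, "count": 1}
}
"""


def unwrap_single_item(get_body: str) -> Dict[str, Any]:
    """Strip the items/paging wrapper, the guide's 'remove the first two and last ten lines'."""
    doc = json.loads(get_body)
    items = doc.get("items", [])
    if len(items) != 1:
        raise ValueError(f"expected exactly one realm in the response, found {len(items)}")
    return items[0]


def build_put(get_body: str, attribute_map: Optional[Dict[str, str]]) -> Tuple[str, str]:
    """Return (objId, PUT body) for the realm with ldapAttributeMap set to attribute_map (None clears it).

    The 'version' that came back in the GET is preserved untouched; the API
    rejects a PUT carrying an old version, so always feed this a fresh GET.
    """
    realm = unwrap_single_item(get_body)
    if "id" not in realm or "version" not in realm:
        raise ValueError("realm object is missing 'id' or 'version'; re-run the GET")
    realm["ldapAttributeMap"] = dict(attribute_map) if attribute_map else None
    return realm["id"], json.dumps(realm, indent=2)


def associate_map(get_body: str, name: str = "ITaccessAM") -> Tuple[str, str]:
    """Body for step 4/5 of the associate task: reference the attribute map by name."""
    return build_put(get_body, {"name": name, "type": "ldapattributemap"})


def disassociate_map(get_body: str) -> Tuple[str, str]:
    """Body for step 1/2 of the optional disassociate task: set the reference back to null."""
    return build_put(get_body, None)


def map_in_body(put_body: str) -> Optional[Dict[str, str]]:
    """Read back the ldapAttributeMap field of a generated PUT body (handy for a last look before submitting)."""
    return json.loads(put_body).get("ldapAttributeMap")


if __name__ == "__main__":
    obj_id, body = associate_map(SAMPLE_GET_RESPONSE)
    print(f"objId: {obj_id}")
    print(body)
```

Paste the printed objId into the objId field and the printed body into the body field of the ActiveDirectoryRealm PUT in the API Explorer, exactly as the manual steps describe.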
