#Clus

#CLUS
Cisco Firepower
NGIPS Tuning and
Best Practices
John Wise
Security Instructor
BRKCRT-2215
#CLUS
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot#BRKCRT-2215

by the speaker until June 18, 2018.
#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Complete your online session evaluation
Give us your feedback to be entered

into a Daily Survey Drawing.
Complete your session surveys through
the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.
#CLUS BRKCRT-2215 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Security
Instructor:
Cisco High
Touch
Delivery
Your Speaker
Started with
Sourcefire
many many
years back!
John Wise - johnwis@cisco.com

Win FTD Help! At the End of This Session!
#CLUS © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Reference Slides
When you see this

icon it is a slide for
your reference!
Firepower Platforms
Dedicated NGIPS
Cisco ASA 5500-X with FirePOWER Services
Traditional ASA with

FirePOWER software
module
Firepower Threat Defense – 2100 NGFW
Up to 3 security modules available
Software Availability
Classic Device 5.x/6.x Firepower Threat Defense (FTD) 6.x
• NGIPS 7000 • ASA 5500-X (reimaged as FTD)

• NGIPS 8000 • 4100 Series
• ASA FirePOWER Services • 9000 Series
• NGIPSv for VMware • 2100 Series
• FTD for ISR
• FTDv
Managed by the Firepower Management Center
FMC
FMC was previously called the Defense Center
• 6.x code
• What Implementation
• FTD or Classic Device
Does this Session Help Software
With?
• Utilizing Firepower’s security
inspection capabilities
• Managed by the FMC
BRKCRT-2215 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Security Inspection Path
Firepower Security Inspections
• Inspect, Block,
Store files
• Detect and
Block known or
suspected
Malware
• Blocks blacklisted • Decrypts, blocks and • Application-aware • IPS… your

IPs, DNS, and URLs controls SSL/TLS Firewall SNORT rules
before inspection by traffic • Direct traffic to
ACP • Decrypted traffic can further security
• Traffic blocked here be seen by the later inspections
never enters the later policies • Trust and Block
policies traffic
Firepower Threat Defense Packet Flow
This session covers

the SNORT
component of FTD
Network Discovery
What is Network Discovery?
Firepower’s ability to SNORT your

traffic
Which is a much deeper sniff
To Build
Host
Profiles
Is Your Network Discovery Policy Defined?
Firepower will automatically build Host Profiles Based on your Network
Discovery Policy
When you define this, Firepower builds these
automatically
Firepower Management Center

Host Profiles
Network Vulnerabilities
Discovery
Services Protocols
Policy
Applications Ports
Operating Systems
Managed Device
Network Discovery Policy Processing Order
Discovery occurs here
Malware & File

Policy
Traffic Fast Security SSL Access Control Network
Flow Path Intelligence Policy Policy Discovery
Intrusion
Policy
If traffic does not reach this inspection point no discovery information is captured!
Enabling Network Discovery Policy
You must go in and define this
policy to match your protected network
Caution! Not defining your Network Discovery Policy can cause you to
exceed your host limits!
Define By Discover And Exclude
This is how
you enable
• Discover – build host profile information Network
• Your internal network – what you are protecting Discovery
• Note: Prior to 6.x this was on by default
• Exclude – don’t build host profile information
• Load Balancers, NAT Devices, anything you don’t want to build host profiles on
Network Discovery Discover Rule
Notice only Private IP spaces? This has been changed to represent
only internal IP addresses. By default its all IPs, and you need to
change this! Otherwise you will build host profiles for public hosts.
Common Configuration
Mistakes and Tuning
Opportunities
URL Filtering
URL Filtering
URL Filtering
Category Reputation License
required!
URL Filtering– How does it work?
URL Database
• Ensure you have a URL Filtering
license and enable it in the FMC
This forces the

FMC to query the Firepower
cloud every 30 Management
minutes for Center
updates
URL Database on the Managed Device may

not have all URLs. This is based on the Firepower
available memory. Select this to query for Managed
unknown URLs. Device
URL Filtering with SSL
URL Filtering For Well-Known Sites
Consider not decrypting well—known sites
URL Filtering To Prevent Decrypting Financial
Do not decrypt Financial websites
URL Filtering For Uncategorized Websites
Decrypt all uncategorized websites
URL Filtering with Security Inspections
Uncategorized websites are suspicious – consider inspecting for malware
Don’t forget to also

inspect with an
Intrusion Policy!
Identifying Traffic to not
inspect
Understanding Trust
• In Firepower Trust means do not inspect
• You will want to Trust certain types of traffic, especially:
• Voice Traffic
• Backup Traffic
• Scanner Traffic
Why Trust?
• Certain types of traffic can cause issues in Firepower:
• Example 1 – Backup traffic (a type of ‘elephant flow’)

Any sort of flow that is large and continuous – we call this an
elephant flow, and these can cause performance issues
• Example 2 – Scanner Traffic (from a network scanner or pen test)

Scanner traffic can trigger large numbers of false positive events
Fast Path
Try to ‘Fast Path’ Trusted Traffic
You can also block at this point in the flow on certain platforms
Fast-pathed traffic is
trusted here
Fast Pathing on Different Platforms
Cisco ASA with

FirePOWER Firepower Threat
FirePOWER 7000/8000
Services Defense
2100/4100/9300,
FTDv, ASA5500-X
(Reimaged as FTD)
Fast path is done differently
on each platform
Fast Path on the ASA with FirePOWER Services
Fast Path is done on

the ASA, not in
FirePOWER
Fast Path on the 8000 Series Appliance
Under the Devices tab
However, Cisco Recommends fast pathing on in your Access Control Policy

instead
Rule Promotion in FirePOWER 7000/8000 Series
ACP rules can be Promoted, which

will allow Firepower to process the
traffic in hardware
Traffic identified by:
VLAN Security
Zone
IP Port
How to Promote Rules on the 7000/8000 Series
They must:
1. Trust or Block Action Example:
2. Contain only IP, Port, VLAN, Sec Zone conditions The first two rules will be promoted
3. Be placed above all other rules
You will not see this in the GUI, as this is an automatic

system process.
Promoted Rule Processing
The rules are promoted and processed here once you deploy the Policy
In the GUI, however, you will still see the rules in your ACP
Fast Pathing with Firepower Threat Defense
FTD has a Prefilter Policy, which uses

limited outer-header criteria to fast
path traffic
You can Trust and Block here, using the same network-based
conditions. In addition, you can also log the traffic.
Prefilter Policy in FTD
Prefilter Policy in
GUI
Action of Fastpath
for trusting
Same traffic conditions:

• IP
• Port
• VLAN
• Sec Zone
Firepower Threat Defense Packet Flow
Prefiltering
occurs here
Connection Events
Connection Event Logging
In Firepower, a ’Connection Event’ is any packet seen going through the
device.
All events are
FMC stored here
‘Event Viewer’ refers to your FMC
Event
data
Managed
Device
Traffic Flow All events on the FMC are first in

first out!
Logging Options
Should I log at beginning or the end?
Log at beginning only if Cisco
you are tying this event recommends
to an alert! logging at the
end of the
connection.
Logging at beginning and

end will cause two
connection events!
Automatic Connection Event Logging
Security Events will automatically log connection events!
With logging off, if the

packet triggers any security
event, an end of connection
is automatically logged!
EStreamer
EStreamer is Firepower’s proprietary tool for streaming events to a SIEM
The FMC uses eStreamer

The 7000/8000
series also lets you
use eStreamer to
Note you can also send stream events
connection events directly to a SIEM
directly to a syslog server
You Will Need to Tune Connection Events
In most environments you do not have the option to log every connection
Logging all connections

can result in performance
WHY? issues on your FMC and
unrealistic retention times
For all security events, the system will

automatically log a connection event at
the end of the connection even when
you have logging off!
How Do I Tune?
Use your ACP rules to create rules to tune connection logging
Every ACP rule allows you to specify

To turn logging off simply
logging options!
select no options under the
logging tab
Choose ‘Log at
End’ unless you are
tying this to an
event you wish to
see immediately
DNS No Logging Rule Example
DNS request rule to reduce logging
Notice you are still Connection logging is off

sending this traffic
through SNORT (your
Intrusion Policy)
Database Settings in Your FMC
You can adjust the retention amount in your FMC
Under System-Configuration-Database you can
adjust how many events you retain…
Caution! It is not
recommended to
change these
settings unless
recommended by
support!
Malware and File Policy
Strategies
Mapping ACP to Your Malware and File Policy
Map your Access Control Policy to the Protocols to the Malware/File Policy
Intrusion
Policy Malware/File
Policy
SafeSearch YouTube
EDU Logging
Application Protocols
available in your
Malware/File Policy
Malware Blocking Behavior
Test the behavior when Blocking Malware in Email Protocols
The way Firepower blocks

malware is by dropping the last
packet, which may not play
nicely with email servers
File Storage This stores the
File on the
Don’t be overzealous with storing files Managed Device,
and selecting all
The 8000, 2100/4100/9300 all have an optional Malware Storage Pack for this!
might over-
burden the
device
Consider
instead storing
only Unknown
so you can
submit them
later for
analysis
Pop Quiz!
How many packets of a 10 packet file do we need to see
to determine if it’s malware?
Misc. Firepower
Settings
Automatic Application Bypass
AAB
Allows you to catch (and automatically

resolve) hung SNORT processes
• Available in all
Classic Device
versions
• Available in FTD
effective 6.2.1
Automatic Application Bypass Settings
Disabled by Default, consider enabling!
• Per packet timer

• SNORT core file is
collected
• Process manager will
restart SNORT
Note: Do not change the

Bypass threshold unless
recommended by TAC!
SNORT Performance Thresholds
Firepower has two threshold settings
Latency-Based Rule-Based
Prevents latency for packets Prevents SNORT

going through SNORT rules from
causing latency
Disables and re-

enables SNORT rules
automatically when
thy are causing
Note: These are set by default issues
and Cisco does not
recommend you change these
in most environments
Latency Threshold Alerting
By default you are not alerted when these are triggered
Consider alerting on these – select the ‘Generate Events’ to
generate an Intrusion Event
Packet-
latency time
exceeded
Rule disabled
Rule re-
enabled
You can also set these events

to drop
Intrusion Policies
Understanding Base Policies
Base Polices are provided for you by Talos
These are also updated for you regularly during Rule Updates
Great Starting Policy!
Base Policies
Connectivity Balanced Security Security
over and over
Security Connectivity Connectivity
-1,000 rules enabled +- 8,000 rules enabled +- 12,000 rules enabled
Increasing Protection Level
Intrusion Policy Key Points to Remember
For each Managed Device, you can have only one ACP, however:
Each Intrusion Policy

can use its own
Base Policy The more rules enabled the more
performance is impacted, but the
more security secure you have.
You can have multiple

Intrusion Policies
Less Common Base Intrusion Policies
• Maximum Detection is not typical for

production networks
• No Rules Active does not give you a
starting point based on the importance
of the rules
Caution! Be careful with maximum

Detection. We highly recommend
Security Over Connectivity instead!
Firepower Recommendations
Maps your Host Host

Profile CVEs to the Profiles
CVEs in the Snort
Rules automatically!
Firepower
Recommendations
Disable Enable
• SNORT
No CVE seen in CVE seen in host Rules
Host Profiles? Turns profile but rule is
rule with this CVE off? Turns rule with
OFF. this CVE ON.
Firepower Recommendations Gone Wrong
Scenario 1:
• Network Discovery ON, but left to Any/Any for Discovery (the default)
• Remember this MUST define only your protected network, and all of the network
spaces you are protecting
What would happen? It would enable rules that are not part of your network, and would likely
oversubscribe the box
Scenario 2:
• Network Discovery ON, but host profiles are not identifying host
information correctly because of Asymmetric Routing
• If Firepower does not see all parts of the conversation, it cannot properly identify
host data, and would cause this feature to be completely inaccurate
Firepower Recommendations Tips
Make sure this
matches your
Network Discovery!
This can work

against you if
you do not have
accurate host
data. Do not
enable unless
Generate first then spend time you have time to
looking at what it recommended by ensure your host
getting familiar with your host data looks good.
profiles! do not rush its initial setup.
Variables
Variables in your SNORT Rules
Rule Header
Rule header determines what traffic the enabled rules will run against
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:”WEB_IIS newdsn.exe access”; flow:to_server,established;

uricontent:”/scripts/tools/newdsn.exe”; nocase;
reference:cve,cve-1999-0191;
classtype:web-application-activity; sid:1024; rev:5;)
Rule body is where SNORT inspects the traffic

Rule Body
So, this rule will only run against a packet coming

from $EXTERNAL_NET destined to $HTTP_SERVERS
Variables in the Flow 1) Packet 2) It’s an
matches ’Allow’ rule,
the ACP and sends the
rule traffic to the
specified
Intrusion Policy
3) The Variable Set is also assigned here, so

the variable definitions assigned in the
‘Default Set’ Variable Set will be used to
match against the rules
4) The SNORT Rule header’s variable definitions are

used to determine if the rule is run against the packet
Default-Set
In your Objects, you will find your ‘Default-Set’ Variable set. This is what is used for all
variable definitions unless otherwise specified.
HOME_NET Variable Tuning
• You will need to ensure you have
defined HOME_NET
Server definitions reference

HOME_NET
Notice by default HOME_NET is

set to ‘any’
How to Define HOME_NET Variable
Define Your
HOME_NET as all
RFC1918 Private IP
spaces and any
public spaces you
own
Caution! If you choose to define

server variables, do so with
extreme caution as missing a
server network space will result
in no inspection by SNORT
rules referencing that variable.
EXTERNAL_NET Variable
EXTERNAL_NET is
defined as ‘any’ by
default
Defining EXTERNAL_NET
It is typical to define this

as !HOME_NET which
excludes these networks,
but doing so can result in
missing attacks!
Why? Consider this rule

header
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
If it is an internal to internal attack, the rule will not be run against that traffic!
Consider Two Definitions of EXTERNAL_NET
This set will be for all internal to This set will be for all external to
internal traffic internal traffic
Use Security Zones To Identify Inbound Traffic
In this example, you are using Security Zones to identify external to internal traffic
The EXTERNAL_NET
definition is excluding
HOME_NET
Internally Sourced Traffic EXTERNAL_NET
Security Zones to identify internally-sourced traffic
The EXTERNAL_NET
definition is left to ANY for the
Default Set
Advanced Variable Tuning Caution
Please note that incorrectly defining or

mapping your variables can have the
effect of no inspection for certain rules
and/or networks.
In other words, do not make mistakes here!
Tuning False Positives
False Positive Tuning
Intrusion Events can generate False Positives
Remember and Intrusion

Event comes from
SNORT, and is either a
SNORT or Preprocessor
rule.
So what is a false positive?
When we have an intrusion event that

is benign.
False Positive Example
Consider this example:
You can’t change how the
A server at 10.2.2.3 has an in-house application operates, so you
application triggering a SNORT rule that need to address the rule is
drops the packet and breaks the breaking the application.
application
X
SNORT drops
the packet 10.2.2.3
because it
Internet matched the
rule
False Positive Option 1
Suppress or Threshold the event
FMC FMC
Intrusion Event
generated and
sent to FMC
when SNORT Suppression
rule fires
If you suppress, the

Dropped event is never Dropped
packet generated, but packet packet
still dropped! This does
not fix the issue.
Disable the Rule
Unless this rule does not apply to your environment, this is clearly not a viable option
Use your ACP and a new Intrusion Policy to fix this
Here you see a rule written
just for the traffic destined to
that server
You create a second

Intrusion Policy with that
rule disabled
Technically this
solution would
work, but is not
what Cisco
recommends!
A big solution to a
small problem.
Rewrite the SNORT rule
This does not fix the issue, since the

rule is written correctly in this scenario.
It is not the rule's fault!
If you re-wrote the rule, it would no

longer work like it was intended to, and
would no longer be protecting your
environment.
Write a Pass Rule
A Pass Rule is a rule designed match on specific traffic conditions that when
met, pass the respective packet through SNORT.
Pass rules are
processed first!
Intrusion Intrusion
Pass Rules Rules
A Pass rule can be written to identify just the traffic destined to that server, and if it
matches the rule, it passes the traffic through SNORT without being inspected by the
other rule that was dropping the packet.
In this example, a Pass Rule is the solution!
Steps to Writing a Pass Rule
Identify the SNORT Rule causing the issue
The objective: Identify the rule:

Prevent the rule from
dropping traffic for
just your one host, In our example, we know
while leaving it the rule causing the issue is
enabled and set to SID 40134
drop for all the
remaining hosts
Identify the Rule Header
The rule header is what we change in writing a pass rule
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
Identify the Rule Header Modification Needed
The header destination IP is what needs to be changed in our example
Change the destination to the IP or subnet you wish to ‘pass’
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 10.2.2.3 any
Locate the Rule in your FMC
Remember all your SNORT rules are in your FMC
Click ‘edit’
SID is 40134
Change the Rule Header to Match as Required
Changing the action to pass

puts the rule in the pass
area of SNORT and will be
processed before any alert
rules!
1’st change the

Action to Pass
2’nd change the

required rule header
value
3’rd click ‘Save As New’
Save the New Rule
You just wrote a new SNORT rule!
You cannot modify All imported and

SNORT rules. What created rules in the
you did was create system have a SID of
a new rule 1,000,000+
Find The Rule in Your Intrusion Policy
All imported and created

rules are stored in Local
Rules
Set The Rule to Generate Events
1’st Select ‘Rule State’
2’nd change to ‘Generate Events’
Optionally Add a Suppression
If you wish to now

have the pass rule
silent, suppress
your new rule
Use a New Variable For Frequent Changes
You can use a

custom Variable in
the Pass rule
instead
This allows you to quickly add

new hosts to the PASS rule
Commit Changes and Deploy
Once deployed traffic destined to that IP that matches the rule will be
processed by the Pass rule, and will not match on the unmodified rule!
All Done!
Commit your changes and deploy!
Pass Rule Logic
Pass Rules Alert Rules
Intrusion
Rules
All other
traffic
Triggers SID
Traffic to 1,000,000
10.2.2.3
Where To Go Next
Support Documentation
Cisco’s Support Page
Find the Appliances You Have
Here is an example of the

documents available for the
9300 series appliance
Download the Correct FMC User Guide
The User Guide is

called the
‘Configuration Guide’
Download the guide

that matches the
version you are
currently using!
This is officially the FMC user

guide, but it really is your user
guide for everything Firepower
including the devices you are
managing!
Understand Your Managed Devices
‘Classic’ refers to the 7000/8000, NGIPSv,
and the ASA/FP module
‘Firepower Threat Defense’ refers FTD,

which would be the 2100/4100/9000,
FTDv, and ASA 5500-X (if reimaged as
FTD)
Product Updates Perspective
Remember
Classic FTD there are
two
• 5.4 software
• 6.0 types
• 6.0
• 6.0.1 available!
• 6.0.1
• 6.1
• 6.1
• 6.2
• 6.2
• 6.2.1 FTD software
• 6.2.1 updates have
• 6.2.2
• 6.2.2 significant
• 6.2.3 new features
• 6.2.3
available since
it is bringing
over ASA
features!
Cisco Firepower Training
We offer Cisco Training for Firepower,

SNORT Rule writing and AMP for
Endpoints!
Just ask me for more information!
Offered In-Person and as a Virtual Class
Win the Book!
Complete your online session evaluation
Give us your feedback to be entered

into a Daily Survey Drawing.
Complete your session surveys through
the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.
Continue
your Demos in
the Cisco
Walk-in
self-paced
Meet the
engineer
Related
sessions
education campus labs 1:1
meetings
Thank you
#CLUS
Q&A
#CLUS

#Clus

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

#Clus

Uploaded by

Copyright:

Available Formats

#CLUS

Webex Teams will be moderated cs.co/ciscolivebot#BRKCRT-2215

Give us your feedback to be entered

John Wise - johnwis@cisco.com

When you see this

Traditional ASA with

Up to 3 security modules available

• NGIPS 7000 • ASA 5500-X (reimaged as FTD)

• ASA FirePOWER Services • 9000 Series

• NGIPSv for VMware • 2100 Series

• FTD for ISR

FMC was previously called the Defense Center

• Managed by the FMC

• Blocks blacklisted • Decrypts, blocks and • Application-aware • IPS… your

This session covers

Firepower’s ability to SNORT your

Which is a much deeper sniff

Firepower Management Center

Malware & File

This forces the

URL Database on the Managed Device may

Don’t forget to also

• You will want to Trust certain types of traffic, especially:

• Example 1 – Backup traffic (a type of ‘elephant flow’)

• Example 2 – Scanner Traffic (from a network scanner or pen test)

Cisco ASA with

Fast Path is done on

Under the Devices tab

However, Cisco Recommends fast pathing on in your Access Control Policy

ACP rules can be Promoted, which

Traffic identified by:

You will not see this in the GUI, as this is an automatic

FTD has a Prefilter Policy, which uses

Same traffic conditions:

Traffic Flow All events on the FMC are first in

Logging at beginning and

With logging off, if the

The FMC uses eStreamer

Logging all connections

For all security events, the system will

Every ACP rule allows you to specify

Notice you are still Connection logging is off

The way Firepower blocks

Allows you to catch (and automatically

• Per packet timer

Note: Do not change the

Prevents latency for packets Prevents SNORT

Disables and re-

You can also set these events

Great Starting Policy!

Increasing Protection Level

Each Intrusion Policy

You can have multiple

• Maximum Detection is not typical for

Caution! Be careful with maximum

Maps your Host Host

This can work

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

(msg:”WEB_IIS newdsn.exe access”; flow:to_server,established;

Rule body is where SNORT inspects the traffic

So, this rule will only run against a packet coming

3) The Variable Set is also assigned here, so

4) The SNORT Rule header’s variable definitions are