Cisco Firepower
NGIPS Tuning and
Best Practices
John Wise
Security Instructor
BRKCRT-2215
#CiscoLiveLA
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
#CiscoLiveLA © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Complete your online session evaluation
Your Speaker
John Wise, Security Instructor: Cisco High Touch Delivery
Started with Sourcefire many many years back!
Reference Slides
Firepower Platforms
Dedicated NGIPS
Cisco ASA 5500-X with FirePOWER Services
Firepower Threat Defense – 2100 NGFW
Firepower Threat Defense – 4100 NGFW
Firepower Threat Defense – 9300 NGFW
Software Availability
Classic Device: 5.x/6.x
Firepower Threat Defense (FTD): 6.x
Managed by the Firepower Management Center
FMC
What Does this Session Help With?
• 6.x code
• What software implementation: FTD or Classic Device
• Utilizing Firepower’s security inspection capabilities
Security Inspection Path
Firepower Security Inspections
• Inspect, block, and store files
• Detect and block known or suspected malware
Firepower Threat Defense Packet Flow
Network Discovery
What is Network Discovery? It is what Firepower uses to build host profiles.
Is Your Network Discovery Policy Defined?
Firepower will automatically build Host Profiles based on your Network Discovery Policy.
When you define this policy, Firepower automatically builds the following for each host: vulnerabilities, services, protocols, applications, ports, and operating systems.
Network Discovery Policy Processing Order
Discovery occurs at the Intrusion Policy stage of the packet flow.
If traffic does not reach this inspection point, no discovery information is captured!
Enabling Network Discovery Policy
You must go in and define this
policy to match your protected network
Caution! Not defining your Network Discovery Policy can cause you to
exceed your host limits!
Define By Discover And Exclude
This is how you enable Network Discovery:
• Discover – build host profile information
• Your internal network – what you are protecting
• Note: Prior to 6.x this was on by default
Network Discovery Discover Rule
Notice only private IP spaces? The rule has been changed to represent only internal IP addresses. By default it is all IPs, and you need to change this! Otherwise you will build host profiles for public hosts.
URL Filtering
Category and Reputation filtering: license required!
URL Filtering – How does it work?
URL Database
• Ensure you have a URL Filtering license and enable it in the FMC
URL Filtering with SSL
URL Filtering For Well-Known Sites
Consider not decrypting well-known sites
URL Filtering To Prevent Decrypting Financial
Do not decrypt Financial websites
URL Filtering For Uncategorized Websites
Decrypt all uncategorized websites
URL Filtering with Security Inspections
Uncategorized websites are suspicious – consider inspecting for malware
Identifying Traffic Not to Inspect
Understanding Trust
• In Firepower, Trust means do not inspect. Typical candidates:
• Voice traffic
• Backup traffic
• Scanner traffic
Why Trust?
• Certain types of traffic can cause issues in Firepower.
Fast Path
Try to ‘Fast Path’ Trusted Traffic
You can also block at this point in the flow on certain platforms
Fast-pathed traffic is trusted here
Fast Pathing on Different Platforms
Fast Path on the ASA with FirePOWER Services
Fast Path is done on the ASA, not in FirePOWER
Fast Path on the 8000 Series Appliance
Rule Promotion in FirePOWER 7000/8000 Series
Conditions that can be promoted: VLAN, Security Zone, IP, Port
How to Promote Rules on the 7000/8000 Series
They must:
1. Have a Trust or Block action
2. Contain only IP, Port, VLAN, and Security Zone conditions
3. Be placed above all other rules
Example: the first two rules will be promoted
Promoted Rule Processing
The rules are promoted and processed here once you deploy the Policy
In the GUI, however, you will still see the rules in your ACP
Fast Pathing with Firepower Threat Defense
You can Trust and Block here, using the same network-based
conditions. In addition, you can also log the traffic.
Prefilter Policy in FTD
Prefilter Policy in the GUI: use the Fastpath action for trusting
Firepower Threat Defense Packet Flow
Prefiltering occurs here
Connection Events
Connection Event Logging
In Firepower, a ’Connection Event’ is the record of a connection (flow) seen going through the device.
Event data flows from the Managed Device to the FMC; all events are stored on the FMC, and ‘Event Viewer’ refers to your FMC.
All events on the FMC are first in, first out!
Logging Options
Should I log at the beginning or the end?
Cisco recommends logging at the end of the connection.
Log at the beginning only if you are tying this event to an alert!
Automatic Connection Event Logging
Security Events will automatically log connection events!
eStreamer
eStreamer is Firepower’s proprietary tool for streaming events to a SIEM
You Will Need to Tune Connection Events
In most environments you do not have the option to log every connection
Tune Using an Access Control Policy Rule
Use your ACP rules to tune connection logging.
Choose ‘Log at End’ unless you are tying this to an event you wish to see immediately.
DNS No Logging Rule Example
DNS request rule to reduce logging
Database Settings in Your FMC
You can adjust the retention amount in your FMC.
Under System > Configuration > Database you can adjust how many events you retain.
Caution! It is not recommended to change these settings unless recommended by support!
Malware and File Policy
Strategies
Mapping ACP to Your Malware and File Policy
Map your Access Control Policy to the application protocols available in your Malware/File Policy.
(ACP rule inspection options shown: Intrusion Policy, Malware/File Policy, SafeSearch, YouTube EDU, Logging)
Malware Blocking Behavior
Test the behavior when Blocking Malware in Email Protocols
File Storage
Don’t be overzealous with storing files.
This stores the file on the Managed Device, and selecting all might over-burden the device.
The 8000, 2100/4100/9300 all have an optional Malware Storage Pack for this!
Consider instead storing only Unknown files so you can submit them later for analysis.
Pop Quiz!
How many packets of a 10 packet file do we need to see
to determine if it’s malware?
Misc. Firepower
Settings
Automatic Application Bypass (AAB)
• Available in all Classic Device versions
• Available in FTD effective 6.2.1
Automatic Application Bypass Settings
Disabled by Default, consider enabling!
SNORT Performance Thresholds
Firepower has two threshold settings, found in the ACP Advanced tab:
• Latency-Based – prevents latency for packets going through SNORT
• Rule-Based – prevents SNORT rules from causing latency; disables and re-enables SNORT rules automatically when they are causing issues
Note: These are set by default and Cisco does not recommend you change these in most environments
Latency Threshold Alerting
By default you are not alerted when these are triggered.
Consider alerting on these – select ‘Generate Events’ to generate an Intrusion Event for: packet-latency time exceeded, rule disabled, rule re-enabled.
Base Policies
Connectivity over Security: ~1,000 rules enabled
Balanced Security and Connectivity: ~8,000 rules enabled
Security over Connectivity: ~12,000 rules enabled
Intrusion Policy Key Points to Remember
For each Managed Device, you can have only one ACP; however, the rules in that ACP can send different traffic to different Intrusion Policies.
Less Common Base Intrusion Policies
Firepower Recommendations
Disable: No CVE seen in Host Profiles? Turns the SNORT rule with this CVE OFF.
Enable: CVE seen in a host profile but the rule is off? Turns the rule with this CVE ON.
Firepower Recommendations Gone Wrong
Scenario 1:
• Network Discovery ON, but left to Any/Any for Discovery (the default)
• Remember this MUST define only your protected network, and all of the network spaces you are protecting
What would happen? It would enable rules for hosts that are not part of your network, and would likely oversubscribe the box.
Scenario 2:
• Network Discovery ON, but host profiles are not identifying host information correctly because of asymmetric routing
• If Firepower does not see all parts of the conversation, it cannot properly identify host data, which makes this feature completely inaccurate.
Firepower Recommendations Tips
Make sure this matches your Network Discovery!
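The Recommendations logic and Scenario 1 above, worked through in code. This is an added example, not Cisco's code: it models the two decisions on the slide (CVE seen in an in-scope host profile turns the rule ON, no CVE seen turns it OFF) and shows how leaving Discovery at Any/Any pulls a public host into scope and enables a rule you do not need. The host addresses, the host-to-CVE mapping and the SID-to-CVE mapping are constructed sample data; the SIDs are placeholders, not real Snort SIDs.

```python
"""Added example, not Cisco's code: a model of the Firepower Recommendations
logic described on the slides, plus Scenario 1 (discovery left at Any/Any).
Host addresses, the CVE-to-host mapping and the SID-to-CVE mapping are all
constructed sample data; the SIDs are placeholders, not real Snort SIDs."""
import ipaddress

# Constructed host profiles as Network Discovery would build them: ip -> CVEs.
# 203.0.113.5 is a public host that discovery also saw in transit.
HOST_PROFILES = {
    "10.1.1.10": {"CVE-2017-0144"},    # internal SMB server
    "10.1.1.20": {"CVE-2014-0160"},    # internal TLS web server
    "203.0.113.5": {"CVE-2014-6271"},  # public host, not ours
}

# Constructed rule metadata: placeholder SID -> CVEs the rule's references cover.
RULE_CVES = {
    10001: {"CVE-2017-0144"},
    10002: {"CVE-2014-0160"},
    10003: {"CVE-2014-6271"},
    10004: {"CVE-2017-5638"},  # nothing on the network has this
}


def hosts_in_scope(host_profiles, discovery_networks):
    """Keep only host profiles inside the Network Discovery 'Discover' networks."""
    nets = [ipaddress.ip_network(n) for n in discovery_networks]
    return {
        ip: cves
        for ip, cves in host_profiles.items()
        if any(ipaddress.ip_address(ip) in n for n in nets)
    }


def recommend(host_profiles, rule_cves, discovery_networks):
    """Return {'enable': set(sids), 'disable': set(sids)} following the slide:
    CVE seen in an in-scope profile -> rule ON; no CVE seen -> rule OFF."""
    in_scope = hosts_in_scope(host_profiles, discovery_networks)
    seen_cves = set().union(*in_scope.values())
    enable = {sid for sid, cves in rule_cves.items() if cves & seen_cves}
    disable = set(rule_cves) - enable
    return {"enable": enable, "disable": disable}


def extra_rules_from_any_any(host_profiles, rule_cves, protected_networks):
    """Scenario 1: rules that Any/Any discovery turns on but a discovery policy
    scoped to the protected network would not (the oversubscription risk)."""
    scoped = recommend(host_profiles, rule_cves, protected_networks)["enable"]
    any_any = recommend(host_profiles, rule_cves, ["0.0.0.0/0"])["enable"]
    return any_any - scoped


if __name__ == "__main__":
    protected = ["10.0.0.0/8"]
    print("scoped  :", recommend(HOST_PROFILES, RULE_CVES, protected))
    print("any/any :", recommend(HOST_PROFILES, RULE_CVES, ["0.0.0.0/0"]))
    print("extra   :", extra_rules_from_any_any(HOST_PROFILES, RULE_CVES, protected))
```

With discovery scoped to 10.0.0.0/8 only the two rules matching internal CVEs are recommended ON; with Any/Any the public host's CVE drags a third rule in, which is exactly the "rules that are not part of your network" the slide warns about.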
Variables
Variables in your SNORT Rules
Rule Header
Rule header determines what traffic the enabled rules will run against
Variables in the Flow
1) Packet matches the ACP rule
2) It’s an ’Allow’ rule, and sends the traffic to the specified Intrusion Policy
Your Default-Set
In your Objects, you will find your ‘Default-Set’ Variable set. This is what is used for all
variable definitions unless otherwise specified.
HOME_NET Variable Tuning
• You will need to ensure you have defined HOME_NET
How to Define HOME_NET Variable
Define your HOME_NET as all RFC1918 private IP spaces and any public spaces you own
EXTERNAL_NET Variable
EXTERNAL_NET is defined as ‘any’ by default
Defining EXTERNAL_NET
If you define EXTERNAL_NET to exclude HOME_NET, a rule whose header is $EXTERNAL_NET -> $HOME_NET will not be run against internal-to-internal traffic, so an internal-to-internal attack is missed!
Consider Two Definitions of EXTERNAL_NET
One set will be for all internal-to-internal traffic; the other set will be for all external-to-internal traffic.
Use Security Zones To Identify Inbound Traffic
In this example, you are using Security Zones to identify external to internal traffic
The EXTERNAL_NET definition is excluding HOME_NET
Internally Sourced Traffic EXTERNAL_NET
Security Zones to identify internally-sourced traffic
The EXTERNAL_NET definition is left at ANY for the Default Set
Advanced Variable Tuning Caution
Tuning False Positives
False Positive Tuning
Intrusion Events can generate False Positives
False Positive Example
Consider this example:
A server at 10.2.2.3 has an in-house application triggering a SNORT rule that drops the packet and breaks the application.
You can’t change how the application operates, so you need to address the rule that is breaking the application.
SNORT drops the packet (Internet -> 10.2.2.3) because it matched the rule.
False Positive Option 1
Suppress or Threshold the event
An Intrusion Event is generated and sent to the FMC when the SNORT rule fires. Suppression stops that event from being generated, but the rule still fires and the packet is still dropped, so this does not fix the broken application.
False Positive Option 3
Disable the Rule
Unless this rule does not apply to your environment, this is clearly not a viable option
False Positive Option 4
Use your ACP and a new Intrusion Policy to fix this
Here you see an ACP rule written just for the traffic destined to that server.
Technically this solution would work, but it is not what Cisco recommends! A big solution to a small problem.
False Positive Option 5
Rewrite the SNORT rule
False Positive Option 6
Write a Pass Rule
A Pass Rule is a rule designed to match on specific traffic conditions that, when met, pass the respective packet through SNORT.
Pass rules are processed before the other intrusion rules!
A Pass rule can be written to identify just the traffic destined to that server, and if it matches the rule, it passes the traffic through SNORT without being inspected by the other rule that was dropping the packet.
Steps to Writing a Pass Rule
Identify the SNORT Rule causing the issue
Identify the Rule Header
The rule header is what we change in writing a pass rule
Identify the Rule Header Modification Needed
The header destination IP is what needs to be changed in our example
Locate the Rule in your FMC
Remember all your SNORT rules are in your FMC
Click ‘edit’
SID is 40134
Change the Rule Header to Match as Required
Find The Rule in Your Intrusion Policy
Set The Rule to Generate Events
Optionally Add a Suppression
Use a New Variable For Frequent Changes
Commit Changes and Deploy
Once deployed, traffic destined to that IP that matches the pass rule is processed by the Pass rule and never matches the unmodified rule!
All Done!
Pass Rule Logic
Traffic to 10.2.2.3 triggers the pass rule (SID 1,000,000); all other traffic continues to the intrusion rules.
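The two mechanisms this deck relies on, variable resolution in the rule header (the EXTERNAL_NET section) and pass-first processing (the Pass Rule section), worked through together in one model. This is an added example and not Cisco's or Snort's code: it resolves $HOME_NET / !$HOME_NET / any the way a Snort header does, matches a header against a flow, and evaluates pass rules before drop rules. The server 10.2.2.3, SID 1000000 and SID 40134 come from the slides; the rule bodies, ports and flows are constructed (the real SID 40134 is not reproduced, the drop rule is a stand-in with the same shape of header), and only the '->' direction is handled.

```python
"""Added example, not Cisco's or Snort's code: a model of Snort header matching
with $HOME_NET / $EXTERNAL_NET resolution and pass-first rule ordering.
Rule bodies, ports and flows are constructed; 10.2.2.3, SID 1000000 and
SID 40134 come from the slides, but the real SID 40134 is not reproduced."""
import ipaddress
import re

RFC1918 = "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"

# Two variable sets as the slides suggest: the Default-Set keeps EXTERNAL_NET
# as 'any'; the inbound set excludes HOME_NET from EXTERNAL_NET.
DEFAULT_SET = {"HOME_NET": RFC1918, "EXTERNAL_NET": "any"}
INBOUND_SET = {"HOME_NET": RFC1918, "EXTERNAL_NET": "!$HOME_NET"}

# Constructed rules: the drop rule stands in for the one breaking the app; the
# pass rule is the same header with the destination narrowed to 10.2.2.3.
DROP_RULE = 'drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed stand-in"; sid:40134;)'
PASS_RULE = 'pass tcp $EXTERNAL_NET any -> 10.2.2.3 any (msg:"pass in-house app"; sid:1000000;)'

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)")


def resolve(token, variables):
    """Resolve 'any', '$VAR', '!$VAR', a CIDR or '[a,b,...]' to (negated, networks).
    networks is None for 'any'. A negation applied to a negated variable cancels."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token == "any":
        return negated, None
    if token.startswith("$"):
        inner_negated, nets = resolve(variables[token[1:]], variables)
        return negated ^ inner_negated, nets
    return negated, [ipaddress.ip_network(t.strip()) for t in token.strip("[]").split(",")]


def ip_matches(token, ip, variables):
    negated, nets = resolve(token, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def port_matches(token, port):
    return token == "any" or int(token) == port


def parse_rule(text):
    action, proto, src, sport, dst, dport = HEADER.match(text).groups()
    sid = int(re.search(r"sid:(\d+)", text).group(1))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "sid": sid}


def header_matches(rule, flow, variables):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, sport, dst, dport = flow
    return (rule["proto"] in (proto, "ip")
            and ip_matches(rule["src"], src, variables) and port_matches(rule["sport"], sport)
            and ip_matches(rule["dst"], dst, variables) and port_matches(rule["dport"], dport))


ACTION_ORDER = {"pass": 0, "drop": 1, "alert": 2}


def evaluate(rule_texts, flow, variables):
    """Pass rules are evaluated first, so a matching pass rule wins over a
    drop/alert rule that would also match. Returns (action, sid) or ('allow', None)."""
    rules = sorted((parse_rule(t) for t in rule_texts), key=lambda r: ACTION_ORDER[r["action"]])
    for rule in rules:
        if header_matches(rule, flow, variables):
            return rule["action"], rule["sid"]
    return "allow", None


if __name__ == "__main__":
    internal = ("tcp", "10.5.5.5", 51000, "10.1.1.20", 445)      # internal -> internal
    external = ("tcp", "198.51.100.7", 51000, "10.1.1.20", 445)  # Internet -> internal
    to_app = ("tcp", "198.51.100.7", 51000, "10.2.2.3", 445)     # Internet -> in-house app
    print(evaluate([DROP_RULE], internal, DEFAULT_SET))            # drop, 40134
    print(evaluate([DROP_RULE], internal, INBOUND_SET))            # allow: attack missed
    print(evaluate([DROP_RULE, PASS_RULE], to_app, DEFAULT_SET))   # pass, 1000000
    print(evaluate([DROP_RULE, PASS_RULE], external, DEFAULT_SET)) # drop, 40134
```

The second call is the EXTERNAL_NET caution from the slides: with EXTERNAL_NET excluding HOME_NET, the internal-to-internal flow never matches the header, so the rule never runs against it. The last two calls show the pass rule taking only traffic to 10.2.2.3 while every other flow still reaches the drop rule.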
Where To Go Next
Support Documentation
Cisco’s Support Page
Find the Appliances You Have
Download the Correct FMC User Guide
Understand Your Managed Devices
‘Classic’ refers to the 7000/8000, NGIPSv, and the ASA/FP module
Product Updates Perspective
Remember there are two software types available!
Classic: 5.4, 6.0, 6.0.1, 6.1, 6.2, 6.2.1, 6.2.2, 6.2.3
FTD: 6.0, 6.0.1, 6.1, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.3
FTD software updates have significant new features available since it is bringing over ASA features!
Win Cisco’s Official FTD Book!
Cisco Firepower Training
Continue your education:
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
Q&A