RADIUS
Copyright © www.ine.com
Module Overview
External Authentication overview
External Authentication Overview
FMC supports two types of external authentication servers
LDAP & RADIUS
Configuration
Add External Authentication Object for a RADIUS server
System -> Users -> External Authentication
Specify server settings
Configure Permissions
Optional Configuration
Restrict Shell access
Add Custom Attributes
Enable External Authentication
Save and Apply
FlexConfig
Module Overview
FlexConfig overview
Configuration
FlexConfig Overview
A tool used to configure features not yet supported through FMC
Use cases
ASA to FTD migration
Problem solving
Configuration
Prerequisites
Software version
show version (GUI: System -> Health -> Monitor -> Advanced Troubleshooting)
CLI syntax
show running-config [all]
High Availability
Module Overview
High Availability options
Failover configuration
High Availability Options
Interface
Redundant Interface
EtherChannel
FTD System
Active/Standby Failover
Clustering
4100 & 9300 platforms
FMC
Active-Standby redundancy
System -> Integration -> High Availability
Failover Configuration
Prerequisites
The following must match between the units
Model
Number & types of interfaces
Firewall mode
Major/minor/maintenance software version
NTP configuration
Licenses
Both devices must be registered with FMC with no uncommitted changes
SSL Policy
Module Overview
SSL Policy & components overview
HTTPS decryption
Configuration
SSL Policy Overview
FTD cannot inspect encrypted traffic by default
HTTPS Decryption
FTD supports two SSL/TLS decryption methods
Known Key
Used for traffic coming to your network/servers
Server’s Private Key is uploaded to FTD
FTD decrypts the client-server traffic on the fly
Resign
Used for traffic to external servers
FTD splits the original session into two: client - FTD & FTD - server
The original server’s certificate is modified & resigned by FTD
Decryption Considerations
Decryption may pose severe load on FTD
SSL Policy can block traffic selectively without decrypting it
URLs, certificate status, SSL/TLS version, cipher suite & more
URL handling
Server’s certificate
Does not work for wildcard certificates
Server Name Indication (SNI)
A browser includes the website's hostname in the TLS Client Hello
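The slide above says the policy can act on the hostname carried in the TLS Client Hello without decrypting anything. The following is an added example (not from the INE course or Cisco) that builds a constructed ClientHello, walks its extension list to pull out the server_name (SNI) value, and then makes the "Don't Decrypt" exception decision from that hostname alone. The exception suffix list, the zero client_random and the cipher suite bytes are all constructed sample data.

```python
import struct
from typing import Optional, Sequence

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record; server_name=None omits the SNI extension."""
    cipher_suites = b"\x13\x01\xc0\x2f"          # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    # signature_algorithms is placed first so the parser has to walk past a non-SNI extension
    sig_algs = _u16(2) + b"\x04\x01"              # one entry: rsa_pkcs1_sha256
    extensions = _u16(0x000d) + _u16(len(sig_algs)) + sig_algs
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + _u16(len(host)) + host   # name_type 0 = host_name
        sni = _u16(len(entry)) + entry
        extensions += _u16(EXT_SERVER_NAME) + _u16(len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                # client_version + client_random (zeros: constructed)
            + b"\x00"                               # empty session id
            + _u16(len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                           # compression methods: null only
            + _u16(len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + _u16(len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if absent.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    def need(ok: bool, what: str) -> None:
        if not ok:
            raise ValueError(what)
    need(len(record) >= 5 and record[0] == TLS_HANDSHAKE, "not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    need(len(hs) >= 4 and hs[0] == CLIENT_HELLO, "not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    need(len(body) == body_len, "truncated ClientHello")
    pos = 2 + 32                                    # skip client_version and client_random
    need(pos < len(body), "truncated ClientHello")
    pos += 1 + body[pos]                            # session id
    need(pos + 2 <= len(body), "truncated ClientHello")
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    need(pos < len(body), "truncated ClientHello")
    pos += 1 + body[pos]                            # compression methods
    if pos + 2 > len(body):
        return None                                 # legacy hello without an extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    need(end <= len(body), "bad extensions length")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        need(pos + ext_len <= end, "bad extension length")
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        need(len(data) >= 2, "bad server_name extension")
        p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        need(list_end <= len(data), "bad server_name list")
        while p + 3 <= list_end:
            name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            need(p + name_len <= list_end, "bad server_name entry")
            if name_type == 0:
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def sni_action(record: bytes, do_not_decrypt: Sequence[str]) -> str:
    """Policy decision taken from SNI alone, before any decryption: a host under an
    exception suffix gets "Don't Decrypt"; everything else falls through to "Decrypt Resign"."""
    host = extract_sni(record)
    if host is None:
        return "Decrypt Resign"                     # no SNI: nothing to build an exception on
    host = host.lower().rstrip(".")
    for suffix in do_not_decrypt:
        suffix = suffix.lower().lstrip("*").lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return "Don't Decrypt"
    return "Decrypt Resign"
```

The parser validates every length field before using it, because a decrypting proxy is itself a parser of attacker-supplied bytes; a hello with inconsistent lengths is rejected rather than matched against a rule.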
SSL Policy Actions
Monitor
Log & check other rules
Don’t Decrypt
Typically used for adding exceptions
Configuration
Define PKI objects by importing the right certificates
Objects -> Object Management -> PKI
Internal CA
Internal CA’s certificate (“keyCertSign” usage) & keys
Needed for “Decrypt Resign” rules
Internal Certificate
Your server’s certificate & keys
Needed for “Decrypt Known Key” rules
Configuration
Create a new SSL Policy & add rules
Policies -> Access Control -> SSL
QoS Policy
Module Overview
QoS Policy overview
Configuration
QoS Policy Overview
FTD supports traffic rate-limiting through a QoS Policy
Requires traffic to match the ACP's "Allow" or "Trust" rules
It is never used for prefiltered or blocked traffic
Configuration
Define a QoS Policy
Devices -> QoS
Add rule(s)
Deploy configuration
Verification
show service-policy
Correlation Policy
Module Overview
Correlation overview
Policy components
Configuration
Correlation Overview
Allows events to be tied together to trigger a violation
E.g. for security decision automation
Correlation Policy
Correlation Rules
Criteria for violations
Built using Event Types and/or Constraints
Compliance White Lists
Host criteria for violations
Correlation Responses
Triggered in response to a violation
Configured as Alerts or Remediations
Correlation Rules
Event Types
Intrusion/Malware/Discovery/Host Input/Connection Event
User activity
Traffic profile change
Constraints
Host Profile Qualification
User Qualification
Connection Tracker
Snooze Period
Inactive Period
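To make the interplay of event types, constraints, snooze and inactive periods concrete, here is an added example (not FMC code, and not from the course) of a small correlation engine over constructed events. Host profiles, the rule, the responses and every event below are made up; the response functions only return strings standing in for a syslog alert and a "Set Attribute Value" remediation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SECONDS_PER_DAY = 86400


@dataclass
class Event:
    ts: int                  # seconds since epoch (constructed values in demo())
    event_type: str          # "intrusion", "malware", "connection", ...
    host: str
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class HostProfile:
    os: str
    apps: List[str]


@dataclass
class CorrelationRule:
    name: str
    event_type: str
    event_match: Callable[[Event], bool]                              # event-field constraints
    host_qualification: Optional[Callable[[HostProfile], bool]] = None
    snooze_seconds: int = 0                                           # no re-trigger for this long
    inactive_periods: List[Tuple[int, int]] = field(default_factory=list)  # (start, end) seconds of day
    last_violation: Optional[int] = None


@dataclass
class CorrelationPolicy:
    rules: List[CorrelationRule]
    responses: Dict[str, List[Callable[[Event, CorrelationRule], str]]]   # rule name -> responses


class CorrelationEngine:
    def __init__(self, policy: CorrelationPolicy, host_profiles: Dict[str, HostProfile]):
        self.policy = policy
        self.host_profiles = host_profiles
        self.violations: List[Tuple[int, str, str]] = []    # (ts, rule name, host)

    def _inactive(self, rule: CorrelationRule, ts: int) -> bool:
        tod = ts % SECONDS_PER_DAY
        return any(start <= tod < end for start, end in rule.inactive_periods)

    def _snoozed(self, rule: CorrelationRule, ts: int) -> bool:
        return rule.last_violation is not None and ts - rule.last_violation < rule.snooze_seconds

    def process(self, event: Event) -> List[str]:
        """Evaluate every rule against one event; return the outputs of the responses it triggered."""
        outputs: List[str] = []
        for rule in self.policy.rules:
            if rule.event_type != event.event_type or not rule.event_match(event):
                continue
            if rule.host_qualification is not None:
                profile = self.host_profiles.get(event.host)
                if profile is None or not rule.host_qualification(profile):
                    continue
            if self._inactive(rule, event.ts) or self._snoozed(rule, event.ts):
                continue
            rule.last_violation = event.ts
            self.violations.append((event.ts, rule.name, event.host))
            for respond in self.policy.responses.get(rule.name, []):
                outputs.append(respond(event, rule))
        return outputs


# Responses standing in for an alert and a remediation; the strings are constructed
def syslog_alert(event: Event, rule: CorrelationRule) -> str:
    return f"syslog: rule={rule.name} host={event.host} type={event.event_type}"


def set_attribute(event: Event, rule: CorrelationRule) -> str:
    return f"set-attribute: host={event.host} compromised=yes"


def demo() -> Tuple[List[str], CorrelationEngine]:
    """Constructed scenario: an intrusion rule qualified to Windows hosts, a 60 s snooze
    and an inactive period from 02:00 to 03:00 (hypothetical maintenance window)."""
    rule = CorrelationRule(
        name="Windows-SID-1:2000", event_type="intrusion",
        event_match=lambda e: e.fields.get("sid") == "1:2000" and e.fields.get("impact") in ("1", "2"),
        host_qualification=lambda p: p.os.startswith("Windows"),
        snooze_seconds=60, inactive_periods=[(2 * 3600, 3 * 3600)])
    policy = CorrelationPolicy(rules=[rule], responses={rule.name: [syslog_alert, set_attribute]})
    engine = CorrelationEngine(policy, {"10.0.0.5": HostProfile("Windows 10", ["chrome"]),
                                        "10.0.0.9": HostProfile("Linux", ["nginx"])})
    hit = {"sid": "1:2000", "impact": "1"}
    events = [Event(100, "intrusion", "10.0.0.5", hit),            # fires
              Event(130, "intrusion", "10.0.0.5", hit),            # snoozed: 30 s after last violation
              Event(170, "intrusion", "10.0.0.9", hit),            # Linux host fails the qualification
              Event(200, "intrusion", "10.0.0.5", hit),            # fires again: snooze has elapsed
              Event(300, "connection", "10.0.0.5", hit),           # wrong event type
              Event(2 * 3600 + 600, "intrusion", "10.0.0.5", hit)]  # inside the inactive period
    outputs: List[str] = []
    for ev in events:
        outputs.extend(engine.process(ev))
    return outputs, engine
```

The snooze is tracked per rule, as on the slide, so a second host hitting the same rule during the snooze is also silent; if per-host suppression is wanted, `last_violation` has to be keyed by host instead.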
Compliance White Lists
Host-specific criteria for a violation
Targets
Host Profiles
Operating System, applications & more
Correlation Responses
Alerts
Email, SNMP, Syslog
Remediations
ISE Endpoint Protection Service (EPS)
IOS Null Route
NMAP Scanning
Set Attribute Value
Configuration
Prepare Policy components
Rules
Policies -> Correlation -> Rule Management
White Lists
Policies -> Correlation -> White List
Responses
Policies -> Actions -> Alerts
Policies -> Actions -> Instances
FTD VPN
Module Overview
VPN on FTD overview
Supported features
Certificate considerations
VPN on FTD Overview
Supported VPN Types
Site-to-Site
IPsec IKEv1/IKEv2
Remote Access
IPsec IKEv2 or SSL/TLS
Supported Features
General
IPv6
Remote Access
Split Tunneling
AnyConnect
Core features (check documentation)
Supported Features
Authentication
Site-to-Site
Certificates or PSK
Remote Access
Gateway - certificates
Clients - certificates, AAA (RADIUS, LDAP, AD) or both
Authorization & Accounting are available via RADIUS only
Local database is not supported for AAA
Certificate Considerations
Supported CAs include Microsoft, Cisco IOS & ASA
FTD cannot act as a CA
Enrollment methods
Self-signed
SCEP
Manual
Site-to-Site
IPsec IKEv1
Module Overview
Configuration
Implementation scenario
Configuration
Certificate Setup (optional)
Devices -> Certificates
Tunnel Configuration
Devices -> VPN -> Site To Site
Remote Access
SSL/TLS
Module Overview
Configuration
Implementation scenario
Configuration
Prerequisites
Identity Certificate
Devices -> Certificates
Objects -> Object Management -> PKI -> Cert Enrollment
AnyConnect image
Objects -> Object Management -> VPN -> AnyConnect File
AD/LDAP Realm
System -> Integration -> Realms
RADIUS Server Group
Objects -> Object Management -> RADIUS Server Group
FTD sends two attributes during Authentication & Authorization
Client Type (150) & Connection Profile Name or Tunnel Group Name (146)
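The two attributes above are what a RADIUS server keys its VPN authorization policy on. The following is an added example (not Cisco's or the course's code) that builds an RFC 2865 Access-Request carrying User-Name, an encoded User-Password, and the two vendor-specific attributes 146 and 150, then parses such a packet back into the fields an administrator would match on. Assumptions not on the page: the attributes travel as Vendor-Specific (26) sub-attributes under Cisco's enterprise number 3076, and the Client-Type value names come from Cisco ASA RADIUS documentation; the shared secret, username, password and connection profile name are constructed.

```python
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2865 packet code and standard attribute types
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26

# Cisco VPN vendor-specific attributes. Vendor id 3076 is the enterprise number Cisco
# uses for its ASA/FTD VPN attributes (assumption from Cisco ASA RADIUS documentation,
# not stated on the slide).
CISCO_VPN_VENDOR_ID = 3076
VSA_TUNNEL_GROUP_NAME = 146   # Connection Profile Name / Tunnel Group Name
VSA_CLIENT_TYPE = 150         # Client Type
# Client-Type values per Cisco ASA documentation (assumption, not on the slide)
CLIENT_TYPES = {2: "AnyConnect SSL VPN", 6: "AnyConnect IPsec/IKEv2 VPN"}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; the chain is keyed by the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte counts the type and length bytes too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vendor_attribute(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26 wrapping a vendor id and one vendor TLV (RFC 2865 5.26)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         tunnel_group: str, client_type: int,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying the credentials plus the two VSAs the slide lists."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encode_user_password(password.encode(), secret, authenticator))
             + vendor_attribute(CISCO_VPN_VENDOR_ID, VSA_TUNNEL_GROUP_NAME, tunnel_group.encode())
             + vendor_attribute(CISCO_VPN_VENDOR_ID, VSA_CLIENT_TYPE, struct.pack("!I", client_type)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> List[Tuple]:
    """Walk the attribute list; VSAs come back as ("vsa", vendor, vendor_type, data)."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short vendor-specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            attrs.append(("vsa", vendor, vendor_type, value[6:4 + vendor_len]))
        else:
            attrs.append(("attr", attr_type, value))
        pos += attr_len
    return attrs


def vpn_request_summary(packet: bytes, secret: bytes) -> Dict[str, object]:
    """The fields a RADIUS administrator would match authorization rules on."""
    authenticator = packet[4:20]
    summary: Dict[str, object] = {}
    for item in parse_attributes(packet):
        if item[0] == "attr" and item[1] == ATTR_USER_NAME:
            summary["user"] = item[2].decode()
        elif item[0] == "attr" and item[1] == ATTR_USER_PASSWORD:
            summary["password"] = decode_user_password(item[2], secret, authenticator).decode()
        elif item[0] == "vsa" and item[1] == CISCO_VPN_VENDOR_ID:
            if item[2] == VSA_TUNNEL_GROUP_NAME:
                summary["tunnel_group"] = item[3].decode()
            elif item[2] == VSA_CLIENT_TYPE:
                client_type = struct.unpack("!I", item[3])[0]
                summary["client_type"] = client_type
                summary["client_type_name"] = CLIENT_TYPES.get(client_type, "unknown")
    return summary
```

Because the User-Password hiding is only an MD5 keystream derived from the shared secret, the packet gives an observer no protection beyond that secret; keep RADIUS traffic between FTD and the server on a management network or inside an IPsec tunnel.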
Configuration
Create a VPN Policy
Devices -> VPN -> Remote Access
Optional Configurations
Modify ACP
Unless using sysopt permit-vpn
NAT Exemption
Split Tunneling
Configuration
Optional Configurations
IP Address Pool
E.g. Objects -> Object Management -> Address Pools
Connection Profile Settings
Group Policy attributes are NOT inherited
DfltGroupPolicy attributes are only used if no custom policy was specified
Routing for VPN Authentication
Management-only RIB routes are preferred over the data interface routes
Make sure that your AAA server is reachable via the correct interface