
External Authentication with

RADIUS

Copyright © www.ine.com
Module Overview
External Authentication overview

Hands-on example: RADIUS on ISE

External Authentication Overview
FMC supports two types of external authentication servers
LDAP & RADIUS

Represented through an External Authentication Object


Server settings
Permissions (User Roles)
User List
AV pair
Default User Role
The platform default role is used if none is defined in the object (on certain platforms)
CLI/Shell

Configuration
Add External Authentication Object for a RADIUS server
System -> Users -> External Authentication
Specify server settings
Configure Permissions
Optional Configuration
Restrict Shell access
Add Custom Attributes
Enable External Authentication
Save and Apply

FlexConfig

Module Overview
FlexConfig overview

Configuration

FlexConfig Overview
A tool used to configure features not yet supported through FMC
Use cases
ASA to FTD migration
Problem solving

Implemented through FlexConfig Policies


A series of FlexConfig Objects
ASA CLI code
(Optional) Scripts and/or Variables
See configuration guide “FlexConfig Policies for Firepower Threat Defense”
Objects can be appended (default) or prepended
A set of predefined Objects exist to provide tested configurations

Configuration
Prerequisites
Software version
show version (GUI: System -> Health -> Monitor -> Advanced Troubleshooting)
CLI syntax
show running-config [all]

Look for existing Objects or create your own


Objects -> Object Management -> FlexConfig
Don’t add enable or configure terminal
Adjust Variables if needed (Text Objects and/or other)

Configure Policy (Devices -> FlexConfig) & deploy

High Availability

Module Overview
High Availability options

Failover configuration

High Availability Options
Interface
Redundant Interface
EtherChannel

FTD System
Active/Standby Failover
Clustering
4100 & 9300 platforms

FMC
Active-Standby redundancy
System -> Integration -> High Availability

Failover Configuration
Prerequisites
The following must match between the units
Model
Number & types of interfaces
Firewall mode
Major/minor/maintenance software version
NTP configuration
Licenses
Both devices must be registered with FMC with no uncommitted changes

Add a failover pair


Device -> Device Management -> Add High Availability

SSL Policy

Module Overview
SSL Policy & components overview

HTTPS decryption

Configuration

SSL Policy Overview
FTD cannot inspect encrypted traffic by default

SSL Policy applications


HTTPS decryption
Selective blocking of encrypted traffic

Activating SSL Policy changes encrypted traffic handling behavior


SSL Policy is used before ACP

HTTPS Decryption
FTD supports two SSL/TLS decryption methods
Known Key
Used for traffic coming to your network/servers
Server’s Private Key is uploaded to FTD
FTD decrypts the client-server traffic on the fly
Resign
Used for traffic to external servers
FTD splits the original session into two: client to FTD & FTD to server
The original server’s certificate is modified & resigned by FTD

Decrypted web traffic is still subject to ACP inspections

Decryption Considerations
Decryption may place a severe load on FTD
SSL Policy can block traffic selectively without decrypting it
URLs, certificate status, SSL/TLS version, cipher suite & more

URL handling
Server’s certificate
Does not work for wildcard certificates
Server Name Indication (SNI)
A browser includes the website’s hostname inside the TLS Client Hello

SSL Policy Actions
Monitor
Log & check other rules

Block (with Reset)


Immediately block traffic

Don’t Decrypt
Typically used for adding exceptions

Decrypt Known Key / Decrypt Resign


Perform decryption & send clear-text traffic to the ACP

Configuration
Define PKI objects by importing the right certificates
Objects -> Object Management -> PKI
Internal CA
Internal CA’s certificate (“keyCertSign” usage) & keys
Needed for “Decrypt Resign” rules
Internal Certificate
Your server’s certificate & keys
Needed for “Decrypt Known Key” rules

Configuration
Create a new SSL Policy & add rules
Policies -> Access Control -> SSL

Activate the Policy


Policies -> Access Control -> Advanced

QoS Policy

Module Overview
QoS Policy overview

Configuration

QoS Policy Overview
FTD supports traffic rate-limiting through a QoS Policy
Requires traffic to match the ACP’s “Allow” or “Trust” rules
It is never used for prefiltered or blocked traffic

Only one active QoS Policy is supported per managed device

Configuration
Define a QoS Policy
Devices -> QoS
Add rule(s)

Deploy configuration

Verification
show service-policy

Correlation Policy

Module Overview
Correlation overview

Policy components

Configuration

Correlation Overview
Allows tying events together to trigger a violation
E.g. for security decision automation

Correlation Policy
Correlation Rules
Criteria for violations
Built using Event Types and/or Constraints
Compliance White Lists
Host criteria for violations
Correlation Responses
Triggered in response to a violation
Configured as Alerts or Remediations

Correlation Rules
Event Types
Intrusion/Malware/Discovery/Host Input/Connection Event
User activity
Traffic profile change

Constraints
Host Profile Qualification
User Qualification
Connection Tracker
Snooze Period
Inactive Period

Compliance White Lists
Host-specific criteria for a violation
Targets
Host Profiles
Operating System, applications & more

Default White List


Talos-recommended settings
Applies to all endpoints (0.0.0.0/0)

Compliance White List rules & Correlation rules are independent

Correlation Responses
Alerts
Email, SNMP, Syslog

Remediations
ISE Endpoint Protection Service (EPS)
IOS Null Route
NMAP Scanning
Set Attribute Value

Configuration
Prepare Policy components
Rules
Policies -> Correlation -> Rule Management
White Lists
Policies -> Correlation -> White List
Responses
Policies -> Actions -> Alerts
Policies -> Actions -> Instances

Create a Correlation Policy


Policies -> Correlation -> Policy Management
Add rules & enable it

FTD VPN

Module Overview
VPN on FTD overview

Supported features

Certificate considerations

VPN on FTD Overview
Supported VPN Types
Site-to-Site
IPsec IKEv1/IKEv2
Remote Access
IPsec IKEv2 or SSL/TLS

Supported Features
General
IPv6
Remote Access
Split Tunneling
AnyConnect
Core features (check documentation)

Supported Features
Authentication
Site-to-Site
Certificates or PSK
Remote Access
Gateway - certificates
Clients - certificates, AAA (RADIUS, LDAP, AD) or both
Authorization & Accounting are available via RADIUS only
Local database is not supported for AAA

Certificate Considerations
Supported CAs include Microsoft, Cisco IOS & ASA
FTD cannot act as a CA

RSA keys are the only ones that work as of 6.2

Enrollment methods
Self-signed
SCEP
Manual

Site-to-Site
IPsec IKEv1

Module Overview
Configuration

Implementation scenario

Configuration
Certificate Setup (optional)
Devices -> Certificates

Tunnel Configuration
Devices -> VPN -> Site To Site

Verification & Troubleshooting


Overview -> Dashboards -> Access Controlled User Statistics -> VPN
Devices -> VPN -> Troubleshooting

Remote Access
SSL/TLS

Module Overview
Configuration

Implementation scenario

Configuration
Prerequisites
Identity Certificate
Devices -> Certificates
Objects -> Object Management -> PKI -> Cert Enrollment
AnyConnect image
Objects -> Object Management -> VPN -> AnyConnect File
AD/LDAP Realm
System -> Integration -> Realms
RADIUS Server Group
Objects -> Object Management -> RADIUS Server Group
FTD sends two attributes during Authentication & Authorization
Client Type (150) & Connection Profile Name or Tunnel Group Name (146)

Configuration
Create a VPN Policy
Devices -> VPN -> Remote Access

Add an AnyConnect Profile XML


AnyConnect Profile Editor

Optional Configurations
Modify ACP
Unless using sysopt permit-vpn
NAT Exemption
Split Tunneling

Configuration
Optional Configurations
IP Address Pool
E.g. Objects -> Object Management -> Address Pools
Connection Profile Settings
Group Policy attributes are NOT inherited
DfltGroupPolicy attributes are only used if no custom policy was specified
Routing for VPN Authentication
Management-only RIB routes are preferred over the data interface routes
Make sure that your AAA server is reachable via the correct interface
