
Firewall Innovation and Transformation
- a closer look at ASA and Firepower -

Ciara Campbell - Bart Van Hoecke - Dragan Novakovic - Gyorgy Acs - Stefan Duernberger
TECSEC-2600
Picture Puzzle
[picture] + Berlin Ale = Berlinale (the film festival)
TECSEC-2600 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Ciara Campbell | Ireland
Bart Van Hoecke | Belgium
Stefan Duernberger | Germany
Gyorgy Acs | Hungary
Dragan Novakovic | Serbia


Agenda
• Hardware | Software Overview
• Cisco NextGen Firewall Management
• Major Software Features
• Cross-Architectural integration
• What we won't cover
  • FWSM, ASA-SM, AnyConnect, Clientless SSLVPN, cloud-based NGFW
Housekeeping
• We value your feedback - don't forget to complete your online session evaluations after each session
• Visit the World of Solutions
• Meet the Expert
• Please remember this is a 'non-smoking' venue
• Please switch off your mobile phones

Housekeeping (cont.)
• Please note the handout material has many more slides than presented
• Various slides are marked "For Your Reference" for your own rehearsal and will not be covered in detail
• Breaks for coffee and lunch
  • 11.00 – 11.15
  • 13.15 – 14.15
  • 16.15 – 16.30
• Techtorial ends 6.30pm

Session Objectives
• This is an intermediate level technical seminar
• At the end of this session, participants should have:
  • Understanding of the in-depth hardware and software capabilities
  • Knowledge of Cisco's NextGen Security
  • Cross-Architectural integration
• We want this class to be informal, with open discussion
• Be collaborative, curious and ask questions
• Enjoy your time

Related sessions
• Protecting the Network with Firepower NGFW LTRSEC-2101
• NGFW Clustering Deep Dive BRKSEC-3032
• A Deep Dive into using the Firepower Manager BRKSEC-2058
• Firepower Platform Deep Dive BRKSEC-3035
• ASA Firepower NGFW typical deployment scenarios BRKSEC-2050
• Dissecting Firepower-NGFW(FTD) & Firepower-Services: Design &
Troubleshooting BRKSEC-3455

Hardware | Software Overview
Security Software Convergence
• Two appliances, two management consoles: ASA FW and Firepower NGIPS as separate boxes
• One appliance, two images, two management consoles: ASA with Firepower Services (ASA FW + Firepower NGIPS in one box)
• One appliance, one image, one management console: Firepower Threat Defense (FTD)

Security Software Convergence
ASA
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection
FirePOWER
• Threat-centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection
Firepower Threat Defense (FTD)
• New converged NGFW/NGIPS image
• Full FirePOWER functionality for NGFW/NGIPS deployments
• ASA Datapath with TCP Normalizer, NAT, ACL, dynamic routing, failover functions

Hardware Platforms
[Slide positions the platforms by segment and throughput, left to right: SMB/Teleworker 100-250Mb | Branch Office 450Mb-1Gb | Internet Edge + Campus 1.2Gb-60Gb | Data Center up to 225Gb]
Platforms shown, smallest to largest: ASA 5506-X, ASA 5508-X, ASA 5516-X, ASA 5512/15-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X SSP10/20/40/60, Firepower 4110/20/40/50, Firepower 9300; ISA3000; FirePOWER 7000/8000 NGIPS; virtual: ASAv, FTDv, NGIPSv

Software Support by Platform

Platform                                    Firepower Threat Defense   Firepower NGIPS   ASA Firewall   Firepower Services on ASA
FirePOWER 7000 Series                       ✗                          ✓                 ✗              ✗
FirePOWER 8000 Series                       ✗                          ✓                 ✗              ✗
ASA Low-end (5506/08/16)                    ✓                          ✗                 ✓              ✓
ASA Mid-Range (5512/15/25/45/55)            ✓                          ✗                 ✓              ✓
ASA High-end (5585 SSP-10/20/40/60)         ✗                          ✗                 ✓              ✓
Firepower 2100                              ✓                          ✗                 ✗              ✗
Firepower 4100, 9300 (SSP 3RU - SM-24/36)   ✓                          ✗                 ✓              ✗
VMware                                      ✓                          ✓                 ✓              ✗
AWS                                         ✓                          ✗                 ✓              ✗

Performance Highlights: Cisco ASA 5500-FTD-X Models (For Your Reference)

                                       5506-FTD-X   5508-FTD-X   5516-FTD-X   5525-FTD-X   5545-FTD-X   5555-FTD-X
Firewall Throughput (ASA)              750 Mbps     1 Gbps       1.8 Gbps     2 Gbps       3 Gbps       4 Gbps
Throughput: FW + AVC (FTD)(1)          250 Mbps     450 Mbps     850 Mbps     1100 Mbps    1500 Mbps    1750 Mbps
Throughput: FW + AVC + NGIPS (FTD)(1)  125 Mbps     250 Mbps     450 Mbps     650 Mbps     1000 Mbps    1250 Mbps

(1) HTTP sessions with an average packet size of 1024 bytes.

Performance Highlights: Cisco Firepower Models (For Your Reference)

                                       4110      4120      4140      4150      9300 with 1 SM-24   9300 with 1 SM-36   9300 with 1 SM-44   9300 with 3 SM-44
Firewall Throughput (ASA)              35 Gbps   60 Gbps   70 Gbps   75 Gbps   75 Gbps             80 Gbps             80 Gbps             234 Gbps
Throughput: FW + AVC (FTD)(1)          12 Gbps   20 Gbps   25 Gbps   30 Gbps   30 Gbps             42 Gbps             54 Gbps             135 Gbps
Throughput: FW + AVC + NGIPS (FTD)(1)  10 Gbps   15 Gbps   20 Gbps   24 Gbps   24 Gbps             34 Gbps             53 Gbps             133 Gbps

(1) HTTP sessions with an average packet size of 1024 bytes.

Firepower Management Center
Firepower Management Center (FMC)
• Defense Center -> FireSIGHT Management -> Firepower Management Center
• Physical and Virtual Appliances
• Physical FMC Models:
• DC750
• FS2000
• FS4000

• Models are based on the UCS C220 M3 series except for the DC750

Firepower Management Center Scaling (For Your Reference)

                               FS750        FS2000                               FS4000                               FS-VMW-SW
Managed Sensors                10           70                                   300                                  2*, 10*, 25
Max IPS Events                 20 million   60 million                           300 million                          10 million
Max Network Map (hosts/users)  2k/2k        150k/150k                            600k/600k                            50k/50k
Max Flow Rate (fps)            2k fps       12k fps                              20k fps                              Varies**
Network Interfaces             2 x 1Gbps    2 x 1Gbps, 2 x 10Gbps (optional)     2 x 1Gbps, 2 x 10Gbps (optional)     --

*The 2- and 10-device Virtual Firepower Management Centers are part of a promotional offer to manage FirePOWER Services or Firepower Threat Defense on ASA-X series hardware. They should not be used for managing independent FirePOWER sensors.
**Depends on VM Resources
Firepower 9300
Firepower 9300 Overview (3RU)
Supervisor
• Application deployment and orchestration
• Network attachment and traffic distribution
• Clustering base layer for ASA/FTD
Network Modules
• 10GE, 40GE, and 100GE
• Hardware bypass for inline NGIPS
Security Modules
• Embedded Smart NIC and crypto hardware
• Cisco (ASA, FTD) and third-party (Radware DDoS) applications
• Standalone or clustered within and across chassis

Supervisor Module
[Front panel, left to right: RJ-45 Console | 1GE Management (SFP) | Built-in 10GE Data (SFP+) | Optional Network Modules (NM) 1 and 2]
• Overall chassis management and network interaction
• Network interface allocation and module connectivity (960Gbps internal fabric)
• Application image storage, deployment, provisioning, and service chaining
• Clustering infrastructure for supported applications
• Smart Licensing and NTP for entire chassis

Supervisor Simplified Hardware Diagram
[Diagram: x86 CPU and RAM on the System Bus; the Ethernet path goes through the Internal Switch Fabric (up to 24x40GE). The fabric connects to Security Module 1, 2 and 3 at 2x40Gbps each, to the on-board 8x10GE interfaces at 2x40Gbps, and to NM Slot 1 and NM Slot 2 at 5x40Gbps each.]

Standard Network Modules
• All interfaces are called “Ethernet” (i.e. Ethernet 1/1)
• All standard network modules require fiber or copper transceivers
8x10GE
• Firepower 4100 and 9300
• Single width
• 1GE/10GE SFP
4x40GE
• Firepower 4100 and 9300
• Single width
• 4x10GE breakouts for each 40GE port
2x100GE
• Firepower 9300 only
• Double width
• QSFP28 connector
• No breakout support

Hardware Bypass Fail-to-Wire Network Modules
• Fixed interfaces, no removable SFP support
• NGIPS inline interfaces for standalone FTD 6.1 only
• Sub-second reaction time to application, software, or hardware failure
8x1GE
• Firepower 4100 only
• Single width
• 1GE copper
6x1/10GE
• Firepower 4100 and 9300
• Single width
• 1GE fiber SX, 10GE SR or LR
2x40GE
• Firepower 4100 and 9300
• Single width
• 40GE SR4
• No 10GE breakout support

Firepower 9300 Security Modules
• Same modules must be installed across entire chassis or cluster
  • SM-44: 88 x86 CPU cores (10-15% higher performance than SM-36)
  • SM-36: 72 x86 CPU cores
  • SM-24: 48 x86 CPU cores
• x86 Turbo Mode for all security modules
  • Triggered when 25% of ASA cores reach 80% load
  • Disabled when all ASA cores drop below 60% load
  • Increases performance by 10-20%

Security Module Simplified Diagram
[Diagram: 256GB RAM and two x86 CPUs on the System Bus (SM24: 24 cores per CPU, SM36: 36 cores per CPU, SM44: 44 cores per CPU). The Ethernet path runs from the CPUs at 2x100Gbps to the Smart NIC and Crypto Accelerator, which connects to the Supervisor over the backplane at 2x40Gbps.]

Firepower 9300 Software
• Supervisor and security modules use multiple independent images
• All images are digitally signed and validated through Secure Boot
• Security application images are in Cisco Secure Package (CSP) format
[Diagram: Security Module 1, 2 and 3 each run FXOS (the resident provisioning agent), a primary application from Cisco running natively (ASA), and optionally a decorator application from a third party (DDoS) running on KVM*. The Supervisor runs the Firepower Extensible Operating System (FXOS) and stores the CSP application images. FXOS upgrades are applied to the Supervisor and to the resident provisioning agent on the modules.]
*3rd party packages will run on KVM

Security Services Architecture
[Diagram: a Logical Device (an ASA Cluster) spans Security Module 1, 2 and 3. Each module hosts one Logical Device Unit made of the Primary Application (ASA) and a Decorator Application (DDoS) joined by a Decorator Link, with the Logical Packet Flow passing through both. The Supervisor provides the data interfaces PortChannel2 (Data Outside) and PortChannel1 (Data Inside), built from the on-board 8x10GE interfaces (Ethernet 1/1-8) and the 4x40GE network modules in Slot 1 (Ethernet 2/1-4) and Slot 2 (Ethernet 3/1-4); Ethernet1/7 is used for Management. The Supervisor also holds the Application Image Storage.]

Firewall Clustering (see BRKSEC-3032)
[Diagram: a Clustered Firewall of several members sitting between Inside and Outside]
• Centralized configuration mirrored to all members
• Connection state preserved after a single member failure
• Stateless load-balancing via Spanned Etherchannel
• Out-of-band Cluster Control Link to compensate for external asymmetry
• Elastic scaling of throughput and maximum concurrent connections

FTD Inter-chassis vs Intra-chassis clustering
FTD Inter-Chassis Cluster (with FTD 6.2)
• Cluster of up to 6 modules (in 2 chassis)
• Off-chassis flow backup for complete redundancy
[Diagram: Switch 1 and Switch 2 (Nexus vPC) connect to FP9300 Chassis 1 and FP9300 Chassis 2; each chassis has a Supervisor and FTD modules, and the FTD modules of both chassis form one FTD Cluster.]
FTD Intra-Chassis Cluster
• Modules can be clustered within chassis
• Bootstrap configuration is applied by Supervisor
Inter-chassis clustering
• FTD Inter-chassis clustering: 6-blade units
  • 6 x 1 RU (4100)
  • 3 x 2 SM (9300)
  • 2 x 3 SM (9300)
• ASA Inter-chassis clustering: 16-blade units
  • 16 x 1 RU (4100)
  • 8 x 2 SM (9300)
  • 4 x 3 SM (9300)

Firepower 4100
Firepower 4100 Overview (1RU)
Built-in Supervisor and Security Module
• Same hardware and software architecture as 9300
• Fixed configurations (4110, 4120, 4140, 4150)
Solid State Drives
• Independent operation (no RAID)
• Slot 1 today provides limited AMP storage
• Slot 2 provides optional AMP storage
Onboard Connectivity
• 8 x 10G SFP
Network Modules
• 10GE/40GE interchangeable with 9300
• Partially overlapping fail-to-wire controller options

Firepower 4100 Logical Diagram
[Diagram, security engine side: RAM (4110: 64GB, 4120: 128GB, 4140: 256GB, 4150: 256GB) and two x86 CPU sockets on the System Bus (4110: 12 cores, second CPU N/A; 4120: 12 + 12 cores; 4140: 36 + 36 cores; 4150: 44 + 44 cores). The CPUs connect to the Smart NIC and Crypto Accelerator at 1x100Gbps (4110) or 2x100Gbps (4120-4150); the Smart NIC connects to the Internal Switch Fabric at 1x40Gbps (4110) or 2x40Gbps (4120-4150).]
[Diagram, supervisor side: x86 CPU and RAM; Internal Switch Fabric (up to 18x40GE) with 2x40Gbps to the on-board 8x10GE interfaces and 5x40Gbps each to NM Slot 1 and NM Slot 2.]

Firepower 4110 - HW Components
Supervisor Module
• Console and Management Port
• 8 x 10G Fixed Ethernet Ports
• 2 x Network Modules
Security Engine
• Single CPU connected with a Smart NIC and Crypto accelerator card
• Two SSD (1 Default + 1 Optional for AMP service)
• SSD Size: 200GB
[Diagram: the Security Engine's x86 CPU and RAM connect at 100Gbps to the Smart NIC + Crypto Accelerator, which connects at 40Gbps to the Internal 720G Switch Fabric; the two SSDs attach to the Security Engine. The fabric connects at 2x40Gbps to the built-in 8x10GE interfaces and at 5x40Gbps each to NM Slot 1 and NM Slot 2 (8x 10G or 4x 40G Network Module). Console and Mgmt. Port are on the Supervisor.]

Firepower 4120, 4140 and 4150 - HW Components
Supervisor Module
• Console and Management Port
• 8 x 10G Fixed Ethernet Ports
• 2 x Network Modules
Security Engine
• Dual CPU, each connected with a Smart NIC and Crypto accelerator card
• Two SSD (1 Default + 1 Optional for AMP service)
• SSD Size
  • 200GB for 4120
  • 400GB for 4140 and 4150
[Diagram: the Security Engine's two x86 CPUs and RAM connect at 2 x 100Gbps to the Smart NIC + Crypto Accelerator, which connects at 2 x 40Gbps to the Internal 720G Switch Fabric; the two SSDs attach to the Security Engine. The fabric connects at 2x40Gbps to the built-in 8x10GE interfaces and at 5x40Gbps each to NM Slot 1 and NM Slot 2 (8x 10G or 4x 40G Network Module). Console and Mgmt. Port are on the Supervisor.]

Firepower 4100 Series Hardware Specification (For Your Reference)

Description                    FP 4110                  FP 4120                FP 4140                FP 4150
Chassis & I/O                  1RU, 2x Network Module slots, 8 Fixed SFP+ ports, 2 SSD slots, Dual PSU Slots (all models)
PSU – Default CFG              Single AC                Single AC              Redundant AC           Redundant AC
Processor - Xeon               Single, 12 Core          Dual, 12 Core          Dual, 18 Core          Dual, 22 Core
DDR4 RAM                       64GB                     128GB                  256GB                  256GB
SSD – Default CFG              1 x 200GB                1 x 200GB              1 x 400GB              1 x 400GB
Security Acceleration Module   Single Accelerator Card  Dual Accelerator Card  Dual Accelerator Card  Dual Accelerator Card

• 10 and 40G Port Modules are same for both FP 9300 and FP 4100 Series
• DC Power Supply optional
• NEBS Certification completion for FP 4120 and FP 4140

Firepower 4100 Software
• FXOS provides interface for device management and provisioning of the security application on security engine
• All images are digitally signed and validated through Secure Boot
• Security application images are in Cisco Secure Package (CSP) format
• DDoS support on Firepower 4120 - 4150
[Diagram: the Security Engine runs FXOS, the primary application from Cisco (ASA or FTD, native) and a decorator application from a third party (DDoS, on KVM); the Supervisor runs the Firepower Extensible Operating System (FXOS).]

ASA Appliances
ASA 5500-X Appliances
On-Board
• 6 GE copper 5512-5525-X
• 8 GE copper 5545-5555-X
• Dual Power Supplies 5545-5555-X
Solid State Drives
• One Hard Disk Drive 5512-5525-X
• Redundant Hard Disk Drives 5545-5555-X
Expansion Slot
• 6 GE copper or 6 GE Small Form-Factor Pluggable (SFP)
Models: ASA5512-X, ASA5515-X, ASA5525-X, ASA5545-X, ASA5555-X

ASA 5500-X Appliances
[Diagram: CPU and RAM on the System Bus, with Management0/0 (1GE). Bus 0 and Bus 1 lead to the Ethernet block, the Crypto Engine and the IPS Accelerator**. The Expansion Card provides 6x1Gbps external NICs (6x1GE External Interfaces); the on-board NICs are 6x1Gbps* or 8x1Gbps** (6x1GE* or 8x1GE** On-board Interfaces).]
*ASA5512-X and ASA5515-X
**ASA5525-X and higher
ASA 5585-X Chassis (2RU)
On-Board
• 2 10GE Fiber + 8 GE copper 5585-SSP10/20
• 4 10GE Fiber + 6 GE copper 5585-SSP40/60
• Dual Power Supplies
Security Service Processors
• Multi-services capable
• Dedicated 64bit multi-core processors
• SSP-10, SSP-20, SSP-40, SSP-60
Solid State Drives
• Two hard disk drives in a RAID 1 configuration
• Only on FirePOWER SSP

ASA 5585-X Extended Performance Models
• ASA 5585-S10F40: S10F40 - ASA5585-S10F40-K9
• ASA 5585-S20F60: S20F60 - ASA5585-S20F60-K9
• Requires ASA 9.3.2 and FP 5.4.0.1
• Optimized performance when running multiple services at once (e.g., IPS+AVC+AMP)
• Offers predictable/constant performance as additional services are activated
• Offers scalable growth for future services

ASA 5585-X Appliances
[Diagram: CPU Complex (SSP-10: 1 CPU, 4 cores; SSP-20: 1 CPU, 8 cores; SSP-40: 2 CPU, 16 cores; SSP-60: 2 CPU, 24 cores), RAM and Crypto Complex on the System Bus, plus 2x1GE Management Ethernet. MAC 1 and MAC 2 (MAC 2 on SSP-40/60 only) connect at 2x10Gbps each to the Internal Switch Fabric, which feeds the On-board 10GE interfaces* (4x10Gbps), the On-board 1GE interfaces (10Gbps) and the Expansion Slot SSP (6x10Gbps).]
*2 on SSP-10/20 and 4 on SSP-40/60

Firepower Threat Defense (FTD) - Packet Processing
Day in the life of a packet
Packet Processing - Overview
• A packet enters the ingress interface and is handled by the datapath
• If the policy dictates so, the packet is inspected by the advanced inspection engines
• The advanced inspection engines return a verdict for the packet
• The datapath drops or forwards the packet based on the verdict
[Diagram: Packets flow through the Datapath, which hands them to the Advanced Inspection Engines and receives a Verdict back]

FTD CLI configuration modes
• Three CLI modes: CLISH mode (the '>' prompt), Expert mode (the Linux shell entered with 'expert') and the ASA-style datapath console entered with lina_cli (the 'firepower#' prompt):

> expert
admin@FTD5506-1:~$ sudo su
Password:
root@FTD:/home/admin# lina_cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower#

FTD troubleshooting tools (For Your Reference)
• FTD datapath capture is the same as the one on classic ASA appliances
> system support diagnostic-cli
firepower# capture CAP interface inside match ip host 1.1.1.1 host 2.2.2.2

> capture CAP interface inside match ip host 1.1.1.1 host 2.2.2.2

• FTD advanced inspection engine capture is the same as on classic NGIPS Firepower appliances
> system support capture-traffic

• Additionally, ‘expert’ mode tcpdump can be used to capture control-plane traffic to and from the br1 interface

For your reference: http://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200867-Working-with-Firepower-Threat-Defense-F.html

FTD troubleshooting tools (For Your Reference)
• As on classic ASA appliances the FTD datapath capture can be combined with Packet Tracer to show how a real packet was processed
> show capture CAPI packet-number 1 trace
Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet

FTD troubleshooting tools (For Your Reference)
• FW Engine Debug comes from classic Firepower appliances
• It is executed in CLISH CLI and it runs against the following advanced inspection engine components:

> system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.75.14
Please specify a client port:
Please specify a server IP address: 192.168.76.14
Please specify a server port:
Monitoring firewall engine debug messages

Packet Processing – Ingress Interface
• Packet arrives on ingress interface
• Input counters are incremented by NIC and periodically retrieved by CPU
• Similarly to classic ASA, input queue (RX ring) is an indicator of packet load
> show interface g1/2 detail

47770671 packets input, 7620806887 bytes, 0 no buffer
Received 23734506 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
input queue (blocks free curr/low): hardware (1008/800)
output queue (blocks free curr/low): hardware (1023/985)

Packet Processing – Defrag Policy
• In case a packet is fragmented, datapath fragment policy drops or reassembles the fragments
• Datapath fragment settings are globally configured
• Global fragment settings can be overwritten by interface-specific settings
> show fragment
Interface: inside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 0, Overflow: 0

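The ingress counters and the fragment statistics above are outputs an operator polls repeatedly while chasing packet loss. As an added example (not from the deck and not a Cisco tool), the following Python script parses both outputs as quoted on the slides and flags the indicators the slides point to: an RX ring whose low-water mark of free blocks approached zero (the ring filled at peak load and the CPU could not drain it), non-zero no-buffer, overrun or input-error counters, and fragment reassembly failures or overflows. The sample outputs, the second 'outside' fragment entry with its non-zero counters, and the 20% low-water threshold are constructed for the example.

```python
"""Added example, not from the TECSEC-2600 deck: health checks over the FTD
datapath 'show interface <if> detail' and 'show fragment' outputs.
Sample outputs are constructed from the slide excerpts; the 'outside' fragment
entry and its non-zero counters are invented for the example."""
import re

# Constructed sample, mirroring the slide's 'show interface g1/2 detail' excerpt
SHOW_INTERFACE = """\
    47770671 packets input, 7620806887 bytes, 0 no buffer
    Received 23734506 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    input queue (blocks free curr/low): hardware (1008/800)
    output queue (blocks free curr/low): hardware (1023/985)
"""

# Constructed sample: the slide's 'inside' entry plus an invented 'outside' entry
SHOW_FRAGMENT = """\
Interface: inside
    Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: outside
    Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Queue: 3, Assembled: 120, Fail: 7, Overflow: 2
"""

INTERFACE_COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "no_buffer": r"(\d+) no buffer",
    "input_errors": r"(\d+) input errors",
    "overrun": r"(\d+) overrun",
    # 'blocks free curr/low': free RX ring blocks now / the fewest ever observed
    "rx_free_curr": r"input queue \(blocks free curr/low\): hardware \((\d+)/\d+\)",
    "rx_free_low": r"input queue \(blocks free curr/low\): hardware \(\d+/(\d+)\)",
}


def parse_interface(text):
    """Extract the ingress-load counters as a dict of ints."""
    counters = {}
    for name, pattern in INTERFACE_COUNTERS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"counter {name!r} not found in output")
        counters[name] = int(match.group(1))
    return counters


def parse_fragment(text):
    """Return {interface: {Size, Chain, Timeout, Reassembly, Queue, Assembled, Fail, Overflow}}."""
    table, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Interface:\s*(\S+)", line)
        if header:
            current = header.group(1)
            table[current] = {}
            continue
        if current is None:
            continue
        for key, value in re.findall(r"(\w+):\s*(\w+)", line):
            table[current][key] = int(value) if value.isdigit() else value
    return table


def interface_findings(counters, low_water_ratio=0.2):
    """Flag an RX ring that came close to exhaustion, plus drop counters.
    The low-water mark is the fewest free blocks ever seen; near zero means the
    ring filled up at some point. The 20% ratio is an assumed threshold."""
    findings = []
    if counters["rx_free_low"] <= counters["rx_free_curr"] * low_water_ratio:
        findings.append("rx ring nearly exhausted at peak load")
    for name in ("no_buffer", "overrun", "input_errors"):
        if counters[name] > 0:
            findings.append(f"{name} is non-zero ({counters[name]})")
    return findings


def fragment_findings(table):
    """Flag interfaces whose fragment policy failed, overflowed or is at capacity."""
    findings = []
    for ifname, stats in table.items():
        if stats.get("Fail", 0) or stats.get("Overflow", 0):
            findings.append(f"{ifname}: reassembly Fail={stats['Fail']} Overflow={stats['Overflow']}")
        if "Size" in stats and stats.get("Queue", 0) >= stats["Size"]:
            findings.append(f"{ifname}: fragment queue at configured Size={stats['Size']}")
    return findings


if __name__ == "__main__":
    for finding in interface_findings(parse_interface(SHOW_INTERFACE)):
        print("interface:", finding)
    for finding in fragment_findings(parse_fragment(SHOW_FRAGMENT)):
        print("fragment:", finding)
```

On the slide's own numbers the interface check stays quiet (800 of 1008 blocks were still free at the worst moment); the invented 'outside' entry trips the fragment check, which is the condition to correlate with the fragment settings on the interface.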
Packet Processing – Connection Lookup
• Datapath checks for existing connection
• If a match is found, packet uses Fast Path bypassing basic checks
firepower# show capture CAPO packet-number 2 trace
2 packets captured
2: 12:51:51.094691 192.168.76.14 > 192.168.75.14: icmp: echo reply
...
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1541, using existing flow
Packet Processing – VPN Decryption
• IKEv1 and IKEv2 are supported
• ‘no sysopt connection permit-vpn’ is enforced
  • This implies that VPN decrypted traffic has to be explicitly allowed

Packet Processing – VPN Decryption
• ‘same-security-traffic permit intra-interface’ implicitly enabled (hairpinning capable)
• Only Tunnel mode is supported (no Transport mode)
• Supports tunnel with a 3rd party VPN device (Extranet)
• 3 different VPN deployment topologies
  • Point-to-Point, Hub and Spoke, Full Mesh
• No GETVPN, DMVPN, EzVPN support

Packet Processing – UN-NAT/Egress Interface
• Egress interface determination
  • In case there is Destination NAT (UN-NAT) the egress interface will be determined based on the NAT rule, unless route lookup is preferred (identity NAT)
firepower# show capture DMZ packet-number 3 trace detail
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static Host-A Host-B
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.76.100/0 to 192.168.75.14/0
Packet Processing – UN-NAT/Egress Interface (For Your Reference)
• UN-NAT Example
firepower# show capture DMZ packet-number 3 trace detail
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static Host-A Host-B
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.76.100/0 to 192.168.75.14/0

• Route Lookup Example
firepower# show asp table routing
route table timestamp: 449
in 192.168.75.0 255.255.255.0 inside
in 192.168.76.0 255.255.255.0 dmz
in 192.168.77.0 255.255.255.0 outside
in 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 255.255.255.255 255.255.255.255 outside
out 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 10.1.1.0 255.255.255.0 via 192.168.77.1, outside

Packet Processing – Prefilter Policy
• Adds additional flexibility when it comes to handling tunneled traffic
• Provides Early Access Control (EAC) which allows a flow to completely bypass the advanced inspection engines
• FTD datapath checks the outer IP header while the advanced inspection engine checks the inner IP header

Packet Processing – Prefilter Policy, Tunnel
• Adds additional flexibility when it comes to handling tunneled traffic:
  • GRE, IP-in-IP, IPv6-in-IP, Teredo Port 3544
• Block – Drops the tunneled traffic
• Fastpath – Allows the tunneled traffic and bypasses advanced inspection engines
• Analyze – Will send the tunneled traffic to advanced inspection engines. Optionally allows traffic Tagging

Prefilter Demo
Packet Processing – Prefilter Policy, EAC
• Block – Drops the traffic
• Fastpath – Allows the traffic and bypasses advanced inspection engines
• Analyze – Will send the traffic to advanced inspection engines

Packet Processing – Prefilter Policy, EAC (For Your Reference)
• Prefilter Rules are deployed to datapath as L3/L4 ACEs and are placed above the normal L3/L4 ACEs
firepower# show access-list
access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3
(lines 1-3: EAC Prefilter Rules)
access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268434457: RULE: Fastpath_Rule1
access-list CSM_FW_ACL_ line 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0)
(lines 4-9: Tunnel Prefilter Rules)
access-list CSM_FW_ACL_ line 4 remark rule-id 268434456: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268434456: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268434456 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268434456 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268434456 (hitcnt=2) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any any eq 3544 rule-id 268434456 (hitcnt=0) 0xcf6309bc
(lines 10-15: normal L3/L4 ACEs)
access-list CSM_FW_ACL_ line 10 remark rule-id 268434445: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 11 remark rule-id 268434445: L4 RULE: Block ICMP
access-list CSM_FW_ACL_ line 12 advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start (hitcnt=0) 0x8bf72c63
access-list CSM_FW_ACL_ line 13 remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ line 14 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268434434 (hitcnt=410) 0xa1d3780e

Packet Processing – L3/L4 ACL (For Your Reference)
• Pushed to datapath (CSM_FW_ACL_) and to advanced inspection engine (/var/sf/detection_engines/UUID/ngfw.rules)
• 7 possible actions to the traffic:

Packet Processing – L3/L4 ACL, Allow
• Allow Rule will be pushed to datapath as permit action and to advanced inspection engine as allow action.

Packet Processing – L3/L4 ACL, Allow (For Your Reference)
• The rule ID correlates datapath rules with the advanced inspection rules
firepower# show access-list
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456

access-list CSM_FW_ACL_ line 11 remark rule-id 268435457: L4 RULE: ACP_Rule2_Allow_ICMP_Type
access-list CSM_FW_ACL_ line 12 advanced permit icmp host 2.2.2.2 host 3.3.3.3 echo rule-id 268435457

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435457 allow any 2.2.2.2 32 8 any 3.3.3.3 32 any any 1
Packet Processing – L3/L4 ACL, Allow (For Your Reference)
> packet-tracer input inside icmp 1.1.1.1 8 0 2.2.2.2
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

firepower# show capture CAPI packet-number 1 trace
1: 09:17:18.996149 1.1.1.1 > 2.2.2.2: icmp: echo request
!
Phase: 4
Type: ACCESS-LIST
...
This packet will be sent to snort for additional processing where a verdict will be reached
...
Application: 'SNORT Inspect'
Phase: 14
Type: SNORT
...
Snort Verdict: (pass-packet) allow this packet

Packet Processing – L3/L4 ACL, Trust
• Trust Rule will be pushed to datapath as trust action and to advanced inspection engine as fastpath action
firepower# show access-list
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435477 fastpath any 4.4.4.4 32 any any 5.5.5.5 32 53 any 17
Packet Processing – L3/L4 ACL, Trust (For Your Reference)
• Packet-tracer shows that datapath will not send any packets to advanced inspection engine
> packet-tracer input inside udp 4.4.4.4 1111 5.5.5.5 53
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:
• No Additional Information means the packet is not going to be redirected to advanced inspection engine
Packet Processing – L3/L4 ACL, Trust

• In case one or more of the following is true the Trust Rule will be pushed to
datapath as permit action:
• Application is used as a condition and/or SI, QoS, Identity Policy, SSL Policy

firepower# show access-list


access-list CSM_FW_ACL_ line 14 remark rule-id 268435458: L7 RULE: ACP_Rule3_Trust_DNS_App
access-list CSM_FW_ACL_ line 15 advanced permit ip host 3.3.3.3 host 4.4.4.4 rule-id 268435458

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules


268435458 fastpath any 3.3.3.3 32 any any 4.4.4.4 32 any any any (appid 617:1)
Packet Processing – L3/L4 ACL, Trust
• The first few packets of the flow go to the advanced inspection engine until the application is identified:
> show capture CAPI packet-number 1 trace
Phase: 4
Type: EXTERNAL-INSPECT
Application: 'SNORT Inspect'
Phase: 5
Type: SNORT
Snort Verdict: (pass-packet) allow this packet

• The remaining packets bypass the advanced inspection engine (fast-forward verdict on the existing flow):
> show capture CAPI packet-number 10 trace
Phase: 3
Type: FLOW-LOOKUP
Found flow with id 23429, using existing flow
Phase: 4
Type: SNORT
Snort Verdict: (fast-forward) fast forward this flow
Packet Processing – L3/L4 ACL, Monitor

• A Monitor rule is pushed to the datapath as a permit action and to the advanced
inspection engine as an audit action
• A Monitor rule neither drops nor permits traffic by itself, but it generates a Connection Event. The
packet is then checked against the subsequent rules and is allowed or dropped by the first of them that matches
Packet Processing – L3/L4 ACL, Block

• A Block rule is pushed to the datapath as a permit or deny action, depending on
the rule conditions, and to the advanced inspection engine as a deny rule
• Application takes precedence over destination ports: a Block rule with an application condition
is compiled as a datapath permit (Snort must see the first packets to identify the application),
while a port-only Block rule is compiled as a datapath deny
Packet Processing – L3/L4 ACL, Block
• L7 Block rule (application condition): the datapath permits the flow, and packets matching this rule
are dropped by the datapath according to the Snort verdict
• L4 Block rule (port condition): packets matching this rule are dropped directly by the datapath

firepower# show access-list

access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460

access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules

268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6

(For Your Reference)

Packet Processing – L3/L4 ACL, Block


• When traffic matches a datapath deny rule, tracing a real packet shows that
the packet is dropped by the datapath and is not forwarded to the advanced
inspection engine at all
firepower# show capture CAPI packet-number 1 trace
1: 12:29:00.844438 6.6.6.6.18791 > 7.7.7.7.23: S 2574076177:2574076177(0) win 4128 <mss 536>
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464 event-log
flow-start
access-list CSM_FW_ACL_ remark rule-id 268435464: ACCESS POLICY: FTD5506-1 - Mandatory/6
access-list CSM_FW_ACL_ remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
Additional Information:

(For Your Reference)

Packet Processing – L3/L4 ACL, Block


• For a Block rule that uses an application condition, tracing a real packet shows that the
packet is dropped by the datapath due to the advanced inspection engine's verdict. The advanced
inspection engine needs to process a few packets before it can determine the application type,
which is why the drop is seen on packet 7 rather than on the first packet of the flow
firepower# show capture CAPI packet-number 7 trace
7: 13:42:53.655971 192.168.75.14.36775 > 192.168.76.14.23: P 4147441466:4147441487(21) ack 884051486 win 16695
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
(For Your Reference)

Packet Processing – L3/L4 ACL, Block/RST

• A Block with Reset rule is pushed to the datapath as a permit or deny action, depending on
the rule conditions, and to the advanced inspection engine as a reset rule

firepower# show access-list


access-list CSM_FW_ACL_ line 26 remark rule-id 268435461: L7 RULE: ACP_Rule7_Block_RST_Youtube
access-list CSM_FW_ACL_ line 27 advanced permit ip host 7.7.7.7 host 8.8.8.8 rule-id 268435461

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules


268435461 reset any 7.7.7.7 32 any any 8.8.8.8 32 any any any (appid 929:7)

(For Your Reference)

Packet Processing – L3/L4 ACL, Block/RST

• When a Block with Reset rule matches, FTD sends a TCP Reset (for TCP flows) or an
ICMP Type 3 Code 13 Destination Unreachable (Administratively filtered) message (for
other protocols). In the capture below the reset delivered to the client carries the server's
address and port, so to the client it looks as if the server closed the connection
> system support firewall-engine-debug
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 match rule order 7, 'ACP_Rule7_Block_RST_Youtube', action Reset
7.7.7.7-36778 > 8.8.8.8-80 6 AS 1 I 0 reset action

firepower# show capture CAPI



8: 15:10:56.985376 192.168.75.14.36776 > 192.168.76.14.80: P 894520673:894521071(398) ack 3490934049 win
65520
9: 15:10:56.994211 192.168.76.14.80 > 192.168.75.14.36776: R 3490934049:3490934049(0) ack 894521071 win 0

Packet Processing – L3/L4 ACL, Interactive Block

• An Interactive Block rule is pushed to the datapath as a permit or deny action,
depending on the rule conditions, and to the advanced inspection engine as a bypass rule

firepower# show access-list


access-list CSM_FW_ACL_ line 29 remark rule-id 268435462: L7 RULE: ACP_Rule8_Interactive_Block
access-list CSM_FW_ACL_ line 30 advanced permit ip host 8.8.8.8 host 9.9.9.9 rule-id 268435462

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules


268435462 bypass any 8.8.8.8 32 any any 9.9.9.9 32 any any any (appid 61:7)
Packet Processing – L3/L4 ACL, Interactive Block
• Interactive Block Rule will prompt the user that the destination is forbidden

• The user can click on Continue button or Refresh the browser page to bypass
and continue

(For Your Reference)
Packet Processing – L3/L4 ACL, Interactive Block with Reset

• An Interactive Block with Reset rule is pushed to the datapath as a permit or deny action,
depending on the rule conditions, and to the advanced inspection engine as an intreset
rule

firepower# show access-list


access-list CSM_FW_ACL_ line 32 remark rule-id 268435463: L7 RULE: ACL_Rule9_Interactive_Blck_RST
access-list CSM_FW_ACL_ line 33 advanced permit ip host 9.9.9.9 host 10.10.10.10 rule-id 268435463

root@FTD:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules


268435466 intreset any 9.9.9.9 32 any any 10.10.10.10 32 any any any (appid 623:3)

(For Your Reference)
Packet Processing – L3/L4 ACL, Interactive Block with Reset

• Similar to Interactive Block, the user can click the Continue button to proceed; the debug shows the bypass action sending the interactive response page
> system support firewall-engine-debug
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 Starting with minimum 9,
'ACL_Rule9_Interactive_Blck_RST', and IPProto first with zones 3 -> 1, geo 0(0) -> 0,
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 match rule order 9, 'ACL_Rule9_Interactive_Blck_RST',
action Interactive Reset
192.168.75.14-36815 > 192.168.76.14-80 6 AS 1 I 1 bypass action sending interactive response of 1093 bytes

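The following is an added Python example, not Cisco code and not part of the original deck. It parses the `show access-list` (datapath) and `ngfw.rules` (Snort) lines quoted in the Trust, Block and Interactive Block slides above and reports, per rule-id, the datapath action, the Snort action and how much of the flow Snort will see, which is the first thing to check when a Trust rule unexpectedly shows up in Snort statistics or a Block rule is enforced later than expected. The `ngfw.rules` field layout used by the parser is an assumption inferred from the examples on these slides, not a documented format.

```python
"""Cross-check how FMC compiled an access-control rule for the two FTD engines.

Added example, not Cisco code. ASSUMPTION: the ngfw.rules field layout is
inferred from the slide examples:
<rule-id> <action> <src-zone> <src-ip> <src-prefix> <src-port> <dst-zone>
<dst-ip> <dst-prefix> <dst-port> <vlan> <proto> [(appid <id:n>)]
"""
import re

ACL_RE = re.compile(
    r"access-list \S+ (?:line \d+ )?advanced (?P<action>trust|permit|deny) "
    r"(?P<proto>\S+) host (?P<src>\S+) host (?P<dst>\S+)"
    r"(?: eq (?P<port>\S+))? rule-id (?P<rid>\d+)"
)
REMARK_RE = re.compile(
    r"access-list \S+ (?:line \d+ )?remark rule-id (?P<rid>\d+): "
    r"(?P<kind>L[47]) RULE: (?P<name>\S+)"
)
NGFW_RE = re.compile(
    r"^(?P<rid>\d+) (?P<action>\w+) \S+ (?P<src>\S+) (?P<smask>\d+) \S+ \S+ "
    r"(?P<dst>\S+) (?P<dmask>\d+) (?P<dport>\S+) \S+ (?P<proto>\S+)"
    r"(?: \(appid (?P<appid>[^)]+)\))?$"
)

# Lines taken from the slides above (datapath view, then Snort view).
SAMPLE_ACL = """\
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477
access-list CSM_FW_ACL_ line 14 remark rule-id 268435458: L7 RULE: ACP_Rule3_Trust_DNS_App
access-list CSM_FW_ACL_ line 15 advanced permit ip host 3.3.3.3 host 4.4.4.4 rule-id 268435458
access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464
access-list CSM_FW_ACL_ line 26 remark rule-id 268435461: L7 RULE: ACP_Rule7_Block_RST_Youtube
access-list CSM_FW_ACL_ line 27 advanced permit ip host 7.7.7.7 host 8.8.8.8 rule-id 268435461
"""
SAMPLE_NGFW = """\
268435477 fastpath any 4.4.4.4 32 any any 5.5.5.5 32 53 any 17
268435458 fastpath any 3.3.3.3 32 any any 4.4.4.4 32 any any any (appid 617:1)
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6
268435461 reset any 7.7.7.7 32 any any 8.8.8.8 32 any any any (appid 929:7)
"""


def snort_exposure(dp_action, snort_action):
    """How much of a matching flow the Snort engine will see, per the slides."""
    if dp_action == "deny":
        return "none: dropped by datapath"
    if dp_action == "trust":
        return "none: trusted by datapath"
    # datapath permit: Snort sees the flow until it returns a verdict
    if snort_action == "fastpath":
        return "first packets only: fast-forward once Snort has identified the flow"
    if snort_action == "audit":
        return "all packets: monitor only, next matching rule decides"
    return "all packets until Snort verdict (%s)" % snort_action


def compile_report(acl_text, ngfw_text):
    """Return {rule-id: {name, kind, dp_action, snort_action, appid, exposure}}."""
    rules = {}
    for line in acl_text.splitlines():
        m = REMARK_RE.search(line)
        if m:
            rules.setdefault(m["rid"], {}).update(name=m["name"], kind=m["kind"])
            continue
        m = ACL_RE.search(line)
        if m:
            rules.setdefault(m["rid"], {}).update(
                dp_action=m["action"], proto=m["proto"], dp_port=m["port"])
    for line in ngfw_text.splitlines():
        m = NGFW_RE.match(line.strip())
        if m:
            rules.setdefault(m["rid"], {}).update(
                snort_action=m["action"], appid=m["appid"])
    for rid, r in rules.items():
        if "dp_action" not in r or "snort_action" not in r:
            # a rule-id present in one engine only is worth investigating
            r["exposure"] = "inconsistent: rule-id %s missing from one engine" % rid
        else:
            r["exposure"] = snort_exposure(r["dp_action"], r["snort_action"])
    return rules


if __name__ == "__main__":
    for rid, r in compile_report(SAMPLE_ACL, SAMPLE_NGFW).items():
        print(rid, r.get("name"), r.get("dp_action"), r.get("snort_action"), "->", r["exposure"])
```

Run it against the output of `show access-list` and the `ngfw.rules` file of the active detection engine; any rule reported as "inconsistent" or with an unexpected exposure is where to start the `packet-tracer` and `show capture ... trace` checks from the slides.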
See also: BRKSEC-3455

Packet Processing – DAQ

• The DAQ (Data Acquisition Library) is the layer through which Snort communicates with the
ASA datapath processes, using the Packet Data Transport System (PDTS)

(For Your Reference)

Packet Processing – DAQ

> show asp inspect-dp snort queues
SNORT Inspect Instance Queue Configuration
RxQ-Size: 1 MB
TxQ-Size: 128 KB
TxQ-Data-Limit: 102.4 KB (80%)
TxQ-Data-Hi-Thresh: 35.8 KB (28%)

Id QId  RxQ (used) RxQ (util) TxQ (used) TxQ (util)
-- ---- ---------- ---------- ---------- ----------
0  All  0          0%         0          0%
1  All  0          0%         0          0%
(PDTS queue utilization per Snort instance)

> show asp inspect-dp snort
SNORT Inspect Instance Status Info
Id Pid  Cpu-Usage tot (usr | sys) Conns Segs/Pkts Status
-- ---- ------------------------- ----- --------- ------
0  4024 0% ( 0%| 0%)              5     0         READY
1  4023 0% ( 0%| 0%)              0     0         READY
(Pid is the process ID of each Snort instance)
Packet Processing – Packet Decoding

• Packet Decoder – prepares the packets for preprocessor analysis: it converts packet headers
and payloads into a format that the preprocessors and the rules engine can easily use

(For Your Reference)

Packet Processing – Packet Decoding

• Packet Decoder – prepares the packets for preprocessor analysis
• The decoder options that can be applied depend on the FTD interface mode

Packet Processing – L2-L4 Preprocessors

• The TCP Stream preprocessor (Stream5) defines how Snort reassembles and tracks TCP streams

Troubleshooting Tip
You can enable the Stream5 preprocessor rules in the intrusion policy (generator ID 129, i.e. rule IDs
of the form 129:<SID>) to generate intrusion events for anomalies detected by the TCP Stream preprocessor
Packet Processing – SI (IP)

• Security Intelligence (SI) can Blacklist (drop) or Whitelist (allow) IP addresses
early in the packet processing lifetime, within the Snort engine
• The Whitelist overrides the Blacklist: an address that appears in both is allowed
• The Blacklist can be populated in 2 ways:
• Manually by the FMC administrator
• Automatically by an Intelligence Feed (Talos or custom) or a List

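An added Python example (not Cisco code) of the Security Intelligence decision described above: blacklist networks are loaded from feed text, the whitelist is consulted first, and the result mirrors the (black-list) verdict shown in the capture on the next slide. The feed contents, the one-entry-per-line feed format and the choice to evaluate source and destination addresses independently are assumptions made for this example.

```python
"""Security Intelligence (IP) lookup with whitelist precedence.

Added example, not Cisco code. ASSUMPTIONS: feed files hold one IP or CIDR
per line with '#' comments; source and destination of a packet are checked
independently; the feed contents below are constructed for the example.
"""
import ipaddress

TALOS_FEED = """# constructed sample, not a real Talos feed
38.229.186.248
203.0.113.0/24
"""
CUSTOM_BLACKLIST = """# constructed: a partner range the administrator blacklisted
198.51.100.0/24
"""
WHITELIST = """# constructed: one partner host inside the blacklisted range
198.51.100.10
"""


def parse_feed(text):
    """Turn feed text into a list of ip_network objects (hosts become /32 or /128)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class SecurityIntelligence:
    def __init__(self, whitelist_text, blacklists):
        # blacklists: {feed name: feed text}; insertion order is the lookup order
        self.whitelist = parse_feed(whitelist_text)
        self.blacklists = {name: parse_feed(text) for name, text in blacklists.items()}

    @staticmethod
    def _match(nets, addr):
        return any(addr in net for net in nets)

    def verdict(self, src, dst):
        """Return ('pass' | 'black-list', reason) for a packet between src and dst."""
        for addr in (ipaddress.ip_address(src), ipaddress.ip_address(dst)):
            if self._match(self.whitelist, addr):
                continue  # whitelist overrides any blacklist hit for this address
            for name, nets in self.blacklists.items():
                if self._match(nets, addr):
                    return "black-list", "%s on %s" % (addr, name)
        return "pass", "no SI match"


SI = SecurityIntelligence(WHITELIST, {"talos": TALOS_FEED, "custom": CUSTOM_BLACKLIST})

if __name__ == "__main__":
    # the echo request from the capture on the next slide
    print(SI.verdict("192.168.75.14", "38.229.186.248"))
    # whitelisted host inside a blacklisted /24
    print(SI.verdict("192.168.75.14", "198.51.100.10"))
```

The whitelist check runs per address, not per packet: a whitelisted source does not protect a blacklisted destination, which is the behaviour to verify in a lab before relying on a whitelist entry to "punch a hole" in a feed.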
(For Your Reference)

Packet Processing – SI (IP)

• Snort returns to datapath a verdict about a packet being blacklisted


> show capture CAPI packet-number 1 trace
1: 16:07:45.147743 192.168.75.14 > 38.229.186.248: icmp: echo request
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow

(For Your Reference)

Packet Processing – SI (IP)

• The files containing the IPs from the Talos SI feed are in the
/ngfw/var/sf/iprep_download directory

root@FTD:/ngfw/var/sf/iprep_download# ls -alt | grep blf


-rw-r--r-- 1 root root 1252278 Jun 12 16:06 3e2af68e-5fc8-4b1c-b5bc-b4e7cab598ba.blf
-rw-r--r-- 1 root root 227696 Jun 12 16:05 032ba433-c295-11e4-a919-d4ae5275a468.blf

(For Your Reference)

Packet Processing – Defrag Policy

• The interface mode dictates which engine (datapath or Snort) handles the
fragments
• Frag3 Snort preprocessor handles fragmented traffic at Snort level

Packet Processing – SSL Decryption

• SSL Inspection Policy controls which traffic will be decrypted by FTD so that
other policies (ACP, File, Snort) can inspect the traffic

(For Your Reference)

Packet Processing – SSL Decryption

• The SSL Policy is attached to the Access Control Policy (ACP)
• The Client Hello modification feature (enabled by default) allows FTD to modify the TLS
version and cipher suites in the Client Hello message (required for Safe Search and YouTube EDU)

Packet Processing – SI (DNS/URL)

• Security Intelligence (DNS)


• With this feature DNS Requests can get one of the following actions:

Packet Processing – SI (DNS/URL)

• Security Intelligence (URL)
• Works similarly to IP Security Intelligence and provides 3 actions:
• Whitelist
• Blacklist (Block)
• Blacklist (Monitor)
Packet Processing – Identity Policy

• The Identity Policy enables user-based access control. The user-to-IP mapping can be obtained
in various ways:
Active Authentication:
• Captive Portal (Basic, NTLM, Kerberos)
Passive Authentication:
• Integration with LDAP/Active Directory via the Sourcefire User Agent (SFUA)
• Integration with ISE (pxGrid)
• Integration in VDI environments (identifying multiple users behind one IP)
• Network Discovery (traffic-based detection of logins, e.g. LDAP, FTP)
Packet Processing – L7 ACL

Packet Processing – QoS Rate Limiting

• Unlike other policies, a QoS Policy is not attached to the Access Control
Policy but directly to the FTD device
• Classification is done by the Snort engine and rate limiting is enforced by the
datapath
See also: BRKSEC-2058

Packet Processing – Network Discovery

• Network Discovery data is used in 2 main places:
• FMC Dashboards
• Firepower (FMC) Recommendations for the Intrusion Policy
Packet Processing – File Policy (AMP)

• File Policy provides few different functionalities:

(For Your Reference)

Packet Processing – File Policy (AMP)

• For files whose SHA-256 lookup disposition is Unknown, Local Malware Analysis
(a.k.a. File Preclassification), which uses ClamAV signatures, can determine whether
they are clean or whether Dynamic Analysis (sandbox) is needed
• The SHA-256 disposition (Clean, Unknown, Malware) is cached on the FMC
• Capacity Handling can store on the FMC a file intended for Dynamic Analysis
until cloud resources become available
(For Your Reference)

Packet Processing – File Policy (AMP)


• When a File Policy decides that a file should be blocked, a verdict is returned to the
ASA datapath. In that case the firewall-engine debug and the Snort debug show the following.
Note that the L7 ACL allows the FTP control channel traffic, but the File Policy blocks the
malicious file transfer on the data channel:
> system support firewall-engine-debug
..
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 New session
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 using HW or preset rule order 2, 'Allow Rule1', action Allow and prefilter rule 0
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 allow action
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 Allowing expected session for service 166
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File policy verdict is Type, Malware, and Capture
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File type verdict Reject, fileAction Block, flags 0x00003500, and type action Reject for t0
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File type event for file named fu.exe with disposition Type and action Block

> debug snort generic


snort_insp: flow created: TCP: 192.168.76.14 (tzone: 0) to 192.168.75.14 (tzone 0)
snort-insp: Flow from 192.168.76.14/20 to 192.168.75.14/36952 is black listed.

Packet Processing – Intrusion Policy

• The Intrusion Policy (Snort rules) is the same as on classic Firepower devices
• Packets dropped by a Snort rule (signature) can be tracked with the following debug:
firepower# debug snort generic
snort_insp: flow created: ICMP: 192.168.75.39 (tzone: 0) to 192.168.77.40 (tzone 0)
snort-insp: Flow from 192.168.75.39/61 to 192.168.77.40/0 is black listed.

Packet Processing – Snort Verdict and Flow Update

• At this point the Snort Engine returns to ASA DATAPATH through the DAQ and
PDTS framework a Verdict (Pass, Blacklist (Block), Fast-Forward etc)
> show logging | include connection
Jun 13 2016 13:32:49: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.76.14/0 gaddr 192.168.75.14/0
laddr 192.168.75.14/0
Jun 13 2016 13:33:00: %ASA-6-302016: Teardown UDP connection 357875 for inside:192.168.75.14/60131 to
dmz:192.168.76.14/53 duration 0:02:01 bytes 43

> show conn address 192.168.75.179


UDP outside 192.168.75.179:138 inside 192.168.75.255:138, idle 0:00:19, bytes 35306, flags - N
UDP outside 192.168.75.179:137 inside 192.168.75.255:137, idle 0:00:19, bytes 6350, flags - N
>

Packet Processing – ALG Checks

• Application Layer Gateway (ALG) inspections are the classic Modular Policy
Framework (MPF) rules, applied in the datapath
• MPF is tunable through FlexConfig
Packet Processing – NAT IP Header

• The source/destination IP addresses and ports (in case of PAT) are
rewritten
> show capture CAPI packet-number 1 trace
1: 18:54:43.658001 192.168.75.14 > 192.168.77.1: icmp: echo request
..
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface
Additional Information:
Dynamic translate 192.168.75.14/1 to 192.168.77.6/1
Packet Processing – VPN Encryption

> show crypto ipsec sa


interface: outside
Crypto map tag: CSM_outside_map, seq num: 1, local addr: 192.168.77.6

access-list CSM_IPSEC_ACL_1 extended permit ip 192.168.75.0 255.255.255.0 10.1.1.0 255.255.255.0


local ident (addr/mask/prot/port): (192.168.75.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.77.40

#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10


#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

Packet Processing – L3 Route Lookup

• Based on the outcome of the UN-NAT/egress interface determination, the ‘out’
entries of the ASP routing table are checked to determine the next-hop IP
> show capture CAPI packet-number 3 trace
3: 09:11:54.814395 192.168.75.39 > 192.168.77.40: icmp: echo request
..
Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.77.40 using egress ifc outside
(For Your Reference)

Packet Processing – L3 Route Lookup


firepower# show asp table routing
route table timestamp: 449
in 192.168.75.0 255.255.255.0 inside
in 192.168.76.0 255.255.255.0 dmz
in 192.168.77.0 255.255.255.0 outside
in 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 255.255.255.255 255.255.255.255 outside
out 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 10.1.1.0 255.255.255.0 via 192.168.77.1, outside


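An added Python example (not Cisco code) of the route lookup described above: it parses `show asp table routing` output and performs the longest-prefix match over the `out` entries to resolve the next hop and egress interface. The slide shows only part of the table, so connected `out` entries for the three interfaces are added here as an assumption; the convention that an entry without `via` is a connected route (next hop = destination itself) is also an assumption, consistent with the trace above.

```python
"""Next-hop resolution against the ASP routing table.

Added example, not Cisco code. ASSUMPTIONS: the table below is the slide's
table plus constructed connected 'out' entries for inside/dmz/outside; an
entry without 'via' is a connected route, so the next hop is the destination.
"""
import ipaddress
import re

ASP_TABLE = """route table timestamp: 449
in 192.168.75.0 255.255.255.0 inside
in 192.168.76.0 255.255.255.0 dmz
in 192.168.77.0 255.255.255.0 outside
in 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 255.255.255.255 255.255.255.255 outside
out 5.5.5.5 255.255.255.255 via 192.168.77.1, outside
out 10.1.1.0 255.255.255.0 via 192.168.77.1, outside
out 192.168.75.0 255.255.255.0 inside
out 192.168.76.0 255.255.255.0 dmz
out 192.168.77.0 255.255.255.0 outside
"""

# "<in|out> <network> <mask> [via <next-hop>,] <interface>"
ENTRY_RE = re.compile(
    r"^(?P<dir>in|out) (?P<net>\S+) (?P<mask>\S+)(?: via (?P<via>\S+),)? (?P<ifc>\S+)$"
)


def parse_asp_table(text):
    """Return a list of (direction, ip_network, next_hop_or_None, interface)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network("%s/%s" % (m["net"], m["mask"]), strict=False)
            entries.append((m["dir"], net, m["via"], m["ifc"]))
    return entries


def route_lookup(entries, dst):
    """Resolve (next_hop, egress_ifc) for dst from the longest matching 'out' entry."""
    addr = ipaddress.ip_address(dst)
    best = None
    for direction, net, via, ifc in entries:
        if direction != "out" or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, via, ifc)
    if best is None:
        return None  # no route: the datapath would drop the packet
    net, via, ifc = best
    return (via or dst, ifc)


if __name__ == "__main__":
    table = parse_asp_table(ASP_TABLE)
    # the echo request from the trace above
    print(route_lookup(table, "192.168.77.40"))
    # a destination behind the static route
    print(route_lookup(table, "10.1.1.7"))
```

Compare the result with the `found next-hop ... using egress ifc ...` line of `show capture ... trace`; a mismatch usually means the ASP table and the RIB have drifted apart, which is the case to escalate rather than "fix" with another static route.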
Packet Processing – L2 Address Lookup

• Based on the outcome of the L3 route next-hop determination, the
local ARP table is checked for an entry
> show arp
inside 192.168.75.14 000c.2930.2b78 8
inside 192.168.75.12 000c.29d0.ebcf 1286
inside 192.168.75.39 0004.deab.681b 3923
inside 192.168.75.122 000c.29ec.80e1 12451
dmz 192.168.76.14 000c.2998.3fec 55
dmz 192.168.76.1 c84c.758d.4981 3413
dmz 192.168.76.39 0004.deab.681a 3743
outside 192.168.77.23 6c41.6aa1.2bf5 1305
outside 192.168.77.40 c84c.758d.4980 4613

> show capture CAPI packet-number 3 trace
3: 09:11:54.814395 192.168.75.39 > 192.168.77.40: icmp: echo request
..
Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address c84c.758d.4980 hits 140
Flow Offload
Flow Offload – Use Cases
• Trusted flow processing with limited security visibility
• Maximize single-flow throughput and packet rate, minimize latency
• High performance compute, high-frequency trading, demanding data center applications
[Figure: offloaded flows between DC1 and DC2]
Flow Offload Operation
• Dynamically program the offload engine after flow establishment
• Bring flows out of and back to full inspection on demand
• Limited pseudo-stateful inspection in x86 or NPU
• Bidirectional byte count and TCP state tracking
[Figure: incoming traffic hits the NPU classifier; new and fully inspected flows go to the application
instance (full Cisco ASA, NGFW or NGIPS engine), which sends offload instructions for established trusted
and jumbo flows to the lightweight data path and receives flow updates back from it]
Cisco Firepower Threat Defense
Firewall Architecture
[Figure: FTD packet path. Ingress (datapath): Ingress NIC, L2/L3 Decode, DHCP Relay, Rate Limiting,
TCP Intercept, Flow Lookup, L4 Decode / TCP Normalization, Route Lookup, NAT Lookup, VPN Decrypt, ALG,
Clustering. Advanced inspection engines (Snort): User Auth, IPS, AVC, Files, Discovery, Correlation,
TCP Proxy, Flow Update. Egress (datapath): NAT, Routing, Rate Limiting, Egress NIC]
Firewall Architecture
• Traffic can be impacted (dropped, denied, modified, etc.) when traversing
both the datapath and the advanced inspection engines
• The datapath keeps track of flows and maintains state (full ASA data plane
function)
• The advanced inspection engines have access to the complete packet from L2 up
• The advanced inspection engines perform the normalization and defragmentation
FTD Initial Setup
Installing Firepower Threat Defense
[Figure: three parts of an FTD deployment]
1. Management Center: FireSIGHT / Firepower Management Center 5.4 is upgraded to Firepower Management Center 6.0
2. Smart License: Firepower Management Center 6.0 registers with the Cisco Smart Software Manager
3. FirePOWER Services on ASA (Firepower 5.4 / ASA 9.4.x): the appliance is reimaged and Firepower Threat Defense is installed
FTD Initial Setup – FTD Console

• Initial setup is prompted on the console interface. The default username/password
is admin/Admin123
Cisco ASA5506W-X Threat Defense v6.1.0 (build 254)
firepower login: admin
Password: Admin123
• Prompts to configure both password and management connectivity (IPv4 and/or
IPv6):
You must change the password for 'admin' to continue.
<snip>
You must configure the network to continue.
<snip>

FTD Initial Setup – FTD Console

• The 5506-X, 5508-X and 5516-X include an easy-to-use, simplistic local manager
• The local manager only manages the local appliance (not an HA pair)
• For non-SMB use cases the recommendation is to use the FMC for central management
Manage the device locally? (yes/no) [yes]: no
• Firewall mode is one of the few features configured locally. We will cover modes
in more detail later on
Configure firewall mode? (routed/transparent) [routed]:

• The connection to the FMC must be preconfigured on FTD with a single command
• The registration key can be any string you want – just remember it, the same key must be entered on the FMC!
configure manager add [hostname | ip address ] [registration key ]
FTD Initial Setup – Adding a Device to FMC
[Screenshot: Add Device dialog in the FMC. Host: either the hostname or the IP address of the FTD;
Registration Key: the key we used in the CLI; Access Control Policy to assign to the device;
licenses selected based upon the subscriptions purchased]
Firewall Deployment Modes
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces
separate L3 domains – the firewall is the router and gateway for local hosts
[Figure: routed-mode FTD with 10.1.1.1 on the 10.1.1.0/24 side and 192.168.1.1 on the 192.168.1.0/24 side,
performing NAT and dynamic routing (DRP); the host 192.168.1.100 uses 192.168.1.1 as its gateway]
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces
separate L3 domains – the firewall is the router and gateway for local hosts
• Transparent Mode is where the firewall acts as a bridge functioning at L2
• A transparent-mode firewall offers some unique benefits in the DC
• Transparent deployment is tightly integrated with our ‘best practice’ data center designs
[Figure: transparent-mode FTD bridging VLAN192 and VLAN1920 within 192.168.1.0/24; the host
192.168.1.100 still uses the upstream router 192.168.1.1 as its gateway]
• Note:
• No multiple context mode and no RA VPN available on FTD today
• Routed or transparent mode is configured in the setup dialog
• Changing between these modes requires re-registering with the FMC
• Policies will be re-deployed
IPS/IDS Modes

• Traffic is processed by minimal datapath functions and by all advanced
inspection engine processes
• Packets are not impacted in Inline Tap or Passive mode, but can be
dropped by either the datapath or the advanced inspection engines in Inline
mode after the policy and security checks
• The datapath still tracks the flow
• The advanced inspection engines might ask the datapath to fast-forward the
flow
IPS Mode Deployment
• Inline Mode
• Two physical interfaces paired together
• Paired interfaces must be assigned to an inline set
• Bump in the wire, entirely transparent to the network
• Bypass functionality with hardware bypass interfaces on 4100 and
9300
• Easy to insert into an existing network
• Multiple Pairs can be configured on same sensor as sets
• Inline with tap mode
• Same as Inline, but packets are never dropped
• Used for evaluating and tuning of rules

Inline Pair Architecture
[Figure: inline pair packet path, same stages as the firewall architecture diagram above, from
Ingress NIC through the datapath and the advanced inspection engines to Egress NIC]
Inline TAP Architecture
[Figure: inline tap packet path, same stages as the firewall architecture diagram above; a copy
of each packet is handed to the datapath and the advanced inspection engines while the original
is forwarded from Ingress NIC to Egress NIC unchanged]
Passive (IDS) mode deployment
• A separate device must send copies of the packets:
• SPAN (or monitor) session from a switch
• Network taps
• One or more physical ports are designated as passive interfaces
• Only copies of the packets are sent to the sensor
• Does not impact network traffic
• Easy to insert into an existing network
• Visibility and detection
• Optional prevention through remediation modules
[Figure: Ethernet switch with a SPAN destination port connected to the FTD passive interface]
Passive Architecture
[Figure: passive packet path; copies arrive on the Ingress NIC, pass through L2/L3 Decode, Flow Lookup,
L4 Decode / TCP Normalization and the advanced inspection engines (User Auth, IPS, AVC, Files,
Discovery, Correlation, Flow Update) and are dropped at egress instead of being forwarded]
(For Your Reference)
High Level Matrix for Deployment

                     Routed          Transparent     Inline          Inline Tap      Passive
Highlights           Same as ASA     Same as ASA     Same as NGIPS   Same as NGIPS   Same as NGIPS
Interfaces           All except IPS  All except IPS  All except FW   All except FW   All except FW
Operational Mode     Firewall        Firewall        NGIPS           NGIDS           NGIDS
Access Control       Yes             Yes             Yes             Yes             Yes
NAT                  Yes             Yes             No              No              No
ALG                  Yes             Yes             No              No              No
Snort/Discovery      Yes             Yes             Yes             Yes             Yes
Captive Portal       Yes             Yes             No              No              No
TCP State Tracking   Datapath        Datapath        Snort           Snort           Snort
Routing              Yes             No              No              No              No
Break
Working With FTD Interfaces
FTD Security Zones
• True zone based firewall
• Security Zones are collections of interfaces or sub-interfaces
• Policy rules can apply to source and/or destination security zones
• Security levels are not used

Optional Interface Modes
• By default, all interfaces are firewall
interfaces (routed or transparent)
• Optionally, specific interfaces can be
configured for use as IDS or IPS
• IDS Mode
• Inline Tap
• Passive
• ERSPAN

• IPS Mode
• Inline

Mix and Match Interface Modes
[Figure: one FTD with interfaces A to J in different modes, all feeding the same policy tables:
A and F as routed/transparent interfaces, B and G as passive interfaces, C/H and D/I as two
inline pairs grouped in one inline set, E and J as an inline tap pair]
Integrated Routing and Bridging

• Allows configuration of bridge groups in routed firewall mode
• Regular routed interfaces can now co-exist with BVI interfaces and
interfaces that are members of bridge groups
• Available with the FTD 6.2 release
[Figure: FTD with two bridge groups (BVI 1, BVI 2) alongside the routed DMZ and Outside interfaces]
Integrated Routing and Bridging Via FMC
• A BVI interface can now have a name assigned to it; this
enables it to participate in routing
• Only static routing is enabled on BVI interfaces in
Intra BVI use case
[Figure: 1/1 DMZ1 (H1) and 1/2 DMZ2 (H2) are members of BVI 1; 1/3 Inside (H3) and 1/4 Outside (H4) are members of BVI 2]
• Traffic between H1 and H2 stays within BVI 1: no routing is needed (micro-segmentation)
• ACLs and other inspections are still applied to the bridged traffic
Inter BVI use case
[Figure: BVI 1 (1/1 DMZ1 with H1, 1/2 DMZ2 with H2) and BVI 2 (1/3 Inside with H3, 1/4 Outside with H4)]
• Traffic between hosts in BVI 1 and hosts in BVI 2 is routed using connected/static routes
• ACLs and other inspections are applied
Traffic between BVI and regular routed interface
[Figure: BVI 1 (1/1 DMZ1 with H1, 1/2 DMZ2 with H2) and the regular routed interfaces 1/3 Inside (H3) and 1/4 Outside (H4)]
• Traffic between a BVI and a regular routed interface is routed using connected/static routes
• ACLs and other inspections are applied
Features supported

• BVI interface specific features
• Static routing
• DHCP server can only be configured on the BVI interface, not on a member interface
• Static ARP entries can be configured on BVI interfaces
• Member interface specific features
• NAT (NAT44 and NAT66 on member interfaces for intra-BVI traffic; all variants in other scenarios)
• ACL
Routing on FTD
Routing on FTD
• FTD performs L3 route lookup as part of its normal packet processing flow
• FTD is optimized as a flow-based inspection device
• For smaller deployments, FTD is perfectly acceptable as the router
• For larger deployments, a dedicated router (ISR, ASR, Nexus) is a much better option

• FTD supports static routing and the most common dynamic routing protocols:
• BGP-4 with IPv4 & IPv6 (aka BGPv4 & BGPv6)
• OSPFv2 & OSPFv3 (IPv6)
• RIP v1/v2
• Multicast routing
• EIGRP (via FlexConfig)
• Complete IP routing configuration in the config guides:
http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601.pdf
FTD Routing – Static Use Case
[Diagram: FTD with G1/1 towards the Outside Network (FHRP gateway 128.107.1.1, reached via a static default route), G1/3 towards the DMZ Network, and G1/2 towards the Inside network 10.120.1.0/24 (static or IGP routes)]
FTD Routing – Dynamic Use Case (OSPF in FMC)
• Step 1 – Enable the OSPF process
• Step 2 – Add an area
• Step 3 – Add redistribution
[Screenshots of the corresponding FMC dialogs]
NAT on FTD
• NAT on FTD is built around objects, with two types of NAT:
• Auto NAT
• Only the source is used as the match criterion
• Only used for static or dynamic NAT
• Manual NAT
• Source (and possibly destination) is used as the match criteria
• More flexibility in NAT rules (one-to-one, one-to-many, many-to-many, many-to-one)
NAT on FTD
• Auto NAT
• Configured within a network object (internally)
• The device automatically orders the rules for processing:
• Static over dynamic
• Quantity of real IP addresses – from smallest to largest
• IP address – from lowest to highest
• Name of network object – in alphabetical order
• Manual NAT
• Supports NAT of the source and destination in a single rule
• Rules are processed in the order they are configured; only that order matters
NAT on FTD Processing
• Single NAT rule table (first match wins)
• Uses a simplified "Original Packet" to "Translated Packet" approach
• NAT is ordered within 3 sections:
• Section 1 – NAT Rules Before (Manual NAT)
• Section 2 – Auto NAT Rules (Object NAT)
• Section 3 – NAT Rules After (Manual NAT)
• By default only Sections 1 and 2 are used. Select the "NAT Rules After" category
when configuring a Manual NAT rule to place it within Section 3
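The Auto NAT ordering rules and the three-section first-match lookup above, as an added example that is not code from the deck or from Cisco's NAT implementation: a Python model that sorts Section 2 the way the slides describe and then walks Sections 1 to 3 for the first match. The object names and rules are constructed (the networks reuse the ones from the use cases on the following slides); real rules additionally match on the interface pair, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    """One NAT rule. Auto NAT rules live in section 2 and match on source only;
    Manual NAT rules live in section 1 or 3 and may also match on destination."""
    name: str                        # network object name (Auto NAT) or a rule label (Manual NAT)
    real_src: str                    # original source network (CIDR)
    mapped_src: str                  # translated source: CIDR, a range label or "interface"
    static: bool                     # True = static, False = dynamic
    section: int = 2                 # 1 = Manual NAT before, 2 = Auto NAT, 3 = Manual NAT after
    real_dst: Optional[str] = None   # Manual NAT only: original destination to match
    mapped_dst: Optional[str] = None


def auto_nat_key(rule: NatRule):
    """Sort key implementing the Auto NAT ordering from the slide: static before dynamic,
    fewer real addresses first, lower network address first, then object name alphabetically."""
    net = ipaddress.ip_network(rule.real_src, strict=False)
    return (0 if rule.static else 1, net.num_addresses, int(net.network_address), rule.name)


def build_nat_table(rules: List[NatRule]) -> List[NatRule]:
    """Sections 1 and 3 keep their configured order; section 2 is sorted by the device."""
    section1 = [r for r in rules if r.section == 1]
    section2 = sorted((r for r in rules if r.section == 2), key=auto_nat_key)
    section3 = [r for r in rules if r.section == 3]
    return section1 + section2 + section3


def nat_order(rules: List[NatRule]) -> List[str]:
    return [r.name for r in build_nat_table(rules)]


def lookup(table: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """First match wins across the single ordered table."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in table:
        if src not in ipaddress.ip_network(rule.real_src, strict=False):
            continue
        if rule.real_dst is not None and dst not in ipaddress.ip_network(rule.real_dst, strict=False):
            continue
        return rule
    return None


# Constructed rule set, in the order an admin might have typed it in.
RULES = [
    NatRule("vpn-exempt", "10.120.1.0/24", "10.120.1.0/24", static=True, section=1,
            real_dst="192.168.50.0/24", mapped_dst="192.168.50.0/24"),   # identity NAT for a VPN
    NatRule("inside-net", "10.120.1.0/24", "interface", static=False),
    NatRule("srv-web", "172.16.25.200/32", "128.107.1.200/32", static=True),
    NatRule("dmz-net", "172.16.25.0/24", "128.107.1.10-128.107.1.20", static=False),
    NatRule("mgmt-host", "10.120.1.5/32", "128.107.1.5/32", static=True),
    NatRule("any-inside", "10.0.0.0/8", "interface", static=False),
    NatRule("catch-all", "0.0.0.0/0", "interface", static=False, section=3),
]
TABLE = build_nat_table(RULES)

if __name__ == "__main__":
    print("processing order:", nat_order(RULES))
    for src, dst in [("10.120.1.5", "8.8.8.8"), ("10.120.1.77", "192.168.50.9"),
                     ("10.120.1.77", "8.8.8.8"), ("192.0.2.1", "8.8.8.8")]:
        hit = lookup(TABLE, src, dst)
        print(f"{src} -> {dst}: {hit.name if hit else 'no NAT'}")
```

The point to take from running it: the order in which the Auto NAT objects were entered is irrelevant. The two /32 static objects are processed before the /24 and /8 dynamic ones wherever they were typed, the identity rule in Section 1 wins over all of them when the destination is the VPN subnet, and the Section 3 rule only catches what nothing else matched.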
Auto NAT Use Case
• Dynamic PAT of 10.120.1.0/24 to the outside interface address (interface PAT)
Auto NAT Use Case
• Static NAT of 172.16.25.200 to the public IP 128.107.1.200
Auto NAT Use Case
• Dynamic NAT of 10.120.1.0/24 to the pool 128.107.1.10-128.107.1.20
Manual NAT Use Case
• Static NAT of 192.168.1.10 → 128.107.1.242 to 192.168.1.155 → 128.107.1.155
(source and destination translated in a single rule)
Sample NAT Policy
[Screenshot: NAT policy in FMC with the Manual NAT Rules section above the Auto NAT Rules section, giving easy to understand NAT logic]
FTD NGFW Policies
Access Control Policy - the glue that ties everything together
[Diagram: the Access Control Policy references a Prefilter Policy, an SSL Policy, an Identity Policy and a DNS Policy. Each Access Control rule consists of criteria (to match), an action, and inspection options that point to an Intrusion Policy and a Malware & File Policy.]
NGFW Policy Types in FTD (For Your Reference)
Policy Type      Function
Access Control   Specify, inspect and log network traffic
Intrusion        Inspect traffic for security violations (including block or alter)
Malware & File   Detect and inspect files for malware (including block)
SSL              Inspect encrypted traffic (including decrypt and block)
DNS              Controls whitelisting or blacklisting of traffic based on domain
Identity         Collect identity information
Prefilter        Early handling of traffic based on L1-L4 criteria
Access Control Policy Overview (For Your Reference)
• Controls what and how traffic is allowed, blocked, inspected and logged
• The simplest policy contains only a default action:
• Block All Traffic
• Trust All Traffic – does not pass through Intrusion and Malware & File inspection
• Network Discovery – only discovers applications, users and devices on the network
• Intrusion Prevention – using a specific intrusion policy
• Criteria can include zones, networks, VLAN tags, applications, ports, URLs and
SGT/ISE attributes
• The same Access Control Policy can be applied to one or more devices
• Complex policies can contain multiple rules, inherit settings from other access
control policies and specify other policy types that should be used for inspection
Intrusion Policy Overview (For Your Reference)
• Controls how IDS or IPS inspection is performed on network traffic
• A simple policy inherits settings from 1 of 5 Cisco Talos maintained base policies:
• Balanced Security and Connectivity – default and recommended
• Connectivity Over Security – fewer rules enabled, only the most critical rules block
• Maximum Detection – favors detection over rated throughput
• No Rules Active
• Security Over Connectivity – more rules enabled, deeper inspection
• Individual rules can be set to generate events, drop and generate events, or be
disabled
• Layers allow grouping of settings/rules for easier management
• Complex policies can contain multiple layers and multiple levels of inheritance
Malware & File Policy Overview (For Your Reference)
• Controls what and how files are allowed, blocked and inspected
• A simple policy applies the same action (Malware Cloud Lookup) to all files
• Actions are:
• Detect Files – detect and log the file trans, perform no inspection
• Block Files – block and log the file transfer, perform no inspection
• Malware Cloud Lookup – inspect the file to determine its disposition (Malware, Unknown or
Clean) and log
• Block Malware – inspect the file to determine its disposition, log and block if Malware
• Inspection includes static analysis of the file (via Spero), dynamic analysis (via
AMP Threat Grid) and local analysis (via ClamAV)
• Complex policies can include different actions and levels of inspection for
different application protocols, directions and file types
SSL Policy Overview (For Your Reference)
• Controls how and what encrypted traffic is inspected and decrypted
• The simple policy blocks all encrypted traffic that uses a self-signed certificate
• Actions are:
• Decrypt - Resign – used for decryption of traffic to public services (Google, Facebook, etc.);
the server certificate is re-signed by an internal CA that the clients must trust
• Decrypt - Known Key – used when you have the server certificate's private key
• Do not decrypt
• Block
• Block with reset
• Monitor
• Many actions can be taken on encrypted traffic without decryption by inspecting
the certificate, DN, certificate status, cipher suite and version (all supported by FTD)
Firepower Threat Defense (FTD) Upgrade/Migration
What can I migrate to FTD?
• ASA software 9.1+ running on ASA 5500-X, FP4100, FP9300 or ASAv
• ASA with FirePOWER Services
ASA Device Requirements for the Migration Tool
• Any platform running ASA software 9.1 or later
• The ASA must be in single context mode (multi-context is not supported)
• It must be the active unit if in a failover pair
• It must be the master unit if it is part of a cluster
• The ASA can be running transparent or routed mode
• http://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620.html
Firepower Device Requirements
• The migration tool runs on a dedicated virtual Firepower Management Center (FMCv)
for VMware. The migration tool is not supported in a production environment.
• Migration FMC – to enable the migration tool, run as root: enableMigrationTool.pl
• The customer FMC must be running a supported environment on a supported
platform. The migration FMC must be the same software version as the
production FMC, e.g. migration FMC 6.1 with production FMC 6.1
• Firepower Management Center FS750, FS1500, FS2000, FS3500, FS4000, Virtual
• Supported FMC environments: Firepower System version 6.1
• The migration tool does not migrate license information; you must purchase
new FTD licenses, as they are a different license from the ASA ones. If you have
existing FirePOWER licenses, work with licensing at cisco.com to convert them to
FTD licensing.
Migration Capabilities (For Your Reference)
ASA features supported for migration:
• Extended access rules (assigned to interfaces or assigned globally)
• Twice NAT and network object NAT rules
• Any network objects/groups associated with the extended access rules and NAT rules that the
tool converts
• ASA software version 9.1 onwards
Migration limitations:
• Only converts ASA configurations
• ACL and ACE limit of 600,000 access rule elements
• Only converts ACLs that are applied to an interface, i.e. paired access-list and access-group
commands. EtherType or Webtype ACLs are not supported.
• ACL and NAT exceptions: Users, Time Range, FQDN, SGT and per-session NAT rules
Migration Checklist
• The ASA device meets all the requirements
• The ASA configuration file is in either .cfg or .txt format
• The ASA configuration file contains only supported configurations and meets the
required limits for migration
• The ASA configuration file only contains valid ASA CLI configurations. Correct
any incorrect or incomplete commands before continuing or the migration will
fail.
• Download the .ovf file of Firepower Management Center for the VMware platform to
install the migration tool. The migration tool is not supported in a production
environment.
• In the migration FMC, run as root: enableMigrationTool.pl
Migration at a Glance
[Diagram: the ASA (version 9.1.x or higher, single context mode, transparent or routed, active unit in an HA pair) exports its configuration as a .cfg or .txt file. The Migration FMCv (deployed as the migration tool; run as root: enableMigrationTool.pl) converts it, producing a migration report and a .sfo file. The Import Tool on the production FMC (managing the FTD devices) imports the .sfo file as ACL or Prefilter policies; the migrated configs are applied, the FTD is registered, and the ASA itself is manually reimaged to FTD.]
Best Practices and Recommendations (For Your Reference)
• Policy for migration
• Prefilter policy: action Fastpath or Analyze - use Analyze when the traffic should be inspected
• Access Control policy: for advanced Layer 7 inspection, when tunneled traffic is not involved
• Configuration size for migration
• 600K expanded ASA rules and 10K UI rules in version 6.1
• show access-list acl_name | i elements (shows how many expanded entries the ACL has)
• Targeting 1M expanded ASA rules and 20K UI rules in version 6.2
• Steps for validation
• Assess the report to identify unsupported rules before migration
• View the disabled rules on the FMC after the import

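The size check (show access-list ... | i elements) and the "assess unsupported rules before migration" step above, as an added example that is neither the Cisco migration tool nor code from the deck: a Python pre-check that reads a saved running-config and show access-list output, sums the expanded element counts against the 600,000 limit from the Migration Capabilities slide, and flags the ACL and NAT features the tool does not convert (ACLs without an access-group, EtherType/Webtype ACLs, time-range, user, SGT, FQDN objects, per-session NAT). The config and command output are constructed samples; the regular expressions cover the ASA syntax shown in them and may need extending for other forms.

```python
import re
from collections import defaultdict

ELEMENT_LIMIT_61 = 600_000   # expanded ACL element limit of the 6.1 migration tool (from the slides)

# ACE features the migration tool does not convert (Migration Capabilities slide).
UNSUPPORTED_ACE = {
    "time-range": re.compile(r"\btime-range\s+\S+"),
    "user": re.compile(r"\buser(?:-group)?\s+\S+|\bobject-group-user\s+\S+"),
    "sgt": re.compile(r"\bsecurity-group\s+(?:tag|name)\s+\S+|\bobject-group-security\s+\S+"),
}
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|standard|ethertype|webtype)\b")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out|global)\b")
ELEMENTS_RE = re.compile(r"^access-list\s+([^;\s]+);\s+(\d+)\s+elements;")
OBJECT_RE = re.compile(r"^object network\s+(\S+)")
FQDN_RE = re.compile(r"^\s+fqdn\s+(?:v[46]\s+)?\S+")
OBJ_REF_RE = re.compile(r"\bobject\s+(\S+)")


def migration_precheck(running_config: str, show_access_list: str,
                       element_limit: int = ELEMENT_LIMIT_61) -> dict:
    acls, bound, fqdn_objects = {}, set(), set()
    per_session = 0
    current_object = None
    for line in running_config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):                # sub-command of the object being defined
            if current_object and FQDN_RE.match(line):
                fqdn_objects.add(current_object)
            continue
        m = OBJECT_RE.match(line)
        current_object = m.group(1) if m else None
        if m:
            continue
        m = ACE_RE.match(line)
        if m:
            name, kind = m.groups()
            acl = acls.setdefault(name, {"type": kind, "aces": 0,
                                         "unsupported": defaultdict(int), "fqdn_refs": set()})
            acl["aces"] += 1
            for key, rx in UNSUPPORTED_ACE.items():
                if rx.search(line):
                    acl["unsupported"][key] += 1
            acl["fqdn_refs"].update(o for o in OBJ_REF_RE.findall(line) if o in fqdn_objects)
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            bound.add(m.group(1))
        elif line.startswith("xlate per-session"):   # includes the ASA default per-session lines
            per_session += 1

    # "show access-list" prints one "access-list NAME; N elements; ..." header per ACL.
    elements = {m.group(1): int(m.group(2))
                for m in map(ELEMENTS_RE.match, show_access_list.splitlines()) if m}
    total = sum(elements.values())

    report = {"total_elements": total, "element_limit": element_limit,
              "over_limit": total > element_limit,
              "per_session_nat_rules": per_session, "acls": {}}
    for name, acl in acls.items():
        issues = []
        if acl["type"] in ("ethertype", "webtype"):
            issues.append(f"{acl['type']} ACL is not converted")
        if name not in bound:
            issues.append("not applied with access-group, so it is skipped")
        issues += [f"{n} ACE(s) use {k}" for k, n in acl["unsupported"].items()]
        issues += [f"references FQDN object {o}" for o in sorted(acl["fqdn_refs"])]
        report["acls"][name] = {"type": acl["type"], "aces": acl["aces"],
                                "elements": elements.get(name, 0),
                                "bound": name in bound, "issues": issues}
    return report


# Constructed samples in ASA syntax (not taken from a real device).
SAMPLE_CONFIG = r"""
object network srv-web
 host 172.16.25.200
object network cdn-host
 fqdn v4 cdn.example.com
object network inside-net
 subnet 10.120.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list outside_in extended permit tcp any object srv-web eq www
access-list outside_in extended permit tcp any object srv-web eq https time-range business-hours
access-list inside_out extended permit ip object inside-net any
access-list inside_out extended deny ip any object cdn-host
access-list inside_out extended permit tcp user LOCAL\bob any any eq 22
access-list sgt_acl extended permit ip security-group tag 10 any any
access-list legacy ethertype permit ipx
access-list old_unused extended permit ip any any
access-group outside_in in interface outside
access-group inside_out in interface inside
access-group sgt_acl in interface inside
xlate per-session permit tcp any4 any4 eq 5060
"""
SAMPLE_SHOW_ACL = """
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 2 elements; name hash: 0x1b2c3d4e
access-list outside_in line 1 extended permit tcp any host 172.16.25.200 eq www (hitcnt=10) 0xaa11bb22
access-list inside_out; 3 elements; name hash: 0x2c3d4e5f
access-list sgt_acl; 1 elements; name hash: 0x3d4e5f60
access-list legacy; 1 elements; name hash: 0x4e5f6071
access-list old_unused; 1 elements; name hash: 0x5f607182
"""

if __name__ == "__main__":
    result = migration_precheck(SAMPLE_CONFIG, SAMPLE_SHOW_ACL)
    print(f"{result['total_elements']} elements (limit {result['element_limit']}),",
          "over limit" if result["over_limit"] else "within limit")
    for name, info in result["acls"].items():
        print(f"{name}: {info['elements']} elements, issues: {info['issues'] or 'none'}")
```

Run it against the real files before uploading the configuration to the migration FMC: every issue it lists is a rule that will either be dropped or imported disabled, which is exactly what the "view disabled rules on FMC post import" step would otherwise surface only after the fact.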
FTD Migration Demo
Migration Summary
[Same diagram as "Migration at a Glance" above: ASA .cfg/.txt file → Migration FMCv (enableMigrationTool.pl) → migration report and .sfo file → Import Tool on the production FMC (ACL or Prefilter policies) → apply the migrated configs and register the manually reimaged FTD]
Management
Managing NGFW
• Adaptive Security Device Manager (ASDM) and Firepower Device Manager (FDM): on-box managers
• Firepower Management Center (FMC)
• Cisco Defense Orchestrator (CDO)
Firepower Device Manager, FDM
• OS: Firepower Threat Defense
• Supported platforms in 6.1: ASA 5506-X (all), 5508-X, 5512-X, 5515-X, 5516-X,
5525-X, 5545-X, 5555-X
• Available from version 6.1
• State of the art infrastructure (HTML5, REST and others), UI based on the REST
API, no more Java
• Typical home user feature set
• Subset only of the FMC feature set
• FDM or FMC (FDM is disabled if you add the device to FMC)
• No historical database, no host database, ...
• Regular rule, VDB and GeoDB updates from Talos (no rollback support)
User Experience
• Only a web UI page (HTTPS only, no CLI, no thick client)
• Configuration, monitoring and events in a new GUI
• Simplified user experience: Easy Setup Wizard, default policies
• Targeting users who are not security experts
• Not all features are exposed (no parity with FMC)
• 1st release: Access, NAT, Identity, basic IPS, AMP, device settings, ...
• No EtherChannel, PPPoE, dynamic routing, advanced IPS & Malware in 6.1
• From 6.2: VPN support (site-to-site), physical and virtual options, Integrated
Routing and Switching, SoftSwitch
Smart Licensing (For Your Reference)
• 90-day Smart License evaluation
• Base (Firewall, AVC, networking; perpetual)
• Threat (IPS, SI, DNS sinkhole), Malware (AMP/File/TG) and URL licenses are
time based; no satellite license yet
• You can disable/enable these 3 licenses
FDM Installation (For Your Reference)
• After the setup (admin account, IP address, GW, DNS, NTP):
Manage the device locally? (yes/no) [yes]:
• If you would like to change the manager, the standard FTD command helps:
> configure manager local | add | delete
• [Diagrams: cabling in 6.1 and cabling from 6.2]
Tasks
• Task list :
• Backup/ restore
• GeoDB/SRU/VDB
• Deployments
• Generating troubleshooting logs
• Licensing task, like license
registration, update
• Current task limitations:
• You can re-schedule but no re-run
• Cannot stop a task
• You can delete Failed / Success task

Backup – restore
• Only complete config, compressed and encrypted files
• You can upload/download file, folder: /var/sf/backup
• If the platforms and versions are the same, you can upload other device’s
backup file
• Restore cannot be scheduled

Troubleshooting in Expert Mode (For Your Reference)
• Detailed logs are in these files:
• /var/log/cisco/ngfw-onbox.log - Tomcat and other logs
• /var/log/messages - error log, URL DB download
• /var/log/sf/<update-name>/status.log - in-progress info
• In ngfw-onbox.log look out for "error-info id"
• Go to the "Datapath":
• system support diagnostic-cli
• Afterwards you can use ASA commands, like:
• show run interface GigabitEthernet 0/1.1
VPN Enhancements in FTD 6.2
• Site-to-Site VPN configuration support from FDM
• Wizard to walk you through the creation of an IPsec VPN tunnel
• Only pre-shared key authentication is supported currently
• Encryption:
• Evaluation mode: only DES encryption available (DES is not adequate for
production traffic; register the Smart License before relying on the tunnel)
• Registered Smart License: strong encryption available (AES, 3DES)
• Pre-created IKEv1 and IKEv2 policies available to the user
• IKE policies are global (not per VPN)
FDM Site-to-Site VPN Wizard (For Your Reference)
[Screenshots: Step 1 wizard start, Step 2 privacy configuration, Step 3 summary and verification]
• IKE policies:
• The peer that initiates the IKE negotiation sends its policies to the remote peer
• A policy contains encryption, hash, authentication, Diffie-Hellman values
and SA lifetime
• If the lifetimes are not identical, the shorter one (from the remote peer's
policy) applies
• IKE policies are global (not per VPN)
• IPsec proposals (transform sets):
• One or more (IKEv1 or v2) can be associated with a connection profile
• A maximum of 11 IKEv1 and 11 IKEv2 proposals can be associated with one
connection profile
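The IKE policy matching described above (the initiator offers all of its policies, a lifetime mismatch is resolved to the shorter value) together with the evaluation-mode restriction to DES, as an added example that is not Cisco's IKE implementation or code from the deck: a Python model of the responder's decision. The policy values are constructed; the assumption that the responder's own priority order decides which common proposal is used follows the description of the exchange on the slide.

```python
from dataclasses import dataclass
from typing import List, Optional

# From the slides: before Smart License registration (evaluation mode) only DES is
# available; AES and 3DES become available once registered.
EVALUATION_ENCRYPTION = {"des"}
REGISTERED_ENCRYPTION = {"des", "3des", "aes", "aes-192", "aes-256"}


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # lower number = tried first
    encryption: str
    hash: str
    authentication: str    # "pre-share" is the only option in the FDM wizard
    dh_group: int
    lifetime: int          # SA lifetime in seconds

    def proposal(self):
        """The four values that must match exactly; the lifetime is negotiated separately."""
        return (self.encryption, self.hash, self.authentication, self.dh_group)


def usable_policies(policies: List[IkePolicy], registered: bool) -> List[IkePolicy]:
    """Drop the policies whose encryption the current license state does not allow."""
    allowed = REGISTERED_ENCRYPTION if registered else EVALUATION_ENCRYPTION
    return [p for p in policies if p.encryption in allowed]


def negotiate(initiator: List[IkePolicy], responder: List[IkePolicy],
              responder_registered: bool = True) -> Optional[dict]:
    """The initiator sends all of its policies. The responder walks its own policies in
    priority order and accepts the first one that an offered policy matches on encryption,
    hash, authentication and DH group. The shorter of the two lifetimes is used."""
    offered = sorted(initiator, key=lambda p: p.priority)
    local_candidates = sorted(usable_policies(responder, responder_registered),
                              key=lambda p: p.priority)
    for local in local_candidates:
        for remote in offered:
            if local.proposal() == remote.proposal():
                return {
                    "encryption": local.encryption,
                    "hash": local.hash,
                    "authentication": local.authentication,
                    "dh_group": local.dh_group,
                    "lifetime": min(local.lifetime, remote.lifetime),
                    "responder_priority": local.priority,
                    "initiator_priority": remote.priority,
                }
    return None   # no proposal in common: IKE phase 1 fails


# Constructed policy sets. The remote peer prefers AES-256; the FTD prefers 3DES.
REMOTE_ASA = [
    IkePolicy(10, "aes-256", "sha", "pre-share", 14, 86400),
    IkePolicy(20, "3des", "sha", "pre-share", 2, 86400),
]
FTD_POLICIES = [
    IkePolicy(10, "3des", "sha", "pre-share", 2, 28800),
    IkePolicy(20, "aes-256", "sha", "pre-share", 14, 28800),
    IkePolicy(30, "des", "md5", "pre-share", 1, 86400),
]

if __name__ == "__main__":
    print("registered:", negotiate(REMOTE_ASA, FTD_POLICIES))
    print("evaluation:", negotiate(REMOTE_ASA, FTD_POLICIES, responder_registered=False))
```

Two things to notice when running it: the responder's priority order decides which common proposal is used (3DES wins although the initiator listed AES-256 first, so order the FTD's policies with the strongest first), and in evaluation mode the same peer cannot bring the tunnel up at all, because only the DES policy survives the license filter and the peer does not offer DES. Remove the DES fallback policy once the license is registered.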
Demonstration: Firepower Device Manager, FDM
FXOS
Firepower eXtensible Operating System (FXOS) and Firepower Chassis Manager
• FP4100 and FP9300 platforms only
• Used for:
• Managing the device hardware
• Managing decorator applications (Radware vDP)
• Configuring boot images
• Configuring physical (up/down) and EtherChannel interfaces
• Cluster hardware setup
• Packet capture
• REST API management
Managing Modules from FXOS (see also BRKSEC-3555)
• Connect to the Firepower 9300 supervisor CLI from the console
• Initial configuration
• If you change something: commit-buffer
• Connect to the ASA/FTD application on a module:
connect module <slot> console
connect asa
connect ftd
Inter-Chassis Clustering
• Intra-chassis clustering was already supported on the FP9300 before 6.2
• Inter-chassis clustering requires at least FXOS 2.1.1 and FTD 6.2
• All NGFWs in the cluster must be identical:
• 9300 – modules must be the same type
• 4100 – chassis must be the same model
• Only Spanned EtherChannel mode (L2) is supported
• Equal-Cost Multi-Path (ECMP) mode (L3) is not supported
[Diagram: several chassis clustered between the Inside and Outside networks]
Steps Involved in Bringing up a FTD Cluster
• Step 1 – Configure interfaces (Firepower Chassis Manager)
• Step 2 – Configure cluster members (Firepower Chassis Manager)
• Step 3 – Add members to FMC
• Step 4 – Create the cluster in FMC
Detailed configuration steps are in the "hidden" deck.
Clustering Setup – Firepower Chassis Manager
• Interface #1 – Management interface for FTD: type Mgmt, used for Firepower
Management Center connections and other management connections
• Interface #2 – Cluster Control Link: type Cluster, used for the cluster control link
and the exchange of data between cluster members
• Interface #3 – Data Link: the data links (blue lines in the diagram) are EtherChannels
to the upstream switches, configured there as a vPC
• Interfaces all configured [screenshot]
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #1
[Screenshots of the logical device wizard, with these callouts:]
• Name: the name of the individual device, not the cluster
• Template to use: ASA or FTD
• Image: images uploaded by the user into the Firepower Chassis Manager
• Port-channel48 is automatically selected as the cluster interface if configured
• Chassis ID of the unit in the cluster
• Name of the cluster to join: must be the same on all devices
• Cluster key to authenticate units joining the cluster: must be the same on all devices
• Out-of-band management port
• Registration key to authenticate the management connection from FMC
• Admin password to log in to FTD
• Needed for uploading files to AMP, etc.
• Firewall mode: routed or transparent
• Management IP configuration: this must work for communications to the FMC
• The resulting cluster configuration: copy it to the clipboard, as it helps to avoid a lot of
retyping when setting up the other units
Clustering Setup – Firepower Chassis Manager
Creating Cluster Member #2
[Screenshots of the logical device wizard on the second chassis, with these callouts:]
• Check the option to paste the cluster configuration; if it isn't checked, you will need to
enter each cluster detail manually in the next step
• Paste the config you copied from the first cluster member here
• Chassis ID: must be different from the other units
• Cluster key: enter the same as before
• Cluster name and the remaining cluster details: populated from the pasted config
• Registration key to authenticate the management connection from FMC and admin
password to log in to FTD: populated from the pasted config
• Per-unit settings such as the management IP address: change to be unique
Clustering Setup – Firepower Management Center
Creating the Cluster
• Each cluster member must be individually added to FMC before you can create a cluster
• Cluster successfully added: clustering is coming up
Summary
• FXOS manages the interfaces, images and hardware
• FXOS can install software (ASA/FTD) and provision the ASA or FTD cluster configuration
• But FMC manages the security services
• Do not forget the role (type) of each interface
Cisco Defense Orchestrator (CDO)
What is Cisco Defense Orchestrator (CDO)?
• CDO is a Cloud-based policy management platform

• Centralized policy configuration of ASA, NGFW and OpenDNS

• Enable FirePower Services without FMC

• Analyzes security policy configurations for ASA, NGFW and OpenDNS

• Identifies and resolves policy inconsistencies

What devices can I manage with CDO today?
• ASA 5500-X with ASA software version 8.4+

• Firepower 4100 and 9300 with ASA software

• ASAv

• ASA with FirePOWER Services (ASA image only on 5585-X)

• OpenDNS Umbrella

Key capabilities of CDO
• Device onboarding
• Object and policy analysis
• Security templates
• Simple search-based management
• Change impact modelling
• Out-of-band notifications
• Automatic reports

Cisco Defense Orchestrator Is Secure at Every Level, Regardless of Connection Method
1. Secure multitenant architecture within Cisco Defense Orchestrator
2. Data in motion is encrypted with SSL (TLS) on a per-customer basis
3. Two-factor authentication (2FA) is required for users to connect to their tenant
4. Data at rest is encrypted on a per-customer basis in a separate database instance
[Diagram: two customer data centers connect to Cisco Defense Orchestrator, one through a secure data connector in the cloud and one through a secure data connector in the customer data center; both paths use SSL and 2FA]
Demo of Cisco Defense Orchestrator
Comparison of Management Tools
ASDM: On-Box Manager for Firepower Services
• On-box manager: remove the configured manager on the Firepower Services module
(configure manager delete)
• By default, the Firepower Services module is visible to the manager; you don't have to
add the module (device) to the manager. If the device is managed by a central FMC, the
module is disabled in ASDM.
• Both Firepower Services and the ASA can be managed using the same ASDM manager
[Screenshot: module status, on-box reporting and dashboard]
Configure Firepower Services: ASDM
• Access Control Policies, IPS policies and File policies; other policies (SSL, ID, ...) are
available and similar to FMC
• To test traffic, leave the default action as Trust All Traffic (trusted traffic bypasses
intrusion and file inspection, so change the default action once testing is done)
Firepower Device Manager (FDM)
• Web-based on-box manager
• Manages FTD software on ASA 5500-X models
• Workflows, diagrams and default configuration options
• Wizard setup
[Screenshot: FDM dashboard; the displayed time range can be changed and the view can be narrowed to a particular interface]
Firepower Management Center - FMC
• Centralized, role-based manager
• Manages firewall, applications, files and threats
• Rule recommendations
• Impact assessment
• Customizable dashboards
• REST API
Cisco Defense Orchestrator
• Cloud-based policy management
• Object and policy analysis
• Device onboarding
• Security templates
• Different device types - not just firewalls
Cisco Security Manager - CSM
• Centralized manager for Cisco ASA firewall, VPN and Cisco IPS (ASA, IPS, FWSM, ISR/ASR)
• Log management
• Image management
• Application Programming Interface (API)
• Network health
• Policy management
• Reports
Comparison of Management Tools (For Your Reference)
Feature | FMC | ASDM | FDM
--- | --- | --- | ---
Manageability | Centralized web-based GUI, manages up to 500 sensors | Java-based on-box manager for a single device, comes with the ASA image | Web-based on-box manager for a single device with the FTD image
Form factor | Physical, virtual, AWS | Available on all ASAs | Available on mid-range ASAs (5500-X)
FirePOWER Services on ASA | Yes | Yes – limited | No
FirePOWER appliances (SF) | Yes | No | No
ASA software | No | Yes | No
FTD software | Yes (limitations) 6.0.1+ | No | Yes 6.1+
S2S VPN | Yes 6.1 | Yes, ASA | 6.2 (pre-shared keys)
RA VPN | No | Yes, ASA | No – future release
Routing | No EIGRP, multicast in 6.1 | Yes, ASA | Static only
Interfaces | Static, DHCP, PPPoE | Static, DHCP, PPPoE | Static, DHCP
NAT | Manual NAT (Twice NAT), Auto NAT, FirePOWER NAT – static or dynamic | Object NAT, Twice NAT | Manual NAT (Twice NAT), Auto NAT (Object NAT) – static or dynamic
High Availability | A/S from 6.1 onwards, A/A in 5.4 | A/S, A/A | No
Domain Management | 6.0+ | No | No
Risk Reports | 6.1+ | No | No
Reporting | Extended functionality | Base functionality | Base functionality
Smart Licensing
Smart Licensing – Smart Accounts
• Smart Licensing is a cloud-based approach to licensing. Centralized account to
pool all assets.
• Purchase your licenses and they get deposited to your Virtual account for usage
and flexible licensing.
• Eliminates the need to install license file on every device.
• Manage product registration and monitor smart license consumption on Cisco
Smart Software Manager (CSSM).
• Moving away from Classic Licensing based on Product Activation Keys (PAK).

Security Products Smart-Enabled
Products using Smart Licensing:
• ASAv & FTDv
• Firepower 9300
• Firepower 4100
• Firepower 2100
• Firepower Threat Defense
• Firepower Management Center
How Does Smart Software Licensing Work?
Smart Licensing provides a software inventory management system that gives customers,
Cisco and selected partners information about software ownership and software
utilization.
[Diagram: Commerce (CCW) reports ownership into the Smart Account; the Cisco product reports its usage to the Smart Account]
• Commerce (CCW) to Smart Account: "I have purchased 5 additional 'Advanced' licenses for BigU.edu"
• Cisco product to Smart Account: "Hello, I am Device-East5, I belong to BigU.edu and I am using 1x Advanced license"
• Smart Account to Cisco product: "Hello, you are Device-East5, belonging to BigU.edu and the Physics department; you are 'In-Compliance'"
Smart Account Types
• Holding Smart Account – where partners/distributors can temporarily deposit
orders until the end customer's Smart Account is identified. Licenses cannot be
consumed from a holding account.
• Customer Smart Account – where Smart Account enabled products are
deposited. Licenses can be managed by the customer directly, a channel partner, or an
authorized party.
• Virtual Account – create virtual accounts according to your needs, i.e. to reflect
your company organization, geography, budgeting or other structure. Share
licenses across virtual accounts. Maintained by the CSSM (Cisco Smart Software
Manager) administrator.
Connectivity Options
• Direct cloud access (default): the Cisco product sends usage information directly over
the internet to Cisco.com / your Cisco Smart Software Manager over HTTPS. No
additional components are needed.
• Direct cloud access through an HTTP proxy: Cisco products send usage information
over the internet via a proxy server (product → HTTPS → proxy → Cisco.com).
• Mediated access through an on-premises satellite, connected: Cisco products send
usage information over HTTPS to a local connected collector (satellite), which acts as a
local license authority. Periodically, an exchange of information is done with Cisco.com to
keep the databases in sync.
• Mediated access through an on-premises satellite, disconnected: Cisco products send
usage information to a local disconnected collector, which acts as a local license
authority. Once a month, an exchange of information is performed by file transfer to keep
the databases in sync.
https://software.cisco.com
Create a Smart Account
[Screenshot of software.cisco.com: "Create smart account" link; your smart account; Smart Account / Holding Account; smart account properties (list them if more than one); Training and Documentation]
Firepower Management Center – Smart License
Steps to register FTDv for smart licensing
• Manage smart and classic licenses in FMC.
• The first time, you will need to click here to be redirected to CSSM to obtain a token for FMC.

Cisco Smart Software Manager Portal - CSSM
• CSSM Portal – see all your purchased licenses for your organization.
• CSSM Portal – obtain a new token for your FMC here and copy it.

Firepower Management Center – Smart Licenses
• Register your FMC to the smart license account with your token.

Firepower Management Center – Device Management
• Go to Devices, Device Management and register your FTDv or new device; apply the licenses you require or want.
• The smart licenses you purchased can be applied to your device here.

Firepower Management Center
• The FTDv now has the licenses applied from your smart license account.
• You can expand this section to see what devices this license is applied to.
Permanent License Reservation (PLR) Overview
• PLR is an enhancement to the Smart Licensing feature on the ASAv
• Designed for highly secure environments where communication with either Cisco Smart Software Manager (CSSM) or a local Smart Software Satellite is not allowed
• Allows reserving licenses from a virtual account, tying them to a device's UDI, and using the device with these reserved licenses in a disconnected mode
• Includes the ability to return the license into the Smart virtual account
• Available from ASA 9.5.2.200, 9.6.2 and onward
• Licenses are permanent, not time based
• Provides an off-line method of licensing similar to PAK (Product Activation Key)

Permanent License Reservation (PLR) Overview
• Supported on VMware ESXi, KVM and Hyper-V hypervisors
• Support for AWS public cloud
• No support for Azure
• PLR is available at appliance level and not available on a per-feature basis
• Available through a controlled mechanism
[Diagram: ASAv with no connectivity (x) to CSSM over the Internet and no connectivity (x) to a Smart Software Satellite]
Show commands
# show license status

ASAv# sh license status
Smart Licensing is ENABLED
License Reservation is ENABLED
Registration:
Status: REGISTERED - UNIVERSAL LICENSE RESERVATION
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Aug 10 22:59:39 2016 UTC
License Authorization:
Status: AUTHORIZED - RESERVED on Aug 10 22:59:39 2016 UTC

Show commands
# show license summary

ASAv# show license summary
Smart Licensing is ENABLED
Registration:
Status: REGISTERED - UNIVERSAL LICENSE RESERVATION
Export-Controlled Functionality: Allowed
License Authorization:
Status: AUTHORIZED - RESERVED

Show commands
# show version

ASAv# show version
License mode: Smart Licensing
License reservation: Enabled
ASAv Platform License State: Licensed
Active entitlement: ASAv-UNIVERSAL-V10, enforce mode: Authorized
Licensed for maximum of 1 vCPU

Show commands
# show license udi

ASAv# sh license udi
UDI: PID:ASAv,SN:9A6B443AKSK

# show license usage

ASAv# sh license usage
License Authorization:
Status: AUTHORIZED - RESERVED on Aug 10 22:59:39 2016 UTC
ASA REST API
ASA REST API : Introduction/Overview
• Provides a programmatic, model-based interface to configure/monitor classic ASA
• Classic ASA refers to an ASA which doesn't include the Firepower module
• Supports different use cases of firewall and VPN features such as access control, NAT etc.
• Supports out-of-band (OOB) changes by co-existing CLI and API, a Bulk API, and a CLI pass-through API for features not supported in the API
• Provides critical Monitoring API
• 2 phases : ASA version 9.3 (Phase 1) and 9.4 (Phase 2); Phase 2:
  • Token-based authentication in addition to the existing basic authentication
  • Adds limited support for multi-context ASA
  • Performance improvements over Phase 1
Restful API basics
• Each policy is modelled as a resource
• Use HTTP methods (POST, GET, PUT/PATCH, DELETE) for CRUD (Create/Read/Update/Delete) operations on a given resource
• Uses JSON (JavaScript Object Notation) as the interface
• Sample JSON for a resource :
{
    "host": {
        "kind": "IPv4Address",
        "value": "1.10.8.10"
    },
    "kind": "object#NetworkObj",
    "name": "ASA_Demo_NObj_1190",
    "objectId": "ASA_Demo_NObj_1190"
}
For Your
Reference

Request Structure
Available request methods are: (non-bulk)
• GET – Retrieves data from the specified object.
• PUT – Adds the supplied information to the specified object; returns a 404 Resource Not Found error if the object does not exist.
• POST – Creates the object with the supplied information.
• DELETE – Deletes the specified object.
• PATCH – Applies partial modifications to the specified object.
Available request methods are: (bulk)
• POST – create/update/partial-update/remove of several resource objects
Example for PUT method
The HTTP request will be a POST instead of a GET when the data parameter is provided.

import base64
import json
import urllib2

# url, put_data, headers, username, password and ctx are set up as in the
# generated scripts below; urllib2 in Python makes the request easy
req = urllib2.Request(url, json.dumps(put_data), headers)
# Authorization header (basic authentication)
base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')
req.add_header("Authorization", "Basic %s" % base64string)
# Override the HTTP method; other methods: DELETE, PATCH
req.get_method = lambda: 'PUT'
try:
    # ctx: a different SSL context for a non-trusted certificate (see the Certificate slide)
    f = urllib2.urlopen(req, context=ctx)
    status_code = f.getcode()
    print "Status code is " + str(status_code)
    if status_code == 204:
        print "PUT operation was successful"
except urllib2.HTTPError, err:
    print "Error received from server. HTTP Status code :" + str(err.code)

More info : Using Python to Access Web Data by Dr. Charles Severance
https://www.coursera.org/learn/python-network-data
REST Agent setup/installation
• The REST Agent + JRE is packaged separately, and is not part of the ASA
image.
• The Agent is published separately on Cisco.com (latest: v1.3.2)
• To use REST API, you need to download this separate package, put it on flash
and invoke CLI commands to start REST API Agent.
• CLIs:
[no] rest-api image disk0:/<package>
[no] rest-api agent

Additional bootstrapping
• Enable the HTTP server and let clients connect over the management interface:
http server enable
http 0.0.0.0 0.0.0.0 <mgmt interface nameif>
• Set the authentication approach for HTTP:
aaa authentication http console LOCAL
• Create a local user with privilege 15 (for read/write operations):
username <user> password <pass> encrypted privilege 15
• Configure (static) routes
• Note: After installation, you can go to https://<asa_ip>/doc/ for live documentation of the REST API and the console.

ASA REST API Documentation and Console
[Screenshot of the REST API documentation page; sample code is available in Python, JavaScript or Perl]
For Your
Reference

„show config” generated output – part 1

#
# Generated ASA REST API sample script - Python 2.7
#

import base64
import json
import sys
import urllib2

server = "https://<IP ADDRESS OF ASA>"

username = "cisco"
if len(sys.argv) > 1:
    username = sys.argv[1]
password = "cisco"
if len(sys.argv) > 2:
    password = sys.argv[2]

headers = {'Content-Type': 'application/json'}

api_path = "/api/cli"    # param - the path determines the resource
url = server + api_path
f = None
For Your
Reference

„show config” generated output – part 2

# POST OPERATION
post_data = {            # command in JSON format
    "commands": [
        "show config"
    ]
}
req = urllib2.Request(url, json.dumps(post_data), headers)    # URL request with headers class
base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')
req.add_header("Authorization", "Basic %s" % base64string)
try:
    f = urllib2.urlopen(req)    # access the URL as a file-like handler
    status_code = f.getcode()
    print "Status code is " + str(status_code)
    if status_code == 201:
        print "Create was successful"
except urllib2.HTTPError, err:
    print "Error received from server. HTTP Status code :" + str(err.code)
    try:
        json_error = json.loads(err.read())
        if json_error:
            print json.dumps(json_error, sort_keys=True, indent=4, separators=(',', ': '))
    except ValueError:
        pass
finally:
    if f: f.close()
For Your
Reference

Certificate
• REST API client requires a trusted ASA certificate
• For non production environment:
import urllib2
import ssl
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
urllib2.urlopen("https://your-test-server.local", context=ctx)

More info:
http://stackoverflow.com/questions/19268548/python-ignore-certicate-validation-urllib2
For Your
Reference

Add new host object – part 1

import base64
import json
import sys
import urllib2

server = "https://<IP ADDRESS OF ASA>"

username = "cisco"
if len(sys.argv) > 1:
    username = sys.argv[1]
password = "cisco"
if len(sys.argv) > 2:
    password = sys.argv[2]

headers = {'Content-Type': 'application/json'}

api_path = "/api/objects/networkobjects"    # param
url = server + api_path
f = None

For Your
Reference

Add new host object – part 2

# POST OPERATION
post_data = {                   # network object in JSON format for POST data
    "host": {
        "kind": "IPv4Address",
        "value": "1.10.8.10"
    },
    "kind": "object#NetworkObj",
    "name": "ASA_Demo_NObj_1190",
    "objectId": "ASA_Demo_NObj_1190"
}
req = urllib2.Request(url, json.dumps(post_data), headers)
base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')
req.add_header("Authorization", "Basic %s" % base64string)
try:
    f = urllib2.urlopen(req)
    status_code = f.getcode()
    print "Status code is " + str(status_code)
    if status_code == 201:
        print "Create was successful"
except urllib2.HTTPError, err:
    print "Error received from server. HTTP Status code :" + str(err.code)
    try:
        json_error = json.loads(err.read())
        if json_error:
            print json.dumps(json_error, sort_keys=True, indent=4, separators=(',', ': '))
    except ValueError:
        pass
finally:
    if f: f.close()
ASA REST API Demo
FMC REST API
REST API from FMC 6.1
• The REST API provides Setup, Monitoring, & Config Programmability APIs for Firepower devices
• Secure API (Token Based Authentication)
• API Explorer/Browser, with Example Code
• Packaged with FMC software, no license required
• For FTD and FTDv, the type of interfaces supported depends on:
  mode (routed/transparent)
  form-factor (physical/virtual)
[Diagram: Web Browser -> FMC with API Explorer -> FMC REST API -> Managed devices; 1. Invoke the API Explorer, 2. Use the API Explorer UI for making REST API calls]
What we support in 6.1 via FMC?
Management for :
• FTD
• Firepower Services
• Firepower appliances

Feature                            Access Rights
Device                             C (register), RUD (Deregister)
Device Group                       CRUD
Interfaces                         Read only for FTD, CRUD on FP Appliance/Services
Access Control Policy and Rules    CRUD
IPS Policy                         Read only on All
Deploy                             Supported on All
Operational Status - Statistics    Supported on All
FMC 6.2 : Automate FTD provisioning with REST API
• Interface configuration of FTD devices
• Use Cases:
  • Cisco ACI solutions
  • SDN controllers traffic path

Feature          Access Rights
Physical         RU
Sub-Interfaces   CRUD
Etherchannel     R
Bridge Group     CRUD
Redundant        CRUD
Inline Set       CRUD

[Workflow diagram with the steps: Register/Deregister FTD to FMC; Setup Device Interface; Create ACL Policies; Deploy Policies/Changes; Monitor Operational Statistics]
API Service : Default off
[Screenshot: FMC REST API preference and API Explorer]
• FMC 6.1 : version 1 API
• Main features :
• Different methods :
Best Practices
• Keep UI users and script users separate. Especially do not use the admin account as an API user
• There is no specific REST API role for admins
• Do not give script users more privilege than needed
• Always validate the content coming from the server

API Explorer
Free tool built into the FMC that can be used to use the REST API
https://<management_center_IP_or_name>:<https_port>/api/api-explorer
For Your
Reference

Domain Overview
• Separate devices, policies, objects, events based on geographic, functional, customer or organizational requirements
• Supports up to 50 domains and 3 levels, available for all platforms running from FMC 6.0
• Perfect for RBAC on policies, objects, and so on
• Domain => UUID (Universally Unique Identifier)

API Explorer and Access Policy
[Screenshot of the API Explorer with the access policy resources]

Example Request and Exported python script:
[Screenshot]
Token based Authentication
• Open your REST API client.
• Set the client to make a POST command to the following URL: https://<management_center_IP_or_name>/api/fmc_platform/v1/auth/generatetoken
• Include the username and password as a basic authentication header. The POST body should be blank.
• Add the header X-auth-access-token:<authentication token value> in requests to the API.

Postman plugin:
[Screenshot]

Token and Domain UUID
• When you run a POST to the following URI: https://[FMCIP]/api/fmc_platform/v1/auth/generatetoken
• using your API credentials (username and password) in the basic authentication header, the return headers will include DOMAIN and token details.
• When you retrieve the token, the domain UUIDs for which the user is authorized are sent in the HTTP header along with the tokens.
For Your
Reference

Trusted Certificate
• SSL cert verification: path to cert
• Python library checks SAN and IP address / CN matching
• Bypass: "verify=False"
• Default CN of the FMC cert
[Screenshot: requests call with the path to the certificate]

Result of a GET "Access Policy" request
• Hierarchical structure with IDs
• Domain UUID
• Each object has its own unique URL
[Screenshot of the JSON response]
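An added example (not code from the deck) tying the three slides above together: a Python 3 stdlib client that performs the generatetoken handshake, reuses the returned token and domain UUID for a GET of the access policies, and verifies the FMC certificate against a CA file instead of the verify=False bypass. Assumptions: the FMC URL, API user and CA path are placeholders; the header names X-auth-refresh-token, DOMAIN_UUID and DOMAINS and the /api/fmc_config/v1/domain/<uuid>/policy/accesspolicies path come from FMC's API documentation, the slides only name X-auth-access-token and "DOMAIN".

```python
"""FMC REST API token handshake (added example, not from the Cisco deck).

Assumptions: Python 3 stdlib only; FMC URL, user and CA file are placeholders;
X-auth-refresh-token, DOMAIN_UUID, DOMAINS and the accesspolicies path are from
FMC's API documentation, not from the slides.
"""
import base64
import json
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"   # path shown on the slide


def basic_auth_header(username, password):
    """Basic auth header value, used once, for the token request only."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_token_headers(headers):
    """Pull the token and domain details out of the generatetoken response
    headers. `headers` may be http.client's (case-insensitive) message object
    or a plain dict; DOMAINS is decoded from its JSON-list form."""
    def get(name):
        for key in (name, name.lower(), name.upper()):   # plain dicts are case-sensitive
            if key in headers:
                return headers[key]
        return None

    access = get("X-auth-access-token")
    if not access:
        raise ValueError("generatetoken response carried no X-auth-access-token")
    domains_raw = get("DOMAINS")
    return {
        "access_token": access,
        "refresh_token": get("X-auth-refresh-token"),
        "domain_uuid": get("DOMAIN_UUID"),
        "domains": json.loads(domains_raw) if domains_raw else [],
    }


def api_headers(access_token):
    """Headers for every call after the handshake: the token replaces the
    password, so the credentials never travel again."""
    return {"X-auth-access-token": access_token,
            "Content-Type": "application/json",
            "Accept": "application/json"}


def access_policies_url(base_url, domain_uuid):
    """The 'Access Policy' resource lives under the domain UUID returned with
    the token (hierarchical structure with IDs, as the slide shows)."""
    return "%s/api/fmc_config/v1/domain/%s/policy/accesspolicies" % (
        base_url.rstrip("/"), domain_uuid)


def ssl_context(cafile):
    """Verify the FMC certificate (SAN / CN match) against a CA bundle
    instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def generate_token(base_url, username, password, cafile):
    """POST with basic auth and an empty body; the result is in the headers."""
    req = urllib.request.Request(base_url.rstrip("/") + TOKEN_PATH,
                                 data=b"", method="POST")
    req.add_header("Authorization", basic_auth_header(username, password))
    with urllib.request.urlopen(req, context=ssl_context(cafile)) as resp:
        return parse_token_headers(resp.headers)


if __name__ == "__main__":
    # Placeholders: replace with your FMC, a dedicated API user and its CA bundle.
    fmc, cafile = "https://fmc.example.invalid", "/path/to/fmc-ca.pem"
    session = generate_token(fmc, "api-user", "api-user-password", cafile)
    req = urllib.request.Request(access_policies_url(fmc, session["domain_uuid"]),
                                 headers=api_headers(session["access_token"]))
    with urllib.request.urlopen(req, context=ssl_context(cafile)) as resp:
        print(json.dumps(json.load(resp), indent=2))
```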
FMC REST API Demo
Motivation : time based policy, Facebook configuration (Lunch Break)

User Identity Sources
[Diagram: a host at 192.68.0.23 sends traffic to the Internet; the firewall must answer "Is 192.68.0.23 User 1 or User 2?". The Firepower Management Center holds the user-to-IP mapping (User 1 = 192.68.0.23, User 2 = 192.68.0.24) learned from the identity sources for User 1, User 2 and User 3]
User Identity Sources
The Firepower System supports the following identity sources:
• Traffic-based detection
• User Agent (Passive Authentication)
• Identity Services Engine (ISE) (Passive Authentication)
• Cisco Terminal Services (TS) Agent (Passive Authentication)
• Captive portal authentication (Active Authentication)
Access Control Identity Policy
Access Control -> Identity
• Configure the Identity Policy first
• Add Rule

Access Control Identity Policy
• Add Rule
• Active or Passive Authentication

Access Control Identity Policy
Access Control -> Access Control
• Bind the Identity Policy to the Access Control Policy
For Your
Reference

User Identity Sources

User Identity Source     Policy             Server Requirements                 Source Type               Authentication Type  User Awareness?  User Control?  For more information, see...
User Agent               identity           Microsoft Active Directory          authoritative logins      passive              Yes              Yes            The User Agent Identity Source
ISE                      identity           Microsoft Active Directory          authoritative logins      passive              Yes              Yes            The Identity Services Engine (ISE) Identity Source
TS Agent                 identity           Microsoft Windows Terminal Server   authoritative logins      passive              Yes              Yes            The Terminal Services (TS) Agent Identity Source
Captive portal           identity           LDAP or Microsoft Active Directory  authoritative logins      active               Yes              Yes            The Captive Portal Active Authentication Identity Source
Traffic-based detection  network discovery  n/a                                 non-authoritative logins  n/a                  Yes              No             The Traffic-Based Detection Identity Source
Traffic Based Detection
Traffic Based Detection
• Passive Network Discovery
• Real-time Network/User Awareness (RNA/RUA)
• Network Discovery Policy -> Users
• Collects user data from different protocols
[Screenshot: Network Discovery Policy, Users tab with the protocols to collect from]

FMC – Network Discovery Process
• Limited database -> discover only the important hosts (internal network)
• Discovery levels: application, host, users
• Passive network discovery, populating the Host Profiles
• Host limit behaviour: drop hosts or don't insert new hosts
User Based IoC
• Before 6.2, Indications of Compromise (IoCs) were associated with hosts
  • Host profiles contained a list of indications of compromise for that host
  • Dashboard widgets for IoCs by host
  • Dedicated events page: Analysis > Hosts > Indications of Compromise
• With 6.2, IoCs can now be associated directly with users
  • User profiles contain a list of indications of compromise for that user
  • Dashboard widgets for IoCs by user
  • Dedicated events page: Analysis > Users > Indications of Compromise

User Based IoC
[Screenshot: user profile with its indications of compromise]
User Agent
Firepower User-Agent
• AD-Connector Agent for up to 5 AD servers
• Requires WMI/DCOM instrumentation for AD communication
• IP to identity mapping by scraping AD login/logout events
• Creates a local database of USER/IP mappings
• Can run on an AD DC, an AD member server or any AD member

FP-User-Agent Integration with Firepower
[Screenshot: User Agent configuration in FMC]

Passive Authentication ID policy is required
[Screenshot: identity rule with passive authentication]
Identity Services Engine (ISE)
BRKSEC-3697

Identity Services Engine (ISE)
Cisco Platform Exchange Grid (pxGrid)
• ISE shares user and context information via the pxGrid controller
  • Username
  • Device Type
  • Location IP
  • Security Group Tag
• FMC can use this information for context and enforcement
• FMC can direct ISE to take remediation or other network action
[Diagram: ISE <-> pxGrid <-> Cisco and Partner Ecosystem; Cisco Network]

pxGrid Configuration in FMC
FMC configuration: pxGrid and FMC certificates
3 topics:
• Session
• MetaData
• TrustSec
ISE Integration – AD Group Information
• User and AD group information directly from ISE
• Authenticated users are supported for enforcement scenarios

Use of ISE Metadata in FMC (6.0 & 6.1)
• FMC can consume ISE metadata to use in access control policies
  • Security Group Tag
  • Device type
  • Location IP
• FMC can use ISE for passive authentication
  • Realm must be created
  • Identity policy with a passive authentication rule must be created
[Screenshot: access control rule condition on Security Group Tag]
FMC 6.0 and 6.1 ISE Metadata Processing
• ISE metadata are part of user attributes in the authentication database
• Realm and identity policy with passive authentication rule are required (even if ISE is not used for passive authentication)
[Diagram: Packet (Src IP, Src Port, Dst IP, Dst Port) -> ID Policy -> IP Address -> Username -> Attribute Group (ISE SGT, ISE Attr2, ISE Attr3)]

FMC 6.2 ISE Metadata Processing
• ISE metadata are part of IP attributes in the authentication database.
• Realm and identity policy with passive authentication rule are not required (unless ISE is used for passive authentication).
[Diagram: Packet (Src IP, Src Port, Dst IP, Dst Port) -> IP Address -> Attributes (ISE SGT, ISE Attr2, ISE Attr3), with Username as a separate IP attribute]
Inline Security Group Tags (SGT)
• Behavior in 6.0
  • SGTs in network traffic were not utilized
  • Access policy rules used the IP to SGT mapping provided by ISE
  • SGTs could not be defined locally on the FMC

Frame layout: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
CMD: CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
SGT Value: 16 bit (64K SGTs)

Inline Security Group Tags (SGT)
• Behavior in 6.1
  • SGTs in network traffic are utilized
  • SGTs seen in traffic take precedence over the SGT to IP mapping provided by ISE
  • Untagged traffic is still matched to rules using the IP to SGT mapping provided by ISE
  • ISE integration is no longer needed – SGTs can be defined in the FMC
  • If ISE integration is enabled, locally defined SGTs are not available
  • Sensor does not add or remove tags from traffic

Inline Security Group Tags (SGT) Configuration
• Locally defined SGTs are Objects on the FMC
[Screenshot: Objects > Security Group Tag]
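An added example (not from the deck) of the two slides above: a Python decoder that reads the SGT Value out of a frame's CMD header, laid out as the slide shows, and applies the 6.1 precedence rule (inline tag first, ISE IP-to-SGT mapping for untagged traffic). Assumptions: the CMD EtherType 0x8909, Version 1, SGT Option Type 0x0001 and the 1/1/2/2-byte field widths are from Cisco's TrustSec documentation rather than the slide; frames carry no 802.1AE header; the SGT option is the only CMD option present; every frame and the ISE mapping are constructed.

```python
"""Inline SGT extraction and 6.1 precedence (added example, not from the deck).

Assumed CMD layout (Cisco TrustSec docs, not the slide): EtherType 0x8909,
Version (1 byte, =1), Length (1 byte), SGT Option Type (2 bytes, 0x0001),
SGT Value (2 bytes, 16 bit). No 802.1AE header; SGT is the only CMD option.
"""
import struct

CMD_ETHERTYPE = 0x8909
DOT1Q_ETHERTYPE = 0x8100
SGT_OPTION_TYPE = 0x0001


def inline_sgt(frame):
    """Return (sgt, inner_ethertype) for a CMD-tagged frame or
    (None, ethertype) for an untagged one. Truncated or malformed CMD
    headers raise ValueError instead of yielding a guessed tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    if ethertype == DOT1Q_ETHERTYPE:          # optional 802.1Q: TCI + inner type
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    if ethertype != CMD_ETHERTYPE:
        return None, ethertype
    if len(frame) < offset + 8:               # 6 CMD bytes + inner EtherType
        raise ValueError("truncated CMD header")
    version, _length, opt_type, sgt = struct.unpack_from("!BBHH", frame, offset)
    if version != 1 or opt_type != SGT_OPTION_TYPE:
        raise ValueError("unsupported CMD version/option %d/%#x" % (version, opt_type))
    inner = struct.unpack_from("!H", frame, offset + 6)[0]
    return sgt, inner


def effective_sgt(frame, src_ip, ise_ip_to_sgt):
    """6.1 rule: a tag seen in the traffic wins; untagged traffic falls back
    to the ISE IP-to-SGT mapping; None means no SGT for rule matching.
    The second element says which source decided, for audit/logging."""
    sgt, _ = inline_sgt(frame)
    if sgt is not None:
        return sgt, "inline"
    if src_ip in ise_ip_to_sgt:
        return ise_ip_to_sgt[src_ip], "ise-mapping"
    return None, "unknown"


def build_frame(dst_hex, src_hex, sgt=None, vlan=None, inner_ethertype=0x0800, payload=b""):
    """Constructed test frame: optional 802.1Q tag, optional CMD with one SGT option."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vlan is not None:
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan & 0x0FFF)
    if sgt is not None:
        frame += struct.pack("!HBBHH", CMD_ETHERTYPE, 1, 1, SGT_OPTION_TYPE, sgt)
    return frame + struct.pack("!H", inner_ethertype) + payload


if __name__ == "__main__":
    ise_map = {"10.1.1.5": 20}                        # constructed ISE IP-to-SGT mapping
    tagged = build_frame("001122334455", "66778899aabb", sgt=10, vlan=100)
    untagged = build_frame("001122334455", "66778899aabb")
    print(effective_sgt(tagged, "10.1.1.5", ise_map))     # (10, 'inline')
    print(effective_sgt(untagged, "10.1.1.5", ise_map))   # (20, 'ise-mapping')
```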
ISE Passive Identity Connector
ISE Passive Identity Connector (ISE-PIC)
• Input to ISE-PIC
  • WMI, ISE-PIC Agent, Kerberos SPAN
  • REST API
  • Syslog
  • Endpoint Probe
• Output
  • Legacy CDA-RADIUS
  • pxGrid Publish/Subscribe
[Diagram: Identity Information -> ISE-PIC (Input) -> Output -> FMC]
Terminal Services Agent
Identify threats hidden by desktop virtualization
[Diagram: Virtual Desktop Infrastructure (VDI). User 1 and User 2 share IP 192.68.0.23 behind the VDI; the firewall sees a flow from 192.68.0.23:4001 and must answer "Is 192.68.0.23 user 1 or user 2?". The Terminal Services Agent reports the user to IP/port-range mapping to the Firepower Management Center via REST API:
User 1: 192.68.0.23:4000-4200
User 2: 192.68.0.23:4400-4600
User 1: 192.68.0.23:4800-5000
FMC then knows User 1, User 2 and User 3]
Firepower Terminal Services Agent (TSAgent)
• Monitor user logon/logoff session events
• Port range allocation and port address translation per user
• Notify per-user port range bindings to the FMC via a REST API
• Port address translation (PAT) via a Windows kernel driver
[Diagram: User Space: User App, TS Agent; Kernel Space (OS): Ephemeral Port, Network Filter Driver, Network Driver; Network Interface Card (NIC) -> www]
User Identity REST API
• Allows any user agent to feed user session bindings to FMC using REST requests
• Add/delete a user session binding whenever a new user logs on/off
• Both single-IP session bindings as well as shared-IP session bindings
• Shared-IP will contain IP + port range

User Identity REST API
• patRangeStart: start port for the full range allocated by the TS Agent to perform user-specific PAT
• userPatStart: start port for the user PAT range; traffic from the user will originate from a source port within this range
• userPatEnd: end port for the user PAT range

User Identity REST API
[Screenshot: API Explorer for the user identity REST API]
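An added example (not from the deck) for the two User Identity REST API slides and the VDI diagram earlier: a small Python model of the FMC-side user-to-IP/port mapping that a TS Agent feeds through this API, using the patRangeStart/userPatStart/userPatEnd fields, validating each binding before accepting it and resolving a flow such as 192.68.0.23:4001 to a user. The class and function names are my own; bindings, users and port ranges are constructed.

```python
"""User-to-IP/port mapping for shared-IP (VDI) hosts (added example, not from the deck).

Field names follow the slides (patRangeStart, userPatStart, userPatEnd);
the bindings below are constructed, as are the class/function names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionBinding:
    ip: str
    user_name: str
    pat_range_start: int   # patRangeStart: start of the whole PAT range the TS Agent owns
    user_pat_start: int    # userPatStart: first source port this user's traffic can use
    user_pat_end: int      # userPatEnd: last source port this user's traffic can use


class IdentityMap:
    """In-memory counterpart of the FMC's user-to-IP(/port range) mapping."""

    def __init__(self):
        self._shared = {}    # ip -> list of SessionBinding (shared-IP, with port range)
        self._single = {}    # ip -> user name (single-IP bindings, whole address)

    def add(self, b):
        """Validate before accepting: a bad or overlapping range would
        silently attribute one user's traffic to another user."""
        if not (0 < b.user_pat_start <= b.user_pat_end <= 65535):
            raise ValueError("invalid user PAT range %d-%d" % (b.user_pat_start, b.user_pat_end))
        if b.user_pat_start < b.pat_range_start:
            raise ValueError("user range starts below patRangeStart %d" % b.pat_range_start)
        for other in self._shared.get(b.ip, []):
            if b.user_pat_start <= other.user_pat_end and other.user_pat_start <= b.user_pat_end:
                raise ValueError("range %d-%d overlaps %s's %d-%d" % (
                    b.user_pat_start, b.user_pat_end, other.user_name,
                    other.user_pat_start, other.user_pat_end))
        self._shared.setdefault(b.ip, []).append(b)

    def add_single_ip(self, ip, user_name):
        """Single-IP session binding: the whole address belongs to one user."""
        self._single[ip] = user_name

    def remove(self, ip, user_name):
        """Logoff: drop every binding this user holds on that IP."""
        self._shared[ip] = [x for x in self._shared.get(ip, []) if x.user_name != user_name]
        if self._single.get(ip) == user_name:
            del self._single[ip]

    def resolve(self, src_ip, src_port):
        """Shared-IP bindings are checked first (more specific), then the
        whole-IP binding; None means the user is unknown."""
        for b in self._shared.get(src_ip, []):
            if b.user_pat_start <= src_port <= b.user_pat_end:
                return b.user_name
        return self._single.get(src_ip)


if __name__ == "__main__":
    m = IdentityMap()   # constructed bindings mirroring the VDI slide
    m.add(SessionBinding("192.68.0.23", "user1", 4000, 4000, 4200))
    m.add(SessionBinding("192.68.0.23", "user2", 4000, 4400, 4600))
    print(m.resolve("192.68.0.23", 4001))   # user1
    print(m.resolve("192.68.0.23", 4300))   # None: port outside every range
```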
Firepower Terminal Services Agent (TSAgent)
[Screenshot: TS Agent configuration with Username and Start Port/Range]
• User role with permissions "REST VDI" and "Modify REST VDI"
  • REST VDI gives read-only permissions, e.g. GET requests
  • Modify REST VDI gives both read and write permissions, e.g. POST/GET/DELETE
For Your
Reference

Firepower Terminal Services Agent (TSAgent)
[Screenshot: Port Range setting]

For Your
Reference

TSAgent Troubleshooting
[Screenshot]

FMC now shows port range for shared-IP users
[Screenshot: user table with User Name, Start Port and End Port columns]

For Your
Reference

TSAgent Environment Requirements
• You install the TS Agent on a Microsoft Windows Terminal Server. This version of the TS Agent supports the following 64-bit servers:
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
• The TS Agent is compatible with any of the following terminal services solutions installed on your server:
  • Citrix XenDesktop
  • Citrix XenApp
  • Xen Project Hypervisor
  • VMware vSphere Hypervisor/VMware ESXi 6.0
  • Windows Terminal Services/Windows Remote Desktop Services (RDS)
Terminal Services Agent Demo
Captive Portal Authentication or Active Authentication
Active Authentication
• HTTP Basic: In this method, the browser prompts for user credentials.
• NTLM: NTLM uses Windows workstation credentials and negotiates them with Active Directory using a web browser. You need to enable NTLM authentication in the browser.
• Kerberos: This selection is available only when you select an AD realm for a server with secure LDAP (LDAPS) enabled.
• HTTP Negotiate: In this type, the system tries to authenticate using NTLM; if it fails, the sensor will use the HTTP Basic authentication type as a fallback method and will prompt a dialog box for user credentials.
• HTTP Response page: This is similar to the HTTP Basic type; however, here the user is prompted to fill in the authentication in an HTML form which can be customized.

Access Control Identity Policy
[Screenshot: identity rule with active authentication]

Active Authentication Response Page
• Custom web page for authentication (editable HTML)
• Guest Login

Active Authentication Rule
[Screenshot]
Application Visibility and Control and Intrusion Prevention System
Advanced Inspection Engines
Advanced Inspection Engines
High-level architecture
• Packet sniffer
  • Packets are read using the Data AcQuisition library (DAQ)
• Packet decoder
  • Decodes datalink, network and transport protocols
• Preprocessors
  • Normalize traffic
• Detection engine
  • Matches traffic against Snort rules, the signatures for threats
• Output module
  • Handles the task of writing and displaying events
[Diagram: network -> DAQ libraries -> Packet decoder -> Preprocessors -> Detection engine -> Output module -> Alert and log files]
Advanced Inspection Engines
Packet sniffer (DAQ)
• Snort uses a Data Acquisition Module (DAQ) to collect packets
• There is no native Snort packet capture library
• Different capture libraries may be used without the need to recompile Snort
• DAQ mode – inline, passive or read from file
• DAQ type
  • PCAP
  • AFPacket
  • IPQ
  • NFQ
  • IPFW
Advanced Inspection Engines
Packet decoder
[Architecture diagram with the Packet decoder stage highlighted]

For Your
Reference

Advanced Inspection Engines
Packet decoder
[Architecture diagram with the Packet decoder stage highlighted]
Advanced Inspection Engines
Packet decoder
• Decodes Layer 2 and Layer 3 protocols
• Focused on the TCP/IP protocol suite
• Stores decoded packet information in data structures held in memory
• Those data structures are used by the detection engine
• Configured at Snort start time (using CLI options or the configuration file)
  • Specify DAQ mode
  • Specify DAQ type
Advanced Inspection Engines
Preprocessors
• Preprocessors play a vital function in network traffic inspection
• Present packets to the detection engine in a contextually relevant way
• Normalize traffic
• Alert if they detect anomalous conditions as defined by their settings
• Major preprocessors include the following
  • frag3 – reassembles IP fragments prior to inspection
  • stream5 – reconstructs TCP data streams so that inspection can be done in the context of a TCP conversation
  • Protocol decoders – normalize application protocols carried over TCP, including telnet, ftp, smtp and rpc
  • http_inspect – normalizes HTTP traffic
  • sfPortscan – detects port scans
Advanced Inspection Engines
Detection engine
• Consists of two components to perform inspection
  • Rules builder
  • Inspection component
• Rules builder
  • On Snort startup, assembles rules into rule chains
  • Optimizes rule matching by the inspection component
  • Redundant source/destination addresses and ports shared by several rules are collapsed into one chain node
  • Implements rule chains as linked lists
• Inspection component
  • Matches traffic to a rule chain
  • Further inspects traffic against the options in the matching rule chain
Advanced Inspection Engines
Output module
• Handles the task of writing and displaying events
• Supports several output formats
  • Can send output to files or syslog
  • Can send logs and alerts in plain ASCII
  • Can send packets in PCAP format
  • Can use the Unified2 format (the replacement for the Unified format)
    • Fast and lightweight binary format
    • Can be converted to other formats by utilities such as Barnyard2
• The output module receives input from several sources
  • The packet decoder sends data that can be used to produce PCAP output
  • Preprocessors send alerts on detection of anomalous conditions
  • The detection engine sends log and alert data when rules are matched
Snort Language (For Your Reference)
Overview
• A simple, lightweight language for identifying
  • Security policy violations
  • Known network attacks and IDS/IPS evasion techniques
• The Snort language supports event filters
  • Limit – alert on the first N events during a specified time interval, then ignore further events for the rest of that interval
  • Threshold – only alert once the event has been seen N times within a specified time interval
• The basic unit of the Snort language is the Snort rule
• Communication between rules is accomplished using flowbits
Snort Language (For Your Reference)
Rule structure
• Rule header
  • Used to match traffic and perform an action (pass, drop, sdrop, alert, log)
  • Protocol, source, destination: the 5-tuple
• Rule body
  • Contains the message used for alerts
  • Contains flow attributes
  • Contains the signature ID and revision number
  • Can specify content or regular expressions, in combinations and at locations in the packet
  • Can read packet contents to calculate offsets
  • Can set and read flowbits to link to other rules
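The rule header, the option body and the flowbits hand-off between rules described on the preceding slides, as an added example (this is not Snort code and not part of the deck): a minimal parser for Snort 2 rule syntax plus a matcher that evaluates content/nocase, pcre and flowbits against constructed packets. The two rules and the three packets are constructed for the example; the first rule only records an FTP login on the flow (flowbits:noalert), the second fires on CWD to root only once that flowbit is set.

```python
"""Minimal Snort 2 rule parser and matcher (added example, not Snort's own code).
Handles the header 5-tuple, content/nocase, pcre and flowbits, with per-flow
flowbits so one rule can hand state to another."""
import ipaddress
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|sdrop|reject)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # (keyword, value) in rule order

    def opt(self, keyword, default=None):
        return next((v for k, v in self.options if k == keyword), default)


def _split_body(body):
    """Split the option list on ';' characters that are not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ';' and not quoted:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return parts + ([tail] if tail else [])


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule: %r' % text)
    options = []
    for item in _split_body(m.group('body')):
        keyword, _, value = item.partition(':')   # modifiers such as 'nocase' carry no value
        options.append((keyword.strip(), value.strip().strip('"')))
    return Rule(m.group('action'), m.group('proto'), m.group('src'),
                m.group('sport'), m.group('dst'), m.group('dport'), options)


def _addr_match(spec, ip):
    if spec == 'any':
        return True
    negated = spec.startswith('!')
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip('!'), strict=False)) != negated


def _port_match(spec, port):
    if spec == 'any':
        return True
    lo, sep, hi = spec.partition(':')           # '21', '20:21', '1024:' and ':1023' forms
    low = int(lo) if lo else 0
    high = int(hi) if hi else (low if not sep else 65535)
    return low <= port <= high


def _pcre_match(value, payload):
    """Snort writes pcre as "/pattern/flags"; only the i and s flags are mapped here."""
    pattern, flags = value.rsplit('/', 1)
    re_flags = (re.IGNORECASE if 'i' in flags else 0) | (re.DOTALL if 's' in flags else 0)
    return re.search(pattern[1:].encode(), payload, re_flags) is not None


def evaluate(rule, pkt, flowbits):
    """Return the rule's msg if pkt matches, else None. flowbits is the set shared by
    all rules on this flow; flowbits options apply in rule order, which is why rule
    writers put set after the content checks."""
    if rule.proto not in ('any', pkt['proto']):
        return None
    if not (_addr_match(rule.src, pkt['src']) and _port_match(rule.sport, pkt['sport'])
            and _addr_match(rule.dst, pkt['dst']) and _port_match(rule.dport, pkt['dport'])):
        return None
    payload, alert = pkt['payload'], True
    for i, (keyword, value) in enumerate(rule.options):
        if keyword == 'content':
            nocase = i + 1 < len(rule.options) and rule.options[i + 1][0] == 'nocase'
            hay, needle = (payload.lower(), value.lower().encode()) if nocase else (payload, value.encode())
            if needle not in hay:
                return None
        elif keyword == 'pcre':
            if not _pcre_match(value, payload):
                return None
        elif keyword == 'flowbits':
            op, _, name = value.partition(',')
            if (op == 'isset' and name not in flowbits) or (op == 'isnotset' and name in flowbits):
                return None
            if op == 'set':
                flowbits.add(name)
            elif op == 'unset':
                flowbits.discard(name)
            elif op == 'noalert':
                alert = False                   # rule only maintains state, never fires
    return rule.opt('msg') if alert else None


def run(rules, packets):
    """Feed packets through every rule; returns [(sid, msg)] for the rules that fired."""
    compiled = [parse_rule(r) for r in rules]
    state, alerts = {}, []
    for pkt in packets:
        bits = state.setdefault(pkt['flow'], set())
        for rule in compiled:
            msg = evaluate(rule, pkt, bits)
            if msg:
                alerts.append((rule.opt('sid'), msg))
    return alerts


# Constructed rules and packets (not from any real rule set or capture).
RULES = [
    'alert tcp any any -> any 21 (msg:"FTP login seen"; content:"USER "; nocase; '
    'flowbits:set,ftp.login; flowbits:noalert; sid:1000001; rev:1;)',
    'alert tcp any any -> any 21 (msg:"FTP CWD to root"; flowbits:isset,ftp.login; '
    'pcre:"/cwd.*root/i"; sid:1018758; rev:4;)',
]
PACKETS = [  # flow 1 logs in and then changes to /root; flow 2 sends CWD without any login
    dict(flow=1, proto='tcp', src='10.0.0.5', sport=40001, dst='192.0.2.10', dport=21, payload=b'USER anonymous\r\n'),
    dict(flow=1, proto='tcp', src='10.0.0.5', sport=40001, dst='192.0.2.10', dport=21, payload=b'CWD /root\r\n'),
    dict(flow=2, proto='tcp', src='10.0.0.6', sport=40002, dst='192.0.2.10', dport=21, payload=b'CWD /root\r\n'),
]

if __name__ == '__main__':
    print(run(RULES, PACKETS))
```

Only flow 1 produces an alert: flow 2 carries the same CWD payload but its flowbit was never set, which is the point of chaining rules through flowbits rather than alerting on every CWD.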
AVC – Application Visibility and
Control
Network Discovery
Overview
• Host discovery
• Application identification
• User discovery
• Control access for applications, users and devices

Network Discovery
Application identification
• Firepower can identify over 3000 unique applications
• Applications can be used as criteria for access control
• Application awareness is crucial for app-based access control
• Three types of applications that the system detects
  • Application protocols (communications between hosts)
  • Client applications (software running on a host)
  • Web applications (HTTP content)
Application Detection
Overview
• Two sources of application detectors
• System-provided detectors
• Custom application protocol detectors

System-provided detectors
• Internal detectors
• Client detectors
• Web app detectors
• Port detectors
• Firepower detectors
Custom Application Detectors

OpenAppID
OpenAppID Overview
• What is OpenAppID?
  • Application Visibility and Control (AVC) done the right way
  • An open source, application-focused detection language
  • Enables users to create, share and implement custom application detection
  • Available for download as an extension of Snort 2.9.7 from http://www.snort.org
• Key advantages
  • New, simple Lua scripting language to detect apps
  • Reduces dependency on vendor release cycles
  • Build custom detections for new or specific (e.g. geo-based) app-based threats
  • Easily engage and strengthen detector solutions
  • Application-specific detail with security events
The AppID Preprocessor (For Your Reference)
• Identifies the application
• Generates appid attributes (payload, misc, client, service) that can be used in Snort rules:
  alert tcp any any -> any any (msg:"FTP CWD to root"; appid:ftp; pcre:"/cwd.*root/i"; gid:1000001; sid:1018758; rev:4;)
• Leverages the Snort HTTP preprocessor for header extraction
• Generates application statistics
  • Statistics are stored in Unified2 format
  • The statistics file can be read with the u2openappid or u2spewfoo commands
  • Statistics can be forwarded to syslog by using the u2streamer command
Custom Application Demo
Application Visibility
Application Control
Access Control
Access control policy Demo
Intrusion Prevention System
Policy Definition

What are the different Base IPS Policies?
• Connectivity over Security: ~500 rules
  • CVSS score of 10
  • Age of vulnerability: the year before last and newer
• Balanced Security and Connectivity: ~8770 rules
  • CVSS score of 9 or greater
  • Age of vulnerability: the year before last and newer
  • Or rule category is Malware-CnC, Blacklist, SQL Injection or Exploit-kit
• Security over Connectivity: ~12350 rules
  • CVSS score of 8 or greater
  • Age of vulnerability: two years before last and newer
  • Or rule category is Malware-CnC, Blacklist, SQL Injection, Exploit-kit or App-detect
Implementation – Audit mode
• Inline deployment without actually affecting traffic
• Disable "Drop when inline" when creating the IPS policy
• In passive deployments, the system cannot affect traffic regardless of the drop behavior
• Events will show "Would have dropped" when the sensor is deployed passively or when "Drop when inline" is disabled
Policy Architecture

IPS Policy Layering
• Allows users to create policy components (layers) that can be added to individual inspection policies
Rule Details (For Your Reference)
Own Rules (For Your Reference)
Policy Definition
Access Control – IPS inspection
Network Discovery
How is the information used?
• Firepower Recommendations
  • Uses the information we learned about each host
  • Automatically selects the rules that apply to your environment
• Impact Assessment
  • Correlation of IPS events with their impact on the target host
• Indications of Compromise
  • Tags that indicate a likely host infection has occurred
  • FMC tracks and correlates IOCs across all sensors, together with Security Intelligence and malware events
Network Discovery
Host Discovery
• Identifies the OS, protocols and services running on each host
• Reports on potential vulnerabilities present on each host based on the information it has gathered
Firepower Recommendations
Why recommended rules are important
• Context enables only the detections that are relevant to your specific network
• Firepower Recommendations makes sure your system has the right detections enabled
Impact Assessment
How Relevant is the Attack?
• Prevents information overload

Impact flag | Administrator action                   | Why
1           | Act immediately, vulnerable            | Event corresponds to a vulnerability mapped to the host, or the host is compromised
2           | Investigate, potentially vulnerable    | Relevant port open or protocol in use, but no vulnerability mapped
3           | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4           | Good to know, unknown target           | Monitored network, but unknown host
0           | Good to know, unknown network          | Event outside the profiled networks

Note: if you have a fully profiled network, an event against an unknown target or network may be a critical event!
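The impact flag logic of the table above, as an added example (not FMC code): the network map is modelled as a host table with open ports, protocols in use and mapped vulnerability ids, and each intrusion event is classified into flag 1 to 4 or 0 exactly as the table describes. The Host and IntrusionEvent classes, the monitored range and the "vuln-*" identifiers are constructed placeholders, not real CVEs or the FMC data model.

```python
"""Impact flag computation from the network map (added example; the Host and
IntrusionEvent model is an assumption, not the FMC data model)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IMPACT = {1: ('Act Immediately', 'Vulnerable'),
          2: ('Investigate', 'Potentially Vulnerable'),
          3: ('Good to Know', 'Currently Not Vulnerable'),
          4: ('Good to Know', 'Unknown Target'),
          0: ('Good to Know', 'Unknown Network')}


@dataclass
class Host:                      # one entry of the host table built by network discovery
    ip: str
    open_ports: set = field(default_factory=set)   # {(proto, port)} seen in use on the host
    protocols: set = field(default_factory=set)    # non-TCP/UDP protocols seen, e.g. 'icmp'
    vulns: set = field(default_factory=set)        # vulnerability ids mapped to the host
    compromised: bool = False                      # host already carries an IOC


@dataclass
class IntrusionEvent:
    sid: int
    dst_ip: str
    proto: str
    dst_port: Optional[int]
    vulns: set                                     # vulnerability ids the rule references


def impact_flag(ev, hosts, monitored):
    if not any(ipaddress.ip_address(ev.dst_ip) in ipaddress.ip_network(n) for n in monitored):
        return 0                                    # outside the profiled networks
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4                                    # monitored network, host never discovered
    if host.compromised or (ev.vulns & host.vulns):
        return 1                                    # rule maps to a vulnerability on this host
    if ev.proto in ('tcp', 'udp'):
        in_use = (ev.proto, ev.dst_port) in host.open_ports
    else:
        in_use = ev.proto in host.protocols
    return 2 if in_use else 3


def triage(events, hosts, monitored):
    """Returns [(sid, flag, administrator action)] sorted most urgent first."""
    rows = [(ev.sid, impact_flag(ev, hosts, monitored)) for ev in events]
    order = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}
    return [(sid, flag, IMPACT[flag][0]) for sid, flag in sorted(rows, key=lambda r: order[r[1]])]


# Constructed host table and events; 'vuln-*' ids are placeholders, not real CVEs.
MONITORED = ['10.1.0.0/16']
HOSTS = {
    '10.1.1.10': Host('10.1.1.10', open_ports={('tcp', 445)}, vulns={'vuln-smb-1'}),
    '10.1.1.20': Host('10.1.1.20', open_ports={('tcp', 80)}),
}
EVENTS = [
    IntrusionEvent(101, '10.1.1.10', 'tcp', 445, {'vuln-smb-1'}),    # mapped vulnerability -> 1
    IntrusionEvent(102, '10.1.1.20', 'tcp', 80, {'vuln-web-2'}),     # port open, no vuln -> 2
    IntrusionEvent(103, '10.1.1.20', 'tcp', 23, {'vuln-telnet-3'}),  # port not open -> 3
    IntrusionEvent(104, '10.1.1.99', 'tcp', 22, set()),              # unknown host -> 4
    IntrusionEvent(105, '203.0.113.5', 'tcp', 22, set()),            # unknown network -> 0
]

if __name__ == '__main__':
    for row in triage(EVENTS, HOSTS, MONITORED):
        print(row)
```

The ordering in triage is what the "prevents information overload" bullet means in practice: the same five events come back with the mapped-vulnerability hit first and the off-network event last.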
IPS policy Demo
Operational Insights
Correlation Rules / Correlation Policy
• Respond in real time to threats and to network traffic that deviates from its normal profile
[Figure: a Correlation Policy contains Correlation Rules; a rule that fires produces a Correlation Event, which triggers an Action: Email, Syslog, SNMP or a Remediation Module]
Correlating Event Data
Conditions that can be added to a correlation rule, per triggering event type:

When a ...               | Flow and connection conditions over time or volume | Data from host profiles | Data from user table (name, group info, etc.)
Intrusion event occurs   | ✔ | ✔ | ✔
Discovery event occurs   | ✔ | ✔ | ✔
Connection event occurs  | ✔ | ✔ | ✔
Host input event occurs  | ✔ | ✔ | ✔
User activity occurs     | ✔ ✔ (two of the three columns; assignment not recoverable from the slide)
Traffic profile changes  | (not marked on the slide)
Malware event occurs     | (not marked on the slide)
Network traffic deviates from its normal profile (For Your Reference)
Correlation rule to:
• Ensure only HTTPS traffic is used on port 443
• Ensure traffic is initiated by a host whose Location (host attribute) is POS
• Ensure the HTTPS traffic from the POS host is received on hosts in the PCI network
• Any traffic outside this profile will generate an event
Production Network Change (For Your Reference)
• As new IP addresses appear on the network, Firepower correlation policies can trigger Nmap to perform an active scan of the new hosts
Correlation Rule example
Action example: Nmap scan (For Your Reference)
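The two correlation rules from the preceding slides (the POS-to-PCI profile and the new-host-triggers-Nmap change rule) as an added example in Python, not FMC code: each rule is a function over an event record and the host attributes, and a small policy binds the rules to the responses a correlation policy would attach (email, syslog, a remediation module). The connection records, the Location attributes, the PCI range and the known-host set are constructed; the "remediation:..." strings only name which module would be called.

```python
"""Two correlation rules and the policy that binds them to responses (added
example; events, host attributes and network ranges are constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int
    app: str                        # application as identified by AppID, e.g. 'HTTPS'


def pos_to_pci_rule(conn, host_attrs, pci_net):
    """A host whose Location attribute is POS may only talk HTTPS on 443 to hosts
    in the PCI network. Returns a reason when the connection leaves that profile."""
    if host_attrs.get(conn.src, {}).get('Location') != 'POS':
        return None                 # rule is scoped to POS-initiated traffic
    reasons = []
    if conn.dport != 443:
        reasons.append('port %d is not 443' % conn.dport)
    elif conn.app != 'HTTPS':
        reasons.append('non-HTTPS application %s on 443' % conn.app)
    if ipaddress.ip_address(conn.dst) not in pci_net:
        reasons.append('destination %s outside PCI network' % conn.dst)
    return '; '.join(reasons) or None


def new_host_rule(discovered_ip, known_hosts):
    """Production network change: a discovery event for an IP that is not in the
    host table should trigger an active Nmap scan of that host."""
    return None if discovered_ip in known_hosts else 'new host %s appeared' % discovered_ip


POLICY = [   # (rule name, responses) as a correlation policy would bind them
    ('POS to PCI profile', ['email', 'syslog', 'remediation:set-host-attribute']),
    ('New host on network', ['remediation:nmap-scan']),
]


def run_policy(connections, discoveries, host_attrs, pci_net, known_hosts):
    """Returns correlation events as (rule name, subject, reason, responses)."""
    events = []
    for c in connections:
        reason = pos_to_pci_rule(c, host_attrs, pci_net)
        if reason:
            events.append((POLICY[0][0], c.src, reason, POLICY[0][1]))
    for ip in discoveries:
        reason = new_host_rule(ip, known_hosts)
        if reason:
            events.append((POLICY[1][0], ip, reason, POLICY[1][1]))
    return events


# Constructed inputs
HOST_ATTRS = {'10.20.0.5': {'Location': 'POS'}, '10.40.0.9': {'Location': 'Office'}}
PCI_NET = ipaddress.ip_network('10.30.0.0/24')
KNOWN_HOSTS = {'10.20.0.5', '10.30.0.10', '10.40.0.9'}
CONNECTIONS = [
    Connection('10.20.0.5', '10.30.0.10', 443, 'HTTPS'),    # fits the profile
    Connection('10.20.0.5', '10.30.0.10', 443, 'SSH'),      # wrong application on 443
    Connection('10.20.0.5', '198.51.100.7', 443, 'HTTPS'),  # leaves the PCI network
    Connection('10.40.0.9', '198.51.100.7', 80, 'HTTP'),    # not a POS host: out of scope
]
DISCOVERIES = ['10.30.0.10', '10.30.0.77']

if __name__ == '__main__':
    for ev in run_policy(CONNECTIONS, DISCOVERIES, HOST_ATTRS, PCI_NET, KNOWN_HOSTS):
        print(ev)
```

Note that the profile rule is scoped by the host attribute first: an office host going to the internet on port 80 is not a violation of this rule, it simply is not in scope, which keeps the correlation events tied to the POS population the rule was written for.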
Correlation policy Demo
Rapid Threat Containment
Rapid Threat Containment with Firepower Management Center and ISE
[Figure: FMC and ISE (pxGrid controller, MnT node), with the endpoint on the internal network (i-Net)]
1. Security events / IOCs reported to FMC
2. Correlation rules trigger the remediation action
3. FMC sends the pxGrid EPS action to ISE: Quarantine + Re-Auth
4. Endpoint assigned to quarantine, CoA-Reauth sent
Rapid Threat Containment
• From FMC 6.1, pxGrid integration between Firepower and ISE is supported as an integrated solution
  • No pxGrid connection agent or external remediation module is needed any more
• Session information is obtained from ISE via pxGrid
  • SGTs can be used in FMC 6.1 access control policies
• ISE remediation capabilities:
  • Quarantine, un-quarantine (VLAN, dACL, SGT), port shutdown
  • Quarantine actions triggered per policy with FMC and ISE
  • Infected users can be notified and redirected to a portal for remediation
Correlation and Remediation
Automating Response – FMC Remediation API
[Figure: events (Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events) → Boolean conditions → Correlation Rules → Correlation Policies → Correlation Events → Actions (API, Email, SNMP)]
Remediation modules:
• Cisco RTC
• Guidance EnCase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford
ISE Remediation in 6.1 Using pxGrid
• Configure the remediation action
RTC Demo
Configuration Guide
• https://communities.cisco.com/docs/DOC-68292
Break
Security Intelligence
Security Intelligence
• Talos dynamic feed, 3rd-party feeds and lists
  • Network_Intelligence-<category>
  • URL_Intelligence-<category>
  • DNS_Intelligence-<category>
• Multiple categories: Attacker, Bogon, Bots, CnC, DGA, Exploitkit, Malware, OpenProxy, OpenRelay, Phishing, Response, Spam, Suspicious, TorExitNode
• Multiple actions: Allow, Monitor, Block, Interactive Block, ...
Security Intelligence Policy Configuration
• IPs
• URLs
Security Intelligence Dashboard
• Network_Intelligence-<category>, URL_Intelligence-<category>, DNS_Intelligence-<category>
DNS
DNS Protection
• Attackers are leveraging DNS!
• Blacklist domains associated with bots, CnC and malware delivery
• Fast-flux: high-frequency DNS record changes
• Control C&C traffic and botnets
• Restrict access to domains violating corporate policy
DNS Inspection
• Security Intelligence extended to inspect DNS lookups
• Drop or monitor DNS connections to malicious sites
• Supports all of the functionality of IP/URL based SI (i.e. custom lists/feeds, global blacklists/whitelists)
• Blocking DNS connections supports the following additional actions
  • Sinkhole
  • NXDOMAIN (Domain Not Found)
Configuring a DNS Policy
• Create new DNS policies (the DNS policy is a new policy type)
• DNS rule configuration: actions
• Associate the DNS policy with an Access Control Policy
Action: DNS Sinkhole
• NGFW policy
  • DNS SI list: C&C servers
  • Action: DNS Sinkhole
[Figure: the infected client asks the local DNS server for the C&C domain; the NGFW answers the lookup with the sinkhole IP instead of the real C&C address; the client then connects to the sinkhole IP]
• The connection to the sinkhole IP generates an SI event and an IOC for the client host
Security Intelligence Events (For Your Reference)
• The event shows the Security Intelligence category and the action (Sinkhole)
Identifying an Infected Endpoint via DNS Sinkholing
• The SI event and IOC identify the endpoint that tried to reach the sinkholed domain
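The DNS Security Intelligence actions (Sinkhole, NXDOMAIN, Monitor) and the infected-endpoint identification from the sinkhole slides, as an added example in Python rather than the product's own logic: queries are matched top-down against category lists, the answer is rewritten or suppressed according to the action, and a later pass over connection logs tags every host that actually connected to the sinkhole address. The category lists, the sinkhole IP and the query/connection records are constructed for the example, not Talos feed content.

```python
"""DNS Security Intelligence policy plus sinkhole-based infection detection
(added example; category lists, sinkhole address and log records are constructed)."""
from collections import Counter

SINKHOLE_IP = '10.99.99.99'     # assumption: an internal host that logs every connection it receives

DNS_LISTS = {                   # DNS_Intelligence-<category> -> domains (constructed, not a Talos feed)
    'DNS_Intelligence-CnC': {'cnc.example.net'},
    'DNS_Intelligence-Malware': {'dl.malware.example.org'},
    'DNS_Intelligence-Suspicious': {'odd.example.com'},
}
DNS_RULES = [                   # evaluated top-down, first match wins
    ('DNS_Intelligence-CnC', 'sinkhole'),        # answer with the sinkhole IP
    ('DNS_Intelligence-Malware', 'nxdomain'),    # "Domain Not Found"
    ('DNS_Intelligence-Suspicious', 'monitor'),  # resolve normally, but log an SI event
]


def _listed(qname, domains):
    """A list entry covers the name itself and every subdomain of it."""
    labels = qname.lower().rstrip('.').split('.')
    return any('.'.join(labels[i:]) in domains for i in range(len(labels)))


def dns_policy(client_ip, qname):
    """Returns (action, answer, security_intelligence_event_or_None)."""
    for category, action in DNS_RULES:
        if _listed(qname, DNS_LISTS[category]):
            event = {'client': client_ip, 'qname': qname, 'category': category, 'action': action}
            answer = {'sinkhole': SINKHOLE_IP, 'nxdomain': 'NXDOMAIN'}.get(action, 'forward')
            return action, answer, event
    return 'allow', 'forward', None


def apply_policy(queries):
    """queries: [(client_ip, qname)] -> ([(qname, action, answer)], [SI events])."""
    answers, events = [], []
    for client_ip, qname in queries:
        action, answer, event = dns_policy(client_ip, qname)
        answers.append((qname, action, answer))
        if event:
            events.append(event)
    return answers, events


def infected_hosts(connections):
    """Whatever later connects to the sinkhole IP acted on the poisoned answer:
    those sources get the IOC. Returns [(src_ip, connection attempts)]."""
    hits = Counter(src for src, dst, _port in connections if dst == SINKHOLE_IP)
    return sorted(hits.items())


# Constructed DNS queries and the connections seen afterwards
QUERIES = [
    ('10.1.1.5', 'cnc.example.net'),
    ('10.1.1.6', 'www.dl.malware.example.org'),
    ('10.1.1.7', 'odd.example.com'),
    ('10.1.1.8', 'www.example.com'),
]
CONNECTIONS = [
    ('10.1.1.5', SINKHOLE_IP, 443),
    ('10.1.1.5', SINKHOLE_IP, 8443),
    ('10.1.1.8', '198.51.100.20', 443),
]

if __name__ == '__main__':
    print(apply_policy(QUERIES))
    print(infected_hosts(CONNECTIONS))
```

The sinkhole action is what turns a DNS block into host identification: with NXDOMAIN you only learn that some resolver asked, with the sinkhole you see which endpoint followed the answer and how persistently.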
SSL Decryption
The Importance of SSL
• Google, Facebook, Twitter encrypting all traffic
• Google ranking influenced by using HTTPS
• Browser vendors aggressively pushing HTTPS
• Problems with older TLS versions leading to upgrade of servers to newer protocols and ciphers
  • POODLE, FREAK, BEAST, ...
SSL/TLS Decryption Hardware and Service
• Dedicated SSL appliances (1500, 2000, 8200) are a different solution; the topic here is the integrated SSL/TLS decryption service
• Firepower 7000 and 8000 series appliances, from Firepower 5.4
• ASA with Firepower Services (5506/08/16-X, 5512-X to 5555-X, 5585-X), from Firepower Services 6.0
• Firepower Threat Defense, FTD (ASA, Firepower 4100/9300, virtual: FTDv only, not the virtual NGIPS)
• Transparent, routed, inline set
• Passive and inline TAP can only decrypt using "known key" mode (no Decrypt-Resign, and no decryption of Ephemeral Diffie-Hellman (DHE) or ECDHE cipher suites). These modes do NOT modify traffic.
[Figure: inspection stack, bottom to top: Data acquisition → Decrypt if SSL → Packet, TCP stream processing → App ID detection → NGFW rules → IPS rules]
SSL/TLS Decryption
• It works on any port, not just 443 and HTTPS:
  • SMTPS, IMAPS, POP3S, FTPS, ...
• SSL 3.0, TLS 1.0, 1.1, 1.2 (SSLv2: depends on the configuration)
• Certificate Revocation List (CRL)
• No SSH, SPDY, QUIC
• No additional SSL license is needed
Use Cases
• Inspect incoming SSL traffic from the internet to an internal server (with known server keys)
  • Passive (with known keys) or inline (with or without known keys)
• Inspect outgoing SSL traffic to the internet (inline, without known keys)
• Control SSL flows based on SSL characteristics
  • SSL version, cipher suite, subject common name, etc.
• Control SSL flows based on their decrypted content
SSL Session: Without SSL Decryption
Client → Server: Client Hello
  "I can speak TLS 1.2 or less", cipher list, extensions. The Server Name Indication (SNI) extension is where the client indicates which hostname it is attempting to connect to.
Server → Client: Server Hello / Certificate and key exchange / Server Hello Done
  "I choose to speak TLS 1.2 with AES256, and this is my cert." The Subject and Subject Alternative Name fields in the certificate identify the server hostname (FQDNs).
Client → Server: Client Key Exchange / Change Cipher Spec / Finished
Server → Client: Change Cipher Spec / Finished
Client ↔ Server: Application data (encrypted), for example an HTTP request [raw data]
  The firewall cannot filter on the HTTP request and content, since it is encrypted.
Configuration
Access Control Policy – Revisited (For Your Reference)
The glue that ties everything together
[Figure: the Access Control Policy references a Prefilter Policy, an SSL Policy, an Identity Policy and a DNS Policy; each Access Control Rule has criteria (to match), an action and inspection options: an Intrusion Policy and a Malware & File Policy]
SSL Policy Overview (For Your Reference)
• Controls how and what encrypted traffic is inspected and decrypted
• A simple example policy blocks all encrypted traffic that uses a self-signed certificate
• Actions are:
  • Decrypt - Resign – used for SSL decryption of public services (Google, Facebook, etc.)
  • Decrypt - Known Key – used when you have the server certificate's private key
  • Do not decrypt
  • Block
  • Block with reset
  • Monitor
• Many actions can be taken on encrypted traffic without decryption, by inspecting the certificate, distinguished name (DN), certificate status, cipher suite and version (all supported by FTD)
SSL/TLS Decryption Configuration (For Your Reference)
• You can configure one or more SSL policies
• Controls which SSL traffic to decrypt and how to decrypt it
• Attach it to an Access Control policy in order to apply it to a device
SSL Policy Rule Actions
• Each rule specifies how to process the matching SSL traffic
• The system matches traffic to rules in top-down order
• It does not continue to evaluate after traffic matches a rule (except in the case of Monitor rules)
• Decrypt using a known certificate and key (for traffic destined to an internal server)
• Decrypt using certificate re-sign (for outgoing traffic)
• Do-not-decrypt and Block / Block with Reset
• Monitor rules track and log encrypted traffic but do not affect the traffic flow; traffic matching a Monitor rule continues to be evaluated against the rules below it
SSL Inspection on Passive Interface
[Figure: Client – TAP – Server; the NGFW hangs off the TAP with a copy of the server key and cert, sees the encrypted traffic ("#$*") and recovers the cleartext ("ABC")]
• DHE and ECDHE cannot be supported in passive mode, since the traffic would have to be modified
Configuration (For Your Reference)
• Action: decrypt with known key; select one of the known keys
SSL Inspection on Inline Interface for Outgoing Traffic
[Figure: Client – NGFW – Server; the NGFW holds a CA-generated key/cert used to re-sign the modified server cert. Client side: modified server cert, cleartext "ABC" encrypted as "#$*"; server side: original server cert, the same cleartext encrypted as ">!?"]
• It cannot inspect outgoing traffic in passive mode, since that requires modifying (re-signing) the server cert
Certificate Installation and Usage
• The NGFW needs a CA certificate to be installed for TLS decryption
  • Not a WEB SERVER CERTIFICATE!!! TAC will say thank you for this
  • Key Usage = Certificate Signing, with the Basic Constraints extension (CA)
• After receiving the HTTPS request, the NGFW fetches the server certificate from the destination
  • It creates a new certificate with (nearly) all the fields copied and signs it with its own CA certificate
  • The CRL information is not replicated, because it would not match the "new" certificate
• The client needs to trust the certificate from the NGFW
  • Use a trusted enterprise subordinate CA certificate, or roll out your self-signed CA certificate to the clients via GPO
Intermediate CA Certificate (For Your Reference)
• A CA certificate that is issued by another CA
• It is signed by either another intermediate CA or by a root CA
• Intermediate CAs can sign server certificates in exactly the same way a root CA can
  • Subject Type = CA
  • Key Usage = Certificate Signing
  • Issuer = the signing CA's CN
Inline SSL Decryption: Man in the Middle (MitM)
Client → Proxy: Client Hello
Proxy → Server: Proxied Client Hello
Server → Proxy: Server Hello / Certificate and key exchange / Server Hello Done
Proxy → Client: Server (proxy) Hello / Proxy Certificate and key exchange / Server (proxy) Hello Done
Client → Proxy: Client Key Exchange / Change Cipher Spec / Finished
Proxy → Server: Client Key Exchange / Change Cipher Spec / Finished
Server → Proxy: Change Cipher Spec / Finished
Proxy → Client: Change Cipher Spec / Finished
Client → Proxy: HTTP request (encrypted with the client-proxy session key)
Proxy → Server: HTTP request (encrypted with the proxy-server session key)
Inspect Outgoing Traffic (For Your Reference)
• Action: Decrypt and resign
• For a self-signed server certificate, the system replaces ONLY the key in the self-signed certificate, instead of re-signing the whole certificate, so the client browser still warns that the certificate is self-signed
Rule: Resign Explained
[Figure: the original server certificate, the internal CA, and the certificate generated by the NGFW that copies the original's fields and is signed by the internal CA]
SSL Policy Rules (For Your Reference)
• Network parameters, similar to access control rules
  • Source and destination zones
  • Source and destination endpoints/networks
  • Source and destination ports
  • VLAN tags
  • Geolocation
  • URL category
  • User (IP based)
• Application
  • SSL, HTTPS
  • STARTTLS-based apps such as SMTPS, POP3S, etc.
  • Applications tunneled within SSL that can be identified by AppID using their server certificate
• Server certificate parameters
  • Subject Distinguished Name
  • Issuer Distinguished Name
• The ServerHello contains: cipher suites, versions
• The ClientHello contains several other pieces of information: the Server Name Indication extension (application, categories) and the attributes matched like zones, networks, users, ...
SSL Policy Rules (continued)
• Certificate status:
  • Revoked, self-signed, not yet valid, expired, invalid issuer, invalid signature, valid
  • If the certificate matches any of the selected statuses, the rule matches the traffic
• Cipher suite
• SSL version
Block Page: End User Notification (EUN)
• From 6.1: the system displays an HTTP response page for connections decrypted by the SSL policy and then blocked by access control rules
• However, the system does not display a response page for encrypted connections blocked by access control rules (or any other configuration)
• The NGFW cannot show an EUN page for bad certificates at the moment (6.2)
Global SSL Rule Settings
• Default action (Block, Block with reset, Do not decrypt)
• Undecryptable traffic handling:
  • Uncached session ID/ticket
  • SSL compression
  • SSLv2
  • Unsupported cipher suite
  • Handshake or decryption error
• External CA list – used to validate server certs
Trusted CA's CRL
• You can upload CRLs to a trusted CA object. Supported formats: DER, PEM
• If you reference that trusted CA object in an SSL policy, you can control encrypted traffic based on whether the CA that issued the session encryption certificate subsequently revoked the certificate
• There is no limit to the number of CRLs you can add to a trusted CA object. You must save the object each time you upload a CRL, before adding another CRL
• Add the CA that signed the CRL as a trusted CA
Bad Certificate Handling – The Risk
[Figure: Client – NGFW – Server; the server presents an expired or revoked server cert, the NGFW re-signs it with its CA-generated key/cert, and the client receives a modified server cert that now validates, so the client never sees the original certificate problem unless the SSL policy blocks on certificate status]
Bad Certificate Handling
Block Certificate Issue
• Test with a non-trusted cert
• Log
PKI Objects: Independent of SSL design
• Internal CA – used to re-sign certificates
• External CA list – used to validate server certificates
• Known certificates and keys – used to decrypt traffic going to internal servers
• Trusted external certificates – used to whitelist trusted sites for which CA validation is not available (self-signed certs)
SSL Decryption Use Case: Block Connections That Use a Self-Signed Certificate (For Your Reference)
• One rule for public servers (you don't control)
• One rule for servers you control
• Cert Status tab: select "self-signed"; none of these conditions require decryption of the traffic
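The SSL policy semantics spread over the preceding slides (top-down rule order with non-terminating Monitor rules, the "any of the selected statuses" match on the Cert Status tab, CRL-based revocation, the bad-certificate risk, and the passive/known-key limitation without DHE/ECDHE) as one added example in Python. This is not the FMC object model: Cert, Session and SslRule are assumed simplifications, the policy, trusted CA name, CRL entry and sessions are constructed, and "not-decryptable-in-passive" is a label invented here for the deployment check. The constructed policy puts the certificate-status block rule before the Decrypt-Resign rule, which is the ordering that closes the risk described under "Bad Certificate Handling".

```python
"""SSL policy evaluation (added example; Cert/Session/SslRule are assumptions,
not the FMC object model)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    signature_ok: bool = True


@dataclass
class Session:
    sni: str          # from the ClientHello SNI extension
    version: str      # from the ServerHello
    cipher: str       # from the ServerHello, e.g. 'ECDHE-RSA-AES128-GCM-SHA256'
    cert: Cert        # the server certificate


def cert_statuses(cert, trusted_cas, crls, now):
    """Statuses as on the rule's Cert Status tab; 'valid' only when nothing is wrong."""
    s = set()
    if cert.subject == cert.issuer:
        s.add('self-signed')
    elif cert.issuer not in trusted_cas:
        s.add('invalid-issuer')
    if now < cert.not_before:
        s.add('not-yet-valid')
    if now > cert.not_after:
        s.add('expired')
    if not cert.signature_ok:
        s.add('invalid-signature')
    if cert.serial in crls.get(cert.issuer, set()):    # CRL uploaded to the trusted CA object
        s.add('revoked')
    return s or {'valid'}


@dataclass
class SslRule:
    name: str
    action: str   # decrypt-resign | decrypt-known-key | do-not-decrypt | block | block-reset | monitor
    statuses: set = field(default_factory=set)    # matches if the cert has ANY of these
    versions: set = field(default_factory=set)
    ciphers: set = field(default_factory=set)     # substrings of the negotiated cipher suite name
    sni_suffixes: tuple = ()

    def matches(self, sess, statuses):
        return ((not self.statuses or bool(self.statuses & statuses))
                and (not self.versions or sess.version in self.versions)
                and (not self.ciphers or any(c in sess.cipher for c in self.ciphers))
                and (not self.sni_suffixes or sess.sni.endswith(self.sni_suffixes)))


def deployable(action, sess, mode):
    """Passive / inline-TAP deployments cannot modify traffic: no resign at all, and
    known-key decryption only for RSA key exchange (no DHE/ECDHE)."""
    if mode == 'inline':
        return True
    if action == 'decrypt-resign':
        return False
    return not (action == 'decrypt-known-key' and 'DHE' in sess.cipher)


def evaluate(policy, sess, trusted_cas, crls, now, mode='inline', default='do-not-decrypt'):
    """Returns (action, [names of Monitor rules that also matched])."""
    statuses = cert_statuses(sess.cert, trusted_cas, crls, now)
    monitored = []
    for rule in policy:
        if not rule.matches(sess, statuses):
            continue
        if rule.action == 'monitor':
            monitored.append(rule.name)             # logged; evaluation continues
            continue
        action = rule.action if deployable(rule.action, sess, mode) else 'not-decryptable-in-passive'
        return action, monitored
    return default, monitored


# Constructed policy: bad certificates are blocked BEFORE anything is resigned, so an
# expired or revoked server cert never becomes a cert the client trusts.
POLICY = [
    SslRule('bad-certs', 'block-reset', statuses={'expired', 'revoked', 'self-signed',
                                                  'invalid-issuer', 'invalid-signature', 'not-yet-valid'}),
    SslRule('legacy-tls', 'monitor', versions={'SSLv3', 'TLSv1.0'}),
    SslRule('finance', 'do-not-decrypt', sni_suffixes=('.bank.example',)),
    SslRule('everything-else', 'decrypt-resign'),
]
TRUSTED = {'Example Root CA'}                     # constructed trusted CA name
CRLS = {'Example Root CA': {42}}                  # constructed CRL: serial 42 is revoked
NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)


def sample_session(sni, version='TLSv1.2', cipher='ECDHE-RSA-AES128-GCM-SHA256',
                   expired=False, revoked=False, self_signed=False):
    """Constructed sessions for trying the policy; all certificate data is made up."""
    cert = Cert(subject=sni, issuer=sni if self_signed else 'Example Root CA',
                serial=42 if revoked else 1,
                not_before=datetime(2016, 1, 1, tzinfo=timezone.utc),
                not_after=datetime(2016, 12, 31, tzinfo=timezone.utc) if expired
                else datetime(2018, 1, 1, tzinfo=timezone.utc))
    return Session(sni, version, cipher, cert)
```

Evaluate the same session in inline and passive mode to see the deployment limit: the resign rule that fires inline cannot be applied from a TAP, and a known-key rule only works there when the negotiated suite is not DHE/ECDHE.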
Additional Design Questions
Decryption and Access Policies
• If you need to "DROP" a category in the access policies, it is good to also drop it in the decryption (SSL) policy
  • Otherwise the HTTPS request is decrypted first and only then matched against the access policies
  • Dropping it in the SSL policy gives a performance gain
[Figure: inspection stack, bottom to top: Data acquisition → Decrypt if SSL → Packet, TCP stream processing → App ID detection → NGFW rules → IPS rules]
Do Not Decrypt Well Known (high rep.) and Finance, Block Weak Ciphers, Decrypt Uncategorized
• Switch ON logging (Default: No logging)

HTTP Strict Transport Security (HSTS) and MiTM
• HSTS is a web security policy mechanism which helps to protect websites against protocol downgrade (https->http) and MiTM attacks
• Browser dependent
• Users cannot click through warnings (no override); the browser automatically turns any http:// links into https:// links
• Does not protect if you've never visited the website before
• Preload: following the administrator's intention, a list of sites that are hardcoded into browsers
• An HSTS enabled server can include the following header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

max-age: the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS

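The bullets above describe browser-side state; the following is an added example (not from the deck) that models that state in Python so the first-visit gap, the preload exception, max-age expiry and the no-override rule can be exercised. Names such as HstsStore are this example's own.

```python
"""Added example (not from the TECSEC-2600 deck): a minimal model of the
HSTS state a browser keeps per host, to show when HSTS does and does not
apply. Names such as HstsStore are this example's own."""
from __future__ import annotations
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # epoch seconds at which the policy lapses
    include_subdomains: bool  # set when the header carried includeSubDomains


def parse_hsts(header: str) -> tuple[int, bool, bool]:
    """Split a Strict-Transport-Security value into (max_age, includeSubDomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub, preload


class HstsStore:
    """Per-host HSTS policies plus the browser's built-in preload list."""

    def __init__(self, preload_hosts=(), now=time.time):
        self.now = now                      # injectable clock, so expiry can be tested
        self.entries: dict[str, HstsEntry] = {}
        self.preload = {h.lower() for h in preload_hosts}   # protected before any visit

    def record_response(self, url: str, header: str) -> None:
        """Learn a policy; browsers ignore the header on plain-http responses."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        max_age, include_sub, _ = parse_hsts(header)
        host = parts.hostname.lower()
        if max_age == 0:                    # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
            return
        self.entries[host] = HstsEntry(self.now() + max_age, include_sub)

    def is_known(self, host: str) -> bool:
        """True when the host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self.now():  # lapsed: behave as if never visited
                del self.entries[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// only for known hosts; a first visit is not protected."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def cert_error_overridable(self, host: str) -> bool:
        """On a known host a certificate error is fatal: no click-through warning."""
        return not self.is_known(host)
```

The last method is the part that matters for decryption designs: a resigned certificate that clients do not trust produces an error a user cannot click through on an HSTS host, so the resigning CA has to be trusted by the clients first.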
Certificate Pinning
• Cert Pinning is the process of associating a host with its expected X.509 certificate(s) or public key: hard-code in the client/app the SSL cert(s) known to be used by the server
• No rogue CA; examples: Google services from Chrome 13, mobile apps, Twitter, box.com, ...
• Trust-on-first-use (TOFU) mechanism able to detect and prevent MITM attacks

(Figure: Client – NGFW – Server. The NGFW uses a CA-generated key/cert to resign the server cert, so the client receives a modified server cert; a client that pins the original cert or key notices the difference.)

Monitoring
See also BRKSEC-3006 – Tobias Mayer, CSE

SSL Connection Summary [For Your Reference]
SSL has its own Summary page; start here.

Test the SSL Service [For Your Reference]
• https://www.ssllabs.com/ssltest/analyze.html
• Check a website for all things around TLS: ciphers, certificates, handshake simulations
• Powered by Qualys

Test Your Configuration [For Your Reference]
• badssl.com, revoked.grc.com

Checking the CRL [For Your Reference]
A CRL is a long list of revoked certificate serial numbers and dates, followed by the CA signature algorithm and signature.

Download the CRL:
• curl -o crl.der http://crl.globalsign.com/gs/gsdomainvalg2.crl

Let's see it:
• openssl crl -inform DER -text -noout -in crl.der

Is this cert (1121B4..) on the list?
• openssl crl -inform DER -text -noout -in crl.der | grep 1121B4

Or:
• openssl verify -crl_check -CAfile crl_chain.pem wikipedia.pem
(for this form, crl_chain.pem must contain the CA chain and the CRL together, all in PEM form; verify fails with "unable to get certificate CRL" if the CRL is missing from it)

Example: Testing CRL checking [For Your Reference]
1. Download the https://revoked.badssl.com cert and add the intermediate CA (DigiCert) to FMC as a Trusted CA who signed the CRL
2. Add this cert to FMC as a Trusted CA with CRL
3. Add this cert to the SSL policy
4. Check the logs

Table view
Very useful; Default = No SSL info

Connection Events with Detailed SSL Information [For Your Reference]

Detailed SSL Information

Debug Command
> system support ssl-debug debug_policy_all

Parameter debug_policy_all successfully added to configuration file.

Configuration file contents:

debug_policy_all

You must restart snort before this change will take affect

This can be done via the CLI command

'system support pmtool restartbytype DetectionEngine'.

In order to view the new logs and pcaps:


> expert
admin@hostname:~$ cd /var/common
admin@hostname:/var/common$ ls
ssl_debug_27598

Example Transaction from the Log File
Process ID: 27598
Flow context: 0x153129a0
Flow info: 0x7fff8d81e7c0
flowid: 0x80000005
error: 0x00000000
cipher_suite: 49199 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl_version: TLS1.2
server_cert_h: 27
cert summary: CN=secure.eicar.org;
flags: 0x40820000048181c3
messages: 0x00000038
Connection Event: 0x7fff8d81e500
Policy ID: 4a68e4cc-e26c-11e6-af30-8a017b52b77f
Rule ID: 7
Logging is on: 0
Cipher Suite: 49199 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL Version: 16 - TLS1.2
Server Cert Status: 2
Status str: valid ca chain,
URL Category Matched: 0
App ID Matced: 0
Client Hello Server Name: (null)
Actual Action: 6 - Decrypt and resign.
Expected Action: 6 - Decrypt and resign.
Flow action: 6 Decrypt and resign.

SSL Flow Status: 2 - success - SSL Rule successfully applied.
SSL Flow Error: 0x00000000 - NSLIB:Logging [0x00000000;code:0;sub:0] Succe
SSL Flow Messages: 0x00000038 - CLIENT_HELLO, SERVER_HELLO, SERVER_CERTIFICATE,
SSL Flow Flags: 0x40820000048181c3 - VALID, INITIALIZED, SSL_DETECTED, CERTIFICATE_DECODED, FULL_HANDSHAKE, CLIENT_HELLO_SESSTKT, SERVER_HELLO_SESSTKT, CH_PROCESSED, SH_PROCESSED, (null)
SSL Session ID:
SSL Session Ticket:
Network parameters:
src_addr: 10.1.1.33
src_port: 49423
src_intf: 3
src_zone: 0
dst_addr: 213.211.198.58
dst_port: 443
dst_intf: 2
dst_zone: 1
vlan: 0
Matching Rule:
ordinal rule id: 7
rule id: 7
rule name: TEST Decrypt
Verdict:

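A debug dump like the one above quickly runs to many flows; the following added example (not from the deck) parses such records into dictionaries and flags the ones worth a look. Both sample records are constructed from the field names on this slide, and the second one is a made-up failure case whose action and status values are not from the deck.

```python
"""Added example (not from the deck): parse ssl_debug flow records like the
one above into dictionaries and flag the flows an analyst should review.
Both records below are constructed from the field names on this slide; the
second is a made-up failure case whose action and status values are not
from the deck."""
from __future__ import annotations
import re

# "key: value" lines; the key is the shortest run of letters/spaces before a colon
FIELD = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_ ]*?)\s*:\s*(.*?)\s*$")

SAMPLE_LOG = """\
Process ID: 27598
Flow context: 0x153129a0
error: 0x00000000
cipher_suite: 49199 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl_version: TLS1.2
cert summary: CN=secure.eicar.org;
Server Cert Status: 2
Status str: valid ca chain,
Client Hello Server Name: (null)
Actual Action: 6 - Decrypt and resign.
Expected Action: 6 - Decrypt and resign.
SSL Flow Status: 2 - success - SSL Rule successfully applied.
SSL Flow Error: 0x00000000 - NSLIB:Logging [0x00000000;code:0;sub:0] Succe
src_addr: 10.1.1.33
src_port: 49423
dst_addr: 213.211.198.58
dst_port: 443
rule name: TEST Decrypt

Process ID: 27598
Flow context: 0x153129a1
error: 0x00000001
cert summary: CN=selfsigned.test;
Server Cert Status: 1
Status str: self signed,
Client Hello Server Name: selfsigned.test
Actual Action: 0 - Do not decrypt.
Expected Action: 6 - Decrypt and resign.
SSL Flow Status: 1 - failure
src_addr: 10.1.1.34
src_port: 50001
dst_addr: 192.0.2.10
dst_port: 443
rule name: TEST Decrypt
"""


def parse_ssl_debug(text: str) -> list[dict[str, str]]:
    """One dict per record; records are separated by blank lines."""
    flows: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                flows.append(current)
                current = {}
            continue
        match = FIELD.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    if current:
        flows.append(current)
    return flows


def code_of(value: str) -> int | None:
    """Leading numeric code of a field: '6 - Decrypt and resign.' -> 6, '0x00000001' -> 1."""
    head = value.split(maxsplit=1)[0] if value.strip() else ""
    try:
        return int(head, 0)
    except ValueError:
        return None


def review_flow(flow: dict[str, str]) -> list[str]:
    """Findings worth a look, in a fixed order so results are comparable."""
    findings = []
    if code_of(flow.get("error", "0")) not in (0, None):
        findings.append("flow_error")
    if code_of(flow.get("Actual Action", "")) != code_of(flow.get("Expected Action", "")):
        findings.append("action_mismatch")     # the rule's verdict was not what got applied
    expected_decrypt = "Decrypt" in flow.get("Expected Action", "")
    if expected_decrypt and "valid ca chain" not in flow.get("Status str", ""):
        findings.append("cert_status")         # resigning a server cert that did not validate
    return findings


if __name__ == "__main__":
    for record in parse_ssl_debug(SAMPLE_LOG):
        print(f"{record.get('src_addr')}:{record.get('src_port')} -> "
              f"{record.get('dst_addr')}:{record.get('dst_port')} "
              f"cert={record.get('cert summary')} findings={review_flow(record) or 'none'}")
```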
Advanced Malware Protection
Demonstration
Advanced Malware Protection, AMP – overview
It handles the unknowns!
• File reputation and type based analysis,
control, store and tracking system
• Key : hash value (SHA256 or SHA1 on mobile
platform)
• Decisions by TALOS or using local sandbox
(AMP Threat Grid) or custom
• Dispositions: malware, clean, unknown,
unavailable or custom [on Firepower]
• Different detection engines (Spero, local
malware analysis, dynamic analysis)
• Collaboration between host and network based
solutions (full solution : host+network together)

Community Based Navigation
• Community based collaboration
• First victim reports*
• Rest of the community is protected

*Email Security with AMP can wait more, can protect immediately

AMP Analysis
(Figure: analysis action in the cloud – AMP Cloud, Threat Grid, Talos DGA parsing analysis, Talos sandbox; re-checked at an interval)

AMP Retrospective Security
(Figure: the AMP Cloud checks for disposition changes, looks up in its database who has seen these files, and initiates a retrospective event / quarantine)

AMP for Networks Inspection [For Your Reference]
(Figure: an incoming packet is matched against the access control rules in order)
• Rule 1: Monitor – matching traffic continues to the next rule
• Rule 2: Trust – no inspection, traffic goes to the destination
• Rule 3: Block – no inspection, traffic is blocked
• Rule 4: Allow – Network Discovery Policy, File Policy (optional), Intrusion Policy (optional); file/malware can be blocked, intrusions can be blocked
• Default Rule: intrusion prevention (default action) – Network Discovery Policy, Intrusion Policy; intrusions blocked

Malware and File Policy Order of Processing
(Flowchart)
• File size > limit? Y: stop file capture
• Entire file seen? N: keep collecting; Y: calculate SHA256
• Action is Malware Cloud Lookup or Block Malware? Y: SHA256 lookup – sensor local cache, then FMC Analysis Engine cache lookup, then AMP Cloud lookup
• File is malware? Y: drop last packet, force retransmit; malware event and block (known malware)
• File is clean? Y: clean file, no further processing
• Otherwise: file was captured? → end

Malware File Policy [For Your Reference]
File Policy inspects files in the following order:
• Spero Analysis – for an eligible executable file, the device can analyse the file's structure and submit the resulting Spero signature to the AMP cloud
• Local Malware Analysis – using a local malware inspection engine, the device examines an eligible file. The device also generates a file composition report detailing a file's properties, embedded objects, and possible malware.
• Dynamic Analysis – the device pre-classifies files as possible malware and submits these files to the AMP Threat Grid cloud or on-premises appliance for dynamic analysis, regardless of whether the device stores the file. Threat Grid runs the file in a sandbox environment. View a dynamic analysis summary report that details why the file was assigned its threat score.

Malware and File Policy Order of Processing (unknown file)
(Flowchart)
• Inspect archive? Y: extract contents (an uninspectable archive is reported as such)
• Store files? Y: capture file
• Spero? Y, and a Spero-supported file: compute Spero hash → AMP
• Local Malware Analysis? Y, and Office, PDF or EXE match: ClamAV pre-classification + high fidelity scan
• Dynamic Analysis? Y, and ClamAV pre-class flagged: file submission to Threat Grid (cloud or appliance)
• File Event; Capacity Handling

FMC 6: File Property Analysis
• The device generates a file composition report detailing a file's properties, embedded objects, and possible malware.
• Pre-classification engines: byte-code rules that detect suspicious indicators, like
  • embedded macros, exe's, flash, packed exe,
  • JavaScript in PDF, corrupt headers, VBA in OLE, etc.
• High fidelity signatures pushed by TALOS (every 30 minutes)

(Figure: File → File Composition Report → a suspect file is submitted to the sandbox, a normal file is not submitted)

FMC 6: Local Malware Checks and File Property Analysis
• Identify popular/common malware on the appliance
• Reduced need to send samples to the cloud for dynamic analysis
• Local assessment of container files for malware viability inside nested content
• File Composition Report with risk assessment
• Expand file type support for automatic dynamic analysis:
  • PDF
  • Office Documents
  • Others: EXE/DLL, MSOLE2…
• Using a local malware inspection engine, the device blocks a file if it contains malware and the file rule is configured to do so, and generates malware events.

Protection Technique: Spero Engine
SPERO = Machine Learning using active heuristics

(Figure: customer data – the featureprint of a file – becomes feature vectors for a predictive model (decision trees), which outputs an expected label [disposition]. The model is trained from clean data, dirty data and unknown data with labels, using a decision algorithm with performance monitoring. System environment attributes such as exports, keyboard API hooks, DLLs loaded, … are the hypothesis inputs.)

Protection Framework: Spero Engine
• AMP Labels = Attributes derived during execution
  • Network connections?
  • Non-standard protocols for an application?
  • Hooking which APIs?
  • Filesystem changes?
    • Copies itself
    • Moving files
  • Launching other processes?
• Over 400 attributes analyzed to identify malware

(Figure: Machine Learning Decision Tree – the leaves are Confirmed malware, Possible malware, Confirmed clean file and Possible clean file)

Decision tree example: attributes
Predict if John will play tennis
• Try to understand when John plays
• Hard to guess
• Let's build a decision tree!
• Divide and Conquer
  • Split into subsets
  • Are they pure? (all Yes or all No)
  • If Yes: stop. If Not: repeat
• See which subset new data falls into
• Pick outlook

Training examples: 9 Yes / 5 No

Day  Outlook   Humidity  Wind    Play
D1   sunny     high      weak    No
D2   sunny     high      strong  No
D3   overcast  high      weak    Yes
D4   rain      high      weak    Yes
D5   rain      normal    weak    Yes
D6   rain      normal    strong  No
D7   overcast  normal    strong  Yes
D8   sunny     high      weak    No
D9   sunny     normal    weak    Yes
D10  rain      normal    weak    Yes
D11  sunny     normal    strong  Yes
D12  overcast  high      strong  Yes
D13  overcast  normal    weak    Yes
D14  rain      high      strong  No

New data: D15  rain  high  weak  ???

https://www.youtube.com/watch?v=eKD5gxPPeY0

Building the tree [For Your Reference]
Root: 9 Yes / 5 No, split on outlook
• outlook = overcast: D3, D7, D12, D13 → 4 Yes / 0 No – pure subset, leaf = Yes
• outlook = sunny: D1, D2, D8, D9, D11 → 2 Yes / 3 No – split further on humidity
  • humidity = high: D1, D2, D8 → 0 Yes / 3 No, leaf = No
  • humidity = normal: D9, D11 → 2 Yes / 0 No, leaf = Yes
• outlook = rain: D4, D5, D6, D10, D14 → 3 Yes / 2 No – split further on wind
  • wind = weak: D4, D5, D10 → 3 Yes / 0 No, leaf = Yes
  • wind = strong: D6, D14 → 0 Yes / 2 No, leaf = No

New data: D15 (rain, high, weak) → outlook = rain → wind = weak → Yes

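The divide-and-conquer procedure on the slides, as an added example that is not from the deck: ID3 in Python (split on the attribute with the highest information gain, stop on pure subsets) run over the 14 training rows and then applied to D15. It generalises the hand-built tree above in that the same code works for any attribute set.

```python
"""Added example (not from the deck): the divide-and-conquer procedure on
the slides, implemented as ID3 (split on the attribute with the highest
information gain, stop on pure subsets) over the 14 training rows, then
used to classify D15."""
from __future__ import annotations
from collections import Counter
from math import log2

ATTRIBUTES = ("outlook", "humidity", "wind")

# Training examples from the slide (day, outlook, humidity, wind, play)
TRAINING = [
    dict(day="D1", outlook="sunny", humidity="high", wind="weak", play="No"),
    dict(day="D2", outlook="sunny", humidity="high", wind="strong", play="No"),
    dict(day="D3", outlook="overcast", humidity="high", wind="weak", play="Yes"),
    dict(day="D4", outlook="rain", humidity="high", wind="weak", play="Yes"),
    dict(day="D5", outlook="rain", humidity="normal", wind="weak", play="Yes"),
    dict(day="D6", outlook="rain", humidity="normal", wind="strong", play="No"),
    dict(day="D7", outlook="overcast", humidity="normal", wind="strong", play="Yes"),
    dict(day="D8", outlook="sunny", humidity="high", wind="weak", play="No"),
    dict(day="D9", outlook="sunny", humidity="normal", wind="weak", play="Yes"),
    dict(day="D10", outlook="rain", humidity="normal", wind="weak", play="Yes"),
    dict(day="D11", outlook="sunny", humidity="normal", wind="strong", play="Yes"),
    dict(day="D12", outlook="overcast", humidity="high", wind="strong", play="Yes"),
    dict(day="D13", outlook="overcast", humidity="normal", wind="weak", play="Yes"),
    dict(day="D14", outlook="rain", humidity="high", wind="strong", play="No"),
]


def entropy(rows: list[dict]) -> float:
    """Impurity of a subset: 0 when all labels agree, 1 bit for a 50/50 split."""
    counts = Counter(r["play"] for r in rows)
    total = len(rows)
    return -sum(c / total * log2(c / total) for c in counts.values())


def information_gain(rows: list[dict], attr: str) -> float:
    """How much splitting on attr reduces entropy, weighted by subset size."""
    total = len(rows)
    remainder = 0.0
    for value in {r[attr] for r in rows}:
        subset = [r for r in rows if r[attr] == value]
        remainder += len(subset) / total * entropy(subset)
    return entropy(rows) - remainder


def majority(rows: list[dict]) -> str:
    return Counter(r["play"] for r in rows).most_common(1)[0][0]


def build_tree(rows: list[dict], attrs: tuple[str, ...] = ATTRIBUTES):
    """Return a label (leaf) or {'attr': ..., 'branches': {...}, 'default': label}."""
    labels = {r["play"] for r in rows}
    if len(labels) == 1:          # pure subset: stop
        return labels.pop()
    if not attrs:                 # nothing left to split on: majority vote
        return majority(rows)
    best = max(attrs, key=lambda a: information_gain(rows, a))
    rest = tuple(a for a in attrs if a != best)
    node = {"attr": best, "branches": {}, "default": majority(rows)}
    for value in sorted({r[best] for r in rows}):
        subset = [r for r in rows if r[best] == value]
        node["branches"][value] = build_tree(subset, rest)
    return node


def predict(tree, row: dict) -> str:
    """Walk from the root to a leaf; an unseen attribute value falls back to the node majority."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(row[tree["attr"]], tree["default"])
    return tree


if __name__ == "__main__":
    tree = build_tree(TRAINING)
    print(tree)
    print("D15:", predict(tree, dict(outlook="rain", humidity="high", wind="weak")))
```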
Sandboxing with Threat Grid (BRKSEC-2029)
• AMP Threat Grid processes Sleep() values and Crypto API manipulation, and injects into interesting processes
• Outside & invisible to the Guest OS: user land instrumentation

(Figure: analysis pipeline – Sample → Static Analysis, Artifact Classification Tool, Runtime Analysis, Kernel Monitor, Dynamic Disk Analysis, Cloak & Dagger, Post Processing, Dynamic Disk Analysis, Static Artifact Analysis → Report / Threat Score (video, network pcap, artifacts, …); Glovebox)
• Precise file type detection
• Forensic parsing of a "physical" disk: keep a log of changes at block/sector level; the diff of changes is parsed

CiscoLive BRKSEC-2029 - An Introduction to Malware / Advanced Threats and the response methods used

Indicator Engine
• Observations
• Indicator Types: Behavioral, Static, Malware, Compromise, Evasion, Compound, Feeds

(Figure: tag cloud – forensics, attribute, weakening, artifact, network, enumeration, malware, file, evasion, persistence)

Inner Workings of a Compound Indicator

Dynamic Analysis Report

Ransomware
• Excessive Suspicious Activity
• Generic Ransomware
• Desktop Background Change
• Generic Ransom Note
• Shadow Copy Deletion

AMP Configuration on FMC
Malware Configuration Flexibility – different malware policies per access rule:
• Rule 1: allow (inside) – matching traffic → Inside malware policy
• Rule 2: allow (internet) – matching traffic → Internet malware policy
• Default action: allow – Default action = No Malware policy

File Rule Configuration
• Action options: Detect Files, Block Files, Malware Cloud Lookup, Block Malware
• Application protocol options: Any, HTTP, SMTP, IMAP, POP3, FTP, NetBIOS-ssn (SMB)

File Rules – No order of Precedence
Order does not matter!
If two or more rules match for the same file type, the action is chosen in this order:
1. Block Files
2. Block Malware
3. Malware Cloud Lookup
4. Detect Files

Configure AMP Cloud Connection
• Allows FMC to get events from AMP Cloud or Private Cloud for AMP Clients
• Each FMC can have only one AMP for Firepower connection

AMP Privacy
(Figure: on the customer premise, the Cisco AMP Private Cloud Appliance 2.2 and the AMP Threat Grid Dynamic Analysis Appliance serve Cisco ASA with FirePOWER Services v6.1, Cisco FirePOWER Sensor v6.1, Cisco Email Security Appliance, Cisco Web Security Appliance and endpoints. Arrows are labelled "Files to be analysed" towards the Threat Grid appliance and "File hashes" towards Cisco Talos federated data.)

Local AMP Threat Grid Configuration from FMC 6.0
• Add cloud or local dynamic analysis (sandboxing) under Dynamic Analysis Connections
• Only a single connection can be configured for file submissions
• When a local connection is configured, the public cloud configuration will still be used for public threat report lookups

AMP and Threat Grid Private – Hybrid mode problems [For Your Reference]
(Figure: the NGFW sends SHA, SPERO and PING2 1-1 to the public AMP Cloud; the file goes to the Threat Grid Appliance, which returns a threat score to the FMC; 1-1 no info is sent from the Threat Grid Appliance to the AMP Cloud and there is no POKE to the public cloud)
• Risk of mismatch between local FMC decision and AMP cloud!
• No info sent from Threat Grid Appliance to AMP Cloud

Advanced Malware - File Policy
• Dynamic analysis threat score levels: Medium: 25-69, High: 70-94, Very high: 95-100
• If you disable this option, files detected for the first time are marked with an Unknown disposition.
• Local exceptions: override the AMP Cloud disposition based on the dynamic analysis threat score
• Compressed file level configuration

Firepower Services, FTD Software 6.1-6.2
• Support for AMP Private Cloud Virtual Appliance
  • AMP Private Cloud Virtual Appliance instance in the internal network
  • Can be used for file disposition lookup and AMP for Endpoints event feeds
• Extended IoC support from AMP for Endpoints
  • As new IoCs are made, FireSIGHT consumes them
  • They will appear in host profiles and IoC correlation
  • IoC examples:
    • Multiple infected files detected by AMP for Endpoints
    • Microsoft calculator compromise detected by AMP for Endpoints
• Unicode filename support
  • Non-western character display in file names
• Associate FMC with a specific Threat Grid account

FMC 6.2 – User Based IoC [For Your Reference]
• Before 6.2, an Indication of Compromise (IoC) was associated with hosts
  • Host profiles contained a list of IoCs; dashboard widget for IoC by host; dedicated events page
• With 6.2, IoCs can now be associated directly with users
  • User profiles contain a list of indications of compromise for that user
  • Dashboard widgets for IoCs by user; dedicated events page: Analysis -> Users -> IoC
• The extra visibility helps to create a full picture of each IoC
  • Who (user), What (IoC), Where (host)
• Configuration identical to pre-6.2
  • Navigate to Policies: Network Discovery -> Network tab -> Edit Rule. Make sure Users is checked

User Based IoC [For Your Reference]
User Identity, Dashboard, User -> IoC

AMP Monitoring on FMC Demo
AMP 4 Endpoint collaboration

Report [For Your Reference]

Before Retrospection [For Your Reference]

After Retrospection [For Your Reference]

Conclusion
• Modern malware is engineered specifically to bypass point-in-time detection
• Detection innovation is still important, but you need more
• Retrospection gives visibility of what was missed
• AMP Everywhere gives administrators control of their entire environment

FTDv on KVM
FTDv KVM installation - Prerequisites
• Supported and tested on Ubuntu 14.04 LTS and RHEL
cisco@ubuntu:~$ cat /proc/version
Linux version 4.4.0-51-generic (buildd@lgw01-18) (gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) ) #72~14.04.1-Ubuntu SMP Thu Nov 24 19:22:30 UTC 2016

• Install necessary packages
cisco@ubuntu:~$ sudo apt-get install qemu-kvm libvirt-bin bridge-utils virt-manager virtinst genisoimage

FTDv KVM installation- Prerequisites
• Correct libvirt and QEMU version is very
important
cisco@ubuntu:~$ virsh version
setlocale: No such file or directory
Compiled against library: libvirt 1.2.2
Using library: libvirt 1.2.2
Using API: QEMU 1.2.2
Running hypervisor: QEMU 2.0.0

FTDv KVM installation - Prerequisites [For Your Reference]
• The CPU must support the SSSE3 instruction set (look for ssse3 in the flags)
cisco@ubuntu:~$ cat /proc/cpuinfo
processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 47
model name      : Intel(R) Xeon(R) CPU E7- 8837 @ 2.67GHz
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt aes lahf_lm epb tpr_shadow vnmi flexpriority ept vpid dtherm ida arat

FTDv KVM installation - Prerequisites
The Firepower Threat Defense Virtual on KVM supports the following:
• Processors: requires 4 vCPUs
• Memory: requires 8 GB RAM
• Host storage per Virtual Machine: FTDv requires 50 GB; supports virtio block devices
• Networking: supports virtio drivers; supports a total of 10 interfaces; requires two management interfaces (Management and Diagnostic interface) and two data interfaces to boot

FTDv KVM installation- License and Day0 config
• Firepower Threat Defense Virtual devices require Smart Software Licensing
• As an option you can prepare a Day0 configuration file before you launch the
Firepower Threat Defense Virtual

FTDv KVM installation - Create Day0 config file
The file must be named day0-config.
cisco@ubuntu:~$ more day0-config
{
"EULA": "accept",
"Hostname": "FTDv-CiscoLive",
"AdminPassword": "Admin123",
"FirewallMode": "routed",
"DNS1": "10.1.200.102",
"DNS2": "none",
"DNS3": "none",
"IPv4Mode": "manual",
"IPv4Addr": "10.10.10.10",
"IPv4Mask": "255.255.255.0",
"IPv4Gw": "10.10.10.254",
"IPv6Mode": "disabled",
"IPv6Addr": "",
"IPv6Mask": "",
"IPv6Gw": "",
"FmcIp": "10.1.200.171",
"FmcRegKey": "123Cisco123",
"FmcNatId": ""
}

FTDv KVM installation - Create day0.iso file
• Generate the virtual CD-ROM by converting the text file to an ISO file
cisco@ubuntu:~$ genisoimage -r -o day0.iso day0-config
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 250
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
176 extents written (0 MB)

cisco@ubuntu:~$ file day0.iso
day0.iso: # ISO 9660 CD-ROM filesystem data 'CDROM'

FTDv KVM [For Your Reference]
• Download FTDv from CCO

FTDv KVM [For Your Reference]
• Verify SHA checksum
cisco@ubuntu:~$ ls -l
-rw-r--r-- 1 cisco cisco 1025310720 Jan 24 22:15 Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2

cisco@ubuntu:~$ sha512sum Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2
15099d91b1a5bb8ef42063656b7ee14c84b2866fb00f0bd22272010c4ab2d11f7a3902e4a3d97a8f482553c6b5a6346904711c6a00a7c0b384351a12a091325d Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2

cisco@ubuntu:~$ echo "15099d91b1a5bb8ef42063656b7ee14c84b2866fb00f0bd22272010c4ab2d11f7a3902e4a3d97a8f482553c6b5a6346904711c6a00a7c0b384351a12a091325d *Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2" | sha512sum -c -
Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2: OK

FTDv KVM installation - working with virsh
• Create bridge XML files and interfaces
Create XML files for all interfaces. Make the appropriate modifications for MAC and name.
cisco@ubuntu:~$ more virbr1.xml
<network>
<name>MGMT</name>
<bridge name='MGMT' stp='on' delay='0' />
<mac address='DE:AD:00:00:BE:EF' />
</network>

Create the virtual bridges. Repeat this step for all interfaces.
cisco@ubuntu:~$ virsh net-create virbr1.xml
Network MGMT created from virbr1.xml

cisco@ubuntu:~$ brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.fe5400110ec1       yes             vnet0
DIAG            8000.c0de0000abba       yes             DIAG-nic
INSIDE          8000.cafe0000babe       yes             INSIDE-nic
MGMT            8000.dead0000beef       yes             MGMT-nic
OUTSIDE         8000.cafe0000beef       yes             OUTSIDE-nic

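The day0-config file and the per-interface bridge XML above are both hand-written, and a mistake in either only shows up after the VM has booted. The following is an added example (not from the deck or from Cisco) that generates the bridge XML for all interfaces and sanity-checks the day0-config values before they go to genisoimage and virsh; the function names are this example's own, and the sample values are copied from the deck's lab configuration.

```python
"""Added example (not from the deck or from Cisco): build and sanity-check
the two hand-written inputs of the KVM walk-through, the per-interface
bridge XML for virsh net-create and the day0-config JSON, before they are
handed to genisoimage and virsh. Function names are this example's own."""
from __future__ import annotations
import ipaddress
import json
import xml.etree.ElementTree as ET

# Keys exactly as in the deck's day0-config sample
REQUIRED_DAY0_KEYS = (
    "EULA", "Hostname", "AdminPassword", "FirewallMode", "DNS1", "DNS2", "DNS3",
    "IPv4Mode", "IPv4Addr", "IPv4Mask", "IPv4Gw", "IPv6Mode", "IPv6Addr",
    "IPv6Mask", "IPv6Gw", "FmcIp", "FmcRegKey", "FmcNatId",
)

# Values copied from the deck's sample file (lab addresses, not real infrastructure)
SAMPLE_DAY0 = {
    "EULA": "accept", "Hostname": "FTDv-CiscoLive", "AdminPassword": "Admin123",
    "FirewallMode": "routed", "DNS1": "10.1.200.102", "DNS2": "none", "DNS3": "none",
    "IPv4Mode": "manual", "IPv4Addr": "10.10.10.10", "IPv4Mask": "255.255.255.0",
    "IPv4Gw": "10.10.10.254", "IPv6Mode": "disabled", "IPv6Addr": "", "IPv6Mask": "",
    "IPv6Gw": "", "FmcIp": "10.1.200.171", "FmcRegKey": "123Cisco123", "FmcNatId": "",
}

# Bridge names and MACs taken from the deck's brctl output
SAMPLE_BRIDGES = {
    "MGMT": "DE:AD:00:00:BE:EF",
    "DIAG": "C0:DE:00:00:AB:BA",
    "INSIDE": "CA:FE:00:00:BA:BE",
    "OUTSIDE": "CA:FE:00:00:BE:EF",
}


def validate_day0(cfg: dict) -> list[str]:
    """Return the problems found; an empty list means the file is consistent."""
    problems = [f"missing key {k}" for k in REQUIRED_DAY0_KEYS if k not in cfg]
    if problems:
        return problems
    if cfg["EULA"] != "accept":
        problems.append("EULA must be 'accept'")
    if cfg["FirewallMode"] not in ("routed", "transparent"):
        problems.append("FirewallMode must be routed or transparent")
    if cfg["IPv4Mode"] == "manual":
        try:
            net = ipaddress.IPv4Interface(f"{cfg['IPv4Addr']}/{cfg['IPv4Mask']}").network
            gw = ipaddress.IPv4Address(cfg["IPv4Gw"])
            if gw not in net:                 # the FMC is reached via this gateway
                problems.append(f"IPv4Gw {gw} is outside {net}")
        except ValueError as exc:
            problems.append(f"bad IPv4 settings: {exc}")
    for key in ("FmcIp", "DNS1"):
        try:
            ipaddress.IPv4Address(cfg[key])
        except ValueError:
            problems.append(f"{key} is not an IPv4 address")
    if not cfg["FmcRegKey"]:
        problems.append("FmcRegKey is empty; FMC registration would fail")
    return problems


def bridge_xml(name: str, mac: str) -> str:
    """Isolated bridge definition in the shape the deck feeds to virsh net-create."""
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC {mac}")
    if int(octets[0], 16) & 0x01:             # I/G bit set: multicast, unusable as a bridge MAC
        raise ValueError(f"{mac} is a multicast address")
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    ET.SubElement(net, "bridge", name=name, stp="on", delay="0")
    ET.SubElement(net, "mac", address=mac.lower())
    return ET.tostring(net, encoding="unicode")


def bridge_set(bridges: dict[str, str]) -> dict[str, str]:
    """XML per interface; a MAC reused across bridges is refused."""
    owner: dict[str, str] = {}
    out: dict[str, str] = {}
    for name, mac in bridges.items():
        if mac.lower() in owner:
            raise ValueError(f"MAC {mac} reused by {owner[mac.lower()]} and {name}")
        owner[mac.lower()] = name
        out[name] = bridge_xml(name, mac)
    return out


if __name__ == "__main__":
    print("day0-config problems:", validate_day0(SAMPLE_DAY0) or "none")
    print(json.dumps(SAMPLE_DAY0, indent=2))    # content of the file named day0-config
    for bridge_name, xml in bridge_set(SAMPLE_BRIDGES).items():
        print(f"{bridge_name}.xml: {xml}")
```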
FTDv KVM installation - working with virsh [For Your Reference]
• Verify interfaces
cisco@ubuntu:~$ virsh net-list
setlocale: No such file or directory
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 default              active     yes           yes
 DIAG                 active     no            no
 INSIDE               active     no            no
 MGMT                 active     no            no
 OUTSIDE              active     no            no

cisco@ubuntu:~$ virsh net-dumpxml DIAG
<network>
  <name>DIAG</name>
  <uuid>2fd77968-09bc-4cc4-a47e-95466f3ab45d</uuid>
  <bridge name='DIAG' stp='on' delay='0'/>
  <mac address='c0:de:00:00:ab:ba'/>
</network>

FTDv KVM installation - Routing / Forwarding packets [For Your Reference]
• Setting up the interfaces really depends on how your infrastructure is set up
• Useful references:
  • https://libvirt.org/formatnetwork.html
  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Virtualization/chap-Virtualization-Managing_guests_with_virsh.html
• The previous 2 slides are an example of setting up an isolated network

FTDv KVM installation - Routing / Forwarding packets [For Your Reference]
cisco@ubuntu:~$ more virbr1.xml
<network>
<name>MGMT</name>
<forward mode='passthrough'>
<interface dev='eth5'/>
</forward>
</network>

FTDv KVM installation - create install script
The order of the interfaces is important!
cisco@ubuntu:~$ more install_ftdv.sh
virt-install \
--connect=qemu:///system \
--network network=MGMT,model=virtio \
--network network=DIAG,model=virtio \
--network network=INSIDE,model=virtio \
--network network=OUTSIDE,model=virtio \
--name=FTDv_6.2_day0 \
--arch=x86_64 \
--cpu host \
--vcpus=4 \
--ram=8192 \
--os-type=linux \
--os-variant=generic26 \
--virt-type=kvm \
--import \
--watchdog i6300esb,action=reset \
--disk path=/home/cisco/Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2,format=qcow2,device=disk,bus=virtio,cache=none \
--disk path=/home/cisco/day0.iso,format=iso,device=cdrom \
--console pty,target_type=serial \
--serial tcp,host=127.0.0.1:4495,mode=bind,protocol=telnet \
--force

FTDv KVM installation - install script [For Your Reference]
Check if KVM is loaded, otherwise "modprobe" it:
cisco@ubuntu:~$ lsmod | grep kvm
kvm_intel             167936  0
kvm                   536576  1 kvm_intel
irqbypass              16384  1 kvm

cisco@ubuntu:~$ sudo modprobe kvm

cisco@ubuntu:~$ sudo chmod +x install_ftdv.sh

FTDv KVM installation - execute install script
cisco@ubuntu:~$ ./install_ftdv.sh
warning: failed to set locale, defaulting to C

Starting install...
Creating domain...                                      |    0 B     00:01
Connected to domain FTDv_6.2_day0

Domain creation completed. You can restart your domain by running:
  virsh --connect qemu:///system start FTDv_6.2_day0

cisco@ubuntu:~$ virsh list
setlocale: No such file or directory
 Id    Name                           State
----------------------------------------------------
 1     FTDv_6.2_day0                  running

FTDv KVM installation - interact with FTDv
• Enable X11 forwarding and make sure you run an X server on your host
• X server for Windows: Xming

FTDv KVM installation - interact with FTDv
cisco@ubuntu:~$ virt-manager &
[1] 4637
Interact with the new VM – Power on, Power off, Reset, Console, Take Snapshots

FTDv KVM installation - interact with FTDv [For Your Reference]
• Troubleshooting TIP
  • After installation enter expert mode and check for any errors in /ngfw/var/log/firstboot.S96ovf-data.pl

For Your
Reference

FTDv KVM installation- working with virsh


cisco@ubuntu:~$ virsh dumpxml FTDv_6.2_day0
(XML definition of your VM; save it before you undefine the domain, the definition is gone afterwards)

cisco@ubuntu:~$ virsh destroy FTDv_6.2_day0
setlocale: No such file or directory
Domain FTDv_6.2_day0 destroyed
(destroy is an ungraceful power-off, not a shutdown)

cisco@ubuntu:~$ virsh undefine FTDv_6.2_day0
setlocale: No such file or directory
Domain FTDv_6.2_day0 has been undefined
(undefine removes the libvirt definition only; the qcow2 disk stays on the filesystem)

FTDv on Openstack
What is Openstack
• A feature rich set of software tools for building and managing cloud computing
platforms for public, private, and hybrid clouds.
• Core components: compute, network, storage, analysis, and management
• Massively scalable
• Open APIs above and below for interoperability
• Open Source- entirely community driven

Openstack- High Level Overview
(architecture diagram, source: openstack.org)
For Your Reference

Neutron
• Neutron is the OpenStack project that provides "networking as a service" between
interface devices (e.g., vNICs) managed by other Openstack services (e.g., Nova)
• Plugins
• Cisco Nexus1000v Plugin
• Modular Layer 2 Plugin
• … and much more

For Your Reference

Neutron
• The ML2 plugin architecture uses type drivers to support multiple networking
technologies and mechanism drivers to apply the networking configuration in a
transactional model
• The following type and mechanism drivers are supported (excerpt)

Type Drivers        Mechanism Drivers
Flat                Cisco Nexus Driver
Local               Tail-f NCS Driver
VLAN                …
GRE
VXLAN

Horizon Demo
Openstack – Use Cases
• Single Flat
• Multiple Flat
• Mixed Flat and Private Network
• Provider Router with Private Networks
• Per-tenant Routers with Private Networks

Getting started with Openstack
cisco@ubuntu:~$ openstack router list

cisco@ubuntu:~$ openstack network list

cisco@ubuntu:~$ openstack subnet list

For Your Reference

Getting started with Openstack


cisco@ubuntu:~$ openstack subnet show 11e0c6d7-5c78-480c-b504-93525c2d939c

cisco@ubuntu:~$ openstack project list

Getting started with Openstack
(screenshot)
For Your Reference

Getting started with Openstack
(screenshot)
Getting started with Openstack
(screenshot: change to the demo project)
Openstack- FTDv Prerequisites
FTDv needs 4 interfaces: management, diagnostic and two data interfaces (inside, outside)
• Create Network and Subnet
cisco@ubuntu:~$ openstack network create Net2 --description Mgmt_Net
cisco@ubuntu:~$ openstack subnet create Subnet2 --network Net2 --subnet-range 10.0.2.0/24
cisco@ubuntu:~$ openstack network create Net3 --description Diagnostic_Net
cisco@ubuntu:~$ openstack subnet create Subnet3 --network Net3 --subnet-range 10.0.3.0/24
cisco@ubuntu:~$ openstack network create Net4 --description Inside_Net
cisco@ubuntu:~$ openstack subnet create Subnet4 --network Net4 --subnet-range 10.0.4.0/24
cisco@ubuntu:~$ openstack network create Net5 --description Outside_Net
cisco@ubuntu:~$ openstack subnet create Subnet5 --network Net5 --subnet-range 10.0.5.0/24

cisco@ubuntu:~$ openstack subnet list

For Your Reference

Openstack- FTDv Prerequisites


• Download the FTDv .qcow2 from CCO and create a day0-config (optional); the file is handed to the instance in clear text via the config drive, so treat it as containing secrets
cisco@ubuntu:~$ more day0-config
{
"EULA": "accept",
"Hostname": "FTDv-CiscoLive",
"AdminPassword": "Admin123",
"FirewallMode": "routed",
"DNS1": "10.1.200.102",
"DNS2": "none",
"DNS3": "none",
"IPv4Mode": "auto",
"IPv6Mode": "disabled",
"IPv6Addr": "",
"IPv6Mask": "",
"IPv6Gw": "",
"FmcIp": "10.1.200.171",
"FmcRegKey": "123Cisco123",
"FmcNatId": ""
}
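An added example, not from the deck or from Cisco: a small Python checker for a day0-config before it is handed to the config drive. It encodes the behaviour the slides make visible (the "none" DNS placeholders are rejected at first boot, "auto" means DHCP) and adds the checks a practitioner wants before shipping the file: no default password or guessable registration key, valid addresses, a gateway inside the static subnet. The IPv4Addr/IPv4Mask/IPv4Gw keys for IPv4Mode "manual", the accepted mode strings and the weak-secret list are assumptions, not confirmed by the page.

```python
import ipaddress
import json
import re
from typing import Dict, List, Tuple

# Constructed copy of the day0-config shown on the slide (same keys, same values).
SLIDE_DAY0: Dict[str, str] = {
    "EULA": "accept", "Hostname": "FTDv-CiscoLive", "AdminPassword": "Admin123",
    "FirewallMode": "routed", "DNS1": "10.1.200.102", "DNS2": "none", "DNS3": "none",
    "IPv4Mode": "auto", "IPv6Mode": "disabled", "IPv6Addr": "", "IPv6Mask": "", "IPv6Gw": "",
    "FmcIp": "10.1.200.171", "FmcRegKey": "123Cisco123", "FmcNatId": "",
}

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Local policy (assumption, not an FTD rule): values that must not survive into a deployed config.
WEAK_SECRETS = {"admin123", "cisco123", "123cisco123", "password", "admin", "cisco"}
Finding = Tuple[str, str]  # ("error" | "warn", message)


def _is_ip(value: str, version: int = 0) -> bool:
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return version in (0, addr.version)


def _check_static4(cfg: Dict[str, str], out: List[Finding]) -> None:
    """IPv4Mode manual needs Addr/Mask/Gw; key names assumed by analogy with the IPv6 keys."""
    vals = {k: cfg.get("IPv4" + k, "") for k in ("Addr", "Mask", "Gw")}
    bad = [k for k, v in vals.items() if not _is_ip(v, 4)]
    if bad:
        out.append(("error", "IPv4Mode=manual needs valid " + ", ".join("IPv4" + k for k in bad)))
        return
    net = ipaddress.ip_network(f"{vals['Addr']}/{vals['Mask']}", strict=False)
    if ipaddress.ip_address(vals["Gw"]) not in net:
        out.append(("error", f"IPv4Gw {vals['Gw']} is outside {net}"))


def validate_day0(cfg: Dict[str, str]) -> List[Finding]:
    """Return findings for a day0-config; an empty list means it is ready to ship."""
    out: List[Finding] = []
    if cfg.get("EULA") != "accept":
        out.append(("error", "EULA must be 'accept' or first boot stops"))
    if not HOSTNAME_RE.match(cfg.get("Hostname", "")):
        out.append(("error", "Hostname is not a valid DNS label"))
    if cfg.get("FirewallMode") not in ("routed", "transparent"):
        out.append(("error", "FirewallMode must be routed or transparent"))
    pw = cfg.get("AdminPassword", "")
    if not pw:
        out.append(("error", "AdminPassword is empty"))
    elif pw.lower() in WEAK_SECRETS or len(pw) < 12:
        out.append(("warn", "AdminPassword is a default/weak value and ships in clear text on the config drive"))
    for key in ("DNS1", "DNS2", "DNS3"):
        val = cfg.get(key, "")
        if val == "none":  # first boot logs 'Invalid DNS server provided: none' and skips it
            out.append(("warn", f"{key}='none' is logged as invalid and skipped; use an empty string"))
        elif val and not _is_ip(val):
            out.append(("error", f"{key}={val!r} is not an IP address"))
    mode4 = cfg.get("IPv4Mode", "auto")
    if mode4 == "manual":
        _check_static4(cfg, out)
    elif mode4 != "auto":  # 'auto' = DHCP on the slide; 'manual' is assumed
        out.append(("error", f"IPv4Mode={mode4!r}; expected auto (DHCP) or manual"))
    if cfg.get("IPv6Mode", "disabled") != "disabled":
        for k in ("IPv6Addr", "IPv6Gw"):
            if not _is_ip(cfg.get(k, ""), 6):
                out.append(("error", f"{k} must be an IPv6 address when IPv6Mode is enabled"))
    fmc, key = cfg.get("FmcIp", ""), cfg.get("FmcRegKey", "")
    if fmc:
        if not (_is_ip(fmc) or all(HOSTNAME_RE.match(label) for label in fmc.split("."))):
            out.append(("error", f"FmcIp={fmc!r} is neither an IP nor a hostname"))
        if not key:
            out.append(("error", "FmcRegKey is required to register with the FMC"))
        elif key.lower() in WEAK_SECRETS or len(key) < 8:
            out.append(("warn", "FmcRegKey is a guessable one-time registration key"))
    else:
        out.append(("warn", "no FmcIp: the device will come up unmanaged"))
    return out


def render_day0(cfg: Dict[str, str]) -> str:
    """Serialize for `--file day0-config=<path>`: one flat JSON object."""
    return json.dumps(cfg, indent=2) + "\n"
```

Run `validate_day0(SLIDE_DAY0)` and the slide's file comes back with no errors but two warnings, the default-looking admin password and registration key; replace both before the file goes anywhere near a config drive.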

Openstack- FTDv Prerequisites
• Create an Image
cisco@ubuntu:~$ openstack image create FTDv --disk-format qcow2 --container-format bare \
  --public --file /home/cisco/Cisco_Firepower_Threat_Defense_Virtual-6.2.0-362.qcow2
• --public makes the image visible to every project in the cloud; leave it out (the default is private) unless other tenants are meant to boot it

cisco@ubuntu:~$ openstack image list

Openstack- FTDv Prerequisites
• Create Security Groups and Rules
cisco@ubuntu:~$ openstack security group create SecGroup1 --description Security_Group_for_Tenant1

cisco@ubuntu:~$ openstack security group rule create SecGroup1 --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0
• --remote-ip 0.0.0.0/0 admits SSH to the FTDv management interface from anywhere; outside a lab, restrict it to the admin/jump-host subnet

cisco@ubuntu:~$ openstack security group show SecGroup1

For Your Reference

Openstack- FTDv Prerequisites


• Generate public/private RSA key pair to access your VM after spin-up
cisco@ubuntu:~$ ssh-keygen

For Your Reference

Openstack- FTDv Prerequisites


• Create keypair
cisco@ubuntu:~$ openstack keypair create --public-key ~/.ssh/id_rsa.pub SSH_Key

cisco@ubuntu:~$ openstack keypair list

Openstack- Spin up FTDv
• Create your Server (VM); one --nic per network, in FTDv interface order: management, diagnostic, inside, outside

cisco@ubuntu:~$ openstack server create --image FTDv NGFW_1 \
  --flavor m1.large \
  --config-drive true --file day0-config=/home/cisco/day0-config \
  --key-name SSH_Key \
  --security-group SecGroup1 \
  --nic net-id=ddbc21bc-e70d-4992-bbeb-40016915413c \
  --nic net-id=7da2ffa1-6cf6-4102-bd71-c22c98b637ff \
  --nic net-id=1a115031-56d9-497f-8aa4-a81eda71caf4 \
  --nic net-id=e47dfb88-f9b5-436f-aaff-c9381d66e39d

cisco@ubuntu:~$ openstack server list

Openstack- How to access your FTDv
• Connect FTDv to ´the outside´ - create a port in the management network and attach it to Router1 (first argument is the router ID, second the port ID)

cisco@ubuntu:~$ openstack port create --network Net2 Router_Port_Net2

cisco@ubuntu:~$ openstack router add port 08948b15-429d-4482-965b-24edb4a24070 0018e8fb-a801-4c4f-a2e9-bf92380991ab

Openstack- How to access your FTDv
• Assign a Floating IP
cisco@ubuntu:~$ openstack floating ip create public

cisco@ubuntu:~$ openstack server add floating ip NGFW_1 192.168.2.135
• With four NICs, add --fixed-ip-address <management address> so the floating IP is mapped to the management port and not to whichever port Nova picks first
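The whole OpenStack bring-up above, networks through floating IP, as one added Python script (not the deck's or Cisco's code). It differs from the slides in three ways a practitioner would want: network IDs are read back from the CLI instead of being hand-copied UUIDs, the security group admits SSH/HTTPS only from an assumed admin range instead of 0.0.0.0/0, and the management vNIC gets a pinned fixed IP so the floating IP can be mapped to it with --fixed-ip-address. The router name Router1, the admin range, the pinned address and the key path are assumptions; the DryRun runner records the commands so the plan can be inspected without an OpenStack endpoint.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Networks in FTDv vNIC order: management, diagnostic, inside, outside
# (names, ranges and descriptions are the ones used on the slides).
NETWORKS: Tuple[Tuple[str, str, str, str], ...] = (
    ("Net2", "Subnet2", "10.0.2.0/24", "Mgmt_Net"),
    ("Net3", "Subnet3", "10.0.3.0/24", "Diagnostic_Net"),
    ("Net4", "Subnet4", "10.0.4.0/24", "Inside_Net"),
    ("Net5", "Subnet5", "10.0.5.0/24", "Outside_Net"),
)


@dataclass
class FtdvSpec:
    name: str = "NGFW_1"
    image: str = "FTDv"
    flavor: str = "m1.large"
    day0_path: str = "/home/cisco/day0-config"
    pubkey: str = "/home/cisco/.ssh/id_rsa.pub"   # assumed path
    keypair: str = "SSH_Key"
    secgroup: str = "SecGroup1"
    router: str = "Router1"              # assumed: pre-existing router with an external gateway
    external_net: str = "public"
    admin_cidr: str = "192.168.2.0/24"   # assumed admin/jump-host range; never 0.0.0.0/0
    mgmt_fixed_ip: str = "10.0.2.11"     # pinned so the floating IP can target the mgmt port


Runner = Callable[[List[str]], str]


def run_openstack(argv: List[str]) -> str:
    """Real runner: execute `openstack <argv>` and return stripped stdout."""
    proc = subprocess.run(["openstack", *argv], check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def provision(spec: FtdvSpec, run: Runner) -> str:
    """Bring up an FTDv in the order the slides use and return its floating IP.
    IDs are read back with `-f value -c id` right after creation, so no
    hand-copied UUIDs end up in the commands."""
    net_ids = {}
    for net, subnet, cidr, desc in NETWORKS:
        net_ids[net] = run(["network", "create", net, "--description", desc, "-f", "value", "-c", "id"])
        run(["subnet", "create", subnet, "--network", net, "--subnet-range", cidr])
    # Management reachability: attach the management subnet to the router.
    run(["router", "add", "subnet", spec.router, NETWORKS[0][1]])
    # Security group: management protocols only, and only from the admin range.
    run(["security", "group", "create", spec.secgroup, "--description", "FTDv_management"])
    for port in ("22", "443"):
        run(["security", "group", "rule", "create", spec.secgroup,
             "--protocol", "tcp", "--dst-port", port, "--remote-ip", spec.admin_cidr])
    run(["keypair", "create", "--public-key", spec.pubkey, spec.keypair])
    server = ["server", "create", spec.name, "--image", spec.image, "--flavor", spec.flavor,
              "--config-drive", "true", "--file", f"day0-config={spec.day0_path}",
              "--key-name", spec.keypair, "--security-group", spec.secgroup]
    for i, (net, _subnet, _cidr, _desc) in enumerate(NETWORKS):
        nic = f"net-id={net_ids[net]}"
        if i == 0:  # first vNIC is Management0/0: pin its address
            nic += f",v4-fixed-ip={spec.mgmt_fixed_ip}"
        server += ["--nic", nic]
    run(server)
    fip = run(["floating", "ip", "create", spec.external_net, "-f", "value", "-c", "floating_ip_address"])
    run(["server", "add", "floating", "ip", "--fixed-ip-address", spec.mgmt_fixed_ip, spec.name, fip])
    return fip


class DryRun:
    """Runner that records the commands and returns canned IDs/addresses."""
    def __init__(self) -> None:
        self.calls: List[List[str]] = []

    def __call__(self, argv: List[str]) -> str:
        self.calls.append(argv)
        if argv[:2] == ["network", "create"]:
            return f"uuid-of-{argv[2]}"
        if argv[:3] == ["floating", "ip", "create"]:
            return "192.168.2.135"
        return ""


def nic_args(calls: List[List[str]]) -> List[str]:
    """Extract the --nic values of the recorded `server create` command."""
    server = next(c for c in calls if c[:2] == ["server", "create"])
    return [server[i + 1] for i, a in enumerate(server) if a == "--nic"]


def exposed_to_world(calls: List[List[str]]) -> bool:
    """True if any recorded security-group rule used 0.0.0.0/0 as --remote-ip."""
    return any("0.0.0.0/0" in c for c in calls if c[:4] == ["security", "group", "rule", "create"])


if __name__ == "__main__":
    dry = DryRun()
    print("floating IP:", provision(FtdvSpec(), dry))
    for c in dry.calls:
        print("openstack", " ".join(c))
```

Swap `DryRun()` for `run_openstack` once the commands look right; the security group still applies on the management port after the floating IP is mapped, which is why the rule set stays as tight as the admin range allows.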

Openstack- How to access your FTDv (it´s alive)

• SSH to your FTDv VM

cisco@ubuntu:~$ ssh admin@192.168.2.135


The authenticity of host '192.168.2.135 (192.168.2.135)' can't be established.
ECDSA key fingerprint is 8f:64:40:be:31:06:98:8f:8c:39:ca:09:9a:53:5a:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.135' (ECDSA) to the list of known hosts.
Password:
Copyright 2004-2017, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.2.0 (build 42)


Cisco Firepower Threat Defense for KVM v6.2.0 (build 362)
>

For Your Reference

Openstack- How to access your FTDv
• Verify that the day0-config was applied (output trimmed to fit)

admin@host-10-0-2-11:~$ more /ngfw/var/log/firstboot.S96ovf-data.pl


Found a day0 config file: /mnt/cdrom/openstack/content/0000
EULA has been accepted.
Password provided.
Valid DNS server provided.
Invalid DNS server provided: none
Invalid DNS server provided: none
Valid hostname provided - FTDv-CiscoLive
Using DHCP for IPv4.
Creating AQ Task to set firewall mode to routed.
Valid Management Host provided.
Valid Registration Key provided.
No Unique NAT ID provided.
Creating AQ Task to set manager.
Created task to set manager.
(the two "Invalid DNS server provided: none" lines are the DNS2/DNS3 placeholders being rejected and skipped, not a failure; "Using DHCP for IPv4" confirms IPv4Mode "auto")
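As an added example (not part of the deck), a parser for the firstboot log above plus a check that what first boot applied matches what the day0-config asked for. The sample log is a constructed copy of the lines shown, and the message strings it recognises are only those visible on the slide; the meaning of a NAT ID line other than "No Unique NAT ID provided." is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the firstboot.S96ovf-data.pl log shown above.
SAMPLE_LOG = """\
Found a day0 config file: /mnt/cdrom/openstack/content/0000
EULA has been accepted.
Password provided.
Valid DNS server provided.
Invalid DNS server provided: none
Invalid DNS server provided: none
Valid hostname provided - FTDv-CiscoLive
Using DHCP for IPv4.
Creating AQ Task to set firewall mode to routed.
Valid Management Host provided.
Valid Registration Key provided.
No Unique NAT ID provided.
Creating AQ Task to set manager.
Created task to set manager.
"""

DAY0_RE = re.compile(r"^Found a day0 config file: (\S+)")
HOSTNAME_RE = re.compile(r"^Valid hostname provided - (\S+)")
MODE_RE = re.compile(r"set firewall mode to (\w+)")
DNS_BAD_RE = re.compile(r"^Invalid DNS server provided: (.+)$")


@dataclass
class FirstBoot:
    day0_path: Optional[str] = None
    eula: bool = False
    password: bool = False
    dns_valid: int = 0
    dns_invalid: List[str] = field(default_factory=list)
    hostname: Optional[str] = None
    ipv4: Optional[str] = None          # "dhcp" when the log says so
    firewall_mode: Optional[str] = None
    manager_host: bool = False
    reg_key: bool = False
    nat_id: bool = False
    manager_task_created: bool = False


def parse_firstboot(text: str) -> FirstBoot:
    """Reduce the log to the facts an operator checks after first boot."""
    fb = FirstBoot()
    for raw in text.splitlines():
        line = raw.strip()
        m = DAY0_RE.match(line)
        if m:
            fb.day0_path = m.group(1)
            continue
        m = DNS_BAD_RE.match(line)
        if m:
            fb.dns_invalid.append(m.group(1))
            continue
        m = HOSTNAME_RE.match(line)
        if m:
            fb.hostname = m.group(1)
            continue
        m = MODE_RE.search(line)
        if m:
            fb.firewall_mode = m.group(1)
            continue
        if line == "EULA has been accepted.":
            fb.eula = True
        elif line == "Password provided.":
            fb.password = True
        elif line == "Valid DNS server provided.":
            fb.dns_valid += 1
        elif line == "Using DHCP for IPv4.":
            fb.ipv4 = "dhcp"
        elif line == "Valid Management Host provided.":
            fb.manager_host = True
        elif line == "Valid Registration Key provided.":
            fb.reg_key = True
        elif line == "Created task to set manager.":
            fb.manager_task_created = True
        elif "NAT ID provided" in line:   # assumption: any non-"No ..." variant means it was applied
            fb.nat_id = not line.startswith("No ")
    return fb


def check_against_day0(fb: FirstBoot, day0: Dict[str, str]) -> List[str]:
    """Compare what first boot applied with what the day0-config asked for."""
    problems: List[str] = []
    if fb.day0_path is None:
        return ["no day0 config file was found; setup must be completed on the console"]
    if not fb.eula:
        problems.append("EULA not accepted")
    if not fb.password:
        problems.append("admin password not applied")
    if fb.hostname != day0.get("Hostname"):
        problems.append(f"hostname {fb.hostname!r} != {day0.get('Hostname')!r}")
    if fb.firewall_mode != day0.get("FirewallMode"):
        problems.append(f"firewall mode {fb.firewall_mode!r} != {day0.get('FirewallMode')!r}")
    if day0.get("IPv4Mode") == "auto" and fb.ipv4 != "dhcp":
        problems.append("IPv4 was not configured by DHCP")
    if fb.dns_valid == 0:
        problems.append("no usable DNS server")
    if day0.get("FmcIp"):
        if not (fb.manager_host and fb.reg_key and fb.manager_task_created):
            problems.append("manager registration task was not created; check FmcIp/FmcRegKey")
        if day0.get("FmcNatId") and not fb.nat_id:
            problems.append("FmcNatId was given but not applied")
    return problems
```

The interesting failure mode is the last one: an FMC behind NAT needs the NAT ID on both sides, and the log is the only place the device tells you whether it took it.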

Openstack- Dashboard View
(Horizon screenshots)
Application Centric Infrastructure - ACI

Applications All Around Us
• Applications are the driving force of business; they are being rapidly developed and deployed at scale
• …while requiring frequent updates and the highest availability (SLAs)
Challenge for Infrastructure
• Keep up with the pace of change imposed on the network and security functions
• …while maintaining application capacity and resiliency
For Your Reference
Software-Defined Networking …Comes to the Rescue
“…is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services.”
Source: www.opennetworking.org

ACI Security - orchestrates the security services and enables programmable networking.
For Your Reference
Terminology
• ACI Fabric – hardware infrastructure made up of spine and leaf nodes built from Nexus 9000 (N9K) switches.

• Device Package - a zip file containing an XML file and Python scripts; the XML file describes which vendor-specific configuration options are exposed in the APIC.

• APIC – centralized controller for ACI, the single point of policy management and automation.

• EPG – Endpoint Group, a logical group that can contain virtual machines or physical servers.

• Contracts - a set of rules that governs communication between EPGs; a contract defines the specific ports and protocols allowed between EPGs, e.g. TCP 80 or TCP 443. Contracts are bi-directional.

• Service Graphs - L4-7 services such as security; a service graph is attached to a contract (the AC
L) to redirect traffic to a service producer such as an ASA, an NGIPS or a load balancer.

• VRF – (also known as contexts) defined within a tenant to provide isolated and potentially overlapping IP address spaces.

• Bridge Domain - defines an L2 boundary (flood domain) and imposes additional constraints (such as no broadcast) within that L2 boundary. NOT a VLAN, simply a container for subnets. An EPG can only be a member of a single BD.
Application Centric Infrastructure
• Nexus 9000 switch fabric with centralized management through the APIC controller
• Orchestrate networking and L4-L7 services
• Add any hypervisor or physical workloads
• Controls the Clos fabric of Nexus 9000 switches
• VLAN pooling
• Any subnet anywhere
• Embrace open systems, APIs, and abstracted models to benefit any type of workload
ACI Infrastructure (see also LTRSEC-3001)
(figure: ACI fabric with spine nodes, leaf nodes, a virtual leaf (AVS) and three APICs; attached to it an L3Out EPG “Outside”, logical/concrete L4-L7 devices, a provider EPG “Files” and a consumer EPG “Users”)
ACI Whitelist Policy supports the “Zero Trust” Model
Whitelist policy = explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members

• Trust based on location (traditional DC switch): servers 1-4 share a segment, so servers 2 and 3 can communicate unless blacklisted
• Zero trust architecture (Nexus 9K with ACI): server 2 is in EPG 1 “WEB”, server 3 in EPG 2 “APP”; no communication is allowed between them unless there is a whitelist policy
Endpoint Groups Communications
(figure: three EPGs, “EPG Web”, “EPG App” and “EPG DB”, each containing several endpoints (EP))

Devices within an Endpoint Group can communicate, provided that they have IP reachability (provided by the VRF/Domain).
Communication between Endpoint Groups is, by default, not permitted.
Contracts
(figure: the same three EPGs, now joined by contracts)

Once we have our EPGs defined, we need to create policies to determine how they communicate with each other. These are called contracts. Contracts are bi-directional: by default a contract is applied in both directions, so the provider's replies are matched by the reversed filter rather than by a second, open rule.
Service Graph
(figure: contracts between “EPG Web” and “EPG App” and between “EPG App” and “EPG DB”, each carrying a service graph)

In order to add L4-L7 services such as security, you can add a Service Graph to a contract to redirect traffic to a Service Producer such as an ASA or Firepower NGIPS
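An added illustrative model (not APIC code and not from the deck) of the contract and service-graph semantics described on the last few slides: endpoints in one EPG talk unless intra-EPG isolation is enforced, traffic between EPGs needs a contract whose filter matches, the provider's replies are matched on the reversed filter port, and a contract carrying a service graph redirects matching traffic to the L4-L7 device. The three-tier EPGs follow the slides; the port numbers and the ASA as service-graph device are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    """One filter entry of a contract subject: protocol plus destination port (None = any)."""
    proto: str
    dport: Optional[int] = None

    def matches(self, proto: str, port: Optional[int]) -> bool:
        return self.proto in ("any", proto) and (self.dport is None or self.dport == port)


@dataclass(frozen=True)
class Contract:
    name: str
    consumer: str                        # EPG that opens the connection
    provider: str                        # EPG that is accessed
    filters: Tuple[Filter, ...]
    service_graph: Optional[str] = None  # L4-L7 device matching traffic is redirected to


class AciPolicy:
    """Whitelist model: same-EPG traffic is permitted unless the EPG is isolated,
    cross-EPG traffic needs a contract, everything else is dropped."""

    def __init__(self, isolated_epgs: Iterable[str] = ()) -> None:
        self.contracts: List[Contract] = []
        self.isolated = set(isolated_epgs)

    def add_contract(self, c: Contract) -> "AciPolicy":
        self.contracts.append(c)
        return self

    def decide(self, src_epg: str, dst_epg: str, proto: str,
               sport: Optional[int], dport: Optional[int]) -> Tuple[str, str]:
        """Return (action, reason); action is permit, deny or redirect:<device>."""
        if src_epg == dst_epg:
            if src_epg in self.isolated:
                return "deny", "intra-EPG isolation enforced"
            return "permit", "same EPG"
        for c in self.contracts:
            if c.consumer == src_epg and c.provider == dst_epg \
                    and any(f.matches(proto, dport) for f in c.filters):
                return self._verdict(c, "consumer->provider")
            # "apply both directions" with reverse filter ports: the provider's
            # replies are matched on their source port, not by an open inbound hole
            if c.provider == src_epg and c.consumer == dst_epg \
                    and any(f.matches(proto, sport) for f in c.filters):
                return self._verdict(c, "provider->consumer (reverse filter)")
        return "deny", "no contract between EPGs (implicit whitelist deny)"

    @staticmethod
    def _verdict(c: Contract, direction: str) -> Tuple[str, str]:
        action = f"redirect:{c.service_graph}" if c.service_graph else "permit"
        return action, f"contract {c.name}, {direction}"


def demo_policy() -> AciPolicy:
    """Three-tier example from the slides; ports and the ASA graph are constructed."""
    return (AciPolicy(isolated_epgs={"DB"})
            .add_contract(Contract("HTTP", consumer="Web", provider="App",
                                   filters=(Filter("tcp", 80), Filter("tcp", 443))))
            .add_contract(Contract("SQL", consumer="App", provider="DB",
                                   filters=(Filter("tcp", 3306),), service_graph="ASA")))


if __name__ == "__main__":
    p = demo_policy()
    for flow in (("Web", "App", "tcp", 51000, 80), ("App", "Web", "tcp", 80, 51000),
                 ("Web", "DB", "tcp", 51000, 3306), ("App", "DB", "tcp", 51000, 3306),
                 ("DB", "DB", "tcp", 51000, 3306)):
        print(flow, "->", p.decide(*flow))
```

Two things the model makes concrete: App cannot open a new connection to Web on port 22 even though an HTTP contract exists between them (only the reply direction of port 80/443 is matched), and Web cannot reach DB at all because no contract names that pair, regardless of what the firewall behind the SQL contract would allow.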
ACI Communication Abstraction
(figure: the APIC pushes the security policy for “App” → “DB” into the ACI fabric; the security services sit beside the fabric)
Security policy “App” → “DB”:
• All TCP/UDP: accept, redirect to FW and IPS
• All other: drop
ACI Modeling
(figure: object hierarchy of tenant “University”)
Tenant “University”
  Infrastructure
  PN/VRF “Engineering”
    Bridge Domain 172: subnets 172.16.1.0/24, 172.16.2.0/24, 172.16.10.0/24, …
    Bridge Domain 10: subnet 10.1.1.0/24
    EPG Web, EPG App, EPG DB; policy “HTTP” between Web and App, policy “SQL” between App and DB
  PN/VRF “Business”
    Bridge Domain 100: subnets 10.1.1.0/24, 10.1.2.0/24 (10.1.1.0/24 overlaps with VRF “Engineering”; the VRFs keep the address spaces apart)
    EPG Web, EPG Apps, EPG DB; policy “HTTP” between Web and Apps, policy “SQL” between Apps and DB

• A Service Graph requires a Contract that governs two different Bridge Domains
• You can NOT install a Service Graph between two EPGs in the same Bridge Domain
ACI L2 Fabric | ACI No Package | ACI by Design
• ACI L2 Fabric: APIC defines tenants; an EPG is a VLAN/subnet; the APIC controls the fabric only
• ACI No Package: fabric gateway/routing; no device package; unmanaged service graphs
• ACI by Design: orchestrate it ALL; vendor device package; managed service graphs; APIC in control; ‘happier’ SecOps
(each model shown with EPGs Web, App and DB)
ACI Fabric is L2 - Easing Customers into ACI
• Firewalls managed separately from APIC by the security team
• The service attaches to EPG VLANs/PGs and serves as a host gateway to steer traffic between VLANs
• Allow flexibility to enable the ACI fabric for EPG management, and attach security directly into EPGs

Endpoint Group (EPG): creation of EPG segments still done on APIC; EPs are virtual machines or physical servers
Contract: not implemented yet; firewalls control traffic flows between EPGs
Service Chain: not implemented yet; firewalls are gateways and peer with external routers
Programmability: northbound API to script full tenant network creation
No Device Package - Services Independent of APIC
• Firewalls still managed separately from APIC by the security team
• A physical appliance attaches to the given fabric ports and must match VLANs
• A virtual appliance's data plane vNICs get attached to the proper port groups (PGs) via APIC
• Unmanaged service graphs
• Customers enable full ACI fabric benefits without forcing a device package

Endpoint Group (EPG): creation of EPG segments still done on APIC; EPs are virtual machines or physical servers
Contract: is between EPGs and adds unmanaged service graphs (no device package)
Service Chain: graphs in the fabric; firewalls match the SG fabric-attached VLANs/PGs
Programmability: northbound API to script full tenant network and unmanaged SG creation
Full Orchestration – One Controller - ACI Fabric and Managed Services
• Firewalls managed within the APIC GUI; the security team can now program L4-L7 function profiles
• A physical appliance is attached to the fabric and APIC configures its data plane with matching VLANs
• A virtual appliance's data plane vNICs get attached to the proper port groups via APIC
• Managed service graphs
• Leverage the full benefits of the ACI fabric with the ability to program L4-L7 using a device package

Endpoint Group (EPG): creation of EPG segments still done on APIC; EPs are virtual machines or physical servers
Contract: is between EPGs and adds managed service graphs via device package
Service Chain: graphs in the fabric; firewalls match the SG fabric-attached VLANs/PGs
Programmability: northbound API to script full tenant network, SG creation, and FW config
ACI Micro-Segmentation – Two Parts
• Intra-EPG Isolation: isolate workloads within an application tier. Without it all workloads in the APP EPG can communicate; with it the endpoints of the APP EPG are isolated from each other
• Attribute-based Micro-Segmentation: a uSeg EPG built from a VM attribute (e.g. OS=‘Linux’) isolates the matching endpoints from the base EPG
• ACI benefits: segmentation by attributes such as IP ‘10.1.1.1’, OS ‘Linux’ or name ‘Finance’
Cisco ACI and Cisco Advanced Security
Cisco Advanced Security – ASA / Firepower / AMP, with APIC integration: threat-centric protection, deep traffic inspection, real-time threat intelligence, dynamic workload quarantine, forensic analysis
Native ACI Security: centralized policy automation, secure multi-tenancy with whitelisting, attribute-based microsegmentation, VM-based segmentation, ACI group policy, industry compliance standards (PCI)

Cisco ACI + Cisco Advanced Security advantages:
• Addresses key DC challenges: threat-centric, visibility, compliance
• Only complete Before, During, and After approach to threats
• Industry’s most comprehensive threat intelligence with TALOS
• Highest rated Next Generation Intrusion Prevention System*
• Highest rated Breach Detection System – 99.2% effective**
*NSS NGIPS SVM Report, April 2015. **NSS Breach Detection SVM Report, August 2015.
Cisco Advanced Security Platforms
(figure: platforms placed along a scale from SOHO/Teleworker through Branch Office, Internet Edge and Campus to Data Center)
• ASA 5505**, ASA 5506(W/H), ASA 5508-X, ASA 5512/15-X, ASA 5516-X
• ASA 5525-X, ASA 5545-X, ASA 5555-X, FPv, FTDv, ASAv**
• ASA 5585-X SSP10 / SSP20 / SSP40 / SSP60, FirePOWER 7000/8000, ASA SM (Cat6500)**
• Firepower 4100, Firepower 9300, ASA Cluster 2-16x
** Platform runs only ASA code, no FirePOWER features
Inserting Advanced Security into ACI
Cisco Security Features in the ACI Fabric

Nexus 9000 (leverage the service graph; filtering in hardware)
• Layer 4-7 policy: stitch-in FW, IPS, LB; SPAN to monitor traffic; add TrustSec PEP
• Layer 1-4 policy: no-trust fabric; distributed stateless filtering (whitelist); QoS & real-time metrics

ASA(v) (stateful FW inspection; filtering in software)
• Layer 4-7 policy: traditional firewall; dynamic pin-holes
• Layer 1-4 policy: Layer 2-4 ACLs (2M); dynamic routing; FHRP with clustering

FirePOWER(v), FTD(v) with FMC (NGFW / NGIPS / AMP)
• Layer 4-7 policy: micro-app + URL filtering; SSL decryption (physical); intrusion prevention; malware protection
• Layer 1-4 policy: Layer 3-4 ACL; fail-to-wire
Service Automation Through Device Package
• Service automation requires a vendor device package. It is a zip file containing
  • Device specification (XML file)
  • Device scripts (Python)
• Download the device package and import it into the APIC
• The APIC interfaces with the device using the device Python scripts
• The APIC uses the device configuration model provided in the package to pass configurations to the device
• Device script handlers interface with the device using its REST or CLI interface

(figure: device specification excerpt <dev type="f5"> <service type="slb"> <param name="vip"> with attributes such as ident="210.1.1.1", validator="ip", hidden="no", locked="yes"; the package feeds the APIC policy element and device model, the APIC script interface runs the device-specific Python scripts through the script engine, and those talk to the service device or its device manager console over REST/CLI)
Advanced Security in Application Centric Infrastructure
Insert L4-L7 services into the fabric – unmanaged devices or using a device package in managed mode

ASA Device Package: ASA5500-X, ASA5585-X, ASAv, Firepower 4100 & 9300
FirePOWER Device Package: NGIPSv, FirePOWER appliances
Unmanaged Devices: can be used for any device, e.g. FTDv, FTD
Advanced Security in Application Centric Infrastructure
(figure: ASA Device Package – firewall devices are connected to any leaf switch; FirePOWER Device Package – physical devices connect to any leaf switch; FTDv inserted as an unmanaged device)
For Your Reference
Cisco Security Devices in ACI Fabric
Device Package L4-7 Insertion

Cisco L4-7 Device            | Supported Platforms                     | Device Package / Version     | Mode                                                | HA Mode
FTD on physical appliance    | FP9300, FP4100, ASA5500-X               | DP N/A, use unmanaged; 6.0.1 | Go-To (routed, L3out ok), Go-Through (L2FW, inline IPS) | Active/Standby failover; Active/Active FP9300 intra-chassis cluster
FTDv virtual                 | VMware                                  | DP N/A, use unmanaged; 6.0.1 | Go-To (routed, L3out ok), Go-Through (L2FW, inline IPS) | Active/Standby failover
ASA physical appliance       | ASA5585-X, ASA5500-X                    | DP 1.2.5.5; ASA 8.4+         | Go-To (routed, L3out supported), Go-Through (L2FW)  | ASA Active/Standby failover, ASA clustering (Active/Active)
ASAv virtual                 | ASAv5, v10, v30 on VMware, KVM, Hyper-V | DP 1.2.5.5; ASAv 9.4+        | Go-To (routed, L3out supported), Go-Through (L2FW)  | ASA Active/Standby failover
FirePOWER physical appliance | FP71x0, FP71x5, FP70x0, FP8100, FP8300  | DP 1.0.1.13; 5.4.1           | Go-Through (inline IPS)                             | Fail-to-Wire
FirePOWER virtual appliance  | VMware                                  | DP 1.0.1.13; 5.4.1           | Go-Through (inline IPS)                             | N/A
Cisco Security Device Packages

APIC Managed Service Graph
• ASA 1.2 Device Package: GoTo (routed FW), GoThrough (transparent FW); ACL, DPI, Netflow, syslogs, TrustSec; L3out dynamic routing (BGP/OSPF); dynamic update of EPG ACL; Active/Standby failover; divert to embedded FirePOWER
• FirePOWER 1.0 Device Manager Package: GoThrough (L2 NGIPS) inline sensor; APIC orchestrates the data plane; FMC installs policy on the sensors; access control / NGIPS policy; show real-time events; advanced malware policy

APIC Unmanaged Service Graph
• Run any ASA or Fire(power) platform, code, and features
• APIC orchestrates the service graph on the Nexus leaf switches
• Security devices (ASA, FirePOWER, or FTD) are managed using CLI, REST-API, or purpose-built management tools (ASDM, CSM, FMC), and must match the unmanaged service graph settings (plug into the configured ports, and match interface static/dynamic VLANs)
• Partial orchestration: APIC controls networking and policy on the fabric leaf switches but not the L4-L7 devices
Why use Unmanaged Service Graph

• SecOps management workflows and tools remain intact
• Security products do not require a device package from a vendor
• Quicker migration of security services and policies into the ACI fabric
• Allows use of the full spectrum of product features, not just the features supported by the device package
• Relieves the service devices of APIC configuration, validation and monitoring
Cisco Security ACI Device Package Integration
(figure)
• ASA Device Package – fully managed ASA device (ASA with FirePOWER): access policy configuration, service graph segmentation, data plane to ACI fabric, embedded module threat policy configuration; Netflow and syslogs feed Stealthwatch for visibility and real-time alerts
• FirePOWER 5.4 Device Manager Package – partially managed FirePOWER device: FirePOWER 6.0 services, threat policy configuration through the FMC, data plane to ACI fabric
Why use Managed Service Graph (see also BRKSEC-2048)

• Full tenant orchestration with L4-L7 services
• ACL changes on the firewall can be offloaded to custom tools, using the northbound API
• The ASA device package allows for very fast deployment of security and enables use of special APIC features
• Flexibility gained with the Device Manager model, where the APIC orchestrates the data plane while the SecOps team manages the policy with the same tools
• The APIC monitors the service health and validates the configuration
ACI Fabric Building Blocks
• Endpoint Groups: virtual or physical workloads
• Service Graphs: virtual or physical L4-L7 devices
• L3 or L2 Outs
• Leaf Nexus 9000 switches (40G / 10G / 1G ports) – distributed anycast gateway
• Spine Nexus 9000 switches (40G) – MP-BGP control plane
ASA Device Package
Dynamic Security - TrustSec on ASA in ACI
Policy contract in the ACI fabric: Corp → App: allow, redirect to ASA; all other: drop

1. Campus users in the Corp EPG (Marketing, Engineering) get tagged to groups by ISE
2. The ASA learns the group mappings through the SXP protocol
3. Coarse filtering: the ACI policy contract allows all traffic from campus to the DC application (App EPG) and redirects it to the ASA
4. Fine filtering: the ASA permits only Engineering to access the application from campus, based on group

Source                  Destination   Action
Engineering [SGT 333]   Any           Allow
Any                     Any           Deny
ACI End Point (EP) Isolation within EPG
• Intra-EPG isolation added in APIC 1.2(2g)+
• Bare metal, VMware DVS, AVS*, Openstack OVS (ML2)
• Makes “ALL” endpoints in an EPG isolated
• Isolates a mix of physical and virtual EPs in the same EPG
• Configured under an EPG (Enforced)
• Intra-EPG contracts are not yet supported: it is permit ALL or deny ALL
• *AVS on VMware (Q2CY16)
ACI Attribute-based Micro-Segmentation
• Added in APIC 1.2
• Bare-metal, Cisco AVS (VMware), Hyper-V, VMware DVS*
• Attributes: MAC/IP sets, vNIC (DN), VM (ID), VM name, hypervisor, domain (DVS), datacenter (VMware) or fabric cloud (Hyper-V), custom (VMware only), guest OS
• Bare-metal supports only IP-based EPGs (DVS, AVS, Hyper-V switch, OVS*)
• Derive the EPG from VLAN, VXLAN VNID, IP, MAC, and now from a VM attribute
• Example use cases: quarantine infected VMs with VM name = VDI-MARKET*; micro-segments for IP = 1.1.1.x, VM name = VDI and name = Finance-*, each fronted by the firewall
• Bare-metal MAC-EPG (Q4CY16) and VMware DVS (Q2CY16*)
Closing
Thank you!
• Thank you very much for your attendance and interaction

• Speakers
• Ciara Campbell (FTD Migration, CDO, ACI, …)
• Bart Van Hoecke (Hardware, Identity, TS-Agent, …)
• Gyorgy Acs (FDM, RestAPI, SSL, AMP, …)
• Dragan Novakovic (AVC, IPS, Software offerings, …)
• Stefan Duernberger (Packet Processing, FTDv on KVM/Openstack, …)
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions