
#CiscoLive

Hardening
The Secure Firewall

Srinivasa Rao Munagala , NGFW Technical Leader

BRKSEC-2093

About the Speaker
Srinivasa Munagala

Double CCIE (Security and DC)

• Technical Leader in the CX Security organization. More than 11 years at Cisco.

• Came from an ASA background originally and currently focused on Next-Gen Firewalls.

• Passionate about FW technologies.

• Hobbies include playing volleyball and cricket and watching crime thriller movies.

#CiscoLive BRKSEC-2093 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex App

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 9, 2023. https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2093
Agenda
• Introduction
• Dataplane Hardening
• Control Plane Hardening
• VPN Hardening
• Logging and Monitoring
• Software and Content Updates
• Disaster Recovery
• Compliance
• Performance Best Practices
• Conclusion
Introduction
Introduction to Hardening
• The firewall is a critical component of the network perimeter that protects most enterprise networks.
• It is very important to harden the firewall configuration to reduce potential threats in your network.
• Firewall hardening is an ongoing process which involves:
  • Enhancing network security
  • Minimizing risks
  • Preventing unauthorized access
  • Mitigating malware and cyber threats
  • Maintaining compliance requirements
Secure Firewall Terminology
Term: Definition
FTD: Firepower Threat Defense (or Secure Firewall) – unified software image (ASA + Firepower)
Lina: Underlying ASA-derived process that is integrated into the FTD product
Snort: The inspection engine of the Firepower product, integrated into FTD and providing the IPS functionality
FMC: Secure Firepower Management Center – off-box GUI used to manage FTD devices (configuration, reporting, monitoring, etc.)
FXOS: Firepower Extensible Operating System – system that manages the hardware platforms for Firepower 9300, 4100, 3100, 2100 and 1100 series products
Dataplane Hardening
Reference Slide: FTD Routed Packet Flow
[Figure: FTD routed packet-flow diagram. LINA ASA engine (blue): packet arrives on interface > existing conn? (no) > VPN decrypt > UN-NAT / egress interface > global ACL (permit) > L3/L4 prefilter policy (rule action: fastpath or trust) > hand-off to Snort via PDTS / DAQ extensions. Snort engine (orange): L2-L4 decode > SI (IP) blacklist > Frag3 preproc > Stream5 preproc > SI URL/DNS blacklist > SSL policy > AppID > L7 ACL (App/URL classify; rule action: trust, network discovery, QoS) > Snort rules > file policy > PDTS / DAQ back to LINA: QoS (enforce) > NAT IP header > VPN encrypt > L3 route > L2 address > TX. A drop can occur at each stage.]
LINA ASA Engine = BLUE, Snort Engine = ORANGE
Access Control Rules - Case Study
Problem - NMAP detects all listening ports on an internal server

[Figure: Nmap scanner on the Outside interface, FTD in the middle, internal servers on the Inside interface. Step 1: SYN from Outside to Inside; step 2: SYN ACK from Inside back to Outside.]

1 Outside host sends a SYN to the Inside Server
2 Inside Server responds with a SYN-ACK
Access Control Rules - Case Study
Problem - NMAP detects all listening ports on an internal server

There are no Access Control Rules which allow traffic on the following ports:
• FTP (tcp/21)
• SMB (tcp/445)
• NFS (tcp/2049)
• RDP (tcp/3389) and so on
Access Control Rules - Case Study
• NMAP receives a response to its SYN packet, so it reports the port as OPEN.
• Application services can run on custom ports. Example: HTTP can run on port 8081. The FW has to inspect the first few data packets after the TCP 3-way handshake to determine the application.
• The FW allows the first few data packets temporarily (*with IPS inspection) until the application is determined.
• Once the application is determined to be non-HTTP, this rule no longer matches and evaluation moves on to the next rules.
FW Trace w/ Engine Debugs:
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Packet 5327: TCP ******S*, 05/23-22:49:09.534075, seq 3605876215, dsize 0
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Session: new snort session
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: starting rule matching, zone 2 -> 1, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'Inbound-Web_server', pending AppID
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, 'Inbound-Web_server', nothing has changed
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Policies: Network 0,
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 pending rule id 268434435 nothing has changed
Access Control Rules - Case Study - Solution
Previous Rule Config

Modified Rule Config

Access Control Rules - Case Study
Verification (Port 21-FTP SYN)

34: 23:07:28.873917 192.168.212.115.36634 > 192.168.250.10.21: S 2744652541:2744652541(0) win

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 0 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434438
access-list CSM_FW_ACL_ remark rule-id 268434438: ACCESS POLICY: FTD-ACP1 - Default
access-list CSM_FW_ACL_ remark rule-id 268434438: L4 RULE: deny_block
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 3294 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055f948cc64e7 flow (NA)/NA

1 packet shown
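To make the "pending AppID" behaviour of the case study concrete, here is an added Python model of first-match access-control evaluation. It is example code written for this page, not FTD or FMC code. The rule name comes from the trace above; the port list on the modified rule and the replayed flows are assumptions (the deck only shows a screenshot of the changed rule). It shows why an allow rule keyed only on the HTTP application lets a SYN to tcp/21 through as "pending", while the same rule with an L4 port condition lets that SYN fall to the default block.

```python
"""Toy model of first-match access-control evaluation with 'pending AppID'.

Added example, not FTD or FMC code. Rule names, ports and flows are
constructed; the modified rule's port list is an assumption (the slide only
shows a screenshot of the changed rule).
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                            # "allow", "block", "trust" or "monitor"
    dst_ports: Optional[Set[int]] = None   # L4 condition; None means any port
    apps: Optional[Set[str]] = None        # L7 condition; None means no app condition


@dataclass
class Flow:
    dst_port: int
    app: Optional[str] = None              # None until AppID has identified the application


def evaluate(rules, flow: Flow, default_action: str = "block") -> Tuple[str, str]:
    """Walk the rules top to bottom and return (decision, rule name).

    "pending" models the trace above: an L7 rule whose L4 conditions already
    match cannot be ruled out until AppID has seen payload, so the first packets
    are let through (with IPS inspection) instead of falling to the default action.
    """
    for rule in rules:
        if rule.dst_ports is not None and flow.dst_port not in rule.dst_ports:
            continue                       # L4 condition fails: rule can never match
        if rule.apps is not None:
            if flow.app is None:
                return ("pending", rule.name)
            if flow.app not in rule.apps:
                continue                   # application known and it is not this one
        if rule.action == "monitor":
            continue                       # monitor logs the match, evaluation continues
        return (rule.action, rule.name)
    return (default_action, "Default Action")


# Previous config: an allow rule keyed only on the HTTP application (any port).
PREVIOUS_RULES = [
    Rule("Inbound-Web_server", "allow", apps={"HTTP"}),
]

# Modified config: the same rule constrained to the web ports the server really
# uses, so a SYN to tcp/21 can no longer be 'pending' on it. (Constructed ports.)
MODIFIED_RULES = [
    Rule("Inbound-Web_server", "allow", dst_ports={80, 443, 8081}, apps={"HTTP"}),
]


def case_study():
    """Replay the Nmap SYN to tcp/21 against both rule sets."""
    syn_to_ftp = Flow(dst_port=21)                 # first packet, AppID unknown
    ftp_identified = Flow(dst_port=21, app="FTP")  # after the first data packets
    return {
        "previous/syn": evaluate(PREVIOUS_RULES, syn_to_ftp),
        "previous/after_appid": evaluate(PREVIOUS_RULES, ftp_identified),
        "modified/syn": evaluate(MODIFIED_RULES, syn_to_ftp),
        "modified/http_8081": evaluate(MODIFIED_RULES, Flow(8081, app="HTTP")),
    }


if __name__ == "__main__":
    for name, result in case_study().items():
        print(f"{name:24s} -> {result}")
```

The decisive difference is the L4 condition: with it, the SYN to tcp/21 is rejected by the rule before AppID is ever consulted, which is exactly what the packet-tracer output above shows as the default deny.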
Access Control Rules - Best Practices
Rule ordering baseline (top to bottom):
• Geolocation Rules
• Layer-3/4 rules
  • Block > Trust > Allow Rules
• Layer-7 (App/URL) Outbound Rules
  • Block > Trust > Allow Rules
• Default Action
Always order rules to suit your organization's needs.

Guidelines:
• Specific rules should come before general rules.
• Avoid L7 (App/URL) based rules from Untrust to Trust network when possible.
• Subject Untrust to Trust traffic to IPS inspection.

[Figure: Rule Action - ordering. An incoming packet is matched against the rules top to bottom. Rule 1: Monitor – matching traffic continues to the next rules. Rule 2: Trust – no inspection. Rule 2: Block – no inspection. Rule 2: Allow – Network Discovery, File Policy and Intrusion Policy. No match: Default Action – Network Discovery and Intrusion Policy.]
Access Control Rules - Best Practices
Rule Order Example
Geolocation Rules

Layer-3/4 Rules

Inbound Web Access

URL Rules

App Rules

Catch all outbound

Default Action

Security Intelligence
IP and URL Block
Block threats detected by Cisco-provided Security Intelligence feeds.
Use the Talos-provided IP and URL lists/feeds to block known threats before the AC policy evaluation.

Edit Access Control Policy >> Security Intelligence

Security Intelligence – DNS
DNS SI performs a “man in the middle” for DNS queries (for example, answering with Domain Not Found).
1 Policies >> DNS >> Edit DNS Policy
3 Edit Access Control Policy >> Security Intelligence

Security Intelligence - Events
Analysis > Connections > Security-Related Events
TLS Server Identity Discovery
1 Edit Access Control Policy >> Advanced
• The certificate is encrypted in TLS 1.3.
• Enabling TLS Server Identity Discovery provides visibility into the certificate without a Decryption Policy. Disabled by default.
• The information in the certificate can be used in URL/Application based policies for effective rule match.
Encrypted Visibility Engine
1 Edit Access Control Policy >> Advanced
• It is difficult to identify applications and detect threats in encrypted traffic without incurring the cost of decryption.
• By using TLS fingerprinting techniques, the EVE library can identify the following 3 things about an encrypted session over supported protocols:
  • Client process name
  • Client OS detection
  • Probability that the traffic was generated by a malicious process
• Requires Snort 3, Threat license and FMC
Encrypted Visibility Engine …Cont’d
Client OS discovery – How It Works
• To see Client OS detection by EVE, the feature toggle must be enabled from the AC Policy’s Advanced tab under Encrypted Visibility Engine.
• Next, Hosts must be enabled under Policies > Network Discovery.
Encrypted Visibility Engine cont'd
OS information can be viewed here:

Analysis > Network Map > Select required Host.

Encrypted Visibility Engine
Events View with Application Assignment
• This feature allows applications to be
assigned to processes identified by EVE.
• Customers can add AC rules to allow,
block or trust applications mapped to
processes.

TLS Decryption Policy
Policies >> Decryption policy >> Advanced
Advanced Options
• By default, the default action is Do not decrypt.
• Customize based on your organization's needs if using a Decryption Policy.
Network Discovery
Policies > Network Discovery
• Used to build a comprehensive map of your network and understand the devices and applications present in the network.
• Useful for maintaining the Firepower Recommended Rules in the Intrusion Policy.
• To begin collecting host or user data you must edit the discovery rule (Default Network Discovery Policy) with the host and user options checked and deploy to all devices.
• By default, all networks are monitored.
• Define the networks protected by the Firewall.

Network Discovery
With the default "any" policy
Intrusion Policy
Base Policies
Policy: Description
Connectivity Over Security: Built for organizations where connectivity takes precedence over network infrastructure security.
Balanced Security and Connectivity: These policies are built for both speed and detection. This policy is a good starting point for most organizations and deployment types.
Security Over Connectivity: These policies are built for organizations where network infrastructure security takes precedence over user convenience.
Maximum Detection: Built for organizations where network infrastructure security is given even more emphasis than is given by the Security Over Connectivity policies, with the potential for even greater operational impact.
Intrusion Policy
Cisco Recommended Rules Configuration
1 Policies > Intrusion > Edit the Snort 3 policy > Recommendations
• Cisco Recommended Rules automatically tune your Snort rules for the applications, servers and hosts on your network.
• To enable Cisco Recommended Rules:
  • Hosts need to be enabled in the Network Discovery Policy.
  • Add the Protected Network during configuration (2).
Variable Sets
Objects > Object Management > Variable Set
• A variable set defines the IP addresses and ports which are used in intrusion rules.
• You can either edit and use the default set or create a new one.
Variable Sets
• Variables provide directionality.
• This sample rule triggers for traffic from External net to Home net on HTTP ports with the content described.
• This might also be useful to detect events within your network, if your IPS is deployed separating different network segments.

Sample Rule (header fields: Client IP, Client port -> Server IP, Server port)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Accellion FTA
arbitrary file read attempt"; flow:to_server,established; http_uri;
content:"/courier/intermediate_login",fast_pattern,nocase; http_cookie; content:"statecode",nocase;
content:"%00"; metadata:policy max-detect-ips drop,policy security-ips drop; service:http;
reference:cve,2015-2856; classtype:attempted-recon; sid:35302; rev:2; )
Variable Sets
Recommendations

SecOps Managed or Internal IPS
If your team is interested in threat hunting and is willing to spend time tuning:
a. Leave EXTERNAL_NET as “any”
b. Make an internal decision on how to configure, or not configure, HOME_NET.

Internet Perimeter Deployment
If your team wants a simple IPS deployment with a minimal amount of alerts:
a. Configure HOME_NET to match all RFC-1918 IPv4 addresses, your Internet routable addresses, and your IPv6 space.
b. Configure EXTERNAL_NET as !HOME_NET
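An added Python evaluator (example code written for this page, not Snort or FMC code) that applies the header of the sample rule from the previous slide to a flow under each of the two variable-set recommendations. The variable values, HTTP_PORTS and the two flows are constructed; 198.51.100.7, 203.0.113.0/24 and 2001:db8::/32 are documentation prefixes standing in for an Internet host and the organization's own routable space. Only a subset of Snort's address and port syntax is supported. It shows that with EXTERNAL_NET left as any the rule also fires for an internal-to-internal connection, while with EXTERNAL_NET = !$HOME_NET it fires only for traffic from outside HOME_NET.

```python
"""Evaluate a Snort rule header against a flow under a given variable set.

Added example, not Snort or FMC code. Supported syntax: 'any', '$VAR',
'!spec', '[a,b,c]' lists (not nested), CIDR prefixes, single ports and
'lo:hi' port ranges. The variable sets and flows are constructed to mirror
the two recommendations above.
"""
import ipaddress


def addr_matches(spec, ip, variables):
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):                 # negation, e.g. !$HOME_NET
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):                 # variable reference
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(p, ip, variables) for p in spec[1:-1].split(","))
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so mixing IPv4 and IPv6 entries in HOME_NET is safe.
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port, variables):
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec.startswith("$"):
        return port_matches(variables[spec[1:]], port, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p, port, variables) for p in spec[1:-1].split(","))
    if ":" in spec:                          # range; open ends allowed ("1024:")
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def make_flow(src, sport, dst, dport, proto="tcp"):
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}


def header_matches(rule_text, flow, variables):
    """True if the rule header (the part before the option parentheses) matches the flow."""
    _action, proto, src, sport, direction, dst, dport = rule_text.split("(", 1)[0].split()
    if proto != "ip" and proto != flow["proto"]:
        return False

    def one_way(s, sp, d, dp):
        return (addr_matches(s, flow["src"], variables) and port_matches(sp, flow["sport"], variables)
                and addr_matches(d, flow["dst"], variables) and port_matches(dp, flow["dport"], variables))

    if direction == "->":
        return one_way(src, sport, dst, dport)
    if direction == "<>":                    # bidirectional header
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    raise ValueError(f"unsupported direction {direction!r}")


# Header of the sample rule from the slide (options shortened to msg/sid/rev).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
               '( msg:"SERVER-WEBAPP Accellion FTA arbitrary file read attempt"; sid:35302; rev:2; )')

# "SecOps managed / internal IPS": EXTERNAL_NET stays 'any', HOME_NET is a local decision.
SECOPS_VARS = {"EXTERNAL_NET": "any", "HOME_NET": "192.168.0.0/16", "HTTP_PORTS": "[80,8080,8081]"}

# "Internet perimeter": HOME_NET = RFC 1918 + the org's routable range + its IPv6 space
# (203.0.113.0/24 and 2001:db8::/32 are documentation prefixes standing in for those),
# EXTERNAL_NET = !$HOME_NET.
PERIMETER_VARS = {
    "HOME_NET": "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,203.0.113.0/24,2001:db8::/32]",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_PORTS": "[80,8080,8081]",
}

INTERNET_TO_WEB = make_flow("198.51.100.7", 51000, "192.168.250.10", 80)    # constructed
INTERNAL_TO_WEB = make_flow("192.168.200.232", 51001, "192.168.250.10", 80) # constructed


if __name__ == "__main__":
    for label, flow in (("internet->web", INTERNET_TO_WEB), ("internal->web", INTERNAL_TO_WEB)):
        print(label, "secops:", header_matches(SAMPLE_RULE, flow, SECOPS_VARS),
              "perimeter:", header_matches(SAMPLE_RULE, flow, PERIMETER_VARS))
```

The internal-to-internal flow is the interesting one: under the SecOps set it matches (more coverage inside the network, more alerts to tune), under the perimeter set it does not, which is the trade-off the two recommendations describe.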
Access Control Rules – Best Practices
What happens to the traffic during pending rule evaluation?
Edit Access Control Policy >> Advanced

• The highlighted IPS policy is used for inspection while the firewall engine is still determining the application/URL category of a specific flow.
Network Analysis Policy
Policies > Intrusion > Network Analysis Policies
NAP
• The Network Analysis Policy (NAP) controls the preprocessors and defines how network traffic is analyzed.
• It preprocesses all traffic handled by an access control policy.
• Network analysis and intrusion policies work together to examine traffic.
• By default, there is no tunable policy. Create a new one to tune the NAP.
Network Analysis Policy
Snort 2
• Some preprocessors are disabled by default:
  o Portscan Detection
  o Rate-Based Attack Prevention
  o SCADA Preprocessors
  o Inline Normalization
• Enable these as per your requirement.

Network Analysis Policy
Snort 3
Network Analysis Policy
Policies > Intrusion > Network Analysis Policies
Inline Normalization
• Disabled by default in some base policies (Snort 2).
• Enforces protocol compliance for the TCP and IP protocols.
• Enabling normalization will block some non-standard implementations and many attacks. However, it can potentially block poorly-written legitimate traffic.

Network Analysis Policy
Enable the Network Analysis Policy
Policies > Access Control > Edit the policy > Advanced
PortScan Detection and Prevention
1 Edit Access Control Policy >> Advanced
• Can detect different port scans and port sweeps.
• Supported with Snort 3 starting from 7.2.
• Configuration settings are granular.
• Can be enabled in Detection or Prevention mode.
• By default, port scan detection is done on allowed traffic but can also be enabled on denied traffic.
PortScan Detection and Prevention
• Traffic Selection
  • Monitor
  • Ignore Scanner
  • Ignore Target
• Users can tune port scan detection by choosing preconfigured sensitivity levels: Low, Medium, High.
• Once detected, the host is blocked for 3600 sec (1 hour).
PortScan Detection and Prevention
Example

FTDv-152# show threat-detection portscan shun
Shunned Host List: 192.168.212.115

FTDv-152# show threat-detection portscan statistics
ICMP Outside:192.168.212.115, hosts 1, ports 0
TCP Outside:192.168.212.115, hosts 1, ports 260
UDP Inside:192.168.250.50, hosts 1, ports 1
TCP Inside:192.168.200.232, hosts 1, ports 1
UDP Inside:192.168.250.10, hosts 1, ports 1
TCP Inside:192.168.250.200, hosts 1, ports 1
TCP Inside:192.168.200.241, hosts 1, ports 1

FTDv-152# show shun
shun (Outside) 192.168.212.115 0.0.0.0 0 0 0

FTDv-152# show asp drop
Frame drop:
  Packet shunned (shunned)                                        1577
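As an added illustration of the detection/prevention modes, sensitivity levels, ignore lists and the 3600-second shun described on the previous slides, here is a small threshold-based port-scan detector in Python. It is example code written for this page, not the Snort port-scan preprocessor; the per-level thresholds, the 60-second window and the replayed packet sequence are constructed, and only the shun duration comes from the slide.

```python
"""Threshold-based port-scan detector with a time-limited shun.

Added example, not the Snort/FTD port-scan implementation. The sensitivity
thresholds, the 60 s window and the sample packet sequence are constructed;
only the 3600 s shun duration comes from the slide.
"""
from collections import defaultdict

# Distinct (target, port) pairs a source may touch inside the window before it
# is considered a scanner. Constructed values, one per preconfigured level.
THRESHOLDS = {"low": 25, "medium": 10, "high": 5}


class PortScanDetector:
    def __init__(self, sensitivity="medium", mode="prevention", window=60,
                 shun_seconds=3600, ignore_scanners=(), ignore_targets=()):
        self.threshold = THRESHOLDS[sensitivity]
        self.mode = mode                               # "detection" only alerts; "prevention" shuns
        self.window = window
        self.shun_seconds = shun_seconds
        self.ignore_scanners = set(ignore_scanners)    # "Ignore Scanner" list
        self.ignore_targets = set(ignore_targets)      # "Ignore Target" list
        self.history = defaultdict(list)               # src -> [(ts, (dst, dport)), ...]
        self.shunned = {}                              # src -> shun expiry timestamp

    def is_shunned(self, src, now):
        expiry = self.shunned.get(src)
        if expiry is None:
            return False
        if now >= expiry:                              # shun has aged out
            del self.shunned[src]
            return False
        return True

    def observe(self, ts, src, dst, dport):
        """Feed one packet (timestamp in seconds); return the action taken for it."""
        if self.is_shunned(src, ts):
            return "drop-shunned"
        if src in self.ignore_scanners or dst in self.ignore_targets:
            return "allow"
        recent = [(t, key) for t, key in self.history[src] if ts - t <= self.window]
        recent.append((ts, (dst, dport)))
        self.history[src] = recent
        if len({key for _, key in recent}) >= self.threshold:
            if self.mode == "prevention":
                self.shunned[src] = ts + self.shun_seconds
                return "shun"
            return "detected"                          # detection mode: alert only
        return "allow"


def simulate(mode="prevention"):
    """Replay a constructed SYN sweep from 192.168.212.115 (the shunned host in
    the CLI output above) and return the per-packet actions."""
    det = PortScanDetector(sensitivity="medium", mode=mode)
    actions = []
    for port in range(1, 11):                          # ten ports in ten seconds
        actions.append(det.observe(port - 1, "192.168.212.115", "192.168.250.10", port))
    actions.append(det.observe(100, "192.168.212.115", "192.168.250.10", 443))   # inside shun window
    actions.append(det.observe(3700, "192.168.212.115", "192.168.250.10", 443))  # shun expired
    return actions


if __name__ == "__main__":
    print("prevention:", simulate())
    print("detection: ", simulate("detection"))
```

In prevention mode the tenth distinct port crosses the threshold and every later packet from that source is dropped until the shun expires; in detection mode the same event is only reported and the packets keep flowing, which is the difference to weigh before switching a production policy from detection to prevention.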
Anti Spoof or Reverse Path check
Recommendations
• Checks that the ingress packet is received on the right interface based on the routing table.
Edit Device >> Device Management >> Edit the device >> Edit the interface

CLI Command

ip verify reverse-path interface <interface_name>

Anti Spoof or Reverse Path check
CLI show commands
FTD# show asp drop
Frame drop:
  Reverse-path verify failed (rpf-violated)                          90

FTD# show ip verify statistics
interface inside: 11 unicast rpf drops
interface outside: 79 unicast rpf drops

Syslogs
FTD-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
FTD-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
FTD-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
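An added Python model of the reverse-path check (example code written for this page, not the ASA/FTD implementation): a longest-prefix-match route lookup on the packet's source address, compared with the interface the packet arrived on, producing a 106021-style line in the syslog format listed above. The routing table, interface names and addresses are constructed, and platform details such as the special handling of the default route are simplified to plain longest-prefix matching.

```python
"""Reverse-path (anti-spoof) check against a longest-prefix-match routing table.

Added example, not the ASA/FTD implementation. The routing table and packets
are constructed; the log line mimics the %FTD-1-106021 format shown above.
"""
import ipaddress


class RouteTable:
    def __init__(self, routes):
        # routes: iterable of (prefix, egress interface); the longest prefix wins
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), iface) for prefix, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip):
        ip = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if ip in net:
                return iface
        return None


def rpf_check(table, ingress_iface, src_ip, dst_ip="0.0.0.0", proto="tcp"):
    """Return (allowed, detail).

    The packet passes only when the route back to its source points out of the
    interface it arrived on; otherwise it is the 'rpf-violated' drop seen in
    'show asp drop' and a 106021-style syslog line is produced.
    """
    back = table.lookup(src_ip)
    if back == ingress_iface:
        return (True, "ok")
    reason = "no route to source" if back is None else f"source reachable via {back}"
    log = (f"%FTD-1-106021: Deny {proto} reverse path check from {src_ip} "
           f"to {dst_ip} on interface {ingress_iface}")
    return (False, f"rpf-violated ({reason}); {log}")


# Constructed routing table for a three-interface FTD.
TABLE = RouteTable([
    ("0.0.0.0/0", "outside"),            # default route
    ("192.168.0.0/16", "inside"),
    ("192.168.250.0/24", "dmz"),         # more specific than the inside route
])


def demo():
    """Four constructed packets: two legitimate, two with a spoofed DMZ source."""
    return {
        "internet host on outside": rpf_check(TABLE, "outside", "198.51.100.7", "192.168.250.10")[0],
        "dmz server on dmz": rpf_check(TABLE, "dmz", "192.168.250.10", "198.51.100.7")[0],
        "dmz address arriving on outside": rpf_check(TABLE, "outside", "192.168.250.10", "192.168.200.5")[0],
        "dmz address arriving on inside": rpf_check(TABLE, "inside", "192.168.250.10", "192.168.200.5")[0],
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:34s} {'pass' if ok else 'drop (rpf-violated)'}")
```

Note that the check is only as good as the routing table: an asymmetric route, where the return path for a legitimate source points out of a different interface than the one the traffic arrives on, produces the same rpf-violated drop as a spoofed packet, which is why the counters in show ip verify statistics should be reviewed after enabling the feature.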
Fragmentation
Recommendations
Edit Device >> Device Management >> Edit the device >> Edit the interface
• Default behavior is to do virtual re-assembly.
• Can be modified to do full reassembly if needed.
CLI Commands
Fragmentation
Logs
Syslog:
FTD-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
FTD-4-209003: Fragment database limit of number exceeded: src = source_address, dest = dest_address, proto = protocol, id = number
FTD-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = source_address, dest = dest_address, proto = protocol, id = number
FTD-4-209005: Discard IP fragment set with more than number elements: src = Too many elements are in a fragment set.
FTD-4-209006: Fragment queue threshold exceeded, dropped TCP fragment from IP address/port to IP address/port on outside interface

show asp drop
  Fragment Full reassembly failed (fragment-full-reassembly-failed)      2378
  Fragment reassembly failed (fragment-reassembly-failed)             8218901

capture asp type asp-drop fragment-reassembly-failed
Application Layer Protocol Inspections
Inspections enabled by default
Inspection engines
• These protocols require the FW to do deep packet
inspection.
• Required for services that embed IP addressing
information in the user data packet or that open
secondary channels on dynamically assigned
ports.

CLI
• To enable
• > configure inspection <protocol> enable
• To Disable
• > configure inspection <protocol> disable

Application Layer Protocol Inspections cont'd
Examples
ICMP
➢ Keeps track of echo requests and allows the echo response back without the need for an access list.
➢ The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.
➢ This helps against ICMP attacks.

DNS
➢ DNS inspection is enabled by default, using the preset_dns_map inspection class map:
➢ The maximum DNS message length is 512 bytes.
➢ DNS Guard is enabled, so the FTD tears down the DNS session associated with a DNS query as soon as the respective DNS reply is forwarded by the FTD.
➢ Protocol enforcement is enabled, which enables DNS message format checks, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
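The DNS format checks just listed (512-byte maximum message, 63-octet labels, 255-octet names, compression and looped-pointer checks) as an added Python parser. This is example code written for this page, not the FTD inspection engine; the sample messages, both well-formed and malformed, are constructed inline.

```python
"""DNS message format checks of the kind the default DNS inspection applies:
message length, label length, name length and compression-pointer loops.

Added example, not the FTD inspection engine. All sample messages below are
constructed (build_query() and the *_QUERY / COMPRESSED_RESPONSE constants).
"""
import struct

MAX_MESSAGE = 512   # maximum DNS message length enforced by preset_dns_map
MAX_LABEL = 63      # length bytes with the top two bits 01/10 are reserved, so > 63 is invalid
MAX_NAME = 255      # whole name on the wire, including the terminating zero


def read_name(msg, offset):
    """Decode a name at `offset`, following compression pointers.

    Returns (name, offset_after_name). Raises ValueError on an oversized label,
    an oversized name, a truncated message or a pointer loop.
    """
    labels, visited, wire_len, resume_at = [], set(), 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        if offset in visited:                       # same label start seen twice: loop
            raise ValueError("looped compression pointer")
        visited.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if resume_at is None:                   # parsing continues after the first pointer
                resume_at = offset + 2
            offset = target
            continue
        if length > MAX_LABEL:
            raise ValueError("label longer than 63 octets")
        offset += 1
        wire_len += 1 + length                      # length byte plus label (root adds 1)
        if wire_len > MAX_NAME:
            raise ValueError("name longer than 255 octets")
        if length == 0:                             # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (resume_at if resume_at is not None else offset)


def validate_dns_message(msg):
    """Return (ok, reason) for a raw DNS message."""
    if len(msg) > MAX_MESSAGE:
        return (False, f"message longer than {MAX_MESSAGE} bytes")
    if len(msg) < 12:
        return (False, "truncated header")
    _id, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    off = 12
    try:
        for _ in range(qdcount):                    # question: QNAME, QTYPE, QCLASS
            _, off = read_name(msg, off)
            off += 4
        for _ in range(ancount + nscount + arcount):  # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
            _, off = read_name(msg, off)
            _, _, _, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlength
        if off > len(msg):
            return (False, "record runs past end of message")
    except (ValueError, struct.error) as exc:
        return (False, str(exc))
    return (True, "ok")


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1):
    """Constructed standard query (ID 0x1234, RD set) for `name`, class IN."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


# Constructed messages.
COMPRESSED_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
                       + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                       + b"\xc0\x0c"               # valid pointer back to the question name
                       + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
LOOPED_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\xc0\x0c"                      # pointer at offset 12 that points to offset 12
                + struct.pack("!HH", 1, 1))
BAD_LABEL_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                   + bytes([70]) + b"a" * 70 + b"\x00" + struct.pack("!HH", 1, 1))
LONG_NAME_QUERY = build_query(".".join(["x" * 63] * 4))   # 4*64+1 = 257 octets on the wire
OVERSIZED_QUERY = build_query("www.example.com") + b"\x00" * 600


if __name__ == "__main__":
    for label, m in (("normal", build_query("www.example.com")), ("compressed", COMPRESSED_RESPONSE),
                     ("looped", LOOPED_QUERY), ("bad-label", BAD_LABEL_QUERY),
                     ("long-name", LONG_NAME_QUERY), ("oversized", OVERSIZED_QUERY)):
        print(f"{label:10s} {validate_dns_message(m)}")
```

The loop check is the one that matters most for robustness: a parser that follows pointers without remembering where it has been will spin forever on the two-byte LOOPED_QUERY, which is exactly the class of malformed message the looped pointer check exists to reject.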
Management Access and Control Plane
FMC Access-list
Access to FMC GUI and SSH
System >> Configuration >> Access List
• By default, SSH and HTTPS are set to any. It is suggested to add rules to allow specific hosts/subnets and remove the any entry.
  • SSH
  • HTTPS
[Figure: default ACL in the Access List page, with the SSH and HTTPS rules called out.]
FMC Authentication
[Figure: FMC login can be authenticated externally (LDAP/S, RADIUS, or SSO via Okta, OneLogin, Azure, PingID and others) or internally, and is mapped to FMC roles. FTD login can be authenticated externally (LDAP/S, RADIUS) or internally (basic config), and is mapped to FTD roles.]
FMC – Internal Users
Recommendations
• Customize these options based on Organization Security Policy:
  • Set the Maximum Number of Failed Logins.
  • Set the Minimum Password Length.
  • Set the Days Until Password Expiration.
  • Set the Days Before Password Expiration Warning.
• Set user options:
  • Force Password Reset on Login
  • Check Password Strength.
FMC User Configuration
Recommendations
System ( ) > Configuration > User Configuration
• By default, these settings are disabled.
• Customize these options based on Organization Security Policy.

Password Reuse Limit: The number of passwords in a user’s most recent history that cannot be reused.
Track Successful Logins: The number of days that the system tracks successful logins to the management center GUI/CLI.
Max Number of Login Failures: The number of times in a row that users can enter incorrect web interface login credentials before the system temporarily blocks the account from access for a configurable time period.
Set Time in Minutes to Temporarily Lockout Users: The duration in minutes for a temporary web interface user lockout if Max Number of Failed Logins is non-zero.
Max Concurrent Sessions Allowed: Max sessions allowed for users with the same privilege type.
FMC Login Timeout
Recommendations
System ( ) > Configuration
• Customize these options based on Organization Security Policy.
• Web interface (management center only): Configure the Browser Session Timeout (Minutes). The default value is 60; the maximum value is 1440 (24 hours).
• To exempt users from this session timeout, see Add an Internal User.
• CLI: Configure the CLI Timeout (Minutes) field. The default value is 0; the maximum value is 1440 (24 hours).
External Authentication
System ( ) > Users > External Authentication
• LDAP can be hardened by making it secure:
  • Port tcp/389 – None or TLS
  • Port tcp/636 – SSL
• RADIUS – Set a complex RADIUS key.
• SSO – All the communication is encrypted, so it is completely secure.
FMC Login Banner
Recommendations
System ( ) > Configuration >> Login Banner
• The login banner serves as a warning for unauthorized users.
• You can use ASCII characters and carriage returns to create a custom login banner.
FTD - Mgmt Access
Recommendations
• A few things which could help harden FTD user accounts:
  • Maxfailedlogins - Set maximum failed logins: configure user maxfailedlogins <user> <count>
  • Minpasswdlen - Set minimum password length: configure user minpasswdlen <user> <length>
  • Aging - Set user password aging: configure user aging <user> <max_days> <warn_days>
  • Strengthcheck - Set strength requirement on user password: configure user strengthcheck <user> {enable | disable}

SSH Access-list (any allowed by default on the Mgmt interface):

configure ssh-access-list <CIDR>
Mgmt Access – Restrict Expert mode
• Restrict Linux Shell Access
• Users with Config level access can use the CLI expert command to
access the Linux shell.

system lockdown-sensor – Use with caution

NTP
Recommendations
• Certain features on Secure Firewall depend on the system time for their operation, such as syslog, writing log files, time-based ACLs, certificate functions, etc.
• Recommended to use a trusted NTP server for time sync of FMC and FTD.
• FMC supports 3 authentication types:
  • MD5
  • SHA-1
  • AES-128 CMAC
DNS
Recommendations
• Used by Secure Firewall to resolve FQDN objects used in ACLs and for threat updates.
• FMC needs DNS for content and software updates.
• Recommended to use a trusted DNS resolver - local or Cisco Umbrella servers.
VPN
Deprecated Ciphers based on version
Deprecated Hash Algorithms, Encryption Algorithms, and Diffie-Hellman Groups
• As Newer and more Secure Ciphers get added, the older and less secure
Algorithms are deprecated.
• Update your IKE proposals and IPSec policies to maintain the Security
standards.

• Example: from FTD 6.7 onwards, the following less secure algorithms have been removed or deprecated:
• Diffie-Hellman group 5 is deprecated for IKEv1 and removed for IKEv2.
• Diffie-Hellman groups 2 and 24 have been removed.
• Encryption algorithms 3DES, AES-GMAC, AES-GMAC-192 and AES-GMAC-256 have been removed.

High to low secure Ciphers
TLS configuration for Remote Access VPN.
Devices >> Platform Settings >> SSL

• The Security Level can be modified to include the ciphers required by your security policy to meet compliance.

Logging and Monitoring
FMC - Monitoring
SNMP Polling Recommendations
• SNMPv1 and v2 are supported, but they are not secure as the data is sent in clear text.
• SNMPv3 is preferred to ensure security.
System ( ) > Configuration >> SNMP
System ( ) > Configuration >> Access List

FMC – Monitoring
Syslog Alerts Recommendations
• FMC can send alerts in 3 ways; the Alerts page offers the New SNMP Server and New Syslog Server options.

Policies >> Actions >> Alerts

FMC – Monitoring
Email Configuration Recommendations
1 System >> Configuration >> Email Notification
2 Policies >> Actions >> Alerts

FMC – Monitoring
Health Alert Configuration
Example SNMP Trap

FMC – Monitoring
Emails for Intrusion
• Emails can be set up based on specific signatures.
• Especially useful if there is a team reviewing these IPS alerts.

Monitoring
FTD
• SNMPv3 is preferred to ensure security.
• Supported user types:
• No Auth—no authentication and no privacy
• Auth—authentication but no privacy
• Priv—authentication and privacy

FTD Logging
• FTD logging can be event data or system messages.
• Send event data to a centralized logging system.
• Regularly monitor and analyze intrusion alerts to identify potential threats.
• Review and fine-tune the IPS policy based on the alerts to improve detection accuracy.

Event logging: Policies >> Access Control >> Edit the policy >> Logging
System messages: Devices >> Platform Settings >> Syslog

FTD Logging
Syslogs
• Syslogs can be generated with the Management interface or any data interface as the source interface.
• Connection events and system messages are both generated by the FW.
430001: Intrusion event
430002: Connection event logged at beginning of connection
430003: Connection event logged at end of connection
430004: File events
430005: File malware events

• These are the events which can be logged to FMC as well.
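The five message IDs above are what a collector sees once FTD event syslog is enabled. As an added example that is not part of the deck, the Python below parses constructed FTD-style lines carrying those IDs (constructed samples in the FTD "Key: value" syslog style, not captured data) and summarises them the way a team reviewing intrusion alerts would: event counts per type, plus intrusion rules that only reported instead of dropping traffic, which is the input for the fine-tuning advice on the previous slide.

```python
"""Summarise FTD event syslogs (message IDs 430001-430005). Added example,
not from the Cisco Live deck: parses the 'Key: value, Key: value' body FTD
uses for these messages and builds a SOC-style summary. The log lines below
are constructed samples in that style, not captured data."""
import re
from collections import Counter

EVENT_NAMES = {
    "430001": "intrusion",
    "430002": "connection-start",
    "430003": "connection-end",
    "430004": "file",
    "430005": "file-malware",
}

# Constructed samples (RFC 5737 addresses, placeholder UUID and hash).
SAMPLE_LOGS = [
    "%FTD-1-430001: EventPriority: High, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, SrcIP: 192.0.2.10, DstIP: 198.51.100.5, SrcPort: 51515, DstPort: 445, Protocol: tcp, GID: 1, SID: 1000001, Message: CONSTRUCTED sample rule A, InlineResult: Blocked",
    "%FTD-6-430002: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, ConnectionID: 51, AccessControlRuleAction: Allow, SrcIP: 192.0.2.11, DstIP: 198.51.100.7, SrcPort: 40000, DstPort: 443, Protocol: tcp",
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, ConnectionID: 51, AccessControlRuleAction: Allow, SrcIP: 192.0.2.11, DstIP: 198.51.100.7, InitiatorBytes: 1200, ResponderBytes: 4800",
    "%FTD-1-430001: EventPriority: High, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, SrcIP: 192.0.2.12, DstIP: 198.51.100.5, SrcPort: 51600, DstPort: 445, Protocol: tcp, GID: 1, SID: 1000002, Message: CONSTRUCTED sample rule B, InlineResult: Would have blocked",
    "%FTD-1-430005: EventPriority: High, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, SrcIP: 192.0.2.13, DstIP: 198.51.100.9, FileName: sample.bin, SHA256: PLACEHOLDER_HASH, Disposition: Malware, FileAction: Malware Block",
]

_HEADER = re.compile(r"%FTD-(\d)-(\d{6}): (.*)$")  # %FTD-<sev>-<msgid>: body

def parse_event(line):
    """Return a dict of fields for one FTD event syslog, or None if the line
    is not an FTD message. The body is split on ', ' and then 'Key: value'."""
    m = _HEADER.search(line)
    if not m:
        return None
    severity, msg_id, body = m.groups()
    event = {"severity": int(severity), "msg_id": msg_id,
             "event": EVENT_NAMES.get(msg_id, "other")}
    for part in body.split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event

def summarise(lines):
    """Count events per type and list intrusion rules (GID:SID) that fired
    without dropping traffic; those are candidates for IPS policy tuning."""
    events = [e for e in map(parse_event, lines) if e]
    counts = Counter(e["event"] for e in events)
    not_dropped = Counter(
        f'{e["GID"]}:{e["SID"]}' for e in events
        if e["event"] == "intrusion" and e.get("InlineResult") != "Blocked")
    return {"counts": counts, "intrusions_not_dropped": not_dropped}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOGS))
```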

FTD Logging
Syslogs
• LINA messages can be sent over to the syslog server as well.
• Recommended to be set at Informational (TAC suggestion).

FTD Logging cont’d
Secure Syslog
• Only Supported on Data Interface.
• Needs to be TCP

Netflow
• Supports NSEL to track connection info and trends.

Netflow
• Disable syslogs that provide the same information as NetFlow.
• This helps with performance too.

Audit Logs
• Logs all login/logout events and changes for audit purposes.
• A Compare View is available showing what changes were made within the policies.

System ( ) > Monitoring > Audit

Audit Logs - Screenshot
System Configuration
• Logs can be sent using syslog and HTTP/S.
• Enabling TLS by loading a certificate makes it secure.

Audit Logs - Syslogs
• Has details on user activity.
• But the compare view is not available in the syslogs.

SW and Content Updates
Different Updates

Update type            Manual  Scheduled  Frequency of updates
Software update        Yes     Yes        Every few months
GeoDB                  Yes     Yes        1-2/Month
VDB                    Yes     Yes        3-6/Quarter
SRU/LSP                Yes     Yes        2-3/Week
Security Intelligence  Yes     Yes        Multiple times/day
URL DB                 Yes     Yes        Multiple times/day

Software Update
• Need to have a software life-cycle strategy based on your company's security needs.
• PSIRT releases
• Monitor Security Advisories and Field Notices.
• Look out for the PSIRT releases.
• Golden Star releases
• The most stable version available.
• A Golden Star release is usually tagged to a Long Term or Extra Long Term release.

Intrusion Policy
Keep your rules up to date
• Regularly update your IPS rule set to ensure the latest protection.
• Schedule recurring automatic updates of intrusion rules on an FMC with internet access.

Different Updates
• VDB install and some other configuration changes may require
Snort restart.
• Recommended to schedule these updates during low traffic times.

URL Filtering
• URL Query Source (available from 7.3):
• Local Database Only
• Local Database and Cisco Cloud
• Cisco Cloud Only

• Cached URLs Expire is set to Never.
• Recommended to change this setting to avoid stale categorization/reputation data.
Disaster Recovery
Backup
Why do we need a backup
• If you don't have a backup, the implications could be:
• Manual effort in restoring FTD and the rule set.
• Extended downtime.

• Use remote storage; backups should not be stored on the FMC itself.

Compliance
Security Certifications Compliance
• Some organizations might be required to use only equipment and software complying with security standards established by the U.S. Department of Defense and global certification organizations.
• Firepower supports compliance with the following security certifications standards:
• Common Criteria (CC): a global standard established by the international Common Criteria
Recognition Arrangement, defining properties for security products
• Unified Capabilities Approved Products List (UCAPL): a list of products meeting security
requirements established by the U.S. Defense Information Systems Agency (DISA)
• Federal Information Processing Standards (FIPS) 140: a requirements specification for
encryption modules

Security Certifications Compliance Characteristics

PS: After you enable this setting, you cannot disable it. If you need to take an appliance out of CC or UCAPL mode, you must reimage.

Performance Best Practices
Intrusion
Snort2 vs Snort3

Feature                                                         Snort 2  Snort 3
Multi-Threaded Architecture                                     -        Yes
Capable of running Multiple Snort Processes                     Yes      Yes
Port Independent Protocol Inspection                            -        Yes
IPS Accelerators / Hyperscan Support                            -        Yes
Modularity – Easier TALOS contributions                         -        Yes
Scalable Memory Allocation                                      -        Yes
Next Gen Talos Rules – E.g., Regex/Rule Options/Sticky Buffers  -        Yes
New and Improved HTTP Inspector – E.g., HTTP/2 Support          -        Yes
Lightweight content updates from TALOS                          -        Yes

Elephant Flows
• Flows that are large, continuous, long-lived and fast, with a high ability to put the Snort CPU cores under duress.
• By default, elephant flows are those larger than 1GB/10 seconds.
• EF (elephant flow) examples: VM migration, database replication, nightly backup etc.
• NEF (non-elephant flow) example: web searching.

Note: Elephant flow can be used interchangeably with other terms like fat flow or single flow. We will be using Elephant flow during the rest of the presentation.

Overview of Elephant Flow Detection
• You can use the elephant flow detection feature to take action on elephant flows.
• Bypass elephant flow – bypass Snort inspection.
• Throttle elephant flow – apply a rate limit to the flow and continue to inspect it. The flow rate is calculated dynamically and reduced by 10%.
7.1 – feature introduced in the FTD CLI (detection only). Snort3 must be the detection engine.
7.2 – feature introduced in the FMC GUI (with remediations). Doesn't apply to encrypted traffic.

Configure Elephant Flow Detection
Access control policy → Advanced → Elephant Flow

> show elephant-flow
  detection-config   Show elephant-flow-detection config
  status             Show elephant-flow-detection status (Enabled/Disabled)

> show elephant-flow status
Elephant flow inspector is enabled

> show elephant-flow detection-config
bypass_apps(List of App IDs) = '0:1'
bypass_enabled = true
cpu_utilization(in Percentage) = 40
high_cpu_check = true
bytes_threshold(in MBs) = 1024
packet_drop_threshold(in Percentage) = 5
qos_enabled = false                         (throttle the flow)
time_threshold(in Seconds) = 10
window_duration(in Seconds) = 30

Elephant Flows – Identification 7.1 and later

> show elephant-flow status
Elephant flow inspector is enabled

> show elephant-flow detection-config
high_cpu_check = false
bytes_threshold(in MBs) = 1024
time_threshold(in Seconds) = 10

Elephant flow detection is enabled by default on 7.2.
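As an added example (not from the deck), the Python below parses the `show elephant-flow detection-config` output shown on this slide and the previous one and applies its thresholds to constructed flow samples, reporting whether a flow counts as an elephant and whether the config would bypass it, throttle it or only detect it. How the byte/time thresholds and the high_cpu_check gating combine is modelled here as an assumption; the flow samples are constructed.

```python
"""Added example (not from the Cisco Live deck): parse the output of
`show elephant-flow detection-config` shown on the slides and work out, for
constructed flow samples, whether a flow is an elephant flow and which
remediation the config would apply. Threshold/CPU logic is modelled here."""
import re

# Copy of the slide's CLI output, embedded so the example runs offline.
DETECTION_CONFIG = """\
bypass_apps(List of App IDs) = '0:1'
bypass_enabled = true
cpu_utilization(in Percentage) = 40
high_cpu_check = true
bytes_threshold(in MBs) = 1024
packet_drop_threshold(in Percentage) = 5
qos_enabled = false
time_threshold(in Seconds) = 10
window_duration(in Seconds) = 30
"""

_LINE = re.compile(r"^(\w+)(?:\([^)]*\))?\s*=\s*(.+?)\s*$")  # key(unit) = value

def parse_detection_config(text):
    """Turn 'key(unit) = value' lines into a dict of bool/int/str values."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            key, raw = m.groups()
            raw = raw.strip("'")
            cfg[key] = (raw == "true" if raw in ("true", "false")
                        else int(raw) if raw.isdigit() else raw)
    return cfg

def is_elephant(bytes_seen, duration_s, cfg):
    """'More than bytes_threshold MB within time_threshold seconds'. A flow
    longer than the window is judged on its average rate projected onto one
    window (assumption: no per-window byte counters are available here)."""
    limit = cfg["bytes_threshold"] * 1024 * 1024
    window = cfg["time_threshold"]
    if duration_s <= window:
        return bytes_seen > limit
    return bytes_seen * window / duration_s > limit

def remediation(bytes_seen, duration_s, cfg, snort_cpu_pct, packet_drop_pct):
    """Action the config would take: none, detect-only, bypass or throttle.
    With high_cpu_check on, remediation is modelled as requiring both the
    cpu_utilization and packet_drop_threshold conditions to be exceeded."""
    if not is_elephant(bytes_seen, duration_s, cfg):
        return "none"
    if cfg["high_cpu_check"] and (snort_cpu_pct < cfg["cpu_utilization"]
                                  or packet_drop_pct < cfg["packet_drop_threshold"]):
        return "detect-only"
    if cfg["bypass_enabled"]:
        return "bypass"
    return "throttle" if cfg["qos_enabled"] else "detect-only"
```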

Elephant Flow
All Options to remediate Elephant Flow

Platform    Snort2  Snort3      IAB  Static Offload  Dynamic Offload  Elephant Flows (FMC)
                                                                      7.1 (detection only, Snort3)
                                                                      7.2+ (detection and remediation)
SFR Module  Yes     No          Yes  NA              NA               NA
9300 FTD    Yes     Yes – 7.0+  Yes  Yes             Yes – 6.3+       Yes – 7.1+
4100 FTD    Yes     Yes – 7.0+  Yes  Yes             Yes – 6.3+       Yes – 7.1+
3100 FTD    Yes     Yes – 7.0+  Yes  Planned         -                Yes – 7.1+
2100 FTD    Yes     Yes – 7.0+  Yes  NA              NA               Yes – 7.1+
1000 FTD    Yes     Yes – 7.0+  Yes  NA              NA               Yes – 7.1+

DDOS Protection – Threat Detection
Option 1

DDOS Protection - TCP intercept in MPF
Option 1

Access-List Recommended Limit
• Every platform has a Cisco-recommended ACL limit for optimal performance.
• A Health Alert gets generated when this limit is exceeded.

PS: Any number of new rules can be deployed if you have free memory, as there is no hard limit. However, these limits are recommended for optimal performance.

Access-List Limit
• Memory required for rule usage can be reduced by enabling object
group search.

Access-List Limit
Without OGS: 10K rules
After OGS is deployed: 107 rules

Access-List Limit
With OGS: 107 rules
With OGS after removing the zones from the rule: 8 rules

Interface Object Optimization
• Needs to be enabled together with OGS.
• When both are enabled, the system instead deploys a single rule per access control/prefilter rule.

Reduces to just 1 rule

Transactional Commit
• Default behavior (without Transactional Commit):
• A newly applied rule takes effect immediately.
• When a large ACL is deployed, this immediacy comes at a slight cost in performance, which becomes noticeable in high conns/sec environments.
• When enabled, a rule update is applied only after rule compilation is complete, without affecting rule-lookup performance.
• Very effective in dealing with high CPU while loading the startup config, during config replication in HA/Cluster, or when compiling a large ACL rulebase.

Transactional Commit – Configuration
1 Create a FlexConfig Object

Objects >> Object Management >> FlexConfig >> FlexConfig Object

Transactional Commit – Configuration
2 Add the FlexConfig Object to the FlexConfig Policy

Objects >> Object Management >> FlexConfig >> FlexConfig Object

Save and Deploy

FMC Database Limits
System ( ) > Configuration >> Database

• Every event type has a configured limit based on the platform.
• Suggested to limit the events being sent to the FMC to maximize the retention period.
• Trusted flows, or traffic that generates a lot of noise, need not be logged to FMC but can still be logged to syslog.

Conclusion

• We touched multiple features in the product:
• Dataplane hardening – rule writing, ordering, SI, L7 features, IPS, Network Discovery and so on
• Mgmt hardening – Mgmt ACL, authentication and user account parameters and so on
• Logging and Monitoring – all logging and monitoring options and how to configure them
• VPN, Software and Content Updates and Disaster Recovery

As we’ve come to realize, the idea
that security starts and ends with
the purchase of a prepackaged
firewall is simply misguided.
-Art Wittmann

Thank you
