The authoritative visual guide to Cisco Firepower Threat Defense (FTD)
This is the definitive guide to best practices and advanced troubleshooting techniques for the Cisco flagship Firepower Threat Defense (FTD) system running on Cisco ASA platforms, Cisco Firepower security appliances, Firepower eXtensible Operating System (FXOS), and VMware virtual appliances.
Senior Cisco engineer Nazmul Rajib draws on unsurpassed experience supporting and training Cisco Firepower engineers worldwide to present detailed knowledge of Cisco Firepower deployment, tuning, and troubleshooting. Writing for cybersecurity consultants, service providers, channel partners, and enterprise or government security professionals, he shows how to deploy Cisco Firepower next-generation security technologies to protect your network from potential cyber threats, and how to use Firepower’s robust command-line tools to investigate a wide variety of technical issues.
Each consistently organized chapter contains definitions of keywords, operational flowcharts, architectural diagrams, best practices, configuration steps (with detailed screenshots), verification tools, troubleshooting techniques, and FAQs drawn directly from issues raised by Cisco customers at the Global Technical Assistance Center (TAC). Covering key Firepower materials on the CCNA Security, CCNP Security, and CCIE Security exams, this guide also includes end-of-chapter quizzes to help candidates prepare.
· Understand the operational architecture of the Cisco Firepower NGFW, NGIPS, and AMP technologies
· Deploy FTD on the ASA platform and on Firepower appliances running FXOS
· Configure and troubleshoot Firepower Management Center (FMC)
· Plan and deploy FMC and FTD on VMware virtual appliances
· Design and implement the Firepower management network on FMC and FTD
· Understand and apply Firepower licenses, and register FTD with FMC
· Deploy FTD in Routed, Transparent, Inline, Inline Tap, and Passive Modes
· Manage traffic flow with detect-only, block, trust, and bypass operations
· Implement rate limiting and analyze quality of service (QoS)
· Blacklist suspicious IP addresses via Security Intelligence
· Block DNS queries to malicious domains
· Filter URLs based on category, risk, and reputation
· Discover a network and implement application visibility and control (AVC)
· Control file transfers and block malicious files using advanced malware protection (AMP)
· Halt cyber attacks using Snort-based intrusion rules
· Masquerade an internal host’s original IP address using Network Address Translation (NAT)
· Capture traffic and obtain troubleshooting files for advanced analysis
· Use command-line tools to identify status, trace packet flows, analyze logs, and debug messages
Introduction xxv
Part I Troubleshooting and Administration of Hardware Platform
Chapter 1 Introduction to the Cisco Firepower Technology 1
History of Sourcefire 1
Evolution of Firepower 2
FirePOWER Versus Firepower 3
Firepower Threat Defense (FTD) 6
FirePOWER Service Versus Firepower Threat Defense (FTD) 6
Firepower System Software Components 7
Firepower System Hardware Platforms 9
Firepower Accessories 10
Summary 11
Chapter 2 FTD on ASA 5500-X Series Hardware 13
ASA Reimaging Essentials 13
Best Practices for FTD Installation on ASA Hardware 14
Installing and Configuring FTD 16
Fulfilling Prerequisites 16
Upgrading Firmware 18
Installing the Boot Image 26
Installing the System Software 32
Verification and Troubleshooting Tools 44
Navigating to the FTD CLI 44
Determining the Version of Installed Software 46
Determining the Free Disk Space on ASA Hardware 47
Deleting a File from a Storage Device 48
Determining the Availability of Any Storage Device or SSD 48
Determining the Version of the ROMMON Software or Firmware 50
Summary 52
Quiz 52
Chapter 3 FTD on the Firepower eXtensible Operating System (FXOS) 55
Firepower 9300 and 4100 Series Essentials 55
Architecture 57
Software Images 58
Firepower Extensible Operating System (FXOS) 59
FTD Software 60
Firmware 60
Web User Interfaces 61
Best Practices for FTD Installation on Firepower Hardware 62
Installing and Configuring FTD 64
Fulfilling Prerequisites 64
Deleting Any Existing Logical Devices 64
Upgrading the FXOS Software 65
Enabling Interfaces 67
Installing FTD 71
Uploading the FTD Software Image 72
Adding a Logical Device for FTD 73
Completing the Initialization of FTD 77
Verification and Troubleshooting Tools 79
Navigating to the FTD CLI 79
Verifying the FXOS Software 81
Verifying the Status of a Security Application 82
Verifying the Security Modules, Adapters, and Switch Fabric 84
Verifying the Hardware Chassis 87
Verifying the Power Supply Unit (PSU) Modules 90
Verifying the Fan Modules 92
Summary 94
Quiz 94
Chapter 4 Firepower Management Center (FMC) Hardware 97
FMC Component Essentials 97
On-Box Managers 98
Off-Box Managers 99
Cisco Integrated Management Controller (CIMC) 101
Internal USB Storage for the System_Restore Image 104
User Interfaces 104
Best Practices for FMC Reimage 105
Pre-installation Best Practices 105
Post-installation Best Practices 108
Installing and Configuring the FMC 109
Fulfilling Prerequisites 109
Configuration Steps 110
Step 1: Load the System_Restore Image 111
Step 2: Configure the Network Settings 114
Step 3: Choose a Transport Protocol 114
Step 4: Download and Mount an ISO File 116
Step 5: Run the Installation 117
Step 6: Initialize the System 120
Verification and Troubleshooting Tools 122
Identifying the FMC on a Rack 122
Determining the Hardware and Software Details of the FMC 124
Determining the RAID Battery Status 124
Determining the Status of a Power Supply Unit (PSU) 125
Checking Logs on the CLI 125
Enabling Alerts on the GUI 127
Performing a Complete Power Cycle 129
PSU Checklist 129
Verifying the Fans 129
Summary 132
Quiz 132
Chapter 5 Firepower System Virtual on VMware 135
FMC and FTD Virtual Essentials 135
Supported Virtual Environments 135
ESXi Versus VI 136
VMware Installation Package in a Tarball 136
Disk Provisioning Options 137
Best Practices for Firepower Virtual Appliance Deployment 138
Pre-deployment Best Practices 138
Post-deployment Best Practices 140
Installing and Configuring a Firepower Virtual Appliance 141
Fulfilling Prerequisites 142
Creating a Virtual Network 144
Creating a Network for FMC Virtual 145
Creating a Network for FTD Virtual 148
Using Promiscuous Mode 152
Deploying an OVF Template 154
Initializing an Appliance 160
Initializing an FMC Virtual Appliance 161
Initializing an FTD Virtual Appliance 162
Verification and Troubleshooting Tools 163
Determining the Status of Allocated Resources 164
Determining the Status of a Network Adapter 165
Upgrading a Network Adapter 166
Summary 170
Quiz 170
Part II Troubleshooting and Administration of Initial Deployment
Chapter 6 The Firepower Management Network 173
Firepower System Management Network Essentials 173
The FTD Management Interface 173
Designing a Firepower Management Network 176
Best Practices for Management Interface Configuration 180
Configuring a Management Network on FMC Hardware 180
Configuration Options 180
Using the GUI During the First Login 180
Using the GUI On Demand 182
Using the Command-Line Interface 183
Verification and Troubleshooting Tools 184
Configuring a Management Network on ASA Hardware 186
Configuration 186
Verification and Troubleshooting Tools 187
Configuring a Management Network on a Firepower Security Appliance 190
Configuring the FXOS Management Interface 190
Verification of the FXOS Management Interface Configuration 191
Configuring the FTD Management Interface 192
Verification of the FTD Management Interface Configuration 194
Summary 197
Quiz 197
Chapter 7 Firepower Licensing and Registration 199
Licensing Essentials 199
The Smart Licensing Architecture 199
Cisco Smart Software Manager (CSSM) 200
CSSM Satellite 201
Firepower Licenses 202
Best Practices for Licensing and Registration 203
Licensing a Firepower System 203
Licensing Configuration 204
Evaluation Mode 205
Registering with the CSSM 206
Verifying a Smart License Issue 209
Registering a Firepower System 211
Registration Configuration 211
Setting Up FTD 211
Setting Up the FMC 212
Verifying the Registration and Connection 215
Analyzing the Encrypted SFTunnel 221
Summary 229
Quiz 230
Chapter 8 Firepower Deployment in Routed Mode 231
Routed Mode Essentials 231
Best Practices for Routed Mode Configuration 233
Configuring Routed Mode 233
Fulfilling Prerequisites 234
Configuring the Firewall Mode 234
Configuring the Routed Interface 235
Configuring an Interface with a Static IP Address 235
DHCP Services 238
FTD as a DHCP Server 240
FTD as a DHCP Client 241
Verification and Troubleshooting Tools 243
Verifying the Interface Configuration 243
Verifying DHCP Settings 246
Summary 249
Quiz 249
Chapter 9 Firepower Deployment in Transparent Mode 251
Transparent Mode Essentials 251
Best Practices for Transparent Mode 252
Configuring Transparent Mode 253
Fulfilling Prerequisites 254
Changing the Firewall Mode 254
Deploying Transparent Mode in a Layer 2 Network 255
Configuring the Physical and Virtual Interfaces 256
Verifying the Interface Status 261
Verifying Basic Connectivity and Operations 264
Deploying an FTD Device Between Layer 3 Networks 267
Selecting the Default Action 268
Adding an Access Rule 269
Creating an Access Rule for SSH 272
Verifying Access Control Lists 274
Summary 276
Quiz 276
Part III Troubleshooting and Administration of Traffic Control
Chapter 10 Capturing Traffic for Advanced Analysis 277
Traffic Capture Essentials 277
Best Practices for Capturing Traffic 278
Configuring Firepower System for Traffic Analysis 278
Capturing Traffic from a Firepower Engine 279
tcpdump Options 280
Downloading a .pcap File Generated by Firepower Engine 285
Capturing Traffic from the Firewall Engine 288
Downloading a .pcap File Generated by Firewall Engine 291
Enabling HTTP Service in FTD 293
Capturing Traffic from the FMC 298
Downloading a .pcap File Generated by FMC 299
Verification and Troubleshooting Tools 302
Adding an Access Rule to Block ICMP Traffic 302
Analyzing the Traffic Flow by Using a Block Rule 303
Packet Processing by an Interface 306
Summary 309
Quiz 309
Chapter 11 Blocking Traffic Using Inline Interface Mode 311
Inline Mode Essentials 311
Inline Mode Versus Passive Mode 312
Inline Mode Versus Transparent Mode 314
Tracing a Packet Drop 314
Best Practices for Inline Mode Configuration 316
Configuring Inline Mode 316
Fulfilling Prerequisites 317
Creating an Inline Set 317
Verifying the Configuration 321
Verifying Packet Flow by Using packet-tracer 324
Verifying Packet Flow by Using Real Packet Capture 328
Enabling Fault Tolerance Features 333
Configuring Fault Tolerance Features 334
Verifying Fault Tolerance Features 335
Blocking a Specific Port 336
Configuring Blocking a Specific Port 337
Verifying Blocking of a Specific Port 339
Analyzing a Packet Drop by Using a Simulated Packet 340
Analyzing a Packet Drop by Using a Real Packet 342
Summary 344
Quiz 345
Chapter 12 Inspecting Traffic Without Blocking It 347
Traffic Inspection Essentials 347
Passive Monitoring Technology 347
Inline Versus Inline Tap Versus Passive 350
Best Practices for Detection-Only Deployment 352
Fulfilling Prerequisites 352
Inline Tap Mode 352
Configuring Inline Tap Mode 353
Verifying an Inline Tap Mode Configuration 354
Passive Interface Mode 357
Configuring Passive Interface Mode 357
Configuring Passive Interface Mode on an FTD Device 357
Configuring a SPAN Port on a Switch 359
Verifying a Passive Interface Mode Configuration 359
Analyzing Traffic Inspection Operation 362
Analyzing a Connection Event with a Block Action 362
Analyzing Live Traffic 362
Analyzing a Simulated Packet 364
Analyzing an Intrusion Event with an Inline Result 366
Summary 370
Quiz 371
Chapter 13 Handling Encapsulated Traffic 373
Encapsulation and Prefilter Policy Essentials 373
Best Practices for Adding a Prefilter Rule 375
Fulfilling Prerequisites 375
Transferring and Capturing Traffic on the Firewall Engine 377
Scenario 1: Analyzing Encapsulated Traffic 379
Configuring Policies to Analyze Encapsulated Traffic 379
Prefilter Policy Settings 379
Access Control Policy Settings 381
Verifying the Configuration and Connection 382
Analyzing Packet Flows 385
Scenario 2: Blocking Encapsulated Traffic 391
Configuring Policies to Block Encapsulated Traffic 391
Verifying the Configuration and Connection 392
Analyzing Packet Flows 395
Scenario 3: Bypassing Inspection 397
Configuring Policies to Bypass Inspection 397
Custom Prefilter Policy 397
Access Control Policy Settings 401
Verifying the Configuration and Connection 403
Analyzing Packet Flows 405
Summary 407
Quiz 407
Chapter 14 Bypassing Inspection and Trusting Traffic 409
Bypassing Inspection and Trusting Traffic Essentials 409
The Fastpath Rule 409
The Trust Rule 410
Best Practices for Bypassing Inspection 412
Fulfilling Prerequisites 412
Implementing Fastpath Through a Prefilter Policy 413
Configuring Traffic Bypassing 413
Configuring a Prefilter Policy 413
Invoking a Prefilter Policy in an Access Control Policy 418
Verifying the Prefilter Rule Configuration 420
Enabling Tools for Advanced Analysis 421
Analyzing the Fastpath Action 422
Establishing Trust Through an Access Policy 427
Configuring Trust with an Access Policy 427
Verifying the Trust Rule Configuration 429
Enabling Tools for Advanced Analysis 430
Analyzing the Trust Action 432
Using the Allow Action for Comparison 440
Summary 442
Quiz 442
Chapter 15 Rate Limiting Traffic 445
Rate Limiting Essentials 445
Best Practices for QoS Rules 447
Fulfilling Prerequisites 448
Configuring Rate Limiting 449
Verifying the Rate Limit of a File Transfer 454
Analyzing QoS Events and Statistics 458
Summary 462
Quiz 462
Part IV Troubleshooting and Administration of Next-Generation Security Features
Chapter 16 Blacklisting Suspicious Addresses by Using Security Intelligence 463
Security Intelligence Essentials 463
Input Methods 466
Best Practices for Blacklisting 468
Fulfilling Prerequisites 468
Configuring Blacklisting 468
Automatic Blacklist Using Cisco Intelligence Feed 468
Manual Blacklisting Using a Custom Intelligence List 472
Immediate Blacklisting Using a Connection Event 477
Adding an Address to a Blacklist 477
Deleting an Address from a Blacklist 479
Monitoring a Blacklist 480
Bypassing a Blacklist 482
Adding an Address to a Whitelist 483
Deleting an Address from a Whitelist 484
Verification and Troubleshooting Tools 485
Verifying the Download of the Latest Files 486
Verifying the Loading of Addresses into Memory 489
Finding a Specific Address in a List 491
Verifying URL-Based Security Intelligence Rules 491
Summary 494
Quiz 494
Chapter 17 Blocking a Domain Name System (DNS) Query 497
Firepower DNS Policy Essentials 497
Domain Name System (DNS) 497
Blocking of a DNS Query Using a Firepower System 499
DNS Rule Actions 500
Actions That Can Interrupt a DNS Query 500
Actions That Allow a DNS Query 502
Sources of Intelligence 504
Best Practices for Blocking DNS Query 506
Fulfilling Prerequisites 507
Configuring DNS Query Blocking 508
Adding a New DNS Rule 508
Invoking a DNS Policy 510
Verification and Troubleshooting Tools 511
Verifying the Configuration of a DNS Policy 511
Verifying the Operation of a DNS Policy 515
Summary 520
Quiz 520
Chapter 18 Filtering URLs Based on Category, Risk, and Reputation 523
URL Filtering Essentials 523
Reputation Index 523
Operational Architecture 525
Fulfilling Prerequisites 526
Best Practices for URL Filtering Configuration 529
Blocking URLs of a Certain Category 532
Configuring an Access Rule for URL Filtering 532
Verification and Troubleshooting Tools 534
Allowing a Specific URL 537
Configuring FTD to Allow a Specific URL 538
Verification and Troubleshooting Tools 540
Querying the Cloud for Uncategorized URLs 543
Configuring FMC to Perform a Query 544
Verification and Troubleshooting Tools 546
Summary 550
Quiz 550
Chapter 19 Discovering Network Applications and Controlling Application Traffic 553
Application Discovery Essentials 553
Application Detectors 553
Operational Architecture 555
Best Practices for Network Discovery Configuration 557
Fulfilling Prerequisites 558
Discovering Applications 560
Configuring a Network Discovery Policy 561
Verification and Troubleshooting Tools 564
Analyzing Application Discovery 564
Analyzing Host Discovery 566
Undiscovered New Hosts 567
Blocking Applications 570
Configuring Blocking of Applications 570
Verification and Troubleshooting Tools 572
Summary 575
Quiz 576
Chapter 20 Controlling File Transfer and Blocking the Spread of Malware 577
File Policy Essentials 577
File Type Detection Technology 579
Malware Analysis Technology 579
Licensing Capability 582
Best Practices for File Policy Deployment 583
Fulfilling Prerequisites 584
Configuring a File Policy 586
Creating a File Policy 586
Applying a File Policy 592
Verification and Troubleshooting Tools 593
Analyzing File Events 594
Analyzing Malware Events 599
The FMC Is Unable to Communicate with the Cloud 599
The FMC Performs a Cloud Lookup 603
FTD Blocks Malware 607
Overriding a Malware Disposition 610
Summary 615
Quiz 615
Chapter 21 Preventing Cyber Attacks by Blocking Intrusion Attempts 617
Firepower NGIPS Essentials 617
Network Analysis Policy and Preprocessor 619
Intrusion Policy and Snort Rules 621
System-Provided Variables 624
System-Provided Policies 626
Best Practices for Intrusion Policy Deployment 632
NGIPS Configuration 637
Configuring a Network Analysis Policy 637
Creating a New NAP with Default Settings 637
Modifying the Default Settings of a NAP 639
Configuring an Intrusion Policy 641
Creating a Policy with a Default Ruleset 641
Incorporating Firepower Recommendations 642
Enabling or Disabling an Intrusion Rule 646
Setting Up a Variable Set 648
Configuring an Access Control Policy 650
Verification and Troubleshooting Tools 654
Summary 665
Quiz 665
Chapter 22 Masquerading the Original IP Address of an Internal Network Host 667
NAT Essentials 667
NAT Techniques 669
NAT Rule Types 670
Best Practices for NAT Deployment 672
Fulfilling Prerequisites 673
Configuring NAT 676
Masquerading a Source Address (Source NAT for Outbound Connection) 676
Configuring a Dynamic NAT Rule 677
Verifying the Configuration 681
Verifying the Operation: Inside to Outside 683
Verifying the Operation: Outside to Inside 690
Connecting to a Masqueraded Destination (Destination NAT for Inbound Connection) 695
Configuring a Static NAT Rule 695
Verifying the Operation: Outside to DMZ 696
Summary 706
Quiz 706
Appendix A Answers to the Review Questions 707
Appendix B Generating and Collecting Troubleshooting Files Using the GUI 713
Generating Troubleshooting Files with the GUI 713
Appendix C Generating and Collecting Troubleshooting Files Using the CLI 717
Generating Troubleshooting Files at the FTD CLI 717
Downloading a File by Using the GUI 718
Copying a File by Using the CLI 719
Generating Troubleshooting Files at the FMC CLI 719
9781587144806 TOC 11/9/2017