Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting Best Practices for the Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Advanced Malware Protection (AMP)

Description

• Copyright 2018
• Dimensions: 7-3/8" x 9-1/8"
• Pages: 800
• Edition: 1st

• eBook
• ISBN-10: 0-13-467951-2
• ISBN-13: 978-0-13-467951-8

The authoritative visual guide to Cisco Firepower Threat Defense (FTD)

This is the definitive guide to best practices and advanced troubleshooting techniques for the Cisco flagship Firepower Threat Defense (FTD) system running on Cisco ASA platforms, Cisco Firepower security appliances, Firepower eXtensible Operating System (FXOS), and VMware virtual appliances.

Senior Cisco engineer Nazmul Rajib draws on unsurpassed experience supporting and training Cisco Firepower engineers worldwide, and presenting detailed knowledge of Cisco Firepower deployment, tuning, and troubleshooting. Writing for cybersecurity consultants, service providers, channel partners, and enterprise or government security professionals, he shows how to deploy the Cisco Firepower next-generation security technologies to protect your network from potential cyber threats, and how to use Firepower’s robust command-line tools to investigate a wide variety of technical issues.

Each consistently organized chapter contains definitions of keywords, operational flowcharts, architectural diagrams, best practices, configuration steps (with detailed screenshots), verification tools, troubleshooting techniques, and FAQs drawn directly from issues raised by Cisco customers at the Global Technical Assistance Center (TAC). Covering key Firepower materials on the CCNA Security, CCNP Security, and CCIE Security exams, this guide also includes end-of-chapter quizzes to help candidates prepare.

·        Understand the operational architecture of the Cisco Firepower NGFW, NGIPS, and AMP technologies

·         Deploy FTD on ASA platform and Firepower appliance running FXOS

·         Configure and troubleshoot Firepower Management Center (FMC)

·         Plan and deploy FMC and FTD on VMware virtual appliance

·         Design and implement the Firepower management network on FMC and FTD

·         Understand and apply Firepower licenses, and register FTD with FMC

·         Deploy FTD in Routed, Transparent, Inline, Inline Tap, and Passive Modes

·         Manage traffic flow with detect-only, block, trust, and bypass operations

·         Implement rate limiting and analyze quality of service (QoS)

·         Blacklist suspicious IP addresses via Security Intelligence

·         Block DNS queries to the malicious domains

·         Filter URLs based on category, risk, and reputation

·         Discover a network and implement application visibility and control (AVC)

·         Control file transfers and block malicious files using advanced malware protection (AMP)

·         Halt cyber attacks using Snort-based intrusion rule

·         Masquerade an internal host’s original IP address using Network Address Translation (NAT)

·         Capture traffic and obtain troubleshooting files for advanced analysis

·         Use command-line tools to identify status, trace packet flows, analyze logs, and debug messages



Sample Content

Table of Contents

Introduction xxv

Part I Troubleshooting and Administration of Hardware Platform

Chapter 1 Introduction to the Cisco Firepower Technology 1

History of Sourcefire 1

    Evolution of Firepower 2

    FirePOWER Versus Firepower 3

Firepower Threat Defense (FTD) 6

    FirePOWER Service Versus Firepower Threat Defense (FTD) 6

    Firepower System Software Components 7

    Firepower System Hardware Platforms 9

    Firepower Accessories 10

Summary 11

Chapter 2 FTD on ASA 5500-X Series Hardware 13

ASA Reimaging Essentials 13

Best Practices for FTD Installation on ASA Hardware 14

Installing and Configuring FTD 16

    Fulfilling Prerequisites 16

    Upgrading Firmware 18

    Installing the Boot Image 26

    Installing the System Software 32

Verification and Troubleshooting Tools 44

    Navigating to the FTD CLI 44

    Determining the Version of Installed Software 46

    Determining the Free Disk Space on ASA Hardware 47

    Deleting a File from a Storage Device 48

    Determining the Availability of Any Storage Device or SSD 48

    Determining the Version of the ROMMON Software or Firmware 50

Summary 52

Quiz 52

Chapter 3 FTD on the Firepower eXtensible Operating System (FXOS) 55

Firepower 9300 and 4100 Series Essentials 55

    Architecture 57

    Software Images 58

        Firepower Extensible Operating System (FXOS) 59

        FTD Software 60

        Firmware 60

    Web User Interfaces 61

Best Practices for FTD Installation on Firepower Hardware 62

Installing and Configuring FTD 64

    Fulfilling Prerequisites 64

        Deleting Any Existing Logical Devices 64

        Upgrading the FXOS Software 65

        Enabling Interfaces 67

    Installing FTD 71

        Uploading the FTD Software Image 72

        Adding a Logical Device for FTD 73

        Completing the Initialization of FTD 77

Verification and Troubleshooting Tools 79

    Navigating to the FTD CLI 79

    Verifying the FXOS Software 81

    Verifying the Status of a Security Application 82

    Verifying the Security Modules, Adapters, and Switch Fabric 84

    Verifying the Hardware Chassis 87

    Verifying the Power Supply Unit (PSU) Modules 90

    Verifying the Fan Modules 92

Summary 94

Quiz 94

Chapter 4 Firepower Management Center (FMC) Hardware 97

FMC Component Essentials 97

    On-Box Managers 98

    Off-Box Managers 99

    Cisco Integrated Management Controller (CIMC) 101

    Internal USB Storage for the System_Restore Image 104

    User Interfaces 104

Best Practices for FMC Reimage 105

    Pre-installation Best Practices 105

    Post-installation Best Practices 108

Installing and Configuring the FMC 109

    Fulfilling Prerequisites 109

    Configuration Steps 110

        Step 1: Load the System_Restore Image 111

        Step 2: Configure the Network Settings 114

        Step 3: Choose a Transport Protocol 114

        Step 4: Download and Mount an ISO File 116

        Step 5: Run the Installation 117

        Step 6: Initialize the System 120

Verification and Troubleshooting Tools 122

    Identifying the FMC on a Rack 122

    Determining the Hardware and Software Details of the FMC 124

    Determining the RAID Battery Status 124

    Determining the Status of a Power Supply Unit (PSU) 125

        Checking Logs on the CLI 125

        Enabling Alerts on the GUI 127

        Performing a Complete Power Cycle 129

        PSU Checklist 129

    Verifying the Fans 129

Summary 132

Quiz 132

Chapter 5 Firepower System Virtual on VMware 135

FMC and FTD Virtual Essentials 135

    Supported Virtual Environments 135

    ESXi Versus VI 136

    VMware Installation Package in a Tarball 136

    Disk Provisioning Options 137

Best Practices for Firepower Virtual Appliance Deployment 138

    Pre-deployment Best Practices 138

    Post-deployment Best Practices 140

Installing and Configuring a Firepower Virtual Appliance 141

    Fulfilling Prerequisites 142

    Creating a Virtual Network 144

        Creating a Network for FMC Virtual 145

        Creating a Network for FTD Virtual 148

        Using Promiscuous Mode 152

    Deploying an OVF Template 154

    Initializing an Appliance 160

        Initializing an FMC Virtual Appliance 161

        Initializing an FTD Virtual Appliance 162

Verification and Troubleshooting Tools 163

    Determining the Status of Allocated Resources 164

    Determining the Status of a Network Adapter 165

    Upgrading a Network Adapter 166

Summary 170

Quiz 170

Part II Troubleshooting and Administration of Initial Deployment

Chapter 6 The Firepower Management Network 173

Firepower System Management Network Essentials 173

    The FTD Management Interface 173

    Designing a Firepower Management Network 176

Best Practices for Management Interface Configuration 180

    Configuring a Management Network on FMC Hardware 180

    Configuration Options 180

        Using the GUI During the First Login 180

        Using the GUI On Demand 182

        Using the Command-Line Interface 183

    Verification and Troubleshooting Tools 184

Configuring a Management Network on ASA Hardware 186

    Configuration 186

    Verification and Troubleshooting Tools 187

Configuring a Management Network on a Firepower Security Appliance 190

    Configuring the FXOS Management Interface 190

    Verification of the FXOS Management Interface Configuration 191

    Configuring the FTD Management Interface 192

    Verification of the FTD Management Interface Configuration 194

Summary 197

Quiz 197

Chapter 7 Firepower Licensing and Registration 199

Licensing Essentials 199

    The Smart Licensing Architecture 199

        Cisco Smart Software Manager (CSSM) 200

        CSSM Satellite 201

    Firepower Licenses 202

Best Practices for Licensing and Registration 203

Licensing a Firepower System 203

    Licensing Configuration 204

        Evaluation Mode 205

        Registering with the CSSM 206

    Verifying a Smart License Issue 209

Registering a Firepower System 211

    Registration Configuration 211

        Setting Up FTD 211

        Setting Up the FMC 212

    Verifying the Registration and Connection 215

    Analyzing the Encrypted SFTunnel 221

Summary 229

Quiz 230

Chapter 8 Firepower Deployment in Routed Mode 231

Routed Mode Essentials 231

Best Practices for Routed Mode Configuration 233

Configuring Routed Mode 233

    Fulfilling Prerequisites 234

    Configuring the Firewall Mode 234

    Configuring the Routed Interface 235

        Configuring an Interface with a Static IP Address 235

        DHCP Services 238

    FTD as a DHCP Server 240

    FTD as a DHCP Client 241

Verification and Troubleshooting Tools 243

    Verifying the Interface Configuration 243

    Verifying DHCP Settings 246

Summary 249

Quiz 249

Chapter 9 Firepower Deployment in Transparent Mode 251

Transparent Mode Essentials 251

Best Practices for Transparent Mode 252

Configuring Transparent Mode 253

    Fulfilling Prerequisites 254

    Changing the Firewall Mode 254

    Deploying Transparent Mode in a Layer 2 Network 255

        Configuring the Physical and Virtual Interfaces 256

        Verifying the Interface Status 261

        Verifying Basic Connectivity and Operations 264

    Deploying an FTD Device Between Layer 3 Networks 267

        Selecting the Default Action 268

        Adding an Access Rule 269

    Creating an Access Rule for SSH 272

        Verifying Access Control Lists 274

Summary 276

Quiz 276

Part III Troubleshooting and Administration of Traffic Control

Chapter 10 Capturing Traffic for Advanced Analysis 277

Traffic Capture Essentials 277

Best Practices for Capturing Traffic 278

Configuring Firepower System for Traffic Analysis 278

    Capturing Traffic from a Firepower Engine 279

        tcpdump Options 280

        Downloading a .pcap File Generated by Firepower Engine 285

    Capturing Traffic from the Firewall Engine 288

        Downloading a .pcap File Generated by Firewall Engine 291

        Enabling HTTP Service in FTD 293

    Capturing Traffic from the FMC 298

        Downloading a .pcap File Generated by FMC 299

Verification and Troubleshooting Tools 302

    Adding an Access Rule to Block ICMP Traffic 302

    Analyzing the Traffic Flow by Using a Block Rule 303

    Packet Processing by an Interface 306

Summary 309

Quiz 309

Chapter 11 Blocking Traffic Using Inline Interface Mode 311

Inline Mode Essentials 311

    Inline Mode Versus Passive Mode 312

    Inline Mode Versus Transparent Mode 314

    Tracing a Packet Drop 314

Best Practices for Inline Mode Configuration 316

Configuring Inline Mode 316

    Fulfilling Prerequisites 317

    Creating an Inline Set 317

        Verifying the Configuration 321

        Verifying Packet Flow by Using packet-tracer 324

        Verifying Packet Flow by Using Real Packet Capture 328

    Enabling Fault Tolerance Features 333

        Configuring Fault Tolerance Features 334

        Verifying Fault Tolerance Features 335

    Blocking a Specific Port 336

        Configuring Blocking a Specific Port 337

        Verifying Blocking of a Specific Port 339

        Analyzing a Packet Drop by Using a Simulated Packet 340

        Analyzing a Packet Drop by Using a Real Packet 342

Summary 344

Quiz 345

Chapter 12 Inspecting Traffic Without Blocking It 347

Traffic Inspection Essentials 347

    Passive Monitoring Technology 347

    Inline Versus Inline Tap Versus Passive 350

Best Practices for Detection-Only Deployment 352

Fulfilling Prerequisites 352

Inline Tap Mode 352

    Configuring Inline Tap Mode 353

    Verifying an Inline Tap Mode Configuration 354

Passive Interface Mode 357

    Configuring Passive Interface Mode 357

        Configuring Passive Interface Mode on an FTD Device 357

        Configuring a SPAN Port on a Switch 359

    Verifying a Passive Interface Mode Configuration 359

Analyzing Traffic Inspection Operation 362

    Analyzing a Connection Event with a Block Action 362

        Analyzing Live Traffic 362

        Analyzing a Simulated Packet 364

    Analyzing an Intrusion Event with an Inline Result 366

Summary 370

Quiz 371

Chapter 13 Handling Encapsulated Traffic 373

Encapsulation and Prefilter Policy Essentials 373

Best Practices for Adding a Prefilter Rule 375

Fulfilling Prerequisites 375

    Transferring and Capturing Traffic on the Firewall Engine 377

Scenario 1: Analyzing Encapsulated Traffic 379

    Configuring Policies to Analyze Encapsulated Traffic 379

        Prefilter Policy Settings 379

        Access Control Policy Settings 381

    Verifying the Configuration and Connection 382

    Analyzing Packet Flows 385

Scenario 2: Blocking Encapsulated Traffic 391

    Configuring Policies to Block Encapsulated Traffic 391

    Verifying the Configuration and Connection 392

    Analyzing Packet Flows 395

Scenario 3: Bypassing Inspection 397

    Configuring Policies to Bypass Inspection 397

        Custom Prefilter Policy 397

        Access Control Policy Settings 401

    Verifying the Configuration and Connection 403

    Analyzing Packet Flows 405

Summary 407

Quiz 407

Chapter 14 Bypassing Inspection and Trusting Traffic 409

Bypassing Inspection and Trusting Traffic Essentials 409

    The Fastpath Rule 409

    The Trust Rule 410

Best Practices for Bypassing Inspection 412

Fulfilling Prerequisites 412

Implementing Fastpath Through a Prefilter Policy 413

    Configuring Traffic Bypassing 413

        Configuring a Prefilter Policy 413

        Invoking a Prefilter Policy in an Access Control Policy 418

    Verifying the Prefilter Rule Configuration 420

    Enabling Tools for Advanced Analysis 421

    Analyzing the Fastpath Action 422

Establishing Trust Through an Access Policy 427

    Configuring Trust with an Access Policy 427

    Verifying the Trust Rule Configuration 429

    Enabling Tools for Advanced Analysis 430

    Analyzing the Trust Action 432

    Using the Allow Action for Comparison 440

Summary 442

Quiz 442

Chapter 15 Rate Limiting Traffic 445

Rate Limiting Essentials 445

Best Practices for QoS Rules 447

Fulfilling Prerequisites 448

Configuring Rate Limiting 449

Verifying the Rate Limit of a File Transfer 454

Analyzing QoS Events and Statistics 458

Summary 462

Quiz 462

Part IV Troubleshooting and Administration of Next-Generation Security Features

Chapter 16 Blacklisting Suspicious Addresses by Using Security Intelligence 463

Security Intelligence Essentials 463

    Input Methods 466

Best Practices for Blacklisting 468

Fulfilling Prerequisites 468

Configuring Blacklisting 468

    Automatic Blacklist Using Cisco Intelligence Feed 468

    Manual Blacklisting Using a Custom Intelligence List 472

    Immediate Blacklisting Using a Connection Event 477

        Adding an Address to a Blacklist 477

        Deleting an Address from a Blacklist 479

    Monitoring a Blacklist 480

    Bypassing a Blacklist 482

        Adding an Address to a Whitelist 483

        Deleting an Address from a Whitelist 484

Verification and Troubleshooting Tools 485

    Verifying the Download of the Latest Files 486

    Verifying the Loading of Addresses into Memory 489

    Finding a Specific Address in a List 491

    Verifying URL-Based Security Intelligence Rules 491

Summary 494

Quiz 494

Chapter 17 Blocking a Domain Name System (DNS) Query 497

Firepower DNS Policy Essentials 497

    Domain Name System (DNS) 497

    Blocking of a DNS Query Using a Firepower System 499

    DNS Rule Actions 500

        Actions That Can Interrupt a DNS Query 500

        Actions That Allow a DNS Query 502

    Sources of Intelligence 504

Best Practices for Blocking DNS Query 506

Fulfilling Prerequisites 507

Configuring DNS Query Blocking 508

    Adding a New DNS Rule 508

    Invoking a DNS Policy 510

Verification and Troubleshooting Tools 511

    Verifying the Configuration of a DNS Policy 511

    Verifying the Operation of a DNS Policy 515

Summary 520

Quiz 520

Chapter 18 Filtering URLs Based on Category, Risk, and Reputation 523

URL Filtering Essentials 523

    Reputation Index 523

    Operational Architecture 525

Fulfilling Prerequisites 526

Best Practices for URL Filtering Configuration 529

Blocking URLs of a Certain Category 532

    Configuring an Access Rule for URL Filtering 532

    Verification and Troubleshooting Tools 534

Allowing a Specific URL 537

    Configuring FTD to Allow a Specific URL 538

    Verification and Troubleshooting Tools 540

Querying the Cloud for Uncategorized URLs 543

    Configuring FMC to Perform a Query 544

    Verification and Troubleshooting Tools 546

Summary 550

Quiz 550

Chapter 19 Discovering Network Applications and Controlling Application Traffic 553

Application Discovery Essentials 553

    Application Detectors 553

    Operational Architecture 555

Best Practices for Network Discovery Configuration 557

Fulfilling Prerequisites 558

Discovering Applications 560

    Configuring a Network Discovery Policy 561

    Verification and Troubleshooting Tools 564

        Analyzing Application Discovery 564

        Analyzing Host Discovery 566

        Undiscovered New Hosts 567

Blocking Applications 570

    Configuring Blocking of Applications 570

    Verification and Troubleshooting Tools 572

Summary 575

Quiz 576

Chapter 20 Controlling File Transfer and Blocking the Spread of Malware 577

File Policy Essentials 577

    File Type Detection Technology 579

    Malware Analysis Technology 579

    Licensing Capability 582

Best Practices for File Policy Deployment 583

Fulfilling Prerequisites 584

Configuring a File Policy 586

    Creating a File Policy 586

    Applying a File Policy 592

Verification and Troubleshooting Tools 593

    Analyzing File Events 594

    Analyzing Malware Events 599

        The FMC Is Unable to Communicate with the Cloud 599

        The FMC Performs a Cloud Lookup 603

        FTD Blocks Malware 607

    Overriding a Malware Disposition 610

Summary 615

Quiz 615

Chapter 21 Preventing Cyber Attacks by Blocking Intrusion Attempts 617

Firepower NGIPS Essentials 617

    Network Analysis Policy and Preprocessor 619

    Intrusion Policy and Snort Rules 621

    System-Provided Variables 624

    System-Provided Policies 626

Best Practices for Intrusion Policy Deployment 632

NGIPS Configuration 637

    Configuring a Network Analysis Policy 637

        Creating a New NAP with Default Settings 637

        Modifying the Default Settings of a NAP 639

    Configuring an Intrusion Policy 641

        Creating a Policy with a Default Ruleset 641

        Incorporating Firepower Recommendations 642

        Enabling or Disabling an Intrusion Rule 646

        Setting Up a Variable Set 648

    Configuring an Access Control Policy 650

Verification and Troubleshooting Tools 654

Summary 665

Quiz 665

Chapter 22 Masquerading the Original IP Address of an Internal Network Host 667

NAT Essentials 667

    NAT Techniques 669

    NAT Rule Types 670

Best Practices for NAT Deployment 672

Fulfilling Prerequisites 673

Configuring NAT 676

    Masquerading a Source Address (Source NAT for Outbound Connection) 676

        Configuring a Dynamic NAT Rule 677

        Verifying the Configuration 681

        Verifying the Operation: Inside to Outside 683

        Verifying the Operation: Outside to Inside 690

    Connecting to a Masqueraded Destination (Destination NAT for Inbound Connection) 695

        Configuring a Static NAT Rule 695

        Verifying the Operation: Outside to DMZ 696

Summary 706

Quiz 706

Appendix A Answers to the Review Questions 707

Appendix B Generating and Collecting Troubleshooting Files Using the GUI 713

Generating Troubleshooting Files with the GUI 713

Appendix C Generating and Collecting Troubleshooting Files Using the CLI 717

Generating Troubleshooting Files at the FTD CLI 717

    Downloading a File by Using the GUI 718

    Copying a File by Using the CLI 719

Generating Troubleshooting Files at the FMC CLI 719

9781587144806    TOC    11/9/2017



Updates

Submit Errata

