Cisco Firepower Threat Defense: pxGrid and Firepower for User to IP Mappings

Captions
Cisco Firepower Threat Defense: pxGrid and Firepower for user identity. All right, we're going to start, nice, and we're going to go to Administration, System Settings, or you could have gone to Deployment; I'll pivot over to Deployment now. Now you're going to enable this on the nodes that you want pxGrid to run on. I only have a single node here, but again, you'll most likely do this on your distributed deployment. Go ahead and enable this, hit Save. This is going to take some time, so you're going to be a little bit patient here while all the services get started. Now you can check that by going into the ISE console and running show application status ise | include pxGrid. This will take some time; generating this output takes some time, and getting all those services up takes some time, so be a little patient here. You can see the first time I run the command it's still showing "not running", and we'll go ahead and run that command again, and now we see that the processes are all running. So we've got pxGrid up and running, everything's looking good so far.

From here, what we're going to do is go into pxGrid Services and validate that we also see everything looking good there as well; it'll highlight an area within the console that lets you know that it's running. So we'll go ahead and click pxGrid Services, All Clients, and you can see at the bottom here "connected via XMPP" and then the ISE node that it's enabled on. Okay, perfect.

So now we're going to jump to Firepower and generate a certificate signing request for Firepower, where we can use our enterprise root CA to sign it, and then we're going to set up trust between ISE and Firepower. So let's go ahead: sudo openssl genrsa, our output is going to be fmc.key, and then the size is 4096 in this case. Go ahead and put in a password, because we're using sudo, and it's generating the RSA private key. So now we've got the private key created. Now we're going to create the certificate signing request: sudo openssl req -new -key fmc.key (the private key that we just generated), and the output is going to be fmc.csr. We'll go ahead and enter the fields here: country, state/province, locality, maybe your organization name, an OU name if you want to put one in there, common name (fmc-1 in my case), and then maybe an email address. Perfect. Okay, we'll come back to that.

Now let's go to the Microsoft certificate authority. What we're going to do is take that Web Server certificate template and modify it for pxGrid. Really the only thing that we're doing here, outside of changing the name (we're going to call it pxGrid), is giving it a validity of five years. Maybe one year is good enough; obviously shorter means more renewals, but obviously more secure as well. And what we're going to do is make sure that we have both server and client authentication. The Web Server template already had server authentication; what we're going to do is add client authentication as well, so now we have server and client. Everything looks good there. In the subject name we make sure it's "supply in the request", and that was part of that Web Server certificate template already, so we're good there. So now we've got this template created, but as you can see it's not available, so what we have to do is come in here and say New Template to Issue, find our pxGrid template that we just created, and say OK. Make sure your service is up and running, so make sure that you go in and start the certificate authority; I did that, so we're good. So now we can go ahead and grab that CSR, and all we have to do is cat it. You can save it out if you want, PuTTY into it or whatever, or SCP it, but you can just cat it anyway. Copy it in, request a pxGrid certificate, and it's auto-provisioned. Go ahead and maybe rename that cert; in my case I'll rename it to something a little bit more meaningful. That's great, and now we're going to download the CA certificate as well, so let's go ahead and do that, and again rename that to something more meaningful. So I've got ca-cert.cer and then fmc.cer: I've got the FMC certificate, the client certificate for FMC, or the pxGrid certificate for both server and client authentication, and now I've got the trusted CA. We want to import that trusted CA into FMC, and we're going to do that with ISE as well, so they trust the certificate from Active Directory. So we've done that, everything looks good.

Let's pivot back over to ISE, and we'll go into Trusted Certificates. We're going to import that trusted certificate, so that's the CA cert that we downloaded from the Microsoft root CA; maybe give it a friendly name. You can see here you can enable a bunch of different capabilities that the certificate's going to be used for; we're just going to use "trust for authentication within ISE" for now. You can extend those capabilities; I might do that in later videos. So we've got that in, and now what we need to do is again do the CSR. We need to create a certificate signing request, and this is for this node. Fill in the same types of things that we just filled in in the other one; you can see it's got a wildcard for common name. We'll go ahead and generate that, and we'll export it; we can see ise-1-multi-use.pem. Go into Active Directory, we're going to request a certificate, advanced certificate, I'm going to pick pxGrid, and we're going to go back to that export here, edit it, grab it and paste it in, hit Submit, and download the certificate, and again give it a name that is meaningful. Perfect. Now what we're going to do is actually bind the certificate to that certificate signing request: we're just going to grab that ise-1 and give it pxGrid usage, and again there are multiple different services that you can leverage it for. Go ahead and check it out in System Certificates; we should see it there, and it's now available for pxGrid.

Okay, so now we're back to FMC. I know we're bouncing back and forth, but there's a method to this madness here. We're going to go ahead and add an identity source, and that's going to be Identity Services Engine. So we've got to pick the pxGrid server CA; that's going to be the CA that we just imported into FMC. We're going to use that for MnT, the Monitoring and Troubleshooting node, as well. And then the FMC certificate: this is where we're going to finish off that CSR request that we did earlier, so let's go ahead and grab fmc.cer. So there's the certificate, but we need the private key as well, and that's where we're going to jump back to the FMC console and cat fmc.key. That's the private key; we'll copy and paste that in, and we'll go ahead and hit Save. Do a quick test; let's see if we've got some connectivity with ISE. This is the server certificate and client certificate working on both ends, and it looks good, right? Success, and it gives you some output here that you can analyze as required. So, beauty, we've got it up and running. We'll go look at pxGrid Services, and we can see this st.fmc, or ft-fmc.cisco.local.

Okay, awesome, so it looks like that's working so far. Let's go ahead and jump back into FMC. We'll save this out, go to Realms, and add a new realm. Go ahead and give it a name; the type is Active Directory. Type in the primary domain, put in your AD join username, type in a password, directory username, directory password, your base DN, your group DN, and then your group attribute is going to be "member". So again, you can use a more restrictive account in doing this as well. Now we'll go ahead and add a directory; this is the server itself. We'll go ahead and save it, so we've got our realm and we've got our server (you might have multiple; most likely you're going to have multiple). You have to make sure you enable that state, but it's not going to do anything yet, so let's go back in and edit it, because what we have to do is tell it what groups we want to pull. So let's go into User Download; we're going to download users and groups, and you can schedule when you want to do that. We're going to add a couple here: VPN group, Domain Users, IT, Sales, maybe HR, maybe Domain Admins. We want to restrict their ability to do certain things from certain areas in the environment, right? If they're logged into a server, do you want them surfing the internet? Maybe not. So again, these could be used in policy later. Go ahead and hit Download. But the whole idea around using Identity Services Engine and pxGrid is that even though you have the identity, the access policy is not going to work until that identity can be translated into an IP address. Remember, the firewall is an L3/L4 type control (well, L7 too with application), but to invoke a policy you need an IP address.

All right, so now what we need to do is create an identity policy, and this is going to be attached to our access control policy. I like looking at these as objects, or more advanced objects, where you're building a policy. It could be an SSL policy, a malware policy, an IPS policy; once you build them, they still don't do anything until you apply them to an access control policy. So this is going to be passive, it's Cisco AD, it's all zones maybe, right? Then you come into Realm Settings, select the realm that we just created, hit Add, and save this out. As I said earlier, this does nothing until you apply it to an access control policy, so it's just, like I said, an advanced object at this point in time. Go ahead and go into Policy, Access Control, hit Edit, and here we're going to add the identity policy. Drop that down; we'll have one or more options, and we only have one in this case because that's what we created. Now I can build access control policy using user identity, like HR, IT, or a user in HR as an example. I'm not going to do that; all I want to do is show you the user-to-IP mappings actually being shared between the platforms. Okay, so go ahead and hit Deploy. We'll push this out; let's double-check the settings here and hit Deploy. We're not going to wait for this; it's going to take a minute or so to deploy.

In the meantime I've got a VPN head end. It's actually an ASA, it's not even Firepower, and we're going to log in, and it's going to authenticate using Identity Services Engine. So there's a RADIUS request to Identity Services Engine, which is going to leverage Active Directory, and we're going to look at the IP that we got. If everything's good, we should see this translated into Firepower. So we can see that Identity Services Engine sees it: you can see the IP address; we can look at the live session; we see hr1 right there, there's the IP, we've got the user identity, so I obviously passed authentication and authorization. We're good here. And look at that in Firepower, in Analysis, Users, Active Sessions: look at that, we see HR, we even see some of the attributes from Active Directory, but we got that IP address, you can see that as well. That's what's going to be important in all of this, right? There's a piece that can be pulled using that realm that we created, but we need the user-to-IP mapping.

So let's go ahead and triple-check this and look at the actual Firepower device to see if we see any mappings. You can use system support firewall-engine-dump-user-identity-data; go ahead and run that. Go into expert mode. The best way I found was just to do a sudo find for that user_identity dump; I think it's /var, the ngfw /var one, I used volume 1 and I saw the data as well. You can see here's that 172... Let's just scroll down here so we can see number of hosts, number of users, 1 and 1. Let's scroll back down, and we should see the IP address in here, and there you go. So this was not even part of that flow, right? It was an ASA VPN head end that I terminated to, but yet Firepower knows about it. Again, looking at Table View of Events, we can see the IP address. I've got a passive port for IDS functionality, so I can see some of the traffic, and you can see here sales1 and the initiator IP. Now ultimately you probably want to run a policy just to validate, but since we see the IP address actually on Firepower, which is not in the flow whatsoever, we know that it's passing. Here we can pivot into Context Explorer and see some specific details around that user: network information, SSL information, you've got applications, whether it's web app, client app, or application protocols. Again, I don't have any data here because I didn't generate anything, but you get the idea: I can see trojan events, file types, geolocation information, traffic by URL. So pretty neat. We're talking 20 minutes, actually maybe even 18 minutes, and we've got Identity Services Engine integrated with Firepower sharing user-to-IP mappings. Pretty cool.
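The key and CSR steps from the video, plus the check a practitioner wants before pasting a certificate into FMC or ISE: that the issued cert chains to the CA and carries both the serverAuth and clientAuth EKUs that the modified pxGrid template adds. This is an added example, not the video's or Cisco's code; it assumes openssl is in PATH and uses a throwaway self-signed CA in place of the enterprise Microsoft CA.

```shell
#!/bin/sh
# Added example: reproduce the FMC key/CSR generation from the transcript,
# issue two certs (one from a "pxGrid" style template with serverAuth +
# clientAuth, one from an unmodified "Web Server" style template with
# serverAuth only) and verify which one is usable for pxGrid.
# Assumption: openssl (1.1.1 or newer) is installed; the CA is a throwaway.
set -e
WORK=$(mktemp -d)

# 1. Private key and CSR for FMC (same commands as the video, non-interactive)
gen_fmc_csr() {
  openssl genrsa -out "$WORK/fmc.key" 4096 2>/dev/null
  openssl req -new -key "$WORK/fmc.key" -out "$WORK/fmc.csr" \
    -subj "/C=US/ST=State/L=City/O=Example/OU=Security/CN=fmc-1" 2>/dev/null
}

# 2. Throwaway root CA standing in for the enterprise Microsoft CA
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
}

# 3. Sign the CSR with a given EKU list: $1 = EKU values, $2 = output cert
sign_csr() {
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:fmc-1\n' "$1" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/fmc.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$2" 2>/dev/null
}

# Returns 0 only if the cert chains to the CA AND has both EKUs pxGrid needs
check_pxgrid_cert() {
  openssl verify -CAfile "$WORK/ca.cer" "$1" >/dev/null 2>&1 || return 1
  eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null)
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$eku" in *"TLS Web Client Authentication"*) return 0 ;; *) return 1 ;; esac
}

gen_fmc_csr
make_test_ca
sign_csr "serverAuth,clientAuth" "$WORK/fmc-pxgrid.cer"    # modified pxGrid template
sign_csr "serverAuth" "$WORK/fmc-webserver.cer"            # unmodified Web Server template
check_pxgrid_cert "$WORK/fmc-pxgrid.cer" && echo "fmc-pxgrid.cer: usable for pxGrid"
```

Run the same check_pxgrid_cert logic (with your real CA file) against the .cer you download from the enterprise CA before importing it; a cert missing clientAuth will fail the FMC-to-ISE test step shown in the video.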
Info
Channel: Jason Maynard
Views: 1,176
Keywords: Cisco Security, Talos, Firepower, FTD, Firepower Threat Defense, ISE, User to IP Mappings, User Identity, pxGrid, Certificates
Id: y0Tj1b6X0UE
Length: 17min 45sec (1065 seconds)
Published: Sun Jan 24 2021