Configuring NAT and Access Control for Next-Generation Firewall with Firepower Device Manager

Captions
Hello and welcome to the Firepower Device Manager objects, NAT and access control learning module. This video is part of the mini-series called Cisco Firepower Device Manager. If you haven't already, please take a look at the introduction video to get an overview of what Firepower Device Manager is. It is a new web-based, simplified device manager to manage Cisco's integrated next-generation firewall, or Firepower Threat Defense, offering. In this session we will look at the different object types supported by Firepower Device Manager, and NAT and unified access control policy for deploying the next-generation firewall.

Let's start with objects. Objects are reusable containers that define criteria that you want to use in policies or other settings. For example, network objects define host and subnet addresses. In FDM, when you update an object, all policies that use the object are automatically updated. Here is a list of the different object types which Firepower Device Manager supports: it includes network, port, zones, application filters, URL, geolocation and syslog servers. You can configure objects directly through the Objects page, or you can configure them while editing policies; either method yields the same result, a new or updated object.

Next, let's talk about NAT. You can implement address translation through Firepower Device Manager in two ways: auto NAT or manual NAT. In auto NAT, all NAT rules are configured as a parameter of the network object and are considered to be auto NAT rules. This is a quick and easy way to simply configure NAT for a network object; you cannot create these rules for a group object, however. Manual NAT, on the other hand, lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that source A to destination A can have a different translation than source A to destination B. The destination address is optional. We recommend using auto NAT unless you need the extra features that manual NAT provides. It is easier to configure auto NAT, and it might be more reliable for applications such as VoIP.

Next, let's talk about access control. Access policies are used to control access to network resources. The policy consists of a set of ordered rules which are evaluated from top to bottom; the rule applied to traffic is the first one where all the traffic criteria are matched. You can control access based on traditional firewall network characteristics such as the source and destination IP addresses, protocol, ports, and interfaces in the form of security zones. You can also control access based on the application that is being used, the destination URL of a web request (including the generalized category of the URL), and also based on the user who's making the request or the user group to which the user belongs. For all unencrypted traffic that you allow, or the decrypted traffic that you allow, you can apply IPS inspection to check for threats and block traffic that appears to be an attack. You can also use file policies to check for prohibited files and malware; we will talk about IPS and file policies more in the next video. Any traffic that does not match an access rule is handled by the access control default action. If you allow traffic by default, you can then apply another level of IPS inspection to the traffic; however, you cannot apply file or malware inspection on traffic that is handled by the default action.

With that, let's jump into the demo. This is the topology we will be using for our demo today. In this session we will change the default NAT and access control rules, create an object from both the object management screen as well as from within an access control rule, create and test an auto NAT rule to enable users to access the inside web server, and create and test access control rules based on URL categories and applications. During the steps above we will also check out some of the cool features like the topology view and creating an object from within the policy screen, and also explore the events, or the connection events, that are generated because of the testing.

So going back to our topology, I actually have a web server running on the UNIX host on the inside. So what we'll do now, for the auto NAT testing, is enable users to access this web server hosted on the inside network from the outside. Let's see what changes we need to make to get this going. So here's the device dashboard. Let's go to Policies and look at the default NAT policy. We want to edit this default NAT policy and change it from any-to-outside to inside-to-outside, so let's change the source interface from any to inside.

Next we need to add some objects, so let's add an object for our inside web server, which is a host object, and enter an IP address. Let's also add an object for our mapped host server, which will be the translated address from the outside. Notice we're creating the objects from the object management page. This is a random IP address on the outside which I'm going to use to access the inside web server, just 192.168.1.250 for example. Also notice the Deploy button has an indicator that we have pending changes.

Next, let's go back to Policies and add an auto NAT rule. Let's create a rule for auto NAT and give it a name. Notice with auto NAT the placement option is grayed out, because it's automatically placed in the auto NAT section; it doesn't have an order to follow. Let's also change the original address, which is going to be our inside web server, and the translated address to be the mapped inside web server, which is our outside address. Notice the Show Diagram gives you a flow of the packet from original to translated; it is a cool addition to Firepower Device Manager. So we built our auto NAT rule.

Next we want to add an access control rule to actually allow the access. So let's build an access control rule for our auto NAT; it's basically allowing access from outside to the inside web server. In the source networks let's pick any-ipv4, and for destination network let's pick the inside web server to be specific. So any access from IPv4 on the outside to the inside web server should be allowed. Let's go ahead and deploy these changes. Once it is deployed, we can now go to a PC on the outside in our topology. Let's go to PC3 and try to access the inside web server using the outside subnet, and notice how we were able to do that.

Let's now add some access control rules to block based on URL categories or applications. Let's go ahead and add a rule to actually block based on the URL category of gambling. The URL categories are automatically downloaded as long as you have a URL filtering license applied. In the URL categories, let's add gambling and hit OK. Notice the order of the rules. Let's also add another rule to block PC1 specifically from accessing YouTube. For this, let's go to Networks to select PC1. Notice we have objects but no PC1, but we're able to create a network object from within the access rule. So let's create a network object called PC1, which is a host object, and give it the IP address of our PC1. Now you should be able to select it from the drop-down. Let's move on to Applications and search for YouTube; applications also are downloaded in advance. Let's turn on logging. If you also look at the Show Diagram, it will actually tell you what the rule is doing: so it has one network and one application, and the remaining are any. However, if you notice, we didn't change the order, so by default it's placed at the bottom. Let's go ahead and change that order to 1, and now notice the order of the rules. In an access control policy you want all the block rules to be on the top. Let's go ahead and deploy these changes. Once it's deployed, let's go to our PC1 like before to test these changes. From PC1 we open Firefox and try to access partypoker.com, and notice how we get a block "Access Denied" page. Let's also go to youtube.com and notice the same system-generated "Access Denied" page. This is how we're going to block based on access control.

Let's look at Monitoring as well. By default, clicking on Monitoring brings us to the system dashboard that gives us an overview of your device. In Network Overview you can get more aggregated information about what's going on on your device in terms of policy hits, web categories, top destinations, signatures, etc. We can drill down by clicking on one of these labels, for example gambling, which would take us to the more specific dashboard, in this case Web Categories, and here you can see how many times the policy was hit and other details for this particular transaction. Also, let's look into the events that were generated for this transaction, in particular the connection events. We can go ahead and filter our events on any of these categories. Let's try to do it on rule action in this case, because we know that it is blocked, so Rule Action equal to Block. As the events start coming in for the block (notice these are real-time events), you will see how PC1 and PC2 were blocked from accessing PartyPoker, while only PC1 was blocked from accessing YouTube. You can get a lot more information about each of these connection events by clicking on View Detail for each of these events. Thank you for joining me today in this session on objects, NAT and access control. Don't forget to look at our other videos to learn more about Firepower Device Manager. Thank you again.
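The narrator's two central points are that access control rules are evaluated top to bottom with the first full match winning (which is why the block rules belong at the top), and that the allow rule for the auto NAT'd web server is written against the real inside address rather than the mapped one. The following Python model of that evaluation is an added example written for this page; it is not code from the video, from Cisco, or from FDM, and it does not talk to a device. The only address taken from the transcript is the mapped address 192.168.1.250; the inside web server and PC addresses, the destination addresses, and the inside-to-outside allow rule (which is what lets PC2 reach YouTube in the demo but is never shown on screen) are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the demo topology (assumptions, not shown in the video),
# except the mapped address 192.168.1.250, which the narrator uses.
INSIDE_WEB_SERVER = "10.1.1.100"   # assumed real address of the UNIX web server
MAPPED_WEB_SERVER = "192.168.1.250"
PC1 = "192.168.1.10"               # assumed
PC2 = "192.168.1.11"               # assumed
PC3 = "192.168.1.12"               # assumed

# The demo's auto NAT rule: static translation, original (real) -> translated (mapped).
AUTO_NAT = {INSIDE_WEB_SERVER: MAPPED_WEB_SERVER}


@dataclass
class Flow:
    src: str
    dst: str
    src_zone: str
    dst_zone: str
    app: Optional[str] = None
    url_category: Optional[str] = None


@dataclass
class Rule:
    name: str
    action: str                                      # "allow" or "block"
    src_zones: list = field(default_factory=list)    # an empty list means "any"
    dst_zones: list = field(default_factory=list)
    src_nets: list = field(default_factory=list)
    dst_nets: list = field(default_factory=list)
    apps: list = field(default_factory=list)
    url_categories: list = field(default_factory=list)


def untranslate(flow: Flow) -> Flow:
    """Undo the static auto NAT for traffic arriving from outside, so that access
    control is matched on the real inside address, as the demo's allow rule is written."""
    real_by_mapped = {mapped: real for real, mapped in AUTO_NAT.items()}
    if flow.src_zone == "outside" and flow.dst in real_by_mapped:
        return Flow(flow.src, real_by_mapped[flow.dst], flow.src_zone, flow.dst_zone,
                    flow.app, flow.url_category)
    return flow


def _in_any(value, allowed: list) -> bool:
    return not allowed or value in allowed


def _net_match(addr: str, nets: list) -> bool:
    return not nets or any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def matches(rule: Rule, flow: Flow) -> bool:
    """Every criterion the rule specifies must match; unspecified criteria mean any."""
    return (_in_any(flow.src_zone, rule.src_zones)
            and _in_any(flow.dst_zone, rule.dst_zones)
            and _net_match(flow.src, rule.src_nets)
            and _net_match(flow.dst, rule.dst_nets)
            and _in_any(flow.app, rule.apps)
            and _in_any(flow.url_category, rule.url_categories))


def evaluate(rules: list, flow: Flow, default_action: str = "block") -> tuple:
    """Top-to-bottom, first-match evaluation; unmatched traffic gets the default action."""
    flow = untranslate(flow)
    for position, rule in enumerate(rules, start=1):
        if matches(rule, flow):
            return rule.action, f"rule {position} ({rule.name})"
    return default_action, "default action"


# Block rules on top, as the narrator recommends. The Inside_Outside_Rule allow and the
# "block" default action are assumptions needed to reproduce the demo's observed results.
DEMO_RULES = [
    Rule("Block_PC1_YouTube", "block", src_nets=[PC1], apps=["YouTube"]),
    Rule("Block_Gambling", "block", url_categories=["Gambling"]),
    Rule("Allow_Outside_To_WebServer", "allow", src_zones=["outside"],
         dst_nets=[INSIDE_WEB_SERVER]),
    Rule("Inside_Outside_Rule", "allow", src_zones=["inside"], dst_zones=["outside"]),
]


def demo() -> dict:
    """Constructed flows mirroring the tests the narrator runs from PC3, PC1 and PC2."""
    flows = {
        "pc3_to_mapped_web": Flow(PC3, MAPPED_WEB_SERVER, "outside", "inside", app="HTTP"),
        "pc1_youtube": Flow(PC1, "203.0.113.5", "inside", "outside", app="YouTube"),
        "pc2_youtube": Flow(PC2, "203.0.113.5", "inside", "outside", app="YouTube"),
        "pc1_partypoker": Flow(PC1, "203.0.113.9", "inside", "outside",
                               app="HTTP", url_category="Gambling"),
    }
    return {name: evaluate(DEMO_RULES, f) for name, f in flows.items()}


def youtube_rule_at_bottom() -> tuple:
    """The mistake the narrator corrects: with the PC1/YouTube block left at the bottom,
    the broader inside-to-outside allow matches first and the block never fires."""
    reordered = DEMO_RULES[1:] + DEMO_RULES[:1]
    return evaluate(reordered, Flow(PC1, "203.0.113.5", "inside", "outside", app="YouTube"))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    print("youtube rule at bottom:", youtube_rule_at_bottom())
```

`demo()` reproduces the four outcomes the video shows (PC3 reaches the web server through the mapped address, PC1 is blocked from YouTube, PC2 is not, and both are blocked from the gambling site), while `youtube_rule_at_bottom()` shows why the narrator moves the block rule to position 1: a rule that sits below a broader allow is never reached.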
Info
Channel: Managing Cisco Advanced Security
Views: 28,509
Keywords: Cisco NGFW, Firepower Device Manager, FDM
Id: A4y7bpEkOmA
Length: 15min 42sec (942 seconds)
Published: Tue Aug 30 2016