Firepower 1010 & Firepower Device Manager

Captions
Hey, what's up everybody. I wanted to talk to you today about the new Firepower 1010. I got one of these boxes shipped to me today, and I wanted to go over the features of this box, maybe some use cases, and then jump in and do a demo of the Firepower Device Manager, which is the on-box device manager for Firepower. We'll talk about this also, but you can still manage this with FMC (Firepower Management Center) or Cisco Defense Orchestrator (CDO). Today we're going to look at the Firepower Device Manager for management. If you want to see a demo of the FMC or CDO, go check out some of my other videos on the YouTube channel, but for now let's jump in here and talk about this device.

We'll start by talking about where it fits and some of the features. This is a replacement for the ASA 5505 or the 5506, so a branch, small office, or home office would be your typical use cases. I do have some customers that put this type of firewall behind or in front of POS (point of sale) devices; I have a bank that connects their ATMs to it. So it's a really good small form factor, great for retail, but it does have a rack mount kit that could be used to rack mount this in your typical rack, so that is an option.

As far as features go, this is a 650 Mbps next-gen firewall that supports running ASA code and FTD code, which is pretty cool, right? It can support both of those code sets. But I think two of the best features are features that were originally on our ASA 5505 but didn't make it to the 5506 platform. We had a lot of customers ask for those features back, and so we brought them back in this Firepower 1010. Those are, one, the switch ports back here on the back: they have Layer 2 switch functionality built in. If you remember, that was on the 5505; it wasn't on the 5506. And then in addition we've got two PoE+ ports here that are built into the device; again, that was on the 5505, not on the 5506. So we listened to our customers and brought those two features back here on this box. With the PoE you could plug in an access point or a phone and provide power there in a small office environment.

Like I said, this is a next-gen firewall, so in addition to the Layer 7 application-aware firewall features that allow you to do application visibility and control, it also has a next-gen IPS built into the box that's backed by Cisco Talos, which as you know is the industry's leading threat research team and provides a lot of value there in providing rules to go into this box for IDS/IPS. In addition we've got AMP built into the box, which allows us to inspect files for malware that are coming into the box. If it's a known good file we will pass it on through; if it's known bad we'll block it; but if it's got an unknown disposition we can send that to Threat Grid, which is our cloud sandbox solution. Threat Grid will analyze that file, maybe look for some sort of indicator of compromise, a suspect long flow, maybe hooking the keyboard or changing a registry key, something like that. If we see something like that we'll return a score of a bad file, so a bad disposition; if it looks good, everything's good, we'll return a disposition of good. So that's pretty cool, built into the box: advanced malware. And then we've got our URL filtering built in, we've got our site-to-site VPN, and then we've got remote access VPN with about 70 sessions. So if you need to scale above that we've got other boxes for that, but this box will support about 70 sessions on it.

Like I was talking about earlier, for management we've got the option for the onboard Firepower Device Manager, which is a significant upgrade from the days of ASDM if you're used to that on the ASA, but we also support FMC and Cisco Defense Orchestrator (CDO) for management options. Those two are really good if you're managing a lot of boxes, right? The Firepower Device Manager is good for managing one or two boxes, but if you're managing 50-plus boxes, 20-plus boxes, something like that, you don't want to be logging into one box at a time and making a change. I want a single pane of glass where I can manage all the firewalls that I support from that one location and push policy from there. So that's FMC and CDO. Now, a lot of times I'll position FMC for companies that have really mature SOCs (security operations centers), and then I will position CDO for teams or companies where the network engineers are managing the firewall, so maybe a NOC is managing the firewall, or if the company supports ASAs, Firepowers, and maybe even Meraki MXs; all three of those are supported in CDO. So CDO allows me to have a unified policy across all those platforms, managed from one spot. That is very cool.

Now on the box here we'll look at some of the features. Like we talked about, we've got the Layer 2 switching functionality back here, we've got the PoE ports, you've got your power port here, and then you also have your two console ports: you've got your small USB console port and your standard RJ45 console. Then you've got a management port here. You've got a Kensington security lock here, so if you're in retail or something and you want to secure the device, lock it down so it doesn't walk off; that's a good feature there. You've got a USB port here that allows you to do image upgrades, and then right here you see that little spot right there: that's a little reset button. Hold that down for about three seconds, power off the device, power back on, and it'll be factory defaulted. So some pretty cool features.

We're going to power this thing up and jump in and take a look at Firepower Device Manager, but before we do that, one thing I want to let you guys know is that when you get one of these for the first time, that first boot takes about 40 minutes. It's kind of crazy. So when you power it up, don't get concerned that you got a DOA device or something like that. Maybe go drink a couple of cups of coffee or something and come back 40 minutes later and you'll be good to go. After that, it's just a normal boot process that you're used to with an ASA or a Firepower; it's pretty quick. So let's plug this thing in and jump into Firepower Device Manager and take a look.

All right, here we are at the Firepower Device Manager screen, and before we get started with this setup I want to just talk about the interfaces real quick. On the Firepower 1010, interface 1 by default is your outside interface, so that's what we're going to have plugged into our ISP. Then interfaces 2 through 8 are on subnet 192.168.1.0/24, and DHCP is going to be enabled there, so you can see the gateway is .1. You can see I'm connected to that right here in my browser, but I could also connect to the management interface that I showed you earlier, and that has DHCP enabled also, for the subnet 192.168.45.0/24, with a gateway of 192.168.45.45. So you can connect to that, get an IP address in that subnet, and connect to this same management screen here. Now, to log into this management screen, the default username is admin and the default password is Admin123. So we use that to log in, and it's going to pop up a EULA screen here to accept the base license, so just scroll down to the end and click Accept, and this will take us to a screen to change that default password. So again, the default password is Admin123, and then you're going to put in a strong password here. I click Change, and this will pop us into a configuration wizard that'll go through configuring a base configuration of that outside interface, NTP, and we have an option to start configuring our inside interfaces and our policy.

Here I've actually got mine set up behind my actual firewall, so I'm not connected directly to my ISP. I'm going to enter a manual address and then give it a gateway of 10.20.10.1. I'm not going to use IPv6, and then I'm going to use the OpenDNS recursive DNS solution for my DNS, both primary and secondary. You don't have to have Umbrella licensing to use these IP addresses; they're actually very fast, very good performance, a very good recursive DNS solution. Then I'm going to give it a hostname and click Next. This is going to go through and deploy this config on the device, and you can see there it takes about two minutes, so I'm going to pause the recording and we'll come back whenever this deployment is finished.

Okay, so that deployment completed and now we're at the NTP time setting configuration screen. I'm just going to keep the defaults here, use the default servers, UTC, so I'll click Next and save this setting. Last, it's looking at licensing. I could go to my Smart Account and generate a token and put the token in right here, and it would register this device to my Smart Account, but I'm going to go ahead and accept the 90-day evaluation period, because I'm going to show you guys how to register this device with your Smart Account once we've gone through this wizard. So I'll select that 90-day eval, click Finish, and then it should pop up a screen here to allow me to configure interfaces or start configuring policy.

I just want to show you here: if I click on this Interface button, it's got the information for the outside interface that I just configured. My IP address and gateway are going to be in there also if I hit Edit, so it's got that information in there. I click OK. You can see that's a routed-mode interface, but at the same time you can see here I've got my BVI for my data interfaces 2 through 8, and it has a default gateway of 192.168.1.1 for those. If I wanted to, I could come and change that for these interfaces right here. I could select what interfaces I want to be a part of this bridge group; I could create multiple bridge groups, maybe put interfaces 2 through 4 in one bridge group and 5 through 8 in another, but I'm going to leave that as is. But you can come down here, and I'll just show you, you can change the subnet. Maybe you don't want to use the .1.1, but if you do that you need to come here and change the DHCP pool as well. So change that to .2.2, and there we go. Let me click OK, and now you can see here we need to deploy that change. If I come here it's going to show me everything I'm changing with this deployment, and I can go ahead and click Deploy. So I'm going to go ahead and do that; I'll pause the video and then we'll come back when this is done deploying.

Okay, we're back here, that deployment's finished, and you can see my interfaces are now on .2.1. So let's move on. Let's go back to the home screen, and you can see here Routing: I can come here and configure routing. I've got my default route in there right now that we entered during that wizard; I could add additional routes if I want just by clicking the plus button here. I don't need to do that right now, but I'm just showing you that you can. And then Updates: I come here, I click Configure Updates, and this gives me the ability to set up some scheduling for my geolocation database, my rules database, my vulnerabilities database, and then my security intelligence feed. First of all I'm going to go ahead and start that security intelligence feed update, because we're going to need that for a policy here in a minute, and I'm going to schedule that to update hourly. My vulnerability database I'm going to schedule daily; we'll do it at about 1 a.m., and then I'm going to tell it to deploy after it downloads any updates. Same thing with our rules database: I'll go 1 a.m., and we'll choose to have that deployed after it's downloaded also. Our geolocation database doesn't update a ton, so I'm going to choose to do that weekly, let's say Sundays, maybe 3 a.m. There we go, Save. Now you can see here also it shows us the current version we're running for the FTD operating system, and we could browse and select an upgraded image and deploy that from here also. We're not going to do that right now, but that's where you would go to do that.

If I come over here I could continue; I could configure my backups. I'm going to go over here and we're going to enable a couple of features on the device right now. This is where we're going to actually register our device with our Smart Account portal here in a little bit, but for now I'm going to enable some licensing subscriptions. I'm going to enable the Threat subscription so I can get Talos threat intelligence, and I'm going to enable Malware licensing and URL licensing. Now, you can see the base licensing is already enabled; that was the EULA we accepted at the very beginning. And then I could also install remote access VPN licensing that is included, right? So go back here, you can see I could come configure site-to-site VPN, I could configure my remote access VPN. Now down here on the side under System Settings, a lot of this was configured during the wizard, but one thing like the Management Access I might want to come in here: I want to set up AAA, or even on my management interfaces or my data interfaces I want to come here and maybe select what subnets can connect in to manage, right? So let's say I come here and I want to allow my inside networks to connect in, but I want to limit it to a subnet. I could choose a certain subnet to utilize, and so right now I could come here and create a subnet. This is just going to create a network object, and we'll look at objects here in a minute; we'll go ahead and create one right now because we're going to need it for some policies. So we'll go there, and there's our inside subnet, right? So I could choose that right there, and I could create a rule that said you've got to be in this inside subnet to connect through one of our data ports for management. Maybe I create an IT subnet or something like that. So that's where you'd come to manage that management access. And you can see Logging Settings: I can come here and set up a syslog server and some different logging stuff, send malware logging to a syslog server, all that stuff. So that's where you'd come to do that.

But one thing we're going to actually do is with our DHCP server. You remember we actually changed our scope, and you can see that was changed when we changed our subnet, but the one thing we need to do is set up DNS to push to our clients whenever they get a DHCP address. So I'm going to go ahead and just use OpenDNS for that there too. I'm going to hit Save, and now when we connect a computer up it will actually get DNS. You can see I'm connected right now, and if I actually reset this connection... well, first of all, if you remember, we've got to deploy this config. I might have saved it, but that config's not deployed, so let's go ahead and deploy that and then we'll look at getting a new IP address. Now, one thing I wanted to show you guys that I didn't show you earlier is that this shows you what's being deployed in this deployment, but I could also come down here to More Actions and download this as text or copy it to the clipboard, so maybe I need to put it in a change ticket or something like that. Pretty cool feature there: you could put in exactly what you're going to push and deploy as part of a change. So I'm going to go ahead and deploy that now; we'll pause the video, we'll come back, and we'll renew our IP address and get that DHCP information.

Okay, we're back here. That deployment has been pushed and I should be able to come here and renew my IP address and get the DNS server information that we just configured. And there we go, you can see my DNS server information now. All right, so we'll go ahead and move that over and continue with this configuration.

Now, before we start configuring policy, why don't we go actually register this device. If I come down here and go back over to Licensing (we talked about this just a minute ago): if you've never registered a device, you're going to go to software.cisco.com, and you should have a Smart Account, so you'll have to log in. We've got two-factor authentication here with Duo, so I'll go ahead and send a push and authenticate. You can see here I'm going to go to my Smart Account, I'm going to go to Smart Software Licensing, click on that, and I have actually already created a token. You can see this token down here that I created for my Firepower 1010; you could do this just by clicking New Token and entering a description and the expiration date. I've already done this, so I'm going to go ahead and choose this token here, copy it, go over here to my Firepower, register the device, paste that token in there, and now I'm going to register. It should go through the registration process, register that, and then pull down my licensing. We'll give that a second to complete; I'll pause the video and come back when the registration is done.

All right, so we're back here. I've registered my device now, but it's still showing that I'm in an evaluation period, because if you look over here in the Smart Account that I registered to, I actually don't have any licensing. So I need to get that updated with the licensing. We'll give that a second to update (I put the licenses in there), and now it should pull those, but we'll see. Give that a second; we'll go ahead and continue on with the configuration and come back and look at that in a little bit.

So let's look at creating a few policies now. If I go over here to my Policies... but before we do that, actually, I'm going to look at Objects, because I need to set up an object before we start doing policies. You can see here under Objects I've got a couple of network objects already configured; there's the one that we configured earlier right there, the inside net. Then I've got a couple of ports that are configured here, port objects, and then I've got my security zones, my inside zone, my outside zone, and so on and so forth. But what I want to do here is go down to Geolocation. I'm going to create a geolocation object and call it geo block. So maybe I could choose some continents that I want to block here, right? Maybe I don't do business in Asia at all, so I'm going to choose that to block, and then let's just do Brazil, how about that; I don't do any business in Brazil, I want to block that. Let's choose OK. We'll use this on a policy here in a minute for geo blocking. You can see here, to use that, though, I'm going to have to do a deployment, so I'm going to show you that we can actually hit Deploy here, and while it's working on this deployment I could click OK and just continue working on this box. You can see here this orange dot will go away once that happens.

So if I click Policy, let's actually go start working on some policy. You can see here I've got two policies already in place: one that allows inside to outside and one that's allowing my inside to inside for that Layer 2 switching. But first, before we configure any access control policies, I want to go configure some security intelligence policies. Security intelligence is really cool; this is where the power of Talos comes in. If you're familiar with Talos, it's the largest threat research organization in the industry, seeing more data, more emails, with several white-hat hackers, threat researchers, and analysts constantly providing threat intel and enriching the data and the context on your systems if you've bought Cisco security solutions. You can see here it gives you a description of what this looks like: an incoming packet is going to be inspected by the security intelligence policy right away as it comes in, and if it's a bad packet we're going to drop it before we go to any other policy that we configure. So let's go enable that and look at exactly what this looks like. You can see known hackers, known bank fraud, known bogon, known bots, known CnC, crypto mining, just go down through here, exploit kits, malware, newly seen domains, phishing. We're just going to select all of these; this is threat intel that Talos has gathered, and we're going to add those to the block list. Now we're also going to do the same thing for URLs here, so we're going to select all of these right here. I wish there was a way to select all, but there is not; I have submitted that request, so we'll see if it gets added, maybe in a new release at some point. Go ahead and click OK, and now we are going to be blocking those packets that come into our device before we even see them with any of our other policies. So that is very, very cool.

We'll go over to our Access Control Policy now. You see that again, in order for that to take effect, we've actually got to deploy that policy, but let's go ahead and configure a couple of different access control policies right now. Let's just show you that we can go out and browse to amazon.com, how about that; let's choose a shopping site. We can go there, we can get to Amazon. So let's come in here and deploy maybe a URL policy, an app policy, a malware policy, and a geo block policy. At the top of our policies let's start with the geo block: we don't want anyone inside our network going to any of those locations that we put in our geo block, right? So from the inside zone and that subnet to outside, we are going to block. We want to choose Block here; choose Geolocation for the network, scroll down, and choose our geo block object. We're going to block any of this traffic. Now we want to log it, so we'll go over here to Logging and we'll log at the beginning and end of the connection. So we just put a block policy in; we'll put it at the top of our order there and click OK. Oh, we need to give it a name, so let's do geo block out. Now we've got a policy that's going to block anyone from inside our network from connecting to any of those geolocations. Let's do the same thing in: we're not doing business with any of those locations, so let's do a geo block in for those same locations. We'll block it, so we want to say from outside, the network is any of those countries, and we want to block it coming to the inside. We could just leave it as inside, but I like to be more specific, so we'll choose the network there. We're going to block that, and we're going to log it; make sure we log it if that happens. As you can see, I didn't choose the order here, so it put it at the very end of this access control policy. These are processed from the top down, so I need to move this up, right there; you can see we can just drag it and drop it and put it in order.

So we've got that. Now one thing you'll notice here: our inside-outside rule is a Trust, right? So if I come in here and try to edit that, I can't add an intrusion policy to that, an intrusion policy or even a file/malware policy. It cannot be on a Trust or a Block; it has to be on an Allow. So I'm going to change that to an Allow so that I can add a malware policy to it. I want to block all malware that would be coming in, and I want to do an intrusion policy here, so let's enable that intrusion policy and do balanced security over connectivity. OK, so we choose that, we click OK, and now we've got a malware policy and an intrusion policy on that inside-outside rule. You can see here, over here if I click on Intrusion I can actually look and see what all is included in connectivity over security, balanced security over connectivity, security over connectivity, and so on and so forth. You can see the balanced policy has 9,764 rules that are provided by Talos; if I went to security over connectivity, obviously we're choosing more secure, so it's going to have more rules, right? You see 14,000 rules there. And then maximum detection would be the most rules.

So we go back over here, we've got that set up. We've added a malware policy; let's go ahead and set up a URL rule. I'll call it url block out; I like to have the direction in my title. I'm going to have this going from inside; I can choose the network inside net, I'll choose that, to outside, and then we'll define a URL policy. So let's go ahead and say we don't want adult pornography, we don't want nudity, and then for the purpose of testing this let's go ahead and block shopping. So we'll choose shopping there. And you know what, I forgot to set my order, so I'll drag that up there in order, but I also forgot to set the logging on this. I want to log this; I want to know if I'm blocking something, so I'll go ahead and log that. I could choose to send that to a syslog server if I had that configured; I don't. So go ahead and hit OK there.

Then the last thing we'll do before we start testing is configure an application block. Let's block Facebook. You can see here, before we do that, www dot... so I can get there. Let's go from the inside zone network to the outside zone, we'll log it... oh, didn't mean that, OK. I need to go choose my application; we're wanting to block Facebook. You can see I can block Facebook altogether, or I could block Facebook comments, games, likes, messages; pretty granular there. I'm just going to block Facebook altogether, click Block Facebook, and I'm going to go ahead and hit OK, and I'll drag that into the order I want it. So now we've got those set up. You can see here we can click this little target icon here, and it pulls up and shows you the hit count for each one of these. Right now none of these have been hit, mainly because I haven't deployed it, so let's deploy that real quick. Hit Deploy, and we'll wait for this to deploy; I'll pause the video and we'll come back when it's done deploying, and then we'll look and see if we can block Facebook and Amazon.

Okay, we're back here; that deployment is finished. Go ahead and hit OK here, hit our target there, let's go over here and refresh this Amazon page and see if we can get there. That should block it; the refresh should fail. Same with Facebook; you can see those are just churning away. Let's get back over here and see if we've got a hit count on our policy. There you go, see, our URL and our app policy both got hit counts. Now you can come over here and you can see those pages couldn't be reached, so that works. So just some basic policies that we configured there; you get the idea of how to configure those.

Let's take a look at the monitoring piece now. I can come over here and get some basic system monitoring information: throughput, basically resource utilization. I've got my network overview; I don't have identity set up right now, so you can just see IP addresses, top destinations, URL categories, things like that. But you get the idea here: just some good monitoring statistics that you can get on the device. So this has been kind of a high-level overview of this device. I hope you enjoyed it, and if you've got any questions, please throw those in the comment section and I'll try to get back to you as soon as possible. Just wrapping it up here, we're showing you these event sections here. A lot of cool features on this box; a great box for using at branch locations. I'll talk to you guys on the next video. Have a good one.
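Two slips in the demo above are worth catching mechanically rather than by watching hit counts after a deploy: a rule created without choosing an order lands at the bottom of the Access Control Policy, where a broad inside-to-outside allow above it means it can never match, and a block rule created without logging produces no connection events. The following is an added example, not code from the video or from Cisco: a small Python model of how FDM consults the Security Intelligence block list before any ACP rule and then walks the ACP top-down, first match wins, with a shadow check and a logging check run over a constructed copy of the video's rule set. The zone names, the 192.168.2.0/24 inside subnet, the geo tags, the URL category labels and the 198.51.100.0/24 "feed" entry are all constructed for the example, and the coverage test is a conservative approximation of rule shadowing, not FDM's own logic.

```python
# Added example, not code from the video or from Cisco: a model of how FDM applies
# the Security Intelligence block list first and then the Access Control Policy
# top-down, first match wins, with checks for the two slips made in the video
# (a rule shadowed by an earlier, broader rule; a block rule without logging).
# Zone names, subnets, geo tags and URL categories are constructed for the example.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow", "trust" or "block"
    src_zone: str = ANY
    dst_zone: str = ANY
    src_nets: tuple = ()              # ip_network objects; empty means any
    dst_nets: tuple = ()
    geo: frozenset = frozenset()      # tags of the remote end; empty means any
    url_categories: frozenset = frozenset()
    apps: frozenset = frozenset()
    log: bool = False

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    geo: frozenset = frozenset()      # country/continent tags of the remote end
    url_category: str = ""
    app: str = ""

def _in_nets(ip, nets):
    return not nets or any(ip_address(ip) in n for n in nets)

def rule_matches(rule, flow):
    return bool(rule.src_zone in (ANY, flow.src_zone)
                and rule.dst_zone in (ANY, flow.dst_zone)
                and _in_nets(flow.src_ip, rule.src_nets)
                and _in_nets(flow.dst_ip, rule.dst_nets)
                and (not rule.geo or flow.geo & rule.geo)
                and (not rule.url_categories or flow.url_category in rule.url_categories)
                and (not rule.apps or flow.app in rule.apps))

def evaluate(flow, si_blocklist, rules, default_action="block"):
    """SI is consulted before any ACP rule; then rules are tried top-down, first match wins."""
    if any(ip_address(flow.src_ip) in n or ip_address(flow.dst_ip) in n for n in si_blocklist):
        return ("block", "security-intelligence")
    for rule in rules:
        if rule_matches(rule, flow):
            return (rule.action, rule.name)
    return (default_action, "default-action")

def _nets_covered(outer, inner):   # an "any" outer covers everything; otherwise inner must nest
    return not outer or (bool(inner) and all(any(i.subnet_of(o) for o in outer) for i in inner))

def _tags_covered(outer, inner):
    return not outer or (bool(inner) and inner <= outer)

def covers(outer, inner):
    """True when every flow `inner` could match is already matched by `outer` (conservative)."""
    return (outer.src_zone in (ANY, inner.src_zone) and outer.dst_zone in (ANY, inner.dst_zone)
            and _nets_covered(outer.src_nets, inner.src_nets)
            and _nets_covered(outer.dst_nets, inner.dst_nets)
            and _tags_covered(outer.geo, inner.geo)
            and _tags_covered(outer.url_categories, inner.url_categories)
            and _tags_covered(outer.apps, inner.apps))

def find_shadowed(rules):
    """(rule, earlier rule) pairs where the later rule can never be hit."""
    found = []
    for j, later in enumerate(rules):
        earlier = next((e for e in rules[:j] if covers(e, later)), None)
        if earlier is not None:
            found.append((later.name, earlier.name))
    return found

def unlogged_blocks(rules):
    return [r.name for r in rules if r.action == "block" and not r.log]

# Constructed policy mirroring the rules built in the video.
INSIDE = (ip_network("192.168.2.0/24"),)
GEO = frozenset({"Asia", "Brazil"})
geo_block_out = Rule("geo block out", "block", "inside_zone", "outside_zone",
                     src_nets=INSIDE, geo=GEO, log=True)
geo_block_in = Rule("geo block in", "block", "outside_zone", "inside_zone",
                    dst_nets=INSIDE, geo=GEO, log=True)
url_block_out = Rule("url block out", "block", "inside_zone", "outside_zone", src_nets=INSIDE,
                     url_categories=frozenset({"Pornography", "Nudity", "Shopping"}))  # log forgotten
app_block_out = Rule("app block out", "block", "inside_zone", "outside_zone",
                     src_nets=INSIDE, apps=frozenset({"Facebook"}), log=True)
inside_outside = Rule("Inside_Outside_Rule", "allow", "inside_zone", "outside_zone")
inside_inside = Rule("Inside_Inside_Rule", "allow", "inside_zone", "inside_zone")

# New rules land at the bottom of the ACP unless an order is chosen, so the broad
# allow hides them; FIXED is the order after dragging the block rules above it.
AS_CREATED = [geo_block_out, inside_outside, inside_inside, geo_block_in, url_block_out, app_block_out]
FIXED = [geo_block_out, geo_block_in, replace(url_block_out, log=True), app_block_out,
         inside_outside, inside_inside]

SI_BLOCKLIST = (ip_network("198.51.100.0/24"),)   # constructed stand-in for a feed entry
AMAZON = Flow("inside_zone", "outside_zone", "192.168.2.50", "203.0.113.10",
              geo=frozenset({"North America"}), url_category="Shopping", app="Amazon")
```

Against AS_CREATED, find_shadowed reports the URL and app block rules as hidden behind Inside_Outside_Rule and evaluate passes the Amazon flow on that allow rule; against FIXED the same flow is blocked by url block out, and unlogged_blocks comes back empty. Running these two checks over the pending rule set before clicking Deploy is cheaper than noticing a zero hit count afterwards.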
Info
Channel: Aaron McDaniel
Views: 14,180
Rating: 4.9731545 out of 5
Keywords: Firepower, Cisco, FDM
Id: cqD_--e77LY
Length: 37min 53sec (2273 seconds)
Published: Fri Jul 17 2020