FMC 101: A Network Administrator's Perspective

Captions
already popular demand the FMC 101 this is going to be focused on the latest version of both firepower and firepower Management Center version 6.2 and you know have a look at the YouTube but note I break down kind of all the things that we're going to cover during this one-hour session but before we kick things on up I just want to review this topology that we're going to be using and you're going to see this reference throughout the the video in certain areas feel free deposits have a look references to what I'm doing on the interface and it should help give you a deeper understanding of exactly what we're trying to accomplish so if you have a look at the the orange switch for example this is where our dmz is going to hang off of them we're going to have a web server we're going to do some static map there the purple switch is actually a layer two grouping of devices where we're going to actually put policy in place and we're going to VLAN stitch even though they're all on the same layer 3 network we're actually going to stitch the two hosts together because they're both on separate VLANs and that's how we're going to enforce policy we have a span session for the blue device there we're actually going to just pop a port and monitor all the sessions the green switch is the inside switch with a host on it we're going to do dynamic map there some Active Directory Integration and then we move over to the management network where we've got a you know a active directory it is a management side as well as Cisco's fire power user agent to give us integration with user to IP mappings so we can do a course management in fire power itself so so reference the the diagram as needed pause the video at any point in time but let's get this started so FFC 101 really focused on the network administrator so again there's the topology we ran through it but the idea is that we'll reference this throughout the the video and and if you have any questions you can always just refer back 
to it so the first thing we're going to do so I've already deployed the OBS I'm using a virtual infrastructure here to do this scenario and I already have deployed the OVF for firepower threat defense as well as firepower Management Center so once you do that there's a basic setup and it's fairly basic and has other videos that show each one of those steps but it's just basically you're going to give it an IP address and bring it up and at that point once you do that then you can connect to the GUI and finalize the configuration for the base setup so as you can see here IPs were already there but we're going to add some post me DNS information we can also go through here is add the updates I'm not doing that in this session but you can certainly schedule updates as needed I'm really focused on getting the box the core box up and running and passing traffic so we have policy in place and doing the certain level of inspections so here we're picking a time zone and we'll hit apply so throughout the video itself what you're going to notice is I or you may not know this but the idea is that I fast forward certain areas that take some time so when you hit the apply here that takes some time to crunch in this case I'm jumping to the the next-gen firewall or some may call it a sensor and I'm actually configuring the manager so the the box that we just configured was the manager and now we're on the next-gen firewall and configure manager add the IP address and then a a key that we're going to use to establish a secure connection between the devices and obviously that way we can authorize the device as well so in our case were using Cisco one two three so this is all pre-configured and I really didn't have to show this part I could have done this as part of my my finalizing the setup but I wanted to show you you that it's a fairly clean installation and and how easy it is to ask the manager so effective and at that point the box comes up we now have the device the next-gen 
firewall or sets are pointing to FM C but we haven't allowed it on the fire power management Center but first we're going to an evil smart licensing so it and in our case we're just going to use a 90-day vela evaluation sorry you can also go and register your smart licensing and there's lots of videos on YouTube in regards to the steps that are required for or to enable smart licenses so we have that next-gen firewall trying to connect to SMC but we have to add the device itself so here we go we're going to add the device we'll give it a name we'll put in that key that we mentioned earlier Cisco one two three we could put it in a group in our case we're not going to do that and we'll apply an access control policy now we don't have one created so what we're going to do is create a very simple policy we're just going to enable network discovery at this point in time and then we'll come back to it we'll configure it it is a manner of which that we want to deploy the policy itself we're going to enable some licensing and I'll probably get an error here because see IP address there it is the IP address is I forgot the the dot between one and two five three and now we'll hit register now again this will take some time right and when I take time of talking minutes right so this will establish it's a one-time setup once it's done it'll come in and again the device should show is great now and look it may look in the video that it went fairly fast but I just quickly paused and then came back to it so now we can see it's green so that's fantastic now we've added the device right so now we have the ability to start building your policy so again here's a rest is back to the topology that we're using and we're going to go back now and add a couple of interfaces because by default the firepower threat defense OVF or virtual instance only comes with four interfaces and as you can see we have a couple that are required for the inline set right so where we're going to do layer two 
VLAN switching between devices now that that could be a series of devices that talk to a router and we would just move the router spi for example into a different VLAN and we stitch it together or it could be a still a layer 3 network where we break it up where we have a weft here and asked here in a DMZ tear and we build policy around that so we're going to add a couple of interfaces here I'm adding them to the proper network that I've built already and this one here is going to be a passive interface and what you're going to see here is I'm just going to grab I've got a network here that's already capturing all the VLANs it promiscuous mode so we're good we've added them fantastic right now we've got some additional interfaces but in order for the virtual machine to to leverage these interfaces we're going to have to reboot the the box itself and and then we'll have a refresh now again if we're going to reboot the next-gen firewall that does take some time for it to restart as well as in a minute you're going to see I'm going to go in and refresh the interfaces in the meantime we can still use the platform right it's still fully available to live so what we're going to do here is we're going to create a platform policy that's specific to the devices themselves so what this allows us to do is again you're going to see this throughout the video is fire power management Center empowers you to create object like things throughout the platform so whether that's an IPS policy a malware policy whether that you know identity or our platform policy you build up these you add the elements that are that you are interested in and then you apply to multiple devices or a single device for that matter but but for most cases it's about you that are creating once and using many and here I'm just going through and just showing you a couple of settings right secure shell that's a TP time synchronization etc now now that that is applied we still have to deploy we're going to come 
back and stages throughout the series or this video and we're going to deploy through us now again that initial interface and we're rebooting the the next-gen firewall that we when we added those interfaces we're still using the platform the manager right so what we're going to do here is we're going to create a couple of objects and these objects are going to reference the topology that I showed you earlier where we're going to grab things like the inside Network the DMZ Network the host which is a PCI environment as well as other objects of interest now we're in this case I'm just using single objects right but you can also group these objects together and if you look on the left side what you're going to see on the left side is you know the network core interface tunnels own you know geolocation variable set security intelligence sync holding you name it you have the ability to create objects and then use them through the manager itself whether that's in policy or other you certainly can leverage them right so for example you create objects and leverage them in search right so it's quite powerful because you know it saves the admin some time from how you could always go and recreate things right so for example you could be a Coliseum we'll see this later on in the video and you don't have an object created you don't have to jump out of here or out of access policy that you're building for example and then jump into object create the object go back to you can actually create them within the active policy itself so we should be getting close this is probably a you know one of the longer tops of doing but obviously fairly a trivial it's just a matter of capturing the objects giving you a name based on whatever naming convention you come up with and and be done with this so here's a you know that's the VLAN fifteen host right so these these two hosts that we're going to create here are part of that inline set where we're going to fit two meal and fifteen and sixteen 
together even though those hosts are on the same network all right so we get a bunch of objects created fantastic okay so let's go back to that device manager and let's have a look care devices up let's go into interfaces and then we're going to refresh this and what's going to happen again this takes a little bit we're actually going to program the device and now we're pulling those interfaces that we just added now that we have them will save them out and now we're going to go through and to figure the interfaces based on the topology that we create it so we're going to create a outside network and enable right make sure that you'd enable that interface okay now what we're going to do here is build out the outside zone so this is an example of where object doesn't create it isn't available but we don't have to go to objects tab to create it and I'll show you later we'll go back in and we'll look at those zones that we've created here right so give it an IP address in our case that's all we got to do here and I did a typo slash 24 right so if you could certainly use you know variable length subnet masks here you know the day of where you could do that is obviously long gone but but here you can do that like slash 24 or 32 or whatever bit count from us up meant perspective that you want to leverage and any time that you seem to make a mistake a lot of times the box will turn red so you'll know exactly where you've made an error so we've got the inside outside now dmz right so these are all layer 3 interfaces right we're going to use them is if we're going to route between them we're going to create that policy where appropriate we're going to have access control policy with maybe some additional advanced stress now in this video I didn't get into security specific items like configuring IPS even though you can create a base template with two seconds I didn't show that nor did I show things like malware policy again very simple and trivial to create but I wanted to 
focus on the network administrator right and those elements if if you like could be contributed to more of a security centric focus or a security administrator themselves right so I just I kept those two pieces out again I've got lots of youtube videos on how to do each one of those tabs and again they're fairly trivial so here we're going to create the inline set melt now we're going to create the two interfaces here but that's it so you can see there's IP v4 v6 but we're not touching any of that right so all I'm doing right now is just giving it a name so I can reference or know what the object is later on even though you know I can all probably look at the interface but so I've given it a name we're not touching any of that stuff we're not changing the mode right so now that we have it we'll save it and we will jump over to inline set so while I was talking to you may have seen that we already created the passive interface so that bottom interface the very last one we created a passive zone and we actually selected a passive in regards to the mold so this is where we can put our tap in and this is up and running at this point right this is available so here we've created the inline set just double check here we'll look at the advanced you can see there's tap mode propagate link state tcp enforcement and then there's some snort fail open capabilities there we wanted to to leverage those we'll go back to that interface and we can see now when we go into it that it's changed right we've removed all the IP stuff right so let's create a zone just a weakened leverage a zone it within policy later on so maybe we'll just simplify this and call VLAN 15 zone and then we'll do the same for VLAN 16 except we'll call it VLAN 16 zones and like it says that gig 0 5 you can see that we create the passive interface okay save this Oh looks good and let's just jump over here to object and ensure that you can see the object so we're going to break down each one of these just so you 
can see them but you can see you know the device that's coming to that object in arcade zone or security zone and you could you get to see the interfaces so so seeing or to them alright so we're going to hit a deploy and the magical wonders of video is going to make this goal obviously a lot faster than typical deployment roughly a deployments about a minute and 40 seconds so but it can vary depending on what you're pushing and how much you're pushing there's obviously a sanity check that that happens when it when it pushes policy so you know if you add something configured in a wrong well we'll give you a message letting you know what that might be so here we're going to create a nap policy and again we associated as the device that we're interested and we're going to use dynamic now here right and what we're going to do basically is go from the inside to the outside and we're going to translate the inside network to the interface IP address on the outside and that's it now you have Matt up and running there's a couple other advanced settings that you could leverage but in this case that's it and once we push this we have Matt keep abilities but sorry but so what we're going to do first though is in order to get outbound we're going to have to add a rep right so we can not only like but once we get into the external Network it's not going to know necessarily how to get to the default gateway right to the Internet so you know there's a lot to ask there's rip bgp multicast you can a multi-process these with OSPF like you know traditional a sa but in this case what we're going to do is on the outside interface we're going to use any you know network and the Gateway is two one two forty five got one in my environment we're not to do any road tracking and now we can route to the Gateway and items beyond the the external Network we'll know how to get back to us and we'll know how to get out to that right so quick view of the topology you can see all the interfaces of 
turn green if you missed that you can certainly cause that any points go back oh so now we'll go and create a couple of quick rules right in our case we're going to create a monitor URL rule you can add rules here you can add rules up on the right as well right so here or add category right or you can go up and just hit as usual at the top four add category so it looks fairly convenient but we're going to create that monitor URL as that monitor URL is going to allow us to monitor all URLs but the monitoring action itself is actually going to do exactly that monitor but allow us to hit the next policy in one great so just because it matches this policy it doesn't end the the access control hierarchy process right and we're going to start at the top and if it's longer we'll go to the next policy if it is something like an allow then once the match is hit the matches head so we give it a name will change the action to monitor we've got the inside Network right now we'll go to URLs and in our case we're just going to grab a couple of items here so we're going to say any except on category on categorized all reputation and then on categorized as well but it really doesn't matter once we start capturing the URLs it's going to capture regardless of the category here we're going to do an or we're going to create an arcade threat inspection so we're going to allow the flow from inside to outside and we're going to add the inside network for example and then we're going to create we're going to add an inspection so the Assumption here is is that we're using the default but the assumption here would be the Security Administrator may create these policies already for you right so the IPS policies they develop as well as the malware policy and then you would just attach it based on the requirements so what we did from from that initial screen and we'll come back to it as we pivoted to the objects screen instantly to change some of the variables that we have in place right so 
we're going to reference some objects that we've created like the DNS server right and I'm not going to go through this and extensively create all of them but but you get the idea right we have it for home networks we've got our inside network or DMZ Network you could also add you know the PGI environment for example but it doesn't well it does matter because what you want to do is ensure that we understand where in the environment these asset sits so we can make better decisions in regard to threats coming in and what they mean to you right a lot of times the threat will come in and it'll be a Linux and Apache attack for example but you have no idea whether the asset on the other and is prone to that type of attack so we we simplify that by understanding possibly your environment and and can make sense to give you an impact level now you may have seen real quick a whole bunch of policies got created because I've isolated my environment I didn't have DMS setup so when I went into security telogen I did have the feeds completely there yet right because a fire power management Center couldn't go out to the Internet yeah and what I've done is I've done it later on in the series and then just obviously ended this video to fit it in here so disregard the extra stuff that you saw there it was just just showing you how to add security intelligence about a block no bad IP addresses as well as no bad URLs now we've jumped over to network discovery now this is very very important and really a differentiator right this is where we're going to say what assets within our environment our assets of interests that we want to discover certain things about them in our case we're going to discover hosts users and applications that could be associated with certain networks in our organization and the reason why this is important is because we want to be able to truly understand that threat and the asset that's being targeted right we want to be able to give you an impact score that is 
meaningful and in order to do that we need to assess the environment to understand what we're protecting so that's great we have that I'm going to add ipv6 here and I'm just going to look for applications I don't care about the hosts of users because in my environment and like many others maybe we don't have ipv6 running or we think we don't and we want to know capture banner is just going to give higher levels of stability in regards to the access users tab that you just saw there are protocols that we can pull user names up right so IMAP or or LDAP for example we can pull because they're the user name or FTP right we can pull those user names how does the packet because you're in clear tax and associated with the access here we're going to deploy the policy and we're going to kick it off here fantastic and you know as like many other time so you see a minute sex minute next few seconds that it cooked to deploy obviously I've got practice there because that was way faster than a minute and now let's just see if we can get into the internet and top it so we know DNS is getting it we know our inside network is getting out we can quickly go and look at some events and we can see that there's a bunch of events coming in as we speak and if we look at the asset we can see that we've discovered a Windows seven asset we're going to go in this and detail through the video itself as we're you know building a certain element and then we're coming in and testing it so if we come in here and if we so we've gotten out to the Internet with no issues but what if we try to go to the DMV directly what happens now well the answer should be you can't get to it because we didn't build any policy to allow them we have a default block policy apply to the access control rule right so anything that doesn't match above it is going to get dropped and anything in our keys is anything allowed is really from the inside to the outside zone so what we're going to do here is well we'll go through 
and obviously we're going to build these policies as we go along and we can see some of the things that we're pulling down we could see the blue indicates the blue around that little computer indicates that we profile the device so the 2:44 dot 100 device we profile as well as many others as time goes on right all right so let's go through the access control policy and build a policy so we can get to that VNC server in our case we're not there is no need to map rights or come from the inside network into the DMZ and then the DMV will provide us a response page and again no matting required so again inside to dmz right and we're going to take the inside network and we can be very specific here we're going to use the dub dub dub serve one object for the server itself and you know what let's just use HTTP here right as far as the application is concerned and really restrict it even further and again this is an example I only have HTTP running all I did was create a you know a boon to box with apache on it and using the default pages right just to show that that there is a web page now this is where you could add additional security in our case were again using the default and adding IPs now if we assume that the security administrator has already developed these there would be a custom one specific maybe to the flow or going into this entire network race well deploy that policy and then at some point we'll come back and we'll we'll test it and make sure that we can actually now get to that page all right and you can see here the health with interface status we're showing you that we're not seeing packets on interfaces and as we don't you can have an alert that is generated and you can see it very quickly look at that we're back and we can get to that web server so that takes care of the inside to the DMZ the inside to the outside we've done the span interface we've done that all up to this point now what we'll do is let's let's create a little more complexity so to 
speak where we're going to rate limit application so let's just quickly check in will go to BBC comm and you can see that is you know fairly responsive and remember this is my home environment so I've got decent stuff but I don't have the same stuff that you have in a data center right so you can see that we we've got to BBC I'm just going to flush the DNS here just so there's no residual that's saved or cache and let's add a policy now again this cue QoS policy is almost like an object right I can create it modify it and then add the devices to this policy as I see fit so well add a rule and this is going to be a fairly simple rule inside to both sides right we got we grab this networks that were of interest and we're going to grab the BBC application so let's grab that insight network at it as a source and we're going to go anywhere and let's grab the BBC application there we go right there's some other things there that we might want to do you can do download upload but you can also be very sis if you hit the advanced and say you know download I want X and upload I want Y right in our case I'm going to keep them the same it's pretty much going to make this application unusable alright so say okay save that build and then again we'll deploy that Beltway or that policy now you don't have to deploy as often as I am here you could do multiple different steps along the way so you can add a little bunch of different elements the reason why I like doing it in stages is I have the opportunity to test the policy as I move along so here I'm just going to quickly clean our clear connections to make sure there's no residual there right no open connection currently in play we'll let that policy push and again a minute or so that policy should be deployed and then we can test the actual application and see whether or not we accomplish what we set out to do right and basically in our case is all about it's all about making this app unusable right okay so now what we're going 
to do is until people don't realize this so this is looking at connections without teach detail but you could look at the tableview connection event and this is where it breaks up into obviously a table form you can see there's tons and tons of things here and I can add or remove any elements of my choosing right so when I go through here I'm going to add a bunch of QoS specific parameters right because in our case that's what we want to look at but I can build these out I can say the bookmark there's lots of different things that you can do but there's no shortage or shortage of capabilities when it comes to searching now you'll see this throughout the video itself right so there's that MSN came up fantastic right pretty good BBC so we know we resolved let's see and the circle goes round and round right so let's just have a quick look at the logs itself and we'll do that by searching or leveraging our search capabilities and what we're going to do is we're going to search based on the application or the web app called BBC perfect okay so we can see that we we've got a bunch of hips here we know it's allow so they can get through we can see HTTP there's BBC so we see the web application itself we scroll over and we can see the QoS rule that was hit and the QoS policy and finally we can see QoS is drop packets there so fantastic that we achieve what we set out to do and now we've got rate limiting taking place so you know we're a few halfway through the session we've got inside outside inside EMC we've got rate limiting now let's have a quick look at troubleshooting we've got a couple of things done at this point time we know people are interested in you know the troubleshooting capabilities of the platform so let's just touch on those a little bit great so you can see I want to do device itself and then I went to the little wrench and then into advanced and and now we have a packet tracer now people that know the traditional a sa know about this tool right is be 
able to come in here simulate the traffic and see what policy it may hit or trigger right and that could be whether that's an access control list that could be an app policy etc we're going to highlight each one of those phases and let you know where the issue may lie right so we might say whether it's a path but we'll also say this is where it's salient right and it's pretty handy so you can see we can pick source port here in my case we're just going to grab an upper layer pork for example and we're going to use port 80 and we're actually coming into what will be that webserver itself okay and as you go through you can see some areas say allow some areas they drop but you just scroll down and at the bottom you can see it was an ACL drop right so it was based on there was no little to love it now there's two things happening here the first one is we haven't created any static Matt rule for the DMZ servers so that IP doesn't even exist right and when we come in here we're going to do a packet capture you're going to see that again we're going to actually go to a host and the host that I'm actually using here to connect the firepower is is on the outside Network right it is part of the management network but it is on the outside of the apology that I showed you and we're going to connect to that web server and you're going to see that we're going to get no packets because that IP address like I said doesn't exist so now we have this packet capture it's running at this point time and this includes packet trees all in one now you can turn off the trade portion if you choose to but in my case I want to see it because I want to know where the actual packet maybe drop it and what's causing the draw you can also download this packet and look at it in white or shirt okay so you can see that is you know we try to go to that web server turning and turning and turning and turning it timed out and we'll pause this and you can see there's no packets being refreshed below right 
because we're not capturing into so in order to do that we're going to have to create a policy right and and we'll do that right but before we do that we're going to quickly show you how you can jump on to the firepower threat defense next-generation firewall flash sensor those tools the mains are interchangeable or a lot of times and we're going to do a capture process here and we're going to see real-time you know we can look at you know the router itself right the passive interface or the inline set so here this quickly kills the passive zone you can see some spanning tree protocol stuff happening and we'll hit the one which is the rubber and again we're not seeing anything and the reason why is I only have one host and there's very little communication from the inside to the outside so we're not seeing anything traverse it so let's just quickly log into this box login is that HR user remember we don't have Active Directory Integration yet but we're going to do that all of that's going to be part of this one-hour session so now we hit Google and you'll start now starting to see the stick at the packets come in right so fantastic great so we see that that's good and what we'll do now is we'll go to that access control policy review the diagram so we're going to take that orange server and we're going to now publish it to the internet so we're actually going to jump back to Mac first and we're going to configure the NAT policy now I jumped to access control but you have to remember first we need the NAT VIP I mean we could have created the access rule but the reason why is a lot of times some are not a lot of times some people come in a crease in that rule and they'll think that okay well I'm not again why I can't get to that box and the reason why you can't get to that box is because you still need to create a rule to allow access right from the outside in so we're going from DMZ to outside we're translating the source network dub-dub-dub serve one to a new 
object that we're going to create called www-serv1-ext. We're going to add this as two-one-two-forty-five dot one hundred, and it's a /32, and we'll select it now that we've created it. Again, we've created an object without having to go back and jump into the Objects tab, because we did it from here. We'll add HTTP on both the original source port and the translated source port; we're not going to do any translation of the port, but we could have said, you know, 8080 for example and then translated it to 80, or vice versa. So there's the rule; we save it out. Again we could deploy here, but we also need that access rule, so we're going to quickly create that access policy. In my case I'm building these policies, but I'm not following any real standards-based naming convention; typically you would certainly create a naming convention that's meaningful to your organization as you build these things. So here we go: we're going from the outside source to the DMZ zone, which is the destination. We're going to grab the networks of interest, so we'll scroll down and grab the actual IP address; we're not going to grab the NATted IP. We're going to actually do this based on protocol, so we'll do it based on HTTP. Fairly simple rule. I'll add some logging just for being able to see the connection events come in, but what I have to note here is, if you do additional inspections, you don't need to log every single packet. So again, use it where appropriate, but you don't have to turn it on, for example, just to get an IPS trigger; if you have IPS enabled we will generate an event regardless of whether you're logging the connection, and you end up optimizing the platform even further. So let's deploy this. Again this takes a minute or so to fully deploy, and in the meantime, sorry, once we get that set, we're going to go back to troubleshooting, and what I want to do here
is finish, or close the loop on, the original troubleshooting packet capture that we did earlier. Remember we weren't seeing any packets, so I just want you to get full visibility into the capability of the capture itself. So now we'll turn it on and we're going to try to get to that site, and you can see here we're using the actual external IP address, and look at that. So we know NAT's working, we know the access policy is working. Let me pause this and we should start seeing the results show up below. We can then go through and look at this; we go okay, make it full screen, and you can now go through and see where un-NAT, access list, it may go to Snort for additional processing, and it will tell you what the results were in the Snort processing, IP options, again the flow creation, any additional inspections. There's the Snort process; there it was passed, and then the ultimate action at the end is allow. So we passed, or we made it through, all the other inspections and obviously get the web page up. So we're good here.

Now we've got lots of pieces working, let's close the loop on that inline set. This is where we're taking VLAN 15 and 16, which are part of the same layer 3 network, and stitching that flow together. So currently, if we go in and look at the hosts themselves, they wouldn't be able to ping each other, and the reason being is because they don't have an access policy stitching them together. In our case we're using a physical connection to stitch the flows together, but we also have the ability to VLAN stitch, logically taking an interface and then stitching it together. So here we're going 15 to 16 and 16 to 15, so it's bidirectional; we don't care in this case. We're just going to do an ICMP allow, and that's the only traffic in our case, but this could be a specific PCI application that you might want to control. So allow this, and it's an allow policy, so we have the ability to, you know,
add additional inspections if we chose to do so. In our case we're not going to do that; we're going to move the rule up a bit, and we'll add that rule. Now that we have that rule we could deploy the policy and then test to see whether or not we're seeing any flow, so the result should be that we're able to ping the devices on either side. In our case you can see we're still deploying the policy, but currently we cannot ping anyway, and there are two reasons for that. One is the inline set isn't fully in play yet because we haven't built policy around it, and the second thing is, as you'll see after this, that I have the Windows firewall enabled. So policy is now pushed, we're still seeing it drop, so we're going to come in here and disable the firewall on Windows. I'm not recommending that you disable anything, but in my case I don't care; this is a lab environment for one, and I don't want to go through and just tweak it for ICMP traffic. So you can see there, now I can ping from this side, and again once I do this on this side the other side should start seeing success as well, and here we go. Fantastic, so just like that the inline set is working. So that purple network is done, we've got the DMZ, the orange network, completely done, the blue completely done, the green pretty much done, but hey, let's do a little bit more.

So now what we're going to do is actually integrate with Active Directory. The first step in this is that we're going to add a realm, and that realm is going to be the Active Directory domain. We'll add some credentials; you don't have to use the administrator username and password (I am in my case), but you could use a subset, a least-privileged user, which would be recommended in most cases, but in my case I'm just going to show you how quickly we can get this up and running and integrated and fully working. So we added the domain, cisco.new, and then we're going to add the base DN and the group
distinguished name, so in our case it's DC=Cisco,DC=new, and that's the same for both. You could test here; I'm going to test this in a second. So that's great, now we have a realm that's available. Again this becomes an object that I can use later on. So here are our settings, just if you want to reference them; you can also tweak some settings in here if you chose to do so, and at any point you can come in and test. Now we'll go back to Directory and add the actual domain controller itself; in my case I only have one. You can also use encryption if you chose to do so; in my case I'm not. I'll do a quick test and it succeeded, fantastic. I'll say OK, and now I have the directory, so the actual domain controller's at the root configuration, and now I'm going to download the actual user groups of interest. In my case I really only care about Sales and HR, but you can add a couple extra if you chose to do so, if you want to build policy, but you don't need to add all of these; in most cases you're not building policy around every single group object that you have within Active Directory. So there we go, we've got Sales, we've got HR; let's add Domain Admins for fun. We're not actually going to use that, but what I wanted to do was show you that you can certainly add multiple different groups to this to include, and you can also do exclusions as well. So now that we have it configured, what we'll have to do is actually click Enable; if you look at the State, just go to the right side of that and that will enable it. Then for my case I'm just going to download, just to make sure I have the groups, and you can see here three groups are downloaded, great, and in the task list three groups and three users. So the three users will be sales1, hr1 and the administrator, and each one associated to a group, obviously. So now that we have the realm configured, what we want to do now is get the user-to-IP mappings, and in order to do that
we use an agent, and that agent would pull the event logs, the security logs, to see logon and logoff events. So we've got that configured on the Firepower management side. Now you can install this on Windows, you can install this on multiple versions; it doesn't have to be the domain controller, it could be a member server, it could be a workstation for that matter. In my case I've got it on Windows 2012 R2 and I'm configuring it as a member server. So I'm going to come in here, I'm going to add Active Directory and connect it, and then once this is complete I'm going to move over to Firepower Management Center itself, sorry, the Firepower Management tab, and add the IP address of Firepower Management Center. Once I do that, now I'm pulling user-to-IP mappings, and because I have two interfaces on this network I'm capturing the one that I'm interested in, which is the interface that I selected. So this is where, again, I'm adding the FMC IP, so that's the .170; that's what we've been connected to this whole time while we were building out our configurations. It will save this, and it will be available throughout, along with any exclusions that we might have, and you can see here it's pretty nice and green, so we can visually see very quickly whether or not things are working.

Now what we have to do again is create an identity policy. We can do active or passive authentication; in our case we're just going to use passive, and today we use the Cisco Firepower User Agent. Tomorrow, what you'll be leveraging in most cases moving forward is what we call Identity Services Engine, and you can use that if you purchase the product, or if you want a lighter version there's what we call the Passive Identity Connector, and again it's ISE, but it's a subset of ISE; it's still a full version of ISE and you can leverage it, but that's what we're doing moving forward. Now you can see here we created an inside and outside and DMZ
and then we added that domain that we selected, so that's great. Now when we come in here I'm going to show you something that people sometimes miss. They'll come in and they'll build, in our case, the HR policy. Now that we have the identity policy created we should be able to start leveraging users right from Active Directory, so again this is an access control list with multiple rules in it, and in our case we're creating an HR policy, inside network to any. So basically what we're saying is HR is allowed; we're going to move it up a little bit, enable some logging, and then we're just going to go to the Users tab. But the thing here, and you can see the little yellow icon beside the Users tab, is that means we forgot to add the identity policy. So no worries, all we do is just add the policy. You can see now we've superseded some lower policies, because this overrides them now, because it encompasses all the ones below, but that's all we have to do to add it. So now we've added the identity policy that we created, we'll go back to access control; we could have just done that from moving over to the tab, but I chose to go to the top and come back in here. Now we should see the Active Directory that we created, or the identity that we created, and now we have the HR group. Save it, and you can see the policies under that have got rid of that yellow warning light. In our case we're going to copy and paste this and then we're just going to modify it, so in our case we've got the HR user that's allowed to go anywhere, and then we're going to have the sales user blocked from going to the DMZ server, and then we'll have them allowed to go anywhere else, but this will obviously be higher up in the chain. We'll have to remove the outside zone, so inside to DMZ we're going to take Block, we're going to get rid of the HR user and now we'll add the sales group (sorry, I should have said group, not user, but we could have
selected a user). All right, now we'll copy this, and for the rest of this we're just going to allow them inside to outside and it'll be full access, but it will be based on the sales group. So get rid of the DMZ, add the outside, users should be good, yeah, sales, fantastic, and we'll just add the logging the same way, and then we're going to deploy.

So we're coming to the end of the session here. This will deploy; here's the HR user, we'll quickly log in, we'll make sure that the HR user can go to both sites, meaning outside as well as the DMZ, and then we'll quickly do, in our case, a reboot and I'm going to log in as the sales1 user. So there's the internet, you can see MSN there; now we're going to go to that DMZ server, which is internal to us, so that's why we're not using the external IP, and we're good. Quick reboot, we're going to log in as the sales user and do the same thing, but the difference should be that they get to the internet but they cannot get to that DMZ web server. All right, so there's the web page, there's MSN, and let's go to the DMZ server. Thanks, Internet Explorer, for letting me know my browser's out of date. You can see that we're spinning now; I could have also added an interactive block that gives the user a message, but in my case I didn't give them anything. So let's just look around here, actually; you can see some things in the connection events, you can toggle between them, you can also look at users, what user data we're pulling, and we can also use search. We can look for a specific user connection event and see whether or not we see that block action. So let's look at connection events, and you can see the amount of search capabilities and attributes that we can leverage here. We're going to do sales1; I could save this as a search, for example. Many times we see this with things like DNS sinkholing: you want to know all the elements that were sinkholed, you create an
object fairly quickly. So we can see that we've got some blocks here, we can see the sales1 user, we got that through LDAP. If I click on the actual asset, so this is the responder, this is a web server, this is the profiling I was talking about earlier: you can see that we've seen it as Ubuntu and it's running Apache 2.4.10, again all the ports, where we're trying to associate threat to the assets. If we go back and look at the asset that the user is connected to, you're going to see that the user is associated to it, the version we picked up as Windows 7, and there are the applications that are currently running on it, and other users that may have logged into that asset. So there's hr1 and sales1, so if that was an asset that should be leveraged as a shared asset, we would certainly know that other people were logging into it. Anyways, that's it for this session, thank you.
Info
Channel: Jason Maynard
Views: 8,040
Keywords: FMC, Firepower Threat Defense, Firepower Management Center, FTD, FTD 6.2, FMC 6.2, Cisco Security, Network Administrators, NGFW, NGIPS, Threat-Focused, Threat-Centric
Id: _ml_6EviEH4
Length: 59min 17sec (3557 seconds)
Published: Mon Mar 20 2017