FMC 101v2: A Network Administrator's Perspective on Steroids

Captions
[Music] Firepower Management Center, FMC 101. This session is focused on deploying Firepower Threat Defense using Firepower Management Center. The version used in the session is 6.2, and we build out this topology from start to finish in the session. This includes the following: an outside host, the scary Internet, Firepower Threat Defense on the Internet edge, a management network with Firepower Management Center, Cisco Firepower User Agent and Active Directory (this includes users and groups). We also have an inside network with a couple of hosts that are part of AD and are leveraging a dynamic NAT to get outside to the Internet. We also have a SPAN session tapping the network passively, and we can build policy; again, this is running at the same time as the rest of the configuration. We have inline sets, where we may have a control point between a couple of assets in the same layer 2 network; in this case we are using a virtual switch and I have two port groups, VLAN 198 and VLAN 98, that create the inline set and allow for policy and additional inspection. We have a DMZ with a web server that is going to do static NAT, so we're going to offer this service not only to the internal hosts but also out to the Internet, and we're going to do this all within an hour and a half from start to finish. Okay, let's build this and have some fun.

So all I've done up to this point is I've deployed the OVF file, but no configuration has been completed; I've done the base OVF deployment and that is it. First we will configure Firepower Management Center. We're going to log in with admin, and the password is Admin123 with a capital A, and then we're going to go into the configuration mode to complete the configuration: that's sudo configure-network, and we're going to give it an IP address, netmask and gateway. Again, enter the password here. I love the little comments there: respect the privacy of others, think before you type, and with great power comes great responsibility. So we're going to do IPv4: we'll enter the management IP, the netmask is 255.255.255.0, and the gateway address. Are these configuration settings correct? Yes they are, and we're not going to configure IPv6 in this case.

To finish off Firepower Management Center we will go into the web GUI, but before we do that, let's get the pre-configuration of Firepower Threat Defense completed. Again, you log in with admin, password Admin123. You accept the end-user license agreement by saying yes (make sure you read it thoroughly). We'll enter a new password here, and now we want to configure IPv4; we're not going to do IPv6. It's going to be manual: we'll enter the IP address of the device, we'll include the netmask and we'll add the gateway address. We will give this server, the Firepower Threat Defense platform, a hostname, so an FQDN here. You can see that Cisco Umbrella DNS is available, so you can use this as the DNS server; in our case we're going to use an internal DNS server, but that's already there for you and ready to go. You can put in the search domains as well, and there's a link to learn more about Umbrella if you choose to understand what Umbrella has beyond just DNS or recursive DNS. This is going to take a few seconds to get completed; the configuration is building. Once complete, we're going to have an option for how we want to manage the device. In our case we're going to manage it using Firepower Management Center, so we're not going to have local management. You will see a Firepower Device Management 101 released shortly after the Firepower Management Center 101; in this case it's going to be no, because we're going to manage the device using the centralized manager. And the one thing people don't realize: Firepower Management Center is a centralized manager, but it's also an analytics platform focused on threats and context. Here the firewall mode is going to be routed, because we are at the Internet edge in this case, but you could do a layer 2 or transparent mode firewall if you wanted to. Here we're going to add the Firepower Management Center: we're telling Firepower Threat Defense that we want this manager to manage our device, so configure manager add, the IP address of Firepower Management Center, and then the shared secret. All right, that's it for the pre-configuration to get the box accessible and able to be managed.

What we'll do now is fire up a web browser and actually configure Firepower Management Center itself. We'll go to https://10.1.254.200 and accept the certificate warning (you can create a trusted certificate for FMC if desired). We'll log in with admin; the password again is Admin123, uppercase A, and we'll have an opportunity to change that at this point in time, so I'll enter a new password. We'll confirm the settings that we've already completed in the pre-configuration: we'll change the hostname, put in the domain, put in our primary DNS server, and in most cases you would have a secondary (I don't in my case; this is just a lab environment). We can then go in and configure our time settings: we use NTP traditionally, but you can enter your own here. You can change the time zone; select whatever is appropriate for you. We can set up rule updates, geolocation updates and automatic backup; we'll do some of that during the configuration. Licensing we're going to do later. And now you accept the end-user license agreement; as always, read it thoroughly like we all do, and then select Apply. This will take a couple of seconds to finalize the configuration.

What we'll do now is look at our topology. At this point we have deployed Firepower Threat Defense, we've tied it to Firepower Management Center for management, we have completed the base configuration of FMC, and we now need to add Firepower Threat Defense to FMC, and then we
will start tackling the configuration one step at a time. Remember, with Firepower Threat Defense we told it what manager we want to be managed by, but we haven't actually added the device to the manager itself. There's lots to do in this session; I tried to include as much as possible to empower you folks, to complement the guide with a video that you can walk through.

Here we're going to enable licensing. If you had Smart Licensing you would just go in and register; in my case I'm just using the evaluation license. There's a link there that you can jump to, to learn more about Smart Licensing. Basically, Smart Licensing provides greater flexibility by removing the nuisance from the device; this allows you to move the license to the appropriate device as needed.

OK, so now let's get started. Let's go to Device Management and add Firepower Threat Defense. At the same time, let's go to the Firepower Threat Defense console and run show managers; you can see that it's pending. All right, let's add a device here: we'll add the host, we'll give it a display name (you can use the IP if you like, or give it something more meaningful), and we'll add the registration key; this will be the same as what we entered earlier in Firepower Threat Defense. We need to add a policy, but we don't have one created. The nice thing about Firepower is we can do this from here; we don't have to jump out of here, go to Access Control Policy and build a brand new policy. In this case we're going to create a vanilla policy with the default action of block, because this is going to be deployed as a next-gen firewall, not a next-gen IPS; obviously the action typically would be block. Now that we've got it created we actually have to apply it, so make sure you go back and make sure that the drop-down list says the policy that you created, and now include the licensing that you want to license the product for. This will take some time to add the device, so let's jump to Firepower Threat Defense and show managers, and what we'll see is that it says it's still pending. Now we'll run it again a couple of times; again, you don't need to do this necessarily, unless maybe the device was not getting added or you had some issues that you might have to start troubleshooting, but at this point in time I'm doing it to give you additional insight into what's actually happening: instead of just showing you the configurations, I'm showing you the results of some of that. So we built the policy, we added the device to the manager, and let's see the result: now we can see that it is completed. So at least from the Firepower Threat Defense, or NGFW or NGIPS, perspective it's actually added to the proper manager, the manager that you wanted to add. Now there's still some stuff that's happening in the back end: it's looking at the configuration, what it is, and establishing a connection, and so on. That's all happening, but we're not at the mercy of this taking place; we can now jump into configurations and move forward with things that we need in order to make the solution effective.

While that's continually being added, I'm going to jump in to build out a bunch of objects. This is going to be probably the longest task that we are going to do, at least in this session, and it's because we're building all of the objects from scratch. If you were migrating from an ASA, what you would do is leverage the migration tool and these objects would be created for you as part of the migration process. You can see we've added an object already; we've got the DNS server object built. Again, the idea here is to build the object once and use it many times, and you're going to see that throughout the platform: a lot of times you're going to go in and build whatever it is that you're going to build in objects, or even some policy, and then they're going to be able to be used all over the platform, over and over again. So let's build out inside host 1, and we'll also build out inside host 2, and as you can see Firepower Management Center is working away; we're getting messages on the side there as we continue to add these objects. Now we've got a couple of objects, let's do the PCI network; I think that's a good place to start. Just kind of visualize the topology, or pause and go back and look at it; I do reference it throughout the session. We've already done a little bit of the inside: we've done the actual host objects. Now we're doing the PCI environment and its host objects, and we could also create a group, so we could say PCI host 1 and PCI host 2 are part of a group called PCI. I'm not going to do this in this session; I think it's self-explanatory at this point, but you get the idea. Now we'll do host 2, and then we'll move on to adding the web server in the DMZ, so again apply the IP addressing and add that web server in the DMZ. Like I said, this takes a little bit of time, and the more objects you have, obviously the longer this is going to take. Now we've got a couple of host objects, let's create a couple of network objects that are the entire network, so the inside network, for example, and this will be a /24. Again you can see the messages at the top coming in; I know we've zoomed in a little bit here, but you can still see them popping up every once in a while. Let's do the DMZ network as well. And again, say for example you went and bought the next-gen firewall or next-gen IPS platforms and haven't received the devices and you are managing them with the virtual manager: you could actually start building out the configuration before your devices are there; you can go in and start building out a lot of the objects within Firepower Management Center that you're going to leverage. So now that we have
all the objects, at least the ones we're building in this lab, configured, we'll move back to the device and make sure that it's added, and we can see that it is, which is great. The device is added and we haven't lost any time; we've been building since we started. Now what we're going to do is add additional interfaces. Because we're using a virtual offering, we've got a couple of other networks and I'm not doing a trunk port, so we're going to have to build or add a couple more interfaces. In my case, because we're using a virtual platform, we're going to add a couple more interfaces to the virtual machine. So again, folks that have a physical platform can certainly skip this section, because obviously the interfaces will already be available to you in the manager; in my case, like I said, we're going to have to add a couple. Let's first do our inline set interfaces, so we have the first NIC, VLAN A to B, and then we'll do VLAN B to A. The other thing to note here: these networks I've actually created ahead of time, so I went into the vSwitch and created a couple of port groups. All right, that's good, we've got that created. Now let's create, in my case, a trunk port that has multiple VLANs on it, and we're going to span that, essentially, to the virtual Firepower Threat Defense. This could be a SPAN port that comes off of a switch; in my case I've got VMware, and this is a way of getting visibility into multiple different networks. Again, it's SPAN, so it's going to be effectively an IDS. The next thing we need to do is restart that device.

While this is rebooting, again we're not at the mercy of waiting for this to happen; we can continue to build policy or other configuration items. The first one we're going to do is platform settings, so we grab Firepower Threat Defense platform settings; this ensures consistent configuration of device settings. We will leverage a Firepower Threat Defense platform policy because this is the device that we're actually leveraging in this lab. You can see here a bunch of options; once we add the device over and I say Save, you're going to see a variety of options here. Now we can go in and configure a banner, for example, but you can see that because there are a lot of options here to configure, you can get some consistency across the entire organization. One of the biggest items in here is to make sure time synchronization is done properly, especially when it comes to security and investigating a breach; you want to make sure that it's consistent. So save that. Oh, if you wanted to assign a policy you can just click Policy Assignment and add additional devices; we already did that from the very beginning. We could hit Deploy right now; you're going to see as I go through, we're going to build some configuration and then we're going to deploy. You could have built a whole lot of configuration all up front and waited for the deploy; the difference is I want to see the change and the behavior of that change, I want to test it.

Here we're going to create a health policy. This allows us to ensure consistent health policies across our platforms. Please note that both platform and health policies can be configured and assigned accordingly; you may have specific needs based on where the device resides, and therefore Cisco Firepower accommodates that, because I can create multiple different health policies and platform policies. As you can see, there are a bunch of health modules here that you can configure and disable or enable; you have the ability to tweak some of these as well. At the end of the day, interface status: what you can see is that when it's on, you're going to see that alert a lot, at least in a lab environment. If I don't see traffic on an interface we're going to alert you; in production that's probably something that you want to have, because most interfaces should be receiving traffic. So we'll save the policy, and again make sure that you have it assigned. We can see a couple of health messages up there, that little yellow triangle with the dash, and here we are making sure that the devices that we want are assigned to this policy. Again we can hit Apply here, and now it's fetching those new interfaces from the device. What we'll end up getting is a message that the interface configuration has changed, so what we'll want to do is click Save, and now we're really going to start configuring the interfaces themselves.

We'll configure the interfaces as our topology requires, and the first one we're going to configure is the outside interface. You can see a couple of choices here: passive, ERSPAN and none. In this case it's a layer 3 interface and it is going to be configured as the outside interface. We'll give it a name, we'll create the zone, we'll call that outside-zone; again, this is an object that could have been pre-created already in the Object Management tab, but in this case we haven't created any, and again we don't have to jump out of this interface and go create it, we are able to do it from here. The one thing to note is make sure that you enable that interface. We'll give it an IP address of 10.1.253.99/24. You can see IPv6, we have advanced settings, we have hardware configuration settings that could be tweaked as well. Looks good. Now let's move to the inside interface, and again it's more of the same; this just becomes a repetitive process, at least for the layer 3 interfaces. Create the zone (we could give it a description as well) and we'll give it an IP address in 192.168.1.0/24, and again you have advanced configurations, IPv6, etc. Click OK. Now I'm going to jump to the DMZ and we'll create that; again it's more of the same: it's a layer 3 interface, we need a zone assigned to it, we want to enable the interface, and we're going to give it an IP address ending in .1 in the DMZ /24 (the captions garble the network portion). Make sure that's enabled; I see that missed every once in a while. You're obviously going to hit OK. Now we've got the three layer 3 interfaces configured, so let's move on to the SPAN interface. We'll click Edit, and this time the mode is going to be passive. We give it a name of passive, we create a zone called passive-zone, and ensure to enable the interface, but notice one thing: we do not have any IP addressing, and very few additional tabs; we have hardware configuration and that's it. Pretty good so far.

Quickly look at the topology and refresh what we need in regards to inline sets (pause if you need to). Time to configure the first interface, so all we'll do is give it a name and enable it; again, give it something meaningful that you understand, and keep that naming convention throughout. We'll do that to the second interface. Remember, we're going to tie these two interfaces together, and we're going to show that later on. Now that we have the two interfaces created (you'll see I hit Save a lot, and that's to do with coming from the command line: copy run start, write mem, etc.; you always save, save, save as you move along), here I'm going to create an inline set. We'll add the interfaces, perfect, and you can see there are others there that you could modify, but if you do this it clears the configuration outside of what we already did. You can see additional things like tap mode, settings, propagate link state, strict TCP enforcement, Snort fail open, so there are some advanced configurations that you may want to do. This is giving us a warning to let us know that any existing security zone mappings etc. would be removed, and that's why we didn't do any of that. So now we'll go back to those interfaces and finalize the configuration: we'll create a zone; remember this is inline A, so we'll create an inline-A zone, and
again you only have the two tabs, as opposed to all the layer 3 stuff that you get when you have a layer 3 interface, and this one's going to be the inline-B-to-A zone. Perfect, we'll save that out. Again, we're doing a lot of different things and we haven't actually deployed it to the device yet, so this doesn't have any impact until we deploy, or change, maybe a better word; it actually hasn't changed the device yet.

So let's do some routing. You can see multiple dynamic routing protocols supported, but we just need a simple default static route. We're going to add a route, select the outside interface, and we leverage any-ipv4 for the selected network, and now we need to create a gateway object; in our case the IP is 10.1.253.1. You have some additional options available like route tracking; in our case we don't need that, but first make sure that you add that object that you just created. Click Save, and maybe this is a good time to deploy. Now we can see the settings that we're pushing; while this deploys we can continue using the manager to build out additional configuration items, and we're going to do that. So we're well on our way: we've got our interfaces created, we've got routing set up, we've now deployed the configuration, and what we can do now is jump to building out the NAT policy. I'm not going to build out the entire NAT policy all up front; I'm just going to do the very simple inside-to-outside dynamic NAT. Let's add a Threat Defense NAT policy; we'll give it a name, again something meaningful; make sure the device is added, or you can add it later with policy assignment. Let's add a rule: we'll create a dynamic auto NAT rule, and we're going to use the inside to outside zones for translation; the original source is the inside network object and the translated packet is the outside interface, and that's it. Let's save the configuration, hit OK, hit Save. Quickly reviewing what we've done up to this point, we can see the one NAT rule; we will do another one later for the DMZ, and that's the static NAT rule for the web server. Now that we've saved it, again we can deploy this and continue to build out additional policies if we wanted to, or we could jump into additional policies and just keep building and then push this all out together; it doesn't really matter, there's no right or wrong way per se, it just depends on what policies you're pushing and when, and the impact that may occur while you're pushing policies, to make sure that you understand what's taking place. All right, so that's deploying; I think at this point we can let that do what it's doing and we'll jump to Policies, Access Control and Intrusion.

The first FMC 101 that I've done in the past was really focused on network only, so we didn't actually talk about IPS or malware; in this case we're going to add both of those elements. We're going to look at the default policies: there's Balanced Security and Connectivity, there's Connectivity over Security (so connectivity is more important than security), and then you have Security over Connectivity. Most people start with Balanced Security and Connectivity and then they tune; they use Firepower recommendations to further tune that later, so let's start from there. What I'm going to do is jump into some of the rules just to show you how easy it is to add additional rule sets if you wanted to. So if you want to modify that default policy that you're using, in our case Balanced Security and Connectivity, and add a couple of other things that are important to your organization, whether that's specific rule sets for specific assets like web servers or database servers etc., outside of the default, or other things like, and I'm going to show you here, enabling more of the malware-type rules or exploit kits: lots are enabled by default, but there are some that aren't. So you can search based on category etc. Here all we did was put in the word malware, and now we're going to set Drop and Generate Events for all of those, and again it took a second to actually search for those and run that rule change against all of them. Now here we'll do exploit kits, or exploit kit, and we'll drop and generate events. Now you see the green arrow turn into red: on the right side some of them were green, and now they're all red, because we're saying drop and generate events, and you can see that Drop when Inline is checked, so if you match a signature we're actually going to drop. Please note that since this IPS policy is not assigned to an access policy and not deployed to an NGFW or NGIPS, nothing is being inspected at this stage; we will deploy this shortly, but first we need to apply it to an access policy before we can do anything, because at this point they're really just advanced objects: an IPS policy object that could be leveraged in an access control policy.

Here we're going to create a malware and file policy. We'll give it a name and we'll add a few rules. Let's add a rule, and here we can be very, very granular, and you should be. Again, just because all the attributes are available you don't need to use them all, but you want to be granular where it makes sense, so you could pick the protocol, HTTP, and then upload or download or both. Here we're just going to detect files. You can see I just grabbed everything and moved it over, and then there are a couple that I can quickly delete because I don't need to do file analysis or detect those files, and click OK. Now I'll detect all those file types, so now I get a good sense of the files that are in my organization. Now here what I want to do is build out a policy to block malware, so the most restrictive applies: just because I detect, if it falls under a malware policy that
has a block we're gonna block so spiro is a machine learning for executables dynamic analysis is our outside looking in sandbox called threat grit capacity handling this in case this is for if we can't submit to the cloud it'll store the file and submit in later time local malware analysis is high fidelity signatures we can reset the connection and in our case we want to store malware and unknown files we can save it and then this needs to be applied just like the next-gen our IPS policy that we created to an access policy until then nothing's happening right it's just an advanced object for lack of better words or term that is enabled now we can see here a couple of health alerts being triggered right and this is typical in the lab environment we see the interfaces are not receiving any packets and because I don't have very many hosts okay so we've jumped back into our interfaces now we can see that they're all green right so that looks pretty good and again there's that health alert saying that we're not receiving any packets on specific interfaces again expect did in this lab environment in production there could be something else going on right most likely you have packets flowing across those interfaces at all times again if you didn't want to see that alert like in this case you can go to the health policy and then disable that alert in a lab environment maybe you want to do that in production probably not okay so we've got those interfaces they're all showing green they're all built we've got some access policies configured but before we go let's just before we assign the IPS policies let's go into security intelligence okay and let's go to access policy our sorry is security intelligence and we can see that we're not seeing any of the intelligence feeds comes in okay I jump back out and then just to see if there's a change that means something's wrong and we're gonna come back to that in a second right there could be a slight delay but in most cases there's 
something may be blocking upstream so we'll come back we'll troubleshoot that maybe offline but I I'm showing that because I see that from time to time in some environments right so let's add a rule in the meantime and we're gonna do inside to outside zones and we're gonna grab the inside Network object as a source okay but we could have a destination Network if we want to but in this case we don't need it we'll give it a name this is gonna be monitored all URLs and what that's gonna do is it'll monitor and then move on to the next rule so there's no block but it will monitor right or there's no really allow right because it's just monitoring it and all we have to do is add a single URL over and it'll start capturing right because it has to look at the URLs at that point in time in this case we are going to add the uncatalyzed and the NE except Uncategorized okay for the for when when you build out these policies the one thing you can see there's a lot of options ohms networks VLANs users applications ports URLs secure group tags with ice for ice attributes and then you get your Advanced inspections you want to use as little as possible right all you need to do is uniquely define the flow once you do that that's all you need to add so don't go crazy adding all kinds of different attributes because it's just gonna be a increase the amount of performance degradation on the box right there's no need for it you just got to uniquely identify it so we've added our two URL categories right so we have except on categorised reputations one two five and on categorized and you can see logging is set to end of connection and quickly reviewing that rule now let's add another one so this is going to be inside to outside zone we will use the inside network object as the source we'll give it a name this will be a threat inspection policy right again there's lots of attributes that you can leverage but use only what you need to uniquely identify the flow okay again it's allow so 
here we're gonna add some inspection so inside outside is allowed right there's nothing really being blocked but we are gonna do IPS and we're gonna do malware and and file inspection and we're gonna log at end of connection now one thing to note here logging every connection event is not necessary to generate alerts security intelligence IPS and malware still generate events regardless of the connection logging settings as you can see the icons highlighted in yellow indicate the IPS and file of malware policies have been enabled for this specific rule IPS shown as the shield and file a malware policies shown as a group of files and here what we're gonna do is go to http response and we're gonna generate a block page and we're going to use the system provided one but we can also go in and create a custom one also if you look at the Advanced Settings tab leverage the documentation right if you don't know what these settings are go ahead and use help and and and get a better understanding of it for the most part we don't change anything here by default right for most environments unless required now I will come back and make one change to one of them after once we troubleshoot the security intelligence feeds but you got to stay tuned for that alright so now we have again we're checking security intelligence we see that it's not working again this could be due to upstream filtering a configuration issues etc but we're gonna deploy in the meantime and at this point while it's being deployed let's go to and look at connection events so we don't see anything just yet and the tableview connection events provide additional insight into the event and allows for additional attributes to be added as columns so when we went back to application with details we can now our connection with application details we can now start seeing some of the events coming in with the passive zone being blocked right so now we knew we know that the next-gen firewall at least the IPS component 
is functioning properly. We have some other blocks based on policy, or the current policy itself. Now let's go to the table view of connection events, and when you hit that X you now get all these columns, but the one thing you have to be aware of is that when you hit that X you actually disable or remove that initial column, so go back and check it if you require it. But you can see the additional columns that are available; it's tremendous, the amount of data that you have. In our case we're going to add a bunch of QoS stuff, and we're going to use that later on. Again, you've got SSL, user agent, web application category, etc., and then we click Apply.

So it's time to get a machine to generate traffic from the inside network to the outside. All right, let's get some news, let's get our daily fix of news. Perfect, so I know for a fact that inside to outside is actually working. So let's look at the logs. We're going to do this a lot; we're going to come back in and check the logs to make sure that, even though the result appears to be working, you're able to come back and reference what we're seeing against the logs themselves. So again we can see a lot of the DMZ stuff happening here with block, and that's expected; there's no policy to allow that at this point in time. But the one thing to note here is that when you're logging every connection event, you're going to drown in here. So if you think you're going to test something, click go, and then jump back into connection events and be able to see exactly that flow without using search or editing the search criteria, you've got to be kidding. There are just too many connection events taking place, so make sure that you use the searching capabilities of the platform. You can see here lots of block, and a lot of this has to do with that passive zone that we've got enabled; it's actually seeing everything and there are no policies at this point in time. So from here let's edit the search and
let's be a little more granular in what we're looking for. So in this case we go to Networking and we enter the IP address of the host, and then we can click Search. We can also save the search here, so if you're looking for things very specifically, it could be malicious URLs as you can see on the left side, you can save these out once you build them and use them. Once this comes up, once we generate the filtered search, we can now see very quickly the allow, we can see the inside host, and as we scroll across we can see the HTTP request, Internet Explorer, the version of Internet Explorer, the application, the medium risk rating, so the risk of that application itself. Scroll across and we can see the URI or URL, we can see access control policies, the device that it's coming from, and here there are those QoS fields. Now again, we're not dropping anything at this point in time; we're not even leveraging QoS yet, but we will, and we'll come back to that very shortly.

All right, let's go back at this point and check out that Security Intelligence. So I had an upstream issue that I had to resolve, and I've certainly done that, and again this is just to show you that if you're not seeing things like Security Intelligence feeds coming inbound, most likely it has to do with something in your environment filtering that, and you can check the guides if you're looking for the specific outbound access that's required to get those Security Intelligence feeds. All right, so now look at that, now we're good, now we can add these. So now, in our case and in most environments, they're going to block these. You can do networks like we've done here, and the reason why people mostly block these is that they trust the intelligence that's coming in. Here we'll add the blacklist, and once we do that this is going to happen as it's getting updated. Here we make sure the logging is where we want it to be, you hit Save, and we can see that
default policy. Let's just go back in here and now we'll jump to Network Discovery. So everything's good. We are going to remove the "any" network, but we are going to keep the IPv6 because we want to capture anything internally that's IPv6. A lot of people don't realize it; they don't think they're running IPv6, but they actually are. And here we're going to be very granular, so what we want to do is discover hosts, operating systems, users and applications. This is key in understanding the environment in order to be effective and minimize the noise. That's a challenge with most IPSs: they really don't understand what they're protecting. So we'll keep the IPv6, we'll add hosts and users, and we'll add those inside objects, the objects or the environment that we trust, even if it's semi-trusted, but we want to discover all of those assets. And again, it's good to know it's Windows 2003 running IIS version 7; that way, when a threat comes in, we understand the operating system, the application and potentially the vulnerabilities. Here is our ability to pull user identity out of clear-text protocols, so for example I can pull out the user identity on a guest network if someone was using FTP. I can do that in the non-guest environment as well, the corporate environment. The Advanced Settings for network discovery, actually, this is what I meant earlier around Advanced Settings: I want to capture the banner. The banner itself has things like Apache and the version, and that just helps me again understand the asset that I'm protecting. The more you know, the better you can protect, and if you don't know some of these settings, and you most likely won't know all of them, use Help.

So it's time to go back to Object Management and check out variable sets. Variable sets provide deeper accuracy in terms of detection and reduce the amount of noise. It's critical that you populate variable sets with information
that reflects your environment, and you should also update your variable sets as your environment changes. So for example, the majority of the rules use the variable HOME_NET to specify the protected network and a variable called EXTERNAL_NET to specify an unprotected or outside network. Also, specialized rules often use other predefined variables; for example, rules that detect exploits against web servers use the HTTP_SERVERS and HTTP_PORTS variables. So rules are more effective when variables more accurately reflect your network environment. At a minimum you should modify the default variables in the default set or create your own. In this case I'm modifying the default, but you should create your own if you just want to copy the default and then apply it. By ensuring that the variable set has HOME_NET correctly defining your network and, say, HTTP_SERVERS including all web servers on your network, processing is optimized and all relevant systems are monitored for suspicious activity. In this case I've just shown you DNS and HOME_NET, but you would go through here and add FTP, HTTP, etc. The more that you can add here, the better. And again, this now is applied to the policies that that variable set has been associated with. I just wanted to include that to make sure that folks know that's available.

Now I'm trying to do as much in this as possible. This platform can do a lot; it's more than a next-gen firewall or next-gen IPS. There are things in it that we can do like rule correlation, etc., and I just don't have enough time to go through everything. But here what we're going to do is the rule updates. So we're going to reapply all policies after the rule update import completes, and then we're going to make sure that we have recurring updates, and we're going to schedule them for off-peak hours. Now when you're reapplying the policy after an update, you probably want to have this scheduled at low-peak times. So that's the rule updates. Now we'll jump to
geolocation. Again, very much the same here: we're going to download and install the geolocation update from the site, and then we're also going to pick a specific time to do the update. So we've made a bunch of changes at this point in time, so we can save this and we can go ahead and deploy. Now again, when you deploy policy you can drop down that box to get an idea of what changes are going to be pushed; it gives you an overview of what elements are going to be changed. And again, just because it's deploying a policy, we can still build configuration. So as before, let's go to the connection events. We're going to do that a lot: we're going to make a change, then we're going to come in and jump to connection events. Now what you'll notice here, when this populates, is that the host icon is greyed out. Remember we built that network discovery policy; this is going to help us identify the environment and give us an understanding of what we're protecting. So you can see these are greyed out, which means it's not enabled for those networks. Blue means profiled, so if they're actually blue it means that we've profiled it; red means the asset has an indication of compromise; and grey means the asset has not been profiled. Once the policy is deployed this should change for our internal assets, because that's the policy that we just finished configuring.

Okay, let's refresh where things are at. We have inside to outside complete and we will move on to the SPAN or tap configuration. Now we can see the connection events show up and we can see some blocks. Let's create an access control policy for the SPAN or tap traffic. So basically, in my case, I'm going to build a policy where I'm actually not blocking anything, because it's IDS anyway and you're not actively blocking, even though it says it would have blocked it, but it is creating a bunch of noise. So what I'm going to do is create this with the source zone as that passive zone.
Again, I can leverage any of the attributes as I see fit. I'll give it a name of inspect-passive-zone, and the action is going to be Allow, but what I can do here is add that IPS and file policy, so in other areas of the environment that might not be directly traversing the next-gen firewall or next-gen IPS, I can actually see if I have some intrusions taking place and/or malware running on the network. I want to log at end of connection, and again, rule placement is important. In this case we've got an attribute in here that uniquely defines it, but if you had something like "any" above this, then this policy would never get hit, so make sure that you're placing these in the correct spot. Hit Save, and again we can go ahead and deploy.

Now we've done a lot up to this point. We're plugging away; we've got inside to outside configured, we've got the SPAN, we've just finished completing that configuration, and we've got lots more to do, but we've done a fair bit. We've got the box up and running and we've got production data, well, lab, but we've got production data going through it. So let's fire up a VM and check the DMZ from the inside. Now we'll connect to the web server in the DMZ, which happens to be 192.168.66.100. Now most of you already know that this will not work. Why? Well, there's no policy allowing the inside to the DMZ. But let's confirm this by looking at the connection logs, or connection events. We know that based on the results we see here, we don't see that page being rendered, but again I just want to make sure that we're looking at the connection events and we're actually seeing that behavior or that result in the connection events as well. So let's hit it a couple more times so we can generate a couple of events, but it's good to come back and correlate this, especially if the platform is new; there are lots of different ways of blocking traffic as
opposed to a traditional L3/L4 firewall. So we can see some block here, but that's not the traffic that we're interested in; we're trying to find the inside to the DMZ. Now we can see from the DMZ to other networks it's being blocked, we can see the passive zones again being blocked, and that'll change as that policy gets pushed. But you can see here, look at that, that's a blue icon; that means we've profiled the device, and we can see it's a Windows 7 machine, and we can see the applications running on it. Let me make this a little bit bigger. Look at all the applications and the versions. Again, very important when you're mitigating risk: we want to understand the threat and whether or not it could ever be realized on the asset. And look at this, we've pulled down passively the vulnerabilities that could be associated with that asset. Now you could tie this into a third-party vulnerability scan and get real-time information about those vulnerabilities on that asset.

So let's create that rule. We saw that block statement just a second ago, and now we'll build out that inside to DMZ zone rule. We'll take maybe the inside network, and we could be very granular here if we wanted to; we could actually just grab the web server in the DMZ, not even the DMZ network itself. Now what we'll do here is, again, I'm going to leverage lots of different ways of building policy. There's no right or wrong way per se, as long as you can uniquely identify the flow itself, based on the needs of the organization. So here I'm going to do application, so I'll do HTTP, HTTPS and HTTP 2.0. The server only has HTTP running; it doesn't have TLS or SSL. Now here I might want to create a very specific web-based IPS policy. I'm going to use Security over Connectivity because I haven't created one, but you get the idea: I can now say, okay, this is for a web farm, and therefore I have specific things in the web farm that I may want a specific IPS policy for,
that environment, and you can do that. Again, placement of the rule is very, very important. Make sure logging is at end of connection, and now we can quickly review that rule. You see Allow and we can see the little yellow icon there with the shield. We can save this out and we can deploy. Now that'll get pushed out, and as that's getting pushed out, what we can do now is again get ready to look at the events themselves, so Connection Events. And remember before, all those connection events make it a little more difficult to find that block rule, and we were able to because I have a lab environment, but in most environments you're never going to be able to find that very easily unless that rule is being triggered a lot. So here let's just be a little more granular and we'll just look for the initiator IP of that inside host, and that's going to make life a little bit easier for us when searching, even in a lab environment. So we can see a lot of blocks here, and that's from the previous connection attempts, and here right away we can see it's already enabled; now we're able to get to that DMZ server. So let's hit it a couple more times and then we'll refresh the connection logs here, and if everything's working as expected we should be able to see an allow. And here we go, perfect. And you can see, wow, that host has already been profiled after a couple of connection events, so we've already profiled that device. And look, let me bounce back to that, there we go, you can see here the version of Linux already, the vendor, it's running Apache 2.4.18. Again, the more you know about that asset, the better you can protect it.

All right, so topology check. We have completed inside to outside, inside to DMZ and the SPAN, we've included some IPS and file policies, and we have a working solution at this point. So let's move on to creating the application rate-limiting policy. So first let's check bbc.com, because
that's the application I'm going to use, and let's see, and it works pretty well. That's what we expect; we're not blocking anything at this point, we're not throttling any application, so no big deal really when it works the way it should. So it's time to go to Devices and then we'll go to the QoS tab and we're going to build a QoS policy. So give it a name, we add the proper devices; again, you can add them all right here now or you can come back and do it later. So if you've purchased the platform and you've got the virtual instance here, you can still go ahead and build a lot of this out and then associate those devices later. Okay, let's add a rule. So inside to outside, the source network is going to be the inside net, we'll give it a name, and we'll set the limits. We can do both download and upload, and in our case we're going to make the application unusable, so we're going to use the minimum amount of throughput. Now we could have just blocked it, but if we block it then they call the help desk and say, hey, what's going on? If we reduce the speed to unusable, the worst thing is, yes, we might still get a call, but we'll say, well, it's working, it might be the other end; we can pass the buck a little bit. So let's use the application of BBC and click OK, and then we'll save. Now remember, nothing happens until we deploy. So again, lots of little attributes that we can leverage, but all we need to do is uniquely identify it. So let's go ahead and deploy this. Now we could do more configuration changes, but let's ensure that we are taking it a little bit at a time: we're doing a little bit of change, we're coming back and we're testing to make sure that the results are what's expected.

All right, so let's go to connection events and we'll generate some traffic to BBC. Now what's going to happen here is that it'll take forever for the page to render, if it even fully renders, and it's going to take forever, and pages are so dynamic anymore
that by the time it gets rendered it's almost useless anyway. So now I could make it usable and just throttle it. Say it's Olympic time and you want to be able to reduce the amount of bandwidth certain sites might have; well, you can do that and make it usable, but make sure that you're still not oversubscribing the link with that specific application. So here we'll refresh the connection events and scroll across. Where is it? Here we can see, there we go, the web application of BBC, there it is, Internet Explorer, the URL, we can scroll across, we see the policies that are assigned, we can see the QoS rule, BBC-rate-limit, and let's keep going to the QoS columns, remember we added them earlier. We can see it is working as expected: both the user experience and the logging reflect the same behavior.

All right, I think it's time for a topology check. We've done a lot up to this point. We've got a fully working configuration and we're actually now starting to do a little more of the advanced capabilities, like rate limiting, so let's review the topology to make sure everybody's on board with what's taking place now. So we have completed the inside to the outside network, inside to the DMZ, you can see both of those there, we've done the SPAN, we've included some IPS and file policies, and we have that working solution with application rate limiting. We can now move to some troubleshooting, and then we'll come back and finish off the outside to the DMZ, the inline set of the PCI environment, and AD integration on the inside network.

So, troubleshooting. All right, let's go to Devices and click the tools icon on the device of interest. Now we can see some alerts already; you can see that an interface is not receiving packets, again what is expected at this point in time. We could dig into that specific event if we wanted to, but in our case we're going to go to Advanced Troubleshooting and we're going to start
with the packet tracer. Now folks that come from ASA know the value of this. This is where we can actually simulate traffic to see how it stacks up against our existing policies. So when a user calls and says this isn't working, we can actually enter the information in here and simulate it across. It actually doesn't do anything to the box; it's not actually pushing traffic, but it simulates traffic going through all the different phases that we have and then validates where that drop might be. So it could be an ACL rule that's making the flow not flow, it could be a supporting process, it could be our Snort policy, it could be an access control list, etc. So here I'm just going to use Cisco Umbrella as the source, the destination is 10.1.253.100, this will be the DMZ server on the outside, the destination port of course would be port 80, and at this point I can hit Start and it'll go through and simulate that. Now you can see all the phases here, so what's allowed, what's not allowed. So let's focus in here and we'll scroll down, and we can see here's phase one, phase two route lookup, phase three access list, and we can see drop already, and then the final result, drop reason: flow is denied by configured rule. Okay, fair enough. And many of you already knew that, right; what's the goal, why is he testing that when we haven't created that yet? Well, that's fine; the idea here is just to show you the capabilities. So what we'll do here is this is packet tracer with capture, so we're actually going to push the traffic as well. This is going to happen at the same time. So here we're going to do TCP, the host we can put down maybe the Umbrella server, I just need something external, the destination host again is going to be the same, and here you can see we can change packet size, buffer size, stop when full, traces on by default, and then we can hit Save, and you can have this
here already pre-configured and then just turn it on when you need it. So in my case it's running, and I just realized that I'm using the source host of Umbrella, which isn't going to work because I actually am going to generate traffic from an external host. So let me go grab a host on the outside and add that here, and that's it. Remember that destination host 10.1.253.100 is actually the DMZ server; that's just the IP address on the outside, or what should be on the outside. Okay, so now we know it's running. Let's generate some traffic, and I know some of you are already saying it's never going to work, you haven't built policy, and you're absolutely a hundred percent correct. So we stop that and we can see zero packets captured. So what we need to do is create that policy and that NAT rule; we need both of them. You need the NAT rule to translate that DMZ server to the outside world, and then you need an ACL to allow the outside world to be able to communicate with that DMZ server.

So the first thing that we're going to do is create that NAT policy, so DMZ to outside, and the original source is going to be the web server object that we created at the very beginning, and in this case the original source port is HTTP. Now we're going to create another object here; this object is going to be the external IP address of that DMZ server. So we give it a name, and don't forget to go back and grab that object. So that's the translation; we know it's a static NAT, and our translated port is going to be HTTP as well. Now we could do something else here; we could say 8080 on the outside and 80 on the inside, etc. Placement of the rule is very important, as always. Have a quick review, hit Save. Okay, so that's good, and again you can see the policy assignment there; if I click that I can add additional Firepower devices. So, access control list: now this time it's outside to the DMZ, but let's edit this first. Let's go in and add the rule
outside-DMZ. Networks: it's going to be any source, and again we can be very granular here; we can just say, you know what, I want the web server. But the one thing to note here is you're going to use the original IP, you're not going to use the NATted IP here. Okay, so there we go, the www server, so that's 192.168.66.100. All right, so in this case let's do ports, HTTP and HTTPS, but again you could do applications; I'm just showing you different ways of building policy. Give it a name, so outside-www-inspection. Here we can add specific IPS inspection rules for web, or a malware-type policy, or block certain files from being uploaded. So let's log it, and again placement is key. So just quickly review, but again we could stretch this, we can minimize the screen, we can copy and paste policies and move them around, we can disable and enable just by right-clicking. All right, so we save that out and we're going to deploy. There's a quick summary of the elements that we've touched.

Let's go to connection events, because it's time to test like everything else. Again, search can be your friend. Now look how quick that page comes up; it was already rendered by the time we got to it. Now we can see the event of allow, so there's the source, the destination, and you can see that we didn't profile that outside host, because we don't want to profile the outside world. We only have so many hosts, depending on the Firepower Management platform you have, so we don't want to waste them.

So, topology check time. Inside to outside, inside to DMZ, we know the SPAN is complete, we know outside to DMZ is complete, we've done some rate limiting, we've done some IPS and file policy, and we have the PCI network and the AD integration portion left. But let's go back to that capture. Remember earlier we did that capture and we weren't seeing anything, but now we know the connection is there, so let's go ahead and refresh this a couple of times. I just want
to close the loop on these things. I want to show you it wasn't working, and the reason why it wasn't working, and then how to get it working, and I want to make sure that you get as much insight as possible. So you can see here's the packet captured, and then here's the packet tracer. So we can scroll down, you can see all the phases here, connection settings allow, allow per session, scroll down, let's go down to the very bottom, Snort, and Snort inspect is allow and Snort verdict is allow, and the final result is allow. Perfect, that's exactly what we expect.

All right, wow, we've done a lot up to this point. So let's go now and build out that inline set. Now these hosts are on the same layer 3 network and we want to introduce controls and perhaps some inspection. So you can see the firewalls on these boxes have been disabled, but I can't ping either one of them. In my case I'm using VMware, so on the vSwitch these are actually two separate port groups, VLAN 198 and VLAN 98, and what I'm going to use is the inline set to tie them together, to make sure that they're both on the same broadcast domain and that they can communicate with each other. They have to hit the Firepower Threat Defense to go through, but at least they can communicate. Now you can do that physically with an inline set as well in an environment, but I have a virtual switch and it's a lab, and that's why I've done it this way. So we do inline A to B and B to C, or B to A, sorry, and then we'll grab our objects here. Again, we're going to do it very specific to the host itself, and we're going to say from host 1 to host 2 and host 2 to host 1. So all we're doing is inspecting. Now this could be as simple as just putting additional intrusion and file policies on it, with an access control list that's very tight in regards to what it can communicate as, and it's just adding a layer of control that you might not have otherwise. So let's add ICMP here
as the application, and again we could have done some advanced inspection as well, and we're going to log at end of connection, and rule placement, again, as always, is important. If you're not sure if a rule is working properly, you can always go back to packet tracer and run that packet tracer to find out where it was blocked. All right, so we'll save that out, everything looks good there, then we can deploy like always. Everybody is reading my mind at this point: we've got to go back and look at the connection events. So once this deploys, those pings that we're doing will obviously start giving a return, as opposed to timing out. So in this case let's go ahead and get the connection event search criteria down, and let's go into the ingress security zone, and what we'll do is grab either the A or the B, so we don't care, as long as it matches either one of those we want those events to be shown. Let's reload, and at the same time let's go ahead and look at those two hosts. Oh look at that, already. If we're already seeing that the one side is communicating, so is the other side, so fantastic. So again, these are two hosts being tied together with an inline set on the same layer 3 network. So you can see here echo request, the code, the application protocol, etc.

All right, time to check the topology. So we have completed inside to outside, inside to DMZ, outside to DMZ, the SPAN, we've got the PCI network complete, we've included IPS and file policies and have a working solution including application rate limiting, and covered some basic troubleshooting. So the last step now is Active Directory integration on the inside network. So let's go to System, Integration, and we need to add a realm. We're getting really close to the end here, folks, and I know it's a lot, but hopefully this helps get a good understanding of how to build policy and some of the more advanced configurations, even
though this is a 101-type session. Here I'm using administrator; in your environment most likely you're going to create a service account. So you do this for the AD join username and password, and the directory username and password as well. Then you will configure the base DN, distinguished name, and the group distinguished name. So in my case I'm using it at the root, so anything under that I want included. You could be very specific if you want; you can see the example on the side where it includes the OU. Then click OK. Now the realm allows us to add user objects to policy. So let's put in the directory server, so the AD server itself, and you can hit Test and hit OK. So that's it there. You could do TLS, etc., LDAPS or whatever. In the realm configuration we're not touching User Download, but you can tweak some things in there, so again, based on your environment, you may want to do that. Now, user download: again, just because you can select everything, it doesn't make a whole lot of sense if you're not using those objects, so pick the objects that you're going to use. So in our case Sales and HR are going to be the focus, but I'm just showing you I could do policy with Domain Admins as well. I can also exclude groups. So here I'm going to save this. Oh, and the big thing here, folks, is to hit that Enable. A lot of people miss this; hit Enable. And if I hit this little download button here, it'll actually go and download those groups. Now those groups are available in policy, so I can actually use them to build policy. The challenge is that I don't have the user-to-IP mappings, so in order to do that we use an agent; that marries the IP address to the user ID. Now moving forward you want to leverage Identity Services Engine, or our ISE-PIC platform. Both of those are going to centralize user-to-IP mappings for all of our security products, instead of having one for each different security product doing it different
ways; this is to consolidate that. So let's add that Cisco Firepower User Agent, so it's .202, and that's it on this side. We save that out and that's it; the rest is that we've got to go and build out that application, or that service. So let's go to the Windows box that we're going to be running it on, and let's find the installation. I have it in the Downloads directory, and this is going to install the agent, obviously, but what does the agent include? Well, it includes SQL Server Compact 3.5 SP2 and the agent itself. So follow the wizard, and once that's complete we'll do the final configuration to make sure that we're getting the IP-to-user mappings. This will take a second or two, but every time I say that it's like, not right. So here we go again. So hit Next, and then you'll hit Next here, and now we have the application. Wait, close, and we go ahead and open it now, and we're going to enter the Firepower Management Center IP address and the domain name we are using. But first I'm going to add the Active Directory server. So again, we are using administrator; you would use a service account for this. Go ahead and click Add. Just double-checking, making sure I'm not using this IP. Okay, perfect, and we're going to process real-time events as well, so we'll add this in, and now again we can hit Save, or you could continue on to the next task. Like I said earlier, I have a habit of always saving now, coming from the command line. So here we'll give the IP address of Firepower Management Center and hit Add. Now everything should turn green in here. All right, so there's the green there for the FMC and AD, that's good. We could make sure logs go to the Windows application log, for example; we could come in here and stop and start the service; and here's the logout frequency. So we want to know when people log out, so that we can make sure that the right user gets married to the right IP address sooner. In my case, because it's a lab,
I'm just gonna turn it down to one minute you would obviously select what's relevant to your organization all right so now that we've got the realm and the firepower user agent configured we can build out that identity policy so I'll add a new policy let's add a rule this is going to be inside to outside and inside to DMZ so both will grab the inside network as a source we'll give it a name and we will use passive authentication and we'll need to select the realm so this will be the realm that we just created right and there's some additional things that we can do ready to act of authentication etc but in this case we're using passive so go ahead and add this rule at this point and it's the only rule so we don't we're not worried about placement now we can see here a quick summary hit save now this is still doing nothing right everything that we've done up to now hasn't done anything for identity right well we want to actually leverage it in policy we have to go and add this to access control policy just like we did with IPS and just like we did with file or malware policy right so click Edit you see pre-filter policy we see SSL policy now we see the identity policy so let's grab that identity and now it's available for us to use right so now it's going to do the user - IP mappings as well as it's going to allow us to grab the users and groups all right so let's go ahead and build policy now we've zoomed in here at times and it's made it difficult to see things or better to see things but now it's crunches so I've used the control minus key just so you know to shrink the page properly and now we'll add a rule so again give it a name this is going to be the HR policy the actions allowed so inside to outside and dmz okay the inside met object is going to be the source and this time we're going to use the users right so Cisco ad and now we can see there's that HR now we could do a specific user but in our case we're gonna use the group now we can go in and be again a 
little more granular depending on the policy right we could add IPS and file policy to this and now will login end of connections and we'll hit add but remember the placements important right and as we go along you're gonna see there's a point where it actually placement does bite me and I explain that in a second so go ahead and hit add again you could review your policy here and you can see I drag and drop it to move the policy so that's pretty cool that you can do that well I'll come to find is is that I actually have to move it a little bit further up but here nor there right that's why we're testing and now I've copied that policy so I'm gonna call this sales policy so HR basically is allowed to go anywhere the sales individual though is going to be restricted so this will be block DMZ so we'll change that to block now one thing and I did this on purpose right is that you got to be very careful when you're copying policy right because I've got here inside zone to outside zone and DMZ okay so I'll go through the process but what I come to find is that I don't want to block the outside right so let's get rid of the user add the correct user for this policy but these are things you got to remember right when copying policy you might want to go through every tab that's edited and make sure that it makes sense and because this is a block policy you can only log at beginning right because there is no end of connection because we don't let the connection stablish so click save and we can see here there's the sales policy we'll paste the allow policy so the first ones a block this one's going to be allowed but we need to edit it first and this is actually at the point where I realize wait a minute this is a this one's the allow I got to go back and clean up the other policy so we want this to be inside the outside inside net and the user is sales and logging well we could add some inspection because remember this is allowed policy and now we want this at antic 
connection again a couple little attributes that depending on the rule set it may need to be modified now let's go back and clean up this one right we are only want to block to the DMZ all right so now we've got these policies right we quickly review them so inside the dmz inside network sales inside zone okay these all look good but make sure you review them before you deploy them right and again I'll clarify in a second because anybody that you know pauses and really focuses on the pulse is gonna notice that how did it work right but I actually had to go back and move the policies because I was overriding and I'll explain that in one second but first let's get that deployed and let's get the connection events up and ready and we're gonna open up two windows for the connection events and this is gonna allow us to be able to look at the user and HR users very specifically so we want to edit the search and we're gonna select the proper user right initiator user so the first one will be HR and actually that should be HR one so I'll get probably have to come back and edit that and this one will be sales one again you can pivot if you want to with the sections over there this is where I realize sales one and let's go to the first one and put HR one ok search and you can save them remember I said earlier that you can save all your predefined searches so you don't have to keep building these each time all right so I want to clarify that I had to go back and reorder the rule as I had issues with the insight to DMC rule higher up taking precedence and not allowing a match okay so that was my biggest challenge so we're starting to see traffic come in you can see the connection events right but let's go ahead and let's give these hosts up and running and let's do some testing so the HR user this is where that I was mentioning the policy right I had to move some things around to make sure that they were properly in order and let me shrink the page here so you can see a little 
bit better so that you have to make sure that you don't have a policy higher up overriding maybe a more granular policy right so just again always make sure that you've got the policy in the right place but as you're copying and things like that you you sometimes will make some mistakes because you're trying to streamline the process or configuration but at the same time there might be a you know an element that needs to be changed and you forget to change it so both HR and sales can get to the Internet so that's good that's an expected behavior now let's double check okay HR 1 is on the right side and sales 1 is on the left side so HR can get to outside and it can get to the DMZ now sales can get to outside it wait wait a minute and the D no they're not supposed to ok remember caching right caching can bite you a connection events or connection the timing of that connection might also bite you in this case I just had to refresh and it was blocked so as you can see the user side the behavior is expected right we got the results that we are expecting based on the policy that we configured now let's reload these connection events and remember the difference connection with application details you can see here but you can't see the user identity right so let's go to table events because table events is going to allow us to see the user identity and again remember you can add columns right very specific columns and you can save or what we call a bookmark these searches - right so now we can see there's the sales there's an allow policy and the top ones a block right so that's exactly what we expect it right they are allowed to go to the internet but they're not allowed to go to the dmz which is the one 92168 66 dot 100 and again you can see all the details we capture you know a significant amount of of attributes now HR we can see is allowed right alright so in summary we've completed inside to outside we can we've also done inside the dmz we've done span or top 
segment we built in line sets with pci network we've done the outside to the DMZ we included IPS policies and file policies we included auto dynamic NAT and manual static NAT now we did a bunch of testing throughout this concludes the session and remember this is a small snippet of the power of cisco firepower threat defense platform thank you you [Music]
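As an added example, not code from the video or from Cisco's own software, here is a small first-match model of access control rule ordering like the one the speaker runs into: a broad inside-to-DMZ allow rule placed above the Sales block rule shadows it, and a shadow check flags rules an earlier rule makes unreachable. The rule fields, the flow keys and the contents of the broad "inside-to-dmz-allow" rule are assumptions made for the example.

```python
ANY = None  # wildcard: the field matches every value

class Rule:
    FIELDS = ("src_zones", "dst_zones", "src_nets", "users")

    def __init__(self, name, action, src_zones=ANY, dst_zones=ANY, src_nets=ANY, users=ANY):
        self.name, self.action = name, action          # action: "allow" or "block"
        self.src_zones, self.dst_zones = src_zones, dst_zones
        self.src_nets, self.users = src_nets, users    # network object names, AD group names

def _hit(field, value):
    return field is ANY or value in field

def evaluate(rules, flow):
    """First matching rule wins, as in an access control policy; no match -> default block."""
    for r in rules:
        if all(_hit(getattr(r, f), flow[f]) for f in Rule.FIELDS):
            return r.name, r.action
    return "default", "block"

def _covers(wide, narrow):
    # an earlier rule covers a later rule's field when it is a wildcard or a superset of it
    return wide is ANY or (narrow is not ANY and narrow <= wide)

def shadowed(rules):
    """Rules that can never match because an earlier rule matches everything they would."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(getattr(earlier, f), getattr(r, f)) for f in Rule.FIELDS):
                out.append((r.name, earlier.name))
                break
    return out

# Constructed rules mirroring the session: HR may reach outside and the DMZ, Sales may reach
# outside but not the DMZ. "inside-to-dmz-allow" stands in for the broad, non-identity rule
# assumed to predate the identity rules (an assumption; the video does not show its fields).
HR_ALLOW = Rule("hr-allow", "allow", {"inside"}, {"outside", "dmz"}, {"inside-net"}, {"HR"})
SALES_BLOCK = Rule("sales-block-dmz", "block", {"inside"}, {"dmz"}, {"inside-net"}, {"Sales"})
SALES_ALLOW = Rule("sales-allow-outside", "allow", {"inside"}, {"outside"}, {"inside-net"}, {"Sales"})
BROAD_DMZ = Rule("inside-to-dmz-allow", "allow", {"inside"}, {"dmz"}, {"inside-net"}, ANY)
WRONG_ORDER = [BROAD_DMZ, HR_ALLOW, SALES_BLOCK, SALES_ALLOW]  # broad rule on top shadows the block
FIXED_ORDER = [HR_ALLOW, SALES_BLOCK, SALES_ALLOW, BROAD_DMZ]  # granular identity rules first
SALES_TO_DMZ = {"src_zones": "inside", "dst_zones": "dmz", "src_nets": "inside-net", "users": "Sales"}
HR_TO_DMZ = dict(SALES_TO_DMZ, users="HR")

if __name__ == "__main__":  # wrong order allows Sales into the DMZ; fixed order blocks it
    print(evaluate(WRONG_ORDER, SALES_TO_DMZ), evaluate(FIXED_ORDER, SALES_TO_DMZ), shadowed(WRONG_ORDER))
```

The shadow check is deliberately conservative: it only reports a rule whose every field is fully covered by one earlier rule, so partial overlaps still need a manual review like the one the speaker does before deploying.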
Info
Channel: Jason Maynard
Views: 3,181
Keywords: FMC, FMC 101, FTD, 6.2, 6.2.2, 6.2.3, Cisco Security, NGFW, NGIPS, Threat-Focused
Id: R6b_C3ss0oM
Length: 102min 18sec (6138 seconds)
Published: Wed Apr 04 2018