Introduction to Cisco Firepower and Firepower Device Manager

Captions
Hi, and welcome to NTRaaS. In this video we're going to be looking at the Firepower Device Manager for the Firepower 1010 appliance by Cisco. Now, this Firepower 1010 is pretty much a direct replacement for Cisco's 5506-X ASA firewall, but one of the really nice things about this firewall appliance is that it can run both Firepower OS and it can run the ASA operating system. So we're going to take a look at these two devices really quick and then we're going to get into a look at the Firepower Device Manager. So let's come down here; I'm gonna take a look. We have the Firepower 1000 series, that's a 1010, and of course the old 5506-X. Taking a look at both of these devices, you're going to notice there is very little difference between them except for maybe the port layout. They both have eight data ports or internal ports; they have a management port, a console port (well, they actually have two of those, RJ45 and a USB style), and they also have a USB connector. We've been having issues with the USB connector on the ASA providing storage capabilities, so when we look at the Firepower hopefully that will be fixed.

So, once again, let's get into the Firepower Device Manager. Let's log in and get started. Start here with the admin account, which is by default. Now we get in here. So the Firepower appliance requires it be connected to Cisco's Smart Licensing, hence requiring a connection to the internet. As you can see here we have the ability to modify the outside interface address and the management interface. We need to connect Ethernet 1/1, the outside interface, to whichever ISP or WAN device provides access to the internet. We can configure the outside interface to be allocated via DHCP if your internet-connected device hosts DHCP, or we can specify a manual IP address and gateway, or simply turn off the outside interface. Cisco Smart Licensing requires access to Cisco's cloud, hence the requirement for DNS and a hostname for the device. If you don't have access to the internet during the initial setup of the Firepower appliance, you can skip setup and start the 90-day evaluation, though after the 90 days are up you may lose complete access to the device and have to reset it. So for now, let's click to skip the device setup and start the 90-day evaluation. If you skip the device setup you will have to configure the device manually and cannot restart this device setup; you must either do the evaluation or connect to the internet for Smart Licensing.

Once we get past the initial evaluation page we are presented with the device's configuration dashboard. At the top we see a depiction of the Firepower appliance and its corresponding connections. We will notice first off that the inside network is connected via a bridge virtual interface that links to all of the default assigned interfaces, inside 2 through 8. Keep in mind that the 1010 is a switch firewall; basically it contains switch technology, kind of like the old 5505 ASA had. Any other device will not have this switching functionality. The E1/1 interface is considered the outside interface by default and shows its connection to the ISP or default gateway for internet access. Keep in mind that the management interface uses the same configurations, and you don't necessarily need to plug in the Ethernet 1/1 interface to complete the initial setup for the internet connectivity. We just need to provide the DNS server, the NTP server for time, and get the Smart Licensing done to make sure that Cisco knows this is an online unlicensed device. As you see here we have the 90-day evaluation, and it will remind you how many days you have left or if it is licensed properly. Viewing the Smart License configuration, we will see all the various licensing options available and required in order to use it. We start with the perpetual Base license that allows you to configure base firewall capabilities as well as the application visibility and control, which of course include the access policies and NAT under the Policies tab; Threat prevention for the intrusion policy; the URL license for URL filtering; Malware for the file policy; and the RA VPN license for the AnyConnect remote access virtual private network.

But let's go back to the Device management page. From here we see interface configuration; routing information, which for some reason only gives us the ability to create static routes (apparently the newer versions of code include dynamic routing protocols, but we shall see); we can view the settings for geolocation updates, its rules, VDB processing, system upgrades and of course the security intelligence feeds. We have the ability to back up and restore configurations, create troubleshooting files for working with Cisco TAC, and create connections for site-to-site VPNs, which can be done statically or dynamically; now, in another video we will go through this thoroughly. Remote access VPN configuration, if we have the proper licensing. We can do advanced configuration using FlexConfig and Smart CLI for those things not able to be done in the existing GUI; it seems that any CLI configuration such as OSPF, BGP or EIGRP will have to be done using these in this version. Keep in mind I'm running version 6.4, and 6.7 has been released; we will go over the updates and the changes in that 6.7 upgrade video. And last we have the device administration for auditing, deployment history and downloading of the configurations as a backup.

Getting into the meat of the system configuration, we have many options. Once we click on one of these options we'll see what we can configure out of the box. Under Management Access we start with AAA configuration, allowing us to specify server groups for management in HTTP and SSH access. Next we have the network addresses available to connect via HTTPS and SSH to the management interface; by default any-ipv4 and any-ipv6 are allowed. We have the same access allowed on the data interface zones for the inside zone and its interfaces; by default HTTPS is allowed but not SSH, from any-ipv4 and any-ipv6. Lastly, under Management Access we can provide a web server certificate, which allows trusted certificates, allowing for secure web connectivity. On the Logging tab we can configure data logging and specific syslog servers. We have the ability to filter based on FXOS chassis severity levels, from emergency down to debug; these are pretty much the same levels that exist in Cisco IOS devices. We can also do message filtering for Firepower Threat Defense specifically, and it contains the same list of severity levels. We can also specify a custom logging filter by creating an event list filter. We can also configure file and malware logging if we have the licensing and the configured file policies on under Access Control rules under the Policies tab, and enable the file event log files. We have the ability to also provide logging for an internal buffer with the same options, as well as how large you want that buffer size to be, from 4 kilobytes to 52 megabytes. Lastly we can configure a console filter for those items you see within the console itself.

The Firepower 1010 appliance by default contains DHCP server functionality, providing a range from the inside zone in the 192.168.1.5 through 192.168.1.254 range. Data interfaces and management interfaces: we can configure a DNS server interface for a DNS server group and various poll information that we'll see later. Next we can modify the management interface configuration. Firstly you can configure it to use the data interfaces as the gateway or a unique gateway for the management interface. Here we can also configure the management interface for IPv4 and IPv6; I believe by default it's 192.168.45.45, but as you see here it can be changed to a static IP address, and you can enable the DHCP server so a computer can access the device via the web GUI rather than by the console CLI for configuration. We can then specify a hostname. Here's a good new understanding of how Firepower commits configurations. If you are aware of how the ASA ASDM works, you may be annoyed as I am, because the ASA configuration is quick and efficient: just apply the config and it's done. For Firepower you need to go to the top and deploy the configuration. As you see here there are many options and objects that the Firepower does in the background before the system is active. From the pending changes page you have the ability to discard all, copy all changes to the clipboard, or download all the changes to a text file. You have the ability to cancel all the changes and/or give the deployment a name and simply deploy. The one thing I'm concerned about is not having the ability to cancel specific changes; it seems you must deploy all or cancel all and reconfigure.

Here we have the ability to specify NTP time servers, which is an object group for NTP. For Cisco cloud services we have Cisco Defense Orchestrator, and with CDO you can configure multiple devices of different types from a cloud-based configuration portal, from customer configuration to policies to the cloud down to the device. Cisco Success Network provides usage information and statistics to Cisco to provide direct support for this device. Web analytics provides anonymous usage information to Cisco based on page hits, pages viewed, time spent on a page, browser version, product version, etc.; this helps Cisco improve their products. And lastly the Cisco Threat Response, which allows the product to send high-fidelity security or IPS events and observations to the Cisco Threat Response in the cloud; this connectivity provides the analysis and evaluation of threats the device encounters. We also have the ability to specify URL filtering preferences to improve efficiency of the URL resolution for Cisco networks.

These are all the objects used in policy. By default any-ipv4 and any-ipv6 are defined as networks, 0.0.0.0/0 as well as ::/0 respectively for IPv4 and IPv6. Port lists shows existing known port numbers for many of the different applications and protocols; this is all layer 4 information. The security zones lists the information for zone-based firewalls; by default we have an inside zone and the outside zone, and they are both routed. We can modify the existing zones or create new zones to place interfaces into them. Some zone options may be inside, outside, DMZ, public, private, web, database, or whatever, depending on what different zones are required for different policy in your organization. Application filters provide some built-in application groups, and we have the ability to create new application groups ourselves; the defaults are system-defined and cannot be deleted. Let's click on the plus sign and create a new application filter group. We can name this what the group is used for; in this case we'll create a web_applications group. As you can see there are a lot of applications pre-created, and it can be pretty complicated finding exact applications. We can click on Advanced Filter to get a listing of applications via risk, business relevance, types, categories and tags. So let's specify very low risk and very high business relevance and look around a little bit. From these two filters we have about 196 possible applications; some would be things like Active Directory backup, the Active Directory replication service, file replication, AnyConnect, CA certificates, and too many to look through. So let's just create an application filter using the basic filter. We can see HTTP can include HTTP, HTTP 2.0, HTTPS over SSL tunnel, etc. So let's choose these two, HTTP and HTTPS, and that's it; we've created a new application filter including only those two application protocols. For URLs you can specify custom URLs if they're not in the existing URL database. For geolocation we can specify specific continents. ...do we send all of our logging to a central location? Here we have IKE policies that allow us to specify IKE version 1 and IKE version 2.

Keep in mind that IKE version 2 is the better of the two because it has more security and it's an updated protocol. On this page we can enable or disable each individual object as well as create new lists. IPsec policies are the second step after IKE: IKE provides the session setup, and IPsec is the process of encrypting and accessing VPN connectivity. For IPsec it's best to use a minimum of AES-256, but using AES-256-GCM and SHA-512 is the ideal security and hashing for security and safety. You can specify IPsec protocols for both IKE version 1 and IKE version 2 here. Let's create a new proposal, AES-GCM-only; this would include the AES-GCM-256 and the SHA-512 to be used. So with this particular policy it'll only create a VPN if these two protocols are negotiated. The AnyConnect profile provides a profile for AnyConnect clients to download if you have a license and configure the Firepower appliance for AnyConnect connectivity. Identity sources allow us to specify how we authenticate users: either locally sourced, through RADIUS servers and groups, through Active Directory, or through Cisco ISE based authentication servers. The users are local users of the system, and it seems a new user is for AnyConnect remote access VPN. Certificates include internal certificates and internal certification authority certificates; you can add new internal CAs, internal certificates and trusted certificate authorities if you have an enterprise CA. Secure keys allow you to save keys on the system, I'm guessing to call them back later; you can't really see the key after you've created it, so hopefully you have a backup or remember what that key is used for. DNS groups are groups of DNS servers you can use for name resolution on the Firepower appliance. Lastly we can configure event log filters if you need to filter on events.

Moving on to Monitoring: System shows a dashboard of the appliance itself. It shows the model, software version, VDB, rule update date, management IP address, interfaces in use, average throughput of the device, number of events, CPU usage, memory usage and disk usage. The Network Overview provides information on access and intelligence rules, user usage, application usage, number of threats seen, URL categories seen, and top destinations from the network. The Users tab provides an identity, how many transactions were allowed and denied, total bytes, and total bytes sent and received. Applications, web applications, URL categories, access and SI rules, zones, destinations, attackers, targets, threats, file logs, malware and SSL decryption: all of these events include received time, action taken, first packet, last packet, reason, initiator, initiator IP, responder IP, source port and ICMP type, destination port and ICMP code, and URL. All events: connections, intrusions, files, malware files and security intelligence. And Sessions, connected: as you see, the admin username has been connected for 20 minutes.

So now, lastly and probably most important, is the Policies. We start out on Access Control; basically it's the access list portion of the firewall. So let's create a new access rule. We start on the Source/Destination tab; we have a source zone, network and ports, and a destination zone, network and ports. We'll enter a name and allow inside to the outside. We now have to worry about this action type: Block denies the connection, Allow will allow the connection and send it through the rest of the access policies, and lastly Trust will allow the connection without further consideration. So let's specify Allow, as we want the next phases to be considered. The source zone is going to be the inside zone, the destination zone is going to be the outside zone, the network is going to be the United States only, and the ports and protocols allowed are HTTP and HTTPS. Keep in mind that these are layer 4 port numbers only; if you wish to consider the layer 7 information you would now go to the Applications tab. Let us choose the web_applications group filter we specified earlier for HTTP and HTTPS. For the URLs, Users, Intrusion Policy and File Policy, they all require licensing. I have acquired the intrusion policy license and will discuss intrusion more in depth in another video. Lastly we have Logging: we can choose the beginning and end of a connection, the end of the connection, and no logging at all, depending on how much information you need to know; and how secure your environment will be depends on the logging level. For trusted traffic you may not need to log; for external-to-internal connections you may want to log at both beginning and end to know when they start and when they end. We also have the ability to view a diagram with the traffic flow based on the previous selections. Once done, you will see the rule listed under Access Control.

But let's create another rule blocking all traffic to internal address space, or RFC 1918 for IPv4. We go to Objects, then Networks, and we'll add three network objects, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and create and add those to the group RFC 1918. So let's go back to Policies and create a new rule: from source zone inside, source networks is going to be any, source ports is also going to be any, destination zone will be any, but the destination networks will now be that RFC 1918 filter group that we just made. Make sure to specify Block and order it number one at the top, and give it a title. Looking at the policy, all internal addressing is blocked and the internet is allowed. This creates a zero-trust inside policy, or you must specify explicitly what is allowed to communicate inside or through other zones. The last thing here we need to look at is the default action. Typically you would block all traffic by default, but you have the ability to specify Allow, Block and Trust. The nice thing about Firepower is the ability to log based on the default action.

Looking now at the NAT configuration, we have the ability to specify manual NAT and auto NAT. Auto NAT, as you can see, is the easier of the two, but manual NAT should remind you of the twice NAT from the ASA configuration. Under Advanced Options you can translate DNS replies matching the rule, fall through to interface PAT on the destination interface, perform route lookup for the destination interface, and proxy ARP or not on that destination interface. So let's create a NAT rule allowing internet access. For packet translation we can specify inside_2 as the source interface. Let's create a new network object for the source network, so we create 10.0.100.0-24 with the network 10.0.100.0/24, as that's my computer network. Here we'll do any original port. The translated packet destination will be interface; we'll select the outside interface as outside E1/1. We'll leave the translated source as the IP address assigned to the outside interface E1/1, and we'll leave the translated port to any, or original. Now remember to give it a title: inside outside PAT. Keep in mind one of the things I forgot to do is change my NAT type to dynamic, so this probably won't work for but a single source address. So now we have our NAT rule and our access control rule allowing the internet access. You can limit the NAT via either the NAT configuration, as we did here, only allowing 10.0.100.0/24, and/or from the access control policies; but we left that as the inside source zone and any source network, so only the inside zone with an IP address in 10.0.100.0 can get to the internet.

Moving forward, we look at intrusion configurations. Here we have four options: Connectivity over Security with 505 rules, Balanced Security and Connectivity with 9,764 rules, Security over Connectivity with 14,320 rules, and Maximum Detection with 14,768 rules. Like I said, though, the intrusion policy requires a license, so we'll talk about this later. Now the last few options. We can do SSL decryption, decrypting with known keys or decrypting with re-signing of the SSL connections. For Identity, it can be done in two ways: passive authentication, by querying an identity source like Active Directory or ISE, and providing a captive portal for direct authentication of said user. You may have seen this in hotels when connecting to their networks; you can't get to the internet until you basically authenticate. And Security Intelligence, which gives you an early opportunity to drop unwanted traffic based on source/destination IP addresses and destination URLs. This information is provided by Cisco intelligence to block known bad networks and URLs; it's a very good idea to use this if you have the license. And that's pretty much it for the introduction to Firepower FTD FDM. We'll be doing another couple of videos on how to upgrade the Firepower software, how to reinstall the Firepower OS, as well as how to convert from the Firepower OS to the ASA OS and back again. Stay tuned, and thank you for watching.
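The access control policy built in the captions (a Block rule for RFC 1918 destinations ordered first, an Allow rule for inside to outside on HTTP/HTTPS, and a default action of Block) is a first-match, top-to-bottom policy. The script below is an added example, not code from the video or from Cisco's software: it models that evaluation order offline so you can check what a given flow would hit before deploying. The geolocation object "United States" has no offline equivalent, so the constant US_PLACEHOLDER (the 203.0.113.0/24 documentation range) is an assumed stand-in, and the rule and function names are this example's own.

```python
"""First-match model of the FDM-style access control policy built in the video.

Added example, not code from the video or from Cisco. US_PLACEHOLDER is an
assumption standing in for the "United States" geolocation object.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = "any"


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
US_PLACEHOLDER = nets("203.0.113.0/24")   # assumption: stand-in for the geolocation object


@dataclass
class Rule:
    name: str
    action: str                                    # "block", "allow" or "trust", as in FDM
    src_zone: str = ANY
    dst_zone: str = ANY
    dst_nets: list = field(default_factory=list)   # empty list means any network
    dst_ports: frozenset = frozenset()             # empty set means any port

    def matches(self, src_zone, dst_zone, dst_ip, dst_port):
        if self.src_zone != ANY and self.src_zone != src_zone:
            return False
        if self.dst_zone != ANY and self.dst_zone != dst_zone:
            return False
        if self.dst_nets and not any(dst_ip in n for n in self.dst_nets):
            return False
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        return True


@dataclass
class Policy:
    rules: list
    default_action: str = "block"

    def evaluate(self, src_zone, dst_zone, dst_ip, dst_port):
        """Return (action, rule_name) for the first matching rule, else the default action."""
        ip = ipaddress.ip_address(dst_ip)
        for rule in self.rules:                    # rules are evaluated top to bottom
            if rule.matches(src_zone, dst_zone, ip, dst_port):
                return rule.action, rule.name
        return self.default_action, "default action"


def policy_from_video():
    """The two rules created in the video, in the order the video places them."""
    return Policy(rules=[
        Rule("block_rfc1918", "block", src_zone="inside", dst_zone=ANY, dst_nets=RFC1918),
        Rule("inside_to_outside_web", "allow", src_zone="inside", dst_zone="outside",
             dst_nets=US_PLACEHOLDER, dst_ports=frozenset({80, 443})),
    ])


def ordering_matters():
    """Why the RFC 1918 block must be rule number one: with a broader allow rule
    (destination zone any) placed above it, an inside host reaching a private
    address on 443 is allowed instead of blocked."""
    broad_allow = Rule("inside_any_web", "allow", src_zone="inside",
                       dst_ports=frozenset({80, 443}))
    block = Rule("block_rfc1918", "block", src_zone="inside", dst_nets=RFC1918)
    flow = ("inside", "inside", "192.168.1.10", 443)
    block_first = Policy([block, broad_allow]).evaluate(*flow)[0]
    allow_first = Policy([broad_allow, block]).evaluate(*flow)[0]
    return block_first, allow_first


if __name__ == "__main__":
    policy = policy_from_video()
    for flow in [("inside", "inside", "192.168.1.10", 443),    # private target: blocked by rule 1
                 ("inside", "outside", "10.0.100.99", 80),     # private target via outside zone: still rule 1
                 ("inside", "outside", "203.0.113.5", 443),    # web to the placeholder "US" range: allowed
                 ("inside", "outside", "203.0.113.5", 22)]:    # SSH: no rule matches, default block
        print(flow, "->", policy.evaluate(*flow))
    print("block first / allow first:", ordering_matters())
```

Run it as-is to see each flow and the rule it hits. Because rule 1 uses destination zone any, a private destination is blocked regardless of which zone the route points at, which is the "zero trust inside" behaviour the captions describe; the ordering_matters() function shows the hole that opens if a broad allow rule is placed above the block.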
Info
Channel: NTRaaS
Views: 1,057
Keywords: 1010, asa, cisco, fdm, firepower, ftd
Id: AfWq0cAAT08
Length: 28min 3sec (1683 seconds)
Published: Sun Mar 14 2021