Firepower NGFW Lab Advanced - Guide
Firepower NGFW Lab Advanced - Guide
IMPORTANT! This content is community developed and is not subject to standard dCloud verification or support.
Please contact dCloud Support for more information.
REQUIREMENTS 2
TOPOLOGY 3
GET STARTED 4
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 52
Cisco dCloud
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required Optional
Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built
platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your
organization’s security policy-your guidelines for protecting your network.
This allows the Cisco Firepower NGFW to evolve with a focus on enabling enterprises to stop, prioritize, understand, and automate
responses to modern threats in real-time. Firepower NGFW is unique in its threat-focus, with a foundation of comprehensive network
visibility, best-of-breed threat intelligence and highly effective threat prevention to address both known and unknown threats.
Firepower NGFW also enables retrospective security, through Advanced Malware Protection, that can “go back in time” to quickly
find and remediate sophisticated attacks that may have slipped through defenses. This has led to a significant reduction in time-to-
detection (TTD) for Cisco customers compared to industry averages.
In this lab you will build a multi-site network Next Generation Firewall (NGFW) solution at between a corporate and two branch sites.
Using the Firepower Management Console (FMC) you will build High Availability NGFWs at the corporate site and manage a branch.
In this lab, you will also configure a NGFW using the FDM (Firepower Device Manager). You will also configure remote access and
site to site VPNs. You will also configure Cisco Threat Intelligence Director to accept and implement third party updates to your NGFW
devices.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 52
Cisco dCloud
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 52
Cisco dCloud
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How]
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.
3. From the jumpbox, open Firefox. It should open with FMC login page as the default page. The login name and password will
be prepopulated. Click Login.
4. Alternatively, open the Quick Launch from the task bar, and click the FMC Web to login to the GUI of the FMC automatically.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 52
Cisco dCloud
In the lab, there is a Linux server on separate VLAN that is connected to GigabitEthernet0/2. The FQDN for this server
isolated.dcloud.local, and it has the IP address of 198.19.10.220/24. Note that this is address is in the same subnet as the inside
network. The objective is to join these VLANs using a bridge-group on the NGFW. Traffic between these VLANs will be inspected.
NOTE: In this exercise, both interfaces in the bridge group are put in same security zones. However, a bridge group can contain
interfaces in different security zones. Putting the bridge-group interfaces in different zones allows more granular control of traffic
between interfaces in the same bridge group.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 52
Cisco dCloud
Steps
2. Access the Firepower Management Center using the Chrome browser. The login name and password will prepopulate.
NOTE: The Switched type of interface is used to change the interface to L2 software switched mode when this zone is assigned to
the member interfaces of the BVI.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 52
Cisco dCloud
d. Click Save.
In this section, we will create a BVI interface with G0/1 and G0/2 as its members.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 7 of 52
Cisco dCloud
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 8 of 52
Cisco dCloud
g. Click OK.
h. Please take a moment to read the information in the popup box. Click Yes to proceed.
7. Click Save to save the configuration. A new BVI1 BridgeGroup interface should appear in the interface list.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 9 of 52
Cisco dCloud
Tip: Prior to BridgeGroup interface configuration, the IP address should be removed from the member interfaces, such as,
GigabitEthernet0/1 and GigabitEthernet0/2. Otherwise, the BridgeGroup interface configuration attempt may fail at this stage. In this
case, remove the IP addresses from the physical interfaces and try to configure the BridgeGroup interface again.
d. Click OK.
d. Click OK.
NOTE: If you want the static NAT rule to work with the BVI interfaces, you must include this step. This is because object NAT does
not allow zones with more than one interface.
e. Click Save.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 10 of 52
Cisco dCloud
Create an access control policy for inspecting traffic between BVI interfaces
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 11 of 52
Cisco dCloud
2. Add an access control rule to allow (but inspect) traffic between interfaces in BVIZone.
a. Click on Add Rule button on the policy editor.
b. For Name, enter Allow Internal Traffic.
c. Select into Default rule from the Insert drop-down list.
d. The Zones tab should already be selected.
e. Select BVIZone and click Add to Source.
f. Select BVIZone and click Add to Destination.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 12 of 52
Cisco dCloud
NOTE: Deploy the configuration changes and wait for the deployment to complete.
1. From the Inside Linux Server [root/C1sco12345] CLI, test connectivity by typing ping isolated. This should succeed.
a. If the ping does not succeed check the Mandatory rules for the Base_Policy and change the Destination Zone from
any to a different zone.
2. From the Inside Linux Server CLI, test the IPS capabilities.
a. Run the following command from the Inside Linux server CLI:
ftp isolated
b. Login as guest, password C1sco12345
c. Type cd ~root. You should see the following message:
421 Service not available, remote server has closed connection
d. From the Inside Linux server CLI, test the file and malware blocking capabilities.
i. As a control test, use WGET to download a file that is not blocked. This should succeed:
wget -t 1isolated/files/ProjectX.pdf
ii. Next use WGET to attempt to download the file blocked by type:
wget -t 1 isolated/files/test3.avi
NOTE: Very little of the file is downloaded. This is because the NGFW can detect the file type when it sees the first block of data.
The Demo File Policy is configured to block AVI files.
wget -t 1 isolated/files/Zombies.pdf
NOTE: About 99% of the file is downloaded. This is because the NGFW needs the entire file to calculate the SHA. The NGFW
holds onto the last block of data until the hash is calculated and looked up. The Demo File Policy is configured to block malware
detected in PDF files.
1. Devices > Device Management > click the pencil icon on the NGFW1 line
2. Click Remove Icon from the BVI1 Interface
3. Go to GigiabitEthernet 0/1 and click the pencil icon
a. Name inside
b. Click Enabled
c. Security Zone InZone1
d. IPv4 198.19.10.1/24
e. Click OK
4. Go to GigabitEthernet 0/2 and remove the name from the interface and make sure it is enabled. You need an enabled
interface with no name, security zone or IP address to use as a failover link in the next scenario.
d. You can delete the line with BVIZone to BVIZone used for the Allow Internal Traffic
e. You can delete the line with Allow GRE Traffic also
f. Click Save
7. Click Deploy
a. Select NGFW1
Test the Connectivity after removing IRB configuration
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 14 of 52
Cisco dCloud
The objective of this exercise is to understand and configure High Availability for NGFW. You will configure the second firewall and
then add it to the High Availability group.
Steps
NGFW device onboarding onto the FMC is done in two parts. First, configuration settings are added on the NGFW to configure
FMC as the device manager and establish communication with the FMC on the management interface. Secondly, the NGFW
device is added onto the Devices page on the FMC to initiate and establish communication. Here, we use the jumpbox to
complete both the steps.
1. For configuring the backup NGFW, go to the Windows machine labelled jumpbox and open the PUTTY Session - Select
NGFW3, Select Load and Select Open
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 15 of 52
Cisco dCloud
NOTE: The NGFW can be added to the FMC for management using the FMC UI. However, here we are going to use REST API
to demonstrate the automated capabilities of the solution. A python script is present on the Inside Linux Server called
runapiscript at the location /usr/local/bin. It invokes the REST APIs on the FMC to register the NGFW3 with the FMC, applies the
Health Policy to the NGFW3, discovers the interfaces, configures the IP addresses and deploys the Access Control Policy with the
name specified during the execution of the script.
2. For adding the backup NGFW to the FMC, open the PUTTY Session and Select Inside Linux server, Select Load and Select
Open
Note: The ‘Registration is in progress” count may vary during the execution of the script.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 16 of 52
Cisco dCloud
3. Verify that the NGFW3 is added successfully to the FMC by checking the registration status of NGFW3 on the FMC. You
might need to allow some time for the device to register. It should show a Green symbol in front of the device name.
4. Verify the GigabitEthernet0/2 interface for NGFW3 is set to blank configuration. This interface is to be used as the failover
interface during the formation of the HA pair.
5. Select the Device sub-tab. In the Inspection Engine section, click on Revert to Snort 2.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 17 of 52
Cisco dCloud
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 18 of 52
Cisco dCloud
NOTE: The NGFW3 Management Interface (198.19.10.83) was preconfigured. Interfaces G0/0 and G0/1 were configured by the
REST API script. They do not have security zones listed on the interface, but they will inherit the security zones and the interface
IP Address’ from NGFW1 when the HA process is run.
a Name: HA_TEST
b Device Type: Firepower Threat Defense (This is the device type associated with the NGFW)
c Primary Peer: NGFW1
d Secondary Peer: NGFW3
e Then Continue
f The formation of HA pair restarts the snort engine on both the Primary and Secondary NGFW devices. This is entirely
expected behavior. Select Yes
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 19 of 52
Cisco dCloud
NOTE: If you have done configuration tasks on either of the HA Peers and have not deployed then you will get the above
message. Click on Close and then click Cancel. Deploy the changes to NGFW3 by clicking the Deploy button in the FMC. Go
back and repeat step 1
NOTE: If Interfaces do not show up go back to Devices > Device Manager. Click on the Pencil Icon for each firewall click on the
Interfaces to make sure that the interfaces do not have names.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 20 of 52
Cisco dCloud
NOTE: The Failover ‘State link’ can be a separate dedicated link as well. However, for simplicity in this lab we are using the LAN
failover link as the State link also.
NOTE: Creating or breaking a Firepower Threat Defense high availability pair immediately restarts the Snort process on the primary
and secondary devices, temporarily interrupting traffic inspection on both devices. Whether traffic drops during this interruption or
passes without further inspection depends on the model of the managed device and how it handles traffic. See Snort® Restart
Traffic Behavior for more information. The system warns you that continuing to create a high availability pair restarts the Snort
process on the primary and secondary devices and allows you to cancel.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 21 of 52
Cisco dCloud
NOTE: The configuration of the HA will take some time you will see status updates from time to time if you watch the Tasks next to
the deployment button.
5. Go to Devices > Device Management Click on the pencil icon next to the HA pair name - HA_Test
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 22 of 52
Cisco dCloud
When you configure your interfaces, you can specify an active IP address and a standby IP address on the same network.
Although recommended, the standby address is not required. Without a standby IP address, the active unit cannot perform network
tests to check the standby interface health; it can only track the link state. You also cannot connect to the standby unit on that
interface for management purposes.
When the primary unit or failover group fails over, the secondary unit assumes the IP addresses and MAC addresses of the primary
unit and begins passing traffic.
The unit that is now in standby state takes over the standby IP addresses and MAC addresses.
Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the
network.
If the secondary unit boots without detecting the primary unit, the secondary unit becomes the active unit and uses its own MAC
addresses, because it does not know the primary unit MAC addresses. However, when the primary unit becomes available, the
secondary (active) unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network
traffic. Similarly, if you swap out the primary unit with new hardware, a new MAC address is used.
Virtual MAC addresses guard against this disruption because the active MAC addresses are known to the secondary unit at startup
and remain the same in the case of new primary unit hardware. In multi-instance capability the FXOS chassis autogenerates only
primary MAC addresses. You can overwrite the generated MAC address with a virtual MAC address with both the primary and
secondary MAC addresses, setting the secondary MAC address does ensure that to-the-box management traffic is not interrupted
in the case of new secondary unit hardware.
If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow.
The FTD does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not
learn of the MAC address change for these addresses.
The IP address and MAC address for the state link do not change at failover; the only exception is if the state link is configured on a
regular data interface.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 23 of 52
Cisco dCloud
7. Physical Interface: GigabitEthernet0/1 Active Interface MAC Address: student choice (IP Address of interface used in
example) Standby Interface Mac Address: Student Choice of input [example below] Click Ok
NOTE*: The above step is an example of how to configure an Interface Mac Address
8. Configure Monitored Interfaces Go to the pencil icon next to inside under the list of Monitored Interfaces
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 24 of 52
Cisco dCloud
9. Enter the Standby IP Address: 198.19.10.31. Repeat for the outside Interface 198.18.133.132
10. Click OK, Save and then Deploy Select HA_Test and then Deploy
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 25 of 52
Cisco dCloud
1. Let’s look at some of the configuration parameters that NGFW3 received during the HA setup
2. Go to the Jump PC open PUTTY and select NGFW3
3. Login into the NGFW Username: admin Password: C1sco12345 Type:
Testing Failover
1. On the Jump PC go to PUTTY and open up a session to the Inside Linux Server
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 26 of 52
Cisco dCloud
2. Login: root Password: C1sco12345 Type: “ping outside” and let the script continue to run
3. Go to the web interface of the FMC Devices > Device Management. Click on the three vertical dots at the right of the
HA_TEST row, and select Switch Active Peer. Click Yes when it prompts to make NGFW3 Active.
4. Resize the Firefox window so you can also see the results of the pinging from the Inside Linux Server.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 27 of 52
Cisco dCloud
NOTE: The Active HA status of the NGFW implies that it is participating in the traffic processing and owns the Active Interface
MAC addresses. Only the Primary or the Secondary NGFW can be Active at a given time and therefore handle traffic.
IMPORTANT: You can do the remaining scenarios with the HA pair, or you can first break the HA
pair. The scenario steps and screenshots reflect a non-HA environment. If you have completed the
HA scenario, substitute HA_Test for NGFW1.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 28 of 52
Cisco dCloud
• Packet-Tracer
• Capture with Trace
a. Verify if traffic to a specific port is allowed by the Lina Data path and Snort
i. Security Intelligence (IP Reputation)
ii. L3/L4 IPS Intrusion Rules
b. Packet Tracer Does Not currently work with: (Because it cannot emulate a L7 packet) i. Identity-
based rules ii. L7-related (SI DNS/URL, App ID, File Policy, L7 Intrusion Rules)
Packet-Tracer Lab
1. On the FMC go to Policies > Access Control > Edit the Base_Policy
i. Click Add
j. Click Save and Deploy to HA_Test or [NGFW1]
NOTE: We selected all the applications related to ICMP and FTP in a production environment you would be more specific with
what particular applications you are blocking.
a. Look at Phases you will notice that the packet has been handed off to SNORT for further processing
b. You will see that SNORT used block w/reset a rule id to order a drop of the packet.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 29 of 52
Cisco dCloud
9. FMC opens the Advanced Troubleshooting page. By default, you will enter the Packet Tracer page.
e. Destination: 198.18.133.200
f. Click Start
NOTE: You will get the same results that you saw in the Command Line of the NGFW1 it is just shown in the window.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 30 of 52
Cisco dCloud
NOTE: Phase 2 is still checking the rule you created Look at Phase 14 you will see that SNORT looked at the rule and the verdict
was to pass the packet. The first part of the packet is passed but not the next packets. To test this, go to the Jump PC and open
the inside linux server session and type ftp outside you will be prompted: login: guest you will receive a message that states
No Control connection for command Transport endpoint is not connected. You can go to Analysis Connection Events and see
that FTD was Blocked with reset.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 31 of 52
Cisco dCloud
NOTE: There are two types of Traffic Captures the Lina based and the Snort based.
For capturing packet with traces using the FMC, perform the following steps:
1. Go to Devices > Device Management page.
2. Click on the three dots next to the device name, such as NGFW1. You will find the options for Packet Tracer and Capture
w/Trace.
3. Select Capture w/Trace
4. Click Add Capture button:
a. Name: Capturewtrace
b. Interface: inside
c. Protocol: ICMP
d. Source Host: 198.19.10.200 (Inside Linux Server)
e. Destination Host: any
f. Buffer Size: 33554432 (32 MB)
g. Trace Count 100
h. Save
NOTE: We have not removed the access policy denying ICMP so the pings will fail, but you will be able to see the packet shown.
Also, you will export the file in PCAP format to Wireshark in this lab.
5. Go to the Jump PC and on the Inside Linux Server type ping outside.
6. If you don’t see information in the Packets Shown Window in about 10 seconds hit the refresh.
7. Once you see packets stop the ping.
8. Click on the Save icon for the packet capture you created.
a. Save the file as PCAP.
9. When Prompted Save File and click OK.
10. Go to the downloads arrow of Firefox and select the file just downloaded.
11. Minimize the Browser and you will see the file opened in Wireshark.
12. Notice that the messages have been administratively filtered.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 32 of 52
Cisco dCloud
Information on Scenario
• Flat files - Lists of simple indictors such as IP addresses, URLs or SHA256 hashes.
• STIX files - XML files that can describe simple or complex indicators There are 3 ways these files can be retrieved:
Steps
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 33 of 52
Cisco dCloud
4. Navigate to Intelligence > Elements. Confirm that the NGFW1 is an element. This means that CTID can publish observables
to the NGFW1 retrieved from a STIX file from a web server.
NOTE: The CTID can be enabled or disabled globally. Clicking Pause will stop the CTID publishing to all elements.
6. Click the plus sign (+) on the right to add an intelligence source.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 34 of 52
Cisco dCloud
c. For TYPE, select Flat File. The CONTENT drop-down list will appear.
d. For CONTENT, select URL.
e. Click in the FILE area and select URL_LIST.txt from the Files folder on the Jump desktop.
8. Click Save.
9. Wait a few seconds. Navigate to Intelligence > Sources > Indicators. Delete the default time-based filter. Replace it with a
filter to only show published indicators, as shown in the following screenshot.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 35 of 52
Cisco dCloud
10. Click Apply to apply the filter. Confirm that two URL indicators have been added.
NOTE: The incidents may not appear for a while if the original time-based filter remains applied.
11. Navigate to Intelligence > Sources > Observables. Confirm that two type URL observables have been added.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 36 of 52
Cisco dCloud
1. Navigate to Intelligence > Sources > Sources. Click the plus sign (+) on the right to add an intelligence source.
2. For DELIVERY, select TAXII.
3. For URL, enter http://hailataxii.com/taxii-discovery-service.
NOTE: It may take several seconds for the FEEDS drop-down list to populate.
8. Click Save.
9. Wait until the Status column for this source changes to Parsing, which may take several minutes. Do not wait for the parsing
to complete - this would take too long.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 37 of 52
Cisco dCloud
10. Navigate to Intelligence > Sources > Indicators. Delete the default time-based filter. Replace it with a filter to only show
published indicators, as you did for the previous source you configured.
11. Click Apply to apply the filter. Confirm that several URL indicators have been added.
12. Navigate to Intelligence > Sources > Observables. Confirm that several URL observables have been added.
1. It can take several minutes for the observables to be published to the sensor. In this step, you will see how to confirm the
publication of a particular observable. Use Putty on the Jump PC to SSH to the NGFW1 CLI and perform the following: (logged in
as admin / C1sco12345)
2. Type ls -d /var/sf/*download.
Four of these (iprep_download, sidns_download, sifile_download and siurl_download) are used by security intelligence and CTID.
3. Type grep developmentserver /var/sf/*download/*lf (lf has a lower-case L) to confirm the observable has been published to
the firewall observables list.
1. Use putty on the Jump PC, to SSH to the Inside Linux server and perform the following: (logged in as root/C1sco12345)
2. On the FMC, navigate to Intelligence > Incidents. Confirm that there is an incident.
3. Drill down into the incident and observe the details for this incident.
4. Confirm that there is an incident for a URL indicator. Drill down into the incident and observe the details for this incident
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 39 of 52
Cisco dCloud
Steps
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 40 of 52
Cisco dCloud
d Click Save. Ignore the warning and click OK, when prompted.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 41 of 52
Cisco dCloud
4. Click Add File Rule. This rule will block RIFF files. You will use an AVI file to test this rule, since an AVI file is a type of RIFF
file. But Note that AVI is not listed separately as a file type.
NOTE: You cannot change the order of the rules you create. The order of the rules does not matter. The action of the rule
determines its precedence. The precedence of actions is as follows.
1 - Block Files
2 - Block Malware
3 - Malware Cloud Lookup 4 - Detect Files
4 Select the Advanced tab. Confirm that Enable Custom Detection List is selected.
5 Check the Inspect Archives checkbox.
NOTE: Archives unable to be inspected are corrupt archive, or archives with a depth that exceeds the Max Archive Depth.
5. Click the Save button in the upper-right to save the file policy.
NOTE: Archives unable to be inspected are corrupt archive, or archives with a depth that exceeds the Max Archive Depth.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 42 of 52
Cisco dCloud
NOTE: This file contains 2 simple Snort rules that are useful for testing IPS. They do not resemble published snort rules.
alert tcp any any -> any any (msg:"ProjectQ replaced"; content:"ProjectQ"; replace:"ProjectR"; sid: 1001001; rev:1;) alert
tcp any any -> any any (msg:"ProjectZ detected"; content:"ProjectZ"; sid: 1001002; rev:1;)
The first rule replaces the string ProjectQ with ProjectR. The second detects the string ProjectZ. Since the rules do not specify
where the string is in the flow, they could cause issues in a production deployment.
c. Click Import. The import process will take a minute or two. When it completes you will see the Rule Update Import
Log page. Confirm that 2 rules were successfully imported.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 43 of 52
Cisco dCloud
4. You will now modify the rules states for this new policy.
a. Click Rules under Policy Information menu on the left-hand side of the Edit Policy page.
b. Select local from the Category section of the rules. You should see the 2 uploaded rules. The light green arrows on
the right of each rule indicate that the rules are disabled for this policy.
c. Check the checkbox next to the first rule. Select Generate Events from the Rule State drop-down menu. Click OK.
Uncheck the checkbox next to the first rule.
d. Check the checkbox next to the second rule. Select Drop and Generate Events from the Rule State drop-down menu.
Click OK.
e. Clear the filter by clicking on the X on the right side of the Filter text field.
f. Select SID from the Rule Content section of the rules. Enter 336 into the Enter the SID filter popup. Click OK.
g. Check the checkbox next to the rule. Select Drop and Generate Events from the Rule State drop-down menu. Click
OK.
NOTE: This rule looks for a change to the root home directory in FTP traffic established on port 21. It only looks for traffic coming
from the external network, but in our lab, we use the default value of $EXTERNAL_NET, which is any, so the rule can be triggered
in both directions. An interesting exercise would be to modify this rule to search in FTP traffic in any direction, and to use the appid
attribute to detect FTP traffic on any port.
Click OK.
1. Navigate to Objects > Object Management > PKI > Internal CAs.
a. Click Import CA.
2. You will exempt from decryption infrastructure devices, such as the FMC and AMP Private Cloud. To do this, create a network
object that includes these devices.
3. Click the text Add a new policy or click the New Policy button.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 44 of 52
Cisco dCloud
NOTE: The Replace Key checkbox deserves explanation. Whenever the action is set to Decrypt - Resign, Firepower will replace
the public key. The Replace Key checkbox determines how the decrypt action is applied to self-signed server certificates.
If Replace Key is deselected, self-signed certificates are treated like any other server certificates. Firepower replaces the key and
resigns the certificate. Generally, the endpoint is configured to trust Firepower, and therefore will trust this resigned certificate.
If Replace Key is selected, self-signed certificates are treated differently. Firepower replaces the key, and generates a new self-
signed cert. The browser on the endpoint will generate a certificate warning. In other words, checking the Replace Key checkbox
makes the resign action preserve lack-of-trust for self-signed certificates.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 45 of 52
Cisco dCloud
There is a harmless file called Zombies.pdf that will trigger a malware event, assuming the cloud lookup succeeds. Sometimes labs
have issues with cloud connectivity. Therefore, this is added to the custom detection list to ensure it will trigger a malware event.
It is convenient to have a separate use to use the API Explorer. This allows use of both the FMC and API Explorer at the same
time.
By default, the FMC UI uses a self-signed certificate. This is replaced by a certificate signed by the pod AD server, which the Jump
browsers trust.
1. Navigate to Objects > Object Management > PKI > Trusted CAs.
e. Upload AD-ROOT-CA-CERT.cer.
f. Click Save.
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 46 of 52
Cisco dCloud
2. Connect to the FMC CLI via SSH. Become root by typing sudo -i. The Sudo password is C1sco12345
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 47 of 52
Cisco dCloud
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 48 of 52
Cisco dCloud
"duplex": "AUTO",
"speed": "AUTO"
},
"enabled": True,
"MTU": 1500,
"managementOnly": False,
"ifname": "outside",
"enableAntiSpoofing": False,
"name": "GigabitEthernet0/0",
"id": interface 1 id,
"ipv4" : {
"static": {
"address":"198.18.133.2",
"netmask":"18"
}
} } put_data = json.dumps(interface_put) connect.interfacePUT (headers, uuid, server,
put_data,device_id,interface_1_id) interface_put = {
"type": "PhysicalInterface",
"hardware": {
"duplex": "AUTO",
"speed": "AUTO"
},
"enabled": True,
"MTU": 1500,
"managementOnly": False,
"ifname": "inside", "enableAntiSpoofing": False,
"name": "GigabitEthernet0/1",
"id": interface_2_id,
"ipv4" : {
"static": {
"address":"198.19.10.1",
"netmask":"24"
}
} } put_data = json.dumps(interface_put) connect.interfacePUT (headers, uuid,
server, put data,device id,interface 2 id)
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 49 of 52
Cisco dCloud
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 50 of 52
Cisco dCloud
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 51 of 52
Cisco dCloud
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 52 of 52