
GSSO Channel Engineering

dCloud
Proof of Value
NGIPSv Lab
dCloud NGIPSv Lab
Browse to https://dcloud.cisco.com

Select Login

Log in with CCO ID

Select US East Region

Select Dashboard from the toolbar

2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Capture Relevant FMC Information
The Dashboard will reflect scheduled sessions

Select View for the Firepower Proof of Value

Select Details

Note the Owner and Session ID information


Owner with @ symbol is not supported
If present, use dcloud instead

Scroll down and note the Public Address

Capture Relevant VPN Information
Return to the Dashboard

Select View for the Firepower Virtual Appliance


Connection Lab

Select Details

Scroll down and note the AnyConnect Credentials

Establish AnyConnect VPN to dCloud
Establish an AnyConnect VPN to the host using
to copy the User and Password
Select the if you need to download
AnyConnect or require additional assistance

Connect to Active Directory

Return to the Firepower Virtual Appliance


Connection Lab
Select the Active Directory server and note the IP Address and Credentials

Connect to Active Directory

Open your native RDP Client and connect to the Active Directory IP Address
Authenticate with
Username: dcloud\administrator
Password: C1sco12345

SSH to NGIPSv

Select putty.exe on the desktop


Open the NGIPS session
Authenticate with
Username: admin
Password: C1sco12345

Configure NGIPSv via CLI
Change the management-port to 8443

Configure FMC IP as Public Address from dCloud session details

Use a registration key of C1sco12345 and a nat-id of 12345

> configure network management-port 8443
Management port changed to 8443.
> configure manager add <FMC IP> <Registration Key> <nat-id>
Manager successfully configured.

Login to the FMC
Return to your Host PC and open a browser

Using https, connect to the FMC Public Address from dCloud session details

Login using Owner for the FMC username and Session ID for the password

170716

Add the NGIPSv to the FMC

Navigate to Devices > Device Management

Select Add > Add Device

Connect NGIPSv to FMC
Use the Host of DONTRESOLVE, Registration Key of C1sco12345, and select Cisco POV Access Control Policy
Select the Protection, Control, Malware, and URL Filtering Licenses

Expand the advanced settings and enter a Unique NAT ID of 12345

Click Register

Troubleshoot NGIPSv to FMC Connection

Use show managers from FTD CLI to confirm FMC IP address and view status

> show managers
Host : 64.100.11.49
Registration Key : ***
Registration : Pending
RPC Status :
>

Ensure registration key and unique NAT-ID match with FMC

Troubleshoot NGIPSv to FMC Connection

Enter expert mode

Use sudo pigtail to review debugging information

> expert
admin@ftd5506:~$ sudo pigtail

********************************************************************************
** Displaying logs: HTTP ACTQ DCSM VMSS MOJO NGUI NGFW TCAT VMSB DEPL USMS MSGS
********************************************************************************
[]

MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Connect to 64.100.11.216 on port 8443 - br1
MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 64.100.11.216 (via br1)
MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 64.100.11.216:8443/tcp
MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Wait to connect to 8443 (IPv6): 64.100.11.216
MSGS: 10-07 02:21:37 ciscoasa sudo: admin : TTY=ttyS1 ; PWD=/home/admin ; USER=root ; COMMAND=/ngfw/usr/local/sf/bin/pigtail

Troubleshoot NGIPSv to FMC Connection

Confirm:
NGIPSv management-port is 8443
Shared secrets of NGIPSv and FMC match: C1sco12345
Unique NAT-ID of NGIPSv and FMC match: 12345
Configured FMC Public IP (not Private IP)
Allow adequate time for the sensor to be added and view pigtail for current status

Deploy Access Control Policy to NGIPSv (If Required)
The Deployment may fail due to a Rule Update as a result of Bug CSCvb82371

This is mitigated by upgrading the FMC and will be fixed in a future dCloud FMC POV Demo

Deploy Access Control Policy to NGIPSv (If Required)
If you receive this error, select Deploy

Select the checkbox next to DONTRESOLVE and click Deploy

Monitor the Task Status and wait until the deployment is successful; this may take 10+ minutes

Confirm Traffic Flow to NGIPSv

Browse to Analysis > Connections > Events

If events are not populating, verify that interfaces are connected, enabled, and the SPAN port or tap is functional.

Risk Reports
Integrated into the FMC with 6.1 or later
Browse to Overview > Reporting
Select Report Templates
Generate Advanced Malware, Attacks, and Network Risk Reports

Risk Reports
Generate Advanced Malware, Attacks, and Network Risk Reports

Delete NGIPSv to Prepare for FTD POV Lab
Delete the NGIPSv

Navigate to Devices > Device Management

Select next to DONTRESOLVE


Confirm that you want to delete DONTRESOLVE

SSH to NGIPSv

Select putty.exe on the desktop


Open the NGIPS session
Authenticate with
Username: admin
Password: C1sco12345

Remove the FMC configuration via CLI
Enter the configure manager delete command to remove the FMC configuration

Confirm the FMC is removed with the show managers command

> configure manager delete
> show managers
No managers configured.
>

dCloud
Proof of Value
FTD Lab
SSH to FTDv

Select putty.exe on the desktop


Open the FTD session
Authenticate with
Username: admin
Password: C1sco12345

Configure FTDv via CLI
Change the management-port to 8443

Configure FMC IP as Public Address from dCloud session details

Use a registration key of FTD123 and a nat-id of 123

> configure network management-port 8443
Management port changed to 8443.
> configure manager add <FMC IP> <Registration Key> <nat-id>
Manager successfully configured.

Login to the FMC
Return to your Host PC and open a browser

Using https, connect to the FMC Public Address from dCloud session details

Login using Owner for the FMC username and Session ID for the password

170716

Enable Smart License Evaluation Mode
Navigate to System > Licenses > Smart Licenses

Select Evaluation Mode

Confirm by selecting Yes

Add the FTDv to the FMC

Navigate to Devices > Device Management

Select Add > Add Device

Connect FTDv to FMC
Use the Host of DONTRESOLVE, Registration Key of FTD123, and select Cisco POV Access Control Policy
Select the Malware, Threat, and URL Filtering Licenses

Expand the advanced settings and enter a Unique NAT ID of 123

Click Register

Troubleshoot FTDv to FMC Connection

Use show managers from FTD CLI to confirm FMC IP address and view status

> show managers
Host : 64.100.11.49
Registration Key : ***
Registration : Pending
RPC Status :
>

Ensure registration key and unique NAT-ID match with FMC

Troubleshoot FTDv to FMC Connection

Enter expert mode

Use sudo pigtail to review debugging information

> expert
admin@ftd5506:~$ sudo pigtail

********************************************************************************
** Displaying logs: HTTP ACTQ DCSM VMSS MOJO NGUI NGFW TCAT VMSB DEPL USMS MSGS
********************************************************************************
[]

MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Connect to 64.100.11.216 on port 8443 - br1
MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 64.100.11.216 (via br1)
MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 64.100.11.216:8443/tcp
MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Wait to connect to 8443 (IPv6): 64.100.11.216
MSGS: 10-07 02:21:37 ciscoasa sudo: admin : TTY=ttyS1 ; PWD=/home/admin ; USER=root ; COMMAND=/ngfw/usr/local/sf/bin/pigtail

Troubleshoot FTDv to FMC Connection

Confirm:
Manager configuration removed from NGIPSv
FTDv management-port is 8443
Shared secrets of FTDv and FMC match: FTD123
Unique NAT-ID of FTDv and FMC match: 123
Configured FMC Public IP (not Private IP)
Allow adequate time for the sensor to be added and view pigtail for current status
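
One way to run the Confirm checklist from the NGIPSv and FTDv troubleshooting slides against saved CLI text, as an added example that is not part of the original deck or any Cisco tooling. The function names are hypothetical, the sample input is the slides' own show managers and pigtail output with wrapped lines rejoined, and the host comparison assumes sftunneld should be dialing the configured manager address.

```python
import ipaddress
import re
# Sample input: the slides' own output, wrapped log lines rejoined.
SHOW_MANAGERS = "Host : 64.100.11.49\nRegistration Key : ***\nRegistration : Pending\nRPC Status :\n"
PIGTAIL = (
    "MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Connect to 64.100.11.216 on port 8443 - br1\n"
    "MSGS: 10-07 02:21:19 ciscoasa SF-IMS[10849]: [15490] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 64.100.11.216:8443/tcp\n")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")
CONNECT = re.compile(r"sftunneld:sf_ssl \[INFO\] (?:Connect to (\S+) on port (\d+)"
                     r"|Initiating IPv4 connection to (\S+):(\d+)/tcp)")

def parse_show_managers(text):
    """Turn 'Key : value' lines from `show managers` into a dict."""
    matches = (KV.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def sftunnel_targets(log_text):
    """Return the set of (ip, port) pairs sftunneld tried to reach."""
    targets = set()
    for m in CONNECT.finditer(log_text):
        ip, port = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        targets.add((ip, int(port)))
    return targets

def diagnose(show_managers, pigtail, expected_port=8443):
    """Apply the slide checklist; return a list of findings (empty means clean)."""
    findings = []
    host = parse_show_managers(show_managers).get("Host")
    if host is None:
        return ["no manager configured"]
    if parse_show_managers(show_managers).get("Registration") == "Pending":
        findings.append("registration still pending")
    try:
        if any(ipaddress.ip_address(host) in net for net in RFC1918):
            findings.append(f"manager {host} is a private address")
    except ValueError:
        pass  # Host is not an IP literal, so skip the private-address check
    for ip, port in sorted(sftunnel_targets(pigtail)):
        if port != expected_port:
            findings.append(f"sftunneld uses port {port}, expected {expected_port}")
        if ip != host:  # assumption: the tunnel should target the configured manager
            findings.append(f"sftunneld connects to {ip}, manager is {host}")
    return findings
```

Run against the slides' own samples, it reports the pending registration and that the pigtail capture targets a different address than the show managers capture.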

Deploy Access Control Policy to FTDv (If Required)
The Deployment may fail due to a Rule Update as a result of Bug CSCvb82371

This is mitigated by upgrading the FMC and will be fixed in a future dCloud FMC POV Demo

Deploy Access Control Policy to FTDv (If Required)
If you receive this error, select Deploy

Select the checkbox next to DONTRESOLVE and click Deploy

Monitor the Task Status and wait until the deployment is successful

DO NOT Confirm Traffic Flow to FTDv

The traffic generator in the virtual appliance connection lab, vNeoFlow, has large resource requirements and is only configured to send events through the NGIPSv, not the FTDv
Steps that follow simulate a customer POV deployment
You will not be able to verify the configuration or run Risk Reports
There is a work request with dCloud to offer a separate virtual appliance connection demo that does push events through the FTDv

Configuration
Object Management
Object Management: Edit HOME_NET Variable
Browse to Objects > Object Management
Select Variable Set on the left hand side
Select to edit the Default-Set

Object Management: Edit HOME_NET Variable

Select next to HOME_NET

Object Management
Click to create a new Network Object
Provide a Name
Enter Network information that matches the customer environment
Click Save
Object Management: Edit HOME_NET Variable
Include the New Network Object in the HOME_NET Variable
Click Save, Save, Yes

Object Management: Edit Network Discovery Policy
Browse to Policies > Network Discovery
Select to delete the IPv4-Private-All-RFC1918
Click Yes to confirm

Object Management: Edit Network Discovery Policy
Select to Add a New Rule
Select the Users checkbox
Add the newly created HOME_NET variable to the right hand pane
Click Save

Configuration
Configure Passive Interface

Navigate to Devices > Device Management


Select to Edit Device

Configure Passive Interface
A passive interface needs to be configured for the FTD to accept traffic from the SPAN port or tap on the customer network
Select next to GigabitEthernet0/0

Configure Passive Interface

Set Interface to Passive Mode


Define a new Security Zone named Zone_C
Click OK
Click Save

Configure Passive Interface
Click the Deploy button at top right to push interface configuration to FTD

Select the checkbox by your FTD device

Click Deploy

Deployment Status

View the status of deployment by clicking the green checkmark

Deployment Status

At a customer site, the interface status for the passive interface should turn green when the deployment completes.
In the dCloud lab, the status is not updated
