• Requirements
• Topology
• Get Started
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements (columns: Required, Optional)
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 119
Cisco dCloud
Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built
platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your
organization’s security policy: your guidelines for protecting your network.
This allows the Cisco Firepower NGFW to evolve with a focus on enabling enterprises to stop, prioritize, understand, and automate
responses to modern threats in real-time. Firepower NGFW is unique in its threat-focus, with a foundation of comprehensive
network visibility, best-of-breed threat intelligence and highly-effective threat prevention to address both known and unknown
threats. Firepower NGFW also enables retrospective security, through Advanced Malware Protection, that can “go back in time” to
quickly find and remediate sophisticated attacks that may have slipped through defenses. This has led to a significant reduction in
time-to-detection (TTD) for Cisco customers compared to industry averages.
In this lab you will build a multi-site Next Generation Firewall (NGFW) solution between a corporate site and two branch
sites. Using the Firepower Management Console (FMC) you will build High Availability NGFWs at the corporate site, and manage
a branch. In this lab you will also configure an NGFW using the FDM (Firepower Device Manager). You will also configure remote
access and site-to-site VPNs. Finally, you will configure Cisco Threat Intelligence Director to accept and implement third-party
updates to your NGFW devices.
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
2. For best performance, connect to the workstation with Cisco AnyConnect VPN and the local RDP client on your laptop.
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.
In the lab, there is a Linux server on a separate VLAN that is connected to GigabitEthernet0/2. The FQDN for this server is
isolated.dcloud.local, and it has the IP address 198.19.10.220/24. Note that this address is in the same subnet as the inside
network.
The objective is to join these VLANs using a bridge-group on the NGFW. Traffic between these VLANs will be inspected.
NOTE: In this exercise, both interfaces in the bridge group are put in the same security zone. However, this is not required. A
bridge group can contain interfaces in different security zones, which allows more granular control of traffic between interfaces in the
same bridge group.
Steps
1. Open Firefox and open the Firepower Management Center (labeled FMC) on the Jump desktop. The login name and
password will prepopulate.
3. Navigate to Objects > Object Management > Interface. Select Interface from the left navigation panel.
b. For Name, enter BViZone. Select Switched from the Interface Type drop-down menu.
c. Click Save.
a. Click on the pencil icon to edit the NGFW device configuration, and select the Interfaces tab.
c. Remove the IPv4 address and click OK. This IP must be removed, so it can be used on another interface.
i. Click OK.
d. Click OK.
d. Click OK.
NOTE: If you performed the routing scenario, and you want the static NAT rule to work with the BVI interfaces, you must include
this step. This is because object NAT does not allow zones with more than one interface.
1. Navigate to Objects > Object Management. Select Interface from the left navigation panel.
e. Click Save.
a. If you did the routing scenario, replace InZone with InZone1 in the auto NAT rule.
3. Click on the pencil icon to edit the NGFW device configuration, and select the Interfaces tab.
b. Add an access control rule to allow (but inspect) traffic between interfaces in BVIZone.
i. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.
j. Select Demo File Policy from the File Policy drop-down list.
NOTE: Deploy the configuration changes, and wait for the deployment to complete.
6. From the Inside Linux Server CLI, test connectivity by typing ping isolated. This should succeed.
7. From the Inside Linux Server CLI, test the IPS capabilities.
a. Run the following command from the Inside Linux server CLI: ftp isolated
ii. 421 Service not available, remote server has closed connection
c. From the Inside Linux server CLI, test the file and malware blocking capabilities.
i. As a control test, use WGET to download a file that is not blocked. wget -t 1 isolated/files/ProjectX.pdf
iii. Next use WGET to attempt to download the file blocked by type. wget -t 1 isolated/files/test3.avi
NOTE: Very little of the file is downloaded. This is because the NGFW can detect the file type when it sees the first block of data.
The Demo File Policy is configured to block AVI files.
NOTE: About 99% of the file is downloaded. This is because the NGFW needs the entire file to calculate the SHA. The NGFW
holds onto the last block of data until the hash is calculated and looked up. The Demo File Policy is configured to block malware
detected in PDF files.
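The two NOTEs above explain why the type block stops the transfer almost immediately while the malware block lets nearly the whole file through. The following Python example is added here to illustrate that mechanism; it is not Firepower code, and the chunk size, sample file contents and hash blocklist are constructed for the illustration.

```python
import hashlib

CHUNK = 1024  # constructed stand-in for the first "block of data" the firewall sees


def sniff_type(head: bytes):
    """Identify the file type from magic bytes in the first chunk only."""
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi"
    return None


def inspect_stream(data: bytes, policy: dict, chunk: int = CHUNK):
    """Simulate inline inspection of a file transfer.

    Returns (verdict, bytes_forwarded). A type block needs only the first
    chunk, so nothing is forwarded. A malware block needs the SHA-256 of the
    whole file, so every chunk but the last is forwarded while the hash is
    accumulated, and the last chunk is withheld until the lookup finishes.
    """
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    ftype = sniff_type(chunks[0])
    if ftype in policy["block_types"]:
        return f"blocked-type:{ftype}", 0

    digest = hashlib.sha256()
    forwarded = 0
    for c in chunks[:-1]:          # forwarded immediately; hash updated as they pass
        digest.update(c)
        forwarded += len(c)
    digest.update(chunks[-1])      # last chunk held back pending the hash lookup
    sha = digest.hexdigest()
    if ftype in policy["malware_types"] and sha in policy["known_bad"]:
        return f"blocked-malware:{sha[:12]}", forwarded
    forwarded += len(chunks[-1])   # clean: release the withheld chunk
    return "allowed", forwarded


def withheld_fraction(data: bytes, policy: dict, chunk: int = CHUNK) -> float:
    """Share of the file that never reached the client."""
    _, forwarded = inspect_stream(data, policy, chunk)
    return 1 - forwarded / len(data) if data else 0.0


# Constructed sample files: an AVI header, a clean PDF and a "malicious" PDF.
SAMPLE_AVI = b"RIFF" + (60000).to_bytes(4, "little") + b"AVI LIST" + b"\x00" * 6000
CLEAN_PDF = b"%PDF-1.4\n" + b"A" * 4000
BAD_PDF = b"%PDF-1.4\n" + b"Z" * 4000

# Constructed policy mirroring the lab's Demo File Policy: block AVI by type,
# block PDFs whose SHA-256 is on the malware list.
POLICY = {
    "block_types": {"avi"},
    "malware_types": {"pdf"},
    "known_bad": {hashlib.sha256(BAD_PDF).hexdigest()},
}

if __name__ == "__main__":
    for name, blob in [("test3.avi", SAMPLE_AVI), ("ProjectX.pdf", CLEAN_PDF), ("Zombies.pdf", BAD_PDF)]:
        verdict, fwd = inspect_stream(blob, POLICY)
        print(f"{name:14} {verdict:28} forwarded {fwd}/{len(blob)} bytes")
```

The fraction withheld is one chunk out of the whole file, so it shrinks as the file grows or the chunk gets smaller; with a 64-byte chunk the constructed PDF is about 99% delivered before the block, matching the behaviour described in the NOTE.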
The objective of this exercise is to understand and configure High Availability for NGFW. You will configure the second firewall and
then add it to the High Availability group.
Steps
NOTE: Due to current lab limitations, we will need to remove the IRB configuration from NGFW1, because we will be using
GigabitEthernet0/2 for the failover HA link.
1. Devices > Device Management > click the pencil icon on the NGFW1 line
a. Name LAN-Side
b. Click Enabled
c. Security Zone InZone
d. IPv4 198.19.10.1/24
e. Click OK
f. Click Save
c. Click Save
c. You can delete the line with BViZone to BViZone used for the Allow Internal Traffic
d. Click Save
6. Click Deploy
i. Ping Outside
c. Go to the Jump PC, open the Remote Desktop folder, and click Wkstbr1.
c. Type the following: configure manager add fmc.dcloud.local C1sco12345 and select yes (you must type yes in full).
d. When the command prompt returns, type show managers and make sure fmc.dcloud.local shows status pending.
Creating or breaking a Firepower Threat Defense high availability pair immediately restarts the Snort process on the primary and
secondary devices, temporarily interrupting traffic inspection on both devices. Whether traffic drops during this interruption or
passes without further inspection depends on the model of the managed device and how it handles traffic. See Snort® Restart
Traffic Behavior for more information. The system warns you that continuing to create a high availability pair restarts the Snort
process on the primary and secondary devices and allows you to cancel.
NOTE: If you are completing the Basic lab starting from Scenario 1, proceed to Step 2.
If you are completing the Advanced Lab starting from Scenario 6, complete the steps below [Modifying REST API script to register
and configure the NGFWs]. Then complete the rest of the lab starting with Step 2.
1. On the Jump PC Firefox browser, click on the + tab to open a new tab.
2. Click the tab for FMC API (API Explorer). The username/password will prepopulate (restapiuser/C1sco12345).
3. Click on Policy
4. Under Policy, select the first entry, accesspolicies, and click the GET icon.
6. Copy the Access Policy ID # that matches the name of the Access Control Policy you created
8. Go to the folder API_Scripts on the Jump PC Desktop and select NGFW2 folder
9. Select and Open runapiscript2 from the scripts folder with Notepad++
10. Go to line 37 and paste the Access Policy ID into the quotes marked ID.
NOTE: Just use the Save Function and not the Save As. This will keep the same file type as referenced in the script. Repeat for
the Register_Config2.py.
12. When the registration completes go back to the PUTTY session of the inside server and continue the script.
NOTE: The script will not ask you to choose an access policy name. You modified the script to use the id of the access policy you
configured as part of the NGFW1 setup.
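Steps 3 to 6 fetch the access policy id by hand in API Explorer and step 10 pastes it into the script. The following Python example is added here to show the same lookup done against the FMC REST API; it is not the lab's Register_Config2.py (whose contents are not reproduced on this page). The hostname and API user come from the lab; the policy UUIDs in the sample listing are placeholders.

```python
import base64
import json
import ssl
import urllib.request

FMC_HOST = "fmc.dcloud.local"   # FMC hostname used in the registration step of this lab
API_USER = "restapiuser"        # API Explorer user named above (password supplied at run time)


def _context(cafile):
    # The lab FMC presents its own certificate; pass its CA file so TLS stays verified.
    return ssl.create_default_context(cafile=cafile)


def fmc_login(host, user, password, cafile=None):
    """POST to generatetoken; FMC returns the token and domain UUID in response headers."""
    req = urllib.request.Request(
        f"https://{host}/api/fmc_platform/v1/auth/generatetoken", data=b"", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=_context(cafile)) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def list_access_policies(host, token, domain_uuid, cafile=None):
    """GET the accesspolicies collection, the same call API Explorer issues in step 4."""
    url = f"https://{host}/api/fmc_config/v1/domain/{domain_uuid}/policy/accesspolicies?limit=100"
    req = urllib.request.Request(url, headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req, context=_context(cafile)) as resp:
        return json.load(resp)


def policy_id_by_name(listing, name):
    """Pick the policy UUID out of the listing by exact name (step 6 done in code)."""
    for item in listing.get("items", []):
        if item.get("type") == "AccessPolicy" and item.get("name") == name:
            return item["id"]
    return None


def access_policy_id(host, user, password, name, cafile=None):
    """End-to-end: log in, list policies, return the id for `name` (or None)."""
    token, domain = fmc_login(host, user, password, cafile)
    return policy_id_by_name(list_access_policies(host, token, domain, cafile), name)


# Constructed sample of the JSON shape the accesspolicies GET returns.
# The ids are placeholders, not values from the lab pod.
SAMPLE_LISTING = {
    "items": [
        {"type": "AccessPolicy", "name": "Default Policy",
         "id": "00000000-0000-0000-0000-000000000001"},
        {"type": "AccessPolicy", "name": "Base_Policy",
         "id": "00000000-0000-0000-0000-000000000002"},
    ],
    "paging": {"offset": 0, "limit": 100, "count": 2},
}

if __name__ == "__main__":
    import getpass
    pw = getpass.getpass(f"Password for {API_USER}@{FMC_HOST}: ")
    print(access_policy_id(FMC_HOST, API_USER, pw, "Base_Policy"))
```

Looking the id up by name at run time removes the hand-edited constant at line 37, so the same script works against a pod where the policy was created under a different UUID.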
4. Navigate to the folder home/guest/API and copy the files (ngfw_config2) from the Jump PC to Inside Linux Server.
5. Right click on the files you just copied and select File Permissions.
6. Click on all the File Attributes so that the Numeric value is 777.
NOTE: This enables all attributes so that you can run the scripts on the Linux server. This is for this lab testing only. Consult with
your IT team to see which file permissions they want to enable.
12. Enter mv *(x)* /usr/local/bin, where (x) stands for the script number. This moves any file whose name contains that number to
the /usr/local/bin directory. If you are prompted to overwrite files, select [y].
NOTE: You can also copy and move all the files from the Jump PC in bulk. The steps above were to show the process of
moving the scripts to the host server.
15. Go back to Firefox and check the registration status of NGFW2 on the FMC
16. When the registration completes go back to the PUTTY session of the inside server and continue the script
NOTE: The script will not ask you to choose an access policy name. You modified the script to use the id of the access policy you
configured as part of the NGFW1 setup.
NOTE: The NGFW2 Management Interface (198.19.10.81) was preconfigured during initial setup. Interfaces G0/0 and G0/1 were
configured by the script. They do not have security zones listed on the interface, but they will inherit the security zones and the
interface IP addresses from NGFW1 when the HA process is run.
2. Name: HA_Test; Device Type: Firepower Threat Defense; Primary Peer: NGFW1; Secondary Peer: NGFW2. Then click Continue.
NOTE: If you have done configuration tasks on either of the HA Peers and have not deployed then you will get the following
message:
3. Select Interface: GigabitEthernet0/2; Name: Failover_Link; Primary IP: 198.19.254.1; Secondary IP: 198.19.254.2; Subnet
Mask: 255.255.255.0; State Link: Interface Same as LAN Failover; IPsec Encryption: Enabled (OPTIONAL).
NOTE: If interfaces do not show up, go back to Devices > Device Manager, click on the pencil icon for each firewall, and click on
Interfaces to make sure they are enabled.
NOTE: The configuration of the HA will take some time. You will see status updates from time to time if you watch the Tasks next to
the Deploy button.
6. Go to Devices > Device Management and click on the pencil icon next to the HA policy.
8. Physical Interface: GigabitEthernet0/0; Active Interface MAC Address: student choice (the IP address of the interface is used in
the example); Standby Interface MAC Address: student choice. Click OK. Repeat for interface GigabitEthernet0/1.
When you configure your interfaces, you can specify an active IP address and a standby IP address on the same network.
Although recommended, the standby address is not required. Without a standby IP address, the active unit cannot perform network
tests to check the standby interface health; it can only track the link state. You also cannot connect to the standby unit on that
interface for management purposes.
When the primary unit or failover group fails over, the secondary unit assumes the IP addresses and MAC addresses of the
primary unit and begins passing traffic.
The unit that is now in standby state takes over the standby IP addresses and MAC addresses.
Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the
network.
If the secondary unit boots without detecting the primary unit, the secondary unit becomes the active unit and uses its own MAC
addresses, because it does not know the primary unit MAC addresses. However, when the primary unit becomes available, the
secondary (active) unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network
traffic. Similarly, if you swap out the primary unit with new hardware, a new MAC address is used.
Virtual MAC addresses guard against this disruption because the active MAC addresses are known to the secondary unit at
startup, and remain the same in the case of new primary unit hardware. In multiple context mode, you can configure the ASA to
generate virtual active and standby MAC addresses automatically. In single context mode, you can manually configure virtual MAC
addresses.
If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow.
The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not
learn of the MAC address change for these addresses.
The IP address and MAC address for the state link do not change at failover; the only exception is if the state link is configured on
a regular data interface.
10. Select LAN-Side and enter the Standby IP Address: 198.19.10.2. Repeat for the ISP-Side interface.
11. Click Save, then click Deploy. Select HA_Test and click Deploy.
1. Let’s look at some of the configuration parameters that NGFW2 received during the HA setup
3. Log in to the NGFW (Username: admin, Password: C1sco12345) and type show running-config.
NOTE: Interfaces G0/0 and G0/1 have assumed the IP addresses of NGFW1. Interface G0/2 is shown as a failover interface.
Testing Failover
1. On the Jump PC, go to PuTTY and open a session to the Inside Linux Server.
2. Login: root, Password: C1sco12345. Type ping outside and let it continue to run.
3. Go to the web interface of the FMC, Devices > Device Management. Click on the Switch Peers icon and click Yes.
4. Resize the Firefox window so you can also see the results of the pinging from the Inside Linux Server.
The objective of this exercise is to understand and configure the AnyConnect remote access VPN feature available on the Cisco
Firepower NGFW.
Steps
a. In the FMC, navigate to Objects > Object Management > VPN > AnyConnect File.
d. Click Browse and navigate to the RA VPN folder on the Jump desktop.
f. Click Open. Note that the File Type text field prepopulates with the correct value.
g. Click Save.
c. Click Browse and select the anyconnect-macos-4.4.01054-webdeploy-k9.pkg file from the RA VPN folder on the
Jump desktop.
d. Click Open. Note that the File Type text field prepopulates with the correct value.
e. Click Save.
c. Click Browse and select the AC-Profile1.xml file from the RA VPN folder on the Jump desktop.
d. Click Open. Note that the File Type text field prepopulates with the correct value.
e. Click Save.
NOTE: AnyConnect client profiles can be created using the VPN Profile Editor tool, which is available on cisco.com. The VPN
Profile Editor tool is also available on the Jump. It can be accessed via Start > All Programs > Cisco > Cisco AnyConnect profile editor
> VPN Profile Editor.
4. Create an IP pool.
a. In the FMC, navigate to Objects > Object Management > Address Pools > IPv4 Pools.
f. Click Save.
d. Under Selected Networks, in the bottom text field, enter 198.19.13.0/24 and click Add.
e. Click Save.
c. Under Selected Networks, in the bottom text field, enter 198.19.10.0/24 and click Add.
d. Click Save.
NOTE: There is a reason you are asked to use network object groups instead of network objects. In the next lab exercise you will
add another subnet. Since you are using a network group, all you will have to do is modify this object. You will not have to directly
modify the access control and NAT policies.
a. In the FMC, navigate to Objects > Object Management > Access List > Extended.
d. Select Inside-NW from the Available Networks and click Add to Source.
e. Click Add.
f. Click Save.
a. In the FMC, navigate to Objects > Object Management > PKI > Cert Enrollment.
e. Click Save.
a. In the FMC, navigate to Object > Object Management > RADIUS Server Group.
NOTE: In order to save time, ISE has been pre-configured with all required configuration for all of the lab exercises. If you want to
inspect the ISE configuration, see Appendix 3.
1. In FMC, navigate to Objects > Object Management > VPN > Group Policy.
d. Click Save.
1. In FMC, navigate to Devices > VPN > Remote Access. Click Add. This will launch the wizard.
d. Click Next
6. Confirm that Group Policy is set to DfltGrpPolicy. Click Next.
b. Click Next.
c. Click Next.
b. Click Finish.
d. For PKCS12 File, click Browse PKCS12 File. Navigate to the Certificates folder on the Jump desktop and select
ngfw-outside. Click Open.
f. Click Add.
2. Select and edit the access control policy (Base_Policy). Click Add Rule.
a. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.
b. Select Demo File Policy from the File Policy drop-down list.
d. Click Save to save the access control policy changes.
NOTE: NAT exemptions are used so that the IP addresses used in VPN connectivity are not translated by NAT. This rule must be
placed in NAT Rules Before to make sure these networks are not translated.
2. Select and edit the existing NAT policy (Default PAT). Click Add Rule.
8. Select the Advanced tab, and select Do not proxy ARP on Destination Interface.
NOTE: Enabling Do not proxy ARP on Destination Interface is critical in this lab exercise. If you miss this step, your pod may
have access issues, since all devices are managed in band.
5. You should still have an open PuTTY session to the NGFW1 CLI. Run some or all of the following commands.
7. You can cut and paste this command from the Strings to cut and paste.txt text file on the Jump desktop.
test aaa-server authentication ISE-AAA host 198.19.10.130 username ira password 'C1sco12345'
INFO: Attempting Authentication test to IP address (198.19.10.130) (timeout: 32 seconds)
INFO: Authentication Successful
1. Open the Remote Desktops folder on the Jump desktop, and double click on Outside-PC.
3. Open Internet Explorer and click NGFW-outside on the favorites bar. (If prompted, choose Continue to this website.)
4. For Username, enter ira. For Password, enter C1sco12345. Click Logon.
5. Click the Install button at the bottom of the page. When prompted, click Install again.
7. Open the AnyConnect client UI from the bottom right of the Outside-PC, as shown below.
8. Open the Advanced window of the AnyConnect client UI by clicking on the gear icon, as shown below.
9. Select the Statistics tab to confirm the client and server IP addresses.
a. Select the Route Details tab to confirm the split tunneling: only traffic to 198.19.10.0/24 is considered a secure route.
In other words, only traffic to 198.19.10.0/24 is tunneled through the VPN. Note that 198.19.10.100/32 is also listed
as a secure route. This is because the VPN group policy assigns 198.19.10.100 to the client as the DNS server.
a. Run nslookup inside.dcloud.local. Confirm that PC-outside is using the internal DNS server with IP address
198.19.10.100.
c. Login as guest, password C1sco12345. This confirms access to the internal server.
d. Type cd ~root. You should see the following message: Connection closed by remote host.
12. In Internet Explorer, click Inside Linux Server on the favorites bar.
14. Click on the ProjectX.pdf link, and click on the Open button at the bottom of the web page, to confirm that you can download
PDFs.
15. Click on the Zombies.pdf link, and click on the Open button at the bottom of the web page. You will see the following message
at the bottom of the web page. This is because the file was blocked by AMP for Networks.
18. Drill down to the Table View of Events to confirm that the source IP address was from the VPN pool.
19. In the FMC, navigate to Analysis > Files > Malware Events.
21. Drill down to the Table View of Malware Events to confirm that the source address was from the VPN pool.
22. Disconnect the AnyConnect VPN before you go on to the next lab exercise.
In this exercise, we will use ISE RADIUS attributes to dynamically allocate group policy, IP pool and downloadable ACL (DACL)
based on the AD group of the user.
• If the RA VPN user is a member of the IT group, they should have full access to any device on the internal network
(198.19.10.0/24).
• If the RA VPN user is not a member of the IT group, they should only be able to access two internal devices: the domain
controller, ad1.dcloud.local (198.19.10.100), and the inside Linux server, inside.dcloud.local (198.19.10.200).
Users that are members of the IT group should be given IP addresses from a separate IP pool.
NOTE: In order to save time, ISE is pre-configured with all required configuration for all the lab exercises. This includes the
selection of group policy and IP pool based on AD group membership. Because of this, the name of the new group policy and
IP pool must be exactly the names given in the instructions. If you want to review the ISE configuration, see Appendix 3.
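The policy stated above is enforced on the NGFW as a downloadable ACL pushed by ISE per user. The following Python example is added here (it is not ISE or Firepower code) to show how two DACLs expressed in ASA/FTD extended-ACL syntax implement that policy, and how first-match evaluation with the implicit trailing deny produces the ping results checked later in this exercise. The ACL lines and the users' group memberships are constructed from the description above, not copied from the Appendix 3 ISE configuration; 198.19.10.1 is NGFW1's LAN-Side address from the HA exercise.

```python
import ipaddress

# Constructed DACLs expressing the two policies stated in the objective.
DACL_DEFAULT = [
    "permit ip any host 198.19.10.100",   # ad1.dcloud.local
    "permit ip any host 198.19.10.200",   # inside.dcloud.local
]                                         # everything else hits the implicit deny
DACL_IT = [
    "permit ip any 198.19.10.0 255.255.255.0",  # whole internal network
]

# Assumed AD group membership for the two test users used later in this exercise.
USER_GROUPS = {"harry": set(), "rita": {"IT"}}


def dacl_for(user):
    """Mirror of ISE's authorization decision: IT members get DACL_IT, others the default."""
    return DACL_IT if "IT" in USER_GROUPS.get(user, set()) else DACL_DEFAULT


def parse_ace(line):
    """Parse 'permit|deny ip any <any | host A | A MASK>' into (action, destination network)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip" or tok[2] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    dst = tok[3:]
    if dst == ["any"]:
        net = ipaddress.ip_network("0.0.0.0/0")
    elif dst[0] == "host":
        net = ipaddress.ip_network(f"{dst[1]}/32")
    else:
        net = ipaddress.ip_network(f"{dst[0]}/{dst[1]}", strict=False)  # address + dotted mask
    return tok[0], net


def permitted(dacl, dst_ip):
    """First-match evaluation; an ACL that matches nothing ends in an implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for line in dacl:
        action, net = parse_ace(line)
        if dst in net:
            return action == "permit"
    return False


def user_can_reach(user, dst_ip):
    return permitted(dacl_for(user), dst_ip)


if __name__ == "__main__":
    targets = (("inside.dcloud.local", "198.19.10.200"), ("NGFW1.dcloud.local", "198.19.10.1"))
    for user in ("harry", "rita"):
        for host, ip in targets:
            print(f"{user:6} -> {host:20} {'permit' if user_can_reach(user, ip) else 'deny'}")
```

Because the default DACL only lists two hosts, a non-IT user's ping to NGFW1 falls through to the implicit deny, which is exactly the failure the verification step later asks you to observe.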
Steps
Create a new group policy
1. In the FMC, navigate to Object > Object Management > VPN > Group Policy.
3. For Name, enter ITGP. This must be the exact group name, because of the ISE configuration.
d. In the General tab, select DNS/WINS. For Primary DNS Server, select Inside-DNS and click Save.
1. In the FMC, navigate to Objects > Object Management > Address Pools > IPv4 Pools.
b. For Name, enter AC-IP-Pool-IT. This must be the exact name, because of the ISE configuration.
e. Click Save.
To modify both the access control and NAT policies, all you have to do is modify the AC-NW network group object.
b. Under Selected Networks, in the bottom text field, enter 198.19.14.0/24 and click Add.
c. Click Save.
a. Edit AnyConnect-VPN. Then select and edit the AC-Default-Profile connection profile.
d. Under Address Pools, click the (+) icon and select IPv4.
a. Select the Advanced tab of the AnyConnect-VPN page, and select Group Policies from the left navigation pane.
1. Deploy the changes to the NGFW. Wait for the deployment to complete.
3. Once AnyConnect is connected run the following two commands from the Outside-PC command prompt.
b. ping NGFW1.dcloud.local. This should fail. The DACL that ISE assigns by default only allows access to the domain
controller and inside Linux server.
c. On the NGFW1 CLI, run the following command: show vpn-sessiondb detail anyconnect. Observe the following values in
the output.
i. Username: harry
8. Once AnyConnect is connected run the following two commands from the Outside-PC command prompt.
b. ping NGFW1.dcloud.local. This should also succeed. The DACL that ISE assigns to the IT group allows access to
any internal device.
9. On the NGFW CLI, run the following command: show vpn-sessiondb detail anyconnect. Observe the following values in the output.
a. Username: rita
The objective of this exercise is to configure a site-to-site VPN tunnel between the NGFW and an ASA.
Steps
1. Navigate to Objects > Object Management. The Network object page will be selected.
d. Click Save.
c. Click Save.
1. Navigate to Devices > VPN > Site To Site. Click Add VPN > Firepower Threat Defense Device.
NOTE: The other VPN choice, Firepower Device, is for configuring secure tunnels between Firepower devices.
a. Confirm that for Network Topology, Point to Point is selected. Confirm that for IKE Version, IKEv1 is not checked and
IKEv2 is checked.
3. Click the green plus to the right of Node A. Fill out as in the figure below, and then click OK.
4. Click the green plus to the right of Node B. Fill out as in the figure below, and then click OK.
7. Under IKEv2 Settings, for Authentication Type, select Pre-shared Automatic Key.
NOTE: The Automatic setting can only be used if the FMC is managing both endpoints. In this case, the FMC can generate a
random shared key.
8. Select the IPsec tab, change the IKEv2 IPsec Proposal to DES_SHA-1.
NOTE: NAT exemption (identity NAT) keeps the addresses of traffic between the two protected networks untranslated, so that the packets enter the tunnel with their original source and destination and match the VPN's protected networks. Because NAT rules are evaluated in order, this rule must come before any other NAT statement, so you will put it in the NAT Rules Before category.
a. Leave In Category and NAT Rules Before selected in the NAT Rule drop-down list.
6. Click Save.
1. Go to Devices > NAT > Branch1 NAT and click the pencil icon to edit the NAT policy.
a. Interface Objects
b. Translation
i. Original Packet
c. Advanced
3. Click OK.
You will now create a rule to allow traffic between the Branch office and Main office.
1. Navigate to Policies > Access Control > Access Control. Edit the Base_Policy Access Control Policy.
3. Select into Default from the Insert drop-down list. This will become the last rule in the access control policy.
8. Select the Networks tab, select Branch1OfficeNetwork, and click Add to Source.
9. Select the Networks tab, select MainOfficeNetwork, and click Add to Destination.
11. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.
12. Select Demo File Policy from the File Policy drop-down list.
13. Click Add to add this rule to the access control policy.
15. Now modify the Branch1 Access Policy to allow inbound connections.
NOTE: If you are starting this lab from Scenario 6, you MUST first complete the Configuring Branch 2 Management Using Firepower Device Manager (FDM On Box) section of Scenario 2 if you want to complete this section. This is due to a licensing limitation.
NOTE: In this configuration Branch 2 is managed by FDM (the on-box manager). The Site to Site VPN endpoint will be of type Extranet, and you will have to manually configure the IKEv2 pre-shared key on both sides.
1. Go to Devices > VPN > Site to Site > Add VPN > Firepower Threat Defense
3. For Node A follow steps 2 and 3 from Node A configuration changing the Connection Name to whatever you want.
4. Node B
a. Device NGFWBR1
c. Under Protected Networks, click the + sign and create a network object called Branch2Officenetwork with the network 192.168.45.0/24.
7. Name Branch2-HQ
9. Local Network click the “+” and select Create New Network
i. Name: Branch2Network
b. Click Ok
12. For Remote Network, click the + sign and select Create New Network.
i. C1sco12345
i. C1sco12345
d. Select Next
1. Deploy the changes on the FMC and wait for the deployment to complete.
2. On the Jump PC, open PuTTY and connect to NGFW1 and NGFWBR1 (login: admin, password: C1sco12345).
3. From the NGFW1 CLI, type show crypto ipsec sa peer 198.18.133.142. There should be no IPsec security associations.
4. On NGFWBR1, type show crypto ipsec sa peer 198.18.133.2. There should be no IPsec security associations.
5. Open a PuTTY session to the Inside Linux Server (login: root, password: C1sco12345).
6. From the Inside Linux Server CLI, type ping branch. Wait a few seconds; the ping should succeed.
7. From the NGFW1 CLI, type show crypto ipsec sa. There should now be an IPsec security association.
8. On the Jump desktop, open the PUTTY link. Double click on the preconfigured session called Branch Linux Server.
11. Go back to the Inside Linux Server and type ping 192.168.45.225. This should succeed.
12. Go back to the NGFW1 CLI and type show crypto ipsec sa peer 198.18.3.2.
13. Do not disconnect the AnyConnect VPN. Continue immediately to the next lab exercise.
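The SA checks in steps 3, 4, 7 and 12 are done by eye. The following script is an added example written for this page; it is not part of the lab or of Cisco's software. It parses show crypto ipsec sa output for a given peer and reports whether an SA exists, whether packets have been encapsulated and decapsulated in both directions, and whether a weak transform such as esp-des (the DES_SHA-1 proposal chosen earlier) is in use. The sample output it runs on is constructed; only the addresses follow the lab.

```python
import re

# Constructed sample of "show crypto ipsec sa peer 198.18.133.142" output. The peer, local address
# and selectors follow the lab; the counters, SPIs and crypto map name are invented for illustration.
SAMPLE_SA = """\
peer address: 198.18.133.142
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: 198.18.133.2

      local ident (addr/mask/prot/port): (198.19.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.45.0/255.255.255.0/0/0)
      current_peer: 198.18.133.142

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
           SA State: active
           transform: esp-des esp-sha-hmac no compression
      outbound esp sas:
        spi: 0x5E6F7A8B (1584691851)
           SA State: active
           transform: esp-des esp-sha-hmac no compression
"""

# Transforms that should not appear on a production tunnel.
WEAK_TRANSFORMS = ("esp-des", "esp-3des", "esp-null", "esp-md5-hmac")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one record per 'peer address:' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"peer address:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1), "local": None, "remote": None,
                   "encaps": 0, "decaps": 0, "transforms": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        for key, pattern in (("local", r"local ident .*?:\s*\(([^)]*)\)"),
                             ("remote", r"remote ident .*?:\s*\(([^)]*)\)"),
                             ("encaps", r"#pkts encaps:\s*(\d+)"),
                             ("decaps", r"#pkts decaps:\s*(\d+)"),
                             ("transform", r"transform:\s*(.+)")):
            m = re.match(pattern, line)
            if not m:
                continue
            if key == "transform":
                cur["transforms"].append(m.group(1))
            elif key in ("encaps", "decaps"):
                cur[key] = int(m.group(1))
            else:
                cur[key] = m.group(1)
            break
    return records


def tunnel_status(text, peer):
    """Summarise one peer: SA present, traffic in both directions, and any weak transform in use."""
    for rec in parse_ipsec_sa(text):
        if rec["peer"] != peer:
            continue
        weak = sorted({w for t in rec["transforms"] for w in WEAK_TRANSFORMS if w in t})
        return {"up": bool(rec["transforms"]),
                "bidirectional": rec["encaps"] > 0 and rec["decaps"] > 0,
                "encaps": rec["encaps"], "decaps": rec["decaps"],
                "selectors": (rec["local"], rec["remote"]),
                "weak_transforms": weak}
    # No block for this peer: the tunnel has not been negotiated yet (the expected state before the first ping).
    return {"up": False, "bidirectional": False, "encaps": 0, "decaps": 0,
            "selectors": (None, None), "weak_transforms": []}


if __name__ == "__main__":
    for peer in ("198.18.133.142", "198.18.3.2"):
        print(peer, tunnel_status(SAMPLE_SA, peer))
```

Paste the real output of show crypto ipsec sa into SAMPLE_SA to check a live tunnel; a peer with an SA but encaps or decaps stuck at zero usually means the NAT exemption or the protected networks on one side are wrong.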
• Troubleshooting
You will use the FMC for Monitoring AnyConnect User activity and troubleshooting.
Steps
In this section, you can monitor all active users who have logged in through AnyConnect.
1. In the FMC, navigate to Overview > Dashboards > Access Controlled User Statistics
2. Select the VPN tab. Note that there are 7 widgets dedicated to VPN traffic.
b. Check the checkbox to the left of Rita's session and click Logout. When prompted, click Continue.
NOTE: You may also see other active sessions discovered with network discovery. For example, you may see guest discovered
through an FTP session. For brevity, those sessions were left out of the figure above. If you want more details about users and
how they were discovered, navigate to Analysis > Users > Users.
5. In the FMC, navigate to Analysis > Users > User Activity. In this window you will see details of current and past user
sessions. Spend a couple minutes reviewing the information on this page.
Troubleshooting
In this section, you will modify the Syslog level for VPN events on the NGFW. You will also run some basic troubleshooting
commands from the NGFW1 CLI.
1. In the FMC, navigate to Devices > VPN > Troubleshooting. Note that no records are displayed.
d. Click Save.
a. Under VPN Logging Settings, change the logging level to informational. Note that in a production environment it is recommended to set this to errors or alerts; informational logging is verbose.
b. Click Save.
6. On the Outside-PC, generate some VPN activity. For example, connect and disconnect a VPN session.
7. In the FMC, return to Devices > VPN > Troubleshooting. You should now see records. If you do not, try adjusting the time window on this page.
8. On the NGFW1 CLI, run some of the following commands to get a rough scope of the troubleshooting capabilities (the trailing ? lists the available keywords). These are useful when troubleshooting RA VPN and are included primarily for your reference.
a. show vpn-sessiondb ?
b. test aaa-server ?
e. debug ldap ?
f. debug aaa ?
a. Go To Devices > Device Management > Click Add and Add Device
3. Add Device
a. Host: 198.19.10.83
e. Licensing
i. Check Malware
f. Click Register
NOTE: You can read the output in the PuTTY session, or copy it to Notepad++ on the Jump PC.
5. Check for the error message (hint: the output will state an authentication error).
7. Type sftunnel-status.
NOTE: If you cannot find the authentication error (hint: check the password), you can do the following on NGFW3: from the CLI type expert, then sudo su; you will be at the /home/admin# prompt.
10. Type show managers; you will see that the registration is still pending.
11. Go back to the FMC web page and click OK on the error.
NOTE: You can turn pigtail on again by typing pigtail to watch the registration process.
1. If you did not do this in the previous lab, in FDM (Branch 2) go to Device > Routing > View Configuration.
a. Name: tsroute
7. Click OK
8. Click Deploy
12. Open PuTTY on the desktop and log in to the FDM device (192.168.45.45, port 22).
14. Right-click the title bar of the PuTTY session for the FDM device and select Copy All to Clipboard.
15. Open Notepad++ and paste the contents into it.
16. In Notepad++, select Search > Find, search for ERROR, and select Match case.
17. You will see an error that references the next-hop address.
NOTE: As of 6.2 you can also select See Details under the Failed status. This does not catch every error, so it is still recommended to run pigtail on both the FTD and the FMC and copy the output for TAC calls.
1. pigtail commands
a. pigtail --help
b. pigtail all
c. pigtail ui
a. Verify whether traffic to a specific port is allowed by the LINA data path and by Snort.
b. Packet Tracer does not currently work with the following, because it emulates a single packet and cannot emulate a Layer 7 flow:
i. Identity-based rules
ii. L7-related rules (Security Intelligence DNS/URL, AppID, File Policy, L7 intrusion rules)
Packet-Tracer Lab
f. Under Applications, in Available Applications type ICMP, select All apps matching the filter, and click Add to Rule.
g. In Available Applications type FTP, select All apps matching the filter, and click Add to Rule.
h. Click Logging.
i. Click Save.
NOTE: We selected all the applications related to ICMP and FTP. In a production environment you would be more specific about which applications you block.
3. On the Jump PC, open a PuTTY session to the Inside Linux Server (username: root, password: C1sco12345).
a. Look at Phase 2: you will notice that the packet has been handed off to Snort for further processing.
b. Look at Phase 12: you will see that Snort matched the block with reset rule (identified by its rule id) and ordered the packet dropped.
7. Go to Devices > Device Management > NGFW1 and click the Troubleshooting icon.
b. Interface: LAN-Side
c. Source: 198.19.10.200
e. Destination: 198.18.133.42
f. Click Start
NOTE: You will get the same results that you saw on the NGFW1 command line, just shown in the window. Check Phase 2 and Phase 12.
b. Source: 198.19.10.200
f. Click Clear
g. Click Start
NOTE: Phase 2 is still checking the rule you created. Look at Phase 14: Snort evaluated the rule and the verdict was to pass the packet. Only this first packet is passed, not the packets that follow, because packet-tracer emulates a single packet and cannot identify the FTP application. To test with real traffic, go to the Jump PC, open the Inside Linux Server session and type ftp outside; at the login: prompt enter guest and you will receive the message No Control connection for command: Transport endpoint is not connected. Under Analysis > Connections > Events you can see that the FTD blocked the connection with reset.
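As an added example for this page (not part of the lab and not Cisco's code), the script below parses packet-tracer output of the shape described above and answers the two questions the lab asks: did Phase 2 hand the packet to Snort, and which phase produced the final verdict, with the rule id that caused it. The sample trace and its rule ids are constructed. Because packet-tracer emulates one packet, a pass verdict from Snort says nothing about later packets of an application-identified flow, which is why the FTP test with real traffic is still needed.

```python
import re

# Constructed sample in the shape of FTD "packet-tracer input LAN-Side tcp 198.19.10.200 12345 198.18.133.42 21"
# output. Only the phases needed for the demonstration are included; the rule ids are invented.
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435458
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Firewall: block w/ reset rule, id 268435460, drop
Snort id 0, NAP id 1, IPS id 0, Verdict BLACKLIST
Snort Verdict: (black-list) black list this flow

Result:
input-interface: LAN-Side
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor
"""


def parse_packet_tracer(text):
    """Turn packet-tracer output into a list of phase dicts plus the final Action/Drop-reason."""
    phases, final = [], {"action": None, "drop_reason": None}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:
            cur = {"num": int(m.group(1)), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":  # a bare 'Result:' opens the final summary, unlike a phase's 'Result: ALLOW'
            cur, section = None, "final"
            continue
        if section == "final":
            m = re.match(r"(Action|Drop-reason):\s*(.*)", line)
            if m:
                final[m.group(1).lower().replace("-", "_")] = m.group(2)
            continue
        if cur is None:
            continue
        m = re.match(r"(Type|Subtype|Result):\s*(.*)", line)
        if m:
            cur[m.group(1).lower()] = m.group(2)
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        if section in ("config", "info") and line.strip():
            cur[section].append(line.strip())
    return {"phases": phases, **final}


def explain_verdict(text):
    """Answer the lab's two questions: was the packet handed to Snort, and which phase decided the verdict?"""
    trace = parse_packet_tracer(text)
    handed = any("sent to snort" in i.lower() for p in trace["phases"] for i in p["info"])
    verdict = next((p for p in trace["phases"] if p["result"].upper() == "DROP"), None)
    rule_id = None
    for info in (verdict["info"] if verdict else []):
        m = re.search(r"rule, id (\d+)", info)
        if m:
            rule_id = int(m.group(1))
            break
    return {"action": trace["action"], "handed_to_snort": handed,
            "verdict_phase": verdict["num"] if verdict else None,
            "verdict_by": verdict["type"] if verdict else None,
            "rule_id": rule_id, "drop_reason": trace["drop_reason"]}


if __name__ == "__main__":
    print(explain_verdict(SAMPLE_TRACE))
```

When verdict_by is SNORT the decision came from the access control, intrusion or file policy and the rule id can be looked up in the policy; when it is an earlier LINA phase (ACCESS-LIST, NAT, ROUTE-LOOKUP) the problem is in the data path and Snort was never consulted.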
NOTE: There are two types of traffic captures: LINA-based and Snort-based.
3. Go to Devices > Device Management > click on the Troubleshooting Icon for NGFW1
a. Name: Capturewtrace
b. Interface: LAN-Side
c. Protocol: ICMP
h. Click Save.
NOTE: The access policy rule denying ICMP has not been removed, so the pings will fail, but you will still see the packets in the capture. Later in this lab you will export the capture in PCAP format and open it in Wireshark.
7. On the Jump PC, on the Inside Linux Server, type ping outside.
8. If you do not see anything under Packets Shown within about 10 seconds, click Refresh.
10. Click on the Save icon for the packet capture you created
12. Go to the downloads arrow of Google Chrome and select the file just downloaded
13. Minimize the Browser and you will see the file opened in Wireshark.
Cisco Threat Intelligence Director (CTID) is a component of the FMC that can consume third-party cyber threat intelligence indicators. CTID parses these indicators into observables that the NGFW can detect; the NGFW reports detections of the observables back to CTID, which then determines whether the observations constitute an incident.
• Flat files - lists of simple indicators such as IP addresses, URLs or SHA-256 hashes
• STIX files - XML files that can describe simple or complex indicators
• Threat Intelligence Director is enabled by default. You can find the setting under Policies > Access Control, then in the policy under Advanced.
There are 3 ways these files can be retrieved:
Steps
2. Edit the access control policy by clicking the pencil icon to the right of the policy.
3. Select the Advanced tab. Using this advanced setting, CTID can be enabled or disabled at the access policy level.
5. Confirm that NGFW1 is an element. This means that CTID can publish to NGFW1 the observables retrieved from a STIX file on a web server.
NOTE: The CTID can be enabled or disabled globally. Clicking Pause will stop the CTID publishing to all elements.
7. Click the plus sign (+) on the right to add an intelligence source.
NOTE: You cannot change the action from Monitor to Block for STIX files. STIX files can represent complex indicators, so the NGFW cannot decide, based on a single observable, whether the criteria of the indicator have been satisfied. However, even for complex indicators, you can set the action for individual observables to Block.
13. Wait a few seconds. Navigate to Intelligence > Sources > Indicators. Confirm that a complex indicator has been added.
14. Click on the name of the indicator Weatherman PUA. Observe the details of the indicator.
16. Navigate to Intelligence > Sources > Observables. Confirm that two SHA-256 observables and one IPv4 observable have been added.
a. Navigate to Intelligence > Sources > Sources. Click the plus sign (+) on the right to add an intelligence source.
c. For TYPE, select Flat File. The CONTENT drop-down list will appear.
e. Click in the FILE area, and select URL_LIST.txt from the Files folder on the Jump desktop.
19. Wait a few seconds. Navigate to Intelligence > Sources > Indicators. Confirm that two URL indicators have been added.
20. Navigate to Intelligence > Sources > Observables. Confirm that two type URL observables have been added.
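A flat-file source carries one indicator per line, and the CONTENT type is declared once for the whole file. The script below is an added example written for this page, not CTID's own parser: it classifies each line as SHA-256, IPv4, IPv6 or URL, rejects lines that do not match the declared type, and de-duplicates after normalising (lower-case hashes, URLs with the scheme stripped; that scheme-less form is an assumption based on the observable the lab greps for on the sensor). The sample lists are constructed.

```python
import hashlib
import ipaddress
import re

# Constructed sample flat files; the entries are invented for illustration (the first URL mirrors the
# observable the lab later greps for in siurl_download).
SAMPLE_URL_LIST = """\
# URL_LIST.txt (constructed)
http://developmentserver.com/misc/Tron.html/
https://bad.example.net/payload.exe
developmentserver.com/misc/Tron.html/
not a url at all
198.18.133.200
"""
SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()
SAMPLE_SHA_LIST = f"{SAMPLE_HASH}\n{SAMPLE_HASH.upper()}\ndeadbeef\n"

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
HOSTPATH_RE = re.compile(r"^[A-Za-z0-9.-]+(?::\d+)?(?:/\S*)?$")


def classify(indicator):
    """Return 'SHA256', 'IPv4', 'IPv6' or 'URL' for one indicator string, or None if it is none of them."""
    s = indicator.strip()
    if SHA256_RE.match(s):
        return "SHA256"
    try:
        return "IPv4" if ipaddress.ip_address(s).version == 4 else "IPv6"
    except ValueError:
        pass
    hostpath = SCHEME_RE.sub("", s)
    if HOSTPATH_RE.match(hostpath) and "." in hostpath.split("/", 1)[0]:
        return "URL"
    return None


def normalize(indicator, kind):
    """Canonical form used for de-duplication: lower-case hashes, scheme-less URLs (assumed to match the
    form the sensor stores in siurl_download), addresses unchanged."""
    s = indicator.strip()
    if kind == "SHA256":
        return s.lower()
    if kind == "URL":
        return SCHEME_RE.sub("", s)
    return s


def validate_flat_file(text, declared_type):
    """Pre-upload check: every non-comment line must be an indicator of the CONTENT type declared for the file."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind != declared_type:
            rejected.append((lineno, line, f"expected {declared_type}, got {kind or 'unrecognised'}"))
            continue
        norm = normalize(line, kind)
        if norm in seen:
            rejected.append((lineno, line, "duplicate after normalisation"))
            continue
        seen.add(norm)
        accepted.append(norm)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    for name, text, kind in (("URL_LIST", SAMPLE_URL_LIST, "URL"), ("SHA_LIST", SAMPLE_SHA_LIST, "SHA256")):
        result = validate_flat_file(text, kind)
        print(name, "accepted:", result["accepted"])
        for lineno, line, reason in result["rejected"]:
            print(f"  line {lineno}: {line!r}: {reason}")
```

Run it against a list before uploading it as a source: a file that mixes IP addresses into a URL list, or contains the same hash in two cases, is the usual reason the observable count on the Observables page does not match the line count of the file.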
1. Navigate to Intelligence > Sources > Sources. Click the plus sign (+) on the right to add an intelligence source.
NOTE: It may take several seconds for the FEEDS drop-down list to populate.
8. Click Save.
9. Wait until the Status column for this source changes to Parsing. Do not wait for the parsing to complete; this would take too long.
10. Navigate to Intelligence > Sources > Indicators. Confirm that several URL indicators have been added.
11. Navigate to Intelligence > Sources > Observables. Confirm that several URL observables have been added.
1. It can take several minutes for the observables to be published to the sensor. In this step, you will see how to confirm the
publication of a particular observable. In the NGFW CLI, perform the following:
3. Type ls -d /var/sf/*download.
Four of these (iprep_download, sidns_download, sifile_download and siurl_download) are used by Security Intelligence and CTID.
4. Type grep developmentserver /var/sf/*download/*lf. You should see a type URL CTID observable:
admin@ngfw:~$ grep developmentserver /var/sf/*download/*lf
/var/sf/siurl_download/731625d4-9512-11e7-915c-7e7252ae92ac.lf:developmentserver.com/misc/Tron.html/
NOTE: If you do not, wait a minute and try again. You must wait for this to be published before you go on.
5. Type grep 198.18.133.200 /var/sf/*download/*lf. You should see the CTID observable for this address.
NOTE: If you do not, wait a minute and try again. You must wait for this to be published before you go on.
3. On the FMC, navigate to Intelligence > Incidents. Confirm that there are 2 incidents.
4. Drill down into the incident and observe the details for this incident.
5. Confirm that there is an incident for a URL indicator. Drill down into the incident and observe the details for this incident.
• The objective of this exercise is to familiarize the student with the migration tool.
• How it is configured
• How it is used
After converting an FMC to a migration tool, two configurations will be migrated. Several aspects of migration will be revealed,
including object flattening and how unsupported features are handled.
Steps
1. On the Jump desktop, open the PuTTY link. Double click on the preconfigured session called Migrator. Login as admin,
password cisco12345.
NOTE: This is a separate FMC from the one you are using to manage the NGFW. You should not try to use a production FMC as a
migration tool.
d. Wait for the script to complete. This will take less than a minute.
a. Click on the bookmark bar link Migration Tool. Click Advanced, and Add Exception. When prompted, click Confirm Security Exception.
NOTE: This FMC, which will be used as a migration tool, was not modified after installation. The FMC you have been using up to now was preconfigured. This pre-configuration included adding a trusted certificate. See Appendix A for details.
c. Confirm that you see the banner in red at the top of the UI that reads:
MIGRATION TOOL INSTALLED / You are limited to ASA conversions only
• Understand how network and service objects and object groups migrate.
b. Observe that there is an access list and access group that reference these objects. Without the access group, the objects would not migrate, since they would have no effect on the policy configuration.
2. In the Migrator UI (not the FMC), navigate to System > Tools > Import/Export.
b. Click Browse, and select the file ASA_config_1.txt from the Files folder.
c. Click Upload.
3. On the next page, leave all the settings unchanged, as below, and click OK.
b. Click on the Task tab and wait for the tasks to complete.
c. Click on the text Click to download the FMC import file(.sfo) and save the SFO file.
d. Click on the text Click and select the default Open with Google Chrome to open the migration report in a new tab.
Confirm that the conversion report contains no errors. Close Chrome.
5. On the (production) FMC UI, navigate to System > Tools > Import/Export.
b. Click on Browse, and select the SFO file from the Downloads folder. It will have a name of the form ExportForMigration-<some UUID>.sfo.
d. Click Upload.
9. The Network object page will be selected. Notice the objects that were created.
d. Four network objects net1, net2, net3 and net4
e. Two network groups net12 and net34
f. One nested network group net1234
NOTE: These are exactly the network objects and network-group object that existed in the ASA configuration.
10. In the left navigation pane, select Port. Notice the objects that were created.
g. Four port objects p1_dst_1, p1_dst_2, p2_dst_1 and p2_dst_2
h. Zero port groups
NOTE: The ASA port groups, p1 and p2, have been flattened, and there is no p12.
a. Notice that there is a new prefilter policy. Edit it so you can inspect the rules.
b. Notice that the single ACE in the ASA configuration is now 2 separate prefilter rules.
a. Notice that there is a new access control policy. Edit it so you can inspect it.
b. Notice that there are no rules and that the default action is set to block.
c. Notice that the prefilter policy is set to the prefilter policy inspected in the previous step.
There are three separate goals in this task. They are not directly related. They have been bundled for expedience.
Try to migrate a time-based ACL, and see how the unsupported feature is treated.
a. Observe that two network objects in the ASA configuration already exist in the FMC.
i. The network object net1, which has a different definition than the existing object of the same name
ii. The network object net2, which has the same definition as the existing object with the same name
c. Observe that there is a time-based ACL. This feature is not currently supported.
2. In the Migrator UI (not the FMC), navigate to System > Tools > Import/Export.
b. Click Browse, and select the file ASA_config_2.txt from the Files folder.
c. Click Upload.
b. Click on the Task tab and wait for the tasks to complete.
c. Click on the text Click to download the FMC import file(.sfo) and save the SFO file.
d. Click on the text Click and select the default Open with Google Chrome to open the migration report in a new tab.
Observe that this migration report warns that the time-based ACL was not supported. Close Chrome.
4. In the (production) FMC UI, navigate to System > Tools > Import/Export.
b. Click on Browse, and select the SFO from the Downloads folder. It will have a name of the form
ExportForMigration-<some UUID>.sfo. Be sure to select the more recently created SFO file.
c. Click Upload.
6. On the next page perform the following sub-steps. See the following figure.
b. Create two interface groups using the drop-down lists on this page. Interfaces referenced in migrated NAT rules must be placed in interface groups; security zones are not allowed. You could call them IF1 and IF2.
c. Click Import.
7. Navigate to Objects > Object Management. The Network object page will be selected.
a. Notice the object net1_1 was created. This is because the definition of net1 was different in the two migrated ASA configurations. Therefore the object is renamed.
b. Notice the object net2_1 was not created. This is because the definition of net2 was the same in the two migrated
ASA configurations. Therefore the object is reused.
NOTE: This behavior changed in the Firepower 6.2.1 release. In Firepower 6.2, both objects are renamed.
a. Notice that there is a new NAT policy. Edit it so you can inspect the rules.
b. Notice that the objects net1_1 and net2 are referenced in this policy.
a. Notice that there is a new access control policy. Edit it so you can inspect the rules.
b. Note that there is one rule, and that the source and destination network agree with the ACL from the ASA
configuration:
d. Notice that the rule is disabled. If you wish, you can enable the rule.
NOTE: The migration tool was presented with an ACL that included both network and time-based criteria. Because time based
ACLs are currently not supported, the migrated rule could only include the network criteria. Since this may not be acceptable, the
rule is disabled, and must be enabled manually.
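The object behaviour observed in these two tasks (port groups flattened into p1_dst_1 and so on with no port group created, network groups kept including nesting, net1 renamed net1_1 on a definition conflict, net2 reused when the definition matches) can be expressed as a small merge routine. The script below is an added example of that logic written for this page; it is not the migration tool's code. Its ASA snippets are constructed (the object names follow the page, the addresses and ports are invented), and the _dst_ infix in the generated port names is assumed from the lab's ACE, where the groups are used as destinations.

```python
import re

# Constructed ASA snippets in the spirit of the lab's ASA_config_1.txt and ASA_config_2.txt: the object
# names follow the page, the addresses and ports are invented.
ASA_CONFIG_1 = """\
object network net1
 subnet 10.1.1.0 255.255.255.0
object network net2
 host 10.2.2.2
object-group network net12
 network-object object net1
 network-object object net2
object-group service p1 tcp
 port-object eq 80
 port-object eq 443
"""
ASA_CONFIG_2 = """\
object network net1
 subnet 10.1.1.0 255.255.255.128
object network net2
 host 10.2.2.2
"""


def parse_asa_objects(text):
    """Collect network objects, network object-groups and service object-groups from ASA config text.
    A definition is the list of indented lines under the object, which is what the collision check compares."""
    nets, net_groups, svc_groups = {}, {}, {}
    target = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            target = None
            m = re.match(r"object network (\S+)$", line)
            if m:
                target = nets.setdefault(m.group(1), [])
                continue
            m = re.match(r"object-group network (\S+)$", line)
            if m:
                target = net_groups.setdefault(m.group(1), [])
                continue
            m = re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)$", line)
            if m:
                target = svc_groups.setdefault(m.group(1), {"proto": m.group(2), "ports": []})["ports"]
            continue
        if target is not None:
            target.append(line.strip())
    return {"network": nets, "network-group": net_groups, "service-group": svc_groups}


def flatten_service_groups(svc_groups):
    """ASA port groups become individual FMC port objects named <group>_dst_<n>; no port group is created.
    The '_dst_' infix assumes the group was used as a destination, as in the lab's ACE."""
    ports = {}
    for name, grp in svc_groups.items():
        for n, entry in enumerate(grp["ports"], 1):
            m = re.match(r"port-object (eq|range) (.+)$", entry)
            if not m:
                continue
            value = m.group(2).replace(" ", "-") if m.group(1) == "range" else m.group(2)
            ports[f"{name}_dst_{n}"] = (grp["proto"], value)
    return ports


def merge_network_objects(fmc_objects, incoming):
    """Import with the 6.2.1 collision rule the page describes: same name and same definition -> reuse the
    existing object; same name but a different definition -> create <name>_1 (then _2, ...)."""
    fmc, name_map = dict(fmc_objects), {}
    for name, definition in incoming.items():
        candidate, n = name, 0
        while candidate in fmc and fmc[candidate] != definition:
            n += 1
            candidate = f"{name}_{n}"
        fmc[candidate] = definition
        name_map[name] = candidate
    return fmc, name_map


if __name__ == "__main__":
    objs1 = parse_asa_objects(ASA_CONFIG_1)
    print("port objects:", flatten_service_groups(objs1["service-group"]))
    fmc, names = merge_network_objects({}, objs1["network"])
    print("after config 1:", names)
    fmc, names = merge_network_objects(fmc, parse_asa_objects(ASA_CONFIG_2)["network"])
    print("after config 2:", names)
```

The name_map returned by merge_network_objects is what a migrated policy needs: every rule that referenced net1 in the second configuration must now reference net1_1, otherwise it silently matches the older definition.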
Steps
d. Click Save.
2. Click New File Policy. Enter a name Demo File Policy. Click Save.
3. Click Add File Rule. This rule will block malware found in MSEXE, MSOLE2, NEW_OFFICE and PDF files.
6. Under File Type Categories, check Dynamic Analysis Capable. Note that several file types belong to this category. Click
Add.
8. Click Save. Ignore the warning and click OK, when prompted.
9. Click Add File Rule. This rule will block RIFF files. You will use an AVI file to test this rule, since an AVI file is a type of RIFF
file. But note that AVI is not listed separately as a file type.
11. Under File Types, type rif into the search box. Select RIFF from the list. Click Add.
12. Use default values for other settings. Your screen should look like the figure below.
NOTE: You cannot change the order of the rules you create. The order of the rules does not matter. The action of the rule
determines its precedence. The precedence of actions is as follows.
1 - Block Files
2 - Block Malware
3 - Malware Cloud Lookup
4 - Detect Files
5 - Select the Advanced tab. Confirm that Enable Custom Detection List is selected.
6 - Check the Inspect Archives checkbox.
NOTE: Archives that cannot be inspected are corrupt archives, or archives with a depth that exceeds the Max Archive Depth.
14. Click the Save button in the upper-right to save the file policy.
a. Select the Rule update or text rule file to upload and install radio button.
b. Click Browse, and open the Snort_Rules.txt file in the Files folder of the Jump desktop.
NOTE: This file contains 2 simple Snort rules that are useful for testing IPS. They do not resemble published Snort rules.
alert tcp any any -> any any (msg:"ProjectQ replaced"; content:"ProjectQ"; replace:"ProjectR"; sid: 1001001; rev:1;)
alert tcp any any -> any any (msg:"ProjectZ detected"; content:"ProjectZ"; sid: 1001002; rev:1;)
The first rule replaces the string ProjectQ with ProjectR. The second detects the string ProjectZ. Since the rules do not specify
where the string is in the flow, they could cause issues in a production deployment.
c. Click Import. The import process will take a minute or two. When it completes you will see the Rule Update Import
Log page. Confirm that 2 rules were successfully imported.
4. You will now modify the rule states for this new policy.
a. Click Rules under Policy Information menu on the left-hand side of the Edit Policy page.
b. Select local from the Category section of the rules. You should see the 2 uploaded rules. The light green arrows on
the right of each rule indicate that the rules are disabled for this policy.
c. Check the checkbox next to the first rule. Select Generate Events from the Rule State drop-down menu. Click OK.
Uncheck the checkbox next to the first rule.
d. Check the checkbox next to the second rule. Select Drop and Generate Events from the Rule State drop-down menu.
Click OK.
e. Clear the filter by clicking on the X on the right side of the Filter text field.
f. Select SID from the Rule Content section of the rules. Enter 336 into the Enter the SID filter popup. Click OK.
g. Check the checkbox next to the rule. Select Drop and Generate Events from the Rule State drop-down menu. Click
OK.
NOTE: This rule looks for a change to the root home directory in FTP traffic established on port 21. It only looks for traffic coming
from the external network, but in our lab we use the default value of $EXTERNAL_NET, which is any, so the rule can be triggered
in both directions.
An interesting exercise would be to modify this rule to search in FTP traffic in any direction, and to use the appid attribute to detect
FTP traffic on any port.
Click OK.
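The notes above point out two properties of the uploaded rules and of SID 336: the content match is not pinned to a position in the flow, and the port and direction are wide open. The following rule-hygiene check is an added example (not part of the lab guide, and not Snort itself) that parses a single-line Snort 2 rule and reports those properties; the third sample rule is constructed for contrast and is not the real SID 336 rule.

```python
import re

# Constructed sample input: the two lab rules from Snort_Rules.txt, plus an assumed
# position-qualified rule written for contrast (it is not the real SID 336 rule).
SAMPLE_RULES = [
    'alert tcp any any -> any any (msg:"ProjectQ replaced"; content:"ProjectQ"; '
    'replace:"ProjectR"; sid: 1001001; rev:1;)',
    'alert tcp any any -> any any (msg:"ProjectZ detected"; content:"ProjectZ"; sid: 1001002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed ftp example"; '
    'flow:to_server,established; content:"CWD"; depth:3; sid:1000001; rev:1;)',
]

# Option keywords that pin a content match to a position in the payload.
POSITIONAL = ("depth", "offset", "distance", "within")
# One option: keyword, optional ":value" (quoted or bare), terminated by ';'.
OPT_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split a single-line Snort 2 rule into header fields and an ordered option list."""
    header, _, body = rule.strip().partition("(")
    fields = header.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError("unexpected rule header: " + header)
    body = body.strip()
    if body.endswith(")"):
        body = body[:-1]
    opts = [(k, v.strip().strip('"')) for k, v in OPT_RE.findall(body)]
    parsed = dict(zip(["action", "proto", "src", "sport", "dir", "dst", "dport"], fields))
    parsed["opts"] = opts
    return parsed


def lint_rule(rule):
    """Return the properties that make a rule noisy or expensive outside a lab."""
    r = parse_rule(rule)
    opts = dict(r["opts"])  # last value wins, which is enough for a linter
    findings = []
    if r["sport"] == "any" and r["dport"] == "any":
        findings.append("matches any port in both directions")
    if "flow" not in opts:
        findings.append("no flow keyword, so both client and server traffic is inspected")
    if "content" in opts and not any(k in opts for k in POSITIONAL):
        findings.append("content is searched anywhere in the payload (no depth/offset/distance/within)")
    # Snort's replace keyword requires a replacement of the same length as the content.
    if "replace" in opts and len(opts["replace"]) != len(opts.get("content", "")):
        findings.append("replace string must be the same length as the content it replaces")
    return findings
```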
1. Navigate to Objects > Object Management > PKI > Internal CAs.
c. Click the Browse button to the right of the text Certificate Data or, choose a file.
e. Upload Verifraud_CA.cer.
f. Click the Browse button to the right of the text Key or, choose a file.
g. Upload Verifraud_CA.key.
h. Click Save.
2. You will exempt infrastructure devices, such as the FMC and AMP Private Cloud, from decryption. To do this, create a network
object that includes these devices.
e. Click Save to save the network object.
3. Navigate to Policies > Access Control > SSL.
3. Click the text Add a new policy or click the New Policy button.
c. Click Save. Wait a few seconds, and the policy will open for editing.
c. In the Networks tab, under Networks, select Infrastructure, and click Add to Source.
c. Select Verifraud from the drop-down list to the right of the word with.
d. In the Applications tab, under Application Filters, search for Sear. You will see Search Engine under Categories.
Check this checkbox, and click Add to Rule.
e. Select the Logging tab, and check the Log at End of Connection checkbox.
c. Select Verifraud from the drop-down list to the right of the word with.
d. Select the Logging tab, and check the Log at End of Connection checkbox.
NOTE: The Replace Key checkbox deserves explanation. Whenever the action is set to Decrypt - Resign, Firepower will replace
the public key. The Replace Key checkbox determines how the decrypt action is applied to self-signed server certificates.
If Replace Key is deselected, self-signed certificates are treated like any other server certificates. Firepower replaces the key, and
resigns the certificate. Generally the endpoint is configured to trust Firepower, and therefore will trust this resigned certificate.
If Replace Key is selected, self-signed certificates are treated differently. Firepower replaces the key, and generates a new self-
signed cert. The browser on the endpoint will generate a certificate warning.
In other words, checking the Replace Key checkbox makes the resign action preserve lack-of-trust for self-signed certificates.
There is a harmless file called Zombies.pdf that will trigger a malware event, assuming the cloud lookup succeeds. Sometimes labs
have issues with cloud connectivity. Therefore, the file is added to the custom detection list to ensure it will trigger a malware event.
b. Click Browse.
f. Click Save.
It is convenient to have a separate user for the API Explorer. This allows use of both the FMC and the API Explorer at the same
time.
By default the FMC UI uses a self-signed certificate. This is replaced by a certificate signed by the pod AD server, which the Jump
browsers trust.
1. Navigate to Objects > Object Management > PKI > Trusted CAs.
c. Click the Browse button to the right of the text Certificate Data or, choose a file.
e. Upload AD-ROOT-CA-CERT.cer.
f. Click Save.
2. Connect to the FMC CLI via SSH. Become root by typing sudo -i. The sudo password is cisco12345.
c. From the Certificates folder on the Jump desktop edit the file fmc.cer with Notepad++.
d. Select all, and then copy and paste into the FMC CLI.
e. Type Ctrl+D.
g. From the Certificates folder on the Jump desktop edit the file fmc.key with Notepad++.
h. Select all, and then copy and paste into the FMC CLI.
i. Type Ctrl+D.
import json
import connect  # assumed to be the lab's helper module whose functions are listed in the next section

# headers, uuid, server, device_id, interface_1_id and interface_2_id come from earlier
# steps of the script that are not shown on this page. The first dictionary is cut off
# on the page; its leading keys ("type", "hardware") are reconstructed from the second,
# otherwise identical, interface block below.
interface_put = {
    "type": "PhysicalInterface",
    "hardware": {
        "duplex": "AUTO",
        "speed": "AUTO"
    },
    "enabled": True,
    "MTU": 1500,
    "managementOnly": False,
    "ifname": "outside",
    "enableAntiSpoofing": False,
    "name": "GigabitEthernet0/0",
    "id": interface_1_id,
    "ipv4": {
        "static": {
            "address": "198.18.133.2",
            "netmask": "18"
        }
    }
}
put_data = json.dumps(interface_put)
connect.interfacePUT(headers, uuid, server, put_data, device_id, interface_1_id)

interface_put = {
    "type": "PhysicalInterface",
    "hardware": {
        "duplex": "AUTO",
        "speed": "AUTO"
    },
    "enabled": True,
    "MTU": 1500,
    "managementOnly": False,
    "ifname": "inside",
    "enableAntiSpoofing": False,
    "name": "GigabitEthernet0/1",
    "id": interface_2_id,
    "ipv4": {
        "static": {
            "address": "198.19.10.1",
            "netmask": "24"
        }
    }
}
put_data = json.dumps(interface_put)
connect.interfacePUT(headers, uuid, server, put_data, device_id, interface_2_id)
# Module header (not on the page): these helpers need json and requests.
import json
import requests

# The beginning of this first function is not on the page; only its error handling survives.
            r.raise_for_status()
            print("error occurred in POST --> " + resp)
    except requests.exceptions.HTTPError as err:
        print("Error in connection --> " + str(err))
    finally:
        # The original tested "if r:", which evaluates Response.ok, so a failed
        # response was never closed. Test for None instead.
        if r is not None:
            r.close()
    return json_response


def deviceGET(headers, uuid, server):
    """List the device records in the domain identified by uuid."""
    api_path = "/api/fmc_config/v1/domain/" + uuid + "/devices/devicerecords"
    url = server + api_path
    r = None
    json_response = None
    try:
        # verify=False skips certificate validation; the lab FMC uses a self-signed certificate.
        r = requests.get(url, headers=headers, verify=False)
        status_code = r.status_code
        resp = r.text
        json_response = json.loads(resp)
        print("status code is: " + str(status_code))
        if status_code == 200:
            print("GET was successful...")
        else:
            r.raise_for_status()
            print("error occurred in GET --> " + resp)
    except requests.exceptions.HTTPError as err:
        print("Error in connection --> " + str(err))
    finally:
        if r is not None:
            r.close()
    return json_response


def interfaceGET(headers, uuid, server, device_id):
    """List the physical interfaces of one device."""
    api_path = "/api/fmc_config/v1/domain/" + uuid + "/devices/devicerecords/" + device_id + "/physicalinterfaces"
    url = server + api_path
    r = None
    json_response = None
    try:
        r = requests.get(url, headers=headers, verify=False)
        status_code = r.status_code
        resp = r.text
        json_response = json.loads(resp)
        print("status code is: " + str(status_code))
        if status_code == 200:
            print("GET was successful...")
        else:
            r.raise_for_status()
            print("error occurred in GET --> " + resp)
    except requests.exceptions.HTTPError as err:
        print("Error in connection --> " + str(err))
    finally:
        if r is not None:
            r.close()
    return json_response


def interfacePUT(headers, uuid, server, put_data, device_id, interface_id):
    """Update one physical interface; put_data is an already JSON-encoded string."""
    api_path = ("/api/fmc_config/v1/domain/" + uuid
                + "/devices/devicerecords/" + device_id + "/physicalinterfaces/" + interface_id)
    url = server + api_path
    r = None
    json_response = None
    try:
        r = requests.put(url, data=put_data, headers=headers, verify=False)
        status_code = r.status_code
        resp = r.text
        json_response = json.loads(resp)
        print("status code is: " + str(status_code))
        if status_code == 200:
            print("Put was successful...")
        else:
            r.raise_for_status()
            print("error occurred in PUT --> " + resp)
    except requests.exceptions.HTTPError as err:
        print("Error in connection --> " + str(err))
    finally:
        if r is not None:
            r.close()
    return json_response


def accesspolicyPOST(headers, uuid, server, post_data):
    """Create an access control policy; post_data is a dict and is encoded here."""
    api_path = "/api/fmc_config/v1/domain/" + uuid + "/policy/accesspolicies"
    url = server + api_path
    r = None
    json_response = None
    try:
        r = requests.post(url, data=json.dumps(post_data), headers=headers, verify=False)
        status_code = r.status_code
        resp = r.text
        json_response = json.loads(resp)
        print("status code is: " + str(status_code))
        if status_code == 201 or status_code == 202:
            print("Post was successful...")
        else:
            r.raise_for_status()
            print("error occurred in POST --> " + resp)
    except requests.exceptions.HTTPError as err:
        print("Error in connection --> " + str(err))
    finally:
        if r is not None:
            r.close()
    return json_response
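The four helpers above repeat the same request, status check and cleanup, and all pass verify=False. The following is an added example (not the lab's connect.py) that folds them into one request path with the points a review would raise fixed: certificate validation against a CA bundle, a timeout on every call, and a response that is closed whatever its status. The X-auth-access-token header and the CA bundle path are assumptions, shown as placeholders.

```python
import json
import requests

# Added example, not the lab's connect.py. Assumed: the X-auth-access-token header
# carried by FMC API sessions, and a CA bundle path (placeholder) for verification.
CONFIG_API = "/api/fmc_config/v1/domain/"
RESOURCES = {
    "devices": "/devices/devicerecords",
    "interfaces": "/devices/devicerecords/{device_id}/physicalinterfaces",
    "interface": "/devices/devicerecords/{device_id}/physicalinterfaces/{interface_id}",
    "accesspolicies": "/policy/accesspolicies",
}
# Status codes the lab helpers treat as success for each method.
EXPECTED_STATUS = {"GET": (200,), "PUT": (200,), "POST": (201, 202)}


class FmcApiError(Exception):
    """Raised when the FMC answers with a status other than the expected one."""


def fmc_url(server, uuid, resource, **ids):
    """Build the URL for one of the config-API resources used in the lab."""
    return server + CONFIG_API + uuid + RESOURCES[resource].format(**ids)


def check_response(method, status_code, text):
    """Return the parsed body on an expected status; raise with the body otherwise."""
    if status_code not in EXPECTED_STATUS[method]:
        raise FmcApiError(method + " returned " + str(status_code) + ": " + text)
    return json.loads(text)


def make_session(token, ca_bundle="/path/to/ca-bundle.pem"):
    """Session carrying the lab headers; verify is a CA bundle path, never False."""
    s = requests.Session()
    s.headers.update({"Content-Type": "application/json", "X-auth-access-token": token})
    s.verify = ca_bundle  # the lab code passes verify=False, which disables certificate checks
    return s


def fmc_call(session, method, url, body=None, timeout=30):
    """Send one call with a timeout and always close the response, whatever the status."""
    data = json.dumps(body) if body is not None else None
    resp = session.request(method, url, data=data, timeout=timeout)
    try:
        return check_response(method, resp.status_code, resp.text)
    finally:
        resp.close()  # the lab's "if r: r.close()" skipped this for non-2xx responses
```

With this helper, connect.interfacePUT(headers, uuid, server, put_data, device_id, interface_1_id) becomes fmc_call(session, "PUT", fmc_url(server, uuid, "interface", device_id=device_id, interface_id=interface_1_id), body=interface_put).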
NOTE: This appendix is not a tutorial on ISE. It does not go into details about how ISE is configured. It only covers the details
required to configure RA VPN components for the lab exercises in this guide. The configurations are described in a top-down
manner. To create this configuration, you would probably prefer to build these objects from the bottom up.
Authorization policies
1. Navigate to Policy > Authorization. The first two policies were created for this lab: AC-IT-Policy and AC-Default-Policy.
These policies reference two authorization profiles: AC-Auth-IT and AC-Auth-Default.
Authorization profiles
1. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. The first two profiles were created
for this lab: AC-Auth-Default and AC-Auth-IT.
2. If you drill down into AC-Auth-Default, you will see that it references the DACL AC-DACL-Default, described below.
3. If you drill down into AC-Auth-IT, you will see that it references the DACL AC-DACL-IT, described below. It also has two
advanced attributes: one for the address pool, and one for the group policy.
Downloadable ACLs
1. Navigate to Policy > Policy Elements > Authorization > Downloadable ACLs. The first two DACLs were created for this
lab: AC-DACL-Default and AC-DACL-IT.
2. If you drill down into AC-DACL-Default, you will see that it restricts access to 198.19.10.100 and 198.19.10.200.
3. If you drill down into AC-DACL-IT, you will see that there are no restrictions.