Cisco Firepower Threat Defense (FTD): Configuration and Troubleshooting Best Practices for the Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and A(Networking Technology: Security)

The authoritative visual guide to Cisco Firepower Threat Defense (FTD) This is the definitive guide to best practices and advanced troubleshooting techniques for the Cisco flagship Firepower Threat Defense (FTD) system running on Cisco ASA platforms, Cisco Firepower security appliances, Firepower eXtensible Operating System (FXOS), and VMware virtual appliances. Senior Cisco engineer Nazmul Rajib draws on unsurpassed experience supporting and training Cisco Firepower engineers worldwide, and presenting detailed knowledge of Cisco Firepower deployment, tuning, and troubleshooting. Writing for cybersecurity consultants, service providers, channel partners, and enterprise or government security professionals, he shows how to deploy the Cisco Firepower next-generation security technologies to protect your network from potential cyber threats, and how to use Firepower’s robust command-line tools to investigate a wide variety of technical issues. Each consistently organized chapter contains definitions of keywords, operational flowcharts, architectural diagrams, best practices, configuration steps (with detailed screenshots), verification tools, troubleshooting techniques, and FAQs drawn directly from issues raised by Cisco customers at the Global Technical Assistance Center (TAC). Covering key Firepower materials on the CCNA Security, CCNP Security, and CCIE Security exams, this guide also includes end-of-chapter quizzes to help candidates prepare. ·        Understand the operational architecture of the Cisco Firepower NGFW, NGIPS, and AMP technologies ·         Deploy FTD on ASA platform and Firepower appliance running FXOS ·         Configure and troubleshoot Firepower Management Center (FMC) ·         Plan and deploy FMC and FTD on VMware virtual appliance ·         Design and implement the Firepower management network on FMC and FTD ·         Understand and apply Firepower licenses, and register FTD with FMC ·         Deploy FTD in Routed, Transparent, Inline, Inline Tap, and Passive Modes ·         Manage traffic flow with detect-only, block, trust, and bypass operations ·         Implement rate limiting and analyze quality of service (QoS) ·         Blacklist suspicious IP addresses via Security Intelligence ·         Block DNS queries to the malicious domains ·         Filter URLs based on category, risk, and reputation ·         Discover a network and implement application visibility and control (AVC) ·         Control file transfers and block malicious files using advanced malware protection (AMP) ·         Halt cyber attacks using Snort-based intrusion rule ·         Masquerade an internal host’s original IP address using Network Address Translation (NAT) ·         Capture traffic and obtain troubleshooting files for advanced analysis ·         Use command-line tools to identify status, trace packet flows, analyze logs, and debug messages  

Table of Contents:
  Introduction xxv Part I Troubleshooting and Administration of Hardware Platform Chapter 1 Introduction to the Cisco Firepower Technology 1 History of Sourcefire 1     Evolution of Firepower 2     FirePOWER Versus Firepower 3 Firepower Threat Defense (FTD) 6     FirePOWER Service Versus Firepower Threat Defense (FTD) 6     Firepower System Software Components 7     Firepower System Hardware Platforms 9     Firepower Accessories 10 Summary 11 Chapter 2 FTD on ASA 5500-X Series Hardware 13 ASA Reimaging Essentials 13 Best Practices for FTD Installation on ASA Hardware 14 Installing and Configuring FTD 16     Fulfilling Prerequisites 16     Upgrading Firmware 18     Installing the Boot Image 26     Installing the System Software 32 Verification and Troubleshooting Tools 44     Navigating to the FTD CLI 44     Determining the Version of Installed Software 46     Determining the Free Disk Space on ASA Hardware 47     Deleting a File from a Storage Device 48     Determining the Availability of Any Storage Device or SSD 48     Determining the Version of the ROMMON Software or Firmware 50 Summary 52 Quiz 52 Chapter 3 FTD on the Firepower eXtensible Operating System (FXOS) 55 Firepower 9300 and 4100 Series Essentials 55     Architecture 57     Software Images 58         Firepower Extensible Operating System (FXOS) 59         FTD Software 60         Firmware 60     Web User Interfaces 61 Best Practices for FTD Installation on Firepower Hardware 62 Installing and Configuring FTD 64     Fulfilling Prerequisites 64         Deleting Any Existing Logical Devices 64         Upgrading the FXOS Software 65         Enabling Interfaces 67     Installing FTD 71         Uploading the FTD Software Image 72         Adding a Logical Device for FTD 73         Completing the Initialization of FTD 77 Verification and Troubleshooting Tools 79     Navigating to the FTD CLI 79     Verifying the FXOS Software 81     Verifying the Status of a Security Application 82     Verifying the Security Modules, Adapters, and Switch Fabric 84     Verifying the Hardware Chassis 87     Verifying the Power Supply Unit (PSU) Modules 90     Verifying the Fan Modules 92 Summary 94 Quiz 94 Chapter 4 Firepower Management Center (FMC) Hardware 97 FMC Component Essentials 97     On-Box Managers 98     Off-Box Managers 99     Cisco Integrated Management Controller (CIMC) 101     Internal USB Storage for the System_Restore Image 104     User Interfaces 104 Best Practices for FMC Reimage 105     Pre-installation Best Practices 105     Post-installation Best Practices 108 Installing and Configuring the FMC 109     Fulfilling Prerequisites 109     Configuration Steps 110         Step 1: Load the System_Restore Image 111         Step 2: Configure the Network Settings 114         Step 3: Choose a Transport Protocol 114         Step 4: Download and Mount an ISO File 116         Step 5: Run the Installation 117         Step 6: Initialize the System 120 Verification and Troubleshooting Tools 122     Identifying the FMC on a Rack 122     Determining the Hardware and Software Details of the FMC 124     Determining the RAID Battery Status 124     Determining the Status of a Power Supply Unit (PSU) 125         Checking Logs on the CLI 125         Enabling Alerts on the GUI 127         Performing a Complete Power Cycle 129         PSU Checklist 129     Verifying the Fans 129 Summary 132 Quiz 132 Chapter 5 Firepower System Virtual on VMware 135 FMC and FTD Virtual Essentials 135     Supported Virtual Environments 135     ESXi Versus VI 136     VMware Installation Package in a Tarball 136     Disk Provisioning Options 137 Best Practices for Firepower Virtual Appliance Deployment 138     Pre-deployment Best Practices 138     Post-deployment Best Practices 140 Installing and Configuring a Firepower Virtual Appliance 141     Fulfilling Prerequisites 142     Creating a Virtual Network 144         Creating a Network for FMC Virtual 145         Creating a Network for FTD Virtual 148         Using Promiscuous Mode 152     Deploying an OVF Template 154     Initializing an Appliance 160         Initializing an FMC Virtual Appliance 161         Initializing an FTD Virtual Appliance 162 Verification and Troubleshooting Tools 163     Determining the Status of Allocated Resources 164     Determining the Status of a Network Adapter 165     Upgrading a Network Adapter 166 Summary 170 Quiz 170 Part II Troubleshooting and Administration of Initial Deployment Chapter 6 The Firepower Management Network 173 Firepower System Management Network Essentials 173     The FTD Management Interface 173     Designing a Firepower Management Network 176 Best Practices for Management Interface Configuration 180     Configuring a Management Network on FMC Hardware 180     Configuration Options 180         Using the GUI During the First Login 180         Using the GUI On Demand 182         Using the Command-Line Interface 183     Verification and Troubleshooting Tools 184 Configuring a Management Network on ASA Hardware 186     Configuration 186     Verification and Troubleshooting Tools 187 Configuring a Management Network on a Firepower Security Appliance 190     Configuring the FXOS Management Interface 190     Verification of the FXOS Management Interface Configuration 191     Configuring the FTD Management Interface 192     Verification of the FTD Management Interface Configuration 194 Summary 197 Quiz 197 Chapter 7 Firepower Licensing and Registration 199 Licensing Essentials 199     The Smart Licensing Architecture 199         Cisco Smart Software Manager (CSSM) 200         CSSM Satellite 201     Firepower Licenses 202 Best Practices for Licensing and Registration 203 Licensing a Firepower System 203     Licensing Configuration 204         Evaluation Mode 205         Registering with the CSSM 206     Verifying a Smart License Issue 209 Registering a Firepower System 211     Registration Configuration 211         Setting Up FTD 211         Setting Up the FMC 212     Verifying the Registration and Connection 215     Analyzing the Encrypted SFTunnel 221 Summary 229 Quiz 230 Chapter 8 Firepower Deployment in Routed Mode 231 Routed Mode Essentials 231 Best Practices for Routed Mode Configuration 233 Configuring Routed Mode 233     Fulfilling Prerequisites 234     Configuring the Firewall Mode 234     Configuring the Routed Interface 235         Configuring an Interface with a Static IP Address 235         DHCP Services 238     FTD as a DHCP Server 240     FTD as a DHCP Client 241 Verification and Troubleshooting Tools 243     Verifying the Interface Configuration 243     Verifying DHCP Settings 246 Summary 249 Quiz 249 Chapter 9 Firepower Deployment in Transparent Mode 251 Transparent Mode Essentials 251 Best Practices for Transparent Mode 252 Configuring Transparent Mode 253     Fulfilling Prerequisites 254     Changing the Firewall Mode 254     Deploying Transparent Mode in a Layer 2 Network 255         Configuring the Physical and Virtual Interfaces 256         Verifying the Interface Status 261         Verifying Basic Connectivity and Operations 264     Deploying an FTD Device Between Layer 3 Networks 267         Selecting the Default Action 268         Adding an Access Rule 269     Creating an Access Rule for SSH 272         Verifying Access Control Lists 274 Summary 276 Quiz 276 Part III Troubleshooting and Administration of Traffic Control Chapter 10 Capturing Traffic for Advanced Analysis 277 Traffic Capture Essentials 277 Best Practices for Capturing Traffic 278 Configuring Firepower System for Traffic Analysis 278     Capturing Traffic from a Firepower Engine 279         tcpdump Options 280         Downloading a .pcap File Generated by Firepower Engine 285     Capturing Traffic from the Firewall Engine 288         Downloading a .pcap File Generated by Firewall Engine 291         Enabling HTTP Service in FTD 293     Capturing Traffic from the FMC 298         Downloading a .pcap File Generated by FMC 299 Verification and Troubleshooting Tools 302     Adding an Access Rule to Block ICMP Traffic 302     Analyzing the Traffic Flow by Using a Block Rule 303     Packet Processing by an Interface 306 Summary 309 Quiz 309 Chapter 11 Blocking Traffic Using Inline Interface Mode 311 Inline Mode Essentials 311     Inline Mode Versus Passive Mode 312     Inline Mode Versus Transparent Mode 314     Tracing a Packet Drop 314 Best Practices for Inline Mode Configuration 316 Configuring Inline Mode 316     Fulfilling Prerequisites 317     Creating an Inline Set 317         Verifying the Configuration 321         Verifying Packet Flow by Using packet-tracer 324         Verifying Packet Flow by Using Real Packet Capture 328     Enabling Fault Tolerance Features 333         Configuring Fault Tolerance Features 334         Verifying Fault Tolerance Features 335     Blocking a Specific Port 336         Configuring Blocking a Specific Port 337         Verifying Blocking of a Specific Port 339         Analyzing a Packet Drop by Using a Simulated Packet 340         Analyzing a Packet Drop by Using a Real Packet 342 Summary 344 Quiz 345 Chapter 12 Inspecting Traffic Without Blocking It 347 Traffic Inspection Essentials 347     Passive Monitoring Technology 347     Inline Versus Inline Tap Versus Passive 350 Best Practices for Detection-Only Deployment 352 Fulfilling Prerequisites 352 Inline Tap Mode 352     Configuring Inline Tap Mode 353     Verifying an Inline Tap Mode Configuration 354 Passive Interface Mode 357     Configuring Passive Interface Mode 357         Configuring Passive Interface Mode on an FTD Device 357         Configuring a SPAN Port on a Switch 359     Verifying a Passive Interface Mode Configuration 359 Analyzing Traffic Inspection Operation 362     Analyzing a Connection Event with a Block Action 362         Analyzing Live Traffic 362         Analyzing a Simulated Packet 364     Analyzing an Intrusion Event with an Inline Result 366 Summary 370 Quiz 371 Chapter 13 Handling Encapsulated Traffic 373 Encapsulation and Prefilter Policy Essentials 373 Best Practices for Adding a Prefilter Rule 375 Fulfilling Prerequisites 375     Transferring and Capturing Traffic on the Firewall Engine 377 Scenario 1: Analyzing Encapsulated Traffic 379     Configuring Policies to Analyze Encapsulated Traffic 379         Prefilter Policy Settings 379         Access Control Policy Settings 381     Verifying the Configuration and Connection 382     Analyzing Packet Flows 385 Scenario 2: Blocking Encapsulated Traffic 391     Configuring Policies to Block Encapsulated Traffic 391     Verifying the Configuration and Connection 392     Analyzing Packet Flows 395 Scenario 3: Bypassing Inspection 397     Configuring Policies to Bypass Inspection 397         Custom Prefilter Policy 397         Access Control Policy Settings 401     Verifying the Configuration and Connection 403     Analyzing Packet Flows 405 Summary 407 Quiz 407 Chapter 14 Bypassing Inspection and Trusting Traffic 409 Bypassing Inspection and Trusting Traffic Essentials 409     The Fastpath Rule 409     The Trust Rule 410 Best Practices for Bypassing Inspection 412 Fulfilling Prerequisites 412 Implementing Fastpath Through a Prefilter Policy 413     Configuring Traffic Bypassing 413         Configuring a Prefilter Policy 413         Invoking a Prefilter Policy in an Access Control Policy 418     Verifying the Prefilter Rule Configuration 420     Enabling Tools for Advanced Analysis 421     Analyzing the Fastpath Action 422 Establishing Trust Through an Access Policy 427     Configuring Trust with an Access Policy 427     Verifying the Trust Rule Configuration 429     Enabling Tools for Advanced Analysis 430     Analyzing the Trust Action 432     Using the Allow Action for Comparison 440 Summary 442 Quiz 442 Chapter 15 Rate Limiting Traffic 445 Rate Limiting Essentials 445 Best Practices for QoS Rules 447 Fulfilling Prerequisites 448 Configuring Rate Limiting 449 Verifying the Rate Limit of a File Transfer 454 Analyzing QoS Events and Statistics 458 Summary 462 Quiz 462 Part IV Troubleshooting and Administration of Next-Generation Security Features Chapter 16 Blacklisting Suspicious Addresses by Using Security Intelligence 463 Security Intelligence Essentials 463     Input Methods 466 Best Practices for Blacklisting 468 Fulfilling Prerequisites 468 Configuring Blacklisting 468     Automatic Blacklist Using Cisco Intelligence Feed 468     Manual Blacklisting Using a Custom Intelligence List 472     Immediate Blacklisting Using a Connection Event 477         Adding an Address to a Blacklist 477         Deleting an Address from a Blacklist 479     Monitoring a Blacklist 480     Bypassing a Blacklist 482         Adding an Address to a Whitelist 483         Deleting an Address from a Whitelist 484 Verification and Troubleshooting Tools 485     Verifying the Download of the Latest Files 486     Verifying the Loading of Addresses into Memory 489     Finding a Specific Address in a List 491     Verifying URL-Based Security Intelligence Rules 491 Summary 494 Quiz 494 Chapter 17 Blocking a Domain Name System (DNS) Query 497 Firepower DNS Policy Essentials 497     Domain Name System (DNS) 497     Blocking of a DNS Query Using a Firepower System 499     DNS Rule Actions 500         Actions That Can Interrupt a DNS Query 500         Actions That Allow a DNS Query 502     Sources of Intelligence 504 Best Practices for Blocking DNS Query 506 Fulfilling Prerequisites 507 Configuring DNS Query Blocking 508     Adding a New DNS Rule 508     Invoking a DNS Policy 510 Verification and Troubleshooting Tools 511     Verifying the Configuration of a DNS Policy 511     Verifying the Operation of a DNS Policy 515 Summary 520 Quiz 520 Chapter 18 Filtering URLs Based on Category, Risk, and Reputation 523 URL Filtering Essentials 523     Reputation Index 523     Operational Architecture 525 Fulfilling Prerequisites 526 Best Practices for URL Filtering Configuration 529 Blocking URLs of a Certain Category 532     Configuring an Access Rule for URL Filtering 532     Verification and Troubleshooting Tools 534 Allowing a Specific URL 537     Configuring FTD to Allow a Specific URL 538     Verification and Troubleshooting Tools 540 Querying the Cloud for Uncategorized URLs 543     Configuring FMC to Perform a Query 544     Verification and Troubleshooting Tools 546 Summary 550 Quiz 550 Chapter 19 Discovering Network Applications and Controlling Application Traffic 553 Application Discovery Essentials 553     Application Detectors 553     Operational Architecture 555 Best Practices for Network Discovery Configuration 557 Fulfilling Prerequisites 558 Discovering Applications 560     Configuring a Network Discovery Policy 561     Verification and Troubleshooting Tools 564         Analyzing Application Discovery 564         Analyzing Host Discovery 566         Undiscovered New Hosts 567 Blocking Applications 570     Configuring Blocking of Applications 570     Verification and Troubleshooting Tools 572 Summary 575 Quiz 576 Chapter 20 Controlling File Transfer and Blocking the Spread of Malware 577 File Policy Essentials 577     File Type Detection Technology 579     Malware Analysis Technology 579     Licensing Capability 582 Best Practices for File Policy Deployment 583 Fulfilling Prerequisites 584 Configuring a File Policy 586     Creating a File Policy 586     Applying a File Policy 592 Verification and Troubleshooting Tools 593     Analyzing File Events 594     Analyzing Malware Events 599         The FMC Is Unable to Communicate with the Cloud 599         The FMC Performs a Cloud Lookup 603         FTD Blocks Malware 607     Overriding a Malware Disposition 610 Summary 615 Quiz 615 Chapter 21 Preventing Cyber Attacks by Blocking Intrusion Attempts 617 Firepower NGIPS Essentials 617     Network Analysis Policy and Preprocessor 619     Intrusion Policy and Snort Rules 621     System-Provided Variables 624     System-Provided Policies 626 Best Practices for Intrusion Policy Deployment 632 NGIPS Configuration 637     Configuring a Network Analysis Policy 637         Creating a New NAP with Default Settings 637         Modifying the Default Settings of a NAP 639     Configuring an Intrusion Policy 641         Creating a Policy with a Default Ruleset 641         Incorporating Firepower Recommendations 642         Enabling or Disabling an Intrusion Rule 646         Setting Up a Variable Set 648     Configuring an Access Control Policy 650 Verification and Troubleshooting Tools 654 Summary 665 Quiz 665 Chapter 22 Masquerading the Original IP Address of an Internal Network Host 667 NAT Essentials 667     NAT Techniques 669     NAT Rule Types 670 Best Practices for NAT Deployment 672 Fulfilling Prerequisites 673 Configuring NAT 676     Masquerading a Source Address (Source NAT for Outbound Connection) 676         Configuring a Dynamic NAT Rule 677         Verifying the Configuration 681         Verifying the Operation: Inside to Outside 683         Verifying the Operation: Outside to Inside 690     Connecting to a Masqueraded Destination (Destination NAT for Inbound Connection) 695         Configuring a Static NAT Rule 695         Verifying the Operation: Outside to DMZ 696 Summary 706 Quiz 706 Appendix A Answers to the Review Questions 707 Appendix B Generating and Collecting Troubleshooting Files Using the GUI 713 Generating Troubleshooting Files with the GUI 713 Appendix C Generating and Collecting Troubleshooting Files Using the CLI 717 Generating Troubleshooting Files at the FTD CLI 717     Downloading a File by Using the GUI 718     Copying a File by Using the CLI 719 Generating Troubleshooting Files at the FMC CLI 719     9781587144806    TOC    11/9/2017

About the Author :
Nazmul Rajib is a senior engineer and leader of the Cisco Global Technical Services organization focusing on next-generation security technologies. He leads cybersecurity training initiatives, develops internal training programs, and trains the current generation of Cisco engineers who support Cisco security solutions around the world. He also reviews design specifications, tests security software, and provides solutions to businesscritical networking issues. Nazmul has authored numerous technical publications at Cisco.com and in the Cisco support community. Nazmul is a veteran engineer of Sourcefire, Inc., which developed Snort–the most popular open-source intrusion prevention system in the world. He created and managed the global knowledge base for Sourcefire and designed Sourcefire security certifications for partner enablement. Nazmul trained security engineers from many managed security service providers (MSSP) in the United States. He supported the networks of numerous Fortune 500 companies and U.S. government agencies. Nazmul has a master of science degree in internetworking. He also holds many certifications in the areas of cybersecurity, information technology, and technical communication. He is a Sourcefire Certified Expert (SFCE) and Sourcefire Certified Security Engineer (SFCSE).