FirePOWER provides IPS, URL filtering and reputation, application identification and control, file filtering and disposition (which can be enhanced with AMP), user-based traffic filtering, SSL decryption and more.
Products Overview
These are essentially IPS appliances with URL filtering capabilities, plus AMP if you have the licenses for it.
FP 7000 Series:
7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125
FP 8000 Series:
8120, 8130, 8140
8250, 8260, 8270, 8290
8350, 8360, 8370, 8390
NGIPSv
64-bit virtual appliance. Virtual appliances are supported on VMware ESXi and VMware vCloud
Director environments.
These are ASA firewalls with FirePOWER capabilities, but they use one image (system software) for the ASA and another one for FirePOWER.
Introduction to FirePOWER & FireSIGHT Policies CCIE & CCSI: Yasser Ramzy Auda
These are ASA firewalls with FirePOWER capabilities that use a single image to provide both firewall and FirePOWER capabilities.
Remember that the 9300 comes with Radware DefensePro distributed denial of service (DDoS) mitigation capability.
These are the AMP capabilities we can have on all of the above products; AMP can also be installed as a separate application on servers, PCs, smartphones, ESA, WSA, etc.
The AMP solution enables malware detection and blocking, continuous analysis and retrospective alerting through File Reputation, File Sandboxing and File Retrospection.
In Cisco, AMP can be enabled on the following devices, and we will call it [AMP for Networks]:
ASA with FirePOWER (you will need Malware License )
FirePOWER 7000, 8000 (you will need Malware License )
FirePOWER 4100 , 9300 (you will need Malware License )
ISR G2
In Cisco, AMP can also be enabled on the following devices, and we will call it [AMP for Contents]:
ESA
WSA
CWS (cloud version of WSA)
CES (cloud version of ESA)
Finally, in Cisco AMP can be enabled on Windows, Linux, Mac OS, etc., and we will call it [AMP for Endpoints].
Let's not forget that AMP can also be used with Threat Grid (to get advanced threat intelligence and static and dynamic malware analysis; it can be a hardware appliance or a cloud deployment).
Best practice is adding AMP to all devices, including ASA with SFR, WSA, ESA, PCs, servers and smartphones.
The more widely you deploy AMP, the higher the threat detection rate.
Management Products
ASDM 7.3, 7.4 and 7.5 are used to manage the ASA.
ASDM 7.3, 7.4 and 7.5 can also be used to manage FirePOWER (with limitations).
FireSIGHT 6.0 (officially named FirePOWER Management Console, FMC) is used to manage both ASA and FirePOWER.
As you can see, FireSIGHT applies policies and licenses to your FirePOWER devices.
Your FirePOWER device sends FireSIGHT its events, information about its hardware status, discovery information, etc.
Remember that FirePOWER supports more than 800 open source applications, including SNORT, nmap, Wireshark, ClamAV, etc.
FireSIGHT requires its own license; we add the license to FireSIGHT and apply it to FireSIGHT itself.
For a FirePOWER appliance (managed device), we add the licenses to FireSIGHT and then apply them to the managed devices.
Protection (aka IPS): this includes entitlement to Rule, Engine, Vulnerability, Signature and Geolocation updates.
Advanced Malware Protection (AMP), aka Malware: provides cloud-based malware lookup and sandbox analysis, including file trajectory and tracking across the network.
VPN: enables site-to-site VPN capabilities between devices, and it can be used to create a secure tunnel to a remote office location without having to install separate VPN hardware.
We purchase licenses for one, three or five years. Also keep in mind that each license is bound to a specific ASA model. So, if we buy/lease the license for a 5525-X, this license will not be valid for other ASA boxes.
Notice that with ASA with FirePOWER we do not need VPN licenses, since VPN capabilities will not exist on the FirePOWER module.
Notice that you cannot have AMP (Malware license) without first having the Protection license (IPS license).
All licenses except VPN can be applied to the 7000 and 8000 Series, ASA FirePOWER and NGIPSv.
The VPN license applies ONLY to the 7000 and 8000 Series.
When you apply the Control license to the 7000 or 8000 Series, it adds the following additional capabilities:
Switching and routing
7000 and 8000 Series device high availability
7000 and 8000 Series network address translation (NAT)
The Protection license must exist before you can install the Malware, URL Filtering and Control licenses.
For example, let's focus on the ASA5525-X model. Having the above picture in mind, we have the following licenses:
L-ASA5525-URL-1Y
L-ASA5525-URL-3Y
L-ASA5525-URL-5Y
These URL licenses provide us with URL filtering capabilities for one, three or five years.
L-ASA5525-TA-1Y
L-ASA5525-TA-3Y
L-ASA5525-TA-5Y
The TA license enables the IPS capabilities of the SFR module.
L-ASA5525-TAC-1Y
L-ASA5525-TAC-3Y
L-ASA5525-TAC-5Y
The TAC license enables IPS plus URL filtering.
Terminology
Behind Firewall
External ----------FW-----FP-------Assets
Nowadays most FP deployments are inline, but we can still use a passive deployment between internal segments (inside the asset networks) or on honeypots.
You can configure many policies in FireSIGHT, and it applies them to your managed devices, such as FirePOWER 7000/8000, ASA with FirePOWER, etc.
First of all, you should care about three policies (Intrusion Policy, File Policy and Access Control Policy); these are the main policies you will work with.
1-Intrusion policy
Sometimes we call it the IPS Policy; this policy is responsible for inspecting your packets and matching them against SNORT rules.
All your policy settings are saved in the snort.conf file, and all your rules are saved in files with the .rules extension.
Normally, when you create this policy you will not need to create rules for it, because the rules are already created by the Cisco Intel Sec Cloud (Talos team). Still, you can create a SNORT rule yourself using the FireSIGHT GUI, for instance a SNORT rule that matches credit card numbers sent in plain text on your network.
Each rule has a state: it can be Disabled, Generate Events, or Drop and Generate Events.
Event here means alert, so if traffic matches a SNORT rule we can trigger an alert, or trigger an alert and drop the packets at the same time.
When you first create an Intrusion Policy, you should choose a Base Policy for it.
The Base Policy simply tells your FirePOWER which SNORT rules should be enabled or disabled.
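As an added illustration (not from the original document), the following Python model shows how a rule's state decides what happens when a packet payload matches: a disabled rule is skipped, Generate Events raises an alert, and Drop and Generate Events raises the alert and drops the packet. The local rule for credit card numbers in cleartext, its SIDs, the sample payloads and the Luhn check (added to cut false positives from random digit runs) are all constructed here.

```python
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple

class RuleState(Enum):
    """The three states an intrusion policy can assign to a SNORT rule."""
    DISABLED = "disabled"
    GENERATE_EVENTS = "generate events"
    DROP_AND_GENERATE = "drop and generate events"

@dataclass
class IntrusionRule:
    sid: int                        # constructed SID in the local-rule range
    msg: str
    match: Callable[[bytes], bool]  # stands in for the rule's content/pcre options
    state: RuleState

@dataclass
class Verdict:
    events: List[Tuple[int, str]] = field(default_factory=list)  # alerts raised
    dropped: bool = False                                         # packet dropped?

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators

def contains_card_number(payload: bytes) -> bool:
    for m in CARD_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False

def inspect(payload: bytes, rules: List[IntrusionRule]) -> Verdict:
    """Evaluate every enabled rule; a drop wins if any matching rule asks for it."""
    verdict = Verdict()
    for rule in rules:
        if rule.state is RuleState.DISABLED or not rule.match(payload):
            continue
        verdict.events.append((rule.sid, rule.msg))  # an event is an alert
        if rule.state is RuleState.DROP_AND_GENERATE:
            verdict.dropped = True
    return verdict

# Constructed local rules and sample payloads (not real traffic).
RULES = [
    IntrusionRule(1000001, "LOCAL credit card number in cleartext", contains_card_number, RuleState.DROP_AND_GENERATE),
    IntrusionRule(1000002, "LOCAL HTTP Basic credentials in cleartext", lambda p: b"Authorization: Basic " in p, RuleState.GENERATE_EVENTS),
]
CARD_PAYLOAD = b"POST /pay HTTP/1.1\r\nHost: shop.example\r\n\r\ncard=4111 1111 1111 1111&cvv=123"
BASIC_AUTH_PAYLOAD = b"GET / HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"
```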
Finally, just remember that you should generate FireSIGHT Recommendations for your policy from time to time. FireSIGHT Recommendations is a feature that tries to find which rules should be enabled or disabled in your network and applies that for you.
FireSIGHT Recommendations can determine this by analyzing information obtained from the Cisco cloud and also from the FireSIGHT network discovery features.
For example, FireSIGHT Recommendations may find that all machines in your network run Windows, so it will disable all SNORT rules for Linux, since there is no need to keep them enabled.
2-File Policy
We use this policy for file filtering, such as denying or permitting specific types of files.
We also use this policy for file disposition (AMP inspection), which means finding out whether the files going through our network are clean or malware.
Remember it like this: if you create a rule for file filtering, the action should be Detect or Block.
If you create a rule for AMP inspection, the action should be Malware Cloud Lookup or Block Malware.
Remember that you will need the Malware License applied to your managed device to make use of the Malware Cloud Lookup and Block Malware actions.
3-Access Control Policy
Normally, when you create an Access Control Policy you will be asked to choose a Default Action.
This Default Action is applied to your traffic IF none of your Access Control rules matches it.
After creating your Access Control Policy you should start creating rules.
As you can see, each rule can have one of the following actions:
Allow: passes traffic through the device. You can optionally inspect this traffic using an Intrusion policy, a File policy, or both.
Trust: passes traffic through the device without further inspection, so you cannot use an Intrusion policy or a File policy with this action.
Monitor: only logs a connection event.
Block and Block with Reset: the Block action stops the traffic from passing, while Block with Reset also resets the connection. Blocked traffic is not inspected by IPS, file, or discovery policy rules, so you cannot use an Intrusion policy or a File policy with this action.
Interactive Block and Interactive Block with Reset: for HTTP traffic, these actions allow users to bypass a website block by clicking through the warning page. These rules can be associated with IPS and file policies the same way that Allow rules can.
Remember that we associate the File Policy and Intrusion Policy with an Access Control policy rule: on the right side of the Edit Rule window, go to the Inspection tab.
Always remember that to configure FirePOWER you will need to configure at least an Intrusion, a File and an Access Control Policy.
Now let's talk about other policies that you might need to configure.
The action for a rule is to discover or exclude the networks or zones you specify in the rule.
Correlation Policy
Used for detection of unusual activity rather than specific intrusion or malware events.
By using correlation rules, white lists, and traffic profiles, we can detect network or host
behaviors that may be an indication of malicious activity.
You can also add other Remediation Modules made by Cisco or by your dev team.
Read:
ISE and FirePower integration - remediation service example
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200240-ISE-and-FirePower-integration-remediat.html
In the Correlation Policy we can also set two important things: White List and Traffic Profile.
White list
White list is a set of criteria you can use to define operating systems, client/server apps, and
protocols that are allowed to run on your network.
For example, if you only allow Linux operating systems on a given network segment, by
creating a white list that contains only these operating systems, you can be alerted if FireSIGHT
detects any other OS on that segment.
Once the white list is created, it is treated in the same manner as a correlation rule.
So it must be implemented via a correlation policy.
Traffic Profiles
You can think of a traffic profile as a baseline of activity.
The profile defines the criteria for the baseline, such as IP address, application protocol,
transport protocol, and so on. Then, once activated, the profile collects a number of data points
about the traffic over the profile period.
Once the profile is built, you can add it to a correlation rule and specify the deviation that would
cause the rule to trigger.
Last, you add the rule to a correlation policy and select an appropriate response.
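As an added example (not from the original document), the following Python model walks through the traffic profile workflow described above: a baseline is built from the data points collected over the profile period, a correlation rule specifies how far an observation may deviate from that baseline, and a correlation policy returns the responses of the rules that fire. The sample connection counts, the rule names and the response labels are constructed, and measuring the deviation in standard deviations is an assumption of this model.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List

@dataclass
class TrafficProfile:
    """Baseline built from the data points collected over the profile period."""
    name: str
    samples: List[int]  # connections seen per sampling interval

    @property
    def baseline_mean(self) -> float:
        return mean(self.samples)

    @property
    def baseline_stdev(self) -> float:
        return pstdev(self.samples)

    def sigmas(self, observed: int) -> float:
        """How many standard deviations the observation sits above the baseline mean."""
        if self.baseline_stdev == 0:
            return 0.0
        return (observed - self.baseline_mean) / self.baseline_stdev

@dataclass
class TrafficProfileRule:
    """Correlation rule: fire when the metric exceeds the baseline by more than N sigmas."""
    name: str
    profile: TrafficProfile
    max_sigmas: float
    response: str  # an alert or a remediation instance selected in the policy

    def triggers(self, observed: int) -> bool:
        return self.profile.sigmas(observed) > self.max_sigmas

def run_correlation_policy(rules: List[TrafficProfileRule], observed: int) -> List[str]:
    """Return the responses of every rule in the policy that fires for this observation."""
    return [rule.response for rule in rules if rule.triggers(observed)]

# Constructed baseline: connections per hour from a DMZ segment during the profile period.
DMZ_PROFILE = TrafficProfile("dmz-connections", [100, 110, 95, 105, 100, 90, 105, 95])
DMZ_SPIKE = TrafficProfileRule("DMZ connection spike", DMZ_PROFILE, max_sigmas=2.0, response="alert:email-soc")
CORRELATION_POLICY = [DMZ_SPIKE]
```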
NAT Policy: predictably, this policy configures Network Address Translation (NAT).
System Policy: this controls a variety of device settings, like the local firewall, time synchronization, and so on. The system policy is applied to all appliances, meaning the Defense Center and all devices.
Health Policy: this policy sets warning and critical thresholds for various health parameters, such as disk space and CPU usage. You can also enable or disable the various health checks as needed.
FP (FirePOWER)
CLI
-Initial setup
-Add (register) to FS:
configure manager add 192.168.45.46 cisco123
FS (FireSIGHT)
GUI
-Initial setup
-Add licenses:
System > Licenses > click Add New License
-Add (register) managed devices (FP):
Devices > Device Management > click Add > Device
-Apply licenses to FP:
Devices > Device Management > click Add > Device
-Configure FP interfaces & network features (device management):
Devices > Device Management > click the managed device > click its IP address
Click the Inline Sets tab > click Add Inline Set
Click the Interfaces tab > click the yellow pencil > click Inline
Policies > Users > add LDAP connection
Policies > Users > add User Agent
-Configure FMC user accounts (account management):
System > User Management > Users tab > click Create User
System > User Management > User Roles tab > click Create User Role
System > User Management > Login Authentication tab > click Authentication Object
-Create objects (object management):
Objects > Object Management
-Configure Intrusion (IPS) policy:
Policies > Intrusion > click Create New Policy
Choose your base policy and don't forget your FireSIGHT Recommendations
-Configure File (AMP) policy:
Policies > Files (in v6 it is called Malware & File Policy)
Click Create New Policy
Click New Rule
After you save the changes, navigate to Policies > Access Control and click the pencil icon to edit the Access Control policy.
Select Add Rule.
Add your URL object to the rule with the Allow action and place it above the URL Category rule, so that its rule action is evaluated first.
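As an added example (not from the original document), this Python model shows why the rule order above matters: access control rules are evaluated top down, the first match wins, and the Default Action covers everything else. It also records which actions still allow an Intrusion or File policy to inspect the connection. The URL object, the URL category lookup and the rule names are constructed here.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed URL-category lookup standing in for the URL Filtering category data.
URL_CATEGORIES = {"games.example": "Games", "intranet-game.example": "Games", "docs.example": "Business"}

# Actions that still allow an Intrusion and/or File policy to inspect the traffic.
INSPECTABLE_ACTIONS = {"Allow", "Interactive Block", "Interactive Block with Reset"}

@dataclass
class AccessRule:
    name: str
    action: str
    url_object: Optional[str] = None    # exact host from a URL object
    url_category: Optional[str] = None  # category from a URL Category condition

    def matches(self, host: str) -> bool:
        if self.url_object is not None and host != self.url_object:
            return False
        if self.url_category is not None and URL_CATEGORIES.get(host) != self.url_category:
            return False
        return True

@dataclass
class Decision:
    rule: str
    action: str
    inspected: bool  # can an Intrusion/File policy run on this connection?

def evaluate(host: str, rules: List[AccessRule], default_action: str) -> Decision:
    """First matching rule wins; the policy's Default Action handles the rest."""
    for rule in rules:
        if rule.matches(host):
            return Decision(rule.name, rule.action, rule.action in INSPECTABLE_ACTIONS)
    return Decision("Default Action", default_action, default_action in INSPECTABLE_ACTIONS)

ALLOW_INTRANET = AccessRule("Allow intranet game", "Allow", url_object="intranet-game.example")
BLOCK_GAMES = AccessRule("Block games", "Block with Reset", url_category="Games")

# The order described in the text: the URL object rule sits above the category rule.
CORRECT_ORDER = [ALLOW_INTRANET, BLOCK_GAMES]
# Reversed: the category rule shadows the exception and the intranet site is blocked.
WRONG_ORDER = [BLOCK_GAMES, ALLOW_INTRANET]
```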
There are several views available for analyzing the events generated by file policy rules, found under Analysis > Files:
Malware Events
File Events
Captured Files
Network File Trajectory
Network Discovery Policy information collected about networks can be viewed under Analysis > Connection Events.
Devices can also collect connection data, and you can check out the events by going to Analysis > Connection Events.
Once user discovery is enabled, the users table and user activity in the database will populate.
You can see their contents by navigating to
Analysis > Users > Users
Analysis > Users > User Activity
To create a policy:
Policies > Correlation, then click the Policy Management tab > Create Policy; later, to add a rule, click Add Rules.
To create a response:
Actions > Alerts
or
Actions > Remediation Instance
Once the white list is created, it is treated in the same manner as a correlation rule, so it must be implemented via a correlation policy.
These events can be found by navigating to Analysis > Correlation > White List Events.
To begin, click the New Profile link on the right. This loads the profile configuration screen.
Now that you have one or more traffic profiles, they must be added to a correlation policy to be of any use.
Traffic profiles can't be added directly to a policy; you must first create rules that will trigger for certain profile conditions.
FirePOWER Resources
Exclusion of EIGRP, OSPF and BGP Messages from the Firepower Intrusion Inspection
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200205-Exclusion-of-EIGRP-OSPF-and-BGP-Message.html
How to configure Clustering on Cisco FirePOWER 7000 and 8000 Series Devices
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200316-Configuration-of-Clustering-on-Cisco-Fir.html
Steps and Tips to Create, Import and Manage Custom Local Rules on a FireSIGHT System
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117924-technote-firesight-00.html
Free Videos
http://www.labminutes.com/video/sec/ASA%20FirePower
http://www.ciscopress.com/store/cisco-asa-5500-x-series-next-generation-firewalls-livelessons-9781587205736
http://www.amazon.com/Cisco-Next-Generation-Security-Solutions-All/dp/1587144468
http://www.amazon.com/Securing-Networks-Sourcefire-Intrusion-Prevention/dp/1119155037
https://www.lammle.com/firepower-video-training/
Good Luck
CCIE & CCSI: Yasser Auda
https://www.facebook.com/YasserRamzyAuda
https://learningnetwork.cisco.com/people/yasserramzy
https://www.youtube.com/user/yasserramzyauda