BRKSEC-2020 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Firepower Sessions: Building Blocks
Agenda
• Cisco Firepower NGFW Overview
• Use Case Introduction
• Deploying the L3 Firewall at the Edge
• Interfaces, Routing & NAT
• NGFW Policies
• High Availability
Performance and Scalability (diagram: platform positioning)
Platforms, smallest to largest: ASA 5506-X, ASA 5506W-X, ASA 5506H-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, Firepower 4110 / Firepower 4120, Firepower 4140 / Firepower 4150, Firepower 9300; FTDv (virtual)
Market segments on the axis: SMB & Distributed Enterprise; Commercial & Enterprise; Data Center, High Performance Computing, Service Provider
Firepower Threat Defense (FTD) Software
(Diagram) FTD combines the ASA (L2-L4) image with the Firepower feature set:
• ASA (L2-L4): L2-L4 Stateful Firewall; Scalable CGNAT, ACL, routing
• Firepower: Continuous Feature / Firewall / URL / Visibility / Threats
Managed by Firepower Management Center (FMC)*
* Also manages Firepower Appliances and FirePOWER Services (not ASA Software)
Use Case Network – CLINET (clinet.com)
CLINET (clinet.com) – Cisco LIVE Information Networking Company
• CLINET (clinet.com) is a fictional company created for understanding use cases in FTD firewall deployment.
• CLINET has embarked on a network/security deployment project entitled “The Security 20/20 Project” which serves as the basis for the use case.
• Company requirements and configuration examples are based upon real-life customer conversations and deployments.
Overview – clinet.com Logical Network Diagram (Firewall Deployment)
(Diagram: ISP-A / ISP-B; Data Center Core (Routed) / Core VDC; Data Center Aggregation; Access Fabric; Virtual Access / Compute)
Callouts:
• Deploy Redundant Firepower NGFWs in Transparent Mode for Data Center / Agg VDC
• Deploy FTD Virtual (FTDv) in Virtual Environment
Note: Storage architecture not depicted in this layout, nor will it be discussed
clinet.com Edge FTD Deployment Details
General Requirements
clinet.com ASN 65345; IP Range 128.107.1.0/24; upstream ISP-A and ISP-B
1 – Edge Routers running HSRP – FHRP address is 128.107.1.1
2 – FW deployed in L3 ‘routed’ mode, with NAT and ACLs – Routing protocol will be used on inside
3 – Outside and DMZ (Public Web/DB) using Redundant Interfaces
4 – Inside Interface using EtherChannel
5 – Use-case specific Internal Zones:
  VL2 – Security Diversion network for scanning questionable traffic (‘Trusted / Scanning Zone’)
  VL120 – Primary Internal Zone – services the primary internal network
  VL1299 – Isolated Internal DMZ for BYOD / contractor / unknown – Internet access only (Inside Zone for contractor / BYOD / unknown)
6 – DMZ Network(2): Two DMZ Zones will be created:
  1 – Web Public (www, DNS, SMTP) – VLAN 150, Public Web DMZ – 10.200.1.0/24
  2 – Partner Intranet (wwwin, Oracle link) – VLAN 151, Partner Intranet – 10.100.100.0/24
7 – Active/Standby HA will be used at the edge
Diagram labels: interfaces G1/1 through G1/8; Edge Aggregation VDC with vPC; VLAN 2, VLAN 120 and VLAN 1299 on the inside; Web/App/DB – 172.16.25.250
clinet.com Data Center FTD Deployment Details
General Requirements
1 – Use-case specific Internal Zones from Edge into core network (VLAN 2, VLAN 120, VLAN 1299): Internal DMZ Zone for contractor / BYOD / unknown; Sidecar Inside Network for ‘Trusted Scanning Zone’
2 – DC Core is routed using OSPF. Routing will remain in place (on DC Switches). FTD must be deployed without disrupting current L3 architecture
3 – Firepower 9300 is used for scale and flow offload
4 – Virtual FTD (FTDv) deployed within hypervisor to protect East/West Traffic Flows
(Diagram: Edge Aggregation; Data Center Core (Routed), OSPF Routed Core, Core VDC; Data Center Aggregation, Aggregation VDC; Virtual Access / Compute Networks)
FTD Initial Setup
FTD Deployment Checklist (Edge)
Primary NGFW: (after initial setup)
1 – Determine Deployment Mode – Routed or Transparent
2 – Examine Interface Types
3 – Interface Configuration(s)
  EtherChannel / LACP / Redundant
  VLAN Tagging / Sub-Interfaces / Trunk
(Diagram: edge topology with ISP-A / ISP-B and Edge Aggregation)
Installing Firepower Threat Defense
(Diagram: three tracks)
• Management Center – Install Firepower Management Center 6.0
• Smart License – Register with Cisco Smart Software Manager
• FirePOWER Services on ASA – Upgrade/Reimage to Firepower Threat Defense
Management Connections
(Diagram: FTD Management interface connected to a Layer-2 Switch)
FTD Initial Setup – FTD Console
• Firewall mode is one of the few features configured locally. We will cover modes in more detail later on.
Configure firewall mode? (routed/transparent) [routed]:
FTD Initial Setup – Adding a Device to FMC
(Screenshot callouts)
• Either hostname or IP address
• Registration key we used in CLI
• Add device drop down
Firewall Deployment Modes
Firewall Design: Modes of Operation
• Routed Mode is the traditional mode of the firewall. Two or more interfaces that separate L3 domains – Firewall is the Router and Gateway for local hosts.
(Diagram: 10.1.1.0/24 behind firewall interface 10.1.1.1; 192.168.1.0/24 behind firewall interface 192.168.1.1; host IP 192.168.1.100, GW 192.168.1.1; labels NAT, DRP)
Firewall Design: Modes of Operation
• Note:
  • No multiple context mode available on FTD today.
  • Routed or transparent mode configured with setup dialog.
  • Changing between these modes requires re-registering with FMC.
  • Policies will be re-deployed.
(Diagram: gateway 192.168.1.1; host IP 192.168.1.100, GW 192.168.1.1)
Working With FTD Interfaces
FTD Security Zones
• True zone based firewall
• Security Zones are collections of interfaces or sub-interfaces
• Policy rules can apply to source and/or destination security zones
• Security levels are not used
Optional Interface Modes
• By default, all interfaces are firewall interfaces (routed or transparent)
• Optionally, specific interfaces can be configured for use as IDS or IPS
• IDS Mode
• Inline Tap
• Passive
• ERSPAN
• IPS Mode
• Inline TAP
Mix and Match Interface Modes
(Diagram: interfaces A–J on one device feeding common Policy Tables)
• Routed or Transparent Interfaces: A, F
• Passive: B, G
• Inline Set – Inline Pair 1: C, H; Inline Pair 2: D, I
• Inline Tap: E, J
Basic Interface Configuration
Interface in RED – just an example; final config will be different once redundancy is added
(Diagram: ISP-A / ISP-B, Edge Aggregation, DMZ Network(2) (Public Web/DB), interface G1/1, vPC to the Edge Aggregation VDC)
Deploying the Redundant Outside Interfaces
Edge Use Case – “outside” redundant interface
(Diagram: G1/1 and G1/2 towards ISP-A / ISP-B via Edge Aggregation; DMZ Network(2) (Public Web/DB); vPC to the Edge Aggregation VDC)
Deploying the Redundant DMZ Interfaces
Will use sub-interfaces to accommodate the 2 VLANs
Callout: No security zone this time
(Diagram: GigabitEthernet1/3 towards DMZ Network(2) (Public Web/DB); ISP-A / ISP-B via Edge Aggregation; vPC to the Edge Aggregation VDC)
Deploying Changes
Changes don’t take effect until you deploy the policy
Callout: Can optionally check for rule conflicts
FTD EtherChannel Link Aggregation
What is an EtherChannel?
• EtherChannel LAG (IEEE standard is 802.3ad) allows up to 16 physical Ethernet links to be combined into one logical link. All 16 links can be active and forwarding data.
• Ports must be of same capabilities: duplex, speed, type, etc.
• Benefits of EtherChannel are increased scale, load-balancing and HA
• Load balancing is performed via a load-balancing hashing algorithm (src-dst-ip, src-dst-ip-port, etc.)
• EtherChannel uses LACP (Link Aggregation Control Protocol) to allow dynamic bundling and dynamic recovery in case of failure
• Static LAG can be used, but be aware of the potential traffic black holes this may cause
(Diagram: LACP Load Balance – src-dst-IP (hash))
What is a vPC EtherChannel?
• vPC (like VSS) is known as Multi-Chassis EtherChannel
• Virtual Port Channels (vPC) are common EtherChannel deployments, especially in the data center, and allow multiple devices to share multiple interfaces
• All links are active – no STP blocked ports
• vPC can maximize throughput since each port channel is treated as a single link for spanning-tree purposes
• Spanning Tree is not disabled, but does not affect the network
(Diagram: 20G vPC port channel; LACP Load Balance – src-dst-IP (hash))
EtherChannel on FTD
• Supports 802.3ad and LACP standards
• Direct support for vPC/VSS - CVD
• No issues with traffic normalization or asymmetry
• Up to 16 active links
• 100Mb, 1Gb, 10Gb, 40Gb are all supported – must match
Deploying the Inside Interfaces with EtherChannel
We will use sub-interfaces to accommodate the 3 internal VLANs
Callouts: No security zone again; No IP either
Sub-interface for VLAN 120 – repeat 2x for VLAN 2 and VLAN 1299
Routing on FTD
Reference – FTD packet-processing flow (diagram) with stages: RX Pkt, Ingress Interface, Existing Conn?, NAT Untranslate, ACL Permit?, Advanced Fastpath?; DROP on failed checks
Routing on FTD
• FTD performs L3 route lookup as part of its normal packet processing flow
• FTD is optimized as a flow-based inspection device
• For smaller deployments, FTD is perfectly acceptable as the router
• For larger deployments, a dedicated router (ISR, ASR, Nexus) is a much better option.
• FTD may originate routes depending on the network design
(Diagram: Outside Network via FHRP 128.107.1.1 on G1/1 with a Static Default route; DMZ Network on G1/3)
Reference
BGP
• FTD supports BGPv4 and BGPv6 for dynamic routing across all platforms
• Standard communities and all path attributes, route redistribution; up to 100K prefixes and 2000 neighbors
• Null0 and Remotely-Triggered Black Hole (RTBH) support
• RTBH – DDoS mitigation
• Confederations, route reflectors, tagging, neighbor source-interface, and BFD are not supported
Reference
• Non Stop Forwarding (NSF) and Graceful Restart (GR) support in FTD:
  • Cisco or IETF compatible for OSPFv2, OSPFv3; RFC 4724 for BGPv4
  • FTD notifies compatible peer routers after a switchover in failover
  • FTD acts as a helper to support a graceful or unexpected restart of a peer router in all modes
(Diagram: FTD failover pair peering over OSPF with a router that has a primary and a backup Route Processor and a Forwarding Plane)
1. Active FTD fails over to standby; newly active unit initiates OSPF adjacency with the router indicating that traffic forwarding should continue.
2. Router re-establishes OSPF adjacency with the FTD while retaining the stale routes; these routes are refreshed when the adjacency reestablishes.
3. Primary Route Processor undergoes a restart, signals the peer FTD to continue forwarding while the backup re-establishes adjacencies.
4. FTD continues normal traffic forwarding until the primary RP restarts or the backup takes over or the timeout expires.
FTD Routing – Static Use Case
FTD Routing – Dynamic Use Case
Step 1 – Enable the OSPF Process
Step 2 – Add an Area
Step 3 – Add Redistribution
NAT on FTD
NAT on FTD
• NAT on FTD is built around objects, with two types of NAT:
  • Auto NAT – Only the source is used as a match criterion
    • Only used for static or dynamic NAT
    • Configured within a network object (internally)
    • Device automatically orders the rules for processing:
      • Static over dynamic
      • Quantity of real IP addresses – from smallest to largest
      • IP address – from lowest to highest
      • Name of network object – in alphabetical order
NAT on FTD Processing
• Single NAT rule table (matching on a first match basis).
• Uses a simplified “Original Packet” to “Translated Packet” approach
• By default only Sections 1 and 2 are used. Select the “NAT Rule After” category when configuring a Manual NAT rule to place it within Section 3.
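The single-table, first-match behaviour and the Auto NAT ordering described above, as an added example (not code from the deck or from Cisco): the object names, addresses and the twice-NAT reading of the manual rule are constructed from the deck's use cases and are assumptions.

```python
"""Model of the FTD NAT rule table described above (added illustration, not
Cisco code). Section 1 (Manual NAT), Section 2 (Auto NAT, ordered by the
device as the text lists) and Section 3 (Manual NAT "after auto") form one
table searched on a first-match basis. Object names, addresses and rules are
constructed from the deck's use cases; the twice-NAT reading is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AutoNatRule:
    """Auto NAT lives inside a network object and matches on source only."""
    object_name: str
    real: IPv4Net      # original (real) source addresses
    mapped: str        # translated address, range, or "interface" (PAT)
    static: bool       # static vs. dynamic translation


@dataclass(frozen=True)
class ManualNatRule:
    """Manual NAT may match on source and destination (twice NAT)."""
    name: str
    src: IPv4Net
    src_mapped: str
    dst: Optional[IPv4Net] = None
    dst_mapped: Optional[str] = None
    after_auto: bool = False   # "NAT Rule After" category -> Section 3


NatRule = Union[AutoNatRule, ManualNatRule]


def auto_nat_sort_key(rule: AutoNatRule) -> Tuple[int, int, int, str]:
    """Device ordering of Section 2, exactly as the text lists it:
    static before dynamic; fewer real IPs first; lower real IP first;
    network object name alphabetical."""
    return (0 if rule.static else 1, rule.real.num_addresses,
            int(rule.real.network_address), rule.object_name)


def build_nat_table(manual, auto) -> List[NatRule]:
    """Single rule table: Section 1, then device-sorted Section 2, then Section 3."""
    section1 = [r for r in manual if not r.after_auto]   # configured order
    section2 = sorted(auto, key=auto_nat_sort_key)       # device-ordered
    section3 = [r for r in manual if r.after_auto]       # configured order
    return section1 + section2 + section3


def rule_name(rule: NatRule) -> str:
    return rule.object_name if isinstance(rule, AutoNatRule) else rule.name


def lookup(table: List[NatRule], src_ip: str, dst_ip: str):
    """First match wins. Returns (rule name, translated src, translated dst),
    or None when no rule applies and the packet is forwarded untranslated."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for rule in table:
        if isinstance(rule, AutoNatRule):
            if src in rule.real:             # source is the only criterion
                return rule_name(rule), rule.mapped, dst_ip
        elif src in rule.src and (rule.dst is None or dst in rule.dst):
            return rule_name(rule), rule.src_mapped, rule.dst_mapped or dst_ip
    return None


# Constructed sample policy mirroring the deck's NAT use cases.
AUTO_RULES = [
    AutoNatRule("inside-pool", IPv4Net("10.120.1.0/24"),
                "128.107.1.10-128.107.1.20", static=False),
    AutoNatRule("inside-all", IPv4Net("10.120.0.0/16"), "interface", static=False),
    AutoNatRule("inside-pat", IPv4Net("10.120.1.0/24"), "interface", static=False),
    AutoNatRule("dmz-web", IPv4Net("172.16.25.200/32"), "128.107.1.200", static=True),
]
MANUAL_RULES = [
    # Section 1: static twice NAT, matching on source and destination.
    ManualNatRule("partner-twice-nat", IPv4Net("192.168.1.10/32"), "128.107.1.242",
                  dst=IPv4Net("128.107.1.155/32"), dst_mapped="192.168.1.155"),
    # Section 3: catch-all placed "after auto" so the specific auto rules win first.
    ManualNatRule("catch-all-private", IPv4Net("10.0.0.0/8"), "interface",
                  after_auto=True),
]
NAT_TABLE = build_nat_table(MANUAL_RULES, AUTO_RULES)

if __name__ == "__main__":
    print([rule_name(r) for r in NAT_TABLE])
    print(lookup(NAT_TABLE, "10.120.1.50", "8.8.8.8"))
    print(lookup(NAT_TABLE, "192.168.1.10", "128.107.1.155"))
```

Note how the two /24 rules on the same object network are ordered purely by object name, and how a host outside 10.120.0.0/16 falls through every Auto NAT rule to the Section 3 catch-all.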
Auto NAT Use Case
Dynamic NAT translation of 10.120.1.0/24 using Interface PAT
Reference
Auto NAT Use Case
Static NAT translation of 172.16.25.200 to a public IP of 128.107.1.200
Reference
Auto NAT Use Case
Dynamic NAT translation of 10.120.1.0/24 to 128.107.1.10-128.107.1.20
Manual NAT Use Case
Static NAT of 192.168.1.10 128.107.1.242 to 192.168.1.155 128.107.1.155
Sample NAT Policy
Callouts: Easy to understand NAT logic; Manual NAT Rules
FTD NGFW Policies
NGFW Policy Types in FTD
Policy Type – Function
Access Control – Specify, inspect and log network traffic
Intrusion – Inspect traffic for security violations (including block or alter)
Malware & File – Detect and inspect files for malware (including block)
SSL – Inspect encrypted traffic (including decrypt and block)
DNS – Controls whitelisting or blacklisting of traffic based on domain
Identity – Collect identity information via captive portal
Prefilter – Early handling of traffic based on L1-L4 criteria
Access Control Policy Overview
• Controls what and how traffic is allowed, blocked, inspected and logged
• Simplest policy contains only a default action:
  • Block All Traffic
  • Trust All Traffic – Does not pass through Intrusion and Malware & File inspection
  • Network Discovery – Discover applications, users and devices on the network only
  • Intrusion Prevention – Using a specific intrusion policy
• Criteria can include zones, networks, VLAN tags, applications, ports, URLs and SGT/ISE attributes
• The same Access Control Policy can be applied to one or more devices
• Complex policies can contain multiple rules, inherit settings from other access control policies and specify other policy types that should be used for inspection
Access Control Policy Use Case #1 – Allow MS SQL from inside to pubdmz
(Screenshots: rule creation, Applications tab, Logging tab)
Callout: Displays block page over HTTP
Access Control Policy Use Case #2 – Introduction
CLINET requirements:
• Allow all outbound HTTP/HTTPS traffic, regardless of port
• Perform IDS inspection of the traffic (with all Chrome rules enabled)
• Block any malware
• Block any HTTPS connections that use a self-signed certificate
Intrusion Policy Overview
• Controls how IDS or IPS inspection is performed on network traffic
• Simple policy inherits settings from 1 of 5 Cisco Talos maintained base policies:
  • Balanced Security and Connectivity – Default and recommended
  • Connectivity Over Security – Fewer rules enabled, only most critical rules block
  • Maximum Detection – Favors detection over rated throughput
  • No Rules Active
  • Security Over Connectivity – More rules enabled, deeper inspection
• Individual rules can be set to generate events, drop and generate events, or disabled
• Layers allow for grouping of settings/rules for easier management
• Complex policies can contain multiple layers and multiple levels of inheritance
Intrusion Policy for Use Case #2 – Detection Only (No Inline Blocking) + Alert on Chrome Attacks
(Screenshots: policy creation, Rules menu)
Callouts: Freeform search; Selecting browser-chrome populates the appropriate filter in the filter bar
Malware & File Policy Overview
• Controls what and how files are allowed, blocked and inspected
• Simple policy applies the same action (Malware Cloud Lookup) to all files
• Actions are:
  • Detect Files – Detect and log the file transfer, perform no inspection
  • Block Files – Block and log the file transfer, perform no inspection
  • Malware Cloud Lookup – Inspect the file to determine disposition (Malware, Unknown or Clean) and log
  • Block Malware – Inspect the file to determine disposition, log and block if Malware
• Inspection includes static analysis of the file (via Spero), dynamic analysis (via AMP Threat Grid) and local analysis (via ClamAV)
• Complex policies can include different actions and levels of inspection for different application protocols, directions and file types.
Malware & File Policy for Use Case #2 – Block malicious Office, Executable and PDF files transferred over HTTP
(Screenshots: policy creation, rule editor, rule added)
Callouts: Detection only (no blocking); Stores files on sensor for further investigation by analyst; Spero = Static Analysis; Rule we just created
SSL Policy Overview
• Controls how and what encrypted traffic is inspected and decrypted
• Simple policy blocks all encrypted traffic that uses a self-signed certificate
• Actions are:
  • Decrypt - Resign – Used for SSL decryption of public services (Google, Facebook, etc.)
  • Decrypt - Known Key – Used when you have the certificate’s private key
  • Do not decrypt
  • Block
  • Block with reset
  • Monitor
• Many actions can be taken on encrypted traffic without decryption by inspecting the certificate, DN, cert status, cipher suite and version (all supported by FTD)
SSL Policy for Use Case #2 – Block Connections That Use a Self-Signed Certificate
(Screenshots: policy creation, rule editor, Cert Status tab)
Access Control Policy – Revisited
The glue that ties everything together
(Screenshot: Inspection Options of an access control rule)
Access Control Policy Use Case #2 – Recap
Inspect Outbound HTTP/HTTPS Connections (IDS, Malware and SSL)
• CLINET requirements:
• Allow all outbound HTTP/HTTPS traffic, regardless of port
• Perform IDS inspection of the traffic (with all Chrome rules enabled)
• Block any malware
• Block any HTTPS connections that use a self-signed certificate
Access Control Policy Use Case #2 – Graphically
Inspect Outbound HTTP/HTTPS Connections (IDS, Malware and SSL)
(Diagram) Access Control Rule – Criteria: All HTTP Traffic; Action: Allow; Inspection Options: Edge Intrusion Policy, Edge Malware & File Policy; Edge SSL Policy
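How an access control policy decides a flow, as an added example covering the overview above and Use Cases #1 and #2 (not code from the deck or from Cisco): rules are matched top-down on zone / network / port / application criteria, an Allow rule carries its intrusion and file policies while Trust and Block skip inspection, and the default action applies when nothing matches. Zone names, application names, the DMZ subnet and the policy names are constructed assumptions.

```python
"""Model of Access Control Policy evaluation on FTD (added illustration, not
Cisco code). Rules are checked top-down on zone / network / port / application
criteria; the first match sets the action and which inspection policies run,
otherwise the policy's default action applies. Zone, application and policy
names are constructed from the deck's Use Case #1 and Use Case #2.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str                 # application as identified by the device


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str              # "Allow", "Trust" or "Block"
    src_zones: Optional[Set[str]] = None   # None means "any"
    dst_zones: Optional[Set[str]] = None
    dst_nets: Optional[Set[str]] = None    # CIDR strings
    dst_ports: Optional[Set[int]] = None
    apps: Optional[Set[str]] = None
    intrusion_policy: Optional[str] = None
    file_policy: Optional[str] = None
    log: bool = False

    def matches(self, f: Flow) -> bool:
        """Every configured criterion must match; unset criteria match anything."""
        if self.src_zones is not None and f.src_zone not in self.src_zones:
            return False
        if self.dst_zones is not None and f.dst_zone not in self.dst_zones:
            return False
        if self.dst_nets is not None and not any(
                ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(n)
                for n in self.dst_nets):
            return False
        if self.dst_ports is not None and f.dst_port not in self.dst_ports:
            return False
        if self.apps is not None and f.app not in self.apps:
            return False
        return True


@dataclass(frozen=True)
class AccessControlPolicy:
    rules: List[AccessRule]
    default_action: str      # one of the four default actions in the text
    default_intrusion_policy: Optional[str] = None


def evaluate(policy: AccessControlPolicy, f: Flow) -> Dict[str, Optional[str]]:
    """Return which rule decided the flow, its action, and the inspection applied."""
    for rule in policy.rules:
        if rule.matches(f):
            inspected = rule.action == "Allow"   # Trust and Block skip inspection
            return {"rule": rule.name, "action": rule.action,
                    "intrusion": rule.intrusion_policy if inspected else None,
                    "file": rule.file_policy if inspected else None}
    # No rule matched: apply the policy's default action.
    default = policy.default_action
    if default == "Block All Traffic":
        return {"rule": "default", "action": "Block", "intrusion": None, "file": None}
    if default == "Trust All Traffic":
        return {"rule": "default", "action": "Trust", "intrusion": None, "file": None}
    if default == "Intrusion Prevention":
        return {"rule": "default", "action": "Allow",
                "intrusion": policy.default_intrusion_policy, "file": None}
    # "Network Discovery": allowed and discovered, no intrusion or file inspection
    return {"rule": "default", "action": "Allow", "intrusion": None, "file": None}


# Constructed edge policy for the two use cases in the deck.
EDGE_POLICY = AccessControlPolicy(
    rules=[
        AccessRule("Allow MS SQL inside->pubdmz", "Allow",
                   src_zones={"inside"}, dst_zones={"pubdmz"},
                   dst_nets={"10.200.1.0/24"}, apps={"MS SQL"}, log=True),
        AccessRule("Inspect outbound HTTP/HTTPS", "Allow",
                   src_zones={"inside"}, dst_zones={"outside"},
                   apps={"HTTP", "HTTPS"},          # regardless of port
                   intrusion_policy="Edge Intrusion Policy",
                   file_policy="Edge Malware & File Policy", log=True),
    ],
    default_action="Block All Traffic",
)
```

The second rule has no port criterion, so HTTP identified on port 8080 still matches and is handed to the intrusion and file policies; an SSH flow to the outside falls to the Block All Traffic default.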
Access Control Policy Use Case #2 – Inspect Outbound HTTP/HTTPS Connections (IDS, Malware and SSL)
(Screenshots: rule creation, Applications tab, Inspections tab, Logging tab, Rule added, Advanced tab)
Callouts: Intrusion policy we created previously; Rule we just created
FTD High Availability
Firepower Threat Defense High Availability
• Supported on all models (except in AWS)
• Stateful Active/Standby failover only
• All features are supported with failover
Firepower Threat Defense High Availability (Part 2)
• Two nodes connected by one or two dedicated connections called “failover links”
  • Failover and state
  • Can use the same link for both
  • Best practice is to use a dedicated link for each if possible (cross-over or VLAN)
• When first configured, Primary’s policies are synchronized to Secondary
• Configuration/policy updates are sent to current active node by FMC
• Active unit replicates policies to standby
(Diagram: Primary NGFW (active) and Backup NGFW (standby) joined by Failover and State links)
How Failover Works
Failover link passes Hellos between active and standby units every 15 seconds (tunable from 200msec - 15 seconds)
(Diagram sequence over three slides: HELLOs exchanged on the failover link; after failover the Secondary FTD is shown as active)
Easier Way: Stateful Failover Unsupported Features
• Every feature is supported, except:
• Sessions inside plaintext tunnels
• Inspection after decryption
• TLS Decryption State
• The HTTP connection table
• DHCP client
• DHCP server address leases
• Multicast routing
HA with Interface Redundancy
Before… / After with redundant interfaces (diagram)
Before: any of the numbered link failures causes FAILOVER
After: with redundant interfaces, the same failures still cause no FAILOVER
Port Channel feature makes this concept somewhat obsolete if switches support VSS/vPC
Deploying Active/Standby Failover
With both devices added to FMC, use “Add High Availability” dropdown
(Screenshots: high availability configuration)
Secondary IPs – Required to send hellos between data interfaces
Deploying FTD in Transparent Mode
FTD Deployment Checklist (Data Center)
Specific Items for FTD in the Data Center
1 – Verify Deployment Mode – Routed or Transparent
2 – Transparent Mode Firewalls
  Deploying Transparent Mode
  How Transparent Mode Works
3 – Flow Bypass
A Note about the ASA for DC Deployments
• ASA image is still a very common deployment for many use cases:
  • Scalability – ASA supports 16 node clusters, over 1 TBPS of throughput
  • Spanned DC – ASA supports clustering across physical DCs
  • Firewall Consolidation – ASA supports up to 250 contexts
• FTD-supported hardware (ASA5555-X, FP9300, etc.) is all capable of running the ASA software image and is field-upgradeable from the ASA image to the Firepower Threat Defense (FTD) image
Review: Modes of Operation
(Diagram: gateway 192.168.1.1; host IP 192.168.1.100, GW 192.168.1.1)
Why Deploy Transparent Mode?
• Very popular architecture in data center environments
• The existing Nexus/DC network fabric does not need to be modified to insert an L2 firewall
  • It is as simple as changing the host(s) VLAN ID
• The firewall does not need to run routing protocols or become a segment gateway
  • Firewalls are better suited to flow-based inspection than to packet forwarding like a router
• Routing protocols can establish adjacencies through the firewall (the access control policy must still permit the protocol traffic)
• Protocols such as HSRP, VRRP and GLBP can cross the firewall
• Multicast streams can traverse the firewall
• Non-IP traffic can be allowed (IPX, MPLS, BPDUs); non-IP EtherTypes such as IPX and MPLS only cross when an EtherType rule explicitly permits them, so decide deliberately what the firewall should pass
• Much faster deployment time for brownfield environments (months vs. years)
Firewall – Transparent Mode
• Firewall functions like a bridge
• “Bump in the wire” at L2
Transparent Mode Configuration in the DC (2 interfaces)
Step 1 – Create Port-Channel to Nexus
[Diagram: a Nexus pair with SVI VLAN 200 at 172.16.25.253 and 172.16.25.254 and FHRP address 172.16.25.1 (North Zone, VLAN 200) connects over a vPC to the FTD. At this step the new port-channel has no security zone and no IP address. The finished design uses VLAN 200 as Outside and VLAN 201 as Inside, a BVI at 172.16.25.86/24, and the server in VLAN 201.]
Transparent Mode Configuration in the DC (2 interfaces)
Step 2 – Create Sub-Interfaces (1 for each VLAN)
[Diagram: on the port-channel, a VLAN 200 sub-interface (Outside, facing the Nexus North Zone and FHRP 172.16.25.1) and a VLAN 201 sub-interface (Inside, facing the server in VLAN 201)]
Transparent Mode Configuration in the DC (2 interfaces)
Step 3 – Stitch everything together with a Bridge Group Interface
[Diagram: both sub-interfaces become members of one bridge group with BVI 172.16.25.86/24; VLAN 200 (Outside) and VLAN 201 (Inside) are now bridged through the FTD, so the server in VLAN 201 reaches the Nexus FHRP gateway 172.16.25.1 in VLAN 200]
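The three steps above build one bridge group from two VLAN sub-interfaces on a single port-channel. Before pushing such a design from FMC it is worth checking it mechanically. The following Python is an added example written for this page (it is not Cisco FTD or FMC code) that models the clinet.com design and runs the checks a practitioner would want: inside and outside on different VLAN tags, no IP address on member interfaces, every member in a security zone, a BVI address in the gateway's subnet, and at most four members per BVI (the limit this deck states for the FTDv transparent scenario). The dataclasses, function names, the `broken_design` counter-example and the check logic are assumptions made here for illustration.

```python
"""Pre-deployment sanity checks for a two-interface transparent-mode design.
Added example for this page, not FTD/FMC code; names and checks are assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass
class SubInterface:
    parent: str               # port-channel built in Step 1, e.g. "Port-channel1"
    vlan: int                 # 802.1Q tag from the Nexus trunk (Step 2)
    zone: Optional[str]       # security zone the access control policy matches on
    ip: Optional[str] = None  # transparent-mode members must never carry an IP


@dataclass
class BridgeGroup:
    bvi_id: int
    bvi_address: str          # BVI address used for management and ARP, e.g. 172.16.25.86/24
    members: List[SubInterface] = field(default_factory=list)


MAX_BVI_MEMBERS = 4           # "bridge up to 4 segments per BVI" (FTDv transparent slide)


def check_bridge_group(bg: BridgeGroup, gateway: str) -> List[str]:
    """Return findings for the design; an empty list means it is consistent."""
    findings: List[str] = []
    if len(bg.members) < 2:
        findings.append(f"BVI{bg.bvi_id}: a bridge group needs at least two members")
    if len(bg.members) > MAX_BVI_MEMBERS:
        findings.append(f"BVI{bg.bvi_id}: {len(bg.members)} members exceeds {MAX_BVI_MEMBERS}")

    bvi = IPv4Interface(bg.bvi_address)
    if IPv4Address(gateway) not in bvi.network:
        findings.append(f"BVI{bg.bvi_id}: {bvi} is not in the subnet of gateway {gateway}")

    # The firewall stitches VLAN 200 to VLAN 201; both members on one tag is a loop.
    tags = [m.vlan for m in bg.members]
    if len(set(tags)) != len(tags):
        findings.append(f"BVI{bg.bvi_id}: duplicate VLAN tags across members {tags}")

    for m in bg.members:
        name = f"{m.parent}.{m.vlan}"
        if m.ip is not None:
            findings.append(f"{name}: carries IP {m.ip}; transparent members must have none")
        if not m.zone:
            findings.append(f"{name}: not assigned to a security zone")
    return findings


def deck_design() -> BridgeGroup:
    """The clinet.com data center design from Steps 1-3."""
    return BridgeGroup(
        bvi_id=1,
        bvi_address="172.16.25.86/24",
        members=[
            SubInterface("Port-channel1", 200, "Outside"),  # north side, VLAN 200
            SubInterface("Port-channel1", 201, "Inside"),   # server side, VLAN 201
        ],
    )


def broken_design() -> BridgeGroup:
    """Constructed counter-example: wrong BVI subnet, same tag both sides, IP on a member."""
    return BridgeGroup(
        bvi_id=1,
        bvi_address="172.16.26.86/24",                       # not the gateway's subnet
        members=[
            SubInterface("Port-channel1", 200, "Outside", ip="172.16.25.87"),
            SubInterface("Port-channel1", 200, None),       # duplicate tag, no zone
        ],
    )


if __name__ == "__main__":
    for label, design in (("deck", deck_design()), ("broken", broken_design())):
        problems = check_bridge_group(design, "172.16.25.1")
        print(label, "OK" if not problems else problems)
```

The checks are deliberately structural: they catch the mistakes that silently produce a bridging loop or an unpoliced member (no zone means no access control rule can match it by zone), which is what you want to know before the change window, not after.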
Reference – FTD L2 Mode: Local Packet
[Figure: packet walk for a destination on the local segment; addresses shown in the figure: 10.10.44.100, Destination 1]
Reference – FTD L2 Mode: Remote Packet
[Figure: packet walk for a destination on a remote segment; addresses shown in the figure: 10.10.44.100, Destination 5]
FTD Flow Bypass
FTD Flow Offload
• Trusted flow processing with limited security visibility: offloaded flows skip deep inspection, so offload only flows you have deliberately classified as trusted
• Maximize single-flow throughput and packet rate, minimize latency
• High performance compute, high-frequency trading, demanding data center applications
• Targeting 30 Gbps+ per single flow (TCP/UDP) and 2.9 µs of 64-byte UDP latency
• Unicast IPv4 TCP/UDP/GRE and VLAN encapsulation only; no CMD/SGT (Cisco MetaData header carrying a TrustSec Security Group Tag)
Reference – Flow Offload
[Figure: incoming traffic enters the Flow Classifier; established, trusted flows are handed to the Rewrite Engine on the Smart NIC (Flow Offload) and bypass the main inspection path]
• Limited state tracking, NAT/PAT, TCP sequence number randomization
• 30–40 Gbps per single TCP/UDP flow, 2.5 µs UDP latency, 32K tracked flows
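To make the eligibility rules on these two slides concrete, here is an added Python example (written for this page, not Cisco's offload classifier) that parses a raw Ethernet frame and decides whether the flow it belongs to could be handed to the offload path: unicast IPv4 carrying TCP, UDP or GRE, untagged or with a single 802.1Q tag, and never when a Cisco MetaData (SGT) EtherType is present. The frame builder, the sample cases, the rejection of double-tagged frames and the grouping of 255.255.255.255 with multicast are assumptions made here; real offload additionally depends on policy and on the flow being established, which this classifier does not model.

```python
"""Flow-offload eligibility classifier for raw Ethernet frames.
Added example for this page; not Cisco code. Implements the stated rules
(unicast IPv4 TCP/UDP/GRE, optional single 802.1Q tag, no CMD/SGT) and
nothing else, so it says nothing about policy or flow state."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ETH_IPV4, ETH_VLAN, ETH_IPV6 = 0x0800, 0x8100, 0x86DD
ETH_CMD = 0x8909                      # Cisco MetaData header carrying the TrustSec SGT
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
OFFLOADABLE_PROTOS = {PROTO_TCP, PROTO_UDP, PROTO_GRE}


@dataclass
class Verdict:
    offload: bool
    reason: str


def classify(frame: bytes) -> Verdict:
    """Decide whether a frame's flow is a candidate for the offload path."""
    if len(frame) < 14:
        return Verdict(False, "runt frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if etype == ETH_VLAN:                      # one 802.1Q tag is allowed
        if len(frame) < 18:
            return Verdict(False, "truncated VLAN tag")
        etype = struct.unpack("!H", frame[16:18])[0]
        off = 18
        if etype == ETH_VLAN:                  # assumption: QinQ is not handled
            return Verdict(False, "double-tagged frame")
    if etype == ETH_CMD:
        return Verdict(False, "CMD/SGT header present")
    if etype != ETH_IPV4:
        return Verdict(False, f"non-IPv4 EtherType 0x{etype:04x}")
    ip = frame[off:off + 20]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return Verdict(False, "malformed IPv4 header")
    proto, dst = ip[9], ip[16:20]
    if dst[0] >= 224:                          # multicast, class E and 255.255.255.255
        return Verdict(False, "non-unicast destination")
    if proto not in OFFLOADABLE_PROTOS:
        return Verdict(False, f"IP protocol {proto} is not TCP/UDP/GRE")
    return Verdict(True, f"unicast IPv4 protocol {proto}")


def build_frame(dst_ip: str, proto: int, vlan: Optional[int] = None,
                inner_type: int = ETH_IPV4) -> bytes:
    """Construct a minimal frame for testing (constructed data, not a capture).
    For rejected EtherTypes the payload is still an IPv4 header; the classifier
    never reaches it."""
    hdr = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x11\x22\x33\x44\x66"
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan & 0x0FFF)
    hdr += struct.pack("!H", inner_type)
    src = bytes([10, 10, 44, 100])
    dst = bytes(int(o) for o in dst_ip.split("."))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)
    return hdr + ipv4


SAMPLE_FRAMES: Dict[str, bytes] = {
    "untagged tcp unicast": build_frame("172.16.25.10", PROTO_TCP),
    "dot1q udp unicast":    build_frame("172.16.25.10", PROTO_UDP, vlan=201),
    "gre unicast":          build_frame("172.16.25.10", PROTO_GRE),
    "udp multicast":        build_frame("239.1.1.1", PROTO_UDP),
    "icmp":                 build_frame("172.16.25.10", 1),
    "sgt tagged tcp":       build_frame("172.16.25.10", PROTO_TCP, inner_type=ETH_CMD),
    "ipv6":                 build_frame("172.16.25.10", PROTO_TCP, inner_type=ETH_IPV6),
    "qinq":                 build_frame("172.16.25.10", PROTO_TCP, vlan=200, inner_type=ETH_VLAN),
}


def summary() -> Dict[str, bool]:
    """Map each sample case to whether it is offload-eligible."""
    return {name: classify(frame).offload for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        v = classify(frame)
        print(f"{name:22s} offload={v.offload!s:5s} {v.reason}")
```

The useful observation for an operator is the negative cases: multicast replication traffic, ICMP, IPv6 and anything tagged with an SGT stays on the full inspection path no matter what the prefilter says, so those flows will not see the single-flow numbers quoted on the slide.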
FTD Virtual Firewall Deployment
clinet.com Virtual DC FTD Deployment Details – General Requirements
[Diagram: Data Center Core (Routed) / Core VDC, Data Center Aggregation / Aggregation VDC, and Virtual Access / Compute Networks. VLANs in use: 2, 120 and 1299. Zones: Inside Network for the Data Center "Trusted Zone"; DMZ Zone; a sidecar network for contractor / BYOD / unknown scanning.]
Cisco Virtual FTD and FMC
Reference
[Figure: FTDv on a VMware Distributed Virtual Switch spanning ESXi-1 and ESXi-2, with VMs attached to Port-Group A and Port-Group B and a dedicated VM port-group for the FTDv failover link]
FTDv Deployment Scenario – Passive
• Monitoring traffic between Server A and Server B
• Dedicated FTDv per ESXi host
• Promiscuous mode enabled in ESXi for the FTDv Sensing port group
  • Enable it on that port group only, not on the whole vSwitch: every VM attached to a promiscuous port group sees all frames on it
[Diagram: ESXi host; FTDv with Management and Sensing interfaces; Virtual Server A and Virtual Server B on vSwitch2; uplinks NIC2 and NIC3]
FTDv Deployment Scenario – Routed
• L3 NGFW gateway for servers
• Configure 2 vSwitches:
  • One with an external interface (Outside)
  • One without (Inside)
• Servers connect to the Inside vSwitch
• Port groups used for the Outside interface must have only 1 active uplink
[Diagram: ESXi host; FTDv with Management, Outside and Inside interfaces; Outside on vSwitch2 with uplink NIC2; Inside on the protected vSwitch (vSwitch3 / vSwitch4, port group P) carrying Virtual Server A and Virtual Server B; NIC4]
FTDv Deployment Scenario – Transparent
• NGFW segmentation between hosts
• Bridge up to 4 segments per BVI
• Configure 2 vSwitches:
  • One with an external interface (Outside)
  • One without (Inside)
• Servers connect to the Inside vSwitch
• Promiscuous mode enabled in ESXi for the FTDv Inside port group
• Use port channels to avoid loops – disable any NIC teaming
[Diagram: same layout as the routed scenario: ESXi host; FTDv with Management, Outside and Inside interfaces; Outside on vSwitch2 (NIC2); Inside on the protected vSwitch (vSwitch3 / vSwitch4, port group P) carrying Virtual Server A and Virtual Server B; NIC4]
Project Complete!
Wrapping Up
Session Summary
You should now be able to:
• Describe the core capabilities of Firepower Threat Defense (FTD)
• Determine the firewall deployment that is appropriate for which use case
• Describe how resilience is provided through high availability
• Deploy FTD at the edge, in the data center and virtually
• Utilize next-generation firewall features to provide effective network security
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
  • Hands-On NGFW Demo
  • Central and Local Firepower Management
• Related sessions
  • BRKSEC-2050 – ASA Firepower NGFW typical deployment scenarios (Mon @ 1:30 PM & Tue @ 1:30 PM)
  • BRKSEC-2058 – A Deep Dive into using the Firepower Manager (Wed @ 8:00 AM & Wed @ 1:30 PM)
Security Joins the Customer Connection Program
Customer User Group Program – 19,000+ Members
• Who can join: Cisco customers, service providers, solution partners and training partners
• Private online community to connect with peers & Cisco's Security product teams
• Monthly technical & roadmap briefings via WebEx
• Opportunities to influence product direction
Join in World of Solutions at the Security zone Customer Connection stand: learn about CCP and join; new member thank-you gift*; Customer Connection Member badge ribbon.