Cisco Press has published a step-by-step visual guide to configuring and troubleshooting of the Cisco Firepower Threat Defense (FTD). Each consistently organized chapter on this book contains definitions of keywords, operational flowcharts, architectural diagrams, best practices, configuration steps (with detailed screenshots), verification tools, troubleshooting techniques, and FAQs drawn directly from issues raised by Cisco customers at the Global Technical Assistance Center (TAC). Covering key Firepower materials on the CCNA Security, CCNP Security, and CCIE Security exams, this guide also includes end-of-chapter quizzes to help candidates prepare.
Successful completion of the lab exercises on this book allows a user to accomplish the following:
Understand the operational architecture of the Cisco Firepower NGFW, NGIPS, and AMP
Use command-line tools to identify status, trace packet flows, analyze logs, and debug messages
Deploy FTD on ASA platform and Firepower appliance running FXOS
Configure and troubleshoot Firepower Management Center (FMC)
Plan and deploy FMC and FTD on VMware virtual appliance
Design and implement the Firepower management network on FMC and FTD
Understand and apply Firepower licenses, and register FTD with FMC
Deploy FTD in Routed, Transparent, Inline, Inline Tap, and Passive Modes
Manage traffic flow with detect-only, block, trust, and bypass operations
Implement rate limiting and analyze quality of service (QoS)
Blacklist suspicious IP addresses via Security Intelligence
Block DNS queries to the malicious domains
Filter URLs based on category, risk, and reputation
Discover a network and implement application visibility and control (AVC)
Control file transfers and block malicious files using advanced malware protection (AMP)
Halt cyber attacks using Snort-based intrusion rule
Masquerade an internal host’s original IP address using Network Address Translation (NAT)
Capture traffic and obtain troubleshooting files for advanced analysis
Table of Contents
Chapter 1: Introduction to the Cisco Firepower Technology
The book begins with the history and evolution of the Cisco Firepower technology. This chapter introduces various software components that may be installed on a Firepower system. It also provides a quick overview of the hardware that supports the Cisco Firepower Threat Defense (FTD) technology.
Chapter 2: FTD on ASA 5500-X Series Hardware
This chapter describes the differences between various software images that may be installed on ASA 5500-X Series hardware. It demonstrates the detailed process of reimaging ASA 5500-X Series hardware to the FTD software. In addition, this chapter provides the command-line tools you can use to verify the status of the hardware and software.
Chapter 3: FTD on the Firepower eXtensible Operating System (FXOS)
This chapter describes the architecture, implementation, and installation of FTD on a Firepower security appliance running Firepower eXtensible Operating System (FXOS). It demonstrates several command-line tools you can use to determine the status of various components of the appliance.
Chapter 4: Firepower Management Center (FMC) Hardware
This chapter discusses and compares various hardware platforms for the FMC. It illustrates the complete reimaging process (also known as System Restore) and describes the best practices for doing it. You can also learn many different command-line tools to determine any issues with FMC hardware.
Chapter 5: Firepower System Virtual on VMware
This chapter describes various aspects of the Firepower virtual appliance, such as how to deploy a virtual appliance, how to tune the resources for optimal performance, and how to investigate issues with a new deployment.
Chapter 6: The Firepower Management Network
This chapter describes the best practices for designing and configuring a management network for the Firepower System. It also discusses the tools you can use to verify any communication issues between the management interfaces of the FMC and FTD. Before you begin the registration process, which is described in Chapter 7, you must ensure that the FMC and FTD are successfully connected through your network.
Chapter 7: Firepower Licensing and Registration
This chapter discusses licensing and registration—two important initial tasks in a Firepower system deployment. It describes the capabilities of different Firepower licenses and the steps involved in registering the FMC with a Smart License Server. It also demonstrates the registration process and the tools to investigate any communication issues.
Chapter 8: Firepower Deployment in Routed Mode
This chapter explains Routed Mode, which is a widely deployed firewall mode. It describes the steps involved in configuring the routed interfaces with static IP addresses as well as dynamic IP addresses. In addition, this chapter discusses various command-line tools you can use to determine any potential interface-related issues.
Chapter 9: Firepower Deployment in Transparent Mode
This chapter discusses another mode, Transparent Mode, including how to configure the physical and virtual interfaces, and how to use various command-line tools to investigate any potential configuration issues.
Chapter 10: Capturing Traffic for Advanced Analysis
This chapter describes the processes involved in capturing live traffic on an FTD device by using the system provided capturing tool. To demonstrate the benefit of the tool, this chapter shows how to use various tcpdump options and BPF syntaxes to filter and manage packet capture.
Chapter 11: Blocking Traffic Using Inline Interface Mode
This chapter demonstrates how to configure an FTD device in Inline Mode, how to enable fault tolerance features on an inline set, and how to trace a packet in order to analyze the root cause of a drop. This chapter also describes various command-line tools that you can use to verify the status of an interface, an inline pair, and an inline set.
Chapter 12: Inspecting Traffic Without Blocking It
This chapter explains the configuration and operation of various detection-only modes of an FTD device, such as Passive Mode, Inline Tap Mode, and Inline Mode with the Drop When Inline option disabled. It also provides various command-line tools that you can use to determine the status of interfaces and traffic.
Chapter 13: Handling Encapsulated Traffic
This chapter shows you how to analyze and block traffic that is encapsulated with the GRE protocol. This chapter also demonstrates the steps to bypass an inspection when the traffic is transferred over a tunnel. Besides showing configurations, this chapter also shows various tools to analyze an action applied by the Prefilter and Access Control policy of an FTD device.
Chapter 14: Bypassing Inspection and Trusting Traffic
This chapter discusses the techniques to bypass an inspection. It provides the steps to configure different methods. The chapter also analyzes the flows of bypassed packets to demonstrate how an FTD device acts during different bypassing options. You will learn how to use various debugging tools to determine whether the bypass process is working as designed.
Chapter 15: Rate Limiting Traffic
This chapter goes through the steps to configure QoS policy on an FTD device. It also provides an overview to the common ratelimiting mechanisms and the QoS implementation on an FTD device. This chapter also provides the command-line tools to verify the operation of QoS policy in an FTD device.
Chapter 16: Blacklisting Suspicious Addresses by Using Security Intelligence
This chapter illustrates the detection of a malicious address by using the Security Intelligence feature. It describes how to configure an FTD device to block, monitor, or whitelist an address when there is a match. This chapter also discusses the backend file systems for the Security Intelligence feature. You can apply this knowledge to troubleshoot an issue with Security Intelligence.
Chapter 17: Blocking a Domain Name System (DNS) Query
This chapter demonstrates various techniques to administer DNS queries using a Firepower DNS policy. Besides using traditional access control rules, an FTD device can incorporate the Cisco Intelligence Feed and dynamically blacklist suspicious domains. This chapter shows various ways to configure and deploy a DNS policy. This chapter also demonstrates several command-line tools you can run to verify, analyze, and troubleshoot issues with DNS policy.
Chapter 18: Filtering URLs Based on Category, Risk, and Reputation
This chapter describes techniques to filter traffic based on the category and reputation of a URL. It illustrates how a Firepower system performs a URL lookup and how an FTD device takes action based on the query result. This chapter explains the connection to a URL through debugging messages, which is critical for troubleshooting.
Chapter 19: Discovering Network Applications and Controlling Application Traffic
This chapter shows how a Firepower system can make you aware of the applications running on your network and empowers you to control access to any unwanted applications. It also shows the techniques to verify whether an FTD device can identify an application properly.
Chapter 20: Controlling File Transfer and Blocking the Spread of Malware
Cisco integrates the Advanced Malware Protection (AMP) technology with the Firepower technology. This chapter explains how the technologies work together to help you detect and block the spread of infected files across your network. In this chapter, you will learn the configurations and operations of a file policy on a Firepower system. This chapter also demonstrates various logs and debugging messages, which are useful for determining issues with cloud lookup and file disposition.
Chapter 21: Preventing Cyber Attacks by Blocking Intrusion Attempts
This chapter describes the well-known feature of a Firepower system: the Snort-based next-generation intrusion prevention system (NGIPS). In this chapter, you will learn how to configure an NGIPS, how to apply any associated policies, and how to drill down into intrusion events for advanced analysis. This chapter discusses the Firepower Recommendations feature and demonstrates how the recommended ruleset can reduce system overhead by incorporating discovery data.
Chapter 22: Masquerading the Original IP Address of an Internal Network Host
This chapter discusses various types of NAT on an FTD device. It shows the steps to configure a NAT rule and demonstrates how FTD can leverage NAT technology to masquerade internal IP addresses in a real-world scenario.