For reporting and correlation of events on a Firepower Management Center (FMC), you may find the following two documents useful:
Working with Reports
Correlation and Compliance Events
If the events are generated by the Advanced Malware Protection (AMP) system, then you can find some directions from this document as well. Depending on your support entitlement level, you may get direct assistance from the Cisco TAC for false positive analysis. In that case, you will be requested to provide the related packets (PCAP files) to the Cisco TAC. This document provides instruction on how to collect them.
As a side note, Cisco also offers advanced services to prepare, manage, detect, and respond to any network threats. The following programs provide that level of in-person assistance:
Managed Security Services
Incident Response Services
Hoping, the above links are helpful.
... View more
Cisco Press has published a step-by-step visual guide to configuring and troubleshooting of the Cisco Firepower Threat Defense (FTD). Each consistently organized chapter on this book contains definitions of keywords, operational flowcharts, architectural diagrams, best practices, configuration steps (with detailed screenshots), verification tools, troubleshooting techniques, and FAQs drawn directly from issues raised by Cisco customers at the Global Technical Assistance Center (TAC). Covering key Firepower materials on the CCNA Security, CCNP Security, and CCIE Security exams, this guide also includes end-of-chapter quizzes to help candidates prepare.
Author: Nazmul Rajib, Publisher: Cisco Press www.ciscopress.com/title/9781587144806
Successful completion of the lab exercises on this book allows a user to accomplish the following:
Understand the operational architecture of the Cisco Firepower NGFW, NGIPS, and AMP
Use command-line tools to identify status, trace packet flows, analyze logs, and debug messages
Deploy FTD on ASA platform and Firepower appliance running FXOS
Configure and troubleshoot Firepower Management Center (FMC)
Plan and deploy FMC and FTD on VMware virtual appliance
Design and implement the Firepower management network on FMC and FTD
Understand and apply Firepower licenses, and register FTD with FMC
Deploy FTD in Routed, Transparent, Inline, Inline Tap, and Passive Modes
Manage traffic flow with detect-only, block, trust, and bypass operations
Implement rate limiting and analyze quality of service (QoS)
Blacklist suspicious IP addresses via Security Intelligence
Block DNS queries to the malicious domains
Filter URLs based on category, risk, and reputation
Discover a network and implement application visibility and control (AVC)
Control file transfers and block malicious files using advanced malware protection (AMP)
Halt cyber attacks using Snort-based intrusion rule
Masquerade an internal host’s original IP address using Network Address Translation (NAT)
Capture traffic and obtain troubleshooting files for advanced analysis
Table of Contents
Chapter 1: Introduction to the Cisco Firepower Technology
The book begins with the history and evolution of the Cisco Firepower technology. This chapter introduces various software components that may be installed on a Firepower system. It also provides a quick overview of the hardware that supports the Cisco Firepower Threat Defense (FTD) technology.
Chapter 2: FTD on ASA 5500-X Series Hardware
This chapter describes the differences between various software images that may be installed on ASA 5500-X Series hardware. It demonstrates the detailed process of reimaging ASA 5500-X Series hardware to the FTD software. In addition, this chapter provides the command-line tools you can use to verify the status of the hardware and software.
Chapter 3: FTD on the Firepower eXtensible Operating System (FXOS)
This chapter describes the architecture, implementation, and installation of FTD on a Firepower security appliance running Firepower eXtensible Operating System (FXOS). It demonstrates several command-line tools you can use to determine the status of various components of the appliance.
Chapter 4: Firepower Management Center (FMC) Hardware
This chapter discusses and compares various hardware platforms for the FMC. It illustrates the complete reimaging process (also known as System Restore) and describes the best practices for doing it. You can also learn many different command-line tools to determine any issues with FMC hardware.
Chapter 5: Firepower System Virtual on VMware
This chapter describes various aspects of the Firepower virtual appliance, such as how to deploy a virtual appliance, how to tune the resources for optimal performance, and how to investigate issues with a new deployment.
Chapter 6: The Firepower Management Network
This chapter describes the best practices for designing and configuring a management network for the Firepower System. It also discusses the tools you can use to verify any communication issues between the management interfaces of the FMC and FTD. Before you begin the registration process, which is described in Chapter 7, you must ensure that the FMC and FTD are successfully connected through your network.
Chapter 7: Firepower Licensing and Registration
This chapter discusses licensing and registration—two important initial tasks in a Firepower system deployment. It describes the capabilities of different Firepower licenses and the steps involved in registering the FMC with a Smart License Server. It also demonstrates the registration process and the tools to investigate any communication issues.
Chapter 8: Firepower Deployment in Routed Mode
This chapter explains Routed Mode, which is a widely deployed firewall mode. It describes the steps involved in configuring the routed interfaces with static IP addresses as well as dynamic IP addresses. In addition, this chapter discusses various command-line tools you can use to determine any potential interface-related issues.
Chapter 9: Firepower Deployment in Transparent Mode
This chapter discusses another mode, Transparent Mode, including how to configure the physical and virtual interfaces, and how to use various command-line tools to investigate any potential configuration issues.
Chapter 10: Capturing Traffic for Advanced Analysis
This chapter describes the processes involved in capturing live traffic on an FTD device by using the system provided capturing tool. To demonstrate the benefit of the tool, this chapter shows how to use various tcpdump options and BPF syntaxes to filter and manage packet capture.
Chapter 11: Blocking Traffic Using Inline Interface Mode
This chapter demonstrates how to configure an FTD device in Inline Mode, how to enable fault tolerance features on an inline set, and how to trace a packet in order to analyze the root cause of a drop. This chapter also describes various command-line tools that you can use to verify the status of an interface, an inline pair, and an inline set.
Chapter 12: Inspecting Traffic Without Blocking It
This chapter explains the configuration and operation of various detection-only modes of an FTD device, such as Passive Mode, Inline Tap Mode, and Inline Mode with the Drop When Inline option disabled. It also provides various command-line tools that you can use to determine the status of interfaces and traffic.
Chapter 13: Handling Encapsulated Traffic
This chapter shows you how to analyze and block traffic that is encapsulated with the GRE protocol. This chapter also demonstrates the steps to bypass an inspection when the traffic is transferred over a tunnel. Besides showing configurations, this chapter also shows various tools to analyze an action applied by the Prefilter and Access Control policy of an FTD device.
Chapter 14: Bypassing Inspection and Trusting Traffic
This chapter discusses the techniques to bypass an inspection. It provides the steps to configure different methods. The chapter also analyzes the flows of bypassed packets to demonstrate how an FTD device acts during different bypassing options. You will learn how to use various debugging tools to determine whether the bypass process is working as designed.
Chapter 15: Rate Limiting Traffic
This chapter goes through the steps to configure QoS policy on an FTD device. It also provides an overview to the common ratelimiting mechanisms and the QoS implementation on an FTD device. This chapter also provides the command-line tools to verify the operation of QoS policy in an FTD device.
Chapter 16: Blacklisting Suspicious Addresses by Using Security Intelligence
This chapter illustrates the detection of a malicious address by using the Security Intelligence feature. It describes how to configure an FTD device to block, monitor, or whitelist an address when there is a match. This chapter also discusses the backend file systems for the Security Intelligence feature. You can apply this knowledge to troubleshoot an issue with Security Intelligence.
Chapter 17: Blocking a Domain Name System (DNS) Query
This chapter demonstrates various techniques to administer DNS queries using a Firepower DNS policy. Besides using traditional access control rules, an FTD device can incorporate the Cisco Intelligence Feed and dynamically blacklist suspicious domains. This chapter shows various ways to configure and deploy a DNS policy. This chapter also demonstrates several command-line tools you can run to verify, analyze, and troubleshoot issues with DNS policy.
Chapter 18: Filtering URLs Based on Category, Risk, and Reputation
This chapter describes techniques to filter traffic based on the category and reputation of a URL. It illustrates how a Firepower system performs a URL lookup and how an FTD device takes action based on the query result. This chapter explains the connection to a URL through debugging messages, which is critical for troubleshooting.
Chapter 19: Discovering Network Applications and Controlling Application Traffic
This chapter shows how a Firepower system can make you aware of the applications running on your network and empowers you to control access to any unwanted applications. It also shows the techniques to verify whether an FTD device can identify an application properly.
Chapter 20: Controlling File Transfer and Blocking the Spread of Malware
Cisco integrates the Advanced Malware Protection (AMP) technology with the Firepower technology. This chapter explains how the technologies work together to help you detect and block the spread of infected files across your network. In this chapter, you will learn the configurations and operations of a file policy on a Firepower system. This chapter also demonstrates various logs and debugging messages, which are useful for determining issues with cloud lookup and file disposition.
Chapter 21: Preventing Cyber Attacks by Blocking Intrusion Attempts
This chapter describes the well-known feature of a Firepower system: the Snort-based next-generation intrusion prevention system (NGIPS). In this chapter, you will learn how to configure an NGIPS, how to apply any associated policies, and how to drill down into intrusion events for advanced analysis. This chapter discusses the Firepower Recommendations feature and demonstrates how the recommended ruleset can reduce system overhead by incorporating discovery data.
Chapter 22: Masquerading the Original IP Address of an Internal Network Host
This chapter discusses various types of NAT on an FTD device. It shows the steps to configure a NAT rule and demonstrates how FTD can leverage NAT technology to masquerade internal IP addresses in a real-world scenario.
... View more
The Snort.org website has been updated to facilitate direct searches of the release snort rules based upon CVE ID or MS Advisory. Data that is returned by this search is independent of the previous rule-docs posting process, and should be available immediately upon SRU release.
You can access it here: https://snort.org/rule_docs.
You can search using a standard format CVE ID (“CVE-2014-1776”, for example) or MS Advisory ID ("MS08-067”, for example).
You can leverage this in lieu of manually checking on a FireSIGHT Management Center (FMC) with updated rules installed.
... View more
Jeffrey, 1. Go to the Downloads Home: https://software.cisco.com/download/navigator.html 2. Navigate to the Products > Security > Firewalls > Firewall Management > FireSIGHT Management Center. 3. Select a model. For example, FireSIGHT Management Center 4000. 4. On the left panel, select the desired product update. The following screenshot, for example, shows various types of products update on the left panel. 5. If you want to download the documentation for any rule updates, select Rules Updates, and hover your mouse over to a rule update release. A Detail popup window appears. You could find the links to the rule update documentation on the popup window. For example, please see the screenshot below: Thanks, Nazmul
... View more
Julien, Please read the following article. This will help you to write the flow matrix or a firewall rule. http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118791-technote-firesight-00.html Thanks, Nazmul
... View more
FireAMP Mac Connector v220.127.116.119 Release Date: March 04, 2015 New FireAMP Mac Connector officially certified on OS X 10.10. Bugfixes / Enhancements Addressed compatibility issue with OS X mail.app where malicious emails are continually downloaded and quarantined by the FireAMP Mac Connector. The Connector now detects and notifies that malicious emails are present but does not quarantine malicious .emlx files created by mail.app. It is left to the administrator to remove the malicious email from the server manually. If mail.app is configured to automatically download attachments and those are determined to be malicious, the Connector will continue to quarantine those attachments. Important: This fix only affects OS X mail.app. Other email applications may behave differently. Resolved a rare issue where the Connector is unable to sync policies for some period of time. Addressed a performance issue where users experienced high CPU usage after waking the computer from sleep or performing a reboot. Fixed high CPU usage issues on OS X 10.10 due to changes in Spotlight. Eliminated a race condition where kernel extensions were unable to successfully unload on shutdown or reboot. Improved Connector validation of user-created exclusions.
... View more
FireAMP Console v5.1.20150304 Release Date: March 04, 2015 New Low Prevalence Executables can be configured to automatically be submitted for File Analysis. Export computer details to a CSV file from the Computers page. Announcements will alert the user of new releases or upcoming system maintenance. Added support for entering a custom Cisco AMP Threat Grid API key. Bugfixes / Enhancements Added the ability to bulk delete computers from the Computers page. Improved bulk move operations on the Computers page. Fixed a bug where incorrect files were being downloaded when the user tried to download PCAP files from File Analysis. File Analysis search is now performed either in the Your Files or Global Files context. Removed the Connector 3.0 ClamAV Compatibility Mode policy setting because FireAMP Windows Connector 3.0 is deprecated and no longer supported, making this option obsolete. FireAMP Console v5.1.20150218 Release Date: February 18, 2015 Bugfixes / Enhancements Upgraded FireAMP Mac Connector protocol version to improve compatibility and reliability. This update is required to ensure future connectivity between the Sourcefire cloud and FireAMP Mac Connectors. All FireAMP Mac Connector policies will be updated to enable this change. Fixed a bug to address compatibility of the OpenIOC format with the FireAMP Endpoint IOC engine. Users experiencing false positives with Endpoint IOCs should re-upload them. FireAMP Console v5.1.20150204 Release Date: February 05, 2015 Bugfixes / Enhancements Fix to allow users to search File Analysis results by SHA-256 or file name.
... View more
This document describes detail steps for reimaging a Sourcefire Series 2 Sensor and DC500. If you need to reimage a Series 3 device, please read this document.
The instruction on this document is applicable to reimage the following hardware platforms to software versions 4.10 or 5.2.
Sensor Models Defense Center Models Software Versions Available for reimage 3D500 3D1000 3D2000 3D2100 3D2500 3D3500 3D4500 3D6500 DC500 4.10 5.2
Before You Begin
Before you begin the reimage process, ensure the following items:
If you plan to reimage a Defense Center (DC) or stand-alone sensor, you should backup your appliance before you proceed. Identify the model number of your sensor and verify that this document is appropriate. Obtain a Sourcefire branded USB keyfob that comes with Sourcefire appliance packaging.
If you can not find the keyfob, please contact Cisco Technical Support Team. A generic USB keyfob is not compatible.
Download the appropriate installation guide and .iso disk image for your desired software version from cisco support site. An .iso file should be copied to a host running an SSH server. The SSH server has to be reachable from the management network of the Sourcefire appliance that will be reimaged. If an SSH server is unavailable, you may use a DC for this process.
Do not plug a KVM switch when you upgrade or reimage a Defense Center or a Sensor. Do not rename an .iso image file. An .iso image is not copied to the Sourcefire USB keyfob. Verify the md5sum of the .iso after you download.
The 3D Sensor and DC Installation Guides has been attached with this document. It provides detail instructions for reimage on chapter 5 "Restoring a 3D Sensor/Defense Center to Factory Defaults". In addition, a detail step-by-step screenshots have been provided below.
The following example uses Version 4.10 when the screenshots were captured. The reimage process is identical for Version 4.10.x and 5.x except for the version numbers displayed on a screen.
Note: For 3D500/1000/2000 sensors press Ctrl + U slowly and repeatedly when the Sourcefire splash screen appears; continue until the splash screen disappears to boot from the USB.
Figure 4: Choose option 0 if you are using a keyboard and monitor.
Figure 8: To select the network device, press spacebar.
Figure 16: SCP protocol is recommended.
Figure 17: It is possible to use a Defense Center as the SCP server for this step.
Note: If you get a connectivity error at this point instead of the expected message, verify your connection to the SSH server.
Figure 21: To select an iso image, press spacebar.
Note: It is required to use the default filename for an iso file, or the file may not be detected at this step.
Figure 23: Support recommends skipping option 3 (Select Patches/SEUs) during this process. Patches and SEUs can be installed after the reimage is complete.
Before a sensor comes back up (while the screen is still blank), power down the sensor. Then, remove the USB drive and power up the appliance.
For 3D500, 3D1000 and 3D2000 sensors, disconnect the power cord from the 3D Sensor, making sure to slide the plastic housing back from the socket. For 3D2100, 3D3500, 3D4500 and 3D6500 sensors, press the power button.
If you do not power down the 3D Sensor in time, you must wait until it finishes booting. Then, for 3D500, 3D1000 and 3D2000 sensors, log in and enter the following command at the CLI, and finally power down the appliance by disconnecting the power cord.
sudo shutdown -h now
For 3D2100/3500/4500 and 3D6500 sensors, wait until the appliance boots from the USB drive, then press the power button.
... View more
Akhtar, This document discusses about software version 4.10.x. Since you have just ordered new products, are you going to use RNA/RUA (on legacy Version 4.10), or the FireSIGHT (on Version 5.2 or 5.3)? The FireSIGHT license on your Defense Center determines how many individual hosts and users you can monitor with the Defense Center and its managed devices, as well as how many users you can use to perform user control. A FireSIGHT license on the DC1500 supports up to 50,000 hosts and users. Because FireSIGHT licensed limits are matched to the hardware capabilities of Defense Centers, we do not recommend exceeding them. Thank you.
... View more
Hi Akhtar, The following document provides a list of ports required by a FireSIGHT System: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118108-technote-firesight-00.html Thank you.
... View more
This error occurs when an OVF image of a Virtual Appliance file is modified upon extraction. This usually occurs when a virtual image is being extracted using WinZip. Steps to deploy an OVF image properly: Verify that you are using the supported platform. Verify that the md5sum of the OVF image matches with the md5sum which is provided on the support site for that particular Virtual Appliance. Create a folder on your local host. Extract the virtual appliance on the created folder. Remove the .mf file from the directory. Import the OVF image now, and deploy it.
... View more