Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting
- Cynthia Allison
- 5 years ago
2 BRKSEC-3455 Dissecting Firepower-FTD & Firepower-Services Design & Troubleshooting
Foster Lipkey, Technical Leader
Veronika Klauzova, TAC Tech Lead
3 Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brksec
Cisco and/or its affiliates. All rights reserved. Cisco Public
4 Agenda
- Introduction
- Updated FTD Packet Flow
- Data-Path Improvements
- Firepower New Features in X
- Best Practices for Deployments
- Troubleshooting Tools
- Exciting Real-World Use-Cases
- Conclusions
5 Your presenter throughout the FTD journey: Foster Lipkey
- Firepower TAC TL
- Snort Expert
- Sourcefire Veteran
- Automation Enthusiast
6 Your presenter throughout the FTD journey: Veronika Klauzova
- Firepower TAC engineer
- Passionate Linux Admin
- Loves to explore Cisco technologies
7 Hardware & Software Review
8 NGFW evolution
9 What platforms can run FTD Software: ASA 5500X-Series (5506X-5555X with SSD)
10 What platforms can run FTD Software: Firepower 2100 series
11 What platforms can run FTD Software: Firepower 4100 series
Front view: Power, Console, MGMT, 8 x optic SFP+ ports, 2 x 2.5" SSD bays
Rear view: 2 x optional NetMods, 2 x power supply module bays, 6 x hot-swap fan units
15 Updated FTD Packet Flow
16 Firepower Threat Defense high level
- DETECTION ENGINE / Snort
- Packet Data Transport System (PDTS)
- DATA-PATH / LINA
- FXOS
17 Firepower 2100 architecture overview
18 Firepower 9300/4100 architecture overview
19 FTD Packet-Flow (diagram)
Data-Path / LINA stages shown: RX, Ingress Interface, Existing Conn? (YES / NO), Pre-Filter, L3/L4 ACL, ALG checks, NAT, L3 and L2 hops, VPN Decrypt, QoS, VPN Encrypt, Egress Interface, TX
Detection Engine / Snort: reached from LINA through PDTS / DAQ; Lina rule-id matched
20 LINA / Data-Path and Detection Engine / Snort - Architecture
21 Data-Path Improvements
22 Data-Path improvements / Safe Guards
- Snort Fail Open When Busy: if the buffer going into Snort is 85% full, new flows will be bypassed
- Snort Fail Open When Down: when Snort goes down due to a restart for policy deploy, or for any other reason, new flows will be bypassed
23 Data-Path improvements / Safe Guards
Device > Device Management [Edit] > Device tab
Automatic Application Bypass: if traffic enters Snort through the buffer and Snort does not provide a verdict back to LINA within the configured threshold, Snort is restarted and a core file is generated
24 Show Time
25 Snort reload instead of restart
As of this release the following changes do not cause Snort to be restarted. This applies to all FTD devices managed by FMC.
Policy change        | Policy action
URL                  | Refer to URL categories for the first time in AC rules, or remove all existing references to URL categories
Application ID       | Turn on/off Application ID
Intrusion Policy     | Add or delete Intrusion Policies in AC rules, or edit an Intrusion Policy
NAP policy           | Attach a NAP policy for the first time to an AC Policy
Simple SRU update    | Typical rule updates without Shared Object (SO) / binary rule updates
Security Intelligence| Changes to Whitelist/Blacklist of URL, DNS entries
26 Other Snort major updates
- Changes to application detectors display warnings
- Breaking HA operation restarts Snort (warning displayed)
- Memory allocation changed
- Simple SRU rule changes do not cause a Snort restart, but binary objects do
- Binary changes are not that frequent
- Whether Snort would be affected depends on system resources
27 Snort Preserve-Connection
- When Snort goes down, connections with an Allow verdict are preserved in LINA
- Snort does NOT do a mid-session pickup on preserved flows when it comes back up
- Does NOT protect against new flows while Snort is down
- Feature introduction: can be enabled/disabled from CLISH: configure snort preserve-connection enable/disable
28 Minimize network disruption during policy deployment
- Snort restart behavior depends on the Advanced settings in the Access Control Policy
- TAC highly recommends enabling: Inspect traffic during policy apply = Yes
- Without this option Snort always restarts during policy deployment
29 Snort Restart & Reload Architecture
30 Show Time
31 Firepower New Features in X
32 New Signed Software Update/Upgrade images
- Signed images were introduced in [version]
- Signed images are the .REL.tar files (caution: DO NOT UNTAR THEM!)
- A managed FTD device can be upgraded only after the FMC is upgraded
- FTD on Firepower 4100 and 9300 series platforms needs the FXOS software upgraded via Firepower Chassis Manager prior to the FTD upgrade to version [version]
- To update an FMC from [version] to release [version], an unsigned upgrade package needs to be used (.sh file)
Platform | Current Version | Destination Version | Package name to be used
FMC      | [version]       | [version]           | Sourcefire_3D_Defense_Center_S3_Upgrade-<version>.sh
FMC      | [version]       | [version]           | Sourcefire_3D_Defense_Center_S3_Upgrade-<version>.sh.REL.tar
33 Virtual FDM
- Allows users to manage virtual platforms using on-box management
- Only a fresh installation enables the FDMv management option
- Initial setup can be done once; it cannot be relaunched
- Adding/removing interfaces on an already running FTDv requires deregistration of management (all configuration will be lost!)
34 Threat Intelligence Director
- Consumes third-party cyber threat intelligence
- Requirements: FMC and FTD running [version] with [N] GB of memory; Protect license (IPv4, IPv6, Domain and URL detection); Malware license (SHA-256 detection)
- Terminology: STIX = Structured Threat Intelligence expression; TAXII = transport mechanism for STIX
- TID is activated under Access Control Policy > Advanced tab
- TID correlation for incident generation is dependent on an exact match!
35 TID High-Level Architecture (diagram)
Third-Party Cyber Security Intelligence (STIX, TAXII, flat files) -> Cisco TID on FMC (syncd.pl) -> sftunnel (TCP 8305) -> NGFW / NGIPS (managed device)
Pushing observables to the managed device can take up to 20 minutes!
36 TID Troubleshooting
Observable types: IPv4 and IPv6 addresses, domain names, URLs, SHA-256 hashes
File locations:
/ngfw/var/sf/iprep_download
/ngfw/var/sf/sidns_download
/ngfw/var/sf/siurl_download
/ngfw/var/sf/sifile_download
37 API bulk access rule insertion, yay!
- Old behavior: one AC rule can be imported at a time
- New behavior: we can insert up to 1000 rules within the same API request! How cool is that?
- We can insert rules at a specific location (rule number, or within a specific category/section)
- After rule insertion, the other rules are automatically reordered
- The REST API can handle the case where another user is already modifying the same rule set
- When no position for the rule is defined, it goes to the end of the ACP
38 Best Practices for Deployments (security is our priority)
39 VPN deployment on FTD: things that you might have missed! (diagram)
Cisco employee working from home -> The Internet -> NGFW (outside / inside) -> Cisco network (FMC, FTP servers), over AnyConnect (encrypted session)
Attacker -> clear-text / un-authenticated session into the same network: should never have been allowed
40 Is your network protected?
42 FTD / IPS is dropping packets, HELP!
FTD detection engine / IPS bottleneck causing throughput issues:
- Do we have enough processing power / the right hardware?
- What is the traffic pattern / volume? (the type, size and protocol of the packets)
- Why not simply enable all of the rules? OK, now really, how many Snort signatures are enabled? Expensive signatures & local rules
- IPS alerting load (processing and disk operations)
- Expensive work on preprocessors
43 Tuning IPS rules #(TAC tip & trick)
Use case: poor performance with the default IPS policy baseline for FTP traffic
Simplified topology: client (Windows 10) --- 1Gbps --- FTD --- Gbps --- server (Windows 10)
Performance measurement results with the default policy: ~380 Mbps
Performance measurement after IPS rule tuning: ~970 Mbps
44 Full example: performance numbers from field/lab testing
Mode: Transparent; Protocol: FTP (FileZilla)
Configuration | Throughput
Pre-filter policy with Fast-path rule for TCP ports 20 and 21 | ~979 Mbps
Access Control Policy, Allow rule for TCP ports 20 and 21, IPS Connectivity over Security | ~650 Mbps
Access Control Policy, Allow rule for TCP ports 20 and 21, IPS Balanced Security and Connectivity | ~380 Mbps
Access Control Policy, Allow rule for TCP ports 20 and 21, IPS Security over Connectivity | ~340 Mbps
Access Control Policy, Allow rule for TCP ports 20 and 21, IPS Maximum Detection | ~320 Mbps
Access Control Policy, Allow rule for TCP ports 20 and 21, IPS tuned (base: no rules active + 51 active rules; filter used: ftp metadata:"security-ips drop") | ~971 Mbps
Same tuned policy + File policy with application protocol FTP (detect all file types and block malware executables with local malware analysis) | ~800 Mbps
45 Low IPS performance? Rule it out by FTD rule profiling!
Edit /ngfw/var/sf/detection_engines/<uuid>/advanced/perf_monitor.conf:
    config profile_rules: print all, sort avg_ticks, filename /ngfw/var/log/profiling-rules.log
    config profile_preprocs: print all, sort avg_ticks, filename /ngfw/var/log/profiling-preprocs.log
Restart Snort:
    pmtool restartbytype snort
Start rule profiling:
    > system support run-rule-profiling
46 Low IPS performance? Rule it out by FTD rule profiling!
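To turn the profiling log into a tuning list, the following added example (not Cisco code) parses a rule-profiling report, ranks rules by their share of total rule time the way the `sort avg_ticks` setting does, and flags rules that are checked constantly but rarely alert. The column layout (Snort 2.9 style), the SID >= 1,000,000 convention for local rules, and the sample report are assumptions, with the numbers constructed.

```python
"""Rank Snort rule-profiling output by cost (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of a profiling-rules.log in the assumed Snort 2.9 layout; numbers are made up.
SAMPLE_PROFILE = """\
Rule Profile Statistics (all rules)
==========================================================
   Num      SID GID Rev   Checks  Matches  Alerts  Microsecs  Avg/Check  Avg/Match  Avg/Nonmatch  Disabled
   ===      === === ===   ======  =======  ======  =========  =========  =========  ============  ========
     1  1000001   1   3   120000       30      30     840000        7.0      100.0          6.98         0
     2     2010   1  12    90000      500     500     180000        2.0        3.5          1.99         0
     3  1000002   1   1      400      400     400       2000        5.0        5.0          0.00         0
"""

# One data row: eight integers, three floats, then the Disabled flag.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+(\d+)\s*$"
)


@dataclass
class RuleCost:
    sid: int
    gid: int
    rev: int
    checks: int
    matches: int
    alerts: int
    microsecs: int
    avg_check: float  # average microseconds per evaluation (what 'sort avg_ticks' orders by)

    @property
    def is_local(self) -> bool:
        # Assumed convention: local (user-written) rules use SIDs of 1,000,000 and up.
        return self.sid >= 1_000_000

    @property
    def checks_per_alert(self) -> float:
        # Evaluations needed per alert; a large value means the rule is
        # evaluated all the time but almost never fires.
        return self.checks / self.alerts if self.alerts else float("inf")


def parse_profile(text: str) -> List[RuleCost]:
    """Return one RuleCost per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        f = m.groups()
        rows.append(RuleCost(sid=int(f[1]), gid=int(f[2]), rev=int(f[3]),
                             checks=int(f[4]), matches=int(f[5]), alerts=int(f[6]),
                             microsecs=int(f[7]), avg_check=float(f[8])))
    return rows


def rank_by_share(rows: List[RuleCost], min_share: float = 0.10) -> List[Tuple[RuleCost, float]]:
    """Rules ordered by total time spent, with their share of all rule time, above min_share."""
    total = sum(r.microsecs for r in rows) or 1
    ranked = sorted(rows, key=lambda r: r.microsecs, reverse=True)
    return [(r, r.microsecs / total) for r in ranked if r.microsecs / total >= min_share]


def noisy_rules(rows: List[RuleCost], max_checks_per_alert: float) -> List[int]:
    """SIDs of rules evaluated far more often than they alert: first tuning candidates."""
    return [r.sid for r in rows if r.checks_per_alert > max_checks_per_alert]


def report(text: str) -> str:
    """Human-readable summary of the rules that dominate rule time."""
    rows = parse_profile(text)
    lines = []
    for r, share in rank_by_share(rows):
        tag = "local" if r.is_local else "SRU"
        lines.append(f"{r.gid}:{r.sid} ({tag}) {share:5.1%} of rule time, "
                     f"{r.avg_check:.1f} us/check, {r.checks_per_alert:.0f} checks/alert")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PROFILE))
```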
47 Performance graphs from the WebUI: why does Bytes/Packet matter?
48 Reassembly cost
- Posted throughput ratings for the Firepower appliances are usually rated at 1518-byte packets; smaller packets result in more processing
- 1MB of traffic with 1518 bytes/packet = ~658 packets
- 1MB of traffic with 400 bytes/packet = ~2500 packets
- Every packet header must be evaluated and the packet has to be placed into the buffer for reassembly; the larger number of packets to process requires more CPU time
49 Let's talk about the elephant in the room
- Large flows are generally related to backup, database replication, etc., which usually do not require inspection
- Sort Analysis > Connections by connection size to find the top talkers
- Once we determine the top talkers, and confirm they can be safely ignored, we create a trust rule for those IP conversations
- Mitigations: IAB / Pre-Filter fast-path
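The following added example (not Cisco code) does the top-talker step from a connection-events export and ties it to the reassembly-cost slide: it aggregates bytes and packets per IP conversation, lists the biggest ones as fast-path review candidates, and reports each conversation's average packet size as packets per MB that Snort would have to touch. The CSV column names and rows are constructed assumptions, not a real FMC export.

```python
"""Elephant flows and bytes/packet from FMC connection events (added example, not Cisco code)."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of a connection-events CSV export (column names assumed).
SAMPLE_CSV = """\
Initiator IP,Responder IP,Responder Port,Protocol,Initiator Bytes,Responder Bytes,Initiator Packets,Responder Packets
10.1.1.5,10.2.2.9,873,tcp,100000,4000000000,90000,2700000
10.1.1.5,10.2.2.9,873,tcp,50000,2000000000,45000,1350000
10.1.1.20,203.0.113.7,443,tcp,200000,5000000,2500,4000
10.1.1.21,203.0.113.8,443,tcp,10000,250000,120,200
"""

Conversation = Tuple[str, str, int, str]  # initiator, responder, responder port, protocol


@dataclass
class Totals:
    bytes: int = 0
    packets: int = 0
    connections: int = 0

    @property
    def bytes_per_packet(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0


def packets_per_mb(bytes_per_packet: float) -> float:
    """Packets Snort must process per 1,000,000 bytes at a given average packet size
    (1518 B/pkt gives ~658, 400 B/pkt gives 2500, as on the reassembly-cost slide)."""
    return 1_000_000 / bytes_per_packet


def aggregate(csv_text: str) -> Dict[Conversation, Totals]:
    """Sum both directions' bytes and packets per IP conversation across all its connections."""
    totals: Dict[Conversation, Totals] = defaultdict(Totals)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Initiator IP"], row["Responder IP"], int(row["Responder Port"]), row["Protocol"])
        t = totals[key]
        t.bytes += int(row["Initiator Bytes"]) + int(row["Responder Bytes"])
        t.packets += int(row["Initiator Packets"]) + int(row["Responder Packets"])
        t.connections += 1
    return dict(totals)


def top_talkers(totals: Dict[Conversation, Totals], n: int = 3) -> List[Tuple[Conversation, Totals]]:
    """Conversations sorted by total bytes, largest first (Analysis > Connections sorted by size)."""
    return sorted(totals.items(), key=lambda kv: kv[1].bytes, reverse=True)[:n]


def fastpath_candidates(totals: Dict[Conversation, Totals], min_bytes: int) -> List[Conversation]:
    """Conversations large enough to review for a Prefilter fast-path / trust rule.
    They are only candidates: confirm the traffic (backup, replication) needs no
    inspection before bypassing Snort for it."""
    return [conv for conv, t in totals.items() if t.bytes >= min_bytes]


def report(csv_text: str, min_bytes: int = 1_000_000_000) -> str:
    totals = aggregate(csv_text)
    lines = []
    for (src, dst, port, proto), t in top_talkers(totals):
        flag = " <- fast-path candidate" if t.bytes >= min_bytes else ""
        lines.append(f"{src} -> {dst}:{port}/{proto}  {t.bytes / 1e9:.2f} GB  "
                     f"{t.bytes_per_packet:.0f} B/pkt  "
                     f"{packets_per_mb(t.bytes_per_packet):.0f} pkts/MB{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```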
50 Sizing your NGFW / NGIPS: throughput considerations
Number of Snort instances per FTD platform (For Your Reference): table of Firepower platforms, including Firepower 9300 SM modules, with their Snort instance counts; the values were not preserved in this transcription
Enabling File-Inspection will change these values
> pmtool show affinity
51 Troubleshooting Tools
52 What are the main FTD processes and what do they do?
- snort: inspects network traffic (pass, block and alert)
- ids_event_processor: sends intrusion events to the managing device (FMC)
- ids_event_alerter: sends intrusion events to a Syslog or SNMP server
- wdt-util: used for fail-to-wire / hardware bypass
- sftunnel: secure tunnel between the managed device and FMC
- diskmanager, Pruner: managing disk space and cleaning up old files
- Lina: responsible for firewall functionality like ACL, NAT, routing etc.
- Snmpd, ntpd: SNMP monitoring, responsible for time synchronization
- SFDataCorrelator: processing events
- pm (process manager): responsible for launching and monitoring all FTD-relevant processes and restarting them in case of failure
53 Process Management - basics
FTD Root CLI:
ftd-vklauzov:/# pmtool status | grep " - " | head
SFDataCorrelator (normal) - Running
mysqld (system,gui,mysql) - Running
httpsd (system,gui) - Waiting
sftunnel (system) - Running
Columns: process name, category, status, process ID
54 Process Management - basics
FMC Root CLI:
root@fmc-2:/# pmtool disablebyid sftunnel
root@fmc-2:/# pmtool status | grep " - " | grep sftunnel
sftunnel (system) - User Disabled
root@fmc-2:/# pmtool enablebyid sftunnel
root@fmc-2:/# pmtool status | grep " - " | grep sftunnel
sftunnel (system) - Running 1720
55 Data-path and Snort capture points
1. Data-path inbound: firepower# capture in
2. Snort inbound/outbound (Detection Engine): > capture-traffic
3. Data-path outbound: firepower# capture out
56 Data-path inbound/outbound - The Wires Never Lie!
Data-path/LINA (diagnostic CLI):
firepower# capture in interface INSIDE match icmp any any trace detail
  in      = capture name
  INSIDE  = interface name
  icmp    = protocol
  any any = source, destination
57 Data-path: stop and delete captures
Delete packet capture: firepower# no capture in
Stop packet capture: firepower# no capture in interface inside
58 Show Time
59 Show Time
60 Show Time
61 Snort Capture - The Wires Never Lie! (1)
CLISH:
> capture-traffic
Options: -s 0 -w capture.pcap icmp and host [IP]
> : ICMP echo request, id 24538, seq 1, length 64
- Berkeley Packet Filter syntax, the same as for the tcpdump capturing tool
- -s 0 means snaplength 0, in other words no limit on packet size
- -w filename.pcap indicates the file to which you want to write the data captured by the specified filter
- The capture is written to the /ngfw/var/common/ folder
Copy the file out to an SCP server: file secure-copy <IP address of server> <username> <location where to copy the file> capture.pcap
62 Snort Capture - The Wires Never Lie! (2)
CLISH:
> capture-traffic
Options: -s 0 -v -n -e (icmp and host [IP]) or (vlan and icmp and host [IP])
  first clause: NON-VLAN TAGGED TRAFFIC; second clause: VLAN TAGGED TRAFFIC
00:50:56:b6:0b:33 > 58:97:bd:b9:73:ee, ethertype 802.1Q (0x8100), length 78: vlan 208, p 0, ethertype IPv4, (tos 0x0, ttl 128, id 5366, offset 0, flags [none], proto ICMP (1), length 60)
LINA CLI: IN
firepower# sh cap inside
802.1Q vlan#208 P0 > : icmp: echo request
LINA CLI: OUT
firepower# sh cap outside
> : icmp: echo request
63 Which ACP rule is being evaluated?
A tool that provides the Access Control Rule evaluation status for each flow as we receive packets, in real time. The NGFW debug needs at least one filtering condition specified.
> system support firewall-engine-debug
Please specify an IP protocol: icmp
Please specify a client IP address: [IP]
Please specify a server IP address: [IP]
Monitoring firewall engine debug messages
> AS 1 I 44 New session
> AS 1 I 44 using HW or preset rule order 2, 'allow and inspect', action Allow and prefilter rule
> AS 1 I 44 allow action
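Reading the debug feed by eye gets hard once more than one flow matches the filter. The following added example (not Cisco code) groups firewall-engine-debug lines per flow and pulls out the rule order, rule name and action each flow was evaluated against, which also gives a quick per-rule session count. The line layout `<src>-<sport> > <dst>-<dport> <proto> AS <n> I <n> <message>` is an assumption based on the slide's output, and the sample lines and rule names are constructed.

```python
"""Group 'system support firewall-engine-debug' output per flow (added example, not Cisco code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample; the flow key layout is assumed, rule names are invented.
SAMPLE_DEBUG = """\
Monitoring firewall engine debug messages
192.0.2.10-41234 > 198.51.100.20-80 6 AS 1 I 44 New session
192.0.2.10-41234 > 198.51.100.20-80 6 AS 1 I 44 using HW or preset rule order 2, 'allow and inspect', action Allow and prefilter rule 0
192.0.2.10-41234 > 198.51.100.20-80 6 AS 1 I 44 allow action
192.0.2.11-53001 > 198.51.100.30-23 6 AS 1 I 12 New session
192.0.2.11-53001 > 198.51.100.30-23 6 AS 1 I 12 using HW or preset rule order 5, 'block telnet', action Block and prefilter rule 0
192.0.2.12-5353 > 198.51.100.53-53 17 AS 1 I 7 New session
192.0.2.12-5353 > 198.51.100.53-53 17 AS 1 I 7 using HW or preset rule order 2, 'allow and inspect', action Allow and prefilter rule 0
"""

# src-port > dst-port proto AS <id> I <snort instance> <message>
LINE_RE = re.compile(
    r"^(?P<src>\S+)-(?P<sport>\d+) > (?P<dst>\S+)-(?P<dport>\d+) (?P<proto>\d+)"
    r" AS (?P<asid>\d+) I (?P<inst>\d+) (?P<msg>.*)$"
)
# The rule-evaluation message carries the rule order, quoted rule name and action.
RULE_RE = re.compile(r"rule order (?P<order>\d+), '(?P<name>[^']*)', action (?P<action>\w+)")

FlowKey = Tuple[str, int, str, int, int]  # src, sport, dst, dport, IP protocol number


@dataclass
class FlowVerdict:
    instance: int                     # Snort instance that handled the flow
    rule_order: Optional[int] = None
    rule_name: Optional[str] = None
    action: Optional[str] = None
    messages: List[str] = field(default_factory=list)


def parse_debug(text: str) -> Dict[FlowKey, FlowVerdict]:
    """Collect every debug line under its flow and record the matched rule, if any."""
    flows: Dict[FlowKey, FlowVerdict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, banner and blank lines
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        fv = flows.setdefault(key, FlowVerdict(instance=int(m["inst"])))
        fv.messages.append(m["msg"])
        r = RULE_RE.search(m["msg"])
        if r:
            fv.rule_order = int(r["order"])
            fv.rule_name = r["name"]
            fv.action = r["action"]
    return flows


def hits_per_rule(flows: Dict[FlowKey, FlowVerdict]) -> Counter:
    """Sessions matched per rule name: a live hit counter built from the debug feed."""
    return Counter(fv.rule_name for fv in flows.values() if fv.rule_name)


def flows_for_rule(flows: Dict[FlowKey, FlowVerdict], rule_name: str) -> List[FlowKey]:
    """Which flows a given rule decided; handy when a rule fires unexpectedly."""
    return [k for k, fv in flows.items() if fv.rule_name == rule_name]


def report(text: str) -> str:
    flows = parse_debug(text)
    lines = []
    for (src, sport, dst, dport, proto), fv in flows.items():
        lines.append(f"{src}:{sport} -> {dst}:{dport}/{proto} (instance {fv.instance}): "
                     f"rule #{fv.rule_order} '{fv.rule_name}' -> {fv.action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DEBUG))
```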
64 Show Time
65 Access Control Policy Rule Hit Counters
> show access-control-config
===================[ ciscolive ]====================    (policy name)
Description       :
Default Action    : Allow
Default Policy    : Balanced Security and Connectivity
Logging Configuration
    DC            : Disabled
    Beginning     : Disabled
    End           : Disabled
Rule Hits         :
Variable Set      : Default-Set
... (output omitted) ...

# watch /usr/local/sf/bin/sfcli.pl show firewall | grep "ciscolive\|Rule\:\|Rule Hits"
===================[ ciscolive ]====================
Rule Hits         :
[ Rule: allow ]                                          (rule name)
Rule Hits         : 14
66 ACP Rule Hit Counters: FMC WebUI
Analysis -> Custom -> Custom Workflows -> Create Custom Workflow, using the table Connection Events
Add a page and fill in fields like: Access Control Policy, Access Control Rule, Count, Initiator IP, Responder IP
Add a Table view
67 ACP Rule Hit Counters: FMC WebUI vs CLISH
> show access-control-config
[ Rule: DNS and icmp ]
  Action             : Allow
  Destination Ports  : protocol 6, port 53
                       protocol 17, port 53
                       protocol 1
                       protocol 6, port 80
  Logging Configuration
    DC               : Enabled
    Beginning        : Enabled
    End              : Enabled
  Rule Hits          : 28
  Variable Set       : Default-Set
(truncated)
Why do the hit counters not match?
68 Capture With Trace GUI: quickly identify where in the data-path the traffic is impacted
69 Show Time
70 Show Time
71 CLI Analyzer: contextual help and highlighting, embedded intelligence, file analysis
72 Show Time
73 LINA / Data-Path: I'm a troubleshooter now
- System Support Trace
- Capture w/ trace
- Capture-traffic
- Firewall-Engine-Debug
74 Exciting Real-World Use-Cases
75 Real World Scenario: intermittent network outages following migration to FTD
Following a migration from ASAs to FTDs on a pair of border firewalls, intermittent outages occur.
76 Real World Scenario: using our tools (failed vs working captures)
Sometimes it's what the FW didn't do that counts
Symptoms: migration from ASAs to FTDs results in an outage under load; when placing the ASAs back inline the outage does not occur
Troubleshooting: performance review; Capture w/ Trace; packet capture with FTDs inline; packet capture with ASAs inline; compared the packet captures
Root cause: sysopt connection tcpmss set to 0 (changed to 0 by adding jumbo frames to the interface)
77 Real World Scenario: HARDWARE ERROR on the Firepower sensor LCD panel
78 Closing
80 Complete Your Online Session Evaluation
- Please complete your Online Session Evaluations after each session
- Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
- Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at
81 Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Tech Corner
- Meet the Engineer 1:1 meetings
- Related sessions
82 Veronika Klauzova Foster Lipkey Thank you
More informationChapter 6: IPS. CCNA Security Workbook
Chapter 6: IPS Technology Brief As the awareness of cyber and network security is increasing day by day, it is very important to understand the core concepts of Intrusion Detection/Defense System (IDS)
More informationTroubleshooting the Security Appliance
CHAPTER 43 This chapter describes how to troubleshoot the security appliance, and includes the following sections: Testing Your Configuration, page 43-1 Reloading the Security Appliance, page 43-6 Performing
More informationSnort: The World s Most Widely Deployed IPS Technology
Technology Brief Snort: The World s Most Widely Deployed IPS Technology Overview Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, created Snort in 1998. Snort is an open-source,
More informationContents. Introduction
Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ISE - Configuration Steps 1. SGT for Finance and Marketing 2. Security group ACL for traffic Marketing ->Finance
More informationFirepower Management Center High Availability
The following topics describe how to configure Active/Standby high availability of Cisco Firepower Management Centers: About, on page 1 Establishing, on page 7 Viewing Status, on page 8 Configurations
More informationModular Policy Framework. Class Maps SECTION 4. Advanced Configuration
[ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a
More informationCisco FirePOWER 8000 Series Appliances
Data Sheet Cisco FirePOWER 8000 Series Appliances Product Overview Finding a network security appliance with exactly the right throughput, interface options, and threat protection for all the different
More informationPass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS
Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285
More informationTroubleshooting. Testing Your Configuration CHAPTER
82 CHAPTER This chapter describes how to troubleshoot the ASA and includes the following sections: Testing Your Configuration, page 82-1 Reloading the ASA, page 82-8 Performing Password Recovery, page
More informationIntrusion Detection and Prevention IDP 4.1r4 Release Notes
Intrusion Detection and Prevention IDP 4.1r4 Release Notes Build 4.1.134028 September 22, 2009 Revision 02 Contents Overview...2 Supported Hardware...2 Changed Features...2 IDP OS Directory Structure...2
More informationCorrigendum 3. Tender Number: 10/ dated
(A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial
More informationWhy is performance testing of security devices so hard?
Why is performance testing of security devices so hard? Charlie Stokes Technical Marketing Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco
More informationExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you
ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network
More informationIntroduction to Cisco ASA to Firepower Threat Defense Migration
Introduction to Cisco ASA to Firepower Threat Defense Migration This guide describes how to use Cisco s migration tool to migrate firewall policy settings from your Cisco ASA to a Firepower Threat Defense
More informationResilient WAN and Security for Distributed Networks with Cisco Meraki MX
Resilient WAN and Security for Distributed Networks with Cisco Meraki MX Daghan Altas, Director of Product Management BRKSEC-2900 Agenda Problem Cisco CNG Live network creation demo (45m) Product Brief
More informationCisco Firepower NGFW. Anticipate, block, and respond to threats
Cisco Firepower NGFW Anticipate, block, and respond to threats You have a mandate to build and secure a network that supports ongoing innovation Mobile access Social collaboration Public / private hybrid
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3 Original Publication: April 21, 2014 These release notes are valid for Version 5.3 of the Sourcefire 3D System. Even if you are familiar with the update process,
More informationNetwork Security Platform 8.1
8.1.7.5-8.1.3.43 M-series Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation
More informationManaging Latency in IPS Networks
Revision C McAfee Network Security Platform (Managing Latency in IPS Networks) Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended settings
More informationTraffic Flow, Inspection, and Device Behavior During Upgrade
Traffic Flow, Inspection, and Device Behavior During Upgrade You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur: When you upgrade the operating
More informationGet Hands On With DNA Center APIs for Managing Intent
DEVNET-3620 Get Hands On With DNA Center APIs for Managing Intent Adam Radford Distinguished Systems Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session
More informationFirewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků
Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků Jiří Tesař, CSE Security, jitesar@cisco.com CCIE #14558, SFCE #124266 Mapping Technologies to the
More information* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).
Contents Introduction Prerequisites Requirements Components Used Background Information Configuration Step 1. Configure Intrusion Policy Step 1.1. Create Intrusion Policy Step 1.2. Modify Intrusion Policy
More informationThe following topics describe how to configure correlation policies and rules.
The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response
More informationThe IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.
I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and
More informationCisco Next Generation Firewall Services
Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the
More informationUser Identity Sources
The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The
More informationInside Cisco IT: Secure, Simultaneous Access to Trusted and Untrusted Networks using C-Bridge
Inside Cisco IT: Secure, Simultaneous Access to Trusted and Untrusted Networks using C-Bridge Tom Woodard Cisco InfoSec Architect BRKCOC-1900 This solution solves business challenges by securely allowing
More informationCisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab
Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Ali Shaikh Technical Leader Faraz Shamim Sr. Technical Leader Mossaddaq Turabi Distinguished ENgineer Cisco Spark How Questions?
More informationMcAfee Network Security Platform 9.1
9.1.7.15-9.1.5.9 Manager-NS-series Release Notes McAfee Network Security Platform 9.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues
More informationIPS Device Deployments and Configuration
The following topics describe how to configure your device in an IPS deployment: Introduction to IPS Device Deployment and Configuration, page 1 Passive IPS Deployments, page 1 Inline IPS Deployments,
More informationAgile Security Solutions
Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization
More informationCisco Virtual Networking Solution for OpenStack
Data Sheet Cisco Virtual Networking Solution for OpenStack Product Overview Extend enterprise-class networking features to OpenStack cloud environments. A reliable virtual network infrastructure that provides
More informationRouting Underlay and NFV Automation with DNA Center
BRKRST-1888 Routing Underlay and NFV Automation with DNA Center Prakash Rajamani, Director, Product Management Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session
More informationData collected by Trend Micro is subject to the conditions stated in the Trend Micro Privacy Policy:
Privacy and Personal Data Collection Disclosure Certain features available in Trend Micro products collect and send feedback regarding product usage and detection information to Trend Micro. Some of this
More informationCISCO EXAM QUESTIONS & ANSWERS
CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network
More informationCatalyst 9K High Availability Lab
LTRCRS-2090 Catalyst 9K High Availability Lab Minhaj Uddin Technical Marketing Engineering Sai Zeya Technical Marketing Engineering Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker
More informationGetting Started. About the ASA for Firepower How the ASA Works with the Firepower 2100
This chapter describes how to deploy the ASA on the Firepower 2100 in your network, and how to perform initial configuration. About the ASA for Firepower 2100, page 1 Connect the Interfaces, page 4 Power
More informationServiceability of SD-WAN
BRKCRS-2112 Serviceability of SD-WAN Chandrabalaji Rajaram & Ali Shaikh Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live
More informationLogging into the Firepower System
The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower
More informationCloud-Managed Security for Distributed Networks with Cisco Meraki MX
Cloud-Managed Security for Distributed Networks with Cisco Meraki MX Joe Aronow, Product Architect Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this
More informationAccess Control Using Intrusion and File Policies
The following topics describe how to configure access control policies to use intrusion and file policies: About Deep Inspection, page 1 Access Control Traffic Handling, page 2 File and Intrusion Inspection
More informationPASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year
PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-210 Title : Implementing Cisco Threat Control Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-210
More informationClassic Device Management Basics
The following topics describe how to manage Classic devices (7000 and 8000 Series devices, ASA with FirePOWER Services, and NGIPSv) in the Firepower System: Remote Management Configuration, page 1 Interface
More informationRemote Access VPN. Remote Access VPN Overview. Licensing Requirements for Remote Access VPN
Remote Access virtual private network (VPN) allows individual users to connect to your network from a remote location using a laptop or desktop computer connected to the Internet. This allows mobile workers
More informationIntroducing Cisco Network Assurance Engine
BRKACI-2403 Introducing Cisco Network Assurance Engine Intent Based Networking for Data Centers Sundar Iyer, Distinguished Engineer Head Cisco Network Assurance Engine Team Dhruv Jain, Director of Product
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.5 Original Publication: June 8, 2015 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.5 of the Sourcefire 3D System. Even if
More informationSecurity Management System Release Notes
Security Management System Release Notes Version 5.1 Important notes You can upgrade the SMS to v5.1 directly from SMS v4.4 or later. If you are upgrading from a release earlier than v4.4 you must first
More informationFundamentals of Network Security v1.1 Scope and Sequence
Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document
More informationFTD: How to enable TCP State Bypass Configuration using FlexConfig Policy
FTD: How to enable TCP State Bypass Configuration using FlexConfig Policy Contents Introduction Prerequisites Requirements Components Used Background Information Configuration Step 1. Configure an Extended
More informationTAP Aggregation-Network Visibility and Security
Data Center & Cloud Computing DATASHEET TAP Aggregation-Network Visibility and Security Model: T5800-8TF12S REV.1.0 2018 TAP Aggregation 01 Overview The FS T5800 TAP (Test Access Port) Series Switches
More information