Cisco Demo Cloud (dCloud)

Cisco Next-Generation Firewall with Prime Security Manager 9.2 v1
Last Updated: 3-JUN-2014

About This Cisco Solution


The Cisco ASA Next-Generation Firewall provides next-generation security capabilities at scale without requiring additional
hardware modules. The Cisco ASA Next-Generation Firewall supports services such as application visibility and control, web
security essentials, intrusion prevention, remote access and cloud web security to provide an end-to-end, scalable security
solution. Cisco Next-Generation Firewalls are managed by Cisco Prime Security Manager (PRSM).
Cisco Prime Security Manager provides a centralized, simple, and scalable tool to manage Cisco Next-Generation Firewalls. It
provides context-aware capabilities for exceptional Application Visibility and Control (AVC), Web Security Essentials (WSE), and
Intrusion Prevention Systems (IPS) so enterprises can enable new use cases without compromising security.

About This Demonstration


This preconfigured demonstration includes:

Scenario 1: Configuration Overview - Overview of the ASA configuration used in this demonstration

Scenario 2: Event Monitoring - Operational monitoring of the managed devices in this demonstration

Scenario 3: Application Awareness - Enhanced visibility and control of network traffic on standard and non-standard
ports

Scenario 4: Managing Encrypted Traffic - Decryption of traffic for inspection and access control

Scenario 5: Authentication - Active and passive authentication of users with CDA integration

Scenario 6: Dashboards and Reports - Summary views of network information

Demonstration Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Demonstration Requirements

Required
Laptop
Cisco AnyConnect

Optional
Mobile Devices with AnyConnect VPN
o Apple iPad
o Apple iPhone
o Android devices

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.


Demonstration Configuration
This demonstration contains preconfigured users and components to illustrate the scripted scenarios and features. All information
needed to access the components is located in the demo script.

Demonstration Topology
Figure 1. Demo Topology

Demonstration Preparation
BEFORE DEMONSTRATING
We strongly recommend that you go through this process at least once, before presenting in front of a live audience. This will allow
you to become familiar with the structure of the document and the demonstration.
PREPARATION IS KEY TO A SUCCESSFUL CUSTOMER PRESENTATION.

Follow the steps below to schedule your demonstration and configure your demonstration environment.
1. Browse to dcloud.cisco.com, select the location closest to you, and then login with your Cisco.com credentials.

2. Schedule a demonstration [Show Me How].

3. Test your bandwidth from the demonstration location before performing any demonstration scenario. [Show Me How]

4. Verify your demonstration has a status of Active under My Demonstrations on the My Dashboard page in the dCloud UI.

   It may take up to 15 minutes for your demonstration to become active.

5. Connect to the CSM workstation, using one of the following options:

   Using Cisco dCloud Remote Desktop client [Show Me How] OR

   Using Cisco AnyConnect [Show Me How]

   o After connecting to the demonstration via AnyConnect, use your local RDP client to connect to CSM located at 198.19.10.39. Login with username dcloud\administrator and password C1sco12345.

Scenario 1: Configuration Review


Context-aware devices (CX devices) such as ASA CX let you enforce security based on the complete context of a situation. With
ASA CX, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying
access to games on Facebook. The Cisco Prime Security Manager interface is used to generate the configuration and then deploy
that configuration to the managed devices.
1. From the CSM workstation, launch Internet Explorer and open Cisco Prime Security Manager (PRSM) using the Favorites bar.

2. Login as admin/C1sco12345.

3. Go to Configurations > Policies/Settings.

4. Select Devices in the left navigation dropdown.

Figure 2. Device Policies/Settings

5. Select the New Tab icon and then select Traffic Redirection.

Figure 3. Traffic Redirection

Figure 4. Traffic Redirection Details

   All traffic is sent to the PRSM device.

6. Select the New Tab icon and then select Access policies.

Figure 5. Access Policies

7. Click the ASA inbound policies button.

Figure 6. Inbound Policies

8. Expand the outside_access_in sub tab to see the access control lists that are configured on the ASA.

   The access list can be edited here and applied to the ASA as needed.

9. Click the Context aware policies button.

10. Expand the Access_ASA sub tab.

   These are the policies that are implemented for this demonstration.

   Note that a policy has been defined to deny Facebook Applications: Games.

11. Click the Facebook Applications: Games policy and then click the Edit button.

Figure 7. Facebook Policy

   The Edit policy popup window will open.

Figure 8. Edit Facebook Policy

   Note that the Application/Service selected is Facebook Applications: Games and the Policy Action is Deny.

12. Click within the Application/Service field to scroll through the options for applications and services that can be configured for a policy.

Figure 9. Application/Service Options

NOTE: If you want to show more detailed information about applications and application types, go to Components > Applications and demonstrate the Application Viewer.

13. Click Cancel to close the Edit policy window and return to the list of policies.

   From the list of policies, note that a policy is defined to Warn for destination named Questionable Sites. This policy will warn users, but will not block them.

14. Click Questionable Sites to see configuration details for the destination.

Figure 10. Questionable Sites

   A View URL object window will open. Note that the destination is a URL object that includes a list of Web categories.

   When users access Web pages matching these categories, they will be warned, but not blocked.

15. Click Close to close the View URL object window and return to the list of policies.

16. Click the Unacceptable Sites policy.

Figure 11. Unacceptable Sites

   A View URL object window will open. Note that the destination is a URL object that includes a list of Web categories.

   When users access Web pages matching these categories, they will be blocked.

17. Click Close to close the View URL object window and return to the list of policies.

18. Click the last access policy row in the list and click the Edit button.

Figure 12. Behavioral Policy

   The Edit Policy window will open showing details about the policy configuration.

Figure 13. Application Behaviors

   In the Edit Policy window, a list of application behaviors will display. Based on the application you can allow or deny certain behaviors.

HIGHLIGHT: Cisco Prime Security Manager enables policies to be based on a rich set of contextual elements. For example,
instead of a policy that allows or denies the entire Facebook application, application behaviors within Facebook that are used for
business purposes can be enabled, while nonbusiness application behaviors such as Facebook Games can be disabled.

19. Click Close to return to the list of policies.

20. Select the New Tab icon and then select Malware Protection.

Figure 14. Malware Protection

   The Local Malware Protection Configuration tab shows the current setting.

Figure 15. Malware Protection

   In this case, protection is On and is set to the default web reputation profile, which is the recommended filtering level.

Intrusion Prevention Configuration

NOTE: The steps below must be completed in order to demonstrate decryption in a later scenario.

21. Select the New Tab icon and then select Intrusion Prevention.

Figure 16. Intrusion Prevention

22. Click inside the box next to NG IPS profile and select the Default NG IPS profile.

23. Click Save.

Figure 17. IPS Configuration

24. Near the top of the window, you will see a CHANGES PENDING notification.

25. Click the link to view the Commit and Deploy Changes screen. Click Commit to commit the changes.

Figure 18. Commit Changes

   The ASA is now configured for Intrusion Prevention using the selected policy.

HIGHLIGHT: The Cisco Threat Operations Center uses dynamic updates and actionable intelligence obtained from ASAs, IPSs,
Email Security Appliances, Web Security Appliances, and system administrators to calculate a web reputation score for web sites.
Web reputation is a statistical assessment based on context and past behavior and combines many factors of varying significance
into one correlated metric. Similar to a person's credit score, web reputation is a continuous value along a graduated scale from
-10 to 10. By defining a low reputation zone, you can implement predictive, zero-day protection against low reputation sites, the
ones that are most likely to serve malware to your users.

Scenario 2: Event Monitoring


Use the PRSM Event Monitor to monitor and examine events from the devices you are managing. Events are organized into views
that you can filter or search to find events that interest you. You can create customized views and filters to fit your needs or use the
predefined views included in the application. Event Viewer is useful for operational monitoring and troubleshooting of the managed
devices.
1. To open the PRSM Event Monitor, go to Events > Context Aware Security.

Figure 19. Context Aware Security

   The list of events represents traffic flowing through a CX device, in this case the ASA5515X.

   By default the list is set to pull historical events from the last 30 minutes when you click the Filter button and displays the newest events at the top of the list.

   In this demonstration, filters have been created to reduce the number of events. These filters can be removed to view all events from all traffic sources.

2. In a new Internet Explorer tab, click the Favorites shortcut for ihaveabadreputation.com.

Figure 20. ihaveabadreputation.com

   Access will be denied.

3. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.

Figure 21. Events List

   The list includes information about the event.

   The display is customizable and can include more or less information about the event as preferred.

   The HTTP Deny indicates that this flow was dropped.

4. Hover over the event and click View Details.

Figure 22. View Details

   In the event details popup, you will see that the threat type is listed as Suspected Malware. Since Malware Protection is on, this is the expected behavior.

Figure 23. Suspected Malware

5. Return to the second Internet Explorer tab.

6. From the Favorites bar, click the shortcut for poker.com.

Figure 24. poker.com

   The site will be blocked.

7. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.

   A new event will display in the list.

Figure 25. Event

8. Hover over the event and click View Details.

Figure 26. View URL Category

9. Expand the Policy section of the event details window.

Figure 27. Policy Details

   In the Access portion of the Policy section, note that the policy for Unacceptable Sites resulted in the Deny action for this event.

Figure 28. Access Policy for Gambling Event

10. Close the details window.

11. Return to the second Internet Explorer tab.

12. From the Favorites bar, click the shortcut for ebay.com.

Figure 29. ebay.com

   You will see a warning that the site is not recommended.

13. Click Continue to Site.

   The eBay website will open.

14. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.

   New events will display in the list.

NOTE: Due to the nature of the eBay website, multiple events will appear in the list. You may need to scroll to find the event for www.ebay.com.

15. Close the Internet Explorer tab open to eBay to prevent further events from populating the list.

Scenario 3: Application Awareness


The Cisco ASA CX offers application awareness for enhanced visibility and control of network traffic. The ASA CX can identify
traffic on non-standard ports.
1. In a new Internet Explorer tab, click the Favorites shortcut for http_outside.com-9980.

   This site is used to illustrate that the ASA CX correctly identifies the traffic as HTTP traffic even though it is not on the standard HTTP port, 80.

2. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.

   In the event list, note that the event for the site is correctly identified as HyperText Transfer Protocol.

Figure 30. HTTP Event

3. Hover over the event and select View Details.

4. In the Event Details popup, note the Port and Application.

Figure 31. Event Details

5. Minimize Internet Explorer.

6. Launch PuTTY using the desktop shortcut.

7. From the list of Saved Sessions, select Outside.com:9922 and click Open.

Figure 32. SSH to Outside.com

8. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.

   In the event list, you will have a new event identified as Secure Shell to Destination Port 9922.

Figure 33. Non Standard Ports

   The ASA CX identified the traffic as Secure Shell even though it appeared on port 9922.

9. Close all Internet Explorer tabs except the tab open to the PRSM Event Monitor.

10. Close the PuTTY session.

Scenario 4: Managing Encrypted Traffic


Some protocols, such as HTTPS, use Secure Sockets Layer (SSL) or its follow-on version, Transport Layer Security (TLS), to
encrypt traffic for secure transmissions. Because encrypted traffic cannot be inspected, you must decrypt it if you want to apply
access rules that consider higher-layer traffic characteristics to make access decisions.
If you elect to decrypt traffic, the ASA CX acts as a man-in-the-middle:

Incoming traffic is decrypted.

The traffic is inspected. Access rules are applied.

If the traffic is allowed, any profiles defined in the access policy for the flow are applied, and the flow is re-encrypted and
sent to its destination.

Return trip traffic is also decrypted, inspected, then re-encrypted and sent to the client.

Decryption Configuration
1. Go to Configurations > Policies/Settings.

2. Select the New Tab icon and then select Decryption Settings.

Figure 34. Decryption Settings

   The Local Decryption Settings window displays showing that decryption is enabled using a VeriFraud certificate.

Figure 35. Decryption Settings

3. Select the New Tab icon and then select Decryption Policies.

HIGHLIGHT: The default behavior of the ASA CX is to not decrypt encrypted traffic. Therefore, policies are created to apply the
Decrypt Everything or Decrypt Potentially Malicious Traffic actions. Policies that use Do Not Decrypt are necessary only if they
specify a subset of traffic that would otherwise match a policy that applies some level of decryption.
4. Expand the decryption policies.

Figure 36. Decryption Policies

Three policies have been defined in this demonstration:

The first policy exempts update traffic coming from the ASA or PRSM.

The second policy exempts traffic to finance web sites from decryption.

The final policy sets all other traffic for decryption.
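
The order of these three policies decides the outcome for each flow. The Python model below is an added example, not part of the Cisco script and not PRSM code; it assumes top-down, first-match evaluation, and every policy name other than Do NOT Decrypt Finance, along with the source labels, host names and category strings, is constructed for illustration. It also flags exemptions that an earlier, broader policy makes unreachable.

```python
"""Model of ordered decryption-policy evaluation (illustrative, not PRSM code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

DECRYPT = "Decrypt Everything"
NO_DECRYPT = "Do Not Decrypt"
IMPLICIT_DEFAULT = "(implicit default)"  # ASA CX does not decrypt unless a policy says so


@dataclass(frozen=True)
class Flow:
    source: str        # constructed label for the originating host
    dest_host: str     # constructed destination name
    url_category: str  # constructed web category string


@dataclass(frozen=True)
class Policy:
    name: str
    action: str
    sources: Optional[FrozenSet[str]] = None     # None means "any source"
    categories: Optional[FrozenSet[str]] = None  # None means "any category"

    def matches(self, flow: Flow) -> bool:
        if self.sources is not None and flow.source not in self.sources:
            return False
        if self.categories is not None and flow.url_category not in self.categories:
            return False
        return True

    def covers(self, other: "Policy") -> bool:
        """True when every flow that matches `other` also matches this policy."""
        def wider(mine, theirs):
            return mine is None or (theirs is not None and theirs <= mine)
        return wider(self.sources, other.sources) and wider(self.categories, other.categories)


def decide(policies: List[Policy], flow: Flow) -> Tuple[str, str]:
    """Return (action, policy name) under the assumed first-match rule."""
    for policy in policies:
        if policy.matches(flow):
            return policy.action, policy.name
    return NO_DECRYPT, IMPLICIT_DEFAULT


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier one covers them."""
    return [p.name for i, p in enumerate(policies)
            if any(q.covers(p) for q in policies[:i])]


# The three policies of this demonstration, in the order listed above.
DEMO_POLICIES = [
    Policy("Exempt update traffic", NO_DECRYPT, sources=frozenset({"asa", "prsm"})),
    Policy("Do NOT Decrypt Finance", NO_DECRYPT, categories=frozenset({"Finance"})),
    Policy("Decrypt all other traffic", DECRYPT),
]

# Same policies with the catch-all moved to the top: both exemptions become dead rules.
MISORDERED = [DEMO_POLICIES[2], DEMO_POLICIES[0], DEMO_POLICIES[1]]

# Constructed sample flows.
SEARCH_FLOW = Flow("wkst1", "search.example", "Search Engines")
BANK_FLOW = Flow("wkst1", "bank.example", "Finance")
UPDATE_FLOW = Flow("asa", "updates.example", "Software Updates")

if __name__ == "__main__":
    for label, ruleset in (("demo order", DEMO_POLICIES), ("misordered", MISORDERED)):
        print(label, "shadowed policies:", shadowed(ruleset))
        for flow in (SEARCH_FLOW, BANK_FLOW, UPDATE_FLOW):
            action, name = decide(ruleset, flow)
            print(f"  {flow.source} -> {flow.dest_host}: {action} via {name}")
```

Running a check like `shadowed` against an exported policy list before committing a change catches the case where a new broad Decrypt rule silently overrides a finance or update exemption.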

Testing Decryption Policies


To see these policies in action, follow the steps below:
5. Go to Events > Encrypted Traffic View.

Figure 37. Encrypted Traffic View

6. In a new Internet Explorer tab, click the Favorites shortcut for Google.

7. Click the lock icon next to the address bar.

Figure 38. VeriFraud Certificate Used


   Note that the VeriFraud certificate used has been supplied by the ASA CX.

8. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.

Figure 39. Flow Decrypted

   Note that the default decryption policy was applied to the traffic to www.google.com and the traffic was decrypted.

9. Switch to the Internet Explorer tab open to Google. Click the Favorites shortcut for US Bank.

10. Click the lock icon next to the address bar.

Figure 40. Entrust Certificate Used

   Note that Entrust has issued the certificate for this site.

11. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.

Figure 41. Traffic NOT Decrypted

   Note that the Do NOT Decrypt Finance policy was applied to the traffic and the traffic was NOT decrypted.

Identifying Threats in Encrypted Traffic


NOTE: In order for the steps below to function correctly, you must first complete the steps in the Intrusion Prevention Configuration
section from Scenario 1.
One of the most important benefits of decryption is that it allows the ASA CX to examine the traffic for possible threats. To
demonstrate this, follow the steps below:
12. In the Internet Explorer tab open to the PRSM Event Monitor, select the NG IPS tab.

Figure 42. NG IPS Tab

13. In a new Internet Explorer tab, click the Favorites shortcut for Outside.com-cmd.exe.

Figure 43. Favorites Bar

   The page will not load.

14. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.

   You will see a new event in the NG IPS tab that indicates that traffic was denied.

15. Hover over the event and click View details.

Figure 44. Event Details

16. In the event details window, note the Threat detected.

Figure 45. Threat Details

   The ASA CX was able to detect the threat after the traffic was decrypted.

17. Close all Internet Explorer tabs except the tab open to the PRSM Event Monitor.

Scenario 5: Authentication
Authentication is the act of confirming the identity of a user. You can obtain user identities passively or actively. With passive
authentication, user identity is obtained by checking a mapping of IP addresses to user identity collected by the Context Directory
Agent (CDA) or AD agent application. Authentication is passive because the user is not prompted to provide credentials.
With active authentication, when an HTTP or decrypted HTTPS traffic flow comes from an IP address for which ASA CX has no
user-identity mapping, you can decide whether to authenticate the user who initiated the traffic flow against the directories
configured for the network. If the user successfully authenticates, the IP address is considered to have the identity of the
authenticated user.

Authentication Configuration
1. From the CSM workstation Internet Explorer tab open to PRSM, go to Configurations > Policies/Settings.

NOTE: If you have multiple tabs open, you may wish to close those now.

2. Select the New Tab icon and then select AD Agent.

Figure 46. AD Agent

   The configuration shows that the agent is located at IP address 198.19.10.42.

3. Select the New Tab icon and then select Identity Policies.

Figure 47. Identity Policies

4. Expand the policy list. Select the policy and click the Edit button.

Figure 48. Edit Policy

   The Edit policy popup window will open.

Figure 49. Edit Authentication Policy

   In the Edit policy popup window, the details of the configuration show that the Realm is dCloud and the Action is set to get identity using AD agent.

   If the AD agent cannot identify the user, active authentication using NTLM will be used.

5. Close the Edit policy popup window.

6. In a new Internet Explorer tab, click the Favorites shortcut for CDA.

7. Login as admin/C1sco12345.

   The Configuration Status page will display.

8. Click the arrow next to the dcloud.cisco.com domain.

Figure 50. Active Directory Servers

   The configured Active Directory Servers and their status will display.

   Users log into the domain with an Active Directory username and password.

   Active Directory and CDA communicate user information including username and IP address.

9. Go to Mappings > IP to Identity.

Figure 51. IP to Identity

   A list of IP Addresses mapped to AD Identities will display.

Figure 52. IP Address Mappings

   From the list you can see which IP address is currently mapped to which AD user.

10. Return to the PRSM tab on the CSM workstation.

11. Go to Events > Authentication.

   You will come back to this tab in a later step.

Figure 53. Authentication Events

Testing Authentication Settings for Non-Domain Devices

If a device that is not part of the configured domain attempts to send traffic through the ASA CX, the user will be prompted to login
to the domain.

12. Connect to wkst1, using one of the following options:

   Using Cisco dCloud Remote Desktop client [Show Me How] OR

   Using Cisco AnyConnect [Show Me How]

   o After connecting to the demonstration via AnyConnect, use your local RDP client to connect to wkst1 located at 198.19.10.36. Login with username wkst1\administrator and password C1sco12345.

NOTE: The login credentials are for the local machine account (wkst1) rather than the domain (dcloud).
13. Launch Internet Explorer.

You will be prompted to login to the domain.

14. Login with password C1sco12345.

The browser will load the home page.

NOTE: This authentication is now cached in CDA and will not prompt for authentication again. If you wish to clear authentication to
show the process again, close all open Internet Explorer windows and run the applet on the desktop, NGFW Clear Auth.
15. Return to the PRSM Event Monitor on the CSM workstation. Click the Filter button to retrieve the latest events.

A new authentication event will display in the list.

Figure 54. Authentication Event

16. Click the View details link for the event.

Figure 55. View Details

   The Event Details popup window includes additional information about the authentication event.

   Note that this active authentication via NTLM is the backup method if the AD agent cannot identify the user.

17. Close the event details window.

Now that the user has been authenticated, all traffic will be subject to the policies and actions configured on the ASA CX.

18. On the CSM workstation within the PRSM tab, go to Events > All Events.

19. On wkst1, use the Internet Explorer Favorites links to open tabs to poker.com, ebay.com and Google.com. Access will be inspected, denied or decrypted according to the policy settings.

Figure 56. Testing Websites

20. Return to the PRSM Event Monitor on the CSM workstation.

You will see events related to traffic inspection, denial and decryption for each of the sites accessed by wkst1.

Testing Authentication Settings - VPN Users


When a user connects to the ASA via VPN, that connection information is communicated from the ASA to the CDA. Cisco Prime
Security Manager will then use this authentication information found in CDA to perform Single Sign On (SSO).
21. AnyConnect to the demonstration if you did not already do so during Demo Prep. [Show Me How]
22. Connect to vpn-wkst using your local RDP client.

After connecting to the demonstration via AnyConnect, use your local RDP client to connect to vpn-wkst located at
198.18.133.36. Login with username vpn-wkst\administrator and password C1sco12345.

Figure 57. Local RDP to VPN-WKST

23. From vpn-wkst, right-click the taskbar icon for the Cisco AnyConnect Secure Mobility Client, and select VPN Connect.

Figure 58. VPN Connect from VPN-WKST

24. The IP address will be prepopulated. Click Connect.

Figure 59. AnyConnect Client

25. Click Connect Anyway to dismiss the certificate warning.

Figure 60. Certificate Warning

26. Locate your AnyConnect credentials from your Active session found in the session details tab of the running dCloud demo:

   Username: Your CCO user ID. This is the ID you used to login to Cisco dCloud.

   Password: The AnyConnect password shown in the Session Details of your active demo.

Figure 61. AnyConnect Credentials from Session Details

27. Enter the username and password from the Session Details and click OK.

Figure 62. AnyConnect Credentials

   A message will display indicating that VPN connection is up and the AnyConnect icon in the taskbar will show a lock.

28. Return to the Internet Explorer tab open to CDA on the CSM workstation.

29. Go to Mappings > IP to Identity.

Figure 63. IP to Identity

30. Sort the list in descending order by IP address.

   The first entry in the list should show a VPN mapping for the remote user.

Figure 64. CDA Mappings

When the VPN was formed, the ASA communicated that information to CDA.

Now that the user has been authenticated, all traffic will be subject to the policies and actions configured on the ASA CX.
31. Return to the PRSM Event Monitor on the CSM workstation and go to Events > All Events.
32. On vpn-wkst, use the Internet Explorer Favorites links to open tabs to poker.com, ebay.com and Google.com.

Access will be inspected, denied or decrypted according to the policy settings. Note that no second authentication prompt
is required within Internet Explorer since single-sign-on (SSO) is used even though this device is NOT joined to the
domain.

Figure 65. Testing Websites

33. Return to the PRSM Event Monitor on the CSM workstation. Click the Filter button to retrieve the latest events.

You will see events related to traffic inspection, denial and decryption for each of the sites accessed by vpn-wkst.

34. Close the Internet Explorer tab open to CDA on the CSM workstation.
35. Close the connection to wkst1.
36. Close the connection to the vpn-wkst.


Scenario 6: Cisco Prime Security Manager Dashboards and Reports


Dashboards
Dashboards aggregate information on various aspects of your network traffic. You can view dashboards on various time periods to
analyze the traffic on your network. In most cases, you can drill down from general information to specific information. For
example, you can view a dashboard on all users, and then view details about specific users.

Network Overview Dashboard


This dashboard shows summary information about the traffic in the network and the health and performance of the device. In
Multiple Device mode, health and performance information is available for all managed devices. Use this information to help
identify areas that need deeper analysis, or to verify that the network is behaving within general expectations.
1. Return to PRSM on the CSM workstation.

2. To view the network overview, select Dashboard > Network Overview.

3. For Time Range, select Last 24 Hours.

Figure 66. Time Range

4. Scroll down to show the customer the wealth of information provided.

5. Under Top CX destinations, click on one of the Web categories to drill down.

Figure 67. Top CX Destinations

6. Identify the top user (Top Sources) for the selected category.

Figure 68. Top Sources

Malware Traffic Dashboard


This dashboard shows the results of transactions based on the web reputation of the web servers visited. A transaction is
considered to be malicious if the web reputation of the site is -6 or lower. Use this information to help identify areas that need
deeper analysis or changes to existing policies, or to verify that reputation filtering is performing within general expectations.
7. To view the dashboard, select Dashboard > Malware Traffic. You can also view the dashboard by clicking View All in the Malicious Transactions dashboard on the Network Overview.

8. Click the View More link in the Threat Types section.

Figure 69. View More

9. For one of the threat types, click on the number of transactions to view the actual events.

Figure 70. Transactions

Applications Dashboard
10. Go to Dashboard > Applications.
11. For Time Range, select Last 24 Hours.
12. Click on the application name for one of the applications listed.
Figure 71. Application

13. Show the detailed information provided, including top sources and destinations for that application.

Intrusion Prevention Dashboard


14. Go to Dashboard > NG Intrusion Prevention.

Note the number of detected threats. In the lab environment, 100% of the detected threats will be blocked.

PDF Reports
15. In the upper right hand corner of the dashboard, click on the Generate report link.
Figure 72. Generate Report

16. Set the report parameters:

Report Type: Application and web destination

Time Range: Last 24 hours

Figure 73. Report Parameters

17. Click Generate.


18. When prompted, Open the report.
19. Scroll through the report, and then either save or close the report.
