
Advanced FTD Lab

Lab Introduction
Eric Kostlan
Technical Marketing Engineer
October 15th, 2017
Key Learning Objectives

At the end of the Lab session, you should be able to:


• Perform basic configuration of the NGFW with the REST API and FMC
• Configure the new features provided by the 6.2.2 release:
  • Remote Access VPN with AnyConnect
  • Cisco Threat Intelligence Director (CTID)
• Configure selected features from earlier releases

#WWST #CISCOVT #CISCOSE


Cisco Firepower Next-Generation Firewall
Also known as Firepower Threat Defense or FTD

Release timeline (figure): FP 6.0.1 (6.0.1 CCO post March 20th, 2016), FP 6.1, FP 6.2, FP 6.2.1 and FP 6.2.2 (6.2.2 CCO post September 5th, 2017). The ASA code bases shown alongside the releases are ASA 9.6.1, ASA 9.7.1 and ASA 9.8.1 / ASA 9.8.2.



Remote Access VPN
Customer Use Case
Provide advanced security for remote users:
• Secure SSL/IPsec AnyConnect access to the corporate network
• Support for split tunneling or backhauling to the Internet to handle traffic from remote users to the Internet
• AMP and file inspection policy to monitor roaming user data
• Easy RA VPN wizard to configure AnyConnect Remote Access VPN
• Advanced application-level inspection can be enabled to enforce security on inbound remote access user data
• Monitoring and troubleshooting to monitor remote access activity, plus a simplified tool for troubleshooting

(Topology figure: remote users reach the Internet edge through an ISP; an FP2100 pair in HA fronts the campus/private network.)
RA VPN on FTD Versus ASA

Features provided in FTD (and ASA):
• Both SSL and IPsec with AnyConnect
• Basic AAA: LDAP/AD, client certificate, RADIUS attributes, DACLs, time ranges
• AnyConnect client
• Proxy/DNS/WINS server assignment
• Simple configuration
• Session monitoring and control

Features only supported by ASA:
• Advanced AAA: Kerberos, TACACS, SAML, RSA SDI, local authentication, RADIUS CoA
• Hostscan/endpoint assessment
• AnyConnect client customization
• Dynamic Access Policies (DAP)
• LDAP attribute map
• VPN load balancing
• Clientless RA VPN


RA VPN Components
• Access interfaces – determine the interfaces to be used by RA VPN
  • SSL settings, such as access ports
  • IKEv2 settings, such as the certificate
• AnyConnect image – client package to be installed on the endpoint
• AnyConnect client profile – XML that can be uploaded into the FMC as a file object
  • Referenced in the group policy and downloaded to the endpoint while the VPN connection is initiating
  • Includes many parameters for the AnyConnect client
• Connection profiles – determine how authentication is performed
• Group policies – a set of user-oriented attribute/value pairs for RA VPN users
  • DNS/WINS, SSL/DTLS, timeouts, client bypass protocol and DHCP network scope
  • Split tunnel and split DNS configuration
  • VPN filter, egress VLAN and client firewall rules
  • AnyConnect client profile, SSL/DTLS settings and connection settings


Objects Associated with RA VPN



RA VPN Configuration Wizard (FMC)



Modifying Remaining RA VPN Components



Cisco Threat Intelligence Director (CTID)
Customer Use Case
• An increasing proportion of customers are consuming cyber threat intelligence from third parties
• Customers need to operationalize cyber threat intelligence

(Source: SANS™ Institute, March 2017, written by Dave Shackleford)
Cyber Threat Intelligence Today
Targeted at:
• Security buyers with Cisco Firepower/AMP
• Financial institutions/FS-ISAC members who are mandated to ingest and share CTI in STIX and TAXII
• Enterprises with mature security programs that have made the investment in intelligence sources

Problems with cyber threat intelligence today:
• It is hard to operationalize
• It requires an analyst to make sense of it and relate it to the organization
• It focuses on threats but does not answer whether the user is vulnerable or protected
• It requires multiple intelligence sources, both free and paid
• It has no single machine-readable format


Cisco Threat Intelligence Director (CTID)
The solution: Cisco Threat Intelligence Director (CTID)
• Uses customer CTI to identify threats using sophisticated correlation across Firepower NGFW/AMP
• Automatically blocks supported indicators on the Cisco NGFW using added context from intelligence sources
• Provides a single integration point for all STIX and CSV intelligence sources

Note: The Department of Homeland Security (DHS) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have promoted the adoption of STIX and TAXII as standards for sharing CTI.


Target Customer Using CTID Third Parties

Intelligence vendors:
• AlienVault
• Crowdstrike
• FireEye/iSIGHT Partners
• Flashpoint
• Symantec DeepSight

Threat Intelligence Platform (TIP) vendors:
• Anomali
• EclecticIQ
• Lookingglass
• ThreatConnect
• ThreatQuotient

Note: These are the tested third parties. The architecture supports any third party that provides indicators in STIX or flat file format.


Cisco Threat Intelligence Director (CTID)
Workflow (figure):
1. Ingest third-party cyber threat intelligence indicators into the FMC (Cisco Threat Intelligence Director)
2. Publish observables to sensors: NGFW / NGIPS and ESA / WSA / AMP, with a Block or Monitor action
3. Detect and alert to create incidents


Structured Threat Information eXpression (STIX™)
• A structured language for cyber threat intelligence
• Designed to convey data about cybersecurity threats
• XML based
• Standardized



Structured Threat Information eXpression (STIX™)
• Indicators – definition of the threat
• Observables – components of a threat that can be observed by a network device
• Incidents – events triggered when the indicator is observed
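To make the indicator / observable / incident model concrete, here is an added example (not from the lab deck and not Cisco's CTID code): it parses a constructed STIX 1.2 package using the published STIX/CybOX namespaces, pulls out the observables a sensor can act on (IPv4/IPv6 address, domain, SHA-256) and skips object types it cannot match, then plays constructed connection and file events against them the way step 3 of the CTID flow raises incidents. The package contents, event records and all function names are mine.

```python
"""STIX 1.x indicators -> observables -> incidents (added illustration)."""
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed package: documentation-range IP, an example.net domain and the
# SHA-256 of an empty file as a placeholder hash.
SAMPLE_STIX = """<stix:STIX_Package version="1.2" id="example:package-1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed C2 infrastructure</indicator:Title>
      <indicator:Observable id="example:observable-1">
        <cybox:Observable_Composition operator="OR">
          <cybox:Observable><cybox:Object>
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
              <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
            </cybox:Properties></cybox:Object></cybox:Observable>
          <cybox:Observable><cybox:Object>
            <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
              <DomainNameObj:Value>c2.example.net</DomainNameObj:Value>
            </cybox:Properties></cybox:Object></cybox:Observable>
        </cybox:Observable_Composition>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed dropper</indicator:Title>
      <indicator:Observable id="example:observable-2"><cybox:Object>
        <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes><cyboxCommon:Hash>
          <cyboxCommon:Type>SHA256</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def extract_observables(indicator):
    """Return (kind, value) pairs a sensor can act on; other CybOX object types are skipped."""
    found = []
    for props in indicator.iterfind(".//cybox:Properties", NS):
        xsi_type = props.get(XSI_TYPE, "")
        if xsi_type.endswith("AddressObjectType"):
            kind = "ipv6" if props.get("category") == "ipv6-addr" else "ipv4"
            value = _text(props, "AddressObj:Address_Value")
        elif xsi_type.endswith("DomainNameObjectType"):
            kind, value = "domain", _text(props, "DomainNameObj:Value")
        elif xsi_type.endswith("FileObjectType"):
            kind, value = "sha256", None
            for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
                if (_text(h, "cyboxCommon:Type") or "").upper() == "SHA256":
                    value = _text(h, "cyboxCommon:Simple_Hash_Value")
        else:
            continue  # e.g. e-mail or registry objects: not matchable on a NGFW
        if value:
            found.append((kind, value.lower()))  # normalise case once, at ingest
    return found


def parse_package(xml_text):
    """Map indicator id -> {title, observables} for every indicator in the package."""
    root = ET.fromstring(xml_text)
    out = {}
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        ind_id = ind.get("id")
        out[ind_id] = {"title": _text(ind, "indicator:Title") or ind_id,
                       "observables": extract_observables(ind)}
    return out


# Constructed connection/file events in the shape a sensor would report.
SAMPLE_EVENTS = [
    {"src": "10.1.1.20", "dst": "198.51.100.7", "domain": None, "sha256": None},
    {"src": "10.1.1.21", "dst": "203.0.113.9", "domain": "C2.Example.NET", "sha256": None},
    {"src": "10.1.1.22", "dst": "192.0.2.50", "domain": "www.example.com", "sha256": None},
    {"src": "10.1.1.23", "dst": "192.0.2.60", "domain": None,
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]


def match_events(indicators, events):
    """Step 3 of the CTID flow: raise one incident per (event, matching observable)."""
    index = {}
    for ind_id, ind in indicators.items():
        for obs in ind["observables"]:
            index.setdefault(obs, []).append(ind_id)
    incidents = []
    for n, ev in enumerate(events):
        for kind, value in (("ipv4", ev["dst"]), ("domain", ev["domain"]), ("sha256", ev["sha256"])):
            if not value:
                continue
            for ind_id in index.get((kind, value.lower()), []):
                incidents.append({"event": n, "indicator": ind_id,
                                  "title": indicators[ind_id]["title"],
                                  "observable": (kind, value.lower())})
    return incidents
```

Two things worth noting when you wire a real feed into this: case-normalise domains and hashes at ingest, not at match time, and decide explicitly what to do with observable types the sensor cannot match (here they are dropped, so an indicator that consists only of such objects yields no observables and can never fire).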


Getting Started with STIX™
§ Visit the STIX Project Website
  • URL: https://stixproject.github.io/
§ Create sample STIX files
  • URL: https://generator.cosive.com/


Trusted Automated eXchange of Indicator Information (TAXII™)
§ Transport mechanism for STIX
§ Standardizes the automated exchange of cyber threat information
§ Free
§ Open Source


Hail a TAXII !!
§ Free source of TAXII feeds
§ Website URL: http://hailataxii.com
§ Multiple feeds
§ To configure the TAXII intelligence source:
  • URL: http://hailataxii.com/taxii-discovery-service
  • USERNAME: guest
  • PASSWORD: guest
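What the FMC does with the three values above, as an added example (not from the lab deck): it builds a TAXII 1.1 Discovery_Request with the headers the TAXII HTTP binding requires and the guest/guest credentials as HTTP Basic auth, parses the Discovery_Response into its service instances, checks that the reply really answers our request, and selects the POLL endpoint that the feed is then fetched from. The response document, the service addresses in it and the function names are constructed for this illustration, not captured from hailataxii.com.

```python
"""TAXII 1.1 discovery against a feed server (added illustration)."""
import base64
import uuid
import urllib.request
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
MSG_BINDING = "urn:taxii.mitre.org:message:xml:1.1"


def build_discovery_request(url, username, password, message_id=None):
    """Return url, headers and body for a Discovery_Request (HTTP Basic auth)."""
    message_id = message_id or str(uuid.uuid4().int)
    proto = "urn:taxii.mitre.org:protocol:%s:1.0" % ("https" if url.startswith("https://") else "http")
    creds = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    headers = {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Accept": MSG_BINDING,
        "X-TAXII-Content-Type": MSG_BINDING,
        "X-TAXII-Protocol": proto,
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
        "Authorization": "Basic " + creds,
    }
    body = '<taxii_11:Discovery_Request xmlns:taxii_11="%s" message_id="%s"/>' % (TAXII_NS, message_id)
    return {"url": url, "headers": headers, "body": body, "message_id": message_id}


def parse_discovery_response(raw, expect_in_response_to=None):
    """Return the advertised services; refuse anything that is not a reply to our request."""
    root = ET.fromstring(raw)
    if root.tag != "{%s}Discovery_Response" % TAXII_NS:
        raise ValueError("not a TAXII 1.1 Discovery_Response: %s" % root.tag)
    if expect_in_response_to and root.get("in_response_to") != expect_in_response_to:
        raise ValueError("in_response_to does not match our message_id")
    services = []
    for inst in root.iterfind("{%s}Service_Instance" % TAXII_NS):
        services.append({
            "type": inst.get("service_type"),
            "available": inst.get("available", "true") == "true",
            "protocol": inst.findtext("{%s}Protocol_Binding" % TAXII_NS),
            "address": inst.findtext("{%s}Address" % TAXII_NS),
            "message_binding": inst.findtext("{%s}Message_Binding" % TAXII_NS),
        })
    return services


def select_service(services, service_type, require_https=False):
    """Pick the first usable endpoint of a type (POLL, COLLECTION_MANAGEMENT, ...)."""
    for s in services:
        if s["type"] != service_type or not s["available"] or s["message_binding"] != MSG_BINDING:
            continue
        if require_https and not (s["address"] or "").startswith("https://"):
            continue  # plaintext feed: indicators could be altered in transit
        return s["address"]
    return None


def discover(url, username, password, post=None):
    """Run discovery; `post(url, headers, body) -> bytes` is injectable for offline use."""
    req = build_discovery_request(url, username, password)
    if post is None:
        def post(u, h, b):
            r = urllib.request.Request(u, data=b.encode(), headers=h, method="POST")
            with urllib.request.urlopen(r, timeout=30) as resp:
                return resp.read()
    return parse_discovery_response(post(req["url"], req["headers"], req["body"]), req["message_id"])


# Constructed Discovery_Response in the shape a TAXII 1.1 server returns.
SAMPLE_RESPONSE = """<taxii_11:Discovery_Response xmlns:taxii_11="%s" message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>http://hailataxii.com/taxii-data</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>http://hailataxii.com/taxii-data</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>""" % TAXII_NS
```

The lab feed is reached over plain http and the guest credentials are public, which is fine for a lab. When a feed supplies indicators that will be set to Block on production sensors, insist on an https discovery and poll address (the require_https flag above returns None for the sample response) so that nobody on the path can add or remove indicators in transit.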


Lab Topology


Lab Outline
Lab Table of Contents – Core
• Scenario 1: Device Deployment with the REST API
• Scenario 2: Basic Configuration
• Scenario 3: AnyConnect Remote Access VPN
• Scenario 4: AnyConnect with RADIUS Attributes
• Scenario 5: AnyConnect with Client Certificates
• Scenario 6: Monitoring and Troubleshooting
• Scenario 7: Cisco Threat Intelligence Director (CTID)
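Scenario 1 drives the FMC REST API. As an added example (not from the lab guide or Cisco's own tooling), the following shows the two-step flow that most often trips people up: POST to generatetoken with HTTP Basic credentials, read the session token and domain UUID from the response headers rather than the body, then POST a device record under that domain with the token in the X-auth-access-token header. The endpoint paths, header names and device record fields are those of the FMC 6.2 REST API documented in the REST API Quick Start Guide listed under Additional Resources; the host name, credentials, registration key, access policy UUID, license list and function names are placeholders I chose.

```python
"""FMC REST API session: generate a token, then register an FTD device (added illustration)."""
import base64
import json
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
CONFIG_PATH = "/api/fmc_config/v1/domain/%s/devices/devicerecords"


def token_request(fmc_host, username, password):
    """POST with HTTP Basic credentials; the token comes back in response headers, not the body."""
    creds = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return {"method": "POST", "url": "https://%s%s" % (fmc_host, TOKEN_PATH),
            "headers": {"Authorization": "Basic " + creds, "Content-Type": "application/json"},
            "body": None}


def session_from_headers(headers):
    """Extract what later calls need: the access token and the domain UUID."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [k for k in ("x-auth-access-token", "domain_uuid") if k not in h]
    if missing:
        raise RuntimeError("generatetoken response lacks headers: %s" % ", ".join(missing))
    return {"token": h["x-auth-access-token"], "refresh": h.get("x-auth-refresh-token"),
            "domain": h["domain_uuid"]}


def device_record(name, host, reg_key, access_policy_id,
                  licenses=("BASE", "THREAT", "MALWARE", "URLFilter")):
    """Body for POST devicerecords. reg_key must match the key typed on the FTD CLI
    ('configure manager add <fmc> <reg_key>'); the access policy is applied at registration."""
    return {"name": name, "hostName": host, "regKey": reg_key, "type": "Device",
            "license_caps": list(licenses),
            "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"}}


def register_request(fmc_host, session, record):
    """POST the device record under the domain the login handed back."""
    return {"method": "POST",
            "url": "https://%s%s" % (fmc_host, CONFIG_PATH % session["domain"]),
            "headers": {"X-auth-access-token": session["token"], "Content-Type": "application/json"},
            "body": json.dumps(record)}


def send(req, opener=urllib.request.urlopen):
    """Issue a request dict; `opener` is injectable so the flow can be exercised offline."""
    data = req["body"].encode() if req["body"] is not None else None
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with opener(r) as resp:
        return resp.status, dict(resp.headers), resp.read()


def deploy_device(fmc_host, username, password, record, opener=urllib.request.urlopen):
    """Scenario 1 style flow: login, then register. Returns (session, HTTP status, parsed body)."""
    status, headers, _ = send(token_request(fmc_host, username, password), opener)
    if status != 204:  # generatetoken answers 204 No Content with the token in headers
        raise RuntimeError("generatetoken returned HTTP %d" % status)
    session = session_from_headers(headers)
    status, _, body = send(register_request(fmc_host, session, record), opener)
    return session, status, json.loads(body or b"{}")
```

The FMC ships with a self-signed certificate, so urlopen will refuse the connection out of the box; pass an opener built with an ssl context that trusts the FMC certificate (functools.partial(urllib.request.urlopen, context=ssl.create_default_context(cafile=...))) rather than disabling verification, because the admin password, the session token and the registration key all travel in this session. Registration is accepted as a task (HTTP 202) and completes on the FMC asynchronously, so poll the device record until it shows as registered before deploying policy to it.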


Lab Table of Contents – Auxiliary
• Scenario 8: FlexConfig
• Scenario 9: ASA to NGFW Migration
• Scenario 10: NAT and Routing
• Scenario 11: Site-to-Site VPN
• Scenario 12: Web Proxy Integration
• Scenario 13: Prefilter Policies
• Scenario 14: Integrated Routing and Bridging (IRB)


Lab Dependencies
• All scenarios rely on Scenario 1 and Scenario 2. These must be done, and must be done in order.
• Scenarios 3 through 6 cover RA VPN in detail, and must be done in order. But you can stop at any point and go on to other scenarios.
• Scenario 13 uses the static NAT configuration from Scenario 10.


Sample Lab Exercise Set
• Scenario 1: Device Deployment with the REST API
• Scenario 2: Basic Configuration
• Scenario 3: AnyConnect Remote Access VPN
• Scenario 4: AnyConnect with RADIUS Attributes
• Scenario 7: Cisco Threat Intelligence Director (CTID)
• Scenario 8: FlexConfig
• Scenario 10: NAT and Routing
• Scenario 11: Site-to-Site VPN
Additional Resources
• Firepower Management Center Configuration Guide, Version 6.2.2
• Firepower Release Notes, Version 6.2.2
• Firepower REST API Quick Start Guide, Version 6.2
• Search for Cisco NGFW on YouTube