
Cisco dCloud

Cisco Firepower Next-Generation Firewall 6.2 Basics Lab


v2.3 dCloud: The Cisco Demo Cloud

Last Updated: 28-AUGUST-2018

About This Demonstration


This guide for the preconfigured demonstration includes the following sections:

● Requirements

● About This Solution

● Topology

● Get Started

● Scenario 1: Device Deployment with the REST API

● Scenario 2: Basic Configuration

● Scenario 3: FlexConfig

● Scenario 4: NAT and Routing

● Scenario 5: Prefilter Policies

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Required: ● Laptop
Optional: ● Cisco AnyConnect®

© 2018 Cisco and/or its affiliates. All rights reserv ed. This document is Cisco Public Information. Page 1 of 52

About This Solution


IT teams have been asked to manage security using a patchwork of siloed point products, starting with legacy next-generation firewalls (NGFW), which were created with a focus on applications and bolted on best-effort threat protection. As such, these legacy NGFWs are unable to provide an enterprise with the contextual information, automation, and prioritization needed to handle today's modern threats.

Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your organization's security policy: your guidelines for protecting your network.

This allows the Cisco Firepower NGFW to evolve with a focus on enabling enterprises to stop, prioritize, understand, and automate responses to modern threats in real time. Firepower NGFW is unique in its threat focus, with a foundation of comprehensive network visibility, best-of-breed threat intelligence and highly effective threat prevention to address both known and unknown threats. Firepower NGFW also enables retrospective security, through Advanced Malware Protection, that can "go back in time" to quickly find and remediate sophisticated attacks that may have slipped through defenses. This has led to a significant reduction in time-to-detection (TTD) for Cisco customers compared to industry averages.

In this lab you will build a multi-site Next Generation Firewall (NGFW) solution between a corporate site and two branch sites. Using the Firepower Management Console (FMC) you will build High Availability NGFWs at the corporate site and manage a branch. You will also configure an NGFW using the FDM (Firepower Device Manager), configure remote access and site-to-site VPNs, and configure Cisco Threat Intelligence Director to accept and implement third-party updates to your NGFW devices.


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most components are fully configurable with predefined administrative user accounts. You can see the IP address and user account credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the scenario steps that require their use.

Figure 1. dCloud Topology


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on your laptop [Show Me How].

● Workstation 1: 198.18.133.50, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience connection and performance issues with this method.


Scenario 1. Device Deployment with the REST API


In this scenario you will perform a simple deployment of the NGFW. Most of this will be done with a Python script that uses the REST API, but first you must perform some preliminary steps. Also, routing configuration is not yet supported (6.2.2) by the REST API, so you will do this manually.

Steps

Configure the NGFW for management by the FMC

1. On the Jump desktop, open the PuTTY link. Double-click on the preconfigured session called NGFW1. Log in using userid admin, password C1sco12345.

NOTE: If you run into issues with typing special characters, please open the file on the Jump desktop called Strings to cut and paste.txt.

2. Enter the following command:

a. show managers. You will see either:

i. Managed Locally

ii. No managers configured

b. Enter the following command:

configure manager add fmc.dcloud.local C1sco12345

3. Read the warning and answer yes when, or if, asked if you want to continue. Do not type y.

NOTE: NGFW2, NGFW3 and NGFWBR1 were installed with the on-box manager (Firepower Device Manager or FDM) enabled. This is the default configuration, and it is why you are receiving this warning. You will only receive the warning if the FTD is set to Managed Locally.

We will have an on-box management lab exercise later in this class.

But be aware that you cannot switch between FMC and FDM without deleting the NGFW configuration.

4. Leave this PuTTY session open, since it will be used throughout the lab.


Run a REST API script to register and configure the NGFW


To demonstrate the REST API, you will run a Python script that will perform the following:

● Create an access control policy

● Register NGFW1 to the FMC

● Configure the NGFW(s) interfaces

NOTE: The scripts are for training purposes only, so they are not perfectly polished. If you wish to inspect the first script, it is located in /usr/local/bin. It is called register_config.py, and uses a Python module generated by connect.py. The command runapiscript is a symbolic link to register_config.py.

1. From the Jump desktop, launch PuTTY. Double-click on the Inside Linux server session. Log in as root, password C1sco12345.

2. On the Inside Linux server CLI, run runapiscript.

3. When asked Which firewall do you want to register?, enter 1 (NGFW1) and press Enter.

4. When prompted to enter an access control policy name, enter a reasonable name for the access control policy, like Base_Policy.

5. You will see the script run through the registration process.

6. Open the Firefox browser and, on the FMC, click the icon to the right of the Deploy button and select the Tasks tab.

NOTE: It may take several seconds before any tasks start. If no tasks start for over a minute, check whether you enabled the demo Smart license. If you did not, enable it and run the runapiscript1 script again. Be sure to use a different name for the access control policy, or delete the policy that the script created.

7. The script will automatically continue with the discovery process.

8. The script will automatically configure the interfaces.

a. Leave this PuTTY session open. You will use it throughout the lab.


Scenario 2. Basic Configuration


This exercise consists of the following tasks:

● Create objects needed for the exercise

● Modify the access control policy

● Create NAT policies

● Configure Branch1 FTD using FMC

● Configure Branch2 FTD using FDM

● Deploy the configuration changes

● Modify the network discovery policy

● Deploy the configuration changes

The objective of this exercise is to deploy a simple, but effective, NGFW configuration.

● Allow outbound connections, and block other connection attempts

● Perform file type and malware blocking on these outbound connections

● Provide intrusion prevention on these outbound connections

Steps

Create objects needed for exercise

1. On the FMC, select Objects > Object Management.

a. Click Add Network > Add Object.

b. For Name, enter Lab_Networks.

c. Enter 198.18.0.0/15. This includes all IP addresses used in the lab pod.


d. Click Save.
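The Lab_Networks object is meant to cover every address used in the pod, and it is reused later to limit network discovery. The following check is an added example, not part of the dCloud guide: it uses Python's ipaddress module to confirm which of the guide's addresses fall inside 198.18.0.0/15, converts the dotted mask used in the FDM scenario (255.255.192.0) to a prefix length, and verifies that each interface/gateway pair configured later in the lab is actually on-link. The host list is constructed from addresses that appear in this guide; the FDM default address 192.168.45.45 is included to show one that is deliberately outside the object.

```python
"""Added check (not part of the dCloud guide): does the Lab_Networks object
really cover the lab, and are the static-route gateways on-link?"""
import ipaddress

# Network object as defined in Scenario 2 of the guide.
LAB_NETWORKS = ipaddress.ip_network("198.18.0.0/15")

# Constructed from addresses that appear in this guide.
LAB_HOSTS = {
    "Workstation 1": "198.18.133.50",
    "HQ-FMC (private)": "198.19.10.120",
    "HQ-FMC (public NAT)": "198.18.133.120",
    "WAN gateway": "198.18.128.1",
    "Inside Linux server": "198.19.10.200",
    "NGFWBR1 management": "198.18.133.42",
    "NGFWBR2 FDM default": "192.168.45.45",   # expected to be outside the object
}

# Interface address / gateway pairs configured in the guide.
ROUTES = {
    "ngfwbr1 outside": ("198.18.133.142/18", "198.18.128.1"),
    "NGFWBR2 outside": ("198.18.133.4/18", "198.18.128.1"),  # mask 255.255.192.0
}


def hosts_outside(scope, hosts):
    """Names of hosts whose address is not contained in `scope`."""
    return sorted(name for name, addr in hosts.items()
                  if ipaddress.ip_address(addr) not in scope)


def mask_to_prefixlen(dotted_mask):
    """Convert a dotted netmask such as 255.255.192.0 to a prefix length (18)."""
    return ipaddress.ip_network(("0.0.0.0", dotted_mask)).prefixlen


def gateway_reachable(interface_cidr, gateway):
    """True if the gateway lies in the interface's subnet and is not the interface itself."""
    iface = ipaddress.ip_interface(interface_cidr)
    gw = ipaddress.ip_address(gateway)
    return gw in iface.network and gw != iface.ip


def check_routes(routes=ROUTES):
    """Map each route name to whether its gateway is on-link."""
    return {name: gateway_reachable(cidr, gw) for name, (cidr, gw) in routes.items()}


if __name__ == "__main__":
    print("outside Lab_Networks:", hosts_outside(LAB_NETWORKS, LAB_HOSTS))
    print("255.255.192.0 ->", f"/{mask_to_prefixlen('255.255.192.0')}")
    for name, ok in check_routes().items():
        print(f"{name}: gateway {'on-link' if ok else 'NOT on-link'}")
```

Running the script shows that only the FDM management address falls outside the object, and that both branch default routes point at a gateway inside the /18 of their outside interface.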

2. Select Interface from the left navigation panel.

a. Click Add > Security Zone.

NOTE: There are two types of interface objects: security zones and interface groups. The key difference is that interface groups can overlap. Only security zones can be used in access control policy rules.

3. Create the network objects for the security zones that will be added to the interfaces.


4. For Name, enter OutZone. Select Routed from the Interface Type drop-down menu.

a. Select the ISP-Side interface. Click Add and then click Save. (If NGFW1 does not show up, click the arrow under Device > Interfaces.)

5. Click Add > Security Zone.

a. For Name, enter InZone. Select Routed from the Interface Type drop-down menu.

b. Select the LAN-Side interface. Click Add and then click Save.

6. Go to Devices > Device Management and select the pencil icon on the NGFW1 line.

Configure the default route

1. In the FMC, select Devices > Device Management. Click on the pencil icon to edit the device settings.

2. The Interfaces tab should be selected. Confirm that the REST API script configured the inside and outside interfaces of NGFW1.


3. Select Routing > Static Route, and click the Add Route button.


4. Select ISP-Side in the Interface field.

5. Select any-ipv4 from the available networks (this is the equivalent of a default route).

6. Click Add.


7. For Gateway, click on the "+" icon to create a new object.

a. Select the "+" sign next to the Gateway* pull-down menu.

b. Name the object FMC-HQ-WAN_GW (you will be able to reuse this object later).

c. Enter the Network IP Address: 198.18.128.1 (this is the outside interface of the firewall facing the WAN).

d. Click Save.

8. Click OK to add the Static Route Configuration.

9. Click Save.


Modify the access control policy

1. From the menu, select Policies > Access Control > Access Control. Notice that an access control policy was created by the REST API script.

a. Edit the access control policy by clicking the pencil icon to the right of the policy.

b. Click the green [+] Add Rule button.

c. For Name, enter Allow Outbound Connections.

d. Select into Default from the Insert drop-down list.

NOTE: Rules are divided into sets within a policy. Two sets are predefined:

Mandatory rules, which take precedence over the rules of child policies

Default rules, which are evaluated after the rules of child policies

In this exercise, you will not create a child policy, but you will use the default rule set as a convenient way of making sure this rule is evaluated last.

2. The Zones tab should already be selected.

a. Select InZone and click Add to Source.

b. Select OutZone, and click Add to Destination.


3. Select the Inspection tab.

a. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.

b. Select Demo File Policy from the File Policy drop-down list.

NOTE: The demo intrusion and file policies were preconfigured to save you time. See Appendix 1 in the Firepower Advanced Lab Guide v2.3 for instructions on how to create these.

4. Click Add to add the rule.

5. Select the HTTP Responses tab.

6. Select System-provided from the Block Response Page drop-down list.

7. Select the Advanced tab.

8. Click the pencil icon to edit the Transport/Network Layer Preprocessor Settings.

9. In the Maximum Active Responses text field, enter 25.


10. Click OK.


NOTE: Setting Maximum Active Responses to a value greater than 0 enables the rules that drop packets to send TCP resets to close the connection. Typically both the client and the server are sent TCP resets. With the configuration above, the system can initiate up to 25 active responses (TCP resets) if it sees additional traffic from this connection.

In a production deployment, it is probably best to leave this set to the default. Then no resets are sent, and the malicious system will not know that it has been detected. But for testing and demonstrations, it is generally better to send resets when packets match drop rules.

11. Click Save to save the changes to the access control policy.

Create a NAT policy

1. From the menu, select Devices > NAT.

2. Click the New Policy button, and select Threat Defense NAT.

3. For Name, enter Default PAT.

4. Select the NGFW(s). Click Add to Policy and then click Save.

5. Wait for the policy to open for editing.


6. Click Add Rule.

7. Select In Category and NAT Rules After from the Insert drop-down lists. This will ensure that this rule is evaluated after the auto-NAT (object NAT) rules.

8. Select Dynamic from the Type drop-down list.

a. You will be at the Interface Objects tab. Select InZone and click Add to Source.

b. Select OutZone and click Add to Destination.

9. Select the Translation tab.

a. Select any from the Original Source drop-down list.

b. Select Destination Interface IP from the Translated Source drop-down list.

c. Click OK to save the NAT rule.

d. Click Save to save the NAT policy.


Static NAT Policy for FMC

The FMC is behind NGFW1, which is acting as a NAT device. We need to build a static NAT policy so that the branch FTD will be able to communicate with the HQ-FMC.

1. Click on Add a NAT Rule.

2. Make it an Auto NAT Rule.

3. Under Interface Objects, select InZone and Add to Source.

4. Select OutZone and Add to Destination.

5. Under Translation click the (+) sign and add the name FMC_PRIVATE.

6. For Network, enter 198.19.10.120/32 (this is the address of the HQ-FMC).

7. Click Save.


8. Click on the (+) sign again and add the name FMC_PUBLIC.

9. For Network, enter 198.18.133.120 (an address on the WAN network).


10. Click OK and then Save at the top of the web page.

11. Create an inbound access rule for the private FMC by modifying the access control policy Base_Policy.

a. Select Policies > Access Control Policies.

b. Click on the pencil icon by Base_Policy.

c. Add rule called FMC_Static_NAT.

d. Action: Allow.

e. Source Zone: OutZone, Destination Zone: InZone.

f. Destination Networks: FMC_PRIVATE.

g. Inspection Tab.

i. Intrusion Policy Demo Intrusion Policy.

ii. File Policy Demo File Policy.

h. Click Add and Save.
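The two NAT rules built so far only work together because of their order: the static auto-NAT rule for the FMC sits in the auto-NAT section, which FTD evaluates before the manual "NAT Rules After" section holding the dynamic PAT. The following model is an added example, not code from the guide or from Cisco; it walks the lab's two rules through that section order and shows what would happen if the PAT rule had been placed before auto-NAT instead. The NGFW1 outside interface address is not given in the guide, so a constructed placeholder is used for the PAT result.

```python
"""Added model (not from the dCloud guide) of FTD NAT section ordering:
manual 'before' rules, then auto (object) NAT, then manual 'after' rules."""
import ipaddress
from dataclasses import dataclass

SECTION_ORDER = ("before", "auto", "after")

# Constructed value: the guide does not state NGFW1's ISP-Side address.
NGFW1_OUTSIDE_IP = "198.18.133.100"


@dataclass(frozen=True)
class NatRule:
    name: str
    section: str      # "before" (manual, before auto), "auto" (object NAT), "after" (manual, after auto)
    src_zone: str
    dst_zone: str
    original: str     # real source: a CIDR or "any"
    translated: str   # mapped source: a CIDR for static NAT, "interface" for dynamic PAT
    static: bool


def ordered(rules):
    """Evaluate sections in fixed order; keep list order inside a section.
    Simplification: FTD additionally sorts the auto-NAT section (static before dynamic)."""
    return sorted(rules, key=lambda r: SECTION_ORDER.index(r.section))


def _in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def translate_outbound(rules, src_ip, src_zone, dst_zone, interface_ip=NGFW1_OUTSIDE_IP):
    """First matching rule wins; returns (rule name, translated source)."""
    for r in ordered(rules):
        if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and _in(src_ip, r.original):
            if r.translated == "interface":
                return r.name, interface_ip
            return r.name, str(ipaddress.ip_network(r.translated)[0])
    return None, src_ip


def untranslate_inbound(rules, dst_ip, outside_zone, inside_zone):
    """Only static rules are bidirectional: a packet arriving for the mapped
    address is forwarded to the real address. Dynamic PAT has no unsolicited
    inbound mapping, so the FMC would be unreachable from the branch without
    the static rule."""
    for r in ordered(rules):
        if (r.static and (r.src_zone, r.dst_zone) == (inside_zone, outside_zone)
                and _in(dst_ip, r.translated)):
            return r.name, str(ipaddress.ip_network(r.original)[0])
    return None, None


# The two rules from this scenario.
LAB_RULES = [
    NatRule("Default PAT (manual, NAT Rules After)", "after", "InZone", "OutZone",
            "any", "interface", static=False),
    NatRule("FMC static (auto NAT)", "auto", "InZone", "OutZone",
            "198.19.10.120/32", "198.18.133.120/32", static=True),
]

# Same rules, but with the PAT rule inserted as a manual rule BEFORE auto-NAT.
MISORDERED_RULES = [
    NatRule("Default PAT (manual, NAT Rules Before)", "before", "InZone", "OutZone",
            "any", "interface", static=False),
    LAB_RULES[1],
]


if __name__ == "__main__":
    print(translate_outbound(LAB_RULES, "198.19.10.200", "InZone", "OutZone"))
    print(translate_outbound(LAB_RULES, "198.19.10.120", "InZone", "OutZone"))
    print(untranslate_inbound(LAB_RULES, "198.18.133.120", "OutZone", "InZone"))
    print(translate_outbound(MISORDERED_RULES, "198.19.10.120", "InZone", "OutZone"))
```

With the guide's ordering, the Inside Linux server is PATed to the outside interface address while the FMC keeps its fixed public address 198.18.133.120 in both directions. In the misordered variant the PAT rule shadows the static rule, and the FMC's traffic would leave as an ordinary PAT session, which is why the guide insists on "NAT Rules After".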

Modify Network Discovery Policy

The default network discovery policy is configured to discover all applications, both internal and external. We will want to add host and user discovery. In a production environment, this can exceed the FMC Firepower host license. For this reason, it is best practice to modify the policy.

1. From the menu, select Policies > Network Discovery.

a. Click the pencil icon to the right to edit the existing rule.

b. Check the Users checkbox. The Hosts checkbox will auto-check.

c. Delete both 0.0.0.0/0 and ::/0.

2. Select Lab_Networks and click Add.


3. Click Save.

4. Click Deploy in the upper right hand corner of the FMC.


a. Check the box for the NGFW(s) device, and expand the list to see the details. The page should look similar to the following picture. As of version 6.2.3 you will be alerted if there is a Snort interruption, and you will see what will cause the interruption. If you wish to deploy later you can click the Cancel button.

5. Confirm that the NGFW settings, NAT policy, network discovery, interface and static route configuration will be modified.

a. Click Deploy.

b. Click the icon to the right of the Deploy link in the upper right-hand corner of the FMC. Wait until the deployment is complete.


Test the NGFW deployment

1. On the Inside Linux Server CLI:


a. Enter wget cisco.com. This should succeed. This confirms NAT and routing.

b. Enter ping outside. This should succeed. Enter Ctrl+C to exit ping.

c. Enter ftp outside. Log in as guest, password C1sco12345.

2. Enter cd ~root. You should see the following message: 421 Service not available, remote server has closed connection. This confirms that IPS is working.

NOTE: If the FTP session hangs, you probably forgot to enable active responses in the access control policy. You need not fix this, as long as you remember to expect this behavior.

3. Type quit to exit FTP.

4. In the FMC, select Analysis > Intrusions > Events.

NOTE: Observe that Snort rule 336 was triggered. In the Demo Intrusion Policy, the rule state for this rule is set to Drop and Generate Events. This rule is disabled in the system-defined intrusion policies such as Balanced Security and Connectivity.

NOTE: In a production environment, if you run into a situation where events are not appearing, the first thing you should check is the time synchronization between the NGFW and FMC. However, in this lab, it is more likely to be an issue with the eventing processes. If this happens, try restarting these processes as follows.

On the NGFW CLI, run the following command.

pmtool restartbytype EventProcessor

From the Jump desktop, connect to the FMC using the predefined PuTTY session. Log in as admin/C1sco12345 and run the following commands.

sudo pmtool restartbyid SFDataCorrelator

sudo pmtool restartbyid sftunnel

NOTE: The sudo password is C1sco12345.


5. Click the arrow on the left to drill down to the table view of the events. Observe that details of the event are presented.

a. Click the arrow on the left of the event to drill down further. Note that you are presented with extensive information, including the details of the Snort rule.

b. Expand the Actions and note that you could disable the rule from here - but do not!

6. Test the file and malware blocking capabilities. The wget commands below can be cut and pasted from the file on the Jump desktop called Strings.

7. From the Inside Linux server, log in as root/C1sco12345.

a. As a control test, use wget to download a file that is not blocked: wget -t 1 outside/files/ProjectX.pdf. This should succeed.

b. Next, use wget to attempt to download the file blocked by type: wget -t 1 outside/files/test3.avi.

NOTE: Very little of the file is downloaded. This is because the NGFW can detect the file type when it sees the first block of data. The Demo File Policy is configured to block AVI files.

c. Finally, use wget to attempt to download malware: wget -t 1 outside/files/Zombies.pdf.

NOTE: About 99% of the file is downloaded. This is because the NGFW needs the entire file to calculate the SHA. The NGFW holds onto the last block of data until the hash is calculated and looked up. The Demo File Policy is configured to block malware detected in PDF files.

8. In the FMC, select Analysis > Files > Malware Events.

a. Observe that one file, Zombies.pdf, was blocked.

b. Click the arrow on the left to drill down to the table view of the events. Note that the host 198.19.10.200 is represented by a red icon. This is the Inside Linux Server. The red icon means the host has been assigned an indication of compromise.

NOTE: The action is reported as Custom Detection Block instead of Malware Block. This is because we added Zombies.pdf to the custom detection list, just in case the lab has issues connecting to the cloud. See Appendix 1 for details.

9. As an alternative, you can try the following from the Inside Linux server:
wget -t 1 outside/malware/Buddy.exe

This should be reported as a Malware Block. However, in this particular lab environment, the cloud lookup may fail, so the file may not be blocked.


10. Click on the red computer icon. This will open the host profile page. Look over this page and then close it.

11. From the menu, select Analysis > Files > File Events. You should see information about all 3 file events.

NOTE: You can drill down if you wish.

12. Open a PuTTY connection to the Outside Linux Server.

a. Login as root/C1sco12345

b. Ping 198.18.133.120 (Outside NAT Address of the FMC).

c. Use Ctrl + C to stop the pinging.

d. Minimize the PuTTY session.

Adding FTD Branch 1 to network

1. Earlier we created a static NAT entry for the FMC: 198.18.133.120.

2. Now we will configure NGFW Branch 1 so it will also be managed by the FMC.

3. On the Jump PC, open the PuTTY connection to NGFWBR1 (198.18.133.42 : 22). Log in as admin, password C1sco12345.

4. Type the following command: configure manager add 198.18.133.120 C1sco12345 abcde, and after the question type yes.

NOTE: You need to add the FMC's NAT address and also a specific NAT ID (in this case abcde). The NAT ID will need to match the NAT ID on the FMC when you go through the NGFW registration process.
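The registration in Scenario 1 was done by the guide's register_config.py; the registration here is done through the FMC GUI. Both end up sending the same information the FTD was given on its CLI: the registration key and, when a NAT device sits between FTD and FMC, the NAT ID. The following is an added example, not the guide's script and not Cisco code: it builds the body for the FMC REST API's device-registration call (POST to the devicerecords resource under /api/fmc_config/v1), derives the matching "configure manager add" line, and checks a CLI line against a payload for mismatches. The access control policy UUID is a placeholder; the token and registration functions use the FMC REST API's generatetoken endpoint and response headers (X-auth-access-token, DOMAIN_UUID) and only run when the script is executed directly, so nothing here contacts a device on import. Whether hostName may be omitted in the API when a NAT ID is supplied, as it is in the GUI, is an assumption.

```python
"""Added example (not the dCloud guide's register_config.py): build the FMC
REST API registration body that pairs with 'configure manager add'."""
import base64
import json
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICES_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords"


def registration_payload(name, reg_key, access_policy_id, nat_id=None,
                         host=None, licenses=("BASE",)):
    """Body for POST .../devices/devicerecords.

    regKey and natID must equal the values typed on the FTD CLI; natID is
    required when a NAT device sits between FTD and FMC. hostName is omitted
    when not given (assumed optional with a NAT ID, as in the GUI)."""
    body = {
        "name": name,
        "regKey": reg_key,
        "type": "Device",
        "license_caps": list(licenses),
        "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"},
    }
    if host:
        body["hostName"] = host
    if nat_id:
        body["natID"] = nat_id
    return body


def cli_for(fmc_address, payload):
    """The FTD-side command that pairs with this payload."""
    parts = ["configure manager add", fmc_address, payload["regKey"]]
    if "natID" in payload:
        parts.append(payload["natID"])
    return " ".join(parts)


def check_pairing(cli_line, payload):
    """Compare a 'configure manager add <fmc> <regkey> [natid]' line with the
    FMC-side payload; returns a list of mismatches (empty when consistent)."""
    tokens = cli_line.split()
    problems = []
    if len(tokens) < 5 or tokens[:3] != ["configure", "manager", "add"]:
        return ["not a 'configure manager add' command"]
    if tokens[4] != payload["regKey"]:
        problems.append("registration key differs")
    cli_nat = tokens[5] if len(tokens) > 5 else None
    if cli_nat != payload.get("natID"):
        problems.append("NAT ID differs or missing on one side")
    return problems


def get_token(fmc, user, password, ctx=None):
    """POST generatetoken with HTTP Basic auth; returns (token, domain UUID)."""
    req = urllib.request.Request(f"https://{fmc}{TOKEN_PATH}", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def register_device(fmc, token, domain_uuid, payload, ctx=None):
    """POST the device record; the FMC then starts the registration task."""
    url = f"https://{fmc}{DEVICES_PATH.format(domain=domain_uuid)}"
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-auth-access-token", token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Values from this scenario; the policy UUID is a placeholder.
    payload = registration_payload("ngfwbr1", "C1sco12345", "ACCESS_POLICY_UUID_PLACEHOLDER",
                                   nat_id="abcde",
                                   licenses=("BASE", "THREAT", "MALWARE", "URLFilter"))
    print(json.dumps(payload, indent=2))
    print(cli_for("198.18.133.120", payload))
    # Trust the lab FMC's certificate explicitly instead of disabling verification.
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile="fmc-dcloud-local.pem")  # placeholder path
    token, domain = get_token("198.18.133.120", "admin", "C1sco12345", ctx)
    print(register_device("198.18.133.120", token, domain, payload, ctx))
```

The check_pairing helper is the part worth keeping at hand: a registration that never progresses past "pending" is most often a key or NAT ID typed differently on the two sides, and comparing the exact CLI line against the FMC payload finds that before any deployment is attempted.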


5. Go back to the FMC web page and go to Devices > Device Management > Add > Add Device.

6. Under Access Control Policy, select the down arrow and choose Create New Policy.

7. Name: Branch1access. Select Base Policy: None. Default Action: Block all traffic. Click Save.

8. Click Add Device.


9. Select Branch1Access. Smart Licensing: check all boxes. Under Advanced, type the NAT code from the FTD: abcde.

10. Click Register.


11. Wait until the ngfwbr1 has registered.

NOTE: Now that the ngfwbr1 has been added we need to add interfaces, build the default route, create a NAT policy and update the access policy.

12. Go to Devices > Device Management. Click on the pencil icon next to the ngfwbr1.

NOTE: The addresses for the interfaces are not preconfigured because we were not able to run the deployment script. The REST API in 6.2.2 does not support the NAT function. This situation should be fixed in a future release.

13. Click on the pencil icon on the Gigabit Ethernet0/0 line.


14. Set up the Zones and IP address.


15. Name: branch1_Outside. Security Zone: click New and enter a name: branch1_Outzone.

16. Select the IPv4 address tab.

17. IP Address: 198.18.133.142/18 (This is the address of the Outside WAN [ISP]).


NOTE: In this scenario, we used 198.18.133.42/18 for the Management IP Address of the firewall. You can see this address by entering the show network command from the command line, or by going to expert mode on the FTD, running the ifconfig command and looking at the br1 interface. The Management IP Address is accessible only to the Operating System. We therefore have to build a WAN interface as an outside interface. The Outside Interface can also be configured by DHCP from the ISP, but we did not want to add an additional server to this lab scenario.

18. Repeat for GigabitEthernet0/1 line.

19. Click Save at the top of the Web page.

20. Go to Routing > Static Route > Add Route to build a static route to the Internet.


21. Select Interface branch1_Outside.

22. For Available Network, select any-ipv4.

23. For Gateway, click the green (+) button and configure the new network object: 198.18.128.1.

24. Click Save.

25. Click OK

NOTE: If the interface branch1_Outside does not show up in the pull-down box, click on the Save button at the top right of the screen.

26. When done, click Save at the top of the web page.

27. Go to Devices > NAT > New Policy > Threat Defense NAT.

28. Name the policy Branch1_NAT and, under available devices, select ngfwbr1.

29. Click Add to Policy.

30. Click Save.


31. Click to Add Rule.

32. Select Auto NAT Rule, Type: Dynamic.

33. Under Interface Objects, select branch1_InZone. Click Add to Source.

34. Select branch1_Outzone and Add to Destination.

35. On the Translation tab, under Original Packet, select the (+) and configure a new network object. Name: Branch1_Networks, Network: 198.19.11.0/24. (You could also create an object in the Objects page that would encompass an entire lab network group such as 198.18.0.0/15.)

36. Click Save.

37. On Translated Packet, select Destination Interface IP.

38. Select OK and then Save at the top of the web page.


39. To modify the access control policy, go to Policies > Access Control > Branch1Access.

40. Click on the pencil icon.

41. Click on Add Rule.

42. Name the rule Branch1Allow.

43. Select branch1_InZone for Source and branch1_OutZone for Destination.

44. On the Inspection tab, select Demo Intrusion Policy and Demo File Policy.


45. Click on Add. Click on Save at the top of the web page. Click Deploy and select ngfwbr1.


Configuring Branch 2 Management Using Firepower Device Manager (FDM ON BOX)

1. From the Jump PC, open the Remote Desktops folder.

2. Select Wkstbr2.

3. When the Windows Security prompt pops up, use the password: C1sco12345

4. Click OK.

NOTE: In order to configure the FTD using the on-box manager we need to be on the 192.168.45.0/24 subnet. The default FTD address is 192.168.45.45/32 with a default gateway of 192.168.45.1. We open the RDP session on a secondary NIC on the workstation so that we can simulate local connectivity between the workstation and the FTD. The IP address of the workstation is 192.168.45.225/32 so that it is on the same subnet as the FTD.

5. On the workstation, open PuTTY and type 192.168.45.45, using port 22 (SSH). Log in as admin/C1sco12345!

NOTE: When changing the password using the GUI you must have a special character in the password. That is why we put a "!" in the password. When configuring the password through the CLI a special character is not needed.


6. Type configure manager delete

a. Type yes

b. Wait for the prompt to return and type configure manager local, then press Enter.

Note: FDM (On Box Manager) was configured earlier in order to upgrade the software. Running the above commands clears some of the configuration parameters and also resets the evaluation license. It will take some time for the web service to become available.

7. Open your Firefox browser. It will direct you to 192.168.45.45.

8. Click on Advanced, Add Exception and Confirm Security Exception.

9. Log in as admin/C1sco12345!

10. You will come to the following screen, which displays the FTD connections. Scroll down to the Outside Interface Address.

11. Select the arrow next to Using DHCP.

12. Click on Manual Input.


13. Configure the Outside Interface Address.

● IP Address: 198.18.133.4

● Network Mask: 255.255.192.0

● Gateway: 198.18.128.1

14. Configure the Management Interface by using OPENDNS Servers.

15. Check for the Tertiary Server 198.18.128.1

16. Check for the Hostname NGFWBR2 and click Next.


17. If you get a message that the connection to www.cisco.com failed, that is OK; move on to the setting of the NTP services.

18. Manually set the NTP server:

a. Select the Time Zone.

b. For NTP Time Server, select Manually input.

c. Address: 198.18.128.1.

d. Click Next.


19. This brings you to Smart License. Select Start 90-day evaluation period without registration.


20. The next screen prompts you to configure Interfaces or Policy.

21. Select Interfaces to view the interface list.

NOTE: Interface GigabitEthernet0/1 is 192.168.45.1, and the outside interface, GigabitEthernet0/0, has the address that was manually configured above. We will come back to this device later to configure the site-to-site VPN.


Scenario 3. FlexConfig
This exercise consists of the following tasks.
 Create a user-defined FlexConfig object

 Modify a Text Object used in a system-defined FlexConfig object

 Create and configure a FlexConfig policy

 Deploy the changes and test the configuration

FlexConfig is a feature that allows configuration commands to be deployed directly into the LINA (ASA engine) configuration of the FTD. It can be used to deploy features that are not yet exposed in the FMC UI. Because FMC passes these commands through without validating them against the ASA command syntax, a mistake is only caught when the deployment fails, so always review the Preview Config output before deploying. There are two objectives for this lab exercise:

 Configure EIGRP using a user-defined FlexConfig object.

 Use a system-defined FlexConfig object to disable SIP inspection.

NOTE: There are separate system-defined FlexConfig objects for configuring EIGRP. For configurations that may change over time, it is better to use those objects. To demonstrate the simplicity and power of FlexConfig, however, a user-defined FlexConfig object is used here.

System-defined FlexConfig objects can also be used, for example, to configure the FTD as a source of NetFlow data.

Steps

Create a user-defined FlexConfig object

1. In the FMC UI, select Objects > Object Management.

2. At the bottom of the left navigation panel, under FlexConfig, select FlexConfig Object.

3. Click Add FlexConfig Object.

a. For Name, enter myEIGRP.

b. In the main text area, enter the following commands:

i. router eigrp 10

ii. network 198.18.128.0 255.255.192.0

c. Click Save.


Modify a Text Object for a system-defined FlexConfig object

You should still be on the Object Management page in the FMC UI.

1. Click the magnifying glass icon to the right of the FlexConfig object called Default_Inspection_Protocol_Disable. System-defined objects cannot be edited, but you can copy one and edit the copy.

NOTE: FlexConfig objects are written in the Apache Velocity template language, which supports loops and if statements. Velocity directives begin with a single #. This is not a comment; it marks the line as a directive rather than literal text to be included in the output. Comments begin with ##.

NOTE: This FlexConfig object loops over a text object called disableInspectProtocolList, so each protocol in that list has its inspection disabled by the generated configuration. You will now edit this text object.

2. Click Close.

3. At the bottom of the left navigation pane of the Object Management page, under FlexConfig, select Text Object.

4. Edit the text object called disableInspectProtocolList.

a. This variable takes multiple values. Leave the number of values set to 1.

b. Enter the value sip.

5. Click Save.

Create and configure a FlexConfig policy

1. From the menu, select Devices > FlexConfig. Click New Policy.

a. For Name, enter NGFW1_Test Flex Policy.

b. Select the device NGFW1. Click Add to Policy.

2. Click Save.

3. Wait a few seconds for the policy to open for editing.

a. In the left column, under User Defined, select myEIGRP. Click the arrow to add the FlexConfig object to the policy.

b. In the left column, under System Defined, select Default_Inspection_Protocol_Disable. Click the arrow to add the FlexConfig object to the policy.

4. Click Save.

5. Click Preview Config.

6. Select NGFW1 from the Select Device drop-down list.

7. Wait a few seconds and the configuration changes will appear. Confirm that the commands look correct: the EIGRP commands from myEIGRP and the inspection change generated from the text object. This preview is the only check the commands receive before they are pushed to the device.

8. Click Close.


Deploy the changes and test the configuration

From the NGFW1 CLI, run show running-config policy-map. Confirm that SIP inspection is currently enabled (inspect sip appears under class inspection_default).

1. From the Inside Linux Server session, type ping 204.44.14.1. This should fail.

2. Deploy the changes you made. Wait until the deployment is complete.

3. From the NGFW1 CLI, run show running-config policy-map. Confirm that SIP inspection is now disabled (the inspect sip line is gone).

4. From the NGFW1 CLI, run show eigrp neighbors. Confirm that an adjacency has formed between the FTD and the CSR router.

5. From the NGFW1 CLI, run show eigrp topology. Confirm that EIGRP routes have been received.

a. Look for network 203.14.10.0/24.

NOTE: You will also see some routes that have no successors. These routes will be used in the next section, BGP.

6. Run show route eigrp. Confirm that NGFW1 now has EIGRP-learned routes in its routing table.
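The checks in steps 3 to 6 are done by eye. The following script, added here as an example and not part of the lab guide, parses the output of show running-config policy-map the way you would when scripting the verification: it walks the policy-map / class / inspect hierarchy and reports whether SIP inspection is still present in class inspection_default of global_policy, and which inspections a deployment removed. The BEFORE and AFTER outputs are constructed samples modelled on the default global policy, not captures from NGFW1.

```python
"""Verify inspection state from `show running-config policy-map` output.

Added example, not from the lab guide. It parses the LINA policy-map
hierarchy (policy-map / class / inspect) so the before-and-after state of
the SIP FlexConfig change can be checked programmatically.
"""

# Constructed sample output, modelled on the ASA/FTD default global_policy
# (abridged); not a capture from NGFW1.
BEFORE = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect icmp
  inspect icmp error
"""

# After deploying Default_Inspection_Protocol_Disable with the text object
# disableInspectProtocolList = sip, the "inspect sip" line is gone.
AFTER = BEFORE.replace("  inspect sip\n", "")


def parse_policy_map(text):
    """Return {policy_map: {class_name: set(inspected protocol keywords)}}.

    Indentation carries the hierarchy: 'policy-map X' at column 0,
    ' class Y' at one space, '  inspect Z ...' at two spaces.
    'policy-map type inspect ...' blocks are inspection maps, not traffic
    policies, and are skipped.
    """
    result = {}
    policy = cls = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        words = line.split()
        if indent == 0:
            policy = cls = None
            if words[0] == "policy-map" and len(words) == 2:
                policy = words[1]
                result[policy] = {}
        elif indent == 1 and policy is not None and words[0] == "class":
            cls = words[1]
            result[policy][cls] = set()
        elif indent == 2 and cls is not None and words[0] == "inspect":
            # Keep only the protocol keyword: "inspect dns preset_dns_map"
            # and "inspect icmp error" count as dns and icmp respectively.
            result[policy][cls].add(words[1])
    return result


def inspected_protocols(text, policy="global_policy", cls="inspection_default"):
    """Protocols inspected in the given policy/class (empty set if absent)."""
    return parse_policy_map(text).get(policy, {}).get(cls, set())


def sip_inspection_enabled(text):
    return "sip" in inspected_protocols(text)


def disabled_between(before, after):
    """Inspections present before a deployment but missing after it."""
    return inspected_protocols(before) - inspected_protocols(after)


if __name__ == "__main__":
    print("before deploy, sip inspected:", sip_inspection_enabled(BEFORE))
    print("after deploy,  sip inspected:", sip_inspection_enabled(AFTER))
    print("removed by deployment:", sorted(disabled_between(BEFORE, AFTER)))
```

Feed it the real output of the two show commands (captured before and after the deployment) and the disabled_between result should be exactly {"sip"}; anything else in that set means the FlexConfig changed more than intended.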


Scenario 4. NAT and Routing

This exercise consists of the following tasks.
 Create objects needed for this lab exercise

 Configure static NAT

 Modify access control policy to allow outside access to wwwin

 Configure BGP

 Deploy the changes and test the configuration

There are two objectives for this lab exercise:

 Create a public web server

 Configure BGP

The first objective involves creating network objects, adding an access control rule, and configuring static NAT. The second objective configures dynamic routing with BGP, including an inbound prefix filter.

NOTE: The public server is deployed in the inside network. It would be more realistic to deploy it in a DMZ, but that would take more work. The lab pod does have this capability; see Appendix 4 for information about creating a DMZ in the lab pod.

Steps

Create objects needed for this lab exercise

1. From the menu, select Objects > Object Management. The Network object page will be selected.

a. Click Add Network > Add Object.

b. For Name, enter wwwin.

c. For Network, enter 198.19.10.202.

d. Click Save.

e. Click Add Network > Add Object.

f. For Name, enter wwwout.

g. For Network, enter 198.18.128.202.

h. Click Save.

2. Click Add Network > Add Object.

a. For Name, enter 203.14.10.0.

b. For Network, enter 203.14.10.0/24.

c. Click Save.


3. Select Access List > Standard from the left navigation pane.

a. Click Add Standard Access List.

b. For Name, enter Filter203.

c. Add the two access control entries shown below. The second entry is critical: a standard access list ends with an implicit deny, so without an explicit permit entry after the deny for 203.14.10.0/24, every prefix the BGP neighbor advertises would be filtered out.

d. Click Save.
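To make the implicit deny concrete, here is an added example (not from the lab guide) that evaluates a standard access list the way BGP applies an Incoming Access List: each received prefix's network address is checked against the entries in order, first match wins, and anything that reaches the end of the list is denied. The two Filter203 entries appear only in a screenshot in the original, so the entries below are an assumption that fits the text (deny 203.14.10.0/24, then permit any); the advertised prefixes are the ones named in the test steps of this scenario.

```python
"""Evaluate a standard access list as a BGP inbound prefix filter.

Added example, not from the lab guide. A standard ACL used as a BGP
"Incoming Access List" is matched against the network address of each
received prefix, first match wins, and an implicit "deny any" follows the
last entry. The two Filter203 entries are not reproduced on this page, so
the ones below are an assumption that fits the text: deny 203.14.10.0/24,
then permit everything else.
"""
import ipaddress

# Constructed: ASA-style standard ACL entries (network + netmask).
FILTER203 = [
    ("deny", "203.14.10.0", "255.255.255.0"),
    ("permit", "0.0.0.0", "0.0.0.0"),          # "permit any"
]

# Constructed: what the neighbor CSR (AS 20) advertises, per the lab text.
ADVERTISED = [
    "62.24.45.0/24",
    "62.112.24.0/24",
    "203.14.10.0/24",
    "198.18.128.0/18",
]


def acl_entry_matches(entry, address):
    """True if `address` falls inside the entry's network/mask."""
    _, network, mask = entry
    net = ipaddress.IPv4Network((network, mask), strict=False)
    return ipaddress.IPv4Address(address) in net


def evaluate_acl(acl, address):
    """Return 'permit' or 'deny' for one address; first match wins.

    The final return is the implicit deny every standard ACL ends with.
    """
    for entry in acl:
        if acl_entry_matches(entry, address):
            return entry[0]
    return "deny"


def filter_prefixes(acl, prefixes):
    """Split received prefixes into (accepted, rejected) lists.

    BGP applies a standard ACL to the prefix's network address.
    """
    accepted, rejected = [], []
    for prefix in prefixes:
        net_addr = str(ipaddress.IPv4Network(prefix).network_address)
        target = accepted if evaluate_acl(acl, net_addr) == "permit" else rejected
        target.append(prefix)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_prefixes(FILTER203, ADVERTISED)
    print("accepted:", ok)
    print("rejected:", dropped)
    # Drop the trailing permit and the implicit deny swallows everything.
    ok2, _ = filter_prefixes(FILTER203[:1], ADVERTISED)
    print("without 'permit any' -> accepted:", ok2)
```

The second run, with only the deny entry, is the mistake the note in step c warns about: the neighbor session comes up, but no prefix survives the filter and the routing table stays empty of BGP routes.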


Configure static NAT

1. From the menu, select Devices > NAT.

2. Click the pencil icon to edit the Default PAT policy.

3. Click Add Rule.

a. Select Auto NAT Rule from the Type drop-down list.

b. You will be on the Interface Objects tab. Select InZone, and click Add to Source.

c. Select OutZone, and click Add to Destination.

4. Select the Translation tab.

a. Select wwwin from the Original Source drop-down list.

b. Select Address and wwwout from the Translated Source drop-down list.

c. Click OK to save the NAT rule.

5. Click Save to save the NAT policy.


Modify access control policy to allow outside access to wwwin

1. From the menu, select Policies > Access Control > Access Control.

2. Edit the NGFW access control policy, for example Base_Policy.

a. Click Add Rule.

b. For Name, enter Web Server Access.

c. Select into Default from the Insert drop-down list.

d. The Zones tab should already be selected. Select InZone, and click Add to Destination.

e. Select OutZone, and click Add to Source.

f. Select the Networks tab.

g. Select wwwin, and click Add to Destination.

h. Select the Ports tab. Under Available Ports, type HTTP, select HTTP and HTTPS, and click Add to Destination.

i. Under Selected Destination Ports, select ICMP in the Protocol box and click Add.

NOTE: The rule uses the real (pre-NAT) IP of the web server, wwwin, not the translated address the outside client connects to. Access control rules on the FTD are matched against real addresses, so a rule written for the NAT'ed address would never match.

j. Select the Inspection tab.

k. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.

l. Select Demo File Policy from the File Policy drop-down list.

m. Click Add to add the rule.

3. Click Save to save the access control policy changes.

Configure BGP

1. From the menu, select Devices > Device Management.

2. Click the pencil icon to edit the device settings for NGFW1.

a. Select the Routing tab.

b. Select BGP, and check the Enable BGP checkbox.

c. Set the AS Number to 10.

d. Expand BGP in the left navigation pane and select IPv4.

e. Check the Enable IPv4 checkbox.

f. Click on the Neighbor tab and click on Add.

g. For IP Address, enter 198.18.133.3.


h. For Remote AS, enter 20.

i. Check the Enable address checkbox.

j. Select Filter203 from the Incoming Access List drop-down list.

k. Click OK to add the neighbor.

3. Click Save to save the BGP configuration.

Deploy the changes and test the configuration

1. Deploy the changes, and w ait until the deployment is complete.

2. On the Jump desktop, open the PuTTY link. Double-click the preconfigured session called Outside Linux Server. Log in as root, password C1sco12345.

a. Type curl wwwout. This should succeed.

b. Type ssh wwwout. This should fail, because the Web Server Access rule permits only HTTP, HTTPS, and ICMP to the server.


3. On the Jump desktop, open the PuTTY link. Double-click the preconfigured session called CSR. Log in as admin, password C1sco12345.

a. On the CSR CLI, run show bgp and confirm that 4 routes appear.

4. Open the NGFW1 CLI and run the following checks.

5. Run show route. Confirm that the only routes learned from BGP are 62.24.45.0/24 and 62.112.24.0/24. Note that 203.14.10.0/24 was successfully filtered out of BGP by Filter203. However, if you performed the FlexConfig scenario, you will still see this route as an external EIGRP route.

6. Run show bgp and show bgp rib-failure. This shows that the 198.18.128.0/18 route was not inserted in the routing table because a route with a better administrative distance (the connected route) already exists.

NOTE: You can also run these commands from the FMC.

7. From the menu, select Devices > Device Management.

8. Edit the NGFW1 device and select the Device tab.


9. In the Health section, click the icon to the right of Status.

10. Click Advanced Troubleshooting.

11. Select the Threat Defense CLI tab. From this tab, you can run several NGFW CLI commands.

12. From the Inside Linux Server session, type ping 62.24.45.1. This should succeed.

13. In the Threat Defense CLI tab, select the show command and run it with each of the following parameters:

a. route

b. bgp

c. eigrp neighbors


Scenario 5. Prefilter Policies

This exercise consists of the following tasks.
 Investigate NGFW default behavior for tunneled traffic

 Create a tunnel zone

 Create a prefilter policy

 Modify the access control policy

 Deploy the changes and test the configuration

When traffic arrives inside a clear-text (unencrypted) tunnel, the NGFW access control policy is by default applied to the inner, tunneled traffic rather than to the tunnel itself. Prefilter policies give you control at the level of the tunneling protocol, based on the outer headers. The following tunneling protocols are supported.

 GRE

 IP-in-IP

 IPv6-in-IP

 Teredo

Prefilter policies communicate with access control policies via tunnel zones. A prefilter tunnel rule tags the tunnels it matches with a tunnel zone; the access control policy can then include rules that apply only to traffic carried in those tunnels, by using the tunnel zone as a source zone.

In this exercise, you w ill create a GRE tunnel betw een the inside and outside CentOS servers.

You w ill then configure the NGFW to block ICMP through this GRE tunnel.

NOTE: This exercise has Scenario 4 as a prerequisite, because it relies on the static NAT rule that translates 198.19.10.202 to 198.18.128.202. To understand the configuration of the tunnel interface, inspect /etc/sysconfig/network-scripts/ifcfg-tun0 on the inside and outside servers.
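The following added example (not part of the lab guide) builds a single GRE-encapsulated ICMP echo like the ones tun0 will carry and parses it twice: once as a prefilter tunnel rule sees it, on the outer IP header and GRE protocol number, and once as the access control policy sees it by default, on the inner 10.3.0.1 to 10.3.0.2 packet. 10.3.0.1 and 10.3.0.2 are the tunnel endpoints used in this scenario and 198.19.10.202 is the inside server; the outside server's address is not given on this page, so 203.0.113.10 is a placeholder.

```python
"""Outer versus inner headers of a GRE-tunnelled packet.

Added example, not from the lab guide. It builds one GRE packet like the
ones the tun0 interfaces exchange and shows the two views the NGFW has of
it: a prefilter tunnel rule matches on the outer IP/GRE header, while by
default the access control policy is applied to the inner, encapsulated
packet. Addresses are constructed: 10.3.0.1/10.3.0.2 are the tunnel
endpoints from the lab; the outside server's real address is not given in
the lab text, so 203.0.113.10 stands in for it.
"""
import struct

GRE = 47
ICMP = 1
ETHERTYPE_IPV4 = 0x0800


def checksum(data):
    """RFC 1071 one's-complement checksum over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo_request(payload=b"ping"):
    """ICMP type 8, code 0, id 1, seq 1, with checksum filled in."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1)
    return hdr[:2] + struct.pack("!H", checksum(hdr + payload)) + hdr[4:] + payload


def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """Wrap an IPv4 packet in GRE (flags 0, protocol 0x0800) plus outer IPv4."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(outer_src, outer_dst, GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def parse_ipv4(buf):
    """Return (src, dst, protocol, header_length) of the IPv4 header at buf[0]."""
    ihl = (buf[0] & 0x0F) * 4
    return bytes_to_ip(buf[12:16]), bytes_to_ip(buf[16:20]), buf[9], ihl


def prefilter_view(packet):
    """What a prefilter tunnel rule matches on: the outer header."""
    src, dst, proto, _ = parse_ipv4(packet)
    return src, dst, proto


def access_control_view(packet):
    """What the access control policy sees without a prefilter rule: the
    inner packet, after stripping the outer IPv4 and the GRE header."""
    src, dst, proto, ihl = parse_ipv4(packet)
    if proto != GRE:
        return src, dst, proto
    flags, ethertype = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:          # C: checksum + reserved word present
        gre_len += 4
    if flags & 0x2000:          # K: key present
        gre_len += 4
    if flags & 0x1000:          # S: sequence number present
        gre_len += 4
    if ethertype != ETHERTYPE_IPV4:
        return src, dst, proto
    isrc, idst, iproto, _ = parse_ipv4(packet[ihl + gre_len:])
    return isrc, idst, iproto


def build_sample_packet():
    """Constructed: inside server -> outside server GRE carrying an ICMP
    echo from tunnel endpoint 10.3.0.1 to 10.3.0.2."""
    inner = ipv4_header("10.3.0.1", "10.3.0.2", ICMP, 12) + icmp_echo_request()
    return gre_encapsulate("198.19.10.202", "203.0.113.10", inner)


if __name__ == "__main__":
    pkt = build_sample_packet()
    print("prefilter sees:     ", prefilter_view(pkt))
    print("access control sees:", access_control_view(pkt))
```

This is why the intrusion and file events later in this scenario show 10.3.0.1 and 10.3.0.2 rather than the tunnel endpoints, and why a rule that wants to act on the tunnel itself has to live in the prefilter policy.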

Steps

Investigate NGFW default behavior for tunneled traffic

In this task, you will confirm that the access control policy rules apply to the tunneled traffic.


1. You should still have the SSH session open to the Inside Linux Server.

2. If you do not have an SSH session to the Outside Linux Server, from the Jump desktop, launch PuTTY and double-click the predefined Outside Linux Server session. Log in as root, password C1sco12345.

3. Create a GRE tunnel between the Inside Linux Server and Outside Linux Server.

a. On the Outside Linux Server CLI, type ifup tun0.

b. On the Inside Linux Server CLI, type ifup tun0.

c. On the Inside Linux Server, confirm that you can ping through the tunnel with the following command: ping 10.3.0.2.

Test the IPS capabilities.

1. Run the following command from the Inside Linux Server CLI: ftp 10.3.0.2.

a. Log in as guest, password C1sco12345.

b. Type cd ~root. You should see the following message, which is the FTP client's view of the connection being dropped by the intrusion policy:

c. 421 Service not available, remote server has closed connection.

d. Type quit to exit FTP.

2. In the FMC, from the menu, select Analysis > Intrusions > Events.

a. Click the arrow on the left to drill down to the table view of the events.

b. Observe that the source and destination IPs are 10.3.0.1 and 10.3.0.2, respectively: the inner tunnel addresses, not the outer tunnel endpoints, because the policy was applied to the encapsulated traffic.

3. Test the file and malware blocking capabilities by running the following commands on the Inside Linux Server CLI.

NOTE: These wget commands can be cut and pasted from the file on the Jump desktop called Strings to cut and paste.txt.

a. As a control test, use wget to download a file that is not blocked: wget -t 1 10.3.0.2/files/ProjectX.pdf.

b. This should succeed.

c. Next, use wget to download a file blocked by type: wget -t 1 10.3.0.2/files/test3.avi.

NOTE: Very little of the file is downloaded, because the NGFW can determine the file type from the first block of data (its magic bytes) and block the transfer immediately.

d. Finally, use wget to download malware:

e. wget -t 1 10.3.0.2/files/Zombies.pdf

NOTE: About 99% of the file is downloaded, because the NGFW needs the entire file to calculate its SHA-256 hash for the malware lookup. The NGFW holds the last block of data until the hash has been calculated and looked up, then blocks the transfer.

4. In the FMC, from the menu, select Analysis > Files > File Events.

a. Click Table View of File Events.

b. Observe that the sending and receiving IPs are 10.3.0.2 and 10.3.0.1, respectively.
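The two notes above describe two different decision points: the file type can be determined from the first block, but a malware verdict only once the whole file has been hashed. This added example (not from the lab guide) simulates both for files delivered in fixed-size blocks and reports how much of each file reaches the client before the verdict. The file contents, the blocked-type list and the known-bad hash set are all constructed stand-ins; on the NGFW the hash is looked up against the AMP cloud, not a local set.

```python
"""Where in a transfer the NGFW can decide: first block vs last block.

Added example, not from the lab guide. It simulates the two decisions
described in the notes for a file carried in fixed-size blocks:
  * the file *type* is read from the magic bytes in the first block, so a
    type-blocked file (test3.avi) is stopped before anything is forwarded;
  * the *malware* disposition needs the SHA-256 of the whole file, so every
    block except the last is forwarded and the last is held until the hash
    has been computed and looked up (Zombies.pdf).
The "AMP cloud" here is a constructed in-memory set of known-bad hashes.
"""
import hashlib

BLOCK = 1024

# Constructed magic-byte table; real detection uses many more signatures.
MAGIC = {
    b"%PDF-": "PDF",
    b"RIFF": "RIFF",            # AVI/WAV container; refined in detect_type
    b"PK\x03\x04": "ZIP",
}
BLOCKED_TYPES = {"AVI"}


def detect_type(first_block):
    """File type from the leading bytes of the first block only."""
    for magic, name in MAGIC.items():
        if first_block.startswith(magic):
            if name == "RIFF" and first_block[8:12] == b"AVI ":
                return "AVI"
            return name
    return "UNKNOWN"


def make_pdf(body):
    return b"%PDF-1.4\n" + body + b"\n%%EOF\n"


def make_avi(body):
    size = (4 + len(body)).to_bytes(4, "little")   # RIFF size field, little-endian
    return b"RIFF" + size + b"AVI " + body


# Constructed files standing in for the lab's test files.
FILES = {
    "ProjectX.pdf": make_pdf(b"clean report " * 300),
    "test3.avi": make_avi(b"\x00" * 5000),
    "Zombies.pdf": make_pdf(b"malicious payload " * 300),
}

# Constructed stand-in for the malware hash lookup.
KNOWN_BAD = {hashlib.sha256(FILES["Zombies.pdf"]).hexdigest()}


def transfer(data, block_size=BLOCK):
    """Simulate the NGFW's handling of one file.

    Returns (verdict, bytes_delivered_to_client, reason).
    """
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    if not blocks:
        return "allow", 0, "empty"
    ftype = detect_type(blocks[0])
    if ftype in BLOCKED_TYPES:
        # Decision possible on the first block: nothing is forwarded.
        return "block", 0, "type %s blocked" % ftype
    h = hashlib.sha256()
    delivered = 0
    for blk in blocks[:-1]:          # everything but the last block flows through
        h.update(blk)
        delivered += len(blk)
    h.update(blocks[-1])             # last block is held until the hash is known
    if h.hexdigest() in KNOWN_BAD:
        return "block", delivered, "sha256 %s is malware" % h.hexdigest()[:12]
    delivered += len(blocks[-1])
    return "allow", delivered, "type %s, hash clean" % ftype


def delivered_fraction(name):
    """(verdict, fraction of the file the client received) for a test file."""
    verdict, delivered, _ = transfer(FILES[name])
    return verdict, round(delivered / len(FILES[name]), 2)


if __name__ == "__main__":
    for name in FILES:
        verdict, fraction = delivered_fraction(name)
        print("%-13s %-5s %4.0f%% delivered  %s" % (name, verdict, fraction * 100, transfer(FILES[name])[2]))
```

The fraction for Zombies.pdf depends only on the block size relative to the file size, which is why the lab sees "about 99%" for its real test file: the client ends up holding an unusable file missing its final block, and the file event records the block.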


Create a tunnel zone

1. From the menu, select Objects > Object Management.

a. Select Tunnel Zone from the left navigation pane.

b. Click Add Tunnel Zone.

c. For Name, enter gre.

d. Click Save.

Create a prefilter policy

2. From the menu, select Policies > Access Control > Prefilter.

a. Click New Policy. Enter a name such as ngfw Prefilter Policy. Click Save.

b. Wait a few seconds for the policy to open for editing.

3. Click Add Tunnel Rule.

a. For Name, enter Handle gre Traffic.

b. Select gre from the Assign Tunnel Zone drop-down list.

c. Select the Encapsulation & Ports tab and check the GRE checkbox.

NOTE: There are three actions.

 Analyze - the tunnel is passed to Snort, and the access control policy rules apply to the inner traffic.

 Block - the tunnel is blocked.

 Fastpath - the tunnel is allowed and bypasses all further inspection, including intrusion and file policies, so use it only for traffic you trust.


NOTE: You can also create prefilter rules (as opposed to tunnel rules) in this policy. These give you the ability to analyze, block, or fastpath traffic based on layer 2 through layer 4 information, before Snort sees it.

4. Click Add to add the rule.

5. Click Save to save the prefilter policy.

Modify the access control policy

1. From the menu, select Policies > Access Control > Access Control and edit the NGFW Base_Policy access control policy.

2. Click the link Default Prefilter Policy to the right of the string Prefilter Policy, above the policy rules.

3. Select ngfw Prefilter Policy.

4. Click OK.

a. Select the Rules tab.

b. Click Add Rule.

c. Call the rule Block ICMP Over GRE.

d. Select into Mandatory from the Insert drop-down list.

e. Set the action to Block with reset.

f. In the Available Zones column, select the tunnel zone gre and click Add to Source.

g. In the Available Applications column, select ICMP and click Add to Rule.

h. Select the Logging tab. Check the Log at Beginning of Connection checkbox.

i. Click Add to add the rule to the policy.

5. Click Add Rule.

a. Call the rule Allow GRE Traffic.

b. Select into Default from the Insert drop-down list. This will become the last rule in the access control policy.

c. In the Available Zones column, select the tunnel zone gre and click Add to Source.

d. Select the Inspection tab.

e. Select Demo Intrusion Policy from the Intrusion Policy drop-down list.

f. Select Demo File Policy from the File Policy drop-down list.

g. Click Add to add the rule to the policy.

h. Click Save to save the access control policy.


Deploy the changes and test the configuration

1. Deploy the changes, as you have been. Wait for the deployment to complete.

2. On the Outside Linux Server, run tcpdump -n -i tun0 to monitor tunnel traffic.

a. Run the following commands on the Inside Linux Server CLI.

b. wget 10.3.0.2. This should succeed.

c. ping 10.3.0.2

You should see the following output, indicating that the ping is being blocked. Packet filtered is how ping reports an ICMP destination unreachable message with the code "communication administratively prohibited", the reset the NGFW sent in response to the blocked echo request.
From 10.3.0.2 icmp_seq=1 Packet filtered

3. Inspect the output of the tcpdump command on the Outside Linux Server to confirm that the ping is not reaching 10.3.0.2.

4. Tear down the tunnel:

a. On the Outside Linux Server CLI, type ifdown tun0.

b. On the Inside Linux Server CLI, type ifdown tun0.
