topic Firepower FMC and FTD Deployment Issues: in Network Security

Firepower FMC and FTD Deployment Issues:

Qamar Islam — Fri, 21 Feb 2020 14:03:43 GMT

Dear Experts;

I Installed and configured the FMC with FTD, I just have some issues regarding this deployment.

Deployment Senario:

I configured the two passive interfaces (eth1, eth2) on the FTD server and Span the Email traffic on eth1 and Web traffic on eth2. FTD analyze the web traffic in eth2 but i need to verified email traffic coming in or not. As my knowledge the FTD has customized Linux OS. how I can verified that.?

On the FMC health status, It shows that the URL filtering download failure error. How can i fix it and how can i check the direct connectivity in FTD.

your support required.

Thanks

You can go into the OS and

Marvin Rhoads — Thu, 20 Apr 2017 08:48:03 GMT

You can go into the OS and use tcpdump to see the incoming packets on a given interface. That program requires root privilege so be sure to "sudo tcpdump".

Regarding the health status, verify the FMC can reach the Internet and resolve addresses. You can also do this from the command line - telnet to an external host on port 80, nslookup etc. are all things you can do to verify.

Thanks for your support

Qamar Islam — Thu, 20 Apr 2017 09:27:17 GMT

Thanks for your support Marvin

On the CLI of FTD, I just have the limited commands. I tried to figure it out but nothings works following are the commands:

configure

exit

expert

history

logout

show

systems

The above are the commands.

Kindly more elaborate the commands so can i fix the issues.

Thanks

You need to switch to "expert

Marvin Rhoads — Thu, 20 Apr 2017 10:48:05 GMT

You need to switch to "expert" mode. Then you will be in the Linux bash shell environment.

Hi Marvin;

Qamar Islam — Thu, 27 Apr 2017 07:22:30 GMT

Hi Marvin;

I just have a question:

Can I add multiple FTD's in FMC.?

I recently add FTD for the analysis of Web Traffic Now the client need to analysis for Email Traffic.

The Email traffic coming from the regional sites too far from the existing site so I need to deploy another FTD and add this to FMC and Span the email traffic on it.

Can I add multiple FTD;s in FMC?

I just deployed it but when registering in FMC I just get an error. Kindly find an attached error snap-shot

Your kind support is needed.

Thanks

Yes - you can add multiple

Marvin Rhoads — Thu, 27 Apr 2017 07:34:25 GMT

Yes - you can add multiple FTD sensors in a given FMC (subject to your FMC license of 2- 10- or 25-device limit).

The error you are getting is most commonly due to one of two reasons:

1. Necessary network connectivity is not in place (tcp/8305 bidirectional is required between the FMC and all sensors)

2. There is a NAT between the FMC and the sensor. In that case you need to use the "DONTRESOLVE" option as described here:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html

Also, the sensor version must not be higher than the FMC. (i.e cannot register a 6.2 sensor to a 6.1 FMC).

Hi Marvin,

Qamar Islam — Thu, 27 Apr 2017 09:39:21 GMT

Hi Marvin,

Thanks for your reply.

Yaa I just checked the tcp/8305 bidirectional port and following are the syslogs I just received.

the FTD sensor ip address is 10.50.62.209

Apr 27 2017 13:45:12 FMC sudo: pam_unix(sudo:session): session closed for user root

Apr 27 2017 13:45:12 FMC sudo: pam_unix(sudo:session): session opened for user root by (uid=0)

Apr 27 2017 13:45:12 FMC sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/log/CSMAgent.log

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.62.209' in 14 seconds

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.50.62.209'

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Could not receive Message: Closed

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.50.62.209'

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Connected to 10.50.62.209:8305 (IPv4)

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.62.209

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.62.209:8305/tcp

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.62.209 (via eth0)

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Connect to 10.50.62.209 on port 8305 - eth0

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_peers [INFO] Peer 10.50.62.209 needs a single connection

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [4180] sftunneld:sf_connections [INFO] Start connection to : 10.50.62.209 (wait 0 seconds is up)

what was the issue am just little confused in below logs:

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.62.209' in 14 seconds

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.50.62.209'

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Could not receive Message: Closed

both are on the same versions 6.1

find attached snap-shot for adding another FTD

Hi Marvin,

Qamar Islam — Thu, 27 Apr 2017 12:32:04 GMT

Hi Marvin,

I just registered the FTD thanks for your support.you are right that, we just have the port issue on both FMC and FTD. THanks

Now i just have an issue for the licenses. How can i generate the licenses for that FTD.?

I just assign the same policy for the previous FTD. I just need the steps to generate the licenses.

Thanks

Kindly find the below snapshot.

FTD uses Smart Licenses. You

Marvin Rhoads — Thu, 27 Apr 2017 12:41:42 GMT

FTD uses Smart Licenses. You need to allocate them to your registered FMC in the Cisco portal:

https://software.cisco.com/

..and then apply them to the new sensor within FMC.

Hi Marvin,

Qamar Islam — Fri, 28 Apr 2017 12:57:40 GMT

Hi Marvin,

I just registered another FTD and transferred the SMTP traffic through span port.

I just have some quries:

How I can check and analysis of SMTP traffic?

How can I check that the traffic is coming or not?

what are the commands in FMC and FTD to find the SMTP or port 25 traffic?

You can simply query the

Marvin Rhoads — Fri, 28 Apr 2017 15:29:19 GMT

You can simply query the connection events and filter for smtp application.

Analysis > Connections > Events. Then "Edit Search" and include only smtp.

Hi Marvin;

Qamar Islam — Tue, 02 May 2017 18:37:47 GMT

Hi Marvin;

I analyzed all the events but there is not any sign of smtp or 25.

How i can further checked the traffic. In FTD console i typed the command system support firewall engine debug, also type the filters on port 25 but nothing shown on it also.

Your support needed.

Thanks

First off I'd confirm your

Marvin Rhoads — Tue, 02 May 2017 18:42:15 GMT

First off I'd confirm your span port is sending the smtp traffic. If it's physically nearby I'd just put a laptop with Wireshark on the port and grab a sample of the traffic.

If you're running 6.2 you can do advanced troubleshooting - do a trace and/or pull a packet capture from the GUI.

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting_the_system.html#id_41600

Hi Marvin;

Qamar Islam — Mon, 15 May 2017 14:37:14 GMT

Hi Marvin;

Good Day!

As per the attack Ransomeware in globe WANNACRY. The client need to move this APT solution in INLINE mode.

I just need little help for doing this activity.

Yes the Email traffic now analysed. Now the POC is completed.

Next Step:

Now client need to move FMC and FTD in Inline mode.

We will place FTD behind the web gateway. How many interfaces i need in FMC?

I just have some quires regarding moving passive mode to inline mode, Now what are the requirements for inline deployment. How many ports i need in FTD to take action on both email and the web traffic.?

How web gateway push the traffic in FTD?

How email gatemay push Email traffic in FTD?

If you have any document for inline deployment of the FTD Kindly share it.

I just have one night for this activity. Your kind support needed.

Thanks

Qamar

Qamar,

Marvin Rhoads — Mon, 15 May 2017 15:33:47 GMT

Qamar,

What you are asking is more of a professional services request. Which Cisco or a partner could handle as a paid service.

In general terms, FMC has a single interface for connecting to the managed devices as well as for administrative access to the server.

FTD interface design is not unlike firewall interface design - it varies widely according to the client's requirements, both current and planned. A very simple deployment is shown in the Quick Start Guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-fdm-5500x-qsg.html#pgfId-129862

Of course if you have multiple interfaces and/or zones with varying secuirty levels, your deployment could vary quite a bit from a simple "inside, outside and management" setup.

Hi Marvin,

Qamar Islam — Mon, 15 May 2017 20:42:44 GMT

Hi Marvin,

Thanks for your support boss,

Deployment scenario is on TRANSPARENT MODE.

I just placed the FTD in between the WEB-Gateway and Core-Switch. The traffic coming from web-gateway to FTD and then goes to Core-switch and Vice versa.

Web-gateway----FTD----Core-switch

As the I just have the OVA file of FTD and i installed in ESXI and bind virtually 3 interfaces with it. I bind 1 management with the FTD management and other two used for inline traffic coming from one interface to the other.

Inside to outside:

One interface defined as INSIDE.

Second Interface Defined as Outside.

Now i just implemented the below configuration to get traffic from Inside interface and analyzed it and transferred it to the next hop.

Kindly find an attached Snap-shots, I never get an ip-address of any interface inside or outside.

Is my configuration is correct or any further changed kindly share please.

I just transferred traffic in FTD but the traffic not coming out from the outside interface.

Steps by steps snap-shots attached.

Support needed boss.

I recommend you open a TAC

Marvin Rhoads — Tue, 16 May 2017 01:23:40 GMT

I recommend you open a TAC case.

It is most likely some aspect of your Access Control Policy that is blocking traffic - a default action is often the cuase for such behavior.

Thanks for your kind support.

Qamar Islam — Tue, 16 May 2017 09:09:55 GMT

Thanks for your kind support.

Regards:

Qamar

Hi Marvin,

Qamar Islam — Wed, 17 May 2017 09:50:18 GMT

Hi Marvin,

I web traffic analysis topology is given below:

Firewall <-> Web gateway(WCCP) <-> FTD (inline Transparent mode) <-> Core Switch <-> users

FMC and FTD virtualized.

Boss above is the topology of inline transparent mode deployment. Last night activity i just deployed the FTD virtual in between the web gateway and core switch. It worked fine and blocking and analysis works at all night but today morning at peak time when user connected to their network. After 3 hours the browsing is chocked. then i took back it to their production network.your suggestions required. Is their any limitations about the events connections with licenses or then above scenario any other possible troubleshooting required?

Kindly suggest please.

Connection events file

Qamar Islam — Wed, 17 May 2017 09:55:04 GMT

Connection events file attached