Can you clarify your requirements a bit? Are you looking to use the devices for instructional purposes or operationally?
What exactly did you purchase (exact SKUs and licenses)?
The Firepower module on an ASA 5500-X series requires that a license be assigned to it. At a minimum you need the Control license (free), which you already have.
For it to be fully useful and illustrate all of the available features you would add the IPS subscription, URL Filtering and Malware licenses.
You can use either a local manager (ASDM running on a PC or Mac) or remote manager (Firepower Management Center or FMC server) to assign licenses to the systems.
Marvin,
Can FTD make internal-to-external routing decisions based on Layer 4 - 7 criteria? If so, can you direct me to a good configuration example online? An example of this would be a customer directing business-related internet traffic out their 100Mbps ISP, and social media traffic out their lower-cost ISP or backup ISP, or SIP traffic out a dedicated ISP and all other traffic out another.
That's not possible as far as I know.
Routing decisions are based solely on classic routing criteria (IP address, best match based on prefix length, administrative distance etc.) and not on any of the L4-7 criteria that we have available in Access Control Policies.
What's available is described in the configuration guide here:
Cisco's security intelligence organization Talos has a pretty comprehensive article here:
http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html
They note the following:
COVERAGE
There are different ways to address miners, and there is detection built in to Cisco security products to detect this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner. However, as these miners can be added as modules to various other threats, the detection names may vary. Additionally, there are a couple of NGIPS signatures designed to detect mining activity as well. However, these rules may not be enabled by default in your environment depending on the importance of potentially unwanted applications (PUA) in your network. The signatures that detect this type of activity include, but aren't limited to: 40841-40842, 45417, and 45548-45550.
Also, technologies like Threat Grid have created indicators to clearly identify when mining activity is present when a sample is submitted.
Most of the common miner apps and related indicators will be blocked by a default Intrusion Policy.
If you look at your FMC, you can see the signatures they reference (and enable them if you wish) in your intrusion policy as follows (example subset only, a few more searches would be necessary to display them all as the search terms must be distinct since they are Boolean ANDed if you use multiple terms):
I have setup dynamic feed lists for O365 and other Microsoft Services via these instructions:
https://www.staffeldt.net/cisco-fmc-intelligence-feeds-and-objects/
Using Minemeld I have pulled and generated the two lists needed to whitelist all of the Microsoft IPs and URLs.
However, the URL list that is generated by these feeds includes wildcards in the URL list, e.g.:
*.office.com
*.office365.com
account.office.net
api.office.com
appsforoffice.microsoft.com
Are these wildcards supported in a network feed?
Thanks,
Dan.
Yes, your whitelist can include wildcard URL objects.
In a DNS list entry, you can specify an asterisk (*) wildcard character for a domain label. All labels match the wildcard. For example, an entry of www.example.* matches both www.example.com and www.example.co.
Source:
I tested it using the local blacklist feature (easier to test) and it works.
First under Objects > Object Management > Security Intelligence > URL Lists and Feeds add the text file you created. I named mine "test_blacklist".
Then make sure you have it referenced in your active access control policy under the Security Intelligence tab. (Mine is a blacklist, obviously yours would be under whitelist)
Finally deploy your policy. You should then see the hits (assuming you are logging connection events) in your event viewer.
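To make the wildcard semantics quoted above concrete, here is an added example (not part of the thread, and not Cisco code) that matches hostnames or URLs against a feed list of the shape Dan posted. It implements exactly what the quoted documentation states: an asterisk stands for one domain label, so `www.example.*` matches both `www.example.com` and `www.example.co`. The page does not say whether a single `*` may also span several labels, so this code assumes it may not (one `*`, one label), which is why `*.office.com` below matches `outlook.office.com` but neither `office.com` nor `a.b.office.com`; the sample list is constructed for the example.

```python
"""Label-wise wildcard matching for a Security Intelligence style domain list.

Added example, not from the thread or from Cisco. It models the documented
rule that an asterisk stands for one domain label ("www.example.*" matches
www.example.com and www.example.co). Whether one "*" can span several labels
is not stated on the page; this code assumes it cannot (assumption).
"""
from urllib.parse import urlsplit

# Constructed sample list, same shape as the feed entries quoted in the question.
SAMPLE_LIST = """\
# comment lines and blank lines are ignored
*.office.com
*.office365.com
account.office.net
api.office.com
appsforoffice.microsoft.com
www.example.*
"""


def parse_list(text):
    """Return the non-empty, non-comment entries, lower-cased, without trailing dots."""
    entries = []
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        entries.append(line.rstrip("."))
    return entries


def hostname(value):
    """Accept a bare hostname, host:port, or a full URL; return the lower-cased host."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def label_match(pattern, host):
    """True if each label of `pattern` equals the matching label of `host`,
    where a pattern label that is exactly "*" matches any single host label."""
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False  # one "*" stands for exactly one label (assumption, see docstring)
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def matching_entries(entries, value):
    """All list entries that match the host of `value`, in list order."""
    host = hostname(value)
    return [e for e in entries if label_match(e, host)]


def is_listed(entries, value):
    """Would `value` be whitelisted (or blacklisted) by this list?"""
    return bool(matching_entries(entries, value))


if __name__ == "__main__":
    entries = parse_list(SAMPLE_LIST)
    for probe in ["https://outlook.office.com/mail", "office.com", "www.example.co",
                  "a.b.office.com", "ACCOUNT.OFFICE.NET:443"]:
        print(f"{probe:35} -> {matching_entries(entries, probe)}")
```

The practical caveat this shows: if the apex `office.com` itself must be allowed, it needs its own entry alongside `*.office.com`; relying on the wildcard alone would leave it uncovered under a strict one-label reading.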
Hi Marvin,
I know you could write a book about best practices for installing and operating Firepower, but do you have a checklist of sorts that you could share that would identify the top things to ensure are set correctly (e.g., modify the default discovery process, logging at the end instead of the beginning, etc.)?
Thanks,
Jeff
Actually a book has been written just recently by an author more qualified than me. Please refer to Nazmul Rajib's "Cisco Firepower Threat Defense". It's published by Cisco Press and available via the usual channels. He includes several best practices.
There are also several good Cisco Live presentations.
Personally I use a combination of those plus some training guides that I'm unfortunately not at liberty to share, as they contain copyrighted and/or NDA-protected material.
Hi Marvin,
Can we block mobile devices from accessing AnyConnect VPN on an FTD firewall? We don't have ISE; we are looking for this option in the firewall, if it is possible. Also, can you share an example of FTD AnyConnect VPN with certificate authentication?
Thanks
Basavaraj
Hi Marvin,
Can you please explain the architecture of IPS Snort rules, and how can we edit an existing Snort rule? Also, if I want to create a custom Snort rule, is that possible?
Thanks
Basavaraj
Snort rules are a very deep subject. I'd recommend you start with something like one of the excellent Cisco Live presentations to get started. For example, BRKSEC-3300, which you can find here:
As noted there (specifically see slide 35 onwards), Firepower Intrusion rules are Snort rules. You can enable or disable specific ones or create / import your own if the ones provided don't meet all of your needs.
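For a concrete picture of what "Firepower Intrusion rules are Snort rules" means, here is an added illustrative local rule, written for this reply and not taken from the thread, from Cisco or from the Talos article. It follows the rule anatomy the deck covers: a header (action, protocol, source and destination with variables) followed by the options in parentheses (`msg`, `flow`, `content`, `classtype`, `sid`, `rev`). It ties back to the miner discussion earlier in the thread by looking for the Stratum `mining.subscribe` request that a pool miner sends when it opens a session. Assumptions: the SID 1000001 is only a placeholder in the local-rule range (1,000,000 and above), `$HOME_NET`/`$EXTERNAL_NET` are the variables of the deploying policy, and the rule is meant to complement, not replace, the Talos signatures cited above (40841-40842, 45417, 45548-45550).

```snort
# Added illustrative local rule (not from the thread, Cisco, or Talos).
# Assumptions:
#  - sid:1000001 is a placeholder in the local-rule range (>= 1,000,000),
#    so it cannot collide with Talos-supplied SIDs.
#  - |22| is the hex escape for a double quote, so the content matches the
#    JSON-RPC method string "mining.subscribe" exactly as Stratum clients send it.
#  - $HOME_NET / $EXTERNAL_NET are defined by the policy this rule is imported into.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL POLICY Stratum mining.subscribe request (possible coin miner)"; flow:to_server,established; content:"|22|mining.subscribe|22|"; fast_pattern; nocase; classtype:policy-violation; sid:1000001; rev:1;)
```

Keep custom rules on one line each when saving the file for import, set the rule's state (generate events, or drop and generate events) in the intrusion policy after importing it, and bump `rev` rather than reusing a SID whenever you change the rule so that existing event history stays attributable. The `flow:to_server,established` option restricts inspection to client-to-server traffic on a completed handshake, which is what keeps a content match this short from firing on unrelated server responses.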