68372 Views · 95 Helpful · 67 Replies

Ask the expert- Best practices on Cisco FirePOWER

Cisco Moderador
Community Manager

This topic is a chance to discuss more about all you need to know about the Cisco FirePOWER security solution. In this session, Marvin Rhoads will be answering all kinds of questions about FirePOWER Management Center (FMC), FirePOWER Threat Defense (FTD), FirePOWER service modules and FirePOWER appliances. All kinds of topics related to this solution, such as operation, configuration, design architecture, troubleshooting, installation and licensing, will be covered.

 

Centralize, integrate, and simplify security management on your network

 

To participate in this event, please use the "Join the Discussion: Cisco Ask the Expert" button below to ask your questions.

 

Ask questions from Monday, March 19th to Friday, March 30th, 2018.

 

Featured Expert

 

Marvin Rhoads is a network security engineer with over 3 decades of experience. He focuses on Cisco network security solutions in his work as an independent consultant performing client-facing design and deployment services for several Cisco Partners. In addition to his 25 years of experience as a Cisco customer, Marvin has worked with Cisco partners for the past 7 years. Marvin holds several security and professional certifications, including a CCNP Security. He holds a Master’s Degree in Systems Engineering and a Bachelor’s Degree in Electronics Engineering Technology. He’s currently pursuing a CCIE Security certification.

 

Marvin is passionate about helping and learning from his peers in the industry. He has been an active Cisco Support Community contributor since 2001. He has been named as a Cisco Designated VIP for 6 years in a row. In 2017 he was recognized as a member of the elite Cisco Support Community Hall of Fame program.

 

Marvin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation at the Security Category.  

 

Find other events or open new discussions https://supportforums.cisco.com/t5/community-ideas/bd-p/5911-discussions-community-ideas 

 

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions.
 

 

67 Replies

@Basavaraj Ningappa,

 

With any FTD remote access VPN you should be aware of the current guidelines and restrictions for the same, since there is not yet feature parity with the ASA-based solution.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

 

You cannot currently restrict device types allowed on a remote access VPN using FTD alone (with either local management or FMC).

 

Client certificate authentication is configured under your VPN connection profile AAA tab as shown below:

 

(screenshot: FTD VPN Client Certificate Authentication.PNG)

 

 

Dear Marvin,

In my Firepower service module on a 5525-X I don't see any hits for Security Intelligence on any traffic. How can I trace where things are missing for Security Intelligence?

Thanks

@adamgibs7,

 

Check that you have selected some networks and/or URLs in your applied Access Control Policy's Security Intelligence settings, and that you have logging activated for the blacklisted objects.

 

It should look similar to what I show on my lab server as follows:

 

(screenshot: FMC - SI Settings.PNG)

Dear Marvin,

My settings are the same as yours, but still there are no events for Security Intelligence.

Thanks

@adamgibs7,

 

I suggest creating an entry on a test_blacklist URL list like the one shown on my example - just some target domain that's seldom used that you can test with.

 

With that in place, browse to the target domain and see if it's blocked. If it is, you should see a SI event. If not, please share the connection record.

John Roshek
Level 1
Firepower and Telnet

To my knowledge Firepower does not use Telnet. When creating a session to the sfr module and running netstat -an, I see the sensor listening on port 23:

 

 

sfr$ netstat -an

tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN

 

Can anyone tell me why this sensor is listening on tcp port 23 and if this can be turned off?

This seems to be the default behavior.

 

Thanks

It only appears to be listening at the Linux OS level. If you try to open a telnet connection it will be refused. That's because they're blocking the incoming traffic with iptables.

 

The only accepted traffic is icmp (ping, restricted to the required icmp message types), tcp/22 (ssh) and tcp/8305 (management port used by FMC).

 

See the following listing for confirmation:

 

admin@firepower:/etc/sysconfig$ more iptables
# Generated by iptables-save v1.4.20 on Tue Sep 15 15:06:41 2015
*mangle
:PREROUTING ACCEPT [98319:30342283]
:INPUT ACCEPT [98342:30344874]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4427:1360521]
:POSTROUTING ACCEPT [4446:1362033]
COMMIT
# Completed on Tue Sep 15 15:06:41 2015
# Generated by iptables-save v1.4.20 on Tue Sep 15 15:06:41 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1921:895829]
:DUMP - [0:0]
:STATEFUL - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -i cplane -j ACCEPT

#start ICMP INPUT BLOCK
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
#stop ICMP INPUT BLOCK

#start SSL SSH SNMP PORTS INPUT BLOCK
-A INPUT  -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#stop  SSL SSH SNMP PORTS INPUT BLOCK

#start ESTREAMER PORT INPUT BLOCK

#stop ESTREAMER PORT INPUT BLOCK

#start MANAGEMENT PORT INPUT BLOCK
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 8305 -j ACCEPT
#stop MANAGEMENT PORT INPUT BLOCK

-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -j DROP

#start MANAGEMENT PORT STATEFUL BLOCK
-A STATEFUL -i eth0 -m state --state NEW -j DROP
-A STATEFUL -i eth0 -p tcp -m tcp --dport 3306 -j DROP
#stop MANAGEMENT PORT STATEFUL BLOCK

-A STATEFUL -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A STATEFUL -j DUMP

COMMIT
# Completed on Tue Sep 15 15:06:41 2015
admin@firepower:/etc/sysconfig$
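To make the point of the listing concrete, the following Python simulator is an added example (not part of Marvin's reply and not Cisco's code). It parses the *filter table quoted above (embedded verbatim as constructed input), walks the INPUT chain and its user-defined STATEFUL and DUMP chains the way the kernel would, and reports the verdict for a given inbound packet. It implements only the match options that occur in that listing (-i/-o, -p, --dport, --icmp-type, -m state --state) and the ACCEPT/DROP targets; everything else would be an unsupported token. The packet dictionaries, the `tcp_new` helper and the candidate port list are assumptions made for the example.

```python
# Added example: minimal iptables-save *filter simulator for the sensor rules
# quoted above. Shows that a NEW tcp/23 connection arriving on eth0 is dropped
# in the STATEFUL chain even though the OS has a socket LISTENing on port 23.
import shlex

# Constructed input: the *filter table from the /etc/sysconfig/iptables listing
# in the reply above (the empty *mangle table is omitted).
FILTER_TABLE = """
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1921:895829]
:DUMP - [0:0]
:STATEFUL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i cplane -j ACCEPT
#start ICMP INPUT BLOCK
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
#stop ICMP INPUT BLOCK
-A INPUT  -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 8305 -j ACCEPT
-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -j DROP
-A STATEFUL -i eth0 -m state --state NEW -j DROP
-A STATEFUL -i eth0 -p tcp -m tcp --dport 3306 -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A STATEFUL -j DUMP
COMMIT
"""


def parse_filter_table(text):
    """Return (policies, chains): the policy of each chain (None for user
    chains) and each chain's ordered rules as dicts of match criteria."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue                       # comments, table name, COMMIT
        if line.startswith(":"):           # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            policies[name] = None if policy == "-" else policy
            chains[name] = []
            continue
        toks = shlex.split(line)           # handles the doubled spaces
        assert toks[0] == "-A", "only -A rules are supported"
        rule, i = {}, 2
        while i < len(toks):
            t, arg = toks[i], toks[i + 1]
            if t == "-i": rule["in"] = arg
            elif t == "-o": rule["out"] = arg
            elif t == "-p": rule["proto"] = arg
            elif t == "--dport": rule["dport"] = int(arg)
            elif t == "--icmp-type": rule["icmp_type"] = arg
            elif t == "--state": rule["states"] = set(arg.split(","))
            elif t == "-j": rule["target"] = arg
            elif t != "-m":                # "-m <module>" only loads options
                raise ValueError("unsupported token %r" % t)
            i += 2
        chains[toks[1]].append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """Every criterion present on the rule must equal the packet's value."""
    for key in ("in", "out", "proto", "dport", "icmp_type"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return "states" not in rule or pkt.get("state") in rule["states"]


def verdict(policies, chains, chain, pkt):
    """Walk a chain in order. A user chain that ends without a verdict
    returns None, and evaluation continues in the calling chain; a built-in
    chain falls back to its policy."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        sub = verdict(policies, chains, target, pkt)   # jump to user chain
        if sub is not None:
            return sub
    return policies[chain]


def inbound_verdict(pkt):
    policies, chains = parse_filter_table(FILTER_TABLE)
    return verdict(policies, chains, "INPUT", pkt)


def tcp_new(port, iface="eth0"):
    """Assumed packet shape: a new TCP connection attempt to `port`."""
    return {"in": iface, "proto": "tcp", "dport": port, "state": "NEW"}


def reachable_tcp_ports(candidates):
    """Ports among `candidates` that accept a NEW connection from eth0."""
    return [p for p in candidates if inbound_verdict(tcp_new(p)) == "ACCEPT"]


if __name__ == "__main__":
    for port in (22, 23, 8305, 3306):
        print("tcp/%d NEW on eth0 -> %s" % (port, inbound_verdict(tcp_new(port))))
    print("reachable:", reachable_tcp_ports([22, 23, 443, 3306, 8305]))
```

Running it shows tcp/22 and tcp/8305 as the only TCP ports that accept a NEW connection from eth0, while tcp/23 falls through the INPUT rules into STATEFUL, where `-i eth0 -m state --state NEW -j DROP` discards it; the same packet on the loopback interface is accepted by the first INPUT rule, which is exactly why the socket shows up in `netstat` yet a remote telnet is refused. Echo requests (type 8) are accepted by the explicit ICMP rule, while other ICMP types are dropped in STATEFUL. The parser is limited to the options in this listing, so feeding it a table that uses other match modules will raise rather than guess.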

 

Thank you very much Marvin. This was very helpful.