Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@Gallifrean,

 

Can you clarify your requirements a bit? Are you looking to use the devices for instructional purposes or operationally?

 

What exactly did you purchase (exact SKUs and licenses)?

Contributor

Re: Ask the expert- Best practices on Cisco FirePOWER

To reiterate:
We are an educational institution teaching CCNA Security with Cisco certified instructors.
We recently purchased three ASA 5506X.
My question was: do I need to register them (to access Firepower) if they are only to be used in isolated labs within the institution?
If they are to be registered, how do I do that so that different classes, across the years that we will be using the devices,
can gain access to Firepower?
Currently we have
3 Cisco 5506X, each with a Control licence PAK


Thanks Peter
Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@Gallifrean,

 

The Firepower module on an ASA 55000 series requires that a license be assigned to it. At a minimum you need the Control license (free), which you already have.

 

For it to be fully useful and illustrate all of the available features you would add the IPS subscription, URL Filtering and Malware licenses.

 

You can use either a local manager (ASDM running on a PC or Mac) or remote manager (Firepower Management Center or FMC server) to assign licenses to the systems.

Enthusiast

Re: Ask the expert- Best practices on Cisco FirePOWER

Marvin,

     Can FTD make internal to external route decisions based on Layer 4 - 7 criteria? If so, can you direct me to a good configuration example online?  An example of this would be a customer directing business related internet out their 100Mbps ISP, and social media traffic out their lower cost ISP or backup ISP, or SIP traffic out a dedicated ISP and all other traffic out another.

The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"
Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@robinson,

 

That's not possible as far as I know.

 

Routing decisions are based solely on classic routing criteria (IP address, best match based on prefix length, administrative distance etc.) and not on any of the L4-7 criteria that we have available in Access Control Policies.

 

What's available is described in the configuration guide here:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/routing_overview_for_firepower_threat_defense.html

Enthusiast

Re: Ask the expert- Best practices on Cisco FirePOWER

That's so disappointing. Cisco Meraki can do it, and so can most other firewall brands (PA, and those FortiGuys). I would have thought that going to FTD would have created a new paradigm in Cisco's position regarding that type of traffic manipulation.
The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"
Beginner

Re: Ask the expert- Best practices on Cisco FirePOWER


Good morning Marvin

I have a question regarding FTD devices and crypto mining. What is the recommended method of stopping applications on the internal network that may communicate with mining pools?
Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

 

@Nick Currie,

 

Cisco's security intelligence organization Talos has a pretty comprehensive article here:

 

http://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html

 

They note the following:


COVERAGE


There are different ways to address miners and there is detection built into Cisco security products to detect this activity. There is a specific detection name in AMP for coin miners, W32.BitCoinMiner. However, as these miners can be added as modules to various other threats, the detection names may vary. Additionally there are a couple of NGIPS signatures designed to detect mining activity as well. However, these rules may not be enabled by default in your environment depending on the importance of potentially unwanted applications (PUA) in your network. The signatures that detect this type of activity include, but aren't limited to: 40841-40842, 45417, and 45548-45550.

Also, technologies like Threat Grid have created indicators to clearly identify when mining activity is present when a sample is submitted.

 

Most of the common miner apps and related indicators will be blocked by a default Intrusion Policy

 

If you look at your FMC, you can see the signatures they reference (and enable them if you wish) in your intrusion policy as follows (example subset only, a few more searches would be necessary to display them all as the search terms must be distinct since they are Boolean ANDed if you use multiple terms):

 

FMC - Miner.PNG
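Added example (not from the thread or from Cisco): a small audit that expands the SID list Talos gives above and checks a Snort-format rules export, where disabled rules are commented out with `#`, to report which of those SIDs are enabled, disabled or absent. The rules text is constructed with placeholder bodies; only the SIDs come from the quoted article.

```python
import re

# SID list exactly as Talos quotes it above; ranges are inclusive.
TALOS_MINER_SIDS = "40841-40842, 45417, 45548-45550"

def expand_sids(spec):
    """Expand '40841-40842, 45417' into a set of integer SIDs."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        hi = hi or lo               # a single SID has no range end
        sids.update(range(int(lo), int(hi) + 1))
    return sids

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_states(rules_text):
    """Map sid -> True (enabled) / False (commented out) for each rule line."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not m:
            continue
        states[int(m.group(1))] = not stripped.startswith("#")
    return states

def audit(rules_text, spec):
    """Return (enabled, disabled, missing) sets for the SIDs named in spec."""
    wanted = expand_sids(spec)
    states = rule_states(rules_text)
    enabled = {s for s in wanted if states.get(s) is True}
    disabled = {s for s in wanted if states.get(s) is False}
    missing = wanted - enabled - disabled
    return enabled, disabled, missing

# Constructed rules excerpt: the SIDs are the ones Talos lists, but the
# rule bodies are placeholders, not the real Talos rule text.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER miner rule"; sid:40841; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER miner rule"; sid:40842; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER miner rule"; sid:45417; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER miner rule"; sid:45548; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER miner rule"; sid:45549; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PLACEHOLDER unrelated"; sid:1000001; rev:1;)
"""
```

Running `audit(SAMPLE_RULES, TALOS_MINER_SIDS)` on the constructed excerpt reports 40841 and 45417 enabled, 40842, 45548 and 45549 disabled, and 45550 absent from the export.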

 

 

 

Participant

Re: Ask the expert- Best practices on Cisco FirePOWER

I have setup dynamic feed lists for O365 and other Microsoft Services via these instructions:

 

https://www.staffeldt.net/cisco-fmc-intelligence-feeds-and-objects/

 

Using Minemeld I have pulled and generated the two lists needed to whitelist all of the Microsoft IPs and URLs.

 

However, the URL list that is generated by these feeds includes wildcards in the URL list, e.g.:

 

*.office.com
*.office365.com
account.office.net
api.office.com
appsforoffice.microsoft.com

Are these wildcards supported in a network feed?

 

Thanks,

Dan. 

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@dan.letkeman,

 

Yes, your whitelist can include wildcard URL objects.

 


In a DNS list entry, you can specify an asterisk (*) wildcard character for a domain label. All labels match the wildcard. For example, an entry of www.example.* matches both www.example.com and www.example.co.

 

Source:

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/reusable_objects.html

 

I tested it using the local blacklist feature (easier to test) and it works.

 

First under Objects > Object Management > Security Intelligence > URL Lists and Feeds add the text file you created. I named mine "test_blacklist".

 

Then make sure you have it referenced in your active access control policy under the Security Intelligence tab. (Mine is a blacklist, obviously yours would be under whitelist)

 

SI screenshot.PNG

 

Finally deploy your policy. You should then see the hits (assuming you are logging connection events) in your event viewer.

 

Blacklist  drop.PNG
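Added example, not Cisco's code, of the label-wise wildcard semantics quoted above: each `*` stands for exactly one whole DNS label, so `www.example.*` matches `www.example.com` and `www.example.co` but not `www.example.co.uk`, and `*.office.com` does not match a look-alike such as `evil-office.com`. That a wildcard entry does not also cover the bare apex name (`office.com`) is an assumption to confirm on the FMC; the feed entries used are the ones Dan listed.

```python
def normalize(name):
    """Lower-case a hostname, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")

def entry_matches(entry, hostname):
    """True if a DNS list entry matches hostname; '*' stands for one label."""
    pattern = normalize(entry)
    labels = normalize(hostname)
    if len(pattern) != len(labels):      # a wildcard never spans several labels
        return False
    return all(p == "*" or p == h for p, h in zip(pattern, labels))

def first_match(entries, hostname):
    """Return the first list entry that matches hostname, or None."""
    for entry in entries:
        if entry_matches(entry, hostname):
            return entry
    return None

# Constructed copy of the feed excerpt quoted in the thread.
FEED = [
    "*.office.com",
    "*.office365.com",
    "account.office.net",
    "api.office.com",
    "appsforoffice.microsoft.com",
]

def check_feed(entries, hostnames):
    """Map each hostname to the entry that whitelists it (None if not covered)."""
    return {h: first_match(entries, h) for h in hostnames}
```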

Beginner

Re: Ask the expert- Best practices on Cisco FirePOWER

Hi Marvin,

 

I know you could write a book about best practices for installing and operating Firepower, but do you have a checklist of sorts that you could share that would identify the top things to ensure are set correctly (i.e. - modify default discovery process, logging at the end instead of beginning, etc.) ?

 

Thanks,

Jeff

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@JEFF SPRADLING,

 

Actually a book has been written just recently by an author more qualified than me. Please refer to Nazmul Rajib's "Cisco Firepower Threat Defense". It's published by Cisco Press and available via the usual channels. He includes several best practices.

 

There are also several good Cisco Live presentations.

 

Personally I use a combination of those plus some training guides that I'm unfortunately not at liberty to share as they contain copyrighted and/or NDA-protected material .

Re: Ask the expert- Best practices on Cisco FirePOWER

Hi Marvin,

Can we block mobile devices from accessing AnyConnect VPN on an FTD firewall? We don't have ISE; we are looking for this option in the firewall, if it is possible. Also, can you share one example of FTD AnyConnect VPN with certificate authentication?

 

Thanks

Basavaraj

Re: Ask the expert- Best practices on Cisco FirePOWER

Hi Marvin,

Can you please explain the architecture of IPS Snort rules, how we can edit an existing Snort rule, and whether it is possible to create a custom Snort rule?

 

Thanks

Basavaraj

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@Basavaraj Ningappa,

 

Snort rules are a very deep subject. I'd recommend you start with something like one of the excellent Cisco Live presentations to get started. For example, BRKSEC-3300, which you can find here:

 

https://www.ciscolive.com/global/on-demand-library/?search.event=ciscoliveemea2018&search.event=ciscoliveanz2018&search=snort#/session/BRKSEC-3300

 

As noted there (specifically see slide 35 onwards), Firepower Intrusion rules are Snort rules. You can enable or disable specific ones or create / import your own if the ones provided don't meet all of your needs.
