Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@Basavaraj Ningappa,

 

With any FTD remote access VPN you should be aware of the current guidelines and restrictions, since there is not yet feature parity with the ASA-based solution.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

 

You cannot currently restrict device types allowed on a remote access VPN using FTD alone (with either local management or FMC).

 

Client certificate authentication is configured under your VPN connection profile AAA tab as shown below:

 

[Image: FTD VPN Client Certificate Authentication.PNG]

 

 

Contributor

Re: Ask the expert- Best practices on Cisco FirePOWER

Dear

In my Firepower service module on a 5525-X I don't see any hits for Security Intelligence on any traffic. How can I trace where things are missing for Security Intelligence?

Thanks

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@adamgibs7,

 

Check that you have selected some networks and/or URLs in the Security Intelligence settings of your applied Access Control Policy, and that you have logging activated for the blacklisted objects.

 

It should look similar to what I show on my lab server as follows:

 

[Image: FMC - SI Settings.PNG]

Contributor

Re: Ask the expert- Best practices on Cisco FirePOWER

Dear marvin

 

My settings are the same as yours, but still no events for Security Intelligence.

Thanks

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

@adamgibs7,

 

I suggest creating an entry on a test_blacklist URL list like the one shown in my example - just some target domain that's seldom used that you can test with.

 

With that in place, browse to the target domain and see if it's blocked. If it is, you should see a SI event. If not, please share the connection record.

Beginner

Re: Ask the expert- Best practices on Cisco FirePOWER

Firepower and Telnet

To my knowledge Firepower does not use Telnet. When I create a session to the sfr module and run netstat -an, I see the sensor listening on port 23.

 

 

sfr$ netstat -an

tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN

 

Can anyone tell me why this sensor is listening on tcp port 23 and if this can be turned off?

This seems to be the default behavior.

 

Thanks

Hall of Fame Guru

Re: Ask the expert- Best practices on Cisco FirePOWER

It only appears to be listening at the Linux OS level. If you try to open a telnet connection it will be refused. That's because they're blocking the incoming traffic with iptables.

 

The only accepted traffic is icmp (ping, restricted to the required icmp message types), tcp/22 (ssh) and tcp/8305 (management port used by FMC).

 

See the following listing for confirmation:

 

admin@firepower:/etc/sysconfig$ more iptables
# Generated by iptables-save v1.4.20 on Tue Sep 15 15:06:41 2015
*mangle
:PREROUTING ACCEPT [98319:30342283]
:INPUT ACCEPT [98342:30344874]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4427:1360521]
:POSTROUTING ACCEPT [4446:1362033]
COMMIT
# Completed on Tue Sep 15 15:06:41 2015
# Generated by iptables-save v1.4.20 on Tue Sep 15 15:06:41 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1921:895829]
:DUMP - [0:0]
:STATEFUL - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -i cplane -j ACCEPT

#start ICMP INPUT BLOCK
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
#stop ICMP INPUT BLOCK

#start SSL SSH SNMP PORTS INPUT BLOCK
-A INPUT  -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#stop  SSL SSH SNMP PORTS INPUT BLOCK

#start ESTREAMER PORT INPUT BLOCK

#stop ESTREAMER PORT INPUT BLOCK

#start MANAGEMENT PORT INPUT BLOCK
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 8305 -j ACCEPT
#stop MANAGEMENT PORT INPUT BLOCK

-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -j DROP

#start MANAGEMENT PORT STATEFUL BLOCK
-A STATEFUL -i eth0 -m state --state NEW -j DROP
-A STATEFUL -i eth0 -p tcp -m tcp --dport 3306 -j DROP
#stop MANAGEMENT PORT STATEFUL BLOCK

-A STATEFUL -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A STATEFUL -j DUMP

COMMIT
# Completed on Tue Sep 15 15:06:41 2015
admin@firepower:/etc/sysconfig$
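The reply above makes a claim that is easy to check mechanically: a socket in LISTEN state is only reachable if the INPUT chain lets a fresh SYN through. The following is an added example, not code from the original thread or from Cisco. It takes a copy of the filter table and a constructed netstat listing (both embedded inline), walks the INPUT chain for a NEW TCP packet arriving on eth0 the way the kernel would (including jumps into the STATEFUL and DUMP user chains and the chain policy), and reports the verdict per listening port. The rule walk is a deliberately simplified model that only understands -i, -p, --dport, --icmp-type and --state; the sample netstat lines for tcp/22, tcp/8305 and a loopback-bound tcp/3306 are constructed for illustration and are not from the posts.

```python
"""Cross-check iptables INPUT rules against LISTEN sockets (added example).

Constructed samples below: the filter table copied from the thread, plus a
netstat -an excerpt with extra lines invented for illustration.
"""
import re
import shlex

IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1921:895829]
:DUMP - [0:0]
:STATEFUL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i cplane -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT  -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 8305 -j ACCEPT
-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -j DROP
-A STATEFUL -i eth0 -m state --state NEW -j DROP
-A STATEFUL -i eth0 -p tcp -m tcp --dport 3306 -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A STATEFUL -j DUMP
COMMIT
"""

# Constructed: only the tcp/23 line comes from the thread.
NETSTAT = """\
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8305 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.5:22 10.0.0.9:51234 ESTABLISHED
"""

MATCH_OPTS = ('-i', '-o', '-p', '--dport', '--icmp-type', '--state', '-j')


def parse_filter_table(text):
    """Return (policies, chains) parsed from the *filter table of an iptables-save dump."""
    policies, chains, in_filter = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('*'):
            in_filter = (line == '*filter')
            continue
        if not in_filter or not line or line.startswith('#') or line == 'COMMIT':
            continue
        if line.startswith(':'):                      # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
            continue
        if line.startswith('-A'):
            toks = shlex.split(line)
            chain, rule, i = toks[1], {}, 2
            while i < len(toks):
                if toks[i] in MATCH_OPTS:
                    rule[toks[i]] = toks[i + 1]
                    i += 2
                elif toks[i] == '-m':                 # skip the match-module name
                    i += 2
                else:
                    i += 1
            chains.setdefault(chain, []).append(rule)
    return policies, chains


def _matches(rule, pkt):
    """True if every criterion the rule specifies agrees with the packet."""
    checks = (('-i', 'iface'), ('-p', 'proto'), ('--dport', 'dport'), ('--icmp-type', 'icmp_type'))
    for opt, key in checks:
        if opt in rule and str(pkt.get(key)) != rule[opt]:
            return False
    if '--state' in rule and pkt['state'] not in rule['--state'].split(','):
        return False
    return True


def verdict(policies, chains, pkt, chain='INPUT'):
    """First matching terminal target wins; a user chain that falls off its
    end returns to the caller; the built-in chain's policy applies last."""
    for rule in chains.get(chain, []):
        if not _matches(rule, pkt):
            continue
        target = rule['-j']
        if target in ('ACCEPT', 'DROP', 'REJECT'):
            return target
        sub = verdict(policies, chains, pkt, target)  # jump into user chain
        if sub is not None:
            return sub
    policy = policies.get(chain)
    return None if policy == '-' else policy


def listening_tcp_ports(netstat_text):
    """Set of (local_addr, port) for TCP sockets in LISTEN state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r'tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN', line)
        if m:
            ports.add((m.group(1), int(m.group(2))))
    return ports


def reachable_from_eth0(iptables_text, netstat_text):
    """Map each LISTEN port to the verdict a fresh SYN arriving on eth0 gets."""
    policies, chains = parse_filter_table(iptables_text)
    result = {}
    for addr, port in listening_tcp_ports(netstat_text):
        if addr.startswith('127.'):
            result[port] = 'loopback-only'            # never reachable from eth0 anyway
            continue
        pkt = {'iface': 'eth0', 'proto': 'tcp', 'dport': port, 'state': 'NEW'}
        result[port] = verdict(policies, chains, pkt)
    return result


if __name__ == '__main__':
    for port, v in sorted(reachable_from_eth0(IPTABLES_SAVE, NETSTAT).items()):
        print(f'tcp/{port}: {v}')
```

Run against the listing from the post, the walk confirms the reply: a SYN to tcp/23 on eth0 matches nothing in INPUT, jumps to STATEFUL and is dropped by the "-i eth0 --state NEW -j DROP" rule, while tcp/22 and tcp/8305 are accepted by their explicit rules. Note that the NEW-state drop in STATEFUL is keyed on eth0; a SYN arriving on any other interface falls through to the "RELATED,ESTABLISHED,NEW -j ACCEPT" rule, so the rule set only makes the interface it names safe. To use this on a real box, replace the two constants with the output of iptables-save and netstat -an.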

 

Beginner

Re: Ask the expert- Best practices on Cisco FirePOWER

Thank you very much Marvin. This was very helpful.