03-12-2018 05:10 PM - edited 02-21-2020 07:30 AM
This topic is a chance to discuss more about all you need to know about Cisco FirePOWER security solution. On this session, Marvin Rhoads will be answering all kind of questions about FirePOWER Management Center (FMC), FirePOWER Threat Defense (FTD) and FirePOWER service modules to FirePOWER appliances. All kind of topics related to this solution, such as operation, configuration, design architecture, troubleshooting, installation and licensing will be covered.
Centralize, integrate, and simplify security management on your network
To participate in this event, please use the button below to ask your questions
Ask questions from Monday, March 19th to Friday 30th 2018
Featured Expert
Marvin Rhoads is a network security engineer with over 3 decades of experience. He focuses on Cisco network security solutions in his work as an independent consultant performing client-facing design and deployment services for several Cisco Partners. In addition to his 25 years of experience as a Cisco customer, Marvin has worked with Cisco partners for the past 7 years. Marvin holds several security and professional certifications, including a CCNP Security. He holds a Master’s Degree in Systems Engineering and a Bachelor’s Degree in Electronics Engineering Technology. He’s currently pursuing a CCIE Security certification.
Marvin is passionate about helping and learning from his peers in the industry. He has been an active Cisco Support Community contributor since 2001. He has been named as a Cisco Designated VIP for 6 years in a row. In 2017 he was recognized as a member of the elite Cisco Support Community Hall of Fame program.
Marvin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation at the Security Category.
Find other events or open new discussions https://supportforums.cisco.com/t5/community-ideas/bd-p/5911-discussions-community-ideas
**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions
03-21-2018 09:45 PM
Hi Team,
thanks for hosting expert event on FTD
we are trying to integrate FMC and FTD to Windows NPS radius server for centralized administration, we tried to find some Cisco docs to configure FMC and FTD radius attributes but we were not successful yet.
can you share any write up with step by step instructions how can I integrate FMC and FTD to windows radius for the management access authentication
thanks
Basavaraj
03-22-2018 01:42 AM - edited 03-22-2018 01:48 AM
Please refer to the Firepower Management Center configuration guide section on RADIUS authentication for system users here:
It gives a step-by-step guide from the perspective of the FMC end. I'm not aware of any guide that will also cover the NPS server side.
Are you trying to add specific attributes not already included in the not included in the dictionary file in /etc/radiusclient/ ? If so, note that any new attributes must be distinct from those included in the built-in dictionary.
03-22-2018 04:34 AM
Hi Marvin,
Thanks for your reference, we have added FMC IP as a radius client on the NPS side and in the FMC we have configured external authentication in fmc, but for some reason it didn't work, then we have raised the TAC case and TAC told that they are not supporting radius now. below is the message from TAC
"
We had a discussion with our BU and they concluded that FMC and microsoft NPS integration hasn’t been tested by the BU and there’s no relevant documentation for that as of now but they might test it and publish the documentation for the it in future.
If you have any questions or doubts, please do not hesitate to send me an e-mail. I'll be more than glad to help with your issue. Hope to hear from you soon."
If there is any solution now for this now, if you can share it with me that will be great.
Thanks
Basavaraj
03-22-2018 05:24 AM
While TAC might not support NPS integration per se, you should be able to make RADIUS work as an external authentication method. I use ISE as my external RADIUS server in my lab FMC and it works fine.
RADIUS is (mostly) clear text so you should be able to perform some packet captures to isolate and troubleshoot where the failure is occurring.
03-22-2018 09:34 PM
03-22-2018 11:34 PM
You can use user identity in your Access Control Policies (ACPs) which can include URL filtering conditions. One very good source for that identity is ISE. It is passive from the Firepower point of view so I believe it fits what you are asking when you refer to "single sign on".
You integrate ISE as an identity source to your Firepower Management Center by following the procedure described in the configuration guide here:
03-22-2018 09:53 AM
Hi All,
A design question, an FTD-HA set in front of a DC/server farm.
We need to implement a transparent FTD FW - in pair of ports. The question is this connection is a trunk port, and will carry 5+ VLANs through this north-south traffic. I cannot find a solid document for this type of design. l find lots about layer1, layer2, and layer3 in separate documentation. Layer 1 does support trunk port. Layer2 does support VLAN, layer3 does support route mode with BVI or transparent mode.
But I cannot find one that stated layer1/2 as trunk port with multiple VLANs and supported in transparent mode.
I/we believe it should work. But don't want to test it in production.
Thanks
Antien
03-22-2018 10:55 AM
You can do what you are asking about by using subinterfaces and tagging the VLANs on each side of the firewall.
Remember you can always lab it using an FTDv and a free evaluation license.
03-22-2018 10:11 AM
Hi Marvin,
First of all, congratulations to have the spirit to alwayls help people, this is something that in the technology side isn´t easy to find. Go ahead! You are in the right path! :)
About questions for Cisco Firepower, I have a couple below:
1.- It is recommended in a regular implementation with ASA FTD or ASA with FirePOWER to add ALL traffic to be inspected by IPS & AMP engines? I know that security rules recommend to always verify every packet that comes from Internet to our internal network, but probably there are some best practices that can consider to isolate traffic from Guest Users, Some specific Applications like: Microsoft Update, Anti-Virus/Malware clients, etc. in order to improve the performance in the box.
2.- For SSL decryption: Which are the best practices considering the first question, in where probably we don´t need to inspect ALL SSL traffic in the networks? Is evident that all ASA´s or Firepower appliance have a degradation of their performance, so I would like to know your inputs about this point due encryption traffic is something that is here as a day to day operation and we need to consider it due the amount of traffic that uses this kind of cipher.
Thanks for your inputs and comments,
Best regards.
Neyton Avila
03-22-2018 10:41 AM
Thanks for the encouraging words.
Regarding your questions:
1. In the context of your sensor being an Internet edge device, there are cases where you may not want to inspect incoming traffic. For instance, I have had scenarios where a significant amount of the incoming traffic was IPsec that terminated on a "behind the firewall" device. In that case we exempted all of that traffic from IPS inspection and got back a lot of capacity. For deployments other than the Internet edge there may be similar exemptions that are appropriate - for instance, bulk data transfers like backups between trusted hosts in a data center deployment.
2. SSL decryption is increasingly problematic for many reasons. The best use case for is is incoming SSL traffic to a server where you have the certificate and private key. For outbound traffic you not only have the challenges of being a "man-in-the-middle" and needing to decrypt and re-sign but also an increasing number of applications (iTunes, Dropbox etc.) and sites are resistant to this approach because of techniques like certificate pinning and related ones. The performance impact of trying to decrypt all SSL are significant as well. I usually advocate an approach that puts inspection of that sort of traffic closer to the user - things like Cisco AMP for Endpoints and Umbrella are my favored solutions as they will see the traffic in its unencrypted form by nature of where they sit.
03-22-2018 10:59 AM
Thanks @Marvin Rhoads for your answer, I will consider all your comments in future implementations and designs.
Have a great day! :)
Best regards,
Neyton Avila
03-22-2018 11:32 AM
Marvin,
When will the FP 2100 support SSL/TLS Decryption in hardware? The majority of my clients (I'm with a Partner) are bringing up the trend of Malware being transported in TLS to get around the inspections of FirePower and other IPS devices. The Cisco 2018 Annual Cyber Security Report also highlighted this trend. Palo Alto has been doing hardware decryption in many of their models for some time now and it is hard to for FirePower to complete against PA in the face of this obvious discrepancy. Also, are the FP 4100 models every going to have hardware decryption chipsets? It is my knowledge that they don't ship with the chipset at all. Also, is there any plan for the FTD line of ASA 5500X's to get TLS descryption chipsets? Or will there future replacement models with them?
I know that CPU based decryption is possible but the few (very few) Cisco documents I've seen referencing this option in FTD say that there is a 50-80% performance decrease on the FTD if you use CPU based decryption so this doesn't seem like a viable alternative.
Thanks,
Mark DeLong
03-22-2018 06:31 PM - edited 03-22-2018 07:04 PM
You make very good points about the challenges of protecting against threats in SSL/TLS payloads. Cisco is acutely aware of them as well and currently addresses them with several shipping products such as AMP for Endpoints, Umbrella and the recently announced Encrypted Traffic Analytics (ETA) technology.
I'm not authorized to comment on non-publicly-announced future releases from Cisco. I suggest contacting your local Cisco account manager or partner (moot for you since you're already a partner, but useful for the larger audience) to arrange for briefings under non-disclosure agreement which may shed light on future plans. As a partner you also have avenues via the partner enablement team (Partner Security community, SEVT etc.) by which to get roadmap information.
I can say as a general industry observation that decrypting all outbound traffic at the Internet edge is falling out of favor. It is problematic in the best of cases even with dedicated hardware appliances, whether from Cisco or other vendors. Products (iTunes, Dropbox, others) and protocols (e.g., http/2) are increasing rightly resistant to man-in-the-middle technologies that fundamentally break the chain of trust between client and server.
03-22-2018 11:34 AM
Marvin,
When will FTD based AnyConnect VPN support local usernames for authentication? Also, when will it support LDAP attribute maps and LDAP based authorization?
Thanks!
Mark DeLong
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide