This topic is a chance to discuss everything you need to know about the Cisco FirePOWER security solution. In this session, Marvin Rhoads will answer all kinds of questions about FirePOWER Management Center (FMC), FirePOWER Threat Defense (FTD), and the FirePOWER service modules and FirePOWER appliances. All topics related to this solution, such as operation, configuration, design and architecture, troubleshooting, installation and licensing, will be covered.
Centralize, integrate, and simplify security management on your network
Ask questions from Monday, March 19th to Friday, March 30th, 2018.
Marvin Rhoads is a network security engineer with over 3 decades of experience. He focuses on Cisco network security solutions in his work as an independent consultant performing client-facing design and deployment services for several Cisco Partners. In addition to his 25 years of experience as a Cisco customer, Marvin has worked with Cisco partners for the past 7 years. Marvin holds several security and professional certifications, including a CCNP Security. He holds a Master’s Degree in Systems Engineering and a Bachelor’s Degree in Electronics Engineering Technology. He’s currently pursuing a CCIE Security certification.
Marvin is passionate about helping and learning from his peers in the industry. He has been an active Cisco Support Community contributor since 2001. He has been named as a Cisco Designated VIP for 6 years in a row. In 2017 he was recognized as a member of the elite Cisco Support Community Hall of Fame program.
Marvin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation at the Security Category.
With any FTD remote access VPN you should be aware of the current guidelines and restrictions, since there is not yet feature parity with the ASA-based solution.
You cannot currently restrict device types allowed on a remote access VPN using FTD alone (with either local management or FMC).
Client certificate authentication is configured under your VPN connection profile AAA tab as shown below:
In my Firepower service module on a 5525-X I don't see any hits for Security Intelligence on any traffic. How can I trace where things are missing for Security Intelligence?
Check that you have selected some networks and/or URLs in the Security Intelligence settings of your applied Access Control Policy, and that you have logging activated for the blacklisted objects.
It should look similar to what I show on my lab server as follows:
I suggest creating an entry in a test_blacklist URL list like the one shown in my example: just some target domain that's seldom used that you can test with.
With that in place, browse to the target domain and see if it's blocked. If it is, you should see a SI event. If not, please share the connection record.
To my knowledge Firepower does not use Telnet. When creating a session to the sfr module and running `netstat -an`, I see the sensor listening on port 23:

```
sfr$ netstat -an
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
```

Can anyone tell me why this sensor is listening on TCP port 23, and if this can be turned off?
This seems to be the default behavior.
It only appears to be listening at the Linux OS level. If you try to open a telnet connection it will be refused. That's because they're blocking the incoming traffic with iptables.
The only accepted traffic is ICMP (ping, restricted to the required ICMP message types), tcp/22 (SSH) and tcp/8305 (the management port used by FMC).
See the following listing for confirmation:
```
admin@firepower:/etc/sysconfig$ more iptables
# Generated by iptables-save v1.4.20 on Tue Sep 15 15:06:41 2015
*mangle
:PREROUTING ACCEPT [98319:30342283]
:INPUT ACCEPT [98342:30344874]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4427:1360521]
:POSTROUTING ACCEPT [4446:1362033]
COMMIT
# Completed on Tue Sep 15 15:06:41 2015
# Generated by iptables-save v1.4.20 on Tue Sep 15 15:06:41 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1921:895829]
:DUMP - [0:0]
:STATEFUL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i cplane -j ACCEPT
#start ICMP INPUT BLOCK
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
#stop ICMP INPUT BLOCK
#start SSL SSH SNMP PORTS INPUT BLOCK
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#stop SSL SSH SNMP PORTS INPUT BLOCK
#start ESTREAMER PORT INPUT BLOCK
#stop ESTREAMER PORT INPUT BLOCK
#start MANAGEMENT PORT INPUT BLOCK
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 8305 -j ACCEPT
#stop MANAGEMENT PORT INPUT BLOCK
-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -j DROP
#start MANAGEMENT PORT STATEFUL BLOCK
-A STATEFUL -i eth0 -m state --state NEW -j DROP
-A STATEFUL -i eth0 -p tcp -m tcp --dport 3306 -j DROP
#stop MANAGEMENT PORT STATEFUL BLOCK
-A STATEFUL -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A STATEFUL -j DUMP
COMMIT
# Completed on Tue Sep 15 15:06:41 2015
admin@firepower:/etc/sysconfig$
```
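To confirm the reasoning in the answer above without touching a sensor, here is a small simulator, added as an example and not part of the original post or of Cisco's software. It parses the `*filter` table from the listing (copied with counters and the empty ESTREAMER block omitted, since neither affects the decision) and walks a packet through `INPUT` into the user-defined `STATEFUL` and `DUMP` chains the way the kernel does: first matching terminal target wins, a user chain that falls off its end returns to the caller, and the chain policy applies only when nothing matched. The connection-tracking state is supplied with each probe rather than modelled, and the probe packets are constructed for the demonstration.

```python
"""Walk packets through the sfr module's INPUT chain (added example).

Shows why the tcp/23 listener seen in netstat is unreachable from eth0:
INPUT has a DROP policy, only tcp/22, tcp/8305 and three ICMP types are
accepted as NEW, and the STATEFUL chain drops every other NEW packet.
"""

# Constructed copy of the *filter table from the iptables-save listing,
# with packet/byte counters zeroed and the empty ESTREAMER block dropped.
FILTER_TABLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DUMP - [0:0]
:STATEFUL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i cplane -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 8305 -j ACCEPT
-A INPUT -j STATEFUL
-A OUTPUT -o lo -j ACCEPT
-A DUMP -j DROP
-A STATEFUL -i eth0 -m state --state NEW -j DROP
-A STATEFUL -i eth0 -p tcp -m tcp --dport 3306 -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
-A STATEFUL -j DUMP
COMMIT
"""

# iptables option -> packet field it matches against ("-m" loads a match
# extension and carries no decision logic, so it is skipped).
OPTION_FIELDS = {"-A": "chain", "-i": "iface", "-o": "out_iface", "-p": "proto",
                 "--dport": "dport", "--icmp-type": "icmp_type", "-j": "target"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_table(text):
    """Return (policies, chains): chain policy (None = user chain) and rule lists."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue
        if line.startswith(":"):                     # ":NAME POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            policies[name] = None if policy == "-" else policy
            chains[name] = []
            continue
        toks, rule, i = line.split(), {}, 0
        while i < len(toks):                         # every option takes one value
            flag, val = toks[i], toks[i + 1]
            if flag == "--state":
                rule["states"] = set(val.split(","))
            elif flag in OPTION_FIELDS:
                rule[OPTION_FIELDS[flag]] = int(val) if flag == "--dport" else val
            elif flag != "-m":
                raise ValueError(f"unsupported option {flag!r} in: {line}")
            i += 2
        chains.setdefault(rule.pop("chain"), []).append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """A rule matches when every criterion it specifies equals the packet's field."""
    for key in ("iface", "out_iface", "proto", "dport", "icmp_type"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return "states" not in rule or pkt.get("state") in rule["states"]


def walk(chain, pkt, chains, policies):
    """First terminal target wins; a user chain with no match returns None to its caller."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        verdict_in_user_chain = walk(target, pkt, chains, policies)
        if verdict_in_user_chain is not None:
            return verdict_in_user_chain
    return policies.get(chain)           # built-in chain policy, None for user chains


def packet(iface, proto, state="NEW", dport=None, icmp_type=None):
    """Constructed inbound packet; conntrack state is given, not computed."""
    return {"iface": iface, "proto": proto, "state": state,
            "dport": dport, "icmp_type": icmp_type}


def verdict(pkt, table=FILTER_TABLE):
    policies, chains = parse_table(table)
    return walk("INPUT", pkt, chains, policies)


if __name__ == "__main__":
    probes = [packet("eth0", "tcp", dport=23), packet("eth0", "tcp", dport=22),
              packet("eth0", "tcp", dport=8305), packet("eth0", "icmp", icmp_type="8"),
              packet("eth0", "tcp", dport=3306, state="ESTABLISHED"),
              packet("lo", "tcp", dport=23)]
    for p in probes:
        what = p["dport"] if p["dport"] is not None else f"icmp-type {p['icmp_type']}"
        print(f"{p['iface']:5} {p['proto']:4} {what!s:12} {p['state']:11} -> {verdict(p)}")
```

Two details the simulator makes visible that a glance at the listing does not: a tcp/3306 packet is dropped even in the ESTABLISHED state because the STATEFUL rule for it carries no `--state` qualifier, and the same telnet SYN that is dropped on eth0 is accepted on `lo`, which is why the port still shows as LISTEN locally. Replace `FILTER_TABLE` with the output of `iptables-save` from your own sensor to check a different ruleset.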