04-20-2017 12:01 AM - edited 02-21-2020 06:03 AM
Dear Experts;
I installed and configured the FMC with FTD; I just have some issues regarding this deployment.
Deployment Scenario:
I configured the two passive interfaces (eth1, eth2) on the FTD server and SPAN the email traffic to eth1 and the web traffic to eth2. FTD analyzes the web traffic on eth2, but I need to verify whether the email traffic is coming in or not. As far as I know, the FTD has a customized Linux OS. How can I verify that?
On the FMC health status, it shows a URL filtering download failure error. How can I fix it, and how can I check the direct connectivity in FTD?
Your support is required.
Thanks
04-20-2017 01:48 AM
You can go into the OS and use tcpdump to see the incoming packets on a given interface. That program requires root privilege so be sure to "sudo tcpdump".
Regarding the health status, verify the FMC can reach the Internet and resolve addresses. You can also do this from the command line - telnet to an external host on port 80, nslookup etc. are all things you can do to verify.
04-20-2017 02:27 AM
Thanks for your support, Marvin.
On the CLI of FTD, I just have limited commands. I tried to figure it out but nothing works. Following are the commands:
configure
exit
expert
history
logout
show
systems
The above are the commands.
Kindly elaborate more on the commands so I can fix the issues.
Thanks
04-20-2017 03:48 AM
You need to switch to "expert" mode. Then you will be in the Linux bash shell environment.
04-27-2017 12:22 AM
Hi Marvin,
I just have a question:
Can I add multiple FTDs in FMC?
I recently added an FTD for the analysis of web traffic. Now the client needs analysis of email traffic.
The email traffic comes from regional sites too far from the existing site, so I need to deploy another FTD, add it to FMC, and SPAN the email traffic to it.
Can I add multiple FTDs in FMC?
I just deployed it, but when registering in FMC I just get an error. Kindly find an attached error snapshot.
Your kind support is needed.
Thanks
04-27-2017 12:34 AM
Yes - you can add multiple FTD sensors in a given FMC (subject to your FMC license of 2-, 10- or 25-device limit).
The error you are getting is most commonly due to one of two reasons:
1. Necessary network connectivity is not in place (tcp/8305 bidirectional is required between the FMC and all sensors)
2. There is a NAT between the FMC and the sensor. In that case you need to use the "DONTRESOLVE" option as described here:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html
Also, the sensor version must not be higher than the FMC (i.e. you cannot register a 6.2 sensor to a 6.1 FMC).
04-27-2017 02:39 AM
Hi Marvin,
Thanks for your reply.
Yes, I just checked the tcp/8305 bidirectional port, and following are the syslogs I received.
The FTD sensor IP address is 10.50.62.209.
Apr 27 2017 13:45:12 FMC sudo: pam_unix(sudo:session): session closed for user root
Apr 27 2017 13:45:12 FMC sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 27 2017 13:45:12 FMC sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/log/CSMAgent.log
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.62.209' in 14 seconds
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Could not receive Message: Closed
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Connected to 10.50.62.209:8305 (IPv4)
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.62.209
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.62.209:8305/tcp
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.62.209 (via eth0)
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Connect to 10.50.62.209 on port 8305 - eth0
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_peers [INFO] Peer 10.50.62.209 needs a single connection
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [4180] sftunneld:sf_connections [INFO] Start connection to : 10.50.62.209 (wait 0 seconds is up)
What was the issue? I am just a little confused by the logs below:
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.62.209' in 14 seconds
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Could not receive Message: Closed
Both are on the same version, 6.1.
Find attached snapshot for adding another FTD.
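An added example, not from this thread or from Cisco, that triages sftunneld syslog lines like the ones above per peer: it separates an attempt that never completed the TCP connection to 8305 (Marvin's reason 1) from one that did connect and then failed peer authentication, which is what the lines for 10.50.62.209 show. The second peer, 192.0.2.10, and its two lines are constructed for contrast.

```python
import re
from collections import defaultdict

# FMC syslog shape from the thread: "<ts> <host> SF-IMS[pid]: [tid] sftunneld:<module> [LEVEL] <message>"
LOG_RE = re.compile(
    r"^\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} \S+ SF-IMS\[\d+\]: \[\d+\] "
    r"sftunneld:(?P<module>\w+) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
PEER_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Message fragments that mark how far a registration attempt got.
MARKERS = {
    "tcp_connected": "Connected to ",       # TCP handshake to 8305 completed
    "auth_failed": "Failed to authenticate or to be authenticated",
    "connect_failed": "Unable to connect to peer",
}

# Lines quoted in the thread for 10.50.62.209, plus one constructed peer
# (192.0.2.10) that never gets a TCP connection to 8305. The pam_unix line is noise.
SAMPLE_LOG = """\
Apr 27 2017 13:45:12 FMC sudo: pam_unix(sudo:session): session closed for user root
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Connected to 10.50.62.209:8305 (IPv4)
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.62.209:8305/tcp
Apr 27 2017 13:46:00 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '192.0.2.10'
Apr 27 2017 13:46:00 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 192.0.2.10:8305/tcp
""".splitlines()

def triage(lines):
    """Map each peer IP to the markers seen and a one-word stage verdict."""
    peers = defaultdict(lambda: {**dict.fromkeys(MARKERS, False), "stage": "unknown"})
    for line in lines:
        m = LOG_RE.match(line.rstrip(" |"))   # tolerate copy-paste residue; non-sftunneld lines do not match
        if not m or not (ip := PEER_RE.search(m["msg"])):
            continue
        flags = peers[ip.group(0)]
        for key, needle in MARKERS.items():
            flags[key] = flags[key] or needle in m["msg"]
    for flags in peers.values():
        if flags["auth_failed"]:
            flags["stage"] = "auth_failed_after_connect"   # tcp/8305 reachable; peer authentication failed
        elif flags["connect_failed"] and not flags["tcp_connected"]:
            flags["stage"] = "no_tcp_connection"           # the thread's reason 1: tcp/8305 not reachable
        elif flags["tcp_connected"]:
            flags["stage"] = "connected"
    return dict(peers)
```

Feed it the output of grepping sftunneld from the FMC syslog; a peer whose verdict is no_tcp_connection points at the tcp/8305 path, while auth_failed_after_connect means the TCP path is open and the failure is at the peer authentication step.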
04-27-2017 05:32 AM
Hi Marvin,
I just registered the FTD; thanks for your support. You are right that we just had the port issue on both FMC and FTD. Thanks.
Now I just have an issue with the licenses. How can I generate the licenses for that FTD?
I just assigned the same policy as for the previous FTD. I just need the steps to generate the licenses.
Thanks
Kindly find the below snapshot.
04-27-2017 05:41 AM
FTD uses Smart Licenses. You need to allocate them to your registered FMC in the Cisco portal:
https://software.cisco.com/
...and then apply them to the new sensor within FMC.
04-28-2017 05:57 AM
Hi Marvin,
I just registered another FTD and transferred the SMTP traffic through the SPAN port.
I just have some queries:
How can I check and analyze the SMTP traffic?
How can I check whether the traffic is coming or not?
What are the commands in FMC and FTD to find the SMTP or port 25 traffic?
04-28-2017 08:29 AM
You can simply query the connection events and filter for smtp application.
Analysis > Connections > Events. Then "Edit Search" and include only smtp.
05-02-2017 11:37 AM
Hi Marvin;
I analyzed all the events, but there is no sign of SMTP or port 25.
How can I further check the traffic? In the FTD console I typed the command system support firewall engine debug and also typed the filters on port 25, but nothing showed on it either.
Your support is needed.
Thanks
05-02-2017 11:42 AM
First off I'd confirm your span port is sending the smtp traffic. If it's physically nearby I'd just put a laptop with Wireshark on the port and grab a sample of the traffic.
If you're running 6.2 you can do advanced troubleshooting - do a trace and/or pull a packet capture from the GUI.
http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting_the_system.html#id_41600
05-15-2017 07:37 AM
Hi Marvin;
Good Day!
As per the global WannaCry ransomware attack, the client needs to move this APT solution to INLINE mode.
I just need a little help for doing this activity.
Yes, the email traffic is now analyzed. Now the POC is completed.
Next Step:
Now the client needs to move FMC and FTD to inline mode.
We will place FTD behind the web gateway. How many interfaces do I need in FMC?
I just have some queries regarding moving from passive mode to inline mode. What are the requirements for inline deployment? How many ports do I need in FTD to take action on both email and web traffic?
How does the web gateway push the traffic to FTD?
How does the email gateway push email traffic to FTD?
If you have any document for inline deployment of the FTD, kindly share it.
I just have one night for this activity. Your kind support is needed.
Thanks
Qamar
05-15-2017 08:33 AM
Qamar,
What you are asking is more of a professional services request, which Cisco or a partner could handle as a paid service.
In general terms, FMC has a single interface for connecting to the managed devices as well as for administrative access to the server.
FTD interface design is not unlike firewall interface design - it varies widely according to the client's requirements, both current and planned. A very simple deployment is shown in the Quick Start Guide here:
http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-fdm-5500x-qsg.html#pgfId-129862
Of course, if you have multiple interfaces and/or zones with varying security levels, your deployment could vary quite a bit from a simple "inside, outside and management" setup.