Security Global Forum for ASA and FTD Topics - AMA

ciscomoderator
Community Manager

This event is a chance to discuss Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) regarding products, management, installation, configuration, implementation, use, and integration with other devices within your network. Learn the best practices to make the most of the advanced firewall settings, as well as the best practices to troubleshoot its common issues. This forum event works well as an introduction for those who are not familiar with the security tools and have recently started using them.

To participate in this event, please use the Reply button below to ask your questions.

Ask questions from Tuesday, January 12 to Friday, January 22, 2021

Featured experts
Berenice Guerra Martinez is a Technical Consulting Engineer at the Cisco Global Technical Assistance Center (TAC) for Security - Next Generation Firewall (NGFW). She specializes in Threat Detection, ASA and Firepower configuration and best practices, and Firepower integrations. Berenice has a bachelor's degree in electronic engineering with a cybersecurity specialization and is a Telecommunications Technician. She holds three different Cisco certifications: CCNA R&S, CyberOps Associate, and DevNet Associate.

Namit Agarwal is a Technical Marketing Engineer in the Security Business Group. He is based out of Toronto, Canada. He partners closely with our platform product management team and leads critical technical enablement engagements. He joined Cisco in 2009 and has held multiple positions, most recently working as a Technical Leader with the Security CX team in Bangalore, India. In that role, he worked on escalations, led serviceability initiatives for product improvement, and drove engagements with the NGFW sales teams. He is a CCIE n°33795 Security and has experience with multiple Cisco Security solutions such as Cisco Firewalls, IPS, VPN, and Cloud Security.

Ilkin Gasimov is a Technical Consulting Engineer in the Cisco Global TAC for Security - NGFW. He joined the TAC team in 2017 and since then has mainly been focused on supporting Cisco NGFW platforms and on the collaboration with the Cisco Business Unit to contribute to the NGFW product quality improvement. He has also delivered troubleshooting sessions to partners and customers. Before joining Cisco, he had hands-on experience with Cisco ASA firewalls in enterprise and mobile networking environments. He has held a CCIE n°54979 Security certification since 2016.

Ricardo Diez Gutierrez Gonzalez is a Technical Consulting Engineer at the Cisco HTTS TAC for Security – NGFW – ASA – VPN. He joined Cisco six years ago. He belonged to the incubator program for six months, achieving his CCNA, and then became a full-time engineer. Later he obtained his Specialist NGFW and CCNP Security certifications. He is currently studying for the CCIE exam.
 

For more information, visit the Security Discussions category.
Find further events on Security Events list.


Hi Adolfo,

 

You can create captures in two different ways on the FTD.

 

Using the GUI:

 

Go to System > Health > Monitor.

Search for and select the device where you want to enable the captures.

Click on Advanced Troubleshooting.

Navigate to Capture w/ Trace and then click on Add Capture.

 


 

Using CLI:

 

SSH into the FTD.

You will land at the clish prompt (>):

>

We need to jump to the LINA side (ASA code) using the following command:

> system support diagnostic-cli

 

firepower> enable

Password:         <------ just hit Enter, there is no enable password
firepower#

 

Here you can enable captures using the same commands you use on the ASA:

 

firepower# capture in interface inside match ip any any

 

Thanks
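A fuller capture workflow on the LINA side, added here as an example and not part of Ricardo's reply. The interface names, the two hosts and the TFTP server are placeholders; the commands are the standard ASA capture commands available through `system support diagnostic-cli`:

```cisco
! Added example. Placeholders: interfaces "inside"/"outside", hosts
! 10.1.1.10 and 10.2.2.20, TFTP server 192.0.2.5.

! Enter the LINA (ASA-code) CLI from the FTD clish prompt
> system support diagnostic-cli
firepower> enable
Password:
firepower#

! 1. Narrow the match. "match ip any any" on a busy interface fills the
!    buffer in seconds and is hard to read; match the hosts you care about.
firepower# capture CAP_IN interface inside trace match tcp host 10.1.1.10 host 10.2.2.20 eq 443

! 2. Same flow on the egress interface. A packet seen on inside but never
!    on outside was dropped inside the box.
firepower# capture CAP_OUT interface outside match tcp host 10.1.1.10 host 10.2.2.20 eq 443

! 3. Record every dropped packet together with its drop reason
firepower# capture CAP_DROP type asp-drop all

! 4. Reproduce the traffic, then inspect
!    "show capture" alone lists every capture and its buffer usage
firepower# show capture
firepower# show capture CAP_IN
!    per-phase verdict (ACL, NAT, Snort, ...) for the first captured packet
firepower# show capture CAP_IN packet-number 1 trace detail
firepower# show capture CAP_DROP | include 10.1.1.10

! 5. Export the buffer as a pcap for Wireshark
firepower# copy /pcap capture:CAP_IN tftp://192.0.2.5/cap_in.pcap

! 6. Remove the captures when done; they keep running and hold memory
firepower# no capture CAP_IN
firepower# no capture CAP_OUT
firepower# no capture CAP_DROP
```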

Hi Adolfo,

In addition to Ricardo's solution, I can tell you that FTD devices contain a LINA part in which we can run some of the commands you used to run on ASA devices. To navigate from the clish prompt (the FTD portion) to the LINA side (ASA), type the 'system support diagnostic-cli' command; this takes you to the LINA portion, where you can run most of the ASA commands.

For further details about how to set up packet captures in the NGFW product family, you can consult the following content.

Cisco Video Portal - https://video.cisco.com/video/6176793105001
Cisco Tech Notes - https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

Jessica Deaken
Level 1

Is ASA deployment supported in virtual environments?

Hi Jessica,

 

Yes, the ASA is supported on some virtual environments. It is called ASAv and we support:

 

Amazon Web Services

Kernel-based Virtual Machine (KVM)

Microsoft Azure

Oracle Cloud Infrastructure (OCI)

VMware vSphere

Microsoft Hyper-V

 

For more information please check:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_65990 

 

Thanks.

 

Hi Jessica,

Yes, the deployment of ASA is supported on different virtual platforms like VMware, KVM or Azure.
For further details about how to deploy an ASAv on Microsoft Azure, see the following video from the Cisco Video Portal site: https://video.cisco.com/video/6175870414001

Cisco Moderador
Community Manager

Hello everyone,

How can I replace a pair of HA ASAs if a unit is faulty?

Thanks a lot,

Adolfo.

 

Note: This question is a translation of a post originally created in Spanish by Adolfo Suarez. It has been translated by Cisco Community to share the inquiry and its solution in different languages.

Hi Adolfo,

 

Here is the procedure:

 

1. After you replace the unit (RMA), connect the ASA interfaces and turn on the device.

2. Re-host the license (open a TAC case with the licensing team).

3. If the ASA is in multiple-context mode, change the new unit to multiple-context mode using the command "mode multiple". It will reboot the firewall.

4. From the unit that is working, take the output of the "show run failover" command, change the role (if the working unit is the primary, then change it to secondary) and paste it on the faulty device.

5. Enable the failover using the command "failover".

6. Check services and test a failover using the command "no failover active" on the active unit.

 

Thanks.
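What the role-swap step looks like in practice, added here as an example rather than taken from the reply above. Hostnames, the failover link name FOVER, GigabitEthernet0/3 and the 192.168.254.0/30 addresses are placeholders; the shared key is shown masked because "show run failover" does not print it:

```cisco
! Added example. All names and addresses are placeholders.

! On the surviving (primary) unit: take the failover configuration
ASA-PRI# show run failover
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover link FOVER GigabitEthernet0/3
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key *****

! On the replacement unit, paste the same lines with ONLY the role changed.
! In multiple-context mode the unit must already be in "mode multiple" and
! this is entered in the system execution space. The key is masked in the
! output above, so re-enter the real shared key by hand.
ASA-NEW(config)# failover lan unit secondary
ASA-NEW(config)# failover lan interface FOVER GigabitEthernet0/3
ASA-NEW(config)# failover link FOVER GigabitEthernet0/3
ASA-NEW(config)# failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
ASA-NEW(config)# failover key <shared-key>
ASA-NEW(config)# interface GigabitEthernet0/3
ASA-NEW(config-if)# no shutdown

! Enable failover last: the new secondary then pulls the full running
! configuration from the active primary over the failover link.
ASA-NEW(config)# failover

! Verify the pair before testing a switchover
ASA-NEW# show failover
ASA-PRI# show failover state
ASA-PRI# no failover active
```

If the pasted configuration were left with "failover lan unit primary", both units would claim the primary role and the replacement would not join the pair cleanly, so that single line is the one to check before enabling failover.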

 

StevieC666
Level 1

Hi all,

 

We have a pair of FP4115s and a pair of FMC2600 boxes with 3 FTD HA instances running within the 4115s. We're on 6.5.0.3 for FMC/FTD and 2.8(1.125) for FXOS.

 

It's being suggested by our MSP to go to 6.6.1-91 for FMC/FTD, which makes absolute sense from a security and stability perspective. From a functionality perspective, however, 6.7 looks like it will address the reasons we haven't migrated to AnyConnect yet from MS DirectAccess; we've bought all the appropriate licences, and there are other features that will make our MSP's life easier.

 

Any idea when 6.7 will move to suggested release? Are there any risks we could face by ignoring the suggested advice and guiding our MSP to go to that version?

There is no date defined to make 6.7 the next recommended version. In fact, the 6.7 version was released to add new features to the Firepower devices.

 

I'd say that if you have made a proper analysis of your network requirements and find one version more suitable than the other, then it depends on your network environment which one would work better for you.

 

You may review the Resolved Issues and Known Issues from the Release Notes to cover all the possible concerns for the version evaluation.

Goodnight,

Is Speedtest or any third-party speed test a good measure for speed testing Firepower devices?

Thank you

* This is a question posted in French by ADC. It has been translated by Cisco Community to share the inquiry and its solution in different languages.

 

Hi ADC

When you test with any speed testing website, or any bandwidth measurement tool such as iperf, one large single-stream TCP flow is generated. This type of large TCP flow is called an Elephant Flow. An Elephant Flow is a single-session, relatively long-running network connection that consumes a large or disproportionate amount of bandwidth. This type of flow is assigned to one Snort instance, therefore the test result displays the throughput of a single Snort instance, not the aggregate throughput rating of the appliance.

One good option would be an FTP transfer through the firewall.
Also, you can use this tool to estimate the performance of your Firepower device:
https://ngfwpe.cisco.com/

Can Firepower's malware policy take effect on files sent by IM software (e.g. Telegram, WhatsApp)?

The file policy can detect and inspect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB). Any, the default, detects files in HTTP, SMTP, IMAP, POP3, FTP, and NetBIOS-ssn (SMB) traffic. 

 

In order for the file policy to be in effect for the above protocols in encrypted connections, such as HTTPS, such connections should be decrypted first. IM software typically uses encrypted connections, so they are subject to decryption before the file policy takes effect on the payload. Whether a particular connection can be decrypted or not depends on a few factors. The Encrypted Traffic Handling section of the configuration guide shows the guidelines and limitations of handling encrypted traffic in Firepower software.

 

armnandoh
Level 1

Hello Cisco team,

First of all, thank you for the initiative in these types of events, they are really very helpful for the community.

I have a little question regarding VPN filters in a Client to site VPN (Anyconnect) in FTD managed by FDM.

In ASA I used to create a VPN filter for local users like this:

I create the ACL
access-list VPN-FILTER-NAME permit <ip/tcp/udp> object-group IPPOOL <LOCAL-NETWORK/PORT>

And then I apply the ACL in the username attributes:

username <user> attributes
vpn-filter value VPN-FILTER-NAME

e.g.

access-list AQUAMAN-FILTER extended permit tcp object-group CLIENT-VPN-IPPOOL host 172.24.16.10 eq 3389

username aquaman password 12345
username aquaman attributes
vpn-filter value AQUAMAN-FILTER

and it works.

But in the FDM, I have not found a feature where I can create this kind of filter.

In FDM users are created by Objects > Users > Add Local User (Service Types: RA-VPN)
Name and password are the only attributes that I can fill.

I already tried to enable the Identity Policy in the Policies tab, and then created an ACL adding the source (IPPOOL) and destinations (<LOCAL-NETWORK/PORT>) and the local users that were created. Bypass Access Control policy for decrypted traffic (sysopt permit-vpn) was disabled in the Remote Access VPN Connection Profile, so that the ACL created could take effect. But it did not work.

Maybe I am missing something, could you please help me with the best practices in order to create VPN filters for local users in a Client to site VPN (Anyconnect) by FDM?

Best regards.

Hi, currently FDM does not support specifying user attributes such as vpn-filter for local users. The local users used in the Remote Access VPN are detected as part of Passive Identity and can be used in the Access Control Policy to control access for the VPN user. 

 

It is in effect better than the ASA option, as we can specify applications as well in the Access Control Policy rule. For this to work, we need to enable the Identity Policy in FDM, and there is no need to create an Identity rule.

 

I just tested this on FDM and it works. You can re-verify the settings and let me know (can you confirm whether you are seeing the connection events on the FDM monitoring tab?).

 

Thanks,

Namit 
