02-21-2017 04:49 PM - edited 03-10-2019 06:46 AM
So coming from the ASA world and jumping into the Threat Defense world, I will not lie, I'm feeling lost. Like, completely lost. I have reviewed the configuration guide quite a few times but still can't come to a sane conclusion.
Back on the ASA, I could do mundane things like setting up OSPF routes, have my servers on a DMZ protected by the ASA, make internal IPs reachable by the devices on the WAN side without NAT'ing them, create access control lists to allow or block specific traffic, and direct traffic to inspection. The last is how ASA + SFR works, with SFR plugging in at the inspection part, however leaving the ASA to act as a regular firewall.
Now, on FTD mode (currently on the latest and greatest v6.2.0), things are a new beast. It looks great and the product has a lot of potential, opening doors to a higher level of automation on the network security field.
To begin with, unless I have the FTD talking to an FMC (I call this BS, however I can see a few positive points: i.e., how much impact the management interface and the rules compilation, checks and deployment would have on a busy security appliance's main tasks of inspection and security without bypassing traffic; OSPF has always been so entry level, I was not expecting that), I can't set OSPF routes. And so far, I haven't found a way in the GUI to check out routing tables: I can still use show route on the CLI, but hey, isn't FTD management via FMC supposed to be as much WebGUI as possible?
I still haven't found a way to reach any internal IP addresses from my devices on the WAN side - and as a matter of fact, I can't ping either private or virtual public IPs from the WAN side; just the real, physically connected interface addresses are being ARP'ed. Which can explain why my public servers, on the DMZ side, completely vanished off the real world. Routes exist on both the FTD and the outside device, exactly as they were in the old ASA days.
The Access List objects under Objects -> Object Management are of no use other than to create confusion (or are they?! I don't even have to deploy after changing them, as I have to every time I do anything else on the FMC), and it seems like ACLs are in fact consolidated under Policies -> Access Control, and from there I can make the old Allow/Deny sets and also enjoy the whole nice set of inspection features that Snort/Sourcefire offers. Too bad these are useless if the basics aren't working.
Anyone to give a basic rundown to an ASA guy on how to cover a few of the above scenarios?
Very appreciated.
02-21-2017 11:25 PM
Cisco exposed some of the legacy ASA features that have not yet been fully realized in FMC via the FlexConfig feature. Over time, they plan to deprecate that and have everything purely in the FMC GUI (or REST API if you go that route). The sense I get is that they decided to slip those features in with FlexConfig as opposed to leaving them out altogether and taking an even bigger hit from not supporting those features at all.
You should be able to do the basic ACL bits pretty much the same as you could with a plain ASA. In FMC 6.2 you now have access to packet-tracer and packet-capture functionality to check your logic. Please find it under System > Health > Monitor > Advanced Troubleshooting.
02-22-2017 07:22 AM
Thanks Marvin for the reply. FlexConfig seemed handy to use some "obscure" features from ASA in the FMC, but my understanding was ACLs were nothing short of basic, right?
With the FTD being the default gateway from multiple inside interfaces, wouldn't a full any to any, trust access policy be able to make, for instance, packets on two non-bridged interfaces go in and out and have the FTD routing them? I mean, I wasn't really expecting I would have to enter that on the FlexConfig section.
Now, I also cannot find this Advanced Troubleshooting inside System > Health > Monitor. There is only an Alert button on the top and a pie chart. Is that a feature available for higher end devices and not on the small 5506? I remember I could do pretty much anything on my 5505 prior to deploy on their bigger brothers.
I have been using the Analysis > Connection > Events to see what's hitting the interfaces, not sure how different the Advanced Troubleshooting is.
Thanks again.
02-22-2017 08:06 AM
You're welcome.
ACLs should have equivalent capability to ASA ACLs (with a small exception regarding SGTs).
I believe the Advanced Troubleshooting tool should be there for any FTD device - 5506 through 9300. I don't have one in front of me to verify it though.
02-22-2017 03:18 PM
The Advanced Troubleshooting is actually found after I select System > Health > Monitor and then click on the FTD device name (might need to expand the appliance summary "Normal" status to see a list of devices, if they have no alerts). It can also be found via a "Troubleshoot" icon under Devices > Device Management, next to the device Edit/Delete icons. However, no packet tracer tab or button is found.
Documentation states there is a packet tracer ("Firepower Management Center Configuration Guide, Version 6.2" PDF document, page 263), but no such tab is anywhere to be found.