Firepower FMC and FTD Deployment Issues:

Qamar Islam
Level 1

Dear Experts,

I installed and configured the FMC with FTD; I just have some issues regarding this deployment.

Deployment Scenario:

I configured two passive interfaces (eth1, eth2) on the FTD server and spanned the email traffic to eth1 and the web traffic to eth2. FTD analyzes the web traffic on eth2, but I need to verify whether the email traffic is coming in or not. To my knowledge the FTD has a customized Linux OS. How can I verify that?

On the FMC health status, it shows a URL filtering download failure error. How can I fix it, and how can I check the direct connectivity in FTD?

Your support is required.

Thanks


26 Replies

Marvin Rhoads
Hall of Fame

You can go into the OS and use tcpdump to see the incoming packets on a given interface. That program requires root privilege so be sure to "sudo tcpdump".

Regarding the health status, verify the FMC can reach the Internet and resolve addresses. You can also do this from the command line - telnet to an external host on port 80, nslookup etc. are all things you can do to verify.

Thanks for your support, Marvin.

On the CLI of FTD, I just have limited commands. I tried to figure it out but nothing works. Following are the commands:

configure

exit

expert

history

logout

show

systems

The above are the commands.

Kindly elaborate more on the commands so I can fix the issues.

Thanks

You need to switch to "expert" mode. Then you will be in the Linux bash shell environment.

Hi Marvin,

I just have a question:

Can I add multiple FTDs in FMC?

I recently added an FTD for the analysis of web traffic. Now the client needs analysis of email traffic.

The email traffic comes from regional sites too far from the existing site, so I need to deploy another FTD, add it to FMC and span the email traffic to it.

Can I add multiple FTDs in FMC?

I just deployed it, but when registering in FMC I just get an error. Kindly find the attached error snapshot.

Your kind support is needed.

Thanks

Yes - you can add multiple FTD sensors in a given FMC (subject to your FMC license of 2- 10- or 25-device limit).

The error you are getting is most commonly due to one of two reasons:

1. Necessary network connectivity is not in place (tcp/8305 bidirectional is required between the FMC and all sensors)

2. There is a NAT between the FMC and the sensor. In that case you need to use the "DONTRESOLVE" option as described here:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html

Also, the sensor version must not be higher than the FMC (i.e. you cannot register a 6.2 sensor to a 6.1 FMC).

Hi Marvin,

Thanks for your reply.

Yes, I just checked the tcp/8305 bidirectional port, and following are the syslogs I just received.

The FTD sensor IP address is 10.50.62.209.

Apr 27 2017 13:45:12 FMC sudo: pam_unix(sudo:session): session closed for user root
Apr 27 2017 13:45:12 FMC sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 27 2017 13:45:12 FMC sudo: www : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chown www:www /var/log/CSMAgent.log
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.62.209' in 14 seconds
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Could not receive Message: Closed
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Connected to 10.50.62.209:8305 (IPv4)
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Wait to connect to 8305 (IPv6): 10.50.62.209
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.62.209:8305/tcp
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to 10.50.62.209 (via eth0)
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Connect to 10.50.62.209 on port 8305 - eth0
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_peers [INFO] Peer 10.50.62.209 needs a single connection
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [4180] sftunneld:sf_connections [INFO] Start connection to : 10.50.62.209 (wait 0 seconds is up)

What was the issue? I am just a little confused by the logs below:

Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] reconnect to peer '10.50.62.209' in 14 seconds
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Could not receive Message: Closed

Both are on the same version, 6.1.

Find attached a snapshot for adding another FTD.
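Two passages above lend themselves to a worked example: Marvin's advice to verify traffic with tcpdump in expert mode and to test reachability and DNS from the command line, and the sftunneld log excerpt in the post above. The script below is an added example, not code from the thread or from Cisco. It wraps those checks in small functions for the FTD "expert" shell and adds a triage helper that reads sftunneld lines and reports how far the FMC-to-sensor handshake on tcp/8305 got, which is the question the poster was confused about. The sample log A is built from the lines quoted above for peer 10.50.62.209; sample B, the temp-file names, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): registration triage plus the
# basic reachability checks discussed above, runnable from the FTD "expert" shell.

# --- Sample input (constructed, written to temp files so this runs offline) --------
# Sample A mirrors the sequence quoted in the thread for peer 10.50.62.209:
# TCP connect and SSL succeed, then VerifyConnect fails.
SAMPLE_A="${TMPDIR:-/tmp}/sftunnel_sample_a.$$"
cat > "$SAMPLE_A" <<'EOF'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [4180] sftunneld:sf_connections [INFO] Start connection to : 10.50.62.209 (wait 0 seconds is up)
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.62.209:8305/tcp
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Connected to 10.50.62.209:8305 (IPv4)
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Successfully connected using SSL to: '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Could not receive Message: Closed
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] VerifyConnect:Failed to authenticate or to be authenticated by peer '10.50.62.209'
Apr 27 2017 13:45:08 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'
EOF

# Sample B is a constructed variant in which no "Connected to" line ever appears,
# i.e. the TCP connection to 8305 was never completed.
SAMPLE_B="${TMPDIR:-/tmp}/sftunnel_sample_b.$$"
cat > "$SAMPLE_B" <<'EOF'
Apr 27 2017 13:50:01 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to 10.50.62.209:8305/tcp
Apr 27 2017 13:50:31 FMC SF-IMS[4134]: [652] sftunneld:sf_ssl [WARN] Unable to connect to peer '10.50.62.209'
EOF
trap 'rm -f "$SAMPLE_A" "$SAMPLE_B"' EXIT

# count_in FILE PATTERN: fixed-string match count; prints 0 (and never aborts
# under set -e) when nothing matches.
count_in() { grep -cF -- "$2" "$1" 2>/dev/null || true; }

# classify_sftunnel LOGFILE PEER -> prints no-tcp | no-ssl | auth-failed | ok
# The stage the tunnel reached narrows where to look:
#   no-tcp       TCP to PEER:8305 never completed: routing, ACLs or NAT on the path
#   no-ssl       TCP up but no SSL session: something between the peers interferes
#   auth-failed  TCP and SSL up, VerifyConnect failed: transport is fine, the peers
#                did not authenticate each other (typically a registration-key
#                mismatch, or the NAT case Marvin describes needing DONTRESOLVE)
classify_sftunnel() {
    log="$1"; peer="$2"
    tcp=$(count_in "$log" "Connected to ${peer}:8305")
    ssl=$(count_in "$log" "Successfully connected using SSL to: '${peer}'")
    auth=$(count_in "$log" "Failed to authenticate or to be authenticated by peer '${peer}'")
    if   [ "${tcp:-0}" -eq 0 ]; then echo no-tcp
    elif [ "${ssl:-0}" -eq 0 ]; then echo no-ssl
    elif [ "${auth:-0}" -gt 0 ]; then echo auth-failed
    else echo ok
    fi
}

# check_tcp HOST PORT: the "telnet to port 80" test without telnet, using the
# shell's /dev/tcp (bash). Use it for tcp/8305 to the FMC from the sensor, or
# tcp/80 to an external host to confirm the box can reach the Internet.
check_tcp() {
    if (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null; then
        echo "tcp/$2 to $1: open"
    else
        echo "tcp/$2 to $1: unreachable"; return 1
    fi
}

# check_dns NAME: name resolution is the other half of "can reach the Internet";
# a URL-filtering download cannot even start if this fails.
check_dns() {
    if nslookup "$1" >/dev/null 2>&1; then
        echo "dns: $1 resolves"
    else
        echo "dns: $1 does not resolve"; return 1
    fi
}

# capture_smtp IFACE [COUNT]: confirm SMTP is actually arriving on a passive
# interface. tcpdump needs root, hence sudo; -n skips reverse lookups.
capture_smtp() { sudo tcpdump -ni "$1" -c "${2:-20}" 'tcp port 25'; }

# Demonstration on the constructed samples (no network needed).
echo "sample A: $(classify_sftunnel "$SAMPLE_A" 10.50.62.209)"   # auth-failed
echo "sample B: $(classify_sftunnel "$SAMPLE_B" 10.50.62.209)"   # no-tcp
```

On a real box you would run `classify_sftunnel /var/log/messages <sensor-ip>` on the FMC, `check_tcp <fmc-ip> 8305` and `check_dns <some-name>` from the sensor's expert shell, and `capture_smtp eth1` on the passive interface that is supposed to receive the spanned email traffic. The point of the classifier is that "Unable to connect to peer" on its own does not say whether the problem is the network or the registration: the lines quoted in the thread show TCP and SSL succeeding before the authentication step fails, which is a different place to look than a blocked port.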

Hi Marvin,

I just registered the FTD, thanks for your support. You are right that we just had the port issue on both FMC and FTD. Thanks.

Now I just have an issue with the licenses. How can I generate the licenses for that FTD?

I just assigned the same policy as for the previous FTD. I just need the steps to generate the licenses.

Thanks

Kindly find the snapshot below.

FTD uses Smart Licenses. You need to allocate them to your registered FMC in the Cisco portal:

https://software.cisco.com/

...and then apply them to the new sensor within FMC.

Hi Marvin,

I just registered another FTD and transferred the SMTP traffic through a span port.

I just have some queries:

How can I check and analyze the SMTP traffic?

How can I check whether the traffic is coming in or not?

What are the commands in FMC and FTD to find the SMTP or port 25 traffic?

You can simply query the connection events and filter for smtp application.

Analysis > Connections > Events. Then "Edit Search" and include only smtp.

Hi Marvin,

I analyzed all the events, but there is no sign of smtp or 25.

How can I check the traffic further? In the FTD console I typed the command system support firewall engine debug, and also typed filters on port 25, but nothing shows there either.

Your support is needed.

Thanks

First off I'd confirm your span port is sending the smtp traffic. If it's physically nearby I'd just put a laptop with Wireshark on the port and grab a sample of the traffic.

If you're running 6.2 you can do advanced troubleshooting - do a trace and/or pull a packet capture from the GUI.

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting_the_system.html#id_41600

Hi Marvin,

Good Day!

As per the global WannaCry ransomware attack, the client needs to move this APT solution to inline mode.

I just need a little help doing this activity.

Yes, the email traffic is now analysed. Now the POC is completed.

Next Step:

Now the client needs to move FMC and FTD to inline mode.

We will place the FTD behind the web gateway. How many interfaces do I need in FMC?

I just have some queries regarding moving from passive mode to inline mode. Now what are the requirements for inline deployment? How many ports do I need in FTD to take action on both email and web traffic?

How does the web gateway push traffic to FTD?

How does the email gateway push email traffic to FTD?

If you have any document for inline deployment of the FTD, kindly share it.

I just have one night for this activity. Your kind support is needed.

Thanks

Qamar

Qamar,

What you are asking is more of a professional services request, which Cisco or a partner could handle as a paid service.

In general terms, FMC has a single interface for connecting to the managed devices as well as for administrative access to the server.

FTD interface design is not unlike firewall interface design - it varies widely according to the client's requirements, both current and planned. A very simple deployment is shown in the Quick Start Guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-fdm-5500x-qsg.html#pgfId-129862

Of course, if you have multiple interfaces and/or zones with varying security levels, your deployment could vary quite a bit from a simple "inside, outside and management" setup.
