Webcast-Deploy and Operate Cisco NGFW-FTD

Cisco Support Community
Expert series Webcast

Event name
Speaker name
Speaker title
Date
News &
Upcoming events
2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Ask the Expert following the Webcast
Now through September 29th
http://bit.ly/ATE_NGF-FTD
Aastha Bhardwaj &

Dinkar Sharma
Cisco Support Community Ask the Expert
CUCM 12.X Smart Licensing Overview
With Mohit Grover

& Amit Singh
http://bit.ly/ATE-cucm12x
Insert event banner
-Event open only to Cisco

Customers and Partners-
Cisco Support Community - Webcast in Spanish
Cisco Mobile Remote Access (MARA)- How to register Jabber from WAN
September 26th, 2017
UTC (-5hrs)
With Mauro Tartara

& Pablo Lopez Insert event banner
http://bit.ly/sp-webcast_MRA
-Event open to all technology & Cisco enthusiasts-

Cisco Support Community - Webcast in Portuguese
Cisco Services benefits for Customers and Partners
September 28th, 2017
UTC (-3hrs)
With
Larissa Brito Insert event banner
http://bit.ly/PT_Webcast-services

Cisco Support Community Spanish Ask the Expert
How to become an IT professional with Cisco Certifications
September 18 to October 6, 2017
With
Eduardo Moisa
Insert event banner
http://bit.ly/ATE_Cretifiaciones

Discover the new
Support Community!
Our new home is available

Visit our new site!
http://bit.ly/CSC-homepage
Become an event Top Contributor!
Participate in Live
Interactive Technical
Events and much more
http://bit.ly/Event-Top-
Contributors
Rate content at the Cisco Support Community
Help us to recognize the quality content in the community
Encourage and acknowledge people who

generously share their
Rate documents, time and expertise
Videos & blogs!
Cisco Support community Experts
Aastha Bhardwaj Dinkar Sharma

Escalation Engineer Customer Support Engineer
CCIE #46900 CCIE #47755
Question Manager
Adam Kilgore
Customer Support Engineer
Thank You For
Joining Us Today!
Download Todays Presentation

http://bit.ly/webcast-slides_NGFW-FTD
Submit Your Questions Now!
Use the Q&A panel to

submit your questions and
the panel of experts will
respond.
They will be answered eventually

Please take a moment to complete
the survey at the end of the webcast
Next Generation Firewall
Overview and Troubleshooting tools
Aastha Bhardwaj-CCIE#46900
Dinkar Sharma-CCIE#47755
19th Sep2017
1 Overview of NGFW
Installation, Licensing,
2
and Management
Agenda 3
Deployment modes,
and packet flow
Troubleshooting tools
4
demo
5 Q&A
What is Firepower Threat Defense?
A. Firepower(snort)
Polling Question 1 B. ASA
C. ASA + Firepower (Unified Image)
D. None of the above
FTD Overview
Cisco Firepower NGFW is a complete solution
Cisco Firepower NGFW
Stop more Gain more Detect earlier, Reduce Get more from
threats insight act faster complexity your network
Threat Focused Fully Integrated

Performance and Scalability
Cisco NGFW Product Family
Firepower
Firepower 9300
4100
Firepower
2100
A SA5545-
5555-X
A SA 5525-X
A SA 5506H-X
A SA 5516-X
A SA 5506W-X A SA 5508-X
A SA 5506-X
SMB & Distributed Commercial & Enterprise Data Center, High Performance Computing, Service
Enterprise Provider
Offering extensive contextual visibility
The more you see, the better you can protect
Client applications
Operating systems
C&C
Servers
File transfers Mobile Devices
Threats
Applicatio Routers & sw itches

User
n
s
protocols Web
Typical IPS applications Printers
Malw are
Typical NGFW Netw ork Servers
VOIP phones
Cisco Firepower NGFW

FTD Software Architecture The Big Picture
ASA engine (multiple instances of Data Path) - Focused on L2-L4 functionality

Snort engine (multiple instances of Snort) - Focused on L7 functionality
1. A packet enters the ingress interface and it is handled by the ASA engine
2. If the policy dictates so the packet is inspected by the Snort engine
3. Snort engine returns a verdict (whitelist or blacklist) for the packet
4. The ASA engine drops or forwards the packet based on Snorts verdict
FTD Installation on ASA
*.lfbff
Boot image
*.cdisk
Images to install FTD
System image *.pkg

Prerequisites
The ASA ROMMON version is at least 1.1.8 (for ASA-5506/5508/5516)
ASA flash should have at least 3.1 GB
The boot image is uploaded to a TFTP server.
The system image is uploaded to an HTTP/HTTPS or FTP server
FTD installation on ASA
Step 1 Reload the ASA and break into ROMMON mode
Use BREAK or ESC to interrupt boot.
rommon #0>
Step 2 Configure basic network settings and install the FTD boot image
rommon 1 > ADDRESS=10.62.148.29
rommon 2 > SERVER=10.229.22.31
rommon 3 > GATEWAY=10.62.148.1
rommon 4 > IMAGE=ftd-boot-9.7.1.0.cdisk
rommon 5 > tftpdnld
Step 3 Configure the boot image

firepower-boot> setup
Step 4 Install the system image (WITH NOCONFIRM) not to be prompted for confirmation messages during
the installation process
firepower-boot> system install ftp://10.48.45.236/ftd-6.1.0-330.pkg
Step 5 Accept End User License Agreement, specify network settings, Management mode, FTD mode
Step 6 Register FTD to FMC (if needed)
> configure manager add 10.62.148.50 cisco
Firepower 2100 vs 4100/9300
FRR4100/9300 FPR2100
Software Separate OS images for FXOS and FTD Unified OS bundle (FTD + FXOS)
FXOS CLI Read and Configure Read-only
Management mode FMC and FCM (chassis manager) FMC or FDM
Management interface Chassis Mgmt interface for FXOS mgmt Chassis mgmt shared between
Separate interface for FTD mgmt FXOS and FTD
Data interfaces Allocated from FCM Allocated from FMC

SNMP SNMP for FTD ASA Engine from FMC SNMP for FTD ASA Engine and
SNMP for FXOS from FCM FXOS is configured from FMC
Syslog Syslogs for FTD ASA sent from FTD Data int FXOS and FTD ASA syslogs are
Syslogs for FXOS sent from FXOS mgmt int sent from ASA Engine
Port-Channel LACP only LACP or Mode ON

NTP Configured from FCM (chassis manager) Configured from FMC
FTD Diagnostic vs. Management Interface
Management Interface M0/0
br1/management0(Snort) Diagnostic(Lina)
Mandatory interface (terminate Not recommended to

sftunnel) configure, use Data interface
Assigned IP address is used for Remote access to ASA (LINA)
FTD/FMC communication Source for ASA syslog, AAA
SSH/HTTPS access to the FTD messages, etc.
> show network # show interface ip brief
FTD installation on Firepower 4100/9300
Step 1 Upload the FTD image (.csp file) to FCM (Firepower Chassis Manager)
Step 2 On FCM configure FTD Management and Data Interfaces (Interfaces tab)
Step 3 On FCM Create an FTD Logical Device (Logical Devices > Add Device)
Step 4 On FCM provision the FTD Management interface
Step 5 On FCM provision the FTD settings (password, FW mode, DNS IP) and FMC info
Step 6 On FCM provision the FTD Data interface(s)
Step 7 Register FTD to FMC (Firepower Management Center)
Licensing on FTD
FTD Licensing
FTD uses Smart Licensing model where the license is not tied to any SN
Smart Licensing is applicable only on FTD. All other Firepower products still
use Classic Licensing
Evaluation license available for 90 days with full* functionality
After 90 days you need to register with Cisco Smart Software Manager
(CSCM)
Licensing is handled by the FMC which will not deploy or accept events from
unlicensed devices
FTD Licensing
To apply a Smart License on FTD
Step 1 - Obtain an ID Token from Cisco Smart Software Manager (CSCM -
Cisco License Portal)
Step 2 - Register Firepower Management Center (FMC) to CSCM
Step 3 - Register FTD to FMC

Step 4 - Apply one or more licenses to FTD devices
FTD Licensing
Smart License State Machine
Product Usage Comments

Registration Authorization
State State
Unregistered -- The FMC is neither in Registered nor Evaluation mode. This is the initial state after FMC
installation or after 90-day Evaluation License Expiration
Registered Authorized The FMC is registered with Cisco Smart Software Manager (CSCM) and there are FTD devices
registered with valid subscription
Registered Authorization Expired FMC failed to communicate with Cisco License backend for more than 90 days
Registered Unregistered The FMC is registered with Cisco Smart Software Manager (CSCM), but there are no FTD
devices registered on FMC
Registered Out-of-Compliance The FMC is registered with Cisco Smart Software Manager (CSCM), but there are FTD devices
registered with invalid subscription(s).
E.g. An ASA5506 FTD device uses THREAT subscription, but in the with Cisco Smart Software
Manager (CSCM) there are no THREAT subscriptions available for ASA5506
Evaluation (90 days) N/A
Evaluation period is in use, but there are no FTD devices registered on FMC
FTD Management
Easily manage NGFWs across multiple sites
Firepower Management Center
Centralized management for multi-site

deployments Firepower Management Center
Multi-domain management Firewall & AVC
Role-based access control NGIPS
High availability AMP
APIs and pxGrid integration Security Intelligence
Available in physical and virtual options
Manage across many sites Control access and set p olicies Investigate incidents Prioritize response
Easily manage individual NGFWs
Firepower Device Manager
Integrated on-box option for single instance

Firepower Device Manager deployment
Easy set-up NAT and Routing
Intrusion and Malware

Role-based access control
prevention
High availability Device monitoring
Physical and virtual options VPN support
Set up easily Control access and set policies Investigate incidents Prioritize response
Firepower Threat Defense Management
FDM FMC
> configure manager add <IP unregister the > configure

address> <reg_key> device from FMC manager delete
add FTD in FMC GUI > configure manager local
FMC FDM
!!! Migration between off-box and on-box will remove the whole FTD
configuration. Before migrating there is need to unregister the FTD device from
Smart Licensing server !!!
Deployment and Interface Modes
Deployment Scenarios
FTD can act as both NGFW and NGIPS on different network
interfaces:
NGFW derives operational modes from ASA and adds Firepower
features (Routed and Switched interface modes)
NGIPS operates as a standalone Firepower with limited ASA
engine functionality (Passive, Passive (ERSPAN), Inline pair, Inline
pair with tap interface modes)
Pick from many deployment modes
NGIPS deployment modes NGFW deployment modes
Inline or Passive Fail-to-wire NetMods Additional options

Inline Route
d
NetMod
101110
Inline Tap Transparent
101110
Passive
Virtual or Physical
FTD Deployment and Interface Modes
Deployment Modes: Interface Modes:
Routed Routed
from classic ASA
Transparent Switched (BVI)
Passive
from classic ASA
Passive (ERSPAN)
from classic
Inline Pair Firepower IPS
Inline Pair with tap
High Availability on FTD
HA Requirements
To build an HA pair between 2 FTD devices the following requirements
should be met:
Same model
Same version (FXOS and FTD)
Same number and type of interfaces
Both devices are in the same group/domain in FMC
Identical NTP configuration
No uncommitted changes on FMC
The same FTD mode: routed or transparent
No DHCP/PPPoE configured on any of interfaces
Different hostname (FQDN) for both chassis:
firepower# show chassis-management-url
https://FPR4100.cisco.com:443//
Policy Deployment in HA
1. Start Deployment request initiated from FMC comes to Active FTD

2. Snort-side configuration is applied on Active FTD
3. LINA process on Active unit will send snort-side config to Standby node
4. Lina configuration applied on Active unit
5. LINA process on Active unit takes care of syncing lina configurations to Standby node
6. Deployment Status with SUCCESS or FAILURE is sent back to FMC with all the
information
Life of a packet
FXOS (4100/9300) architecture and Packet Flow
Packet Flow on FP2100
1. The packet arrives on the Internal Switch

2. Internal Switch forwards the packet to the ASA Engine (Network Processing Unit - NPU)
3. ASA Engine forwards the packet to Snort Engine (CPU)
4. Snort Engine forwards the packet back to ASA Engine (NPU)
5. ASA Engine forwards the packet to the Internal Switch
6. The Internal Switch sends the packet back to physical network
FTD Packet Processing
How can we bypass snort inspection in
FTD?
Polling Question 2 A. Create Whitelist in SI policy

B. Pre Filter policy
C. Configure tcp state bypass
D. None of the above
Troubleshooting Tools
FTD Data-Plane - Packet-Tracer
Packet-tracer shows the ASA Engine Datapath checks done on a virtual packet
Source interface
Summary or
detailed format
FTD Troubleshooting Tools Capture
FTD offers 2 kinds of Captures :
1. ASA(Lina)-level capture capture command from CLISH
2. Snort-level capture capture-traffic command from CLISH
Where are these captures taking place?
Additionally, in expert mode , tcpdump can be taken to capture traffic .

FTD Data-Plane Capture + Capture w/Trace
Source interface
IP Protocol
Circular buffer
Trace ingress packets
Current GUI limitations

Cannot specify Src and Dst ports
Only basic IP Protocols can be matched
Cannot enable capture for ASA Engine ASP Drops
Workaround Use the FTD CLI
FXOS Data-Plane (MIO) Capture
Egress Packet = Chassis Backplane
Captures only at Ingress of MIO fabric internal switch

Enabling FXOS capture from CLI:
FPR9K-2-A# scope packet-capture Create a capture session
FPR9K-2-A /packet-capture* # create session port1_2
FPR9K-2-A /packet-capture/session* # create phy-port Ethernet1/2 Apply the capture
FPR9K-2-A /packet-capture/session/phy-port* # exit
FPR9K-2-A /packet-capture/session* # enable
FPR9K-2-A /packet-capture/session* # commit-buffer Enable the capture
FXOS Control-Plane Captures
The Firepower chassis Management interface provides SSH, HTTPS access

Source/Destination for Control-Plane traffic: NTP, SNMP, AAA, Syslog, DNS
FPR4140-A# show fabric-interconnect
Fabric Interconnect:
ID OOB IP Addr OOB Gateway OOB Netmask OOB IPv6 Address OOB IPv6 Gateway Prefix Operability
---- --------------- --------------- --------------- ---------------- ---------------- ------ -----------
A 10.62.148.37 10.62.148.1 255.255.255.128 :: :: 64 Operable
FPR4140-A# connect fxos

FPR4140-A(fxos)# ethanalyzer local interface mgmt capture-filter "tcp port 443" limit- Create a capture
captured-frames 50 write workspace:///SSL.pcap session
FPR4140-A# connect local-mgmt
FPR4140-A(local-mgmt)# dir
1 23075 Jan 12 13:13:18 2017 SSL.pcap
FPR4140-A(local-mgmt)# copy workspace:///SSL.pcap ftp://anonymous@10.48.40.70/SSL.pcap
Export the capture
FTD Logging ASA-level logs
ASA-level logs provide information about the FTD ASA Engine
Remote Syslog server

which receives the logs
> show running-config logging Same as on classic ASA

> show logging
Apr 23 2017 11:11:45: %ASA-7-609002: Teardown local-host nlp_int_tap:ff02::1 duration 0:00:02
FTD Logging System logs
pigtail is an FMC and FTD CLI tool that parses, reformats, and displays the
contents of several log files as the files are written
Messages shown in order based on their timestamps - Different color per file
FTD Debugs
FTD debugs can be categorized in 3 types

1. ASA Engine Control-Plane debugs
2. ASA Engine Data-Plane debugs
3. Snort Engine Data-Plane debugs
Demo
Which of the following tool is best in
troubleshooting URL filtering issue?
Polling Question 3 A. Capture

B. Firewall engine debug
C. Packet tracer
D. Pigtail
Submit Your
Questions Now!
Use the Q&A panel to submit your

2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential questions, our expert will respond
Ask the Expert following the Webcast
Now through September 29th
http://bit.ly/ATE_NGF-FTD
Aastha Bhardwaj &

Dinkar Sharma
Collaborate within our Social Media
Twitter Facebook
@Cisco_Support Cisco Support Community
http://bit.ly/csc-twitter http://bit.ly/csc-facebook
Learn About Upcoming Events

Lo invitamos a nuestros prximos eventos en
Redes Sociales
Google+ App LinkedIn

Description, details Cisco Technical Support CSC-Cisco-Support-Community
http://bit.ly/csc-googleplus http://bit.ly/csc-linked-in
YouTube
Ciscosupportchannel
http://bit.ly/csc-youtube
Learn About Upcoming Events
Cisco has support communities in other languages!
If you speak Spanish, Portuguese, Japanese, Russian or Chinese we invite you to participate & collaborate

Comunidad de Soporte Cisco
De Cisco Russian
Spanish

Japanese
Comunidade de
Suporte de Cisco
Portuguese Chinese
More IT Training
Videos and
Technical
Seminars on the
Cisco Learning
Network
View Upcoming Sessions Schedule
https://cisco.com/go/techseminars
Thank you for participating, you earned a discount!
Redeem your 35% discount offer by entering code: CSC when checking out.
http://bit.ly/CSC-CiscoPress-2017
Cisco Press
Thank you for Your
Time!
Please take a moment to complete the

survey
Thanks For Joining today!

Webcast-Deploy and Operate Cisco NGFW-FTD

Uploaded by

Copyright:

Available Formats

Webcast-Deploy and Operate Cisco NGFW-FTD

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Webcast-Deploy and Operate Cisco NGFW-FTD

Uploaded by

Copyright:

Available Formats

Cisco Support Community

Expert series Webcast

Now through September 29th

Aastha Bhardwaj &

CUCM 12.X Smart Licensing Overview

With Mohit Grover

-Event open only to Cisco

September 26th, 2017

With Mauro Tartara

-Event open to all technology & Cisco enthusiasts-

September 28th, 2017

-Event open to all technology & Cisco enthusiasts-

September 18 to October 6, 2017

-Event open to all technology & Cisco enthusiasts-

Our new home is available

Encourage and acknowledge people who

Aastha Bhardwaj Dinkar Sharma

Download Todays Presentation

Use the Q&A panel to

They will be answered eventually

Cisco Firepower NGFW

Threat Focused Fully Integrated

Applicatio Routers & sw itches

Typical NGFW Netw ork Servers

Cisco Firepower NGFW

ASA engine (multiple instances of Data Path) - Focused on L2-L4 functionality

System image *.pkg

Step 3 Configure the boot image

Data interfaces Allocated from FCM Allocated from FMC

Port-Channel LACP only LACP or Mode ON

Management Interface M0/0

Mandatory interface (terminate Not recommended to

Step 3 - Register FTD to FMC

Smart License State Machine

Product Usage Comments

Centralized management for multi-site

Multi-domain management Firewall & AVC

Role-based access control NGIPS

High availability AMP

APIs and pxGrid integration Security Intelligence

Available in physical and virtual options

Integrated on-box option for single instance

Intrusion and Malware

High availability Device monitoring

Physical and virtual options VPN support

> configure manager add <IP unregister the > configure

add FTD in FMC GUI > configure manager local

Inline or Passive Fail-to-wire NetMods Additional options

Inline Tap Transparent

1. Start Deployment request initiated from FMC comes to Active FTD

1. The packet arrives on the Internal Switch

Polling Question 2 A. Create Whitelist in SI policy

D. None of the above

Additionally, in expert mode , tcpdump can be taken to capture traffic .

Trace ingress packets

Current GUI limitations

Egress Packet = Chassis Backplane

Captures only at Ingress of MIO fabric internal switch

The Firepower chassis Management interface provides SSH, HTTPS access

FPR4140-A# connect fxos