
Next-Gen Firewall:

Firepower Threat Defense (FTD)


Mikis Zafeiroudis – Engineer, Cisco Services

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Agenda
• Introduction
• FTD Installation and Licensing
• FTD Management options
• FTD Deployment and interfaces modes
• FTD Packet Flow
• Troubleshooting tools
• High Availability

FTD in a nutshell

FTD High-level overview
Firepower Threat Defense (FTD) merges 2 products:
• ASA
• Firepower (Snort)

Developed to solve 2 main problems:
• Different management for ASA and SFR
• Duplicated functions between ASA and SFR
FirePOWER on ASA vs FTD
FirePOWER on ASA
• Requires 2 software images
• 2 Operating Systems on same HW
• Duplicated functionality
• 2 management applications

FTD
• Zero-copy packet inspection
• Unified management (FMC/FDM)

FTD installation on ASA5506/8/16-X
The FTD installation uses 2 images:
• OS image (AKA boot image) - for Firepower Threat Defense on ASA5506/8/16-X this is a *.lfbff file
• System image - this is a *.pkg file

Prerequisites
Before proceeding with the FTD installation verify the following:
• The ASA flash has at least 3.1 GBytes free (3 GBytes + the size of the boot image)
• The boot image is uploaded to a TFTP server
• The system image is uploaded to an HTTP or FTP server
• The ASA ROMMON is at least version 1.1.8
FTD installation on ASA5506/8/16-X in a nutshell

Step 1 - Put the .lfbff boot image on a TFTP server and the .pkg system image on an FTP or HTTP server
Step 2 (if needed) - Download the ROMMON image from the Cisco site and upgrade the ASA ROMMON to >= 1.1.8
ASA5506X-1# copy ftp://10.48.40.70/asa5500-firmware-1108.SPA disk0:asa5500-firmware-1108.SPA
ASA5506X-1# upgrade rommon disk0:asa5500-firmware-1108.SPA
Step 3 - Reload the ASA and break into ROMMON
Step 4 - In ROMMON, configure the basic network settings and install the FTD boot image with tftpdnld
rommon 1 > ADDRESS=10.62.148.29
rommon 7 > tftpdnld
Step 5 - Configure the boot image
firepower-boot> setup
Step 6 - Install the system image
firepower-boot> system install ftp://10.229.22.42/ftd-6.0.0-1005.pkg
Step 7 - Accept the EULA, specify the network settings, the management mode (local/FMC) and the firewall mode (routed/transparent)
Step 8 (if needed) - Register FTD to FMC
> configure manager add 10.62.148.73 cisco
FTD Licensing
• FTD uses the Smart Licensing model, where the license is not tied to a device serial number
• Smart Licensing applies only to FTD; all other Firepower products still use Classic Licensing
• Licensing is handled by the FMC, which will not deploy to, or accept events from, unlicensed devices
• An Evaluation license is available for 90 days with full* functionality (* in Evaluation mode only DES is available for VPN; see the Strong Crypto note in the VPN section)
• After 90 days you need to register with Cisco Smart Software Manager (CSSM)
FTD Licensing
4 types of licenses
1. Base License (NGFW) – Comes with the appliance
- Enables Networking, Firewall and Application Visibility and Control
2. Threat - Term-based
- Enables IPS, Security Intelligence - SI (IP, DNS)
3. Malware – Term-based
- Enables AMP and Threat-Grid
4. URL Filtering – Term-based
- Enables Category and Reputation-based URL filtering
• Currently, in an FTD HA pair both units need to be licensed
• Air-gapped networks require Permanent License Reservation (PLR) or Satellite Software Licensing
FTD Licensing
To apply a Smart License on FTD:
• Step 1 - Obtain an ID Token from Cisco Smart Software Manager (CSSM, the Cisco License Portal)
• Step 2 - Register the Firepower Management Center (FMC) to CSSM
• Step 3 - Register FTD to FMC
• Step 4 - Apply one or more licenses to the FTD devices
FTD Management options
2 Management options:
• Firepower Management Center (FMC) – off-box manager
• Firepower Device Manager (FDM) – on-box manager

FMC GUI

FTD Management options
FDM GUI (available from version 6.1)
• HTML5-based (no Java plugins)
• Supported on ASA5506-X/5506H-X/5506W-X/5508-X/5512-X/5515-X/5516-X/5525-X/5545-X/5555-X

On-box vs. Off-box comparison at 6.1

Feature                                             FMC (Off-box)   FDM (On-box)
NAT & Routing                                       ✔               ✔
Access Control                                      ✔               ✔
Intrusion & Malware                                 ✔               ✔
Device & Events Monitoring                          ✔               ✔
Site-to-Site VPN                                    ✔               In Roadmap
Security Intelligence                               ✔               In Roadmap
Other Policies: SSL, Identity, Rate Limiting (QoS)  ✔               In Roadmap
Active/Passive Authentication                       ✔               In Roadmap
Risk Reports                                        ✔               ✘
Correlation & Remediation                           ✔               ✘
SNMP                                                ✔               ✘
Easy Device Setup                                   ✘               ✔

FMC => Detailed; FDM => Optimized for SMBs; ✘ => Not Present

FTD CLI configuration modes

Three CLI modes:
1. FTD CLISH mode
2. FTD expert mode
3. ASA CLI mode

In a nutshell (from CLISH mode, through expert mode, to the ASA CLI):
> expert                                                       <- CLISH mode
admin@FTD5506-1:~$ sudo su                                     <- expert mode
Password:
root@FTD5506-1:/home/admin# lina_cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower#                                                     <- ASA CLI

FTD CLI configuration modes
FTD CLISH mode
• Accessible locally via Console or remotely via SSH
• Provides access to FTD management configuration, show and
debug commands
> configure
disable-https-access Disable https access
disable-ssh-access Disable ssh access
firewall Change to Firewall Configuration Mode
high-availability Change to Configure High-Availability Mode
https-access-list Configure the https access list
log-events-to-ramdisk Configure Logging of Events to disk
manager Change to Manager Configuration Mode
network Change to Network Configuration Mode
password Change password
ssh-access-list Configure the ssh access list
FTD CLI configuration modes
The CLISH mode Converged CLI (6.1) allows execution of ASA commands:
> show ip | include inside
GigabitEthernet1/1 inside 192.168.75.11 255.255.255.0 manual

system support diagnostic-cli also provides access to the ASA CLI:
> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower#

ASA CLI configuration is not possible from the diagnostic CLI:
firepower# configure terminal
          ^
ERROR: % Invalid input detected at '^' marker.

FTD Management interface
The FTD physical Management interface is divided into 2 logical subinterfaces:
• diagnostic - shown by 'show interface ip brief'
• br1* - shown by 'show network'; the sftunnel between FMC and FTD is terminated on br1

* FP4100/9300 use the subinterface management0 instead of br1

FTD Deployment and Interface Modes
2 Deployment Modes (device modes inherited from ASA):
• Routed
• Transparent

6 Interface Modes
Inherited from ASA:
• Routed
• Switched (BVI)
Inherited from FirePOWER:
• Passive
• Passive (ERSPAN)
• Inline pair
• Inline pair with tap
Note - interface modes can be mixed on a single FTD device
Deployment Mode: Routed
• Traditional L3 firewall deployment
• Allows configuring all interface modes apart from Switched (BVI)
• You can specify the firewall mode (Routed or Transparent) during the FTD
setup process:
Configure firewall mode? (routed/transparent) [routed]: routed

• You can later change the FTD mode from the CLISH CLI:
> configure firewall routed
This will destroy the current interface configurations, are you sure that you want to
proceed? [y/N] y
The firewall mode was changed successfully.
>

Note - The FTD mode can be changed only if the device is unregistered
Deployment Mode: Transparent
• Traditional L2 firewall deployment
• Allows configuring all interface modes apart from Routed and Passive (ERSPAN)
• You can specify the firewall mode (Routed or Transparent) during the FTD
setup process:
Configure firewall mode? (routed/transparent) [routed]: transparent

• You can later change the FTD mode from routed to transparent from the CLISH CLI:
> configure firewall transparent
This will destroy the current interface configurations, are you sure that you want to
proceed? [y/N] y
The firewall mode was changed successfully.
>

Note - The FTD mode can be changed only if the device is unregistered
Interface Mode: Routed
• Available only in Routed Deployment
• Traditional L3 firewall deployment
• One or more physical or logical (VLAN) routable interfaces
• Allows features like NAT or Dynamic Routing protocols to be configured
• Packets are forwarded based on a route lookup
• Full ASA engine checks are applied along with full Snort engine checks
• Actual traffic can be dropped

Interface Mode: Switched
• Available only in Transparent Deployment mode
• Very similar to classic Transparent firewall
• Two or more physical or logical interfaces are assigned to a Bridge Group
• Full ASA engine checks are applied along with full Snort engine checks
• Packets are forwarded based on a CAM table lookup
• The BVI interface is used to resolve the next-hop MAC address using ARP or ICMP
• Actual traffic can be dropped

Interface Mode: Inline Pair
• 2 Physical interfaces internally bridged
• Very similar to classic inline IPS
• Available in Routed or Transparent Deployment modes
• Most of ASA features (NAT, Routing, L3/L4 ACL etc) are not available for
flows going through an Inline Pair.
• Only a few ASA engine checks are applied, along with full Snort engine checks
• Actual traffic can be dropped

Interface Mode: Inline Pair
TCP packets are handled in TCP state-bypass mode, so the majority of the ASA engine checks are disabled
firepower# show conn detail
1 in use, 30 most used
Flags: A - awaiting responder ACK to SYN, a - awaiting initiator ACK to SYN,
       b - TCP state-bypass or nailed,
       k - Skinny media, M - SMTP data, m - SIP media, N - inspected by Snort, n - GUP
TCP Set1:outside(outside): 192.168.75.40/23 Set1:inside(inside): 192.168.75.15/61563,
    flags b N, idle 8s, uptime 8s, timeout 1h0m, bytes 69

• b flag - FTD Inline Pair mode handles a TCP connection in TCP state-bypass mode and doesn't drop TCP packets that don't belong to an existing connection. A classic ASA drops an unsolicited SYN/ACK packet unless TCP state-bypass is enabled.
• N flag - the packet will be inspected by the Snort engine

Interface Mode: Inline Pair with Tap
• 2 Physical interfaces internally bridged
• Available in Routed or Transparent Deployment modes
• Most of ASA features (NAT, Routing, L3/L4 ACL etc) are not available for
flows going through an Inline Pair
• Only a few ASA engine checks are applied, along with full Snort engine checks, to a copy of the actual traffic
• Actual traffic cannot be dropped

Interface Mode: Inline Pair with Tap
Tracing a transit packet shows that the packet is not getting dropped
firepower# show capture CAPI packet-number 1 trace
9 packets captured
1: 20:06:10.571427 192.168.75.15.43708 > 192.168.75.40.23: S 315154105:315154105(0)
win 4128 <mss 1460>
..
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: Access-list would have dropped,but packet forwarded due to inline-tap

The ASA engine syslog shows, at TCP connection creation, that TCP state bypass is being applied:
May 26 2016 20:06:10: %ASA-6-302303: Built TCP state-bypass connection 8963 from inside:192.168.75.15/43708 (192.168.75.15/43708) to outside:192.168.75.40/23 (192.168.75.40/23)

Interface Mode: Passive
• 1 Physical interface operating as a sniffer
• Very similar to classic IDS
• Available in Routed or Transparent Deployment modes
• A few ASA engine checks and full Snort engine checks are applied to a copy of the actual traffic
• Actual traffic cannot be dropped

Interface Mode: Passive (ERSPAN)
• 1 Physical interface operating as a sniffer
• Very similar to a remote IDS
• Available only in Routed Deployment mode
• A GRE tunnel between the capture point and the FTD carries the packets

• A few ASA engine checks and full Snort engine checks are applied to a copy of the actual traffic
• Actual traffic cannot be dropped

Interface Modes - Summary

FTD interface mode     FTD Deployment mode     Description                          Real traffic can be dropped
Routed                 Routed                  Full ASA and Snort checks            Yes
Switched               Transparent             Full ASA and Snort checks            Yes
Inline Pair            Routed or Transparent   Partial ASA and full Snort checks    Yes
Inline Pair with Tap   Routed or Transparent   Partial ASA and full Snort checks    No
Passive                Routed or Transparent   Partial ASA and full Snort checks    No
Passive (ERSPAN)       Routed                  Partial ASA and full Snort checks    No

Quiz
Which of the following interface modes work similarly to a classic IDS (choose 3)?
1. Inline Pair with Tap
2. Passive
3. Switched (Transparent)
4. Passive (ERSPAN)
5. Inline Pair
6. Routed

Answer
Inline Pair with Tap, Passive, Passive (ERSPAN)

FTD Packet Processing – The big picture

1. A packet enters the ingress interface and is handled by the ASA engine
2. If the policy dictates so, the packet is inspected by the Snort engine
3. The Snort engine returns a verdict (whitelist or blacklist) for the packet
4. The ASA engine drops or forwards the packet based on Snort's verdict
• The Snort engine runs 6.x code
• The ASA engine runs 9.6.x code

FTD Packet Processing: Ingress Interface

• Packet arrives on ingress interface.


• Input counters are incremented by NIC and periodically retrieved by CPU
• Similarly to classic ASA, input queue (RX ring) is an indicator of packet load
> show interface g1/2 detail
Interface GigabitEthernet1/2 "inside", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
IPS Interface-Mode: inline-tap, Inline-Set: Set1
47770671 packets input, 7620806887 bytes, 0 no buffer
Received 23734506 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
input queue (blocks free curr/low): hardware (1008/800)
output queue (blocks free curr/low): hardware (1023/985)

FTD Packet Processing: Connection Lookup

• ASA engine checks for existing connection


• If a match is found, the packet takes the Fast Path, bypassing the basic checks
firepower# show capture CAPO packet-number 2 trace
2 packets captured
2: 12:51:51.094691 192.168.76.14 > 192.168.75.14: icmp: echo reply
...
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1541, using existing flow

FTD Packet Processing: VPN Decryption

• VPN on FTD is available from version 6.1


• IKEv1 and IKEv2 are supported
• Pre-shared key authentication (PKI in the roadmap)
• No GETVPN, DMVPN, Anyconnect, EZVPN support
• Similar to classic ASA, only policy-based (crypto map) is supported. No route-based (VTI) support
• ‘same-security-traffic permit intra-interface’ implicitly enabled (hairpinning capable)
• Only Tunnel mode is supported (no Transport mode)
• Supports tunnel with a 3rd party VPN device (Extranet)
FTD Packet Processing: VPN Decryption

• In Evaluation Licensing mode only DES is supported. Smart License Strong Crypto attribute is
needed for stronger encryption algorithms

When it comes to configuration, FMC supports the deployment of 3 different topologies:
1. Point-to-Point
2. Hub and Spoke
3. Full Mesh (creates n(n-1)/2 tunnels for n peers)

FTD Packet Processing: VPN Decryption

• no sysopt connection permit-vpn is enforced (different behavior than classic ASA).


This implies that VPN decrypted traffic has to be explicitly allowed
firepower# show run sysopt
no sysopt connection permit-vpn

• On FMC the tunnel status is updated every 5 minutes in Health Events. Use the CLISH Converged CLI for live verification and troubleshooting:
> show crypto
  ikev1   Show IKEv1 operational data
  ikev2   Show IKEv2 operational data
  ipsec   Show IPsec operational data
  ...
> debug crypto
  ikev1   Set IKEV1 debug levels
  ikev2   Set IKEV2 debug levels
  ipsec   Set IPSec debug levels
  ...

FTD Packet Processing: UN-NAT/Egress int.

• Egress interface determination


• In case there is Destination NAT (UN-NAT) the egress interface will be determined based on the
NAT rule, unless route lookup is preferred (identity NAT)
firepower# show capture DMZ packet-number 3 trace detail
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static Host-A Host-B
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.76.100/0 to 192.168.75.14/0

FTD Packet Processing: Prefilter Policy

• The Prefilter Policy was introduced in version 6.1


• Serves 2 main purposes
1. Adds additional flexibility when it comes to handling tunneled traffic:
• GRE
• IP-in-IP
• IPv6-in-IP
• Teredo Port 3544
2. Provides Early Access Control (EAC), which allows a flow to completely bypass the Snort engine

FTD Packet Processing: Prefilter Policy

• Navigate to Policies > Access Control > Prefilter and create a Prefilter Policy

• Add one or more Tunnel and/or Prefilter (Early Access Control) rules and attach the Prefilter Policy to the ACP

FTD Packet Processing: Prefilter Policy (tunneled)

• Classic ASA checks the outer IP header


• A FirePOWER device (Snort) checks the inner IP header
• FTD ASA code checks the outer IP header while the Snort engine checks the inner IP header

FTD Packet Processing: Prefilter Policy (tunneled)

• Tunnel Rules provide 3 possible actions:
1. Block - drops the tunneled traffic
2. Fastpath - allows the tunneled traffic and bypasses the Snort engine
3. Analyze - sends the tunneled traffic to the Snort engine. Optionally allows traffic tagging

FTD Packet Processing: Prefilter Policy (EAC)

• Early Access Control Rules provide 3 possible actions:
1. Block - drops the traffic
2. Fastpath - allows the traffic and bypasses the Snort engine
3. Analyze - sends the traffic to the Snort engine

FTD Packet Processing: Prefilter Policy

• Prefilter Rules are deployed to the ASA engine as L3/L4 ACEs and are placed above the normal L3/L4 ACEs
firepower# show access-list
access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3
EAC Prefilter rules:
access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268434457: RULE: Fastpath_Rule1
access-list CSM_FW_ACL_ line 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0)
Tunnel Prefilter rules:
access-list CSM_FW_ACL_ line 4 remark rule-id 268434456: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268434456: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268434456 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268434456 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268434456 (hitcnt=2) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any any eq 3544 rule-id 268434456 (hitcnt=0) 0xcf6309bc
Access Control Policy L3/L4 ACEs:
access-list CSM_FW_ACL_ line 10 remark rule-id 268434445: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 11 remark rule-id 268434445: L4 RULE: Block ICMP
access-list CSM_FW_ACL_ line 12 advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start (hitcnt=0) 0x8bf72c63
access-list CSM_FW_ACL_ line 13 remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ line 14 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268434434 (hitcnt=410) 0xa1d3780e

FTD Packet Processing: L3/L4 ACL

• The Access Control Policy (ACP) configured on FMC is pushed to the device as an advanced L3/L4 ASA ACL.
• It is pushed as a global ACL (CSM_FW_ACL_) to the ASA engine and as AC rules in the
/var/sf/detection_engines/UUID/ngfw.rules file to the Snort engine
firepower# show run access-list
access-list CSM_FW_ACL_ advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start
firepower# show run access-group
access-group CSM_FW_ACL_ global

• 7 possible rule actions can be applied to the traffic: Allow, Trust, Monitor, Block, Block with reset, Interactive Block, Interactive Block with reset

FTD Packet Processing: L3/L4 ACL - Allow

• Allow Rule will be pushed to ASA engine as permit action and to Snort engine as allow action. The
rule ID correlates the ASA rules with the Snort rules
firepower# show access-list
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ line 11 remark rule-id 268435457: L4 RULE: ACP_Rule2_Allow_ICMP_Type
access-list CSM_FW_ACL_ line 12 advanced permit icmp host 2.2.2.2 host 3.3.3.3 echo rule-id
268435457
root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435457 allow any 2.2.2.2 32 8 any 3.3.3.3 32 any any 1

FTD Packet Processing: L3/L4 ACL - Allow

• packet-tracer shows that the ASA engine will send the packet to the Snort engine for a verdict
> packet-tracer input inside icmp 1.1.1.1 8 0 2.2.2.2

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

FTD Packet Processing: L3/L4 ACL - Allow

• Tracing a real packet will show the Snort Verdict


firepower# show capture CAPI packet-number 1 trace
1: 09:17:18.996149 1.1.1.1 > 2.2.2.2: icmp: echo request
!
Phase: 4
Type: ACCESS-LIST
...
This packet will be sent to snort for additional processing where a verdict will be
reached
!
Phase: 13
Type: EXTERNAL-INSPECT
...
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
...
Snort Verdict: (pass-packet) allow this packet
FTD Packet Processing: L3/L4 ACL - Trust

• Trust Rule will be pushed to ASA engine as trust action and to Snort engine as fastpath action
firepower# show access-list
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477

root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435477 fastpath any 4.4.4.4 32 any any 5.5.5.5 32 53 any 17

FTD Packet Processing: L3/L4 ACL - Trust

• packet-tracer shows that the ASA engine will not send any packets to the Snort engine
> packet-tracer input inside udp 4.4.4.4 1111 5.5.5.5 53

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:

An empty 'Additional Information' section means the packet is not going to be redirected to the Snort engine.

FTD Packet Processing: L3/L4 ACL - Block

• A Block Rule will be pushed to the ASA engine as a permit or a deny action, depending on the rule conditions, and to the Snort engine as a deny rule. If a rule carries both, the Application condition takes precedence over the Destination Port condition.
firepower# show access-list
access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464
root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6

• A packet matching rule 268435460 (L7 application rule, permit on the ASA engine) will be dropped by the Snort engine
• A packet matching rule 268435464 (L4 port rule, deny on the ASA engine) will be dropped by the ASA engine
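The Allow, Trust and Block slides above correlate the ASA engine ACL with the Snort ngfw.rules by hand, using the shared rule-id. The following Python script is an added example (not part of the original deck, not Cisco code) that does that join automatically: it parses `show access-list` and ngfw.rules text, reports which engine decides the fate of a flow matching each rule-id, and checks the ordering rule from the Prefilter slide (prefilter ACEs must sit above the ACP ACEs). The sample inputs are constructed from the ACE and ngfw.rules lines quoted on the slides; the hit counts on them are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, assembled from the ACEs and ngfw.rules lines on the slides.
SHOW_ACCESS_LIST = """\
access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268434457: RULE: Fastpath_Rule1
access-list CSM_FW_ACL_ line 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0)
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 9 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 10 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456 (hitcnt=3)
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end
access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464
"""

NGFW_RULES = """\
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435477 fastpath any 4.4.4.4 32 any any 5.5.5.5 32 53 any 17
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6
"""

ACE_RE = re.compile(r"^access-list \S+ line (?P<line>\d+) advanced (?P<action>permit|deny|trust) "
                    r"(?P<match>.+?) rule-id (?P<rid>\d+)")
REMARK_RE = re.compile(r"^access-list \S+ line (?P<line>\d+) remark rule-id (?P<rid>\d+): (?P<text>.*)$")
SNORT_RE = re.compile(r"^(?P<rid>\d+) (?P<action>\w+) ")


@dataclass
class Rule:
    rule_id: int
    asa_line: Optional[int] = None
    asa_action: Optional[str] = None    # permit / deny / trust on the ASA engine
    asa_match: str = ""
    snort_action: Optional[str] = None  # allow / deny / fastpath in ngfw.rules
    remarks: List[str] = field(default_factory=list)

    @property
    def is_prefilter(self) -> bool:
        return any(r.startswith("PREFILTER POLICY") for r in self.remarks)


def parse(asa_text: str, snort_text: str) -> Dict[int, Rule]:
    """Join the ASA ACL and the Snort rule file on the shared rule-id."""
    rules: Dict[int, Rule] = {}
    for line in asa_text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            rules.setdefault(int(m["rid"]), Rule(int(m["rid"]))).remarks.append(m["text"])
            continue
        m = ACE_RE.match(line)
        if m:
            r = rules.setdefault(int(m["rid"]), Rule(int(m["rid"])))
            r.asa_line, r.asa_action, r.asa_match = int(m["line"]), m["action"], m["match"]
    for line in snort_text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            rules.setdefault(int(m["rid"]), Rule(int(m["rid"]))).snort_action = m["action"]
    return rules


def disposition(rule: Rule) -> str:
    """Which engine decides the fate of a flow matching this rule-id."""
    if rule.asa_action == "trust":
        return "ASA fastpath: never sent to Snort"
    if rule.asa_action == "deny":
        return "dropped by ASA engine"
    if rule.asa_action == "permit":
        if rule.snort_action == "deny":
            return "sent to Snort: dropped by Snort verdict (black-list)"
        if rule.snort_action == "allow":
            return "sent to Snort: forwarded if Snort passes it"
        return f"sent to Snort: Snort action {rule.snort_action!r}"
    return "no ASA ACE for this rule-id"


def prefilter_above_acp(rules: Dict[int, Rule]) -> bool:
    """Prefilter ACEs must occupy lower line numbers than every ACP ACE."""
    pre = [r.asa_line for r in rules.values() if r.is_prefilter and r.asa_line]
    acp = [r.asa_line for r in rules.values() if not r.is_prefilter and r.asa_line]
    return not pre or not acp or max(pre) < min(acp)


def report(rules: Dict[int, Rule]) -> List[str]:
    rows = sorted((r for r in rules.values() if r.asa_line), key=lambda r: r.asa_line)
    return [f"line {r.asa_line:>3} rule-id {r.rule_id} asa={r.asa_action:<6} "
            f"snort={r.snort_action or '-':<8} -> {disposition(r)}" for r in rows]


if __name__ == "__main__":
    parsed = parse(SHOW_ACCESS_LIST, NGFW_RULES)
    print("\n".join(report(parsed)))
    print("prefilter rules above ACP rules:", prefilter_above_acp(parsed))
```

On a live device the two inputs come from `show access-list` in the diagnostic CLI and from `cat /var/sf/detection_engines/<UUID>/ngfw.rules` in expert mode; a prefilter rule-id with no ngfw.rules entry is expected, since fastpathed flows never reach Snort.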
FTD Packet Processing: L3/L4 ACL - Block

• For a Block Rule that uses an Application condition, tracing a real packet shows that the packet is dropped by the ASA engine due to the Snort engine verdict. Snort needs to process a few packets before it determines the application type, so the drop appears on a later packet of the flow (packet 7 here) rather than on the first one.
firepower# show capture CAPI packet-number 7 trace
7: 13:42:53.655971 192.168.75.14.36775 > 192.168.76.14.23: P 4147441466:4147441487(21) ack 884051486 win 16695
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow

• The Snort engine debug shows how the verdict was determined
> system support firewall-engine-debug
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 Starting with minimum 6, 'ACP_Rule5_Block_Telnet_App', and IPProto first with zones 3 -> 1, geo 0(0) -> 0, vlan 0, sgt tag: untagged, svc 861, payload 0, client 2000000861, misc 0, user 9999997, url , xff
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 match rule order 5, 'ACP_Rule5_Block_Telnet_App', action Block
5.5.5.5-36774 > 6.6.6.6-23 6 AS 1 I 0 deny action

FTD Packet Processing: DAQ

• The Data Acquisition Library (DAQ) is the interface between the ASA engine and the Snort engine
• DAQ communicates with the ASA Datapath processes through the Packet Data Transport System (PDTS):
1. A packet is placed into DMA memory
2. Datapath processes the packet
3. If the packet requires Snort inspection, a pointer to it is added to the PDTS TX queue of a specific Snort instance
4. Snort instances periodically read the TX rings and process the packets in DMA memory
5. When a Snort instance finishes processing, it puts a PDTS Notification (verdict or SSL-decrypted packet) into the PDTS RX queue
6. The Datapath process reads the verdict or copies the decrypted packet into DMA memory

FTD Packet Processing: Packet Decoding

• Packet Decoder - prepares the packets for preprocessor analysis
• The decoder options that can be applied depend on the FTD interface mode (Routed, Inline Pair etc.)
• L2-L4 Snort Preprocessors are configured under Policies > Access Control > Access Control > Network Analysis Policy

Troubleshooting Tip: you can enable the appropriate Intrusion Rule IDs (116:SID, the decoder rules under generator 116) to generate events for decoder matches

FTD Packet Processing: L2-L4 Preprocessors

• FTD Inline Normalization depends heavily on the FTD interface mode
• FTD routed or transparent interface modes handle TCP Options in the ASA engine (tcp-map):
> show running-config all tcp-map
tcp-map UM_STATIC_TCP_MAP
  no check-retransmission
  no checksum-verification
  tcp-options range 6 7 allow
  tcp-options range 9 18 allow
  tcp-options range 20 255 allow
  tcp-options selective-ack allow
  tcp-options timestamp allow
  tcp-options window-scale allow
  tcp-options mss allow
  tcp-options md5 clear

firepower# show service-policy set connection
Global policy:
  Service-policy: global_policy
    Class-map: class-default
      Set connection advanced-options: UM_STATIC_TCP_MAP
      ..
      TCP-options:
        Selective ACK cleared: 0    Timestamp cleared : 0
        Window scale cleared : 0    Other options cleared: 11
        Opt 19: 11
        Other options drops: 0
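To make the tcp-map above concrete, here is an added example (not from the deck, not Cisco code) that expresses UM_STATIC_TCP_MAP as a TCP option normalizer in Python and runs it over a constructed SYN options field carrying a TCP MD5 signature option (kind 19). It shows why the counters read "Other options cleared: 11 / Opt 19: 11" for a flow of MD5-signed segments: every kind is allowed except 19, which is cleared. Two details are assumptions of this example rather than documented ASA behaviour: clearing is modelled as overwriting the option with NOPs so the TCP header length is unchanged, and option kinds the map does not list fall back to clear.

```python
import struct
from typing import Dict, Iterator, List, Set, Tuple

# tcp-map UM_STATIC_TCP_MAP from the slide, expressed as TCP option kinds.
# Kinds 0 (EOL) and 1 (NOP) are structural and always pass.
ALLOW_RANGES = ((6, 7), (9, 18), (20, 255))            # tcp-options range ... allow
ALLOW_NAMED = {2: "mss", 3: "window-scale", 4: "selective-ack",
               5: "selective-ack", 8: "timestamp"}      # tcp-options <name> allow
DEFAULT_CLEAR: Set[int] = {19}                          # tcp-options md5 clear

# Constructed SYN options field: MSS, SACK-permitted, timestamps, NOP, window scale,
# a TCP MD5 signature (kind 19, RFC 2385) and two NOPs of padding; 40 bytes in total.
SYN_OPTIONS = (
    bytes([2, 4]) + struct.pack("!H", 1460)
    + bytes([4, 2])
    + bytes([8, 10]) + struct.pack("!II", 1000, 0)
    + bytes([1])
    + bytes([3, 3, 7])
    + bytes([19, 18]) + b"\x00" * 16
    + bytes([1, 1])
)


def parse_options(opts: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (kind, raw option bytes); reject truncated or zero-length options."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list: the rest is padding
            yield kind, opts[i:]
            return
        if kind == 1:                      # NOP is a single byte
            yield kind, opts[i:i + 1]
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError(f"malformed TCP option kind {kind} at offset {i}")
        length = opts[i + 1]
        yield kind, opts[i:i + length]
        i += length


def option_action(kind: int, clear_kinds: Set[int]) -> str:
    if kind in (0, 1):
        return "allow"
    if kind in clear_kinds:
        return "clear"
    if kind in ALLOW_NAMED or any(lo <= kind <= hi for lo, hi in ALLOW_RANGES):
        return "allow"
    return "clear"   # assumption: kinds the map does not list fall back to clear


def normalize(opts: bytes, clear_kinds: Set[int] = DEFAULT_CLEAR) -> Tuple[bytes, Dict]:
    """Apply the tcp-map to an options field and return (new options, counters).

    Counters mirror 'show service-policy set connection'. Clearing is modelled as
    overwriting the option with NOPs so the header length is unchanged (assumption).
    """
    counters: Dict = {"selective_ack_cleared": 0, "timestamp_cleared": 0,
                      "window_scale_cleared": 0, "other_cleared": {}}
    out = bytearray()
    for kind, raw in parse_options(opts):
        if option_action(kind, clear_kinds) == "allow":
            out += raw
            continue
        out += b"\x01" * len(raw)
        if kind in (4, 5):
            counters["selective_ack_cleared"] += 1
        elif kind == 8:
            counters["timestamp_cleared"] += 1
        elif kind == 3:
            counters["window_scale_cleared"] += 1
        else:
            counters["other_cleared"][kind] = counters["other_cleared"].get(kind, 0) + 1
    return bytes(out), counters


def surviving_kinds(opts: bytes) -> List[int]:
    """Option kinds present in an options field, ignoring NOP/EOL padding."""
    return [k for k, _ in parse_options(opts) if k not in (0, 1)]


if __name__ == "__main__":
    new_opts, stats = normalize(SYN_OPTIONS)
    print("kinds before:", surviving_kinds(SYN_OPTIONS))
    print("kinds after: ", surviving_kinds(new_opts))
    print("counters:", stats)
```

Passing a different `clear_kinds` set (for example `{19, 8}`) shows how the "Timestamp cleared" counter would move if the tcp-map were tightened; the parser also refuses a truncated option rather than reading past the end of the field, which is the check a normalizer in the data path cannot skip.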
FTD Packet Processing: SI (IP)

• Security Intelligence (SI) can Blacklist (drop) or Whitelist (allow) IP addresses early in the packet processing lifetime within the Snort engine
• Whitelist overrides the Blacklist
• The Blacklist can be populated in 2 ways:
1. Manually by the FMC administrator
2. Automatically by an Intelligence Feed (Talos or custom) or List
• Snort returns to ASA a verdict about a packet being blacklisted

FTD Packet Processing: SI (IP)

• The files containing the IPs from Talos SI Feed are in /ngfw/var/sf/iprep_download directory
root@FTD5506-1:/ngfw/var/sf/iprep_download# ls -alt | grep blf
-rw-r--r-- 1 root root 1252278 Jun 12 16:06 3e2af68e-5fc8-4b1c-b5bc-b4e7cab598ba.blf
-rw-r--r-- 1 root root 227696 Jun 12 16:05 032ba433-c295-11e4-a919-d4ae5275a468.blf

• If a packet is dropped by Snort SI, the ASA capture trace shows the Verdict
> show capture CAPI packet-number 1 trace
1: 16:07:45.147743 192.168.75.14 > 38.229.186.248: icmp: echo request
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
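Added example (not Cisco code and not part of the deck): a small Python model of the IP Security Intelligence decision described on the two slides above, written to make the precedence rule concrete. The CIDR lists, the per-flow decision and the "whitelist is checked first" order are assumptions used for illustration; the real engine matches against the Talos .blf feed files shown above, and the verdict string is modelled on the one in the capture trace.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample lists, entered as an FMC administrator would (not Talos feed data).
WHITELIST = ["192.168.75.0/24"]
BLACKLIST = ["38.229.186.0/24", "192.168.75.14/32"]


def _match(addr, networks: Iterable[str]) -> Optional[str]:
    """Return the first network in `networks` that contains `addr`, else None."""
    for net in networks:
        if addr in ipaddress.ip_network(net, strict=False):
            return net
    return None


def si_verdict(src: str, dst: str, whitelist=WHITELIST, blacklist=BLACKLIST) -> dict:
    """Model of the SI (IP) decision for one packet of a flow.

    Assumed order, matching the slide's 'Whitelist overrides the Blacklist':
      1. a whitelist hit on either endpoint wins, even if the same address
         also appears on the blacklist;
      2. otherwise a blacklist hit on either endpoint produces the
         '(black-list)' verdict that the ASA capture trace shows;
      3. otherwise SI passes the packet on to the next Snort checks.
    """
    endpoints = (("src", ipaddress.ip_address(src)),
                 ("dst", ipaddress.ip_address(dst)))

    for role, addr in endpoints:
        hit = _match(addr, whitelist)
        if hit:
            return {"verdict": "whitelist", "endpoint": role, "matched": hit}

    for role, addr in endpoints:
        hit = _match(addr, blacklist)
        if hit:
            return {"verdict": "black-list", "endpoint": role, "matched": hit}

    return {"verdict": "pass", "endpoint": None, "matched": None}


if __name__ == "__main__":
    # 192.168.75.14 is on the blacklist as a /32 but inside the whitelisted /24,
    # so the whitelist wins and the flow is not dropped by SI.
    print(si_verdict("192.168.75.14", "38.229.186.248"))
    print(si_verdict("10.1.1.1", "38.229.186.248"))
    print(si_verdict("10.1.1.1", "10.2.2.2"))
```

The /32 entry that is also covered by a whitelisted /24 is the case worth testing when an SI block "does not work": the whitelist entry, not a feed problem, is the reason.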
FTD Packet Processing: SSL Decryption

• SSL Inspection Policy controls which traffic will be decrypted by FTD so that other policies (ACP, File, Snort) can inspect the traffic.
• Can be configured in the Firepower Management Center, under Policies > SSL.
• FTD provides 2 Decryption modes:
1. Decrypt - Known Key - SSL/TLS server owned by us
2. Decrypt - Resign - 3rd party SSL/TLS server. The FTD does man-in-the-middle and for that reason requires an Internal CA
• SSL Policy is attached to Access Control Policy (ACP)
• Client Hello features (enabled by default) allow FTD to modify the Client Hello message (TLS ver, Ciphers) (Required for Safe Search and YouTube EDU)
FTD Packet Processing: SI (DNS/URL)

Security Intelligence (DNS)


• With this feature DNS Requests can get one of the following actions:
1. Whitelist
2. Monitor
3. Domain Not Found (NXDOMAIN)
4. Drop (drops the DNS query)
5. Sinkhole (redirection to a local honeypot IP)

• The DNS lists (Blacklist or Whitelist) can be populated manually or automatically (Talos or custom)

FTD Packet Processing: SI (DNS/URL)

Security Intelligence (URL)


• Works similarly to IP Security Intelligence and provides 3 actions
1. Whitelist
2. Blacklist (Block)
3. Blacklist (Monitor)

• If the Talos URL Feed is used, part of the DB is stored locally and updated daily
• For non-cached URLs a Cloud lookup is done

FTD Packet Processing: Identity Policy

Identity Policy enables user-based authentication. The user info can be obtained in various ways:
1. Passive Authentication
• Integration with LDAP – requires User Agent
• Integration with ISE pxGrid
• Integration with Citrix VDI – identifies multiple users behind one IP
• Network Discovery (User) – traffic-based detection (LDAP, FTP etc)
2. Active Authentication
• Captive Portal – Basic, NTLM, Kerberos
FTD Packet Processing: L7 ACL

L7 ACL can do, among others:
• Correlate SSL Policy
• User-based rules
• Application filtering
• SafeSearch
• YouTube EDU
• Forward to Intrusion Policy
• Forward to File Policy
FTD Packet Processing: QoS (Rate Limiting)

• QoS Rate-Limiting capabilities added in the FTD 6.1 release
• QoS Traffic Shaping and Policing are not available at the moment
• You create/manage QoS Policies from the FMC Devices > QoS section
• Compared to other policies, a QoS Policy is not attached to an Access Control Policy, but directly to the FTD device

FTD Packet Processing: Network Discovery

• Network Discovery is used in 2 main places:
1. FMC Dashboards
2. Intrusion Prevention FireSIGHT Recommendations
• Same functionality as on classic Firepower devices
• Configuration from Policies > Network Discovery
Tip – Make sure you tune the networks in the Network Discovery Policy to match the networks you want to discover and remove the 0.0.0.0/0 and ::/0 entries

FTD Packet Processing: File Policy (AMP)

• File Policy provides a few different functionalities:
• Detect Files = Checks the first 1460 Bytes of a file, determines the type and generates a log
• Block Files = Blocks the file based on the first 1460 Bytes
• Malware Cloud Lookup = Sends the SHA-256 hash of a file to the cloud for analysis and depending on the answer generates a log if the file is bad. Optionally, Local Analysis can analyze the file and Dynamic Analysis Capable files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis
• Block Malware = Sends the SHA-256 hash of a file to the cloud for analysis and depending on the answer blocks it if the file is bad. Optionally, Local Analysis can block the file and/or Dynamic Analysis Capable files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis.
FTD Packet Processing: File Policy (AMP)

• When a File Policy decides that a file should be blocked a verdict is returned to ASA DATAPATH.
In that case FW engine debug and Snort debug show that the L7 ACL allows the FTP control channel traffic, but the File Policy blocks the malicious file transfer:
> system support firewall-engine-debug
..
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 New session
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 using HW or preset rule order 2, 'Allow Rule1', action Allow and prefilter rule 0
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 allow action
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 Allowing expected session for service 166
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File policy verdict is Type, Malware, and Capture
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File type verdict Reject, fileAction Block, flags 0x00003500, and type action Reject for t0
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File type event for file named fu.exe with disposition Type and action Block

> debug snort generic


snort_insp: flow created: TCP: 192.168.76.14 (tzone: 0) to 192.168.75.14 (tzone 0)
snort-insp: Flow from 192.168.76.14/20 to 192.168.75.14/36952 is black listed.
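Added example (not Cisco code and not from the deck): a Python parser for the firewall-engine-debug lines above that groups them by flow, records the matched Access Control rule and collects File Policy events, so that a "black listed" flow seen in snort debug or in a capture trace can be tied back to the file block that caused it. The sample text is the slide's own output with the wrapped line joined; the line layout parsed (`src-port > dst-port proto AS n I n message`) is taken from that output and is an assumption for any other release.

```python
import re
from collections import OrderedDict

# Sample taken from the slide's firewall-engine-debug output (wrapped line joined).
SAMPLE_DEBUG = """\
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 New session
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 using HW or preset rule order 2, 'Allow Rule1', action Allow and prefilter rule 0
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 allow action
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 Allowing expected session for service 166
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File policy verdict is Type, Malware, and Capture
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File type verdict Reject, fileAction Block, flags 0x00003500, and type action Reject for t0
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File type event for file named fu.exe with disposition Type and action Block
"""

# Layout assumed from the sample: "<src>-<sport> > <dst>-<dport> <proto> AS <n> I <n> <message>"
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS (?P<asn>\d+) I (?P<inst>\d+) (?P<msg>.*)$")
RULE_RE = re.compile(r"rule order (?P<order>\d+), '(?P<name>[^']+)', action (?P<action>\w+)")
EXPECTED_RE = re.compile(r"Allowing expected session for service (\d+)")
FILE_EVT_RE = re.compile(
    r"File type event for file named (?P<name>\S+) with disposition (?P<disp>\w+) and action (?P<action>\w+)")


def parse_debug(text):
    """Group debug lines per 5-tuple; keep the matched ACP rule, whether the flow
    was an 'expected' (ALG-pinholed) session, and every file event seen."""
    flows = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner / prompt lines
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        f = flows.setdefault(key, {"rule": None, "expected": False,
                                   "file_events": [], "messages": []})
        msg = m["msg"]
        f["messages"].append(msg)
        r = RULE_RE.search(msg)
        if r:
            f["rule"] = {"order": int(r["order"]), "name": r["name"], "action": r["action"]}
        if EXPECTED_RE.search(msg):
            f["expected"] = True
        e = FILE_EVT_RE.search(msg)
        if e:
            f["file_events"].append({"file": e["name"], "disposition": e["disp"],
                                     "action": e["action"]})
    return flows


def blocked_files(text):
    """Return [(flow_tuple, filename)] for every file the File Policy blocked."""
    out = []
    for key, f in parse_debug(text).items():
        for e in f["file_events"]:
            if e["action"] == "Block":
                out.append((key, e["file"]))
    return out


if __name__ == "__main__":
    for key, f in parse_debug(SAMPLE_DEBUG).items():
        print(key, "rule:", f["rule"], "expected:", f["expected"], "files:", f["file_events"])
    print("blocked:", blocked_files(SAMPLE_DEBUG))
```

The control channel (port 21) carries the rule match while the data channel (port 20, an expected session) carries the file verdict; looking only at the flow that matched the rule would miss the block.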
FTD Packet Processing: Intrusion Policy

• Tracing a real packet shows the Snort engine verdict when a Snort Rule is matched
firepower# show capture CAPO packet-number 2 trace
2: 12:16:09.232776 192.168.77.40 > 192.168.75.39: icmp: echo reply
Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow
..
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
FTD Packet Processing: Snort Verdict & Flow Update

• At this point the Snort Engine returns to ASA DATAPATH through the DAQ and PDTS framework a
Verdict (Pass, Blacklist (Block), Fast-Forward etc)
• Depending on the Verdict the ASA engine will update the Flow accordingly (terminate or proceed with
further checks)
> show logging | include connection
Jun 13 2016 13:32:49: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.76.14/0 gaddr 192.168.75.14/0 laddr 192.168.75.14/0
Jun 13 2016 13:33:00: %ASA-6-302016: Teardown UDP connection 357875 for inside:192.168.75.14/60131 to dmz:192.168.76.14/53 duration 0:02:01 bytes 43

> show conn address 192.168.75.179


UDP outside 192.168.75.179:138 inside 192.168.75.255:138, idle 0:00:19, bytes 35306, flags - N
UDP outside 192.168.75.179:137 inside 192.168.75.255:137, idle 0:00:19, bytes 6350, flags - N
>
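Added example (not Cisco code and not from the deck): a Python parser for the ASA connection teardown syslogs shown above (%ASA-6-302016/302021, plus the TCP counterpart 302014), which turns the duration and byte counters into numbers and picks out teardowns whose reason text points at the inspection path, i.e. the ASA side of a Snort verdict. The third sample line and its "Flow closed by inspection" reason are constructed for the example; the first two are the slide's own lines.

```python
import re

# Sample syslog lines: the first two are from the slide, the third is constructed.
SAMPLE_SYSLOG = """\
Jun 13 2016 13:32:49: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.76.14/0 gaddr 192.168.75.14/0 laddr 192.168.75.14/0
Jun 13 2016 13:33:00: %ASA-6-302016: Teardown UDP connection 357875 for inside:192.168.75.14/60131 to dmz:192.168.76.14/53 duration 0:02:01 bytes 43
Jun 13 2016 13:33:05: %ASA-6-302014: Teardown TCP connection 357880 for inside:192.168.75.14/36942 to dmz:192.168.76.14/21 duration 0:00:03 bytes 512 Flow closed by inspection
"""

# 302014 (TCP) and 302016 (UDP) share one layout; the trailing reason is optional.
CONN_RE = re.compile(
    r"%ASA-6-(?P<id>30201[46]): Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")
# 302021 (ICMP) carries no duration or byte counters.
ICMP_RE = re.compile(
    r"%ASA-6-302021: Teardown ICMP connection for faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+")


def parse_teardowns(text):
    """Return one dict per teardown line; unknown lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.search(line)
        if m:
            events.append({
                "id": m["id"], "proto": m["proto"], "conn": int(m["conn"]),
                "src": m["sip"] + "/" + m["sport"], "dst": m["dip"] + "/" + m["dport"],
                "duration_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                "bytes": int(m["bytes"]), "reason": m["reason"]})
            continue
        m = ICMP_RE.search(line)
        if m:
            events.append({"id": "302021", "proto": "ICMP", "conn": None,
                           "src": m["gaddr"], "dst": m["faddr"],
                           "duration_s": None, "bytes": None, "reason": None})
    return events


def inspection_closures(events):
    """Teardowns whose reason mentions inspection: the flows the ASA engine
    terminated because of an inspection verdict rather than a normal close."""
    return [e for e in events if e["reason"] and "inspection" in e["reason"].lower()]


if __name__ == "__main__":
    evs = parse_teardowns(SAMPLE_SYSLOG)
    for e in evs:
        print(e)
    print("closed by inspection:", [(e["conn"], e["src"], e["dst"]) for e in inspection_closures(evs)])
```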
FTD Packet Processing: ALG Checks

• ASA Application Layer Gateway (ALG) checks are the classic Modular Policy Framework (MPF) rules applied on the ASA engine
• Currently on FTD the MPF configuration is not tunable
• You can use classic ASA MPF commands to verify the existing MPF configuration
firepower# show run class-map
firepower# show run policy-map
firepower# show run service-policy
!
firepower# show service-policy flow tcp host 192.168.75.14 host 192.168.77.40 eq 80

FTD Packet Processing: NAT, VPN, L3, L2

• The remaining checks on ASA engine are the same as on classic ASA
• NAT IP header
• VPN Encrypt
• L3 Route
• L2 Resolution of next hop

Quiz
Based on the following output what could be 2 possible reasons for the packet drop?
firepower# show capture CAPO packet-number 2 trace
2: 12:16:09.232776 192.168.77.40 > 192.168.75.39: icmp: echo request
Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow
..
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame

Answer
Some possible drop reasons: Intrusion Policy, Security Intelligence (IP), L7 ACP

FTD Troubleshooting Tools – Logging
• Logging provides valuable information for troubleshooting
• Two levels of logs
1. ASA engine
• Sourced from a data interface or the diagnostic subinterface
• Same as on classic ASA
2. Snort engine
• Sourced from br1 subinterface
• Same as on classic Firepower

FTD Troubleshooting Tools – SNMP
• SNMP can provide information for troubleshooting
• ASA engine can be configured for SNMP polling or traps (Devices > Platform Settings)
> show run snmp-server
snmp-server host outside 192.168.1.100 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****

*FDM (on-box management) doesn’t support SNMP configuration


FTD Troubleshooting Tools – Packet Tracer
• FTD ASA-level Packet Tracer is the same as on classic ASA appliances
• In 6.0 code it can only be run from the ASA CLI
> system support diagnostic-cli
firepower# packet-tracer input inside tcp 192.168.75.14 1111 192.168.76.14 80

• In post-6.1 code the command can also be executed from the CLISH CLI and from the FMC ASA CLI page
> packet-tracer input inside tcp 192.168.75.14 1111 192.168.76.14 80

• Currently, Packet Tracer shows only the ASA Datapath processing. Packet Tracer for the Snort engine is on the roadmap
FTD Troubleshooting Tools – Capture
• FTD provides 2 types of captures
1. ASA-level capture – ‘capture’ command from CLISH
2. Snort-level capture – ‘capture-traffic’ command from CLISH
• Where are these captures taking place?

• Additionally, ‘expert’ mode tcpdump can be used to capture control-plane traffic to and from the br1 interface
FTD Troubleshooting Tools - Capture w/Trace
• As on classic ASA appliances the FTD ASA Capture can be combined with
Packet Tracer to show how a real packet was processed
> capture CAPI trace interface inside match ip host 192.168.75.14 host 192.168.76.14

• Provides visibility to the Snort Verdict


> show capture CAPI packet-number 1 trace
Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet
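Added example (not Cisco code and not from the deck), covering the capture-with-trace output shown here and the earlier SI, Intrusion Policy and Quiz slides that use the same format: a Python parser that splits a `show capture ... trace` output into phases, pulls the Snort verdict out of the SNORT phase and reports where a packet was dropped. The two sample traces are constructed from the fragments shown on the slides; the field layout (`Phase:` blocks followed by a bare `Result:` summary) is taken from those fragments.

```python
import re

# Constructed sample, modelled on the slides' trace output for a dropped packet.
DROPPED_TRACE = """\
1: 16:07:45.147743 192.168.75.14 > 38.229.186.248: icmp: echo request
Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
"""

# Constructed sample for the allowed case.
ALLOWED_TRACE = """\
1: 16:07:45.147743 192.168.75.14 > 192.168.76.14: icmp: echo request
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: inside
Action: allow
"""

VERDICT_RE = re.compile(r"\((?P<tag>[^)]+)\)\s*(?P<why>.*)")


def parse_trace(text):
    """Return (phases, final): phases is a list of dicts keyed by the 'Key: value'
    fields of each 'Phase:' block, final is the trailing bare 'Result:' block."""
    phases, final, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1])}
            phases.append(current)
            continue
        if line == "Result:":          # bare 'Result:' opens the summary block
            current = final
            continue
        if current is None:            # packet header line before the first phase
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return phases, final


def snort_verdict(text):
    """(tag, explanation) from the SNORT phase, or None when no Snort phase is present
    (e.g. the ASA engine dropped the packet before handing it to Snort)."""
    for p in parse_trace(text)[0]:
        if p.get("Type") == "SNORT" and "Snort Verdict" in p:
            m = VERDICT_RE.match(p["Snort Verdict"])
            return (m["tag"], m["why"]) if m else (p["Snort Verdict"], "")
    return None


def drop_summary(text):
    """First phase with 'Result: DROP' plus the final Drop-reason, or None if allowed."""
    phases, final = parse_trace(text)
    dropped = next((p for p in phases if p.get("Result") == "DROP"), None)
    if dropped is None:
        return None
    return {"phase": dropped["phase"], "type": dropped.get("Type"),
            "action": final.get("Action"), "reason": final.get("Drop-reason")}


if __name__ == "__main__":
    print(snort_verdict(DROPPED_TRACE), drop_summary(DROPPED_TRACE))
    print(snort_verdict(ALLOWED_TRACE), drop_summary(ALLOWED_TRACE))
```

A `(black-list)` verdict only says that Snort asked for the drop; as the Quiz slide points out, the responsible policy (Security Intelligence, Intrusion Policy or L7 ACL) has to be found on the Snort side, for example with firewall-engine-debug.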
FTD Troubleshooting Tools - FW Engine Debug
• FW Engine Debug comes from classic Firepower appliances
• It is executed in CLISH CLI and it runs against the following Snort engine
components:

> system support firewall-engine-debug

Please specify an IP protocol: tcp


Note - At least one condition has to be specified
Please specify a client IP address: 192.168.75.14
Please specify a client port:
Please specify a server IP address: 192.168.76.14
Please specify a server port:
Monitoring firewall engine debug messages
FTD Troubleshooting Tools – pigtail
• Pigtail is an FMC and FTD CLI tool that parses, reformats, and displays the contents of several log files as the files are written
• Messages are shown in order based on their timestamps
• Different color per file that is parsed
• Use ‘pigtail –help’ to see all available options

FTD Troubleshooting Tools – pigtail
• Files parsed by pigtail on FTD
Keyword  File                                                  Purpose
ACTQ     /var/log/action_queue.log                             Logs related to Perl scripts that were run (e.g. policy_apply.pl)
DEPL     /var/log/sf/policy_deployment.log                     Logs related to Policy Deployment
HTTP     /var/log/httpd/httpsd_error_log                       Logs related to HTTPS daemon
DCSM     /var/log/mojo.log                                     Logs related to Perl calls
MOJO     /var/log/mojo/mojo.log                                Logs related to Perl calls
MSGS     /var/log/messages                                     Generic log messages
NGFW     /var/log/ngfwManager.log                              Logs related to FTD Configuration Communication Manager (CCM) and Config Dispatcher (CD) components
NGUI     /ngfw/var/cisco/ngfwWebUi/tomcat/logs/catalina.out    Apache Tomcat Catalina logs

FTD Troubleshooting Tools – pigtail
• To parse all files and save the output to a file
> pigtail all
*************************************************************************************
*****************************************************************
** Displaying logs: HTTP ACTQ DCSM VMSS MOJO NGUI NGFW TCAT VMSB DEPL USMS MSGS
*************************************************************************************
*****************************************************************
Collated log written to pigtail-all-1465555118.log
>
As soon as you press CTRL+C a file is written in the /home/admin directory

• Things to look for in the pigtail output:


• Keywords such as "Exception", "error", "Fatal", "Failed", "trace"
• Specific keywords related to the feature you troubleshoot
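Added example (not Cisco code and not from the deck): a Python triage pass over a collated pigtail log that implements the two bullets above, searching for the generic keywords ("Exception", "error", "Fatal", "Failed", "trace") plus any feature-specific terms and grouping the hits by the pigtail file keyword. The sample lines are constructed, and the `KEYWORD: <timestamp> <message>` line layout is an assumption about pigtail's output, not something the deck shows.

```python
import re
from collections import defaultdict

DEFAULT_KEYWORDS = ("Exception", "error", "Fatal", "Failed", "trace")

# Constructed sample in an assumed 'KEYWORD: Mon DD HH:MM:SS message' layout (not captured output).
SAMPLE_PIGTAIL = """\
DEPL: Jun 10 12:45:01 Policy deployment started for device FTD5506-1
ACTQ: Jun 10 12:45:02 Running /usr/local/sf/bin/policy_apply.pl
NGFW: Jun 10 12:45:07 CCM: applying config bundle
NGFW: Jun 10 12:45:09 CD: Failed to apply interface config: Exception in dispatcher
DEPL: Jun 10 12:45:10 Policy deployment failed for device FTD5506-1
MSGS: Jun 10 12:45:11 kernel: eth0: link is up
HTTP: Jun 10 12:45:12 [error] client denied by server configuration
MSGS: Jun 10 12:46:00 sshd: trace route helper exited
"""

LINE_RE = re.compile(r"^(?P<file>[A-Z]{4}): (?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")


def triage(text, keywords=DEFAULT_KEYWORDS, feature_terms=()):
    """Return {file_keyword: [hit, ...]} for every line containing one of the
    generic keywords or one of the feature-specific terms.

    Matching is case-insensitive (the slide lists 'error' and 'Failed', but
    'failed' and 'Error' are just as common) and uses word boundaries so that
    'trace' does not fire on every 'traceroute' or 'stacktrace' mention.
    """
    terms = tuple(keywords) + tuple(feature_terms)
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, terms)) + r")\b", re.IGNORECASE)
    hits = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        found = sorted({k.lower() for k in pattern.findall(m["msg"])})
        if found:
            hits[m["file"]].append({"ts": m["ts"], "matched": found, "msg": m["msg"]})
    return dict(hits)


def summary(hits):
    """Hit count per pigtail file keyword, e.g. {'NGFW': 1, 'DEPL': 1, ...}."""
    return {file: len(entries) for file, entries in hits.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_PIGTAIL, feature_terms=("policy deployment",))
    print(summary(found))
    for file, entries in found.items():
        for h in entries:
            print(file, h["ts"], h["matched"], h["msg"])
```

Reading the NGFW and DEPL hits together, in timestamp order, is what makes the failure chain visible: the deployment log only says that deployment failed, the ngfwManager log says which component raised the exception.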

FTD Troubleshooting Tools – File Download
• In case a process (e.g. ASA engine or Snort engine) crashes, a coredump file will be created in the FTD /ngfw/var/common directory (visible from ‘expert’ mode)
admin@FTD5506-1:~$ ls -alt /ngfw/var/common/ | grep core
-rw------- 1 root root 700583936 Jun 8 19:01 core_1465412492_FTD5506-1_snort_6.11131

• You can easily fetch a coredump file from FMC GUI


1. Navigate to System > Health > Monitor
2. Click on the FTD device and then on Advanced Troubleshooting. You will be
transferred to Advanced Troubleshooting page.
3. Specify the file name and click on Download

FTD Troubleshooting Tools – ASA CLI
• You can execute ASA CLI commands from FMC GUI
• Currently (6.1) only 4 commands are supported
1. Ping
2. Packet-tracer
3. Any ‘show’ command
4. Traceroute

FTD Troubleshooting Tools – TS File (GUI)
• Before contacting TAC generate an FTD Troubleshooting File. This includes the ASA engine ‘show tech-support’ output along with many other outputs
• To collect the Troubleshooting File
1. Navigate to System > Health > Monitor
2. Click on the FTD device and then on Generate Troubleshooting Files
3. Select All Data and click on Generate

FTD Troubleshooting Tools – TS File (CLI)
• In case you cannot generate an FTD Troubleshoot File from FMC you can
generate it from FTD CLI
> system generate-troubleshoot ALL
Starting /usr/local/sf/bin/sf_troubleshoot.pl...
Please, be patient. This may take several minutes.
The troubleshoot option code specified is ALL.

Troubleshooting information successfully created at /ngfw/var/common/results-06-14-2016--220256.tar.gz

• To export the file from FTD to a remote FTP server


> file copy 192.168.0.100 anonymous /remote_dir/ results-06-14-2016--220256.tar.gz

• To export the file from FTD to a remote SCP server


> file secure-copy 192.168.0.100 cisco / results-06-14-2016--220256.tar.gz
[email protected]'s password:
copy successful.

FTD High Availability and Scalability overview
• FTD supports A/S failover (AKA High Availability) and Clustering (AKA High
Scalability)
• High Availability is equivalent to classic ASA failover and it is supported on:
• ASA5500-X
• FP4100 and FP9300 (inter-chassis – blades on different physical chassis)
• vFTD on ESXi, but not in AWS environment
• With HA both units require a Smart License (discount compared to Standalone)
• Clustering is supported on:
• FP9300 (intra-chassis) so cluster with up to 3 blades in the same chassis

FTD High Availability (failover) verification
> show failover
Failover On
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet1/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(1)72, Mate 9.6(1)72
HTTP Replication enabled by default
Serial Number: Ours JAD192100SZ, Mate JAD192304SU
Last Failover at: 21:57:44 UTC Jun 14 2016
This host: Primary - Standby Ready
Active time: 3009 (sec)
slot 1: ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)
Interface outside (192.168.1.2): Normal (Monitored)
Interface inside (192.168.2.2): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
(Snort and Disk monitoring)
Other host: Secondary - Active
Active time: 7974 (sec)
slot 1: ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)
Interface outside (192.168.1.1): Normal (Monitored)
Interface inside (192.168.2.1): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Stateful Failover Logical Update Statistics
FTD High Availability (failover) – Snort failure
If 50% or more of the Snort instances are down, failover is triggered
> show failover | include snort
slot 1: snort rev (1.0) status (down)
slot 1: snort rev (1.0) status (up)

Failover history reports Snort failure as a service module failure event


> show failover history
19:12:07 UTC Jun 15 2016
Active Standby Ready Other unit wants me Standby
19:12:07 UTC Jun 15 2016
Standby Ready Failed Detect service module failure
19:12:08 UTC Jun 15 2016
Failed Standby Ready My service module is as good as peer
19:12:09 UTC Jun 15 2016
Standby Ready Failed Detect service module failure
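Added example (not Cisco code and not from the deck): a Python helper that reads the `slot N: snort ... status (...)` lines of `show failover` per unit and applies the rule stated above, that failover is triggered when 50% or more of the Snort instances are down. The sample output is constructed from the line formats shown on the slides; the exact-half case is what the function is written to get right.

```python
import re

# Constructed sample: two Snort instances per unit, one of the local ones down.
SAMPLE_FAILOVER = """\
This host: Primary - Active
slot 1: ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)
slot 1: snort rev (1.0) status (down)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Other host: Secondary - Standby Ready
slot 1: ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)
slot 1: snort rev (1.0) status (up)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:")
SNORT_RE = re.compile(r"^\s*slot \d+: snort rev \(\S+\) status \((?P<status>\w+)\)")


def snort_status_by_host(text):
    """{'This host': [...statuses...], 'Other host': [...]} from show failover output.
    Only 'snort' slot lines are collected; the ASA and diskstatus lines are ignored."""
    result, current = {}, None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = h.group(1) + " host"
            result[current] = []
            continue
        m = SNORT_RE.match(line)
        if m and current is not None:
            result[current].append(m["status"])
    return result


def snort_failure_triggers_failover(statuses, threshold=0.5):
    """True when at least `threshold` (50% by default) of the instances are not up.
    Exactly half counts as a failure ('50% or more'); no instances means no verdict."""
    if not statuses:
        return False
    down = sum(1 for s in statuses if s.lower() != "up")
    return down / len(statuses) >= threshold


if __name__ == "__main__":
    by_host = snort_status_by_host(SAMPLE_FAILOVER)
    for host, statuses in by_host.items():
        print(host, statuses, "-> failover" if snort_failure_triggers_failover(statuses) else "-> ok")
```

Run against a real `show failover` it tells you, before the failover history does, whether the Snort health of the active unit is already at the threshold.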

Summary
• FTD Unified Image was developed to get the best from both worlds:
• ASA
• Firepower
• Supported on many different HW and virtual platforms
• Full Firepower feature set already available. ASA features are introduced in
phases
• Single off-box manager: Firepower Management Center (FMC)
• New Java-free on-box manager: Firepower Device Manager (FDM)

Appendix
• FTD Reimage
• FTD Licensing Subscriptions and Roadmap
• FTD Performance
• FTD CLI – Basic Commands

FTD reimage on ASA5506/8/16-X
The following steps assume that there is already an FTD image installed
Step 1 – Reboot the FTD and enter boot CLI mode
> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': YES
(In pre-6.1 code the command is system reboot)
..
==============================================
Use ESC to interrupt boot and launch boot CLI.
Use SPACE to launch Cisco FTD immediately.

Launching boot CLI ...

Cisco FTD Boot 6.0.0 (9.6.1.)


Type ? for list of commands

firepower-boot>

FTD reimage on ASA5506/8/16-X
Step 2 – Run the setup utility
firepower-boot> setup
Enter a hostname [firepower]: firepower
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.1.1]: 10.62.148.29
Enter the netmask [255.255.254.0]: 255.255.255.128
Enter the gateway: 10.62.148.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Enter the primary DNS server IP address: 192.168.0.1
Do you want to configure Secondary DNS Server? (y/n) [n]: n
Do you want to configure Local Domain Name? (y/n) [n]: n
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: n
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Verify connectivity with the FTP or HTTP server:
..
firepower-boot> ping 10.48.40.70
64 bytes from 10.48.40.70: icmp_seq=1 ttl=61 time=31.5 ms

FTD reimage on ASA5506/8/16-X
Step 3 – Download and install the system image
firepower-boot> system install ftp://10.48.40.70/ANG/mzafeiro/ftd-6.1.0-226.pkg
# The content of disk0: will be erased during installation! #
#############################################################
Do you want to continue? [y/N] y
Erasing disk0 ...
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-FTD 6.1.0-226 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
.......................................................................
firepower login: admin
Password: Press Enter
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
END USER LICENSE AGREEMENT
Please enter 'YES' or press <ENTER> to AGREE to the EULA:
FTD reimage on ASA5506/8/16-X
Step 4 – Configure FTD network settings and device modes
You must change the password for 'admin' to continue.
Enter new password:
Confirm new password:
(Specify the new admin password)
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.62.148.29
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.128
Enter the IPv4 default gateway for the management interface [192.168.45.1]: 10.62.148.1
Enter a fully qualified hostname for this system [firepower]: FTD5508-1
Enter a comma-separated list of DNS servers or 'none' []: 192.168.0.1
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: no
Configure firewall mode? (routed/transparent) [routed]:
..
(The first prompt selects FMC vs On-box management, the second Routed vs Transparent mode)
>
FTD Smart Licensing Subscriptions
• In addition to Base License that is already included the following time-based
license subscriptions are available
Subscription  Feature Set included
T             Threat
TC            Threat + URL Filtering
TM            Threat + Malware
TMC           Threat + Malware + URL Filtering
URL           URL Filtering (requires existing Threat subscription)
AMP           Malware (requires existing Threat subscription)

Software Support by Platform
Platform                              FTD  FirePOWER NGIPS  ASA  FirePOWER on ASA
Series 2 (obsolete)                   ✘    ✘                ✘    ✘
Series 3 (FirePOWER 7000, 8000)       ✘    ✔                ✘    ✘
ASA Low-end (5506/08/16)              ✔    ✘                ✔    ✔
ASA Mid-range (5512/15/25/45/55)      ✔    ✘                ✔    ✔
ASA High-end (5585 SSP10/20/40/60)    ✘    ✘                ✔    ✔
FirePOWER 9300 (3RU)                  ✔    ✘                ✔    ✘
FirePOWER 4100 (1RU)                  ✔    ✘                ✔    ✘
VMware                                ✔    ✔                ✔    ✘
AWS                                   ✔    ✘                ✔    ✘
ISR 4K                                ✔    ✘                ✘    ✘
New Capabilities in Firepower Threat Defense 6.1
Threat and NGFW:
• VDI Identity (Citrix and Microsoft)*
• Safe Search enforcement
• ISE Remediation
• True-IP Policy (XFF)
• Inline SGT Tags
• Captive Portal Enhancements (Guest Button, User Logoff)
• Kerberos
• AMP Private Cloud with ThreatGrid

Enterprise Management:
• Web-based On-box Manager (Firepower Threat Defense)
• Risk Reports
• Localization to Japanese, Korean, Chinese
• Third-Party Config via REST API* (FirePOWER Appliances/Services Only)
• Management Center HA
• Management of More Appliances

Core Firewall:
• Rate Limiting
• Tunnelled Traffic Policies
• Site-to-Site VPN
• Multicast Routing
• Shared NAT
• Limited Config Migration (ASA to Firepower TD)
• Fail to Wire Netmod Support
• Broader Virtualization (KVM)
• Unified CLI

Legend: ONLY IN FIREPOWER THREAT DEFENSE / COMMON ACROSS FIREPOWER PLATFORMS*
*Unless specified
Firepower Threat Defense Features and Priorities
Q4 CY15/Q1 CY16 – Firepower 6.0/6.0.1
Firewall: SSL Decryption; Captive Portal / Active Auth; ISE Identity/Device/SGT; Active-Passive HA*
Threat: OpenAppID; DNS, URL Inspection; ThreatGrid
Management: Multi-tenancy Domains, RBAC and Network Maps; Policy Inheritance

Q2 CY16 – Firepower 6.1
Firewall: Site-to-Site VPN; Rate Limiting; SafeSearch/YouTube EDU; X-Forwarded-For Policy; VDI Identity (Citrix/Microsoft)
Threat: Remediation to ISE; Inline SGT Tags
Management: On-box Web UI (Basic policy); REST API*; Management HA

High Priorities for Future Releases
Firewall: Remote Access VPN (AnyConnect SSL); Inter-chassis Clustering; Multi-context; SSL Acceleration
Threat: Correlation of sophisticated IoCs across Cisco products
Management: Management for ASA policies from Management Center; Permanent License Reservation; Event Scale; Management of More Devices
FTD Performance on ASA HW
Model                           5506-X     5508-X     5512-X     5515-X     5516-X     5525-X     5545-X     5555-X
Max AVC Throughput              250 Mbps   450 Mbps   300 Mbps   500 Mbps   850 Mbps   1100 Mbps  1500 Mbps  1750 Mbps
Max AVC and IPS Throughput      125 Mbps   250 Mbps   150 Mbps   250 Mbps   450 Mbps   650 Mbps   1000 Mbps  1250 Mbps
AVC or IPS Sizing Throughput    90 Mbps    180 Mbps   100 Mbps   150 Mbps   300 Mbps   375 Mbps   575 Mbps   725 Mbps
Max Connections                 50,000     100,000    100,000    250,000    250,000    500,000    750,000    1,000,000
Max CPS                         5,000      10,000     10,000     15,000     20,000     20,000     30,000     50,000

• Sizing recommendations are the same as on ASA with FP module


• 440 Bytes TCP for Sizing
FTD Performance on FP4100 and FP9300

                                       4110    4120    4140    SM-24   SM-36   SM-36x3
Max Throughput: AVC                    12G     20G     25G     25G     35G     100G
Max Throughput: AVC and IPS            10G     15G     20G     20G     30G     90G
Sizing Throughput: AVC (450B)          4G      8G      10G     9G      12.5G   30G
Sizing Throughput: AVC+IPS (450B)      3G      5G      6G      6G      8G      20G
Maximum concurrent sessions w/AVC      4.5M    11M     14M     28M     29M     57M

FTD CLI
To change the FTD 'admin' password
> configure password
Enter current password:
Enter new password:
Confirm new password:
>

The following command will show FTD system events


> show audit-log
Audit Log Output:
..
message : Successful task completion : Clam update synchronization from KRK-2K-2
..
message : Successful task completion : Apply AMP Dynamic Analysis Configuration from KRK-2K-2
..
message : Successful task completion : Registration 'ksec-fs2k-2-mgmt.cisco.com'

FTD CLI
The following command will show the Access Control Policy (ACP) configuration
including SI (IP, URL, DNS) and Advanced Settings
> show access-control-config

===================[ FTD5506-1 ]====================


Default Action : Allow
Default Policy : Balanced Security and Connectivity
..
===[ Security Intelligence - Network Whitelist ]====
..
===[ Security Intelligence - Network Blacklist ]====
..
=====[ Security Intelligence - URL Whitelist ]======
..
=====[ Security Intelligence - URL Blacklist ]======
..
=======[ Security Intelligence - DNS Policy ]=======
..
===============[ Rule Set: (User) ]================
..
===============[ Advanced Settings ]================
..
=============[ Interactive Block HTML ]=============

FTD CLI
Shutting down the box (ASA5512/15/25/45/55-X)
> shutdown
This command will shutdown the system. Continue?
Please enter 'YES' or 'NO': YES
(In pre-6.1 code the command is system shutdown)

Broadcast meStopping Cisco ASA5515-X Threat Defense......ok

On ASA5506/08/16 the system will stop at a prompt where you can unplug the
cable or you are given the option to reboot
> shutdown
This command will shutdown the system. Continue?
Please enter 'YES' or 'NO': YES

Firepower Threat Defense stopped.


It is safe to power off now.

Do you want to reboot instead? [y/N]
