FTD Know How
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Agenda
• Introduction
• FTD Installation and Licensing
• FTD Management options
• FTD Deployment and interfaces modes
• FTD Packet Flow
• Troubleshooting tools
• High Availability
FTD in a nutshell
FTD High-level overview
Firepower Threat Defense (FTD) merges 2 products:
• ASA
• Firepower (Snort)
FirePOWER on ASA vs FTD
FirePOWER on ASA
• Requires 2 software images
• 2 Operating Systems on same HW
• Duplicated functionality
• 2 management applications
FTD
• Zero-copy packet inspection
• Unified management (FMC/FDM)
FTD installation on ASA5506/8/16-X
For the FTD installation you use 2 images:
• OS image (AKA boot image) - for Firepower Threat Defense on ASA5506/8/16-X this is a *.lfbff file
• System image – this is a .pkg file
Prerequisites
Before proceeding with the FTD installation verify the following:
• ASA flash should have at least 3.1 GBytes (3 GBytes + size of boot image) free space
• The boot image is uploaded to a TFTP server
• The system image is uploaded to an HTTP or FTP server
• The ASA ROMMON is at least version 1.1.8
FTD installation on ASA5506/8/16-X in a nutshell
Step 1 – Put the .lfbff boot image on a TFTP server and the .pkg system image on an FTP or HTTP server
Step 2* – If needed, download the ROMMON image from the Cisco site and upgrade the ASA ROMMON to >= 1.1.8
ASA5506X-1# copy ftp://10.48.40.70/asa5500-firmware-1108.SPA disk0:asa5500-firmware-1108.SPA
ASA5506X-1# upgrade rommon disk0:asa5500-firmware-1108.SPA
Step 3 – Reload the ASA and enter ROMMON mode
Step 4 – In ROMMON, configure basic network settings and install the FTD boot image
rommon 1 > ADDRESS=10.62.148.29
rommon 7 > tftpdnld
Step 5 – Configure the boot image
firepower-boot> setup
Step 6 – Install the system image
firepower-boot> system install ftp://10.229.22.42/ftd-6.0.0-1005.pkg
Step 7 – Accept the EULA, specify network settings, Mgmt mode (local/FMC), FW mode (routed/transparent)
Step 8 – If needed, register FTD to FMC
> configure manager add 10.62.148.73 cisco
FTD Licensing
• FTD uses Smart Licensing model where the license is not tied to any SN
• Smart Licensing is applicable only on FTD. All other Firepower products still use Classic Licensing
• Licensing is handled by the FMC, which will not deploy to or accept events from unlicensed devices
• Evaluation license available for 90 days with full* functionality
• After 90 days you need to register with Cisco Smart Software Manager (CSCM)
FTD Licensing
4 types of licenses
1. Base License (NGFW) – Comes with the appliance
- Enables Networking, Firewall and Application Visibility and Control
2. Threat - Term-based
- Enables IPS, Security Intelligence - SI (IP, DNS)
3. Malware – Term-based
- Enables AMP and Threat-Grid
4. URL Filtering – Term-based
- Enables Category and Reputation-based URL filtering
• Currently, in case of FTD HA both units need a license
• Air-gapped networks require Permanent License Reservation (PLR) or Satellite Software Licensing
FTD Licensing
To apply a Smart License on FTD
• Step 1 - Obtain an ID Token from Cisco Smart Software Manager (CSCM - Cisco License Portal)
• Step 2 - Register Firepower Management Center (FMC) to CSCM
FTD Management options
2 Management options:
• Firepower Management Center (FMC) – off-box manager
• Firepower Device Manager (FDM) – on-box manager
FMC GUI
FTD Management options
FDM GUI (available as from 6.1)
On-box vs. Off-box comparison at 6.1
Feature                                                  FMC (Off-box)   FDM (On-box)
NAT & Routing                                            ✔               ✔
Access Control                                           ✔               ✔
Intrusion & Malware                                      ✔               ✔
Device & Events Monitoring                               ✔               ✔
Site to Site VPN                                         ✔               In Roadmap
Security Intelligence                                    ✔               In Roadmap
Other Policies: SSL, Identity, Rate Limiting (QoS) etc.  ✔               In Roadmap
Active/Passive Authentications                           ✔               In Roadmap
Risk Reports                                             ✔               ✘
Correlation & Remediation                                ✔               ✘
SNMP                                                     ✔               ✘
Easy Device Setup                                        ✘               ✔
In a nutshell, the CLI levels are CLISH, expert mode and the ASA console (lina_cli):
> expert                                        <-- CLISH mode
admin@FTD5506-1:~$ sudo su                      <-- Expert mode
Password:
root@FTD5506-1:/home/admin# lina_cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
FTD Management interface
FTD physical Management interface is divided into 2 logical subinterfaces:
• diagnostic – shown by ‘show int ip brief’
• br1* – shown by ‘show network’
The sftunnel between FMC and FTD is terminated on br1
FTD Deployment and Interface Modes
2 Deployment Modes (device modes inherited from ASA):
• Routed
• Transparent
6 Interface Modes:
Inherited from ASA:
• Routed
• Switched (BVI)
Inherited from FirePOWER:
• Passive
• Passive (ERSPAN)
• Inline pair
• Inline pair with tap
Note - interface modes can be mixed on a single FTD device
Deployment Mode: Routed
• Traditional L3 firewall deployment
• Allows configuring all interface modes apart from Switched (BVI)
• You can specify the firewall mode (Routed or Transparent) during the FTD
setup process:
Configure firewall mode? (routed/transparent) [routed]: routed
• You can later change the FTD mode from CLISH CLI:
> configure firewall routed
This will destroy the current interface configurations, are you sure that you want to proceed? [y/N] y
The firewall mode was changed successfully.
>
Note - The FTD mode can be changed only if the device is unregistered
Deployment Mode: Transparent
• Traditional L2 firewall deployment
• Allows configuring all interface modes apart from Routed, Passive ERSPAN
• You can specify the firewall mode (Routed or Transparent) during the FTD
setup process:
Configure firewall mode? (routed/transparent) [routed]: transparent
• You can later change the FTD mode from routed to transparent from CLISH:
> configure firewall transparent
This will destroy the current interface configurations, are you sure that you want to proceed? [y/N] y
The firewall mode was changed successfully.
>
Note - The FTD mode can be changed only if the device is unregistered
Interface Mode: Routed
• Available only in Routed Deployment
• Traditional L3 firewall deployment
• One or more physical or logical (VLAN) routable interfaces
• Allows features like NAT or Dynamic Routing protocols to be configured
• Packets are forwarded based on a route lookup
• Full ASA engine checks are applied along with full Snort engine checks
• Actual traffic can be dropped
Interface Mode: Switched
• Available only in Transparent Deployment mode
• Very similar to classic Transparent firewall
• Two or more physical or logical interfaces are assigned to a Bridge Group
• Full ASA engine checks are applied along with full Snort engine checks
• Packets are forwarded based on a CAM table lookup
• The BVI interface is used to resolve the next-hop MAC using ARP or ICMP
• Actual traffic can be dropped
Interface Mode: Inline Pair
• 2 Physical interfaces internally bridged
• Very similar to classic inline IPS
• Available in Routed or Transparent Deployment modes
• Most ASA features (NAT, Routing, L3/L4 ACL etc) are not available for flows going through an Inline Pair.
• Only a few ASA engine checks are applied along with full Snort engine checks
• Actual traffic can be dropped
Interface Mode: Inline Pair
TCP packets are handled in a TCP-state bypass mode so that the majority of ASA engine checks are disabled
firepower# show conn detail
1 in use, 30 most used
Flags: A - awaiting responder ACK to SYN, a - awaiting initiator ACK to SYN,
b - TCP state-bypass or nailed,
…
k - Skinny media, M - SMTP data, m - SIP media, N - inspected by Snort, n - GUP
• b flag - FTD Inline Pair mode handles a TCP connection in a TCP state-bypass mode and doesn’t drop TCP packets that don’t belong to existing connections. A classic ASA will drop an unsolicited SYN/ACK packet unless TCP state-bypass is enabled.
• N flag - The packet will be inspected by the Snort engine
Interface Mode: Inline Pair with Tap
• 2 Physical interfaces internally bridged
• Available in Routed or Transparent Deployment modes
• Most ASA features (NAT, Routing, L3/L4 ACL etc) are not available for flows going through an Inline Pair
• Only a few ASA engine checks are applied along with full Snort engine checks to a copy of the actual traffic
• Actual traffic cannot be dropped
Interface Mode: Inline Pair with Tap
Tracing a transit packet shows that the packet is not getting dropped
firepower# show capture CAPI packet-number 1 trace
9 packets captured
1: 20:06:10.571427 192.168.75.15.43708 > 192.168.75.40.23: S 315154105:315154105(0) win 4128 <mss 1460>
..
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: Access-list would have dropped,but packet forwarded due to inline-tap
ASA engine syslog messages show during a TCP connection creation that TCP state bypass is being applied
May 26 2016 20:06:10: %ASA-6-302303: Built TCP state-bypass connection 8963 from inside:192.168.75.15/43708 (192.168.75.15/43708) to outside:192.168.75.40/23 (192.168.75.40/23)
Interface Mode: Passive
• 1 Physical interface operating as a sniffer
• Very similar to classic IDS
• Available in Routed or Transparent Deployment modes
• A few ASA engine checks and full Snort engine checks are applied to a copy of the actual traffic
• Actual traffic cannot be dropped
Interface Mode: Passive (ERSPAN)
• 1 Physical interface operating as a sniffer
• Very similar to a remote IDS
• Available only in Routed Deployment mode
• A GRE tunnel between the capture point and the FTD carries the packets
• A few ASA engine checks and full Snort engine checks are applied to a copy of the actual traffic
• Actual traffic cannot be dropped
Interface Modes - Summary
FTD interface mode     FTD Deployment mode     Description                         Real traffic can be dropped
Routed                 Routed                  Full ASA and Snort checks           Yes
Switched               Transparent             Full ASA and Snort checks           Yes
Inline Pair            Routed or Transparent   Partial ASA and full Snort checks   Yes
Inline Pair with Tap   Routed or Transparent   Partial ASA and full Snort checks   No
Passive                Routed or Transparent   Partial ASA and full Snort checks   No
Passive (ERSPAN)       Routed                  Partial ASA and full Snort checks   No
Quiz
Which of the following interface modes work similarly to a classic IDS (choose 3)?
1. Inline Pair with Tap
2. Passive
3. Switched (Transparent)
4. Passive (ERSPAN)
5. Inline Pair
6. Routed
Answer
Inline Pair with Tap, Passive, Passive (ERSPAN)
FTD Packet Processing – The big picture
1. A packet enters the ingress interface and it is handled by the ASA engine
2. If the policy dictates so, the packet is inspected by the Snort engine
3. Snort engine returns a verdict (whitelist or blacklist) for the packet
4. The ASA engine drops or forwards the packet based on Snort’s verdict
• Snort engine runs 6.x code
• ASA engine runs 9.6.x code
FTD Packet Processing: Ingress Interface
• In Evaluation Licensing mode only DES is supported. The Smart License Strong Crypto attribute is needed for stronger encryption algorithms
FTD Packet Processing: VPN Decryption
• On FMC the tunnel status is updated every 5 minutes in Health Events. Use the CLISH Converged CLI for live verification and troubleshooting
> show crypto
  ikev1   Show IKEv1 operational data
  ikev2   Show IKEv2 operational data
  ipsec   Show IPsec operational data
  ...
> debug crypto
  ikev1   Set IKEV1 debug levels
  ikev2   Set IKEV2 debug levels
  ipsec   Set IPSec debug levels
  ...
FTD Packet Processing: UN-NAT/Egress int.
FTD Packet Processing: Prefilter Policy
• Navigate to Policies > Access Control > Prefilter and create a Prefilter Policy
• Add one or more Tunnel and/or Prefilter (Early Access Control) rules and attach the Policy to the ACP
FTD Packet Processing: Prefilter Policy (tunneled)
FTD Packet Processing: Prefilter Policy (tunneled)
• Prefilter Rules are deployed to ASA as L3/L4 ACEs and are placed above the normal L3/L4 ACEs
firepower# show access-list
access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3
(EAC Prefilter Rules)
access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268434457: RULE: Fastpath_Rule1
access-list CSM_FW_ACL_ line 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0)
(Tunnel Prefilter Rules)
access-list CSM_FW_ACL_ line 4 remark rule-id 268434456: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 5 remark rule-id 268434456: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 6 advanced permit ipinip any any rule-id 268434456 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 7 advanced permit 41 any any rule-id 268434456 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 8 advanced permit gre any any rule-id 268434456 (hitcnt=2) 0x52c7a066
access-list CSM_FW_ACL_ line 9 advanced permit udp any any eq 3544 rule-id 268434456 (hitcnt=0) 0xcf6309bc
(L3/L4 ACEs from the Access Control Policy)
access-list CSM_FW_ACL_ line 10 remark rule-id 268434445: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ line 11 remark rule-id 268434445: L4 RULE: Block ICMP
access-list CSM_FW_ACL_ line 12 advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start (hitcnt=0) 0x8bf72c63
access-list CSM_FW_ACL_ line 13 remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ line 14 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 15 advanced permit ip any any rule-id 268434434 (hitcnt=410) 0xa1d3780e
FTD Packet Processing: L3/L4 ACL
• Advanced L3/L4 ASA ACL is an Access Control Policy (ACP) that is configured on FMC.
• Pushed as a global ACL (CSM_FW_ACL_) to the ASA engine and as AC rules in the /var/sf/detection_engines/UUID/ngfw.rules file in the Snort engine
firepower# show run access-list
access-list CSM_FW_ACL_ advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start
firepower# show run access-group
access-group CSM_FW_ACL_ global
FTD Packet Processing: L3/L4 ACL - Allow
• An Allow Rule will be pushed to the ASA engine as a permit action and to the Snort engine as an allow action. The rule ID correlates the ASA rules with the Snort rules
firepower# show access-list
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ line 11 remark rule-id 268435457: L4 RULE: ACP_Rule2_Allow_ICMP_Type
access-list CSM_FW_ACL_ line 12 advanced permit icmp host 2.2.2.2 host 3.3.3.3 echo rule-id 268435457
root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435457 allow any 2.2.2.2 32 8 any 3.3.3.3 32 any any 1
FTD Packet Processing: L3/L4 ACL - Allow
• packet-tracer shows that ASA engine will send the packet to Snort engine for a Verdict
> packet-tracer input inside icmp 1.1.1.1 8 0 2.2.2.2
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5506-1 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
FTD Packet Processing: L3/L4 ACL - Allow
Phase: 14
Type: SNORT
...
Snort Verdict: (pass-packet) allow this packet
FTD Packet Processing: L3/L4 ACL - Trust
• Trust Rule will be pushed to ASA engine as trust action and to Snort engine as fastpath action
firepower# show access-list
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477
FTD Packet Processing: L3/L4 ACL - Trust
Packet-tracer shows that the ASA engine will not send any packets to the Snort engine
> packet-tracer input inside udp 4.4.4.4 1111 5.5.5.5 53
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268435477: ACCESS POLICY: FTD5506-1 - Mandatory/4
access-list CSM_FW_ACL_ remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
Additional Information:
No Additional Information means the packet is not going to be redirected to the Snort engine
FTD Packet Processing: L3/L4 ACL - Block
• A Block Rule will be pushed to the ASA engine as a permit or deny action depending on the rule conditions, and to the Snort engine as a deny rule. If both are applied, Application takes precedence over Dest Ports.
firepower# show access-list
access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464
root@FTD5506-1:/home/admin# cat /var/sf/detection_engines/27306154-256d-11e6-9fc9-180edde177c5/ngfw.rules
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6
A packet matching rule-id 268435460 (Application condition, permit on ASA) will be dropped by the Snort engine; a packet matching rule-id 268435464 (port condition, deny on ASA) will be dropped by the ASA engine.
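Since the rule-id is the key that ties each CSM_FW_ACL_ ACE to its ngfw.rules line, a small correlation tool makes the Allow/Trust/Block mapping of the last three slides, and the prefilter ordering shown earlier, visible in one pass. This is an added example, not Cisco's code: the show access-list and ngfw.rules samples are constructed from the rule-ids on the slides, and the trust rules have no constructed ngfw.rules line because the deck does not show that format, so they are classified from the ASA action alone.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show access-list" output, reusing the rule-ids and rule
# names shown on the slides (not a capture from a real device).
SHOW_ACCESS_LIST = """\
access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 268434457: RULE: Fastpath_Rule1
access-list CSM_FW_ACL_ line 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0)
access-list CSM_FW_ACL_ line 8 remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App
access-list CSM_FW_ACL_ line 9 advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456
access-list CSM_FW_ACL_ line 17 remark rule-id 268435477: L4 RULE: ACP_Rule4_Trust_DNS_Port
access-list CSM_FW_ACL_ line 18 advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477
access-list CSM_FW_ACL_ line 20 remark rule-id 268435460: L7 RULE: ACP_Rule5_Block_Telnet_App
access-list CSM_FW_ACL_ line 21 advanced permit ip host 5.5.5.5 host 6.6.6.6 rule-id 268435460
access-list CSM_FW_ACL_ line 23 remark rule-id 268435464: L4 RULE: ACP_Rule6_Block_Telnet_Port
access-list CSM_FW_ACL_ line 24 advanced deny tcp host 6.6.6.6 host 7.7.7.7 eq telnet rule-id 268435464
"""

# Constructed sample of the Snort-side ngfw.rules file. Only the allow/deny lines
# shown on the slides are included; trust rules are recognised from the ASA side.
NGFW_RULES = """\
268435456 allow any 1.1.1.1 32 any any 2.2.2.2 32 any any any (appid 3501:1)
268435460 deny any 5.5.5.5 32 any any 6.6.6.6 32 any any any (appid 861:1)
268435464 deny any 6.6.6.6 32 any any 7.7.7.7 32 23 any 6
"""

REMARK_RE = re.compile(r"^access-list \S+ line (\d+) remark rule-id (\d+): (.*)$")
ACE_RE = re.compile(r"^access-list \S+ line (\d+) advanced (trust|permit|deny) (.*?) rule-id (\d+)")
SNORT_RE = re.compile(r"^(\d+) (\S+) (.*)$")


@dataclass
class Rule:
    rule_id: int
    name: str = ""
    policy: str = "acp"        # "prefilter" or "acp", taken from the remark lines
    layer: str = ""            # "L7" or "L4" from the "Lx RULE:" remark
    line: int = 0              # ACE position inside CSM_FW_ACL_
    asa_action: str = ""       # trust / permit / deny on the ASA engine
    asa_match: str = ""
    snort_action: str = ""     # allow / deny in ngfw.rules, "" if no line found
    snort_match: str = ""


def parse_show_access_list(text):
    """Group the remark and ACE lines of CSM_FW_ACL_ by rule-id."""
    rules = {}
    for line in text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            r = rules.setdefault(int(m.group(2)), Rule(int(m.group(2))))
            remark = m.group(3)
            if remark.startswith("PREFILTER POLICY:"):
                r.policy = "prefilter"
            elif remark.startswith(("L7 RULE:", "L4 RULE:", "RULE:")):
                label, _, name = remark.partition(":")
                r.name = name.strip()
                r.layer = label.split()[0] if label.startswith("L") else ""
            continue
        m = ACE_RE.match(line)
        if m:
            r = rules.setdefault(int(m.group(4)), Rule(int(m.group(4))))
            r.line, r.asa_action, r.asa_match = int(m.group(1)), m.group(2), m.group(3)
    return rules


def merge_ngfw_rules(rules, text):
    """Attach the Snort action for each rule-id found in ngfw.rules."""
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            r = rules.setdefault(int(m.group(1)), Rule(int(m.group(1))))
            r.snort_action, r.snort_match = m.group(2), m.group(3)
    return rules


def where_decided(r):
    """Which engine takes the final decision for a packet matching this rule-id."""
    if r.asa_action == "trust":
        return "asa-fastpath"       # trusted in the datapath, never redirected to Snort
    if r.asa_action == "deny":
        return "asa-drop"           # L3/L4 block enforced by the ASA engine
    if r.asa_action == "permit":
        if r.snort_action == "deny":
            return "snort-drop"     # ASA permits, Snort blacklists (e.g. L7 application block)
        if r.snort_action == "allow":
            return "snort-verdict"  # sent to Snort, which returns the verdict
        return "snort-unknown"      # permitted on ASA but no matching ngfw.rules line
    return "unknown"


def correlate(acl_text, ngfw_text):
    rules = merge_ngfw_rules(parse_show_access_list(acl_text), ngfw_text)
    return {rid: where_decided(r) for rid, r in sorted(rules.items())}


def prefilter_above_acp(rules):
    """Check the ordering invariant: every prefilter ACE precedes every ACP ACE."""
    pre = [r.line for r in rules.values() if r.policy == "prefilter" and r.line]
    acp = [r.line for r in rules.values() if r.policy == "acp" and r.line]
    return bool(pre) and bool(acp) and max(pre) < min(acp)
```

On a real device the two inputs come from `show access-list` in the ASA console and the ngfw.rules file under /var/sf/detection_engines/ in expert mode; a "snort-unknown" result points at an ACE whose rule-id has no Snort counterpart and is worth checking after a deployment.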
FTD Packet Processing: L3/L4 ACL - Block
• For a Block Rule that uses Application, tracing a real packet shows that the packet is dropped by ASA due to the Snort engine verdict. Snort needs to process a few packets before it determines the Application type.
firepower# show capture CAPI packet-number 7 trace
7: 13:42:53.655971 192.168.75.14.36775 > 192.168.76.14.23: P 4147441466:4147441487(21) ack 884051486 win 16695
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
• The Data Acquisition Library (DAQ) is the interface between the ASA engine and the Snort engine
• DAQ communicates with the ASA Datapath processes through the Packet Data Transport System (PDTS)
1. A packet is placed into DMA memory
2. Datapath processes the packet
3. If the packet requires Snort inspection, a pointer to the packet is added to the PDTS TX queue of a specific Snort instance
4. Snort instances periodically read the TX rings and process the packets in the DMA memory
5. When a Snort instance finishes processing, it puts a PDTS Notification (Verdict or SSL-decrypted packet) into the PDTS RX queue
6. The Datapath process reads the Verdict or copies the decrypted packet to DMA memory
FTD Packet Processing: Packet Decoding
FTD Packet Processing: L2-L4 Preprocessors
• Security Intelligence (SI) can Blacklist (drop) or Whitelist (allow) IP addresses early in the packet processing lifetime within the Snort engine
• Whitelist overrides the Blacklist
• The Blacklist can be populated in 2 ways:
1. Manually by the FMC administrator
2. Automatically by Intelligence Feed (Talos or custom) or List
• Snort returns to ASA a verdict about a packet being blacklisted
FTD Packet Processing: SI (IP)
• The files containing the IPs from Talos SI Feed are in /ngfw/var/sf/iprep_download directory
root@FTD5506-1:/ngfw/var/sf/iprep_download# ls -alt | grep blf
-rw-r--r-- 1 root root 1252278 Jun 12 16:06 3e2af68e-5fc8-4b1c-b5bc-b4e7cab598ba.blf
-rw-r--r-- 1 root root 227696 Jun 12 16:05 032ba433-c295-11e4-a919-d4ae5275a468.blf
• If a packet is being dropped by Snort SI the ASA capture trace shows the Verdict
> show capture CAPI packet-number 1 trace
1: 16:07:45.147743 192.168.75.14 > 38.229.186.248: icmp: echo request
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Additional Information:
Snort Verdict: (black-list) black list this flow
FTD Packet Processing: SSL Decryption
• SSL Inspection Policy controls which traffic will be decrypted by FTD so that other policies (ACP, File, Snort) can inspect the traffic.
• Can be configured in the Firepower Management Center, under Policies > SSL.
• FTD provides 2 Decryption modes:
1. Decrypt - Known Key - SSL/TLS server owned by us
2. Decrypt - Resign - 3rd party SSL/TLS server. The FTD does man-in-the-middle and for that reason requires an Internal CA
• SSL Policy is attached to Access Control Policy (ACP)
• Client Hello features (enabled by default) allow FTD to modify the Client Hello message (TLS version, Ciphers); required for Safe Search and YouTube EDU
FTD Packet Processing: SI (DNS/URL)
• The DNS lists (Blacklist or Whitelist) can be populated manually or automatically (Talos or custom)
FTD Packet Processing: SI (DNS/URL)
• In case Talos URL Feed is used part of the db is stored locally and updated daily
• For non-cached URLs a Cloud lookup is done
FTD Packet Processing: Identity Policy
Identity Policy enables user-based authentication. The user info can be obtained in various ways:
1. Passive Authentication
• Integration with LDAP – requires User Agent
FTD Packet Processing: Network Discovery
FTD Packet Processing: File Policy (AMP)
Malware Cloud Lookup = Sends the SHA-256 hash of a file to the cloud for analysis and depending on the answer generates a log if the file is bad. Optionally, Local Analysis can analyze the file and Dynamic Analysis Capable files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis
Block Malware = Sends the SHA-256 hash of a file to the cloud for analysis and depending on the answer blocks it if the file is bad. Optionally, Local Analysis can block the file and/or Dynamic Analysis Capable files can be sent to the cloud for Dynamic Analysis and/or SPERO analysis.
FTD Packet Processing: File Policy (AMP)
• When a File Policy decides that a file should be blocked, a verdict is returned to ASA DATAPATH. In that case FW engine debug and Snort debug show that the L7 ACL allows the FTP control channel traffic, but the File Policy blocks the malicious file transfer:
> system support firewall-engine-debug
..
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 New session
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 using HW or preset rule order 2, 'Allow Rule1', action Allow and prefilter rule 0
192.168.75.14-36942 > 192.168.76.14-21 6 AS 1 I 0 allow action
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 Allowing expected session for service 166
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File policy verdict is Type, Malware, and Capture
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File type verdict Reject, fileAction Block, flags 0x00003500, and type action Reject for t0
192.168.76.14-20 > 192.168.75.14-36943 6 AS 1 I 0 File type event for file named fu.exe with disposition Type and action Block
• Tracing a real packet shows the Snort engine verdict when a Snort Rule is matched
firepower# show capture CAPO packet-number 2 trace
2: 12:16:09.232776 192.168.77.40 > 192.168.75.39: icmp: echo reply
Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow
..
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
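The show capture ... trace and packet-tracer listings in this section all have the same shape (numbered phases, then a final Result block), so the questions asked of them in the slides can be automated. This is an added example, not from the deck: a parser that reports whether the packet was handed to Snort, its verdict, the dropping phase and the final action, run over constructed traces modelled on the Snort-drop, Trust and Inline-Tap outputs shown above (the phase numbers and Result blocks are constructed).

```python
import re

# Constructed trace outputs modelled on the "show capture ... trace" and packet-tracer
# listings on the slides; phase numbers and Result blocks are made up for this example.
TRACE_SNORT_DROP = """\
2: 12:16:09.232776 192.168.77.40 > 192.168.75.39: icmp: echo reply
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
"""

TRACE_TRUST = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust udp host 4.4.4.4 host 5.5.5.5 eq domain rule-id 268435477
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow
"""

TRACE_TAP = """\
1: 20:06:10.571427 192.168.75.15.43708 > 192.168.75.40.23: S 315154105:315154105(0) win 4128 <mss 1460>
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: Access-list would have dropped,but packet forwarded due to inline-tap
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z -]*): ?(.*)$")


def parse_trace(text):
    """Split a trace into its numbered phases plus the final Result block."""
    phases, final, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "notes": []}
            phases.append(cur)
            continue
        if line == "Result:":      # a bare "Result:" opens the final summary block
            cur = final
            continue
        if cur is None:            # packet header line(s) before the first phase
            continue
        m = KV_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
        else:                      # config lines and free text under Additional Information
            cur.setdefault("notes", []).append(line)
    return phases, final


def summarize(text):
    """Was the packet handed to Snort, what did Snort say, which phase dropped it,
    and what was the final datapath action."""
    phases, final = parse_trace(text)
    snort = [p for p in phases if p.get("Type") == "SNORT"]
    dropped = next((p for p in phases if p.get("Result") == "DROP"), None)
    action = final.get("Action", "")
    return {
        "action": action,
        "drop_reason": final.get("Drop-reason", ""),
        "sent_to_snort": bool(snort),
        "snort_verdict": snort[0].get("Snort Verdict", "") if snort else "",
        "drop_phase": f"{dropped['phase']}/{dropped.get('Type', '')}" if dropped else "",
        "tap_forwarded": "inline-tap" in action,
    }
```

An empty "drop_phase" together with "sent_to_snort" False is the Trust signature from the slides (no Snort phase, no Additional Information), while a DROP phase with "tap_forwarded" True is the Inline Pair with Tap case where the verdict is recorded but the real packet is still forwarded.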
FTD Packet Processing: Snort Verdict & Flow Update
• At this point the Snort Engine returns to ASA DATAPATH, through the DAQ and PDTS framework, a Verdict (Pass, Blacklist (Block), Fast-Forward etc)
• Depending on the Verdict the ASA engine will update the Flow accordingly (terminate or proceed with further checks)
> show logging | include connection
Jun 13 2016 13:32:49: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.76.14/0 gaddr 192.168.75.14/0 laddr 192.168.75.14/0
Jun 13 2016 13:33:00: %ASA-6-302016: Teardown UDP connection 357875 for inside:192.168.75.14/60131 to dmz:192.168.76.14/53 duration 0:02:01 bytes 43
• ASA Application Layer Gateways (ALG) are the classic Modular Policy Framework (MPF) rules applied on the ASA engine
• Currently on FTD the MPF configuration is not tunable
• You can use classic ASA MPF commands to verify the existing MPF configuration
firepower# show run class-map
firepower# show run policy-map
firepower# show run service-policy
!
firepower# show service-policy flow tcp host 192.168.75.14 host 192.168.77.40 eq 80
FTD Packet Processing: NAT, VPN, L3, L2
• The remaining checks on ASA engine are the same as on classic ASA
• NAT IP header
• VPN Encrypt
• L3 Route
• L2 Resolution of next hop
Quiz
Based on the following output what could be 2 possible reasons for the packet drop?
firepower# show capture CAPO packet-number 2 trace
2: 12:16:09.232776 192.168.77.40 > 192.168.75.39: icmp: echo request
Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Verdict: (black-list) black list this flow
..
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (snort-drop) Snort requested to drop the frame
Answer
Some possible drop reasons: Intrusion Policy, Security Intelligence (IP), L7 ACP
FTD Troubleshooting Tools – Logging
• Logging provides valuable information for troubleshooting
• Two levels of logs
1. ASA engine
• Sourced from a data interface or the diagnostic subinterface
• Same as on classic ASA
2. Snort engine
• Sourced from br1 subinterface
• Same as on classic Firepower
FTD Troubleshooting Tools – SNMP
• SNMP can provide information for troubleshooting
• ASA engine can be configured for SNMP polling or traps (Devices > Platform Settings)
> show run snmp-server
snmp-server host outside 192.168.1.100 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
• In post-6.1 code packet-tracer can also be executed from the CLISH CLI and from the FMC ASA CLI
> packet-tracer input inside tcp 192.168.75.14 1111 192.168.76.14 80
• Currently, Packet Tracer shows only the ASA Datapath processing. Packet Tracer for the Snort engine is in the roadmap
FTD Troubleshooting Tools – Capture
• FTD provides 2 types of captures
1. ASA-level capture – ‘capture’ command from CLISH
2. Snort-level capture – ‘capture-traffic’ command from CLISH
• Where are these captures taking place?
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet
FTD Troubleshooting Tools - FW Engine Debug
• FW Engine Debug comes from classic Firepower appliances
• It is executed in CLISH CLI and it runs against the following Snort engine
components:
FTD Troubleshooting Tools – pigtail
• Files parsed by pigtail on FTD
Keyword   Associated file                     Purpose
ACTQ      /var/log/action_queue.log           Logs related to Perl scripts that were run (e.g. policy_apply.pl)
DEPL      /var/log/sf/policy_deployment.log   Logs related to Policy Deployment
FTD Troubleshooting Tools – pigtail
• To parse all files and save the output to a file
> pigtail all
******************************************************************************************************************************************************
** Displaying logs: HTTP ACTQ DCSM VMSS MOJO NGUI NGFW TCAT VMSB DEPL USMS MSGS
******************************************************************************************************************************************************
Collated log written to pigtail-all-1465555118.log
>
As soon as you press CTRL+C a file is written in the /home/admin directory
FTD Troubleshooting Tools – File Download
• In case a process (e.g. ASA engine or Snort engine) crashes, a coredump file is
created in the FTD /ngfw/var/common directory (visible from ‘expert’ mode)
admin@FTD5506-1:~$ ls -alt /ngfw/var/common/ | grep core
-rw------- 1 root root 700583936 Jun 8 19:01 core_1465412492_FTD5506-1_snort_6.11131
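An added helper (not part of the Cisco deck) for triaging a directory listing like the one above. The core file name on the slide, core_1465412492_FTD5506-1_snort_6.11131, reads as core_<epoch seconds>_<hostname>_<process>_<suffix>; that layout is an assumption inferred from this single name, and the epoch it contains (1465412492) does decode to Jun 8 19:01 UTC, matching the `ls` timestamp. LISTING is constructed from the slide's line plus a second, made-up entry.

```python
"""Decode FTD core dump names from an 'ls -alt /ngfw/var/common' listing.

Added example, not part of the Cisco deck. Assumes the file name layout
core_<epoch>_<hostname>_<process>_<suffix>, inferred from the one name shown
on the slide, and turns each listing line into a record with the crash time
in UTC and the crashing process so repeated crashes of one engine stand out.
LISTING is constructed: the slide's line plus one made-up entry.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

LISTING = """\
-rw------- 1 root root 700583936 Jun 8 19:01 core_1465412492_FTD5506-1_snort_6.11131
-rw------- 1 root root  12345678 Jun 7 02:15 core_1465265700_FTD5506-1_snort_6.9876
"""

# Assumed layout: core_<epoch>_<host>_<process>_<suffix>; the host part may
# itself contain '-' (FTD5506-1), so it is matched lazily up to the next '_'.
CORE_RE = re.compile(
    r"^core_(?P<epoch>\d+)_(?P<host>.+?)_(?P<process>[A-Za-z]+)_(?P<suffix>[\d.]+)$"
)


@dataclass
class CoreDump:
    name: str
    size: int
    host: str
    process: str
    crashed_at: datetime


def parse_core_listing(listing: str) -> List[CoreDump]:
    """Parse 'ls -l' style lines; non-core entries are skipped."""
    dumps: List[CoreDump] = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        name = fields[-1]
        m = CORE_RE.match(name)
        if not m:
            continue
        crashed_at = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
        dumps.append(CoreDump(name, int(fields[4]), m["host"], m["process"], crashed_at))
    return dumps


def crashes_by_process(dumps: List[CoreDump]) -> Dict[str, int]:
    """Count core files per crashing process (e.g. how many Snort crashes)."""
    return dict(Counter(d.process for d in dumps))


if __name__ == "__main__":
    for d in parse_core_listing(LISTING):
        print(f"{d.crashed_at:%Y-%m-%d %H:%M:%S}Z {d.host} {d.process} {d.size} bytes")
    print(crashes_by_process(parse_core_listing(LISTING)))
```

Feed it the output of `ls -alt /ngfw/var/common/ | grep core` collected from expert mode; a cluster of Snort cores in a short window is worth correlating with the failover history, since the HA section notes that Snort failures trigger failover.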
FTD Troubleshooting Tools – ASA CLI
• You can execute ASA CLI commands from FMC GUI
• Currently (6.1) only 4 commands are supported
1. Ping
2. Packet-tracer
3. Any ‘show’ command
4. Traceroute
FTD Troubleshooting Tools – TS File (GUI)
• Before contacting TAC, generate an FTD Troubleshooting File. This includes the
ASA engine ‘show tech-support’ output along with many other outputs
• To collect the Troubleshooting File:
1. Navigate to System > Health > Monitor
2. Click on the FTD device and then on Generate Troubleshooting Files
3. Select All Data and click on Generate
FTD Troubleshooting Tools – TS File (CLI)
• In case you cannot generate an FTD Troubleshooting File from FMC, you can
generate it from the FTD CLI
> system generate-troubleshoot ALL
Starting /usr/local/sf/bin/sf_troubleshoot.pl...
Please, be patient. This may take several minutes.
The troubleshoot option code specified is ALL.
FTD High Availability and Scalability overview
• FTD supports A/S failover (AKA High Availability) and Clustering (AKA High
Scalability)
• High Availability is equivalent to classic ASA failover and it is supported on:
• ASA5500-X
• FP4100 and FP9300 (inter-chassis – blades on different physical chassis)
• vFTD on ESXi, but not in an AWS environment
• With HA both units require a Smart License (discount compared to Standalone)
• Clustering is supported on:
• FP9300 (intra-chassis), i.e. a cluster of up to 3 blades in the same chassis
FTD High Availability (failover) verification
> show failover
Failover On
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet1/3 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 60 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.6(1)72, Mate 9.6(1)72
HTTP Replication enabled by default
Serial Number: Ours JAD192100SZ, Mate JAD192304SU
Last Failover at: 21:57:44 UTC Jun 14 2016
This host: Primary - Standby Ready
Active time: 3009 (sec)
slot 1: ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)
Interface outside (192.168.1.2): Normal (Monitored)
Interface inside (192.168.2.2): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Snort and disk monitoring
Other host: Secondary - Active
Active time: 7974 (sec)
slot 1: ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)
Interface outside (192.168.1.1): Normal (Monitored)
Interface inside (192.168.2.1): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Stateful Failover Logical Update Statistics
FTD High Availability (failover) – Snort failure
If 50% or more of the Snort instances are down, failover is triggered
> show failover | include snort
slot 1: snort rev (1.0) status (down)
slot 1: snort rev (1.0) status (up)
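An added example (not from the Cisco deck) that turns the `show failover` output from the verification slide and the Snort status lines above into a health check: it parses each unit's state, monitored interfaces and Snort/disk slots, and reports anything that leaves the pair without a usable standby. HEALTHY is an abridged, constructed copy of the slide's output; DEGRADED is the same text with the Primary unit's Snort slot flipped to `down`.

```python
"""Evaluate FTD HA health from 'show failover' output.

Added example, not part of the Cisco deck. It parses the output shown on the
'FTD High Availability (failover) verification' slide into per-unit state and
reports conditions that leave the pair without a usable standby, including a
Snort slot reported down (the 'Snort failure' slide notes that failover is
triggered once 50% or more of the Snort instances are down). HEALTHY is a
constructed, abridged copy of the slide's output; DEGRADED flips the Primary
unit's Snort slot to 'down'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: FOVER GigabitEthernet1/3 (up)
Monitored Interfaces 4 of 60 maximum
Version: Ours 9.6(1)72, Mate 9.6(1)72
Serial Number: Ours JAD192100SZ, Mate JAD192304SU
Last Failover at: 21:57:44 UTC Jun 14 2016
        This host: Primary - Standby Ready
                Active time: 3009 (sec)
                slot 1: ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)
                  Interface outside (192.168.1.2): Normal (Monitored)
                  Interface inside (192.168.2.2): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0) status (up)
                slot 2: diskstatus rev (1.0) status (up)
        Other host: Secondary - Active
                Active time: 7974 (sec)
                slot 1: ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)
                  Interface outside (192.168.1.1): Normal (Monitored)
                  Interface inside (192.168.2.1): Normal (Monitored)
                  Interface diagnostic (0.0.0.0): Normal (Waiting)
                slot 1: snort rev (1.0) status (up)
                slot 2: diskstatus rev (1.0) status (up)
Stateful Failover Logical Update Statistics
"""
# First 'snort ... (up)' occurrence belongs to 'This host' (Primary).
DEGRADED = HEALTHY.replace("snort rev (1.0) status (up)", "snort rev (1.0) status (down)", 1)

HOST_RE = re.compile(r"^(This|Other) host: (Primary|Secondary) - (.+)$")
IFACE_RE = re.compile(r"^Interface (\S+) \((\S+)\): ([\w-]+) \(([^)]+)\)$")
# Matches both 'ASA5508 hw/sw rev (1.0/9.6(1)72) status (Up Sys)' and 'snort rev (1.0) status (up)'.
SLOT_RE = re.compile(r"^slot \d+: (\S+) (?:hw/sw )?rev \(.*\) status \(([^)]+)\)$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")


@dataclass
class Unit:
    role: str   # Primary / Secondary
    state: str  # e.g. "Active", "Standby Ready", "Failed"
    interfaces: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)  # name -> (ip, state, monitoring)
    components: Dict[str, str] = field(default_factory=dict)  # e.g. "snort" -> "up"


@dataclass
class FailoverStatus:
    enabled: bool = False
    ours_version: Optional[str] = None
    mate_version: Optional[str] = None
    units: List[Unit] = field(default_factory=list)


def parse_show_failover(text: str) -> FailoverStatus:
    status = FailoverStatus()
    current: Optional[Unit] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Failover On":
            status.enabled = True
        elif (m := VERSION_RE.match(line)):
            status.ours_version, status.mate_version = m.groups()
        elif (m := HOST_RE.match(line)):
            current = Unit(role=m.group(2), state=m.group(3).strip())
            status.units.append(current)
        elif current and (m := IFACE_RE.match(line)):
            name, ip, state, monitoring = m.groups()
            current.interfaces[name] = (ip, state, monitoring)
        elif current and (m := SLOT_RE.match(line)):
            component, state = m.groups()
            current.components[component] = state
    return status


def evaluate_ha(status: FailoverStatus) -> List[str]:
    """Return findings; an empty list means the pair can absorb a failure."""
    findings: List[str] = []
    if not status.enabled:
        findings.append("failover is not On")
    if status.ours_version != status.mate_version:
        findings.append(f"version mismatch: ours {status.ours_version}, mate {status.mate_version}")
    states = {u.state for u in status.units}
    if "Active" not in states:
        findings.append("no unit is Active")
    if "Standby Ready" not in states:
        findings.append("no unit is Standby Ready: the pair cannot absorb a failure")
    for unit in status.units:
        for name, (ip, state, monitoring) in unit.interfaces.items():
            if monitoring == "Monitored" and state != "Normal":
                findings.append(f"{unit.role}: monitored interface {name} ({ip}) is {state}")
        for component, state in unit.components.items():
            if not state.lower().startswith("up"):
                note = " (Snort health failure triggers failover)" if component == "snort" else ""
                findings.append(f"{unit.role}: {component} status is {state}{note}")
    return findings


if __name__ == "__main__":
    for label, sample in (("HEALTHY", HEALTHY), ("DEGRADED", DEGRADED)):
        print(label, evaluate_ha(parse_show_failover(sample)) or "OK")
```

The same parser works on the full, unabridged output; lines it does not recognise (poll timers, statistics) are simply ignored, so it can be scheduled against the output of `show failover` collected through the FMC ASA CLI.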
Summary
• FTD Unified Image was developed to get the best from both worlds:
• ASA
• Firepower
• Supported on many different HW and virtual platforms
• Full Firepower feature set already available. ASA features are introduced in
phases
• Single off-box manager: Firepower Management Center (FMC)
• New Java-free on-box manager: Firepower Device Manager (FDM)
Appendix
• FTD Reimage
• FTD Licensing Subscriptions and Roadmap
• FTD Performance
• FTD CLI – Basic Commands
FTD reimage on ASA5506/8/16-X
The following steps assume that there is already an FTD image installed
Step 1 – Reboot the FTD and enter boot CLI mode
> reboot
This command will reboot the system. Continue?
Please enter 'YES' or 'NO': YES
In pre-6.1 code the command is system reboot
..
==============================================
Use ESC to interrupt boot and launch boot CLI.
Use SPACE to launch Cisco FTD immediately.
firepower-boot>
FTD reimage on ASA5506/8/16-X
Step 2 – Run the setup utility
firepower-boot> setup
Enter a hostname [firepower]: firepower
Do you want to configure IPv4 address on management interface?(y/n) [Y]: Y
Do you want to enable DHCP for IPv4 address assignment on management interface?(y/n) [N]: N
Enter an IPv4 address [192.168.1.1]: 10.62.148.29
Enter the netmask [255.255.254.0]: 255.255.255.128
Enter the gateway: 10.62.148.1
Do you want to configure static IPv6 address on management interface?(y/n) [N]: N
Enter the primary DNS server IP address: 192.168.0.1
Do you want to configure Secondary DNS Server? (y/n) [n]: n
Do you want to configure Local Domain Name? (y/n) [n]: n
Do you want to configure Search domains? (y/n) [n]: n
Do you want to enable the NTP service? [Y]: n
Apply the changes?(y,n) [Y]: Y
Configuration saved successfully!
Verify connectivity with the FTP or HTTP server
..
firepower-boot> ping 10.48.40.70
64 bytes from 10.48.40.70: icmp_seq=1 ttl=61 time=31.5 ms
FTD reimage on ASA5506/8/16-X
Step 3 – Download and install the system image
firepower-boot> system install ftp://10.48.40.70/ANG/mzafeiro/ftd-6.1.0-226.pkg
# The content of disk0: will be erased during installation! #
#############################################################
Do you want to continue? [y/N] y
Erasing disk0 ...
Verifying
Downloading
Extracting
Package Detail
Description: Cisco ASA-FTD 6.1.0-226 System Install
Requires reboot: Yes
Do you want to continue with upgrade? [y]: y
Reboot is required to complete the upgrade. Press 'Enter' to reboot the system.
.......................................................................
firepower login: admin
Password: Press Enter
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
END USER LICENSE AGREEMENT
Please enter 'YES' or press <ENTER> to AGREE to the EULA:
FTD reimage on ASA5506/8/16-X
Step 4 – Configure FTD network settings and device modes
You must change the password for 'admin' to continue.
Enter new password:
Confirm new password:
Specify the new admin password
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.62.148.29
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.128
Enter the IPv4 default gateway for the management interface [192.168.45.1]: 10.62.148.1
Enter a fully qualified hostname for this system [firepower]: FTD5508-1
Enter a comma-separated list of DNS servers or 'none' []: 192.168.0.1
Enter a comma-separated list of search domains or 'none' []:
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Manage the device locally? (yes/no) [yes]: no
FMC vs On-box
Configure firewall mode? (routed/transparent) [routed]:
Routed vs Transparent
..
>
FTD Smart Licensing Subscriptions
• In addition to Base License that is already included the following time-based
license subscriptions are available
Subscription | Feature Set included
T | Threat
TM | Threat + Malware
Software Support by Platform
Platform | FTD | FirePOWER NGIPS | ASA | FirePOWER on ASA
Series 2 (obsolete) | ✘ | ✘ | ✘ | ✘
VMware | ✔ | ✔ | ✔ | ✘
AWS | ✔ | ✘ | ✔ | ✘
ISR 4K | ✔ | ✘ | ✘ | ✘
New Capabilities in Firepower Threat Defense 6.1
Threat and NGFW
• VDI Identity (Citrix and Microsoft)*
• Safe Search enforcement
• ISE Remediation
• True-IP Policy (XFF)
• Inline SGT Tags
• Captive Portal Enhancements (Guest Button, User Logoff)
• Kerberos
• Fail to Wire Netmod Support
• AMP Private Cloud with ThreatGrid
Enterprise Management
• Web-based On-box Manager (Firepower Threat Defense)
• Risk Reports
• Localization to Japanese, Korean, Chinese
• Third-Party Config via REST API* (FirePOWER Appliances/Services Only)
• Management Center HA
• Management of More Appliances
• Broader Virtualization (KVM)
• Unified CLI
Core Firewall
• Rate Limiting
• Tunnelled Traffic Policies
• Site-to-Site VPN
• Multicast Routing
• Shared NAT
• Limited Config Migration (ASA to Firepower TD)
Legend: ONLY IN FIREPOWER THREAT DEFENSE / COMMON ACROSS FIREPOWER PLATFORMS*
*Unless specified
Firepower Threat Defense Features and Priorities
Q4 CY15/Q1 CY16 – Firepower 6.0/6.0.1
• Firewall: SSL Decryption; Captive Portal / Active Auth; ISE Identity/Device/SGT; Active-Passive HA*
• Threat: OpenAppID; DNS, URL Inspection; ThreatGrid
• Management: Multi-tenancy Domains, RBAC and Network Maps; Policy Inheritance
Q2 CY16 – Firepower 6.1
• Firewall: Site-to-Site VPN; Rate Limiting; SafeSearch/YouTube EDU; X-Forwarded-For Policy; VDI Identity (Citrix/Microsoft)
• Threat: Remediation to ISE; Inline SGT Tags
• Management: On-box Web UI (Basic policy); REST API*; Management HA
High Priorities for Future Releases
• Firewall: Remote Access VPN (AnyConnect SSL); Inter-chassis Clustering; Multi-context; SSL Acceleration
• Threat: Correlation of sophisticated IoCs across Cisco products
• Management: Management for ASA policies from Management Center; Permanent License Reservation; Event Scale; Management of More Devices
FTD Performance on ASA HW
Model | 5506-X | 5508-X | 5512-X | 5515-X | 5516-X | 5525-X | 5545-X | 5555-X
Max AVC Throughput | 250 Mbps | 450 Mbps | 300 Mbps | 500 Mbps | 850 Mbps | 1100 Mbps | 1500 Mbps | 1750 Mbps
Max AVC and IPS Throughput | 125 Mbps | 250 Mbps | 150 Mbps | 250 Mbps | 450 Mbps | 650 Mbps | 1000 Mbps | 1250 Mbps
AVC or IPS Sizing Throughput | 90 Mbps | 180 Mbps | 100 Mbps | 150 Mbps | 300 Mbps | 375 Mbps | 575 Mbps | 725 Mbps
Max Connections | 50,000 | 100,000 | 100,000 | 250,000 | 250,000 | 500,000 | 750,000 | 1,000,000
Max CPS | 5,000 | 10,000 | 10,000 | 15,000 | 20,000 | 20,000 | 30,000 | 50,000
FTD CLI
To change the FTD 'admin' password
> configure password
Enter current password:
Enter new password:
Confirm new password:
>
FTD CLI
The following command will show the Access Control Policy (ACP) configuration
including SI (IP, URL, DNS) and Advanced Settings
> show access-control-config
FTD CLI
Shutting down the box (ASA5512/15/25/45/55-X)
> shutdown
This command will shutdown the system. Continue?
Please enter 'YES' or 'NO': YES
In pre-6.1 code the command is system shutdown
On ASA5506/08/16 the system will stop at a prompt where you can unplug the
cable or you are given the option to reboot
> shutdown
This command will shutdown the system. Continue?
Please enter 'YES' or 'NO': YES