Pass Your Cisco SNCF 300-710 Exam Easy!

Cisco 300-710 Securing Networks with Cisco Firepower (300-710 SNCF) exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Cisco 300-710 Securing Networks with Cisco Firepower (300-710 SNCF) exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Cisco SNCF 300-710 certification exam dumps & Cisco SNCF 300-710 practice test questions in vce format.

Cisco NGFW Firepower Threat Defense (FTD)

6. Lecture-06:Configure and Verify Cisco FTD Using FDM Lab.

Topology, which we created in the previous video. This is our topology. I have internal PC with 192 160 at one one. And we decide to assign the FTD internal interface IP100 externally with the help of DHCP. And this is our internet ISP, which is management. There will be a management interface; you know, management and management. We will assign 100 or 200 IPs. So this is a small topology, and this is a SOHO solution. a remote branch where we don't have FMC. Later in the course, we will add FMC and configure it. But right now we want to configure them as standalones locally. Okay, so this is our topology. Here I connect the management and external networks to the same network. You can do it this way as well. It means management and externalisation use the same subnet. It's okay, no issue for a purpose, you can do it. But in the real world, management is outside the band. We have a separate subnet for that one. So that's why I configured a separate subnet. So what we'll do is I'll turn on this FTD console. So click on this one. When you install them, check out how to install them. Unfortunately, it's not working. I restarted the device. So this is the first configuration of FTD. So when it's time to boot up for the first time, keep in mind that it will take 15 to 20 minutes to boot up. It's booting up now for the first time, and it'll ask you for a username and password. Okay, I'm using this topology, NFTD. So the default username is Edmund, and the password is a capital three. I mentioned it here as well: Edmund's username and password. So in this login, it will ask you to press Enter to display whatever the licence agreement is and everything else. Anyway, Enter. Then, space bar, space bar, page by page. If you enter So, it will run line by line. So space bar, space bar, until it reaches the end. Okay, now it will ask you to accept the licence agreement. So type yes in uppercase and hit enter. This is the first time configuring Then FTD will tell you to change your password. The default password was Edmund one, two, and three. So, at the rate of 12345, it has to be a complicated password. So I assigned a new password in uppercase BC: 81234, five. So I changed the password from Edmund1, 2, and 3 to this one. Now it's asking me, "Do you want to configure the IP for this?" What we want is the management IP. They are asking, So why has already been selected?" We will say "enter." Then they ask you: Do you want to configure IPV? Six nos are already there, so we will say no. They then say to configure IPv4 via DHCP or manually. They've already chosen manual. So enter just the IP. By default, IPA is 45 45.But we decide that our management is 100 200.So here I will type 192, 100, and 6800, 200, which are my WiFi subnets, and your cachet can be different. And Enter. Then the subnet mask is yes; it's correct; enter. Then it asks me for the gateway. So 192, 100, and 6800 are my gateways; one and enter. Now they want the name by default to be Firepower. So I say FTD. That's the name I want to give them. And Enter. And they say the DNS server is okay. I don't want DNS. It's asking for DNS, so it's okay. And it says "search domain name." You can type "Google" either. You can type "enter." I don't want to type a domain name. Okay, so now they will apply these changes to the device, and they will ask me a few questions more. They will say that you want to configure this device locally. And then they may ask some more questions as well. So until it's applied, which takes 1 minute. So let me show you here. So what I did was type in "admin" and the password "adminone," "two," and "three" after 20 minutes, then type "yes." Then why do you want to configure IPS? Four, then no, then manual, then type IP, then gateway, then name. And then here, I type the domain name. But here I say no. That's the IP. And then change the name. This is the next question they need to ask me. They say, "Do you want to configure this device locally?" As I told you, I don't have FMC. Later, we will say no. But right now, I will say yes. So I hope they say yes. They say to manage the device locally. Yes, it's already selected. So I'll say yes because I want to configure it, and they'll tell me to use Firepower mode to route it. But when you want to install them in FMC, if you say "no," it means you want to configure this device through FMC. So what they will do is ask you another question. You want to deploy this device in routed mode, either transparently or not, but here it's not. There is only one mode available when you want to configure this device locally. So keep in mind that this is the only disadvantage of using local storage. Okay, so they asked me this one. Now it will apply all the settings. Then we can use the Show Network command to check the detail or management IP, whatever, and then we can ping our gateway under that one. We can ping any other place to see if everything is working or not. and then we will type the same IP. In this case, our IP is 100 200, and there will be a certificate error. It's okay, just accept. And then we can log in through Firepower Device Manager, which we just discussed. What is FDM? So FDM is nothing but a way to physically access this device locally. So yes, it's done. Also, press CTRL L to clear the screen and Show Network to check your network configuration. Okay, network and enter now. After a while, it will show me the configuration that I just applied. Okay, but I need to apply one more thing, and if you're using an older version, you're done up to this point. Now issuing the IP addresses and everything justcome to the browser and type Https. Keep in mind https 192 100 and 6800 200 and enter. Okay, it's come up; it hasn't asked me, and I believe so, but this one says service is unavailable, unfortunately. What says "quadrant"? If you are using an old version, it's okay. Up to this point, you are done. But in 6.71, the latest version, Cisco changed it. No, you need to enable services as well. But an old version is okay. So I need to type two extra commands, and those commands are configure manager, local, that I want to configure this device locally, which I already told them. But anyway, this is what they change. The new one requires you to type this command and then configure command https here https excess liston which device you want to allow this one to operate. So right now, zero zero means anyone. I am not concerned about this one. and enter after these two commands. Now this device will be available graphically. These are the two extra commands and the latest version. However, if you want to do your lab and old version, I'll show you those images. If you have fewer frames and you have 16 GB of RAM, then you need to do that one now that it's done. And if I refresh this time, it will work. Okay, the way it has to come up now,maybe it takes a bit time to apply. Okay, let me copy and open a new browser sometime. So let me go to private mode. OK, so it's still showing me that maybe it takes some time. The new device requires more RAM, and I'm running on eight GB; I forgot to increase it. However, if you have an old image, it can easily run on eight GB. Okay, let me try another browser. I applied the command "local" and here." Let me see here. So please advance and accept this one. Yeah, it's come up now. Okay, so let me close this one. Firepower device manager appears. So what was the username, "admin," and what was the password? At the rate of 12345, A, B, and C You remember that we changed the password. So it's not Edmund. One, two, three, and click on login. This is known as the Firepower Device Manager. We did not install anything extra, by the way. Just type this IP in the browser and log in now. So when you log in, you will see zero interfaces configured outside and zero slash one connected inside. Okay, and we are at the first device setup configuration and then the blue one, which is selected. Okay, so yeah, it's logging. Okay, so as you can see, I will show you all these things later on. Right now, DNS is reachable, NTP is not reachable, and a gateway is not reachable. Smart licencing is not activated. And we're just getting started with configuring the Internet connection. Then we need to go to configure time settings, and then we need to enable smart licencing. This one. So Smart's licence is not activated yet. And sitting is not one of them. That is why MTP is not reachable and we are here. Zero slash one is interface, or inside. And that's what we have here. Zero is inside, and outside is this one, which is through DHCP, but it's still not reachable. And we are connected through management. 100, 200. This one console we never and theCisco FDM, we are using KVM. I will show you all this, but what you need to do next is to use the outside interface. So we've already decided they will use DHCP. IP 6 is disabled; we don't need anything, so just click Next. So this is the way to configure a single device the first time. If you want to assign a public IP address to someone else. Yes, you can use from here manual. But in my case, we decided to use DHCP. So what if it takes two minutes to apply this setting, and then this blue, this one shifts to timesheeting two, and then it goes to smart licensing? We will activate 90 days. Okay, so still, it will take two minutes. So let me show you from here. Okay, so we already discussed what FDM is FDM.So we checked the configuration. By the way, if you want control, you can ping something from here. To ping, typeping system and then typing a data into breachable. Yes, and then type ping on your gateway system. 192, 100, and 6800. That one was our gateway. So yes, a gateway is also reachable; control C to stop this one and then ping the system. Let's check DNS as well. So, pingsystem@yahoo.com, is something translating or not? Maybe I have something wrong. Pingst. I'm sorry. Ping XYs ping system@yahoo.com So yes, Yahoo is translatable; it's okay. It means everything is okay. And you can check routes as well; you can type commands. We already did this one in the CISCO essay command. Right now we don't have anything, but just to show you it's here, Okay, 1141 So the route is already there, and let's go back. That it's. Okay, or not still, because it's taking two minutes. Okay, it says deploying changes, which can take a few minutes. The first will take some time, but the times sitting and smart licence will not. But the first interface is the one for which they are asking, "Connect firewall to internet," and they say, "Where is the outside interface connected to?" So which IP do you want to use? So I said "DHCP." Then I pressed CTRL l to clear the screen. So everything is okay, and we are just waiting for this one to reply, then the second thing will come up. This blue will go to configure time settings. Okay, so I hope so. Yeah, it's done. So now go to Step Two. Now you can see the configuration time setting. So this is the time sitting and TP that we discuss in many courses, and you already know that if you want to change the time zone, you can do so from here. This is the NTP time server they will use five times. If you want to change them, you can do so, and you can put your manual in as well. But anyway, let's use this one. We don't care about time setting, but if you want, you can in the real world. You need to make a change, and you can type your NTP server IP. And now it's jumping green, this has turned green, and everything is fine. And now, with a smart license, time is saved. So it's a good thing they offer a 90-day evaluation period. So click the first one and say "Finish." So now this smart licence will be yellow, and it's done. DNS is reachable, internet is okay, NTP is okay,our gateway is reachable now and zero slash zero. Now they say the device is up and ready to be configured as a standalone device, either through the cloud or manually. But anyway, I say stand-alone device, and they want to configure interfaces. Just say, "Got it. I will do it myself." So that's it. And now, as you see, everything has changed now.Okay, so let's go up to which point we've done. So we check the gateway, we log in through FDM, and this is the thing that you need to check. And we did not put DNS—DNS was the default—and we did not change anything related to NTP. If you want to, you can, and we enable a 90-day evaluation. Okay, and finish. And here they are asking for the new version. They will ask you cloud base as well. However, I believe that we do not require Cloud locally. And now I need to configure interfaces on the inside because this interface is through DHCP, you see. I will show you all these theme limits. I will do a bit later from here to here, everything. But anyway, right now I need to enable three interfaces, ones, two, and three. One is management, and the other is local and outside. So click on "view all interfaces" and let's see that my inside interface is not configured with Ron IP, by the way. So outside, they took over DHCP automatically, which we know they will do in one of four ranges. So what they tend one one 4110. They took this IP, it's okay. But the inside interface, this zero one, is what we decide; we say we will assign static IP 100, and what is assigned here is 45 one, which is the wrong one by default. So go to this pencil icon and click edit okay, and now there is another thing you need to do; it says DHCP server is enabled on this interface, which starts from 46 and Edwin to 45. I don't need it in my case. I want to assign static IP here. I don't need DHCP. Just click on this delete button and tell them that inside the interface, I don't need AC If you need to leave it, either change them and change to your environment, and then change the IP. In our case, we decided 100 done, and they said just change the IP, we don't need IPV6, and okay, so my inside interface changed them to properly, and now all we need to do is configure. I delete this one and change the IP to my okay policy and net policy will be by default there you don't need to do that's the good thing, so now change the IP and this one is not showing it has to show the DHCP IP and now I change the IP and from here you can go to device FTD FTD we give them the names, so now I am back to my main interface and by the way my IP address has to show me Yeah, one is 4110 and the inside is 1100 Okay, so my inside interface is now okay, but for a device to work, we need a policy to allow traffic. Let's go to policy and check whether my traffic is allowed or not. So you see there is a default one; you don't need to do anything inside to outside if there is any default one that is blocked. Go click on net. What left? We need at least three things to make the firewall work: a net policy, an access policy, and a route, so let's go back to the device and check. The last thing we need to know is that a default route must be present for everything to work, which means I must push everything to port 1114. So, let's go to routing; there is no static route yet, which is the last thing to configure before our topology starts working, and yes, there is no route; you can click on this plus icon either in this one and give them any name you want, suppose. I say ISP description because we are using IP 4 and network because by default out this year to give this one to ISP so gateway There is nothing configured, so we can create an object here and type "give them an ISP IP suppose" and enter the IP address here. whatever you have 192 one give it to this guy noneed of this one. Okay so object is there now select the objectso what does it mean by this one? I say if anyone with IP four give the route to IP. IP. Okay, sorry, outside interface, Ineed to choose the interface. So my outside interface is zero, slate zero, and I choose zero for this key interface. So you see now that it looks good. Now it says "zero zero with zero zero." Next up is 1141. They said this is the last thing I need, and here is the deployment. Click on this one and say "Deploy." Now it will show you the changes as well. They claim you configure one object, er, the IP addresses. Then you create this one object with the name "Ice Pip." You enter these details into the default route, and I say deploy them if there is a yellow icon on the ball. So it means there are some pending. So they're sending these details from this browser to FTD, and with this push, we can check them here and show netrule while we're already there. So let's see if the net rule is there. Yes. And then a show route is there. These commands use and saysquarewalia show IP brief interface. So, let's take a look at the show interface IP brief. You see this command we use in squares; most of the commands are similar. So show the interface in brief. We have two interfaces. One is through DHCP, which is written herewith, and this is by default. Okay, the data did not apply yet. They are showing 45, but we changed them too. It means the configuration is not pushing yet. Yeah, it's in progress, and you can see them here. So it's still in progress. And when it's done, we can check it from the internal system. So net policy was there; we just configured a default route. Then there was a yellow type, this icon, which means there are some pending changes, and we apply that one, and after 20 to 1 minute it will deploy everything. And then we can test the Internet from our internal PC, which is our Docker. We already assign IP there, and I hope it will work if everything is okay. And then we will verify by using the show route command to check show net detail to check which policy is hitting, and we can check show connection detail again as well, which is in the firewall we use as well. And that will be our first lab to configure FTD locally. Okay, let's go back and see if it's finished or still in the works. It may take a few minutes to complete. Okay, so it will take another 1 minute to apply these changes. Until that time, let me go to PCOne, which we already configure, and let me see IP addresses. Everything is okay. Okay, I can make them bigger. All right. And, if enabled, CTRL L to clear the screen. So my IP is 192-1681 one andtype route to check 100 route. Yes. And you can use DNS. There is a command to checketcandreserve.com, so my DNS is eight eight, so I hope everything is fine from this PC; however, you may use any other PC. By the way, I'm using a Docker, so let's go back and see. There are no pending changes, so supply and let's check the interfaces again because the interface was 45, now it's 100 hours, one of which we decide and one of which is outside, and the route I showed you already means I need to ping 192, 168, and 100 firewalls inside IP. Yes, I can ping, and if I say "ping eight," yes, I can ping at "eight eight," and I hope so if I go to my browser, so the internet has to work as well. OK, and here is Google.com, and if I go to Facebook.com from here, so yes, it's working, and let me keep slipping, and let's go back to FTD, and here I will show you everything in detail just to show you. So in monitoring, it's showing me that these are the three ports desk use, and let's go to network overview. So let's see which rule is being broken. Because I'm pinging eight continuously, the top destination is this one with a huge number of hits, some of which are Google and Facebook IPs, and you can see the inside to outside rule has been hit 53 times by users because right now we don't have any, so it won't show an application URL and all you can see from this dashboard, which we'll look at in detail anyway, is the inside to outside zone. So we are heading outside, so it's showing you and your destination as well. It will show you eight at the top because I'm continuously pinging there just to show you, "Okay," and that's it. And it's working. So, let's go ahead and click on device FTD, which is the main screen, and this topology to show you how you're connected, and we'll go over what "green," "gray," and "red" mean in detail. and all those we will see a bit later. Okay, let's go back. If I missed something, let me go through them. I already showed you a net policy if you want to check, by the way, so show net, and here should be its yeah so you can see translated hits 161. If I check again, it needs to be increased because it is always 169. I'm sending a pin, so the net is there and shows a connection. So because there are already connections there, it will show connections. You can see so many connection which we checkin Cisco essay and show connection detail if youwant to check in detail, show connection detail ifyou want to see in detail by the wayyes it's showing in detail and route is alreadythere, I already checked show okay that's it. And there is a default route and everything is working. If I missed that, let's go down, because this was initially working. How we can apply FTD locally to use FDM to locally connect and figure it out.

7. Lecture-07:Firepower Device Manager Main Page walkthrough.

Give you the main page overview. Then we will do everything, one by one, tomorrow. So here is when you log infirst time there is a Cisco logo. Then there's Firepower Device Manager, which I already mentioned when you log in to your browser, and it's called Firepower Device Manager locally. Then there are some tabs with "monitoring" just related to monitoring. Then policies, net policy, access policy, etc. For which we will do in detail. Then object to create to use them. And there's the device and FTD, which is the name we give it. Okay. Then there are things like, if you want to open console CLI to ping something, you can do the same thing I did here: type show route. So it will show you the same thing here rather than have you go to the console. So you can use and you canuse them here, here to supply everything. And it will show you a task list. And if you have any question either you don't knowyou click and it will open a help and theuser which I'm logging and their profile and log outagain we will do in detail on these things. And also, we will do these one by one in detail. and also all these. Then there is a model Cisco that we are using, KVM, because we installed that version. And there's the software version six, seven, the most recent one, as I mentioned. There's also the database system and the vulnerability. database version intrusion rule update intrusion rulewe will do which is IPS ideas. Okay. And cloud service is the new thing. They integrate them. So we are not registered with cloud services, and high availability is not configured; we will do so later in the course. Then there's a diagram that shows you everything you're connected to on the inside via one. And it's true: zero one is on the inside of me. That's why I connect them like this way.Because they already created two objects—inside and outside—with these interfaces being integrated with those ones. So we use the same thing I told you about, but under a different name. These are the three interfaceswhich right now is green. Green means it's working. Everything greyed out means it's not configured yet, either disabled or whatever. And red means is down or there is some issue. So this is green zero one they say inside networkconnected to port g zero one with the name insidealready they created this object for us, they see insideIP, sorry, zero one is the inside IP. 100 and is enabled. Zero is through DHCP, and 11410 is this one that is connected here. And this is the outside name by default. And we are connected through management. 100, 200, and this one, so it's also green, and console is not enabled. Okay. And there's the gateway. The gateway we configure one and 26114one we are reached to internet. We test them, we reach eight, we configure NTP, and the smart licence is activated for 90 days. Soit will show you if you don't need this diagram, and there is a way to hide them if they don't remove it. Yeah, I think so, and they remove it from the new one. There is a small button to hide them if you want. If you don't need this diagram for some reason, okay, then these are the interface details. It will show you how many interfaces are enabled out of five. You see 1234, and out of five, three are enabled, including management, and you can view all the interfaces from here. Again, we will do it in detail. Then, if you want to configure geolocation, one static crowd is configured to ensure that these are updated. either vulnerability update our system upgrade and security intelligence wewill do all these in detail so you can updatethose details to click on this one. Smart licence is showing you 90 days which we activatethem if you want to take backup in the store. So we will again do the same detailed troubleshooting whenever you have an issue and you want to open a case where you need to request a file be created. It takes some time; you say up to an hour. You need to create this one to send to Cisco Tech to open a case with them. Normally, they'll ask you this. So this troubleshooting session is for that one. For side-to-side VPN, there is no connectivity; for remote access VPN, there is no connectivity; for advanced configuration, there is Flex Configure Smart, and so many other advanced options are here. And device administration if you want to do some other thing and audit it—all those things can be configured here. Again, we will do so tomorrow in detail. Then a system setting for management access determines how you want to allow this device when you click on HTTPS through SSH. By default, SSH is enabled. If I go to secure CRT and type this IP, it's the same IP where I'm connected graphically, so SSH is also by default enabled. If I go to file, click connect, type this one and my IP username was admin, and enter OK, they're going to connect me to the remote system, which hasn't refused me yet. Okay, so it says local SSH is enabled, but for some reason, let me try again. If it's not from here, let me try puti; SecureCT can give you a headache sometimes, so let me try from here. Okay, so it was refused for some reason, so you can do the management again and we will do it in detail You can configure the manage interface protocol SSH and HTTP say any any by the way I need to access because they say any and if you want to enable management and data interface or web and data interface okay so let me go back so we can do this in detail, same as logging setting if you want to send the logs you know we need logs to the remote server to internal. Buffer to console, we've done all of this in detail and other courses, but we'll do it quickly here as well, so let me go back and configure those details. You can configure DHCPserver if you want to enable DCP and internal, either in DMV or Nein. We will see DNS by default; we configure eight. I believe that's okay. So we configure eight; you can configure umbrella DNS, as we already discussed in CCNP, so we can configure different DNS as well. which we will see, and then management interface, so management interface IP is just 100 or 200; this is the gateway if you want to change something, so you can come and change it from here, okay? Then host name, by default, we give them FTD for some reason if you want to change the name and are not happy with it. You can change it from here, and then time services will be configure this.We'll change them to Google later in the course, okay, and then cloud services if you want to enable cloud services, which we don't have, so you can configure from here and see if there's anything else they said, so this is the system-related thing and these are some, so this was the main screen, which you can see device FTD is the same as an object, where we can configure so many objects here, like a network-related port-related security zone, and here we can create policies and not only access control policies. Net policy. Security intelligence policy Identity policy SSL decryption to decrypt the packet identity to use Active Directory They have so many IP addresses to block and allow a full list of security intelligence, and we will discuss the access list and intrusion policy if you want to enable as an IPS. There is a balance security and connectivity and all thosethings which we can use later Okay, and the same as monitoring everything, so install them and configure locally—so easy, there isn't much to explore if you explore them—so it's so easy to configure, but the only thing is that the first time you'll be afraid that it's something difficult, but it isn't. It's also very simple, so when you click the mouse word, it will show you some information. When we click the mouse word, it will show us information in green. I already mentioned that grey is not enabled, and orange generated means something is wrong, so we go to inside and outside, click on this one, then the management settings, which we will see, and these are the configuration devices. setting like "update routing interface," which we will see if you want to configure interfaces. Routing updates. System sitting. Smart licence baker's cup and restore troubleshooting site-to-site and remote access VPN, so if we go back to the device, this was the overall. Okay? And that's it.

8. Lecture-08:FDM, System Settings, Management Access List.

OK, guys, so yesterday we deployed a small topology standalone device, the FTD. OK? So this side is connected to the Internet using DHCP, and zero slash one is connected inside, which is 100. And there is one test PC with one monitor. and we are using management 100 and 200. So let me log in through management to FTD using 100 or 200. So, my username is Edmund ABC 12345. And yesterday, we discussed Firepower Device Manager. Whenever you want to deploy a single device, then you need to use this method, and we discuss everything you can see on the main screen. Okay, so we discussed the model, the software, the vendor database, and so on, everything.Okay? So let's start now. The next thing is that we're going to discuss system settings. There is management access and all these things. The first thing is management access. So what is management access? Management access. If you want to reach this device, we use management through HTTP and SSH. So when you click on that management access, they're asking you, "Do you want to use triple A?" So right now we don't want to use AAA,later in the course we will do these guys already covered in the CCNP What is AAA? So if you want to use Cisco, other Cisco, ACS, or any other triple-A server, you can configure that AAA server for HTTP traffic and for SSH traffic. The second type is for management. Management means the traffic which going from administratorPC to the device is called management traffic. when you want to configure a router, switch, firewall, FTD, whatever. So this is called management access. Okay, second tab is asking management interfaces. So on management interfaces, now we're logging through management interfaces. This management interface you see is for management purposes. So this is management interface, which wecan access FTD through 100 200. So this is called management interface,which is out of band management. There are two types of things. One is out of band management, and the other one is in band management. So right now this is out of band management. This is a separate link, which you connect to FTD, and you can only configure FTD. It will not accept user traffic, only management traffic. So this is called "out of band management." So they're asking you to enable HTTP on the management interface for IPV 4 and IPV 6, as well as SSH for any IPV 4 and IPV 6. If you want to restrict this device, normally in any organisation you will see only administrators, security engineers, and security administrators; they can only access the devices. There is an access list configured similarly in our organisation as well. Only we security engineers can access the devices through management to restrict them, while the other guy can access them even if they don't have a username and password. Still, it is not a good idea to give your management IP to anyone. But right now by default is allowed to anyonesuppose you don't want IPV six for Https. You can delete them; there is a small icon, so I did. I say I don't want HTTP for IPV 6, because right now I'm using IPV 4 management, just like SSH. If you don't need SSH for IPV 6, you can restrict them now to these two things. If you want to restrict them further so you canaid like a single IP for Http right now thisis my management IP so my management IP. I don't know which is my management IP, so I need to check so I can allow a single IP as well. Okay. So let me see my IP where I'm connected to this one. So this is 102. So if you want to restrict that Only this PC can access this FTD through management. This management through Https soyou can type allowed network. You can create objects here. Okay. Object we will discuss a bitlater so you can create object. You can put a host single IP Just as an example, in my case, 102 is a single IP, or you can allow the entire network, let's say the management network. I want to allow the entire management subnet. I don't want to take a risk maybe single IP I canallow if the IP change so I will not accept this device. So what I say is 192/1,684, so basically I allow the entire network, and you can put a description as well. So when you press okay, now choose your management object for HTTP. Now my one is there, okay? But keep in mind because any is there soit means anybody can access them again why? because it's not like an ACL to check from top to bottom. It means they will check anything here, so if you want to protect your network, You need to delete this one to allow only your management subnetnow it's okay and the same thing you can do for SSHas well to only allowed SSH and this one okay. So let me do it again. I don't want to apply because I need to showyou here something as well so here is this plusicon you can add and you can remove as well. which is present, so let me repeat: HTTPAND allowed network any IP for and okay Why am I doing this? I need to show you something else, okay, so you can put them back as well. Okay. So this is done. This was AAA. This was a management interface used to limit traffic management traffic such as HTTP. Https. SSH. Telnet, SNMP, and management traffic are all called SNMP, and there is a data interface if you want to allow in-band management. As I previously stated, there are two types of management: out of band management, which is a separate line reach to your device to manage it, and data interface management, which means allowing management traffic on the data interface as well. So this is called a data interface. Suppose I have an internal PC; can I access this device for management from the internal? So I don't think so. It's allowed by default. So if I go there, what is my internal IP? 192, 168, sorry, 100. So this is my internal interface. I want to access this device for management purposes. So no, it cannot, because this is an internal data interface. But if you want, you can allow management traffic on the same IP. How? by using data interfaces. Right now, there is no Data Interface Object. So if you want, you can create a data interface and select the interface. My interface is inside this one, so I can go inside the interface and say "allowed HTTPS." If you want to allow SSH as well, type SSH as well. And if you want to do restriction,you can put restriction as well. Here, right now, I will say any, by the way. You can allow your internal subnet, which is 192.168.1.1, to restrict them, but anyway, for testing purposes, I'll say okay, so done. I've now enabled management traffic from the data interface. And what else? There is a small ball icon; it means there is something pending. I will tell you a bit later, but anyway, right now I will deploy this one. After deployment, you will see this IP will be allowed for management as well, even though this is a data interface IP. But you can access this device from your internal interface to use it for management purposes. So you get what I'm saying? So after a while, let them deploy, and I will go here. So what we do is go to device, then system settings management Access okay, so here you candelete if you want to restrict them, management interfaces,whereas Https and SSH, okay, and you can createa rule by click this plus icon. And then you can create a rule and a protocol. What protocol do you want to allow? There are basically two protocols for management purposes. Okay, and then, let's see. Okay, just be patient while we investigate this one. So still, it's going on. If I check here, I still need to deploy. So, deployment is in progress. So after the deployment, you will see that this can be accessed for management purposes through internal IP. Keep in mind, our management IP is this 100 or 200, and we want to allow management through internal IP, which is not possible right now. So, after deployment, you will see it will be accessible. Okay? So now you will see this device. OK, so it's here. Now you see from inside IP that I can access this device for management purposes. So this is called end-band management. So I allowed HTTP and SSH through data interfaces and then management web services. Management Web Services is the certificate's subject. Because I already exist sometimes when first time you accessthe device it will ask the certificate like this typeof error okay so it means a certificate error theywill ask you so what you can do. You can install a certificate that is recognised by all browsers, or you can export and import it to your internal browser to support it. OK, so this error you see is smaller and not CQR, so this one is for that purpose, this management web service. Okay, and they are using the default web server certificate if you want, and you have one right now; we don't have either if you want to create one, so it will be the same, okay. What else? This was management access the first linkwhich they give us and system setting.

9. Lecture-09:FDM, System Settings, Diagnostic Logging.

The link is fine for diagnostic logging. It's here either in the logging setting, which you can see. The second logging setting means if you want to send your logs, we discuss them in more detail in the CCMP and other courses, so I don't want to go into detail—you already know your logs if you do. Just let me revise log there are eight level uplogs from zero to seven is eight level of logsfrom zero to 70 is emergency then alert. then a critical error warning. Notification informational and debugging the more important are these three eitherthe fourth one as well up to this . 0123 These are because the system is unusable, possibly because something is wrong, alert, and critical; you already know these, so if you want to send the logs, it's all about the logs and where you want to send them, so when I click on logging settings, remote server, if you want to send the logs to remote syslog server, everything is disabled by default, except the first one, remote server, which you can enable. Remote servers is log server IP, so I already put one system here; let me go on that server just to show you; we will do it in more detail later, but for now, consider them just to show you how it works. There is another system I just connected, 1141, so I connected one interface here. You can connect here directly, or you can install and connect there as well, so let me log in. I already installed one window server there, and I have already installed a Syslog server, whereas let me go to your window 10, and we use this Syslog server many times by the way, so let me go to window one. Two. Three, and this is the syslog that we're using before we use this one okay. What can I do? Let me restart, and by restart, I mean until later. Iwill show you okay so this is log to send them So now they're asking where to send the first one is Syslog Server okay so click on this plus icon so there's no object to show you where to send where is the Syslog Server IP? You can click on Create New Syslog Server, and they will ask for the IP address, so let's check out the IP address for Windows 10, which is our Syslog server, okay? So let's check it out, it should be something like twelve R. eleven IP, so let's see if it will be from the same subnet 192-16-8114, okay? So let's check it out, yeah, okay, and let's go to interfaces and check the IP address for Syslog Two, yeah, so let's go back, and here I will type 192-16-8114 I just need to double check, yes, because, as you know, Syslog is using UDP, and five one four is the default port they are using, okay, and where is this Syslog server? It's asking you for the data interface, so basically it's an external one, but it can be internal. It can be anything, so I say "outside interface" okay and click okay. So now I say, "Whatever happened, send to this syslog server," which is an external syslog server; choose IP, and now click okay. So now I enable this syslog server and this eighth level, which I told you is emergency alert. So I enable until the end because I just want to test otherwise the most important of two errors okay so it's okay and now if you want to custom login filter you can enable filter to sendfilter the one which you need so they can send those logs only so I enable remote server save okay so it's successfully saved now there's an orange dot so you need to deploy whenever you do some changes so let's deploy Let's go to Syslog and let me clear this so we can see them when they're done, so let's go back, soit's still in process, and let me close and let me show you the other one now the other one is file and malware logging, and we will do a file and malware policy as well later in the course in detail if you want to put restrictions on the file so that nobody can send a PDF file or a Word file so you can use that. file policy Malware policy is Malaysia software with which you can protect your network from spyware, logs, and so many other things malware is an umbrella term we use for Malaysia software where so many things are coming like a virus is warm and everything, so if you already enabled malware and file policy, it's generating logs, so if you want to send those logs, then enable this one and put the syslog server IP right now because we don't have a file and malware policy. It's pointless to send traffic to the Syslog server, so this one is obvious: this one is to remove server datalogging; this is datalogging; this is file and malware datalogging; anything for which we have traffic null except traffic in the internal buffer, which is also disabled on every device. every Cisco devicestore the logs locally in buffer buffer is a small memoryso if I go to this device and by default isdisabled let me see show logging. It's the same command as the Cisco essay. It's in switches and routers as well. So it's asking me—let's see—buffer is disabled right now. You see, buffer logging is disabled. So every Cisco device stores the logs locally. So whenever something goes wrong, you can check thelocal logs first time normally when we troubleshoot. So we go to these buffer logs, and we can see the logs by running the command show logging as far as the switch, router, Cisco SI, and FTD. So if you want to store the log in a buffer, you can enable this one right now andagain, which severity level you want to send? I think, so it's deployed now. So let's go to Windows 10 and see the logs you see. Let me make them bigger. So now it's sending the logs one, one this, theexternal IP and apprehel two and you can see morelogs are coming because it's a data log, anything relatedto anything, all the logs will and also up tolevel seven I told them to send. So you can see the logs are being sent here now, and you can verify from here. Okay, so I'll send the logs here and let's go back this way; you can send file logs, an internal buffer if you want, so you can enable and which logs you want to send, the more critical; normally, we send emergency logs, but it'll be a burden anyway, so let me on for a while and I say send to a local, so it will do more. Okay, buffer size by default and routers which isnormally just the buffer size, but if you wantto increase, you can increase it as well. The buffer is a small memory that will store the latest logs. So I say this is my buffer size, okay, and send all the logs up to debug level seven to the internal buffer and then console filter. This is my console; I'm not receiving any logs, so if you want to enable logs on your console, you can enable those as well. So let me enable it for test purposes, and up to what level? It's up to debug, and let's save and deploy. So it's saved now, and I believe it will show you here. And now there is an orange dot, so now you can deploy them, okay, and they will show you as well. Whatever you change, it will show you here, so they will deploy, let's see, and after a while, when it's deployed, you will see the logs here, and also when you type showlogging, you will see the logs here as well. So all of this is related to logs; if you're unfamiliar with logs, you can learn more about them in my other videos; we go over all seven levels as well as the different types of messages in Syslog. Okay. So this was Syslog for console, and for syslog filtering for diagnostic log and console, you can enable and disable it from here Okay, so if you enable console log, it will show you the logs on the console; these are levels zero to seven okay, and if you want to send them to an external Syslog server, you can enable, enter the IP of the Syslog server, and after deployment, you will see the logs like this. So this was related to Syslog and FTD as an individual device, okay, so let's see if it's deployed or not okay. Still in process, let me close the internal system right now I don't need okay and still I can't see any logs here so this is the way to configure Syslog let me close so it's here system sitting, we're here login sitting, and I believe it's done not yet okay. It took one to two minutes to deploy. When it's done, you'll see the logs here in the console. You'll see the logs here by the way if we make any changes, so let me make some changes and also show logging. Yeah, now you can see the logs; before it wasn't showing; unfortunately, this screen cannot be made larger; it is very difficult, but you can see the log. Those who have done Cisco SS may be familiar with this one, so you see the log before it was saved, it's disabled now, you can see the log, and on the console, it's going to show you. I'm on up to debug on the console, so let me make some changes and then it'll show us here, so let me go to and let me create some object or something on one machine, sorry host, and let's see if we do anything to see the log so they have to show us the logs here whenever something happens, so let me go back to the device and go to the log setting, so yes. Console I enable up to debug yes, it's correct, so there has to show me the logs here by the way, but anyway, this is the way to enable logs on buffer buffer, which is a small memory to store and either you can send to external and you can enable syslog for file and malware, and also you can enable for console as well, so still, I cannot see any logs for console either. They change a few things. So I'm just wondering if this can be the issue, but it has to show us. And this one as well. Anyway, this is SYSLOG. You have an idea how it is working. Okay.

10. Lecture-10:FDM, System Settings, DHCP Server Configuration.

Everything is related to DHCP. Again, we discuss DHCPN in detail, a dynamic host configuration protocol that you already know. So DHCP do it will assign IP subnetmasDNS when server many things TFTP so manythings can be assigned through DHCP. and it will assign all the parameters automatically. And this is what we call them: DHCP servers. It uses port numbers 67 and 68. As a result, you can configure FTD to automatically provide IP in their details. So you can make FTD a DHCP server as well. How can we can?So if we go to device and there is DHCP server. So right now, there is no DCP server configured. The first step is to create a DHCP server, which can be done from here or from this plus. So create for this one. and specify which interface should be configured as a DHCP server. So right now I will use this internal interface one.So I say "inside interface. Okay. an address pool. I would say 192-1681 with the 192-16-8199—let me start this from ten. So from now on, this is my address pool. They give examples as well. Okay. And click okay what I donegreater than this IP address. Sorry I type wrongly this one one dot okay. and press OK, so now it's done. I enable it then you can delete. You can edit as well. Suppose you want to change something and there is a small icon to delete. There is configuration configuration tape. Say if you want to enable foroutside either inside interface extra things likeextra thing is like a Vin server. Let's say Windsor's secondary wind servers aren't in use. And let's say you're talking about DNS. And let me put it it's coming automatically. So let me put these, okay? So I put this for OpenDNS and this for DHCP to allocate. This one cannot define DCP on the same interface used for auto configuration. Okay. So here's another one. Okay. So this is a DHCP configuration. And let me push this one now. So you can make FTD a DHCP server. So, on the internal interface, they will now allocate IP addresses ranging from 10 to 99. So what I'm going to do is stop this internal PC. and let me change the setting to make them do is stop thiSo let me stop. because I assign a static IP. And now go to startup configuration, and here And let me this one save and IP. And noSo when it's done, I will start this one. It will take the IP automatically. because I purposefully gave ten IP addresses before the IP was one. So let's see which IP this device will get here.And if you want, tell us what else we can do. if you want to see the wireshark. So let me launch Docker Wireshark to demonstrate. We already know Dora process. But first, let me show you where you can find Wireshark. There is Wireshark, and can I connect here and use it? Let's see if I can use it as an external interface. Otherwise I need to connect here and letme see here capture zero one interface I don't think so. It's working right this way. I thought it was working like this. I just need to show you envireshark and type DHCP here. So let's go back. I think so. It's done now. It's still in process. These guys already know the ones who don't know, and they are new to this one. So DHCP basically uses the Dora process—discover, offer, request, and acknowledgement. So that's why I started Wireshark to show you those packets as well. So I'm just waiting for deployment. It takes one to two minutes, and then I will start this PC to get the IP dynamically. Yeah, it's done. Okay, and now let's start this device and see. They will send a discover packet saying that I need an IP address if everything is okay and this device does not get static IP again. Maybe I missed this one. So let me capture this one, let me open it, get the IP or not—let's see. Okay, let me go to where the system tool and terminal are, and let's see. Okay, so I did not get the IP address, and maybe the issue is this Docker. Let's see this one. So from here, everything is okay. Enable HTTP servers 1000 and 199. So I don't think there's any issue from here. So what I can do is stop this one and connect another system. Let me take another system to connect them, and we can use Windows. Let me put in Windows XP or something. Yeah, okay, so let me put this system in, let me delete this device, and connect internally this PC-window PC here, which is our internal. Okay, let me start this device, and also, after it starts, we can capture the package zero slash zero interface through wireshark and its his PC-windowStill, we cannot see any traffic. Let's see, maybe the system is booting up so you can make FTD a DHCP server as well. Okay, so it's come up now, and let me see. And now let's see which IP is getting one ninety two, one sixty eight, and one ten. Okay, you can see it's getting the IP, the same IP with which we started, and everything will be up now, and By the way, there will be no such thing. The internet and everything will for some reason itdid not capture that traffic because I put thiswarshark wrongly here it has to be somewhere inside. But anyway, I thought I would show you the Dora process. But anyway, we will do the course anyway later on. Okay, you can see I have access and everything is working. And if you have a doubt that maybe it's not going through the firewall, So what we can do is let me ping one, which is a DNS server. Okay. fastest DNS server. So let's go to FTD, and from monitoring, we can see the network overview here. The top destination should be one one.You can see it's one one one even though it's thisone but after a while it will become one one. So let me refresh. Go to Network Overview. So traffic is going through this way. You see, it's 23%, and the one I use is the highest—1 forty-nine K, one point four—and it will be more after a while when you refresh them. So let's refresh because more ping is there. So let's go to system and network overview again. Okay, here's number 49. So it means the traffic is going through them and everything is assigned automatically through DHCP. If I say IP config so 192, 160 at 1100 isthe gateway and if I say all so DNS and everythingyou see we use this DNS and also at and Vinserver is also there because I assign Vin server as well. You see Vin server DNS, I put these two DNSand this ten IP and this is the default gateway. So everything is working. So this was FTD acting as a DHCP server. By the way, there is a default DHCP server as well. So I create a pool here in the interface, and okay, then we go to configuration to enable DNS. By the way, we enable this DNS; another one is eight eight eight, and then we go to the PC inside and verify that everything is working properly. So you can enable DHCP as well.

Go to testing centre with ease on our mind when you use Cisco SNCF 300-710 vce exam dumps, practice test questions and answers. Cisco 300-710 Securing Networks with Cisco Firepower (300-710 SNCF) certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Cisco SNCF 300-710 exam dumps & practice test questions and answers vce from ExamCollection.