Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD) Part 8

42. Lecture-42:Introduction and Concept of DNS Policy in Cisco FTD.

Time we discuss about security intelligence. What is Security intelligence. So, it’s a complete team of Cisco and they get all the detail, you know, Malaysia’s domain, Malaysia IP and their URL domain, all those details, they have a full database. And last time we discuss in detail. I don’t want to go in detail, but one thing we left in that time, I told you as well that okay, we block IPS and we block URL. But what about the DNS entries? Okay, the domain complete domain, the fully qualified domain name, either the DNS entry, because the URL may change their IPS behind, maybe they have the same IP, but they can change the URL. So what we can do, we can block such site and such website, such domains, such IPS, the public complete list of Malaysia and spy and all those website by DNS entry as well. So we can allow and deny based on domain name DNS entry. So for that purpose, we can use DNS policy and Cisco FTD. So, we already done half of the part. Last time security Intelligence and this DNS detail was there if we go to FMC, okay, and when you go to object management, okay, so last time we done these two part, let me show you. Here is Security Intelligence. You can see network list in feeds. We done last time, this one. And then we done URL list in feeds.

Now this one, DNS list in feeds. So, same like a network and URL, there is two by default entry, which we cannot delete. And neither we can put something directly and directly. There is a way, same like a last time we tell. So we cannot put anything by name. Global blacklist for DNS and global whitelist for DNS. And same way like a URL and network, they have also intelligent feed. And we discuss what is feed is nothing but a list, dynamic list. And if you want update it, so you can click update feed. So you can update this one and this one. Update, I believe, let me check after 2 hours, I believe by default. So if we check, so it’s by default 2 hours. This is the frequency to update from Cisco intelligent. It’s a dynamic list. So whenever in the world there is something related to DNS, Malaysia, something so Cisco will put in their list and you will get automatically not only an FTD, this feature is included in Cisco WSA, Cisco ESA and Cisco Is and other security devices. It’s a very good feature by overall, we call them Security Intelligence. And we discussed last time in detail. So the same way, we can create three different way DNS policy as well. Same like an IPN URL. One method is to get the database from Cisco intelligent team, which by name teles. And we go to their website as well, if you remember, and which is this one. So we can get up to date information from cisco intelligent. Second method is we can filter manually using global DNS, whitelist and Blakelist same like last time, we done network and URL. So here is global, blakelist and global. This feature is for daily use.

So when you are here, suppose an analysis and you are doing operation job, daily job and you are maintaining your firewall and suddenly they told you that there is something you need to block them. So if you go to table view, if there is any connection either let me create some connection from here to go any website. Okay. So let me go here if there is any URL so that I can show you. So no entry because we just send a ping. So let me open some website. Suppose Facebook. And here is something. Okay, let me visit some website so that we can see here. So let me refresh this one. So without deploy you can block and allowed we will do in the lab. But I’m just showing you. So now we have many entry. Let’s go to here is okay. So when you right click on this one. So here is Blake list DNS request to domain now. So you can Blake list this straight away. And after next click when somebody is hitting this URL, it will not work. And this entry will go directly to that URL list. Let me show you. Let’s send this Wikipedia.

So if you right click here and here is Blakelist DNS request to domain now. Okay which we will do in the lay. But I’m just showing you. So this is a second method to use which is frequently and daily based. You can use them to block or allow someone by domain, by DNS entry, complete domain, whatever is related to both side. Third method is we can create our own custom field and custom list. Same like the last time, we create our custom IPS and custom URL. So the same thing we can do here as well. We can create our own. So it means it’s not going to apply. Let me refresh sometime. It will give you an error. So let me go back to show you. So we can block maybe the thing which we want to block the DNS entry. Maybe there is not block in the Cisco list. So what you can do, you can create your custom list to block either. Maybe you want some more IPS because it’s changing country to country as well. Like let me give an example last time I also give an example here. In Saudi Arab. They block China and Russia and what is called Israel. These countries are blocked here. But this country may not be blocked in UK. And these three countries are not included in Cisco less to block them.

So what you can do in this situation is for your company and country requirement. You can create your custom DNS feed and that’s what you can do from here. If you go to device sorry, object and object management. So you can create your custom list either custom feed custom feed you can get from internet. Maybe I give an example if I have somewhere this time I take an example screenshot from internet if I mentioned somewhere or this one. So feed is nothing but a dynamic list and custom list which you create and note paid. And you want to block those IP either URL, either DNS entry, whatever. So you can create your custom list to block. So these are three different method. So I was about to show you. So here is if I come to security intelligent DNS list and feed, okay? So if you click here so there are two type of thing which you can create a list. When you click here, it will show you feed or list. If you say list then they will say browse the list which we will create later now and you can block those. And if you say Feed then you need to type the link of the feed. Okay? Feed can be your local as well. You can put them in your web server and you can dynamically it will get IP either you need to update regularly and they will get those IP from the list.

You need to give them update frequency time. Here is so feed and list is similar thing. Okay, don’t worry that what is feed. Okay? So these are the three method but before going to apply DNS policy, we just need to know a little bit about DNS. I believe we discuss DNS in more detail in many courses. What is DNS domain name system either domain name server. So basically DNS what DNS do? They translate your fully qualified domain name to IP because human understand like a@yahoo. com Google. com all these things behind this URL there is IP like if we go to CMD and type enslookup okay? And if I type Google. com so behind there is Google this IP if I copy this IP and type any browser suppose I open any other website but if I type this IP, it will go to Google. Look, it is going but if you tell someone they type two 2165-821-1206 you will say what the hell are you talking? But if you tell him to go to google so they can understand easily human they learn name quickly as compared to digits. So DNS do this for us. They translate this Google. com to this IP behind the scene just like in your mobile phone you have many number but you mentioned by name and in the whole what we discuss in detail. But I just want to show you root server root DNS server. So there are 13 DNS server in the whole world and then these 13 DNS server has many replica, many backup.

These are 13 DNS server which is in the whole world. And these 13 server is representing by these 13 server as A to M-A-B-C-D-E-F-G-H-I-J-K-L-M-S become 13. And then every DNS has many replica and many look at now in the whole world they keep all the record like a root server. org. What is behind the scenes server, their domain name, their IPS like Google. com, Facebook. com, Twitter. com they keep all the detail on all 13 DNS server and they synchronize with each other. Whenever you want to register a new domain name, they have to check all these DNS entries. This is overall 13 DNS server but we can create our own DNS server as well for this one and these DNS server we can create in let me log in to any server like a server 2003 server, 2008 server, 2012 server 16 and now there is 19 and also Linux. These can be used as a DNS server. So you can create your local DNS as well. So when you create local DNS, they already have these 13 root server, these 13 DNS root server as well. If I click on my DNS server and if I go to this one and go to property, here is root hint, it’s called root server as well. So you can see it starts from A-B-C-D with public IPS up to M because these are ending with M, these are 13 root DNS server. So when you create a local DNS, you will see this one automatically even in Linux as well. So when the entry came to DNS, DNS will check their local database. If they don’t have, they will forward everything to these 13 DNS server and they will ask them do you know this guy? Okay, so just to show you this DNS, so you can create a local DNS as well, and you can use World Public 13 DNS server. And then there is the top level domain, and there is authoritative DNS. Not authoritative. So many things we discuss in CCNP. I don’t want to go, but I just revise what is DNS. So this is the way how it is working. Suppose I type here this server rootserver. org suppose maybe I type Abcden. com, maybe it’s not there so what will happen?

They say the site cannot be reached because they send this request to local DNS. We don’t have local DNS is go to my modem modem send to the 13 DNS server, 13 DNS server say there is no such person, no such domain and they will respond to you. But if I type something correctly, suppose Facebook so what they will do, this request will go to and they will translate. Yeah, there is another story as well, because sometimes they keep the record if I go to Ipconfig display DNS. So this Facebook detail is in my local DNS entry for a short time. So that’s why it’s come quickly. So it will not go to those 13 DNS server. That is a different story but I’m just telling you how it is working. So when you send the request, they will check in local DNS which I show you my local DNS. And if they don’t have if they have, they will reply in case if they don’t have, they will go to ISP from my modem to ISP and they will check. And they will forward to those 13 DNS server which I show you.

And then they will check. They have a different way like a org. This is called top level domain. We discuss I don’t want to go in detail. And then they will respond to this the way how DNS work. And this is not possible in any organization to block 53 port which is for DNS TCP UDP it means you have to allow it. And now in this letter it means in this world the main issue is DNS security. That’s why Cisco umbrella is there. Cisco introduced Co umbrella which was before I think so it was something else we discussed in CCNP. Open DNS by name. Open DNS. While the issue is it’s not possible to allow 53, you have to allow it. And there are so many attack by DNS. So open DNS was there. Then Cisco hire this one and they make them Cisco umbrella. And there are other many things are introduced for DNS security. So one of them to use DNS policy to save yourself from such a take. Okay. So that’s the way how DNS working. Now coming to when we create DNS policy, we will see these action to take whitelist definitely to allow someone and to pass the traffic monitor just generate logs. But it will allowed. We already know these two things. Because another policy we discuss as well drop definitely we also know this one just drop the traffic straight away to take action. The other two which is not maybe we did not discuss in other policy is domain not found. So we can create a DNS policy to respond whenever somebody going to Malaysia’s website either malware website.

So our firewall will reply them that this domain not found even though domain is there. But they will make them fool that this domain does not exist. And it’s a good thing we can create such DNS policy. So whenever somebody is going to illegal website domain and when the DNS request go on the first place. Because the first thing go DNS request. So they will say domain not found. We can create such policy. We will see in the lab. Second thing is sync hole sync whole we can. This is also a good practice. Because if you said domain not found so maybe some user may say how it is possible. Suppose you said that yesterday I go to this website from my home. And when I’m trying from my laptop at office. So they say domain not found. So they may thinking some user. Another thing which we can do for smart user. We can use sync hole, DNS Sync Hole DNS Sync Hole they will respond them but not domain not found. They will respond them with a fake IP, fake IP address. They will response them with fake IP. Suppose you are going to any suppose any malware website. Suppose Facebook is Malware website. So when you type Facebook. com, so they will say that it will redirect you to the fake IP.

In this way your traffic will not go out. So that the malware can come to our organization either our network. So these two we will see in the lab. So these are two other possibilities which we can apply in DNS. So these are the action which we can take to whitelist someone to monitor. Just generate log domain not font to reply them that this domain does not exist. Drop them straight away and singlehole to redirect them to a fake server IP. It can be a server in our office and it can be a fake IP, just an object. So let’s discuss those three in detail. The first one was drop action. So how the drop action will work? Suppose this user query that Cisco. com and FTD will drop them straight away. There is no such and I don’t want to allow you. So you drop them in the first place when the request go to this. So this is drop and shortcut. So you can drop them straight away without asking or redirect them or something. Second thing is domain not found which we discuss. So domain not found. When a user send a request again to Cisco. com, this time is not dropped, but they will reply then that the domain Cisco. com is not found either does not exist, they will say there is no Cisco. com behind the scene, you configure DNA. So whenever somebody going to such website which is not allowed, so they will get the response in such a way. Okay, so this is a second method.

Third method which is very good. One is sync hole. So how sinkhole will work. So when they send the requests, cisco. com firewall will forward their traffic to a sinkhole server. It’s like a honey pot as well. Honeypot means to catch someone. You make your own server, a server. And whenever somebody going to such a malicious and such other illegal whatever, you know all the thing either virus’s, website, any other URL which is not allowed legally anywhere organization and somebody going to there. So what they will do, they will redirect you to DNS sync hole. So it can be a physical server where you can monitor those users that who is visiting those illegal websites or domain or whatever. So you can catch them by this way. Sometimes we call them honeypot as well to catch someone. Second thing, this sinkhole may not be a server. It can be just an object on your firewall. It will do the same thing. It will respond them by that object. And we will do the object, we don’t need the server, we will create just an object. So whenever somebody go into Malaysia’s website, so they will get response from this sinkhole so you get the idea, maybe when we do the lab maybe you will understand correctly.

Now, before going to DNS policy practically we need to know two things we discuss already as well. Feed. So Feed is basically Cisco has a dedicated threat intelligent research team which we discussed last time with telus and they’re monitoring and analyzing internet traffic every second and whenever they find out any suspicious activity, they categorize them and they make a list and you get that list automatically and that dynamic list called Feed. And that’s what we update the feed just now, I show you, we update our feed this one automatically is there, you can create your own as well. But how we are getting this feed in every Sisco device mostly now they fit this one cloud agent. So Cloud Agent when your device is connected to internet, so periodically they will communicate with the Cisco intelligent, telus intelligent and they will get the update. That’s the way they are getting. So Cisco WSA ESA Cisco firepower Cisco SA and every device they include this cloud engine to get the updated feed. Last thing before going to lab you need to know NS lookup name server lookup there’s a command line in every server sorry in every window, Linux and so many other to use to find out the domain to IP and IP domain related to DNS. Okay, so we will use this NS lookup as well. So you just need to know what is NS lookup? Okay?

43. Lecture-43:Configure and Verify Domain Name System (DNS) Policy.

The DNS policy lab time we will do, you will use the same topology which we used last time. Okay, so here is FTD 100, 200 is management IP and 1254 is inside IP. Okay? And one one 4254 is outside IP and there is a default route sending everything to 1141. Okay, inside that we have three PC for test purpose. 1311 and one two, one is Linux, the other is docker. And this one is window. Okay, we have external to server, maybe we will use later one one 4250 and one one 4251. Okay, so we already know how to register. So we already registered this FTD. This FTD is registered with FMC FMC IPS 210. This is 210. This device is in routed mode. Okay. And this policy is here. And let me show you the interfaces which is configured here. Quickly, zero slash one is inside. So this is zero slash one, sorry 1254. And the interface is zero slash one. So 1254 and one 1254 is configure. And these are security zone routing is configure static route which will push everything to next hub. So here is static route. Okay, let me quickly show you. So S will send everything to 1141 here. Okay, so routed configure. Third thing is configure access control policy which we’ve done in detail. So access control policy, we create one policy which allowed everything. So there is a default policy.

We create insert to outside, insert subject any, any everything. And there is a net policy because these are internal user when they go out. So it will be translated to this interface. 254. Again we will do net in detail but just to show you. So that’s the net policy. That’s it. Okay, so our main topic, we will configure DNS last time we create security intelligent here and what we done, we apply these all security intelligence to this playlist. Okay, there were some network related stuff and some of URL and then we test them. But we left last time. One thing DNS policy here is there is a deferered one which is not working. So I told you that we will do this one. So that’s the part related to security intelligence to stop the search site using DNS. Okay, so we will attach DNS policy here. But before creating a DNS policy, when you go to policy, here is DNS policy. Before creating DNS policy, we need some objects for test purpose. So let’s go to object object management and we will create some custom object like a list of DNS, Yahoo and MSN. We will block these for test purpose. So let me see if I don’t have I need to create, okay, I don’t have so let’s go to Nordpaid for custom DNS entry and what I will say@yahoo. com and MSN. com, you can put anything, okay, maybe Twitter. com. These three is enough for test purpose. And let me save this one. Okay, so we’re going to drop these one. So let me say DNS drop. Okay. One list I created here is N. Let me create another custom list. And I don’t know which name to put. Yahoo MSN. I just need some more. So let’s see facebook.

Facebook. com. I need one more something. Suppose Google. com. So I say Facebook and Google. com. Let me save this one. DNS. This will be not a drop. This will be suppose we have three action here. Let me see the action so that I can create object. Up to that way let me go back. We discuss many action. I just want to show you domain not found. So those are the first one we will use for drop and domain not found. So let me DNS this will be domain not found. So two. Okay. So Facebook and Google. com domain not found. And this one is@yahoo. com Ms and Twitter. This should be dropped straight away. And these two will be domain not found. And the third thing is Sinkhole. So what IP will do? Any Malaysia’s website? Anything? So I will redirect them to an IP. So these three thing I need, the first two is clear. It’s not that much difficult. Whitelist and monitor. Okay. If I get a time, I will show you those two as well. It’s easy. Okay. So now I created two objects. So get two other file. Now what I need to do, I am in object go to security intelligent DNS list and feed. Okay. And let’s create a two list. Click on a DNS list and change this one to list. And here I would say DNS. DNS drop this the name and browse date file. The one which we have just created. DNS drop and upload. Okay. Same like last time which we done. Network list. So three entries are there and save. So I create one object with there is three domain DNS entry. Let’s create another one. Again I need a list.

And this time DNS domain not found. You can give any name by the way. Just so that we can understand them easily. DNS domain not found upload. I believe two entries were there. So let’s see how many they are showing your two entry and save. So I create two custom list. One for drop and the other is for domain not found. Done. Now third thing I need, before doing the lab properly, we need to create sync Hole. So just after that one there is a Sync Hole. Click on Sync Hole and there is no object by default. Click on Add sync hole. I’m still an object. Okay. And let’s give them name a DNS Sync hole and IP suppose IP which is not a new. Let’s give them one. One and IPV six 2000 double colon one suppose and log connection to Sync Hole. Yes. Block and log connection to sync hole. Okay. And you can type many type to block such type like a command and control malware and phishing. I say no. Everything so that’s the way to create sinkhole object. It can be a physical server. I already explain you theoretical part. But I’m creating just an object considering this like a server and save. Okay. So I created two custom list and then sync hold. Now I will create a DNS policy. And attach to my access control policy. So from here we can create go to policy. And here is DNS policy.

Click on DNS policy by default there is a DNS policy with the name default DNS policy. But it’s read only if we click on it. And I believe you cannot write anything. So it’s here add a DNS rule. I maybe it’s not allowed me to put something I think. So in this new one I believe they read right now. But before the old version it was only read and this was disabled. But this one is allowed anyway. We can create our own as well. So let me go to DNS. And you can create here a DNS policy. So I would say DNS policy. This is my one. And you can put description as well. So this is DNS policy and save rather than to use default one, we can create our own as well. So now DNS policy with the name by default there is global Whitelist which we discuss. And global blacklist for whitelist is whitelist and blacklist domain not Found error will give them. Okay, so these two are there. But we don’t care about these two. Click on here a DNS rule and give them any name. So the first one we will say drop. So let’s these are the action which we discuss whitelist just generate logs and allow the traffic domain not found which we will see now. And drop. So the first one I want to test drop. So I say drop rule and enable. And the traffic will go from inside zone. Okay. And network should be you can put any either.

You can put your local. This one it’s up to you. But anyway just put any VLAN we don’t have any. Here is DNS. So click on DNS. And for drop we create a custom one. It should be here. Just go down and there should be drop DNS. Yeah. With the name DNS drop. Three objects are there. You can see if you click. So it will show you three objects we put here. So put that rule and add to rule. So whenever somebody hit those three objects okay, three objects. So it will give them a drop straight away they will drop them. So we create one rule and eight then it’s here. Now let’s create a new rule with Domain not Found. So domain I’m just giving the name so that we can understand it. Otherwise you can give names for your company requirement. Okay. So I give them domain not found rule and xns domain not Found. It will be generated from inside network can be anything. And DNS for domain not found. We create another custom list. Here is where two object were there DNS domain not found. So whenever somebody visit those two objects so they will reply them with domain not found. Okay, done. Two things are done. But we want to test third action as well. So click on a DNS rule. So we test this one. We will see. We will test drop. Now the sync hole. So let’s say what is the name sync hole. And what I give rule enable sync hole. And here is the sync hole object I just created. You remember by one, one one. This is why I create an advance and say DNS Sync hole. And I say the request can be from inside network can be anything and DNS. Now what I will say by default there are security intelligent whole list like DNS are taker same like last time we discussed. So these are DNS entry. Click DNS. This one DNS fraud DNS Botnet, CNC, command and control. All these. So let me go to all these. I don’t want to click by mistake. My one which we create custom phishing this one spyware suspicious. There are so many categories. So I don’t want to these two. Okay. And that’s it. Global playlist. We will do this later on. Domain not found is my custom one. And DNS drop is my custom one. And done. So I say whenever somebody go to all these which is I am getting through feed. I’m getting all these through feed automatically attacker DNS detail banking fraud detail bought net related command and control related exploit. One high risk, one malware, one suspicious, one phishing one. So whenever I’m getting somebody is going to these website this domain, this URL redirect them to DNS Sync hole.

And DNS sync hole is one one, one IP and IPV six is 2001. So that’s the way to deal with user and ed. So my three rule are ready for drop domain not found and sync all just say save. Okay, the last thing, whenever you create any policy, it has to be attached to the main policy. Access control policy. So let’s go to Access Control Policy. Last tip. And we will attach this DNS policy there. So whenever traffic is going or coming so they will inspect. So let’s edit the access control policy. And where is DNS? DNS is here. Go to security. Intelligent tab. And here is when you click. So we create our own with the name DNS policy. And let’s enable logs which is enabled by default. Yeah. So logs is enabled so that we can see the traffic and that’s it okay. No need of do anything. So it’s apply and the rule is allowed all. Let me see this one that is okay or not. Let me double check. Allowed all which is allowed everything. So inside to outside and network is or subnet. No, this subnet is wrong. Ten is wrong. I believe we have something else. So let me put any an application is any port? Is any URL. Is any okay and let me see inspection is none. Okay and logs are enabled. I just want to see the logs are enabled or not done. Okay and now let me save this one and we are done. Last thing what we can do, let’s deploy this detail. So what we will do, we will push these details from FMC to FTD one okay and deploy because you are doing everything here and when you are done you can push them to FTD.

Now we are pushing all these details to FTD but before doing this one, when this push I just need to see this one. So drop when I put Yahoo, Ms and Twitter it will be dropped straight away and when I put Facebook and Google it will say domain not found. So how we will test? Let’s go to any inside PC. In this case let me go to window and let me log in test one, two, three okay and I need a wireshark as well so that I can show you as well from there. So let me see if wireshark is not installed, I will quickly install wireshark as well in this window and this window PC. So let’s see wire so wire shock is not here unfortunately. And let me check my IP as well. I thought maybe I install sock IP is also not assigned. So what is the IP? First let me install wireshark quickly. Wireshark is important to show you how the traffic going and maybe if it is there or not no. So I need to download quickly. So let me go to Google. com and let’s quickly download wireshark. Okay and there is download other we can use Linux as well. And Linux there is by default wireshark. So let me start that Linux as well. If it is not installed quickly, we will move to this one PC two kali Linux. And Kali Linux by default everything is there, even wireshark is there. So let’s see if it is download quickly then we will test and window. If it is not, then we will move to Kali Linux to test from there because I need a wireshark to show you. So let’s see, I think so it’s downloading it may take maybe one to two minutes until their time is also pushing the policy. So let’s see okay and let me open this one. If wireshark is there, then we’re going to use Linux bitter to use Linux root and tourist password opposite. Okay if you want to use anywhere left so they still default username and password and let’s see the IPS configure or not. Okay, so now I’m logging. I just want to test IP address first. Ethernet zero okay, so it’s 100 is wrong.

So what I need to do, let me put the IP first go to wire setting and the IP should be one two. Okay, so let me change the IP. And when you click here on the interface and go to IP before and say I want to do manually. And here is you can type 109, 216812 and 255-255-2550 gateway s firewall IP which is 254 and DNS should be eight. Okay. And that’s it apply. Okay, disconnect and connect again. Close. And from here let’s test again. Ethernet zero. So now our IP is one dot two. Let me ping my gateway 192-1681 dot 254 yeah, it’s okay. And let me ping a dot a dot eight so it’s OK. And my traffic should go through Firewall. And let’s see wireshark is there. Yes. So it’s good. Don’t need the window. It will take some time. So it’s better to test from here. So I say my ethernet. This one. So whatever I’m sending through traffic through this one I say capture their traffic. So now let’s go to list DNS drop. So drop straight away. They will show you drop. Okay, if we go to test so we have done this one and let’s go to testing. Okay, we apply so the drop one, the verification this one no drop will be straight away. So let’s do drop. Okay. So let me open a browser and let me filter them DNS only we do need the other traffic. So I said DNS. So they are sending traffic to DNS. Okay, let’s see what going to happen. So the drop one was@yahoo. com so when I go to@yahoo. com and go to wireshark where is wireshark? Sorry, I open a wrong one. Here is okay. So let’s see wireshark from wireshark entry.

Can I make them bigger? Let me stop because there are many things open. So let me restart again and continue without saving. And let’s go to@yahoo. com this time is by DNS’s block. Okay. And let’s go there. So they send a request to DNS and straight away they block@yahoo. com this is domain name system entry and this the flake. Okay. And message query. They send message query that I’m going to yahoo. And there is should be answer. So let’s see, maybe the second file drop is drop straight away. But I’m just seeing maybe we can see something from here. The other two I will explain you properly. But the drop, I’m not sure what will be the answer. So they say@yahoo. com okay, let me make them a bit like this way. Okay, so let’s see no authentication@yahoo. com and that’s the response. I just want to see the response. There is for some reason it’s not showing the response to me. Yeah, there is answer@yahoo. com. And what was our next one? Google and let’s see Google. com. These two will be dropped straight away. But I thought it may show us the detail but for some reason there is somewhere but I forgot the answer place. They will say no query. They will answer, they will drop them straight away. Okay, here is so let’s check the other two so let me stop this one. It will be clear from those two. Continue without saving and let’s go to drop is done. Now we say Facebook. com. Okay, I’ve done Google. Okay. By the way, so if we go to Facebook facebook. com so what will happen? It will give us domain not found.

So let’s see what is the entry? Okay, the last thing because we just done this one you see here. How can I make them bigger a bit. Okay, the last entry. This one. Let’s see, we visit to Facebook. Where is Facebook? Here is so now you see here. Let’s go here on the top. And there should be domain not found error. There should be like this. Well, let me show you from here. It should be no such name. When you go to Flake, when we visit such website, I can show you from around other way. But I just want to show you from here as well. Okay, so let me go to messages. It’s better to do it from here. What is called from Nslookup. It’s more easy. Okay, so let me go to CMD. Okay, first I need to change the IP. By the way, just 1 minute to change the IP. It should be one three, PC three. Okay, just let me change the IP. Okay. And uncheck IPV six. And let put IP 192-1681 dot three and gateway should be 192-1681 dot 253 254 sorry. And DNS should be a eight and okay, close this one and let’s check out our IP. And before doing anything we need to verify so Ipconfig. Okay, one three is okay. And now ping the gateway 109, 2168-1254 so I can ping the gateway. Hopefully it will work. And now let’s test them.

So the first thing which we done drop@yahoo. com. So what we can do if we say Nslookup and type here@yahoo. com so it will not show me. By the way, it’s showing for some reason the IPV six, not the IPV four. But it has to give me error like this one. And what about the other one? The drop one is the MSN. com. So MSN. com. Okay. And MSN. com is also showing me by the way the IP which hasn’t to be because we put them. And third one is Twitter. Okay. And Twitter. com. Let’s see it’s showing us or not? So these three, they will drop them straight away. Now coming to domain not found to domain not found. If I say Facebook. com so there should be for some reason something is wrong. It’s apply or not? Yes, for some reason it’s showing us the IP. What was the domain not found? Other one? Google. com. Let’s test this one. Yeah, this one is okay. It’s in nonexisting domain. Even Google is there. And I type correctly. It has to be the same like for Facebook. com. Let me see, maybe I type Facebook Rangdi it’s okay. So it has to give me like this way not existing domain. When I type google. com so this one is working for some reason the second one is not working facebook. It has to do the same thing for Facebook. Yeah, it’s okay now, so you see, I will show you from the logs as well.

So two things, drop is done straight away and then domain not found it will give you this error. If you type any good website which is not in this list, it will show you everything like what is the other website? Twitter we already put them let me go to any other website open DNS, it will give you proper result. So don’t think like this. Maybe it will give you opendns. com, it will give you all the details you see, but not for Google. com. And this one the last thing we need to check the sync hole. So for sync hole I need any malicious IP so from where I can get same like how we get the other detail. Last time I told you, you cannot get the detail from graphically. You need to go to FTD either FMC. Okay? It’s better to go to FMC. So let me log into FMC. You can get from FMC either. You can get from FTD, but in FMC it’s easy. So let me go to FMC and get any Malaysia IP so that we can test them. So what we can do go to FMC and open it okay. And go to the directory is for that one I believe last time we done war and then it was something I forgot it was SF something yeah, SF and then security intelligent DNS here are this one okay. And then LS so you see a lot of category now we can use head command or tell command to check out. So here is let’s see the first one one and tab are to complete.

So this one is for high risk one. So this one is not working, let’s go to another. There is nothing new entry and some 1937 and tab okay, so this is DNS lock and lock. There is also nothing, so let’s go. Some list may be empty so e 90 zero the last one and let’s see what entry this one and they have only one entry. This is monitor one I don’t know, let’s go to another one. This is universal ID. Okay? For every detail if you are confused last time I show them that when you go to DNS your DNS policy so they are not representing all the detail by name, but they are representing by the way, it’s better to do it from secure CRT so it will be clear to you visible, more visible, okay? So let me quickly connect it to FMC if I can through SSH okay? And quick connect and the IP of 100 to ten user name is Admin okay, accept and save and ABC the rate ABC one is better now so that we can see everything. Okay? So this is wrong. ABC at the rate ABC one. Okay, now and expert mode. And then we’re going to log into Sudo Su. Type ABC at the rate ABC one. And now I’m here. And now I can go to the directory. Directory is here. This one and Si DNS and LS and now I can use head. So it’s better to copy and paste. It’s easy here. Okay. Just the name DNS response. That’s the category. By the way, here when you go to what was the category? Sync. Hold this one. Let me show you all these category when you go to DNS so which one they are showing us is DNS responses. So DNS responses will be there. DNS responses here is how many objects are there? 45684 but because I’m using head command, it will show me only eight. Okay, so here is so let me copy any from here and let me try this one so it will show a sinkhole. Let’s go to my PC and do Nslooka for this one paste okay. Why? It’s not pasting.

Let me type again. I need to type them so it’s better. Which is this one? AZ let me try last time otherwise I will type myself okay so it’s not working so what I can do let me minimize this one and let’s do like this way sorry for this one I thought it will work what is this one? BT imes. com you see what is showing us 2011 because I told them that whenever somebody going to any of these websites, any Malaysia website, any category, like attacker, this one botnet command and control. So I was like, okay, let me show you another example. Let’s check out another one from any other entry. This was for response one. So let’s go to maybe this one, I don’t know, maybe this one is something this is DNS suspicious. This one DNS suspicious category. Every this category they give them this number. This number car universal unique identifier last time I told them that’s why? So don’t confuse so you can check out from here, you cannot find from here. There are objects 74946 graphically. It’s not possible. You have to come to FMC to find out. So now I’m in DNS suspicious category. So in suspicious category, let’s check out another one. Let’s ping another one to test properly.

So what is this one? Sh DJs and buzz. For some reason it has to be here. My goodness. It’s very difficult to before I used to copy and paste. But for some reason maybe I can paste here. Let’s see then I can copy from here. Okay. And let me try. No, so leave it. Let me type myself. I just need this simple one. This one JS bus. Let me double check. Shdjs and bus. Let’s see. It can respond to the same. So you see, it gave me this one one one. Now you may thinking this why and everything. So let me show you from here. Go to analyses and events. Don’t worry, we can verify from here as well. And I will on the wireshark to show you again. You see this here. Action is Sync Hole, DNS block, NSYNC hole then domain not found, action DNS block sinkhole, sync hole, domain not found, domain not found and it should be I think. So if we go to Analysis and Context Explorer, we can see from there as well. So our DNS is working and is blocking spur policy. It should be. Let’s go to this category security Intelligent. So let’s see, it should be here as well. It takes a bit of time to show here, but let’s see. Yeah, this URL one here is DNS domain not found and DNS response. We check two IP, one from DNS suspicious list and one from DNS responses. So those two detail are here and then DNS domain not found. There’s the one which hit and that’s the IP users. We try to them and these are the destination. Okay, so Security Intelligent is working by DNS entry as well and we verify from here.

And you can go to Security Intelligent Events to show you here as well. So let’s see it’s there or not. So you can see it’s. Domain not found, DNS block, DNS block and all those detail. And you can see from here which thing is block and every detail are here and why it’s blocked. Security intelligent category. Hit. We create this one DNS domain not found, DNS suspicious. This is the predefined category which we use and DNS responses. And my blank let’s okay, this is the URL. This is the last one. That’s why showing here. Forget about this one. Today one is starting from here. So you see it’s working. So let me go back if I missed something. The only thing is the wire shark which I did not show you properly for some reason it was not showing. But if you want to test, you can type anything. So it will show you like this in Nslookup entry and wireshark it will show you no such name. And the list you can get from here, I show you from here you can get all the list IP, okay? And then type and it will show you copy. From there you can search and Security Intelligent website as well. Last time I showed them this website and then you can test the Sync Hole one. So Sync Hole will show you like this. Whenever you go to those Malaysia’s website, it will direct you to this one. This is called sync hole. Okay. And it will show you this IP even though you are going to Google. com, but it will redirect you to the one one one IP which is a Sync whole IP. So from wireshark you can confirm. Unfortunately it was not proper one, but you can and then we verify from Security Intelligent events. All the details are there and also from. Events. And also you can go to contact explorer to verify from there.

Okay, we create our own Blake List and you can put a Blake List as a whitelist IP as well. Suppose this IP is blocked, whereas the one which we try the last time, this one, let me copy this one. This website is block. Yeah. If you want to make them whitelist, it’s okay. Just go to Object Management and you can create your custom list and put them in whitelist. And also you can remove from there in the list. Okay? So go to Security intelligent DNS list and feed. Create a list here. But call this list when you create a list and put this IP. So when you go to Access Control Policy and when you edit your Access Control Policy, go to Security Intelligent and when your list is here, sorry, here DNS. You can put them in white list as well. No, not this here. So it should be around other way. You need to call them in white list. We need to go to Policy DNS policy. You have to create a policy or policy is. This one here is. So you need to create a new rule and this time say whitelist whatever from any zone. And here you can call your whitelist IP list which is not here when you create them. So in this way Blake List will IP will be whitelist. You get what I’m saying? Normally we don’t do like this, but I’m just showing you. Maybe you are thinking that I want to allow block IP. So you can create the same way.

The list which we create for Blake List, you can create for whitelist as well. Node paid and type here. This one. This was the website I believe. I just need the full one to show you quickly sh DJ and it can copy from here. By the way, here is and Save. And suppose white and DNS create a rule here quickly go to Object Management and go to Security Intelligent DNS List and feed. If you have a many list, I’m just showing you one IP. So don’t be confused. You will say for one IP you have to do all these no? Maybe you have a list of IP which you want to whitelist. So I say whitelist DNS and browse the list which I just created this one upload. Okay? And save. Now go to DNS and whitelist MLA them. Go to DNS Policy and edit DNS Policy. Okay? And create a DNS rule. And this time say whitelist. Let me change the action to whitelist and say Whitelist rule. Suppose and from inside source and go to here is which our rule is where is this one? Add this one and eight done. I will apply. But let me show you. So whitelist and blacklist can be done by this way as well. Okay, so now what I will do, I will save this one. But where is the whitelist? By the way, it’s not necessary to put them on top and down. It will check everything. Maybe you are thinking that it’s here and the other one is down so it’s okay and let me deploy them. Okay. So if I go back here so I cannot ping this IP by the way, ping this website as well. Here is let me and paste. Okay, so it’s pinging but it’s not in DNS. Okay. So if I go back to NS lookup and type this website. So it’s showing me sync hole. Yeah. After applying this rule, it will not show me the sinkhole, it will show me the IP. So let’s see that I whitelist them. It’s working or not. So we just need to wait for a while. Again, if I do showing me our sinkhole address. So let’s see. So this is the way if you want to allow Blake list IP and want to make them as a whitelist. Okay. And the last thing which we will do straight away, if you want to block someone or to allow some domain so when you go to events, you can right click and straight away you can blacklist and you can whitelist for a while. You don’t need to deploy them. Same like the last time. We done for URL as well. Okay. If we go to analysis events so until it’s deployed, let me show you this one. We will save some time. Okay? And if you are in table view okay. So let’s see if I can do it by IP. So this is by IP which we’ve done last time. But I need to go to domain. So let’s go to domain. Where is domain? Here is okay. So this is Facebook. Suppose if you want to right click on it, it’s whitelist. It should be blacklist as well. Here is so when you click suppose I want to send them as a blacklist for some reason, it’s not going to apply virtually. It’s showing you a window like this. Sometimes it takes time to apply and sometimes straight away is working. So it’s not doing for some reason. So let me refresh but when you click, it will go to that white list. Okay, maybe let me apply to some other by the way, it has to work. But in simulation, I don’t know if on this one is not working. So let’s try another by domain. If we have domain detail no.

So it’s better to do it again from here. Let me try and let’s put them in whitelist. No, it’s not working. You know, it will work the same way, but in my lab it’s not working. In real world, it will work. Okay, keep in mind, same like this way. Okay? Last time which we done. Let me show you example so that you get the idea. Maybe you missed last time so that I can show you. Suppose eight at eight and I want to whitelist this IP. So when you click this one, so it will show you a window like this and whitelist now. So when it’s whitelist, it will go straight away to object, object management, okay? And here I will show you an object. So when you go to security intelligent and go to network and list. So eight eight will be here in the list and global whitelist automatically. You remember last time we done like this way, you see same way when you click there on URL. So URL will come here automatically. And today the same DNS domain name will come directly to this global blacklist which is nothing here yet, and global whitelist. But unfortunately it’s not working in my case when I click so it’s showing you a window and it’s not coming. So this is also possible. That’s the third way, because we discussed there are three ways to configure DNS. So we have done all three ways.

One is to update and download, which is we use the default one, DNS whitelist and Blake list. We just create a list and we can create a custom list. And also you can do whitelist and Blake list which is not working. We’re just showing a window now. Let’s go back. So it’s apply now and let’s see what happened. So last three times it’s showing me this. Now it’s in whitelist. So you see issuing the actual IP now, not this one, because now it’s in whitelist. You get what I’m saying? So you can put blacklist IP and whitelist even though this is in blacklist IP as well, and you make them whitelist. So last time I told these guys that it will override the Blakelist. So if an IP and URL and domain are in blacklist as well, and whitelist as well, so which thing they will follow? They will follow whitelist. Last time I told them so the same thing, even this IP is blacklist from Cisco, but I make them whiteless, so it will be whitelist this wise, not redirect me to the sinkhole. Even there is a malicious IP. That’s it for now.

44. Lecture-44:Introduction and Concept of Pre-Filtering Policy FTD.

Policy is related is prefilter. Prefilter means if you don’t want to filter some traffic, you can use this policy. So we are doing policy. You know, if we come to policy, so we done DNS policy and we then access control policy. Now we want to do the this the last one, pre filter policy. So what is pre filter policy? Pre filter policy to bypass the traffic and normally in interview, they will ask you related to firewall, they will ask you related to this policy. Normally, one and two question, they will ask you if you want to bypass some traffic for administrator, maybe for engineers and maybe some traffic, you don’t want to test them. Deep packet inspection if you don’t want to do deep packet inspection, so is it possible? So you’re going to say yes, this is possible by pre filter policy. Even though in pre filter policy, there are many actions. One is analyzed, second is blocked, third one is fast path. Basically, fast path is the one which bypass the traffic. It will not go through deep packet inspection. It will not check by excess control policy. Block is block. In analyze means normal way. So this is called pre filter policy. There are three type of action. Maybe you want deep picket inspection, so check the action analyze. Maybe you want to bypass some traffic. So you can say that fast path and maybe you want to drop some traffic straight away before entering to your firewall. You want to save resources, CPU CPU utilization. Again, you can use prefilter policy, but keep in mind, prefilter policy just work like an excess control access list. Same like in Cisco ASA.

Either in routers, it can only allow traffic based on source and destination, IP and port. So for many purposes, we can use pre filter policy. But before going in more detail, let me show you from diagram. So when the traffic enter to your firewall, the second thing is pre filter policy. And you see, if you apply pre filter policy with fast Path, your traffic will bypass and it will go straight away and will exit. Nothing will be checked. Which thing will not be checked means there will be no DNS. We just done DNS, no URL last time we done no IP means security intelligent, no security intelligent, no ACL up to layer seven, okay? No rate limitation, no file policy, no Snot engine, nothing will be checked. And you will go straight away directly. And you will exit like a VIP person. Like any country what is called Prime Minister like country up, they can go directly to some places without any restriction. So the same as fast path, it will bypass the traffic straight away. But if you choose fast path, keep in mind but normally we are using this for Fast Path prefilter policy. Maybe if you choose the second option, so keep in mind analyze, then it will go through this one. Then it will go to security intelligent then it will go to Snort engine. But if you choose fast path then it will bypass everything. So what will happen? It means if I’m using fast path so Snort engine will be not used. And this the engine which doing deep packet inspection. This the FTD main operating system. Because this FTD is made from two things. Cisco SA and FTD and which combined we call them now Cisco FTD which we discuss at first lecture. So now we will say why we need let me give you some use cases of fast path and pre filter policy. So you can save your resources and CPU and Ram and utilization and Snot engine. Suppose in your organization it’s a straight rule that telnet is not allowed. So suppose telnet is not allowed, so what will happen? You can create prefilter policy and block them on the first place. Second thing is if you are not creating prefilter policy, what will happen? The packet will enter in your firewall. Because you are not doing prefilter policy it will enter, then it will go to security intelligent.

They will say I don’t care, my job is something else. Let’s go to another part. They will check an application control rate limit file malware, snort, everything will be tested. They say it’s okay if telnet is blocked at the end. So they say no. Okay telnet is blocked but Snort engine is used. All these things is used at the end they say no, you are blocked telnet. So why not create pre filter policy on the top? So when telnet is enter they say no block. So all these resources do not use all resources. Let me give you a real word. Example. In UK maybe they have a job which is only for British national. There is maybe some asylum seekers, some is from other countries, some as students which is not allowed for their job. If you are not mentioning that this job is only for British national, so what will happen? Students will apply, everything will apply. So when they are recruiting they will check. Okay your student no, you are not allowed full time. You are out but you are using resources 101 hundred CV, they will filter them and they say oh okay, you are student, your asylum seeker not allowed. You are from another country. Your passport is this. So it will take a lot of time. But if you mention in the description that students and these and these and these are not allowed.

I know in UK is not possible. Normally they are not doing racism. But here in this country they directly mentioned that only Pakistani, only Indian are allowed. Only British national can apply for this job. They have specific criteria. So it will short list straight away. So if I look a job here and it’s mentioned that only Indian can apply, so I will not apply. So it means my CV will not go to their job and it will be easy for them as well too shortly. This is called Pre filter policy to check everything in the first place. Now maybe there is some traffic which you want to bypass. Maybe you are SSH traffic which you are using as an administrator to check everything. You are accessing your devices so it’s your traffic and you already know. So why not bypass them rather than to check everything and check and use your engine and it’s not engine and everything wasting additional resources so you can bypass as well in some cases maybe telnet and trace route. We allowed this by default so that we can troubleshoot thing. So if you say no it’s not allowed and they go to snort engine and they say so you are utilizing your resources. So you can again bypass such thing. So you can block as well on the first place and you can allow it on the first place as well. And the last third option is analyzed. You may say that beside telnet, okay, telnet is block, SSH is bypass and check everything and you can choose analyze. So rest of the traffic will go normally, it will be inspected by all these line and firewall and also maybe VPN for VPN you don’t want to utilize them to check them. So this is called pre filter Policy.

Okay, so now we get the idea of what is prefilter policy. There are three type of action if you go to a policy and here is Prefilter policy by default there is no such policy, okay? By default there is a policy, I believe it, we cannot use them. Let’s see, one is read only. Yeah, so you cannot aid rule. It’s read only and there is no aid rule. Okay by the way, so what you can do, you can create your own policy. Go to pre filter policy. The default one is not usable. So you can say new policy. And let me say Pre filter policy and description if you want to give any description. And now let me create so now it’s here pre filter policy with the name and here is for tunnel because for VPN you can also use and here is a prefilter rule. So when you click on prefilter rule okay so here is action analyze. I told you, analyze means this traffic will be treated normally. It will go to Snot engine, it will go to file policy, it will go to intrusion policy, it will check everything, it will be tested by everything. Block means straight away block this traffic and don’t sneak to snort engine and other things and all these things and fast path bypass this traffic. This traffic will be not checked by any intrusion, any policy, anything, neither excess control policy. I will show you this one. I will block everything. But here it will be bypass fast path still it will work. So fast path is the one which bypass all the thing and it will go straight away. So these are the three action which we can take. And other window is similar to choose the object from insert to outside, out side to inside insert to DMZ and such thing you can choose your network and you can choose your port to allowed or block something.

Okay, so these are the things and these are the action which we can take. Okay, so now how to create? I show you by default there is one policy which is not working. Default. Prefilter policy is read only so you cannot utilize them. Okay, and what else? So I show you this thing. Yeah. So in next video we will do the lab. Okay, so let me see if I miss something here. You can create the rule, you can enable the rule, choose the interfaces your network from where to where and port number. Because I told you, there is no application, no nothing. Because Pre filter is just like an ACL. It can only use network means a source IP and destination IP and port, source port and destination port. That’s it. It’s not like an application. And by application if you go to other policies. So in excess control policy, many things are there. Because access control policy can check up to layer seven. So keep this in mind. Normally they are asking an interview. So, access control policy look at now there are many things included up to layer seven. Even port is also here. But they say network, application port by user. Okay? By URL by application. But these application and URL, these are layer seven things. So layer seven things are not here. Prefilter policy is just source and destination and source and destination port same consider them like ACL, ACL Nsisco, router, ACL, NSA, firewall so now we know Prefilter can only do things by port number and by IPN. There are three type of action which we can take. And what is the use case. So I give you one to use case to use them. So save your utilization resources, additional and all those things.

• Category: Uncategorized