Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD)

21. Lecture-21:Configure and Verify ACP Firepower Device Manager.

Access control policy. Again later in the course. We will do in detail. Excess control policy. ACP. It’s like an ACL which check from top to bottom. A you know, ACL which we’ve done in Cisco SA firewall. And also in router and switches. So access control policy is the same thing. How the traffic flow into allowed or deny the traffic. For that purpose we are using access control policy. And where we can find. So if you go to the third tab, here is policies. But here are many policies. Like SSL decryption policy to decrypt the traffic. Identity policy is related to active directory and LDAP. To create the policy based on user. There is car, identity, policy. Intelligent sisco team teles where you get the more detail. Like Malaysia’s IP Malaysia DNS Detail malaysia’s domain detail So that policy. Again all these three policy we will do in more detail later. But here is also available in FDM as well. Security intelligence. Then there is a net policy. Again, there are so many net to configure. We will do in detail. And the one now I’m interested in excess control policy. And also intrusion to check for any intrusion like IPS. So excess control policy by default there is one policy. You remember by default there was one policy. And it says inside to outside rule. And it’s trust. What is trust? There are three type of action. Block to block the traffic straight away. Allow to allow the traffic. And trust. It means I trust on this guy. And don’t check anything. Suppose if I change to allowed, okay.

So you see, it will check and logs will be generating. If I said trust, so most of the thing will okay, something wrong, let me go trust again. So it will be not checked further. So like a trust. If I trust you, it means you can come directly to me. So block means to block the traffic database. When the traffic will come, it will be blocked. And the other one is allowed to allow the traffic. Why sometime is not working. And then trust to trust you. It will be not checked further. So this is the action inside zone. We just check object inside zone. So the traffic will go from inside zone. Network will be any port, will be any it will go to outside zone. Network will be any port, will be any application, any URL, any and any user. Here you can enable extra things like. And also you can edit this policy. And from here you can minimize. And you can see the diagram as well. So user is any network as any due location. We just check out portage. Any the traffic will go from this zone. And it will be trusted to this zone, to anywhere. And you can edit and you can delete. And if you want you can create your own policy. Click on a rule. And that’s asking you the name. Suppose I say outside to end because from outside the traffic is not allowed. So I say outside to N side. So I create this rule with order number two, it will be below the first one because it’s checked top to bottom and it will be allowed either it will be trusted. So I say it will be allowed three action source will be not any. I have two source.

So in this time I would say the traffic will come from outside zone and network will be any you can specify you can specify port, you can specify Sgt and destination zone will be inside and network any suppose if you want you can click and you can put the network as well. So we have network object here. Okay, suppose inside yeah we have a network so let me put that one. So I say the network will be inside subnet and let me put here any something so at least we fill up something. So you can see how we can put and port will be if we have any or Https and Http. So let me type this one http don’t have and port here as well if you want to allow it. So you can allow port as well. So let me go to Http and Https, okay? And this way my policy is created but this source and destination detail another tab is application which application you want to allow. So you can add the application from here you remember the object application, so you can take the object from there. So many application are there like the one for share which we check out. So you can add application here. URL.

You can put URL, I think. So we create one google URL, it may be here that’s the only one we created. So you can put that URL either you can put any okay, and then user but it’s required identity policy which we haven’t configured means we never configure our FTD to reach active directory either LDAP. So that’s why this rule will not work until we configure identity policy. Intrusion Policy the feature is not enabled. I will show you. I need to enable this feature to use them as an IPS to check everything like a DDoS attack, Dos attack and so many other things. File policy two again it require a license to enable and control the file download and upload.

The last table is logging, it’s generate events. So at the end, either in the beginning of the connection when this policy is hit and you can see the diagram is where it will be like this way. So this is the zone and is the destination zone. If you don’t need and press OK and this way we create another policy which is allowed from outside to inside. And order is number two. So let me you see, it’s number two. You can edit and you can delete them. The license, it was issued, so we need to go to license and URL. License we enable, but we never enable trade and we never enable malware which we will do a bit later, but anyway so that’s why in policy it was not showing me to enable if I click on it and if I say intrusion now, it’s okay and the other one is okay. This require another license. So intrusion is now. And you can use intrusion policy to choose. We will see in detail like a balance security and connectivity intrusion policy and also connectivity over security if you concerned. About connectivity but not security you can use this policy we will discuss an intrusion these in more detail but anyhow it’s here now before it was not showing us because I never enable the last default action is block if nothing match here. So the last traffic, it will block them, the traffic.

This is the block policy. And if you want to enable logs on block, so you can enable and you can send the logs to Syslog. Server as well. Okay. And here you can filter them. And this is setting more detail if you want to allow we will do this later in the course. What else here? Yeah, so let me go back if I miss something. So this is the way to see this one diagram. Trust. I already told you that allowed the traffic without further inspection of any kind. Allowed means to check everything like an intrusion policy and drop to drop. The traffic unconditionally. And these are the action. And this is the default action, which we check. Okay? Then we enable source and destination. I create a policy from outside to inside. You can choose Application. You can choose URL.

We create one URL Google. One user is required identity policy and the other one is intrusion. So we enable intrusion policy. You can choose any from these and file policy. You can enable file policy to control the file. And malware related stuff logs to enable logs at the beginning when the connection initiated. So it will send the logs basically it will send the logs here. Monitor and there is events logs which they sent to yeah, here. Is it will send all the logs here if you disable the logs, you will never see the logs here so we never request any let me go to window to generate some traffic so let’s see there is and now let’s check out. You can see now the logs is coming up. One 10 is the IP and it’s going to one one one. So all the events because the policy logs is already enabled at the end. So that’s why it’s showing the events log so if you want to enable them so it’s better to enable to see the logs so on both policy I believe there is log enable. Let’s see logs. Okay, let’s go there. Yeah. The beginning is enabled here. And this one I enable also is the beginning. So that’s why I can see the logs. There an event. It is better to enable it. Okay. And what they said so this was excess control policy. And there is by default one policy. Otherwise the traffic will never go outside. Either the traffic will never come inside. So you can create it is many you want. You can create policy. And it’s checked from top to bottom, just like ACL, which again we will discuss later in the course in more detail. Okay.

22. Lecture-22:FDM, Introduction & Walkthrough Monitoring Dashboards.

Is monitoring, which will show you several, you know, dashboards. So whatever going on, any events, any connection logs, everything you can check from monitoring and monitoring, there is system related monitoring, like whatever. Like a CPU usage, memory usage. System information system a model system, software vendorability, database rule update every throughput all interfaces, single interfaces. All those details can be found in system one. So if we go whereas monitoring so that’s the tab here we can see some monitoring. The first one is on the left side of system, so you can see model is this one. Software vendorability, database intrusion, rule updates. How many interfaces are connected, which is green and which one is not in. Use every throughput of all interfaces outside interface, only the management one or inside one you can check and here you can see CPU usage, 28% memory usage and disk usage and events. Right now there is no events, so if you can generate from inside, where we install last time window to check out. Okay, so if I go back and run this inside system and let’s see, what is the IP address of this system? I think so. We assign them ten or something. So IP config the IP is 110 and you can ping. Let’s ping one one a DNS, which is outside.

Okay. And let me do continuous one one one. And also you can use web browser to check any website so that we can see the logs there and monitoring tab. So let me on and do something like a www. facebook. com from inside system which is the IPS 120. So let’s go back and see now system okay, so it has to be fill up now it will show you something then network overview so network overview is all related to network summary like a policy, a user in traffic detail, application usage, connection intrusion signature, URL category and all those things can be checked from here. So if we go back so they say access and essay security intelligence rule, which I show you right now. So they say insert to outside rule are used because only we have only one rule insert to outside. If I go back to policy and I can show you the excess control policy by the way, we have two, but one, this one is used right now because traffic is going from inside to outside. So this is inside to outside rule are used. So that’s why showing us in network overview that this rule has been used. So if somebody initiates traffic from outside, then it will show me the outside and when. Okay, and if you want to check the traffic in KB and MB and Gig, so you can check data usage in this way, same as user. Right now we are not integrated to active directory, so it’s not showing us anything here. Application https. We are using an ICMP because still ICMP is going on. And I just check what is called Https.

So that’s why it’s showing me let me stop, is enough for us to see the log. So you can see Https and this one is ICMP because I’m using Ping, which is coming under Internet control message protocol thread. We are not using any thread and URL category top destination is one, one one because I was pinging and there is a Facebook IP as well then user. If you want to check user information right now it’s not integrated to active directory. And if you want to check how many per line and this is the percentage and value in from last 30 minutes. And you can do custom range as well. Application if you want to check application, so they say ICMP DNS because when you are initiating traffic, so you are using DNS and Https and Https. So it’s showing you those application is used. Application again we will do in detail and it’s show using Java, how many transaction, how many are denied total bytes and blah, blah blah. Those information are here with the related application. So we use Java update. Maybe this application updates something Java. So that’s why showing you that Java update has been done. Facebook and Mozilla is used. So definitely we are using Mozilla URL category. It will show you again, we are not, we haven’t enabled URL category.

So it will show you URL detail. Again, we will do in detail excess control and security intelligence rule. We have only one rule which is used. So if you want to see in percentage and if you want to see in transaction and all those. So it’s showing you that one zone, which zone are used. We have only two zone. Okay, the outside zone is also used maybe once, I don’t know, I did not use, but we are normally right now we are using inside to outside zone, but outside to inside zone is also used. So it’s showing you here again in percentage how many item you want to see and from how long, and it’s showing you the date as well. Destination, the top destination is one, one, one because I was pinging this one. And the other destination is showing you again a percentage and value, how many item and how information you want to see a taker.

We haven’t done any attack, so it will not show you again. We will do letter in the course attack targets again related to those information which we will do thread again we will do. So these three things will be clear when we will do intrusion prevention policy and file logs. We are not using any file and monitoring as well. So it’s showing you nothing malware again we will do separately and SSL decryption. We haven’t enabled SSL decryption. Again we will do later in the core and these are all the events which happen from end to out, end to DMZ, DMZ to end, whatever. So all the thing with Elvid show you here all the information. So if I say all events, okay, so let’s see, it will show you all the detail, whatever going on. So you can check from here and see connection, how many connections are established. So you can check connections as well from end to out or whatever. So right now there is only one. So I need to ping something or to do something, so it will show you and let me refresh connection. This is our initiator IP 10, that’s why I’m showing you this one and let me refresh this so that we can see the connection. And let’s see now it may show you one, two more, it takes time to show you here you can go in more detail related to all these information. Okay, so right now there are only one which is 53. They are using all events.

Whatever happened, it has to show us all the information and last 60 seconds if you want to see more, so you can click last. Okay, last 62nd, these are the connection which by the way has to show us more detail which is not showing. Maybe come after a while, you can add remove column here, these are the column if you have more column to enable like an intrusion policy application and you can select all to show you all the policy. Suppose I want all okay, so they will show you other column as well here after a while. Okay, so you can add and remove column as well. And you can see from last 62nd, 22nd and 62nd detail as well if you want to pause for a while, because if the traffic is going on, so it will be refreshed automatically after 62nd. So if you want to pause and see something, so you can pause and you can check the detail and then you can resume the connection so it will show you the latest connection. Let me okay, resume now and you can filter as well. So many filters like application equal destination IP, greater than destination IP. Suppose in our case one one suppose if there is any traffic, so it will show you those detail and you can filter them. Right now it’s not showing us the destination IP, but if there is so they can show you only those detail which is related to destination IP. This one let me refresh if we have something else, reset filter so it will show you all the detail again and let me generate some more. Okay, traffic is going on CTRL C and let me refresh something. Okay, and now, let’s see now so let me do all events. So filter is here, it will show you automatically like a source IP, destination, application and all those details you can check out and you can filter them here. If you need a specific, you can use more than one filter as well. Right now I don’t have anything intrusion related detail right now we are not using intrusion policy. This is file policy, malware policy, security intelligent policy and copy all events if you want. Okay, so this is related to events by the way, it has to show us more events. So let me go back and check again. This one to check out by the way, we have generated many events but sometimes it takes time to show us. So right now I am back on this one, on this page and let’s see if it can yes, it’s showing us but in line result.

Okay, so this one and all events because if it is show us then I can filter them here. So I will show you how to filter it. So again it’s not showing us more detail by the way, let me go back because I enable all the column so it can be the issue. I need to go down and there will be a column to filter. Okay, so it’s not showing, by the way. So let me go and remove and there is I just need initiator IP select all this one. I need the source IP and destination IP so that I can show you. Basically I enable the other stuff. So let me go down. If they can show us still not so let me go. Okay, let me see the I don’t need this one. I don’t need a reason. I need source IP and destination the initiator IP. So let me put destination and let me initiate her IP who initiate? I don’t need interfaces yeah, here is initiator IP and the source IP OK, sign up, let’s see now so that I can filter and I can show you because I cannot filter by this time it’s very difficult to filter by time but you can filter this is the initiator IP. So suppose I want only a traffic which is from 110. So you can unfilter and you can say suppose initiator IP this one, this is greater than, this is less than and this is exactly.

So I say exactly IP is 192, 168 10 show me the traffic which is initiated by this IP one 10. So it will show you their traffic as well. And if you want the destination IP, it’s not showing me, by the way. It is then like a one one one h I’m pinging. Either we have other IP like a Facebook, so you can filter them as well. The last thing related to session who is login to this device right now is an administrator I’m logging admin which is this one and last 55 minutes session and you can delete the session if you want so you can see all those three details from Monitor tab. So this was a Monitor tab network overview we check out the user right now there is no users because of active directory so it’s not showing us anything related to application. We check some application, we check web application, URL category is not enabled. And then we check the events, okay, you can filter them and you can see connection events, intrusion events, file and Malware events, security, intelligent events, so many events you can check from here and then you can pause them, which I told you you can remove column and for how long? You need 62nd and whatever 32nd and ten second, and if you click it will show you more detail, which I show you if you want to see the source, IP destination, IP protocol, port and all these details you can click and you can see. And then I show you, you can filter them and you can reset the filter as well.

23. Lecture-23:FDM, Configure and Verify Main Page Device Groups.

So last time we deploy FTD standalone, okay, locally without FMC, a small topology. So now we need to configure something like interfaces, routing updates, smart licenses and all those stuff. So if I log in to FDM, I’m already logged in to FDM, we already discuss these things. So on the main screen there is interfaces and it says that out of 53 are enabled. So if you can see one, two and three management, plus two other are enabled with green and tick mark. So if you want to configure interfaces management, either tunnel base, either physical interfaces, you need to come here, and it’s showing again here, that two interfaces are enable one management, okay, and also virtual tunnel interfaces if you need, you can filter them, search them as well. Like suppose if you want to search outside interface outside, so it will show you outside, okay, outside, so it will only show you if you have many interfaces. Right now we have only a few interfaces, you can clear the filter as well. So these are my interfaces outside, which is enable and routed mode, because transparent mode is not possible and standalone and locally, these are the IP address through DHCP and the other one is statically via sign. So this is through DHCP which is outside interface, and Ha is enable if you want, and you can configure them with this small pencil icon, okay? And if you want sub interfaces, so you can click and you can create sub interfaces from here, just click this plus sign and choose the interface where you want to create some interfaces, suppose outside or inside, whatever, and you can create sub interfaces and all those stuff if you want. We are not going in detail, our target is the other one.

We will discuss all these things there, but maybe in future and your job, maybe some small remote side. So then you need to deploy FTD locally. So that’s why I’m showing you all these. So these are the interfaces related stuff which showing you here. Let me go back to FTD. Another thing is related to routing, like a static route, default route, BGP, so on. So they say that one static route is configured, which we configure last time. So if I click view configuration so you can check out this the name outside interface and we configure one default route here with metric one. Again if you want to delete either if you want to edit them. So click and edit the detail if you want. Again filter. And plus if you want to edit static and default route there is BGP OSPF and EHRP as well an old model. These three were not there but in 6. 7 they add BGP means dynamic routing protocol as well. And even you can rather than to go here, we discussed last time, this one, so CLI is available here as well. Show route and show IPV six route show BGP so you can go directly and can check here rather than to type there. So they give you this facility right away and routing detail as well. And let’s see, there is a default out which is this one. So you can check out from here as well.

Again if you want, just click plus give any name to the route like ISP description, choose the interface where to exit the route and the next stop. They call them gateway. Okay, metric we already know and routing protocol we discuss many times and SLM monitor if you want, we discuss these metric and SLM many courses which you are already doing. So this is the way where you can configure dynamic and static route. Okay, so let me go back. So there is only one already configured. This one is showing you static route. If you configure dynamic, it will show you that one as well. This place updates geolocation like a place, country and all those details, rules and venturability database system upgrades, security intelligence feeds which we will do in our next when we install FMC. But if you want standalone so you can update geolocation which will take maybe 20 to 25 minutes if you click on this information. So it will show you that it will take 45 minutes, but it depends. Okay, so you can upgrade and you can update your geo location like a country, south Africa, UK, all those countries if you want to create policy. So you can put geo location as well. This is vulnerability database if you want to update right now is the version security intelligent feedback which we will do in our next part.

Security intelligent is basically like a list upload domain IP blocklisted IP. Security intelligent cisco have their own security intelligence and they integrate those security intelligent to their FTD and FMCs, cisco, WSA, ESA and many other devices they already integrated. So if you want to check so let me show you quickly security intelligent if you go to Cisco security intelligent, there is a website, I forgot the name, so that’s why I’m searching with the name with the Cisco security intelligence. This one teles intelligence. This is the website where you can find out blacklisted IP domain and so many other things you can find out NDNS entries as well. Okay, if you want something, suppose Google, which is clear IP, let me show you this IP. So they integrate those security integrity we will do in the lab later in the course. But just to show you here, after a while it will show you that related information to eight eight DNS IP. Okay, so you can update that one as well.

So I think so it’s come up now and it’s showing you this IP reputation, is it’s? Okay, and you can see all the detail related to this eight eight domain and so many IPS. So if you want so you can update them because regularly is update system upgrade if you want to upgrade this, the latest version, I believe there is cisco introduced something else. But if you want to upgrade, you can browse and you can upgrade this operating system right now is 6. 765. The latest one we are using the same is intrusion rule. If you want to upgrade that one intrusion again, we will do like IPS. If you want to use Cisco FTD as IPS to check for Dos attack, DDoS attack and so many other things blacklisted and so many things again we will do in the lab later in the course. So you can update those rules as well from here. So let me go back. Another thing is smart license which we already activated and 84 days left because it takes one week. So if we click on that so if you want to enable trade malware related, either disable enable URL, VPN, lil related and base license which is required. So you can do from here.

And it will show you the days. How many days are lift here for Smart license and then break up and restore as the name suggests. If you want to take up of this single FTD, and if you want to restore last breakup this morning, I take why to show you quickly. So that’s why I say 10th apprail. There is a breakup. So if you click so there is a backup. I already take this morning 12:00 p. m. . It’s a manual backup and you can restore them. You can download this backup and you can delete them. So there are recurring schedule backup, manual backup and upload recurring means if you want to repeat. So these two are schedule based. But this one you can give them daily, you can give them weekly, you can give monthly. So it means it will be repeat daily basis, either weekly or the monthly basis. So you can give them the name and you can give the exact time to take the breakup. And if you want to encrypt, so that nobody can open it. So you can put the password as well. But this backup will it will occur again and again. So then what is the difference between this one? This is one time schedule BAKEUP. You can give only one time and when their time is reached, so it will be once in your entire life. Only once you can sit. So when this date comes, because this date and time will never repeat again, you can put security if you want. So this is the difference between this one and this. This one is manual backup which I already take. If you want to take backup, just give them a name test. Suppose test two, give description, put the password one, two, three. Suppose one, two, three and just a backup. Also you can schedule them. So to give you this facility like this one. Okay.

So it will start to take up of this FTD and then it will show you here the last one is upload. If you download this one, suppose I have a test one which is already I have. So they give you two facility to upload the backup. Either from here, either from here. Keep in mind they keep the makeup inside in the device as well. And you can download them to keep outside of the device. So I click here because two things are running, so it takes some time. So after a while, yes, so it’s downloaded. Now here is my backup. So if want to upload, just browse and the backup where I download, you can restore them. Okay? So I think download this one, next generation firewall backup with the date, timestamp and either you can do directly from here is the same thing. This one is the one which is showing here. And this 1 may be a different one which you want to upload. And either maybe you have a new device with the same model and everything and if you want to configure the same thing. So take a backup on your external hard drive on your system and then upload to the new one so it will be restored. So you can use this upload for that purpose as well. But this one just directly from the system, inside the system if you want to take a breakup and restore. So let me go back. So this was related to backup and restore. Then there is a troubleshoot. Troubleshoot basically means I already take because it takes almost 1 hour to take a troubleshoot create a troubleshoot file. So because it will take time. So what I done, I already click on here, it can take up to 1 hour to generate troubleshoot file. Basically when you want to open a case with Tech, which is Cisco tech Technical Support if you want to take any support from Cisco. So they will ask you to generate a troubleshoot file. And then you can click on this one download troubleshoot file to share with Cisco tech. If I mentioned here when you want to open a ticket with Cisco, so they will ask you let me go there with troubleshoot.

This one. Cisco Technical Assistance Center. They call it a take like other firewall, they call them support, okay? Like Palo Alto support and FortiGate support. So Cisco have this one, so they will ask you to share. So now I download this share with zip format and I can share with Cisco to investigate them further. So this troubleshoot is for that purpose. And if I go bake, maybe the breakup is ready. Let’s see if the breakup is ready. So it’s not yet ready. It takes time. That’s why I already take to show you. Okay then if you want to configure site to site VPN okay so you can configure site to site VPN if you click and then they give you a steps to site to site VPN which we will do later in the course so you can configure and they show you the diagram as well how it will work. So it’s very simple like an ASA firewall not that much different and this one is remote ssvpn same like a Sq SFR wall to configure sisq any connect and you can connect to this device remotely. So again we will do this one and then advanced configuration if you want to create a smart CLI flex configure so many other thing and objects related stuff and advanced type of configuration. So then you can come here. And you can create smart CLI either object and flex VPN detail you can configure. And then the last one is device administration. Like audit events, deployment history, user login details and everything. You can check here again.

They introduced. This one in the new one. So these are the event logs from last two weeks. Either whatever you need, you can filter them as well. And if you want download history only. So this is the history whatever we done so it will show you with the time and date everything and HS sync config we don’t have right now rule update if the rule is updated so it will show you those detail as well. Okay and we already done system setting last time one by one we already done this. So this is the main screen where you can see so let me go back up so still the backup is going on and you can check from this one task list so let’s see running completed it looked like okay yeah issuing now let’s say backup test two is still running so you can check everything from here. Last time we discussed this one so let me go back. So this was the main screen if you want to change something so let me go back troubleshoot side to side VPN okay remote access VPN if you want to configure advanced configuration and device administration, audit etc.

• Category: Uncategorized