Deploy the Management Console Machine

In this section, we will cover what you need to deploy the virtual machine on Virtual Center. It is assumed you are already familiar with your virtualization solution. We will focus on the Firepower-specific configuration.

When you deploy the virtual machines, do not select all files. Pick the VI OVF if you are using Virtual Center and the ESXi one if you are not. Select the VMDK file. Optionally, you can pick the relevant MF. It will not give you an error if you do not upload a Makefile.

As you go through the wizard, you keep most of the defaults. For lab purposes, you can change the storage to thin provisioning. That will save you space on your lab hard drives. In production, you would not do this. Figure 21-2 shows an example of deploying a template.

At the Select networks step, pick the port group for your management network. In the Customize template step, enter the information for managing the FMC. Make sure not to lose the password. You will need it to log into the console.

Once you complete the OVF deployment wizard, turn on the virtual machine. It will take a while to set up. After the console has stopped showing setup messages, you can use a web browser to continue configuration.

Licensing

Before you add anything to the FMC, you need to configure licensing. FMC 6.6 uses Smart Licensing, even though there is an option for offline license reservations. To configure Smart Licensing, click the settings gear, and then click Smart Licenses. Figure 21-3 shows the System menu where you can find the Licensing option. Notice that the System button in version 6.6 is a gear icon and does not say System.

From there, you can click an option to start your evaluation period. If you have a Smart Account, you can generate a token just like with any other device and register the FMC with Smart Licensing.

If you use an On-Premises Smart License server, there are a few other steps. You will first need to go to Settings ➤ Integration and see the Smart Software Satellite Configuration screen. Figure 21-4 shows the configuration for an On-Premises license server.

Use https://FQDN_or_hostname_of_Satellite/Transportgateway/services/DeviceRequestHandler as the URL. It will ask for a certificate . The certificate is not the certificate of the license manager. It is a special certificate. At the time of this writing, it is available at http://www.cisco.com/security/pki/certs/clrca.cer.

Deploy the Threat Defense Virtual Machines

The process for deploying the OVF for the Threat Defense virtual machines is mostly the same as with the FMC. The difference is on the Select networks and Customize template pages.

On the Select networks page, you associate the interfaces with port groups. The Management0-0 interface is typically in the same port group as the FMC management interface. The GigabitEthernet0-# associates with data interfaces on the FTD device. Don’t worry about it if you don’t need that many interfaces. You can remove them after deploying. Figure 21-5 shows the mapping of FTD interfaces with VMware port groups.

The Customize template page shown in Figure 21-6 has the same information as with the FMC, but it includes extra fields to allow you to configure registration to the FMC during deployment. In our example, we will manually register the device to the FMC.

Stand-Alone Firepower Threat Defense Appliances

If your organization is so small that you only need a single firewall, you probably don’t need the functionality of the full Firepower Management Center. Until recently, the virtual firewalls could only be managed using the FMC. In FTD 6.4 and above, there is local management, and the capabilities of local management are improving with each release.

When you log into a standalone FTD for the first time, it will present you with a setup wizard as showing in Figure 21-7. The defaults are to automatically get an address from the outside interface, block unsolicited outside traffic, and allow traffic from the inside. This is like the defaults for small office and home office appliances.

As you go through the wizard, you are given the option to make the FTD stand-alone or to manage it through the cloud with CDO. If you select CDO, it will ask for information to connect to CDO. We show this in Figure 21-8.

If you choose stand-alone, it will suggest that you configure your policies. We will discuss policies using the FMC. In the FMC and FTD version 6.6, the capabilities are similar. In older versions, the stand-alone version is more limited.

Adding Devices to the FMC

The first step in adding devices to the FMC is to allow the FTD to talk to it. If you did this when you deployed the virtual machine, you don’t need to do it again. If you are using an FTD 4000 or 9000 series, you may have done it when creating the container. We will discuss containers later.

In other cases, we need to use the command line to configure the manager. Once we configure the manager on the command line, the local web interface will stop working. Figure 21-9 shows the configuration to connect an FTD to the FMC.

Use the line configure manager add <manager IP> <key> to allow an FTD device to be managed by the FMC. The key is a registration key. It is always best practice to use complex keys, but it will only be used for initial registration. We are using “cisco” as the key for simplicity.

To finish adding a device, go to the FMC and browse to Devices ➤ Device Management. Then click the Add button, and then select Device. The Add Device form is shown in Figure 21-10. Optionally, you can create groups to help organize your devices.

Provide the IP address or hostname of the FTD device. Use the registration key you configured on the FTD. Select the licenses you will use. For demonstration purposes, we are using all licenses for this device. You must configure an access control policy here. In this example, I created a blank policy for network discovery. We will cover this in the “Access Policies” section. After entering all the information, click Register and wait for it to complete.

Updating and Patching

Before going operational, you should patch the FMC and managed FTDs using the recommended release.

Click the settings gear in the top right, and then click Updates. There are three categories of updates: Product, Rule, and Geolocation. For initial deployment, we are concerned with Product Updates. The updates page is shown in Figure 21-11.

You have a choice of uploading updates from your local computer or downloading updates from Cisco. When you download from Cisco, you will get patches, but not major version changes. If you upload updates, you will upload the updated TAR file you downloaded from Cisco.

Once the files are on the FMC, you can click the button to install them on the platforms. It is best practice to update the FMC first and then update the managed FTDs. Upgrades will cause the systems to reboot. During initial configuration, it isn’t a problem to reboot firewalls. In production, you should have high availability configured.

Rule and Geolocation Updates and Scheduling

Product Updates cause reboots. Most administrators will only update products during outage windows, and they will watch the system to make sure everything comes up correctly. Rule and Geolocation Updates are less risky and are often scheduled.

Even though intrusion signature rule updates can be scheduled, you might not want to automatically deploy rules. The deployment of rules can cause a brief outage. The warning you will get when you deploy updates is shown in Figure 21-12.

Geolocation Updates do not have the same issue as intrusion signatures. They can be safely installed using automatic updates.

Access List

The access lists in this section are not used in the access control policies. Even though there are other uses, the most common place to use access lists is with VPN configurations. The access list is used with posturing redirection.

We will not be covering access list objects further in this book. They are only mentioned so we can clarify that they are not the same as access lists used in access control policies.

Address Pools

Address pools are commonly used with remote access VPNs. We will revisit this in the “Virtual Private Networks” section.

DNS Server Group

A common use of DNS Server Group objects is to configure DNS to VPN users.

FlexConfig

We have a brief section on FlexConfig later in this chapter. Firepower is the combination of ASA and Sourcefire IPS. The interface is based on Sourcefire’s Defense Center. Not all ASA configuration is integrated into the interface yet. FlexConfig is a workaround. It allows you to push ASA configuration to the FTDs for options that aren’t supported in the graphical interface.

Interface

Firepower is a zone-based system. The interfaces defined under Object Management are zones. When we configure our devices, we add the device interfaces to zones. If a zone hasn’t been pre-created, we can create it when setting up a device.

FMC is designed as a distributed system. You can have interfaces from more than one device in the same zone, and then you can configure access rules based on the zone.

Network

The network objects are the heart of access control policies and a few other policies. Networks can be defined as hosts, ranges, or FQDNs. The networks can be organized in groups, and the groups can be nested. Even though you can create network objects on the fly when editing policies, it is best practice to pre-stage network object groups.

PKI

PKI, or Public Key Infrastructure , contains information about certificate authorities that you can trust and information about certificate enrollment. Configuring certificates in this section does not mean they are used anywhere. PKI configuration on Firepower is slightly different than what you have encountered on other systems. It is a common source of confusion.

We cover PKI in more depth in the “Virtual Private Networks” section.

Port

Port objects define ranges and groups of ports that you use in access control policies. Port objects are not necessarily ports. The objects can include protocols other than TCP or UDP. A limitation of port groups is that they cannot be nested. That means you can’t have a port group inside another port group. When migrating from ASAs that use nested port groups, the groups must be flattened. The Firepower Migration Tool can do this for you, but you are at the mercy of how it names the groups.

RADIUS Server Group

This object defines RADIUS servers that will be used with VPN and similar configurations. This object is not used when the FMC itself uses RADIUS for administrative authentication.

URL

URL objects are used when filtering by URL. We will cover this briefly in the “Access Policies” section.

Variable Set

Variable sets are primarily used to supply variables to intrusion detection rules.

VPN

Most reusable VPN settings are configured under this object. When we configure VPNs later in the chapter, we will define these objects and then reference them in the VPN configuration.

High Availability

High availability is important for minimizing outages. The primary type of high availability supported on Firepower is active/passive failover. It is not much different than with the legacy ASA firewalls.

To configure failover, start with two identical Firepower Threat Defense appliances added to the FMC. They should be cabled identically and have the same version of Threat Defense operating system. The secondary device does not need to have any configuration or licenses assigned. It will inherit those from the primary appliance. The appliances need to have at least one connection for failover and state traffic. You can use the same connection, if there isn’t too much state traffic to saturate the link. The failover link is used to sync configuration, and the stateful failover link is used to sync application content between peers. There should not be any pending deployments. If there are any pending deployments, it is best practice to push them to the device before creating the HA pair. Deployment is shown in Figure 21-16.

After verifying cabling and FTD versions, go to Devices and click Add ➤ High Availability, as shown in Figure 21-17.

Create a name for the pair and select Firepower Threat Defense as the device type. Make sure you pick the correct firewall as the primary peer. The configuration from the primary will be pushed to the Secondary. If the existing configuration is on the firewall selected as secondary, it will be overwritten. HA interface configuration is shown in Figure 21-18.

Configure the links for failover. In my example, I am using a single link for both failover and state. Pick IP addresses that are not used elsewhere in your network. These don’t need to be routable because they are only on the link between the appliances. For additional security, you can enable IPsec on the links.

Once you click Add, you need to wait for a while. Even once Tasks show the high availability deployment is complete, the health policy might not have caught up. The system may show the pair in a degraded state for a few minutes after it is created. Error messages about failover state are normal while high availability is stabilizing. Messages such as what is shown in Figure 21-19 are common while synchonizing and are not cause for concern.

After everything is synchronized, you will manage the pair as a single device. Use the pencil icon for the pair to edit the configuration for the pair. As you can see in Figure 21-20, there is only one pencil icon for the pair of devices.

Troubleshooting is slightly different. Troubleshooting is still individual to the firewall. Troubleshooting is almost always done on the active appliance. In our example, the primary appliance is active. If there is a failover event, then the secondary appliance will be active. You need to pay attention to which one is active before troubleshooting. To get into the troubleshooting menu, click the tool icon for the active appliance.

Routing

Firepower supports static routing, OSPFv2, OSPFv3, RIP, and BGP. Multicast routing is under the routing menu, but it is out of the scope of this book.

Did you notice that we didn’t list EIGRP? The current version of Firepower does not allow EIGRP configuration from the Routing tab. It requires FlexConfig to push ASA configuration onto the appliances.

The concepts for routing protocols are the same as with routers, with a few limitations.

Static

Static routing is common on firewalls. In many implementations, you have a default route pointing to the outside interface and a summarized route for your internal networks.

If you have more than one path leaving the network, you may need multiple default routes with different metrics. Tracking can be used to determine if the primary path is degraded.

To create a tracking object, browse to Objects ➤ Object Management ➤ SLA Monitor. Click the button Add SLA Monitor. When the form shown in Figure 21-21 comes up, provide an address to be monitored, a name, an ID, and the interface.

After creating the object, browse to Devices ➤ Device Management and edit the firewall that needs the static route. Click the Routing tab. Depending on whether you already have a route created, either click Add Route or click the pencil to edit an existing route. Figure 21-22 shows an example of editing a static route.

Pick the interface for the route. We named our interfaces Inside, Outside, and DMZ. Yours may differ. Select the networks that should be routed. We are creating a default route, so we selected any-ipv4. If you need to route specific networks, you need to create a network object. You can create one inline by using the plus button by Available Network. This allows you to create a network object. If you need to use a group on network objects, you should pre-create it under Object Management.

The gateway points to a host network object. We used the plus button to create a host network object containing the IP address of the next hop router.

Route tracking is optional. We are using the tracking object that we just created. When the tracking object shows that pings fail, it will remove the route. If we create a second static route with a less preferred (higher) metric, it will be used when the track fails.

Before the configuration is active, we need to deploy it. Once deployment is complete, we can look at the state of routing. Even though you can run commands through the Advanced Troubleshooting option for a device in the FMC, it is easier to use the CLI. This is shown in Figure 21-23. For even more flexibility, you can enable system support diagnostic-cli.

When I look at the routing table in Figure 21-24, we see that it is pointing to the less preferred route. This is because the default gateway is down. We cab see the issue in the SLA output in Figure 21-25.

Once we fix the issue, we see routing to the primary gateway.

OSPF

The FMC supports two OSPF processes. Each process maintains its own topology table. If you want to share routes between processes, you need to redistribute.

When you set up a process, you need to pick Internal Router, ABR, ASBR, or ABR & ASBR. The selection limits what you can configure. The process needs to be an ABR to allow multiple areas. It needs to be an ASBR to allow redistribution.

In our example shown in Figure 21-26, we select ABR & ASBR so we can unlock all the options. In most cases, this is not what you need in production.

When you click Add Area, you configure the area ID and select the networks to advertise. For example purposes, we selected any-ipv4. In most cases, you want to be more specific. It is best practice to create a custom network object group to use. The options for area type are normal, stub, or NSSA. The use of these options aligns with routers. If you scroll down in the Add Area frame, you will see authentication options. The FMC supports MD5 or cleartext passwords. After setting up the areas, we configure interfaces that will participate in OSPF. Click the Interfaces tab and add interfaces. We will see a page similar to Figure 21-27. In many cases, you will use the default settings.

If required, you can change hello times, configure authentication passwords or key chains, and configure unicast neighbors from this window.

If you need to redistribute into OSPF, click the Redistribute tab. The configuration is similar to routers. If you need to control redistribution, you can create a route map. You can create the route map from this window or from Object Management. Ensure that you select Use Subnets. Otherwise, it will default to only redistributing classful networks. Figure 21-28 shows an example of the OSPF redistribtion page.

Once you are done with routing, deploy your changes to the appliances.

BGP

For organizations with several inside- and outside-facing interfaces, OSPF may be used for interior routing, and BGP may be used for external routing. BGP is configured in two parts on the FMC. You configure the autonomous system and general process-level settings under General Settings. This is shown in Figure 21-29. Then you configure address families under the appropriate virtual router and address family.

After enabling the process, you can add networks to the address family. Select IPv4 under BGP, and then go to the Networks tab. Click the Add button. As we see in Figure 21-30, you are prompted to select a network object. When you add a network in BGP, it needs to have an exact match in the routing table for it to advertise it. If BGP is not advertising any network, verify that the advertised networks match exactly with what is in the routing table. Using the command line to show route is the easiest way to see the routing table.

If you want to use aggregates (summaries), that can be done with the Aggregate tab. For an aggregate to be advertised, some component of the aggregate needs to be advertised already.

When you configure a neighbor, you can control what is sent to the neighbor and what is received from the neighbor. The options are the same as with a router, except the FMC uses a web interface, as seen in Figure 21-31. The options to control incoming and outgoing prefixes require objects. You can use the plus button to create objects on the fly or use Object Management. The content of the objects is the same as with routers.

DHCP Server

In an enterprise network, address assignment is usually the role of a dedicated server. However, the Firepower firewalls can act as a DHCP server or a proxy for a DHCP server.

DHCP is configured from the DHCP tab of a device’s configuration, as shown in Figure 21-32.

You can automatically obtain options for domain suffix, DNS, and WIN; or you can manually configure them. In the Server section, add a pool of addresses by using the Add button. If you need additional options, click the Advanced tab. This may be needed for VoIP phones that require Option 150 to find their TFTP server.

If you prefer to relay an enterprise DHCP server, click DHCP Relay. Set the interfaces that will listen for DHCP requests in the DHCP Relay Agent tab. Click the DHCP Servers tab and configure information to find the DHCP server. This is similar to using IP helper address on a router. As we can see from the error shown in Figure 21-33, you cannot have a relay and a server on the same interface.

Network Address Translation

Network Address Translation (NAT) is used to translate addresses between interfaces. In most cases, you use RFC 1918 addresses on the inside of your network and public addresses on your external interfaces. NAT can be used to hide your inside addresses or to map many inside addresses to a single public IP address or a small pool of public IP addresses.

NAT on firewalls uses the same principle as NAT on routers, but the configuration is different. This leads to a few caveats when setting up NAT on a firewall.

Firepower uses NAT policies that can be attached to more than one firewall. You get to the policy through Devices ➤ NAT. Click New Policy and then Threat Defense NAT to create a policy for Firepower Threat Defense appliances. Figure 21-34 shows Firepower NAT or Theat Defense NAT. Firepower refers to the older Firepower devices and modules. We want Threat Defense.

When you create a policy, it needs a name. You will be asked to assign devices to the policy. You do not need to do that at this point. You can create a policy and assign devices to it later. In our example, we have Site1, FTD_Site1, and FTD_Site2 as options. Site1 is a group. You can use groups instead of selecting individual firewalls. In this case, the group only contains FTD_Site1. If you make your policy flexible, you can apply it to more than one device. Figure 21-35 shows a new policy targetting two devices.

Once you get into the policy, you see three sections: NAT Rules Before, Auto NAT Rules, and NAT Rules After. This concept came from the ASA firewalls. Auto NAT has fewer options to configure than manual NAT. It is only concerned with the source. If you do not need destination information in a rule, it is recommended that you use auto NAT. In ASA firewalls, manual NAT rules are processed before auto NAT unless you added a token to tell the system to look at the rule after auto NAT. That is the source of “Before” and “After.”

Regardless of if you are configuring auto NAT or manual NAT, you need to choose static or dynamic. Static NAT is used for one-to-one mappings. Servers that need to be reachable from outside the firewall often have a static mapping. Most endpoints can use dynamic mappings. With a dynamic mapping, the translated address may change. Figure 21-36 shows an example configuring dynamic NAT.

Many people equate dynamic NAT to Port Address Translation (PAT). They are commonly used together, but you can use each without the other. If you have a pool of public addresses, the system can dynamically issue them without need of PAT. PAT is needed when you don’t have enough addresses in your outside pool and the system needs to translate port numbers so it can reuse IP addresses. Similarly, you can statically change a port number. In some cases, the port a server listens to is not what outside users see.

We pre-created most of the network objects. You can create them on the fly or create them through Objects ➤ Object Management ➤ Network. In some of our examples, we are using network groups that must be created under Object Management.

The first rule we are going to create is DMZ or Inside going outside. We will use PAT for these because they are for dynamic connections going out. This rule will translate any traffic from the inside interface at Site 1 to the outside interface. This is equivalent to setting the nat inside and nat outside interfaces on a router. Figures 21-37 through 21-39 walk you through the PAT process.

Select the Site1_Inside network as the original source. This is similar to an access list selecting the source on a router. Leave the translated source blank. That will be translated using a PAT pool.

In the PAT Pool tab, check the Enable PAT Pool box. Select Address in the dropdown. Click the plus next to the address to create a network object. Configure a range of IPs to use in the PAT pool . After creating the PAT pool, select the object in the dropdown and save. Ensure you have a large enough PAT pool to support your network. If you have too many connections tranlating to too few outside addresses, you can exhaust your PAT pool. This happens when PAT uses every port on every external address.

We repeated the process for Site 1 DMZ and for Site 2 Inside. For Site 2 Inside, we used the destination interface as the translated source instead of using a pool. Our resulting policy is shown in Figure 21-39.

Dynamic rules will provide network connectivity for devices, but we also need some static rules for servers in the DMZ. In our example, we have two servers in the DMZ. We want the server at IP address 192.168.41.15 to appear as 172.16.50.15 to the outside, except we want TCP/80 on 192.168.41.16 to appear as TCP/8080 on 172.16.50.15. We will create the specific rule that changes ports first.

Since we are only modifying the source, we could use auto NAT. We are using manual NAT for demonstration purposes. This is shown in Figure 21-40.

In our example, we used the host network object DMZ_Router as the original source and the host network object called DMZ_Outside for the translated source. We translated packets from HTTP to HTTP_Alt. By default, NAT is two way. If you need to make it unidirectional, you can check the Unidirectional box under Advanced. In our case, we want it to be two way.

The second rule is similar to the first except we used the network object Metasploitable as the source. We still used DMZ_Outside as the translated source. We left all other fields in the Translation tab blank.

We will walk through setting up a couple Virtual Private Networks (VPNs) later in this chapter. It is best practice to use a separate firewall to terminate your VPNs as your filtering firewall that has NAT. It causes risk and complexity to put everything on one appliance. One of the complications is with NAT. NAT sees the VPN traffic as coming from the Outside zone. We need to add exceptions to the policy so the VPN traffic doesn’t get translated. We also need to ensure rules are configured to use routing, so they don’t cause a black hole.

The following figure shows the top two rules that will translate packets received on the outside interfaces of each site that came from a VPN to themselves. We also checked the Perform Route Lookup for Destination Interface checkbox under Advanced. Figure 21-41 shows the stat of our policy after adding the additional rules.

After completing the rules, we saved and deployed. This policy is assigned to two firewalls, but the FMC knows to only push relevant configuration to each. It may give you a warning about rules that will never be matched. You could fix this by using interface groups such that you only have relevant rules or break the policy up for each firewall. Breaking the policy up is the cleaner solution. Figures 21-42 and 21-43 show how the policy is reflected on each device.

The command show nat shows the configuration and the number of hits. We don’t have very many hits because we just deployed the configuration and haven’t done any testing. The command show xlate will show the translations and have addresses. If NAT isn’t working, verify your addresses are correct. If they are not, you need to go to Object Management and correct them and then deploy the configuration again. After making changes to NAT, the command clear xlate clears out the translation table. In the following example, we originally had the incorrect address for DMZ-Outside. It should have been 172.16.50.15. We can see this in the output shown in Figure 21-44.

After fixing the object, we cleared the specific translation. In this example, it had already cleared before we attempted to delete it. Now you can see the correct translation in Figure 21-45.

When we use a browser to go to http://172.16.50.15, it redirects to our Metasploitable host . When you used http://172.16.50.16:8080, we were redirected to the web interface for a Cisco router. We show this result in Figure 21-46.

Our real test of the NAT exceptions for VPN will be in the “Virtual Private Networks” section.

When we get to the “Troubleshooting” section of this chapter, we will revisit issues with NAT and show you how to identify problems.

FlexConfig

The graphical interface does not support every feature that was brought over from the ASA yet. The workaround is FlexConfig. FlexConfig allows you to push ASA commands to the Firepower appliances. Cisco provides several templates for common tasks. You only need to fill out the variables and associate FlexConfig to a platform. There are some ASA features that are not currently supported on Firepower, but you can fill most of the gaps in the graphical interface using FlexConfig.

One restriction is you cannot push configuration through FlexConfig, if it is supported in the graphical interface. A major disclaimer you need to be aware of is some configurations will not automatically unconfigure when you remove a policy. In some cases, you need to push an unconfigure object to undo changes.

We will illustrate FlexConfig with EIGRP. As of Firepower 6.6, EIGRP is not supported in the graphical interface. However, it is on the road map for the next major release.

The templates for FlexConfig are under Object Management. If you need a template that is not pre-created, you can create it here. The templates are under FlexConfig Object, and variables are defined under Text Object. If you want a better understanding of how a FlexConfig object works, view one of the pre-created scripts to see how it uses commands, conditions, loops, and variables. An example of part of the list of built in FlexConfig objects is shown in Figure 21-47.

For our example, we will start with EIGRP_Configure but modify it for our environment.

We will start by setting up the variables that we will use in our FlexConfig Object. Go to Text Object and change the value for eigrpAS to 100, as shown in Figure 21-48. This is the autonomous system configured on our DMZ router. We are changing this globally and not only for the policy.

Next, we need to set the router ID. The default value is blank. Go to the Text Object menu. Click the pencil next to eigrpRouterId to edit it. We want to add an override for FTD1. Figures 21-49 and 21-50 show the process to add an override for a variable.

We configured the override with a value of 192.168.41.1 for FTD1’s router ID.

Now we need to do something similar for eigrpNetworks. We will create a new variable with a list of networks. We will set the default to 0.0.0.0 and override it for FTD1. The network we created has an error. This is on purpose, so we can show how to troubleshoot FlexConfig errors. ASA and Firepower require subnet masks and not wildcard masks when you configure routing. If you look at Figure 21-51, you will notice we used wildcard mask syntax.

In the FlexConfig Object frame, click the Copy button next to EIGRP_Configure as shown in Figure 21-52.

This will allow us to edit the template. We are not changing any settings, but it is best practice to create a new object, so we have the option. We cannot edit a prebuilt object. Figure 21-53 shows the copied template.

Now we go to Devices ➤ FlexConfig and create a policy. Assign the target appliance(s) to the policy as shown in Figure 21-54.

Find the template FlexConfig object we just created and add it to the policy as shown in Figure 21-55.

Save the configuration and click the button to preview the configuration. If the configuration is what you expect, deploy the policy. If it is not right, we need to troubleshoot. If variables are not set correctly, the line is ignored. That is one of the common issues when configuring FlexConfig. Figure 21-56 shows an example of the FlexConfig preview.

Take note of the warning when you deploy shown in Figure 21-57. FlexConfig is powerful, but can be dangerous.

Do you remember the error we mentioned? When deployment fails, we can look at details. Figure 21-58 shows us why the configuration failed.

After fixing the eigrpNetworks text object, we can redeploy. Figure 21-59 shows EIGRP come up on the DMZ router that we pre-staged.

System Configuration Settings

System configuration refers to the Firepower Management Center configuration. Many of these settings apply to how firewalls are managed, but they do not directly apply to the firewalls.

Some common settings for management security are Access List, SNMP, Login Banner, Shell Timeout, User Configuration, and UCAPL/CC Compliance. Access List allows you to configure IP access lists for SMP, SSH, and HTTPS access. SNMP allows you to configure the SNMP version used and the parameters. It is recommended to use SNMPv3 with authentication and privacy. Login Banner configures the banner an administrator will see when logging into the FMC either through the Web or command line. Shell Timeout allows you to set a timeout for the command line or browser. The default timeout values are indefinite for shell and 60 minutes for HTTPS. Most organizations will change those defaults. User Configuration includes settings on password history, lockouts, and maximum concurrent sessions. Some of these settings are new in 6.6. If you are using an older version of the FMC, you will not see them. UCAPL/CC Compliance is for high-security environments. Setting compliance mode runs a script to lock down several settings, and it cannot be undone. You should only use this setting if you are absolutely sure you need to use it. If you use it on the FMC, you also need to set it on the platforms.

A few other common settings are Audit Log, Email Notification, HTTPS Certificate, Access Control Preferences, Intrusion Policy Preferences, Remote Storage Device, and Time Synchronization. Audit Log allows you to send audit and syslog data to an external server. We discuss that in more detail in the Monitoring Overview section. You use Email Notification to configure the connection to the SMTP server that can be used in notification rules. HTTPS Certificate is how you configure the HTTPS certificate for the FMC’s management interface. It is recommended that you change the certificate from the self-signed certificate to a trusted certificate. A recent issue with the self-signed certificate is that it was created in a way that is rejected by Safari on macOS. Unfortunately, there are also some issues with generating a certificate from trusted certificate authorities on Firepower. The HTTPS certificate must have basic constraints marked as critical. Some certificate authorities do not support this, and you need to jump through hoops to install the certificate through the command line. The HTTPS Certificate page allows you to enable client certificates. This will force certificate authentication for administrators. Only check this if you have already configured external authentication to allow certificates. Access Control and Intrusion Policy Preferences are really about comments. The default setting is to not allow comments when you change the policies. Optional will give administrators a box where they can add a comment or cancel. Required forces them to add a comment. Comments can be nice so you can review rules later and know when and why they were created. Remote Storage Device is important for backups. This menu allows you to configure a remote NFS, SMB, or SSH destination for reports and backups.

Platform Settings

Platform settings are the settings that get pushed to the firewall appliances. Even though many things are managed and monitored by the FMC, firewalls have their own management plane and data plane. They can send alerts directly to log destinations without aggregating them at the FMC. If you maintain several firewalls with different requirements, you can push a different policy to each.

To get to the policy, browse to Devices ➤ Platform Settings, as shown in Figure 21-60.

Once in the Platform Settings menu, click New Policy ➤ Threat Defense Settings. Give the policy a name and assign it to devices. Many of the settings are like what you saw in the “System Configuration” section.

Fragment Settings, shown in Figure 21-61, is an important data plane setting. We mentioned it in the context of an interface. You can also push settings to the device. It is optimal if you can architect your network so you can disallow fragmentation.

ICMP settings allows you to rate limit or block certain ICMP messages. The default is to rate limit ICMP unreachable messages to one per second. That helps mitigate port scanning risks. If you want to explicitly block or permit a type of ICMP, click Add to create a rule. Unless you pre-created it, you will need to create ICMP objects when you create the rule.

SSL allows you to set minimum versions for TLS, DTLS, and Diffie-Hellman. You can also create protocol-specific rules that include which algorithms may be used. For example, you may need to remove 3DES as an encryption algorithm for FIPS compliance. Figure 21-62 shows an example TLS policy setting.

Syslog settings are interesting. You have a lot more granularity for Syslog from the platform than from the FMC. The Syslog menu is not only Syslog. It also contains rules for sending log messages to email destinations. We go into logging slightly more in the logging and Monitoring Overview section.

Timeouts are important for preventing resource starvation. Other than the console timeout, the default settings in Timeouts meet the needs of most organizations.