Introduction

Cisco's unified Firepower Threat Defense (FTD) software brings its next-generation security technologies together in a single software image: the Next-Generation Firewall (NGFW), the Next-Generation Intrusion Prevention System (NGIPS), Advanced Malware Protection (AMP), and many more features.

This book provides best practices, demonstrates configurations, analyzes debug output, and illustrates GUI screenshots from real-world deployment scenarios. It empowers you to configure your own Firepower system with confidence. The book summarizes complex operations in simple flowcharts and presents many diagnostic tools that allow you to investigate potential technical issues yourself. In other words, it can serve as your “personal technical support engineer.”

Who Should Read This Book?

Any network engineer, security engineer, security analyst, firewall specialist, or system administrator who wants to configure and manage a Cisco Firepower System should read this book. Technical support engineers, advanced services engineers, professional services engineers, field engineers, network consulting engineers, sales engineers, and security engineers who want to diagnose technical issues on their own will also find this book very useful.

This book is an important resource for channel partners and managed security service providers (MSSPs) who want to provide technical support to their own customers.

This book is invaluable to the administrators of classified environments, such as U.S. government agencies, who are not allowed to share troubleshooting data because of security restrictions and therefore must troubleshoot their own issues.

Any students or candidates who want to take a Cisco security certification exam will find valuable information in this book. This book covers Firepower next-generation security-related topics that are included in the CCNA Security, CCNP Security, and CCIE Security exam curricula.

This book is not a replacement for an official Cisco Firepower publication, such as a user guide or an installation guide. It is, rather, a supplement to the official publications.

How This Book Is Organized

Chapter 1, “Introduction to the Cisco Firepower Technology”: The book begins with the history and evolution of the Cisco Firepower technology. This chapter introduces the various software components that may be installed on a Firepower system. It also provides a quick overview of the hardware that supports the Cisco Firepower Threat Defense (FTD) technology.

Chapter 2, “FTD on ASA 5500-X Series Hardware”: This chapter describes the differences between the various software images that may be installed on ASA 5500-X Series hardware. It demonstrates the detailed process of reimaging ASA 5500-X Series hardware to the FTD software. In addition, this chapter provides the command-line tools you can use to verify the status of the hardware and software.

Chapter 3, “FTD on the Firepower eXtensible Operating System (FXOS)”: This chapter describes the architecture, implementation, and installation of FTD on a Firepower security appliance running the Firepower eXtensible Operating System (FXOS). It demonstrates several command-line tools you can use to determine the status of the various components of the appliance.

Chapter 4, “Firepower Management Center (FMC) Hardware”: This chapter discusses and compares the various hardware platforms for the FMC. It illustrates the complete reimaging process (also known as System Restore) and describes the best practices for performing it. It also covers many command-line tools you can use to diagnose issues with FMC hardware.

Chapter 5, “Firepower System Virtual on VMware”: This chapter describes various aspects of the Firepower virtual appliance, such as how to deploy a virtual appliance, how to tune its resources for optimal performance, and how to investigate issues with a new deployment.

Chapter 6, “The Firepower Management Network”: This chapter describes the best practices for designing and configuring a management network for the Firepower System. It also discusses the tools you can use to verify communication between the management interfaces of the FMC and FTD. Before you begin the registration process, which is described in Chapter 7, you must ensure that the FMC and FTD can reach each other through your network.

Chapter 7, “Firepower Licensing and Registration”: This chapter discusses licensing and registration, two important initial tasks in a Firepower system deployment. It describes the capabilities of the different Firepower licenses and the steps involved in registering the FMC with a Smart License Server. It also demonstrates the registration process and the tools for investigating communication issues.

Chapter 8, “Firepower Deployment in Routed Mode”: This chapter explains Routed Mode, the most widely deployed firewall mode. It describes the steps involved in configuring routed interfaces with static IP addresses as well as dynamic IP addresses. In addition, this chapter discusses various command-line tools you can use to identify interface-related issues.

Chapter 9, “Firepower Deployment in Transparent Mode”: This chapter discusses another mode, Transparent Mode, including how to configure the physical and virtual interfaces and how to use various command-line tools to investigate potential configuration issues.

Chapter 10, “Capturing Traffic for Advanced Analysis”: This chapter describes the process of capturing live traffic on an FTD device by using the system-provided capture tool. To demonstrate the benefit of the tool, this chapter shows how to use various tcpdump options and BPF filter syntax to filter and manage packet captures.

Chapter 11, “Blocking Traffic Using Inline Interface Mode”: This chapter demonstrates how to configure an FTD device in Inline Mode, how to enable fault-tolerance features on an inline set, and how to trace a packet in order to analyze the root cause of a drop. This chapter also describes various command-line tools you can use to verify the status of an interface, an inline pair, and an inline set.

Chapter 12, “Inspecting Traffic Without Blocking It”: This chapter explains the configuration and operation of the various detection-only modes of an FTD device, such as Passive Mode, Inline Tap Mode, and Inline Mode with the Drop When Inline option disabled. It also provides various command-line tools you can use to determine the status of interfaces and traffic.

Chapter 13, “Handling Encapsulated Traffic”: This chapter shows you how to analyze and block traffic that is encapsulated with the GRE protocol. It also demonstrates the steps to bypass inspection when traffic is transferred over a tunnel. Besides showing configurations, this chapter shows various tools for analyzing the action applied by the Prefilter policy and the Access Control policy of an FTD device.

Chapter 14, “Bypassing Inspection and Trusting Traffic”: This chapter discusses the techniques for bypassing inspection and provides the steps to configure each method. It also analyzes the flow of bypassed packets to demonstrate how an FTD device behaves under the different bypass options. You will learn how to use various debugging tools to determine whether the bypass is working as designed.

Chapter 15, “Rate Limiting Traffic”: This chapter goes through the steps to configure a QoS policy on an FTD device. It also provides an overview of common rate-limiting mechanisms and of the QoS implementation on an FTD device, along with the command-line tools for verifying the operation of a QoS policy.

Chapter 16, “Blacklisting Suspicious Addresses by Using Security Intelligence”: This chapter illustrates the detection of a malicious address by using the Security Intelligence feature. It describes how to configure an FTD device to block, monitor, or whitelist an address when there is a match. It also discusses the back-end file systems that support Security Intelligence, knowledge you can apply when troubleshooting a Security Intelligence issue.

Chapter 17, “Blocking a Domain Name System (DNS) Query”: This chapter demonstrates various techniques for controlling DNS queries with a Firepower DNS policy. Besides using traditional access control rules, an FTD device can incorporate the Cisco Intelligence Feed and dynamically blacklist suspicious domains. This chapter shows the various ways to configure and deploy a DNS policy, and it demonstrates several command-line tools you can run to verify, analyze, and troubleshoot issues with a DNS policy.

Chapter 18, “Filtering URLs Based on Category, Risk, and Reputation”: This chapter describes techniques for filtering traffic based on the category and reputation of a URL. It illustrates how a Firepower system performs a URL lookup and how an FTD device takes action based on the query result. It also walks through a connection to a URL by means of debugging messages, which is critical for troubleshooting.

Chapter 19, “Discovering Network Applications and Controlling Application Traffic”: This chapter shows how a Firepower system can make you aware of the applications running on your network and empowers you to control access to unwanted applications. It also shows techniques for verifying whether an FTD device identifies an application correctly.

Chapter 20, “Controlling File Transfer and Blocking the Spread of Malware”: Cisco integrates its Advanced Malware Protection (AMP) technology with the Firepower technology. This chapter explains how the two work together to help you detect and block the spread of infected files across your network. In this chapter, you will learn the configuration and operation of a file policy on a Firepower system. It also demonstrates various logs and debugging messages that are useful for diagnosing issues with cloud lookup and file disposition.

Chapter 21, “Preventing Cyber Attacks by Blocking Intrusion Attempts”: This chapter describes the best-known feature of a Firepower system: the Snort-based next-generation intrusion prevention system (NGIPS). In this chapter, you will learn how to configure the NGIPS, how to apply the associated policies, and how to drill down into intrusion events for advanced analysis. It also discusses the Firepower Recommendations feature and demonstrates how a recommended rule set can reduce system overhead by incorporating discovery data.

Chapter 22, “Masquerading the Original IP Address of an Internal Network Host”: This chapter discusses the various types of NAT on an FTD device. It shows the steps to configure a NAT rule and demonstrates how FTD can use NAT to masquerade internal IP addresses in a real-world scenario.
