Cisco Firepower Threat Defense (FTD)

Cisco Firepower Threat Defense (FTD)

by Nazmul Rajib
Released December 2017
Publisher(s): Cisco Press
ISBN: 9780134679471

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

The authoritative visual guide to Cisco Firepower Threat Defense (FTD)

This is the definitive guide to best practices and advanced troubleshooting techniques for the Cisco flagship Firepower Threat Defense (FTD) system running on Cisco ASA platforms, Cisco Firepower security appliances, Firepower eXtensible Operating System (FXOS), and VMware virtual appliances.

Senior Cisco engineer Nazmul Rajib draws on unsurpassed experience supporting and training Cisco Firepower engineers worldwide, and presenting detailed knowledge of Cisco Firepower deployment, tuning, and troubleshooting. Writing for cybersecurity consultants, service providers, channel partners, and enterprise or government security professionals, he shows how to deploy the Cisco Firepower next-generation security technologies to protect your network from potential cyber threats, and how to use Firepower’s robust command-line tools to investigate a wide variety of technical issues.

Each consistently organized chapter contains definitions of keywords, operational flowcharts, architectural diagrams, best practices, configuration steps (with detailed screenshots), verification tools, troubleshooting techniques, and FAQs drawn directly from issues raised by Cisco customers at the Global Technical Assistance Center (TAC). Covering key Firepower materials on the CCNA Security, CCNP Security, and CCIE Security exams, this guide also includes end-of-chapter quizzes to help candidates prepare.

  • Understand the operational architecture of the Cisco Firepower NGFW, NGIPS, and AMP technologies
  • Deploy FTD on ASA platform and Firepower appliance running FXOS
  • Configure and troubleshoot Firepower Management Center (FMC)
  • Plan and deploy FMC and FTD on VMware virtual appliance
  • Design and implement the Firepower management network on FMC and FTD
  • Understand and apply Firepower licenses, and register FTD with FMC
  • Deploy FTD in Routed, Transparent, Inline, Inline Tap, and Passive Modes
  • Manage traffic flow with detect-only, block, trust, and bypass operations
  • Implement rate limiting and analyze quality of service (QoS)
  • Blacklist suspicious IP addresses via Security Intelligence
  • Block DNS queries to the malicious domains
  • Filter URLs based on category, risk, and reputation
  • Discover a network and implement application visibility and control (AVC)
  • Control file transfers and block malicious files using advanced malware protection (AMP)
  • Halt cyber attacks using Snort-based intrusion rule
  • Masquerade an internal host’s original IP address using Network Address Translation (NAT)
  • Capture traffic and obtain troubleshooting files for advanced analysis
  • Use command-line tools to identify status, trace packet flows, analyze logs, and debug messages

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. About the Technical Reviewer
  6. Dedication
  7. Acknowledgments
  8. Contents at a Glance
  9. Contents
  10. Reader Services
  11. Icons Used in This Book
  12. Command Syntax Conventions
  13. Introduction
  14. Part I Troubleshooting and Administration of Hardware Platform
    1. Chapter 1 Introduction to the Cisco Firepower Technology
      1. History of Sourcefire
        1. Evolution of Firepower
        2. FirePOWER Versus Firepower
      2. Firepower Threat Defense (FTD)
        1. FirePOWER Service Versus Firepower Threat Defense (FTD)
        2. Firepower System Software Components
        3. Firepower System Hardware Platforms
        4. Firepower Accessories
      3. Summary
    2. Chapter 2 FTD on ASA 5500-X Series Hardware
      1. ASA Reimaging Essentials
      2. Best Practices for FTD Installation on ASA Hardware
      3. Installing and Configuring FTD
        1. Fulfilling Prerequisites
        2. Upgrading Firmware
        3. Installing the Boot Image
        4. Installing the System Software
      4. Verification and Troubleshooting Tools
        1. Navigating to the FTD CLI
        2. Determining the Version of Installed Software
        3. Determining the Free Disk Space on ASA Hardware
        4. Deleting a File from a Storage Device
        5. Determining the Availability of Any Storage Device or SSD
        6. Determining the Version of the ROMMON Software or Firmware
      5. Summary
      6. Quiz
    3. Chapter 3 FTD on the Firepower eXtensible Operating System (FXOS)
      1. Firepower 9300 and 4100 Series Essentials
        1. Architecture
        2. Software Images
        3. Firepower Extensible Operating System (FXOS)
        4. FTD Software
        5. Firmware
        6. Web User Interfaces
      2. Best Practices for FTD Installation on Firepower Hardware
      3. Installing and Configuring FTD
        1. Fulfilling Prerequisites
        2. Deleting Any Existing Logical Devices
        3. Upgrading the FXOS Software
        4. Enabling Interfaces
        5. Installing FTD
        6. Uploading the FTD Software Image
        7. Adding a Logical Device for FTD
        8. Completing the Initialization of FTD
      4. Verification and Troubleshooting Tools
        1. Navigating to the FTD CLI
        2. Verifying the FXOS Software
        3. Verifying the Status of a Security Application
        4. Verifying the Security Modules, Adapters, and Switch Fabric
        5. Verifying the Hardware Chassis
        6. Verifying the Power Supply Unit (PSU) Modules
        7. Verifying the Fan Modules
      5. Summary
      6. Quiz
    4. Chapter 4 Firepower Management Center (FMC) Hardware
      1. FMC Component Essentials
        1. On-Box Managers
        2. Off-Box Managers
        3. Cisco Integrated Management Controller (CIMC)
        4. Internal USB Storage for the System_Restore Image
        5. User Interfaces
      2. Best Practices for FMC Reimage
        1. Pre-installation Best Practices
        2. Post-installation Best Practices
      3. Installing and Configuring the FMC
        1. Fulfilling Prerequisites
        2. Configuration Steps
        3. Step 1: Load the System_Restore Image
        4. Step 2: Configure the Network Settings
        5. Step 3: Choose a Transport Protocol
        6. Step 4: Download and Mount an ISO File
        7. Step 5: Run the Installation
        8. Step 6: Initialize the System
      4. Verification and Troubleshooting Tools
        1. Identifying the FMC on a Rack
        2. Determining the Hardware and Software Details of the FMC
        3. Determining the RAID Battery Status
        4. Determining the Status of a Power Supply Unit (PSU)
        5. Checking Logs on the CLI
        6. Enabling Alerts on the GUI
        7. Performing a Complete Power Cycle
        8. PSU Checklist
        9. Verifying the Fans
      5. Summary
      6. Quiz
    5. Chapter 5 Firepower System Virtual on VMware
      1. FMC and FTD Virtual Essentials
        1. Supported Virtual Environments
        2. ESXi Versus VI
        3. VMware Installation Package in a Tarball
        4. Disk Provisioning Options
      2. Best Practices for Firepower Virtual Appliance Deployment
        1. Pre-deployment Best Practices
        2. Post-deployment Best Practices
      3. Installing and Configuring a Firepower Virtual Appliance
        1. Fulfilling Prerequisites
        2. Creating a Virtual Network
        3. Creating a Network for FMC Virtual
        4. Creating a Network for FTD Virtual
        5. Using Promiscuous Mode
        6. Deploying an OVF Template
        7. Initializing an Appliance
        8. Initializing an FMC Virtual Appliance
        9. Initializing an FTD Virtual Appliance
      4. Verification and Troubleshooting Tools
        1. Determining the Status of Allocated Resources
        2. Determining the Status of a Network Adapter
        3. Upgrading a Network Adapter
      5. Summary
      6. Quiz
  15. Part II Troubleshooting and Administration of Initial Deployment
    1. Chapter 6 The Firepower Management Network
      1. Firepower System Management Network Essentials
        1. The FTD Management Interface
        2. Designing a Firepower Management Network
      2. Best Practices for Management Interface Configuration
      3. Configuring a Management Network on FMC Hardware
        1. Configuration Options
        2. Using the GUI During the First Login
        3. Using the GUI On Demand
        4. Using the Command-Line Interface
        5. Verification and Troubleshooting Tools
      4. Configuring a Management Network on ASA Hardware
        1. Configuration
        2. Verification and Troubleshooting Tools
      5. Configuring a Management Network on a Firepower Security Appliance
        1. Configuring the FXOS Management Interface
        2. Verification of the FXOS Management Interface Configuration
        3. Configuring the FTD Management Interface
        4. Verification of the FTD Management Interface Configuration
      6. Summary
      7. Quiz
    2. Chapter 7 Firepower Licensing and Registration
      1. Licensing Essentials
        1. The Smart Licensing Architecture
        2. Cisco Smart Software Manager (CSSM)
        3. CSSM Satellite
        4. Firepower Licenses
      2. Best Practices for Licensing and Registration
      3. Licensing a Firepower System
        1. Licensing Configuration
        2. Evaluation Mode
        3. Registering with the CSSM
        4. Verifying a Smart License Issue
      4. Registering a Firepower System
        1. Registration Configuration
        2. Setting Up FTD
        3. Setting Up the FMC
        4. Verifying the Registration and Connection
        5. Analyzing the Encrypted SFTunnel
      5. Summary
      6. Quiz
    3. Chapter 8 Firepower Deployment in Routed Mode
      1. Routed Mode Essentials
      2. Best Practices for Routed Mode Configuration
      3. Configuring Routed Mode
        1. Fulfilling Prerequisites
        2. Configuring the Firewall Mode
        3. Configuring the Routed Interface
        4. Configuring an Interface with a Static IP Address
        5. DHCP Services
        6. FTD as a DHCP Server
        7. FTD as a DHCP Client
      4. Verification and Troubleshooting Tools
        1. Verifying the Interface Configuration
        2. Verifying DHCP Settings
      5. Summary
      6. Quiz
    4. Chapter 9 Firepower Deployment in Transparent Mode
      1. Transparent Mode Essentials
      2. Best Practices for Transparent Mode
      3. Configuring Transparent Mode
        1. Fulfilling Prerequisites
        2. Changing the Firewall Mode
        3. Deploying Transparent Mode in a Layer 2 Network
        4. Configuring the Physical and Virtual Interfaces
        5. Verifying the Interface Status
        6. Verifying Basic Connectivity and Operations
        7. Deploying an FTD Device Between Layer 3 Networks
        8. Selecting the Default Action
        9. Adding an Access Rule
        10. Creating an Access Rule for SSH
        11. Verifying Access Control Lists
      4. Summary
      5. Quiz
  16. Part III Troubleshooting and Administration of Traffic Control
    1. Chapter 10 Capturing Traffic for Advanced Analysis
      1. Traffic Capture Essentials
      2. Best Practices for Capturing Traffic
      3. Configuring Firepower System for Traffic Analysis
        1. Capturing Traffic from a Firepower Engine
        2. tcpdump Options
        3. Downloading a .pcap File Generated by Firepower Engine
        4. Capturing Traffic from the Firewall Engine
        5. Downloading a .pcap File Generated by Firewall Engine
        6. Enabling HTTP Service in FTD
        7. Capturing Traffic from the FMC
        8. Downloading a .pcap File Generated by FMC
      4. Verification and Troubleshooting Tools
        1. Adding an Access Rule to Block ICMP Traffic
        2. Analyzing the Traffic Flow by Using a Block Rule
        3. Packet Processing by an Interface
      5. Summary
      6. Quiz
    2. Chapter 11 Blocking Traffic Using Inline Interface Mode
      1. Inline Mode Essentials
        1. Inline Mode Versus Passive Mode
        2. Inline Mode Versus Transparent Mode
        3. Tracing a Packet Drop
      2. Best Practices for Inline Mode Configuration
      3. Configuring Inline Mode
        1. Fulfilling Prerequisites
        2. Creating an Inline Set
        3. Verifying the Configuration
        4. Verifying Packet Flow by Using packet-tracer
        5. Verifying Packet Flow by Using Real Packet Capture
        6. Enabling Fault Tolerance Features
        7. Configuring Fault Tolerance Features
        8. Verifying Fault Tolerance Features
        9. Blocking a Specific Port
        10. Configuring Blocking a Specific Port
        11. Verifying Blocking of a Specific Port
        12. Analyzing a Packet Drop by Using a Simulated Packet
        13. Analyzing a Packet Drop by Using a Real Packet
      4. Summary
      5. Quiz
    3. Chapter 12 Inspecting Traffic Without Blocking It
      1. Traffic Inspection Essentials
        1. Passive Monitoring Technology
        2. Inline Versus Inline Tap Versus Passive
      2. Best Practices for Detection-Only Deployment
      3. Fulfilling Prerequisites
      4. Inline Tap Mode
        1. Configuring Inline Tap Mode
        2. Verifying an Inline Tap Mode Configuration
      5. Passive Interface Mode
        1. Configuring Passive Interface Mode
        2. Configuring Passive Interface Mode on an FTD Device
        3. Configuring a SPAN Port on a Switch
        4. Verifying a Passive Interface Mode Configuration
      6. Analyzing Traffic Inspection Operation
        1. Analyzing a Connection Event with a Block Action
        2. Analyzing Live Traffic
        3. Analyzing a Simulated Packet
        4. Analyzing an Intrusion Event with an Inline Result
      7. Summary
      8. Quiz
    4. Chapter 13 Handling Encapsulated Traffic
      1. Encapsulation and Prefilter Policy Essentials
      2. Best Practices for Adding a Prefilter Rule
      3. Fulfilling Prerequisites
        1. Transferring and Capturing Traffic on the Firewall Engine
      4. Scenario 1: Analyzing Encapsulated Traffic
        1. Configuring Policies to Analyze Encapsulated Traffic
        2. Prefilter Policy Settings
        3. Access Control Policy Settings
        4. Verifying the Configuration and Connection
        5. Analyzing Packet Flows
      5. Scenario 2: Blocking Encapsulated Traffic
        1. Configuring Policies to Block Encapsulated Traffic
        2. Verifying the Configuration and Connection
        3. Analyzing Packet Flows
      6. Scenario 3: Bypassing Inspection
        1. Configuring Policies to Bypass Inspection
        2. Custom Prefilter Policy
        3. Access Control Policy Settings
        4. Verifying the Configuration and Connection
        5. Analyzing Packet Flows
      7. Summary
      8. Quiz
    5. Chapter 14 Bypassing Inspection and Trusting Traffic
      1. Bypassing Inspection and Trusting Traffic Essentials
        1. The Fastpath Rule
        2. The Trust Rule
      2. Best Practices for Bypassing Inspection
      3. Fulfilling Prerequisites
      4. Implementing Fastpath Through a Prefilter Policy
        1. Configuring Traffic Bypassing
        2. Configuring a Prefilter Policy
        3. Invoking a Prefilter Policy in an Access Control Policy
        4. Verifying the Prefilter Rule Configuration
        5. Enabling Tools for Advanced Analysis
        6. Analyzing the Fastpath Action
      5. Establishing Trust Through an Access Policy
        1. Configuring Trust with an Access Policy
        2. Verifying the Trust Rule Configuration
        3. Enabling Tools for Advanced Analysis
        4. Analyzing the Trust Action
        5. Using the Allow Action for Comparison
      6. Summary
      7. Quiz
    6. Chapter 15 Rate Limiting Traffic
      1. Rate Limiting Essentials
      2. Best Practices for QoS Rules
      3. Fulfilling Prerequisites
      4. Configuring Rate Limiting
      5. Verifying the Rate Limit of a File Transfer
      6. Analyzing QoS Events and Statistics
      7. Summary
      8. Quiz
  17. Part IV Troubleshooting and Administration of Next-Generation Security Features
    1. Chapter 16 Blacklisting Suspicious Addresses by Using Security Intelligence
      1. Security Intelligence Essentials
        1. Input Methods
      2. Best Practices for Blacklisting
      3. Fulfilling Prerequisites
      4. Configuring Blacklisting
        1. Automatic Blacklist Using Cisco Intelligence Feed
        2. Manual Blacklisting Using a Custom Intelligence List
        3. Immediate Blacklisting Using a Connection Event
        4. Adding an Address to a Blacklist
        5. Deleting an Address from a Blacklist
        6. Monitoring a Blacklist
        7. Bypassing a Blacklist
        8. Adding an Address to a Whitelist
        9. Deleting an Address from a Whitelist
      5. Verification and Troubleshooting Tools
        1. Verifying the Download of the Latest Files
        2. Verifying the Loading of Addresses into Memory
        3. Finding a Specific Address in a List
        4. Verifying URL-Based Security Intelligence Rules
      6. Summary
      7. Quiz
    2. Chapter 17 Blocking a Domain Name System (DNS) Query
      1. Firepower DNS Policy Essentials
        1. Domain Name System (DNS)
        2. Blocking of a DNS Query Using a Firepower System
        3. DNS Rule Actions
        4. Actions That Can Interrupt a DNS Query
        5. Actions That Allow a DNS Query
        6. Sources of Intelligence
      2. Best Practices for Blocking DNS Query
      3. Fulfilling Prerequisites
      4. Configuring DNS Query Blocking
        1. Adding a New DNS Rule
        2. Invoking a DNS Policy
      5. Verification and Troubleshooting Tools
        1. Verifying the Configuration of a DNS Policy
        2. Verifying the Operation of a DNS Policy
      6. Summary
      7. Quiz
    3. Chapter 18 Filtering URLs Based on Category, Risk, and Reputation
      1. URL Filtering Essentials
        1. Reputation Index
        2. Operational Architecture
      2. Fulfilling Prerequisites
      3. Best Practices for URL Filtering Configuration
      4. Blocking URLs of a Certain Category
        1. Configuring an Access Rule for URL Filtering
        2. Verification and Troubleshooting Tools
      5. Allowing a Specific URL
        1. Configuring FTD to Allow a Specific URL
        2. Verification and Troubleshooting Tools
      6. Querying the Cloud for Uncategorized URLs
        1. Configuring FMC to Perform a Query
        2. Verification and Troubleshooting Tools
      7. Summary
      8. Quiz
    4. Chapter 19 Discovering Network Applications and Controlling Application Traffic
      1. Application Discovery Essentials
        1. Application Detectors
        2. Operational Architecture
      2. Best Practices for Network Discovery Configuration
      3. Fulfilling Prerequisites
      4. Discovering Applications
        1. Configuring a Network Discovery Policy
        2. Verification and Troubleshooting Tools
        3. Analyzing Application Discovery
        4. Analyzing Host Discovery
        5. Undiscovered New Hosts
      5. Blocking Applications
        1. Configuring Blocking of Applications
        2. Verification and Troubleshooting Tools
      6. Summary
      7. Quiz
    5. Chapter 20 Controlling File Transfer and Blocking the Spread of Malware
      1. File Policy Essentials
        1. File Type Detection Technology
        2. Malware Analysis Technology
        3. Licensing Capability
      2. Best Practices for File Policy Deployment
      3. Fulfilling Prerequisites
      4. Configuring a File Policy
        1. Creating a File Policy
        2. Applying a File Policy
      5. Verification and Troubleshooting Tools
        1. Analyzing File Events
        2. Analyzing Malware Events
        3. The FMC Is Unable to Communicate with the Cloud
        4. The FMC Performs a Cloud Lookup
        5. FTD Blocks Malware
        6. Overriding a Malware Disposition
      6. Summary
      7. Quiz
    6. Chapter 21 Preventing Cyber Attacks by Blocking Intrusion Attempts
      1. Firepower NGIPS Essentials
        1. Network Analysis Policy and Preprocessor
        2. Intrusion Policy and Snort Rules
        3. System-Provided Variables
        4. System-Provided Policies
      2. Best Practices for Intrusion Policy Deployment
      3. NGIPS Configuration
        1. Configuring a Network Analysis Policy
        2. Creating a New NAP with Default Settings
        3. Modifying the Default Settings of a NAP
        4. Configuring an Intrusion Policy
        5. Creating a Policy with a Default Ruleset
        6. Incorporating Firepower Recommendations
        7. Enabling or Disabling an Intrusion Rule
        8. Setting Up a Variable Set
        9. Configuring an Access Control Policy
      4. Verification and Troubleshooting Tools
      5. Summary
      6. Quiz
    7. Chapter 22 Masquerading the Original IP Address of an Internal Network Host
      1. NAT Essentials
        1. NAT Techniques
        2. NAT Rule Types
      2. Best Practices for NAT Deployment
      3. Fulfilling Prerequisites
      4. Configuring NAT
        1. Masquerading a Source Address (Source NAT for Outbound Connection)
        2. Configuring a Dynamic NAT Rule
        3. Verifying the Configuration
        4. Verifying the Operation: Inside to Outside
        5. Verifying the Operation: Outside to Inside
        6. Connecting to a Masqueraded Destination (Destination NAT for Inbound Connection)
        7. Configuring a Static NAT Rule
        8. Verifying the Operation: Outside to DMZ
      5. Summary
      6. Quiz
  18. Appendix A Answers to the Review Questions
  19. Appendix B Generating and Collecting Troubleshooting Files Using the GUI
    1. Generating Troubleshooting Files with the GUI
  20. Appendix C Generating and Collecting Troubleshooting Files Using the CLI
    1. Generating Troubleshooting Files at the FTD CLI
      1. Downloading a File by Using the GUI
      2. Copying a File by Using the CLI
    2. Generating Troubleshooting Files at the FMC CLI
  21. Index

Product information

  • Title: Cisco Firepower Threat Defense (FTD)
  • Author(s): Nazmul Rajib
  • Release date: December 2017
  • Publisher(s): Cisco Press
  • ISBN: 9780134679471