First step in Firepower Threat Defense

This time I will use eve-ng (I'll write about it in the next post) to test Firepower Threat Defense 6.2.2.
Simple deployment and a first access rule with an ICMP signature.

Below our topology:

Inline pair interfaces are available in both Routed and Transparent mode. In our case the device runs in Routed mode with an inline (bridged) pair, so this FTD works as a Firepower NGIPS :) on the g0/1 - g0/0 interfaces with the full Snort IPS feature set.

Images:
1. Cisco_Firepower_Management_Center_Virtual-6.2.2-81.qcow2
2. Cisco_Firepower_Threat_Defense_Virtual-6.2.2-81.qcow2
(FTD has asa982-3-smp-k8 image inside)

On FMC I turn on eval mode for 90 days. As you see below, besides the Base license (enabled by default) we also have licenses for Malware, Threat, URL Filtering and AnyConnect. I'll show later how to enable it for lab purposes :)

After FTD has fully booted (this can take 30 min or more) we see the login prompt with the default admin:Admin123 credentials and an EULA to accept:

After accepting it we must configure: a new password, IPv4 and/or IPv6 address, mask, gateway, hostname, DNS servers, domain name, and the firewall mode - routed or transparent (in our case routed; even so, we can later use an inline pair, which behaves like transparent mode).

Next we need to add a manager on FTD (vFTD can only be managed via FMC):

> show managers
No managers configured.

> configure manager add 150.1.7.200 123456
> show managers
Host                      : 150.1.7.200
Registration Key          : ****
Registration              : pending
RPC Status                :
Type                   : Manager

//in the next post I'll show an FTD 2130 managed locally

After verifying basic connectivity (ping from FMC to FTD) we can add the FTD in FMC:
Devices -> Device Management -> Add... -> Add device

//ftd_policy under Access Control Policy - a blank policy with Block all traffic as the default action at the end

On FTD:

> show managers
Type   : Manager
Host                      : 150.1.7.200
Registration              : Completed

Now we can edit the ftd device and enable some licenses (the Threat license is required for IPS features):

Next step is to configure the interfaces and add them to an Inline Set:

//same step for g0/1 as the outside interface

Next the Inline Set, with Propagate Link State enabled:

//Propagate Link State - if one link of the inline pair goes down, FTD brings down the other link as well -> the neighbouring devices see the failure immediately and routing converges faster

//Snort Fail Open - if enabled, FTD keeps passing traffic without inspection when the Snort process is busy or down

Create a simple Intrusion Policy:

Now we can edit our ftd_policy: an allow_all rule with IPS inspection and logging:

Deploy and test the inline interface pair:

R1>ping 10.10.10.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms

And we see it in the Connection Events database:

Now edit IPS signature (SID) 408, ICMP Echo Reply, and set it to Drop and Generate Events:

Commit the changes, deploy once more and test the ping from R1:

R1>ping 10.10.10.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.12, timeout is 2 seconds:
.....

Success rate is 0 percent (0/5)

And in the events we see:

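To make clear why R1 gets 0/5 although only the echo *reply* signature was changed, here is an added example (my own code, not from the post or from Cisco) that models the inline pair as a tiny rule engine: it builds IPv4/ICMP packets for each direction of the ping, runs a rule shaped like Snort SID 408 (itype:0, icode:0, $EXTERNAL_NET -> $HOME_NET) over them, and counts how many replies make it back to R1. R1's address 10.10.10.1 is an assumption (the post only shows the target 10.10.10.12), and both network variables are modelled as "any", which is what the FMC default variable set uses; the rule header and option text are paraphrased from the Snort rule set.

```python
"""Model of an inline IPS rule (Snort SID 408 style) applied to a ping
crossing an FTD inline pair. Packets are constructed inline; checksums are
not computed because the inspector never verifies them."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Snort network variables. FMC's default variable set defines $HOME_NET and
# $EXTERNAL_NET as "any", modelled here as None (assumption for this lab).
HOME_NET: Optional[ipaddress.IPv4Network] = None
EXTERNAL_NET: Optional[ipaddress.IPv4Network] = None


@dataclass(frozen=True)
class IcmpRule:
    """Subset of a Snort ICMP rule: header direction plus itype/icode options."""
    sid: int
    msg: str
    itype: int
    icode: int
    action: str  # "alert" = Generate Events, "drop" = Drop and Generate Events


# SID 408 (paraphrased): alert icmp $EXTERNAL_NET any -> $HOME_NET any
#   (msg:"PROTOCOL-ICMP Echo Reply"; itype:0; icode:0; sid:408;)
RULE_408_ALERT = IcmpRule(408, "PROTOCOL-ICMP Echo Reply", itype=0, icode=0, action="alert")
RULE_408_DROP = IcmpRule(408, "PROTOCOL-ICMP Echo Reply", itype=0, icode=0, action="drop")


def _in_var(addr: ipaddress.IPv4Address, net: Optional[ipaddress.IPv4Network]) -> bool:
    """A None variable means "any", as in the default variable set."""
    return net is None or addr in net


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, icmp_code: int, payload: bytes = b"") -> bytes:
    """Constructed test input: 20-byte IPv4 header (proto 1) + 8-byte ICMP header + payload."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x0001, 0x0001) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + icmp


def parse_icmp(pkt: bytes):
    """Return (src, dst, itype, icode) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 4:  # IP protocol 1 = ICMP
        return None
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 1]


def inspect(pkt: bytes, rules):
    """Run the enabled rules over one packet. Returns (verdict, events) where
    verdict is "pass" or "drop" and events are the intrusion events raised."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return "pass", []
    src, dst, itype, icode = parsed
    verdict, events = "pass", []
    for r in rules:
        if not (_in_var(src, EXTERNAL_NET) and _in_var(dst, HOME_NET)):
            continue  # header direction does not match
        if itype == r.itype and icode == r.icode:
            events.append({"sid": r.sid, "msg": r.msg, "src": str(src), "dst": str(dst), "action": r.action})
            if r.action == "drop":
                verdict = "drop"
    return verdict, events


def ping_through_pair(rules, count: int = 5):
    """R1 (10.10.10.1, assumed) pings 10.10.10.12 through the inline pair.
    A reply counts as received only if request and reply both pass.
    Returns (replies_received, intrusion_events)."""
    received, events = 0, []
    for _ in range(count):
        req = build_ipv4_icmp("10.10.10.1", "10.10.10.12", 8, 0, b"\x00" * 72)  # echo request
        v_req, e_req = inspect(req, rules)
        events += e_req
        if v_req == "drop":
            continue
        rep = build_ipv4_icmp("10.10.10.12", "10.10.10.1", 0, 0, b"\x00" * 72)  # echo reply
        v_rep, e_rep = inspect(rep, rules)
        events += e_rep
        if v_rep == "pass":
            received += 1
    return received, events


if __name__ == "__main__":
    for label, rules in [("SID 408 disabled", []), ("SID 408 alert", [RULE_408_ALERT]), ("SID 408 drop", [RULE_408_DROP])]:
        got, ev = ping_through_pair(rules)
        print(f"{label}: success rate {got * 100 // 5} percent ({got}/5), {len(ev)} intrusion events")
```

The three runs correspond to the states in the post: with the rule disabled (the default in a fresh intrusion policy) the ping is 5/5 with no events; with Generate Events only, the ping still succeeds but five events appear; with Drop and Generate Events, the echo requests still reach 10.10.10.12 but every reply is dropped on the way back, so R1 reports 0/5 while FMC shows the dropped-packet events.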
Enjoy :)