Firepower Threat Defense – Interfaces and Zones

Categories Cisco, fmc
  • FTD is a true zone based firewall.
  • Security zones are collections of interfaces or sub-interfaces.
  • Policy rules can apply to source and/or destination zones.
  • This is NOT an ASA – We do NOT use security levels.

Interface Types

  • Management Interface
  • Diagnostic Interface
  • Physical Interface
  • Etherchannel
  • Redundant
  • Routed
  • Bridged

WAN/Outside

  • Our WAN/Outside will be our untrusted traffic.
  • We will use DHCP to get an IP address leased from the internet service provider.

LAN/Inside

  • Our LAN interface will be for our internal (inside) traffic.
  • We will use a static IP address and this port will be a routed interface that is connected to a routed port on our Cisco switch.
  • You can have different designs and use sub-interfaces with 802.1Q trunking, but I prefer to use as much layer 3 as I can.

Routing

  • We are using OSPF for our routing protocol.
  • We will advertise all of our inside networks and keep everything in the backbone.
  • We are going to be a normal router; we don’t need stub or not-so-stubby areas because we are an internal router.
  • We don’t need to worry about range or virtual links.

Firepower Threat Defense – Logical Objects


Network Address Objects

  • A network object represents one or more IP addresses. Network objects are used in various places, including access control policies, network variables, intrusion rules, identity rules, network discovery rules, event searches, reports, and so on.
  • It is a good idea to create objects for each VLAN.
  • Where possible, also create objects for individual devices; some rules will require this.
  • It is a good idea to be as granular as possible, because this allows for flexibility and scalability in your rules and gives more insight into what is happening within your network.
  • After the individual objects are created we will create a network group object that will encompass all of our internal network.
  • This group object will be used throughout our policy creation.
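The per-VLAN objects and the group that wraps them can also be created through the FMC REST API instead of the web interface. The block below is an added example, not code from the original post: it builds the object and group bodies from a constructed VLAN table, checks the CIDRs for typos and overlaps before anything is sent, and only talks to an FMC when `FMC_HOST`, `FMC_USER` and `FMC_PASS` are set in the environment. The endpoint paths, the token headers and the body shapes are assumptions about the FMC REST API; confirm them against the API Explorer on your own FMC, and note that the FMC's self-signed certificate must be trusted by the host running the script.

```python
"""Build FMC REST API payloads for per-VLAN network objects and one group.

Added example, not from the original post. Endpoint paths, headers and body
shapes are assumptions about the FMC REST API; check them in API Explorer.
"""
import base64
import ipaddress
import json
import os
import urllib.request

# Constructed sample VLAN table (name -> CIDR); replace with your own.
VLANS = {
    "VLAN10-Servers": "10.0.10.0/24",
    "VLAN20-Users": "10.0.20.0/24",
    "VLAN30-Printers": "10.0.30.0/24",
}


def network_object(name, cidr):
    """Body for POST .../object/networks. strict=True rejects host bits,
    so a typo fails here rather than as an opaque 400 from the FMC."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {"name": name, "type": "Network", "value": str(net),
            "description": "Per-VLAN network object"}


def network_group(name, members):
    """Body for POST .../object/networkgroups. `members` is a list of
    (id, type) pairs taken from the objects the FMC returned on creation."""
    return {"name": name, "type": "NetworkGroup",
            "objects": [{"id": oid, "type": otype} for oid, otype in members]}


def build_plan(vlans):
    """Pure function: one object per VLAN, refusing overlapping ranges
    (overlaps are a common cause of rules matching more than intended)."""
    objects = [network_object(n, c) for n, c in vlans.items()]
    nets = [ipaddress.ip_network(o["value"]) for o in objects]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping networks: {a} and {b}")
    return objects


class FMCClient:
    """Minimal token-auth client (hypothetical helper, stdlib only)."""

    def __init__(self, host, user, password):
        self.base = f"https://{host}"
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(
            f"{self.base}/api/fmc_platform/v1/auth/generatetoken",
            method="POST", headers={"Authorization": f"Basic {cred}"})
        with urllib.request.urlopen(req) as resp:
            # Assumed header names for the access token and domain UUID
            self.token = resp.headers["X-auth-access-token"]
            self.domain = resp.headers["DOMAIN_UUID"]

    def post(self, path, body):
        req = urllib.request.Request(
            f"{self.base}/api/fmc_config/v1/domain/{self.domain}/{path}",
            data=json.dumps(body).encode(), method="POST",
            headers={"X-auth-access-token": self.token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)


if __name__ == "__main__":
    objects = build_plan(VLANS)
    print(json.dumps(objects, indent=2))
    # Network calls happen only when FMC credentials are supplied.
    if os.environ.get("FMC_HOST"):
        fmc = FMCClient(os.environ["FMC_HOST"], os.environ["FMC_USER"],
                        os.environ["FMC_PASS"])
        created = [fmc.post("object/networks", o) for o in objects]
        group = network_group("INSIDE-ALL",
                              [(c["id"], c["type"]) for c in created])
        print("group id:", fmc.post("object/networkgroups", group)["id"])
```

Run it without credentials to review the generated bodies first; the group is posted last because FMC group members are referenced by the ids the FMC assigns when each object is created.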

Ports

  • Port objects or groups represent different protocols. You can use port objects and groups in various places in the system’s web interface, including access control policies, identity rules, network discovery rules, port variables, and event searches.
  • Just like our network objects, we can create layer 4 TCP/UDP objects that will be used in the same manner.
  • You can also add ports directly in the access control policy (ACP) when creating rules, but they will not have a descriptive name.

Interfaces and Zones

  • Interface objects segment your network to help you manage and classify traffic flow. An interface object simply groups interfaces. These groups may span multiple devices; you can also configure multiple interface objects on a single device.
  • FTD is a zone-based system; creating security zones allows for easier management.

Application Filter

  • Application filters help you perform application control by organizing applications according to basic characteristics: type, risk, business relevance, category, and tags.
  • This can be used as a way to block web sites if you don’t have a license for URL filtering (this feature is included with the base license).
  • Add the selected filters.
  • You can choose the applications you want selected if you don’t want to choose all.
  • Add to Rule.
  • Save the new application filter.

Variable Sets

  • Variables represent values commonly used in intrusion rules to identify source and destination IP addresses and ports. You can also use variables in intrusion policies to represent IP addresses in rule suppressions, adaptive profile updates, and dynamic rule states.
  • Now we will edit our HOME_NET variable from ‘any’ to the network group object we created earlier.
  • This will give better insight and more security.
  • Add the new group object to the Included Networks list, replacing the ‘any’ object.
  • After saving the new object we can see it has been applied and our new variable set has been created.
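Why narrowing HOME_NET matters is easier to see with a rule header and two flows. The block below is an added example, not code from the original post: it expands `$HOME_NET` and `$EXTERNAL_NET` in a Snort-style rule header the way the intrusion engine does, then evaluates a constructed inbound flow and a constructed outbound flow under the default `any` and under the inside group. The rule text, the flows and the group membership are all constructed; the group reuses the three VLAN ranges used earlier on this page.

```python
"""Show what narrowing HOME_NET from 'any' to the inside group changes.

Added example, not from the original post. Mimics how a Snort rule header's
$HOME_NET / $EXTERNAL_NET variables are expanded; rule and flows are
constructed for illustration.
"""
import ipaddress

# Constructed: the inside network group from the post, as CIDRs
INSIDE_GROUP = ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]

# Constructed rule header in Snort syntax (only the header is evaluated)
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 445"

# Constructed flows: one inbound to a server VLAN, one outbound from users
FLOWS = [
    {"src": "203.0.113.7", "sport": 51000, "dst": "10.0.10.5", "dport": 445},
    {"src": "10.0.20.9", "sport": 52000, "dst": "198.51.100.3", "dport": 445},
]

DEFAULT = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
NARROWED = {"HOME_NET": INSIDE_GROUP, "EXTERNAL_NET": "any"}


def parse_header(rule):
    """Split 'action proto src sport -> dst dport' into its fields."""
    action, proto, src, sport, arrow, dst, dport = rule.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers handled here")
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


def resolve(token, variables):
    """Expand $VAR to its value; 'any' or a literal stays as written."""
    return variables[token[1:]] if token.startswith("$") else token


def addr_matches(addr, value):
    """value is 'any' or a list of CIDR strings."""
    if value == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in value)


def port_matches(port, value):
    return value == "any" or int(value) == port


def header_matches(rule, flow, variables):
    h = parse_header(rule)
    return (addr_matches(flow["src"], resolve(h["src"], variables))
            and port_matches(flow["sport"], resolve(h["sport"], variables))
            and addr_matches(flow["dst"], resolve(h["dst"], variables))
            and port_matches(flow["dport"], resolve(h["dport"], variables)))


def count_hits(variables, flows=FLOWS, rule=RULE):
    """How many of the flows the rule header would be evaluated against."""
    return sum(header_matches(rule, f, variables) for f in flows)


if __name__ == "__main__":
    print("HOME_NET any     :", count_hits(DEFAULT), "flows match")
    print("HOME_NET narrowed:", count_hits(NARROWED), "flows match")
```

With HOME_NET left at `any`, a rule written to catch inbound SMB traffic also fires on the outbound flow, which is noise in the event view and wasted inspection; with the group in place only the inbound flow matches, which is the "better insight" the post refers to.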

FMC Health Policies and Alerts

  • Health policies and alerts are an important part of managing devices.
  • At the top right corner of FMC we can see that there is currently an alert, which is being generated because I am using a demo license.
  • The FMC is making a ‘call’ every 5 minutes and Cisco is replying that I’m not worthy!
  • Let’s disable that since this is a lab environment; you would not want to do this in production, but I’m annoyed with seeing red.
  • The monitor gives us a breakdown of the health monitors that are hitting counters.

Health Policies

  • Now we go into the policy section of the health tab and create a new policy.
  • This policy will be applied to our FTD and FMC.
  • Disable the Smart licensing status monitor by selecting off and then saving the configuration.

SNMP Alert

  • Next we will continue to create our Syslog and SNMP alerts.

Syslog Alerts

That’s All Folks!

  • The SNMP/SYSLOG alerts should now be live once we have selected all modules we want, the severity at which they are defined and the alerts we choose.

Firepower Management Console System Configuration


Syslog

  • Setting up a syslog server prevents another user on the FMC from deleting the logs. This also keeps a backup of your logs.
  • Set ‘send audit to syslog’ to enabled.
  • Enter the syslog server’s IP address for the host.
  • Change the facility to SYSLOG.
  • Set the severity to what you would like.
  • Test the syslog server, then Save once you have verified it is working.
  • You will be greeted with a Success message after the configuration change has taken effect.
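On the receiving side, the facility and severity chosen above arrive encoded in the `<PRI>` prefix of each syslog message (PRI = facility × 8 + severity). The block below is an added example, not code from the original post: it decodes PRI using the standard facility and severity numbers, keeps only messages from the SYSLOG facility at or above a chosen severity, and appends them to a local file so the audit trail survives anything done on the FMC itself. The sample lines are constructed to resemble FMC audit records; the real message text may differ.

```python
"""Decode syslog PRI on forwarded FMC audit messages and keep a local copy.

Added example, not from the original post. Facility and severity numbers
are the standard syslog values; the sample lines are constructed.
"""
import re

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample messages as a collector might receive them
SAMPLES = [
    "<45>Jan 10 12:00:01 fmc admin: Login Success",          # syslog.notice
    "<44>Jan 10 12:00:09 fmc admin: Audit log purge requested",  # syslog.warning
    "<47>Jan 10 12:00:11 fmc task: Health poll complete",    # syslog.debug
    "<13>Jan 10 12:00:15 fmc kernel: unrelated user.notice", # user.notice
]


def decode_pri(line):
    """Return (facility name, severity name, rest of message)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    fac = FACILITIES.get(pri // 8, f"facility{pri // 8}")
    return fac, SEVERITIES[pri % 8], m.group(2)


def should_keep(line, facility="syslog", min_severity="notice"):
    """True when the message is from `facility` and at least as severe as
    `min_severity` (lower severity number means more severe)."""
    fac, sev, _ = decode_pri(line)
    return (fac == facility
            and SEVERITIES.index(sev) <= SEVERITIES.index(min_severity))


def select(lines, **filters):
    """Pure filter so the archive step is easy to check in isolation."""
    return [ln for ln in lines if should_keep(ln, **filters)]


def archive(lines, path, **filters):
    """Append kept messages to a file; returns how many were written."""
    kept = select(lines, **filters)
    with open(path, "a", encoding="utf-8") as fh:
        fh.writelines(ln + "\n" for ln in kept)
    return len(kept)


if __name__ == "__main__":
    for ln in SAMPLES:
        print(decode_pri(ln)[:2], "keep" if should_keep(ln) else "drop")
```

Set `min_severity` to whatever you picked in the FMC dialog; the threshold here and on the FMC should agree, otherwise messages the FMC sends are silently dropped by the collector or, the other way round, never sent at all.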

Login Banner

  • Create a login banner with whatever login greeting you would like.
  • It is a good idea to display an authorization warning for the login banner or any message you would like users to see once logged into the FMC.
  • Save the login banner once completed.

Change Reconciliation

  • Change reconciliation allows a report to be generated every x hours:minutes to provide a history of what configurations have changed.

Email Notification

  • Enter in your information as needed.
  • The from address can be whatever you like; all other information will need to be legitimate.

HTTPS Server Certificate

  • Creating an HTTPS certificate.

Management Interfaces

  • Hostname of the device
  • Domain name the device is in.
  • DNS servers
  • Remote management port
  • Don’t forget to hit save!

Remote Storage Device

SNMP

  • Set up SNMPv2.
  • Create an ACL pointing to ISE or whatever you’re using for SNMP.