Default gateway
SSNGFW
- Certification Path Link
- New Cert Track CCNP Feb 2020 Link
- New Cert Track CCNA Feb 2020 Link
- New Re-certification Policy Link
Useful Links
- Learning Services Lab Portal Link
- Cisco Learning Lab Portal (Instructor & Student) Link
- Cisco Digital Learning Library (course material, labs) Link
- Firepower downloads, i.e. VDB and more Link
- NGFW Sizing Tools: Firepower Performance Estimator Link
FIREPOWER
- 9300 Data Sheet, 20th April 2020 Link
- Multi-Instance Capability on Firepower 4100/9300 Link
- FTD vs ASA Firepower Link
- NGFWv Data Sheet Link
- Firepower Release Notes, April 2020 (6.6 and below) Link
- Licensing Firepower 6.5 Link
- Firepower Management Centre Config Guide 6.5 Link
- FMC Hardware and Virtual Platforms, current 2019 Link
- FMC EOL Platforms (750, 1500, 2000, 4000) Link
- Good Firepower Compatibility Guide Link
- Licensing Firepower 6.2.2 Link
- Firepower System Feature Licenses Link
- ASA & Firepower Data Sheet (licensing etc., June 2019) Link
- Firepower Ports and Communication Protocols Link
- FMC High Availability options (Active/Standby) Link
- FTD Packet Flow Link
- Dissecting Firepower NGFW FTD, BRKSEC-3455 Link
- Passive/Active Authentication Link
- FTD v6.3 Multi-instance support Link
- Configure FTD management interface via FXOS Link
- Firepower DDoS Protection through Radware Link
Cisco Live Links
- BRKSEC-2020, including failover and caveats, REALLY GOOD Link
- ASA to FTD Migration Link
- AMP & Threat Grid Integration (ESA) Link
- Firepower Platform Deep Dive Link
- Excellent Cisco Live Firepower presentation, Feb 2018 Barcelona: Firepower for CCIE Security Candidates, BRKCCIE-3200
Useful Files
WhiteBoard Files
YouTube Videos
- Good license video for FTD through FMC to Smart Licensing
Course Content
Cisco Firepower Threat Defense
Notes:
1. System configuration settings are configured in two areas: one for the FMC (System > Configuration) and one for FTD devices (Devices > Platform Settings).
2. There is a single area to configure Health Policies (System > Health > Policy). One policy can be applied to both FMC and FTD, or they can have separate policies.
Links
- All security products Link
- Firepower Ports and Communication Protocols Link
- Secure Access to Internet Feeds (proxy URLs) Link
- FTD and ISE SGT Link
- TrustSec Support Matrix including FTD Link
- LabMinutes video, SGT Pt 2 Link
- Good Product Overview (2017) 2100/4100/9300 Link
- Product Overview Firepower 1000 Link
- 4100/9300 Internal Architecture Link
- Add devices behind NAT with a NAT ID (IP left blank) Link
- Firepower Management Centre Configuration Guides Link
- Cisco Firepower NGFW Virtual Install and Upgrade Guides Link
- Cisco Firepower NGFW Install and Upgrade Guides Link
- Firepower Management Centre Installation Guide, 6.0 and later Link
- SafeSearch Link
- Cisco, more general Link
- VDB Updates Link
- All Management Platforms and devices Link. Note: the ASA 5506-X and 5512-X do not support the latest FTD (FTD 6.2.3 was their last release); the ASA 5585-X is EOL.
- Cisco Defense Orchestrator (CDO) Link
- LabMinutes Multi-domain management, video 1 of 2
- LabMinutes Multi-domain management, video 2 of 2
- FMC High Availability (Active/Standby) Link
- FMC Platforms 2020 Link. Performance is expressed in bps (M or G).
- FMC Configuration Guides Link
- FMC EOL Platforms (750, 1500, 2000, 4000) Link
- Configuring Static and Default Routes (tunneled) Link
- Community link explaining tunneled routes Link
- FXOS Configuration Guide, CLI/GUI Link
- Demo (evaluation) license: 25 of everything despite showing 0, see video
- Licensing Firepower 6.5 Link
- Smart Licensing via Cisco Smart Software Manager Link
- Smart Software Satellite Server, air-gapped from the internet Link
- vPC/Port-Channel (Nexus) Link
- VSS (Virtual Switching System) & vPC Link
Firepower NGFW Configuration
- Security Certifications Compliance (CC/UCAPL) Link
- Revert configs through FDM (not FMC, 6.4) Link
- Initial config via USB keyboard and VGA monitor on the appliance Link
- The FMC can record from 10 million events to 300 million Link
- Cisco Community link on max events Link
- Migrate ASA Context to FTD Instance Link
- FTD SM-44 module can support 14 instances Link
- Fail to Wire (NetMods) Link, 2100 and above
- Interface modes: IPS mode (no firewall features) Link
- Management & Diagnostic Interfaces Link
- FXOS for 4100/9300 Link
- FXOS for 2100: a small subset of FXOS, interface config only, no clustering Link
- 2100 Architecture Link
- Difference between FXOS/ASA/Firepower (Cisco Community) Link
- Not in course: Firepower 1000 Series Link
- NAT ID: use a unique registration ID when there is no unique IP Link
- Firepower Deep Dive Link
- Configuring FTD HA: Active/Standby is the only mode supported Link
- Clustering on the 4100/9300 with ASA: 16 units per cluster Link
- Clustering FTD on the 4100/9300: now 6 units per cluster
- On FTD all interfaces have security level 0 Link (search: "Traffic between FTD interfaces (inter) and (intra) is allowed by default")
- Security levels, Cisco Community question Link
- FTD Clustering 9300/4100 (6 per cluster) Link, version 6.2 release notes Link
- Configure clustering on FTD 9300 Link
  • Firepower 9300: you can include up to 6 units in the cluster. For example, 1 module in 6 chassis, or 2 modules in 3 chassis, or any combination that provides a maximum of 6 modules. Supports intra-chassis and inter-chassis clustering.
  • Firepower 4100 series: supported for up to 6 units using inter-chassis clustering.
- ASA Clustering 9300/4100 (16 per cluster, 9.13 code) Link
- Ethernet MIX (EMIX) Link
- Tunneled static route (for VPN traffic) Link
- ASA to FTD Reimage Guide (includes 550X) Link
- Health monitoring runs every 5 minutes.
- JDBC driver for external FMC database access Link
Firepower NGFW Traffic Control
- Excellent link to clarify FTD flows Link
- A great link explaining the order of prefilter/ACP processing Link
- DAQ (Data Acquisition) Troubleshooting Link
- The QoS option on FTD is rate limiting Link
- QoS 6.3 and above, priority-queue fudge Link
- QoS FMC Guide v6.5 Link
- Lina code (ASA) before and after the Snort process Link
- Packet Latency Thresholding Link
- Hardware bypass, fail-to-wire Link
- Fail to Wire Hardware Modules Link
- ACP offloads, fastpath etc., SmartNIC Link
- Flow Offload (v6.3 now supports Snort) Link
- FlexConfig partly replaced by the Threat Defense Service Policy from 6.3 onwards Link. FlexConfig is still present in 6.3 to configure features outside the GUI (e.g. EIGRP); connection limits, however, are now created in the ACP Advanced tab under "Threat Defense Service Policy".
- Configuring TCP state bypass using FlexConfig Link
- Elephant/fat flows Link
Firepower NGFW Address Translation
- NAT and access rules work identically to ASA, i.e. access rules match real (pre-NAT) addresses Link
- Excellent in-depth NAT guide Link
- Firepower NAT (legacy 7000/8000) vs FTD NAT (& ASA) Link
- FQDNs in network objects, post 6.3 Link
Firepower Discovery
- Network Discovery Configuration Link
- Active Discovery Link. Use other active methods such as Nmap and edit host attributes.
- YouTube video on how to configure Nmap on FMC Link
- Host Input API Guide Link
Note: Regardless of the Network Discovery Policy, if traffic is blocked or trusted in the ACP then host information is not collected. Network discovery runs after the ACP decision and before the File and IPS policies.
Implementing Access Control Policies
Notes
1. SSL decryption on the box costs roughly an 80% performance hit.
2. A yellow triangle in the rule header indicates a licensing issue.
3. Blocked or trusted traffic gets no Network Discovery.
4. Security Intelligence uses Talos-maintained black/white lists plus custom lists.
5. With no rules in the ACP the default action applies; the default action uses the Balanced Security and Connectivity intrusion policy to inspect traffic before allowing it to its final destination.
6. All out-of-date policies are deployed together, not individually as before.
Links
- ACP Rules Link
- NAT and access rules work identically to ASA, i.e. access rules match real (pre-NAT) addresses Link
- Application inspection needs to see packets (dozens of them) Link
- FQDNs in network objects, post 6.3 Link
- Interface modes: IPS mode (no firewall features) Link
- Passive interfaces, Inline Sets (Interfaces) Link
- The FMC can record from 10 million events to 300 million Link
- Cisco Community link on max events Link
- Backup/Restore including events Link
- Events are FIFO Link
- Mandatory rules vs default rules in ACP Link
- Prefilters are only relevant to FTD, not to classic devices (e.g. the ASA FirePOWER module)
Security Intelligence
File Control and Advanced Malware Protection
"First Time File Analysis"
Based on your configuration, you can either inspect a file the first time the system detects it and wait for the cloud lookup result, or pass the file on first detection without waiting for the cloud lookup result.
Notes
1. ClamAV (local malware analysis) was added to Firepower Services (FMC) in 6.2; it is built into FTD.
2. Local analysis is independent of dynamic analysis: if local analysis determines a file is malware, the file is not submitted to Threat Grid. Both can be selected in the rule (see above).
3. In the latest versions the managed device holds onto the last part of a submitted file; if the file is identified as malware the last piece is dropped, otherwise it is transmitted.
4. A separate area of the FMC configures AMP options such as the private cloud; it is a top-level menu option, "AMP".
Links
- Application Preprocessors Link
- Network Layer/Transport Layer Preprocessors Link
- On-premise AMP Link
- Malware Protection Methods (Spero etc.) Link
IPS
Notes:
A new custom variable set includes all of the default variable set's entries.
Site to Site VPN
No DMVPN/GETVPN/EzVPN support.
Remote Access VPN
NOTE:
You can enable a 90-day evaluation license for the four licenses: Base, Threat, Malware and URL Filtering. You cannot deploy Remote Access VPN if Smart Licensing on the Firepower Management Center is running in evaluation mode.
- Certificate Chains Link
- FAQs: AnyConnect Licensing Link
- Register an AnyConnect license for use with FTD Link
- Remote Access VPN and FTD Link
SSL Decryption
No TLS 1.3 support yet in v6.6 Link
- POODLE, FREAK, BEAST ... (SSL vulnerabilities) Link
- Understanding Traffic Decryption Link
- Config 2020, v6.3 SSL Decrypt Link
- Cisco Live (2020) Decryption on Firepower Link
- HTTP/2, SPDY, QUIC Link
Event Analysis
The event database can be queried with SQL.
- The FMC can record from 10 million events to 300 million Link
- Cisco Community link on max events Link
- eStreamer protocol, Firepower v6.2 Link
- eStreamer and Splunk integration Link
System Admin
Notes:
- Intrusion rule updates (Snort)
- Geolocation database updates (GeoDB)
- Vulnerability database updates (VDB)
Troubleshooting
Note:
With the system support firewall-engine-debug command (FTD CLI) you can confirm whether a traffic flow is evaluated against the proper Access Control rule.
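Working out which rule a flow should hit is usually the first step before reading the debug output. The script below is an added example, not Cisco code and no substitute for running the debug on a real device: it models the evaluation order collected in these notes (prefilter in LINA before Snort, then Security Intelligence, then access control rules with the mandatory section ahead of the default section, then the ACP default action) and records whether the flow ever reaches Snort and whether host discovery applies, since blocked and trusted traffic is not discovered. The rule names, addresses and the policy itself are constructed for the walk-through.

```python
"""Offline model of the FTD evaluation order summarised in these notes.
Added example, not Cisco code.  Order modelled:
  1. prefilter policy (LINA, before Snort): fastpath / block end here, analyze continues
  2. Security Intelligence block list (Snort), before any access control rule
  3. access control rules, every mandatory rule before any default-section rule, first match wins
  4. ACP default action when nothing matched
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def in_any(addr: str, cidrs: List[str]) -> bool:
    """True when addr is inside any of the CIDRs; an empty list means 'any'."""
    if not cidrs:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    action: str                                      # prefilter: fastpath/block/analyze; ACP: allow/trust/block
    src: List[str] = field(default_factory=list)     # CIDRs; empty = any
    dst: List[str] = field(default_factory=list)
    proto: Optional[str] = None                      # None = any
    dports: List[int] = field(default_factory=list)  # empty = any

    def matches(self, f: Flow) -> bool:
        return (in_any(f.src, self.src) and in_any(f.dst, self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (not self.dports or f.dport in self.dports))


@dataclass
class Verdict:
    stage: str       # where the decision was made
    rule: str
    action: str
    snort: bool      # False when LINA decided and Snort never saw the flow
    discovery: bool  # host/app discovery happens only on allowed, inspected traffic


@dataclass
class Policy:
    prefilter: List[Rule]
    si_blocklist: List[str]
    mandatory: List[Rule]
    default_rules: List[Rule]
    default_action: str = "allow"  # the notes' default: allow, inspected by the Balanced Security and Connectivity IPS policy


def evaluate(p: Policy, f: Flow) -> Verdict:
    # 1. Prefilter runs in LINA before Snort: fastpath and block end processing here.
    for r in p.prefilter:
        if r.matches(f):
            if r.action in ("fastpath", "block"):
                return Verdict("prefilter", r.name, r.action, snort=False, discovery=False)
            break  # "analyze": hand the flow to Snort for full access control
    # 2. Security Intelligence is checked before any access control rule.
    if p.si_blocklist and (in_any(f.src, p.si_blocklist) or in_any(f.dst, p.si_blocklist)):
        return Verdict("security-intelligence", "block-list", "block", snort=True, discovery=False)
    # 3. Mandatory section first, then the default section; first match wins.
    for stage, rules in (("acp-mandatory", p.mandatory), ("acp-default-section", p.default_rules)):
        for r in rules:
            if r.matches(f):
                return Verdict(stage, r.name, r.action, snort=True, discovery=(r.action == "allow"))
    # 4. Nothing matched: the ACP default action applies.
    return Verdict("acp-default-action", "(default action)", p.default_action,
                   snort=True, discovery=(p.default_action == "allow"))


def sample_policy() -> Policy:
    """Constructed policy for the walk-through; addresses are private / RFC 5737 ranges."""
    return Policy(
        prefilter=[Rule("Backup-Fastpath", "fastpath", src=["10.10.0.0/24"],
                        dst=["10.20.0.5/32"], proto="tcp", dports=[873])],
        si_blocklist=["198.51.100.0/24"],
        mandatory=[Rule("Block-Web-to-DMZ", "block", dst=["10.30.0.0/24"], proto="tcp", dports=[80, 443]),
                   Rule("Trust-SIP", "trust", proto="udp", dports=[5060])],
        default_rules=[Rule("Allow-Web", "allow", proto="tcp", dports=[80, 443])],
    )


def walk_through() -> Dict[str, Verdict]:
    """Evaluate a few constructed flows; each illustrates one ordering rule from the notes."""
    p = sample_policy()
    flows = {
        "backup":       Flow("10.10.0.7", "10.20.0.5", "tcp", 873),     # prefilter fastpath, Snort never sees it
        "si-hit":       Flow("10.10.0.7", "198.51.100.9", "tcp", 443),  # Allow-Web would match, but SI is checked first
        "dmz-web":      Flow("10.10.0.7", "10.30.0.2", "tcp", 443),     # mandatory block beats default-section allow
        "sip":          Flow("10.10.0.7", "203.0.113.10", "udp", 5060), # trusted: no discovery, no IPS/file inspection
        "internet-web": Flow("10.10.0.7", "203.0.113.10", "tcp", 443), # allowed: inspected and discovered
        "ssh":          Flow("10.10.0.7", "203.0.113.10", "tcp", 22),   # no rule matches: default action
    }
    return {name: evaluate(p, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, v in walk_through().items():
        print(f"{name:13} {v.stage:22} {v.rule:18} {v.action:8} snort={v.snort} discovery={v.discovery}")
```

The "dmz-web" and "si-hit" flows are the ones worth comparing against real debug output: both would be allowed by the default-section web rule if that were the only thing evaluated, and both are stopped earlier in the order.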