Default gateway
SSNGFW

Certification Path
New Cert Track CCNP Feb 2020 Link
New Cert Track CCNA Feb 2020 Link
New Re-certification Policy Link
dCloud labs etc.
Cisco Secure FMC V7.1 Instant Demo Link
Cisco Secure Firewall Lab V7.1 Link
Cisco Firewall on YouTube Link

Useful Links
MAC ACL Rules
QUICK LINK TO NGFW RESOURCES LINK
New Migration tool ASA to FTD, no FMC required Link
CDO, scaled-up solution of FMC for Firepower only Link
Dissecting Firepower Cisco Live 2020 Link
No Support for Active/Active Failover >= V6.3 Link
V7.0.1 Link
Renaming of Cisco Security Products (SecureX) Link
Learning Services Lab Portal Link
Cisco Learning Lab Portal (Instructor & Student) Link
Cisco Digital Learning Library (course material, labs) Link
Firepower downloads, i.e. VDB and more Link
NGFW Sizing Tools (appears to require a CCO account with high-privilege access)
Firepower Performance Estimator Link
FIREPOWER
Bulk import of Networks/ports via REST API Link
9300 Data Sheet 20th April 2020 Link
Multi-Instance Capability on Firepower 4100/9300 Link
FTD vs ASA Firepower Link
NGFWv Data Sheet Link
Firepower Release Notes April 2020 (6.6 and below) Link
Licensing Firepower 6.5 Link
Firepower Management Centre Config Guide 6.5 Link
FMC Hardware and Virtual Platforms current 2019 Link
FMC EOL Platforms (750, 1500, 2000, 4000) Link
Good Firepower Compatibility Guide Link
Good ASA Compatibility Guide Link
Licensing Firepower 6.2.2 Link
Firepower System Feature Licenses Link
ASA & Firepower Data Sheet (licensing etc., June 2019) Link
Firepower Ports and Communication Protocols Link
Password recovery on the 2100 Link
You cannot change the FTD password through the FMC Link
Note that later versions of the FDM have more capability, but it is still not in the same league as the FMC.
FMC High Availability options (Active/Standby) Link
9300 Active/Active failover IS supported 8/2021 Link
FTD Packet Flow Link
Dissecting Firepower NGFW FTD BRKSEC-3455 Link
Passive/Active Authentication Link
FTD V6.3 Multi-instance support Link
Configure FTD management interface via FXOS Link
Firepower DDoS Protection through Radware Link

Cisco Live Links
BRKSEC-2020 including failover and caveats, REALLY GOOD link
ASA to FTD Migration Link
AMP & Threat Grid Integration ESA Link
Firepower Platform Deep Dive Link
Excellent Cisco Live Firepower Presentation Feb 2018 Barcelona
FirePower for CCIE Security Candidates - BRKCCIE-3200

Useful Files
WhiteBoard Files
YouTube Videos
Lab Minutes Correlation Rules Link
Firepower --> pxGrid --> ISE, 17 mins in and 22 mins in
Great video on the new feature to generate tech-support files
Good license video for FTD through FMC to Smart Licensing
Course Content
Release Notes V7.1 December 2021 Link
Release Notes V7.0.0/1 October 2021 Link (Snort V3 Support / RA VPN Load Balancing)
Previous versions V6.7, V6.6, V6.5, V6.4, V6.3
Release Notes V6.7 November 2020 Link
VTI Support
FMC Configuration Guide 7.0 Oct 2021 Link
FMC Configuration Guide 6.6 7th April 2020 Link
FMC Configuration Guide 6.5 pdf (2700 pages) Link

Cisco Firepower Threat Defense
Notes:
1. System configuration settings are configured in two areas: one for the FMC (System --> Configuration) and one for the FTD devices (Devices --> Platform Settings).
2. Single area to configure health policies: System --> Health Policy. However, a single policy has different health modules for the FMC and the FTD. Link

All security products Link
Cisco Secure Firewall 3100 (brand new 4/2022) Link
Firepower Ports and Communication Protocols Link
Secure Access to Internet Feeds (proxy URLs) Link
Limit the number of hosts per domain (global 150000 max) Link
FTD and ISE SGT Link
TrustSec Support matrix including FTD Link
LabMinutes Video SGT Pt2 Link
FMC vs CDO Link
FDM Features Link
Good Product Overview (2017) 2100/4100/9300 Link
Product Overview Firepower 1000 Link
4100/9300 Internal Architecture Link
Add devices behind NAT with NAT ID (IP blank) Link
All Management Platforms and devices Link
Note the 5508 and 5512 do not support the latest FTD.
Firepower Management Centre Configuration Guides Link
Cisco Firepower NGFW Virtual Install and Upgrade Guides Link
Cisco Firepower NGFW Install and Upgrade Guides Link
Firepower Management Centre Installation Guide 6.0 and later Link
SafeSearch Link
Cisco, more general Link
VDB Updates Link
Management and Diagnostic interface Link Link2
ASA 5585-X EOL
Cisco Defense Orchestrator (CDO) Link
Lab Minutes Multi-domain management Video 1 of 2
Lab Minutes Multi-domain management Video 2 of 2
FMC Platforms March 2021 Link (performance expressed in bps, M or G)
Browser requirements Link
FMC High Availability (Active/Standby) Link
FMC Configuration Guides Link
FMC EOL Platforms (750, 1500, 2000, 4000) Link
Configuring Static and Default routes (Tunneled) Link
Community link for tunneled explanation Link
FXOS for the 1000/2100 and 3100 for FTD Link
FXOS on the 1000/2100 and 3100 is not full FXOS (built into the ASA and FTD code; on the 4100/9300 it is separate) Link
FXOS Configuration Guide CLI/GUI Link
Demo license: 25 of everything despite saying 0, see video
Licensing Firepower V7.0 Link
Licensing Firepower 6.5 Link
Smart Licensing via Cisco Smart Software Manager Link
Smart Software Satellite Server air-gapped from the internet Link
vPC/Port-Channel (Nexus) Link
VSS (Virtual Switching System) & vPC Link

Firepower NGFW Configuration
Security Certifications Compliance (CC/UCAPL) Link
Communication ports used in Firepower (TCP 8305) Link
No IP Address on Standby Interface (ASA) Link
Transfer Packets option when adding a device Link
Revert configs through FDM (not FMC, 6.4) Link
Initial config with USB keyboard and VGA monitor on the appliance Link
The FMC can record from 10 million events to 300 million Link
Cisco Community Link on Max Events Link
Migrate ASA Context to FTD Instance Link
FTD SM-44 Module can support 14 instances Link
Fail to Wire (NetMods) Link
2100 and above interface modes, IPS mode (no firewall features) Link
Management & Diagnostic Interfaces Link
FXOS for 4100/9300 Link
FXOS for 2100: small subset of FXOS, interface config, no cluster Link
2100 Architecture Link
Difference between FXOS/ASA/Firepower (Cisco Community) Link
Configuring interfaces in FXOS Link
Not in course: Firepower 1000 Series Link
NAT ID, uses a unique registration ID (no unique IP) Link
Firepower Deep Dive Link
Configuring FTD HA, Active/Standby support only Link
Clustering on the 4100/9300 ASA (16 per module/chassis) Link
Clustering FTD 4100/9300 now 6. The reason for often seeing 5 is that you could have 3 modules per 9300, giving you 15; one more 9300 with 3 modules would give you 18 (too many).
On FTD all interfaces have security level = 0 Link (search "Traffic between FTD interfaces (inter) and (intra) is allowed by default")
Security Levels Cisco Community question Link
FTD Clustering 9300/4100 (6/cluster) Link
Ver 6.2 Rel Link
Configure clustering on FTD 9300 Link
• Firepower 9300: You can include up to 6 units in the cluster. For example, you can use 1 module in 6 chassis, or 2 modules in 3 chassis, or any combination that provides a maximum of 6 modules. Supports intra-chassis and inter-chassis clustering.
• Firepower 4100 series: Supported for up to 6 units using inter-chassis clustering.
ASA Clustering 9300/4100 (16/cluster, 9.13 code) Link
Ethernet MIX (EMIX) Link
Tunneled static route (for VPN traffic) Link
ASA to FTD Reimage guide (includes 550X) Link
Health Monitoring runs every 5 minutes.
JDBC Driver for external FMC database access Link

Firepower NGFW Traffic Control
New Migration tool ASA to FTD, no FMC required Link
Excellent link to clarify FTD flows Link
A great link explaining the order of prefilter/ACP processing Link
Carrier-grade NAT (100.64.0.0)
A customer using 169.254 (link-local) addresses had an issue because FTD uses this address range internally Link
DAQ (Data Acquisition) Troubleshooting Link
QoS option on FTD is to rate limit Link
QoS 6.3 and above priority queue fudge Link
True priority queueing still not supported in V7.0 Link
QoS FMC Guide V6.5 Link
Lina code (ASA) before and after the Snort process Link
Packet Latency Thresholding Link
2100 Architecture, no SmartNIC Link
Hardware bypass, fail-to-wire Link
Fail to Wire Hardware Modules Link
ACP offloads, fastpath etc. SmartNIC Link
Flow Offload (V6.3 now supports Snort) Link
FlexConfig replaced by Service Policies 6.3 onwards Link
FlexConfig is still present in 6.3 to configure features outside the GUI, i.e. EIGRP; however, connection limits are created in the advanced area of the ACP under "Threat Defense Service Policy".
Configuring TCP state bypass using FlexConfig Link
Elephant/fat flow Link

Firepower NGFW Address Translation
Identity NAT / Exemption NAT (VPN) are essentially the same Link
Good link on options for NAT/PAT in FMC Link
NAT and access rules work identically to ASA, i.e. pre-NAT Link
Excellent in-depth NAT Guide Link
Firepower NAT (legacy 7000/8000) or FTD NAT (& ASA) Link
FQDNs in Network Objects post 6.3 Link

Firepower Discovery
Network Discovery Configuration Link
Active Discovery Link
Use other active methods like NMAP and edit attributes
YouTube video of how to configure NMAP on FMC Link
Host Input API Guide Link
Note: Regardless of the Network Discovery Policy, if traffic is blocked or trusted in the ACP then host information is not collected. Network discovery runs after the ACP and before the File and IPS policies.

Implementing Access Control Policies
ACP: Mandatory FIRST, Default LAST Link
Notes
1. 80% hit to do SSL decryption on the box.
2. A yellow triangle in the rule header indicates a licensing issue.
3. Blocked or trusted traffic, therefore no Network Discovery.
4. Talos-maintained black/white lists and custom lists.
5. The default ACP rule with no entries, i.e. the default action, uses the Balanced Security and Connectivity intrusion policy to inspect traffic before allowing it to its final destination.
6. All out-of-date policies are deployed together and not individually as before.
7. No wildcard allowed in the URL field.

Links
ACP Rules Link
NAT and access rules work identically to ASA, i.e. pre-NAT Link
Application inspection needs to see packets (dozens) Link
FQDNs in Network Objects post 6.3 Link
Interface modes, IPS mode (no firewall features) Link
Passive interfaces - Inline Sets (Interfaces) Link
The FMC can record from 10 million events to 300 million Link
Cisco Community Link on Max Events Link
Backup/Restore including events Link
Events are FIFO Link
Mandatory rules vs default rules in ACP Link
Prefilters are only relevant to FTD and not classic devices, i.e. ASA

Security Intelligence
Check the time of update of the SI feeds in Object Management.
Delete additions to the Global Lists via Object Management.
Firepower Security Intelligence feeds to FMC Link
Punycode Link
TID, part of the FMC for third-party feeds (STIX etc.) Link; helps aggregate intelligence data (observables)
3rd Party Integration of SI Feeds (STIX/TAXII) Link

File Control and Advanced Malware Protection
"First Time File Analysis"
Based on your configuration, you can either inspect a file the first time the system detects it, and wait for a cloud lookup result, or pass the file on this first detection without waiting for the cloud lookup result.

Notes
1. ClamAV was added to Firepower services (FMC) in 6.2. It is built into FTD.
2. Local analysis is independent of dynamic analysis. If local analysis determines the file is malware then it is not submitted to Threat Grid. Can select both in the rule, see above.
3. In the latest versions the managed device holds onto the last part of the file submitted; if the file is identified as malware then the last piece is dropped, otherwise it is transmitted.
4. Separate area in FMC to configure AMP options like private cloud; it is a top-level menu option "AMP".
5. If the local malware analysis can determine a file as malware, the file will not be submitted to Threat Grid.

Links
Application Preprocessors Link
Network Layer/Transport Layer Preprocessors Link
On-Premise AMP Link
Malware Protection Methods (Spero etc.) Link
First Time File Analysis (search in Link) Link
File Policies (Store Files) Link
Custom Detection List & Clean List are in "File Objects" Link
Threat updates including ClamAV every 30 minutes Link

IPS
Notes:
New custom variable set includes all the default variable set entries.

Site to Site VPN
sysopt connection permit-vpn Link
No DMVPN/GETVPN/EzVPN support
Route-based VPNs (VTIs, V6.7) Link
Cross-domains, i.e. devices in leaf domains Link

Remote Access VPN
NOTE:
a) You can enable a 90-day eval license for four licenses: Base/Threat/Malware and URL Filtering. You cannot deploy Remote Access VPN if the following is true: Smart Licensing on the Firepower Management Center is running in evaluation mode.
b) The Firepower System does not currently support TLS version 1.3 encryption or decryption. When users visit a web site that negotiates TLS 1.3 encryption, users might see errors similar to the following in their web browser:
Features still not supported in V7.0 Link
CWS vs Umbrella (Cisco AnyConnect) Link
VPN local users supported V7.1 (search "local users") Link
Certificate Chains Link
FAQs AnyConnect Licensing Link
Register AnyConnect license for use with FTD Link
Remote Access VPN and FTD Link

SSL Decryption
NO TLS V1.3 support yet in V6.6 Link
POODLE, FREAK, BEAST ... (SSL vulnerabilities) Link
Understanding Traffic Decryption Link
Config 2020 V6.3 SSL Decrypt Link
Cisco Live (2020) Decryption Firepower Link
HTTP/2, SPDY, QUIC Link

Event Analysis
Log retention duration is dependent on the number of events Link
Can query the database with SQL. Cisco provides the "RunQuery" CLI database query tool.
The FMC can record from 10 million events to 300 million Link
Cisco Community Link on Max Events Link
eStreamer protocol Firepower v6.2 Link
eStreamer and Splunk integration Link
L/H Blue Arrow in workflow output Link

System Admin
Notes:
Intrusion rule updates (Snort)
Geolocation database updates (GeoDB)
Vulnerability database updates (VDB)
Software Updates
SRU & VDB Link
How to do a Manual/Auto update Link (see diagrams above)
Stacked devices (8000) Link
Implicit permissions via LDAP authentication (Authentication Objects) Link
ClamAV Local Malware Updates Link

Troubleshooting
Note:
With the firewall-engine-debug command you can confirm whether a traffic flow is evaluated against the proper Access Control rule.
Debugging on the CLI Link
"system support diagnostic-cli"