
Firepower series notes

2025-01-15 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This time we will talk about the Firepower series, mainly because ASA is already familiar territory: even if you forget something there, you can look it up in the documents. With FMC, many operations are genuinely unfamiliar.

Some basic operations have been mentioned before:

https://blog.51cto.com/9272543/2397002

Use the script to modify the IP address of FMC (run as root):

sudo /usr/local/sf/bin/configure-network

On FTD, use the configure network and configure manager commands instead.

1. License

Let's start with licensing. One type is the traditional (classic) license; NGIPSv and ASA with FirePOWER services use this kind of license.

The newer FTD platforms all use Smart Licensing.

Smart license components: Base, Threat, Malware, URL Filtering.

Among them, the Base license includes user authentication and application identification.

The Threat license covers the IPS policy (this is the core of Firepower).

Malware: this is actually AMP and AMP Threat Grid, which can be combined with antivirus software.

URL Filtering: web link filtering; there is nothing more to say.

2. Overall policy structure

With so many Cisco documents, there isn't even one for this! Only this one.

But it does not mention Security Intelligence, SSL policy, etc.

For beginners the text alone is impossible to follow, and qyt sums it up very well:

Security Intelligence -> SSL policy (optional, if you want to decrypt traffic) -> Network Analysis policy -> Access Control Policy -> Network Discovery Policy -> File policy -> Intrusion policy -> Default action intrusion policy

If you only look at the FMC configuration interface, you would have no idea that this is the logical order.

Taking them one by one: Security Intelligence is a blacklist function provided by Cisco.

In fact there is nothing to configure; as long as FMC can reach the Internet, it automatically downloads the lists.

Access Control Policy

User-Based Authentication

Active Directory Integration

Keep in mind that Firepower requires a manual download of this user information.

Requesting a certificate for FMC is really just an openssl operation; if you do the wireless track, IE and WLC are handled the same way.

First run sudo su - to switch to root:

openssl genrsa -des3 -out Fire.key 2048    # generate an encrypted RSA private key

openssl req -new -key Fire.key -out Fire.csr    # generate a CSR from that key

Put the CSR under the home directory, because WinSCP logged in as admin has no permission on root's directory.

After downloading the CSR and key with WinSCP, the web server type is still used when applying for the certificate.

Import the Root CA and the internal certificate on FMC.
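The key and CSR steps above, as an added example that is not from the original post: a non-interactive version that also puts the FMC hostname in a SAN (browsers no longer accept a CN-only certificate) and checks the CSR before you upload it. It assumes OpenSSL 1.1.1 or newer and the placeholder hostname fmc.example.local.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes OpenSSL >= 1.1.1
# (for -addext) and a placeholder FMC hostname such as fmc.example.local.
set -e

# Generate an encrypted RSA key and a CSR for the FMC web interface.
# The post uses -des3 interactively; here the passphrase is passed in so the
# function can run unattended, and AES-256 is used for the key file.
make_fmc_csr() {
  host="$1"   # FMC FQDN that users will type into the browser
  key="$2"    # output path for the private key (e.g. Fire.key)
  csr="$3"    # output path for the CSR (e.g. Fire.csr)
  pass="$4"   # passphrase protecting the private key

  openssl genrsa -aes256 -passout "pass:$pass" -out "$key" 2048 2>/dev/null
  # CN alone is not enough for modern browsers, so add a subjectAltName.
  openssl req -new -key "$key" -passin "pass:$pass" -out "$csr" \
    -subj "/C=CN/O=Example Lab/CN=$host" \
    -addext "subjectAltName=DNS:$host"
}

# Verify the CSR's self-signature and confirm the SAN carries the hostname.
# Returns 0 on success, 1 if either check fails.
check_fmc_csr() {
  csr="$1"
  host="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -text | grep -q "DNS:$host"
}

# Confirm the key file on disk is actually passphrase-protected before it
# is copied off the box with WinSCP.
key_is_encrypted() {
  grep -q ENCRYPTED "$1"
}
```

Run the three functions from the home directory, as the post recommends, so the files are readable by the admin account that WinSCP logs in with.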

My understanding is that you need to configure an identity policy before doing user-based authentication.

After a lot of testing, I reinstalled FMC 6.2.3 and finally passed the test.

After opening the page, enter the user name and password.

We can see user activity. In reality, I couldn't think of a scenario that would need active authentication. If I have time, I will do another user agent experiment. Of course, it is said that Firepower's identity policy is very unstable and is not recommended.

Interactive Block

FMC has a strange behaviour: when you test a web page, it remembers the link, including the IP address. So you have to change the IP address and clear the browser cache, which is really tedious. No wonder the operations and maintenance staff find the production environment so painful. Performance is weird. Anyway.

In my test here, it seems the URL is not recognised; you have to use the application instead, and then there will be an interactive block.

Click Continue and it passes.

Looking at the log, we can see it still remembers my user info.

It's another very unreliable feature.

Security Intelligence: this test is relatively stable. It's worth using.

Define three files.

Left and right are the comparison before and after I deployed SI.

YouTube just can't be reached.

Of course, this case was defined by myself; if you need to check the specific feeds of SI, log in to FMC and do the following:

sudo su

cd /var/sf/iprep_download

Network Discovery Policy

But I personally feel that the detection is not very accurate.

One of my Win10 hosts was detected as Win7 or Win8; why? Of course, you can fix the OS manually, and then patch it where there is a target. The biggest question is why 6.2.3 doesn't even have the option for Windows 2016! This feature gets another bad review!

However, once discovery has finished with all the hosts, you can configure the IPS policy on top of it; there are Firepower Recommendations.

File Policy

IPS Policy

Katherine has a YouTube video about IPS policy that is very good:

https://www.youtube.com/watch?v=CxUKj_tkpU0&t=273s

It describes the levels of IPS policy and the testing methods.

That's roughly it for now; after the security exam I'll come back to it, as there is still a draft.
