
LABSEC-2000 Lab Guide

Migrating from ASA to Firepower Threat Defense (FTD)
LABSEC-2000
Speakers:
Prapanch Ramamoorthy
Akshay Dubey
Firepower Threat Defense (FTD) Overview
Cisco’s Firepower Threat Defense (FTD) is a threat-focused NGFW, purpose-built to provide granular
application control while protecting against malware and providing insight into and control over
threats and vulnerabilities. It helps shrink time to detection and remediation and reduces complexity
with a single management interface.
Lab Overview
Cisco's Adaptive Security Appliance (ASA) firewalls are among the most widely deployed network
firewalls in the world. Cisco's newest NGFW offering, Firepower Threat Defense (FTD), merges ASA with
industry-leading IPS and malware protection capabilities into a single threat-focused offering with the
added benefit of unified management. This session will demonstrate to participants the procedure to
migrate from an existing ASA to an FTD using an easy-to-use migration utility. This session will also
provide users a walk-through of additional features of FTD and Firepower Management Center (FMC).
Learning Objectives
Upon completion of this lab, you will be able to:
1. Enable the migration utility on FMC
2. Convert an existing ASA configuration to FTD-compatible policies
3. Upload the migrated configuration to FMC
4. Discover the FTD and apply the migrated configuration to it
Lab Topology
IP Addressing
Replace ‘x’ with the POD number assigned to you in the table below:
Node Name        IP address      Credentials
FTD              17.17.x.50      username: admin / password: C!sco123
FMC_Migration    17.17.x.150     username: admin / password: C!sco123
FMC              17.17.x.100     username: admin / password: C!sco123
How to connect
a) From the lab PC, launch “Cisco AnyConnect VPN Client” and connect as below:
https://72.163.218.174. From the dropdown for Group, choose ASA-FTD-Migration
username/password : labsec2000-podx/C!sco123
Note: Accept any certificate warnings that might pop up due to untrusted certificates.
Note: Replace ‘x’ in the username with the POD number assigned to you.
b) Follow the instructions in the lab task using the IP addresses specified earlier to access the
individual devices
Lab Tasks
Note: Replace ‘x’ with the POD number assigned to you in each of the following tasks.
Task 1: Enable migration utility in FMC
In this task, you will convert a regular FMC to one that is dedicated to migrating ASA configurations
to FTD compatible policies. Note that this is an irreversible operation, that is, once converted, that
FMC cannot be used for any purpose other than for migrating ASA configurations (including but not
limited to managing devices).
Steps:
1. Launch Putty and SSH to FMC_Migration using the IP address 17.17.x.150. Use the
credentials provided earlier to login.
2. Enter the ‘sudo’ mode using the command sudo su. When prompted, enter the same
password used to login to the FMC_Migration.
3. Run the command enableMigrationTool.pl. Type Y when prompted to continue.
4. This will change this FMC irrevocably into a special FMC whose sole purpose is to migrate
ASA configurations into SFO formatted files. Refer to the figure below:
5. When the conversion is done, you’ll be told to refresh the web GUI. From now on, whenever you
access this FMC_Migration, you’ll see an unmistakable message along the top telling you that this
is a specially configured FMC.
End of Task 1.
Task 2: Convert existing ASA configuration to FTD compatible policies
This task will walk you through the process of converting an ASA configuration file to an FTD
supported format.
Feature Information
This migration tool allows you to convert specific features in an ASA configuration to the equivalent
features in a Firepower Threat Defense configuration. After this conversion, it is recommended that
you complete the migration manually by tuning the converted policies and configuring additional
Firepower Threat Defense policies.
The migration tool allows you to migrate the following ASA features:
• Extended access rules (can be assigned to interfaces and assigned globally)
• Twice NAT and network object NAT rules
• Any network objects/groups or service objects/groups associated with the extended access
rules and NAT rules that the tool converts
There are also some limitations on what will and will not be converted. A full list of such
limitations and other requirements can be found here - Cisco ASA to Firepower Threat Defense
Migration Guide, Version 6.2.
ACL Conversion
When converting ASA Access Control List commands into a format that works in the FTD, you will
need to decide into which “path” these rules will be imported. There are two places in the FTD where
Access Control type rules can be located: the Prefilter Policy or the Access Control Policy. This demo
focuses more on the mechanics of doing the conversion, but here is a quick guide to your import
options.
Access Control List commands that have unsupported features (like the time-based feature) can be
imported along with the supported commands. However, they will be disabled by default so that you
can evaluate how to deal with the issue of the unsupported feature. Access Control Lists with logging
enabled will have the option to enable logging “At the start of connection”, “At the end of
connection”, or “Both”.
NAT Conversion
The NAT conversion is more straightforward: Twice NAT rules become Manual NAT rules, and Network
Object NAT rules become Auto NAT rules.
NAT commands with unsupported features will not be converted, and the conversion will fail.
Network and Service objects/groups
Network and Service Objects and Object Groups are only converted when they are referenced by the
Access Control Rules or NAT Rules that are being converted. Not all attributes of these objects are
supported in the FTD.
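As an added example (not part of the lab guide and not Cisco's migration tool), the following Python pre-check applies the conversion rules just described to a constructed ASA snippet, so you can see in advance which ACEs will import disabled, which NAT rules become Manual versus Auto NAT, and which objects will be carried over. The sample config, the regular expressions and the unsupported-keyword list are assumptions made for illustration; the tool's full list of unsupported features is in the migration guide referenced above.

```python
import re
# Constructed ASA snippet (not one of the lab's FTP files) used to illustrate the classification.
SAMPLE_ASA_CONFIG = """\
object network INSIDE_HOST
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network WEB_SRV
 host 10.1.1.20
object network DMZ_NET
 subnet 172.16.1.0 255.255.255.0
object network UNUSED_NET
 subnet 10.9.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 80 log
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443 time-range BUSINESS_HOURS
nat (inside,outside) source dynamic any interface
nat (inside,dmz) source static INSIDE_HOST INSIDE_HOST destination static DMZ_NET DMZ_NET
access-group OUTSIDE_IN in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (.*)$")
TWICE_NAT_RE = re.compile(r"^nat \((\S+)\) source (.*)$")  # top-level nat: twice NAT
OBJ_NAT_RE = re.compile(r"^ nat \((\S+)\) (.*)$")          # indented under an object: object NAT
UNSUPPORTED_ACL_KEYWORDS = ("time-range",)                # imported, but disabled by default (assumed list)

def classify_asa_config(text):
    """Predict the tool's treatment: ACEs with an unsupported keyword import disabled, twice NAT
    becomes Manual NAT, object NAT becomes Auto NAT, only referenced objects are carried over."""
    acl, nat, needed, all_objects, current_object = [], [], set(), set(), None
    for line in text.splitlines():
        if line.startswith("object network "):
            current_object = line.split()[-1]
            all_objects.add(current_object)
            continue
        if not line.startswith(" "):
            current_object = None           # left the object's indented sub-block
        if m := ACL_RE.match(line):
            name, action, body = m.groups()
            tokens = body.split()
            unsupported = [k for k in UNSUPPORTED_ACL_KEYWORDS if k in tokens]
            acl.append({"acl": name, "action": action, "enabled": not unsupported,
                        "unsupported": unsupported, "logging": "log" in tokens})
            needed.update(tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "object")
        elif m := TWICE_NAT_RE.match(line):
            nat.append({"ifaces": m.group(1), "ftd_type": "Manual NAT", "source": "twice NAT"})
            needed.update(t for t in m.group(2).split() if t in all_objects)
        elif current_object and (m := OBJ_NAT_RE.match(line)):
            nat.append({"ifaces": m.group(1), "ftd_type": "Auto NAT", "source": "object NAT"})
            needed.add(current_object)
    return {"acl": acl, "nat": nat, "objects_needed": sorted(needed),
            "objects_unreferenced": sorted(all_objects - needed)}
```

Rules flagged with "enabled": False are the greyed-out rules you will later look for in the Prefilter Policy, and "logging": True marks the ACEs for which the import dialog offers the start/end/both logging choice.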
Note: There are multiple ASA configuration files available for you to choose from. You
can see the full list of files here – ftp://cisco:[email protected]/LABSEC-2000/
Steps:
1. Access the FMC_Migration web GUI by browsing to https://17.17.x.150. Login using the
credentials provided earlier.
2. Navigate to System > Tools > Import/Export. Click on Upload Package.
3. Click Browse… to find and select your ASA configuration file. Once selected, click Open.
4. Click Upload to load the ASA configuration file into the FMC Migration GUI.
5. Now select the options you wish to use for the import. Select the combination you prefer, but
note that the following steps in this demonstration might differ from what you see if you choose a
different combination. Click OK to continue.
6. Under the Message Center’s Tasks tab, you can watch the progression of the conversion.
Navigate to the Message Center’s Tasks tab.
7. Once the FMC has parsed the whole ASA configuration file, it will generate a report on what
will or will not be converted. A link to this report will show up in the Task tab. Click on the
Click link to download or view this report.
8. Once you have reviewed the report, close the browser window.
9. Once the conversion is done, you will be given a link to download the converted file (in .sfo
format). Click on the Click to download the FMC import file(.sfo) link to download the
converted file. Save the file to your computer.
End of Task 2.
Task 3: Upload migrated configuration to FMC
This task will walk you through the process of uploading the migrated ASA configuration file that was
previously downloaded to the FMC.
Note: This FMC is a “fresh” install with only minimal policies configured. This demo does
not cover importing a file into an FMC that already has a complex set of policies configured,
which may create conflicts that need to be resolved.
Steps:
1. Open a new tab in your browser and navigate to https://17.17.x.100. Log in using the
credentials provided earlier.
2. Navigate to System > Tools > Import/Export and click Upload Package.
3. Click Browse… and select the converted configuration file. Click Open.
4. Click Upload to load the file into the FMC.
5. The policies should be already selected for you. If not, select the policies you wish to import.
Click Import to continue.
6. Create new Interface Group objects for each of the interfaces in the original ASA
configuration and map them to the appropriate Interface objects for the access-group and
NAT configurations. Click Import when done.
7. The FMC will now import the SFO file and create the needed policies. This process can take
some time. Watch the Message Center’s Tasks tab for progress. Once the import is complete, a
report will be available. Click the Click to download Import report link to view the report.
8. Now that the ASA configuration is imported, review the imported policies. Navigate to
Devices > NAT to view the newly imported NAT policy. Click the Pencil icon for this NAT policy
to view its rules.
9. Browse the NAT rules. The ASA Twice NAT rules are the Manual NAT rules. The ASA Object
NAT rules are the Auto NAT rules.
10. Navigate to Objects > Object Management. Click on Network from the list of options. Any
imported Network Objects will be listed here.
11. Navigate to Policies > Access Control > Access Control to view the newly created Access
Control Policy. Click the Pencil icon for the created Access Control Policy to view any rules
that were created.
12. Since we chose to import the ASA Access Control Lists as PreFilter rules, no rules will be
shown here. However, note that the Prefilter Policy is set to a non-Default policy.
13. Navigate to Policies > Access Control > Prefilter. Click the Pencil icon for this policy to view
the rules.
14. Scroll through the list of rules and look for any greyed-out rules. These are likely rules that
were imported but reference an unsupported feature, and are therefore disabled by default. Edit one
of these rules by clicking the Pencil icon on its row.
15. Click on the Comment tab to view a comment as to why this rule is disabled. Click Cancel
when done viewing this rule.
End of Task 3.
Task 4: Discover FTD and apply migrated policies to it
This task will walk you through the process of discovering an FTD into the FMC and applying the
previously migrated policies to the discovered FTD.
Steps:
1. Launch Putty and SSH to FTD using the IP address 17.17.x.50. Use the credentials provided
earlier to login.
2. Verify that the FTD is currently unmanaged using the command show managers. Then configure
the FMC that will manage this FTD using the command configure manager add 17.17.x.100 cisco. The
cisco at the end is the registration key, which must match on the FMC and the FTD.
3. If you have not already done so, log in to the FMC by opening a new tab in your browser and
navigating to https://17.17.x.100. Log in using the credentials provided earlier.
Note: In order to manage an FTD, we need to enable Cisco Smart Licensing on the FMC.
There are 2 options available:
• Activate the 90-day evaluation mode on the FMC.
• Register the FMC with the Cisco Smart Licensing Server/Smart Licensing Satellite
Server.
For the purposes of this lab, we will be using the FMC in evaluation mode. For more
information about registering the FMC with the Cisco Smart Licensing Server/Smart
Licensing Satellite Server, refer to this link - Smart Licensing for the Firepower System.
4. Browse to Systems > Licenses > Smart Licenses. Click on Evaluation Mode and click on Yes
when asked for a confirmation.
This will show you a page like below:
5. Browse to Devices > Device Management. Click on Add > Add Device.
6. Enter the following details in the resulting popup:
   Host:             17.17.x.50
   Display Name:     FTD
   Registration key: cisco
For the Access Control Policy, select the previously migrated policy. Check the 3 checkboxes under
Smart Licensing for Malware, Threat and URL Filtering. Click on Register once all this information is
completed.
7. The FMC will now begin the process of discovering and adding the FTD. This process can take
some time. Watch the Message Center’s Tasks tab for progress. Once the discovery is
complete, you will see a green check mark against the FTD as seen below:
8. Go back to the SSH session to the FTD and, using the command show access-control-config,
verify that the previously migrated access-list configuration has been applied to the FTD:
9. Browse to Devices > NAT and then click the Pencil icon to edit the NAT policy.
10. Click the Policy Assignments link.
11. Select the previously discovered FTD device, click Add to Policy, and then click OK.
12. Click Save to save the changes.
13. Browse to Devices > Device Management. Click on the Pencil icon next to the FTD device.
14. Open the ASA configuration file in a text editor and go to the interface configuration section.
15. On the FMC, go to the Interfaces tab and click on the Pencil icon against each of the interfaces
to configure them.
16. Configure the Name and IP address and check the Enabled box for the interfaces. Click Ok
once configured.
17. Click Save once all the necessary interfaces are configured.
Note: The NAT policy on the FMC makes use of interface groups. Hence, it is necessary to
map the just-configured interfaces to interface groups in order to apply the NAT
configuration to the FTD.
18. Browse to Objects > Object Management. Click on Interface.
19. This page will list the interface groups that were previously created during the configuration
migration process. Assign the previously configured interfaces to the interface groups by
clicking on the Pencil Icon next to each of the interface groups, selecting the appropriate
interface and then clicking on Save.
20. Once all the interface groups have the appropriate interfaces under them, click on Deploy. In
the resulting popup, select the FTD device. Optionally, before clicking on the Deploy button,
click on the Plus icon to view the policies that need to be deployed to the FTD. Click on the
Deploy button when ready to deploy.
The FMC will now begin the process of deploying the configuration to the FTD. This process
can take some time. Watch the Message Center’s Tasks tab for progress. Once the
deployment is complete, you will see a green check mark against the FTD as seen below:
21. Log back into the FTD using SSH if you have not already done so, and use the commands show nat
and show running-config to verify the configuration deployed to the FTD:
End of Task 4.
Congratulations! You have completed the lab.