Fire Jumper Academy FTD Troubleshooting for FE’s Ed Finger edfinge@cisco.com Day 1 • 9AM-Noon: Lecture • 1PM-5PM: Lab Day 2 • 9AM-Noon: Lecture • 1PM-5PM: Lab Special Thank You to Nazmul Rajib • Reference Diagrams from the Book • Cisco Firepower Threat Defense (FTD) • Nazmul Rajib Training Resource for this Class amazon.com/dp/1587144808 ciscopress.com/title/9781587144806 Agenda • Cisco Firepower Technology • Firewall Licensing and Registration • Firewall Deployment in Routed and Transparent Modes • Capturing Traffic for Advanced Analysis • Blocking Traffic Using Inline Interface Mode • Inspecting Traffic Without Blocking IT • Handling Encapsulated Traffic (Prefilter Policy) • Bypassing Inspections and Trusting Traffic • Rate Limiting Traffic • Block-Listing Suspicious Addresses by Using Security Intelligence • Filtering URLs Based on Category, Risk, and Reputation • Discover Network Applications and Control Application Traffic • Controlling File Transfer and Blocking the Spread of Malware Cisco Secure Firewall Technology Firepower System • Sourcefire acquisition by Cisco 2013 • Leader in: • Intrusion Detection System (IDS) • Intrusion Prevention System (IPS) • Next Generation Firewall (NGFW) • IPS based on SNORT • Developed by Martin Roesch Firepower System • Firewall Management Center (FMC) • Unified management over firewalls, application control, intrusion prevention, URL filtering and advanced malware protection • Firewall Threat Defense (FTD) • Unified software image • Next Generation Firewall (NGFW) • Firewall System Components Firepower System Components • Firewall Core Software • Unified image for Cisco ASA and Firewall Services (FTD) • SNORT engine • Intrusion detection, prevention, Snort 2.x and Snort 3.x • Web Server for GUI • SNORT/Sourcefire rules • Special ruleset to detect and prevent intrusion • Vulnerability database (VDB) • Stores vulnerability information and fingerprints of applications, services and operating systems Firepower System Components • Geolocation database (GeoDB) • Stores geographical information and associated IP addresses • URL filtering database • Categorizes websites based on targeted audiences or business purposes • Stored in the URL filtering database • Security Intelligence Feed • Talos monitors the internet to identify potential malicious IP addresses, domain names, and URLs • Local Malware detection • Malware license the FTD can detect viruses in files • ClamAV engine to analyze files locally Operational Modes FTD Deployment Modes NGFW Routed 10.1.1.0/24 inside NGIPS FTD 10.1.2.0/24 outside DMZ 10.1.3.0/24 Transparent inside FTD DMZ Integrated Routing Inline Tap 10.1.1.0/24 FTD inside and Bridging 10.1.1.0/24 DMZ outside Inline 10.1.2.0/24 outside Eth1/1 Eth1/1 Passive Eth1/1 FTD FTD FTD Eth1/2 Eth1/2 Mode of Operation – IPS Only ▪ Passive Mode • • ▪ Detection only mode. Does not interrupt network traffic flow. Support physical interfaces and Ether Channels only. Sensor sits between two physical ports on a switch or two different switches Inline Mode • Blocks malicious traffic in real time. • Support physical interfaces and Ether Channels only • Cannot use redundant interfaces, VLANs, and sub-interfaces ▪ Inline-Tap • • Cabling is like the Inline mode, but acts like the Passive mode. Switch between inline and inline-tap modes is done simply in the GUI. Transparent Interfaces Sensor is Layer 2 Bridge Architecture Architecture Diagram Firewall Threat Defense Introduction Firepower (mainly L7 functionality) LINA/ASA (L2-L4 functionality) Feature migration Full feature set Firewall Threat Defense On-box Firewall Device Manager Off-box Firewall Management Center FTD Software Architecture – The Big Picture • LINA engine (multiple instances of Data Path) - Focused on L2-L4 functionality • Snort engine (multiple instances of Snort) - Focused on L7 functionality 1. A packet enters the ingress interface and it is handled by the LINA engine 2. If the policy dictates so the packet is inspected by the Snort engine 3. Snort engine returns a verdict (allow or block) for the packet 4. The LINA engine drops or forwards the packet based on Snort’s verdict FTD Flow Load Balancing Internet A FTD NUMA LINA Load Balancer B C LINA A LINA B LINA C A B C C SNORT A A SNORT B DAQ A DAQ B DAQ C B DAQ Initiates Flows to SNORT Instance SNORT C FXOS Architecture and Packet Flow 1. 2. 3. 4. 5. 6. MIO receives the packet on physical port MIO sends the packet to Decorator (DDoS - vDP Radware) MIO receives the packet from Decorator (DDoS - vDP Radware) MIO sends the packet to the Security Module (FTD). If there is FTD Clustering the MIO will get the packet back and send it to the peer unit FTD sends the packet back to MIO MIO sends the packet to the egress physical port Packet Flow on FP2100 1. 2. 3. 4. 5. 6. The packet arrives on the Internal Switch Internal Switch forwards the packet to the LINA (ASA) Engine (Network Processing Unit - NPU) LINA (ASA) Engine forwards the packet to Snort Engine (CPU) Snort Engine forwards the packet back to LINA (ASA) Engine (NPU) LINA (ASA) Engine forwards the packet to the Internal Switch The Internal Switch sends the packet back to physical network FTD Diagnostic vs. Management Interface Management Interface Diagnostic br1/management0 • • • Mandatory interface (terminate sftunnel) Assigned IP address is used for FTD/FMC communication SSH/HTTPS access to the FTD > show network • • • Not recommended to configure, use Data interface Remote access to ASA (LINA) Source for ASA syslog, AAA messages, etc. # show interface ip brief SNORT Architecture Detection Engine • Consists of two components to perform inspection • Rules builder • Inspection component • Rules builder • On Snort startup, assembles rules into rule chains • Optimizes rule matching by the inspection component • Sources, destinations and port sources and destinations redundancies are eliminated • Implements rules chains as linked lists in a decision tree • Inspection component • Matches traffic to a rule chain • Further inspects traffic against the options in the matching rule chain • A packet is tested if it is TCP > Then passed to TCP rules, Source Address, etc. Until packet either matches an attach signature or tests clean. 23 Detection Engine • Consists of two components to perform inspection • Rules builder to build attack signatures by parsing Snort rules • Inspection component • Rules builder • On Snort startup, assembles rules into rule chains • Optimizes rule matching by the inspection component • Sources, destinations and port sources and destinations redundancies are eliminated • Implements rules chains as linked lists in a decision tree • Inspection component • Matches traffic to a rule chain • Further inspects traffic against the options in the matching rule chain • A packet is tested if it is TCP > Then passed to TCP rules, Source Address, etc. Until packet either matches an attach signature or tests clean. 24 SNORT 2 Architecture SNORT 2 Architecture Frag(x) Stream(x) 8080, 8000, 8180, etc. SNORT 2 Architecture SNORT 2 Components Supported acl AC policies in the packet path pdts Communication path between Lina and Snort daq Data Acquisition Layer for accepting the packet into SNORT Snort-engine Snort Generic Component Snort-file processor Snort File Processor Component Snort-firewall Snort Component responsible for enforcing Access Control Policy (AC Policy) Snort 3 - Overview • Snort 3 is now supported with FMC as well as FDM • Snort 3 Device Management • Ability to toggle device Snort versions (Snort 2<->Snort 3) from FMC device management • Upgrade / Migration Changes • Simplified Migration of Snort 2 to Snort 3 policies after upgrading to FP 7.0 • Support for synchronizing common intrusion policies between Snort 2 and Snort 3 versions Snort 3 Primer • Inspectors replace preprocessors • Event driven Plugins accomplish much of the processing objectives: • Codec - to decode and encode packets • Inspector - replaces Snort 2 preprocessors, for normalization, etc. • IpsOption - for detection in Snort rules • IpsAction - for custom actions • Logger - for handling events • Mpse - for fast pattern matching • So - for dynamic rules • Lightweight Security Package(LSP) is the new release manager for Snort 3, replacing Security Rule Updates (SRU) – fast, smaller, higher frequency Snort 3 – Benefits • Much more efficient memory utilization and faster reload times from multi-threaded architecture • Faster/deeper pattern lookups with HyperScan for higher efficacy • Improved human-readable signature language • LSP Light Weight Security Package – Smaller and Faster • Event-driven plugins replace preprocessors for quicker verdicts Snort 3.0 Architecture • Threaded to utilize multiple cores • 1 control thread (main) • N packet threads per process • Reloads faster (1 vs N) • A single config and network map • Uses less memory • Supports more IPS rules and larger netmap • Rules written in text like Snort 2 • More uniform syntax in Snort 3 • Easier to read, write, and verify • “Snort2lua” converts 2.9 IPS rules to 3.0 format • LuaJIT will be added later by TALOS Presentation ID 34 Snort 3 Traffic Inspection Custom Intrusion Rules • Users can upload custom intrusion rules, written in Snort 3 rule syntax • snort2lua tool on the FMC can be used to convert Snort 2 rules to Snort 3 syntax • Each custom rule must have a SID (>1000000) and REV information • GID need not be provided by the user • GID will be auto-generated per domain as in case of Snort 2 • Auto generated GID will be different from Snort 2 GID to avoid SID collision` Snort 3 – Changes in IPS Rule alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI request for known malicious URI"; flow:established,to_server; content:"/setup_b.asp?prj="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/Ui"; metadata:service http; sid:19626; rev:2;) alert http ( msg:"BLACKLIST URI request for known malicious URI"; flow:established,to_server; http_uri; regex:"/setup_b\.asp\?prj=\d&pid=.*&mac=", nocase, fast_pattern; sid:19626; rev:4; ) Snort Tools FTD ASP Drop Output © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Tools – show asp drop – FTD • Command Reference for all show asp drops: • https://www.cisco.com/c/en/us/td/docs/security/asa/asa-commandreference/show_asp_drop/show_asp_drop.pdf • Snort-drop: This counter is incremented and the packet is dropped as requested by Snort module. • Snort-down : This counter is incremented and the packet is dropped as the Snort module is down. • Snort-busy: This counter is incremented and the packet is dropped as the Snort module is busy and unable to handle the frame. Show Snort Stats © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Tools – show snort statistics – FTD CLI Guide Use this command to show Snort inspection results of your access policy and intrusion rule configurations. This command is typically used when debugging unexpected Snort inspection behavior. The statistics include the following: • Passed Packets—The number of packets sent to Snort, including packets sent from Lina. • Blocked Packets—The number of packets blocked in Lina and not sent to Snort. Tools – show snort statistics – FTD CLI Guide • Injected Packets—The number of packets Snort created and added to the traffic stream. For example, if you configure a block with reset action, Snort generates packets to reset the connection. • Packets bypassed (Snort Down or Snort Busy)—If you configure the system to allow packets that require Snort inspection and Snort cannot perform the inspection, these counters are the number of packets that bypassed inspection when Snort was either down or too busy to handle the packets. Tools – show snort statistics – FTD CLI Guide • Fast-forwarded flows—The number of flows that were fast forwarded by policy, and thus not inspected. • Blacklisted flows—The number of flows from policy configuration that were dropped by Snort. • Start-of-flow events—The Lina process sends start-of-flow events to Snort when it fast paths a flow without sending it to Snort. These events help Snort keep track of the connections and report the connection events. • End-of-flow events—The Lina process sends end-of-flow events to Snort when a fast path flow ends. Tools – show snort statistics – FTD CLI Guide • Denied flow events—The Lina process sends denied flow events to Snort when it decides to drop a flow before sending it to Snort. • Frames forwarded to Snort before drop—The number of to-bedropped packets forwarded to Snort. When the Lina decides to drop the frame for some reason, it is also sent to Snort for visibility. • Inject packets dropped—The number of packets that Snort added to the traffic stream that were dropped. Detailed Packet Processing Flow General Traffic Flow through FTD Firewall Data-Path Troubleshooting Framework flow diagram Packet Ingress Platform DAQ SI ACP SSL Auth Software Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib IPS NAP Packet Flow © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential FTD Packet Processing: ACL best practices • • • • • Use Prefilter Policy Fastpath rules for big ‘fat’ flows Place more specific rules at the top of the Access Control Policy Place rules that require Snort inspection at the bottom of the policy Avoid excessive logging Be aware of rule expansion > show access-list | include elements access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3 admin@NGFW1$ cat /var/sf/detection_engines/UUID/ngfw.rules | grep "Start of AC rule" -A 10000000 | grep v " of AC rule." | wc -l 32 Traffic Flow Troubleshooting • Tools used to troubleshoot Traffic Flow: • System Support Trace • System Support Firewall-Engine-Debug • Capture • Capture-Traffic • Packet-Tracer • Show asp drops • Show snort stats Designing a Firewall Management Network Requires that management interfaces can communicate with each other. FMC can manage from any location Firewall Management Network Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Management Interfaces Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Management Interface Multiple Networks Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Management Interface Best Practices • Segment management traffic from the data traffic. • Keeping the management network out-of-band secures the control-plane traffic in case the data network is attacked. • Default management port TCP 8305 • Cisco strongly recommends not to change the default port number Firewall Licensing and Registration Smart License Architecture • Offers two major benefits over the Classic License. • Enables you to administer all your Firewall licenses from a single place. • Enables full functionalities of the FMC and FTD without installing any licenses for the first 90 days of an initial deployment. • In the Smart Licensing architecture, the Firewall manager uses a process—Smart Agent—to communicate and register with the Cisco License Authority. • Cisco offers two options to connect a Firewall manager to the Cisco License Authority. • Cisco License Authority directly over the Internet • Smart Software Manager On-Prem. Cisco Smart Software Manager (SSM) Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib License Types • Base • Update the Firewall System • Control applications and users • Perform switching, routing and NAT • Threat • Detect and prevent intrusion attempts • Block-List traffic based on intelligence • Block transfer of certain types of files • Malware • Protect network from malware, enable AMP for network and enable AMP Threat Grid features • URL Filtering • Filter URLs based on Reputation and Category Connection between FMC and License Server • Command on the FMC • Login to FMC console port • For this lab Username: admin Password: C1sco12345 • Type • Expert • sudo tail –f /var/log/sam.log • You will be prompted for a password use: C1sco12345 Registration Process • FMC initial configuration • Management Interface IP address: pre-configured DHCP (7.x) will fall back to 192.168.95.1 • Username: Admin Password: Admin123 • Device Management Add Device from the GUI • Change Network Parameters from CLI prompt: sudo configure-network password: C1sco12345 • FMC Troubleshooting • CLI Commands • Expert • route –n • sudo ping x.x.x.x (For lab testing use 198.19.10.1, 198.19.10.100) • sudo traceroute <IP Address of FTD> • sudo netstat –antp | grep –i 8305 [will show currently registered FTD’s and their tunnel ports] • sudo sftunnel_status.pl <FTD IP Address> Registration Process • FTD Management Interface • Uses management interface to send and receive control traffic • During FTD Installation Process when you provide IP address for the Management Interface it is assigned to the Logical management interface • Uses the logical management interface to complete the registration process with the FMC • Establishes the Secure Tunnel • Apply Policies to the FTD • Transfer events from FTD to FMC • FTD Data Interfaces • Each data interface required to be on a different network • Diagnostic Interface must be on same subnet as logical management interface br1 • When diagnostic interface is configured with IP address it is considered a Data Interface • Must be on separate subnet from inside interface need a router to send traffic between different subnets Registration Process • FTD Troubleshooting • Show network • Shows Hostname, Domains, DNS servers, Management Port, Gateway, IP Address of Management Interface • Show interface ip brief • Ping system x.x.x.x • capture-traffic (for SNORT and br1) • sftunnel-status • Expert mode Commands • ifconfig • sudo netstat –antp | grep –i 8305 Troubleshooting Commands • Restart the sftunnel Process • sudo manage_procs.pl • Option 3 Restart Comm. Channel • On FMC to run debug log: • sudo tail –f /var/log/messages | grep [Management IP Address e.g. 198.19.10.81] Common Causes Registration Failures © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1. RMA’s 2. Registration Keys 3. NAT 4. Sftunnel Certificate Expired 5. Sftunnel.conf file corrupted 6. Database Issues Registration Failure Troubleshooting • Logs to check (sudo –i) • /etc/sf/sftunnel.conf • /var/log/messages • Scripts for registration issues • • • • • register_appliance.pl remove_peer.pl remove_managers.pl manage_procs.pl sfcfa_revoke Registration Failure: Corrupt sftunnel.conf • Registration may fail immediately or error if sftunnel.conf is corrupt. • Common error messages “Communication channel for management interface is not configured” during registration • ”Could not establish a connection with sensor. Make sure the registration keys match, that the software versions are compatible, and that the network is not blocking the connection” • Check sftunnel.conf file: # cat /var/sf/sftunnel.conf.in # cat /var/sf/sftunnel.conf Registration Failure: Fix Corrupt sftunnel.conf 1. Stop sftunnel process. # sudo pmtool disablebyid sftunnel 2. Backup corrupt sftunnel file. # cp /etc/sf/sftunnel.conf.in /etc/sf/sftunnel.conf.bad 3. Replace corrupt file with a known good sftunnel.conf from TAC. 4. Run the command to populate the data in the replacement file. # perl -MFlyLoader -e "SF::PeerManager::ConfigFiles::create_sftunnel_config()" 5. Restart sftunnel process. # pmtool enablebyid sftunnel 6. Attempt registration again. Registration Failures : Database Issues • Verify the EM_peers table is not corrupt • Verify the sensor table is not corrupt • Verify process for registration are running • • • • • SFDataCorrelator SFTunnel SFMGR SFIPPROXY Mysqld Firewall Deployment in Routed and Transparent Modes Policy Deployment Failures © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential • Troubleshooting deployment failures • Low Bandwidth causing deployment failure Policy Deployment Failure Troubleshooting • Collect UI Error for deployment failure • Collect IP of sensor(s) failing deployment • Optionally • Trouble Shoot files from FMC & Sensor(s) • Pigtail deployment logs • Logs to monitor for policy deployments • action_queue.log • usmsharedsvcs.log (FMC) • policy_deployment.log • pigtail (shows a combination of log file data) Capturing Traffic for Advanced Analysis Getting to know the tools Capture and Trace Best Practice for Capturing Traffic • The primary objective of a Firewall system is not to capture live traffic • Capture of live traffic only for troubleshooting purposes. • Use a dedicated system for capturing traffic for a long period of time. • Capturing live traffic on a production system can degrade system performance. • Capture traffic during a maintenance window. • Redirect packets to a file instead of console. • Copy the file a computer and open it by using any packet analyzer. • If not storing the packet in a file, limit the number of packets captured. Packet Capture • Allows Real packets that are captured on ingress interface to be traced through the system • Includes information from Snort and preprocessors about verdicts and actions • Multiple packet captures are possible at a time • Can modify, delete, clear and save captures • Traffic data can be downloaded in pcap or ASCII format Capturing Traffic for Advanced Analysis • Traffic Capture Essentials • FTD blocks a packet from ingress to egress interface performed by: • Firewall engine or Firepower engine. • Analyze packets from both engines to determine the problem. • Registration or communications issues between FTD and the FMC • Capture-traffic from the Firepower management interfaces. TRAFFIC TRANSVERSAL Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Traffic Capture • Firepower Engine • Firewall Engine • FMC CAPTURE vs CAPTURE-TRAFFIC Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Troubleshooting Traffic Capture Packet Processing by an Interface • Packet Processing by an Interface • If traffic not showing up in Capture. Check filtering condition in the capture or capture-traffic command is correct. • Check the statistics of the FTD interface and determine whether any packets are dropped by the interface. • > show interface GigabitEthernet 1/1 • Interface GigabitEthernet1/1 "INSIDE_INTERFACE", is down, line protocol is down • 0 no buffer Received 68 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, • FTD pulls packets from the ingress interface. • If the FIFO queuing algorithm becomes full. Incoming packets get dropped. The number of these dropped packets in the overrun counter. • The no buffer counter in the interface statistics provides the number of dropped packets. FIFO QUEUE Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib FTD Captures • FTD provides 2 types of captures 1. LINA-level capture – ‘capture’ command 2. Snort-level capture – ‘capture-traffic’ command • Where do these captures take place? • capture-traffic command can be also used to capture FTD controlplane traffic (br1, management0) FTD Packet Processing: Intrusion Policy • • Intrusion Policy (Snort Rules) is the same as on classic Firepower devices Packets marked as dropped by a Snort Rule (Signature) can be tracked by: 1. FMC GUI (Connection Events, Intrusion Events) 2. Capture with Trace: firepower# show cap CAPI%intf=INSIDE% trace | in Drop Drop-reason: (ips) Blocked or blacklisted by the IPS preprocessor 3. From CLISH mode using ‘system support trace’ > system support trace 192.168.0.10-45988 > 192.168.2.10-80 192.168.0.10-45988 > 192.168.2.10-80 192.168.0.10-45988 > 192.168.2.10-80 192.168.0.10-45988 > 192.168.2.10-80 6 6 6 6 Snort: processed decoder alerts or actions queue, drop AS 1 I 12 Deleting session NAP id 2, IPS id 1, Verdict BLACKLIST ===> Blocked by IPS FTD Packet Processing: L3/L4 ACL - Allow • Tracing a real packet will show the Snort Verdict firepower# show capture CAPI packet-number 1 trace 1: 09:17:18.996149 1.1.1.1 > 2.2.2.2: icmp: echo request ! Phase: 4 Type: ACCESS-LIST ... This packet will be sent to snort for additional processing where a verdict will be reached ! Phase: 13 Type: EXTERNAL-INSPECT ... Application: 'SNORT Inspect' Phase: 14 Type: SNORT ... Snort Verdict: (pass-packet) allow this packet FTD Data-Plane: Capture + Capture w/Trace As from 6.2 release the capture can trace Snort features known as preprocessors and get the verdict: > show capture CAPI packet-number 6 trace .. Type: SNORT Result: DROP Additional Information: Packet: TCP, ACK, seq 157078375, ack 664745083 AppID: service HTTP (676), application unknown (0) The Snort ACP Rule that Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, username 'No Authentication Required', , url http://192.168.2.10/image.bmp triggered the Drop Verdict Firewall: block rule, 'Rule1' , drop Snort: processed decoder alerts or actions queue, drop NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by Firewall The Snort Verdict Snort Verdict: (black-list) black list this flow.. .. Result: input-interface: INSIDE input-status: up input-line-status: up Action: drop Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor The Drop Reason FTD Data-Plane – Capture w/Trace Snort Verdicts of Capture w/Trace and possible Root Causes Drop Reason Possible Root Cause (firewall) Blocked by the firewall preprocessor The packet is dropped by Snort ACL Block rule. Check 'system support firewall-engine-debug' to confirm this ACP L7 Rule (ips) Blocked the IPS preprocessor The packet is dropped by a Signature from the Snort Intrusion Policy Intrusion Policy (file-process) Blocked by the file process preprocessor The packet is dropped by Snort File Policy (reputation) Blocked by the reputation preprocessor The packet is dropped by the Snort Security Intelligence (SI) (snort-drop) Snort requested to drop the frame The packet matches an existing LINA Engine flow. Check the first packet of the flow that was blocked to see the full verdict File Policy SI (IP reputation) Existing LINA Engine flow FTD Data-Plane – Capture + Capture w/Trace Source interface IP Protocol Circular buffer Trace ingress packets Current GUI limitations • Cannot specify Src and Dst ports • Only basic IP Protocols can be matched • Cannot enable capture for LINA Engine ASP Drops Workaround – Use the FTD CLI Traffic Capture Troubleshooting FTD • Run the capture-traffic command on the shell • Select the Router to capture traffic from the data interfaces. • > capture-traffic • Select 1 Router or Global (Version dependent) • Options • –c Stops after a certain number of packets are captured • –e Displays the Ethernet header in the capture • –n Does not resolve the host name and port name • –s Defines the size (snaplength) of the captured packets • –v Show extra packet data. –vv shows even more data • –w Saves the captured packets in a file instead of displaying them on the console • –X Shows packet contents in hex and ASCII • Host, net Filters traffic to and from a single host or the entire network, respectively • Port, portrange Filters traffic to and from a single or range of ports respectively • Src, dst Selects a direction for traffic flow –source or destination. Used in conjunction with the host and port options • And, or, not Combines or isolates traffic with a precise condition • Vlan Captures traffic related to a particular VLAN. To capture VLAN tagged traffic, you must enter the vlan option fillowed by the desired vlan_id Troubleshooting Traffic Capture ICMP FTD > capture icmp_traffic interface INSIDE_INTERFACE match icmp any any > show capture icmp_traffic > capture-traffic > Router or Global Options: icmp ICMP-BLOCK-RULE Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Traffic Capture Troubleshooting FTD • Example • –n –c 5 host x.x.x.x and port 80 • –n –c 5 scr x.x.x.x and dst port 80 • Server side traffic-originated web server • –n –c 5 dst x.x.x.x and src port 80 • Capture with default packet data • –n –c 5 host x.x.x.x • Print option • –n –c 5 –vv host x.x.x.x • Layer 2 Header • –n –c 5 –e host x.x.x.x • Download .pcap File • –w traffic.pcap –s 1518 host x.x.x.x Traffic Capture Troubleshooting Firewall Engine • Determine the name of the interface from which you want to capture traffic • > show nameif • Capture <capture name> interface <int_name> match protocol_name source_detail destination_detail Traffic Capture Troubleshooting FMC • admin@FMC:~$ ifconfig • Check eth0 • admin@FMC:~$ sudo tcpdump –i eth0 host x.x.x.x • sudo tcpdump –I eth0 host x.x.x.x –w /var/common/fmc_traffic.pcap • To store any user-generated file, use the /var/common directory on the FMC. If you save a file on this directory, the FMC allows you to download it directly using the GUI. • FMC GUI Download • Go to the Health > Monitor page and find the FMC in the appliance health status list. • Click on the FMC name. A detail view of the FMC health status appears. • Click the Advanced Troubleshooting button. The File Download tab appears. • Enter the name of the .pcap file (including the file extension) in the File field. • Click the Download button. The browser prompts you to save the file on your computer. • FMC CLI Download • scp /var/common/fmc_traffic.pcap admin@x.x.x.x: /home/user Locations of Capture FTD: /ngfw/var/common LINA: /mnt/disk0/ © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Packet Capture Procedures on Cisco Firepower Device Packet Tracer • Test policy configuration by modeling a packet based on source/destination address and protocol characteristics. • Policy lookup to test: • access rules • NAT • Routing • Access policies • Rate limiting • Packet flow based on: • Interfaces • SA/DA • Ports and protocols FTD Data-Plane - Packet-Tracer • Packet-tracer shows the LINA Engine Datapath checks done on a virtual packet Source interface summary, detailed or xml format FTD Data-Plane - Packet-Tracer When to use Packet-Tracer: • To verify if traffic to a specific port is allowed by LINA Engine Data-path and Snort Examples of Snort features that can be verified by Packet-Tracer: • Security Intelligence (IP Reputation) • L3/L4 IPS Intrusion Rules Examples of Snort features that currently cannot be verified by Packet-Tracer: • L7-related (SI DNS/URL, App ID, File Policy, L7 IPS Intrusion Rules) • Identity-based rules FTD Packet Processing: L3/L4 ACL - Allow • packet-tracer shows that LINA engine will send the packet to Snort engine for a Verdict > packet-tracer input inside icmp 1.1.1.1 8 0 2.2.2.2 Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip host 1.1.1.1 host 2.2.2.2 rule-id 268435456 access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5506-1 - Mandatory/1 access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: ACP_Rule1_Allow_ICMP_App Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Blocking Traffic Using Inline Interface Mode Inline Mode Essentials • You can deploy an FTD • IDS Intrusion Detection System • IPS Intrusion Prevention System • To prevent any potential intrusion attempt in real time, you must deploy an FTD device in Inline Mode. • The ingress and egress interfaces are bundled into an interface pair. • Each pair must be associated with an inline set, which is a logical group of one or more interface pairs. INLINE-PAIR Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib FTD-DEPLOYMENT Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Inline Mode vs Transparent Mode • Both Inline Mode and Transparent Mode act as bumps in the wire. • Not seen by connected devices. • Inline Mode- Interfaces in an interface pair can send and receive any traffic, if policies permit. • No IP addresses needed on member interfaces of an inline-pair. • Transparent Mode places the inside and outside networks into a virtual bridge group and creates a Layer 2 bridging network. • Traffic originates from an FTD device using a Bridged Virtual Interface (BVI) as its source interface. • The BVI, inside network, and outside network must all be configured with the IP addresses from a single subnet. • Transparent Mode supports NAT • FTD does not support NAT in the Inline Mode. CONFIGURING INLINE MODE Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Verifying Packet Flow by Using Real Packet Capture • Example • > capture inside_icmp trace interface INSIDE-INTERFACE match icmp any any > capture outside_icmp trace interface OUTSIDE_INTERFACE match icmp any any > show capture > show capture inside_icmp > show capture outside_icmp > show capture inside_icmp packet-number 1 trace > show capture inside_icmp packet-number 2 trace Blocking a Specific Port • Blocking a Specific Port • Policies > Access Control > Access Control page • Blocking port SSH 22 or another • > show access-list • Analyzing a Packet Drop > capture inside_ssh trace interface INSIDE_INTERFACE match tcp any any eq 22 > show capture inside_ssh > show capture inside_ssh packet-number 2 trace Inspecting Traffic Without Blocking It Traffic Inspection Essentials • Deploying a FTD for detection-only two options • Passive Mode • Inline Tap Mode • Passive Monitoring Technology • Promiscuous Mode: Configure the interface in passive mode, Set the interface into Promiscuous Mode. • Promiscuous Mode allows an interface to see any packet in a network segment—even packets that are not sent to that interface. This capability empowers an FTD device to monitor the network activities without being an active part of a network. • SPAN port: Some switch models replicate traffic from multiple switch ports and send the copies to a specific switch port. An FTD device can monitor a network without being an active part of the network flow; this feature is called port mirroring. Best Practices for Detection-Only Deployment • To observe any network activities and tune the security policies • Deploy FTD device in Detection-Only Mode Choose: • Inline Tap Mode over traditional Passive Mode. This allows you to switch to Inline Mode faster, without touching any physical cables. • FTD device in Detection-Only Mode permanently: Choose Passive Mode over Inline Tap Mode to eliminate any chance of traffic interruption due to an accidental outage of the FTD device (Fail-to-wire can correct this). • If the utilization of a network is medium to high, use a TAP instead of a SPAN port. • FTD device in Passive Mode cannot block traffic • IP addresses, and DHCP server configurations are not necessary in Inline, Inline Tap, and Passive Modes. PROMISCUOUS MODE Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Handling Encapsulated Traffic (Pre-filter Policy) Pre-filter Packet Processing Prefilter • Prefilter and access control policies both allow you to block and trust traffic, though the prefiltering "trust“ functionality is called "fastpath" because it skips more inspection. • Bypass capability Fastpath rule action • Fastpathed traffic in the prefilter stage bypasses all further inspection and handling, including: • Security Intelligence • authentication requirements imposed by an identity policy • SSL decryption • access control rules • deep inspection of packet payloads • Discovery • rate limiting 118 ENCAPSULATED TRAFFIC Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib FTD Packet Processing: Prefilter Policy • • Prefilter Policy got introduced in 6.1 version Serves 2 main purposes 1. Adds additional flexibility when it comes to handling tunneled traffic: • GRE • IP-in-IP • IPv6-in-IP • Teredo Port 3544 2. Provides Early Access Control (EAC) which allows a flow to bypass completely the Snort engine FTD Packet Processing: Prefilter Policy Prefilter Rules are deployed to LINA as L3/L4 ACEs and are placed above the normal L3/L4 ACEs firepower# show access-list access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line access-list CSM_FW_ACL_ line 1 remark rule-id 268434457: PREFILTER POLICY: FTD_Prefilter_Policy 2 remark rule-id 268434457: RULE: Fastpath_Rule1 Prefilter 3 advanced trust ip host 192.168.75.16 any rule-id 268434457 event-log both (hitcnt=0) Rules 4 remark rule-id 268434456: PREFILTER POLICY: FTD_Prefilter_Policy 5 remark rule-id 268434456: RULE: DEFAULT TUNNEL ACTION RULE 6 advanced permit ipinip any any rule-id 268434456 (hitcnt=0) 0xf5b597d6 7 advanced permit 41 any any rule-id 268434456 (hitcnt=0) 0x06095aba Tunnel Prefilter 8 advanced permit gre any any rule-id 268434456 (hitcnt=2) 0x52c7a066 Rules 9 advanced permit udp any any eq 3544 rule-id 268434456 (hitcnt=0) 0xcf6309bc 10 remark rule-id 268434445: ACCESS POLICY: FTD5506-1 - Mandatory/1 12 advanced deny ip host 10.1.1.1 any rule-id 268434445 event-log flow-start (hitcnt=0) 0x8bf72c63 L3/L4 14 remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE ACEs 15 advanced permit ip any any rule-id 268434434 (hitcnt=410) 0xa1d3780e Prefilter vs ACP rules = first match is applied } } } FTD Packet Processing: Prefilter Policy (tunneled) • How works the analyze action: firepower# show access-list access-list CSM_FW_ACL_ line 5 remark rule-id 268435473: RULE: Tunnel_Rule1 access-list CSM_FW_ACL_ line 6 advanced permit gre any any rule-id 268435473 root@FTD5506-1:/var/sf/detection_engines/UUID# cat ngfw.rules # Start of tunnel and priority rules. # These rules are evaluated by LINA. Only tunnel tags are used .. 268435473 allow any any any any any any any 47 (tunnel 2) 268434456 allow any any any any any any any 4 (tunnel -1) 268434456 allow any any any any any any any 41 (tunnel -1) # End of tunnel and priority rules. # Start of AC rule. 268435474 allow 2 any any any any any any any 268435468 allow any any any any any any any any (log dcforward) # End of AC rule. Bypassing Inspections and Trusting Traffic FASTPATH Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib PreFilter FASTPATH and ACP TRUST Rate Limiting Traffic RATE-LIMITING Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Rate Limiting Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib BEST PRACTICES Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Block List Suspicious Addresses by Using Security Intelligence SI-ESSENTIALS Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib SI-ARCHITECTURE Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib SI-ARCHITECTURE Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib TXT-FILES-FOR-BLOCK LIST Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Block List Configuration • FMC, navigate to Object > Object Management. • Select the Security Intelligence > Network Lists and Feeds option. • Then click the Add Network Lists and Feeds button to upload your text file to the FMC. • After you select List from the Type dropdown, you can browse your text file. Upon successful upload, the FMC can show the number of addresses you uploaded. • Once the file is uploaded, navigate to Policies > Access Control > Access Control and edit the access control policy that you want to deploy to an FTD. • When the policy editor page appears, select the Security Intelligence tab. A list of available objects and zones appears. • On the Network subtab, select the custom object you want to block-list. You can also select a specific zone for inspection. By default, FTD inspects traffic from Any zone. • Immediate Block-Listing Using a Connection Event Block-List Configuration • The Firewall System enables you to Block-List an address instantly by right-clicking your mouse. • Adding an Address to a Block-List • Navigate to Analysis > Connections > Events. • Right-click the address you want to block. • From the context menu that appears, select Add IP to Block List. A confirmation window appears. Click the Add to Block List to confirm. • Deleting an Address from a Blocklist • Any addresses that you Block-List by using the Block List IP Now option are included in the Global-Block-List category. • If you want to remove the blocking attribute from an address and allow the address again, • Object Management > Security Intelligence > Network Lists and Feeds > Global-Block-List and edit to remove the address. • If you delete the entire Global-Block-List object by using the Security Intelligence configuration page, the access control policy does not enforce the Blocklist IP Now function. Block-List Configuration • Monitoring a Block-List • Occasionally, you might want to monitor the activities of certain hosts in a network instead of blocking them completely. • Follow these steps to enable monitoring functionality using Security Intelligence: • Assumes that you have already blocked certain traffic. This time, you just want to change the action (monitor only instead of block) for certain traffic. • In the Access Control Policy editor page, go to the Security Intelligence tab. • From the Block-List field, right-click a category that you want to monitor. • FTD does not support the Monitor-only mode for the Global-Block-List category. • From the context menu that appears, select the Monitor-only (do not block) option. The icon changes from a red × to a green down arrow. • When the configuration is complete, click Save to save the changes and redeploy the access control policy. Block-List Configuration Cont’d • Verification and Troubleshooting Tools • Check whether Security Intelligence’s health module is enabled on the health policy. • System > Health > Policy, edit a health policy, and select Security Intelligence from the left panel. You must redeploy a health policy if you change any settings. • Check whether the FMC has a valid Threat license and whether the license is applied on the desired FTD device. • Verifying the Download of the Latest Files • admin@FMC:~$ ls -halp /var/sf/iprep_download/ • ! After updating the Cisco Intelligence Feed from the cloud, FMC shows the blocklist files: • ls –halp /var/sf/iprep_download/ FTD Block-List Configuration Cont • FTD • ! After a fresh installation, FTD shows only the empty Block-List (.blf) and Do-Not-Block-List (.wlf) files. At this point, FMC has not applied a Cisco Intelligence Feed yet: • > expert • admin@firepower:~$ ls -halp /var/sf/iprep_download/ • ! Upon a successful deployment of an Access Control policy, FTD received the necessary Block-List (.blf) and Do-NotBlock-List (.wlf) files from an FMC. Each of these files represent a Security Intelligence category. • admin@firepower:~$ ls -halp /var/sf/iprep_download/ • If you have enabled Security Intelligence based on URL, you can find the list of Block-Listed and Do-Not-BlockListed URLs in similar format. The files are located in the /var/sf/siurl_download directory. • Verifying URL-Based Security Intelligence Rules • Security Intelligence at /var/sf/siurl_download. • admin@firepower:~$ ls -halp /var/sf/siurl_download/ • admin@firepower:~$ cat /var/sf/siurl_download/url.rules FTD Packet Processing: SI (IP) • Security Intelligence (SI) can Drop or Allow IP addresses early in the packet processing lifetime within the Snort engine • Do-Not-Block-List overrides the Block-List • The Blocklist can be populated in 2 ways: • 1. Manually by the FMC administrator 2. Automatically by Intelligence Feed (Talos or custom) or List Snort returns to LINA a verdict about a packet being blocked FTD Packet Processing: SI (IP) • The files containing the IPs from Talos SI Feed are in /ngfw/var/sf/iprep_download directory root@FTD5506-1:/ngfw/var/sf/iprep_download# ls -alt | grep blf -rw-r--r-- 1 root root 1252278 Jun 12 16:06 3e2af68e-5fc8-4b1c-b5bc-b4e7cab598ba.blf -rw-r--r-- 1 root root 227696 Jun 12 16:05 032ba433-c295-11e4-a919-d4ae5275a468.blf • If a packet is being dropped by Snort SI the LINA capture trace shows the Verdict > show capture CAPI packet-number 1 trace 1: 16:07:45.147743 192.168.75.14 > 38.229.186.248: icmp: echo request Phase: 14 Type: SNORT Subtype: Result: DROP Additional Information: Snort Verdict: (black-list) black list this flow FTD Packet Processing: SI (DNS/URL) Security Intelligence (URL) • Works similarly to IP Security Intelligence and provides 3 actions 1. Allow (Do-Not-Block-List) 2. Block (Block-List) 3. Monitor (Block-List) • • In case Talos URL Feed is used part of the db is stored locally and updated daily For non-cached URLs a Cloud lookup is done Filtering URLs Based on Category, Risk and Reputation OPERATIONAL Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib URL-FILTERING Settings> Tools> Scheduling> Add Task URL-FILTERING-DIAGRAM Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib UNCATAGORIZED URL Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Controlling File Transfer and Blocking the Spread of Malware BLOCKING-ARCHITECTURE Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib MALWARE-CLOUD ARCHITECTURAL Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib MALWARE-TEXT-FILE Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Operations Getting to know the tools FTD Logging – ASA-level logs ASA-level logs provide information about the FTD LINA Engine Remote Syslog server which receives the logs > show running-config logging Same as on classic ASA > show logging Apr 23 2017 11:11:45: %ASA-7-609002: Teardown local-host nlp_int_tap:ff02::1 duration 0:00:02 FTD Logging – Snort-level logs Connection Events provide information about Snort Data-Plane Table View provides flexibility – allows addition/removal of columns On FTD the Connection Events are stored in: /var/sf/detection_engines/UUID/instance-X/unified_events-2.logXXX When they get archived they go to: /var/sf/detection_engines/UUID/instance-X/backup/unified_events-2.logXXX FTD Logging – System logs • Files like /ngfw/var/log/messages contain valuable information about FTD Control and Data-Plane status • You can use ‘system support view-files’ command from CLISH to see the contents of files under /ngfw/var/log directory > system support view-files ===View Logs=== ============================ Directory: /ngfw/var/log ----------sub-dirs---------packages removed_packages ... -----------files-----------2017-04-23 13:09:14.360532 | 3148401 | messages ([b] to go back or [s] to select a file to view, [Ctrl+C] to exit) Type ‘s’ to select a file Type a sub-dir name to list its contents: s Type the name of the file to view ([b] to go back, [Ctrl+C] to exit) > messages Specify the file name Apr 23 04:02:14 Firepower-module1 CROND[54253]: pam_unix(crond:session): session closed FTD CPU usage FTD provides 2 levels of CPU usage: • System level > system support utilization top - 13:00:15 up 2 days, 3 min, 0 users, load average: 24.29, 24.17, 24.15 Tasks: 719 total, 1 running, 717 sleeping, 0 stopped, 1 zombie Cpu(s): 29.8%us, 4.9%sy, 0.0%ni, 65.2%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st ... PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND Expected 13672 root 0 -20 27.2g 2.5g 2.0g S 1794 1.0 51978:46 lina 13863 root 20 0 5778m 72m 15m S 2 0.0 49:11.73 SFDataCorrelator > show cpu system Time CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice 19:53:46 all 29.79 0.00 4.92 0.04 0.00 0.01 0.00 0.00 0.00 • LINA engine level > show cpu usage CPU utilization for 5 seconds = 2%; 1 minute: 1%; 5 minutes: 0% > show processes cpu-usage sorted non-zero PC Thread - 5Sec 0.1% 1Min 0.1% 5Min 0.1% Process DATAPATH-0-5729 behavior! %idle 65.24 FTD CPU usage • Baseline your total CPU utilization • Alerts about High CPU don't necessary indicate a problem unless there is also latency and/or packet loss • Bypass flows that don't need Snort Inspection using Prefilter Policy Fastpath a) Big/fat flows (e.g backups, file transfers) b) Encrypted traffic that you don't decrypt (e.g. IPSec, SSH) • Intrusion Policy tuning and poorly-written Snort rules can affect performance. Try "Connectivity over Security" to narrow down FTD Memory usage FTD provides 2 levels of memory usage: • System level > system support utilization ... Mem: 8184696k total, 3583248k used, Swap: 3998716k total, 4920k used, 2991088k free, 3993796k free, 171812k buffers 1438548k cached total = used + free + buffers + cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 13672 root 0 -20 27.2g 2.5g 2.0g S 1794 1.0 51978:46 lina > show memory system total used free shared buffers cached Mem: 8184696 3582772 2992228 0 171828 1437868 -/+ buffers/cache: 3582772 4601924 free + buffers Swap: 3998716 4920 3993796 + cached • LINA engine level firepower# show memory [detail] Free memory: 2645848803 bytes (57%) Used memory: 1985224704 bytes (43%) -----------------------------Total memory: 4631073507 bytes (100%) Least free memory: Most used memory: 131126033472 bytes (92%) 11392566208 bytes ( 8%) FTD Memory usage (FDM) • FDM Monitoring > System Dashboard Memory utilization graph • The same output from FTD CLI: > system support utilization top - 19:43:24 up 1 day, 12:09, 1 user, load average: 12.09, 12.08, 12.07 Tasks: 142 total, 3 running, 139 sleeping, 0 stopped, 0 zombie Cpu(s): 29.8%us, 4.9%sy, 0.0%ni, 65.2%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st Mem: 8184696k total, 3582780k used, 2996544k free, 171436k buffers Swap: 3998716k total, 4920k used, 3993796k free, 1433936k cached FTD Logging – System logs You can run pigtail from root to select individual logs Getting to know the tools FTD Debugs • FTD debugs can be categorized in 3 types 1. LINA Engine Control-Plane debugs 2. LINA Engine Data-Plane debugs 3. Snort Engine Data-Plane debugs Health Monitor Reports for Troubleshooting System Tuning Performance Tuning © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential • Iterative Process with Firepower, may take several tuning efforts • Feature Set Enabled • CPU, Memory, Throughput, Latency • Best Practices Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Diagram courtesy of Cisco Firepower Threat Defense FTD Nazmul Rajib Performance | Best practices © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CPU © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential • Trust Known traffic • Avoid Elephant Flows • Avoid Discovery of 0.0.0.0/0 network Memory © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential • Validate Asynchronous Traffic and update TCP Stream Configuration • Check for swap and buffer memory using top • Trust Known traffic to reduce the number of active TCP sessions. Throughput © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential • Trust small packets (Voice, DNS, ICMP) • Avoid Rules with generic PCRE (Pearl Compatible Regular Expressions) • Avoid Elephant Flows • Check Firepower Datasheets for appliance ratings • Have Cisco Sales use the Performance Estimator • Set Connection logging DB Limits to default. • Always Log at End of connection when possible. • Avoid un-necessary custom widgets on the Dashboard. Latency on FMC © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Performance Tuning Policy Config Best Practices • Properly Defined Variable Set • • IPS Base Policy using one of the three defaults, Connectivity, Balanced, Security Avoid using local/customer IPS rules. • Review Performance Statistics Graphs from FMC. • Do not use Maximum Detection • Flow-IP to eliminate TopTalkers • Network Discovery Policy not set to default. • Avoid inspecting trusted traffic like backups and encrypted data. • AC Rules configured optimally Thank You