TC - SECVFTD v25 - Lab Guide - Securing Enterprise Networks With Cisco Firepower Threat Defense Virtual Appliance v25 - drn1 - 7 PDF
Step 3. Log in to the portal using the credentials provided by the trainer. After a successful login you
can access your POD.
Step 4. To exit the connection, press Ctrl+Alt+Shift (on a Mac without a Ctrl key, use fn+Cmd+Alt+Shift),
click the POD name and select Logout.
Step 6. To share the screen, press Ctrl+Alt+Shift, click Share at the top left, and select the
connection name.
Step 7. Copy the generated link and share it with the trainer over any communication medium
(Skype or email).
Note: If audio or video is not working properly, repeat the step above to reconnect the audio or
video.
Step 11. When using audio, allow microphone access when the browser prompts for it.
Step 12. To allow the camera and microphone, configure the site settings in the HTML5 browser as
follows.
Chrome:
1) In the URL bar, click the lock icon before the URL and click Site settings.
2) Select Allow for Camera, Microphone and Notifications from the drop-down menus.
Firefox:
1) In the URL bar, click the lock icon before the URL, click the Show connection details icon
(highlighted below) and click More Information in the pop-up.
2) In the Page Info window, open the Permissions tab. Scroll down to Use the Camera and Use the
Microphone, uncheck Use Default and select Allow for both.
Edge:
Firepower Software
FirePOWER Threat Defense Virtual v6.2.3.4
Note: “<X>” is your pod number (e.g. “1” for pod 1, “8” for pod 8). Access only your own vFTD: a
POD 1 student, for example, accesses only the POD 1 vFTD.
Step 4 Enter the following command. If a license prompt appears, answer yes and proceed.
If you enabled any feature licenses, you must disable them in Firepower Device Manager before
deleting the local manager.
Host : 192.168.X4.24
RPC Status :
Note: The registration key is FirePOWER; the CLI displays it masked rather than in clear text.
Step 2 If the browser reports that the connection is not private, click Advanced and then Proceed to
192.168.X4.24 (unsafe). Bypassing the warning is acceptable here only because the lab FMC presents a
self-signed certificate; in production, install a certificate the browser trusts instead.
Step 5 Click Register and wait for the device to register with the FMC; this can take a moment.
Note: If the Access Policy is not shown as Default Intrusion Prevention, refresh the page after
5 minutes.
Type : Manager
Registration : Completed
Step 2 To enable VMware Tools on the FMC, navigate to System > Configuration; the VMware Tools
option is at the bottom left of the page.
Step 3 Check the box next to Enable VMware Tools and click Save.
Step 4 Verify that the FMC health status is normal; a green check icon indicates normal health.
Note: If the Health Monitor in the FMC shows the error “Interface is not receiving any packets”, you
can ignore it; it does not affect FMC operation.
Step 3 Click the edit icon for GigabitEthernet0/0 to configure its IP address and security zone.
MODE : None
NAME : Inside
On the IPv4 tab, set IP Type to Use Static IP, set the IP address to 192.168.X5.1/24,
and click OK.
MODE : None
Name : Outside
IPV4
IP Address : 192.168.X.254/24
Click OK.
Step 6 After the deployment completes, reload the page and confirm that both interfaces show a
green light under Status.
Step 9 On the Routing tab, click Static Route, then click Add Route at the top right to add a route
via the Outside interface.
TYPE : IPv4
INTERFACE : Outside
Move any-ipv4 from Available Network to Selected Network by selecting it and clicking Add.
Click the + symbol and add a gateway named GatewayIP with the address 192.168.X.1.
Click Save.
GATEWAY : GatewayIP
Step 3 Set Serve Time via NTP to Enabled and select Via NTP from as the time source.
Step 4 Ensure the NTP server is 192.168.X4.100 (X = pod number) and click Save at the top right
corner.
Step 6 Select the Initial_Health_Policy and click the Edit button (pencil logo).
Step 7 Click Time Synchronization Status, confirm that Enabled is set to On, then click Save Policy
and Exit at the bottom left of the screen.
Step 9 Click the green check mark (Apply) beside Initial_Health_Policy.
Step 11 Wait a moment for the task to execute. You can view its status under the “!” icon next to
System, on the Tasks tab.
Step 12 Navigate again to System > Health > Policy. The policy should now show as applied to 2
appliances. If done correctly, your page should look like the image below.
Step 1 Navigate to System > Integration > Cisco CSI to verify the URL filtering update.
Step 2 The last URL filtering update should show a recent date and time.
Step 3 If it does not, click Update Now and wait at least 10 minutes for a recent date and time to
appear.
Step 5 If the Update Now button is grayed out, uncheck and re-check Enable URL Filtering, then
click Update Now.
Step 6 Wait 5 minutes and click Save once the update has completed.
Step 7 If you still do not see a recent date and time, reboot the FMC once and check the URL
filtering status again.
Step 8 To reboot the FMC, open the FMC CLI, issue sudo reboot and enter the password C1sc0123
when prompted.
Step 2 In the FMC GUI, navigate to Policies > Access Control > Malware & File. Click New File
Policy.
Step 3 Name the new file policy Block Malware. A description is optional. Click Save.
Step 4 Click Add Rule to add a rule to the Block Malware policy.
Step 5 In the new rule, choose Block Malware from the Action drop-down.
Step 6 When you choose the Block Malware action, Reset Connection is enabled by default.
Step 7 Check the Spero Analysis for MSEXE and Dynamic Analysis boxes. Both depend on the FMC's
connection to the Cisco AMP cloud (dynamic analysis submits files to the Cisco Threat Grid
sandbox); without that connectivity the additional analysis is simply skipped.
Step 8 Under File Type Categories, check all the file type categories.
Step 9 Under File Types, choose All types in selected Categories, click Add, and click Save.
Step 2 If any other policies are already listed under Intrusion, delete them, then click Create
Policy.
Step 3 Name the new intrusion policy Initial Inline Policy - firepower3D.gkapac.local.
Step 4 A description is optional.
Step 5 Check Drop when Inline to enable inline IPS operation; without it the policy only generates
events and never drops traffic.
Step 6 For the Base Policy, choose Security over Connectivity. Wait a few seconds for the
change to register.
Step 7 Click Create Policy.
Step 4 If Block All Traffic is not the default action, open the Default Action drop-down and
select Access Control: Block All Traffic.
Step 5 Click OK if a warning pop-up appears.
Step 10 Click Add Rule to add a mandatory rule to the Default Intrusion Prevention access
control policy that uses the Block Malware file policy and the Initial Inline Policy -
firepower3D.gkapac.local intrusion policy.
Step 17 Click the Logging tab and enable Log at Beginning of Connection and Log at End of
Connection. Associating a file policy with the rule automatically enables the Log Files
check box; leave it checked. Leave the default of sending the events to the Event Viewer.
Step 20 Click Deploy to push the access control policy to the vFTD sensor: check the box next to
the vFTD and click Deploy.
Step 21 On the Policies > Access Control page, once the access control policy has been applied
to the vFTD, the status should read Up-to-date on all targeted devices.
Note: In the FMC GUI, navigate to Policies > Access Control > Access Control > Default Intrusion
Prevention and confirm that the status shows Up-to-date on all targeted devices. If it does not,
click the Deploy button at the top to check whether a task is pending and deploy it, or try
refreshing the page.
The European Institute for Computer Antivirus Research (EICAR) developed the EICAR test file, a
harmless file that antivirus and antimalware products are designed to detect, so it can be used to
test their response.
Note: If http://www.eicar.org/download/eicar.com returns “This page isn’t working” (HTTP 500), the
problem is a technical issue at the website; try again after 10 minutes. If the error persists,
continue with the next task.
Step 3 In the FMC GUI, navigate to Analysis > Files > Malware Events. Click Table View of
Malware Events.
Step 5 Scroll right to locate the Detection Name column. You should see EICAR.
Step 6 Examine the network file trajectory from the Firepower Management Center: navigate to
Analysis > Files > Network File Trajectory.
Step 7 You should see the eicar.com filename under Recent Malware.
Step 4 Make sure the FTP service is running. If it is inactive, restart it from the command line:
service vsftpd restart
Step 5 Go to Inside PC-1 (Win7). Ping the Attacker PC (192.168.X.34); it should be reachable.
Step 6 Then, in the web browser, connect to the Attacker PC over FTP (ftp://192.168.X.34/).
Step 7 If prompted for credentials, use the Attacker PC's username and password (root/password).
Step 9 The download fails because the file policy blocks the malware-infected file you are
downloading over FTP.
Step 10 In the FMC GUI, navigate to Analysis > Files > Malware Events. A threat with the file type
PDF should appear in the list.
Note: Reload or refresh the GUI page once or twice to update the events.
Step 14 You can also view these malware events under Analysis > Files > File Events.
Step 1 In the FMC GUI, navigate to Analysis > Hosts > Network Map to verify network discovery.
Examine some of the discovered networks, hosts, and applications.
Step 2 Click Policies > Network Discovery and click the edit icon of the existing discovery rule.
Step 3 Check the box next to Users and click Save.
Note: If the host (192.168.X5.10) is not displayed, run a continuous ping from 192.168.X5.10
(Inside PC-1) to 192.168.X4.24 (FMC).
Note: If Indications of Compromise do not appear on the Host Profile at the first attempt, browse
again from Inside PC-1 to http://www.eicar.org/download/eicar.com to generate them. Reload the page
once or twice, then return to the FMC GUI and refresh the Host Profile page to view the Indications
of Compromise.
Step 8 In the example output that follows, the 192.168.X5.10 host is the lab Inside PC-1.
Step 10 Click the down arrow next to one of the discovered applications (such as HTTPS) for more
details.
Step 13 Check one of the check boxes, then click View to see all the Windows host information.
Note: The host's operating system may not appear at the first attempt. Reload the page once or
twice.
Step 2 Ping 192.168.X5.12 (Inside PC-2) from the Attacker PC; it should succeed.
Step 3 Start the SQL and Metasploit services from the CLI.
To simulate attacks in the lab, use the Armitage tool on the Kali Linux Attacker PC. Armitage
drives Metasploit to launch the various attacks.
From the Attacker PC CLI, start the SQL and Metasploit services using the following CLI
commands:
Step 8 Once it finishes loading, click Hosts > Nmap Scan > Quick Scan (OS detect).
Step 9 Enter the IP of Inside PC-2 (XP), 192.168.X5.12, and click OK.
Step 10 Wait a few minutes for the scan to run. When it finishes, it should report a discovered
host; click OK.
Step 12 Wait a few minutes until the attack analysis completes.
Step 17 Return to the FMC browser window and go to Analysis > Intrusions > Events to view the
intrusion events.
Step 18 Check the box next to any one attack and click View at the bottom to see its details.
Step 19 Check the box next to the event again and click View to see the detailed event
information.
Step 4 On the HTTP Responses tab, select System-provided for both Block Response Page and
Interactive Block Response Page.
Note: The Block Response Page is shown when a user requests a prohibited HTTP resource. The
Interactive Block Response Page also shows the block page, but only as a warning rather than a
full block: the user can continue by clicking the button on the page or by refreshing it. Choose
the Custom option if you want only to warn the user or to change the text displayed.
Step 11 Under Logging, select Log at Beginning of Connection and click Add.
Step 13 Open the Deployments tab at the top to view the deployment progress. When it completes,
proceed with the next task.
Note: Reload or refresh the GUI page once or twice to update the events.
Step 2 Click Check for Updates, then click Install Updates.
Note: We are creating a rule to inspect traffic going to the AD, FTP and web servers because they
hold sensitive data.
Step 7 On the Logging tab, check Log at End of Connection and click Add.
Action - Block
Step 6 On the Logging tab, check Log at Beginning of Connection. Click Add.
Step 2 Click New Realm. A realm is a logical group of directory servers of the same type.
Step 3 Add the realm as follows:
• Name : Realm1
• Type : AD
• Base DN : dc=gkapac,dc=local
• Group DN : dc=gkapac,dc=local
• Port : 389
• Encryption : None
Note: Port 389 with Encryption None is cleartext LDAP: the realm's bind credentials and every user
and group download cross the network unencrypted. The lab accepts this; a production realm should
use LDAPS (port 636) or STARTTLS with the domain controller's CA certificate loaded on the FMC.
Step 10 To download the user and group information, click the edit icon for Realm1.
Step 11 On the User Download tab, check Download users and groups.
Password - tr@1n1ng@GK
Note: When the Sourcefire User Agent is installed on the Active Directory server itself, as in this
lab, specify "localhost" as the Active Directory server address when adding the server in the
Sourcefire User Agent GUI.
Step 12 Wait a moment and verify that the Polling Status is available.
Step 5 Click Add Rule to create a rule in the identity policy.
Step 6 Name the rule Identity Policy Rule 1. Set the action to Passive Authentication, which uses
the Sourcefire User Agent.
Step 7 Select the Realm & Settings tab, then select Realm1 (AD) in the Realm drop-down.
Step 8 Do not check Use active authentication if passive authentication cannot identify user.
Leave all other settings at their defaults.
Step 12 On the Logging tab, make sure Log at Beginning of Connection is enabled, then click Save.
Step 19 To see the Initiator User column, click Table View of Connection Events.
Step 20 Note the block event with Initiator User amy.
Step 21 Close all tabs, log out of gkapac\amy and log back in as gkapac\administrator (password
tr@1n1ng@GK).
If, when logging in to Inside PC-1 (GKAPAC\administrator / tr@1n1ng@GK), you get the error “The trust
relationship between this workstation and the primary domain failed”, resolve it by removing the
computer from the domain and then joining it to the domain again:
5. When the advanced system settings open, switch to the Computer Name tab.
6. Click Change.
7. Under Member of, select Workgroup, type the workgroup name ADMIN, and click OK.
10. When prompted to restart the computer, click OK.
13. Click OK, then enter the credentials of a user with permission to join the domain
(administrator / tr@1n1ng@GK).
14. Click OK.
Step 3 Click Create Custom Detector at the top right of the page.
Step 6 For Detector Type, keep the default Basic.
Step 7 Click Add next to Application Protocol to define the application protocol this custom
detector will match.
Risk: Low
Click OK.
Step 8 Click OK in the Application Editor window; if a warning appears, click Yes.
Step 17 On the Policies > Application Detectors page, enter vtech in the filter field to find the
vtech custom application detector and check the box next to it.
Step 18 Under the State column, click the check box to activate the vtech custom application
detector. If a warning appears, click Yes.
Step 19 Activating a custom application detector takes about a minute; the Snort engine reloads
automatically after a detector is activated.
Step 22 Open vtech.lua in WordPad to see what the Lua detector script looks like.
Step 25 Navigate to Analysis > Connections > Events. You should see a connection logged with
vtech-app under Web Application.
Step 28 Click Add Rule in the access control policy to use the vtech-app application.
Step 31 You should see the vtech-app custom application. In this lab step, you will not actually
use vtech-app as a matching criterion for the access control policy rule.
facebook.com
#
twitter.com
Step 2 In the Firepower Management Center GUI, navigate to Objects > Object Management.
Step 3 From the left side of the page, select DNS Lists and Feeds under Security Intelligence.
Step 6 Locate and select the dns-list-file that you created in Notepad on your host machine.
Step 11 Click the edit icon to edit the Default DNS Policy.
Step 12 Click Add DNS Rule to add a rule to the Default DNS Policy.
Step 24 Verify that Default DNS Policy is the DNS policy selected for the access control policy
(Security Intelligence tab).
Step 26 After the deployment completes, go to Inside PC-1 and ping www.facebook.com and
www.twitter.com; name resolution for both should fail.
Step 27 From Inside PC-1, ping www.yahoo.com; the pings should succeed.
Note: From Inside PC-1, run nslookup. Resolving www.yahoo.com should succeed; resolving
www.facebook.com and www.twitter.com should fail.
Step 28 Back in the FMC GUI, navigate to Analysis > Connections > Security Intelligence Events.
Step 29 Check the box at the top of the list to select all the events, then select Table View of
Security Intelligence Events.
Step 32 Examine the Connections by DNS SI Categories, Connections by DNS Record Types, and
Traffic by DNS SI Categories widgets.
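The DNS list and the nslookup test above, as an added example that is not from the lab guide or from Cisco: a small Python parser for a Firepower-style DNS list file (lines beginning with "#" are comments, as the bare "#" line in the dns-list-file is) and a matcher that reproduces the result observed in Steps 26 and 27 (www.facebook.com and www.twitter.com blocked, www.yahoo.com allowed). The label-wise suffix match and the extra ads.example.net entry are this example's own assumptions, not Firepower's documented matching algorithm.

```python
"""Parse a Firepower-style DNS Security Intelligence list and match query names.

Added example, not part of the lab guide or Cisco's code. It mirrors what the
lab observes: listing facebook.com also blocks www.facebook.com, so matching
is done on whole DNS labels from the right (a suffix match on labels, never on
raw characters). The list text below is constructed inline and copies the
lab's dns-list-file entries.
"""

# Constructed sample: the lab's list file, plus a blank line, a comment and a
# mixed-case entry with a trailing root dot to exercise normalisation.
DNS_LIST_FILE = """\
facebook.com
#
twitter.com

# tracking host added for this example (assumption)
Ads.Example.NET.
"""


def parse_dns_list(text):
    """Return the set of normalised domains from a DNS list file.

    Lines starting with '#' are comments and blank lines are skipped; names
    are lower-cased and a trailing root dot is removed so 'Example.NET.' and
    'example.net' compare equal.
    """
    domains = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split("#", 1)[0].strip()  # tolerate trailing comments
        domains.add(line.lower().rstrip("."))
    return domains


def matches_list(qname, domains):
    """Return the list entry that covers qname, or None.

    A query matches an entry when it equals the entry or ends with
    '.' + entry, checked label by label, so 'notfacebook.com' does not
    match 'facebook.com'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def classify_queries(qnames, text):
    """Map each query name to 'blocked' or 'allowed' under the list."""
    domains = parse_dns_list(text)
    return {q: ("blocked" if matches_list(q, domains) else "allowed") for q in qnames}


if __name__ == "__main__":
    verdicts = classify_queries(
        ["www.facebook.com", "www.twitter.com", "www.yahoo.com", "notfacebook.com"],
        DNS_LIST_FILE,
    )
    for name, verdict in verdicts.items():
        print(f"{name:20s} {verdict}")
```

Run it to compare against the nslookup results on Inside PC-1: the two listed domains and their subdomains come back blocked, www.yahoo.com allowed, and notfacebook.com allowed, which is the label-boundary check a character-level suffix match would get wrong.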
Name : Internal
Country Name : SG
Organization : Gkapac
Step 5 You can also click the Edit icon to examine the resulting Internal CA.
Step 7 Navigate to Policies > Access Control > SSL to create an SSL policy.
Step 14 Click the Trusted CA Certificates tab to examine all the Cisco Trusted Authorities.
Step 15 Click the Undecryptable Actions tab to examine the default action for each
undecryptable situation.
Step 20 Click the Logging tab and enable Log at End of Connection.
Step 24 To apply the SSL policy to the access control policy, navigate to Policies > Access
Control.
Step 25 Click the edit icon of the Default Intrusion Prevention access control policy.
Step 31 After the deployment to the FTD device succeeds, go to Inside PC-1 and clear the Firefox
browser cache.
Step 32 Browse to https://www.yahoo.com in Mozilla Firefox. You will see the screen below.
Step 33 Click I Understand the Risks > Add Exception. You will see this dialog box.
Step 35 Verify that the certificate is issued by the Internal CA (common name Internal). The vFTD is
now acting as a man in the middle between the client browser and the Yahoo web server. The
browser warns because the client does not trust the Internal CA; in a real deployment the CA
certificate is pushed to the clients' trust stores so decrypted sessions do not raise warnings.
Step 37 Check the box at the top of the list and click Table View of Connection Events.
Step 38 Scroll right; you should see a connection event with SSL Status Decrypt (Resign) where the
application protocol is HTTPS and the web application is Yahoo.
Step 39 Back in the browser on Inside PC-1, browse to https://www.ihaveabadreputation.com/eicar.com
to download a test malware file.
Step 44 Because HTTPS connections are now decrypted and inspected, malware file transfers over
HTTPS should be blocked.
Step 48 Navigate to Policies > Access Control > SSL and click the edit icon to edit the Decrypt
Resign SSL policy and enable the Replace Key option.
Note: With Replace Key, only the server certificate's public key is replaced, not the entire
certificate, so the client still sees a self-signed (untrusted) certificate. Use it when the
destination server presents a self-signed certificate or one signed by an untrusted CA, so that
users keep seeing the warning they would have seen without decryption instead of a certificate
that the Internal CA has vouched for.
Step 50 On the Editing Rule page, check Replace Key below the Move option.
Step 56 Verify that the certificate is not signed by the Internal CA but is self-signed by
ihaveabadreputation.com.
Step 61 Navigate to Analysis > Connections > Events and click Table View of Connection Events.
You should see an HTTPS connection to ihaveabadreputation.com with SSL Status Decrypt
(Replace Key); HTTPS connections to www.google.com should still show Decrypt (Resign).
Step 66 On the Category tab, add Financial Services with any reputation to the selected
categories.
Step 69 Click Deploy to push the SSL policy to the vFTD managed device.
Step 70 To test, from Inside PC-1 in Firefox browse to a financial website such as
https://www.chase.com or https://www.hdfc.com.
Note: Since the initial Firepower 6.0.0 release, when an enabled SSL rule matches on URL category and
the category lookup fails or returns unknown, the SSL policy's default action is applied to that
traffic.
Step 1 In the FMC GUI, navigate to Policies > Access Control > Intrusion.
Step 2 Click Create Policy to create a new intrusion policy. Name it Training Analysis Policy, set
the Base Policy to Security over Connectivity, make sure Drop when Inline is enabled, and click
Create and Edit Policy.
Step 3 Commit your changes, entering any text in the description prompt. Click OK.
Step 5 Change the Default Action to Intrusion Prevention: Training Analysis Policy.
Step 7 In the Logging window, make sure Log at End of Connection is checked, then click OK.
Step 9 Navigate to Policies > Access Control > Intrusion and click the edit icon for Initial Inline
Policy - firepower3D.gkapac.local.
Step 13 Check the box next to GID in the heading of the rule list; this selects all the HTTP
Configuration rules.
Step 14 Click Rule State and choose Generate Events to enable all rules in the HTTP Configuration
category.
Step 17 Click Policy Information in the left panel and Commit Changes to the IPS policy; enter the
description IPS and click OK if a warning appears.
Step 19 From Inside PC-1, open more than five HTTP connections in the browser, for example
http://www.msn.com/.
Step 20 An event is generated on the FMC; to see it, navigate to Analysis > Intrusions > Events.
Note: The detected event name and the screenshot may differ.
Step 21 Check the box next to the newly generated event and click View to see the generated
events.
Step 1 In the FMC GUI, navigate to Policies > Correlation > Traffic Profiles and click New
Profile.
You have set the Profiling Time Window so the profile keeps data for the last 1 hour, so wait until
progress reaches 100%. While waiting, create the following rules.
Step 6 Click the Rule Management tab. You will create a correlation rule that alerts when malware
is detected.
Step 16 Ensure the policy is activated by checking for the tick mark. If it is not, click the slider
to activate it.
Step 18 From Inside PC-1, if not already logged in, log in as gkapac\administrator with the
password tr@1n1ng@GK.
Step 19 Browse to http://www.eicar.org/download/eicar.com. Access is blocked (“The connection was
reset”); refresh the browser a couple of times and you still cannot reach the site.
Step 20 You should not be able to access the website.
Step 21 To check the output, click Analysis > Correlation > Correlation Events; you will see the
following output screens.
Step 1 Navigate to Analysis > Context Explorer and scroll through each section to view the
generated events and data.
Step 2 Scroll down to the Application Protocol Information section to view the applications in
use and their details (e.g. risk, number of hosts).
Step 3 To view the intrusion events generated and their details, scroll down to the Intrusion
Events section.
Step 4 To view network information, scroll to the Network Information section, where you can see
the operating systems and Connections by Access Control.
Step 3 In the User Configuration section, enter NOC in the User Name field.
Step 4 In the Password field, enter training, and confirm it in the Confirm Password field.
Step 5 In the Options, check Exempt From Browser Session Timeout. This suits a read-only NOC
display account; do not grant it to accounts with write privileges.
Step 6 In the User Role Configuration section, check Security Analyst.
Step 7 Click Save to save the new user account.
Step 2 You are taken to the Dashboard page. It refreshes frequently; keep it open for at least
3 minutes.
Step 3 The browser session never times out for the NOC user because the account is exempt from
session timeout.
Step 4 Log out as NOC and log back in with the admin credentials.
Step 6 Once logged out, log back in with the admin credentials (admin/C1sc0123).
Step 7 Navigate to System > Configuration > Shell Timeout to edit the system policy titled
Initial_System_Policy.
Step 3 Click Create User Role. In the Name field, enter Student 1 User Role. Click Save.
Step 6 Click the edit icon for Student 1 User Role.
Step 7 In the System Permissions section, check Set this role to escalate to: Administrator.
Step 8 Set the role to Authenticate with the assigned user's password. Note that this lets anyone
holding the NOC password escalate to Administrator; the alternative, Authenticate with the
specified user's password, requires the escalation target's password and is the safer choice
outside a lab.
Step 9 Click Save.
Step 12 Log out of the current session and log back in with the internal account NOC
(NOC/training).
Step 14 Enter the password you configured for the NOC account (training).
Step 15 Confirm that the user interface now reflects the escalated Administrator permissions. You
now have all permissions of the escalation target role in addition to your current role.
Step 1 In the FMC GUI, click Objects > Object Management in the main menu.
Step 2 Click Network.
Step 3 Click Add Network > Add Object.
Step 4 In the Network Objects dialog, enter InsidePC in the Name field and 192.168.X5.0/24 in
the Network field.
Step 5 Click Save.
Step 1 Click Variable Set on the left side of the page.
Step 2 Click Add Variable Set.
Step 5 In the Network field under Included Networks, enter the 172.16.10.0 network in the Enter
an IP address box and click Add.
Step 3 On the Domains page, you can add domains under the Global domain or edit the Global
domain.
Step 4 Setting up multi-domain management is beyond the scope of this lab.
Step 5 In our lab environment, there is 1 device under the Global domain.
Step 6 To examine Archive File Inspection, navigate to Policies > Access Control > Malware & File
in the FMC GUI.
Step 7 Edit the Block Malware file policy.
Step 8 Click the Advanced tab of the file policy.
Step 9 Examine the Archive File Inspection settings. By default, Inspect Archives is not enabled, so
a malicious file wrapped in a ZIP is neither unpacked nor matched; enable it (and set Max Archive
Depth) if archived transfers are in scope.
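The EICAR file used throughout this guide and the Archive File Inspection setting examined in Step 9, as an added example that is not from the lab guide or from Cisco: Python that writes the EICAR test file, checks it against the published SHA-256 (the value the file policy's AMP cloud lookup keys on), and wraps it in one and two ZIP layers so Inspect Archives and Max Archive Depth can be exercised with a file you generated yourself instead of one downloaded from eicar.org. The output file names are this example's choice.

```python
"""Build EICAR test samples for exercising the Block Malware file policy.

Added example, not from the lab guide or Cisco. It writes the EICAR test file
used in the lab and wraps it in one- and two-level ZIP archives so the Archive
File Inspection settings (Inspect Archives, Max Archive Depth) can be tested
offline. EICAR_SHA256 is the published digest of the 68-byte EICAR string; the
file policy's cloud lookup keys on SHA-256, so a sample that hashes differently
(padding, CRLF, BOM) is a different file and will not be flagged as EICAR.
"""
import hashlib
import io
import zipfile

# The EICAR test string (ASCII, 68 bytes, no trailing newline).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_exact_eicar(data):
    """True only for the byte-exact EICAR file, which is what a SHA-256 lookup sees."""
    return sha256_hex(data) == EICAR_SHA256


def nest_in_zip(payload, name, depth):
    """Wrap payload in `depth` nested ZIP archives; depth 0 returns payload unchanged."""
    data, inner_name = payload, name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, data)
        data, inner_name = buf.getvalue(), f"level{level + 1}.zip"
    return data


def archive_depth(data):
    """Return (layers, innermost bytes): how many single-member ZIP layers wrap the payload."""
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                break
            data = zf.read(names[0])
        depth += 1
    return depth, data


def build_samples():
    """Return {filename: bytes} for the plain file and two archive depths (names are arbitrary)."""
    return {
        "eicar.com": EICAR,
        "eicar.zip": nest_in_zip(EICAR, "eicar.com", 1),
        "eicar-nested.zip": nest_in_zip(EICAR, "eicar.com", 2),
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        with open(fname, "wb") as fh:
            fh.write(blob)
        depth, inner = archive_depth(blob)
        print(f"{fname:18s} depth={depth} inner-is-eicar={is_exact_eicar(inner)}")
```

Host the three files on the Attacker PC's FTP or web server and download them from Inside PC-1: with Inspect Archives off only eicar.com is caught, with it on the single-layer ZIP is caught, and the two-layer ZIP is caught only if Max Archive Depth is at least 2.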
Step 10 To check the default Network Analysis Policy, navigate to Policies > Access Control.
Step 13 Examine the default Network Analysis and Intrusion Policies settings.
Step 14 Click the edit icon to edit the Network Analysis and Intrusion Policies settings.
Step 15 Change the Default Network Analysis Policy to the Security over Connectivity policy.
Step 20 The host profile is displayed in detail, including Indications of Compromise, the host's
operating system, applications, and so on.
Note: Select Continuous Capture to capture traffic without interruption, or Stop when full to stop
the capture when the maximum buffer size is reached.
Packet Tracer
Step 33 On the Firepower Management Center, click the Packet Tracer tab.
Step 34 Click OK if a pop-up appears.
Interface : Inside
URL Lookup
Step 38 Navigate to System > Integration > Cisco CSI. Check Query Cisco CSI for Unknown URLs.
Step 39 Click Save.
Note: You can enter up to 250 URLs and public, routable IP addresses in any common format (for
example, URLs with or without "http", "www", or a subdomain, or shortened URLs).
If you enter many URLs and your network is slow, processing may take several minutes.
If you see an error that a URL is not valid, check the spelling or try a different variation of the
URL, for example omitting the "www" or "http(s)" prefix.
A URL may belong to up to six categories but has only one reputation.
Step 43 (Optional) To save the results as a CSV file, click Export CSV.
REST API
Step 45 In the FMC GUI, navigate to System > Configuration > REST API Preferences to enable the
REST API.
Step 46 Check the Enable REST API checkbox.
Step 47 Click Save. A "Save Successful" message is displayed when the REST API is enabled.
Step 49 From the host PC, open Firefox and browse to https://192.168.X4.24/api/api-explorer/
with the credentials admin/C1sc0123 to access the FMC REST API online documentation (API Explorer).
Step 50 Accept the certificate warning to continue if it appears.
Note: If the page does not display properly, install the RESTClient add-on in Firefox; it is needed
to display the REST API console content.
Click the menu button and choose Add-ons. The Add-ons Manager tab opens.
Install the RESTClient add-on with the Install button.
Step 51 On the left under API INFO, click Devices, then click GET next to
/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/devices/devicerecords.
Step 52 Scroll down to the uuid field and paste the FTD sensor's UUID there.
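The two API Explorer calls in Steps 51 and 52 done from a script, as an added example that is not from the lab guide or from Cisco: a standard-library Python client that obtains a token from /api/fmc_platform/v1/auth/generatetoken and lists device records for the domain UUID shown above, returning each device's name and UUID (the value Step 52 asks you to paste). The sample response body is constructed; FMC_HOST keeps the lab's X placeholder and must be edited before running; disabling certificate verification mirrors the lab's self-signed FMC certificate and is not appropriate outside the lab.

```python
"""Minimal FMC REST API session: token login, then list device records.

Added example, not from the lab guide or Cisco. It uses only the standard
library and the two endpoints the lab's API Explorer shows: POST
/api/fmc_platform/v1/auth/generatetoken and GET
/api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords. The host,
credentials and verify_tls=False default match the lab (self-signed FMC
certificate); in production keep certificate verification on. The sample
response body below is constructed to exercise the parsing offline.
"""
import base64
import json
import ssl
import urllib.request

FMC_HOST = "192.168.X4.24"  # lab address: replace X with your pod number before running
GLOBAL_DOMAIN = "e276abec-e0f2-11e3-8169-6d9ed49b625f"  # domain UUID from the lab's API Explorer URL


def basic_auth_header(username, password):
    """Authorization header for the token request (HTTP Basic)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def device_records_url(host, domain_uuid):
    return f"https://{host}/api/fmc_config/v1/domain/{domain_uuid}/devices/devicerecords"


def parse_device_records(body):
    """Return {device name: uuid} from a devicerecords response body (JSON text or bytes)."""
    doc = json.loads(body)
    return {item["name"]: item["id"] for item in doc.get("items", [])}


def tls_context(verify_tls):
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: the FMC presents a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fmc_login(host, username, password, verify_tls=False):
    """POST generatetoken; return (X-auth-access-token, DOMAIN_UUID, ssl context)."""
    ctx = tls_context(verify_tls)
    req = urllib.request.Request(
        f"https://{host}/api/fmc_platform/v1/auth/generatetoken",
        method="POST",
        headers=basic_auth_header(username, password),
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"], ctx


def list_devices(host, token, domain_uuid, ctx):
    """GET devicerecords with the session token; return {name: uuid}."""
    req = urllib.request.Request(
        device_records_url(host, domain_uuid),
        headers={"X-auth-access-token": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_device_records(resp.read())


# Constructed sample body in the shape the API returns, for offline testing.
SAMPLE_DEVICERECORDS = json.dumps({
    "items": [
        {"id": "11111111-2222-3333-4444-555555555555", "type": "Device", "name": "vFTD"}
    ],
    "paging": {"count": 1, "offset": 0, "limit": 25, "pages": 1},
})

if __name__ == "__main__":
    token, domain, ctx = fmc_login(FMC_HOST, "admin", "C1sc0123")
    for name, uuid in list_devices(FMC_HOST, token, domain, ctx).items():
        print(name, uuid)
```

The token is sent as the X-auth-access-token header on every subsequent call; the Basic credentials are only used once, against generatetoken, which is why the two steps are separate functions.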
Step 8 On the Rules tab of the QoS policy editor, click Add Rule.
Step 9 For Name, enter BBC Rate Limit; for Apply QoS On, select Interfaces in Source Interface
Objects.
Step 12 Under Applications, search for BBC under Available Applications and click Add to Rule.
Step 13 Click OK.
Step 21 Under Disabled Columns, select QoS Policy, QoS Rule, QoS-Applied Interface, QoS-Dropped
Initiator Bytes, QoS-Dropped Initiator Packets, QoS-Dropped Responder Bytes and QoS-Dropped
Responder Packets, then scroll down and click Apply.
Step 22 You should see an event with the URL www.bbc.com and QoS Rule Rate Limiting
Applications.
Step 29 Go back to Devices > QoS and click the delete icon next to Rate Limiting Applications to
remove the QoS policy.
Step 30 Click OK to delete it.
Step 3 Click the SSL Policy 1 link next to SSL Policy: SSL Policy 1.
Step 4 Select None as the SSL policy to use for inspecting encrypted connections and click OK.
Step 5 Click Save at the top.
Step 6 Click Deploy at the top of the page.
Step 7 After the deployment completes, open Firefox on Inside PC-1 and run a Google search, for
example for "testing". Safe Search should be off.
Step 8 Back in the FMC GUI, go to Policies > Access Control > SSL to create an SSL policy.
Step 9 Click New Policy.
Step 10 Name the SSL policy SSL Policy for Safe Search.
Step 11 Optionally enter a description.
Step 12 Use Do not decrypt as the Default Action.
Step 13 Click Save.
Step 19 Click the Logging tab and enable Log at End of Connection.
Step 34 Check Enable Safe Search, then choose Block as the action for unsupported search engines.
Step 41 From the drop-down next to Time range to clear, choose Everything.
Step 42 Click the arrow next to Details and check every item in the list.
Step 44 After the Firefox history is cleared, reload the page already open in Firefox.
Step 45 Click I Understand the Risks > Add Exception.
Step 46 Uncheck Permanently store this exception.
Step 47 Click Confirm Security Exception. You should now see the search results with the Safe
Search feature turned on.
Note: If the ASAv CLI warns that the ASAv platform license state is Unlicensed, ignore it and
proceed.
Step 2 Enter enable mode; if prompted for a password, just press Enter.
ciscoasa> en
Password:
ciscoasa#
Step 3 Configure the Inside Interface and Outside Interface on the ASAv.
ASAv Gi0/0 (Outside) = 192.168.X.253/24 (Security Level of 0)
ASAv Gi0/1 (Inside) = 192.168.X7.1/24 (Security Level of 100)
ciscoasa# conf t
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 192.168.X.253 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
Repeat the same commands for GigabitEthernet0/1 with nameif inside, security-level 100 and ip address 192.168.X7.1 255.255.255.0.
Step 4 Enter the following command on ASAv console to enable ICMP inspection.
ciscoasa# conf t
Step 5 Use the show interface ip brief CLI command to verify the Gi0/0 and Gi0/1 interfaces.
Step 6 Configure the default route pointing to the 192.168.X.1 next hop.
ciscoasa# conf t
Step 7 Use the show route command to verify the default route and the inside, outside, and
dmz local interfaces.
From the ASAv CLI, ping the vFTD (192.168.X.254), Inside PC (192.168.X5.10), and the
Shared Switch (192.168.X.1).
Step 9 From Inside PC-1, try to ping 192.168.X7.10 (ASAv Inside PC). The ping should fail.
Step 10 Using the ASAv CLI, enable SSH and Cisco Adaptive Security Device Manager (Cisco
ASDM) access to the ASAv.
Enable the HTTP server on the ASAv.
ciscoasa# conf t
Add the “student” user in the LOCAL database with the “cisco” password and assign
a privilege level of 15 to the user.
Enable Cisco ASDM and SSH Authentication using the LOCAL user database.
ciscoasa(config)# write
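The ASAv commands behind Steps 4, 6, 10 and 11 (ICMP inspection, default route, HTTP server, local user and LOCAL authentication for ASDM and SSH), as an added example that is not part of the original lab guide. The 192.168.X.0/24 network on the http and ssh lines is an assumption: the guide only states that the Management PC reaches the ASAv at 192.168.X.253 on the outside interface, so substitute the subnet your Management PC actually sits on.

```cisco
ciscoasa# conf t
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.X.1
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.X.0 255.255.255.0 outside
ciscoasa(config)# username student password cisco privilege 15
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# crypto key generate rsa modulus 2048
ciscoasa(config)# ssh 192.168.X.0 255.255.255.0 outside
ciscoasa(config)# end
ciscoasa# write memory
ciscoasa# show route
ciscoasa# show running-config aaa
ciscoasa# show running-config http
```

Restricting the http and ssh lines to the management subnet, rather than 0.0.0.0 0.0.0.0, keeps ASDM and SSH unreachable from the rest of the outside network while the self-signed certificate is in use.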
Step 12 From the Management PC, open a browser window and navigate to the following URL:
https://192.168.X.253.
Step 13 Accept Security warnings.
Step 14 Click the Install ASDM launcher to access the ASAv (192.168.X.253).
Note: If the download bar displays “This type of file can harm your computer. Do you want to keep dm-launcher.msi anyway?”, click Keep to download the dm-launcher.msi file.
Step 17 Navigate to the Downloads folder and run the dm-launcher.msi file.
Step 21 If prompted to upgrade the Cisco ASDM launcher, click Upgrade Now and continue to
upgrade the Cisco ASDM launcher. Click Finish when the Cisco ASDM launcher upgrade
is done. The Cisco ASDM launcher should relaunch automatically.
Step 23 Select Continue for the Security warning because the ASAv is using a temporary self-
signed certificate for this lab. You should be able to establish a Cisco ASDM session to
the ASAv.
Step 24 In the ASAv license state: Unlicensed prompt, tick the Do not show this message again
check box and then click OK.
Step 5 Specify the hosts/networks that should be allowed to pass through the VPN tunnel. In
this step, you need to provide the Local Networks as 192.168.X7.0/24 and Remote
Networks as 192.168.X5.0/24 for the VPN Tunnel.
Step 6 Click Next when you are done.
Step 9 Check the Exempt ASA side host/network from address translation check box to
exempt the tunnel traffic from Network Address Translation. Choose inside from the
drop-down list to set the interface where the local network is reachable.
Step 10 Click Next.
Note: If a popup appears containing an error message like “error in sending command”, click Close
on the Error in sending command window and click Finish again.
Device : VFTD
Interface : outside
IP Address : 192.168.X.254
Step 9 Again click the add icon (+) in the Network Object window to add a network object.
Name : VFTDInsideNetwork
Network : 192.168.X5.0/24
Click Save.
Step 11 Choose VFTDInsideNetwork from Available Networks, and click Add or drag and drop
into the list of Selected Networks.
Step 12 Click OK.
Device : Extranet
Name : ciscoasa
IP Address : 192.168.X.253
Step 17 Again click the add icon (+) in the Network Object window to add a network object.
Name : ASAvInsideNetwork
Network : 192.168.X7.0/24
Click Save.
Step 19 Choose ASAvInsideNetwork from Available Networks, and click Add or drag and drop
into the list of Selected Networks.
Step 20 Click OK.
Choose DES_SHA-1 from Available Transform Sets, and click Add or drag and drop into
the list of Selected Transform Sets.
Click OK.
Step 29 If Block All Traffic is not a Default Action then click the Default action drop-down box
and select Access Control: Block All Traffic.
Step 30 Click Add Rule button.
Step 31 For Name, enter VPN, for Action, select Allow.
Step 32 Choose above rule 1 from the Insert drop-down. If the rule is not moved to the top it
will never be executed, because the default access rule permits everything.
Step 33 Under Network, choose VFTDInsideNetwork from Available Networks, and click Add
Source Networks.
Step 34 Choose ASAvInsideNetwork from Available Networks, and click Add Destination
Networks.
Step 35 Under Logging, check Log at Beginning of Connection and Log at End of Connection.
Activity Verification
Step 40 After the deployment is completed, from Inside PC-1, try to ping 192.168.X7.10 (ASAv
Inside PC). The ping should be successful.
Step 41 From Inside PC-1 open command prompt and type tracert 192.168.X7.10.
ciscoasa> en
Password: [Enter]
ciscoasa#
Step 48 On the ASAv console, enter show crypto isakmp sa to display all current IKE Security
Associations (SAs) at a peer.
Step 49 Enter show crypto ipsec sa to display all current IPsec SAs.
Step 51 Navigate back to ASDM and log in using student/cisco if logged out, then go to Monitoring >
VPN > VPN connection graphs > IPsec tunnels. Choose IPSec Active Tunnels and IKE
Active Tunnels from the Available Graphs window and add them to the Selected Graphs
window.
Step 52 Click Show Graphs.
Step 3 Click the Generate Report option at the right end of the Advanced Malware Risk report.
Step 5 Click on Generate. Your report will be generated and saved in the reports tab.
Step 6 Click on the reports tab to view your generated report.
Step 8 Return to the Report Templates tab in the FirePOWER GUI and click the Create Report Template button.
Name the report Connection Details Report.
Step 9 Click the Import Sections from Dashboard, Summaries and Workflow disk-shaped icon
on the far right of the screen.
Step 12 Leave the default output format as PDF and click Generate button.
Note: You can also view the generated reports by navigating to Overview > Reporting > Reports.
Step 16 For example, Connection by Initiator IP Report will show you the total connections
initiated based on initiator IP. You are free to explore the rest of the reports which can
be generated.
Note: The reports will be generated only for the events you have produced in the previous lab.
Activity Objective
Before Firepower Version 6.2.0, you have to create a realm and identity policy to perform user
control based on ISE Security Group Tag (SGT) data, even if you do not want to configure passive
authentication using ISE.
In Firepower Version 6.2.0, you no longer need to create a realm or identity policy to perform user
control based on ISE Security Group Tag (SGT) data. In this lab activity you will therefore perform user
control using SGT without a realm or identity policy.
Complete this lab activity to practice what you learned in the related module.
Activity Objective
In this activity, you will prepare, process, and install certificates on each Cisco ISE node. After
completing this activity, you will be able to meet these objectives:
Install CA certificate
Install a certificate
Activity Procedure
Step 1 On the Host PC, open a new tab in Firefox and navigate to
http://192.168.X4.100/certsrv. You should be prompted for credentials. Login with the
username administrator and the password tr@1n1ng@GK.
Step 4 Click Download CA Certificate and click Save File and OK.
Note: If the certificate files are not renamed each time they are saved, the file names will be
certnew.cer, certnew(2).cer, and certnew(3).cer.
Step 9 In Firefox, open the Cisco ISE node (https://192.168.X4.25) in a new tab and log in with the
credentials admin and C1sc0123.
Step 10 In the Cisco ISE Firefox tab, navigate to Administration > System > Certificates and click
Trusted Certificates.
Attribute Value
Step 16 Examine the page and the page options and navigate back to the Trusted Certificates
when finished.
You have completed this task when you attain this result:
You have successfully installed the CA server certificate in Cisco ISE node.
Activity Procedure
Complete these steps:
Step 1 In the ISE tab, navigate to Administration > System > Certificates > Certificate Signing
Requests and click Generate Certificate Signing Requests (CSR).
Attribute Value
Usage Admin
Digest to Sign With SHA-256 (Our Lab setup uses AD with Server 2008,
choose SHA-1 if your AD is Windows Server 2003)
Activity Verification
You have completed this task when you attain this result:
Activity Procedure
Complete these steps:
Step 1 Click the Firefox browser tab for http://192.168.X4.100/certsrv, and click the Home link
in the top right corner. Use the credentials Administrator and tr@1n1ng@GK if
prompted.
Step 7 Copy the entire contents of the CSR and paste it into the text box in the Saved Requests
section.
Activity Verification
You have completed this task when you attain this result:
You have successfully enrolled and downloaded the certificates for Cisco ISE node.
Activity Procedure
Step 2 Check the ISE#Admin check box and click Bind certificate.
Step 3 Fill out the Bind CA Signed Certificate according to the following table.
Attribute Value
Step 5 You will receive a notification that the system will restart, click Yes.
Caution The system will not wait for you to click OK to restart the services. Be careful not to
perform a certificate install on a system outside of the maintenance window.
Tip During this operation, the operating system will not restart. Only the Cisco ISE
application will restart.
Tip Depending upon your VM infrastructure, this operation could take between 5 and 15
minutes to complete.
This operation is an application server restart, not a system restart. To verify the
system uptime, login to the CLI via Console or SSH and issue the command show
uptime. You can monitor the status of the application server restart operation by
issuing the command show applications status ise. Once the operation is complete,
all Cisco ISE processes will be in the running state.
Step 6 After a while, log back into Cisco ISE by clicking the bookmark for ISE or refreshing the
screen. Use the credentials admin and C1sc0123 to login.
Activity Verification
You have completed this task when you attain this result:
Activity Objective
The ISE pxGrid node is configured for a Certificate Authority (CA) signed environment in a stand-
alone configuration. Initially, a “pxGrid” CSR request is generated from the ISE node and signed by
the CA server using the pxGrid customized template. The certificate will be bound to the initial ISE
CSR request.
The CA root certificate will be imported into the ISE certificate trusted store. The ISE identity
certificate will be exported in the ISE certificate system store. The ISE node will be enabled for
pxGrid operation.
Activity Procedure
Attribute Value
Usage pxgrid
In this task, you will process each Cisco ISE CSR on the CA.
Activity Procedure
Step 1 Click the Firefox browser tab for http://192.168.X4.100/certsrv. Use the credentials
Administrator and tr@1n1ng@GK if prompted.
Step 6 Navigate to Downloads Folder and open the ISEpxGrid.pem file in Wordpad.
Step 7 Copy the entire contents of the CSR and paste it into the text box in the Saved Request
section.
Step 14 Check the ISE#pxgrid check box and click Bind certificate.
Step 15 Fill out the Bind CA Signed Certificate according to the following table and click Submit.
Attribute Value
Note: This may take a few minutes; you can run “show application status ise” on the ISE CLI to see
that the pxGrid services are initializing, then running.
Note: You should also see that you have pxGrid connectivity in the lower left-hand corner. If it is not
connected, please wait 1 or 2 minutes and click Refresh.
Step 18 Click the Settings tab, enable Automatically approve new certificate based accounts
and click Save.
Step 19 Click Yes in the pop-up info dialog [Are you sure you want to save settings?]
Activity Procedure:
The Firepower Management Center (FMC) is configured for Certificate Authority (CA)-signed
operation. The FMC private key and CSR are created from the FMC console. The CA server signs the
CSR and provides the FMC identity certificate using the customized pxGrid template.
Both the FMC certificate and FMC key are uploaded into the FMC internal certs store. The CA root
certificate is uploaded into the FMC trusted CA store.
Step 1 SSH to the FMC CLI (192.168.X4.24) from SecureCRT using admin/C1sc0123.
Step 3 Generate a Firepower private key using the command given below; if it prompts for a
passphrase, use C1sc0123.
Note: If WinSCP is not installed on the Host PC, download WinSCP from
http://filehippo.com/download_winscp/. After the file is downloaded, navigate to
C:\Users\Administrator\Downloads and run WinSCP-5.9.4-Setup.exe.
Step 6 Use WinSCP and access the FMC using hostname 192.168.X4.24 with credentials
admin/C1sc0123.
Step 9 Open the firepower.csr request using WordPad and copy the content.
Step 10 Click the Firefox browser tab for http://sfua.gkapac.local/certsrv and use the credentials
Administrator and tr@1n1ng@GK if prompted.
Step 15 Copy the entire contents of the CSR and paste it into the text box in the Saved Request
section.
Step 25 Navigate to Downloads Folder and rename the file certnew as FMCCA.
Upload the CA root cert into the Firepower Management trusted CA store
Step 26 Access FMC (https://192.168.X4.24) from the browser. Use the credentials Admin and
C1sc0123 if prompted.
Step 33 Check Encrypted, enter the password (C1sc0123) in the optional password field,
then click Save.
iii. If the DNS record is not available for FMC or ISE then configure it.
Step 38 You should see the following on the ISE pxGrid node: navigate to ISE and select
Administration > pxGrid Services.
Step 40 From FMC navigate to Policies > Network Discovery and edit the rule by clicking the
pencil icon.
Activity Procedure
Complete the following steps:
Step 1 Access the ISE GUI: open the Internet Explorer browser, connect to
https://192.168.X6.25 and log in as user admin with the password C1sc0123.
Step 2 Create a local user named student with the password C1sc0123 in Cisco ISE:
Activity Procedure
Step 1 In the Cisco ISE GUI, configure a Network Device Group named HQ as a child to the
default Network
Step 2 Create a Network Device Group named Wired as a child to the default Network Device.
Activity Procedure
Complete the following steps:
Sharedswitch#conf t
Sharedswitch(config)#aaa new-model
Step 3 Enabling AAA globally changes the authentication behavior on the console and the VTY
lines. Set the enable secret to cisco and set the default authentication method for logins
to use the enable secret.
Step 4 On the switch, configure the global AAA settings required for proper 802.1X operation:
a. Define the default method for authentication of 802.1X access requests, specifying the group
ISE-RADIUS as the AAA server group.
b. Define the default method of authorizing network access sessions, specifying the group
ISE-RADIUS as the AAA server group.
c. Define the default method of accounting to be used for 802.1X sessions, specifying the group
ISE-RADIUS as the AAA server group.
Note: Expect the message %AAAA-4-SERVUNDEF: The server-group "ISE-RADIUS" is not defined.
Please define it. You will define this server-group in the next task.
Activity Procedure
Complete the following steps:
Step 1 Define the ISE appliance as a RADIUS server, include it in the AAA server group
ISE-RADIUS, and set the dead criteria for RADIUS servers.
Note: AAA server groups are a construct that allows different sets of servers to be specified for
different AAA applications. For example, one set can be used for 802.1X AAA and another set for
administrative access AAA. You are defining an AAA server group in this lab to prepare for a
workaround in a later lab. The explanation will become clear when it is time to implement the
workaround.
Step 2 Configure the additional RADIUS attributes that are required by ISE:
a. Include the RADIUS Service-Type attribute in the authentication requests.
b. Include the endpoint IP address in the Framed-IP-Address attribute in the
authentication requests.
c. Include the class attribute in RADIUS authentication requests.
Step 4 IP device tracking is required to allow the switch to learn endpoint IP addresses and
populate the Framed-IP-Address field in the RADIUS authentication requests. Enable IP
device tracking:
ip device tracking
Activity Procedure
Complete the following steps:
dot1x system-auth-control
Step 2 Configure the interface supporting the Employee-PC (GigabitEthernet2/0/1) for 802.1X
monitor mode:
a. Configure multiple authentication (multi-auth) mode.
b. Configure the interface of the Employee-PC for 802.1X open mode. Do not use any
local access lists.
c. Enable recurring re-authentication.
d. Allow the RADIUS server to specify the re-authentication interval.
e. Enable the 802.1X authenticator role on the port.
f. Set the 802.1X timeout for supplicant retries to 10 seconds.
g. Allow 802.1X authentication to control the port's status.
sharedswitch(config-if)#authentication open
sharedswitch(config-if)#authentication periodic
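The complete switch-side configuration for the global AAA task (Steps 3 and 4), the RADIUS server task (Steps 1, 2 and 4) and the port task (Steps 1 and 2, items a to g) above, as an added example that is not part of the original lab guide. The ISE address and RADIUS shared secret are placeholders, and the dead-criteria values (5 seconds, 3 tries) are assumed, because the guide does not state them.

```cisco
Sharedswitch# conf t
Sharedswitch(config)# aaa new-model
! Console and VTY logins now authenticate against the enable secret
Sharedswitch(config)# enable secret cisco
Sharedswitch(config)# aaa authentication login default enable
! 802.1X authentication, authorization and accounting through the ISE-RADIUS group
Sharedswitch(config)# aaa authentication dot1x default group ISE-RADIUS
Sharedswitch(config)# aaa authorization network default group ISE-RADIUS
Sharedswitch(config)# aaa accounting dot1x default start-stop group ISE-RADIUS
! ISE as a RADIUS server inside the ISE-RADIUS group; <ISE-IP> and <shared-secret>
! are placeholders and the dead-criteria values are assumed, not taken from the guide
Sharedswitch(config)# radius server ISE
Sharedswitch(config-radius-server)# address ipv4 <ISE-IP> auth-port 1812 acct-port 1813
Sharedswitch(config-radius-server)# key <shared-secret>
Sharedswitch(config-radius-server)# exit
Sharedswitch(config)# aaa group server radius ISE-RADIUS
Sharedswitch(config-sg-radius)# server name ISE
Sharedswitch(config-sg-radius)# exit
Sharedswitch(config)# radius-server dead-criteria time 5 tries 3
! Attributes ISE expects: Service-Type (6), Framed-IP-Address (8), Class (25)
Sharedswitch(config)# radius-server attribute 6 on-for-login-auth
Sharedswitch(config)# radius-server attribute 8 include-in-access-req
Sharedswitch(config)# radius-server attribute 25 access-request include
! IP device tracking supplies the endpoint address carried in Framed-IP-Address
Sharedswitch(config)# ip device tracking
Sharedswitch(config)# dot1x system-auth-control
! Employee-PC port in 802.1X monitor mode (items a to g)
Sharedswitch(config)# interface GigabitEthernet2/0/1
Sharedswitch(config-if)# authentication host-mode multi-auth
Sharedswitch(config-if)# authentication open
Sharedswitch(config-if)# authentication periodic
Sharedswitch(config-if)# authentication timer reauthenticate server
Sharedswitch(config-if)# dot1x pae authenticator
Sharedswitch(config-if)# dot1x timeout tx-period 10
Sharedswitch(config-if)# authentication port-control auto
Sharedswitch(config-if)# end
Sharedswitch# show dot1x all
Sharedswitch# show authentication sessions interface GigabitEthernet2/0/1
```

Because authentication open is set, a missing or failing supplicant does not block traffic on the port; that is what makes this monitor mode, and the Authz Failed sessions you observe in the verification steps confirm that the port is reporting rather than enforcing.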
Activity Verification
You have completed this task when you verify the 802.1X configuration on the switch using this
procedure:
Step 3 On the switch, view the overall 802.1X status using the show dot1x all command. You
should see that the system authentication control is enabled and the pae type on
interface GigabitEthernet 2/0/1 is set to authenticator.
Step 4 On the switch console, observe the failed access attempts through the interface
GigabitEthernet 0/2X. It may take 90 seconds before the messages are displayed. You
should see that the authentication fails because there is no supplicant and there is no
failover authentication method.
Step 5 On the switch, view the status of authentication sessions on the interface using the
show authentication sessions interface gigabitethernet 0/2X command. You should see
that the status is Authz Failed. Note that the endpoint IP address is defined because IP
device tracking is enabled. The IP address that you see may differ from the sample as the
address is assigned via DHCP.
Note: Please make sure you have a certificate enrolled from CA, and used by Admin, Portal and EAP
Authentication.
In this task you will define the HQ-SW as a TrustSec-aware NAD in the ISE. You will configure a
security group dedicated to the NADs, which will allocate an SGT to them. As a member of the
security group, the switch will be able to download the TrustSec data and join the TrustSec domain.
Activity Procedure
Complete the following steps:
c. Check the SNMP Settings checkbox and verify or modify the Polling Interval to 600
seconds. Change the Originating Policy Services Node to ISE. Select 2c as SNMP
version. Enter the SNMP RO Community ciscoro and leave all other settings at their
default values.
In this task, you will configure the HQ-SW as a member of the CTS domain. Requirements include the
setting of the PAC secret and the CTS credentials. Once configuration is complete, the switch will
automatically authenticate and retrieve the CTS environment data and CTS policy.
Activity Procedure
Complete the following steps:
Sharedswitch#conf t
Step 2 Define ISE as a RADIUS server named ISE-PAC, using ports 1645 and 1646 for
authentication and accounting. Also specify radius-key as the PAC key for this server.
Step 3 Configure the switch for Cisco TrustSec (CTS) network authorization:
a. Create a network authorization list named cts-author-list that uses the ISE-CTS
group. A
Note: Although ISE is the only RADIUS server in the lab topology, you defined two AAA server groups
and added ISE to each of the groups. You used different authentication and authorization ports to
allow the switch to accept this duplication. The reason for this effort is a workaround for an issue on
the Catalyst 3000 platform and ISE with the versions used in this lab. When a switch is provisioned with a
PAC, ISE expects all RADIUS messages, including accounting messages, to be authenticated using the
PAC. The switch, however, will continue to use the RADIUS key to authenticate accounting messages,
leading to dropped accounting requests. This effort is not required on other switch platforms.
Activity Verification
c. In the ISE GUI, after about two minutes you will see notifications of CTS data
download.
d. Examine the details. You should see a RADIUS request from 'CTSREQUEST' with Cisco
AV pair cts-pac-opaque.
Note: There are several things to note in the output. The update was successful. The SGT applied to
the local device is indeed number 2 with the name NAD. The CTS server list was downloaded from
ISE. The update timer settings were also downloaded from ISE and the timers will expire and data
will be refreshed in just under one day.
Note: If you want to repeat the process, you may have to clear the CTS settings. You can use the
commands clear cts credentials, clear cts environment-data, and clear cts pac all.
Activity Procedure
Complete the following steps:
Step 1 Create a new security group for the IT users.
a. Go to Work Centers > TrustSec > Components > Security Groups.
b. Click Add to create a device group. Name it Amy. Click Submit.
Step 2 In the Cisco ISE GUI, navigate to Administration > Identity Management > External
Identity Sources and click Active Directory in the left pane.
Step 3 Click Add to Join Cisco ISE to the Active Directory:
a. In the Active Directory Domain field enter gkapac.local. Enter Join Point Name as
AD1 and click Submit at the bottom.
e. Click Close.
Note: You are retrieving groups that you will match when authorizing the clients.
c. Leave the filter as simply an *, and click Retrieve Groups.
Step 5 Click Administration > Identity Management > Identity Source Sequences and click
Add.
Name: ADstore
Uncheck Select Certificate Based Authentication profile.
Move all the Available Search list sources to Selected area.
IMPORTANT Note: Sequence it in the order as shown in the screenshot.
Selected:
• AD1
• Internal Users
• Internal Endpoints
• Guest Users
• All_AD_Join_Points
Click Submit.
Step 4 If Block All Traffic is not the Default Action, click the Default action drop-down box and
select Access Control: Block All Traffic.
Step 5 Click the paper-like Logging icon.
Step 6 Make sure check box next to Log at Beginning of Connection is enabled and click OK.
Step 7 Navigate to HTTP Responses tab and make sure System-provided is selected for both
Block Response Page and Interactive Block Response Page options.
Note: The Block Response Page is displayed when a user tries to access a prohibited HTTP
request. The Interactive Block Response Page also displays a blocked page, but only to warn the user;
it does not completely block the site. The user can continue by clicking the button on the page or
by refreshing the page. You can choose the Custom option if you wish to only warn the user or change the
text displayed to the user.
Step 8 Now, click on the Rules tab.
Step 9 Click Add Rule button.
Step 10 For Name, enter Block Games for Amy, for Action, select Block.
Step 11 Click Insert and keep it as above rule 1. If the rule is not moved to the top it will
never be executed, because the default access rule permits everything.
Step 12 Under URLs, select Games with any reputation.
Step 23 Navigate to Deployments bar on top to view the Deployment Progress status.
Activity Procedure
Complete the following steps:
Step 1 On the Inside PC-1, disable the native Windows 802.1X supplicant:
1. Right-click the Network icon in the system tray. Select Open Network and Sharing
Center.
2. Click Change adapter settings. This navigates you to the Network Connections list.
3. Double-click Local Area Connection. Click Properties, select the Authentication tab.
4. Clear the Enable IEEE 802.1X authentication checkbox. Click OK and Close.
Note: If the Authentication tab is missing from Local Area Connection, skip step 1.
3. After the installation finishes, restart Inside PC-1 for the changes to take effect.
Media : Wired
Security : 802.1X
802.1X Configuration
Password : PEAP
6. Click OK.
7. Click Manage Networks, open VPN Preferences and uncheck Block connections to
untrusted servers.
Step 3 Enter shut and then no shut on the switch port G0/2X to trigger the Cisco AnyConnect
popup.
Step 4 In the Cisco AnyConnect Secure Mobility Client, using the Test NIC, log on as gkapac\amy with
the password tr@1n1ng@GK. In the Cisco ISE GUI, verify the authentication result and the
authorization profile applied to the session.
Step 6 Navigate to Operations > Live Logs; you should see a successful access attempt by user
amy.
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
(priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
SGT Value: 16