SECVFTD v25 – Securing Enterprise Networks with Cisco Firepower Threat Defense Virtual appliance

[Lab Guide]

SECVFTD v25 Lab Guide


Contents
Accessing the Lab ................................................................................................................. 4
Visual Objective .................................................................................................................. 13
Job Aids .............................................................................................................................. 14
Credentials (X=POD number) ....................................................................................................... 14
Lab 1: Configuring the FTD module and FirePOWER Management Center ......................... 15
Task 1: Adding firePOWER management center in FTD ................................................................ 15
Task 2: Adding device to firePOWER management center ........................................................... 16
Task 3: Verifying licenses on firePOWER management center ...................................................... 19
Task 4: Verifying registration of FTD Sensor to firePOWER management center .......................... 19
Task 5: Enabling VMware-tools in FirePOWER management center ............................................. 20
Task 6: Configuring the interfaces and routes to the FirePOWER threat defense using the FirePOWER Management center ..................... 20
Task 7: Applying policies to firePOWER management center and firePOWER Threat defense sensor ..................... 26
Lab 2: Configuring File, IPS and Access Control Policy ........................................................ 31
Task 1: Configuring File Policy...................................................................................................... 31
Task 2: Configuring IPS Policy ...................................................................................................... 32
Task 3: Configuring Intrusion Control Policy................................................................................. 33
Lab 3: Test Basic ASA firePOWER Malware Protection ....................................................... 37
Task 1: Block malware site using the firePOWER malware protection .......................................... 37
Task 2: Block malware file using file transfer protocol ................................................................. 39
Lab 4: Test firePOWER Network Discovery Feature............................................................ 44
Task 1: View basic network discovery of firepower ...................................................................... 44
Task 2: Test basic network discovery of firepower ....................................................................... 49
Lab 5: Test Basic firePOWER IPS Operation ........................................................................ 50
Task 1: Creating an intrusion attack to test the firepower IPS operation. ..................................... 50
Lab 6: Configure and Test Access Control Policy ................................................................. 58
Task 1: Configuring Access Policy to block access to gaming site .................................................. 58
Task 2: Testing Access Policy to block access to gaming site......................................................... 61
Task 3: Create Access Rule to block windows update ................................................................... 62
Task 4: Testing Access Policy to block windows update................................................................ 63
Task 5: Including IPS Policy in Intrusion Prevention Policy ............................................................ 64

Task 6: Configuring Access Policy for Blocking Facebook (AVC Feature) ....................................... 66
Lab 7: Integrating Microsoft Active Directory with firePOWER .......................................... 68
Task 1: Configure the Firepower Management Center to connect to the Active Directory ........... 68
Task 2: Configure the Firepower Management Center to connect to the SourceFire User Agent. . 73
Task 3: Configure Identity Policy .................................................................................................. 76
Task 4: Configure User Based Access Control Policy Rules ............................................................ 78
Lab 8: Configuring Basic Custom Application Detector ....................................................... 88
Lab 9: Configuring DNS Policy ............................................................................................. 95
Lab 10: Configuring SSL Policy .......................................................................................... 101
Lab 11: Tuning Your HTTP _Inspect Pre-processor............................................................ 116
Lab 12: Creating A Correlation Policy and Working with Connection Data and Traffic Profiles ..................... 122
Lab 13: Analysing Events Using Context Explorer ............................................................. 127
Lab 14: Creating User Accounts and Configuring UI Timeout Value ................................. 129
Lab 15: Testing Exempt vs. Non-exempt Users ................................................................ 132
Lab 16: Escalating Permissions ......................................................................................... 135
Lab 17: Creating Objects and Variable set. ....................................................................... 141
Task 1: To Create Objects .......................................................................................................... 141
Lab 18: Creating New Variable Set................................................................................... 143
Lab 19: Examine Others Firepower v6.2 Features ............................................................ 145
User-Based Indication of Compromise ..................................................................................... 147
Packet Capture ...................................................................................................................... 148
Packet Tracer ......................................................................................................................... 150
URL Lookup............................................................................................................................ 151
Rest API ................................................................................................................................. 153
Lab 20: Configuring Rate limiting...................................................................................... 158
Lab 21: Enabling Safe search feature ................................................................................ 163
Lab 22: Configuring site to site VPN.................................................................................. 169
Task 1: Set Up and Test the ASAv ............................................................................................... 169
Task 2: Configuring ASAv Site-to-site VPNs ............................................................................... 177
Task 3: Configuring Firepower Threat Defense Site-to-site VPNs................................................ 181
Activity Verification ................................................................................................................... 191
Lab 23: Reporting ............................................................................................................. 197

Appendix .......................................................................................................................... 205
ISE and SGT tags without Identity .................................................................................... 205
Lab 1: Certificate Operations ..................................................................................................... 205
Task 1: Install a CA Certificate ................................................................................................ 205
Task 2: Generate a CSR .......................................................................................................... 208
Task 3: Enroll Cisco ISE with an External CA ............................................................................ 210
Task 4: Install a Certificate ..................................................................................................... 211
Lab 2: Pxgrid with Rapid Threat Containment ............................................................................ 214
Task 1: Generate a CSR for Pxgrid .......................................................................................... 214
Task 2: Enroll Cisco ISE with an External CA ............................................................................ 216
Task 3: Configuring Firepower Management Center 6.2 ......................................................... 220
Lab 3: Bootstrap Identity System ............................................................................................... 230
Task 1: Create local user student ........................................................................................... 230
Task 2: Define the switch as a NAD in Cisco ISE ...................................................................... 231
Task 3: Configure AAA Settings on Switch .............................................................................. 233
Task 4: Configure RADIUS Settings on Switch ......................................................................... 234
Task 5: Configure Switch for 802.1X Monitor Mode ............................................................... 236
Lab 4: Implement Cisco TrustSec ............................................................................................... 240
Task 1: Prepare ISE for TrustSec communication with the Inside-SW...................................... 240
Task 2: Configure the Switch to Act as SGA Device ................................................................. 242
Task 3: Implement Authorization ........................................................................................... 247
Lab 5: Configuring Access control policy on FMC to block Amy SGT tag ...................................... 255
Lab 6: Deploy AnyConnect Supplicant........................................................................................ 258
Lab 7: Testing ISE and SGT tags without Identity feature ........................................................... 264

Accessing the Lab
Step 1. To access the HTML5 web interface, the browser must support HTML5. Supported versions:
- Firefox (version 51 and above)
- Chrome (version 57 and above)
- Edge (version 40 and above)
Step 2. To access the web interface, launch a browser and browse to
https://vlab(X).trainocate.com (X may vary based on 1, 2 or 3. Check with the trainer
for the exact link).

Step 3. Login to the portal using the credentials provided by the trainer. After successful login,
you will be able to access your POD.
Step 4. To exit the connection, use Ctrl+Alt+Shift (for Mac, if you do not have a Ctrl key, use fn+Cmd+Alt+Shift), click the POD name and select Logout.

Step 5. To copy and paste, use Ctrl+Alt+Shift to open the clipboard, and use the same keys to close the clipboard window (for Mac, if you do not have a Ctrl key, use fn+Cmd+Alt+Shift).

Step 6. To share the screen use Ctrl+Alt+Shift, from the top left, click over share and select the
connection name.

Step 7. Copy the generated link and share it with trainer via any communication medium
(Skype or Email).

Step 8. If the connection is lost or has expired, generate a new share link; the old link will have expired.
Step 9. To avoid using the scroll bar and get a better view of the POD screen, go to your browser settings and select the full-screen option. Then right-click on the screen and select Reload, or use F5 (Fn+F5), to refresh the browser so that full screen takes effect.
- Chrome: Reload
- Firefox & Edge: use F5 (Fn+F5) or hover the cursor at the top of the browser and click the refresh icon.

Step 10. If your lab requires testing audio or video, right-click the audio or video icon at the bottom right of the workstation tray, select Disconnect and then click Connect to establish the connection.

Note: If your audio or video is not working properly, repeat the above step in order to reconnect audio or video.

Step 11. While using Audio, make sure to allow the microphone when it prompts from the
browser.
Step 12. To allow camera and microphone, configure the site settings in HTML5 browser as per
below.

Chrome:

1) On the URL bar, click the LOCK icon just before the URL and click Site settings.

2) Select Allow for Camera, Microphone and Notification from the drop-down menu.

3) Once the changes are made, reload the page manually or click reload when prompted.

Firefox:

1) On the URL bar, click the LOCK icon just before the URL and click Show Connection
details icon as highlighted below and click More Information in the pop-up.

2) In the page Info pop-up window, go to Permissions tab. Scroll down and under Use the
Camera and Use the Microphone, uncheck the Use Default checkbox and select Allow
for both camera and microphone.

3) Close the pop-up window and right-click in the HTML5 webpage and click Reload icon.

Edge:

1) Go to Start from your PC or laptop and click Settings icon.

2) Click Privacy in the settings window.

3) On the left-pane, select Camera under App Permissions.

4) Under Choose which apps can access your camera, check whether Microsoft Edge is enabled (On).

5) Repeat the steps 3-4 for Microphone.

6) Go back to https://vlab(X).trainocate.com and click Reload.

Visual Objective
The figure illustrates what you will accomplish in this activity.

Firepower Software
- FirePOWER Threat Defense Virtual v6.2.3.4
- FirePOWER Management Center v6.2.3.4

PLEASE READ THE FOLLOWING BEFORE PROCEEDING TO THE LAB EXERCISE!!!


1) Screenshots used in this lab guide are examples only. The values and entries may not be the same in real-time configurations.
2) To stop a ping in Linux, press Ctrl+C.
3) Under Health Monitor in the FMC, if you see an error stating "Interface is not receiving any packets", you may ignore it; it does not affect FMC performance.
4) If you see an AMP for Networks Status "Cannot Connect to Cloud" warning under Health Monitor in the FMC, it may affect the labs because of unstable connectivity to the AMP cloud. In that case, do the following:
   1. In the FMC GUI, navigate to System → Integration.
   2. Check the check boxes next to Share URI from Malware Events with Cisco and Use Legacy Port 32137 for AMP for Networks.
   3. Click Save.
   4. After 10-15 minutes, repeat the labs.

Job Aids

Credentials (X=POD number)

Virtual machine                             IP Address          Username                  Password
Inside PC-1 [Win-7]                         192.168.X5.10/24    gkapac\administrator      tr@1n1ng@GK
Inside PC-2 [Win-XP]                        192.168.X5.12/24    Administrator             tr@1n1ng@Gk
vFTD Inside                                 192.168.X5.1
vFTD Outside                                192.168.X.254
FirePOWER Threat Defense Virtual 6.2.3.4    192.168.X4.23       admin                     password
FirePOWER Management Center 6.2.3.4         192.168.X4.24       admin                     C1sc0123
AD Server                                   192.168.X4.100      administrator             tr@1n1ng@GK
Attacker PC - Linux                         192.168.200.34      root                      password
ASAv Inside PC [Win-7]                      192.168.X7.10/24    ADMIN-PC\administrator    tr@1n1ng@GK
Lab 1: Configuring the FTD module and FirePOWER Management Center

Task 1: Adding firePOWER management center in FTD


Step 1 In the RDP Host PC, navigate to CLI of FTD in VMware Workstation.

Note: "<X>" is your pod number (e.g. "1" for pod 1, "8" for pod 8). Make sure you access only your own vFTD. For example, a POD 1 student accesses only the vFTD of POD 1.

Step 2 This vFTD must be managed by a Management Center. A unique alphanumeric registration key is always required. In most cases, to register a sensor to a Management Center, you must provide the hostname or the IP address along with the registration key:

    configure manager add [hostname | ip address] [registration key]


Step 3 Later, in the FirePOWER Management Center web interface, you must use the same registration key that was entered on the sensor when you add the sensor to the Management Center.

Step 4 Enter the following command. If a license prompt appears, answer yes and proceed.

> configure manager add 192.168.X4.24 firePOWER
If you enabled any feature licenses, you must disable them in the
firepower device manager before deleting the local manager.
Otherwise, those licenses remain assigned to the device in Cisco
smart software manager.
Do you want to continue[yes/no]:yes
Manager successfully configured.
Please make note of reg_key as this will be required while adding
Device in FMC.

> show managers
Host : 192.168.X4.24
Registration Key : ****
Registration : pending
RPC Status :

Note: The registration key is firePOWER; the CLI displays it masked.

Task 2: Adding device to firePOWER management center


Step 1 In the RDP Host PC, log in to the Cisco firePOWER management center at https://192.168.X4.24/ (X=Pod number) using the credentials admin/C1sc0123 (username/password).

Step 2 If the browser warns that the connection is not private, click Advanced and then Proceed to 192.168.X4.24 (unsafe).

Step 3 Navigate to Devices > Device Management and click the Add > Add Device button on the right.

Step 4 The Add Device page appears. Enter/select the following:

Host - 192.168.X4.23 (X=Pod Number)
Display Name - VFTD
Registration Key - firePOWER
Group - None
Access Control Policy - Click on 'Create new policy' and enter:
    Name - Default Intrusion Prevention
    Description - None
    Select Base Policy - None
    Default Action - Intrusion Prevention, then click Save.
Smart Licensing - Check Malware, Threat and URL Filtering.
Others - Leave at default

Step 5 Click Register and wait for the device to register with the FMC; this may take a moment.

Step 6 After registration completes, in the FMC GUI navigate to Devices > Device Management and ensure that the Access Control Policy column shows Default Intrusion Prevention.

Note: If the Access Control Policy is not displayed as Default Intrusion Prevention, refresh the page after 5 minutes.

Task 3: Verifying licenses on firePOWER management center
Step 1 Navigate to System > Licenses > Smart Licenses to verify the installed licenses. All required licenses will already be installed.

Task 4: Verifying registration of FTD Sensor to firePOWER management center
Step 1 From the Virtual FirePOWER Threat Defense (vFTD) CLI, run the following command; the registration should now show as completed.

> show managers
Type : Manager
Host : 192.168.X4.24 (X=Pod Number)
Registration : Completed
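The registration check in Task 1 and Task 4 can be automated across pods. The following Python script, added here as an example and not part of the lab guide or of Cisco's tooling, parses the text of show managers and reports whether the sensor is registered to the expected FMC; the two sample outputs are constructed from the lines shown above with pod number 1.

```python
"""Parse the output of the Firepower Threat Defense CLI command
'show managers' and decide whether the sensor is registered to the
expected Management Center. Added example; not part of the lab guide
or of Cisco's tooling. The sample outputs below are constructed from
the lines shown in the lab (pending vs. Completed), using pod 1."""
import re
from dataclasses import dataclass

# Constructed sample: output right after 'configure manager add'
# (registration still pending on the FMC side).
SHOW_MANAGERS_PENDING = """\
Host : 192.168.14.24
Registration Key : ****
Registration : pending
RPC Status :
"""

# Constructed sample: output after the device was added in the FMC GUI.
SHOW_MANAGERS_DONE = """\
Type : Manager
Host : 192.168.14.24
Registration : Completed
"""


@dataclass
class ManagerStatus:
    host: str
    registration: str   # lower-cased state, e.g. "pending" / "completed"
    key_masked: bool    # True when the key is absent or shown as asterisks


def parse_show_managers(text: str) -> ManagerStatus:
    """Turn the 'Key : Value' lines of show managers into a ManagerStatus."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    key = fields.get("registration key", "")
    return ManagerStatus(
        host=fields.get("host", ""),
        registration=fields.get("registration", "").lower(),
        # The CLI never prints the key in clear; anything other than
        # asterisks (or no key line at all) would be worth a closer look.
        key_masked=(key == "" or set(key) == {"*"}),
    )


def registration_ok(text: str, expected_fmc: str) -> tuple[bool, str]:
    """Return (ok, reason). ok only when the sensor points at the FMC we
    configured and the registration state is Completed."""
    st = parse_show_managers(text)
    if st.host != expected_fmc:
        return False, f"sensor points at {st.host!r}, expected {expected_fmc!r}"
    if st.registration != "completed":
        return False, f"registration state is {st.registration!r}"
    return True, "registered to expected manager"


if __name__ == "__main__":
    for sample in (SHOW_MANAGERS_PENDING, SHOW_MANAGERS_DONE):
        print(registration_ok(sample, "192.168.14.24"))
```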

Task 5: Enabling VMware Tools in FirePOWER Management Center
Step 1 Log in to the GUI of the Firepower Management Center (https://192.168.X4.24) using admin/C1sc0123.

Step 2 To enable VMware Tools in the FMC, navigate to System > Configuration; the VMware Tools option is at the bottom left of the screen.

Step 3 Check the box next to Enable VMware Tools and click Save.

Step 4 Ensure that the health status of the FMC is normal. A green tick icon indicates that the FMC health status is normal.

Note: Under Health Monitor in the FMC, if you see an error stating "Interface is not receiving any packets", you may ignore it; it does not affect FMC performance.

Task 6: Configuring the interfaces and routes to the FirePOWER threat defense using the FirePOWER Management center
Step 1 From the GUI of the FMC, navigate to Devices > Device Management.

Step 2 Click the edit icon for VFTD and go to the Interfaces tab. All interfaces except Management 0/0 are listed. Assign the following IP addresses to those interfaces:

Interface             Name      Security Zone    IP Address
GigabitEthernet 0/0   Inside    INSIDE           192.168.X5.1/24
GigabitEthernet 0/1   Outside   OUTSIDE          192.168.X.254/24

Step 3 Click the edit icon on GigabitEthernet 0/0 to configure the IP address and security zone:

MODE : None
NAME : Inside
Enabled : checked
SECURITY ZONE : INSIDE (click New, enter the name INSIDE and click OK to create the zone)

On the IPv4 tab, set IP Type to Use Static IP, set the IP address to 192.168.X5.1/24 and click OK.

Step 4 Click the edit icon on GigabitEthernet 0/1 and assign the following parameters:

MODE : None
NAME : Outside
Enabled : checked
SECURITY ZONE : OUTSIDE (click New, enter the name OUTSIDE and click OK to create the zone)

On the IPv4 tab:
IP Type : Use Static IP
IP Address : 192.168.X.254/24

Click OK.

Step 5 After configuring the IP addresses, click Save and deploy the changes to the vFTD sensor (by clicking the Deploy button at the top right).

Step 6 After the deployment completes, reload the page and notice that the two interfaces are enabled, with a green light under the status of the interface.

Step 7 Now, from the Inside PC-1 ping its gateway IP 192.168.X5.1 and from the Attacker PC
ping its gateway IP 192.168.X.254. You should succeed.

Step 8 Navigate back to the FMC GUI: Devices > Device Management > edit VFTD > Routing.

Step 9 In the Routing tab, select Static Route in the left pane (listed after BGP). Click Add Route at the top right to add a route out of the outside interface, and enter the following:

TYPE : IPv4
INTERFACE : Outside
SELECTED NETWORK : any-ipv4 (move any-ipv4 from Available Network to Selected Network by selecting it and clicking Add)
GATEWAY : click the + symbol, add a gateway object named GatewayIP with network 192.168.X.1, click Save, then select GatewayIP

METRIC : 1

Leave the others at default and click OK.

Step 10 Click Save and Deploy the changes to the VFTD.

Step 11 After the deployment completes, try pinging 8.8.8.8 from Inside PC-1; it should succeed.

Task 7: Applying policies to firePOWER management center and firePOWER Threat defense sensor
Step 1 Open a browser (Google Chrome) on the Host PC, enter https://192.168.X4.24 and log in to the GUI of the firePOWER management center using the credentials admin/C1sc0123 (username/password).

Step 2 Navigate to System > Configuration > Time Synchronization.

Step 3 Select Enabled for Serve Time via NTP and select Via NTP from.

Step 4 Ensure that the NTP value is 192.168.X4.100 (X=Pod Number) and click Save at the top right corner.

Step 5 Navigate to System > Health > Policy.

Step 6 Select the Initial_Health_Policy and click the Edit button (pencil logo).

Step 7 Click on the option Time Synchronization Status and check whether enabled is ON and
then click Save Policy and Exit which is on the left side, bottom of the screen.

Step 8 Navigate to System > Health >Policy.

Step 9 Click the green check box (Apply Button) beside Initial_Health_Policy.

Step 10 Apply the policy to both firepower.gkapac.local (FMC) and vFTD: select both and click the Apply button.

Step 11 Wait a moment for the task to run. You can view the status of the task under the "!" icon next to System by selecting the Tasks tab.

Step 12 Navigate again to System > Health > Policy. You should see the policy applied to 2 appliances. If done correctly, your page should look like the image below.

Note: If the policy is not applied to 2 appliances, repeat steps 8, 9 and 10 until it is.

Verify URL Database download:

Step 1 Navigate to System > Integration > Cisco CSI to verify the URL Filtering update.

Step 2 You should see a recent date and time under Last URL Filtering Update.

Step 3 If a recent date and time is not displayed, click the Update Now button and wait at least 10 minutes for the recent date and time to appear.

Step 4 Click Save after it has updated.

Step 5 If the Update Now button is grayed out, uncheck and re-check the Enable URL Filtering option, then click Update Now.

Step 6 Wait 5 minutes and click Save after it has updated.

Step 7 If you still do not see a recent date and time, reboot the FMC once and check the URL filtering status again.

Step 8 To reboot the FMC, go to the CLI of the FMC, issue the command sudo reboot and enter the password C1sc0123.

Note: If an error pop-up appears in VMware Workstation, close the FMC VM tab using the cross icon and click the FMC VM in the left pane of the screen.

Lab 2: Configuring File, IPS and Access Control Policy

Task 1: Configuring File Policy


Step 1 Add a new file policy with a rule to block malware.

Step 2 In the FMC GUI, navigate to the Policies > Access Control > Malware & File page. Click New File Policy.

Step 3 Name the new file policy Block Malware. Entering a description for the policy is
optional. Click Save.

Step 4 Click Add Rule to add a new rule in the Block Malware policy.

Step 5 In this new rule, in the Action drop-down box, choose Block Malware.

Step 6 When you choose Block Malware action, Reset Connection is enabled by default.

Step 7 Check the Spero Analysis for MSEXE and Dynamic Analysis boxes.

Step 8 For File Type Categories, check all the different file types.

Step 9 For File Types, choose All types in Selected Categories, then click Add and click Save.

Step 10 Click on the Save button at the top right.

Task 2: Configuring IPS Policy


Step 1 In the FMC GUI, navigate to the Policies > Access Control > Intrusion page.

Step 2 If any other policies are already displayed under Intrusion, delete all of them, then click Create Policy.
Step 3 Name the new intrusion policy Initial Inline Policy - firepower3D.gkapac.local
Step 4 Entering a description for the policy is optional.
Step 5 Select the Drop when Inline check box to enable inline IPS operations.
Step 6 For the Base Policy, choose Security over Connectivity. Wait a few seconds for the change.
Step 7 Click Create Policy.

Step 8 After the IPS policy has been successfully added, navigate to the Policies > Access Control > Intrusion page again to refresh the page.

Task 3: Configuring Intrusion Control Policy


Step 1 To edit the Default Intrusion Prevention access control policy, navigate to the Policies > Access Control page.
Step 2 Click the edit icon to edit the Default Intrusion Prevention access control policy.
Step 3 Verify that Block All Traffic is the Default Action.

Step 4 If Block All Traffic is not the Default Action, click the Default Action drop-down box and select Access Control: Block All Traffic.
Step 5 Click OK if any warning pop-up appears.

Step 6 Click the Logging icon.

Step 7 Check the check box next to Log at Beginning of Connection to enable logging of the
connection events for traffic matching the default action.
Step 8 Click OK.
Note: You cannot log end-of-connection events for blocked traffic.
Step 9 Leave the default setting of only Send Connection Events to the Event Viewer.

Step 10 Click Add Rule to add a mandatory rule in the Default Intrusion Prevention access
control policy that will use the Block Malware file policy and the Initial Inline Policy -
firepower3D.gkapac.local intrusion policy.

Step 11 Name the new Access Control Policy rule as Access Policy Rule.
Step 12 This new Access Control Policy rule should use the default Allow action so that the
matching traffic can be inspected using an IPS policy and a File policy.
Step 13 Insert this access control policy rule into the Mandatory section.
Step 14 Click the Inspection tab.
Step 15 In the Intrusion Policy drop-down box, choose the Initial Inline Policy -
firepower3D.gkapac.local.
Step 16 In the Malware Policy drop-down box, choose Block Malware File Policy.

Step 17 Click the Logging tab and enable Log at Beginning of Connection and Log at End of
Connection. Associating a file policy with the rule automatically enables the Log Files
check box. Leave the Log Files box checked. Leave the default of sending the events to
the Event Viewer.

Step 18 Click Add.
Step 19 Click Save.

Step 20 Click Deploy to deploy the Access Control Policy to the vFTD sensor. Check the box next to VFTD and click Deploy.

Step 21 From the Policies > Access Control page, once the Access Control Policy has been applied to the vFTD, the status should state Up-to-date on all targeted devices.

Note: In the FMC GUI, navigate to Policies > Access Control > Access Control > Default Intrusion Prevention and confirm that the status shows Up to date on all targeted devices. If it is not up to date, click the Deploy button at the top to check whether any task is pending; if so, deploy it, or try refreshing the web page.

Lab 3: Test Basic ASA firePOWER Malware Protection

Task 1: Block malware site using the firePOWER malware protection


Step 1 From the Inside PC-1, browse to http://www.eicar.org/download/eicar.com

Note: The European Institute for Computer Antivirus Research (EICAR) developed the EICAR test file. This test file can be used to test the response of antivirus and antimalware programs. Browsing to http://www.eicar.org/download/eicar.com should trigger a malware block with reset connection and a corresponding malware event in the Firepower Management Center.

Step 2 You should not be able to access this web page.

Note: If http://www.eicar.org/download/eicar.com shows "This page isn't working" (HTTP 500), this is due to a technical issue on the website; try again after 10 minutes. If you get the same error, continue with the next task.

Step 3 From the FMC GUI, navigate to the Analysis > Files > Malware Events page. Click Table View of Malware Events.

Step 4 Your output should look similar to the one shown in the next screenshot. You should see
the Malware Block Action. The other connection information that is shown includes the
Time, Sending IP, and Port and Country, Receiving IP, and Port and Country, Event Type,
Detection Name, File Name, File SHA-256, Threat Score, File Type, Application Protocol,
and so on.

Step 5 Use the right arrow key to scroll to the right to locate the Detection Name. You should see EICAR.

Step 6 Examine the Network File Trajectory from the Firepower Management Center. Navigate to the Analysis > Files > Network File Trajectory page.
Step 7 You should see the eicar.com filename under the Recent Malware.

Step 8 Click the File SHA-256 of the eicar.com file.

Step 9 Your output should look similar to the one shown in the next screenshot. You should see
the eicar.com file was blocked during the attempted HTTP transfer.
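To confirm that the File SHA-256 shown in the malware event is the EICAR test file and not some other download, the following Python script, added here as an example and not part of the lab guide, rebuilds the published 68-byte EICAR test pattern and compares its SHA-256 with the value taken from the event.

```python
"""Reproduce the File SHA-256 that the FMC malware event shows for the
EICAR test file, so an analyst can confirm the event refers to the test
download from Lab 3 Task 1 and not to some other file. Added example,
not part of the lab guide. The EICAR string is the published 68-byte
test pattern; the expected hash is its well-known SHA-256."""
import hashlib

# The test string is assembled from two halves so that this source file
# does not itself contain the full 68-byte pattern that AV engines match.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
EICAR_BYTES = "".join(_EICAR_PARTS).encode("ascii")

# Published SHA-256 of the 68-byte EICAR test file (the value the FMC
# shows in the File SHA-256 column for a clean eicar.com download).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, as displayed by the FMC."""
    return hashlib.sha256(data).hexdigest()


def is_eicar(data: bytes) -> bool:
    """True when the payload hashes to the EICAR test file. The EICAR
    specification allows trailing whitespace, which would change the
    hash, so it is stripped before hashing."""
    return sha256_hex(data.rstrip(b" \r\n\t")) == EICAR_SHA256


def match_malware_event(event_sha256: str) -> str:
    """Classify the File SHA-256 column of an FMC malware event."""
    if event_sha256.strip().lower() == EICAR_SHA256:
        return "EICAR test file (expected from Lab 3 Task 1)"
    return "not the EICAR test file; investigate"


if __name__ == "__main__":
    print(len(EICAR_BYTES), sha256_hex(EICAR_BYTES))
    print(match_malware_event(EICAR_SHA256))
```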

Task 2: Block malware file using file transfer protocol


Step 1 In VMware Workstation, log in to the Attacker PC (Linux) using the credentials root/password.
Step 2 From the Attacker PC, launch a Terminal window.

Step 3 Check the status of the FTP service with the following command:

    service vsftpd status

Step 4 Make sure the FTP service is already running. If the service is inactive, enter the following command to restart it:

    service vsftpd restart

Step 5 Go to the Inside PC-1 (Win7). Try pinging the Attacker PC (192.168.X.34). It should be reachable.
Step 6 Then, using the web browser, try connecting to the Attacker PC over FTP (ftp://192.168.X.34/).
Step 7 If it prompts for login credentials, give the username and password of the Attacker PC (root/password).



Step 8 After you log in, you can see the files and folders shared by the Attacker PC. From that list,
try downloading the amptest1.pdf file.

Step 9 The download will fail, because you are trying to download a file that the FTD identifies as
malware over FTP.

Note: Sometimes the browser does not show the "Failed to load PDF document" message. The malware
event for the PDF file is still generated, as shown in the following steps.

Step 10 In the FMC GUI, navigate to Analysis > Files > Malware Events. A threat should appear with
the file type PDF in the list displayed.

Note: Reload (or refresh) the GUI web page once or twice to get the events updated.

Step 11 Click Table View of Malware Events.

Step 12 Navigate to Analysis > Files > Network File Trajectory. You should see the amptest1.pdf file
listed as malware under Recent Malware.

Step 13 Click the File SHA-256.

Step 14 You can also view those malware events under Analysis > Files > File Events.



Lab 4: Test firePOWER Network Discovery Feature

Task 1: View basic network discovery of firepower


In this lab task, you will examine the Firepower Network Discovery results.

Step 1 In the FMC GUI, navigate to Analysis > Hosts > Network Map to verify the network
discovery. Examine some of the discovered networks, hosts, and applications.

Step 2 Click Policies > Network Discovery and click the edit icon of the existing discovery rule.

Step 3 Check the Users check box and then click Save.

Step 4 Click Deploy.



Step 5 After the deployment is over, navigate back to Analysis > Hosts > Network Map to see the
hosts in the FMC GUI.

Step 6 Expand the 192 network and locate the 192.168.X5.10 host (Inside PC-1). Click the
192.168.X5.10 link to display the host profile.

Note: If the host (192.168.X5.10) is not displayed, run a continuous ping from 192.168.X5.10
(Inside PC-1) to 192.168.X4.24 (FMC) so that the sensor sees traffic from the host.



Step 7 The Host Profile is displayed in detail, including Indications of Compromise, the
operating system of the host, applications, and so on.

Note: If Indications of Compromise do not appear on the Host Profile at the first attempt, browse
again from Inside PC-1 to http://www.eicar.org/download/eicar.com to generate an indication of
compromise. Reload the page once or twice, then return to the FMC GUI and refresh the Host Profile
page to view the Indication of Compromise.

Step 8 In the example output that follows, the 192.168.X5.10 host is the lab Inside PC-1.



Step 9 Navigate to the Analysis > Hosts > Applications page.

Step 10 Click the down arrow next to one of the discovered applications (such as HTTPS) to get
more details.

Step 11 Navigate to the Analysis > Hosts > Hosts page.



Step 12 Click the down arrow next to the operating system vendor Microsoft to get more details. In
the example given below, there are multiple hosts running various Windows operating systems.

Step 13 Check one of the check boxes, then click View to see the information for all the Windows
hosts.



Task 2: Test basic network discovery of firepower

Step 1 Trigger some ICMP traffic from Inside PC-1 to the 192.168.X4.100 server (the AD, FTP and
web server).

Step 2 From Inside PC-1, ping 192.168.X4.100.

Step 3 Return to the Firepower Management Center GUI and navigate to the Analysis > Hosts >
Network Map page.

Step 4 In the search box, type 192.168.X4.100 to filter for this particular IP address. Expand the
192 network to choose the 192.168.X4.100 host.

Step 5 Examine the 192.168.X4.100 host profile.

Step 6 The operating system of the host should be shown as Windows, with ICMP/IP listed under the
host protocols.

Note: The operating system of the host may not appear at the first attempt. Reload the page once
or twice.



Lab 5: Test Basic firePOWER IPS Operation

Note: Ensure that the FMC health status is green before proceeding, or the test may fail. If it shows
that the vFTD is out of sync, make sure that the vFTD time is synchronized with the FMC date and
time. Enter the show time command on the sensor (vFTD); if the time differs greatly from the FMC,
set it to match the FMC date and time.

Task 1: Creating an intrusion attack to test the firepower IPS operation.


Step 1 From VMware Workstation, log in to the Attacker PC (Linux) using the credentials
root/password and then click Terminal on the left pane of the desktop.

Step 2 Ping 192.168.X5.12 (Inside PC-2) from the Attacker PC; it should be successful.

Step 3 Start the PostgreSQL and Metasploit services from the CLI.

To simulate attacks in the lab, use the Armitage tool on the Kali Linux Attacker PC. Armitage
uses the Metasploit Framework to launch the various attacks, and Metasploit uses PostgreSQL as
its backing database.

From the Attacker PC CLI, start the PostgreSQL and Metasploit database services using the following
commands:

root@root:~# service postgresql start

root@root:~# msfdb init

root@root:~# msfdb start

Step 4 Click Applications > Exploitation Tools > armitage to start the application.

Step 5 Leave the settings at their defaults and click the Connect button.

Step 6 Click the Yes button.



Step 7 Wait a few minutes for the Armitage GUI to appear.

Step 8 Once it finishes loading, click Hosts > Nmap Scan > Quick Scan (OS detect).

Step 9 Enter the IP address of Inside PC-2 (Windows XP), 192.168.X5.12. Click OK.

Step 10 Wait a few minutes for the scan to run. Once it finishes, Armitage should report the
discovered host; click OK.



Step 11 From the Armitage GUI, select Attacks > Find Attacks.

Step 12 Wait a few minutes until the attack analysis is completed.

Step 13 Click OK once it is done.

Step 14 Click Attacks > Hail Mary on the Armitage GUI.

Step 15 Click the Yes button to confirm. It will take a few minutes for the Hail Mary to run.

Step 16 Wait until the Hail Mary has finished before continuing to the next step. When the Hail
Mary has completed, the Hail Mary console displays the msf > prompt.

Step 17 Navigate back to the FMC browser window and go to Analysis > Intrusions > Events to view
the intrusion events.

Note: If you do not get any intrusion events because of the intrusion policy, delete the Initial Inline
Policy - firepower3D.gkapac.local, reconfigure it, and then attack the Windows XP host from the
Attacker PC again (follow Lab 2 Tasks 2 and 3, then Lab 5).

Step 18 Check the box next to any one of the events and click View at the bottom to see its
details.

Step 19 Check the box next to the event again and click View to see the detailed event
information.

Lab 6: Configure and Test Access Control Policy

Task 1: Configuring Access Policy to block access to gaming site


Step 1 Log in to the FMC GUI using the credentials admin/C1sc0123.

Step 2 Navigate to Policies > Access Control > Access Control.

Step 3 Click the Edit icon for the Default Intrusion Prevention policy.

Step 4 Navigate to the HTTP Responses tab and select System-provided for both the Block Response
Page and Interactive Block Response Page options.

Note: The Block Response Page is displayed when a user tries to access a prohibited HTTP resource.
The Interactive Block Response Page also displays a block page, but only as a warning: the user can
continue by clicking the button on the page or by refreshing it. Choose the Custom option if you want
to change the text displayed to the user.

Step 5 Click Save at the top.

Step 6 Now click the Rules tab.

Step 7 Click the Add Rule button at the top right corner.

Step 8 For Name, enter Block Games; for Action, select Block.

Step 9 Under URLs, select the Games category with any reputation.



Step 10 For Insert, choose above rule 1. Access control rules are evaluated top-down and the first
matching rule wins, so if the new rule is left below the existing rule that permits everything, it
will never be reached.

Step 11 Under Logging, select Log at Beginning of Connection and click the Add button.



Step 12 Click on Save and then select Deploy button to deploy the changes.

Step 13 Navigate to Deployments tab on top to view the Deployment Progress status. After it is
complete proceed with next task.
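The ordering point in Step 10 is easy to see with a small first-match evaluator. The following Python script is an added example written for this guide; it is not FMC code and simplifies the real engine to the conditions the lab rules use (URL category, application, destination network and user). "Rule 1" stands in for the pre-existing rule that the guide says permits everything; its real name is not given in the lab text, and the addresses are pod 1 values chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Connection:
    """The attributes of one flow that the rule conditions in this lab look at."""
    src_ip: str
    dst_ip: str
    url_category: Optional[str] = None  # from URL filtering, e.g. "Games"; None if lookup failed
    application: Optional[str] = None   # from application detection, e.g. "Windows Update"
    user: Optional[str] = None          # from the identity policy, e.g. "amy"; None if unmapped


@dataclass
class Rule:
    """One access control rule. An empty condition means 'any' for that field."""
    name: str
    action: str                          # "Allow" or "Block"
    url_categories: frozenset = frozenset()
    applications: frozenset = frozenset()
    dst_networks: tuple = ()             # CIDR strings
    users: frozenset = frozenset()
    log_begin: bool = False

    def matches(self, c: Connection) -> bool:
        # All populated conditions must hold (they are ANDed). An unknown
        # category, application or user never satisfies a populated condition,
        # so a Block-by-category rule lets a flow through until the category is known.
        if self.url_categories and c.url_category not in self.url_categories:
            return False
        if self.applications and c.application not in self.applications:
            return False
        if self.dst_networks and not any(
                ip_address(c.dst_ip) in ip_network(n) for n in self.dst_networks):
            return False
        if self.users and c.user not in self.users:
            return False
        return True


def evaluate(rules, default_action: str, conn: Connection):
    """First-match evaluation, top to bottom; falls through to the policy default action."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name, rule.action
    return "Default Action", default_action


# Rules from the lab. RULE_1 models the existing rule that permits everything.
RULE_1 = Rule("Rule 1", "Allow")
BLOCK_GAMES = Rule("Block Games", "Block", url_categories=frozenset({"Games"}), log_begin=True)
BLOCK_WU = Rule("Block Windows Update", "Block",
                applications=frozenset({"Windows Update"}), log_begin=True)

# Constructed flow: Inside PC-1 (pod 1) browsing to a site categorised as Games.
GAMES_FROM_PC1 = Connection("192.168.15.10", "203.0.113.20", url_category="Games")


def ordering_demo():
    """Same two rules in both orders: only the order with Block Games on top ever blocks."""
    below = evaluate([RULE_1, BLOCK_GAMES], "Allow", GAMES_FROM_PC1)
    above = evaluate([BLOCK_GAMES, RULE_1], "Allow", GAMES_FROM_PC1)
    return below, above


if __name__ == "__main__":
    print("Block Games below Rule 1 ->", ordering_demo()[0])
    print("Block Games above Rule 1 ->", ordering_demo()[1])
    # Lab 7 Task 4 later narrows Block Games to the user amy; the same flow
    # from the administrator then falls through to Rule 1.
    amy_only = Rule("Block Games", "Block", url_categories=frozenset({"Games"}),
                    users=frozenset({"amy"}))
    for user in ("administrator", "amy", None):
        c = Connection("192.168.15.10", "203.0.113.20", url_category="Games", user=user)
        print(f"user={user!r} ->", evaluate([amy_only, RULE_1], "Allow", c))
```

Note the unknown-category case: a flow whose URL category lookup fails does not match the Games condition and is allowed by Rule 1, which is why the connection events are worth checking after deployment rather than assuming the block works.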



Task 2: Testing Access Policy to block access to gaming site
Step 1 From Inside PC-1, browse to www.ea.com, your access will be denied.

Step 2 Try browsing to other non-games sites, it will be successful.

Step 3 Navigate to Analysis > Connections > Events.

Step 4 You should see an event with the Block action and the URL www.ea.com.

Note: Reload (or refresh) the GUI web page once or twice to get the events updated.



Task 3: Create Access Rule to block windows update

Step 1 Navigate to Policies > Access Control > Access Control. Click the Edit icon of the Default
Intrusion Prevention policy.

Step 2 Click the Add Rule button again to add another access rule.

Step 3 Add a rule to block Windows Update as follows.

Step 4 Name the rule Block Windows Update.

Step 5 Select Block from the Action drop-down list.

Step 6 At the top right of the screen, select Insert above Rule 1.

Step 7 Under Applications > Available Applications, search for Windows Update and click Add to
Rule.

Step 8 Click the Logging tab and tick Log at Beginning of Connection.


Step 9 Click Add button.



Step 10 Click Save button.
Step 11 Click Deploy at the top and select the device then click Deploy button.
Step 12 Navigate to Deployments bar on top to view the Deployment Progress status. After the
deployment is 100%, proceed with next tasks.

Task 4: Testing Access Policy to block windows update


Step 1 From Inside PC-1, click the windows button and search for Windows Update and click to
open Windows Update.

Step 2 Click Check for updates button and click Install Updates.

Step 3 The update check should fail.

Step 4 In the Firepower Management Center, navigate to Analysis > Connections > Events.

Step 5 You should see an event with the Block action and the application Windows Update.

Task 5: Including IPS Policy in Intrusion Prevention Policy

Step 1 Navigate to Policies > Access Control > Access Control.

Step 2 Edit the Default Intrusion Prevention policy.

Step 3 Click the Add Rule button.

Step 4 Enter the name IPS for AD,FTP and Web server.

Step 5 On the Networks tab, under Destination Networks, enter 192.168.X4.100, the IP address of
the AD, FTP and web server. Select Insert below rule 1 at the top right corner of the wizard.

Note: This rule applies intrusion inspection to traffic going to the AD, FTP and web server because
that server holds sensitive data.



Step 6 Click Inspection tab, select Security over Connectivity for Intrusion Policy.

Step 7 Click Logging tab, tick Log at End of Connection and click Add button.

Step 8 Click Save button.


Step 9 Click Deploy at the top and select the device then click on the Deploy button.
Step 10 Navigate to Deployments bar on top to view the Deployment Progress status.



Task 6: Configuring Access Policy for Blocking Facebook (AVC Feature)

Step 1 Navigate to Policies > Access Control > Access Control > Default Intrusion Prevention and
click the Edit button.

Step 2 Click the Add Rule button.

Step 3 Enter the following:

Name - Block Facebook

Action - Block

Step 4 Select Insert above rule 1.

Step 5 On the Applications tab, enter Facebook in the Available Applications search box and click
Add to Rule.

Step 6 On the Logging tab, tick Log at Beginning of Connection. Click Add.



Step 7 Click Save, then click Deploy at the top, select the device and click the Deploy button to
deploy the policy.

Step 8 After the deployment to the device is successful, go to the Windows 7 Inside PC-1, open a
web browser and navigate to https://www.facebook.com. You will not be able to access it.

Step 9 Navigate to Analysis > Connections > Events to view the block event.



Lab 7: Integrating Microsoft Active Directory with firePOWER

Task 1: Configure the Firepower Management Center to connect to the Active Directory

Step 1 In the FMC GUI, navigate to the System > Integration page. Click the Realms tab.

Step 2 Click the New Realm button. A realm is a logical group of directory servers of the same
type.

Step 3 Add the realm as follows:

• Name : Realm1

• Type : AD

• AD Primary Domain : gkapac.local

• Directory Username : Administrator@gkapac

• Directory Password : tr@1n1ng@GK

• Base DN : dc=gkapac,dc=local

• Group DN : dc=gkapac,dc=local

• Group Attribute : Member

Leave the other settings at their defaults and click OK.

Note: The lab binds with the domain Administrator account for simplicity. In production, use a
dedicated read-only service account for the directory bind; the FMC only needs to read users and
groups.



Step 4 From the Directory tab, click Add Directory to add the Active Directory server to the realm.

Step 5 Add the Active Directory server as follows:

• Hostname/IP Address : 192.168.X4.100

• Port : 389

• Encryption : None

Note: With Encryption set to None, the FMC binds to the directory over cleartext LDAP on port 389, so
the directory password crosses the network unprotected. This is acceptable in the isolated lab; in
production, use LDAPS (port 636) or STARTTLS and upload the CA certificate that signed the directory
server's certificate.



Step 6 Click Test to test the connection to the Active Directory server. The test should be
successful.

Step 7 Click OK twice.

Step 8 Click Save.

Step 9 Click the slider under State to enable the realm.

Step 10 To download the user and group information, click the edit icon to edit Realm1.

Step 11 On the User Download tab, check the Download users and groups check box.



Step 12 Select all the Available Groups by Right Click on any Available Groups tab and click
Select all.

Step 13 Click Add to Include.



Step 14 Click Save.
Step 15 Click the Download Now icon to start a manual download of the users and groups
information.

Step 16 Click Yes for the confirmation window.

Step 17 Click OK for acknowledgment window.



Step 18 From the Message Center Tasks tab, you should see the Download users/groups from
AD Realm1 message.

Task 2: Configure the Firepower Management Center to connect to the Sourcefire User Agent

Step 1 Navigate to the System > Integration page. Click the Identity Sources tab.

Step 2 Click User Agent (next to Identity Services Engine).

Step 3 Click New Agent to add the Sourcefire User Agent.

Step 4 Enter the IP address 192.168.X4.100. Click Add.



Step 5 Click Save.

Step 6 Log in to the AD server (Administrator/tr@1n1ng@GK) in VMware Workstation and locate the
Configure Sourcefire User Agent icon on the desktop. Double-click to open it.

Step 7 Examine the various menu tabs that are available in the Sourcefire User Agent GUI.

Step 8 Check the SFUA Service Status. It should be Running.

Step 9 Click the Active Directory Servers tab.

Step 10 Click the Add button.

Step 11 Enter the following, click Add and then click the Save button:

Server Name/IP Address - localhost (must be localhost when the SFUA is installed on the AD server)

Domain - gkapac.local

Authorized User - administrator

Password - tr@1n1ng@GK

Local Login IP Address - 192.168.X4.100 (X = Pod Number)

Process real-time events - checked

Note: When the Sourcefire User Agent is installed on the Active Directory server itself, as in your
lab, you must specify localhost as the Active Directory server address when adding the server in the
Sourcefire User Agent GUI.

Step 12 Wait for a moment and verify that the Polling Status is available.



Step 13 Click on Sourcefire DCs tab.
Step 14 Click Add button.
Step 15 Enter 192.168.X4.24 for the Server Name/IP Address field and click Add button.

Step 16 Click Save button.


Step 17 Check the Sourcefire Defense Center status. It should be available. If the Defense Center
status is stuck in the unknown state for more than 5 minutes, remove the Defense
Center in the SourceFire User Agent and then re-add it back.

Task 3: Configure Identity Policy

Step 1 Go back to the FMC GUI and navigate to the Policies > Access Control > Identity page.

Step 2 Click New Policy to create a new identity policy.

Step 3 Name the identity policy Identity Policy 1. Optionally, give it a description.

Step 4 Click Save.

Step 5 Click Add Rule to create a new rule in the identity policy.

Step 6 Name the rule Identity Policy Rule 1. The rule action should be Passive Authentication,
which uses the user-to-IP mappings reported by the Sourcefire User Agent.

Step 7 Select the Realm & Settings tab, then select Realm1 (AD) in the Realm drop-down list.

Step 8 Do not check the box Use active authentication if passive authentication cannot
identify user. Leave all other settings at their defaults.



Step 9 Click Add.
Step 10 Click Save.

Task 4: Configure User Based Access Control Policy Rules

Step 1 Navigate to Policies > Access Control > Access Control.

Step 2 Click the edit icon for Default Intrusion Prevention.

Step 3 Click the Advanced tab.

Step 4 To use user-based access control rules, an identity policy must be associated with the
access control policy.

Step 5 Click the pencil icon in Identity Policy Settings on the Advanced tab to associate the
identity policy with the access control policy.



Step 6 Select the Identity Policy 1 identity policy to apply to the access control policy.

Step 7 Click OK.

Step 8 Click Save.


Step 9 Now click the Rules tab and click the edit icon for the Block Games access control rule.



Step 10 Click the Users tab, select Realm1 under Available Realms, choose the user amy from the
available users, and click Add to Rule.

Step 11 Click the Move option at the top right and select Insert above rule 1.

Step 12 On the Logging tab, make sure that Log at Beginning of Connection is enabled, then click
Save.



Step 13 Click the Save button at the top of the page.

Step 14 Click the Deploy button, check the box next to the vFTD and deploy the changes.

Note: Wait until the deployment is fully completed.

Step 15 Try to browse to www.ea.com from Inside PC-1. Notice that the website is now accessible:
the Block Games rule matches only the user amy, and you are currently logged in as the
administrator.

Step 16 Now log out from the Administrator account and log in to Inside PC-1 as gkapac\amy with
the password tr@1n1ng@GK.

Step 17 Now try to browse to www.ea.com. The request will be blocked.



Step 18 Navigate to Analysis > Connections > Events to see the connection event.

Step 19 To see the Initiator User column, click Table View of Connection Events.

Step 20 Take note of the block event with the Initiator User amy.

Step 21 Now close all the tabs, log out from gkapac\amy and log back in with the
gkapac\administrator - tr@1n1ng@GK user account.



Note:

While logging in to Inside PC-1 (GKAPAC\administrator - tr@1n1ng@GK), you may get the error "The trust
relationship between this workstation and the primary domain failed".

To resolve this issue, remove the computer from the domain and then join it to the domain again:

1. Log in to the local administrator account ADMIN-PC\administrator - tr@1n1ng@GK.

2. Click the Start button.

3. Right-click Computer and select Properties.

4. Click the Advanced system settings link on the left-hand side.

5. When the advanced system settings open, switch to the Computer Name tab.

6. Click the Change button.

7. Under the Member of heading, select Workgroup, type the workgroup name ADMIN, and then
select OK.

8. Click OK on any popup that appears.

9. Click OK on the Welcome popup.

10. When you are prompted to restart the computer, select OK.

11. On the Computer Name tab, select Change again.

12. Under the Member of heading, select Domain, and then type the domain name gkapac.local.

13. Select OK, and then type the credentials administrator/tr@1n1ng@GK of an account that has
permission to join computers to the domain.

14. Click OK.

15. Click OK on the Welcome popup.

16. When you are prompted to restart the computer, select OK.

17. Restart Inside PC-1.

18. Now log in to Inside PC-1 using the credentials gkapac\administrator - tr@1n1ng@GK.

Lab 8: Configuring Basic Custom Application Detector
Step 1 If logged out, log in to the Firepower Management Center GUI (https://192.168.X4.24)
using admin/C1sc0123.

Step 2 Navigate to the Policies > Application Detectors page.

Step 3 Click Create Custom Detector at the top right of the display.

Step 4 Name of the custom detector: vtech

Step 5 Give it a description: test custom app detector

Step 6 For the Detector Type, use the default Basic type.

Step 7 Click Add next to Application Protocol to define the application protocol that will be
matched by this custom detector:

Name of the application : vtech-app

Description : Virginia Tech

Business Relevance : Low

Risk : Low

Click Add next to Categories and select government services.

Click OK.

Step 8 Click OK in the Application Editor window and, if the warning prompt appears, click Yes.



Step 9 Select the vtech-app as the Application Protocol for the vtech custom application
detector.



Step 10 Click OK.

Step 11 Click Add to the right of Detection Patterns.

Step 12 Select HTTP as the protocol.

Step 13 Select URL as the type.

Step 14 Enter vt.edu as the pattern.

Step 15 Click OK.



Step 16 Click Save.

Step 17 On the Policies > Application Detectors page, search for the vtech custom application
detector by entering vtech in the filter box, and check the box next to it.

Step 18 Under the State column, click the check box to activate the vtech custom application
detector. If the warning prompt appears, click Yes.

Step 19 Activating a custom application detector takes about a minute. The Snort engine reloads
automatically after an application detector is activated.

Step 20 Click OK on the popup if one appears.



Step 21 Click the green arrow icon to download and save the Lua script file to the PC.

Step 22 Open the vtech.lua file with WordPad to see what the Lua script for the detector looks like.

Step 23 From Inside PC-1 (Windows 7), browse to http://www.vt.edu



Step 24 Return to the Firepower Management Center GUI at https://192.168.X4.24/

Step 25 Navigate to the Analysis > Connections > Events page. You should see a connection event
with vtech-app under Web Application.

Step 26 Click the down arrow icon on the event to view detailed information.



Step 27 Navigate to Policies > Access Control > Access Control. Click the Edit option on the
Default Intrusion Prevention policy.

Step 28 Click Add Rule in the access control policy as if to use vtech-app in a rule.

Step 29 Click the Applications tab.

Step 30 Search for vtech in the available applications.

Step 31 You should see the vtech-app custom application. In this lab step, you will not actually
use the vtech-app custom application as a matching criterion for the access control policy rule.

Step 32 Click Cancel to abort the rule configuration.



Lab 9: Configuring DNS Policy
Step 1 From your host PC, use Notepad to create a file containing the following two domain
entries. Name the file dns-list-file. (A line that starts with # is a comment and is ignored.)

facebook.com
#
twitter.com

Step 2 From the Firepower Management Center GUI, navigate to the Objects > Object Management
page.

Step 3 On the left side of the page, select DNS Lists and Feeds under Security Intelligence.

Step 4 Click Add DNS Lists and Feeds.

Name the DNS list: DNS_list_for_lab

Select List as the type.

Step 5 Under Upload List, click Browse.

Step 6 Locate and select the dns-list-file that you created with Notepad on your host machine.

Step 7 Click Open.



Step 8 Click Upload.

Step 9 Click Save.

Step 10 Navigate to the Policies > Access Control > DNS page.

Step 11 Click the edit icon to edit the Default DNS Policy.

Step 12 Click Add DNS Rule to add a new rule to the Default DNS Policy.

Step 13 Name the new DNS Rule: Test rule

Step 14 The Enable box should be checked by default.

Step 15 Select Drop as the rule action.

Step 16 Click the DNS tab.

Step 17 Select the DNS_list_for_lab DNS list.

Step 18 Click Add to Rule.

Step 19 Click Add.



Step 20 Click Save.

Step 21 Navigate to the Policies > Access Control > Access Control page.

Step 22 Edit the Default Intrusion Prevention access control policy.

Step 23 Click the Security Intelligence tab.

Step 24 Verify that the DNS Policy setting already points at the Default DNS Policy.



Step 25 Click the Deploy button at the top of the display to deploy the changes.

Step 26 After the deployment completes, go to Inside PC-1 and ping www.facebook.com and
www.twitter.com. Name resolution for these domains should fail.

Step 27 From Inside PC-1, ping www.yahoo.com. The pings should be successful.

Note: From Inside PC-1, run the nslookup command. Resolving www.yahoo.com should succeed.
Resolving www.facebook.com and www.twitter.com should fail: the DNS rule action is Drop, so the
query for any host under facebook.com or twitter.com never reaches the resolver.
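The two entries in dns-list-file catch www.facebook.com and www.twitter.com because a DNS list entry covers the domain and everything under it. The following Python script is an added example, not part of the lab guide or of Firepower: it parses a list file in the format created in Step 1 (including the # comment line) and applies the lab's Drop rule to sample queries, reporting the verdict in the shape of the Security Intelligence Events table. The list text and the queries are constructed for the example.

```python
# Constructed copy of the dns-list-file created in Step 1 (a line starting
# with "#" is a comment and is ignored).
DNS_LIST_FILE = """\
facebook.com
#
twitter.com
"""


def parse_dns_list(text: str):
    """Parse a Security Intelligence DNS list: one domain per line, '#' comments and blank lines ignored."""
    domains = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Normalise case and any trailing dot so "Facebook.com." matches "facebook.com".
        domains.append(line.lower().rstrip("."))
    return domains


def matching_list_entry(qname: str, domains):
    """Return the list entry that covers qname, or None.

    An entry covers the domain itself and every subdomain (www.facebook.com)
    but not merely similar names (notfacebook.com), so the comparison is made
    on label boundaries rather than as a plain suffix test.
    """
    name = qname.strip().lower().rstrip(".")
    for domain in domains:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def dns_rule_verdict(qname: str, domains, rule_action: str = "Drop"):
    """Apply the lab's DNS rule (action Drop) to one query.

    Returns (action, reason, list_entry) in the shape of the Security
    Intelligence Events table: a dropped query is logged with action Block
    and reason DNS Block; anything else falls through to the resolver.
    """
    hit = matching_list_entry(qname, domains)
    if hit is None:
        return ("Allow", None, None)
    if rule_action == "Drop":
        return ("Block", "DNS Block", hit)
    raise ValueError(f"rule action {rule_action!r} is not modelled in this example")


if __name__ == "__main__":
    entries = parse_dns_list(DNS_LIST_FILE)
    # Constructed queries: the two the lab expects to fail, the one it expects
    # to succeed, and a look-alike domain that must not be caught.
    for q in ("www.facebook.com", "www.twitter.com", "www.yahoo.com", "notfacebook.com"):
        print(f"{q:20} -> {dns_rule_verdict(q, entries)}")
```

The label-boundary check is the detail that matters when you write your own lists: an entry of facebook.com must not drop queries for an unrelated domain that merely ends in the same string.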

Step 28 Go back to the FMC GUI and navigate to the Analysis > Connections > Security Intelligence
Events page.

Step 29 Check the box at the head of the list to select all the events, then click Table View of
Security Intelligence Events.



Step 30 You should see the Block action with the DNS Block reason and the DNS_list_for_lab
Security Intelligence category.

Step 31 Navigate to the Overview > Dashboards > Security Intelligence Statistics page.

Step 32 Examine the Connections by DNS SI Categories, Connections by DNS Record Types, and
Traffic by DNS SI Categories widgets.

Lab 10: Configuring SSL Policy
Step 1 Navigate to the Objects > Object Management > PKI > Internal CAs page.

Step 2 Click Generate CA at the top.

Step 3 Enter the following:

Name : Internal

Country Name : SG

State or Province : Singapore

Locality or City : Singapore

Organization : Gkapac

Organizational Unit : Technical

Common Name : Internal certificate



Step 4 Click on Generate self-signed CA.

Step 5 You can also click the Edit icon to examine the resulting Internal CA.



Step 6 Click OK.

Step 7 Navigate to the Policies > Access Control > SSL page to create an SSL policy.

Step 8 Click New Policy.

Step 9 Name the SSL policy SSL Policy 1.

Step 10 Optionally, enter a description.

Step 11 Use Do not decrypt as the Default Action.

Step 12 Click Save.



Step 13 Click edit icon in SSL Policy 1.

Step 14 Click the Trusted CA Certificates tab to examine all the Cisco Trusted Authorities.

Step 15 Click the Undecryptable Actions tab to examine the default action for each
undecryptable situation.

Step 16 Click the Rules tab.

Step 17 Click Add Rule to add an SSL decryption rule.



Step 18 Name the rule SSL rule.

Step 19 Select the Decrypt - Resign action with the Internal CA generated in Step 3.

Step 20 Click the Logging tab and enable Log at End of Connection.

Step 21 Leave the other settings at their defaults.

Step 22 Click Add.

Step 23 Click Save.

Step 24 To apply the SSL policy to the access control policy, navigate to the Policies > Access
Control page.

Step 25 Click the edit icon to edit the Default Intrusion Prevention access control policy.

Step 26 Click the None link next to SSL Policy: None.



Step 27 Select SSL Policy 1 as the SSL Policy to use for inspecting encrypted connections.

Step 28 Click OK.

Step 29 Click Save.



Step 30 Click Deploy and apply the access control policy, with the SSL policy, to the vFTD managed
device.

Step 31 After the deployment to the FTD device is successful, go to Inside PC-1 and clear the
Firefox browser cache.

Step 32 Then browse to https://www.yahoo.com from Mozilla Firefox. You will see a certificate
warning screen like the one below.

Step 33 Click I Understand the Risks > Add Exception. The following dialog box opens.



Step 34 Click View to view the certificate, then click Confirm Security Exception.

Step 35 Verify that the certificate was issued by the common name Internal certificate. The vFTD
is now acting as the man in the middle between the client browser and the Yahoo web server: it
terminates the client's TLS session with a certificate it re-signed using the Internal CA.

Note: The browser warns because it does not trust the Internal CA. Adding an exception is fine for
the lab; in production, distribute the Internal CA certificate to the clients' trust stores instead,
so that users are not trained to click through certificate warnings.



Step 36 Navigate to the Analysis > Connections > Events page.

Step 37 Check the box at the head of the list and click Table View of Connection Events.

Step 38 Scroll to the right. You should see a connection event with the Decrypt (Resign) SSL
Status where the application protocol is HTTPS and the web application is Yahoo.

Step 39 Go back to the browser on Inside PC-1 and try to download a test malware file from
https://www.ihaveabadreputation.com/eicar.com.

Step 40 Click I Understand the Risks > Add Exception.

Step 41 Uncheck Permanently store this exception.



Step 42 Click Confirm Security Exception.

Step 43 The HTTPS connection to https://www.ihaveabadreputation.com/eicar.com should fail.

Step 44 Because the HTTPS connections are now decrypted and inspected, malware file transfers
over HTTPS are blocked as well.

Step 45 Navigate to the Analysis > Connections > Events page.

Step 46 Click Table View of Connection Events.

Step 47 You should see a connection with the Block action, File Block reason and Decrypt (Resign)
SSL Status, where the application protocol is HTTP and the URL is
https://www.ihaveabadreputation.com/eicar.com.

Step 48 Navigate to Policies > Access Control > SSL and click the edit option on SSL Policy 1 to
enable the Replace Key option on its Decrypt - Resign rule.

Note: The Replace Key option replaces only the public key of the server certificate instead of
re-issuing the whole certificate under the Internal CA. It is used when the destination server
presents a self-signed certificate or one signed by an untrusted CA, so that the client still receives
the untrusted-certificate warning it would have seen without decryption, rather than a certificate
the Internal CA has vouched for.

Step 49 Click on the edit option at the SSL rule.

Step 50 In the Editing Rule Page, check the Replace Key below the Move option.



Step 51 Click Save, and then click Save again at the top.

Step 52 Click Deploy to deploy the changes.

Step 53 From the browser on Inside PC-1, try downloading
https://www.ihaveabadreputation.com/eicar.com.

Step 54 Click I Understand the Risks > Add Exception.

Step 55 Click View to view the certificate.

Step 56 Verify that the certificate is not signed by the Internal CA but is self-signed by
ihaveabadreputation.com.



Step 57 Browse to https://www.google.com from the inside PC-1 browser.

Step 58 Click on I Understand the risks Add exception.

Step 59 Click View to view the certificate.

Step 60 Verify that the certificate is signed by the Internal certificate.

Step 61 Navigate to the Analysis > Connections > Events page. Click Table View of Connection
Events. You should see an HTTPS connection to ihaveabadreputation.com with the
Decrypt (Replace Key) SSL Status. The HTTPS connection to www.google.com should still
have the Decrypt (Resign) SSL Status.

Step 62 Navigate to Policies > Access Control > SSL policy and click on the edit option to edit
the policy action to Do not decrypt.

Step 63 Click edit on the Decrypt-Resign rule.

Step 64 Select Do not decrypt in the action.

Step 65 Click Yes on the Pop Up Warning.

Step 66 Go to category tab and add financial services with any reputation to the selected
categories.

Step 67 Click Save.

Step 68 Click Save to save the configuration changes.

Step 69 Click Deploy to deploy the SSL Policy to the vFTD managed device.

Step 70 To test from the Inside PC-1 using the Firefox browser, browse to any financial website,
such as https://www.chase.com or https://www.hdfc.com.

Step 71 Navigate to the Analysis > Connections > Events page. Click Table View of Connection
Events. You should see an HTTPS connection to chase.com with the Do Not Decrypt SSL
Status.

Note: In releases after the initial Firepower v6.0.0 release, when an enabled SSL rule matches on URL
category and the URL category lookup fails or returns unknown, the default action of the SSL policy
is applied to the traffic.

Lab 11: Tuning Your HTTP_Inspect Pre-processor
In this lab, you will create a Network Analysis Policy and tune the HTTP pre-processor.

Step 1 In the FMC GUI, navigate to the access control policy page by selecting Policies > Access
Control > Intrusion.

Step 2 Click the Create Policy button to create a new Network Analysis Policy. Name the policy
Training Analysis Policy, set Base Policy to Security over Connectivity, make sure that
Drop when Inline is enabled, and click Create and Edit Policy.

Step 3 Commit your changes and give any name for the prompting description tab. Click OK.

Step 4 Navigate to Policies > Access Control > Access Control, and click on the edit icon (pencil
icon) associated with Default Intrusion Prevention.

Step 5 Change the Default Action to Intrusion Prevention : Training Analysis Policy.

Step 6 Click the Logging icon in the Default Action bar.

Step 7 In the Logging window, make sure the Log at End of Connection checkbox is enabled and then
click OK.

Step 8 Click Save on the top of the page.

Step 9 Navigate to Policies > Access Control > Intrusion and click the edit button for the Initial
inline Policy-firepower3D.gkapac.local.

Step 10 Click the Rules option in the left side panel.

Step 11 In the Rule column, select the Preprocessor option.

Step 12 Click the HTTP configuration selection to filter on the HTTP preprocessor rules.

Step 13 Check the checkbox next to GID in the heading of the rule list; this selects all the HTTP
Configuration rules.

Step 14 Click the Rule State and choose Generate Events to enable all of the rules that are
associated with HTTP Configuration.

Step 15 Click OK.

Step 16 Click the Advanced Settings option in the left side pane and disable Global Rule
Thresholding.

Step 17 Click the Policy Information in the left side panel and Commit Changes to IPS policy, give
the description as IPS and click OK if any warning appears.

Step 18 Deploy it by clicking on the Deploy button at the top right of the screen. Check the box
near VFTD and click on Deploy. Wait until the deployment is completed and reload the
page to see whether the policy has been updated.

Step 19 Go to Inside PC-1 and in the browser access more than five connections using http.
Example: http://www.msn.com/

Step 20 You will see an event generated on the FMC. To check the output, navigate to
Analysis > Intrusion > Events.

Note: The detected event name and screenshot may change accordingly.

Step 21 Check the checkbox near the newly generated log and click on view to view the
generated events.

Step 22 Click on the Packets option at the top to view the detailed summary of the event.

Lab 12: Creating A Correlation Policy and Working with Connection
Data and Traffic Profiles
In this lab, you will create correlation policies with rules that trigger on specific conditions that are
related to data gathered from connection events.

Step 1 In the FMC GUI, navigate to Policies > Correlation > Traffic Profiles and click on New
Profile.

Step 2 In the Profile Name field, enter Malware Profile.


Step 3 In the Profile Condition section, choose Either Initiator IP or Responder IP is in and
enter 192.168.X5.0/24.
Step 4 In the Profile Option section, set the profiling time window to 1 hour.

Step 5 Click Save and Activate.

Note: Ensure that the policy has been activated by verifying the tick mark.

You have set the Profiling Time Window to maintain data for this profile for the last 1 hour(s), so
wait until the progress reaches 100%. While waiting, create the following rules.

Step 6 Click the Rule Management tab. You will be creating a correlation rule that alerts if
malware is detected.

Step 7 Click Create Rule.


Step 8 In the Rule Name field, enter Malware Profile with the description malware test profile.
Step 9 In the Select type of event for this rule section, choose if a Malware event occurs and by
network-based malware detection from the drop-down menu.
Step 10 In the drop-down list that is associated with the condition, choose File type is EICAR.
Step 11 Under Rule Options, set the snooze period to 5 minutes and click Save.

Step 12 Click the Policy Management tab and select Create Policy.
Step 13 In the Name Field, enter Malware detection Profile and Default priority as 1.
Step 14 Add the Malware Profile rule to the correlation policy by clicking Add Rule and, under the
ungrouped rules, selecting the Malware Profile check box.

Step 15 Select priority as 1 for the added rule and click Save.

Step 16 Ensure that the policy has been activated by verifying the tick mark. If it is not activated
click on the sliding icon to activate it.

Step 17 Once the profile's progress is complete, your page should look like the following page.

Step 18 Now from Inside PC-1, if not logged in yet, log in as gkapac\administrator with the
password tr@1n1ng@GK.
Step 19 Browse to http://www.eicar.org/download/eicar.com. Your access is blocked first with
"The connection was reset"; refresh the browser a couple of times and you still cannot
access the website.
Step 20 You should not be able to access the website.
Step 21 To check the output, click Analysis > Correlation > Correlation Events; you will see the
following output screens.
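The traffic profile condition, the Malware Profile rule and its snooze from Steps 1 to 11, modelled in Python as an added example that is not part of the lab guide or of Firepower itself. The 192.168.X5.0/24 network is instantiated with X=1 and every event below is constructed sample data.

```python
"""Added example (not from the lab guide): a minimal model of the Lab 12
correlation logic.  Events are filtered by the traffic profile condition
(either initiator IP or responder IP in 192.168.X5.0/24, X=1 assumed), the
"Malware Profile" rule fires on a network-based malware event whose file
type is EICAR, and a 5-minute snooze suppresses repeat alerts."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

# 192.168.X5.0/24 from the lab guide, with X=1 (assumption for this example).
PROFILE_NETWORK = ip_network("192.168.15.0/24")


@dataclass(frozen=True)
class MalwareEvent:
    time: datetime
    initiator_ip: str
    responder_ip: str
    detection: str      # "network-based" or "endpoint-based"
    file_type: str      # e.g. "EICAR", "PDF"
    file_name: str


def in_traffic_profile(event: MalwareEvent) -> bool:
    """Step 3 condition: Either Initiator IP or Responder IP is in the network."""
    return (ip_address(event.initiator_ip) in PROFILE_NETWORK
            or ip_address(event.responder_ip) in PROFILE_NETWORK)


def malware_profile_rule(event: MalwareEvent) -> bool:
    """Steps 9-10: a malware event from network-based detection, file type EICAR."""
    return event.detection == "network-based" and event.file_type == "EICAR"


class CorrelationRule:
    """One rule with a snooze period (Step 11 sets 5 minutes): after an alert,
    further matches are ignored until the snooze expires."""

    def __init__(self, name: str, condition: Callable[[MalwareEvent], bool],
                 snooze: timedelta):
        self.name = name
        self.condition = condition
        self.snooze = snooze
        self.snoozed_until: Optional[datetime] = None

    def evaluate(self, event: MalwareEvent) -> Optional[dict]:
        if not self.condition(event):
            return None
        if self.snoozed_until is not None and event.time < self.snoozed_until:
            return None  # matched, but inside the snooze window
        self.snoozed_until = event.time + self.snooze
        return {"rule": self.name, "time": event.time,
                "initiator": event.initiator_ip, "responder": event.responder_ip,
                "file": event.file_name}


def run_correlation(events: List[MalwareEvent],
                    rules: List[CorrelationRule]) -> List[dict]:
    """Feed events in time order through the profile filter and each rule;
    return the correlation events that would be raised."""
    alerts = []
    for event in sorted(events, key=lambda e: e.time):
        if not in_traffic_profile(event):
            continue
        for rule in rules:
            alert = rule.evaluate(event)
            if alert:
                alerts.append(alert)
    return alerts


def sample_events() -> List[MalwareEvent]:
    """Constructed sample data; 203.0.113.5 is a documentation-range address."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    ev = lambda m, src, det: MalwareEvent(t0 + timedelta(minutes=m), src, "203.0.113.5",
                                          det, "EICAR", "eicar.com")
    return [
        ev(0, "192.168.15.10", "network-based"),   # first download: alert
        ev(1, "192.168.15.10", "network-based"),   # refresh: matched but snoozed
        ev(2, "192.168.15.10", "endpoint-based"),  # wrong detection type: no match
        ev(3, "10.0.0.5", "network-based"),        # outside the profile: filtered
        ev(6, "192.168.15.11", "network-based"),   # snooze expired: alert again
    ]


def demo() -> List[dict]:
    rule = CorrelationRule("Malware Profile", malware_profile_rule, timedelta(minutes=5))
    return run_correlation(sample_events(), [rule])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```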

Lab 13: Analysing Events Using Context Explorer
In this lab, you can view the data and events generated in each section.

Step 1 Navigate to Analysis > Context Explorer and scroll through each section to view the
generated events and data.
Step 2 Scroll down to the Application Protocol Information section, where you can view the
applications that have been used and the details of each application (e.g. risk, number of hosts).

Step 3 To view the intrusion information that has been generated and its details, scroll down to the
Intrusion Events section.

Step 4 To view the network information, scroll to the Network Information section, where you can
see the OS and Connections by Access Control.

Lab 14: Creating User Accounts and Configuring UI Timeout Value
In this lab, you will create an internal user account.

Step 1 Navigate to System  Users.


Step 2 Click the Create User button.

Step 3 In the User Configuration section, enter NOC in the User Name field.
Step 4 In the Password field, enter training. Confirm the password in the Confirm Password
field.
Step 5 In the option field, check the checkbox that is associated with Exempt From Browser
Session Timeout.
Step 6 In the User Role Configuration section, check the checkbox Security Analyst.
Step 7 Click Save to save the new user account.

Step 8 Navigate to System > Configuration > Shell Timeout and edit the system policy titled
Initial_System_Policy.
Step 9 In the Browser settings section, enter 3 in the Browser Session Timeout field.

Step 10 Click Save.

Lab 15: Testing Exempt vs. Non-exempt Users
Step 1 Log out as admin and log in with the NOC user credentials (NOC/training).

Step 2 You are directed to the Dashboard page. This page refreshes frequently; keep this page
open for at least 3 minutes.

Step 3 The browser session never times out for the NOC user because it is exempt from the session
timeout.
Step 4 Log out as NOC and log back in with admin credentials.

Step 5 In 3 minutes, the admin browser session will time out.

Step 6 Once you are logged out, log back in with the admin credentials (admin/C1sc0123).

Step 7 Navigate to System > Configuration > Shell Timeout to edit the system policy titled
Initial_System_Policy.

Step 8 Change the Browser Session Timeout to the default value (60 mins).
Step 9 Click Save.

Lab 16: Escalating Permissions
You will create a custom user role and tune this user role to include the ability to escalate
permissions.

Step 1 Navigate to System > Users.


Step 2 Click the User Role tab.

Step 3 Click the Create User Role button. In the Name field, enter Student 1 User Role. Click
Save.

Step 4 Click OK if any warning pops up.

Step 5 At the top right of the screen, click on the Configure Permission Escalation. Set the
target to Administrator and click OK.

Step 6 Click the Edit icon that is associated with Student 1 User Role.

Step 7 In the System Permissions section, choose the check box that is associated with Set this
role to escalate to: Administrator.
Step 8 Set the role to Authenticate with the assigned user’s password.
Step 9 Click Save.

Step 10 Navigate back to NOC user Configuration by clicking on the users tab and click on the
edit icon of NOC and choose Student 1 User Role as the custom user role.

Step 11 Click Save.

Note: You will now escalate your internal account permissions.

Step 12 Log out of the current session and log back in using your internal account user
NOC (NOC/training).

Step 13 Navigate to the NOC tab (in the right of the user interface) and choose Escalate
Permissions.

Step 14 Enter the password that you configured for the NOC account (training).

Step 15 Confirm that the user interface was updated to support the escalated administrator
permissions. Now you have all permissions of the escalation target role in addition to
your current role.

Step 16 Log out of the session and log back in to the user interface, using the administrator
credentials (admin/C1sc0123).

Lab 17: Creating Objects and Variable Set

Task 1: To Create Objects


In this lab, you will create objects that will be used in your access control policy.

Step 1 In the FMC GUI, click Objects > Object Management in the main menu.
Step 2 Click Network.
Step 3 Click the Add Network > Add Object button.

Step 4 In the Network Objects dialog box, enter InsidePC in the name field and
192.168.X5.0/24 in the network field.
Step 5 Click Save.

Step 6 Click the Add Network > Add Object button again.


Step 7 Name the Network object as Management and enter the network field as
192.168.X4.0/24.
Step 8 Click Save.

Step 9 Click the Add Network > Add Group link.

Step 10 In the Name field, enter firepower.


Step 11 Move InsidePC and Management from Network Objects to the Selected Networks.

Step 12 Click Save.

Lab 18: Creating New Variable Set
In this task you will create a new variable set that contains the networks of interest.

Step 1 Click the Variable Set option from left side of the display.
Step 2 Click Add Variable Set.

Step 3 Enter the name of the new variable set as firepower.


Step 4 Click Edit icon next to the Home_Net variable.

Step 5 In the Network field under Included Networks, enter the 172.16.10.0 network in the Enter
an IP address box and click Add.

Step 6 Click Save and then click Save again.

Lab 19: Examine Other Firepower v6.2 Features
Step 1 For multi-domain management, navigate to the System > Domains page.
Step 2 By default all the managed devices belong to the Global domain.

Step 3 In the Domains page, you can add domains under the Global domain or edit the Global
domain.
Step 4 Setting up multi-domains management is beyond the scope of this lab.
Step 5 In our lab environment, there is 1 device under the Global domain.
Step 6 For Archive File Inspection, navigate to the Policies > Access Control > Malware & File
page in the FMC GUI.
Step 7 Edit the Block Malware file policy.
Step 8 Click the Advanced tab of the file policy.
Step 9 Examine the Archive File Inspection settings. By default, Inspect Archive is not enabled.

Step 10 To check the Default Network Analysis Policy, navigate to the Policies > Access Control
page.

Step 11 Click on edit on the Default Intrusion Policy.
Step 12 Click the Advanced tab.

Step 13 Examine the default Network Analysis and Intrusion Policies settings.
Step 14 Click the Edit icon to edit the Network Analysis and Intrusion Policies settings.
Step 15 Change the Default Network Analysis Policy to the Security over Connectivity policy.

Step 16 Click OK.


Step 17 Click Save.

User-Based Indications of Compromise
Step 18 Navigate to Analysis > Users > Users.
Step 19 Click down arrow icon for Realm1\administrator (LDAP).

Step 20 It displays the user profile in detail, including the Indications of
Compromise, the operating system of the host, applications, and so on.

Packet Capture
Step 21 In the Firepower Management Center, choose Devices > Device Management.
Step 22 Click the troubleshooting icon. The Health Monitor page appears.

Step 23 Click Advanced Troubleshooting.

Step 24 Select the Capture w/Trace tab.


Step 25 Click Add Capture.
Step 26 Enter the Name as PacketCapture for capturing the trace.
Step 27 Select the Interface as inside for capturing the trace.

Step 28 Specify Match Criteria details:

Select the Protocol as ICMP.

Source Host : 192.168.X5.10

Destination Host : 8.8.8.8

Leave all other settings as default.

Note: Select either Continuous Capture if you want the traffic captured without interruption, or Stop
when full if you want the capture to stop when the maximum buffer size is reached.

Step 29 Click Save.


Step 30 Check Enable Auto Refresh checkbox to enable it.

Step 31 From Inside PC-1 ping to 8.8.8.8.

Step 32 Return to the FMC GUI; you should see the captured packets.

Packet Tracer
Step 33 On the Firepower Management Center, click Packet Tracer tab.
Step 34 Click OK if any popup appears.

Step 35 Enter the following parameters:

Packet type : ICMP

Interface : Inside

Source : IP Address (IPv4): 192.168.X5.10

Destination : IP Address (IPv4): 8.8.8.8

Type : 0 (Echo Reply)

Code : 255

Leave Output format as summary.

Step 36 Click Start.


Step 37 In output window you should see trace details.

URL Lookup
Step 38 Navigate to System > Integration > Cisco CSI. Check the Query Cisco CSI for Unknown
URLs check box.
Step 39 Click Save.

Step 40 Select Analysis > Lookup > URL.
Step 41 Enter the URLs whose reputation you want to check, for example google.com cisco.com
zapak.com. Separate each entry with a space.

Step 42 Click Search.

Note: You can enter up to 250 URLs and public, routable IP addresses, in any common format (for
example, URLs may be with or without "http", "www", or a subdomain, or may be shortened).

If you enter many URLs and your network is slow, processing may take several minutes.

If you see an error message that the URL is not valid, check your spelling or try a different variation of
the URL. For example, omit the "www" or "http(s)" prefix.

A URL may belong to up to six categories but has only one reputation.

Step 43 (Optional) To save the results as a CSV file, click Export CSV.

Step 44 Click OK to save file.

REST API
Step 45 In the FMC GUI, navigate to System > Configuration > REST API Preferences to enable the
REST API.
Step 46 Check the "Enable REST API" checkbox.

Step 47 Click "Save". A box saying "Save Successful" will display when the REST API is enabled.

Step 48 On the vFTD sensor CLI, enter the show summary command and copy the FTD UUID.

Step 49 From the Host PC, open Firefox and browse to https://192.168.X4.24/api/api-explorer/
using credentials admin/C1sc0123 to access the ASA REST API online documentation.
Step 50 Accept the certificate warning to continue if it appears.

Note: If the page does not display properly, install the RESTClient plugin in Firefox. The RESTClient
add-on is needed to display the REST API console content.

Click the menu button and choose Add-ons. The Add-ons Manager tab will open.

In the Add-ons Manager tab, select the Plugins panel.

Enter poster in the search box at the top to search for the Poster add-on.

You can then install RESTClient add-on with the Install button.

Click Restart Now if it pops up. Your tabs will be saved and restored after the restart.

Step 51 On the left under API INFO, click Devices, then click GET next to
/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-
6d9ed49b625f/devices/devicerecords

Step 52 Scroll down to containerUUID and paste the FTD sensor UUID there.

Step 53 Click GET next to /api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-
6d9ed49b625f/devices/devicerecords/{containerUUID}/physicalinterfaces

Step 54 Click GET under API console to see the interface details.
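The same three API calls as Steps 45 to 54 driven from a script, as an added example that is not part of the lab guide or of Cisco's tooling. The endpoint paths are the ones shown above; the FMC address (X=1), the admin credentials from the guide, and the response bodies used for offline testing are assumptions or constructed values.

```python
"""Added example (not from the lab guide): a minimal client for the three FMC
REST API calls in Steps 45-54: generate a token, list device records, list a
device's physical interfaces.  The transport is injectable so the logic can
be checked offline against constructed responses."""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport maps (method, url, headers) -> (status, response headers, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def urllib_transport(verify_tls: bool = True) -> Transport:
    """Live HTTPS transport.  The lab FMC presents a self-signed certificate,
    so a lab-only caller may pass verify_tls=False; keep verification on
    against any FMC that is not a disposable lab instance."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method: str, url: str, headers: Dict[str, str]):
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return send


class FmcClient:
    def __init__(self, host: str, transport: Transport):
        self.base = f"https://{host}"
        self.transport = transport
        self.token = ""
        self.domain_uuid = ""

    def login(self, username: str, password: str) -> str:
        """POST /api/fmc_platform/v1/auth/generatetoken with HTTP Basic auth.
        The response carries no body; the token and the domain UUID (the
        value embedded in the Step 51 path) come back as headers."""
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, headers, _ = self.transport(
            "POST", f"{self.base}/api/fmc_platform/v1/auth/generatetoken",
            {"Authorization": f"Basic {cred}"})
        if not 200 <= status < 300:
            raise RuntimeError(f"token request failed: HTTP {status}")
        lower = {k.lower(): v for k, v in headers.items()}
        self.token = lower["x-auth-access-token"]
        self.domain_uuid = lower["domain_uuid"]
        return self.domain_uuid

    def _get_items(self, path: str) -> List[dict]:
        status, _, body = self.transport(
            "GET", self.base + path,
            {"X-auth-access-token": self.token, "Accept": "application/json"})
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return json.loads(body.decode()).get("items", [])

    def device_records(self) -> List[dict]:
        """Step 51: GET .../domain/{DOMAIN_UUID}/devices/devicerecords"""
        return self._get_items(
            f"/api/fmc_config/v1/domain/{self.domain_uuid}/devices/devicerecords")

    def device_uuid(self, name: str) -> str:
        """Resolve a device name to the UUID pasted as containerUUID in Step 52
        (the same value 'show summary' prints on the sensor in Step 48)."""
        for record in self.device_records():
            if record.get("name") == name:
                return record["id"]
        raise KeyError(f"no managed device named {name!r}")

    def physical_interfaces(self, container_uuid: str) -> List[dict]:
        """Step 53: GET .../devicerecords/{containerUUID}/physicalinterfaces"""
        return self._get_items(
            f"/api/fmc_config/v1/domain/{self.domain_uuid}/devices/devicerecords/"
            f"{container_uuid}/physicalinterfaces")


def interface_names(client: FmcClient, device_name: str) -> List[Tuple[str, str]]:
    """(physical name, logical ifname) for every interface of one device."""
    return [(i.get("name", ""), i.get("ifname", ""))
            for i in client.physical_interfaces(client.device_uuid(device_name))]


if __name__ == "__main__":
    # FMC at 192.168.X4.24 with X=1 assumed; admin/C1sc0123 as in the guide.
    fmc = FmcClient("192.168.14.24", urllib_transport(verify_tls=False))
    fmc.login("admin", "C1sc0123")
    for name, ifname in interface_names(fmc, "VFTD"):
        print(f"{name:22s} {ifname}")
```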

Lab 20: Configuring Rate limiting
Step 1 If logged out, login to the GUI of Firepower Management center (https://192.168.X4.24)
using admin/C1sc0123.
Step 2 Choose Devices > QoS.

Step 3 Click New Policy to create a new QoS policy.


Step 4 Enter the name as Rate Limiting Applications.
Step 5 Optionally, assign Description for QoS Policy.
Step 6 Choose VFTD from Available Devices, then click Add to Policy or drag and drop into the
list of Selected Devices.
Step 7 Click Save.

Step 8 On the Rules tab of the QoS policy editor click Add Rule.
Step 9 For Name, enter BBC Rate Limit; for Apply QoS On, select Interfaces in Source Interface
Objects.

Step 10 Under Traffic Limit Per Interface, enter a Download/Upload Limit as 0.008 Mbits/sec.
Step 11 Under Interface Objects, move INSIDE to Source Interface Objects and OUTSIDE to
Destination Interface Objects.

Step 12 Under Applications, search for BBC under Available Application and click Add to Rule.
Step 13 Click OK.

Step 14 Click Save.


Step 15 Click Deploy to deploy the Access Control Policy to the FTD Sensor.
Step 16 Check the box near VFTD and click Deploy.

Step 17 From the Devices > QoS page, once the QoS Policy has been applied to the VFTD, the
status should state Up-to-date on all targeted devices.

Step 18 From the Inside PC-1, browse to www.bbc.com.


Step 19 Navigate to Analysis > Connections > Events > Table View of Connection Events.
Step 20 Click the x icon next to any column heading.

Step 21 Under Disabled Columns select QoS Policy, QoS Rule, QoS-Applied Interface, QoS-
Dropped Initiator Bytes, QoS-Dropped Initiator Packets, QoS-Dropped Responder
Bytes, QoS-Dropped Responder Packets then scroll down and click Apply.

Step 22 You should see an event with the URL www.bbc.com and QoS Rule as Rate Limiting
Applications.

Step 23 Navigate to Devices > QoS.
Step 24 Click Edit on Rate Limiting Applications.

Step 25 Select Policy Assignment on top right corner of the page.

Step 26 In the Targeted Device window, click the delete icon next to VFTD.


Step 27 Click OK.

Step 28 Click Save at the top of the page.

Step 29 Go back to Devices > QoS and click the delete icon next to Rate Limiting Applications
to remove the QoS Policy.
Step 30 Click OK to delete it.

Lab 21: Enabling Safe search feature
Step 1 Navigate to Policies > Access Control > Access Control.
Step 2 Click the Edit icon for Default Intrusion Prevention policy.

Step 3 Click the SSL Policy 1 link next to SSL Policy: SSL Policy 1.
Step 4 Select None as the SSL Policy to use for inspecting encrypted connections and click OK.
Step 5 Click on Save at the top.
Step 6 Click Deploy at the top of the page.
Step 7 After the deployment is completed, from Inside PC-1, open Firefox and search on Google
for a term such as testing. You should see that the Safe Search feature is turned off.

Step 8 Navigate back to the FMC GUI and go to the Policies > Access Control > SSL page to create an
SSL Policy.
Step 9 Click New Policy.
Step 10 Name the SSL policy as SSL Policy for Safe Search.
Step 11 Optionally enter a description.
Step 12 Use Do not decrypt as the Default Action.
Step 13 Click Save.

Step 14 Click the Rules tab.
Step 15 Click Add Rule to add an SSL decryption rule.
Step 16 Name the rule as SSL rule for Safe Search.
Step 17 Select the Decrypt-Resign action with the Internal.
Step 18 Under Application tab, search for Search engine under Application Filter and click Add
to Rule.

Step 19 Click the Logging tab and enable log at the End of Connection.

Step 20 Leave other settings as the default.


Step 21 Click Add.
Step 22 Click Save at the top of page.
Step 23 To apply the SSL Policy to the Access Control Policy, navigate to the Policies > Access
Control page.
Step 24 Click the edit icon to edit the Default Intrusion prevention access control policy.
Step 25 Click the None link next to SSL Policy: None.

Step 26 Select SSL Policy for Safe Search as the SSL Policy to use for inspecting encrypted
connections.

Step 27 Click OK.


Step 28 Click Save.

Step 29 Now, click on the Rules tab.


Step 30 Click Add Rule button.
Step 31 For Name, enter Testing Safe Search; for Action, select Allow.
Step 32 Click on Insert and keep it as above rule 1. If the rule is not moved to the top, it will never
be executed, because the default access rule permits everything.
Step 33 In the Applications tab, click the dimmed icon for Safe Search.

Step 34 Tick Enable Safe Search, then choose Block as the Action for non-supported engines.

Step 35 Click OK.
Step 36 Under Logging, select Log at Beginning of Connection and click Add.

Step 37 Click Save button at top of the page.


Step 38 Click Deploy to deploy the Access Control Policy to the FTD Sensor.
Step 39 Check the box near VFTD and click Deploy.
Step 40 In Firefox, click the menu button, choose History, and then Clear Recent History.

Step 41 Click the drop-down menu next to Time range to clear to choose Everything.
Step 42 Next, click the arrow next to Details and check all choices in the list.

Step 43 Finally, click the Clear Now button.

Step 44 After the Firefox history is cleared, reload the page that is already open in Firefox.
Step 45 Click I understand the risk > Add exception.
Step 46 Uncheck Permanently store this exception.

Step 47 Click Confirm security exception. You should see the Search results with Safe Search
Feature turned on.

Note: If you try to turn off the "SafeSearch" feature in the Google preferences, it stays on, because you
are connected to a "safe" network.

Lab 22: Configuring site to site VPN

Task 1: Set Up and Test the ASAv


Step 1 Navigate to VMware Workstation and access the console of the ASAv.

Note: If the ASAv CLI shows a warning saying the ASAv platform license state is Unlicensed, ignore it
and proceed.

Step 2 Enter enable mode; if prompted for a password, just press Enter.

ciscoasa>en

Password:

ciscoasa#

Step 3 Configure the Inside Interface and Outside Interface on the ASAv.
ASAv Gi0/0 (Outside) = 192.168.X.253/24(Security Level of 0)
ASAv Gi0/1 (Inside) = 192.168.X7.1/24(Security Level of 100)

ciscoasa# conf t

ciscoasa(config)# interface GigabitEthernet 0/0

ciscoasa(config-if)# nameif outside

INFO: Security level for “outside” set to 0 by default.

ciscoasa(config-if)# security-level 0

ciscoasa(config-if)# ip address 192.168.X.253 255.255.255.0

ciscoasa(config-if)# no shut

ciscoasa(config-if)# interface GigabitEthernet0/1

ciscoasa(config-if)# nameif inside

INFO: Security level for “inside” set to 100 by default.

ciscoasa(config-if)# security-level 100

ciscoasa(config-if)# ip address 192.168.X7.1 255.255.255.0

ciscoasa(config-if)# no sh

ciscoasa(config-if)# exit

Step 4 Enter the following command on ASAv console to enable ICMP inspection.

ciscoasa# conf t

ciscoasa(config)# fixup protocol icmp

Step 5 Use the show interface ip brief CLI command to verify the Gi0/0 and Gi0/1 interfaces.

Step 6 Configure the default route pointing to the 192.168.X.1 next hop.

ciscoasa# conf t

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.X.1

Step 7 Use the show route command to verify the default route and the inside, outside, and
dmz local interfaces.

Step 8 Test the ASAv network connectivity.

From the ASAv CLI, ping the vFTD (192.168.X.254), Inside PC (192.168.X5.10), and the
Shared Switch (192.168.X.1).

The pings should be successful.

Step 9 From Inside PC-1, try to ping 192.168.X7.10 (ASAv Inside PC). The ping should fail.

Step 10 Using the ASAv CLI, enable SSH and Cisco Adaptive Security Device Manager (Cisco
ASDM) access to the ASAv.
- Enable the HTTP server on the ASAv.

conf t

http server enable

- Enable Cisco ASDM access.

http 0.0.0.0 0.0.0.0 outside

- Enable SSH access.

ssh 0.0.0.0 0.0.0.0 outside

- Set the SSH timeout interval to 60 minutes.

ssh timeout 60

- Add the "student" user in the LOCAL database with the "cisco" password and assign
a privilege level of 15 to the user.

username student password cisco privilege 15

- Enable Cisco ASDM and SSH authentication using the LOCAL user database.

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

- Generate the RSA keys on the ASAv using modulus 1024.

crypto key generate rsa mod 1024

Do you really want to replace them? Yes

ciscoasa(config)# write

Step 11 From the Host PC, ping 192.168.X.253; it should be successful.

Step 12 From the Management PC, open a browser window and navigate to the following URL:
https://192.168.X.253.
Step 13 Accept Security warnings.
Step 14 Click the Install ASDM launcher to access the ASAv (192.168.X.253).

Step 15 Login by using the credentials student and cisco.

Step 16 Click Save file on popup.

Note: If the download bar displays "This type of file can harm your computer. Do you want to keep dm-
launcher.msi anyway?", click Keep to download the dm-launcher.msi file.

Step 17 Navigate to the Downloads folder, and Run the dm-launcher.msi file.

Step 18 Click Next twice.

Step 19 Click Install in the Cisco ASDM-IDM Launcher InstallShield wizard.

Step 20 In the User Account Control Prompt, click Yes.

Step 21 If prompted to upgrade the Cisco ASDM launcher, click Upgrade Now and continue to
upgrade the Cisco ASDM launcher. Click Finish when the Cisco ASDM launcher upgrade
is done. The Cisco ASDM launcher should relaunch automatically.

Step 22 Set the Device IP address as 192.168.X.253 and Login to the Cisco ASDM launcher with
the credentials student/cisco.

Step 23 Select Continue for the Security warning because the ASAv is using a temporary self-
signed certificate for this lab. You should be able to establish a Cisco ASDM session to
the ASAv.

Step 24 In ASAv license state: Unlicensed prompt, tick Do not show this message again option
check box and then click OK.

Task 2: Configuring ASAv Site-to-site VPNs
Step 1 Navigate to Wizards > VPN Wizards > Site-to-site VPN Wizard once the ASDM
application connects to the ASAv.
Step 2 Click Next.

Step 3 Choose outside from the VPN Access Interface drop-down list in order to specify the
outside IP address of the remote peer as 192.168.X.254.
Step 4 Click Next.

Step 5 Specify the hosts/networks that should be allowed to pass through the VPN tunnel. In
this step, you need to provide the Local Networks as 192.168.X7.0/24 and Remote
Networks as 192.168.X5.0/24 for the VPN Tunnel.
Step 6 Click Next when you are done.

Step 7 Enter the authentication information to use, which is pre-shared key. The pre-shared
key used in this lab is cisco123.
Step 8 Click Next.

Step 9 Check the Exempt ASA side host/network from address translation check box in order
to exempt the tunnel traffic from Network Address Translation. Choose
inside from the drop-down list in order to set the interface where the local network is
reachable.
Step 10 Click Next.

Step 11 ASDM displays a summary of the VPN that is just configured. Verify and click Finish.

Note: If a popup appears containing an error message such as "error in sending command", click Close
in the Error in sending command window and click Finish again.

Step 12 Click on Save button.

Task 3: Configuring Firepower Threat Defense Site-to-site VPNs


Step 1 Login to Cisco firePOWER management center https://192.168.X4.24/ (X=Pod number)
using the credentials admin/C1sc0123 (username/password).

Step 2 Go to Devices > VPN > Site To Site.
Step 3 Click Add VPN and then choose Firepower Threat Defense Device.

Step 4 Enter a Topology Name as FirepowerThreatDefenseVPN.


Step 5 Choose Point to Point as the Network Topology for this VPN.
Step 6 Choose the IKE versions as IKEv2.
Step 7 Under Node A select add icon (+).
Step 8 Enter the following configuration in the Add Endpoint window.

Device : VFTD

Interface : outside

IP Address : 192.168.X.254

Connection Type : Bidirectional

Click the + symbol next to Protected Networks.

Step 9 Again click add icon (+) in Network Object window to add Network object.

Step 10 In New Network Objects Window, enter following configuration,

Name : VFTDInsideNetwork

Network : 192.168.X5.0/24

Click Save.

Step 11 Choose VFTDInsideNetwork from Available Networks, and click Add or drag and drop
into the list of Selected Networks.
Step 12 Click OK.

Step 13 Click OK.

Step 14 Under Node B select add icon (+).

Step 15 Enter the following configuration in the Add Endpoint window.

Device : Extranet

Name : ciscoasa

IP Address : 192.168.X.253

Step 16 Click the + symbol next to Protected Networks.

Step 17 Again click add icon (+) in Network Object window to add Network object.

Step 18 In New Network Objects Window, enter following configuration,

Name : ASAvInsideNetwork

Network : 192.168.X7.0/24

Click Save.

Step 19 Choose ASAvInsideNetwork from Available Networks, and click Add or drag and drop
into the list of Selected Networks.
Step 20 Click OK.

Step 21 Click OK.

Step 22 In Create New VPN Topology window, navigate to IKE tab.
Step 23 Under IKEv2 settings, choose Pre Shared Manual Key from Authentication type
dropdown list.
Step 24 Enter the key as cisco123.

Step 25 In the Create New VPN Topology window, navigate to the IPsec tab and then, in Transform Sets
Settings, under IKEv2 IPsec Proposals:

Choose DES_SHA-1 from Available Transform Sets, and click Add or drag and drop into
the list of Selected Transform Sets.

Click OK.

Step 26 Click Save.

Step 27 To edit the Default Intrusion Prevention access control policy, navigate to the Policies
> Access Control page and click the edit icon next to the Default Intrusion Prevention
access control policy.
Step 28 Verify that Block all traffic is the default action.

Step 29 If Block All Traffic is not a Default Action then click the Default action drop-down box
and select Access Control: Block All Traffic.
Step 30 Click Add Rule button.
Step 31 For Name, enter VPN, for Action, select Allow.
Step 32 Choose above rule 1 from the Insert drop-down. If the rule is not moved to the top, it will
never be executed, because the default access rule permits everything.
Step 33 Under Network, choose VFTDInsideNetwork from Available Networks, and click Add
Source Networks.
Step 34 Choose ASAvInsideNetwork from Available Networks, and click Add Destination
Networks.

Step 35 Under Logging, check Log at Beginning of Connection and Log at End of connection.

Step 36 Click Add button.
Step 37 Click Save.
Step 38 Click Deploy on top of the page.
Step 39 Check the box near VFTD and click Deploy.

Activity Verification
Step 40 After the deployment is completed, from Inside PC-1, try to ping 192.168.X7.10 (ASAv
Inside PC). The ping should be successful.

Step 41 From Inside PC-1 open command prompt and type tracert 192.168.X7.10.

Step 42 Log in to the POD X ASAv Inside PC with the credentials administrator/tr@1n1ng@GK,
open a command prompt and run tracert 192.168.X5.10.

Step 43 From the Host PC, access the console of the ASAv using PuTTY.
Step 44 Open PuTTY from the desktop of the Host PC and SSH to the ASAv (192.168.X.253).
Note: If any popup appears, click RUN.
Step 45 Enter the Host Name (or IP Address) as 192.168.X.253 and click Open.

Step 46 Login as student with the cisco password.

Step 47 Enter the following commands in the ASAv console to enter privileged EXEC (enable) mode.

ciscoasa> en

Password: [Enter]

ciscoasa#

Step 48 On the ASAv console, enter show crypto isakmp sa to display all current IKE Security
Associations (SAs) at the peer.

Step 49 Enter show crypto ipsec sa to display all current IPsec SAs.

Step 50 Access the vFTD console from the vSphere Client and enter the show crypto isakmp sa and
show crypto ipsec sa commands to display all IKE and IPsec SAs.

Step 51 Navigate back to ASDM and log in using student/cisco if logged out, then go to Monitoring >
VPN > VPN Connection Graphs > IPsec Tunnels. Choose IPSec Active Tunnels and IKE
Active Tunnels from the Available Graphs window and add them to the Selected Graphs
window.
Step 52 Click Show Graphs.

Lab 23: Reporting
Step 1 Navigate to the FMC GUI and go to Overview > Reporting.
Step 2 Click on Report Templates.

Step 3 Click the generate report option at the right end of the Advanced Malware Risk Report.

Step 4 Enter a value for the input parameters if required.

Step 5 Click on Generate. Your report will be generated and saved in the reports tab.
Step 6 Click on the reports tab to view your generated report.

Step 7 After you click on the generated report, it opens in a new browser tab as the detailed
“Advanced Malware Risk Report”.

Step 8 Return to report template tab in FirePOWER GUI, click Create Report Template button.
Name the report as Connection Details Report.
Step 9 Click the Import Sections from Dashboard, Summaries and Workflow disk shaped icon
on far right of the screen.

Step 10 For Import Report Sections, select Connection Summary for the Import dashboard and
click Import button.

Step 11 Click Generate button at the top right of the screen.

Step 12 Leave the default output format as PDF and click Generate button.

Step 13 If any popup window appears, click Yes.

Step 14 Navigate to Task bar on top to view the Report status.
Step 15 Click View PDF on the Generate report to open the Report in PDF format and view the
details. It will open a new tab in the browser as a detailed report of the “Connection
Details report”

Note: You can also view the generated reports by navigating to Overview > Reporting > Reports.

Step 16 For example, Connection by Initiator IP Report will show you the total connections
initiated based on initiator IP. You are free to explore the rest of the reports which can
be generated.

Note: Reports are generated only for the events you produced in the previous labs.

Step 17 Reports can also be customized in the Report Templates tab to add extra details.

Appendix

ISE and SGT tags without Identity

Activity Objective

Before Firepower Version 6.2.0, you had to create a realm and identity policy to perform user
control based on ISE Security Group Tag (SGT) data, even if you did not want to configure passive
authentication using ISE.

In Firepower Version 6.2.0, you no longer need to create a realm or identity policy to perform user
control based on ISE Security Group Tag (SGT) data. So in this lab activity you will do user control
using SGT without Realm and identity policy.

Lab 1: Certificate Operations

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will prepare, process, and install certificates on each Cisco ISE node. After
completing this activity, you will be able to meet these objectives:

• Install a CA certificate

• Generate a certificate signing request

• Enroll Cisco ISE with an external CA

• Install a certificate

Task 1: Install a CA Certificate

Activity Procedure

Complete these steps:

Step 1 On the Host PC, open a new tab in Firefox and navigate to
http://192.168.X4.100/certsrv. You should be prompted for credentials. Login with the
username administrator and the password tr@1n1ng@GK.

Download the CA Certificate

Step 2 Click Download a CA certificate, certificate chain, or CRL.

Step 3 Select the encoding method DER.

Step 4 Click Download CA Certificate and click Save File and OK.

Step 5 This file will be saved as certnew.cer.

Note: If the certificate files are not renamed each time they are saved, they will be named
certnew.cer, certnew(2).cer, certnew(3).cer, and so on.

Step 6 Minimize Windows Explorer.

Step 7 Navigate to C:\Users\Administrator\Downloads.

Step 8 Rename the file certnew to ad-sise-ca.

Install a New Certificate in Cisco ISE Node

Step 9 In Firefox, open the Cisco ISE node (https://192.168.X4.25) in a new tab and log in with the
credentials admin and C1sc0123.

Step 10 In the Cisco ISE Firefox tab, navigate to Administration > System > Certificates and click
Trusted Certificates.

Step 11 Click Import.

Step 12 Use the following table to fill in the page.

Attribute                                    Value
Certificate File                             C:\Users\Administrator\Downloads\ad-sise-ca.cer
Friendly Name                                AD-CA-CERT
Trust for authentication with ISE            [X] Check
Trust for Client authentication and Syslog   [X] Check

Step 13 Click Submit.

Step 14 If any popup appears, click Yes.

Step 15 In the ISE tab, choose AD-CA-CERT and click Edit.

Step 16 Examine the page and the page options and navigate back to the Trusted Certificates
when finished.

Activity Verification

You have completed this task when you attain this result:

• You have successfully installed the CA server certificate in the Cisco ISE node.

Task 2: Generate a CSR


In this task, you will generate and export a CSR on each Cisco ISE node.

Activity Procedure
Complete these steps:

Step 1 In the ISE tab, navigate to Administration > System > Certificates > Certificate Signing
Requests and click Generate Certificate Signing Requests (CSR).

Step 2 Use the following table to fill in the page.

Attribute                  Value
Usage                      Admin
Node                       ISE [Check]
Common Name (CN)           $FQDN$ (Leave as default)
Organizational Unit (OU)   Training
Organization (O)           GKN
Key Length                 2048
Digest to Sign With        SHA-256 (Our lab setup uses AD with Server 2008; choose SHA-1 if your AD is Windows Server 2003)

Step 3 Click Generate. A popup to export the CSR appears.

Step 4 Click Export. Click OK to save the file.

Activity Verification

You have completed this task when you attain this result:

• Generate and export a CSR for the Cisco ISE node.

Task 3: Enroll Cisco ISE with an External CA


In this task, you will process each Cisco ISE CSR on the CA.

Activity Procedure
Complete these steps:

Step 1 Click the Firefox browser tab for http://192.168.X4.100/certsrv, and click the Home link
in the top right corner. Use the credentials Administrator and tr@1n1ng@GK if
prompted.

Step 2 Click Request a Certificate.

Step 3 Click Advanced Certificate Request.

Step 4 The Submit a Certificate Request or Renewal Request page appears.

Step 5 In the Certificate Template drop-down box, select Web Server.

Step 6 Navigate to C:\Users\Administrator\Downloads and then open the ISEAdmin.pem file
in WordPad.

Step 7 Copy the entire contents of the CSR and paste it into the text box in the Saved Requests
section.

Step 8 Click Submit.

Step 9 Click Download Certificate and click OK to save.

Step 10 Open Windows Explorer and navigate to C:\Users\Administrator\Downloads.

Step 11 Rename the file certnew as ise-cert.

Step 12 Minimize Windows Explorer.

Activity Verification
You have completed this task when you attain this result:

• You have successfully enrolled and downloaded the certificate for the Cisco ISE node.

Task 4: Install a Certificate

In this task, you will bind or install the CA signed certificates.

Activity Procedure

Complete these steps:

Step 1 In the ISE Admin Portal, navigate to Administration > System > Certificates >
Certificate Signing Requests in the Certificate Management panel on the left.

Step 2 Check the ISE#Admin check box and click Bind certificate.

Step 3 Fill out the Bind CA Signed Certificate page according to the following table.

Attribute                          Value
Certificate File                   C:\Users\Administrator\Downloads\ise-cert.cer
Friendly Name                      ise-cert
Validate Certificate Extensions    [ ] <leave blank>
Usage                              Admin (Already selected)

Step 4 Click Submit.

Step 5 You will receive a notification that the system will restart, click Yes.

Caution The system will not wait for you to click OK before restarting the services. Be careful not to
perform a certificate install on a system outside of the maintenance window.

Tip During this operation, the operating system will not restart. Only the Cisco ISE
application will restart.

Tip Depending upon your VM infrastructure, this operation could take between 5 and 15
minutes to complete.
This operation is an application server restart, not a system restart. To verify the
system uptime, login to the CLI via Console or SSH and issue the command show
uptime. You can monitor the status of the application server restart operation by
issuing the command show applications status ise. Once the operation is complete,
all Cisco ISE processes will be in the running state.

Step 6 After a while, log back into Cisco ISE by clicking the bookmark for ISE or refreshing the
screen. Use the credentials admin and C1sc0123 to login.

Activity Verification

You have completed this task when you attain this result:

 You have installed the CA signed certificate on each node.

Lab 2: pxGrid with Rapid Threat Containment

Activity Objective
The ISE pxGrid node is configured for a Certificate Authority (CA) signed environment in a stand-
alone configuration. Initially, a “pxGrid” CSR request is generated from the ISE node and signed by
the CA server using the pxGrid customized template. The certificate will be bound to the initial ISE
CSR request.
The CA root certificate will be imported into the ISE certificate trusted store. The ISE identity
certificate will be exported in the ISE certificate system store. The ISE node will be enabled for
pxGrid operation.

Task 1: Generate a CSR for pxGrid


You will generate and export a CSR on each Cisco ISE node.

Activity Procedure

Complete these steps:

Step 1 In the ISE tab, navigate to Administration > System > Certificates > Certificate
Signing Requests and click Generate Certificate Signing Requests (CSR).

Use the following table to fill in the page:

Attribute                  Value
Usage                      pxGrid
Node                       ISE [Check]
Common Name (CN)           $FQDN$ (Leave as default)
Organizational Unit (OU)   Training1
Organization (O)           GKN1
Key Length                 2048
Digest to Sign With        SHA-256 (Our lab setup uses AD with Server 2008; choose SHA-1 if your AD is Windows Server 2003)

Step 2 Click Generate.

Step 3 In the popup that appears, select Export to export the CSR.

Task 2: Enroll Cisco ISE with an External CA

In this task, you will process each Cisco ISE CSR on the CA.

Activity Procedure

Complete these steps:

Step 1 Click the Firefox browser tab for http://192.168.X4.100/certsrv. Use the credentials
Administrator and tr@1n1ng@GK if prompted.

Step 2 Click Request a Certificate.

Step 3 Click Advanced Certificate Request.

Step 4 The Submit a Certificate Request or Renewal Request page appears.

Step 5 In the Certificate Template drop-down box, select pxgrid.

Step 6 Navigate to Downloads Folder and open the ISEpxGrid.pem file in Wordpad.

Step 7 Copy the entire contents of the CSR and paste it into the text box in the Saved Request
section.

Step 8 Click Submit.

Step 9 Select Base 64 Encoded and click Download Certificate.

Step 10 Click OK to save.

Step 11 Open File Explorer and navigate to C:\Users\Administrator\Downloads.

Step 12 Rename the file certnew as pxg-cert.

Step 13 In the ISE Admin Portal, navigate to Administration > System > Certificates >
Certificate Signing Requests in the Certificate Management panel on the left.

Step 14 Check the ISE#pxgrid check box and click Bind certificate.

Step 15 Fill out the Bind CA Signed Certificate page according to the following table and click Submit.

Attribute                          Value
Certificate File                   C:\Users\Administrator\Downloads\pxg-cert.cer
Friendly Name                      Pxg-cert
Validate Certificate Extensions    [ ] <leave blank>
Usage                              pxGrid (Already selected)

Step 16 Navigate to Administration > System > Deployment > ISE node > Edit and enable
pxGrid.

Note: This may take a few minutes, you can run “show application status ise” on the ISE CLI to see
that pxGrid services are initializing, then running.

Step 17 Select Administration  pxGrid services, then you should see the following:

Note: You should also see that you have pxGrid connectivity in the lower left-hand corner. If it is not
connected, wait 1 or 2 minutes and click Refresh.

Step 18 Click on tab Settings and enable Automatically approve new certificate based accounts
and click Save.

Step 19 Click Yes in the pop-up info dialog [Are you sure you want to save settings?]

Task 3: Configuring Firepower Management Center 6.2

Activity Procedure:
The Firepower Management Center (FMC) is configured for Certificate Authority (CA)-signed
operation. The Firepower Management Center private key and CSR request are created from the
Firepower Management Center (FMC) console. The CA server signs the CSR request and provides the
FMC identity certificate using the customized pxGrid template.

Both the FMC certificate and FMC key are uploaded into the FMC internal certs store. The CA root
certificate is uploaded into the FMC trusted CA store.

Step 1 SSH to the FMC CLI (192.168.X4.24) from SecureCRT using admin/C1sc0123.

Step 2 Type sudo su and press Enter. Give Password as C1sc0123.

Step 3 Generate a Firepower private key using the command given below. If it prompts for a
pass phrase, use C1sc0123.

root@firepower:/Volume/home/admin# openssl genrsa -des3 -out firepower.key 4096
Generating RSA private key, 4096 bit long modulus
..................................
..............
e is 65537 (0x10001)
Enter pass phrase for firepower.key:C1sc0123
Verifying - Enter pass phrase for firepower.key:C1sc0123

Step 4 Generate a CSR request using the command given below.

root@firepower:/Volume/home/admin# openssl req -new -key firepower.key -out firepower.csr
Enter pass phrase for firepower.key:C1sc0123
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code []:US
State or Province Name []:ca
Locality Name []:San Jose
Organization Name []:GKAPAC
Organizational Unit Name []:ABJtraining
Common Name []:FMC.gkapac.local
Email Address []:fmc@gkapac.local
root@firepower:/Volume/home/admin#
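The same key and CSR steps, scripted so they run without prompts and followed by the two checks worth doing before the CSR is submitted to the CA: that the CSR's self-signature verifies and that it belongs to the private key you are about to upload. This is an added example, not code from the lab guide; the DN values are the ones typed above, the passphrase and file names are the lab's values, the key size is reduced to 2048 only so the demo run is quick, and -aes256 is used in place of the lab's -des3.

```shell
#!/bin/sh
# Added example, not part of the lab guide: non-interactive equivalent of the
# openssl steps above, plus sanity checks on the resulting CSR.
set -eu

# DN exactly as typed in the interactive session above (lab values).
LAB_SUBJ="/C=US/ST=ca/L=San Jose/O=GKAPAC/OU=ABJtraining/CN=FMC.gkapac.local/emailAddress=fmc@gkapac.local"

# gen_key_csr <key-file> <csr-file> <passphrase> <subject> [bits]
# Creates a passphrase-protected RSA key and a CSR for it. The lab uses -des3;
# -aes256 is the stronger choice for protecting the key at rest.
gen_key_csr() {
  key=$1; csr=$2; pass=$3; subj=$4; bits=${5:-4096}
  openssl genrsa -aes256 -passout "pass:$pass" -out "$key" "$bits" 2>/dev/null
  openssl req -new -key "$key" -passin "pass:$pass" -subj "$subj" -out "$csr"
}

# csr_matches_key <key-file> <csr-file> <passphrase>
# Returns 0 only if the CSR's self-signature verifies AND the public key in the
# CSR has the same RSA modulus as the private key. This catches a CSR and key
# that do not belong together (or a wrong passphrase) before anything is
# uploaded to the FMC internal cert store.
csr_matches_key() {
  key=$1; csr=$2; pass=$3
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  kmod=$(openssl rsa -in "$key" -passin "pass:$pass" -noout -modulus 2>/dev/null) || return 1
  cmod=$(openssl req -in "$csr" -noout -modulus)
  [ "$kmod" = "$cmod" ]
}

# csr_cn <csr-file>: prints just the CN, which must match the hostname the
# CA template and the pxGrid peer (ISE) will expect.
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Stand-alone run: generate into a temporary directory and report.
WORK=$(mktemp -d)
gen_key_csr "$WORK/firepower.key" "$WORK/firepower.csr" "C1sc0123" "$LAB_SUBJ" 2048
if csr_matches_key "$WORK/firepower.key" "$WORK/firepower.csr" "C1sc0123"; then
  echo "CSR verifies and matches firepower.key; CN=$(csr_cn "$WORK/firepower.csr")"
else
  echo "CSR does not match firepower.key" >&2
fi
```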

Step 5 Open the WinSCP shortcut icon on the Desktop.

Note: If WinSCP is not installed on the Host PC, download it from
http://filehippo.com/download_winscp/. After the file is downloaded, navigate to
C:\Users\Administrator\Downloads and run WinSCP-5.9.4-Setup.exe.

Step 6 Use WinSCP and access the FMC using hostname 192.168.X4.24 with credentials
admin/C1sc0123.

Step 7 Click Yes for Warning.

Step 8 To copy the firepower.csr and firepower.key files from the Firepower Management Center
(FMC) to the PC Desktop, select both firepower.csr and firepower.key in the list
and click Download.

Step 9 Open the firepower.csr request in WordPad and copy its contents.

Step 10 Click the Firefox browser tab for http://sfua.gkapac.local/certsrv and use the credentials
Administrator and tr@1n1ng@GK if prompted.

Step 11 Click Request a Certificate.

Step 12 Click Advanced Certificate Request.

Step 13 The Submit a Certificate Request or Renewal Request page appears.

Step 14 In the Certificate Template drop-down box, select pxGrid.

Step 15 Copy the entire contents of the CSR and paste it into the text box in the Saved Request
section.

Step 16 Click Submit.

Step 17 Select Base 64 encoded format and click Download Certificate.

Step 18 Click OK to save.

Step 19 Open File Explorer and navigate to C:\Users\Administrator\Downloads.

Step 20 Rename the file certnew as fmcpxg.

Download the CA root certificate in base-64 encoded format

Step 21 Click the Firefox browser tab for http://192.168.X4.100/certsrv

Step 22 Click Download a CA Certificate, Certificate Chain, or CRL.

Step 23 Select the encoding method Base 64.

Step 24 Click Download CA Certificate and click Save File and OK.

Step 25 Navigate to Downloads Folder and rename the file certnew as FMCCA.

Upload the CA root cert into the Firepower Management trusted CA store

Step 26 Access the FMC (https://192.168.X4.24) from the browser. Use the credentials admin and
C1sc0123 if prompted.

Step 27 Navigate to Objects > Object Management > PKI > Trusted CA > Add Trusted CA,
provide the name MS_CA, browse to the FMCCA certificate, then click Save.

Step 28 Upload the Firepower Management Center public certificate and private key to the FMC
internal cert store (firepower.key, fmcpxg.cer).

Step 29 Select Objects > PKI > Internal Certs > Add Internal Certs.

Step 30 Provide name as FMC61.

Step 31 Choose fmcpxg.cer certificate from C:\Users\Administrator\Downloads folder.

Step 32 Choose the firepower.key file from the Libraries\Documents folder.

Step 33 Check the Encrypted, and the password is option, enter the password (C1sc0123),
then click Save.

ISE Identity Sources CA-Signed Certificate Configuration


The Identity Sources Engine configuration defines the ISE pxGrid node connection parameters, ISE
MnT node certificates and FMC identity certificate.

Step 34 Select System > Integration > Identity Sources > Identity Services Engine.

Enter the following details:

Primary Host Name/IP Address : 192.168.X4.25
pxGrid Server CA : MS_CA
MNT Server CA : MS_CA
FMC Server Certificate : FMC61

Step 35 Click Test. You should see the following:

Step 36 Click OK.

Note: If the ISE connection status shows the message Primary Host: Failure:

i. On the AD server, open DNS Manager: click Start, point to Administrative Tools, and then click
DNS.
ii. Under gkapac.local, make sure DNS records are configured for both ISE and FMC (ise.gkapac.local
and fmc.gkapac.local).

iii. If the DNS record is not available for FMC or ISE, configure it.

Step 37 Click Save once the connection is successful.

Step 38 You should see the following on the ISE pxGrid node: navigate to ISE and select
Administration > pxGrid Services.

Step 39 The FMC is now registered to the ISE pxGrid node and subscribed to the
EndpointProfileMetaData, SessionDirectory and TrustSecMetaData capabilities.

Step 40 From the FMC, navigate to Policies > Network Discovery and edit the rule by clicking the
pencil icon.

Step 41 Enable Hosts and Users and click Save.

Step 42 Click Save. You should see the following:

Lab 3: Bootstrap Identity System

Task 1: Create local user student


In this task you will define a user named student with the password C1sc0123 in the local user
database of Cisco ISE.

Activity Procedure
Complete the following steps:

Step 1 Access the ISE GUI: open the Internet Explorer browser, connect to
https://192.168.X6.25 and log in as user admin with the password C1sc0123.

Step 2 Create a local user named student with the password C1sc0123 in Cisco ISE:

a. In the Cisco ISE GUI, choose Administration > Identity Management > Identities
and click the Users folder in the Identities pane on the left side of the window.
b. In the Network Access Users pane, click Add. The New Network Access User pane is
displayed.
c. Define the user's attributes as follows:
• Name: student
• Login Password and Re-Enter Password: C1sc0123
• User Groups: Employee

d. Click Submit to apply the changes.
e. Verify that the user named student is now defined in the Network Access Users
table and the status is Enabled.

Task 2: Define the switch as a NAD in Cisco ISE

Activity Procedure

Complete the following steps:

Step 1 In the Cisco ISE GUI, configure a Network Device Group named HQ as a child of the
default Network Device Group named All Locations:

a. Navigate to Administration > Network Resources > Network Device Groups.
b. In the Network Device Groups pane on the left, expand Groups and choose All
Locations. An empty Network Device Groups table will be displayed.
c. Click Add above the empty table. Define a group named Inside and click Submit.
d. Verify that the location HQ is now in the Network Device Group table.

Step 2 Create a Network Device Group named Wired as a child of the default Network Device
Group named All Device Types:

a. Navigate to Administration > Network Resources > Network Device Groups.
b. In the Network Device Groups pane on the left, expand Groups and choose All
Device Types. An empty Network Device Groups table will be displayed.
c. Click Add above the empty table. Define a group named Wired, description Wired
and click Submit.
d. Verify that the device type Wired is now in the Network Device Group table.

Step 3 Define the HQ-SW as a NAD in the ISE.

a. Navigate to Administration > Network Resources > Network Devices.


b. In the Network Devices pane on the left side of the window, choose Network
Devices if necessary.
c. The empty Network Devices Table should be displayed.
d. Above the Network Devices table, click Add.
e. Define the NAD with these attributes:

• Name: Inside-SW
• IP Address: 192.168.X4.44/32
• Location: Inside
• Device Type: Wired
• RADIUS Authentication Settings: [X] Checked
• Shared Secret: radius-key
f. Click Submit.

Task 3: Configure AAA Settings on Switch


In this task you will configure AAA settings on the HQ-SW.

Activity Procedure
Complete the following steps:

Step 1 Connect to the Shared Switch console port.

Step 2 Before any AAA authentication, authorization or accounting commands can be
configured, AAA must be enabled globally on the switch.

Sharedswitch#conf t
Sharedswitch(config)#aaa new-model

Step 3 Enabling AAA globally changes the authentication behavior on the console and the VTY
lines. Set the enable secret to cisco and set the default authentication method for logins
to use the enable secret.

Sharedswitch(config)#enable secret cisco
Sharedswitch(config)#aaa authentication login default enable

Step 4 On the switch, configure the global AAA settings required for proper 802.1X operation:
a. Define the default method for authentication of 802.1X access requests, specifying the group
ISE-RADIUS as the AAA server group.
b. Define the default method of authorizing network access sessions, specifying the group ISE-
RADIUS as the AAA server group.
c. Define the default method of accounting to be used for 802.1X sessions, specifying the group
ISE- RADIUS as the AAA server group.
Note: Expect the message %AAAA-4-SERVUNDEF: The server-group "ISE-RADIUS" is not defined.
Please define it. You will define this server-group in the next task.

aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS

Task 4: Configure RADIUS Settings on Switch


In this task you will configure RADIUS settings on the HQ-SW.

Activity Procedure
Complete the following steps:

Step 1 Define the ISE appliance as a RADIUS server, include it in the AAA server group ISE-
RADIUS, and set the dead criteria for RADIUS servers

a. Create a RADIUS server instance named ISE-KEY with the IP address 192.168.X6.25
using UDP ports 1812 and 1813, and specify the shared key 'radius-key'.
b. Create an AAA server group named ISE-RADIUS and assign the RADIUS server named
ISE-KEY to the group.
c. Set the RADIUS timeout to 10 seconds with a 3 attempt failure limit.

Note: AAA server groups are a construct that allows different sets of servers to be specified for
different AAA applications. For example, one set can be used for 802.1X AAA and another set for
administrative access AAA. You are defining an AAA server group in this lab to prepare for a
workaround in a later lab. The explanation will become clear when it is time to implement the
workaround.

radius server ISE-KEY
 address ipv4 192.168.X6.25 auth-port 1812 acct-port 1813
 key radius-key
!
aaa group server radius ISE-RADIUS
 server name ISE-KEY
!
radius-server dead-criteria time 10 tries 3

Step 2 Configure the additional RADIUS attributes that are required by ISE:
a. Include the RADIUS Service-Type attribute in the authentication requests.
b. Include the endpoint IP address in the framed-IP-address attribute in the
authentication requests.
c. Include the class attribute in RADIUS authentication requests.

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

Step 3 Configure the switch to use RADIUS vendor-specific attributes (VSAs):


a. Configure the switch to use VSAs in authentication requests.
b. Configure the switch to use VSAs in accounting updates.

radius-server vsa send authentication
radius-server vsa send accounting

Step 4 IP device tracking is required to allow the switch to learn endpoint IP addresses and
populate the Framed-IP-Address field in the RADIUS authentication requests. Enable IP
device tracking:

ip device tracking

Task 5: Configure Switch for 802.1X Monitor Mode

Activity Procedure
Complete the following steps:

Step 1 Enable 802.1X globally on the switch:

dot1x system-auth-control

Step 2 Configure the interface supporting the Employee-PC (GigabitEthernet2/0/1) for 802.1X
monitor mode:
a. Configure multiple authentication (multi-auth) mode.
b. Configure the interface of the Employee-PC for 802.1X open mode. Do not use any
local access lists.
c. Enable recurring re-authentication.
d. Allow the RADIUS server to specify the re-authentication interval.
e. Enable the 802.1X authenticator role on the port.
f. Set the 802.1X timeout for supplicant retries to 10 seconds.
g. Allow 802.1X authentication to control the port's status.

sharedswitch(config)#interface gigabitEthernet 0/2X
sharedswitch(config-if)#authentication host-mode multi-auth
sharedswitch(config-if)#authentication open
sharedswitch(config-if)#authentication periodic
sharedswitch(config-if)#authentication timer reauthenticate server
sharedswitch(config-if)#dot1x pae authenticator
sharedswitch(config-if)#dot1x timeout tx-period 10
sharedswitch(config-if)#authentication port-control auto

Activity Verification
You have completed this task when you verify the 802.1X configuration on the switch using this
procedure:
Step 3 On the switch, view the overall 802.1X status using the show dot1x all command. You
should see that the system authentication control is enabled and the pae type on
interface GigabitEthernet 2/0/1 is set to authenticator.

sharedswitch#show dot1x all
Sysauthcontrol                 Enabled
Dot1x Protocol Version               3

Dot1x Info for GigabitEthernet0/2X
-----------------------------------
PAE                       = AUTHENTICATOR
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 10

Step 4 On the switch console, observe the failed access attempts through the interface
GigabitEthernet 0/2X. It may take 90 seconds before the messages are displayed. You
should see that the authentication fails because there is no supplicant and there is no
failover authentication method.

Apr 10 09:51:46.540: %DOT1X-5-FAIL: Authentication failed for client (000c.29c0.95bc) on Interface Gi0/21 AuditSessionID C0A8102C0000000E1EC44BB1
Apr 10 09:51:51.691: %DOT1X-5-FAIL: Authentication failed for client (000c.29ca.94d6) on Interface Gi0/21 AuditSessionID C0A8102C0000000F1EC46195
Apr 10 09:51:52.714: %DOT1X-5-FAIL: Authentication failed for client (000c.29ca.94c3) on Interface Gi0/21 AuditSessionID C0A8102C000000101EC4645E
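In monitor (open) mode these %DOT1X-5-FAIL messages are logged but not enforced, so the useful check is a per-endpoint tally of who is failing, taken from the switch syslog before the port is ever moved to closed mode. The following is an added example, not part of the lab guide; the log lines it parses are constructed in the format shown above (three clients from the sample, one of them failing twice, and one success message that must be ignored).

```shell
#!/bin/sh
# Added example, not part of the lab guide: summarise %DOT1X-5-FAIL syslog
# messages by interface and client MAC so that endpoints without a working
# supplicant are known before 802.1X is enforced on the port.
set -eu

# Sample log, constructed for this example in the format shown in Step 4.
SAMPLE_LOG='Apr 10 09:51:46.540: %DOT1X-5-FAIL: Authentication failed for client (000c.29c0.95bc) on Interface Gi0/21 AuditSessionID C0A8102C0000000E1EC44BB1
Apr 10 09:51:51.691: %DOT1X-5-FAIL: Authentication failed for client (000c.29ca.94d6) on Interface Gi0/21 AuditSessionID C0A8102C0000000F1EC46195
Apr 10 09:51:52.714: %DOT1X-5-FAIL: Authentication failed for client (000c.29ca.94c3) on Interface Gi0/21 AuditSessionID C0A8102C000000101EC4645E
Apr 10 09:53:22.101: %DOT1X-5-FAIL: Authentication failed for client (000c.29c0.95bc) on Interface Gi0/21 AuditSessionID C0A8102C000000111EC4A0F0
Apr 10 09:53:30.004: %DOT1X-5-SUCCESS: Authentication successful for client (000c.29ca.94d6) on Interface Gi0/21 AuditSessionID C0A8102C000000121EC4B2C3'

# dot1x_fail_summary: reads syslog lines on stdin and prints one line per
# (interface, MAC) as "interface mac failures", most failures first.
dot1x_fail_summary() {
  awk '
    /%DOT1X-5-FAIL:/ {
      mac = ""; intf = ""
      for (i = 1; i <= NF; i++) {
        # the client MAC is the parenthesised field in Cisco dotted format
        if ($i ~ /^\([0-9a-f]+\.[0-9a-f]+\.[0-9a-f]+\)$/) { mac = substr($i, 2, length($i) - 2) }
        # the interface name is the field after the literal word "Interface"
        if ($i == "Interface") { intf = $(i + 1) }
      }
      if (mac != "" && intf != "") { count[intf " " mac]++ }
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k3,3nr -k2,2
}

# dot1x_fail_count <interface> <mac>: failures seen for one endpoint
# (prints 0 when the endpoint never failed).
dot1x_fail_count() {
  dot1x_fail_summary | awk -v i="$1" -v m="$2" \
    '$1 == i && $2 == m { print $3; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dot1x_fail_summary
```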

Step 5 On the switch, view the status of authentication sessions on the interface using the
show authentication sessions interface gigabitethernet 0/2X command. You should see
that the status is Authz Failed. Note that the endpoint IP address is defined because IP
device tracking is enabled. The IP address that you see may differ from the sample as the
address is assigned via DHCP.

sharedswitch#show authentication sessions interface gigabitethernet 0/21
Interface  MAC Address     Method  Domain   Status  Fg  Session ID
----------------------------------------------------------------------
Gi0/21     000c.29ca.94d6  N/A     UNKNOWN  Unauth      C0A8102C0000000F1EC46195
Gi0/21     000c.29c0.95bc  N/A     UNKNOWN  Unauth      C0A8102C0000000E1EC44BB1
Gi0/21     000c.29ca.94c3  N/A     UNKNOWN  Unauth      C0A8102C000000101EC4645E

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:

Handle  Priority  Name
     6         5  dot1x
    20        10  mab
    18        15  webauth
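As an added example (not part of the lab guide), the following Python script parses the %DOT1X-5-FAIL syslog lines and the show authentication sessions table shown in Steps 4 and 5 and lists, per interface, the endpoints whose failed 802.1X attempt still has no authorized session. The sample syslog and session table are constructed in the format of the lab output.

```python
"""Correlate Cisco IOS %DOT1X-5-FAIL syslog lines with the 'show authentication
sessions' table to list, per interface, endpoints that failed 802.1X and are still
not authorized. Added example for this lab guide, not the guide's own code; the
sample text below is constructed in the format of the lab output (Steps 4 and 5)."""
import re
from collections import defaultdict

# Constructed sample syslog: two DOT1X failures plus an unrelated message.
SAMPLE_SYSLOG = """\
Apr 10 09:51:46.540: %DOT1X-5-FAIL: Authentication failed for client (000c.29c0.95bc) on Interface Gi0/21 AuditSessionID C0A8102C0000000E1EC44BB1
Apr 10 09:51:51.691: %DOT1X-5-FAIL: Authentication failed for client (000c.29ca.94d6) on Interface Gi0/21 AuditSessionID C0A8102C0000000F1EC46195
Apr 10 09:52:03.120: %SYS-5-CONFIG_I: Configured from console by console
"""

# Constructed sample session table: the two failed endpoints plus one authorized port.
SAMPLE_SESSIONS = """\
Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi0/21 000c.29ca.94d6 N/A UNKNOWN Unauth C0A8102C0000000F1EC46195
Gi0/21 000c.29c0.95bc N/A UNKNOWN Unauth C0A8102C0000000E1EC44BB1
Gi0/22 000c.2911.aabb dot1x DATA Auth C0A8102C00000011AABBCCDD
"""

FAIL_RE = re.compile(
    r"%DOT1X-5-FAIL: Authentication failed for client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]{24})"
)
# Data row: interface, MAC, method, domain, status text (may contain a space such as
# 'Authz Failed', plus any Fg flag letter), then the 24-hex-digit session ID.
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+(?P<status>.+?)\s+(?P<sid>[0-9A-F]{24})\s*$"
)


def parse_dot1x_failures(syslog):
    """Return one dict (mac, intf, sid) per %DOT1X-5-FAIL line; other lines are ignored."""
    return [m.groupdict() for line in syslog.splitlines() if (m := FAIL_RE.search(line))]


def parse_auth_sessions(output):
    """Parse the session table into dicts; header and separator lines do not match ROW_RE."""
    return [m.groupdict() for line in output.splitlines() if (m := ROW_RE.match(line))]


def unauthorized_failures(syslog, output):
    """Map interface -> sorted MACs whose DOT1X failure matches a session that is not 'Auth'.
    Joining on the session ID ties the syslog event to the live session entry rather than
    trusting the MAC alone, which can recur across sessions."""
    not_auth = {r["sid"] for r in parse_auth_sessions(output)
                if r["status"].split()[0] != "Auth"}
    result = defaultdict(list)
    for f in parse_dot1x_failures(syslog):
        if f["sid"] in not_auth:
            result[f["intf"]].append(f["mac"])
    return {intf: sorted(macs) for intf, macs in result.items()}
```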

Step 6 Go to Administration > System > Certificates > System Certificates. Select ise-cert
from the list and click Edit.
Step 7 Enable the EAP Authentication and Portal check boxes.
Step 8 Click OK if any popup appears.

Step 9 Click Save.

Note: Please make sure you have a certificate enrolled from the CA, and that it is used for Admin, Portal and EAP
Authentication.

Lab 4: Implement Cisco TrustSec

Task 1: Prepare ISE for TrustSec communication with the Inside-SW

In this task you will define the HQ-SW as a TrustSec-aware NAD in ISE. You will configure a
security group dedicated to the NADs, which allocates an SGT to them. As a member of that
security group, the switch will be able to download the TrustSec data and join the TrustSec domain.

Activity Procedure
Complete the following steps:

Step 1 Configure the SGA AAA Server:

The SGA AAA server list defines the RADIUS servers that TrustSec-capable network access
devices (NADs) use to obtain Cisco TrustSec (CTS) environment data and policy. In a
distributed ISE deployment this list can be populated with multiple servers. The NADs use
their configured RADIUS servers for initial CTS authorization, and then use the servers on
this list for ongoing CTS operations.
a. In the ISE GUI navigate to Work center > TrustSec > Components > TrustSec
AAA Servers.
b. Verify that there is an entry named ISE with the IP address 192.168.X6.25.
c. Change the name to ISE-CTS and the Port number to 1645.
d. Click Save.

Step 2 Configure SGA settings for the HQ-SW in ISE:

Additional settings must be configured in ISE for devices that will participate in CTS. The
NADs must also have corresponding settings in their configurations.
a. Go to Work center > TrustSec > Components > Network Devices. Select the
Inside-SW.
b. Check the Advanced TrustSec Settings checkbox. Enable the Use Device ID for SGA
Identification checkbox. Enter the RADIUS secret radius-key and leave all other
settings at their default values.

c. Check the SNMP Settings checkbox and verify or modify the Polling Interval to 600
seconds. Change the Originating Policy Services Node to ISE. Select 2c as the SNMP
version. Enter the SNMP RO Community ciscoro and leave all other settings at their
default values.

Note: The update timers kept by the CTS devices are controlled by ISE. You did not change the values.
ISE defaults each of the timers to 1 day.
d. Click Save.

Task 2: Configure the Switch to Act as SGA Device

In this task, you will configure the HQ-SW as a member of the CTS domain. Requirements include
setting the PAC secret and the CTS credentials. Once configuration is complete, the switch will
automatically authenticate and retrieve the CTS environment data and CTS policy.

Activity Procedure
Complete the following steps:

Step 1 Configure the SNMP community on the switch:

Sharedswitch#conf t
Sharedswitch(config)#snmp-server community ciscoro RO
Sharedswitch(config)#snmp-server host 192.168.X6.25 ciscoro

Step 2 Define ISE as a RADIUS server named ISE-PAC, using ports 1645 and 1646 for
authentication and accounting. Also specify radius-key as the PAC key for this server.
Then add this server to the AAA server group named ISE-PAC.

radius server ISE-PAC
 address ipv4 192.168.X4.25 auth-port 1645 acct-port 1646
 pac key radius-key
!
aaa group server radius ISE-CTS
 server name ISE-PAC

Step 3 Configure the switch for Cisco TrustSec (CTS) network authorization:
a. Create a network authorization list named cts-author-list that uses the ISE-CTS
group.

aaa authorization network cts-author-list group ISE-CTS

Note: Although ISE is the only RADIUS server in the lab topology, you defined two AAA server groups
and added ISE to each of the groups. You used different authentication and authorization ports to
allow the switch to accept this duplication. This effort is a workaround for an issue between the
Catalyst 3000 platform and the ISE version used in this lab. When a switch is provisioned with a
PAC, ISE expects all RADIUS messages, including accounting messages, to be authenticated using the
PAC. The switch, however, continues to use the RADIUS key to authenticate accounting messages,
leading to dropped accounting requests. This effort is not required on other switch platforms.

b. Enable CTS authorization using the cts-author-list method list.

cts authorization list cts-author-list

Step 4 Configure CTS credentials. Set the device ID to HQ-SW and password to radius-key. On
the Catalyst 3000 series, this setting is performed in privileged mode, not configuration
mode.

cts credentials id Inside-SW password radius-key

Activity Verification

Step 5 Verify the PAC provisioning and data download process:

a. Navigate to Operations > Live Logs to view the authentications in the ISE GUI. After
two minutes you should see a notification about a PAC provisioned event.

b. On the switch, view the PAC received from ISE:

sharedswitch#sh cts pacs
  AID: 079259F2E92080A437F1935347A5047C
  PAC-Info:
    PAC-type = Cisco Trustsec
    AID: 079259F2E92080A437F1935347A5047C
    I-ID: Inside-SW
    A-ID-Info: Identity Services Engine
    Credential Lifetime: 18:09:44 UTC Jul 9 2017
  PAC-Opaque:
    000200B80003000100040010079259F2E92080A437F1935347A5047C0006009C0003
    0100F842EDC5D05FB044D37BFD8D39C2B68F0000001358E77FA000093A80840A080B
    15184C8E0919741D147140CE32A2BF85F38A849EC13BB387D269445F5FF85184F542
    BAB274EAC4744AF34254F7429F649358B16864D941BE9EAA6BEAFA8BA025064F00F1
    A0EBE70F305BF86389106C88E11B22A6A131EC7722E81A25BAF7DF72CDEBA72C3D29
    F0757408F7D27B2F417AED9CDDC276624EAC
  Refresh timer is set for 12w4d

c. In the ISE GUI, after about two minutes you will see notifications of CTS data
download.

d. Examine the details. You should see a RADIUS request from 'CTSREQUEST' with the Cisco
AV pair cts-pac-opaque.

e. Examine the downloaded CTS environment data on the switch.

sharedswitch#sh cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 0-00:Unknown
Server List Info:
Installed list: CTSServerList1-0002, 1 server(s):
 *Server: 192.168.16.25, port 1645, A-ID 079259F2E92080A437F1935347A5047C
  Status = ALIVE
  auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0-bb:Unknown
  2-bb:TrustSec_Devices
  3-bb:Network_Services
  4-bb:Employees
  5-bb:Contractors
  6-bb:Guests
  7-bb:Production_Users
  8-bb:Developers
  9-bb:Auditors
  10-bb:Point_of_Sale_Systems
  11-bb:Production_Servers
  12-bb:Development_Servers
  13-bb:Test_Servers
  14-bb:PCI_Servers
  15-bb:BYOD
  255-bb:Quarantined_Systems
Environment Data Lifetime = 86400 secs
Last update time = 18:11:33 UTC Mon Apr 10 2017
Env-data expires in 0:23:55:35 (dd:hr:mm:sec)
Env-data refreshes in 0:23:55:35 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running

Note: There are several things to note in the output. The update was successful. The SGT applied to
the local device is indeed number 2 with the name NAD. The CTS server list was downloaded from
ISE. The update timer settings were also downloaded from ISE and the timers will expire and data
will be refreshed in just under one day.

Note: If you want to repeat the process, you may have to clear the CTS settings. You can use the
commands clear cts credentials, clear cts environment-data, and clear cts pac all.
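As an added example (not the lab guide's own code), this Python script parses show cts environment-data output and checks what a NAD should show after PAC provisioning: state COMPLETE, an ALIVE CTS server, a downloaded SGT name table, and a local device SGT other than 0 (Unknown). The sample output is constructed in the format of Step 5e with the local SGT set to 2 (TrustSec_Devices); the A-ID is the value from the lab output.

```python
"""Parse 'show cts environment-data' and check what a NAD should show after PAC
provisioning. Added example for this lab guide (not the guide's own code); the
sample output is constructed from the Task 2 Step 5e format, with the local SGT
set to 2 (TrustSec_Devices). The A-ID is the one shown in the lab output."""
import re

SAMPLE_ENV_DATA = """\
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Devices
Server List Info:
Installed list: CTSServerList1-0002, 1 server(s):
 *Server: 192.168.16.25, port 1645, A-ID 079259F2E92080A437F1935347A5047C
  Status = ALIVE
Security Group Name Table:
  0-bb:Unknown
  2-bb:TrustSec_Devices
  255-bb:Quarantined_Systems
Environment Data Lifetime = 86400 secs
Env-data expires in 0:23:55:35 (dd:hr:mm:sec)
State Machine is running
"""


def parse_env_data(text):
    """Extract state, local SGT, server list, SGT name table and expiry in seconds."""
    data = {"state": None, "local_sgt": None, "servers": [], "sgt_names": {}, "expires_in": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Current state = (\S+)", line):
            data["state"] = m.group(1)
        elif m := re.match(r"SGT tag = (\d+)-\w+:(\S+)", line):
            data["local_sgt"] = (int(m.group(1)), m.group(2))
        elif m := re.match(r"\*?Server: (\S+), port (\d+)", line):
            data["servers"].append({"ip": m.group(1), "port": int(m.group(2)), "status": None})
        elif (m := re.match(r"Status = (\S+)", line)) and data["servers"]:
            data["servers"][-1]["status"] = m.group(1)  # belongs to the last server entry
        elif m := re.match(r"(\d+)-\w+:(\S+)$", line):
            data["sgt_names"][int(m.group(1))] = m.group(2)
        elif m := re.match(r"Env-data expires in (\d+):(\d+):(\d+):(\d+)", line):
            d, h, mi, s = (int(x) for x in m.groups())
            data["expires_in"] = d * 86400 + h * 3600 + mi * 60 + s
    return data


def check_nad_trustsec(data, device_sgt_name="TrustSec_Devices"):
    """Return a list of problems; an empty list means the switch joined the CTS domain."""
    problems = []
    if data["state"] != "COMPLETE":
        problems.append(f"state is {data['state']}, expected COMPLETE")
    if not any(s["status"] == "ALIVE" for s in data["servers"]):
        problems.append("no ALIVE CTS server in the downloaded server list")
    if not data["sgt_names"]:
        problems.append("SGT name table was not downloaded")
    sgt = data["local_sgt"]
    # SGT 0 (Unknown) means ISE did not classify the switch as a TrustSec device,
    # so its own traffic would carry the Unknown tag and SGT-based policy cannot rely on it.
    if sgt is None or sgt[0] == 0 or sgt[1] != device_sgt_name:
        problems.append(f"local device SGT is {sgt}, expected {device_sgt_name}")
    if data["expires_in"] is not None and data["expires_in"] < 3600:
        problems.append("environment data expires within the hour; check the refresh timer")
    return problems
```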

Task 3: Implement Authorization


A very important feature of Cisco TrustSec is the ability of ISE to use all of the contextual data it
has available to dynamically classify endpoints and assign the appropriate SGT as part of 802.1X
authorization.
In this task you will configure an SGT for the IT users and configure the ISE authorization policy to set
the SGT as a result in their authorization policy rule. For the sake of time, you will only define SGT
policy for the IT user group.

Activity Procedure
Complete the following steps:
Step 1 Create a new security group for the IT users.
a. Go to Work center > TrustSec > Components > Security Groups.
b. Click Add to create a security group. Name it Amy. Click Submit.

Step 2 In the Cisco ISE GUI, navigate to Administration > Identity Management > External
Identity Sources and click Active Directory in the left pane.
Step 3 Click Add to join Cisco ISE to the Active Directory:
a. In the Active Directory Domain field enter gkapac.local. Enter the Join Point Name
AD1 and click Submit at the bottom.

b. Click Yes in the popup.

c. Use the credentials administrator and tr@1n1ng@GK and click OK.

d. Wait until the node status becomes Completed.

e. Click Close.

f. Explore the two connectivity test options:

1. Note that the current status of ise.gkapac.local is Joined to Domain.
2. Check the checkbox for the ise.gkapac.local node and then click Test User
from the toolbar. Use the credentials administrator and tr@1n1ng@GK and
click Test. Accept the message about submitting the dialog. You should see
Status: SUCCESS and Password for User Administrator Is Correct. Click Close.

Step 4 Retrieve groups from the Active Directory:

a. Choose Administration > Identity Management > External Identity Sources >
Active Directory.
b. Choose the Groups tab of your Active Directory AD1. Choose Add > Select Groups
From Directory.

Note: You are retrieving groups that you will match when authorizing the clients.
c. Leave the filter as simply an *, and click Retrieve Groups.

d. Choose gkapac.local/Builtin/Administrators, gkapac.local/Builtin/Guests,
gkapac.local/Builtin/Users, gkapac.local/Users/Domain Admins, gkapac.local/Users/Domain
Computers, gkapac.local/Users/Domain Controllers, gkapac.local/Users/Domain Guests and
gkapac.local/Users/Domain Users from the list.
e. Click OK, and then click Save.

Step 5 Click Administration > Identity Management > Identity Source Sequences and click
Add.
Name: ADstore
Uncheck Select Certificate Based Authentication Profile.
Move all the Available search list sources to the Selected area.
IMPORTANT Note: Sequence them in the order shown in the screenshot.
Selected:
• AD1
• Internal Users
• Internal Endpoints
• Guest Users
• All_AD_Join_Points
Click Submit.

Step 6 Adjust the 802.1X authentication policy so that it uses the new identity source sequence:
a. Choose Policy > Authentication.
b. Examine the Dot1X policy. Click Edit and change it to the identity source sequence
ADstore.
c. Options:
If authentication failed: Reject
If user not found: Continue
If process failed: Drop
Click Save.

Step 7 Configure an authorization policy rule for Amy users accessing from corporate assets:
Authorization policies define which authorization profiles are applied under
which conditions.
a. Choose Policy > Authorization.
b. Currently there are just the default authorization policies. Insert a new rule above
them by clicking the arrow button to the right of the Edit link. Choose Insert New Rule
Above.
c. Name the new rule Amy Access.
d. Begin the definition of the first condition. Click the + symbol in the Conditions field.
Choose Create New Condition (Advanced Option).
e. Configure the condition to match the Amy users. In the Attribute field drop-down
menu, choose AD1 > ExternalGroups. In the Operator field, choose
Equals. In the Parameter field, choose gkapac.local/Users/Domain Users.
f. In Permissions, select Security Group > Amy.
g. Click Done to indicate you are done editing the authorization rule and then Save the
authorization policy.

Step 8 Make sure the permission in the Default rule is set to Standard > Deny Access. This
implements the stronger fail-closed security approach. Again, Save the configuration.

Lab 5: Configuring Access control policy on FMC to block Amy SGT tag
Step 1 To edit the Default access control policy, navigate to the Policies > Access Control page.
Step 2 Click the edit icon to edit the Default Intrusion Prevention access control policy.
Step 3 Verify that Block All Traffic is the default action.

Step 4 If Block All Traffic is not the default action, use the Default Action drop-down box to
select Access Control: Block All Traffic.
Step 5 Click the paper-like icon, which is the Logging icon.
Step 6 Make sure the check box next to Log at Beginning of Connection is enabled and click OK.
Step 7 Navigate to the HTTP Responses tab and make sure System-provided is selected for both
the Block Response Page and Interactive Block Response Page options.

Note: The Block Response Page displays a blocked page when a user tries to access a prohibited
HTTP resource. The Interactive Block Response Page also displays the blocked page, but only to warn
the user, not to block the site completely: the user can continue by clicking the button on the page
or by refreshing the page. You can choose the Custom option if you wish to only warn the user or
change the text displayed to the user.
Step 8 Now, click on the Rules tab.
Step 9 Click the Add Rule button.
Step 10 For Name, enter Block Games for Amy; for Action, select Block.
Step 11 Click Insert and keep it as above rule 1. If the rule is not moved to the top,
it will never be evaluated, because the default access rule permits everything.
Step 12 Under URLs, select Games with any reputation.

Step 13 Under SGT/ISE Attributes, select the security group tag Amy.

Step 14 Under Logging, select Log at Beginning of Connection.

Step 15 Click the Add button.

Step 16 Click the SSL Policy for Safe Search link next to SSL Policy: SSL Policy for Safe Search.
Step 17 Select None as the SSL policy to use for inspecting encrypted connections.
Step 18 Click the Identity Policy 1 link next to Identity Policy: Identity Policy 1.
Step 19 Select None as the Identity Policy.

Step 20 Click the Save button.
Step 21 Click Deploy at the top, select the device, then click the Deploy button.
Step 22 Select Proceed on Errors and Warnings in the Requested Deployment window.

Step 23 Navigate to the Deployments bar at the top to view the deployment progress status.

Lab 6: Deploy AnyConnect Supplicant
In this task you will install the AnyConnect Supplicant and use it for the 802.1X authentication.

Activity Procedure
Complete the following steps:

Step 1 On the Inside PC-1, disable the native Windows 802.1X supplicant:
1. Right-click the Network icon in the system tray. Select Open Network and Sharing
Center.
2. Click Change adapter settings. This navigates you to the Network Connections list.
3. Double-click Local Area Connection. Click Properties, select the Authentication tab.
4. Clear the Enable IEEE 802.1X authentication checkbox. Click OK and Close.

Note: If the Authentication tab is missing from Local Area Connection then skip Step 1.

Step 2 On the Inside PC, install the supplicant:

1. Go to the C:\anyconnect-win-4.3.01095-pre-deploy-k9 folder. Click setup.exe to install
AnyConnect.
2. Select AnyConnect VPN and AnyConnect Network Access Manager from the list
and click Install Selected.

3. After the installation finishes, restart the Inside PC-1 for the changes to take effect.

4. After the Inside PC-1 has restarted, click the AnyConnect icon in the system tray.
You should see that the supplicant is attempting to access the default network
wired.
5. Click Manage Networks > Network > Configuration and click Add.

Media: Wired

Descriptive Name: Test NIC

Security: 802.1X

802.1X Configuration

Password: PEAP

6. Click OK.
7. Click Manage Networks > VPN > Preferences and uncheck Block connections to
untrusted servers.

Activity Verification
The dynamic classification of Amy users with the Amy security group tag is now configured on ISE. To
verify that this is working correctly you will log in to the Employee-PC as the user Amy and verify the
results on ISE and the switch.

Step 3 Enter "shut" and "no shut" on the switch port G 0/2X to trigger the Cisco AnyConnect
popup.
Step 4 In the Cisco AnyConnect Secure Mobility Client, using Test NIC, log on as gkapac\amy with
password tr@1n1ng@GK. In the Cisco ISE GUI, verify the authentication result and the
authorization profile applied to the session.

Step 5 Click Trust in the popup.

Step 6 Navigate to Operations > Live Logs; you should see a successful access attempt by user
amy.

Step 7 Go to Work center > TrustSec > Components > Security Groups. Note the SGT of the IT
security group.
Step 8 Verify the authentication and authorization on the switch. You should see that the
appropriate SGT is being applied to incoming traffic:

Sharedswitch# show authentication sessions interface gigabitEthernet 2/0/1 details
            Interface:  GigabitEthernet0/2X
          MAC Address:  000c.293c.4b17
         IPv6 Address:  Unknown
         IPv4 Address:  192.168.X5.10
            User-Name:  gkapac\amy
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  C0A80F9A00000017011AF709
      Acct Session ID:  0x00000008
               Handle:  0xD7000009
       Current Policy:  POLICY_Gi2/0/1

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:
            SGT Value:  16

Method status list:
       Method           State
       dot1x            Authc Success

Lab 7: Testing ISE and SGT tags without Identity feature

Step 1 From Inside PC-1, browse to www.ea.com; the request will fail.

Step 2 Try browsing to other, non-game sites; you will be successful.

Step 3 Navigate to Analysis > Connections > Events > Table view of connection content.
Step 4 You should see an event with the Block action, the URL www.ea.com and the SGT tag
Amy.
Step 5 Click Edit Search at the top. Under General Information, enter the action Block and the SGT tag Amy.
Click Search.

Step 6 Enter "shut" and "no shut" on the switch port G 2/0/1 to trigger the Cisco AnyConnect
popup.
Step 7 Remove Test NIC and reconfigure it.
Step 8 In the Cisco AnyConnect Secure Mobility Client, using Test NIC, log in as Student with password
C1sc0123. In the Cisco ISE GUI, verify the authentication result and the authorization
profile applied to the session.
Step 9 Then try to browse to ea.com. It should succeed.

You have completed the lab. Congratulations!
