FirePower Threat Defense for CCIE Candidates

Rafael Leiva-Ochoa
BRKCCIE-3201

Agenda
• Introduction
• FirePower Threat Defense Platforms (FTD)
• FirePower Threat Defense Technology Overview
• FMC (FirePower Management Center)
• Traffic Processing
• ACP
• Prefilter
• NAT
• Failover
• Lab Ideas
• FirePower Threat Defense Classes

#CLUS BRKCCIE-3201 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction
• Rafael Leiva-Ochoa
• @Cisco since Oct 2000
• Works in the TS Training Group
(Part of Learning@Cisco)
• Delivers courses on Security to Global TAC Centers
• CCIE 19322 Security since 2007

CCIE Security Program Overview

Topics Covered in the CCIE Security

Perimeter Security and Intrusion Prevention – Topics Covered in CCIE Security
CCIE Security Topics
• 1.1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)
• 1.2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD
• 1.3 Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD
• 1.4 Describe, implement, and troubleshoot different deployment modes such as routed, transparent, single, and multicontext on Cisco ASA and Cisco FTD
• 1.5 Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-based routing, traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD
• 1.6 Describe, implement, and troubleshoot IOS security features such as Zone-Based Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and TCP intercept on Cisco IOS/IOS-XE
• 1.7 Describe, implement, optimize, and troubleshoot policies and rules for traffic control on Cisco ASA, Cisco FirePOWER and Cisco FTD
• 1.8 Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and reporting
• 1.9 Describe, implement, and troubleshoot correlation and remediation rules on Cisco FMC
• 1.10 Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes
• 1.11 Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features such as SSL inspection, user identity, geolocation, and AVC (Firepower appliance)
• 1.12 Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle, and botnet
Cisco Virtual Machines Used on CCIE Security

Cisco Hardware Gear Used on CCIE Security

FirePower Threat Defense Platforms (FTD)
Cisco ASA 5500-X Series Next-Generation Firewalls
• Supports Cisco ASA Software Release 8.6.1 and later images; four times the firewall throughput of the Cisco ASA 5500 Series platforms.

Cisco FirePower NGFW platforms
• ASA 5500-X
• FirePower 8000/7000
• FirePower 4100
• FirePower 9300
• FTD VM
FirePower Threat Defense Technology Overview

FirePower Management Center (FMC) – Overview

[Diagram: the FMC pushes configuration to the FTD VM and receives logging from it; a Windows 7 host and a Mac Sierra host sit behind the FTD VM, which connects to the Internet.]
FMC - Interface

Traffic Processing

[Diagram: the FirePower policy components that take part in traffic processing: Access Control Policy, Security Intelligence, SSL Policy, Network Analysis Policy, Intrusion Policy, Malware and File Policy, and Objects.]
FirePower Threat Defense

Access Control Policy (ACP)
ACP (Access Control Policy) - Overview

[Diagram: the ACP is built on the FMC and deployed to the FTD VM. Rules are evaluated top to bottom: ACP Rule (Drop), ACP Rule (Allow), ACP Rule (Allow), ACP Rule (Allow).]
ACP (Access Control Policy) – Policy Structure

Global to Per Rule: some policies are attached once to the whole ACP, others to individual rules.

Attached to the ACP as a whole:
• Prefilter Policy
• SSL Policy
• Identity Policy
• Security Intelligence
• Network Analysis Policy

Attached per rule (and to the Default action):
• Intrusion Policy
• Malware and File Policy
• These inspection policies can only be attached to a rule whose action is Allow or Interactive Block. A Trust or Block rule never hands traffic to them.

[Diagram: an ACP whose rules are, top to bottom, Drop; Intrusion + Malware, Allow; Malware, Allow; Malware, Allow; followed by the Default action with an Intrusion Policy.]
ACP (Access Control Policy) – Policy Structure

• ACP Processing Flow with FTD:
1. Prefilter
2. L3/L4 ACL
3. L7 ACL (App, URL)

ACP (Access Control Policy) – Policy Structure

This is the compiled policy as the FTD (LINA) side sees it. The Prefilter policy is compiled first (lines 1-11), then the ACP (lines 12-17). The ACEs carry the L3/L4 conditions; a rule whose remark reads "L7 RULE" also has conditions (App, URL) that can only be decided in Snort, so its ACE lets the traffic into Snort where the final verdict is made. Line 14 is printed twice because an object-based ACE is shown in both its object form and its expanded form.

> show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list CSM_FW_ACL_; 9 elements; name hash: 0x4a69e3f3

[Prefilter policy]
access-list CSM_FW_ACL_ line 1 remark rule-id 268436493: PREFILTER POLICY: Prefilter_3
access-list CSM_FW_ACL_ line 2 remark rule-id 268436493: RULE: GRE_Rule
access-list CSM_FW_ACL_ line 3 advanced permit gre host 192.168.2.2 host 192.168.3.3 rule-id 268436493 (hitcnt=0) 0xaaf7394a
access-list CSM_FW_ACL_ line 4 advanced permit gre host 192.168.3.3 host 192.168.2.2 rule-id 268436493 (hitcnt=0) 0x9d2df9bf
access-list CSM_FW_ACL_ line 5 remark rule-id 268436492: PREFILTER POLICY: Prefilter_3
access-list CSM_FW_ACL_ line 6 remark rule-id 268436492: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 7 advanced permit ipinip any any rule-id 268436492 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 8 advanced permit 41 any any rule-id 268436492 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 9 advanced permit gre any any rule-id 268436492 (hitcnt=0) 0x52c7a066
access-list CSM_FW_ACL_ line 10 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268436492 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 11 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268436492 (hitcnt=0) 0xaf1d5aa5

[ACP: L3/L4 conditions, L7 rule handed to Snort]
access-list CSM_FW_ACL_ line 12 remark rule-id 268435484: ACCESS POLICY: Default_Policy - Mandatory
access-list CSM_FW_ACL_ line 13 remark rule-id 268435484: L7 RULE: Allow_Access_To_192
access-list CSM_FW_ACL_ line 14 advanced permit ip object IPv4-Private-192.168.0.0-16 any rule-id 268435484 (hitcnt=67487) 0x8005aaf2
access-list CSM_FW_ACL_ line 14 advanced permit ip 192.168.0.0 255.255.0.0 any rule-id 268435484 (hitcnt=67487) 0x8005aaf2

[ACP: Default action]
access-list CSM_FW_ACL_ line 15 remark rule-id 268434432: ACCESS POLICY: Default_Policy - Default
access-list CSM_FW_ACL_ line 16 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 17 advanced permit ip any any rule-id 268434432 (hitcnt=239796) 0xa1d3780e
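A parser for this output, added here as an example and not part of the original deck: it groups the ACEs by rule-id using the remark lines, de-duplicates the object/expanded pair, sums the hit counters, and lists rules that have never been hit and ACP rules that are decided in Snort. The sample text is the output above; the function names and the layer labels are this example's own.

```python
import re
from collections import OrderedDict

# Sample input: the "show access-list" lines from the slide above (header lines omitted).
SAMPLE = """\
access-list CSM_FW_ACL_ line 1 remark rule-id 268436493: PREFILTER POLICY: Prefilter_3
access-list CSM_FW_ACL_ line 2 remark rule-id 268436493: RULE: GRE_Rule
access-list CSM_FW_ACL_ line 3 advanced permit gre host 192.168.2.2 host 192.168.3.3 rule-id 268436493 (hitcnt=0) 0xaaf7394a
access-list CSM_FW_ACL_ line 4 advanced permit gre host 192.168.3.3 host 192.168.2.2 rule-id 268436493 (hitcnt=0) 0x9d2df9bf
access-list CSM_FW_ACL_ line 5 remark rule-id 268436492: PREFILTER POLICY: Prefilter_3
access-list CSM_FW_ACL_ line 6 remark rule-id 268436492: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 7 advanced permit ipinip any any rule-id 268436492 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 8 advanced permit 41 any any rule-id 268436492 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 9 advanced permit gre any any rule-id 268436492 (hitcnt=0) 0x52c7a066
access-list CSM_FW_ACL_ line 10 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268436492 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 11 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268436492 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 12 remark rule-id 268435484: ACCESS POLICY: Default_Policy - Mandatory
access-list CSM_FW_ACL_ line 13 remark rule-id 268435484: L7 RULE: Allow_Access_To_192
access-list CSM_FW_ACL_ line 14 advanced permit ip object IPv4-Private-192.168.0.0-16 any rule-id 268435484 (hitcnt=67487) 0x8005aaf2
access-list CSM_FW_ACL_ line 14 advanced permit ip 192.168.0.0 255.255.0.0 any rule-id 268435484 (hitcnt=67487) 0x8005aaf2
access-list CSM_FW_ACL_ line 15 remark rule-id 268434432: ACCESS POLICY: Default_Policy - Default
access-list CSM_FW_ACL_ line 16 remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ line 17 advanced permit ip any any rule-id 268434432 (hitcnt=239796) 0xa1d3780e
"""

REMARK_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) remark rule-id (?P<rid>\d+): "
    r"(?P<key>[A-Z0-9 ]+?): (?P<value>.*)$")
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) advanced (?P<action>permit|deny) "
    r"(?P<match>.*?) rule-id (?P<rid>\d+) \(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)$")


def _new_rule(rid):
    return {"rule_id": rid, "section": None, "policy": None, "name": None,
            "layer": None, "aces": [], "hits": 0}


def parse_access_list(text):
    """Group the ACEs by rule-id, keeping the order LINA evaluates them in."""
    rules = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            r = rules.setdefault(m["rid"], _new_rule(m["rid"]))
            key, value = m["key"], m["value"]
            if key.endswith("POLICY"):          # "PREFILTER POLICY" / "ACCESS POLICY"
                r["section"] = "prefilter" if key.startswith("PREFILTER") else "access-control"
                r["policy"] = value
            elif key.endswith("RULE"):          # "RULE" / "L4 RULE" / "L7 RULE"
                r["name"] = value
                r["layer"] = key[:-4].strip() or "L3/L4"   # bare "RULE" (prefilter) -> L3/L4 label
            continue
        m = ACE_RE.match(line)
        if m:
            r = rules.setdefault(m["rid"], _new_rule(m["rid"]))
            if any(a["hash"] == m["hash"] for a in r["aces"]):
                continue                        # object form + expanded form of the same ACE
            r["aces"].append({"line": int(m["line"]), "action": m["action"],
                              "match": m["match"], "hash": m["hash"], "hits": int(m["hits"])})
            r["hits"] += int(m["hits"])
    return rules


def unused_rules(rules):
    """Rule names whose ACEs have never matched (candidates for review or removal)."""
    return [r["name"] for r in rules.values() if r["hits"] == 0]


def rules_decided_in_snort(rules):
    """ACP rules with L7 conditions: the LINA ACE only admits the flow, Snort gives the verdict."""
    return [r["name"] for r in rules.values()
            if r["section"] == "access-control" and r["layer"] == "L7"]


if __name__ == "__main__":
    rules = parse_access_list(SAMPLE)
    for r in rules.values():
        print(f"{r['section']:15} {r['name']:28} {r['layer']:6} hits={r['hits']}")
    print("never hit:", unused_rules(rules))
    print("decided in Snort:", rules_decided_in_snort(rules))
```

Run it against a fresh capture to find rules that no longer see traffic; because the hit counters are summed per rule-id rather than per ACE, a rule keeps its total even when the same line is printed in two forms.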

ACP (Access Control Policy) – Policy Structure
> show access-control-config
===============[ Rule Set: (User) ]================

------------------[ Rule: Rule_1 ]------------------


Action : Block
ISE Metadata :

Source Networks : IPv4-Private-192.168.0.0-16 (192.168.0.0/16)


URLs
URL Entry : CNN_News - www.badsite.com
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits : 0
Variable Set : Default-Set

------------------[ Rule: Rule_2 ]------------------


Action : Block
ISE Metadata :

Source Networks : IPv4-Private-192.168.0.0-16 (192.168.0.0/16)


URLs
URL Entry : CNN_News - www.sitesite2.com
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Disabled
Files : Disabled
Safe Search : No
Rule Hits :0
Variable Set : Default-Set

ACP (Access Control Policy) – Policy Rule Structure

[FMC screenshots: the ACP rule editor.]

Rule actions:
• Allow = Matching traffic is allowed, but the intrusion and file policies attached to the rule still inspect it: prohibited files, malware, intrusions, and exploits within that traffic are detected and blocked. The remaining non-prohibited, non-malicious traffic is allowed to its destination.

• Trust = Matching traffic is allowed to pass to its destination without further inspection. Traffic that does not match continues to the next rule.

• Monitor = Monitor rules track and log network traffic but do not affect traffic flow. The system continues to match traffic against the following rules to determine whether to permit or deny it, so Monitor is the one action that is not first-match-final.

• Block = Matching traffic is blocked without further inspection.

• Block with Reset = Matching traffic is blocked without further inspection, and the connection is reset.

• Interactive Block = Gives users a chance to bypass a website block by clicking through a customizable warning page, called an HTTP response page. If the user bypasses the warning, the rule acts as an Allow rule, so any intrusion and file policy attached to it still applies.

• Interactive Block with Reset = Gives users the same chance to click through a customizable warning page (HTTP response page), but also resets the connection. If the user bypasses the warning, the rule acts as an Allow rule.
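A small model of the processing flow (Prefilter, then L3/L4, then L7) and of the rule actions just defined, added here as an example and not code from the deck or from Cisco: the prefilter runs first (Fast Path and Block are final, Analyze falls through), then the ACP rules are walked top to bottom with Monitor as the only non-terminating action, Trust skipping inspection, and Allow or a bypassed Interactive Block still subject to the attached intrusion/file policy. The Flow.malicious field stands in for a Snort verdict; the rule names and addresses reuse the ones from the CLI output above, but the sample policy itself is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "gre", ...
    dport: Optional[int] = None
    url: Optional[str] = None        # only known once Snort has identified the L7 payload
    clicked_through: bool = False    # user accepted the Interactive Block response page
    malicious: bool = False          # stand-in for an intrusion/file policy verdict (assumption)


@dataclass
class Rule:
    name: str
    action: str                      # prefilter: fastpath|block|analyze
                                     # ACP: allow|trust|monitor|block|block_reset|interactive_block|interactive_block_reset
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    url: Optional[str] = None        # L7 condition: substring of the URL
    inspect: bool = False            # intrusion and/or file policy attached (Allow / Interactive Block only)

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.url is not None and (f.url is None or self.url not in f.url):
            return False
        return True


def _apply(rule: Rule, f: Flow, log: List[str]) -> Tuple[str, List[str]]:
    action = rule.action
    if action.startswith("interactive_block"):
        if not f.clicked_through:
            return ("block_reset" if action.endswith("_reset") else "block"), log
        log.append(f"{rule.name}:user-bypassed-warning-page")
        action = "allow"             # after the click-through the rule behaves like Allow
    if action in ("block", "block_reset", "trust"):
        return action, log           # trust: no further inspection at all
    if rule.inspect and f.malicious:
        log.append(f"{rule.name}:inspection-drop")
        return "drop", log
    return "allow", log


def evaluate(prefilter: List[Rule], acp: List[Rule], default: Rule, f: Flow) -> Tuple[str, List[str]]:
    log: List[str] = []
    # 1. Prefilter: Fast Path and Block are final; Analyze hands the flow to the ACP.
    for r in prefilter:
        if r.matches(f):
            log.append(f"prefilter:{r.name}:{r.action}")
            if r.action in ("fastpath", "block"):
                return r.action, log
            break
    # 2./3. ACP rules top to bottom (L3/L4 and L7 conditions). Monitor logs and keeps going.
    for r in acp:
        if not r.matches(f):
            continue
        log.append(f"acp:{r.name}:{r.action}")
        if r.action == "monitor":
            continue
        return _apply(r, f, log)
    log.append(f"acp:{default.name}:{default.action}")
    return _apply(default, f, log)


# Constructed sample policy (names reuse the rules seen in the CLI output above).
PREFILTER = [
    Rule("GRE_Rule", "fastpath", src="192.168.2.2/32", dst="192.168.3.3/32", proto="gre"),
    Rule("DEFAULT TUNNEL ACTION RULE", "analyze"),
]
ACP = [
    Rule("Audit_Inside", "monitor", src="192.168.0.0/16"),
    Rule("Rule_1", "block", src="192.168.0.0/16", url="www.badsite.com"),
    Rule("Rule_2", "interactive_block", src="192.168.0.0/16", url="www.sitesite2.com", inspect=True),
    Rule("Trust_Backups", "trust", src="192.168.20.0/24", dst="172.16.40.0/24", proto="tcp", dport=22),
    Rule("Allow_Access_To_192", "allow", src="192.168.0.0/16", inspect=True),
]
DEFAULT = Rule("DEFAULT ACTION RULE", "allow", inspect=True)   # "permit ip any any" + intrusion policy


if __name__ == "__main__":
    for flow in (Flow("192.168.2.2", "192.168.3.3", "gre"),
                 Flow("192.168.20.21", "23.72.217.240", "tcp", 80, "http://www.badsite.com/"),
                 Flow("192.168.20.21", "23.72.217.240", "tcp", 80, "http://www.sitesite2.com/", clicked_through=True)):
        print(evaluate(PREFILTER, ACP, DEFAULT, flow))
```

The log list is the point of the model: a flow that ends in Block can still carry a Monitor entry, which is exactly the connection-event behaviour seen on the FMC, and a Trust verdict never has an inspection entry after it.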


ACP (Access Control Policy) – Connection Events

[FMC screenshot: the Connection Events view.]
Prefilter
Prefilter Overview

Non-tunneled traffic:
  Ethernet header | IPv4/IPv6 header | TCP/UDP header  ->  Prefilter  ->  ACP

Tunneled traffic:
  Outer Ethernet header | Outer IP header | GRE header | Inner Ethernet header | Inner IPv4/IPv6 header | Inner TCP/UDP header
  The Prefilter tunnel rule matches on the outer headers; the ACP sees the inner headers.

• ONLY supported on FTD
• Prefiltering can be used with non-tunneled or tunneled traffic
Prefilter Processing

[Diagram: matching traffic either takes the Fast Path around Snort or goes to Analyze, the normal processing flow.]

• Prefiltering actions
1. Fast Path: matching traffic is passed through without any further inspection or control (no ACP, no Snort).
2. Block: matching traffic is dropped.
3. Analyze: normal processing flow via the ACP and Snort.

Creating a Prefilter

• The Default Prefilter Policy does not support adding tunnel or non-tunnel rules. It only supports two default actions that affect all traffic: Analyze all traffic, or Block all traffic. By default, the action is set to Analyze all traffic. To add rules, create a custom prefilter policy and assign it to the ACP.
Creating a Non-Tunneled Prefilter

[FMC screenshots: creating a custom prefilter policy and a non-tunnel prefilter rule.]

• Only one Prefilter Policy is supported per ACP
Creating a Tunneled Prefilter

[Diagram: a GRE tunnel between 207.245.2.3 and 179.23.4.5 runs through the FTD.]

• GRE, IP-in-IP, IPv6-in-IP, and Teredo (UDP port 3544) are supported. These are the four encapsulations in the DEFAULT TUNNEL ACTION RULE ACEs of the show access-list output above (ipinip, protocol 41, gre, and udp 3544).
• Non-encrypted tunnels ONLY.

[FMC screenshots: creating a tunnel prefilter rule.]
NAT
NAT Overview

[Diagram: inside networks 192.168.1.0/24 and 192.168.2.0/24 behind the FTD, with 172.16.20.0/24 and 207.16.29.0/24 toward the Internet; a static NAT xlate translates 207.16.29.5 -> 192.168.2.20.]

• Most ASA NAT features have been migrated to FTD
NAT Types Supported
• Static NAT
• Dynamic NAT
• Policy NAT
• Identity NAT

NAT - Create NAT Policy

• Only ONE NAT Policy is supported per FTD

NAT Processing Order
• Broken down into 3 sections.
• If nothing matches, NO translation is done.

1. Manual NAT (Section 1): the default location for manual NAT statements.
2. Auto NAT (Section 2): also called Object NAT; the default location for auto NAT statements.
3. Manual NAT (Section 3): manual NAT entries that are specified with the after-auto keyword.
NAT Processing Order
Manual NAT Sections 1 and 3
• Applied on a first-match basis, processed top to bottom. The administrator has the option of re-ordering NAT rules as required, so within these sections the order is whatever was configured, for example Rule 1 Dynamic NAT, Rule 2 Static NAT, Rule 3 Policy NAT.
NAT Configuration Example for Section 1

[FMC screenshots: adding a Manual NAT rule and placing it in Section 1 (before auto NAT) rather than Section 3 (after auto NAT).]

• Selecting the source and destination interfaces where the NAT rule applies is not required, but is recommended to provide better control based on traffic flow.

NAT Configuration Example for Section 1 – Verify Deployment
• Once deployed, the configuration on the FTD is:

> show running-config nat
nat (Inside,Outside) source static Inside_SRV_1 Translated_IP

> show nat detail
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static Inside_SRV_1 Translated_IP
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.20.10/32, Translated: 172.16.149.69/32

> show running-config object
object network Translated_IP
 host 172.16.149.69
object network Inside_SRV_1
 host 192.168.20.21

The single manual NAT line is the whole of Section 1; the two network objects are the real and translated addresses it references. Note that this capture of show nat detail reports Origin 192.168.20.10/32, while the object definition and every later capture use 192.168.20.21.
NAT Configuration Example for Section 1 – Verifying Hits
> show nat detail
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static Inside_SRV_1 Translated_IP
translate_hits = 35, untranslate_hits = 31
Source - Origin: 192.168.20.10/32, Translated: 172.16.149.69/32

> show conn all
42 in use, 269 most used

TCP Inside 172.16.149.69(192.168.20.21):58458 Outside 23.72.217.240:80, idle 0:00:21, bytes 1746, flags UIO N
TCP Inside 172.16.149.69(192.168.20.21):58457 Outside 23.72.217.240:80, idle 0:00:21, bytes 1733, flags UIO N
TCP Inside 172.16.149.69(192.168.20.21):58477 Outside 74.125.197.95:443, idle 0:00:04, bytes 0, flags aA N
TCP Inside 172.16.149.69(192.168.20.21):58473 Outside 74.125.197.95:443, idle 0:00:05, bytes 0, flags aA N
TCP Inside 172.16.149.69(192.168.20.21):58465 Outside 23.72.184.185:80, idle 0:00:21, bytes 11381, flags UIO N

> show xlate detail


2 in use, 268 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from Inside:192.168.20.21 to Outside:172.16.149.69
flags sT idle 0:00:03 timeout 0:00:00 refcnt 4 xlate id 0x7fc9939ec680

NAT Configuration Example for Section 1 – Search Options
> show xlate detail
2 in use, 268 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from Inside:192.168.20.21 to Outside:172.16.149.69
    flags sT idle 0:00:03 timeout 0:00:00 refcnt 4 xlate id 0x7fc9939ec680

> show conn all detail
3 in use, 269 most used
TCP Inside: 192.168.20.21/58758 Outside: 23.72.217.240/80,
    flags UIO N, idle 58s, uptime 58s, timeout 1h0m, bytes 1736, xlate id 0x7fc9939ec680
TCP Inside: 192.168.20.21/58766 Outside: 65.55.252.93/443,
    flags aA N, idle 1s, uptime 4s, timeout 30s, bytes 0, xlate id 0x7fc9939ec680
TCP Inside: 192.168.20.21/58765 Outside: 65.55.252.93/443,
    flags aA N, idle 16s, uptime 25s, timeout 30s, bytes 0, xlate id 0x7fc9939ec680

The xlate id ties every connection to the translation it uses, so it is the value to search on:

> show conn all detail | grep 0x7fc9939ec680
    flags UfrIO N, idle 2m34s, uptime 7m34s, timeout 10m0s, bytes 1736, xlate id 0x7fc9939ec680
    flags aA N, idle 1s, uptime 10s, timeout 30s, bytes 0, xlate id 0x7fc9939ec680
    flags aA N, idle 1s, uptime 10s, timeout 30s, bytes 0, xlate id 0x7fc9939ec680
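Correlating the two tables programmatically, added here as an example rather than anything from the slide: parse show xlate detail and show conn all detail, decode the xlate flags with the legend the command itself prints, and group every connection under its xlate id so that the real/mapped address pair, the byte count and the connections still waiting for their handshake are visible together. The sample text is copied from the output above; the regular expressions only cover the line shapes shown there, and the function and field names are this example's own.

```python
import re
from typing import Dict, List

# Sample input copied from the two captures above.
XLATE_SAMPLE = """\
2 in use, 268 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from Inside:192.168.20.21 to Outside:172.16.149.69
    flags sT idle 0:00:03 timeout 0:00:00 refcnt 4 xlate id 0x7fc9939ec680
"""
CONN_SAMPLE = """\
3 in use, 269 most used
TCP Inside: 192.168.20.21/58758 Outside: 23.72.217.240/80,
    flags UIO N, idle 58s, uptime 58s, timeout 1h0m, bytes 1736, xlate id 0x7fc9939ec680
TCP Inside: 192.168.20.21/58766 Outside: 65.55.252.93/443,
    flags aA N, idle 1s, uptime 4s, timeout 30s, bytes 0, xlate id 0x7fc9939ec680
TCP Inside: 192.168.20.21/58765 Outside: 65.55.252.93/443,
    flags aA N, idle 16s, uptime 25s, timeout 30s, bytes 0, xlate id 0x7fc9939ec680
"""

# Legend as printed by "show xlate detail".
XLATE_LEGEND = {"D": "DNS", "e": "extended", "I": "identity", "i": "dynamic",
                "r": "portmap", "s": "static", "T": "twice", "N": "net-to-net"}

XLATE_RE = re.compile(
    r"^NAT from (?P<rif>[^:]+):(?P<real>[\d.]+) to (?P<mif>[^:]+):(?P<mapped>[\d.]+)$")
XLATE_ATTR_RE = re.compile(
    r"^flags (?P<flags>\S+) idle \S+ timeout \S+ refcnt (?P<refcnt>\d+) xlate id (?P<xid>0x[0-9a-f]+)$")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<iif>[^:]+): (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"(?P<oif>[^:]+): (?P<dst>[\d.]+)/(?P<dport>\d+),$")
CONN_ATTR_RE = re.compile(
    r"^flags (?P<flags>[^,]+), idle [^,]+, uptime [^,]+, timeout (?P<timeout>[^,]+), "
    r"bytes (?P<bytes>\d+), xlate id (?P<xid>0x[0-9a-f]+)$")


def parse_xlates(text: str) -> Dict[str, dict]:
    """xlate id -> {real, mapped, flags (decoded), refcnt}; each entry spans two lines."""
    xlates, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = XLATE_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = XLATE_ATTR_RE.match(line)
        if m and pending is not None:
            pending["flags"] = [XLATE_LEGEND.get(c, c) for c in m["flags"]]
            pending["refcnt"] = int(m["refcnt"])
            xlates[m["xid"]] = pending
            pending = None
    return xlates


def parse_conns(text: str) -> List[dict]:
    """One dict per connection; the 5-tuple line is followed by its attribute line."""
    conns, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            pending = m.groupdict()
            pending["sport"], pending["dport"] = int(pending["sport"]), int(pending["dport"])
            continue
        m = CONN_ATTR_RE.match(line)
        if m and pending is not None:
            pending.update(flags=m["flags"], timeout=m["timeout"], bytes=int(m["bytes"]), xid=m["xid"])
            conns.append(pending)
            pending = None
    return conns


def correlate(xlates: Dict[str, dict], conns: List[dict]) -> Dict[str, dict]:
    """Group the connections under the translation they reference (by xlate id)."""
    out = {xid: {"real": x["real"], "mapped": x["mapped"], "flags": x["flags"],
                 "refcnt": x["refcnt"], "conns": [], "bytes": 0, "no_data_yet": 0}
           for xid, x in xlates.items()}
    for c in conns:
        e = out.setdefault(c["xid"], {"real": None, "mapped": None, "flags": [], "refcnt": 0,
                                      "conns": [], "bytes": 0, "no_data_yet": 0})
        e["conns"].append(c)
        e["bytes"] += c["bytes"]
        if c["bytes"] == 0:
            e["no_data_yet"] += 1     # handshake still in progress (note the short 30s timeout)
    return out


if __name__ == "__main__":
    for xid, e in correlate(parse_xlates(XLATE_SAMPLE), parse_conns(CONN_SAMPLE)).items():
        print(xid, e["real"], "->", e["mapped"], e["flags"], len(e["conns"]), "conns",
              e["bytes"], "bytes", e["no_data_yet"], "without data")
```

A connection whose xlate id is absent from the xlate table still gets an entry (with real and mapped left empty), which is the case worth noticing when the two captures were not taken at the same moment.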

NAT Processing Order
Auto NAT Section 2
Section 2 rules are applied in the following order, as automatically determined by the FTD:
1. Static rules
2. Dynamic rules
Within each rule type, the following ordering guidelines are used:
a. Quantity of real IP addresses, from smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.
   Configured: Object_2 (10.10.10.11-21), Object_1 (10.10.10.10)  ->  Evaluated: Object_1 (10.10.10.10), Object_2 (10.10.10.11-21)
b. For quantities that are the same, the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.
   Configured: Object_2 (11.1.1.0), Object_1 (10.1.1.0)  ->  Evaluated: Object_1 (10.1.1.0), Object_2 (11.1.1.0)
c. If the same IP address is used, the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.
   Configured: https_object (10.1.1.0), http_object (10.1.1.0)  ->  Evaluated: http_object (10.1.1.0), https_object (10.1.1.0)
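The Section 2 ordering as a sort key, added here as an example (not Cisco code): static before dynamic, then fewer real addresses, then lower address, then object name. The last check uses the three Auto NAT rules from the show nat detail capture on the next slide and reproduces the order the FTD printed. The AutoNatRule class and the "lo-hi" range notation are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AutoNatRule:
    object_name: str   # network object the nat statement is configured under
    real: str          # host "10.10.10.10", subnet "10.1.1.0/24", or range "10.10.10.11-10.10.10.21"
    kind: str          # "static" or "dynamic"


def real_addresses(spec: str) -> Tuple[int, int]:
    """(number of real addresses, lowest real address as int) for a host, subnet or range."""
    if "-" in spec:
        lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
        return int(hi) - int(lo) + 1, int(lo)
    net = ip_network(spec, strict=False)          # a bare host becomes a /32
    return net.num_addresses, int(net.network_address)


def section2_key(rule: AutoNatRule):
    count, lowest = real_addresses(rule.real)
    return (0 if rule.kind == "static" else 1,    # 1./2. static rules before dynamic rules
            count,                                # a. fewer real addresses first
            lowest,                               # b. lower IP address first
            rule.object_name)                     # c. object name, alphabetical


def section2_order(rules: List[AutoNatRule]) -> List[str]:
    """Object names in the order the FTD will evaluate the Section 2 rules."""
    return [r.object_name for r in sorted(rules, key=section2_key)]


# The three Auto NAT rules from the "show nat detail" capture that follows.
SLIDE_RULES = [
    AutoNatRule("IPv4-Private-192.168.0.0-16", "192.168.0.0/16", "dynamic"),
    AutoNatRule("192_168_30_Net", "192.168.30.0/24", "static"),
    AutoNatRule("172_16_40_Net", "172.16.40.22-172.16.40.40", "dynamic"),
]

if __name__ == "__main__":
    print(section2_order(SLIDE_RULES))
```

Because the position of an auto NAT rule is derived from its object, renaming an object or widening its address range can silently move the rule ahead of, or behind, another one; the sort key makes that visible before deployment.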

NAT Configuration Example Auto NAT Section 2

[FMC screenshots: adding Auto NAT rules under their network objects.]

NAT Configuration Example Auto NAT Section 2 – Verify Deployment
> show running-config nat
nat (Inside,Outside) source static Inside_SRV_1 Translated_IP
!
object network IPv4-Private-192.168.0.0-16
 nat (Inside,Outside) dynamic Translated_IP3
object network 192_168_30_Net
 nat (any,any) static 192_168_30_Net
object network 172_16_40_Net
 nat (any,any) dynamic Translated_IP4

The first line is the Section 1 manual NAT rule; the nat statements under the network objects are the Section 2 auto NAT rules. 192_168_30_Net translates to itself, i.e. identity NAT. The order in show nat detail below is not the configuration order: the static rule comes first, then the dynamic rules sorted by the number of real addresses (the 19-address range before the /16).
> show nat detail
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static Inside_SRV_1 Translated_IP
translate_hits = 5756, untranslate_hits = 2428
Source - Origin: 192.168.20.21/32, Translated: 172.16.149.69/32

Auto NAT Policies (Section 2)


1 (any) to (any) source static 192_168_30_Net 192_168_30_Net
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.30.0/24, Translated: 192.168.30.0/24
2 (any) to (any) source dynamic 172_16_40_Net Translated_IP4
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.16.40.22-172.16.40.40, Translated: 172.16.149.99/32
3 (Inside) to (Outside) source dynamic IPv4-Private-192.168.0.0-16 Translated_IP3
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.0.0/16, Translated: 172.16.149.88/32

Failover
Failover Overview

[Diagram: Primary/Active and Secondary/Standby FTDs sharing the inside networks 192.168.1.0/24 and 192.168.2.0/24 and the outside 172.16.20.0/24 toward 207.16.29.0/24 and the Internet; the two units are joined by a failover link on 10.10.10.0/24.]
Failover Requirements
• Same device type and model
• Same firewall mode (routed or transparent)
• Same major (first number), minor (second number), and maintenance (third number) software version
• In the same domain or group on the Firepower Management Center
• Same NTP configuration (see Configure NTP Time Synchronization for Threat Defense)
• Fully deployed on the Firepower Management Center with no uncommitted changes
• No DHCP or PPPoE configured on any of their interfaces
• Same licensing

FTD Requirements Verification
> show version
-------------------[ firepower ]--------------------
Model                 : Cisco Firepower Threat Defense for VMWare (75) Version 6.2.2 (Build 81)
UUID                  : ae7e26a8-af43-11e7-8d32-c6e410b61da1
Rules update version  : 2016-11-29-001-vrt
VDB version           : 271
----------------------------------------------------

> show firewall
Firewall mode: Router

> show ntp
NTP Server            : 172.16.199.20
Status                : Being Used
Offset                : -1.772 (milliseconds)
Last Update           : 54 (seconds)

show version gives the model and the exact version to compare between the peers (major.minor.maintenance, here 6.2.2), show firewall the mode, and show ntp the time source; licensing and pending deployments are checked on the FMC.
Failover Primary/Active, Secondary/Standby

[Diagram: the same topology, with the data interfaces in VLAN 20 (inside) and VLAN 29 (outside) and the F/S (failover/stateful) cable on 10.10.10.0/24 between the two units.]

• The Primary is the unit that has the fully tested configuration that needs to be deployed. The Secondary does not need ANY configuration, since it will become a mirror of the Primary (except for its own L2/L3 addressing).
• Changes can only be made on the Active unit.
Failover Cable Layout

[Diagram: each data interface of the Primary and of the Secondary sits in the same VLAN (VLAN 20 inside, VLAN 29 outside); the F/S cable carries 10.10.10.0/24.]

• Each interface must be able to communicate with its partner interface, i.e. the two sides of a pair must share the same L2 segment. Use show failover to verify the communication status of each monitored interface.
Failover Link

[Diagram: the same topology; the failover link is the F/S cable on 10.10.10.0/24.]

• One interface from each unit has to be used for the Failover Link. It needs to be the same interface on each unit.
Failover Link (cont.)
The failover link carries:
• The unit state (active or standby)
• Hello messages (keep-alives)
• Network link status
• MAC address exchange
• Configuration replication and synchronization

Configuration replication means the full running configuration, including secrets, crosses this link; without the failover ipsec pre-shared-key shown in the configuration later in this deck it crosses in clear text, so the link should be a dedicated, isolated segment and should be encrypted.
Failover Stateful Link

[Diagram: the same topology; in this lab the stateful link shares the F/S cable.]

• One interface from each unit has to be used for the Failover Stateful Link. It can be the same interface as the Failover Link, but this is not recommended: state replication can be bandwidth-heavy, and a single link failure then takes both functions down.
Failover Stateful Cable Info Supported (cont.)
• NAT translation table
• TCP connection states
• UDP connection states
• Snort connection states
• Strict TCP enforcement
• The ARP table
• The Layer 2 bridge table (for bridge groups)
• The HTTP connection table (only with HTTP replication enabled; see failover replication http in the configuration below)
• The ISAKMP and IPsec SA table
• SIP signaling sessions
• Snort inspection
• ARP inspection
• Static routes
• Dynamic routing protocols
• DHCP server
• And more
Failover Stateful Cable Info Not Supported (cont.)
• Sessions inside plaintext tunnels
• Inspection after decryption
• TLS decryption state
• DHCP client
• DHCP server address leases
• Multicast routing
Failover Configuration

[FMC screenshots: the high-availability setup dialog, selecting the Primary and Secondary peers, the failover link and the stateful link with their IP addresses, and the IPsec encryption key.]
Failover Verification
> show running-config failover
failover
failover lan unit primary
failover lan interface Failover_Link_StateFul GigabitEthernet0/2
failover replication http
failover link Failover_Link_StateFul GigabitEthernet0/2
failover interface ip Failover_Link_StateFul 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover ipsec pre-shared-key *****

> show running-config interface
interface GigabitEthernet0/0
 nameif Inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.20.3 255.255.255.0 standby 192.168.20.4
!
interface GigabitEthernet0/1
 nameif DMZ
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.30.3 255.255.255.0 standby 192.168.30.4

What to check here: failover lan interface (the failover link) and failover link (the stateful link) both point at GigabitEthernet0/2, so this lab pair uses one shared link, which the earlier slide calls not recommended; failover ipsec pre-shared-key encrypts the replication traffic on that link; failover replication http is what makes the HTTP connection table part of the replicated state; and every data interface has a standby address, which is what lets the standby unit run the interface tests on its own side.
Failover State Verification
> show failover
Failover On
Failover unit Primary
Failover LAN Interface: Failover_Link_StateFul GigabitEthernet0/2 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
MAC Address Move Notification Interval not set
failover replication http
Version: Ours 9.8(2)3, Mate 9.8(2)3
Serial Number: Ours 9ASSDPXUJUW, Mate 9A6V1JLWT91
Last Failover at: 12:31:36 UTC Mar 7 2018
This host: Primary - Active
Active time: 1697 (sec)
slot 0: empty
Interface Inside (192.168.20.3): Normal (Monitored)
Interface DMZ (192.168.30.3): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)
Other host: Secondary - Standby Ready
Active time: 2223 (sec)
Interface Inside (192.168.20.4): Normal (Monitored)
Interface DMZ (192.168.30.4): Normal (Monitored)
Interface diagnostic (0.0.0.0): Normal (Waiting)
slot 1: snort rev (1.0) status (up)
slot 2: diskstatus rev (1.0) status (up)

Failover Monitoring
Health Monitoring
Failover Health Monitoring

[Diagram: the Active and Standby units exchange Hello messages over the F/S cable on 10.10.10.0/24.]

• During health monitoring, hellos are sent between the Active and Standby unit over the failover link every 1 sec, with a hold-down of 15 sec (the Unit Poll frequency and holdtime values in the show failover output above).
Failover Health Monitoring - Failure
When a unit does not receive three consecutive hello messages on the failover link, the unit sends LANTEST messages on each data interface, including the failover link, to validate whether or not the peer is responsive. The action that the Firepower Threat Defense device takes depends on the response from the other unit.

[Diagram: hellos stop arriving over the F/S cable between the Primary/Active and the Secondary/Standby.]
Failover Health Monitoring

[Diagram: the unit sends LANTEST on the failover link and on every data interface; the peer answers with an ACK on the failover link.]

1. If the Firepower Threat Defense device receives a response on the failover link, then it does not fail over.
Failover Health Monitoring

[Diagram: no ACK comes back on the failover link, which is marked FAILED, but ACKs come back on the data interfaces.]

2. If the Firepower Threat Defense device does not receive a response on the failover link, but it does receive a response on a data interface, then the unit does not fail over. The failover link is marked as failed. You should restore the failover link as soon as possible because the unit cannot fail over to the standby while the failover link is down.
Failover Health Monitoring

[Diagram: no ACK on any interface; the Primary is marked Failed and the Secondary/Standby becomes Active.]

3. If the Firepower Threat Defense device does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.
Interface Monitoring
Failover Interface Monitoring
[Figure: Primary/Active and Secondary/Standby FTD units exchanging Hello messages on each monitored data interface (192.168.1.0/24, 172.16.20.0/24 VLAN 20, 207.16.29.0/24 VLAN 29); F/S cable on 10.10.10.0/24]
• During interface monitoring, hello messages are exchanged between the active and standby units over every monitored interface every 5 seconds (the default poll time), with a hold-down of 25 seconds.
Failover Interface Monitoring -Failure
When a unit does not receive hello messages on a monitored interface for 2 polling periods, it runs interface tests.
If all interface tests fail for an interface, but this same interface on the other unit continues to successfully pass
traffic, then the interface is considered to be failed. If the threshold for failed interfaces is met, then a failover
occurs. If the other unit interface also fails all the network tests, then both interfaces go into the “Unknown” state
and do not count towards the failover limit.

[Figure: same Primary/Active and Secondary/Standby topology, Hello messages shown on each monitored interface]
Failover Interface Monitoring – Link Up/Down test
[Figure: Primary/Active unit with one data interface shown as "Interface down"; Secondary/Standby unchanged]
• If the Link Up/Down test indicates that the interface is down, then the device considers it failed. If the status is Up, then the device performs the Network Activity test.
Failover Health Monitoring – Network Activity test
[Figure: both units clear the receive buffer (C) on each data interface, send LANTEST messages and count received packets for 5 seconds]
• The purpose of this test is to generate network traffic using LANTEST messages to determine which (if either) unit has failed. First, each unit clears its received packet count for its interfaces. As soon as a unit receives any packets during the test (up to 5 seconds), the interface is considered operational. If not, it is considered failed. If neither unit receives traffic, then the device starts the ARP test.

Failover Health Monitoring – ARP test
[Figure: each unit sends ARP requests (ARP REQ) to the two most recent ARP cache entries (MAC: A, MAC: B) on each interface and counts received traffic for 5 seconds]
• During the ARP test, the two most recently acquired ARP cache entries are used. One at a time, the unit sends ARP requests to these machines, attempting to stimulate network traffic. After each request, the unit counts all received traffic for up to 5 seconds. If traffic is received, the interface is considered operational. If no traffic is received, an ARP request is sent to the next machine. If at the end of the list no traffic has been received, the device starts the ping test.
Failover Health Monitoring – Ping test
[Figure: each unit sends a broadcast ping (Ping BC) on each interface and counts received packets (ACK) for 5 seconds]
• The ping test sends a broadcast ping request. The unit then counts all received packets for up to 5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the testing starts over again with the ARP test.
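The slides above describe two decision procedures: the unit-level one (what the standby does when the active stops answering on the failover link) and the per-interface test sequence (Link Up/Down, Network Activity, ARP, Ping, then the "failed vs. Unknown" rule and the interface policy threshold). The following Python model is an added example for this page, not Cisco code and not how FTD implements it internally. Interface names, packet counts and the sample observations are constructed; the 5-second poll and 25-second hold-down are the defaults quoted on the slides, and the default interface policy threshold of 1 failed interface is an assumption stated in a comment.

```python
# Added example, not from the Cisco Live deck: a small model of the FTD
# failover health-monitoring decisions described on the preceding slides.
# Interface names, packet counts and sample observations are constructed.
from dataclasses import dataclass

INTERFACE_POLL_SEC = 5       # default interface poll time quoted on the slides
INTERFACE_HOLD_SEC = 25      # default interface hold-down quoted on the slides
TEST_WINDOW_SEC = 5          # each interface test counts received traffic for up to 5 s


def unit_decision(reply_on_failover_link: bool, reply_on_data_interface: bool) -> str:
    """Unit-level monitoring: what the standby does after the active stops
    answering LANTEST hellos on the failover link (the three cases on the slides)."""
    if reply_on_failover_link:
        return "no_failover"
    if reply_on_data_interface:
        # Peer is alive but the failover link is broken: mark the link failed and
        # keep the current roles. No failover is possible until the link is repaired.
        return "no_failover_failover_link_failed"
    return "standby_becomes_active_peer_failed"


@dataclass
class InterfaceObservation:
    """What one unit observes on one monitored interface once hellos have been
    missed for two polling periods and the interface tests start."""
    name: str
    link_up: bool
    activity_pkts: int            # packets received during the Network Activity test
    arp_pkts: list                # packets received after each ARP request (2 newest cache entries)
    ping_pkts: int                # packets received after the broadcast ping
    peer_passing_traffic: bool    # is the same interface on the peer still passing traffic?


def _classify(obs: InterfaceObservation, trace: list[str]) -> tuple[str, list[str]]:
    """All tests failed on this unit. The interface counts as Failed only if the
    peer's copy of it still passes traffic; if both sides fail, it goes to
    Unknown and does not count towards the failover threshold."""
    return ("failed" if obs.peer_passing_traffic else "unknown"), trace


def run_interface_tests(obs: InterfaceObservation) -> tuple[str, list[str]]:
    """One pass through the sequence Link Up/Down -> Network Activity ->
    ARP (one request per cached entry) -> Ping. Returns (state, trace).
    On a real unit the ARP/Ping cycle repeats until traffic is seen or the
    hold-down expires; a single pass is modelled here."""
    trace: list[str] = []
    if not obs.link_up:
        trace.append("link:down")
        return _classify(obs, trace)
    trace.append("link:up")

    if obs.activity_pkts > 0:
        trace.append("network_activity:pass")
        return "ok", trace
    trace.append("network_activity:fail")

    for i, pkts in enumerate(obs.arp_pkts[:2]):
        if pkts > 0:
            trace.append(f"arp[{i}]:pass")
            return "ok", trace
        trace.append(f"arp[{i}]:fail")

    if obs.ping_pkts > 0:
        trace.append("ping:pass")
        return "ok", trace
    trace.append("ping:fail")
    return _classify(obs, trace)


def failover_required(states: dict[str, str], failed_threshold: int = 1) -> bool:
    """Interface policy check. Assumed default: fail over when one monitored
    interface is Failed (threshold 1). Unknown interfaces are not counted."""
    return sum(1 for s in states.values() if s == "failed") >= failed_threshold


# Constructed sample observations (names and counts invented for this example).
SAMPLE = [
    InterfaceObservation("inside", link_up=True, activity_pkts=12, arp_pkts=[0, 0], ping_pkts=0, peer_passing_traffic=True),
    InterfaceObservation("dmz", link_up=True, activity_pkts=0, arp_pkts=[0, 3], ping_pkts=0, peer_passing_traffic=True),
    InterfaceObservation("outside", link_up=False, activity_pkts=0, arp_pkts=[0, 0], ping_pkts=0, peer_passing_traffic=True),
    InterfaceObservation("guest", link_up=True, activity_pkts=0, arp_pkts=[0, 0], ping_pkts=0, peer_passing_traffic=False),
]


def evaluate(observations=SAMPLE) -> dict[str, str]:
    """Run the tests on every monitored interface and return name -> state."""
    return {o.name: run_interface_tests(o)[0] for o in observations}


if __name__ == "__main__":
    states = evaluate()
    for o in SAMPLE:
        state, trace = run_interface_tests(o)
        print(f"{o.name:8s} {state:8s} {' -> '.join(trace)}")
    print("failover required:", failover_required(states))
    print("active silent on failover link, data reply seen:", unit_decision(False, True))
```

In the sample, "outside" fails its link test while the peer still passes traffic, so it alone meets the default threshold; "guest" fails every test on both units and is left Unknown, which is exactly why a broken switch port shared by both units does not trigger a failover. On a real pair the equivalent checks are `show failover` (unit and interface state, failed-interface count) and `show monitor-interface` from the FTD CLI.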
Failover Process to Standby Unit
[Figure: Primary/Active unit marked Failed; the Secondary/Standby becomes the New Active and performs an IP/MAC switch on each data interface, taking over the active unit's IP and MAC addresses]

Lab Ideas
Lab Gear Needed
[Figure: Cisco C-Series server running the free vSphere Hypervisor 6.x, connected to a Cisco C3560X 24-port switch and an Internet connection]
• Free version of vSphere Hypervisor 6.x
• Cisco C-Series server: 700 GB or 2 TB HD, 128 GB RAM, 4-port Gigabit Ethernet
• Cisco C3560X 24-port switch
• Internet connection
FirePower Topology
[Figure: Internet connected through the FTD to a LAN segment hosting a Mac, a PC and VMs (DNS, DHCP, AD, LDAP, Cert Server) on vSphere Hypervisor 6.x]
Overall Topology
[Figure: the same FTD topology (Internet, FTD, Mac, PC, DNS, DHCP, AD, LDAP, Cert Server VMs) extended with ACS, ISE, WSA, ESA and vWLC virtual appliances]
FirePower Threat Defense Classes
SSFIPS - Securing Networks with Cisco
FirePower Next-Generation IPS
• This lab-intensive course introduces you to the basic next-
generation intrusion prevention system (NGIPS) and firewall security
concepts. The course then leads you through the Cisco Firepower
system. Among other powerful features, you will become familiar
with:
• In-depth event analysis
• NGIPS tuning and configuration
• Snort® rules language
• 4 Day ILT
• 5 Day Virtual Training

FIREPOWER200 – Securing Networks with Cisco
FirePower Threat Defense NGFW
• This lab-intensive course introduces you to the basic next-
generation intrusion prevention system (NGIPS) and next-
generation firewall (NGFW) security concepts. The course then
leads you through the Cisco Firepower system and its VPN features.
Among other powerful features, you become familiar with:
• Firepower Threat Defense configuration
• In-depth event analysis
• NGIPS tuning and configuration
• 5 Day ILT
• 5 Day Virtual Training

DSACI – Deploying Security in Cisco ACI
• You get a brief overview of Cisco ACI architecture, including an
examination of the Cisco Nexus 9000 Series Switches for data centers.
Also, you have the opportunity to discover how to implement security
mechanisms in the operational infrastructure with the Cisco ACI
environment. You also explore the process for provisioning security
services in Cisco ACI, including external Cisco Adaptive Security
Appliance (ASA), Adaptive Security Virtual Appliance (ASAv) instances,
and Cisco Firepower capabilities.
• This course combines lecture materials and hands-on labs throughout
to make sure you are able to successfully deploy, configure, and
maintain Cisco ACI security.
• 5 Day ILT

Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1 Find this session in the Cisco Events App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKCCIE-3201

Complete your online session evaluation
Give us your feedback to be entered into a Daily Survey Drawing.
Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue your education
Demos in the Cisco campus
Walk-in self-paced labs
Meet the engineer 1:1 meetings
Related sessions

Thank you
