FTD

  1. FTD
  2. Multi-instance
  3. Routed mode
  4. Etherchannel
  5. VPN
  6. Active/Standby
  7. Cluster
  8. Prefilter policy
  9. SSL decryption
  10. Access control policy (ACP)
  11. Security intelligence
  12. Discovery policy
  13. File policy
  14. IPS policy
  15. IPS preprocessor
  16. Identity policy
  17. FlexConfig

FTD

  • NGFW = LINA (the ASA-derived engine: interfaces, routing, NAT, L3/L4 ACL) + Snort (IPS, application/URL/file inspection)
    • Snort is the IPS engine
    • external sources consulted: identity data (AD via the identity policy), Security Intelligence whitelist/blacklist feeds
    • FTD pulls policies and feed data from FMC, so managed devices stay consistent with each other
  • SSL decryption ≡ MITM
  • inline tap mode
    • the packet is forwarded and a copy is sent to Snort (IPS)
    • inline wiring, passive inspection: drop verdicts are logged but not enforced
    • only physical interfaces or EtherChannels can be members of an inline set
  • policy processing order (first match wins at each stage):
    1. prefilter policy (fastpath skips everything below)
    2. Security Intelligence IP whitelist/blacklist
    3. L3/L4 ACL rules
    4. Security Intelligence DNS and URL lists
    5. L7 ACL rules (application, URL, user)
    6. File policy
    7. IPS policy
    8. next-hop lookup (routing)
  • no support for clientless (SSL) VPN, VTI, IKEv1 remote-access clients, posture assessment, double authentication (two credential sets) via group policy
  • VPN clients: AnyConnect only
  • VPN authentication: AD, LDAP, RADIUS
  • VPN authorization + accounting: RADIUS only
  • no Telnet to the device on the lowest-security (level 0) interface, as on ASA
  • FMC → FTD:
    • TCP 8305
  • FTDv
    • no EtherChannel
  • one QoS policy per device; it applies only to traffic matched by allow/trust rules and can only police (rate-limit)
  • by default only admin user has CLI access
  • cannot be CA
  • an inline set drops BFD echo packets because their src IP = dst IP, which looks like a LAND attack
  • the ASA-style (LINA) CLI is reached from the FTD CLI with:
> system support diagnostic-cli

Multi-instance

  • separation using containers (comparable to NX-OS VDCs)
  • HW resources (CPU cores, via a resource profile) are allocated when the instance is created; no sharing between instances
  • Firepower 4100 and 9300 only
  • FXOS – chassis OS; instances are logical devices created from the FXOS chassis manager
  • each instance can be rebooted individually

Routed mode

  • IPS is supported

Etherchannel

  • physical interfaces only

VPN

  • no VTI (route-based VPN) support in the releases these notes cover (VTI arrived in FTD 6.7)
  • by default VPN traffic is not permitted implicitly: it is still subject to the ACP, so rules must allow it
  • site-to-site VPN is configured as a topology object in FMC (the topology is the configuration container)
  • no support for IKEv2 asymmetric PSK on FMC

Active/Standby

  • Active/Standby is the only failover mode for FTD (no Active/Active as on ASA) and the only HA mode for FMC

Cluster

  • data interfaces must be spanned EtherChannels; individual (L3 link) interface mode is not supported
  • Firepower 4100 and 9300 only (intra- and inter-chassis)
  • supports intra- and inter-chassis inline sets and passive interfaces
  • all units must be fully deployed before the cluster can form
  • all units must be in the same group

Prefilter policy

  • ACL on the 5-tuple plus VLAN tag, evaluated in LINA before Snort
  • matches the outer header of tunnelled traffic
  • actions:
    • block
    • fastpath: permit without Snort inspection; on supported hardware the flow can be offloaded to the linecard
    • analyze: hand over to the ACP, i.e. Snort
  • fastpathed traffic bypasses QoS
  • use for delay-sensitive streams, control-plane traffic, elephant flows and tunnels you do not want to inspect
  • rule types: tunnel (uni/bidirectional; can assign a tunnel zone so the inner flows can be re-zoned and matched in the ACP) and prefilter

SSL decryption

  • evaluated before the ACP rules
  • methods:
    • decrypt – known key: you hold the server's private key, decryption on the fly, passive MITM (inbound traffic to your own servers)
    • decrypt – resign: FTD re-signs the server certificate with its own CA, active MITM (outbound traffic; clients must trust the resigning CA)
  • can block on certificate fields (issuer, subject, status) without decrypting; this matching does not work with wildcard certificates
  • actions:
    • monitor
    • block [with reset]
    • decrypt (known key or resign)
    • do not decrypt

Access control policy (ACP)

  • matches the inner (encapsulated) header of tunnelled traffic (GRE, IPIP, IP6IP, Teredo); the prefilter policy matches the outer one
  • if a single packet does not carry enough information for Snort to classify the flow (application, URL), the packet is passed and the next 3–5 packets are accumulated before the rule verdict is reached
  • actions
    • allow: pass to Snort (file and intrusion inspection)
    • trust:
      • permit without Snort inspection
      • still subject to Security Intelligence, identity and QoS
      • not supported for applications with dynamic ports (e.g. FTP data)
    • monitor: log, then continue evaluating the ACP
    • block
    • block with reset
    • interactive block [with reset]:
      • returns a custom page with the reason for the block
      • lets the user click through to the blocked resource
  • rule evaluation order with inheritance
    1. parent mandatory
    2. child mandatory
    3. child default
    4. parent default
  • default actions (applied when no rule matches):
    • network discovery only: no IPS, only the discovery policy sees the traffic
    • trust/block all traffic: plain firewall behaviour, no inspection
    • intrusion prevention: IPS + network discovery; the default action cannot apply a file policy (no AMP)
  • rule logging is disabled by default; exceptions: monitor rules always log, and Snort alerts are logged by the IPS policy
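
The pipeline order (prefilter → Security Intelligence → ACP) and the ACP inheritance order above are easiest to see on concrete flows. The following is an added example written for these notes, not Cisco code: a toy evaluator with constructed rule names, prefixes and flows that reproduces only the ordering rules stated here (fastpath and trust skip Snort, monitor keeps evaluating, allow inspects, the default action closes the policy).

```python
"""Toy model of the FTD pipeline order and ACP inheritance from these notes.
Added example, not Cisco code; all names, prefixes and flows are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str          # prefilter: block|fastpath|analyze   ACP: allow|trust|monitor|block|interactive_block
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


@dataclass
class ACP:
    """Child policy inheriting from a parent; each has a mandatory and a default section."""
    parent_mandatory: List[Rule] = field(default_factory=list)
    child_mandatory: List[Rule] = field(default_factory=list)
    child_default: List[Rule] = field(default_factory=list)
    parent_default: List[Rule] = field(default_factory=list)
    default_action: str = "block"   # block | intrusion_prevention | network_discovery

    def rules(self):
        # Order from the notes: parent mandatory > child mandatory > child default > parent default
        yield from self.parent_mandatory
        yield from self.child_mandatory
        yield from self.child_default
        yield from self.parent_default


def evaluate(flow: Flow, prefilter: List[Rule], si_blocklist: List[str],
             si_allowlist: List[str], acp: ACP) -> Tuple[str, List[str]]:
    """Return (verdict, stages); stages records every rule that fired, in order."""
    stages: List[str] = []
    # 1. Prefilter in LINA: first match wins; fastpath never reaches Snort.
    for r in prefilter:
        if r.matches(flow):
            stages.append(f"prefilter:{r.name}")
            if r.action == "block":
                return "block", stages
            if r.action == "fastpath":
                return "permit-no-snort", stages
            break                                    # analyze: continue into Snort
    # 2. Security Intelligence: the whitelist permits nothing by itself, it only
    #    exempts from the blacklist; the flow then continues to the ACP.
    dst = ip_address(flow.dst)
    whitelisted = any(dst in ip_network(n) for n in si_allowlist)
    if not whitelisted and any(dst in ip_network(n) for n in si_blocklist):
        stages.append("security-intelligence:block")
        return "block", stages
    # 3. ACP rules in inheritance order.
    for r in acp.rules():
        if r.matches(flow):
            stages.append(f"acp:{r.name}")
            if r.action == "monitor":
                continue                             # log and keep evaluating
            if r.action == "trust":
                return "permit-no-snort", stages     # no file/IPS inspection
            if r.action == "allow":
                stages.append("snort:file+ips")
                return "permit-inspected", stages
            return "block", stages                   # block / interactive_block
    # 4. Default action.
    stages.append(f"acp:default:{acp.default_action}")
    return ("block" if acp.default_action == "block" else "permit-inspected"), stages


# Constructed sample policy (hypothetical names and prefixes).
PREFILTER = [Rule("fastpath-backups", "fastpath", src="10.1.1.0/24", dst="10.0.0.0/24"),
             Rule("analyze-rest", "analyze")]
SI_BLACKLIST = ["203.0.113.0/24"]
SI_WHITELIST = ["203.0.113.200/32"]
POLICY = ACP(parent_mandatory=[Rule("log-everything", "monitor")],
             child_mandatory=[Rule("allow-https", "allow", proto="tcp", dport=443)],
             child_default=[Rule("trust-sip", "trust", proto="udp", dport=5060)],
             parent_default=[Rule("deny-rest", "block")])


def run_example():
    flows = {
        "backup": Flow("10.1.1.10", "10.0.0.20", "tcp", 445),
        "c2":     Flow("10.1.1.10", "203.0.113.9", "tcp", 443),
        "https":  Flow("10.1.1.10", "198.51.100.7", "tcp", 443),
        "sip":    Flow("10.1.1.10", "198.51.100.7", "udp", 5060),
        "dns":    Flow("10.1.1.10", "198.51.100.7", "udp", 53),
    }
    return {k: evaluate(f, PREFILTER, SI_BLACKLIST, SI_WHITELIST, POLICY)
            for k, f in flows.items()}
```

`run_example()` returns the verdict and the list of stages each flow touched; note that the parent's mandatory monitor rule fires first for every flow that reaches the ACP, and that the child's default rule (`trust-sip`) still wins over the parent's default rule (`deny-rest`).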

Security intelligence

  • reputation-based filter (Talos feeds + custom lists), applied before the ACP rules
  • a whitelist hit does not permit the flow by itself; it only exempts it from the blacklist and passes it further down the pipeline
  • feed object ≡ Cisco-provided (Talos) dynamic list, list object ≡ manually configured static list
  • feed update
    • FMC pulls the Cisco feed every 2 h by default
    • FMC pushes updates to FTD every 30 min by default
  • blacklist DNS actions
    • drop
    • domain not found (NXDOMAIN response)
    • sinkhole: respond with a false IP pointing at a sinkhole
  • HTTP URL: matched as a substring of the URL
  • HTTPS URL: matched strictly against the CN of the server certificate (no substring match, no path)
  • "query Cisco CSI for unknown URLs" (global setting): URLs missing from the local cache are looked up in the cloud immediately, i.e. the cache is refreshed without waiting for the next scheduled update
  • substring matching is the default, so a custom URL entry "ign.com" also matches "verisign.com"
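
The substring behaviour in the last point is the usual source of surprise blocks. As an added example (not Cisco code, on constructed sample URLs), the block below compares the substring semantics the notes describe with a label-anchored host match, so the false positives an unanchored entry produces are listed explicitly; the anchored variant is what you want a custom list entry to behave like.

```python
"""Substring vs anchored URL matching for Security Intelligence lists.
Added example, not Cisco code; sample URLs are constructed.
"""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Hostname of a URL or a bare host, lower-cased, without trailing dot."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def substring_match(url: str, entry: str) -> bool:
    """Substring semantics as described in the notes: entry anywhere in the URL."""
    return entry.lower() in url.lower()


def anchored_match(url: str, entry: str) -> bool:
    """Host equals the entry or is a subdomain of it (respects label boundaries)."""
    host, domain = host_of(url), host_of(entry)
    return host == domain or host.endswith("." + domain)


def classify(urls, entry):
    """Map each URL to (substring_hit, anchored_hit)."""
    return {u: (substring_match(u, entry), anchored_match(u, entry)) for u in urls}


# Constructed sample URLs, not captured traffic.
SAMPLE_URLS = [
    "http://ign.com/news",
    "https://www.ign.com/",
    "https://verisign.com/",             # "ign.com" is a substring of the host
    "http://design.com/go?to=ign.com",   # entry appears only in the query string
]


def false_positives(entry: str = "ign.com"):
    """URLs a substring entry blocks that an anchored domain match would not."""
    return [u for u, (sub, anc) in classify(SAMPLE_URLS, entry).items() if sub and not anc]
```

`false_positives()` returns the two unrelated sites; both `ign.com` URLs hit under either semantics.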

Discovery policy

  • builds host and user profiles (OS, services, applications) from traffic passing through the device
  • correlates the profiles with the VDB to identify which vulnerabilities a host carries
  • feeds the impact flag: whether the host targeted by an intrusion event is actually vulnerable to that attack
  • modes:
    • passive: derived from traffic the ACP lets through
    • active: Nmap scans
  • configured on FMC only
  • VDB ≡ vulnerability database (fingerprints plus vulnerability mappings)
  • default rule: discover on all networks
  • exclude load balancers and NAT devices (several hosts share one address, which corrupts the profile)

File policy

  • file type is determined from the file's content (magic number), not from the filename extension
  • nested archives are inspected up to 3 levels deep
  • archive inspection is off by default
  • uses AMP for Networks (AMP4N); cloud verdicts are cached locally (HTTPS to the AMP cloud)
  • local malware analysis uses the ClamAV engine
  • dispositions:
    • malware (cache timeout = 1 h)
    • clean (cache timeout = 4 h)
    • unknown (cache timeout = 1 h); the file can be sent to Threat Grid for dynamic analysis
    • unavailable: the cloud could not be reached
  • file block: FTD holds back the last segment of the file until the disposition arrives; if it is malware the segment is never forwarded, so the download cannot complete
  • inspected protocols: FTP, HTTP, IMAP, POP3, SMTP, NetBIOS-ssn (SMB)
  • actions
    • block files
    • block malware
    • malware cloud lookup: query the disposition and log it, but allow the file
    • detect files: log only
  • a file policy can only be attached to ACP rules with action allow or interactive block
  • FMC submits files to the AMP cloud (not FTD) if no info is available in the cache
  • FTD sends the file to Threat Grid, but the result is received by FMC
  • 100 files per day towards Talos, 3000 with EA

IPS policy

  • rule states:
    • disabled
    • generate events
    • drop and generate events
  • Firepower recommendations ≡ rule states derived from the host profiles (discovery) matched against the vulnerabilities each Snort rule is mapped to
  • an IPS policy can only be attached to ACP rules with action allow or interactive block
  • impact flag of an intrusion event:
    • 0 = grey, unknown: neither host is on a network the discovery policy monitors
    • 1 = red, vulnerable: the host is in the network map and vulnerable to (or already compromised by) the exploit
    • 2 = orange, potentially vulnerable: host known, port/protocol in use, vulnerability not mapped to the host
    • 3 = yellow, currently not vulnerable: host known, port/protocol not in use
    • 4 = blue, unknown target: the host is on a monitored network but has no entry in the network map yet
  • an upper layer overrides a lower one (default: MyChanges > Firepower recommendations > base policy)
  • base (system-provided) policies:
    • Balanced Security and Connectivity
    • Connectivity over Security, Security over Connectivity
    • Maximum Detection, No Rules Active
  • rules are written for $EXTERNAL_NET → $HOME_NET
    • both default to any; the variables have to be set manually
    • best practice: $EXTERNAL_NET = any, $HOME_NET = protected subnets + your own public address ranges
  • updates
    • Snort rules (SRU): Tuesday and Thursday
    • vulnerability DB (VDB)
    • geolocation DB: weekly
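
The impact levels and the Firepower recommendations both come from the same question: does the network map say the target carries the vulnerability the rule is mapped to? The following is an added example written for these notes, not Cisco code: it encodes the five impact levels as listed above against a constructed network map and monitored-network list, and derives a recommendation-style rule state from the same map. It is a simplification in two ways, both assumed here: only the destination host is examined (the real flag considers source and destination), and a recommended rule is always set to drop.

```python
"""Impact flag and recommendation-style rule states from a network map.
Added example, not Cisco code; hosts, ports and vulnerability IDs are constructed.
"""
from ipaddress import ip_address, ip_network

# Networks covered by the discovery policy (constructed).
MONITORED = [ip_network("10.0.0.0/8")]

# Host profiles as the discovery policy would build them: open ports per
# protocol and the vulnerability IDs the VDB mapped to the host (constructed).
NETWORK_MAP = {
    "10.0.0.5": {"ports": {("tcp", 445), ("tcp", 3389)}, "vulns": {"VULN-SMB-1"}},
    "10.0.0.6": {"ports": {("tcp", 22)}, "vulns": set()},
}


def impact(dst_ip: str, proto: str, dport: int, rule_vulns) -> int:
    """Impact level 0-4 for an event against dst_ip; rule_vulns are the
    vulnerability IDs the matching Snort rule is mapped to."""
    addr = ip_address(dst_ip)
    if not any(addr in net for net in MONITORED):
        return 0                                   # grey: not on a monitored network
    host = NETWORK_MAP.get(dst_ip)
    if host is None:
        return 4                                   # blue: monitored, but not in the map yet
    if host["vulns"] & set(rule_vulns):
        return 1                                   # red: host is vulnerable
    if (proto, dport) in host["ports"]:
        return 2                                   # orange: port in use, vulnerability not mapped
    return 3                                       # yellow: port not in use


def recommend(rule_vulns_by_sid):
    """Recommendation-style state per rule: enable (drop + event) only if some
    host in the map carries a vulnerability the rule is mapped to."""
    present = set().union(*(h["vulns"] for h in NETWORK_MAP.values()))
    return {sid: ("drop and generate events" if set(vulns) & present else "disabled")
            for sid, vulns in rule_vulns_by_sid.items()}


def run_example():
    """Sample events (constructed) plus recommendations for two sample rules."""
    events = {
        "outside-target": impact("192.0.2.1", "tcp", 445, ["VULN-SMB-1"]),
        "unknown-target": impact("10.0.0.99", "tcp", 445, ["VULN-SMB-1"]),
        "vulnerable":     impact("10.0.0.5", "tcp", 445, ["VULN-SMB-1"]),
        "port-open":      impact("10.0.0.5", "tcp", 3389, ["VULN-RDP-9"]),
        "port-closed":    impact("10.0.0.6", "tcp", 445, ["VULN-SMB-1"]),
    }
    states = recommend({1001: {"VULN-SMB-1"}, 1002: {"VULN-RDP-9"}})
    return events, states
```

The order of the checks matters: a host outside the monitored networks is level 0 even if it is in the map, and "port in use" is only consulted after the vulnerability match fails, which is why 10.0.0.5 on tcp/445 is level 1 rather than level 2.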

IPS preprocessor

  • normalizes traffic before the Snort rules see it
  • checksum verification, IP fragment and TCP stream reassembly, stateful inspection
  • protocol decoders
    • DCE/RPC (including DCE/RPC carried over SMB)
    • DNS
    • FTP
    • Telnet
    • HTTP
    • SunRPC
    • SIP
    • GTP: GPRS tunnelling protocol
    • IMAP
    • POP3
    • SMTP
    • SSH
    • SSL
    • SCADA: DNP3, Modbus

Identity policy

  • for passive authentication FTD receives user-to-IP mappings via FMC, which collects them from the identity source (user agent, ISE)
  • RADIUS between agent and FMC

FlexConfig

  • ASA CLI + scripting + variables, for ASA features FMC has no UI for
  • variable types:
    • policy object variable: value taken from an FMC object (a string or a list of strings)
    • system variable: values received from the FTD (hostname, interface names, …)
    • processing variable: defined inside the script, like a local variable
    • secret key variable: the only one starting with '@' (all others start with '$'); its value is masked in the UI and in the deployment preview
  • #foreach, #if, #end, … – Apache Velocity template syntax (not the C preprocessor)
  • a line starting with ## is a Velocity comment (so #### works as one)
  • append ≡ commands pushed after the FMC-generated configuration
  • prepend ≡ commands pushed before the FMC-generated configuration
  • deployment frequency:
    • every time (on each deployment)
    • once
  • typical features: EIGRP, WCCP
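
Putting the pieces together, here is what a FlexConfig object body looks like for the EIGRP case the notes mention. This is an added example, not a Cisco-provided template: the object and variable names (`$eigrpAS`, `$eigrpNets`, `@eigrpKey`), the interface name and the assumption that a network object group variable expands to one `address mask` string per member are all assumptions made for the example; the ASA commands themselves are standard EIGRP syntax. Deploy it as an append object so it lands after the FMC-generated interface configuration.

```velocity
## FlexConfig object "EIGRP-inside" (append, deploy every time) -- example, not Cisco's.
## Variables (assumed for this example):
##   $eigrpAS   policy object variable, text object holding the AS number
##   $eigrpNets policy object variable, network object group -> list of "addr mask"
##   @eigrpKey  secret key variable; the MD5 key is masked in the FMC UI
## Lines starting with ## are Velocity comments and never reach the FTD.
router eigrp $eigrpAS
#foreach ( $net in $eigrpNets )
  network $net
#end
  no auto-summary
#if ( $eigrpAS == "1" )
  passive-interface default
#end
interface GigabitEthernet0/1
  authentication mode eigrp $eigrpAS md5
  authentication key eigrp $eigrpAS @eigrpKey key-id 1
```

Because the object is appended, the `interface` block runs after FMC has already created and named the interface; if it ran prepended, the commands would be applied to an interface FMC has not configured yet and the deployment preview would show the mismatch.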