- FTD
- Multi-instance
- Routed mode
- Etherchannel
- VPN
- Active/Standby
- Cluster
- Prefilter policy
- SSL decryption
- Access control policy (ACP)
- Security intelligence
- Discovery policy
- File policy
- IPS policy
- IPS preprocessor
- Identity policy
- FlexConfig
FTD
- NGFW (LINA≡ASA + Snort)
- IPS engine
- external threat intelligence resources: AD, whitelist, blacklist
- pulls data ≡ consistency
- SSL decryption ≡ MITM
- inline tap mode
  - sends packet copy to IPS
  - inline + passive
  - only physical interfaces or EtherChannel
- policy processing order
  - prefilter policy
  - IP address black/whitelist policy
  - L3/L4 ACL
  - DNS URL
  - L7 ACL
  - File policy
  - IPS policy
  - next-hop lookup
- no support for clientless VPN, VTI, IKEv1 clients, posture, double authC via group
- VPN clients: AnyConnect only
- VPN authC: AD, LDAP, RADIUS
- VPN authZ + accounting: RADIUS
- no support for telnet on security-level 0
- FMC → FTD:
- FTDv
- single global QoS policy on allow/trust, police only
- by default only admin user has CLI access
- cannot be CA
- inline set does not pass BFD because src IP = dst IP
> system support diagnostic-cli
Multi-instance
- separation using containers (~ NX-OS VDC)
- HW resources are allocated on creation, no sharing between instances
- FTD 4100, 9300
- FXOS – chassis OS
- instance can be individually rebooted
Routed mode
Etherchannel
VPN
- no VTI support
- by default VPN traffic is not permitted
- container configuration: topology in FMC
- no support for IKEv2 asymmetric PSK on FMC
Active/Standby
Cluster
- no support for L3 link interface mode
- FTD 4100, 9300
- supports intra- and inter-chassis inline set and passive interfaces
- FTDs must be fully deployed to form cluster
- FTDs must be in the same group
Prefilter policy
- ACL on 5-tuple + VLAN
- matches outer tunnel header
- actions:
  - block
  - fastpath: ≡ permit, can be forwarded by linecard
  - analyze: send to ACP ≡ Snort
- bypasses QoS
- for delay-sensitive streams, control plane, elephant flows, tunnels
- rule type: tunnel (uni/bidirectional, rezoning support) and prefilter
SSL decryption
- before ACP
- methods:
  - known key: server key, decryption on the fly, passive MITM
  - resign: active MITM
- can block traffic based on certificate fields (does not work with wildcard)
- actions:
  - monitor
  - block [with reset]
  - decrypt
Access control policy (ACP)
- matches inner tunnel header (GRE, IPIP, IP6IP, Teredo)
- if there is not enough info in the packet for Snort to classify the flow – pass to accumulate info (3-5 packets)
- actions
  - allow: pass to Snort
  - trust:
    - permit without passing to Snort
    - sends packet to Security Intelligence, Identity and QoS
    - not supported for dynamic ports (e.g. FTP)
  - monitor: log, look through ACP further
  - block
  - block with reset
  - interactive block [with reset]:
    - returns custom page with reasoning for the block
    - allows user to select access to blocked resource
- inheritance
  - parent mandatory
  - child mandatory
  - child default
  - parent default
- default actions:
  - network discovery only: only the discovery policy is active
  - trust/block only: FW
  - intrusion prevention: IPS + network discovery, no File policy and AMP
- rule logging is disabled by default, exceptions: monitor + Snort alert
Security intelligence
- reputation-based filter
- whitelist forwards data along the pipeline further
- feed object ≡ Cisco provided, list object ≡ manual config
- feed update
  - 2h for FMC by default
  - 30 mins for FMC → FTD by default
- blacklist DNS
  - drop
  - domain not found
  - sinkhole: false IP
- HTTP URL: match on substring
- HTTPS URL: match CN of the first-level domain certificate, strict (not on substring)
- query Cisco CSI for unknown URLs in global settings ≡ refresh cache before update
- wildcard default: custom URL filter on “ign.com” matches “verisign.com” as well
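The HTTP-versus-HTTPS matching difference and the “ign.com” over-match above, as an added Python illustration (not Cisco's implementation): the substring and strict-CN matchers model the behaviour the notes describe, and domain_suffix_match is an assumed, label-anchored alternative shown for comparison.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed custom URL-filter entries, as an operator might put them in a
# Security Intelligence list object; not real feed data.
CUSTOM_URL_LIST = ["ign.com", "bad-download.example"]


def http_substring_match(url: str, entries=CUSTOM_URL_LIST) -> Optional[str]:
    """HTTP URL matching as the notes describe it: plain substring on the URL.
    Returns the entry that matched so an over-match is visible, else None."""
    u = url.lower()
    return next((e for e in entries if e.lower() in u), None)


def https_cn_match(cert_cn: str, entries=CUSTOM_URL_LIST) -> Optional[str]:
    """HTTPS matching as the notes describe it: the certificate CN of the
    first-level domain is compared strictly, never as a substring."""
    cn = cert_cn.lower()
    return next((e for e in entries if e.lower() == cn), None)


def domain_suffix_match(url: str, entries=CUSTOM_URL_LIST) -> Optional[str]:
    """Label-anchored alternative (added here for comparison, not FTD
    behaviour): the host must equal the entry or be a subdomain of it,
    so "ign.com" still hits "www.ign.com" but no longer "verisign.com"."""
    host = (urlsplit(url).hostname or "").lower()
    for e in entries:
        e = e.lower()
        if host == e or host.endswith("." + e):
            return e
    return None


if __name__ == "__main__":
    url = "http://www.verisign.com/login"
    print("substring:", http_substring_match(url))      # ign.com (over-match)
    print("suffix   :", domain_suffix_match(url))       # None
    print("HTTPS CN :", https_cn_match("verisign.com"))  # None
```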
Discovery policy
- discovers user and host based on forwarded traffic, creates profiles
- helps identify vulnerabilities
- impact flag: whether the host is vulnerable to active attack
- modes:
  - passive: based on traffic, permitted by ACP
  - active: uses nmap
- FMC only
- VDB ≡ vulnerability database
- default: scan all
- load-balancers and NAT should be excluded (several hosts behind same address)
File policy
- detection is based on filename extension
- depth of nested archives – up to 3
- archives are not scanned by default
- uses AMP4n, caches Cloud responses (HTTPS communication)
- ClamAV for AV
- disposition:
  - malware (cache timeout = 1h)
  - clean (cache timeout = 4h)
  - unknown (cache timeout = 1h), file is sent to ThreatGrid
  - unreachable
- file block: last file fragment is not forwarded if it’s classified as malware ⇒ cannot complete download
- scans FTP, HTTP, IMAP, POP3, SMTP, NetBIOS
- actions
  - block
  - block malware
  - malware cloud lookup: log malware
  - detect files: log
- for ACP allow and block interactive
- FMC submits files to AMP Cloud (not FTD) if no info is available in cache
- FTD sends a file to ThreatGrid but the result is received by FMC
- 100 files per day towards Talos, 3000 with EA
IPS policy
- rule state:
  - disable
  - generate event
  - drop and generate event
- firepower recommendation ≡ host profile + Snort
- for ACP allow and block interactive
- impact flag:
  - 0 = no profile from discovery policy for the host
  - 1 = host is vulnerable or compromised
  - 2 = host is known, port is used, vulnerability not found
  - 3 = host is known, port is not used
  - 4 = host is unknown but matches profile
- upper layer rule > lower layer rule (default: MyChanges > firepower recommendation > base layer)
- system policies:
  - balanced security and connectivity
  - connectivity over security, security over connectivity
  - maximum detection, no rules active
- scans traffic $EXTERNAL_NET → $HOME_NET
- variables have to be set manually
- best practice: any → protected subnet + public owned range
- updates
  - Snort rules: Tuesday, Thursday
  - vulnerability DB
  - geolocation: weekly
IPS preprocessor
- normalization for Snort
- checksum calculation, fragment reassembly, stateful inspection
- protocols
  - DCE/RPC: SMB protocol
  - DNS
  - FTP
  - Telnet
  - HTTP
  - SunRPC
  - SIP
  - GTP: GPRS tunnelling protocol
  - IMAP
  - POP3
  - SMTP
  - SSH
  - SSL
  - SCADA: DNP3, Modbus
Identity policy
- FTD requests information via FMC
- RADIUS between agent and FMC
FlexConfig
- ASA CLI + scripts + variables
- variable types:
  - policy object variable: strings, from FMC object
  - system variable: values received from FTD
  - processing variable: in scripts, ~ local variable
  - secret key: the only one starting with ‘@’ (others start with ‘$’)
- #foreach, #if, #end, … – C preprocessor
- #### – comment
- append ≡ apply after FMC config
- prepend ≡ apply before FMC config
- deployment frequency:
- features: EIGRP, WCCP