LAB05 SCOR - Configure Cisco Firepower NGFW Discovery and IPS Policy

Uploaded by Marciel Ribeiro

7.13 Deploying Cisco Firepower Next-Generation Firewall

Configure Cisco Firepower NGFW Discovery and IPS Policy
You are the network security engineer who has been tasked with the following:

• Configure a discovery policy that builds host profiles only for hosts in the private IP
range.
• Verify the information provided in the host profile.
• Configure a custom IPS policy that protects DMZ-Server from outside
attackers.
• Perform a simulated attack from Kali-Host to DMZ-Server.
• Verify IPS events.

Configure Discovery Policy

In this procedure, you will configure a discovery policy. You will make sure that only
hosts within the networks of interest are discovered. Usually, you enable the discovery
policy for hosts in the private IP range, because these hosts belong to your organization
and are therefore the hosts you are interested in. You will also verify a host profile and
analyze the information provided in it.
Step 1
Access the Admin-PC. Authenticate using student username
and 1234QWer password, if needed.
Step 2
Open a web browser and connect to HQ-FMC at https://10.10.3.60. Accept the
certificate warning and log in using admin username and Cisco123! password.
Answer

Step 3
Inside Cisco FMC, navigate to Policies > Network Discovery. Locate the
default 0.0.0.0/0 discovery rule and delete it by clicking the trash bin icon.
Answer

Step 4
Confirm the delete action by clicking Yes button.
Answer
Step 5
Create a new discovery rule by clicking Add Rule on the upper-right side of the
window. The Add Rule dialog box appears.
Answer

Step 6
Create a new discovery rule that restricts discovery of hosts, users, and applications
to the IPv4 private address range only. Follow these steps:

• Under the Action drop-down menu select Discover.
• Select the Host, User, and Applications check boxes.
• Under Available Networks select IPv4-Private-All-RFC1918. This is the
object that contains
• Click Add.
• Click Save.
Answer

Rules have the action of either Discover or Exclude. The following list details the
options:

• Exclude: Excludes the specified network from monitoring. If the source or
destination host for a connection is excluded from discovery, the connection
is recorded but discovery events are not created for excluded hosts.
• Discover Hosts: Adds hosts to the network map based on discovery events.
• Discover Applications: Adds applications to the network map based on
application detectors. Note that you cannot discover hosts or users in a rule
without also discovering applications.
• Discover Users: Adds users to the users table, and logs user activity based on
traffic-based detection on the user protocols configured in the network
discovery policy.
Step 7
To push the configuration change to the HQ-FTD device you need to deploy changes.
Inside Cisco FMC click Deploy in the upper-right corner of the screen, select the
HQ-FTD device, and click Deploy.
Answer

Step 8
The deploy process may take up to a minute to finish. Inside Deployments tab make
sure that deployment to the HQ-FTD device was successful.
Answer

By default, the discovery process is passive, so you need to send some traffic
through the HQ-FTD device to trigger discovery events. You will focus on the host
profile for DMZ-Server. To make the host profile for DMZ-Server more interesting, you
will trigger some traffic destined to DMZ-Server, which acts as an HTTP, FTP,
and SSH server.
Step 9
Access Internet-Host. Authenticate using student username
and 1234QWer password, if needed.
Step 10
On Internet-Host open Mozilla Firefox web browser and navigate
to http://192.0.2.20.
Answer

Step 11
On Internet-Host open Terminal and establish an SSH connection to DMZ-Server.
Follow these steps:

• Use the ssh 192.0.2.20 command to establish the SSH session.
• When prompted for student's password, type 1234QWer.
• Type exit to close the SSH session.
Answer

student@internet-Host:~$ ssh 192.0.2.20
student@192.0.2.20's password: 1234QWer
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-29-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security.
Activate at: https://ubuntu.com/livepatch

451 packages can be updated.
209 updates are security updates.

Last login: Thu Sep 12 09:08:22 2019 from 209.165.202.3
student@DMZ-Server:~$ exit
logout
Connection to 192.0.2.20 closed.
student@Internet-Host:~$

Step 12
Inside the Terminal, establish an FTP connection to DMZ-Server. Follow these steps:

• Use the ftp 192.0.2.20 command to establish the FTP session.
• Authenticate with username student and 1234QWer for the password.
• Type bye to close the FTP session.
Answer

student@internet-Host:~$ ftp 192.0.2.20
Connected to 192.0.2.20.
220 (vsFTPd 3.0.3)
Name (192.0.2.20:student): [Enter]
331 Please specify the password.
Password: 1234QWer
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
student@Internet-Host:~$

Step 13
Return to web browser on Admin-PC. Inside Cisco FMC, navigate to Analysis > Hosts
> Network Map. Follow these steps:

• On the left side of the screen expand the 172 (1) entry.
• Click the entry for 172.16.1.20. This is host profile for DMZ-Server.
• Observe the host profile on the right side of the screen.
Answer

Note
Cisco Firepower NGFW was not able to determine the operating system of the
DMZ-Server because it has not seen enough traffic. This is a limitation of the lab
environment, as not much traffic is generated by DMZ-Server.
The network map displays a host count and a list of host IP addresses. Each address or
partial address is a link to the next level. This network map view provides a count of all
unique hosts detected by the system. You can use the hosts network map to view the
hosts on your network, organized by subnet in a hierarchical tree, and to drill down to
the host profiles for specific hosts.

Step 14
Inside the Host Profile for DMZ-Server, scroll down and observe the servers detected.
This is the list of ports on which DMZ-Server is listening:

• TCP port 21 (Application: FTP).
• TCP port 22 (Application: SSH).
• TCP port 80 (Application: HTTP).
Answer
Configure Custom IPS Policy
In this procedure, you will configure a custom IPS policy. You will use the Balanced
Security and Connectivity system-provided IPS policy as your starting point. You will
then demonstrate how to change the ruleset in the custom IPS policy. You will then
assign the custom policy to one of the rules in the ACP, to make sure that traffic coming
from the outside network to the DMZ-Server gets inspected against your previously
defined IPS policy.

Step 15
Inside web browser on Admin-PC, navigate to Policies > Access Control > Intrusion.
Click Create Policy to start process of creating a custom IPS policy.
Answer

Step 16
The Create Intrusion Policy screen will open. Follow these steps:

• Name the IPS policy DMZ_IPS.
• Make sure the Drop when Inline check box is selected. This setting makes sure that
Cisco Firepower drops the attacking traffic that is matched against IPS rules
that have the rule state set to Drop and Generate Events. If this check box is not
selected, Firepower does not drop attacking traffic; it only generates IPS
events.
• Select Balanced Security and Connectivity from the Base Policy drop-down
menu. This is one of the three system-provided IPS policies. The rule set in the
base policy is predefined by Cisco Talos. It is a good starting point when
configuring an IPS policy, and you can tailor the IPS ruleset later according to
your needs.
• Click Create and Edit Policy.
Answer

Step 17
The Edit Policy: DMZ_IPS page will open. Observe the summary information about
the ruleset of your custom policy:

• 97 rules have rule state set to Generate Events. Rule state is pre-defined in
the Balanced Connectivity and Security policy that you chose as your base
policy.
• 9469 rules have rule state set to Drop and Generate Events. Rule state is pre-
defined in the Balanced Connectivity and Security policy that you chose as
your base policy.
• Click the Rules option on the left side of the screen.
Answer

Step 18
On the left side of the Rules section expand the Category option and click browser-ie.
This creates a filter that shows the IPS rules addressing Internet Explorer
vulnerabilities. You will now disable one such rule, to demonstrate that you can
change the rule state defined in the base policy at any time.

• Select the check box next to the rule with ID 45388 (observe that the current
state of the rule is set to Drop and Generate Events, as indicated by the red X icon).
• Click the Rule State option.
• Click Disable to disable the rule.
Answer

You are not using the Internet Explorer browser in the lab environment. This is why you
can manually disable IPS rules addressing vulnerabilities in Internet Explorer. To
demonstrate this, you have disabled only one such rule. Any traffic inspected by this
IPS policy will no longer be processed against the rule that has been disabled.

Step 19
Confirm the change of rule state by clicking OK.
Answer

Step 20
Click the Policy Information option on the top left side of the screen.
Answer
Step 21
Observe the summary information of the IPS policy and save the changes in IPS policy:

• 97 rules have rule state set to Generate Events. Rule state is pre-defined in
the Balanced Connectivity and Security policy that you chose as your base
policy.
• 9468 rules have rule state set to Drop and Generate Events. This is one less
than before, as rule state for one of the rules has been changed from Drop
and Generate Events to Disabled.
• Click Commit Changes button to save the changes performed in IPS policy.
Answer

Note
Anytime you perform any changes in IPS policy, you need to save them.
Step 22
Confirm the saving action by clicking OK button.
Answer
Step 23
The saving of IPS policy action will redirect you to the summary page for IPS policies
under Policies > Access Control > Intrusion. Notice that your custom IPS
policy DMZ_IPS is not used by ACP.
Answer

ACP controls which traffic gets inspected by which IPS policy. First you need to define
IPS policy and then assign it to the ACP, either to one of the ACP rules or as a default
action at the bottom of ACP.

Step 24
Navigate to Policies > Access Control > Access Control. Click the pencil icon to edit
the ACP named Internet Edge Access Control Policy.
Answer

You will now assign your custom IPS policy to the ACP rule. You want to protect
the DMZ-Server from any attacks sourced from outside network.

Step 25
Locate the rule named Inbound_to_DMZ. This is the rule that
allows DMZ_SERVICES (FTP, HTTP, HTTPS, and SSH) traffic
from outside interface to the DMZ_Server. Click the pencil button to edit this rule.
Answer
Step 26
The Editing Rule - Inbound_to_DMZ page opens. You will assign your custom IPS
policy to the Inbound_to_DMZ rule. This makes sure that all traffic matching
this rule also gets inspected against the custom IPS policy DMZ_IPS. Follow these steps:

• Click the Inspection tab.
• Select DMZ_IPS from the Intrusion Policy drop-down menu.
• Click Save.
Answer

Step 27
Locate the rule named Inbound_to_DMZ again and notice that IPS policy icon is
colored yellow. This indicates that IPS policy is assigned to this rule. Click Save to save
the changes in ACP.
Answer
Step 28
To push the configuration change to the HQ-FTD device you need to deploy changes.
Inside Cisco FMC click Deploy in the upper-right corner of the screen, select the
HQ-FTD device, and click Deploy.
Answer

Step 29
The deploy process may take up to a minute to finish. Inside Deployments tab make
sure that deployment to the HQ-FTD device was successful.
Answer
Verify IPS Events
In this procedure, you will send attacking traffic from Kali-Host to the DMZ-Server.
You expect that Cisco Firepower will match this attacking traffic and block it. You will
verify all this in the IPS events.

Step 30
Access the Kali-Host. Authenticate using root username and SnortisC00L password,
if needed.
Note
These are zeros in the password.
Step 31
Click the icon for Terminal application. Follow these steps:

• Issue the /etc/init.d/postgresql start command to start the postgresql
service.
• Issue the armitage command to start the armitage application.
Answer
Metasploit is a penetration testing platform that enables you to find, exploit, and
validate vulnerabilities. Armitage is a GUI tool for performing and managing all the
tasks available in Metasploit. To use Armitage, you need to have a running instance of
Metasploit on your system.

Armitage comes preinstalled on a default Kali Linux installation. Armitage helps
visualize the targets, automatically recommends suitable exploits, and exposes the
advanced post-exploitation features in the framework.

Step 32
Click the Connect button.
Answer

Step 33
Click the Yes button to start Metasploit server.
Answer

You will now perform the attack from Kali-Host to the DMZ-Server. Armitage
running on the Kali-Host has already been preconfigured for you. DMZ-Server
(available on the IP address 192.0.2.20 to the outside hosts) has been discovered
by the Armitage application. Armitage also has a database of attacks that can be
performed against DMZ-Server.

Step 34
Follow these steps to send attacking traffic against DMZ-Server:

• Click the 192.0.2.20 icon in Armitage.
• Click the Attacks > Hail Mary option.
Answer

Step 35
Click the Yes button to confirm you want to send attacking traffic to the DMZ-Server.
Wait for some time so that process of sending attacking traffic ends.
Answer

Step 36
Return to web browser on Admin-PC. Inside Cisco FMC, navigate to Analysis >
Intrusions > Events. You should see some IPS events triggered. To get more
information about these events, click the Table View of Events hyperlink.
Answer
Step 37
You will see more information about IPS events triggered. Notice the following:

• You can see the Impact for each IPS event triggered. The impact level indicates
the correlation between intrusion data, network discovery data, and
vulnerability information. The impact level immediately indicates whether an
event is potentially a real event or a false positive.
• You can see the Inline result. These are the options for this field:

o A black down arrow indicates that the system dropped the packet that
triggered the IPS rule. You can see that all attacking packets sent
to DMZ-Server were blocked.
o Blank indicates that the triggered rule was not set to Drop and
Generate Events (you only see the alert, attacking traffic is not
blocked).
o A gray down arrow indicates that Cisco Firepower would have
dropped the packet if you had enabled the Drop when Inline intrusion
policy option.
• You can see the Source IP address of the attacking traffic. In your example,
the source of the attacking traffic was Kali-Host (209.165.202.5).
• You can see the Destination IP address of the attacking traffic. In your
example, the destination of the attacking traffic was DMZ-Server (with internal
IP address 172.16.1.20).
• Also notice the destination port of the attacking traffic sent to DMZ-Server.
The access control policy only permits traffic on FTP (tcp/21), HTTP (tcp/80),
HTTPS (tcp/443) and SSH (tcp/22) destination ports. Armitage is sending
attacking traffic on these ports as discovered during the discovery phase of
performing the attack.
Answer
One of the most valuable analysis tools is the impact flag indicator. You will see impact
flag calculated for your intrusion events. To help you evaluate the impact that an event
has on your network, the Cisco FMC displays an impact level in the table view of
intrusion events. For each event, the system adds an impact level icon, whose color
indicates the correlation between intrusion data, network discovery data, and
vulnerability information.

• Impact flag 1: Act immediately, host is vulnerable or compromised. Impact flag
1 occurs when the Snort IPS rule matches a vulnerability in that host's host
profile.
• Impact flag 2: Worth investigation, host is exposed. Impact flag 2 occurs
when the host is in the scope of your network discovery policy and a host profile
is built for the host involved in the intrusion event. The port or protocol used in
the attack is in use on the host, but the vulnerability is not mapped to the host in
the host profile. Impact flag 2 has all the signs that there is a potential for an
exploit, but the vulnerability involved is not indicated in your host profile.
• Impact flag 3: Good information, event may not have connected. Impact flag 3
occurs when the host is in the scope of your network discovery policy and a host
profile is built for the host involved in the intrusion event. The port or protocol
used in the attack is not in use on the host. An impact flag 3 event typically
indicates that a connection attempt was made with a host in your network, but
no connection was made.
• Impact flag 4: Previously unseen host within monitored network. Impact flag 4
occurs when the host is in the scope of your network discovery policy, but a
host profile is not built for the host involved in the intrusion event. Impact
flag 4 events typically occur when new sections of the network are brought
online, and host profiles are not yet built.
• Impact flag 0: Event occurred outside profiled networks. Impact flag 0 events
occur when neither the source nor the destination IP is within the scope of your
network discovery policy. Impact flag 0 occurs only when either you have not
profiled your entire network, or you are seeing intrusion events in your
enterprise that are not supposed to be in your network. Impact flag 0 events
are typically not a security concern if you have a fully profiled network.
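The five impact levels above follow a fixed decision order, which is easiest to see in code. The following Python is an added example written for this page, not part of the lab guide or of Cisco's software: it derives the flag from the same three inputs the text names (discovery scope, whether a host profile exists, and what that profile says about ports in use and mapped vulnerabilities). The host profiles, the event records, the vulnerability identifier VULN-EXAMPLE-1 and the host 172.16.1.30 are constructed sample data, and judging the in-scope endpoint (preferring the destination) is a simplifying assumption of this model.

```python
"""Added example (not from the lab guide or Cisco): compute the impact flag (0 to 4)
of an intrusion event from discovery scope, host profile presence, listening ports
and mapped vulnerabilities. All profiles, events and vulnerability ids are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Scope of the discovery policy built in Step 6 (the IPv4-Private-All-RFC1918 object).
DISCOVERY_SCOPE = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class HostProfile:
    ip: str
    listening: Set[Tuple[str, int]] = field(default_factory=set)  # (protocol, port) in use
    vulnerabilities: Set[str] = field(default_factory=set)        # vuln ids mapped to the host


@dataclass
class IntrusionEvent:
    src: str
    dst: str
    protocol: str
    dst_port: int
    rule_vulnerabilities: Set[str]   # vulnerability ids the matched Snort rule refers to


def in_scope(ip: str) -> bool:
    """True when the address falls inside a network the discovery policy monitors."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DISCOVERY_SCOPE)


def impact_flag(event: IntrusionEvent, profiles: Dict[str, HostProfile]) -> int:
    # Flag 0: neither endpoint lies inside the discovery policy scope.
    if not in_scope(event.src) and not in_scope(event.dst):
        return 0
    # Assumption of this model: judge the in-scope endpoint, preferring the target.
    host = event.dst if in_scope(event.dst) else event.src
    profile = profiles.get(host)
    if profile is None:
        return 4   # in scope, but no host profile has been built yet
    if event.rule_vulnerabilities & profile.vulnerabilities:
        return 1   # the rule matches a vulnerability mapped in the host profile
    if (event.protocol, event.dst_port) in profile.listening:
        return 2   # port is in use, but the vulnerability is not mapped to the host
    return 3       # port is not in use on the host: the attempt likely never connected


# Constructed profiles: DMZ-Server as seen in Step 14 (no OS, no vulnerabilities mapped),
# plus a constructed host 172.16.1.30 that does have a vulnerability mapped.
PROFILES = {
    "172.16.1.20": HostProfile("172.16.1.20", {("tcp", 21), ("tcp", 22), ("tcp", 80)}),
    "172.16.1.30": HostProfile("172.16.1.30", {("tcp", 80)}, {"VULN-EXAMPLE-1"}),
}
KALI = "209.165.202.5"


def classify_samples() -> Dict[str, int]:
    """Classify a handful of constructed events; one entry per impact level."""
    refs = {"VULN-EXAMPLE-1"}
    events = {
        "port_in_use":     IntrusionEvent(KALI, "172.16.1.20", "tcp", 80, refs),
        "port_not_in_use": IntrusionEvent(KALI, "172.16.1.20", "tcp", 443, refs),
        "vuln_mapped":     IntrusionEvent(KALI, "172.16.1.30", "tcp", 80, refs),
        "no_profile_yet":  IntrusionEvent(KALI, "172.16.1.50", "tcp", 80, refs),
        "outside_scope":   IntrusionEvent(KALI, "198.51.100.7", "tcp", 80, refs),
    }
    return {name: impact_flag(ev, PROFILES) for name, ev in events.items()}


if __name__ == "__main__":
    for name, flag in classify_samples().items():
        print(f"{name:16s} impact flag {flag}")
```

Run as a script, classify_samples() yields one flag per constructed event. The DMZ-Server cases are the instructive ones: tcp/80 comes out as 2 (the port is in use but nothing is mapped, consistent with the lab's note that no operating system was fingerprinted), while tcp/443 comes out as 3, since the ACP permits that port but the host profile shows nothing listening on it.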
Step 38
Inside the IPS Events view, scroll all the way to the right. Notice the following:

• In the Access Control Policy column, you can see that traffic that triggered the
IPS events was matched against ACP policy named Internet Edge Access
Control Policy.
• In the Access Control Rule column, you can see that traffic that triggered the
IPS events was matched against ACP rule named Inbound_to_DMZ.
• In the Intrusion Policy column, you can see that traffic that triggered the IPS
events was matched against IPS policy named DMZ_IPS.
Answer

Step 39
Inside the IPS Events view, scroll back all the way to the left. Click any of the red PC
icons next to the IP address 172.16.1.20 (DMZ-Server).
Answer
An IOC is a way to quickly see if a host has been compromised. The Cisco Firepower
System uses IOC rules in the network discovery policy to identify a host as likely to be
compromised by malicious means. When a host meets the conditions specified in these
system-provided rules, the system tags it with an IOC. The related rules are known as
IOC rules.

The system correlates data gathered about your monitored network and its traffic by
using intrusion, Security Intelligence, and malware events, and determines that a
specific host should be tagged with an IOC.

You can view and work with IOC data in several parts of the Cisco Firepower System
web interface. Connection, Security Intelligence, intrusion, malware, and IOC discovery
event views indicate whether an event has triggered an IOC. IP addresses that represent
IOC tagged hosts are tagged with a compromised host icon (colored red) instead of the
normal host icon (colored blue).

Step 40
Host profile for host 172.16.1.20 (DMZ-Server) opens. You can see a few IOC flags
set for DMZ-Server. The reason for the IOC flags being set is the intrusion events
in which DMZ-Server was the attacked host. Close the host profile window.
Answer
Based on the analysis you performed, you decide that no communication from
Kali-Host to your organization should be allowed. The easiest and most effective way to
achieve this is to add the IP address of the Kali-Host (209.165.202.5) to the Global
Blacklist. In this case, the Security Intelligence feature makes sure that no traffic to or
from this IP address is allowed through the Cisco Firepower System.

Step 41
Return to the IPS Events view, and perform these steps to add Kali-Host to the Global
Blacklist.

• Observe the time frame of when all IPS events were triggered.
• Right-click the IP address 209.165.202.5 (Kali-Host).
• Click Blacklist IP Now.
Answer

Step 42
Confirm the blocking of Kali-Host by clicking the Blacklist Now button. Remember
that adding an IP address to the Global Blacklist does not require deploying of the
configuration changes. Configuration changes take effect immediately.
Answer

Step 43
Return to the Kali-Host to send attacking traffic again. Follow these steps to send
attacking traffic against DMZ-Server:
• Click the 192.0.2.20 icon in the Armitage.
• Click the Attacks > Hail Mary option.
Answer

Step 44
Click the Yes button to confirm you want to send attacking traffic to the DMZ-Server.
Wait for some time so that process of sending attacking traffic ends.
Answer

Step 45
Return to web browser on Admin-PC. Inside Cisco FMC, navigate to Analysis >
Intrusions > Events and click the Table View of Events hyperlink. There should be no
new IPS events as all communication from Kali-Host should be blocked earlier in the
packet processing flow by the Security Intelligence feature.
Answer
Step 46
Inside Cisco FMC, navigate to Analysis > Connections > Security Intelligence
Events. You should see that all traffic sourced from Kali-Host (209.165.202.5) gets
blocked by the Security Intelligence feature.
Answer
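The outcome of Steps 45 and 46 depends on processing order: Security Intelligence is evaluated before the access control rule, and the intrusion policy only sees traffic that an ACP rule with that policy attached has already allowed, which is why a blacklisted source produces Security Intelligence events and no new intrusion events. The following Python is an added example written for this page, not the lab guide's or Cisco's code; it models that order together with the Inline Result values from Step 37. The Snort rule IDs above 1000000, the payload markers, the event dictionaries and the ACP default action (assumed here to block) are constructed for illustration.

```python
"""Added example (not from the lab guide or Cisco): a simplified model of the packet
processing order this lab relies on. Security Intelligence is checked first, then the
access control rule, and only traffic matching an ACP rule with an intrusion policy
attached is inspected by that policy. SIDs above 1000000, payload markers and the
ACP default action (block) are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

DROP = "Drop and Generate Events"
GENERATE = "Generate Events"
DISABLED = "Disabled"


@dataclass
class IpsRule:
    sid: int
    state: str
    matches: Callable[[bytes], bool]   # stand-in for the Snort rule's detection logic


@dataclass
class IntrusionPolicy:
    name: str
    drop_when_inline: bool
    rules: List[IpsRule]


@dataclass
class AcpRule:
    name: str
    dst_ports: Set[int]
    intrusion_policy: Optional[IntrusionPolicy]


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


def inline_result(state: str, drop_when_inline: bool) -> str:
    """Inline Result column: 'dropped' (black arrow), 'would have dropped' (gray arrow,
    Drop when Inline not enabled) or '' (blank, the rule only generates events)."""
    if state == DROP:
        return "dropped" if drop_when_inline else "would have dropped"
    return ""


def process(packet: Packet, blacklist: Set[str], acp_name: str,
            acp_rules: List[AcpRule]) -> Tuple[str, Optional[Dict]]:
    """Return (verdict, event); the event dict mimics a row of the FMC event tables."""
    # 1. Security Intelligence: a blacklisted address is blocked before any deeper
    #    inspection, so it yields a Security Intelligence event, never an intrusion event.
    if packet.src in blacklist or packet.dst in blacklist:
        return "block", {"type": "Security Intelligence", "ip": packet.src}
    # 2. Access control: first rule permitting the destination port wins;
    #    assumption: the ACP default action blocks everything else.
    rule = next((r for r in acp_rules if packet.dst_port in r.dst_ports), None)
    if rule is None:
        return "block", None
    if rule.intrusion_policy is None:
        return "allow", None
    # 3. Intrusion inspection with the policy attached to the matching ACP rule.
    policy = rule.intrusion_policy
    for ips_rule in policy.rules:
        if ips_rule.state == DISABLED or not ips_rule.matches(packet.payload):
            continue
        result = inline_result(ips_rule.state, policy.drop_when_inline)
        event = {"type": "Intrusion", "sid": ips_rule.sid, "inline_result": result,
                 "access_control_policy": acp_name, "access_control_rule": rule.name,
                 "intrusion_policy": policy.name}
        return ("block" if result == "dropped" else "allow"), event
    return "allow", None


KALI, DMZ_SERVER = "209.165.202.5", "172.16.1.20"   # event tables show the internal address
ACP_NAME = "Internet Edge Access Control Policy"


def dmz_ips(drop_when_inline: bool = True) -> IntrusionPolicy:
    return IntrusionPolicy("DMZ_IPS", drop_when_inline, [
        IpsRule(45388, DISABLED, lambda p: b"IE-MARKER" in p),       # disabled in Step 18
        IpsRule(1000001, DROP, lambda p: b"ATTACK-MARKER" in p),     # constructed rule
        IpsRule(1000002, GENERATE, lambda p: b"SCAN-MARKER" in p),   # constructed rule
    ])


def run(port: int, payload: bytes, drop_when_inline: bool = True,
        blacklist: Tuple[str, ...] = ()) -> Tuple[str, Optional[Dict]]:
    """One packet from Kali-Host to DMZ-Server through the Inbound_to_DMZ rule."""
    acp = [AcpRule("Inbound_to_DMZ", {21, 22, 80, 443}, dmz_ips(drop_when_inline))]
    return process(Packet(KALI, DMZ_SERVER, port, payload), set(blacklist), ACP_NAME, acp)


def scenarios() -> Dict[str, Tuple[str, Optional[Dict]]]:
    attack = b"GET / ATTACK-MARKER"
    return {
        "dropped": run(80, attack),
        "would_drop": run(80, attack, drop_when_inline=False),
        "alert_only": run(21, b"USER SCAN-MARKER"),
        "disabled_rule": run(80, b"IE-MARKER"),
        "blacklisted": run(80, attack, blacklist=(KALI,)),      # after Step 42
        "port_not_permitted": run(8080, attack),
    }


if __name__ == "__main__":
    for name, (verdict, event) in scenarios().items():
        print(f"{name:20s} {verdict:5s} {event}")
```

The "blacklisted" scenario is the one Step 45 checks: the same packet that was dropped with an intrusion event before Step 42 now never reaches DMZ_IPS, and the only record is the Security Intelligence event that Step 46 finds under Analysis > Connections.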

Configure Firepower Recommendations

In this procedure, you will use the Firepower Recommendations feature, which tailors the
IPS policy to your network assets. You will run the feature and verify the changes that
have been made to the ruleset by Firepower Recommendations.

Step 47
Inside web browser on Admin-PC, navigate to Policies > Access Control > Intrusion.
Click the pencil icon to edit the DMZ_IPS policy.
Answer

Step 48
The Edit Policy: DMZ_IPS page will open. Click the Firepower
Recommendations option on the left side of the menu.
Answer

Step 49
Click the Generate and Use Recommendations button.
Answer

You can use Cisco Firepower intrusion rule recommendations to associate the operating
systems, servers, and client application protocols detected on your network with rules
specifically written to protect those assets. This allows you to tailor your intrusion
policy to the specific needs of your monitored network.
The system makes an individual set of recommendations for intrusion policy. It
typically recommends rule state changes for IPS rules.

You can choose either to use the recommendations immediately or to review the
recommendations (and affected rules) before accepting them.

The system does not change rule states that you set manually:

• Manually setting the states of specified rules before you generate
recommendations prevents the system from modifying the states of those
rules in the future.
• Manually setting the states of specified rules after you generate
recommendations overrides the recommended states of those rules.
Step 50
Cisco Firepower System will inform you that IPS policy is now using the generated
recommendations. Click the OK button.
Answer

Step 51
Observe the changes to the ruleset performed by Firepower Recommendations feature
in the Firepower Recommended Rules Configuration section of the Edit Policy:
DMZ_IPS page. Click the magnifying glass icon next to the View Recommended
Changes option.
Answer

Step 52
The window with Snort rules listed will open. On the right side of the screen
select Base Policy from the drop-down menu. This creates a filter that will show you all
rules that were changed by Firepower Recommendations in comparison to the Base
Policy. Notice the following:
• The original rule state for the base policy rules you see was set to Drop and
Generate Events, as indicated by the red X icon.
• Rule state for all these rules was changed to Disabled by the Firepower
Recommendations feature.
Answer

Step 53
Click the Policy Information option on the top left side of the screen.
Answer

Step 54
Observe the summary information of the IPS policy:
• The Firepower Recommendations feature changed the rule state for a lot of different
rules.
• The result is 6263 rules being enabled, out of which 109 rules are set to generate
events and 6154 rules are set to drop and generate events.
• Click the Commit Changes button to save the changes in the IPS policy.
Answer

Configurations in IPS policy are contained in building blocks called layers, which you
can use to efficiently manage multiple policies. You can create and edit IPS policy
without consciously using layers. You can modify your policy configurations, and if
you have not added user layers to your policy, the system automatically includes your
changes in a single configurable layer that is initially named My Changes.

Upper layers override lower layers for the same rule or setting. If you had three layers
with different rule states for the same Snort rule, the uppermost layer state would be the
final state.

Using the Firepower Recommendations feature inserts a read-only, built-in Firepower
Recommendations layer immediately above the base layer.

Any changes to the ruleset performed by the Firepower Recommendations feature
override ruleset settings defined in the base policy. Any changes to the ruleset
performed by the user override ruleset settings defined by Firepower Recommendations.
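
The layer precedence just described, together with the two manual-override rules listed before Step 50, can be checked with a small model. The following Python is an added example written for this page, not the lab guide's or Cisco's code; it stacks a base layer, a Firepower Recommendations layer and a My Changes layer and resolves each rule's effective state top-down. The base counts (97 and 9469) come from Step 17 and rule 45388 from Step 18; every other SID and the recommendation set are constructed.

```python
"""Added example (not from the lab guide or Cisco): intrusion policy layers.
The topmost layer that mentions a SID decides its state; recommendations are inserted
directly above the base layer and skip rules the user has already set manually.
Base counts follow Step 17; all SIDs other than 45388 are constructed."""
from collections import Counter
from typing import Dict, Optional

GENERATE = "Generate Events"
DROP = "Drop and Generate Events"
DISABLED = "Disabled"


class LayeredIntrusionPolicy:
    """Rule states stacked in layers, ordered bottom (base) to top (My Changes)."""

    def __init__(self, base_states: Dict[int, str]):
        self.layers = [("Base Policy", dict(base_states))]
        self.manual = set()          # SIDs whose state the user set by hand

    def _states(self, layer_name: str) -> Optional[Dict[int, str]]:
        for name, states in self.layers:
            if name == layer_name:
                return states
        return None

    def set_rule_state(self, sid: int, state: str) -> None:
        """Manual change: recorded in the My Changes layer at the top of the stack."""
        if self._states("My Changes") is None:
            self.layers.append(("My Changes", {}))
        self._states("My Changes")[sid] = state
        self.manual.add(sid)

    def generate_recommendations(self, recommended: Dict[int, str]) -> None:
        """Insert the read-only recommendations layer directly above the base layer,
        leaving out any SID the user already set manually (it must not be modified)."""
        states = {sid: st for sid, st in recommended.items() if sid not in self.manual}
        self.layers.insert(1, ("Firepower Recommendations", states))

    def effective_state(self, sid: int) -> str:
        for _, states in reversed(self.layers):      # top layer first
            if sid in states:
                return states[sid]
        return DISABLED                              # assumption: unknown SID is not enabled

    def summary(self) -> Dict[str, int]:
        """The counts shown on the Policy Information page."""
        counts = Counter(self.effective_state(sid) for sid in self.layers[0][1])
        return {"generate": counts[GENERATE], "drop": counts[DROP],
                "enabled": counts[GENERATE] + counts[DROP]}


def build_lab_policy() -> LayeredIntrusionPolicy:
    # Constructed SID ranges sized to Step 17: 97 alert-only rules and 9469 drop rules.
    base = {sid: GENERATE for sid in range(1_000_000, 1_000_097)}
    base.update({sid: DROP for sid in range(2_000_000, 2_009_468)})
    base[45388] = DROP                               # the browser-ie rule from Step 18
    return LayeredIntrusionPolicy(base)


def walkthrough() -> Dict[str, object]:
    """Replays the lab's sequence of changes and records the summary after each one."""
    policy = build_lab_policy()
    steps: Dict[str, object] = {"base": policy.summary()}
    policy.set_rule_state(45388, DISABLED)                     # Step 18
    steps["after_manual_disable"] = policy.summary()
    # Constructed recommendations: disable 3000 drop rules and (pointlessly) re-enable 45388.
    recommended = {sid: DISABLED for sid in range(2_000_000, 2_003_000)}
    recommended[45388] = DROP                                  # ignored: set manually earlier
    policy.generate_recommendations(recommended)               # Step 49
    steps["after_recommendations"] = policy.summary()
    policy.set_rule_state(2_000_000, GENERATE)                 # manual change after recommendations wins
    steps["after_manual_override"] = policy.summary()
    steps["sid_45388"] = policy.effective_state(45388)
    steps["sid_2000000"] = policy.effective_state(2_000_000)
    return steps


if __name__ == "__main__":
    for label, value in walkthrough().items():
        print(f"{label:24s} {value}")
```

The walkthrough reproduces the Step 21 arithmetic (9469 drop rules become 9468 after one manual disable) and then shows both override rules in action: 45388 stays Disabled although the recommendation set asks for Drop, and the manual change to the constructed SID 2000000 after recommendations were generated overrides the recommended Disabled state.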

Step 55
Confirm the saving action by clicking OK button.
Answer
Step 56
The saving of IPS policy action will redirect you to the summary page for IPS policies
under Policies > Access Control > Intrusion:

• Notice that your custom IPS policy DMZ_IPS is out of date as it is not yet
deployed to the HQ-FTD device.
• Deploy the policy to the HQ-FTD by clicking the Deploy button in the upper
right corner of the menu.
Answer

Step 57
Select HQ-FTD device and click Deploy.
Answer
Step 58
The deploy process may take up to a minute to finish. Inside the Deployments tab,
make sure that deployment to the HQ-FTD device was successful.
Answer
