Introduction to FirePOWER & FireSIGHT Policies CCIE & CCSI: Yasser Ramzy Auda

Introduction to FirePOWER & AMP

FirePOWER provides IPS, URL filtering and reputation, application identification and control, file
filtering and file disposition (which can be enhanced using AMP), user-based traffic filtering, SSL decryption
and more.

Products Overview

FirePOWER 7000 series & FirePOWER 8000 series appliances

These are dedicated IPS appliances with URL filtering capabilities, and AMP as well if you have the licenses for them.

FP 7000 Series :
7010 , 7020 , 7030 , 7050 , 7110 , 7115 , 7120 , 7125

FP 8000 Series :
8120 , 8130 , 8140
8250 , 8260 , 8270 , 8290
8350 , 8360 , 8370 , 8390

There is also a 64-bit virtual appliance (NGIPSv). Virtual appliances are supported on VMware ESXi and VMware vCloud
Director environments.

ASA with FirePOWER

ASA 5506-X, ASA 5506H-X, ASA 5506W-X,
ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, ASA 5555-X,
ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and the ASA 5585-X-SSP-60

They are ASA firewalls with FirePOWER capabilities, but they use one image (system software) for the ASA
and another one for FirePOWER.

The ASA FirePOWER module, also known as ASA SFR, comes as a software (SW) or hardware (HW) module:

SW module used in all ASA-X models except the 5585-X
HW module used in the 5585-X

3D tour for ASA with FirePOWER


FirePOWER 4100 & FirePOWER 9000 appliances

These are also ASA firewalls with FirePOWER capabilities, but they use a single image that provides both the
firewall and the FirePOWER capabilities.

3D tour for FirePOWER 4100 , 9300

Remember that the 9300 comes with Radware DefensePro distributed denial of service (DDoS) mitigation.

AMP Advanced Malware Protection

These are the AMP capabilities we can have on all of the products above; we can also install AMP as a separate
application on servers, PCs, smartphones, ESA, WSA, etc.

The AMP solution enables malware detection and blocking, continuous analysis and
retrospective alerting through File Reputation, File Sandboxing and File Retrospection.

In Palo Alto it is called WildFire.

In Fortinet it is called Advanced Threat Protection (FortiSandbox, FortiAnalyzer).
In Cisco it is called Advanced Malware Protection (AMP).

In Cisco, AMP can be enabled on the following devices, where we call it [AMP for Networks]:
ASA with FirePOWER (you will need a Malware license)
FirePOWER 7000, 8000 (you will need a Malware license)
FirePOWER 4100, 9300 (you will need a Malware license)
In Cisco, we can also enable AMP on the following, where we call it [AMP for Contents]:
CWS (cloud version of WSA)
CES (cloud version of ESA)
Finally, in Cisco we can enable AMP on Windows, Linux, Mac OS, etc., and we call it [AMP for

Let's not forget that AMP can also be used with Threat Grid
(to get advanced threat intelligence and static and dynamic malware analysis;
it can be a hardware appliance or a cloud deployment).

Best practice is to add AMP to all devices, including ASA with SFR, WSA, ESA, PCs, servers and
The more widely you distribute AMP, the higher the threat catch rate.


Management Products
ASDM 7.3, 7.4 and 7.5 are used to manage the ASA.
ASDM 7.3, 7.4 and 7.5 can also be used to manage FirePOWER (with limitations).

FireSIGHT 5.3 and 5.4 can be used to manage FirePOWER (with no limitations).

FireSIGHT 6.0 (officially named Firepower Management Center, FMC) is used to manage both
the ASA and FirePOWER.

As you can see, FireSIGHT applies policies and licenses to your FirePOWER devices.
Your FirePOWER device sends FireSIGHT events, information about its hardware status,
discovery information, etc.


FirePOWER is based on Snort

The Snort engine's basic architecture:
The sniffer (DAQ & packet decoder)
The detection engine
The output and alerting module

Remember that FirePOWER incorporates more than 800 open source applications, including Snort, nmap,
Wireshark, ClamAV, etc.

FirePOWER 7000, 8000 Series sensing interface types:

Inline: with bypass or without bypass
HA link: used for clustering to share state between peers

FirePOWER 7000, 8000 network features:

Virtual switch (7000 & 8000)
Virtual router (7000 & 8000)
VPN gateway (7000 & 8000 & NGIPSv); to use VPN you will need a VPN license and a
virtual router
NAT (7000 & 8000 & NGIPSv)
Clustering (7000 & 8000)
Stacking (8000 only)


FireSIGHT & FirePOWER Licensing

FireSIGHT requires its own license; we add the license to FireSIGHT and it applies it to itself.

For a FirePOWER appliance (managed device), we add the licenses to FireSIGHT and then apply them to
the managed devices.

The types of licenses are:

Control: also known as Application Visibility and Control (AVC) or Apps.

Protection: aka IPS. This includes entitlement to rule, engine, vulnerability, signature and
geolocation updates.

Advanced Malware Protection (AMP): aka Malware. Provides cloud-based malware lookup
and sandbox analysis, including file trajectory and tracking across the network.

URL Filtering: enables allowing/blocking websites based on their URL, category or
reputation. Information such as category and business relevance is updated on the Defense
Center via a cloud connection.

VPN: enables site-to-site VPN capabilities between devices, and it can be used to create a
secure tunnel to a remote office location without having to install separate VPN hardware.

We purchase a license for one, three or five years. Also keep in mind that
each license is bound to a specific ASA model. So, if we buy/lease the license for a 5525-X,
this license will not be valid for other ASA boxes.

Notice that in ASA with FirePOWER we do not need VPN licenses, since the FirePOWER VPN
capability does not exist there.

Notice that you cannot have AMP (Malware license) without having the Protection license (IPS license) first.

All licenses except VPN can be applied to the 7000 and 8000 Series and ASA FirePOWER; the
VPN license applies ONLY to the 7000 and 8000 Series.

When you apply a Control license to a 7000 or 8000 Series device, it adds the following additional
capabilities:
Switching and routing
7000 and 8000 Series device high availability
7000 and 8000 Series network address translation (NAT)

The Protection license must exist before installing the Malware, URL Filtering and Control licenses.

The Control license must exist before installing VPN.


With v6.0 we have the concept of Classic and Smart licenses.

For 7000 and 8000 Series, ASA FirePOWER and NGIPSv devices, you must use Classic
licenses. Devices that use Classic licenses are sometimes referred to as Classic devices.
For Firepower Threat Defense and Firepower Threat Defense Virtual, you must use
Smart licenses.

For example, let's focus on the ASA 5525-X model. With the picture above in mind, we have the
following licenses:

The URL licenses provide us with URL filtering capabilities for one, three or five years.

The TA license enables the IPS capabilities of the SFR module.

The TAC license enables IPS plus URL filtering.



Company old name: Sourcefire
Company new name: Cisco

Product old name: FirePOWER
Product new name: FirePOWER, aka FP

Product old name: FireAMP
Product new name: AMP

Product old name: Defense Center, aka DC
Product new name: FireSIGHT v5.3, v5.4, aka FS
Product new name: Firepower Management Center (FMC), aka FireSIGHT v6.0

Old term: Sourcefire 3D sensor, aka 3D
New term: Device (managed device), such as FirePOWER 7000, 8000, ASA with FirePOWER, etc.

All FirePOWER devices are now called Series 3 devices.

Series 2 is the second series of physical managed devices; Cisco no longer ships new Series 2 devices.

Some FirePOWER technology terms you should care about:

- In VPN hub and spoke, when we say Leafs that means Spokes.
- Instead of using HSRP as gateway redundancy for both IPv4 and IPv6 addresses, we use the
Cisco Redundancy Protocol (SFRP) to achieve network redundancy for high availability
on either a device cluster or individual devices.
- EtherChannel in FirePOWER is called a link aggregation group (LAG) and uses LACP.
- FirePOWER clustering means HA (active/standby), which establishes redundancy of
networking functionality and configuration data between two peer devices or two peer
device stacks.
- FirePOWER stacking combines resources in a single, shared,

FirePOWER Placement Overview

Inside Firewall
External ----------FW+FP-------Assets

Behind Firewall
External ----------FW-----FP-------Assets

Nearest to the Assets

External ----------FW---NAT R----Proxy Device-------FP-------Assets

Nowadays most FP deployments are inline, but we can still use a passive deployment between
internal segments (inside the asset networks) or in honeypots.


Introduction to Cisco FirePOWER Policies

You can configure many policies in your FireSIGHT, and it will apply them to your managed devices
such as FirePOWER 7000, 8000, ASA with FirePOWER, etc.

Every policy includes rules.

First of all you should care about three policies (Intrusion Policy, File Policy and Access Control
Policy); these are the main policies you will work with.

1- Intrusion Policy
Sometimes we call it the IPS policy; this policy is responsible for inspecting your packets and matching
them against Snort rules.
All your policy settings are saved in the snort.conf file; all your rules are saved in files with the extension
Normally when you create this policy you will not need to create rules for it; the rules are already
created by Cisco's security intelligence cloud (the Talos team), but you can still create a Snort rule yourself
if you want to, using the FireSIGHT GUI, for instance a Snort rule to
match credit card numbers sent in plain text on your network.
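The credit card example above, written out as an added illustration (not code from the page): an illustrative local Snort rule for cleartext card numbers, and the same matching in Python with a Luhn check to discard most random 16-digit matches. The rule text, SID, regex and sample payloads are assumptions of this example.

```python
import re

# Added example, not from the page: the detection a local Snort rule for
# cleartext credit card numbers would perform, written out in Python so the
# matching and the Luhn check can be tested offline. The Snort rule below is
# illustrative; a local rule needs a SID of 1,000,000 or higher.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"POLICY possible credit card number in cleartext"; '
    'flow:to_server,established; '
    r'pcre:"/\b(?:4\d{3}|5[1-5]\d{2})(?:[ -]?\d{4}){3}\b/"; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)

# Same pattern as the pcre option: Visa (4xxx) and Mastercard (51xx-55xx)
# style 16-digit numbers, optionally split into groups by space or dash.
CARD_RE = re.compile(r"\b(?:4\d{3}|5[1-5]\d{2})(?:[ -]?\d{4}){3}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop most random 16-digit matches (false alarms)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(payload: str) -> list:
    """Return candidate card numbers in a cleartext payload that also pass Luhn."""
    found = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def classify(payload: str, rule_state: str) -> str:
    """Map a match to the rule states the intrusion policy offers.

    rule_state is one of "disabled", "generate", "drop_generate".
    Returns "pass", "alert" or "alert+drop".
    """
    if rule_state == "disabled" or not find_card_numbers(payload):
        return "pass"
    return "alert" if rule_state == "generate" else "alert+drop"

# Constructed sample payloads (well-known test numbers, not real cards).
SAMPLES = {
    "checkout": "POST /pay HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111&cvv=123",
    "order_id": "GET /order?id=4111111111111112 HTTP/1.1",   # fails Luhn
    "report":   "total=1234 units shipped, ref 5500-0000-0000-0004",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, find_card_numbers(payload), classify(payload, "drop_generate"))
```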

Each rule has a state: it can be Disabled, Generate Events, or Drop and Generate Events.
Event here means alert, so if we find traffic that matches a Snort rule we can trigger an alert, or
trigger an alert and drop the packets at the same time.

When you first create an Intrusion Policy, you should choose a Base Policy for it.
The Base Policy just tells your FirePOWER which Snort rules should be enabled or disabled.

You can choose one of the following base policies:

No Rules Active: all rules disabled.

Connectivity Over Security: enables only powerful rules with a CVSS score of 10 and no older
than two years, ~800 rules.
Balanced Security and Connectivity: enables only powerful rules with a CVSS score of 9 and no
older than two years, ~6300 rules.
Security Over Connectivity: all rules enabled; considered the strictest of the default
policies (recommended, but it will need to be tuned later so it does not generate a big
number of events or many false alarms); tuning is done by using suppression,
thresholds or disabling Snort rules. ~9000 rules.


Finally, just remember that you should generate FireSIGHT Recommendations from time to time
for your policy. FireSIGHT Recommendations is a feature that tries to find which rules
should be enabled or disabled in your network and applies that for you.
FireSIGHT Recommendations knows this by analyzing information obtained from the Cisco cloud and
also from the FireSIGHT network discovery features.
For example, FireSIGHT Recommendations may learn that all machines in your network run
Windows, so it will disable all Snort rules for Linux since there is no need to keep them.
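As an added example (not the page's or Cisco's code), the base policy choice and the Recommendations tuning described above as a small rule-selection model. Assumptions: the page's CVSS cut-offs are read as "10" and "9 or higher", the age check is two years, and each constructed rule carries a target OS tag standing in for the host metadata Recommendations uses.

```python
from datetime import date

# Added example, not the page's code: how the three base policies on the page
# pick which Snort rules start enabled, and how FireSIGHT Recommendations then
# tunes that set from network discovery results. The rule set, SIDs, dates and
# the OS tag on each rule are constructed for illustration.
TODAY = date(2016, 6, 1)   # constructed "now" so the age check is repeatable

def rule_age_years(rule: dict) -> float:
    return (TODAY - rule["published"]).days / 365.25

def base_policy_states(rules: list, base_policy: str) -> dict:
    """Return {sid: state} for a base policy; state is 'disabled' or
    'drop_generate' (the page's 'Drop & Generate events')."""
    states = {}
    for r in rules:
        recent = rule_age_years(r) <= 2
        if base_policy == "no_rules_active":
            on = False
        elif base_policy == "connectivity_over_security":
            on = r["cvss"] >= 10 and recent
        elif base_policy == "balanced":
            on = r["cvss"] >= 9 and recent
        elif base_policy == "security_over_connectivity":
            on = True
        else:
            raise ValueError(base_policy)
        states[r["sid"]] = "drop_generate" if on else "disabled"
    return states

def apply_recommendations(rules: list, states: dict, discovered_os: set) -> dict:
    """Disable OS-specific rules whose target OS was never seen by network
    discovery and enable those whose OS was seen, mirroring what the page says
    Recommendations does when every host runs Windows. Rules tagged 'any' are
    left as the base policy set them."""
    tuned = dict(states)
    for r in rules:
        if r["os"] == "any":
            continue
        tuned[r["sid"]] = "drop_generate" if r["os"] in discovered_os else "disabled"
    return tuned

# Constructed rule set; SIDs and dates are illustrative, not real Talos rules.
RULES = [
    {"sid": 1, "cvss": 10.0, "os": "windows", "published": date(2015, 9, 1)},
    {"sid": 2, "cvss": 9.3,  "os": "windows", "published": date(2015, 2, 1)},
    {"sid": 3, "cvss": 10.0, "os": "linux",   "published": date(2016, 1, 15)},
    {"sid": 4, "cvss": 7.5,  "os": "any",     "published": date(2016, 3, 1)},
    {"sid": 5, "cvss": 10.0, "os": "any",     "published": date(2012, 5, 1)},  # too old
]

def enabled_sids(states: dict) -> list:
    return sorted(sid for sid, st in states.items() if st != "disabled")

if __name__ == "__main__":
    for bp in ("connectivity_over_security", "balanced", "security_over_connectivity"):
        print(bp, enabled_sids(base_policy_states(RULES, bp)))
    strict = base_policy_states(RULES, "security_over_connectivity")
    print("tuned", enabled_sids(apply_recommendations(RULES, strict, {"windows"})))
```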

2- File Policy
We use this policy for file filtering, such as denying or permitting specific types of files.
We also use this policy for file disposition (AMP inspection), which means finding out whether files
going through our network are clean or malware.

In FireSIGHT v6.0 we call this policy the Malware & File Policy.

File Rule Actions:

Detect Files: log the movement of files while still allowing them to pass.
Block Files: block the files (good for file filtering purposes).
Malware Cloud Lookup: calculate the SHA-256 hash value and use the cloud
lookup process to determine the malware disposition. Once that's determined, this
option logs the malware disposition of files while still allowing them to pass.
Block Malware: this is the same as Malware Cloud Lookup, only this rule will actually
block the transfer of files that represent threats.

Remember it like this: if you create a rule for file filtering, the action should be Detect Files or Block Files;
if you create a rule for AMP inspection, the action should be Malware Cloud Lookup or Block Malware.

Remember that you will need the Malware license applied to your managed device so you can make
use of the Malware Cloud Lookup & Block Malware actions.


3- Access Control Policy

This is the main policy that your traffic goes through.
You can use it to filter URLs, or to deny or permit traffic based on IP address, ports, applications,
users or even geolocation.
Something else very important about the access control policy: it is where you activate your
Intrusion Policy, File Policy or both.
We activate, or let's say associate, the Intrusion Policy or File Policy on an Access Control rule.

Normally when you create an Access Control Policy you will be asked to choose a Default Action.
This Default Action is applied to your traffic IF your Access Control rules did not find any
match on this traffic.

(Each ACP has a Default Action that tells the device what to do if none of the Access Control
rules above it match a given traffic flow.)

After creating your Access Control Policy you should start creating rules.

As you can see, each rule can have one of the following actions:
Allow: passes traffic through the device. You can optionally inspect this traffic using an
intrusion policy, a file policy, or both.
Trust: passes traffic through the device without further inspection, so you cannot use an
intrusion policy, a file policy, or both with this action.
Monitor: only logs a connection event.


Block and Block with Reset: the Block action stops the traffic from passing, while Block with Reset
also resets the connection. Blocked traffic is not inspected via IPS, file or discovery policy rules,
so you cannot use an intrusion policy, a file policy, or both with this action.
Interactive Block and Interactive Block with Reset: for HTTP traffic, these actions allow users to
bypass a website block by clicking through the warning page.
These rules can be associated with IPS and file policies the same way that Allow rules can.
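The rule actions and default action above, worked through as an added example (not the page's or Cisco's code): a first-match walk over an ordered rule list where Monitor only logs and continues, every other action ends evaluation, and only Allow and Interactive Block carry an intrusion or file policy. It also shows the ordering point made later on this page, a URL object Allow rule placed above a URL category Block rule. Rule fields, policy names and sample flows are constructed for this illustration.

```python
from ipaddress import ip_address, ip_network

# Added example, not the page's code: a first-match evaluation of access control
# rules with the default action fallthrough, showing which actions let an
# intrusion or file policy run. Field names and the sample flows are constructed.
INSPECTABLE = {"allow", "interactive_block", "interactive_block_reset"}

def rule_matches(rule: dict, flow: dict) -> bool:
    """Every condition set on the rule must match; unset conditions match all."""
    if "src_net" in rule and ip_address(flow["src"]) not in ip_network(rule["src_net"]):
        return False
    if "dst_port" in rule and flow["dst_port"] != rule["dst_port"]:
        return False
    if "url" in rule and not flow.get("url", "").startswith(rule["url"]):
        return False
    if "url_category" in rule and flow.get("url_category") != rule["url_category"]:
        return False
    return True

def decision(name: str, action: str, rule: dict, monitored: bool) -> dict:
    inspect = action in INSPECTABLE
    return {
        "rule": name,
        "action": action,
        "logged": monitored or action != "trust",   # Trust alone logs nothing
        "intrusion_policy": rule.get("intrusion_policy") if inspect else None,
        "file_policy": rule.get("file_policy") if inspect else None,
    }

def evaluate(policy: dict, flow: dict) -> dict:
    """Walk the ordered rules; Monitor only logs and keeps going, every other
    action ends evaluation. No match -> the policy's default action."""
    monitored = False
    for rule in policy["rules"]:
        if not rule_matches(rule, flow):
            continue
        if rule["action"] == "monitor":
            monitored = True
            continue
        return decision(rule["name"], rule["action"], rule, monitored)
    return decision("default", policy["default_action"], {}, monitored)

# Constructed policy: the URL object rule sits above the category rule so the
# explicit allow is evaluated first, as the page recommends.
POLICY = {
    "default_action": "block",
    "rules": [
        {"name": "log-all-http", "action": "monitor", "dst_port": 80},
        {"name": "allow-hr-portal", "action": "allow", "url": "http://hr.example.test",
         "intrusion_policy": "balanced", "file_policy": "block-malware"},
        {"name": "block-gambling", "action": "block_reset", "url_category": "gambling"},
        {"name": "trust-backup", "action": "trust", "src_net": "10.10.0.0/16", "dst_port": 22},
        {"name": "allow-web", "action": "allow", "dst_port": 80, "intrusion_policy": "balanced"},
    ],
}

FLOWS = {
    "hr":      {"src": "10.1.1.5", "dst_port": 80, "url": "http://hr.example.test/login",
                "url_category": "gambling"},   # category would block; the object rule wins
    "bets":    {"src": "10.1.1.6", "dst_port": 80, "url": "http://bets.example.test",
                "url_category": "gambling"},
    "backup":  {"src": "10.10.4.2", "dst_port": 22},
    "unknown": {"src": "10.1.1.7", "dst_port": 445},
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, evaluate(POLICY, flow))
```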

Remember that we associate the File Policy and Intrusion Policy with an Access Control policy rule:
on the right side of the Edit Rule window, go to the Inspection tab.

Always remember that to configure FirePOWER you will need to configure at least the Intrusion, File
and Access Control policies.

Now let's talk about other policies that you might need to configure.

Network Discovery Policy

FirePOWER can passively collect information about your network devices, such as IP address, OS
and the users using these machines, and it can even create a Host Profile for each host.
You have one policy per device, and it is already created for you, but you can create rules
for it yourself.

The action for a rule is to discover or exclude the networks or zones you specify in the rule.


Correlation Policy
Used for detecting unusual activity rather than specific intrusion or malware events.
By using correlation rules, white lists and traffic profiles, we can detect network or host
behaviors that may be an indication of malicious activity.

You should follow these steps to create a Correlation Policy:

1- Create the Response (action) that will happen if traffic matches your rule
2- Create a Correlation Rule to match traffic under specific conditions
3- Create a Correlation Policy and add Correlation Rules to it
4- Add the Response to your Correlation Rule

A Response can be an Alert or a Remediation Module.

Alerts are simply notifications:
Email: SMTP message sent via the mail relay configured in the system policy.
SNMP: SNMP versions 1, 2 and 3 are supported.
Syslog: standard syslog sent to UDP/514.

Remediation Modules (Perl scripts):

Cisco IOS Null Route: add a null route entry to a remote Cisco IOS router.
Cisco PIX Shun: add a shun to a remote Cisco PIX (or ASA) firewall.
Nmap Remediation: perform an Nmap scan from a device or the Defense Center.
Set Attribute Value: set the value of a host attribute.

You can also add other Remediation Modules made by Cisco or by your dev team.
Read:
ISE and FirePower integration - remediation service example

Example: Excessive Connections From External Hosts

Example: Excessive BitTorrent Data Transfers


In the Correlation Policy we can also set two important things: White Lists and Traffic Profiles.

White List
A white list is a set of criteria you can use to define the operating systems, client/server apps and
protocols that are allowed to run on your network.

For example, if you only allow Linux operating systems on a given network segment, by
creating a white list that contains only these operating systems you can be alerted if FireSIGHT
detects any other OS on that segment.

Once the white list is created, it is treated in the same manner as a correlation rule,
so it must be implemented via a correlation policy.

Traffic Profiles
You can think of a traffic profile as a baseline of activity.
The profile defines the criteria for the baseline, such as IP address, application protocol,
transport protocol and so on. Then, once activated, the profile collects a number of data points
about the traffic over the profile period.
Once the profile is built, you can add it to a correlation rule and specify the deviation that would
cause the rule to trigger.
Last, you add the rule to a correlation policy and select an appropriate response.

Traffic Profile Simple Example:

1- We create a Traffic Profile named KOKO.
It will monitor HTTP traffic when the source (initiator) and destination (responder) are in
for one week, taking samples every 5 minutes.

2- We create a Correlation Rule named WAWA

saying: if a traffic profile changes in profile KOKO and
has (number of connections) greater than 2 AND (unique initiators) greater than 2.

3- We create a Correlation Policy named SOSO

Add WAWA to it
Add a response (send an alert by email) if the rule matches
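The KOKO / WAWA / SOSO example above worked through in Python, as an added example that is not the page's or Cisco's code. It builds the profile baseline from constructed 5-minute samples, checks the rule against a new sample both with the page's absolute thresholds and as a deviation from the baseline (the mechanism described under Traffic Profiles), and has the policy return the email response. The one-hour baseline, addresses and the two standard deviation cut-off are assumptions.

```python
from statistics import mean, pstdev

# Added example, not the page's code: a traffic profile built from constructed
# 5-minute samples of HTTP connections (initiator, responder), a correlation
# rule checked against a new sample, and the policy that picks the response.
# All names, addresses and numbers are illustrative.

def build_profile(samples: list) -> dict:
    """Baseline per-sample connection count and unique-initiator count.

    samples: list of samples, each a list of (initiator_ip, responder_ip)."""
    conns = [len(s) for s in samples]
    inits = [len({src for src, _ in s}) for s in samples]
    return {
        "name": "KOKO",
        "connections": {"mean": mean(conns), "stdev": pstdev(conns)},
        "initiators": {"mean": mean(inits), "stdev": pstdev(inits)},
    }

def rule_wawa(profile: dict, sample: list, max_stdev: float = 2.0) -> dict:
    """Correlation rule: fires when the sample shows more than 2 connections
    AND more than 2 unique initiators (the page's rule), and also reports
    whether either metric sits more than max_stdev above the baseline."""
    conns = len(sample)
    inits = len({src for src, _ in sample})

    def z(metric, value):
        sd = profile[metric]["stdev"]
        return 0.0 if sd == 0 else (value - profile[metric]["mean"]) / sd

    return {
        "rule": "WAWA",
        "connections": conns,
        "initiators": inits,
        "absolute_match": conns > 2 and inits > 2,
        "deviation_match": z("connections", conns) > max_stdev
                           or z("initiators", inits) > max_stdev,
    }

def policy_soso(profile: dict, sample: list) -> list:
    """Correlation policy SOSO: run WAWA and return the responses to send."""
    result = rule_wawa(profile, sample)
    if result["absolute_match"]:
        return [{"type": "email", "subject": "SOSO: WAWA matched on KOKO",
                 "detail": result}]
    return []

# Constructed one-hour baseline (12 samples of 5 minutes) of normal HTTP
# traffic: one or two workstations talking to the intranet web server.
BASELINE = [
    [("10.1.1.10", "10.1.1.80")],
    [("10.1.1.10", "10.1.1.80"), ("10.1.1.11", "10.1.1.80")],
] * 6

QUIET = [("10.1.1.10", "10.1.1.80"), ("10.1.1.10", "10.1.1.80")]
BURST = [("10.1.1.10", "10.1.1.80"), ("10.1.1.11", "10.1.1.80"),
         ("10.1.1.12", "10.1.1.80"), ("10.1.1.13", "10.1.1.80"),
         ("10.1.1.13", "10.1.1.80")]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print(policy_soso(profile, QUIET))   # no response
    print(policy_soso(profile, BURST))   # one email response
```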


NAT Policy: predictably, this policy configures Network Address Translation (NAT).
System Policy: this controls a variety of device settings like the local firewall, time synchronization
and so on. The system policy is applied to all appliances, meaning the Defense Center and all
Health Policy: this policy sets warning and critical thresholds for various health parameters such
as disk space and CPU usage. You can also enable or disable various health checks as your heart

In FirePOWER version 5.4 we got two new policy types:

SSL Policy (for SSL decryption; once created, you must specify the SSL policy in the
Advanced tab of the Access Control policy)
Network Analysis Policy: contains the advanced IPS (Intrusion Policy) settings
(the preprocessors used by Snort).

In FirePOWER version 6.0 we got some new policies, such as:

DNS Policy
Identity Policy (for ISE integration)


Road Map for Configuring FirePOWER

CLI - Initial setup
- Add (register) the device to FireSIGHT (FS):
  configure manager add <FireSIGHT IP address> cisco123
  (cisco123 here is the registration key; you enter the same key when adding the device in the GUI)

GUI - Initial setup
- Add licenses
  System > Licenses, click Add New License
- Add (register) managed devices (FP)
  Devices > Device Management, click Add, click Device
- Apply licenses to FP
  Devices > Device Management, click Add, click Device
- Configure FP interfaces & network features (device management)
  Devices > Device Management, click the managed device's IP address
  Click the Inline Sets tab, click Add Inline Set
  Click the Interfaces tab, click the yellow pencil, click Inline
  Policies > Users, add LDAP connection
  Policies > Users, add User Agent
- Configure FMC user accounts (account management)
  System > User Management > Users tab, click Create User
  System > User Management > User Roles tab, click Create User Role
  System > User Management > Login Authentication tab, click Authentication Object
- Create objects (object management)
  Objects > Object Management
- Configure Intrusion (IPS) policy
  Policies > Intrusion, click Create New Policy
  Choose your base policy and don't forget your FireSIGHT Recommendations
- Configure File (AMP) policy
  Policies > Files (in v6 it is called Malware & File Policy)
  Click Create New Policy
  Click New Rule

- Configure Access Control policy

  Policies > Access Control, click Create New Policy
  Click Add Rule
  Associate the intrusion policy and file policy from the Inspection tab if needed

For URL Filtering:

Navigate to System > Local > Configuration.
Select Cloud Services.
Select the Enable URL Filtering check box in order to enable URL Filtering.


Check that you have the URL license:

System > Licenses

Navigate to the Objects > Object Management page.

Select Individual Objects for URL, and click the Add URL button. The URL Objects window

After you save the changes, navigate to Policies > Access Control and click the pencil icon in
order to edit the Access Control policy.
Select Add Rule.
Add your URL object to the rule with the Allow action and place it above the URL Category rule,
so that its rule action is evaluated first.

- Intrusion event analysis & reporting

To navigate to the default intrusion event workflow, go to
Analysis > Intrusions > Events.
The default workflow is called Events by Priority and Classification.

There are several views available for analyzing the events generated by file policy rules, found
under Analysis > Files:
Malware Events
File Events
Captured Files
Network File Trajectory

Overview > Reporting > Report Templates tab, click Create Report Template

We can also schedule report generation at periodic times by going to

System > Tools > Scheduling, click Add Task, then choose Job Type: Report

- Configure System & Health policies

System > Local > Configuration
System > Local > System Policy, click Create Policy
System > Updates
System > Licenses
System > Monitoring > Audit
System > Monitoring > Syslog
System > Monitoring > Task Status
System > Monitoring > Statistics
System > Tools > Backup/Restore
System > Tools > Scheduling
System > Tools > Import/Export
System > Tools > Data Purge


Health > Health Monitor

Health > Health Policy
Health > Health Events
Health > Blacklist
Health > Health Monitor Alerts

- Configure Network Discovery policy

Policies > Network Discovery, click Add Rule
Once the discovery policy is created and applied, the managed devices begin sending
information to the Defense Center.
This information can be viewed in many different ways under Analysis > Hosts.

Network Discovery Policy information collected about networks can be viewed under Analysis >
Connection Events.

Devices can also collect connection data, and you can check out the events by going to Analysis >
Connection Events.

Once user discovery is enabled, the users table and user activity in the database will populate.
You can see their contents by navigating to
Analysis > Users > Users
Analysis > Users > User Activity

To obtain a client fingerprint for a host (client or server):

Policies > Network Discovery
Click Custom Operating Systems
Click Create Custom Fingerprint

Creating an Nmap Scan Instance

Policies > Actions > Scanners
Click Add Nmap Instance
Click Add (from Configured Remediation)

Creating an Application Detector

Policies > Application Detectors, click Create Detector


- Configure Correlation policy

Correlation Policy & Rule Configuration

To create a rule:
Policies > Correlation, then click the Rule Management tab, then Create Rule

To create a policy:
Policies > Correlation, then click the Policy Management tab, then Create Policy; later, to add a
rule, click Add Rules

To create a response:
Actions > Alerts
Actions > Remediations > Instances

In the rule, click the red icon and add the response to the rule

White List Configuration

Policies > Correlation. From here, click the White List tab.
Click the New White List link

Once the white list is created, it is treated in the same manner as a correlation rule,
so it must be implemented via a correlation policy.

These events can be found by navigating to Analysis > Correlation > White List Events

Traffic Profile Configuration

Policies > Correlation. From here, click the Traffic Profiles tab to view existing profiles. By
default, this screen is blank.

To begin, click the New Profile link on the right. This loads the profile configuration screen.

Now that you have one or more traffic profiles, they must be added to a correlation policy to be
of any use.

Traffic profiles can't be added directly to a policy; you must first create rules that will trigger for
certain profile conditions.

- Configure Advanced IPS policy

Policies > Intrusion > Network Analysis Policy

To create a Snort rule:

Policies > Intrusion > Rule Editor
Click the Create Rule button
Now, if you go back to Policies > Intrusion > Rule Editor, you can see our new Snort rule


FirePOWER Resources

Exclusion of EIGRP OSPF and BGP Messages from the Firepower Intrusion Inspection

FireSIGHT URL Filtering using Sourcefire User Agent and LDAP AD

URL Filtering on a FireSIGHT System Configuration Example

VLAN Bridging with FirePOWER

Configuration of a Virtual Router on a FireSIGHT System

How to configure Clustering on Cisco FirePOWER 7000 and 8000 Series Devices

How to configure Stack on the Cisco Firepower 8000 Series Devices

Steps and Tips to Create, Import and Manage Custom Local Rules on a FireSIGHT System

ISE and FirePower integration - remediation service example

Cisco Firepower System Documentation Roadmap

3D tour for ASA with FirePOWER

3D tour for FirePOWER 4100 , 9300

Table of Contents: TAC Documents on FirePOWER Service, FireSIGHT System, and AM


To practice FirePOWER & FireSIGHT

Cisco ASA FirePOWER Module Quick Start Guide

Free Videos

Commercial Books & Videos

Good Luck
CCIE & CCSI: Yasser Auda