Setting Security Policies in Firepower Device Manager

This Cisco Firepower Threat Defense (FTD) blog post covers basic security policy enforcement and network connectivity using Firepower Device Manager (FDM) on an ASA 5506-X.

After you have an image on the device, completed the initial login setup and applied licensing, the first step is to configure the ASA's interfaces and a default route. For the 5506-X model, the default settings were the LAN side configured in a BVI with an IP address of 192.168.1.1/24 and the outside interface set to DHCP. For this lab, the defaults were removed to show how to set it up from scratch.

After your initial login, you should go to the main page and FDM should appear as below. Go to the Interface section and select the arrow below that section.

Select the interface you want to configure, then select the edit button on the far right (screenshot below). Another window will appear; configure the IP address along with any other necessary settings, then make sure the interface is enabled. Repeat this step for the other interfaces you need.

Next, set up routing on the ASA. On the main page, select the arrow underneath the Routing section. Once in the Routing Configuration window, select the Add button in the upper right hand corner. A window will appear where you can configure the static route. Below shows a default route configured.

After the interfaces and routing are set up, NAT and the Access Control Policy can be implemented next. Go to the Policies tab, select NAT, then select the Add button in the upper right hand corner. The below screenshot shows a static NAT for RDP (used later for testing) and a dynamic NAT to provide PAT for internet access. The second screenshot shows the details configured for the dynamic NAT. Note: Network and port objects were configured before the NAT rules were (there are also options to configure objects as you configure a NAT rule).

Dynamic NAT details:

Cisco suggests using Auto NAT unless the extra features that manual NAT provides are necessary.

Now that NAT rules are set up, select the Access Control section and configure your rules for the Access Control Policy. This policy will consist of a mixture of trust, block, and allow rules. Trust rules allow traffic meeting the configured rule criteria to go through the appliance without any security inspection. Block rules will block traffic based on the configured rule, such as blocking the YouTube URL from any device going from the inside security zone to the outside security zone. Allow rules will allow traffic, but that traffic can be inspected by the intrusion and/or file policies. If an intrusion is found in the traffic, then those offending packets will be blocked while legitimate packets are still allowed.

FTD is a zone-based firewall and rules are evaluated in order (from the top down) on a first-match basis, so it is recommended to configure rules with more specific parameters above rules with broader configurations. Typically, you place trust rules first, followed by block rules, then the allow rules. This can vary depending on the organization's security needs. For this lab, the default action has been set to block.

Rules can be configured with a mixture of source and destination security zones, networks or ports, and application, URL and geolocation settings as well. For a rule to be applied, traffic must meet all parameters configured in that rule. If no rule applies to the traffic, then the configured default action is applied. Note: You can integrate the FTD appliance with Active Directory so that you can enforce rules based on identity (AD account) instead of, or in combination with, network-based parameters.

To add a rule to the Access Control Policy (ACP), select the Add button in the upper right hand corner. A window will appear where you can configure the security parameters of the rule, the order number, a title for the rule, logging options and the action to be applied. Below shows an example of a rule allowing traffic from the inside security zone to the outside security zone while applying the intrusion and file (malware) policies to block intrusions found in that traffic.
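To make the top-down, first-match evaluation concrete, here is a small Python model of how an ACP like the one above is matched against a connection. This is example code written for this post, not code from the post, FDM or Cisco; the rule names, zones, addresses and the trust rule's port are constructed, and the model also shows what happens when the broad allow rule is placed above the URL block.

```python
"""Added example (not from the post or Cisco): a minimal model of FTD Access
Control Policy evaluation: top down, first match, every criterion must match,
default action when nothing matches. Names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                   # "trust", "block" or "allow"
    src_zones: set = field(default_factory=set)   # empty set means "any"
    dst_zones: set = field(default_factory=set)
    dst_nets: set = field(default_factory=set)    # CIDR strings
    dst_ports: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    inspect: bool = False                         # IPS/file policy on allow rules

def _any_or(criterion, value):
    return not criterion or value in criterion
def _in_nets(nets, ip):
    return not nets or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def evaluate(policy, conn, default="block"):
    """Return (rule name, action, inspected) for the first rule whose every
    criterion matches the connection; otherwise the default action."""
    for r in policy:
        if (_any_or(r.src_zones, conn["src_zone"]) and _any_or(r.dst_zones, conn["dst_zone"])
                and _in_nets(r.dst_nets, conn["dst_ip"]) and _any_or(r.dst_ports, conn["dst_port"])
                and _any_or(r.urls, conn.get("url"))):
            return r.name, r.action, r.action == "allow" and r.inspect
    return "default", default, False

# Constructed policy in the order the post recommends: trust, then block, then allow.
ACP = [
    Rule("trust-voip", "trust", {"inside"}, {"outside"}, dst_ports={5060}),
    Rule("block-youtube", "block", {"inside"}, {"outside"}, urls={"youtube.com"}),
    Rule("allow-rdp-in", "allow", {"outside"}, {"inside"},
         dst_nets={"192.168.1.10/32"}, dst_ports={3389}, inspect=True),
    Rule("allow-inside-out", "allow", {"inside"}, {"outside"}, inspect=True),
]
# Same rules with the broad allow moved above the URL block: the block never fires.
MISORDERED = [ACP[3], ACP[0], ACP[1], ACP[2]]

YOUTUBE = {"src_zone": "inside", "dst_zone": "outside", "dst_ip": "203.0.113.5",
           "dst_port": 443, "url": "youtube.com"}
RDP_TO_SERVER = {"src_zone": "outside", "dst_zone": "inside", "dst_ip": "192.168.1.10", "dst_port": 3389}

if __name__ == "__main__":
    print(evaluate(ACP, YOUTUBE))          # ('block-youtube', 'block', False)
    print(evaluate(MISORDERED, YOUTUBE))   # ('allow-inside-out', 'allow', True)
```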

Once you are done configuring the rules for the Access Control Policy, you must deploy it to the FTD device. Go to the upper right hand corner and select the Deploy icon (an orange dot indicates a policy change that is ready for deployment). A new window will come up; select Deploy and wait for the policy to be applied to the device.

Now that basic security policies are in place, let's generate some traffic and verify policy enforcement through the FDM monitoring tools. Go to the Monitoring tab and select Events in the left hand pane. From here you can view connection, intrusion, file and malware events. Be sure to have your Access Control rules configured for logging so these events will appear. Here you can verify that traffic is passing through the appliance, and you can filter for specific types of traffic through the filter tool.

Through the Connection Events view, you can select a packet and then select View More Details to look at the particulars for that connection, such as the Access Control rule that was applied to it, source/destination interfaces or zones, and initiator/responder IP addresses. Below shows the packet for the RDP rule that allows RDP from the outside network to a specific server on the LAN:

Another helpful monitoring tool is also under the Monitoring tab. Go to Dashboard, then to the Policies section in the left hand pane. This section allows you to see which Access Control rules are actively being applied, which can assist in troubleshooting your Access Control Policy. Below shows the rules that have been applied in the past hour, such as the YouTube URL block and the RDP allow rules:

In the next Cisco FTD blog, we will cover setting up a VPN tunnel in the FDM. If you are interested in learning more about this product, please do not hesitate to contact me (steven.schmidt@eGroup-us.com, https://www.linkedin.com/in/steven-schmidt-93107310/) or our sales team at sales@eGroup-us.com.
