The labs and lab materials were created by the TME team for the Security Technology Group at
Cisco Systems. For feedback or questions about this lab, please contact Eric
Kostlan erkostla@cisco.com.
Lab Overview
This lab is designed to help attendees understand the new features available with the 6.0 release
of the Cisco ASA with Firepower services.
Note: The lab is not a substitute for Firepower or ASA training. Basic familiarity with these products is assumed.
Lab participants should be able to complete at least 5 of these lab exercises within the allotted lab
time of 4 hours.
If you complete these exercises, you will see most of the new 6.0 Firepower features. Also you
will configure and test the SSL decryption feature, which is now available on the ASA.
The following conventions are used in the lab exercises.
Font: Courier New Bold. Function: Used to indicate text that must be typed in. The output of
some commands also uses this font.
Exercise dependencies
Exercises 1 through 4 must be done in order. After completing the first 4 exercises, you may skip
exercises.
However, if you skip Lab Exercise 5, you must also skip the following steps:
Lab 6, Step 16
Lab 6, Step 19
Also, if you want to do ISE integration (Lab 7.7), you have to do Step 1 of Lab 5.
Note: The ASA 5525-X is running ASA 9.5(2). The SFR is running 6.0.0-1005.
Device IP Address
ASASFR 172.16.1.80
Outside.com 192.168.1.200 (also hosting honeypot.outside.com at 192.168.1.201 and alt.outside.com at 192.168.1.202)
Alt.outside.com 192.168.1.202
Attack.outside.com 192.168.1.210
Note: To reset the password do session sfr do password-reset from the ASA CLI in privileged mode. In
the release used in the course, this will set the admin password on the SFR to Sourcefire.
Attack.outside.com root/FPlab123! (Ubuntu)
There are many domain users and groups. You can get a complete picture by logging into the
Domain Controller using the link in the Remote Desktop Folder on the Jump Box. The table below
shows four users that have carefully configured accounts on PC2.
dilbert/FPlab123! Engineering
harry/FPlab123! HR
ira/FPlab123! Investment
rita/FPlab123! IT
Exercise Objective
The objective of this exercise is to perform initial deployment of the SFR. Upon successful
completion of this exercise, the student will be able to:
Connect to the SFR from the ASA and set the basic network parameters
Have a high-level understanding of on-box management capabilities.
Note: If you have issues typing special characters (such as !) with your keyboard, you can open the
text file Strings to cut and paste on the Jump Box desktop, and copy text from there.
Step 2 Type show module sfr details to confirm that the SFR module does not have an off-box
manager configured:
DC addr: No DC Configured
Step 3 Connect to the SFR module from the ASA using the command session sfr console. Hit
<ENTER>. When prompted, login as admin, password Admin123.
Step 4 Read and accept the EULA. The setup wizard will automatically get launched.
Step 5 Enter the information in the following table into the setup wizard.
Note: The backspace key may not work properly when you enter data. Do not hit Ctrl-C. Just type some
nonsense, and the setup wizard will ask you to re-enter that element.
If you want to correct mistakes made when you ran the setup wizard, use the following commands:
configure password
configure network hostname asasfr.example.com
configure network ipv4 manual 172.16.1.80 255.255.255.0 172.16.1.1
configure network dns servers 172.16.1.100
configure network dns searchdomains example.com
To reset the password, run
session sfr do password-reset
from the ASA CLI in privileged mode. In the release used in the course, this will set the admin password on
the SFR to Sourcefire. This will be changed to Admin123 in a subsequent release; this is issue
CSCuw39605.
FQDN asasfr.example.com
Step 6 Wait about a minute until you see the > prompt.
Step 7 At the > prompt, do the following.
a. Type system support ping outside.com. This will test name resolution and
connectivity. Press Ctrl+C to exit ping.
b. Type show time to confirm that the date is roughly correct. NTP will be configured in
Lab Exercise 2.
Note: The system support submenu has many useful troubleshooting tools. Type system support ? to see
these commands.
You can fork a Bash shell by typing the command expert at the > prompt. Expert mode can be used for
troubleshooting many issues. For example, you can look at the messages log in real time by running the
command tail -f /var/log/messages.
You can become root by typing
sudo su -
at the admin shell prompt and entering the password FPlab123! when prompted.
Step 8 Keep the PuTTY session to the ASA open. You will use this again in Lab Exercise 2.
Step 11 Navigate to Monitoring ASA FirePOWER Monitoring. Confirm that the monitoring capabilities
are minimal. They are considerably less than what you will see with the off-box manager.
a. Expand Policies and select Access Control Policy. Notice that the default access control
policy is to allow all traffic. This page may take several seconds to load.
b. Notice that there is no network discovery policy.
Step 13 Navigate to File Exit. Then click Yes to exit the ASDM.
Exercise Objective
In this exercise, your goal is to perform and test basic policy configuration for the SFR. Upon
successful completion of this exercise, the student will be able to:
Configure and deploy an access policy hierarchy
Configure platform settings and network analysis for sensors
Redirect traffic to the SFR sensor on the ASA
View and filter connection events
Step 17 Navigate to Policies Access Control Access Control. Click New Policy.
a. Enter the following information:
Name: vNGIPS Access Policy
Select Base Policy: Global Access Policy
b. Click Save. Wait a few seconds for the policy to open for editing.
c. Note that 2 rules were inherited from the Global Access Policy. Confirm that you cannot
modify or delete these rules.
d. At the bottom of the rules table, in the Default Action drop-down menu, select Intrusion
Prevention: Balanced Security and Connectivity. Be sure not to select Inherit from
base policy, because we want the logging settings to be specific to this policy.
i. Click on the scroll icon to the right of the drop-down menu you just used.
ii. Check the Log at Beginning of Connection checkbox.
iii. Check the Log at End of Connection checkbox.
c. Click Register.
Note: The registration process, and the policy deployment, can take a couple of minutes. Please
proceed to the next step to save some time.
Step 20 On the Jump Box desktop, open the PuTTY link. Double click on the preconfigured session
called VNGIPS. Login as admin, password FPlab123!.
a. Type the command configure manager add fmc.example.com cisco123.
b. Wait for the command to return. Then type show managers to confirm that the
registration is pending.
Step 21 In the Firepower Management Center, navigate to Devices Device Management.
a. Select Add Device from the Add drop-down menu in the upper right corner.
c. Click Register.
Note: The registration process, combined with the policy deployment, can take a couple of minutes.
Please proceed to the next step to save some time.
a. Run the command show managers to confirm that the registration is completed.
b. Exit from the SFR by typing Ctrl+^ (or Ctrl+Shift+6) followed by x.
Note: If you have trouble getting Ctrl+^ to work on your keyboard, just close this PuTTY session, and start a
fresh PuTTY session to the ASA.
c. Back on the ASA CLI, type show module sfr detail and confirm that this
information has been updated.
d. Keep this PuTTY session open.
Step 23 Back on the VNGIPS PuTTY session:
a. Run the command show managers to confirm that the registration is completed.
b. You may close this PuTTY session, if you wish, by typing exit.
Step 24 Click on the icon to the right of the Deploy link in the upper right-hand corner of the FMC UI. This
icon may be a green check, yellow warning, or a red exclamation mark, depending on health-
checks.
Note: There are 3 tabs in this drop-down page. The Tasks tab is particularly useful to keep track of
completed and failed tasks, and tasks that are in progress.
b. Click Save.
Step 27 In the Firepower Management Center, navigate to Devices Platform Settings.
a. Click on the blue text Firepower Settings Policy.
c. Click Save.
d. Select Time Synchronization from the navigation panel on the left. Confirm that the Via
NTP from Management Center radio button is selected.
e. Click Save.
You will deploy this policy along with the network discovery policy in the following task.
The lab uses some RFC1918 addresses outside the firewall, but they are limited in number and
should not cause confusion.
e. Click Save.
Step 29 Click Deploy in the upper right hand corner of the FMC UI.
a. Check the checkboxes for both devices, and expand the list to see the details. Confirm
that network discovery and platform setting are out of date on both devices.
b. Click the Deploy Button. Do not wait for deployment to complete to move on to the next
task.
Step 32 Navigate to Monitoring, and confirm that you no longer have a tab for ASA Firepower Monitoring.
Step 33 Navigate to Configuration, and confirm that you no longer have a tab for ASA Firepower
Configuration.
Step 34 Navigate to Configuration Firewall Service Policy Rules.
a. Click Add.
b. (Step 1 of 3 in wizard) Leave this page alone. Click Next.
c. (Step 2 of 3 in wizard) Select Use class-default as the traffic class. Click Next.
d. (Step 3 of 3 in wizard) Select the ASA FirePOWER Inspection tab. Check the Enable
ASA FirePOWER for this traffic flow checkbox. Leave other settings alone. Click Finish.
Note: If you checked the Enable Monitor Only checkbox, you would put the SFR into IDS mode. Traffic would be
copied from the ASA to the SFR module, but the SFR module would not be in the data path. This can allow
you to confirm that the policies on the SFR are working properly before you switch to IPS mode. However,
to save time in this lab, we will not work with IDS mode.
Note: If the SFR was in monitor-only (IDS) mode, the last line would read: sfr fail-open monitor-only.
Step 36 Navigate to File Exit. When the Configuration Modified dialog box appears, click Save and
Send. Then click Yes to exit the ASDM.
Note: Since you set the action of the rule to block gambling sites to drop with reset, you might expect to see reset-
drops for http://partypoker.com. However, since you configured the SFR to send an end-user notification,
the reset is not sent.
b. Type show asp drop | inc SFR. Note that the number of ASP drops equals the
sum of the reset-drops and drops seen in the previous sub-step.
Step 40 (Optional) Connect to the SFR CLI, by typing session sfr console. Hit <ENTER>. You
should already be logged in to the SFR. But, if needed, login as admin, password FPlab123!.
Run the following command.
system support firewall-engine-debug
This tool is very useful for debugging policy rule matching.
a. Select the following criteria.
Please specify an IP protocol:
Please specify a client IP address: 172.16.1.21
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
You must select at least one criterion when you use this tool.
Cisco ASA with Firepower Services 6.0 (v1.3) February 2016 20
b. Repeat Step 38 (b, c and d), and pay attention to the output of this debug command.
Step 41 The vNGIPS generates a large volume of events relative to the SFR. Therefore, you
will build a filter to focus on events generated by the SFR.
a. In the FMC, navigate to Analysis Search.
c. Click Save.
Step 42 Navigate to Analysis Connections Events. Select ASASFR Only from the search sub-menu.
This view will be the most useful when investigating events in later labs.
Exercise Objective
In this exercise, your goal is to perform Security Intelligence configuration. Upon successful
completion of this exercise, the student will be able to:
Deploy an IP based black list
Deploy a URL based black list
Configure and deploy a DNS sinkhole
Note: Each of these Security Intelligence objects can be either a list or a feed. Lists make the lab go faster, but if you
want to work with feeds, instructions are included in a box at the end of each step.
Step 3 Select Security Intelligence DNS Lists and Feeds. Click Add DNS Lists and Feeds.
a. For Name type DNSList1. Select List from the Type drop-down menu.
b. Click Browse. Open DNS_List.txt.
c. Click Upload. Click Save.
Step 4 Select Security Intelligence URL Lists and Feeds. Click Add URL Lists and Feeds.
a. For Name type URLList1. Select List from the Type drop-down menu.
b. Click Browse. Open URL_List.txt.
c. Click Upload. Click Save.
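To make the matching behaviour of the DNS and URL lists concrete, the following added example (not code from the lab or from Cisco) parses list files in the shape of DNS_List.txt and URL_List.txt and applies them to sample queries and URLs. The matching semantics it uses are assumptions for illustration: a DNS list entry matches the listed domain and its subdomains (and a sinkhole rewrites the answer), and a URL list entry matches any URL whose host and path begin with the entry, regardless of scheme. The list contents and the sinkhole address 192.0.2.1 are constructed.

```python
"""Security Intelligence list matching, as an added illustration (not the lab's
own code).  Assumed semantics: a DNS list entry matches the listed domain and
its subdomains; a URL list entry matches any URL whose host+path begins with
the entry, regardless of scheme.  Both are assumptions for this example."""
from urllib.parse import urlsplit

# Constructed sample list contents standing in for DNS_List.txt / URL_List.txt.
DNS_LIST_TXT = """# constructed sample DNS list: one domain per line
honeypot.outside.com
attack.outside.com
"""
URL_LIST_TXT = """# constructed sample URL list: host/path prefixes, no scheme
outside.com/files/Zombies.pdf
alt.outside.com/malware/
"""

# Sinkhole address used by the example (TEST-NET-1, a constructed value).
SINKHOLE_IP = "192.0.2.1"


def parse_list(text):
    """Parse an uploaded list: strip '#' comments, blank lines, and case."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line.lower())
    return entries


def dns_matches(entries, qname):
    """True if the query name equals a listed domain or is a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == e or q.endswith("." + e) for e in entries)


def sinkhole_answer(entries, qname):
    """DNS sinkhole action: rewrite matching answers to the sinkhole IP,
    otherwise return None to let the real answer through."""
    return SINKHOLE_IP if dns_matches(entries, qname) else None


def url_matches(entries, url):
    """True if host+path of the URL starts with a listed prefix (scheme ignored)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    canonical = (parts.netloc + parts.path).lower()
    return any(canonical.startswith(e) for e in entries)


if __name__ == "__main__":
    dns = parse_list(DNS_LIST_TXT)
    urls = parse_list(URL_LIST_TXT)
    for name in ("www.honeypot.outside.com", "outside.com"):
        print(name, "->", sinkhole_answer(dns, name))
    for u in ("https://outside.com/files/Zombies.pdf", "http://outside.com/files/test3.avi"):
        print(u, "->", url_matches(urls, u))
```

Note that a parent domain such as outside.com is not matched by an entry for one of its subdomains, and that the URL check ignores the query string, so the same entry matches both the HTTP and HTTPS form of a URL.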
b. Click Save.
c. Click Add to add the rule. Then click Save to save the new DNS policy.
b. Check the checkboxes for the ASASFR, and click the Deploy button.
Exercise Objective
In this exercise, your goal is to understand how Snort and OpenAppID are configured on
Firepower.
Configure and deploy a custom intrusion policy, including Snort preprocessor settings
and custom Snort rules
Utilize the OpenAppID feature to deploy a custom application detector
d. Click OK.
e. Click Save to save the changed you made to the Global Access Policy.
These changes will be deployed later in this lab exercise.
Note: The rules lack the service metadata attribute. This reflects a significant change in Snort from
previous releases of Firepower. This feature is called Port Override for Service Metadata. See the
appendix for details.
Step 2 In the FMC, navigate to Objects Intrusion Rules. Click Import Rules.
a. Select the Rule update or text rule file to upload and install radio button.
b. Click Browse, and open the Snort_Rules.txt file in the Files folder of the Jump Box
desktop.
c. Click Import. The import process will take a minute or two. When it completes you will
see the Rule Update Import Log page. Confirm that 2 rules were successfully imported.
Step 3 Navigate to Policies Access Control Intrusion.
e. Check the checkbox next to the first rule. Select Generate Events from the Rule State
drop-down menu. Click OK. Uncheck the checkbox next to the first rule.
f. Check the checkbox next to the second rule. Select Drop and Generate Events from the
Rule State drop-down menu. Click OK.
Step 6 Click on Policy Information in the menu on the upper-left.
Step 7 Click Commit Changes. Click OK.
Step 10 Click the Add button to the right of the Application Protocol drop-down menu.
a. Fill out the Application Editor page as below.
b. Click OK.
Note: In this lab, we will build a basic detector. This means the Lua script will be created for us. An alternative is
to create an advanced detector. This allows us to upload a custom Lua script.
Step 12 Click the Add button to the right of the Detection Patterns drop-down menu.
a. Fill out the Add Pattern page as below.
b. Click OK.
Step 13 Confirm that the application detector is configured as in the following figure. Then click Save.
Open the custom detector in Wordpad, and inspect the Lua script.
c. Click OK.
Note: Setting Maximum Active Responses to a value greater than 0 enables the rules that drop packets to send
TCP resets to close the connection. Typically both the client and server are sent TCP resets. With the
configuration above, the system can initiate up to 25 active responses (TCP Resets) if it sees additional
traffic from this connection.
In a production deployment, it is probably best to leave this set to the default. Then no resets are sent, and
the malicious system will not know that it has been detected. But for testing and demonstrations, it is
generally better to send resets when packets match.
Click Save, and deploy the policy as before.
Exercise Objective
The objective of this exercise is to configure and utilize SSL decryption. Upon successful
completion of this exercise, the student will be able to:
Create and deploy an SSL policy
Understand how certificates are manipulated during SSL decryption.
Note: If you wish you can access the Example CA. There is a link on the Firefox browser. When prompted, log in
as Administrator, password FPlab123!.
Step 1 In the FMC, navigate to Objects Object Management PKI Trusted CAs.
a. Click Add Trusted CA.
b. For Name, enter 0Example. Prepending the zero will make the certificate easier to find
in trusted CA lists.
c. Click Browse, and browse the Desktop Certificates.
d. Upload Example_CA.cer.
e. Click Save.
Step 2 Navigate to Objects Object Management PKI Internal CAs.
a. Click Import CA.
b. For Name, enter Verifraud.
c. Click the Browse button to the right of the text Certificate Data or, choose a file.
d. Upload Verifraud_CA.cer.
e. Click the Browse button to the right of the text Key or, choose a file.
f. Upload Verifraud_CA.key.
g. Click Save.
Step 3 Navigate to Objects Object Management PKI Internal Certs.
a. Click Add Internal Cert.
b. For Name, enter InsideServers.
c. Click the Browse button to the right of the text Certificate Data or, choose a file.
d. Upload Inside.cer.
e. Click the Browse button to the right of the text Key or, choose a file.
f. Upload inside.key.
g. Click Save.
Note: The Replace Key checkbox deserves explanation. Whenever the action is set to Decrypt Resign,
Firepower will replace the public key. The Replace Key checkbox determines how the decrypt action is
applied to self-signed server certificates.
If Replace Key is deselected, self-signed certificates are treated like any other server certificates.
Firepower replaces the key, and resigns the certificate. Generally the endpoint is configured to trust
Firepower, and therefore will trust this resigned certificate.
In other words, checking the Replace Key checkbox makes the resign action preserve lack-of-trust for
self-signed certificates.
Step 13 Click the scroll icon to the right of the Default Action. Check the Log at End of Connection
checkbox, and click OK. Note that as long as the Decrypt other rule is enabled, the Default
Action will not be hit. Therefore these log settings will not matter in this lab.
Note: Rule 3 may look redundant, in light of Rule 6. However it does make a difference if the HTTPS server
cannot be resolved to a URL category. When rule matching evaluates Rule 5, the decision will be made
not to decrypt, pending URL category resolution. This will avoid violating a policy, in the case the HTTPS
server turns out to be an unclassified financial services website.
Note: There is a bug in this particular build where application identification can break SSL decryption. Therefore, it
is essential that for your testing you are not using the OpenAppID test application.
Step 20 In the Remote Desktop folder on the Jump Box desktop, double click on PC3. PC3 lies outside
the firewall. It will be used to test inbound connections to internal HTTPS servers.
a. Wait a few seconds for AnyConnect to connect. When presented with the security
warning, click Connect Anyway.
b. Login to AnyConnect as harry, password FPlab123!. Wait for the VPN connection to
be established.
c. Open up Firefox from the desktop icon.
d. Click the Party Poker bookmark on the bookmarks toolbar. You should see the default
Sourcefire block page. This confirms that policies are being enforced over the
AnyConnect SSL connection.
e. Click the HTTPS to Unix.Example bookmark on the bookmarks toolbar.
i. Click on the lock icon to the left of the URL. Click More Information, and confirm
the certificate is signed by example-DC-CA. Since this certificate has a known
key, Firepower does not need to resign it.
ii. Surf to Files pz.html. The connection will be reset, because pz.html contains
the string ProjectZ. Even without resigning, the traffic was decrypted and
analyzed by Firepower.
f. Click the HTTPS to Alt.Example bookmark on the bookmarks toolbar. The connection
will be reset because the certificate for this internal website is signed by an unknown CA.
Step 21 In the FMC, navigate to Analysis Connections Events.
a. Apply the ASASFR Only filter.
b. Drill down to the Table View of Connection Events.
c. Scroll through the events, focusing on the SSL Status column. Confirm that SSL
decryption is behaving as you expect.
d. Click on the X in any uninteresting field. For example, you can use the Initiator Country
Field.
e. Scroll down the list of disabled columns, and confirm that there are many SSL related
columns that are not shown by default.
f. Scroll down to the bottom of the list of columns, and click Cancel.
d. Click Save.
Step 5 Click Add File Rule. This rule will block RIFF files. You will use an AVI file to test this rule, since
an AVI file is a type of RIFF file. But note that AVI is not listed separately as a file type.
a. For Action select Block files.
b. Under File Types, type rif into the search box. Select RIFF from the list. Click Add.
c. Use default values for other settings. Your screen should look like the figure below.
d. Click Save.
Note: You cannot change the order of the rules you create. The order of the rules does not matter. The
action of the rule determines its precedence. The precedence of actions is as follows.
1. Block Files
2. Block Malware
3. Malware Cloud Lookup
4. Detect Files
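The two points in this step, that an AVI file is recognised by its RIFF container rather than as a separate type, and that rule order is irrelevant because the action decides precedence, can be seen in the following added example (not code from the lab or from Cisco). The precedence order is the one listed above; the byte-level RIFF and PDF checks, the rule representation, and the sample file blobs are this example's own constructed assumptions.

```python
"""File-type detection by magic bytes and file rule action precedence, as an
added illustration (not the lab's own code).  The precedence order is the one
the lab note lists; the byte-level RIFF/PDF checks and the rule representation
are this example's own assumptions."""
import struct

# Highest precedence first, as listed in the lab note.
ACTION_PRECEDENCE = ["Block Files", "Block Malware", "Malware Cloud Lookup", "Detect Files"]


def riff_form_type(data):
    """Return the RIFF form type (b'AVI ', b'WAVE', ...) or None if not RIFF.
    RIFF layout: 'RIFF' | uint32 LE chunk size | 4-byte form type | chunks."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return None
    (size,) = struct.unpack("<I", data[4:8])
    if size < 4:                      # must at least hold the form type
        return None
    return data[8:12]


def classify(data):
    """Map raw bytes to a coarse file type name.  Every RIFF container,
    AVI included, reports as 'RIFF' because AVI has no separate type here."""
    if riff_form_type(data) is not None:
        return "RIFF"
    if data.startswith(b"%PDF-"):
        return "PDF"
    return "unknown"


def effective_action(rules, file_type):
    """rules: list of (action, set_of_file_types).  Rule order is ignored;
    the highest-precedence action among matching rules wins."""
    matching = [action for action, types in rules if file_type in types]
    for action in ACTION_PRECEDENCE:
        if action in matching:
            return action
    return None


def build_avi_sample():
    """Constructed minimal AVI-shaped RIFF blob (not a playable file)."""
    body = b"AVI " + b"LIST" + struct.pack("<I", 4) + b"hdrl"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed PDF-shaped sample standing in for Zombies.pdf.
PDF_SAMPLE = b"%PDF-1.4\n%constructed sample\n"

# Rules in the order a user might have created them; order does not matter.
SAMPLE_RULES = [
    ("Detect Files", {"PDF", "RIFF"}),
    ("Block Files", {"RIFF"}),
]

if __name__ == "__main__":
    for name, blob in (("test3.avi", build_avi_sample()), ("Zombies.pdf", PDF_SAMPLE)):
        ft = classify(blob)
        print(name, ft, effective_action(SAMPLE_RULES, ft))
```

Reversing SAMPLE_RULES gives the same result for the AVI blob, which is the behaviour the note describes: the Block Files action wins over Detect Files no matter which rule was created first.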
Step 7 Select the Advanced tab. Confirm that Enable Custom Detection List is selected. Check the
Inspect Archives.
Note: Uninspectable archives are corrupt archives, or archives with a depth that exceeds the Max Archive Depth.
Step 8 Click the Save button in the upper-right to save the file policy.
Step 9 In the FMC, navigate to Objects Object Management. Select File Lists from the left-hand
navigation panel. Edit the Custom Detection List.
a. Select Calculate SHA from the Add by drop-down menu.
b. Click Browse, and select Zombies.pdf from the Files folder on the Jump Box desktop.
Click Open.
c. Click Calculate and Add SHAs.
Note: This rule will capture all traffic. If you do not apply an intrusion policy to this rule, no traffic will be
inspected by the IPS.
d. Click the Logging tab. Confirm that the Log Files checkbox is also checked. Leave the
other settings alone.
e. Click OK to add the rule to the policy.
Step 12 Observe that the default rule from the Global Access Policy has a yellow warning triangle to the
left of its name. This is because the rule can no longer be hit by devices using the ASASFR
Access Policy.
Note that even though you cannot delete inherited default rules, you can preempt them.
Step 13 Click Save to save the changes to the access control policy.
Step 14 Deploy the changes, and wait until the deployment completes. You can ignore the warning.
Step 16 Repeat the previous Step, but use HTTPS instead of HTTP.
wget -t 1 --no-check-certificate https://outside.com/files/test3.avi
wget -t 1 --no-check-certificate https://outside.com/files/Zombies.pdf
Note that even though you are using HTTPS, your policy is enforced because of SSL inspection.
Step 17 Transfer several files.
Step 22 Navigate to Analysis Files Captured Files and select Table View of Captured Files. Confirm
that files have been captured.
Exercise Objective
In this exercise, your goal is to configure identity services available on Firepower. Upon
successful completion of this exercise, the student will be able to:
Configure passive authentication, using the Cisco Firepower User Agent
Configure active authentication
Redirect traffic to the SFR sensor on the ASA
Configure Firepower to use the Cisco Identity Services Engine (ISE) for passive
authentication.
Note: You must take care when integration between Firepower and ISE is discussed, because it can mean more
than one thing. There is also a (currently unsupported) remediation module that allows the FMC to send
commands to ISE by using correlation policies.
Name EXAMPLE
Type AD
Base DN dc=example,dc=com
Group DN dc=example,dc=com
Note: There is a troubleshooting tool included when you install the Firepower User Agent. In particular, you can
see the IP-to-user mappings the agent has received from the domain controller. You will probably not need
this in the Lab. See appendix for details.
Step 7 In the FMC, navigate to System Integration and select the Identity Sources tab.
a. Click the User Agent button.
b. Click the New Agent button.
c. For Host Name/IP Address, enter sfua.example.com.
d. Click Add to add the agent to the list of agents.
e. Click Save to save the identity sources configuration.
Step 8 In the Remote Desktop folder on the Jump Box desktop, double-click on the SFUA short-cut.
Step 9 Double-click on the Cisco icon labeled Configure Cisco Firepower User Agent for Active Directory
on the SFUA desktop.
Step 10 Select the Active Directory Servers tab in the Cisco Firepower User Agent configuration tool.
a. Click Add, and enter the following information.
Domain EXAMPLE
Password FPlab123!
b. Click Add.
Step 11 Select the Firepower Management Centers tab in the Cisco Firepower User Agent configuration
tool.
a. Click Add, and enter the Server Name/IP Address fmc.example.com.
b. Click Add.
c. Click Save.
d. Wait a few seconds for the directory server to become available.
Note: To display the active rules and how many times they have been hit, run
show asp table classify domain captive-portal
on the ASA CLI.
Note: This certificate is used when the client is redirected (HTTP 307) to the ASA interface for authentication over
HTTPS. Since the redirect URL contains the ASA interface IP, it is important that this IP be included as a
Subject Alternate Name in this certificate, to avoid browser warnings.
You will see the redirect URL when you test active authentication in Task 6.6:
https://172.16.1.1:885/x.auth?r=2&s=172.16.1.21&a=0&u=http%3A%2F%2Foutside.com%2F
Note: If you run into an issue in this task, you may want to restart the Authentication Directory Interface (ADI) on
the FMC. To do this:
1. Login to the FMC using PuTTY. Login as admin, password FPlab123!.
2. Become root by typing sudo -i and entering the password FPlab123!.
3. Run the commands:
pmtool disablebyid adi
pmtool enablebyid adi
If you want to do more extensive debugging of ADI, run the ADI in the foreground with debugging enabled:
pmtool disablebyid adi
adi --debug
Step 24 From the Jump Box desktop, open the PC2 link in the Remote Desktop folder. PC2 is a member
of the EXAMPLE domain, so passive authentication should be used. Login as ira, password
FPlab123!.
a. Open Firefox, and browse on the home page to Files py.html. Confirm that you are
not asked to authenticate.
b. Launch PuTTY from the desktop icon. Click on the preconfigured link outside.com. The
connection should be allowed. Close the connection; there is no need to log in.
c. Launch PuTTY from the desktop icon. Click on the preconfigured link outside.com:53.
The connection should be reset.
Step 25 Logout of PC2 and log back in as harry, password FPlab123!. Harry is a member of the HR
group.
a. Launch PuTTY from the desktop icon. Click on the preconfigured link outside.com. The
connection should not be allowed, because Harry is in the HR group.
b. Launch PuTTY from the desktop icon. Click on the preconfigured link outside.com:9922.
The connection should not be allowed, because Harry is in the HR group.
Step 26 From the Jump Box desktop, open the PC1 link in the Remote Desktop folder. PC1 is not a
member of the EXAMPLE domain, so active authentication should be used.
a. Open the Firefox browser (if not already open) using the link on the PC1 desktop. Select
View Sidebar LiveHTTPHeaders (if not already selected). This will give insight into
the HTTP traffic.
b. Refresh the home page. You should see a login pop-up in the browser.
c. In the LiveHTTPHeaders sidebar, you should see the redirect:
HTTP/1.1 307 Proxy Redirect
Location: https://172.16.1.1:885/x.auth?r=2&s=172.16.1.21&a=0&u=http%3A%2F%2Foutside.com%2F
Connection: close
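The redirect above, together with the earlier note that the ASA interface IP must appear as a Subject Alternative Name in the captive-portal certificate, is the basis for the following added example (not code from the lab or from Cisco). It parses the 307 response, pulls the portal host and port and the query parameters out of the Location header, and checks the portal host against a list of SAN entries. The SAN list is a constructed input, and the reading of the query parameters (s as the client IP, u as the original URL) is taken from the sample URL and is an assumption of this example.

```python
"""Captive-portal redirect check, as an added illustration (not the lab's own
code).  Parses the HTTP 307 response shown in the lab, extracts the portal
host/port and query parameters, and checks the portal host against the
certificate's Subject Alternative Names.  The SAN list is a constructed
input; the query parameter meanings (s = client IP, u = original URL) are
read off the sample URL and are assumptions of this example."""
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the response headers shown in the lab.
SAMPLE_RESPONSE = (
    "HTTP/1.1 307 Proxy Redirect\r\n"
    "Location: https://172.16.1.1:885/x.auth?r=2&s=172.16.1.21&a=0"
    "&u=http%3A%2F%2Foutside.com%2F\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_redirect(raw):
    """Return a dict describing a 307 redirect, or None if the response is not one."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)          # HTTP/1.1 307 Proxy Redirect
    if len(parts) < 2:
        return None
    status = parts[1]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if status != "307" or "location" not in headers:
        return None
    loc = urlsplit(headers["location"])
    query = parse_qs(loc.query)
    return {
        "scheme": loc.scheme,
        "portal_host": loc.hostname,
        "portal_port": loc.port,
        "client_ip": query.get("s", [None])[0],
        "original_url": query.get("u", [None])[0],
    }


def san_covers_host(host, sans):
    """sans: list of (kind, value) with kind 'IP' or 'DNS'.  An IP-literal
    host must appear as an IP SAN; a name must appear as a DNS SAN."""
    try:
        host_ip = ip_address(host)
    except ValueError:
        host_ip = None
    for kind, value in sans:
        if host_ip is not None and kind == "IP" and ip_address(value) == host_ip:
            return True
        if host_ip is None and kind == "DNS" and value.lower() == host.lower():
            return True
    return False


def check_redirect(raw, sans):
    """Combine the parse with the SAN check; report every problem found."""
    info = parse_redirect(raw)
    if info is None:
        return {"ok": False, "problems": ["not a 307 redirect with a Location header"]}
    problems = []
    if info["scheme"] != "https":
        problems.append("portal is not served over HTTPS")
    if not san_covers_host(info["portal_host"], sans):
        problems.append("portal host is not in the certificate SAN")
    return {"ok": not problems, "problems": problems, **info}


if __name__ == "__main__":
    # Constructed SAN list for the portal certificate (hypothetical names).
    print(check_redirect(SAMPLE_RESPONSE, [("DNS", "asa.example.com"), ("IP", "172.16.1.1")]))
```

Because the Location host is an IP literal, a certificate that carries only a DNS SAN fails the check even when the name resolves to that address, which is exactly the browser warning the note cautions about.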
Note: Since 802.1x is not available in the lab pods, you will not actually test the ISE authentication process.
However, you will see how ISE attributes can be made available in the FMC to configure access control
policy rules.
Note: If you skipped Lab Exercise 5, please go back and do Step 1 before you proceed with this lab.
Step 28 In the FMC navigate to System Integration, and select the Identity Sources tab.
Step 29 Click the Identity Services Engine button.
a. For Primary Host Name/IP Address, enter ise.example.com.
b. Select 0Example from the pxGrid Server CA drop-down list.
c. Select 0Example from the MNT Server CA drop-down list.
d. Click the Add button to the right of the MC Server Certificate drop-down list.
e. Click the green circle (with plus sign) to the right of the Server Certificate drop-down
menu.
i. For Name, enter FMCpxgrid.
ii. Click the Browse button to the right of the text Certificate Data or, choose a file,
and browse to Desktop Certificates.
iii. Upload fmc.cer.
iv. Click the Browse button to the right of the text Key or, choose a file, and browse
to Desktop Certificates.
v. Upload fmc.key.
vi. Click Save.
f. Click Test. If the connection fails click Test again. If the test continues to fail, check
your configuration.
g. Click Save. Since you cannot use the Cisco Firepower User agent and ISE at the same
time, you will see the following warning.
h. Click Yes.
c. In the Available ISE Session Attributes column, select Device Type, and confirm that the
Available ISE Metadata column auto-populated.
d. In the Available ISE Session Attributes column, select Location IP, and confirm that the
Step 31 In the Firefox browser you have been using to manage the FMC, open another tab and click on
the ISE bookmark on the bookmark toolbar.
a. Login to ISE. The login screen should be populated, but in case you need to know, the
login is admin, password FPlab123!.
b. Navigate to Administration pxGrid Services. Notice that in the list of clients, there are
two entries related to FMC.
c. Expand iseagent-fmc.example.com.
d. Note the 3 capabilities, or topics of information, that the FMC is subscribed to:
EndpointProfileMetaData contains the ISE device information
SessionDirectory defines the ISE session attributes
TrustSecMetaData defines the Security Group Tag (SGT) information
Exercise Objective
In this exercise, your goal is to perform basic domain configuration. Upon successful completion
of this exercise, the student will be able to:
Configure domains
Confirm visibility and control restrictions domains provide
c. Click Save.
c. Click Save.
Step 4 Click Save to save the domain configuration. You will be presented with the following dialog box.
Leave the default setting to delete the old network map. Then click Save.
Note: If you want to avoid losing the old network map, you can create a 3rd domain with no devices in it, and have
the 3rd domain inherit the network map.
Step 5 When you see the following message, click OK. Do not deploy the changes yet.
Step 6 Look at the upper right-hand corner of the FMC to confirm that you are in the Global domain.
This may take a minute or so, and perhaps a browser refresh.
Step 7 Navigate to Analysis Connections Events. Confirm that the events are still available.
Step 8 Navigate to Analysis Hosts Network Map. Confirm that there are now two empty
network maps.
Note: When you change from one domain to another, you are often presented with a change password page. This
is a known issue with the build used in this class. You can ignore this page.
Step 13 Navigate to Devices Device Management. Confirm that only the ASASFR device is visible.
Step 14 Navigate to Devices Platform Settings. Confirm that the global platform settings are still in
use. You could change these setting by creating a new policy, if you wished.
Step 15 Navigate to Policies Network Discovery. Note the policy has reverted to the default policy.
Modify this policy as you did in Task 2.4. Do not deploy the policy.
Step 16 Navigate to Policies Access Control Access Control.
a. Note that you cannot edit any of the existing access policies. That is because they were
created in the global domain.
b. Note the icon to the right of the ASASFR Access Policy. This indicates that the policy is a
required ancestor for any access control policy created in this domain.
Step 17 Click New Policy.
a. For Name, Enter ASA Leaf Policy.
b. Notice that you must select ASASFR Access Policy as the base policy.
c. Select the Intrusion Prevention radio button.
d. Under Available Devices, select ASASFR and click Add to Policy.
e. Click Save.
f. You will get the following Error box. This is really a warning. Read it carefully, and then
ignore it by clicking Yes.
g. Notice that this policy inherits mandatory rules from 2 ancestor policies.
Step 18 Navigate to Objects Object Management.
a. Select Network Add Network Add Object.
b. For Name, enter 0Network. Prepending the zero character will make the object easier
to see (or not see) on lists.
c. For Network, enter 1.2.3.4.
d. Click Save.
Step 19 Deploy all changes, and wait for the deployment to complete.
b. Navigate to Objects Object Management. Confirm that you cannot see the network
object called 0Network.
c. Navigate to Devices Device Management. Confirm that you can only see the
vNGIPS.
Step 30 Click on the icon to the right of the Deploy link in the upper right corner of the FMC.
Step 31 Select the Tasks tab.
Step 32 When the task completes click the link Click to retrieve generated files. The browser will
download the files.