Wednesday 27 October 2021

FTD syslog event list

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html?bookSearch=true

Thursday 7 October 2021

steps to enable IPS on FMC/FTD

Update FMC/FTD to the latest recommended version

Update the Snort rules (VRT) to the latest version

Define and configure HOME_NET and EXTERNAL_NET (Objects -> Object Management -> Variable Set)

HOME_NET = 192.168.1.0/24

EXTERNAL_NET = !HOME_NET (anything that is not in HOME_NET)


Create an IPS policy with a log-only action (generate events, no drop)

Apply it to the ACP rules

Let it run for a week

Review for false positives and resolve them

Set the IPS policy to drop action

Test and review again

Keep iterating until security is as high as possible without generating FPs


To investigate a rule, get its SID from the event

Edit the IPS policy and search the rules for that SID

Look up the rule documentation / referenced CVE

Check what traffic or code triggers the rule

Go back to the events, download the packets and check what the traffic actually was and why it hit that rule
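As an added example (not from these notes or from Cisco), a small Python helper for the false-positive review above: it parses a constructed Snort rule to pull out the SID, message and CVE reference, and checks whether a flow from an event actually matches the rule header under the HOME_NET/EXTERNAL_NET variable set defined above. The variable set, the rule, its SID and its CVE reference are all constructed placeholders; the last case shows a classic FP source, an internal subnet that was left out of HOME_NET and is therefore treated as EXTERNAL_NET.

```python
import ipaddress
import re

# Constructed variable set mirroring the notes (not an FMC export): HOME_NET is
# the inside /24, EXTERNAL_NET is "!$HOME_NET" in Snort syntax.
VARIABLE_SET = {"HOME_NET": ["192.168.1.0/24"], "EXTERNAL_NET": ["!$HOME_NET"]}
# Constructed sample rule in Snort syntax; the SID and CVE are placeholders.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 '
    '(msg:"EXAMPLE SMB probe"; flow:to_server,established; '
    'reference:cve,1999-0000; sid:1000001; rev:2; classtype:attempted-recon;)'
)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a rule into header fields plus an option dict (sid, msg, references)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    rule = m.groupdict()
    opts = {"reference": []}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        if key == "reference":  # e.g. cve,1999-0000: this is what you look up
            opts["reference"].append(val)
        else:
            opts[key] = val.strip('"')
    rule["opts"] = opts
    return rule

def net_matches(expr, ip, varset=VARIABLE_SET):
    """Evaluate a Snort address expression ($VAR, !$VAR, CIDR, any) for one IP.
    Bracketed lists such as [a,b] are not handled in this example."""
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not net_matches(expr[1:], ip, varset)
    if expr.startswith("$"):
        return any(net_matches(e, ip, varset) for e in varset[expr[1:]])
    return ip in ipaddress.ip_network(expr, strict=False)

def rule_applies(rule, src_ip, dst_ip):
    """True if the flow's addresses satisfy the rule header under the variable set."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    fwd = net_matches(rule["src"], src) and net_matches(rule["dst"], dst)
    if rule["dir"] == "<>":
        return fwd or (net_matches(rule["src"], dst) and net_matches(rule["dst"], src))
    return fwd
```

A flow from 10.1.1.50 to 192.168.1.10 matches this EXTERNAL_NET -> HOME_NET rule only because 10.1.1.0/24 is missing from HOME_NET; fixing the variable set is the resolution, not disabling the rule.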


Wednesday 6 October 2021

searching URLs in FTD

When searching in Analysis -> Connections -> Events:

Edit Search

Networking

Initiator IP: 10.1.1.50

URL

URL: https://www.google.com


If you enter just "www.google.ie" nothing is returned in the search.

NAT on FTD

Auto NAT = object NAT

Manual NAT = twice NAT


In the example below we want to give a DMZ server a public IP

On the ASA you can write NATs on the CLI

On FTD this is not possible; NAT is configured in the FMC NAT policy


1 - Go to Objects -> Object Management

Create:

INSIDE IP as an object

PUBLIC IP as an object


2 - Go to Devices -> NAT

Edit the policy for the device you are working on

Add NAT rule

Choose Manual NAT Rule

Insert: before the existing NAT rules

Type: Static

Interface

Source: DMZ

Destination: OUTSIDE

Translation

Original Source: select the inside IP object

Translated Source: select the public (outside) IP object

PAT pool

Leave unchecked

Advanced

Uncheck Unidirectional

Check "Do not proxy ARP on Destination Interface"