Thursday 27 January 2022

FMC LDAP external auth

 Config -> Users -> External auth

Authentication method: LDAP

domain.int (the AD domain)

Server type: MS Active Directory

Primary server: x.x.x.x (IP of DC)

Port: 389

Base DN: dc=domain,dc=int

Base filter: (memberOf=CN=NetworkAdmin,OU=IT,DC=domain,DC=int)

User name (bind account DN): cn=ASA,OU=ServiceAccounts,OU=IT,DC=domain,DC=int

Password: ****

Confirm password: ***

UI access attribute: sAMAccountName

CLI access attribute: sAMAccountName

CLI access filter: (memberOf=CN=NetworkAdmin,OU=IT,DC=domain,DC=int)


There is a test button at the bottom of the form. Test with a user who is in NetworkAdmin, then with one who is not, so you know the memberOf filter actually rejects people rather than just that the bind works.

Notes:
- 389 is plaintext LDAP, so the bind account password and every user password cross the network in clear. Use LDAPS (636) with the DC's CA cert uploaded to FMC where the DC supports it.
- The bind account only needs read access to the directory; don't use a domain admin for it.
- memberOf only lists direct group membership. A user who is in a group nested inside NetworkAdmin will fail this filter unless you use the AD matching-rule-in-chain OID (memberOf:1.2.840.113556.1.4.1941:=...).
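The filters above, as an added example (my code, not from the original notes or from Cisco): this builds the search FMC effectively runs for a login, combining the base filter with the login attribute and escaping the username per RFC 4515 so a crafted login name cannot change the query. It also shows the nested-group form of the filter. The DN and filter values come from the notes; the usernames are assumptions.

```python
# Added example, not from the original notes or from Cisco. Builds the LDAP
# filters an FMC external-auth login amounts to, with RFC 4515 escaping.

BASE_FILTER = "(memberOf=CN=NetworkAdmin,OU=IT,DC=domain,DC=int)"
GROUP_DN = "CN=NetworkAdmin,OU=IT,DC=domain,DC=int"


def ldap_escape(value):
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def login_filter(login_attr, username, base_filter=BASE_FILTER):
    """Filter a login must match exactly once: base filter AND login attribute = username.
    This is what the UI/CLI access attribute in the FMC form combines with the base filter."""
    return f"(&{base_filter}({login_attr}={ldap_escape(username)}))"


def nested_group_filter(group_dn=GROUP_DN):
    """memberOf lists direct membership only. AD's LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941) makes the DC walk nested groups instead."""
    return f"(memberOf:1.2.840.113556.1.4.1941:={ldap_escape(group_dn)})"


if __name__ == "__main__":
    print(login_filter("sAMAccountName", "jsmith"))  # assumed username
    # A hostile login name: escaped, it stays a literal string and matches nobody.
    print(login_filter("sAMAccountName", "*)(objectClass=*"))
    print(nested_group_filter())
    # To try a filter against the DC before hitting the FMC test button, with the
    # OpenLDAP client (bind DN and base from the notes; add -ZZ to force STARTTLS):
    #   ldapsearch -x -H ldap://x.x.x.x \
    #     -D "cn=ASA,OU=ServiceAccounts,OU=IT,DC=domain,DC=int" -W \
    #     -b "dc=domain,dc=int" "<filter>" sAMAccountName memberOf
```

The escaping matters because FMC passes the typed login name straight into the login attribute match; the hostile example shows that `*` and parentheses become `\2a`, `\29` and `\28` rather than filter syntax.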

check last reboot reason on cisco switch

Command may vary depending on device/software version, so try each of these:

 sh ver | i reason

 sh ver | i Last

sh ver | i reload

or all three at once: sh ver | i reload|Last|reason

(the include filter is case sensitive, so "Last" will not catch "last"; widen the regex if nothing comes back)


For ASA, the failover reasons are in:

show failover history

Wednesday 26 January 2022

configure suppressions on security onion

First check the rule is triggering correctly

Confirm it's legitimate (the traffic is expected, not just noisy)


Gather network data decoded

source IP: 192.168.1.10

Destination IP: 192.168.1.65

rule uuid: 2102251 (aka SID)


Rules file location

/opt/so/rules/nids/all.rules


Count rules:

wc -l all.rules


Find your rule:

grep 2102251 all.rules


You can fully disable a rule if it does not apply 

sudo so-rule disabled add 2102251

grep 2102251 all.rules (should see # to show it's commented out)


Using a regular expression to disable all rules related to STUN

sudo so-rule disabled add 're:STUN'

grep STUN all.rules

The regex is matched against the whole rule text, so compare the grep output before and after to make sure it only caught the rules you meant.


To do fine-grained tuning by source/destination we need to edit the global.sls file


sudo su

cd /opt/so/saltstack/local/pillar

vi global.sls


The global.sls file is YAML, so it's spaces not tabs (two spaces per level). If you have a standalone you can edit in one place; with multiple sensors, check that every sensor has picked up the change after the restart.


Suppress by source IP:

thresholding:
  sids:
    2102251:
      - suppress:
          gen_id: 1
          track: by_src
          ip: 10.4.8.1

(ip can be a single address or a CIDR such as 10.4.8.0/24; track can also be by_dst. Note there is no colon after by_src.)


Suppress by threshold:

thresholding:
  sids:
    2102251:
      - threshold:
          gen_id: 1
          type: threshold
          track: by_src
          count: 10
          seconds: 3600


In this case if one source makes more than 10 alerts in 1 hour something is going on and I want to look into that. With type threshold Suricata alerts once per 10 matching packets from the same source inside the 3600 s window (the 10th, 20th, ...); type limit is the opposite, it passes the first 10 and drops the rest until the window expires.


save the global.sls file

restart Suricata:

so-suricata-restart

grep 2102251 all.rules should still show the rule enabled; a threshold or suppression does not comment the rule out, it lives in Suricata's threshold configuration.

ack the event in the alerts page in SOC
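The two global.sls snippets above, as an added example (my code, not from the notes or from Security Onion): it takes the thresholding pillar as a Python dict of the same shape as the YAML, validates each entry, and renders the Suricata threshold.config lines Salt generates from it, so you can see exactly what Suricata gets and catch the "by_src:" typo before restarting. The SID and values are the ones from the notes; the dict layout is my reading of the Security Onion 2.3 pillar format.

```python
# Added example, not from the original notes or from Security Onion. Renders the
# thresholding pillar into Suricata threshold.config lines after validation.

SUPPRESS_TRACKS = {"by_src", "by_dst", "by_either"}
THRESHOLD_TRACKS = {"by_src", "by_dst", "by_both", "by_rule"}
THRESHOLD_TYPES = {"threshold", "limit", "both"}

# Same content as the two global.sls snippets above, both applied to one SID.
PILLAR = {
    "thresholding": {
        "sids": {
            2102251: [
                {"suppress": {"gen_id": 1, "track": "by_src", "ip": "10.4.8.1"}},
                {"threshold": {"gen_id": 1, "type": "threshold", "track": "by_src",
                               "count": 10, "seconds": 3600}},
            ]
        }
    }
}


def render_thresholding(pillar):
    """Return the threshold.config lines for the pillar, or raise ValueError."""
    lines = []
    for sid, entries in pillar["thresholding"]["sids"].items():
        for entry in entries:
            if len(entry) != 1:
                raise ValueError(f"sid {sid}: each list item holds exactly one of suppress/threshold")
            (kind, cfg), = entry.items()
            gen_id = cfg.get("gen_id", 1)
            track = cfg.get("track")
            if kind == "suppress":
                if track not in SUPPRESS_TRACKS:
                    raise ValueError(f"sid {sid}: suppress track {track!r} not in {sorted(SUPPRESS_TRACKS)}")
                if "ip" not in cfg:
                    raise ValueError(f"sid {sid}: suppress needs ip (address or CIDR)")
                lines.append(f"suppress gen_id {gen_id}, sig_id {sid}, track {track}, ip {cfg['ip']}")
            elif kind == "threshold":
                ttype = cfg.get("type")
                if ttype not in THRESHOLD_TYPES:
                    raise ValueError(f"sid {sid}: threshold type {ttype!r} not in {sorted(THRESHOLD_TYPES)}")
                if track not in THRESHOLD_TRACKS:
                    raise ValueError(f"sid {sid}: threshold track {track!r} not in {sorted(THRESHOLD_TRACKS)}")
                for key in ("count", "seconds"):
                    if not isinstance(cfg.get(key), int) or cfg[key] <= 0:
                        raise ValueError(f"sid {sid}: threshold {key} must be a positive integer")
                lines.append(f"threshold gen_id {gen_id}, sig_id {sid}, type {ttype}, "
                             f"track {track}, count {cfg['count']}, seconds {cfg['seconds']}")
            else:
                raise ValueError(f"sid {sid}: unknown entry kind {kind!r}")
    return lines


def is_valid(pillar):
    """True if the pillar renders cleanly, False on any structural or value error."""
    try:
        render_thresholding(pillar)
        return True
    except (ValueError, KeyError, TypeError, AttributeError):
        return False


if __name__ == "__main__":
    for line in render_thresholding(PILLAR):
        print(line)
    # The stray colon in "track: by_src:" is the typo that bites in hand-edited YAML.
    broken = {"thresholding": {"sids": {2102251: [
        {"suppress": {"gen_id": 1, "track": "by_src:", "ip": "10.4.8.1"}}]}}}
    print("broken pillar valid?", is_valid(broken))
```

Run it before so-suricata-restart; if is_valid comes back False for your edit, fix the pillar rather than finding out from a Suricata that refused to start.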

Tuesday 25 January 2022

2FA on FMC ASA and ASDM

- FMC:

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214756-configure-duo-two-factor-authentication.html#anc7

However, this document describes access for web users only and not CLI, as SSO is not supported for CLI users:

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/user_accounts_fmc.html#:~:text=SSO%20users%E2%80%94SSO%20users%20have%20web%20interface%20access%20only.


- ASA and ASDM:

ASA CLI and ASDM GUI authentication only requires integration with an external AAA server (e.g. ISE or NPS); however, for ASA we can configure 2FA for AnyConnect VPN users as below:

https://community.cisco.com/t5/security-documents/configure-two-factor-authentication-on-asa-for-cisco-anyconnect/ta-p/3403768

https://duo.com/docs/sso-ciscoasa#:~:text=for%20each%20application.-,Configure%20Cisco%20ASA%20SSO,-Add%20Duo%20Single


But if we want to use it for CLI access only without VPN, we could use RADIUS, which is supposed to be configured already:

https://community.duo.com/t/secure-cisco-asdm-with-mfa/7516/4



Accordingly, note that direct configuration of 2FA is not yet supported over ASDM, and an enhancement request has been published to document this feature under bug ID CSCvs85995:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs85995



Duo service name and tests:

Service display name: Duo Security Authentication Proxy Service

sc qc DuoAuthProxy

tasklist | findstr proxy_svc.exe

Binary path: C:\Program Files\Duo Security Authentication Proxy\bin\proxy_svc.exe

Run PowerShell as admin and cd to the bin folder (quote the path, it has spaces):

C:\Program Files\Duo Security Authentication Proxy\bin

.\authproxy_connectivity_tool.exe

Monday 24 January 2022

renew internal ca cert on cisco firepower FTD FMC

 https://www.youtube.com/watch?v=tAIdcZ3EBiw


In our case the subordinate CA cert had expired and users were getting certificate errors opening emails etc.


Go to

Objects -> Object Management -> PKI -> Internal CAs

If you edit the old cert you can see when it expired: "Not Valid After:"


Cancel from this screen

Click the Generate CA button at the top

Fill in details

Name: firewall.customer.com

Common Name: firewall.customer.com

Click the Generate CSR button

Copy the CSR into a notepad


Now go to your internal CA and request the cert

https://192.168.10.30/certsrv

Login with username and password

Request a certificate

Advanced certificate request

Paste the CSR created earlier


Choose the certificate template for Subordinate CA. It has to be a CA template (basicConstraints CA:TRUE, key usage keyCertSign): a web server template would issue an end-entity cert that cannot sign the resigned server certs, so clients would reject every decrypted session. If the template is not listed, that is a separate issue which needs to be resolved on the CA server by the Windows team (the template must be published and the requesting account needs Enroll rights on it).

Click Submit

Choose DER encoded and download the signed cert

Go back to FMC

Install the signed cert: click Browse and select the downloaded cert file.


Now go into your SSL policy, edit any decrypt/resign rules to use the new cert, and deploy the policy.


You can now delete the old cert. Set a reminder for the new cert's "Not Valid After" date so it doesn't expire silently again.



Thursday 20 January 2022

switch FTD 1010 to ASA code

 https://www.petenetlive.com/kb/article/0001766


It's best to use a laptop where you can turn off the Windows firewall or add a firewall exception for the TFTP or FTP software.


You can connect to the laptop via a Wi-Fi remote session

Connect laptop LAN -> MGMT interface on the 1010

Connect USB to serial on laptop -> console port on the 1010

You will need to factory reset back to the default 192.168.x.x management IP

Configure a 192.168.x.x IP on your laptop so you can talk to the FTD


You also have the option of putting the software on a FAT32-formatted USB drive and inserting it into the 1010


I tried a ROMMON method from YouTube but it didn't work; the erase disk0 command was not there

Monday 17 January 2022

remove whitespace in Sublime Text 3

 Do Ctrl + H (make sure regex mode is on)

find all whitespace "\s+"

replace with newline "\n"


You may want CR "\r" or both "\r\n"



Simple way to find IP address

find 1-3 digits, four times, separated by literal dots (the dot must be escaped, otherwise it matches any character)

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

This is loose: it also matches 999.1.1.1 and the tail of longer numbers such as 20220127.99.1.1, which is fine for a quick find but not for pulling IPs out of logs.
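The loose pattern beside a strict one, as an added example (my code, not from the notes), run over a constructed log line so the difference is visible. Both are ordinary regexes and work in Sublime's Find with regex mode on; the strict one limits each octet to 0-255 and refuses to start or end next to a digit or dot.

```python
# Added example, not from the original notes. Loose vs strict IPv4 matching.
import re

LOOSE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# 0-255 only, and nothing digit-or-dot adjacent so we don't match inside longer numbers.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT = re.compile(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?![\d.])")

# Constructed sample line, not real log data.
SAMPLE = "src=192.168.1.10 dst=10.4.8.1 ver=2.3.0.1 bad=999.1.1.1 ref=20220127.99.1.1"


def find_ips(text, strict=True):
    """Return the IPv4 addresses found in text, using the strict pattern by default."""
    return (STRICT if strict else LOOSE).findall(text)


if __name__ == "__main__":
    print("loose :", find_ips(SAMPLE, strict=False))
    print("strict:", find_ips(SAMPLE))
    # ver=2.3.0.1 survives both: a regex cannot tell a version string from an
    # address, so filter on the field name when parsing structured logs.
```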

get network interface connection speed on windows CLI

cmd/wmi

wmic NIC where NetEnabled=true get Name,Speed

(wmic is deprecated in current Windows builds, so prefer the PowerShell version)

Powershell

 Get-NetAdapter | where Status -eq "Up" | select InterfaceDescription, LinkSpeed