Tuesday, 23 February 2021

cisco firepower FTD 2110 initial config

 First steps

  • Laptop, console cable, network cables, rack bolts and tools
  • Have the management IP assigned before you start. You will also need IPs for the inside/outside and any other data interfaces.
  • Unbox and fit the rack ears
  • Record the serial numbers (there is a pull-out tab on the front, next to the interfaces)
  • Mount in the rack and boot up
  • Plug into the console port with a USB-to-serial cable going to the laptop
  • The management interface should be plugged into a VLAN from which it can reach the FMC.
Default username and password

username: admin

Password: Admin123

You'll want to change that before the box is on the network. On the 2100 the console lands in FXOS, so connect to the FTD CLI first:

connect ftd
show user
configure user password admin
 
Add another user

You may want to add another local user as a backup in case the admin account gets locked out or its password is lost. The command takes an optional access level (basic or config); use config if it is to be a full backup admin.

configure user add myusername config

Configure management IP
  • configure network ipv4 manual 192.168.100.50 255.255.255.0 192.168.100.254
  • 192.168.100.50 = management IP of the FTD
  • 255.255.255.0 = subnet mask
  • 192.168.100.254 = gateway IP
  • ping system 192.168.100.254 (pings from the management interface; confirms the gateway is reachable)

Configure a static route (if needed)

configure network static-routes ipv4 add eth0 192.168.10.0 255.255.255.0 192.168.1.1

Syntax is interface, destination network, netmask, next hop. eth0 is the management interface, so the next hop has to be on the management subnet.

Add FTD to FMC

Log in to the FMC web interface

Devices -> Device Management -> Add

Fill in the IP of the FTD and a registration key like "cisco". The key is any string and is only used during registration, but it must match what you type on the FTD. You also pick the access control policy that gets pushed to the device when it registers.


Now go back to the FTD CLI

show managers (should report no manager configured)

configure manager add [IP-ofFMC] cisco

Wait for it to complete; show managers will then list the FMC with registration completed.

Now go back to the FMC. Give the new device some time to settle: the access control policy you chose when adding it is deployed as part of registration. You can now upgrade the FTD to the same software version as your other FTDs.

Overview -> Dashboard -> Status

Once upgraded, your FTD is ready to be configured and have policy deployed. You will need to patch the data interfaces (inside/outside etc.) to the correct devices/VLANs. Make sure you can SSH to the management interface for troubleshooting. From here on, most management and configuration is done from the FMC web interface.



Friday, 12 February 2021

issues upgrading to firepower 6.7

First you need to upgrade the RAM to at least 32 GB.

Next you need to move all VPNs to IKEv2.

In version 6.7 Cisco removed the old ciphers and DH groups, and the upgrade readiness check fails until every reference to them is gone from the config.

You don't want to see group 2 or group 5 anywhere in your config, in IKE policies or in PFS settings.

Use group 14, 19, 20 or 21 instead.

This applies to the PFS group as well; select group 21.
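As an added example (not from this post), here is a Python check you can run over a saved `show running-config` from the FTD before attempting the upgrade. It flags the DH groups the post calls out (2 and 5; 24 is included as an assumption, since I recall it going in the same release, so verify against the release notes) wherever they appear in IKEv1/IKEv2 policies or in `set pfs` on a crypto map, and it also flags a bare `set pfs`, which on classic ASA defaults to group2. The sample config it scans is constructed for illustration.

```python
"""Pre-upgrade scan for removed DH groups in an ASA/FTD running-config.

Added example, not from the original post. Usage on a real dump:
    python dh_scan.py show-run.txt
"""
import re
import sys
from typing import List, Tuple

# Groups the post found rejected by the 6.7 upgrade (2, 5). 24 is an
# assumption from memory of the release notes; adjust after checking them.
WEAK_DH_GROUPS = {2, 5, 24}

POLICY_RE = re.compile(r"^crypto ikev[12] policy \d+\s*$")
GROUP_RE = re.compile(r"^\s+group((?:\s+\d+)+)\s*$")          # " group 21 14 5"
PFS_RE = re.compile(r"^crypto map \S+ \d+ set pfs(?:\s+group(\d+))?\s*$")

Finding = Tuple[int, str, str]   # (line number, config text, reason)


def find_weak_dh(config: str) -> List[Finding]:
    """Return every line that still references a removed DH group."""
    findings: List[Finding] = []
    context = None  # the "crypto ikev? policy N" block we are inside, if any
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Top-level line: either starts a policy block or is a crypto map entry.
            context = line if POLICY_RE.match(line) else None
            m = PFS_RE.match(line)
            if m:
                grp = m.group(1)
                if grp is None:
                    findings.append((n, line, "set pfs without a group: classic ASA "
                                              "default is group2 (verify on this box)"))
                elif int(grp) in WEAK_DH_GROUPS:
                    findings.append((n, line, f"PFS group{grp} is removed in 6.7"))
            continue
        if context:
            m = GROUP_RE.match(line)
            if m:
                groups = [int(g) for g in m.group(1).split()]
                weak = sorted(set(groups) & WEAK_DH_GROUPS)
                if weak:
                    findings.append((n, f"{context}: {line.strip()}",
                                     f"DH group(s) {weak} removed in 6.7; use 14/19/20/21"))
    return findings


# Constructed sample: two IKEv1 policies, one IKEv2 policy, two crypto map entries.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 21 14 5
 prf sha256
 lifetime seconds 86400
crypto map outside_map 1 match address acl-vpn-site-a
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 2 match address acl-vpn-site-b
crypto map outside_map 2 set pfs group21
crypto map outside_map 2 set peer 203.0.113.20
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line_no, what, why in find_weak_dh(text):
        print(f"line {line_no}: {what}  <-- {why}")
```

The scan is deliberately narrow: it only looks at DH groups, because that is what blocked this upgrade. If the readiness check complains about ciphers or hashes as well, extend the regexes in the same way rather than trusting a visual read of a long config.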

Wednesday, 10 February 2021

vpn filter ACLs not working as expected

Had issues with VPN filter ACLs.

Had something like

permit ip host x.x.x.x any

This should have allowed my traffic but it was not working.

I needed to change it to the following, which is essentially the same thing, but it worked. The reason is how a vpn-filter ACL is evaluated: the remote peer's addresses are always treated as the source and the local addresses as the destination, for traffic in both directions, so a host entry that sits on the local side of the tunnel never matches. Write vpn-filter ACEs as remote network to local network:

permit ip 192.168.1.0 255.255.255.0 10.150.200.0 255.255.255.0
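As an added example (not from this post), a small Python evaluator that applies that rule with constructed addresses. It shows the same `permit ip host ... any` entry failing or matching depending only on which side of the tunnel the host sits, and the network-to-network form working when written remote to local. Only `permit|deny ip <src> <dst>` is handled, because that is the form in the post.

```python
"""Evaluate an ASA/FTD vpn-filter ACL the way the firewall does.

Added example, not from the original post. The one rule it encodes: the
vpn-filter is always matched as source = remote peer, destination = local,
whichever side sent the packet. First match wins, implicit deny at the end.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ASA address spec at tokens[i]: 'any', 'host A', or 'NET MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs take a subnet mask here (255.255.255.0), not a wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(ace: str) -> Tuple[str, Net, Net]:
    """'permit ip host 1.2.3.4 any' -> ('permit', 1.2.3.4/32, 0.0.0.0/0)."""
    tokens = ace.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"only 'permit|deny ip <src> <dst>' is supported: {ace!r}")
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return action, src, dst


def first_match(acl: List[str], remote_ip: str, local_ip: str) -> Optional[str]:
    """The ACE that decides this remote<->local pair, or None (implicit deny)."""
    remote = ipaddress.ip_address(remote_ip)
    local = ipaddress.ip_address(local_ip)
    for ace in acl:
        _, src, dst = parse_ace(ace)
        if remote in src and local in dst:
            return ace
    return None


def vpn_filter_permits(acl: List[str], remote_ip: str, local_ip: str) -> bool:
    """True if traffic between remote_ip and local_ip passes the vpn-filter."""
    ace = first_match(acl, remote_ip, local_ip)
    return ace is not None and ace.split()[0] == "permit"


if __name__ == "__main__":
    # Constructed addresses: 192.168.1.0/24 is our local LAN, 10.150.200.0/24 is
    # behind the remote peer. The host entry below is on the local side.
    host_acl = ["permit ip host 192.168.1.10 any"]
    print(vpn_filter_permits(host_acl, remote_ip="10.150.200.5", local_ip="192.168.1.10"))  # False
    # Same entry works once 192.168.1.10 is the remote side.
    print(vpn_filter_permits(host_acl, remote_ip="192.168.1.10", local_ip="10.150.200.5"))  # True
    net_acl = ["permit ip 10.150.200.0 255.255.255.0 192.168.1.0 255.255.255.0"]
    print(vpn_filter_permits(net_acl, remote_ip="10.150.200.5", local_ip="192.168.1.10"))  # True
```

If a filter "doesn't work", run the pair through `first_match` both ways round: if it only matches when the addresses are swapped, the ACE was written local-to-remote and needs flipping.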

Monday, 8 February 2021

mtu issues in wireshark

Small packets work, e.g. ping.

The TCP three-way handshake completes.

However, once the TLS/HTTPS handshake starts, it fails. This is the classic sign that the MTU is too big for the path: the SYN/ACK packets are tiny, but the TLS handshake is the first thing that sends full-size segments (the server's certificate chain usually fills several), and those are the packets that get dropped.

Things to try:

tracert -d x.x.x.x

See which network devices you pass through and check the MTU on each of them (if you can).

On the client:

ping -l 1490 -f 8.8.8.8

-f sets the don't-fragment bit and -l is the ICMP payload size. Reduce the size by 20 each time until the pings get replies, then narrow in on the exact value.

Remember that the value that works isn't the MTU, it's the ICMP payload. This confuses a lot of people. MTU 1500 == ICMP payload 1472 (20 bytes for the IPv4 header and 8 bytes for the ICMP header). You can also check the MTUs on the devices along the path directly.

Path MTU discovery is not reliable (the ICMP fragmentation-needed messages it depends on are often blocked), so the robust fix is MSS clamping, which can be enabled on your firewall / VPN endpoints.
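As an added example (not from this post), here is the ping sweep above done properly in Python: binary-search the largest ICMP payload that gets a reply with DF set, convert that payload into the real path MTU, and derive the TCP MSS you would clamp to on the firewall or VPN endpoint. The probe used when the script runs is a simulated link (constructed, no network traffic) so it works offline; `windows_ping_probe` shows the real `ping -f -l` call and is an assumption about Windows ping's output strings, not something the post tested.

```python
"""Path MTU hunt and MSS clamp calculation.

Added example, not part of the original post. Mirrors the manual
`ping -f -l <size>` hunt: instead of stepping down by 20, binary-search the
largest payload that passes, then turn it into an MTU and a TCP MSS.
"""
import subprocess
from typing import Callable, Dict

IPV4_HEADER = 20   # bytes, no options
ICMP_HEADER = 8    # ICMP echo request/reply header
TCP_HEADER = 20    # bytes, no options

Probe = Callable[[int], bool]   # probe(payload) -> got a reply with DF set?


def payload_to_mtu(icmp_payload: int) -> int:
    """Largest ICMP payload that passes with DF set -> path MTU (1472 -> 1500)."""
    return icmp_payload + IPV4_HEADER + ICMP_HEADER


def mtu_to_mss(mtu: int) -> int:
    """TCP MSS that keeps a full segment inside the MTU (1500 -> 1460, 1380 -> 1340)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def find_max_payload(probe: Probe, lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds.

    Assumes the path is monotonic: if a size passes, every smaller size passes.
    hi defaults to 1472 because a 1500-byte interface cannot send more than
    that unfragmented; bigger probes fail on the local NIC before leaving.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe got no reply; fix reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def make_simulated_probe(path_mtu: int) -> Probe:
    """Constructed stand-in for a path whose narrowest link has the given MTU."""
    return lambda payload: payload_to_mtu(payload) <= path_mtu


def windows_ping_probe(target: str, timeout_ms: int = 1000) -> Probe:
    """Probe that really runs Windows ping with DF set (not exercised offline).

    Assumption: Windows prints 'Packet needs to be fragmented but DF set.' when
    the probe is too big for a link, and 'Reply from ...' on success.
    Linux equivalent: ping -M do -s <payload> -c 1 <target>.
    """
    def probe(payload: int) -> bool:
        out = subprocess.run(
            ["ping", "-n", "1", "-w", str(timeout_ms), "-f", "-l", str(payload), target],
            capture_output=True, text=True, check=False,
        ).stdout
        return "Reply from" in out and "fragmented" not in out
    return probe


def discover(probe: Probe) -> Dict[str, int]:
    """Run the sweep and return the three numbers you actually need."""
    payload = find_max_payload(probe)
    mtu = payload_to_mtu(payload)
    return {"icmp_payload": payload, "path_mtu": mtu, "tcp_mss": mtu_to_mss(mtu)}


if __name__ == "__main__":
    # Constructed scenario: an IPsec tunnel on the path leaves 1380 bytes of MTU.
    print(discover(make_simulated_probe(1380)))
    # Live use on a Windows client: print(discover(windows_ping_probe("8.8.8.8")))
```

The `tcp_mss` value is what you would put into the firewall's MSS clamp; the `path_mtu` value is what you would set with `netsh` on a client if you are working around it locally instead.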

CMD to check the MTU in windows

netsh int ipv4 show subinterface

CMD to set MTU in windows

netsh interface ipv4 set subinterface "Local Area Connection" mtu=1458 store=persistent


The ASA clamps the TCP MSS to 1380 by default (sysopt connection tcpmss 1380), which leaves room for IPsec overhead.

Palo Alto does not do this by default; MSS clamping (Adjust TCP MSS) has to be configured on the interface.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html#anc14

Tuesday, 2 February 2021

upgrade cisco firepower FMC and FTD

Cisco docs:

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide/upgrade_firepower_threat_defense.html#id_64765

https://software.cisco.com/download/home/286291275

https://software.cisco.com/download/home/286306503/type/286306337/release/6.7.0


The old method was sensor first, then FMC.


Figure out your upgrade path (can save a lot of time):
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/upgrade/management-center/740/upgrade-management-center-741/planning.html#r_ftd-upgrade-path
7.4 (max version for 2140 hardware; it will still get security updates until EOL)
6.4 can jump to 7.0
6.6 can jump to 7.2 (watch for user-ID issues, DH groups on site-to-site VPNs, and PBR moving from FlexConfig into native FMC config)
7.0 can jump to 7.4
7.1 can jump to 7.6
7.2 can jump to 7.7

Step 0
Check the pre-reqs and docs.

Sometimes you need to clear space before doing upgrades:
df -h
Delete old files, leaving the 2 most recent, in:
/var/sf/SRU
/var/sf/sru
/var/common/
/usr/local/sf


The new method is FMC, deploy, sensor, deploy.

Step 1
Update your VDB and geolocation database to the latest.
Run a backup for both FMC and FTD (tick the box to bring the FTD backup back to the FMC).
Download those backup files.
You can export the policies from Policies > Import/Export (top right).
It is a good idea to also take a dump of the running config (show running-config) from the FTDs (primary and secondary).
Especially if you have a stand-alone FTD.
You can also take a VM snapshot before the FMC upgrade, but Cisco seem to flip-flop on whether this is supported. If you take a snapshot, make sure to merge/delete it after the upgrade is complete. You don't want a snapshot growing; it will cause problems later.


Since 6.2 you need to upgrade the FMC first, then the sensor.

To upgrade from the web GUI, the FMC .sh upgrade file can be downloaded here:
Downloads Home > Products > Security > Firewalls > Firewall Management > Firepower Management Center > Virtual Appliance > FireSIGHT System Software-6.2.0

Network sensor .sh files are available here:
Downloads Home > Products > Security > Firewalls > Next-Generation Firewalls (NGFW) > ASA 5500-X with FirePOWER Services > ASA 5525-X with FirePOWER Services > FirePOWER Services Software for ASA-6.2.0


In later versions you can run a readiness check first. Most logs are in /var/log/sf.

From version 6.3.0 you can upgrade directly to major versions.
Let's say we are on 6.2.1 and want to go to 6.4.0.2.
We can upgrade directly to 6.4.0 and then up to 6.4.0.2.
Remember you need to deploy after each install.



Other commands:
DBCheck.pl

Attempt to resume an upgrade:
install_update.pl --detach --resume /var/sf/updates/Cisco_Secure_FW_Mgmt_Center_Upgrade-7.2.10

Update roll back:
/var/log/sf/Cisco_Secure_FW_Mgmt_Center_Upgrade-7.2.10/upgrade_roll back

Dealing with FlexConfig
When FlexConfig is brought into the FMC it can cause issues.
One example: I had some policy-based routing (PBR).
After the upgrade it wasn't working, even though the code was there in the ASA CLI.
I had to delete the FlexConfig from the FMC
Deploy
Configure the PBR natively in the FMC
Deploy
Check the CLI so that the PBR matched what I had before in the ASA CLI.
This was done with a WinMerge diff of the config before and after, so it's crucial to have that show run backup for fixing FlexConfig issues.
All was working.

The process works the same for other FlexConfig objects.