BRKSEC-2093: Hardening the Secure Firewall
Srinivasa Rao Munagala, NGFW Technical Leader
Cisco Live 2023. © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public. #CiscoLive

About the Speaker
Srinivasa Munagala: Double CCIE (Security and DC); Technical Leader in the CX Security organization; more than 11 years at Cisco. Came from an ASA background originally and is currently focused on Next-Gen Firewalls. Passionate about firewall technologies. Hobbies include playing volleyball and cricket and watching crime-thriller movies.

Questions?
Use the Cisco Webex App to chat with the speaker after the session: find this session in the Cisco Live Mobile App, click "Join the Discussion", install the Webex App or go directly to the Webex space, and enter messages or questions in the Webex space. Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Introduction
- Dataplane Hardening
- Control Plane Hardening
- VPN Hardening
- Logging and Monitoring
- Software and Content Updates
- Disaster Recovery
- Compliance
- Performance Best Practices
- Conclusion

Introduction to Hardening
The firewall is the critical component of the network perimeter that protects most enterprise networks, so it is very important to harden the firewall configuration to reduce potential threats in your network. Firewall hardening is an ongoing process that involves:
- Enhancing network security
- Minimizing risks
- Preventing unauthorized access
- Mitigating malware and cyber threats
- Maintaining compliance requirements

Secure Firewall Terminology
FTD: Firepower Threat Defense (or Secure Firewall), the unified software image (ASA + Firepower).
Lina: the underlying ASA-derived process that is integrated into the FTD product.
Snort: the inspection engine of the Firepower product, integrated into FTD, that provides the IPS functionality.
FMC: Secure Firepower Management Center, the off-box GUI used to manage FTD devices (configuration, reporting, monitoring, etc.).
FXOS: Firepower Extensible Operating System, the system that manages the hardware platforms for the Firepower 9300, 4100, 3100, 2100 and 1100 series products.

Dataplane Hardening

Reference Slide: FTD Routed Packet Flow
(Diagram; the LINA/ASA engine stages are shown in blue and the Snort engine stages in orange. Each stage can drop or blacklist the flow.)
LINA stages: packet arrives on interface; VPN decrypt; existing connection?; global ACL (rule action: permit, advanced trust, prefilter fastpath or top L3/L4 trust rules); un-NAT / egress interface; hand-off to Snort through the PDTS/DAQ extensions; flow update; application layer gateway; NAT IP header; L2 address / L3 route; TX; QoS (enforce); VPN encrypt.
Snort stages: L2-L4 decode; preprocessors; SI (IP); SI URL/DNS; L7 ACL (app/URL); frag3 preprocessor; stream5 preprocessor; AppID; SSL policy; identity policy; QoS (classify); file policy; Snort rules; network discovery.
Access Control Rules - Case Study
Problem: Nmap detects all listening ports on an internal server.
(Diagram: Nmap scanner on the Outside interface, FTD in the middle, internal servers on the Inside interface.)
1. The outside host sends a SYN to the inside server.
2. The inside server responds with a SYN-ACK.
There are no access control rules that allow traffic on the following ports: FTP (tcp/21), SMB (tcp/445), NFS (tcp/2049), RDP (tcp/3389), and so on.

Why the ports show as open: Nmap receives a response for the SYN packet, so it reports the port as OPEN. Application services can run on custom ports (for example, HTTP can run on port 8081), so the firewall has to inspect the first few data packets after the TCP 3-way handshake to determine the application. The firewall allows these first few data packets temporarily (with IPS inspection) until the application is determined. Once the application is identified as non-HTTP, this rule no longer matches and evaluation moves on to the next rules.

FW trace with engine debugs (tcp/21 from 192.168.212.115 to 192.168.250.10):
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Packet 5327: TCP *S*, 05/23-22:49:09.534075, seq 3605876215, dsize 0
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Session: new snort session
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: starting rule matching, zone 2 -> 1, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, Inbound-Web_server, pending AppID
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 AppID: service: (0), client: (0), payload: (0), misc: (0)
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Firewall: pending rule-matching, Inbound-Web_server, nothing has changed
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 Policies: Network 0,
192.168.212.115 62249 -> 192.168.250.10 21 6 AS=0 ID=0 GR=1-1 pending rule id 268434435 nothing has changed

Access Control Rules - Case Study - Solution
Previous rule config vs. modified rule config (screenshots of the Inbound-Web_server rule on the original slide).

Access Control Rules - Case Study - Verification
Capture with trace for the SYN to port 21 (FTP):
34: 23:07:28.873917 192.168.212.115.36634 > 192.168.250.10.21: S 2744652541:2744652541(0) win
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 0 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434438
access-list CSM_FW_ACL_ remark rule-id 268434438: ACCESS POLICY: FTD-ACP1 - Default
access-list CSM_FW_ACL_ remark rule-id 268434438: L4 RULE: deny_block
Additional Information:
Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 3294 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055f948cc64e7 flow (NA)/NA
1 packet shown

Access Control Rules - Best Practices: Rule Ordering Baseline
1. Geolocation rules
2. Layer-3/4 rules: Block, Trust, Allow
3. Layer-7 (App/URL) rules: Block, Trust, Allow
4. Outbound rules
5. Default action
Guidelines:
- Specific rules should come before general rules.
- Avoid L7 (App/URL) based rules from untrusted to trusted networks when possible.
- Subject untrust-to-trust traffic to IPS inspection.

Rule action ordering (rules are matched top to bottom):
- Rule 1: Monitor. Matching traffic continues to the next rules.
- Rule 2 as Trust: no inspection; traffic that does not match continues.
- Rule 2 as Block: no inspection; traffic that does not match continues.
- Rule 2 as Allow: network discovery, file policy and intrusion policy apply; traffic that does not match continues.
- Default action: network discovery and intrusion policy apply.
Always order rules to suit your organization's needs.

Access Control Rules - Best Practices: Rule Order Example
Geolocation rules; Layer-3/4 rules (inbound web access); App rules; URL rules; catch-all outbound; Default action.
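The following is an added example, not code from the Cisco Live deck: a small model of access control rule evaluation that reproduces the case study above. The rule names, zones and ports are constructed, and restricting the Inbound-Web_server rule to the server's HTTP ports is one assumed fix, not necessarily the change shown in the slide's screenshots. It shows why an application-only rule leaves every inbound SYN in a "pending AppID" state (so a scanner sees the SYN-ACK) while the port-restricted rule lets non-web ports fall through to the default block, and how a Monitor rule continues matching.

```python
"""Access control evaluation model (added example, not the FTD implementation)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # allow | block | trust | monitor
    src_zone: Optional[str] = None            # None = any zone
    dst_zone: Optional[str] = None
    dst_ports: FrozenSet[int] = frozenset()   # empty = any port
    apps: FrozenSet[str] = frozenset()        # empty = no application condition


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: Optional[str] = None                 # None until AppID has seen enough payload


def l3l4_match(rule: Rule, flow: Flow) -> bool:
    """The part of a rule the engine can decide on from the SYN alone."""
    return (rule.src_zone in (None, flow.src_zone)
            and rule.dst_zone in (None, flow.dst_zone)
            and (not rule.dst_ports or flow.dst_port in rule.dst_ports))


def evaluate(rules, flow: Flow, default_action: str = "block"):
    """Return (verdict, rule_name). 'pending' means an L7 rule's L3/L4 part
    matched but AppID is still unknown: the engine forwards the first packets
    (with IPS inspection) until the application is determined."""
    for rule in rules:
        if not l3l4_match(rule, flow):
            continue
        if rule.apps:
            if flow.app is None:
                return "pending", rule.name
            if flow.app not in rule.apps:
                continue                      # identified as something else: next rule
        if rule.action == "monitor":
            continue                          # monitor logs and keeps matching
        return rule.action, rule.name
    return default_action, "Default Action"


# Before: the web-server rule identifies HTTP by application only, so its
# L3/L4 part (Outside -> Inside, any port) matches every inbound SYN.
BEFORE = [
    Rule("Inbound-Web_server", "allow", "Outside", "Inside", apps=frozenset({"HTTP"})),
]
# After (assumed fix): the same rule also names the ports the server really
# serves HTTP on, so SYNs to other ports never enter the pending state.
AFTER = [
    Rule("Monitor-Inbound", "monitor", "Outside", "Inside"),
    Rule("Inbound-Web_server", "allow", "Outside", "Inside",
         dst_ports=frozenset({80, 8081}), apps=frozenset({"HTTP"})),
]


def scanner_view(policy, ports=(21, 80, 445, 2049, 3389, 8081)):
    """What an outside SYN scanner sees per port: 'open' when the SYN is
    forwarded (pending AppID or allowed) so a SYN-ACK can come back,
    'filtered' when the firewall drops it before the handshake."""
    view = {}
    for port in ports:
        verdict, _ = evaluate(policy, Flow("Outside", "Inside", port))
        view[port] = "open" if verdict in ("pending", "allow", "trust") else "filtered"
    return view


if __name__ == "__main__":
    print("before:", scanner_view(BEFORE))
    print("after: ", scanner_view(AFTER))
```

Running it shows every scanned port as open under the application-only rule and only 80 and 8081 as open after the port condition is added; once AppID identifies the tcp/21 flow as FTP, even the original rule stops matching and the flow hits the default action, which is the behaviour the engine debug above records.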
Security Intelligence - IP and URL Block
Edit Access Control Policy > Security Intelligence. Block threats detected by the Cisco-provided Security Intelligence feeds: use the Talos-provided IP and URL lists/feeds to block known threats before the access control policy evaluation.

Security Intelligence - DNS (Domain Not Found)
Edit Access Control Policy > Security Intelligence. DNS SI performs a "man in the middle" for DNS queries. The DNS policy is edited under Policies > DNS > Edit DNS Policy.

Security Intelligence - Events
Analysis > Connections > Security-Related Events.

TLS Server Identity Discovery
Edit Access Control Policy > Advanced. The certificate is encrypted in TLS 1.3. Enabling TLS Server Identity Discovery provides visibility into the certificate without a decryption policy. It is disabled by default. The information in the certificate can be used in URL/application-based policies for an effective rule match.

Encrypted Visibility Engine
Edit Access Control Policy > Advanced. It is difficult to identify applications and detect threats in encrypted traffic without incurring the cost of decryption. By using TLS fingerprinting techniques, the EVE library can identify the following three things about an encrypted session over supported protocols:
- Client process name
- Client OS detection
- Probability that the traffic was generated by a malicious process
Requires Snort 3, a Threat license and FMC.

Encrypted Visibility Engine (contd.) - Client OS Discovery: How It Works
To see Client OS detection by EVE, the feature toggle must be enabled from the AC policy's Advanced UI under Encrypted Visibility Engine. Next, Hosts must be enabled under Policies > Network Discovery. OS information can then be viewed under Analysis > Network Map > select the required host.

Encrypted Visibility Engine - Events View with Application Assignment
This feature allows applications to be assigned to processes identified by EVE. Customers can add AC rules to allow, block or trust applications mapped to processes.

TLS Decryption Policy
By default, "Do not decrypt" is the default action. Customize it based on your organization's needs if using a decryption policy. Advanced options: Policies > Decryption Policy > Advanced.
Network Discovery
Used to build a comprehensive map of your network and to understand the devices and applications present in it. Useful for maintaining the Firepower Recommended Rules in the intrusion policy.
Default Network Discovery Policy (Policies > Network Discovery): to begin collecting host or user data you must edit the discovery rule with the Host and User options checked and deploy to all devices. By default, all networks are monitored; define the networks protected by the firewall.
(Screenshot on the original slide: network discovery with the default "any" policy.)

Intrusion Policy - Base Policies
Connectivity Over Security: built for organizations where connectivity takes precedence over network infrastructure security.
Balanced Security and Connectivity: built for both speed and detection. This policy is a good starting point for most organizations and deployment types.
Security Over Connectivity: built for organizations where network infrastructure security takes precedence over user convenience.
Maximum Detection: built for organizations where network infrastructure security is given even more emphasis than by the Security Over Connectivity policies, with the potential for even greater operational impact.

Intrusion Policy - Cisco Recommended Rules
Cisco Recommended Rules automatically tune your Snort rules for the applications, servers and hosts on your network. To enable Cisco Recommended Rules, Hosts need to be enabled in the Network Discovery policy, and the protected network is added during configuration. Policies > Intrusion > edit the Snort 3 policy > Recommendations.

Variable Sets
A variable set defines the IP addresses and ports used in intrusion rules. You can either edit and use the default set or create a new one. Objects > Object Management > Variable Set.

Variables provide directionality. This sample rule triggers for traffic from EXTERNAL_NET to HOME_NET on the HTTP ports with the content described. It might also be useful to detect events within your network, if your IPS is deployed separating different network segments.

Sample rule (header fields: client IP, client port -> server IP, server port):
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Accellion FTA arbitrary file read attempt"; flow:to_server,established; http_uri; content:"/courier/intermediate_login",fast_pattern,nocase; http_cookie; content:"statecode",nocase; content:"%00"; metadata:policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2015-2856; classtype:attempted-recon; sid:35302; rev:2;)

Variable Sets - Recommendations
SecOps-managed or internal IPS: if your team is interested in threat hunting and is willing to spend time tuning:
a. Leave EXTERNAL_NET as "any".
b. Make an internal decision on how to configure, or not configure, HOME_NET.
Internet perimeter deployment: if your team wants a simple IPS deployment with a minimal number of alerts:
a. Configure HOME_NET to match all RFC 1918 IPv4 addresses, your Internet-routable addresses, and your IPv6 space.
b. Configure EXTERNAL_NET as !HOME_NET.

Access Control Rules - Best Practices: What Happens to Traffic During Pending Rule Evaluation?
Edit Access Control Policy > Advanced. The IPS policy highlighted on the slide (the intrusion policy used before an access control rule is determined) is used for inspection while the firewall engine is trying to determine the application or URL category of a specific traffic flow.
Network Analysis Policy
The Network Analysis Policy (NAP) controls the preprocessors and defines how network traffic is analyzed. It preprocesses all traffic handled by an access control policy; network analysis and intrusion policies work together to examine traffic. By default, there is no tunable policy: create a new one to tune the NAP. Policies > Intrusion > Network Analysis Policies.

Network Analysis Policy - Snort 2
Some preprocessors are disabled by default:
- Portscan detection
- Rate-based attack prevention
- SCADA preprocessors
- Inline normalization
Enable these as per your requirements.

Network Analysis Policy - Snort 3
(Screenshot on the original slide.)

Network Analysis Policy - Inline Normalization
Disabled by default in some base policies (Snort 2). Enforces protocol compliance for the TCP and IP protocols. Enabling normalization will block some non-standard implementations and many attacks; however, it can potentially block poorly written legitimate traffic. Policies > Intrusion > Network Analysis Policies.

Network Analysis Policy - Enable the NAP
Policies > Access Control > edit the policy > Advanced.

PortScan Detection and Prevention
Can detect different port scans and port sweeps. Supported with Snort 3 starting from 7.2. The configuration settings are granular. Can be enabled in Detection or Prevention mode. By default, port scan detection is done on allowed traffic, but it can also be enabled on denied traffic. Edit Access Control Policy > Advanced.

Traffic selection: Monitor, Ignore Scanner, Ignore Target. Users can tune port scan detection by choosing preconfigured sensitivity levels: Low, Medium, High. Once a scan is detected, the host is blocked for 3600 seconds (1 hour).
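The following is an added example, not the FTD port-scan implementation: a sliding-window detector of the kind the slides describe, with the Ignore Scanner / Ignore Target selections, a per-sensitivity threshold, and a 3600-second shun as the slide states. The distinct-port thresholds for Low/Medium/High and the 60-second window are assumed values, not Cisco's, and the connection records it is run over are constructed.

```python
"""Port-scan detection with shunning (added example, assumptions noted inline)."""
from collections import defaultdict

SENSITIVITY_THRESHOLDS = {"low": 50, "medium": 20, "high": 10}   # assumed, not Cisco's values
SHUN_SECONDS = 3600   # slide: a detected scanner is blocked for 3600 s (1 hour)


class PortScanDetector:
    """Counts distinct destination ports per (proto, scanner, target) inside a
    sliding time window and shuns the scanner once the threshold is reached."""

    def __init__(self, sensitivity="medium", window=60, ignore_scanners=(), ignore_targets=()):
        self.threshold = SENSITIVITY_THRESHOLDS[sensitivity]
        self.window = window                         # seconds (assumed)
        self.ignore_scanners = set(ignore_scanners)  # "Ignore Scanner" traffic selection
        self.ignore_targets = set(ignore_targets)    # "Ignore Target" traffic selection
        self.events = defaultdict(list)              # (proto, src, dst) -> [(ts, dport), ...]
        self.shunned = {}                            # src -> timestamp the shun expires

    def is_shunned(self, src, now):
        expiry = self.shunned.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.shunned[src]                    # shun has expired
            return False
        return True

    def observe(self, ts, proto, src, dst, dport):
        """Feed one connection attempt; returns 'shunned', 'scan' or 'ok'."""
        if self.is_shunned(src, ts):
            return "shunned"
        if src in self.ignore_scanners or dst in self.ignore_targets:
            return "ok"
        key = (proto, src, dst)
        recent = [(t, p) for t, p in self.events[key] if ts - t <= self.window]
        recent.append((ts, dport))
        self.events[key] = recent
        if len({p for _, p in recent}) >= self.threshold:
            self.shunned[src] = ts + SHUN_SECONDS
            return "scan"
        return "ok"

    def statistics(self):
        """Per (proto, src): distinct targets and distinct ports seen, in the
        spirit of 'show threat-detection portscan statistics'."""
        agg = defaultdict(lambda: (set(), set()))
        for (proto, src, dst), evs in self.events.items():
            hosts, ports = agg[(proto, src)]
            hosts.add(dst)
            ports.update(p for _, p in evs)
        return {k: {"hosts": len(h), "ports": len(p)} for k, (h, p) in agg.items()}


def run_sample():
    """Constructed traffic: one host sweeping 25 TCP ports on an internal server
    one second apart, then one normal connection from another host."""
    det = PortScanDetector(sensitivity="medium")
    verdicts = []
    for i in range(25):
        verdicts.append(det.observe(ts=i, proto="tcp", src="192.168.212.115",
                                    dst="192.168.250.10", dport=1 + i))
    verdicts.append(det.observe(ts=30, proto="tcp", src="192.168.200.232",
                                dst="192.168.250.10", dport=443))
    return {"verdicts": verdicts, "stats": det.statistics(),
            "shun_expiry": dict(det.shunned), "detector": det}


if __name__ == "__main__":
    result = run_sample()
    print(result["verdicts"])
    print(result["stats"])
    print(result["shun_expiry"])
```

At Medium sensitivity the 20th distinct port trips the detector, every later attempt from that source is dropped as shunned until the hour is up, and the statistics resemble the per-source host/port counters the CLI output on the next slide shows.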
PortScan Detection and Prevention - Example
FTDv-152# show threat-detection portscan statistics
ICMP Outside:192.168.212.115, hosts 1, ports 0
TCP Outside:192.168.212.115, hosts 1, ports 260
UDP Inside:192.168.250.50, hosts 1, ports 1
TCP Inside:192.168.200.232, hosts 1, ports 1
UDP Inside:192.168.250.10, hosts 1, ports 1
TCP Inside:192.168.250.200, hosts 1, ports 1
TCP Inside:192.168.200.241, hosts 1, ports 1

FTDv-152# show threat-detection portscan shun
Shunned Host List:
192.168.212.115

FTDv-152# show shun
shun (Outside) 192.168.212.115 0.0.0.0 0 0 0

FTDv-152# show asp drop
Frame drop:
  Packet shunned (shunned)    1577

Anti-Spoof or Reverse Path Check
Checks that an ingress packet is being received on the right interface based on the routing table.
CLI command: ip verify reverse-path interface <interface_name>
Recommendations: enable it per interface under Devices > Device Management > edit the device > edit the interface.

CLI show commands:
FTD# show asp drop
Frame drop:
  Reverse-path verify failed (rpf-violated)    90
FTD# show ip verify statistics
interface inside: 11 unicast rpf drops
interface outside: 79 unicast rpf drops
Syslogs:
FTD-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
FTD-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
FTD-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name

Fragmentation
The default behavior is virtual reassembly; it can be modified to do full reassembly if needed. CLI commands and recommendations: Devices > Device Management > edit the device > edit the interface.

Fragmentation Logs
Syslog:
FTD-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
FTD-4-209003: Fragment database limit of number exceeded: src = source_address, dest = dest_address, proto = protocol, id = number
FTD-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = source_address, dest = dest_address, proto = protocol, id = number
FTD-4-209005: Discard IP fragment set with more than number elements: src = ... (too many elements are in a fragment set)
FTD-4-209006: Fragment queue threshold exceeded, dropped TCP fragment from IP_address/port to IP_address/port on outside interface
show asp drop:
  Fragment full reassembly failed (fragment-full-reassembly-failed)    2378
  Fragment reassembly failed (fragment-reassembly-failed)    8218901
capture asp type asp-drop fragment-reassembly-failed
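The following is an added example, not from the deck: a parser for the anti-spoof and fragmentation syslog messages listed above (106016, 106021, 106022, 106020 and 209003 to 209006) that summarizes them by category, interface and source address, which is what a SOC would want from a syslog collector to spot which interface or source is generating the reverse-path or fragment drops. The log lines it runs over are constructed to follow the message formats on the slides; the %FTD-6-302013 line is included as ordinary connection noise that the parser should ignore.

```python
"""FTD anti-spoof / fragmentation syslog summarizer (added example)."""
import re
from collections import Counter

# Constructed sample lines in the formats shown on the slides (not real logs).
SAMPLE_LOGS = """\
%FTD-2-106016: Deny IP spoof from (10.1.1.5) to 192.168.250.10 on interface outside
%FTD-1-106021: Deny tcp reverse path check from 10.1.1.5 to 192.168.250.10 on interface outside
%FTD-1-106021: Deny udp reverse path check from 10.1.1.5 to 192.168.250.53 on interface outside
%FTD-1-106022: Deny tcp connection spoof from 192.168.200.7 to 192.168.250.10 on interface inside
%FTD-2-106020: Deny IP teardrop fragment (size = 40, offset = 8) from 198.51.100.9 to 192.168.250.10
%FTD-4-209003: Fragment database limit of 200 exceeded: src = 198.51.100.9, dest = 192.168.250.10, proto = udp, id = 4711
%FTD-4-209004: Invalid IP fragment, size = 70000 exceeds maximum size = 65535: src = 198.51.100.9, dest = 192.168.250.10, proto = udp, id = 4712
%FTD-4-209006: Fragment queue threshold exceeded, dropped tcp fragment from 198.51.100.9/5555 to 192.168.250.10/445 on outside interface
%FTD-6-302013: Built inbound TCP connection 12 for outside:203.0.113.4/51000 (203.0.113.4/51000) to inside:192.168.250.10/80 (192.168.250.10/80)
"""

HEADER = re.compile(r"%FTD-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
SPOOF_IDS = {"106016", "106021", "106022"}
FRAG_IDS = {"106020", "209003", "209004", "209005", "209006"}

# Body patterns, tried in order; 106016 wraps the source address in parentheses.
ON_IFACE = re.compile(r"from \(?(?P<src>[^\s)]+)\)? to (?P<dst>\S+) on interface (?P<iface>\S+)")
QUEUE = re.compile(r"from (?P<src>[^/\s]+)/\d+ to (?P<dst>[^/\s]+)/\d+ on (?P<iface>\S+) interface")
SRC_DEST = re.compile(r"src = (?P<src>[^,\s]+), dest = (?P<dst>[^,\s]+)")
TEARDROP = re.compile(r"from (?P<src>\S+) to (?P<dst>\S+)$")


def parse_line(line):
    """Return an event dict for a spoof/fragment message, else None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    msg_id, body = m.group("id"), m.group("body")
    if msg_id in SPOOF_IDS:
        category = "spoof"
    elif msg_id in FRAG_IDS:
        category = "fragment"
    else:
        return None                     # not one of the messages we track
    event = {"id": msg_id, "severity": int(m.group("sev")), "category": category,
             "src": None, "dst": None, "iface": None}
    for pattern in (ON_IFACE, QUEUE, SRC_DEST, TEARDROP):
        d = pattern.search(body)
        if d:
            event.update(d.groupdict())
            break
    return event


def summarize(text):
    """Parse all lines and aggregate by (category, interface) and by source."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    by_category_iface = Counter((e["category"], e["iface"]) for e in events)
    by_source = Counter(e["src"] for e in events if e["src"])
    return {"events": events,
            "by_category_iface": dict(by_category_iface),
            "top_sources": by_source.most_common(3)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS)
    for key, count in sorted(result["by_category_iface"].items(), key=str):
        print(key, count)
    print("top sources:", result["top_sources"])
```

The aggregation keeps interface as a dimension because the page's own counters (show ip verify statistics) are per interface: a burst of 106021 on the outside interface usually points at a routing asymmetry or a spoofed source, while the same message on an inside interface is worth a closer look at the host named as the source.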
Application Layer Protocol Inspections
Inspection engines enabled by default (listed on the original slide). These protocols require the firewall to do deep packet inspection. Inspection is required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.
CLI: to enable, configure inspection <protocol> enable; to disable, configure inspection <protocol> disable.

Application Layer Protocol Inspections (contd.) - Examples
ICMP: keeps track of echo requests and allows the echo response back without the need for an access list. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct. This helps with ICMP attacks.
DNS: DNS inspection is enabled by default, using the preset_dns_map inspection class map:
- The maximum DNS message length is 512 bytes.
- DNS Guard is enabled, so the FTD tears down the DNS session associated with a DNS query as soon as the respective DNS reply is forwarded by the FTD.
- Protocol enforcement is enabled, which enables DNS message format checks, including a domain name length of no more than 255 characters, a label length of 63 characters, compression, and a looped pointer check.

Management Access and Control Plane

FMC Access List
Access to the FMC GUI and SSH: System > Configuration > Access List. By default, SSH and HTTPS are set to "any" (the default ACL). It is suggested to add rules that allow specific hosts or subnets and to remove the "any" entries.

FMC Authentication
FMC login and FTD login can be authenticated using:
- FMC auth: internal users; external (LDAP/S, RADIUS) mapped to FMC roles; SSO (Okta, OneLogin, Azure, PingID, other).
- FTD auth: internal users; external (LDAP/S, RADIUS) mapped to FTD roles (Basic, Config).

FMC Internal Users - Recommendations
Customize these options based on your organization's security policy:
- Set the Maximum Number of Failed Logins.
- Set the Minimum Password Length.
- Set the Days Until Password Expiration.
- Set the Days Before Password Expiration Warning.
- Set the user options Force Password Reset on Login and Check Password Strength.

FMC User Configuration (System > Configuration > User Configuration)
- Password Reuse Limit: the number of passwords in a user's most recent history that cannot be reused.
- Track Successful Logins: the number of days that the system tracks successful logins to the management center GUI/CLI.
- Max Number of Login Failures: the number of times in a row that users can enter incorrect web interface login credentials before the system temporarily blocks the account from access for a configurable time period.
- Set Time in Minutes to Temporarily Lockout Users: the duration in minutes of a temporary web interface user lockout if Max Number of Failed Logins is non-zero.
- Max Concurrent Sessions Allowed: the maximum number of sessions allowed for users with the same privilege type.
Recommendations: by default, these settings are disabled; customize them based on your organization's security policy.
FMC Login Timeout (System > Configuration)
- Web interface (management center only): configure the Browser Session Timeout (Minutes). The default value is 60; the maximum value is 1440 (24 hours). To exempt users from this session timeout, see "Add an Internal User".
- CLI: configure the CLI Timeout (Minutes) field. The default value is 0; the maximum value is 1440 (24 hours).
Recommendations: customize these options based on your organization's security policy.

External Authentication (System > Users > External Authentication)
- LDAP can be hardened by making the connection secure: port tcp/389 is None or TLS; port tcp/636 is SSL.
- RADIUS: set a complex RADIUS key.
- SSO: all the communication is encrypted, so it is completely secure.

FMC Login Banner (System > Configuration > Login Banner)
The login banner serves as a warning for unauthorized users. You can use ASCII characters and carriage returns to create a custom login banner.

FTD Management Access - Recommendations
A few things that can help harden FTD user accounts:
- Max failed logins: set the maximum number of failed logins with configure user maxfailedlogins
- Min password length: set the minimum password length with configure user minpasswdlen
- User aging: set user password aging with configure user aging
- Strength check: set the strength requirement on user passwords with configure user strengthcheck
- SSH access list (any is allowed by default on the management interface): configure ssh-access-list

Management Access - Restrict Expert Mode (Linux Shell Access)
Users with Config-level access can use the CLI expert command to access the Linux shell. Restrict it with system lockdown-sensor. Use with caution.

NTP - Recommendations
Certain features on Secure Firewall depend on the system time for their operation, such as syslog, writing log files, time-based ACLs, certificate functions, etc. It is recommended to use a trusted NTP server for time sync of the FMC and FTD. FMC supports 3 authentication types: MD5, SHA-1 and AES-128 CMAC.
103、iveDNS67BRKSEC-2093Used by Secure Firewall to resolve FQDN objects used in ACL and threat updatesFMC needs DNS for Content and Software UpdatesRecommended to use a Trusted DNS resolver -Local or Cisco Umbrella Servers.RecommendationsVPN 2023 Cisco and/or its affiliates.All rights reserved.Cisco Publ
104、ic#CiscoLiveDeprecated Ciphers based on versionAs Newer and more Secure Ciphers get added,the older and less secure Algorithms are deprecated.Update your IKE proposals and IPSec policies to maintain the Security standards.Example:In version 6.7,The following less secure ciphers have been removed or
105、deprecated in FTD 6.7 onwards:DiffieDiffie-Hellman GROUPHellman GROUP 5 5 is deprecated for IKEv1 and removed for IKEv2Diffie-Hellman groups 2 and 24 have been removed.Encryption algorithmsEncryption algorithms:3DES,AES-GMAC,AES-GMAC-192,AES-GMAC-256 have been removed.Deprecated Hash Algorithms,Encr
106、yption Algorithms,and Diffie-Hellman Groups69BRKSEC-2093 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveHigh to low secure CiphersSecurity Level can be modified to include the ciphers based on your Security policy to meet Compliance.TLS configuration for Remote Access VPN
Configuration path: Devices > Platform Settings > SSL.

Logging and Monitoring

FMC Monitoring - SNMP Polling
SNMPv1 and v2 are supported, but they are not secure as the data is in clear text. SNMPv3 is preferred to ensure security.
Recommendations: System > Configuration > SNMP; System > Configuration > Access List.

FMC Monitoring - Syslog Alerts
FMC can send alerts in 3 ways. Recommendations: Policies > Actions > Alerts: New Syslog Server, New SNMP Server.

FMC Monitoring - Email Configuration
Recommendations: System > Configuration > Email Notification; Policies > Actions > Alerts.

FMC Monitoring - Health Alert Configuration
Health alert configuration (example: SNMP trap).

FMC Monitoring - Emails for Intrusion
Emails can be set up based on specific signatures. Specifically useful if there is a team reviewing these IPS alerts.

FTD Monitoring
SNMPv3 is preferred to ensure security. Supported user types:
- No Auth: no authentication and no privacy
- Auth: authentication but no privacy
- Priv: authentication and privacy

FTD Logging
FTD logging can be event data or system messages.
- Send event data to a centralized logging system.
- Regularly monitor and analyze intrusion alerts to identify potential threats.
- Review and fine-tune the IPS policy based on the alerts to improve detection accuracy.
Configuration paths: Devices > Platform Settings > Syslog; Policies > Access Control > edit the policy > Logging.

FTD Logging - Syslogs
Syslogs can be configured to use the Management interface or any data interface as the source interface. Connection events and system messages are both generated from the FW.
- 430001: Intrusion event
- 430002: Connection event logged at beginning of connection
- 430003: Connection event logged at end of connection
- 430004: File events
- 430005: File malware events
These are the events which can be logged to FMC as well.
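The message IDs above are what a collector keys on when it separates FTD event records from LINA system messages. The following is an added example, not code from the deck or from Cisco; the sample lines are constructed and the key: value field layout (SrcIP, DstIP, etc.) is an assumption about the event syslog format.

```python
"""Parse FTD event syslogs by message ID (430001-430005 from the slide above).

Added example, not Cisco code. The sample lines are constructed; the
'%FTD-<sev>-<id>: Key: Value, ...' layout and field names such as SrcIP
are assumptions about the event syslog format, not device output.
"""
import re
from collections import Counter

EVENT_TYPES = {
    430001: "intrusion",
    430002: "connection-start",
    430003: "connection-end",
    430004: "file",
    430005: "file-malware",
}
HEADER = re.compile(r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")

def parse_ftd_event(line):
    """Return (event_type, severity, fields) or None for non-event messages."""
    m = HEADER.search(line)
    if not m or int(m.group("msgid")) not in EVENT_TYPES:
        return None  # LINA/system message (or not an FTD syslog at all)
    fields = {}
    for pair in m.group("body").split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return EVENT_TYPES[int(m.group("msgid"))], int(m.group("sev")), fields

def summarize(lines):
    """Count events per type; collect sources with intrusion or malware events."""
    counts, flagged = Counter(), set()
    for line in lines:
        parsed = parse_ftd_event(line)
        if parsed is None:
            continue
        etype, _sev, fields = parsed
        counts[etype] += 1
        if etype in ("intrusion", "file-malware") and "SrcIP" in fields:
            flagged.add(fields["SrcIP"])
    return counts, flagged

# Constructed sample lines (not real device output).
SAMPLE = [
    "<134>Jun  1 10:00:01 ftd1 %FTD-6-430002: EventPriority: Low, ConnectionID: 101, SrcIP: 10.1.1.5, DstIP: 203.0.113.9, DstPort: 443, Protocol: tcp",
    "<134>Jun  1 10:00:02 ftd1 %FTD-6-430003: EventPriority: Low, ConnectionID: 101, SrcIP: 10.1.1.5, DstIP: 203.0.113.9, InitiatorBytes: 1200",
    "<129>Jun  1 10:00:05 ftd1 %FTD-1-430001: EventPriority: High, SrcIP: 10.1.1.7, DstIP: 10.2.2.2, Classification: Misc Activity",
    "<134>Jun  1 10:00:09 ftd1 %FTD-6-430005: EventPriority: Medium, SrcIP: 10.1.1.7, DstIP: 198.51.100.4, FileName: invoice.exe, SHA_Disposition: Malware",
    "<166>Jun  1 10:00:10 ftd1 %FTD-6-302014: Teardown TCP connection 55 for outside:198.51.100.4/443 to inside:10.1.1.5/51000",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE)
    print(dict(counts), sorted(flagged))
```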
FTD Logging - Syslogs
LINA messages can be sent to the syslog server as well. Recommended to be set at Informational (TAC suggestion).

FTD Logging contd - Secure Syslog
Only supported on a data interface. Needs to be TCP.

Netflow
Supports NSEL to track connection info and trends.
Disable syslogs which provide the same information as Netflow; this helps with performance too.

Audit Logs
System > Monitoring > Audit
Logs all login/logout events and changes for audit purposes. A Compare View is available to show what changes were made within the policies.

Audit Logs - Screenshot
Logs can be sent using syslog and HTTP/S (System > Configuration). Enabling TLS by loading a certificate makes it secure.

Audit Logs - Syslogs
Has details on user activity, but does not have the compare view in the syslogs.

SW and Content Updates

Different Updates
Update type           | Manual | Scheduled | Frequency of updates
Software update       | Yes    | Yes       | Every few months
GeoDB                 | Yes    | Yes       | 1-2/month
VDB                   | Yes    | Yes       | 3-6/quarter
SRU/LSP               | Yes    | Yes       | 2-3/week
Security Intelligence | Yes    | Yes       | Multiple times/day
URL DB                | Yes    | Yes       | Multiple times/day

Software Update
Need to have a software life cycle strategy based on your company's security needs.
- PSIRT releases: monitor Security Advisories and Field Notices. Look out for the PSIRT releases.
- Golden Star releases: the most stable version available. A Golden Star release is usually tagged to a Long Term or Extra Long Term release.

Intrusion Policy - Keep Your Rules Up to Date
Regularly update your IPS rule set to ensure the latest protection. Schedule recurring automatic updates of intrusion rules on an FMC with internet access.

Different Updates
VDB installs and some other configuration changes may require a Snort restart. Recommended to schedule these updates during low-traffic times.

URL Filtering
URL Query Source (available from 7.3):
- Local Database Only
- Local Database and Cisco Cloud
- Cisco Cloud Only
Cached URLs Expire is set to Never; recommended to change this setting to avoid stale categorization/reputation results.

Disaster Recovery

Backup - Why Do We Need a Backup
If you don't have a backup, the implications could be:
- Manual effort in restoring FTD and the rule set.
- Extended downtime.
Use remote storage; backups should not be stored on the FMC itself.

Compliance

Security Certifications Compliance
Some organizations might be required to use only equipment and software complying with security standards established by the U.S. Department of Defense and global certification organizations. Firepower supports compliance with the following security certification standards:
- Common Criteria (CC): a global standard established by the international Common Criteria Recognition Arrangement, defining properties for security products.
- Unified Capabilities Approved Products List (UCAPL): a list of products meeting security requirements established by the U.S. Defense Information Systems Agency (DISA).
- Federal Information Processing Standards (FIPS) 140: a requirements specification for encryption modules.
PS: After you enable this setting, you cannot disable it. If you need to take an appliance out of CC or UCAPL mode, you must reimage.
(Slide: Security Certifications Compliance Characteristics)

Performance Best Practices

Intrusion - Snort 2 vs Snort 3
Feature                                                             | Snort 2 | Snort 3
Multi-threaded architecture                                         |         | Yes
Capable of running multiple Snort processes                         | Yes     | Yes
Port-independent protocol inspection                                |         | Yes
IPS accelerators / Hyperscan support                                |         | Yes
Modularity - easier Talos contributions                             |         | Yes
Scalable memory allocation                                          |         | Yes
Next-gen Talos rules (e.g., regex / rule options / sticky buffers)  |         | Yes
New and improved HTTP inspector (e.g., HTTP/2 support)              |         | Yes
Lightweight content updates from Talos                              |         | Yes

Elephant Flows
Flows that are large, continuous, long-duration and fast, with a high ability to cause duress for Snort CPU cores. By default, elephant flows are those larger than 1 GB / 10 seconds.
- EF example: VM migration, database replication, nightly backup etc.
- NEF (non-elephant flow) example: web searching.
Note: "elephant flow" can be used interchangeably with other terms like fat flow or single flow. We will be using "elephant flow" during the rest of the presentation.

Overview of Elephant Flow Detection
You can use the elephant flow detection feature to take action on elephant flows:
- Bypass elephant flow: bypass the flow from Snort inspection.
- Throttle elephant flow: apply a rate limit to the flow and continue to inspect. The flow rate is calculated dynamically and the flow rate is reduced by 10%.
Notes:
- 7.1: feature introduced in the FTD CLI (only with detection).
- 7.2: feature introduced in the FMC GUI (with remediations).
- Snort 3 must be the detection engine.
- Doesn't apply to encrypted traffic.

Configure Elephant Flow Detection
  show elephant-flow detection-config   Show elephant-flow-detection config
  show elephant-flow status             Show elephant-flow-detection status (Enabled/Disabled)

  > show elephant-flow status
  Elephant flow inspector is enabled

  > show elephant-flow detection-config
  bypass_apps (List of App IDs) = 0:1
  bypass_enabled = true
  cpu_utilization (in Percentage) = 40
  high_cpu_check = true
  bytes_threshold (in MBs) = 1024
  packet_drop_threshold (in Percentage) = 5
  qos_enabled = false
  time_threshold (in Seconds) = 10
  window_duration (in Seconds) = 30

FMC: Access Control Policy > Advanced > Elephant Flow > Throttle the flow.
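To make the detection-config parameters concrete, here is an added example (not Cisco code, not part of the deck) that models how a flow crosses the 1 GB / 10 s threshold and which remediation the bypass, QoS and high-CPU settings would select. The flow records are constructed, and the way the device samples flow rate and combines the CPU and packet-drop checks is an assumption of this model.

```python
"""Model of the FTD elephant-flow detection parameters shown above.

Added example, not Cisco code. The flow records are constructed, and the
way the device samples flow rate and combines the CPU and packet-drop
checks is an assumption of this model, not documented behaviour.
"""
from dataclasses import dataclass

@dataclass
class DetectionConfig:
    bytes_threshold_mb: int = 1024        # 1 GB ...
    time_threshold_s: int = 10            # ... within 10 seconds
    high_cpu_check: bool = True
    cpu_utilization_pct: int = 40         # Snort CPU duress threshold
    packet_drop_threshold_pct: int = 5
    bypass_enabled: bool = True
    bypass_apps: frozenset = frozenset()  # empty = any app may bypass (assumption)
    qos_enabled: bool = False             # throttle instead of bypass

@dataclass
class Flow:
    conn_id: int
    app_id: int
    bytes_seen: int       # bytes observed over the sampled duration
    duration_s: float
    encrypted: bool = False

def is_elephant(flow, cfg):
    """True once the flow's rate would move bytes_threshold within time_threshold."""
    if flow.duration_s <= 0:
        return False
    rate_bps = flow.bytes_seen / flow.duration_s
    return rate_bps * cfg.time_threshold_s >= cfg.bytes_threshold_mb * 1024 * 1024

def remediation(flow, cfg, snort_cpu_pct, packet_drop_pct):
    """Return 'none', 'detect', 'bypass' or 'throttle' for one flow."""
    if flow.encrypted or not is_elephant(flow, cfg):
        return "none"                     # feature does not apply to encrypted traffic
    # With high_cpu_check on, remediate only while Snort is under duress
    # (CPU and packet-drop thresholds both exceeded: assumption).
    if cfg.high_cpu_check and (snort_cpu_pct < cfg.cpu_utilization_pct
                               or packet_drop_pct < cfg.packet_drop_threshold_pct):
        return "detect"
    if cfg.bypass_enabled and (not cfg.bypass_apps or flow.app_id in cfg.bypass_apps):
        return "bypass"                   # skip Snort inspection for this flow
    if cfg.qos_enabled:
        return "throttle"                 # rate-limit, keep inspecting
    return "detect"

def throttled_rate(rate_bps):
    """Throttling reduces the dynamically calculated flow rate by 10%."""
    return rate_bps * 0.9
```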
Elephant Flows Identification - 7.1 and Later
  > show elephant-flow status
  Elephant flow inspector is enabled

  > show elephant-flow detection-config
  high_cpu_check = false
  bytes_threshold (in MBs) = 1024
  time_threshold (in Seconds) = 10
Elephant flow detection is enabled by default on 7.2.

Elephant Flow - All Options to Remediate Elephant Flows
Platform   | Snort 2 | Snort 3 (FMC) | IAB | Static Offload | Dynamic Offload | Elephant Flows (7.1: detection only, Snort 3; 7.2+: detection and remediation)
SFR Module | Yes     | No            | Yes | NA             | NA              | NA
9300 FTD   | Yes     | Yes - 7.0+    | Yes | Yes            | Yes 6.3+        | Yes 7.1+
4100 FTD   | Yes     | Yes - 7.0+    | Yes | Yes            | Yes 6.3+        | Yes 7.1+
3100 FTD   | Yes     | Yes - 7.0+    | Yes | Planned        | -               | Yes 7.1+
2100 FTD   | Yes     | Yes - 7.0+    | Yes | NA             | NA              | Yes 7.1+
1000 FTD   | Yes     | Yes - 7.0+    | Yes | NA             | NA              | Yes 7.1+

DDoS Protection - Threat Detection (Option 1)
(Screenshot slide.)

DDoS Protection - TCP Intercept in MPF (Option 1)
(Screenshot slide.)

Access-List Recommended Limit
Every platform has a Cisco recommended ACL limit for optimal performance. A health alert gets generated when this limit is exceeded.
PS: Any number of new rules can be deployed if you have free memory, as there is no hard limit. However, these limits are recommended limits for optimal performance.

Access-List Limit
Memory required for rule usage can be reduced by enabling object group search (OGS).
- Without OGS: 10K rules. After OGS is deployed: 107 rules.
- With OGS: 107 rules. With OGS after removing the zones from the rule: 8 rules.

Interface Object Optimization
Needs to be enabled together with OGS. When both are enabled, the system will instead deploy a single rule per access control/prefilter rule. Reduces to just 1 rule.

Transactional Commit
Default behavior (without transactional commit): a newly applied rule becomes effective immediately. When a large ACL is deployed, this immediacy comes at a slight cost in performance and becomes noticeable in a high conns/sec environment.
When enabled, a rule update is applied after the rule compilation is completed, without affecting the rule lookup performance. Very effective in dealing with high CPU during loading of the startup config, config replication in HA/cluster, or compiling a large ACL rulebase.

Transactional Commit Configuration
1. Create a FlexConfig object: Objects > Object Management > FlexConfig > FlexConfig Object.
2. Add the FlexConfig object to the FlexConfig policy: Objects > Object Management > FlexConfig > FlexConfig Object. Save and deploy.

FMC Database Limits
Every event type has a configured limit based on platform. Suggested to limit the events being sent to the FMC to maximize the retention period. Trusted flows or traffic which generates a lot of noise can be excluded from logging to FMC but still logged to syslog.
System > Configuration > Database

Conclusion
We touched multiple features in the product:
- Dataplane hardening: rule writing, ordering, SI, L7 features, IPS, Network Discovery and so on.
- Mgmt hardening: Mgmt ACL, authentication and user account parameters and so on.
- Logging and Monitoring: all logging and monitoring options and how to configure them.
- VPN, Software and Content Updates and Disaster Recovery.

"As we've come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided." - Art Wittmann

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! Attendees will also earn 100 points in the Cisco Live Game for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos.
- Book your one-on-one Meet the Engineer meeting.
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs.
- Visit the On-Demand Library for more sessions at www.CiscoL

Thank you

Gamify your Cisco Live experience!
Get points for attending this session! How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.
157、All rights reserved.Cisco Public#CiscoLive121Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:1234121 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-2093#CiscoLive