Instant Demo Guide
Cisco dCloud
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 23
Firepower Management Center 6.5 v2 – Instant Demo
Last Updated: 01-April-2020
About This Demonstration
This guide for the preconfigured demonstration includes:
About This Demonstration
Requirements
About This Solution
Topology
Get Started
Scenario 1. Overview of Context Explorer
Scenario 2. Overview of Summary Dashboard
Scenario 3. Building a Next-Generation Firewall Policy
What’s Next?
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Required: Laptop
Optional: Cisco AnyConnect®
About This Solution
The Firepower System is a threat-centric next-generation security system. It provides very powerful security
controls using its firewall, IPS, and advanced malware protections, while providing enhanced visibility into
advanced threats. By understanding the network environment, the types of hosts on the network, and the
applications used by endpoints and servers, Firepower takes the guesswork out of deploying policies, and
reduces the effort required to tune security devices and services. This makes the system more accurate and
allows the network or security staff to rapidly focus on issues that require attention. Retrospective capabilities
allow users to understand how threats and malware entered a network and trace the movement of malicious
files.
The key components of the solution are:
• Firepower Management Center (FMC). FMC is a centralized management and reporting appliance running
on either a dedicated hardware appliance or as a virtual machine running within VMware.
• Cisco Firepower, running as a service on a Cisco ASA Adaptive Security Appliance, on a dedicated Firepower
appliance, as a virtual appliance in VMware, Amazon Web Services, or KVM, or as a Firepower Threat Defense
appliance running on supported hardware or virtual platforms.
UI Themes
This demo uses a new UI theme (“Light”) for the purposes of a simplified user experience.
If you prefer the previous “Classic” theme, you can switch back at any time. The
following steps show you how to switch between the themes for your demo experience.
From Classic Theme to Light Theme
1. In the top right of the screen, click the arrow beside your name, and then click User Preferences at the top
of the list.
2. Under UI Theme (located on the General tab), select the drop-down and choose Light.
3. Confirm the change by clicking Use Light Theme.
From Light Theme to Classic Theme:
1. In the top right of the screen, click the arrow beside your name to display your list of choices.
2. Select Switch to Classic Theme.
Scenario 1. Overview of Context Explorer
Value Proposition: Cisco Firepower has a very powerful set of Dashboards. Context Explorer is a special kind of
high-level dashboard that provides multiple views into the network, all focused around a common time frame
and filter. These views are all included as panels within the Context Explorer:
• Traffic and Intrusion Events over Time
• Indications of Compromise
• Network Information (including Operating System information and top talkers by IP address and Username)
• Application Protocol Information (including Web Applications and Client Applications)
• Security Intelligence
• Intrusion Information
• File Information (including Malware)
• Geolocation Information
• URL Information
As filters are applied, or time ranges are modified, the data in each of these panels will change to match the
desired information. As an example of what you might use this for, consider the possibility of troubleshooting a
certain user’s network access. The user’s name can be applied as a filter, and every panel listed above is then
restricted to data matching that user’s network traffic.
Steps
1. Log in to display the Summary Dashboard, and then click Analysis > Context Explorer.
NOTE: If no data appears, click Reload in the upper right corner.
2. Scroll up and down the page to explore the interface, noting panel characteristics:
• Interactive display that shows detailed information when you mouse over charts.
• Color-coded charts that break down traffic data.
• You can add or remove filters for data.
The figure below shows the Traffic and Intrusion Events over Time graph.
3. Mouse over the lines to see the number of events that occurred at a point in time.
4. Scroll down to the red colored Indications of Compromise panel, which displays which hosts have exhibited
behavior indicating that they may be compromised.
In a real network, far fewer IOCs would display; they appear here to highlight the many ways a
host may be compromised.
NOTE: Hover your mouse over an IOC to see the number of hosts seeing this IOC.
5. Look at the chart sections. You can filter on this IOC, or drill down into the events that triggered it. You can
interact with all of the panels in this way.
6. Scroll down to the Network Information panel.
• This panel shows information about the types of devices running on the network, as well as top traffic
sources and destinations. We can easily see the IP addresses and user information.
• For example, if you want to find out what people are using Android Tablets for across a school district,
you can click on a slice in the chart for Operating Systems and add the specific Android devices to the
filter.
7. Click Apply Filter. The chart will show only the Android information.
8. Scroll down to the Application Protocol Information panel. Hover your mouse in the upper right of your
screen to display the three panel options:
• Application Protocols
• Client Applications
• Web Applications
The default is Application Protocols.
9. Scroll to the Security Intelligence information panel.
• It is important to understand how the security intelligence functionality works. The security appliance
subscribes to lists or feeds. It gets the IP address information of malicious devices. Using this
information, it can report on or block traffic to or from these places.
• Notice how the appliance is blocking categories, such as Attackers (IP addresses that have been
actively attacking other hosts on the internet) and CnC (IP addresses that are participating in Botnet
Command and Control activity).
• Using these feeds provides a substantial increase in effective security. Cisco Firepower allows us to
subscribe to an unlimited number of feeds, whether provided by Cisco, by third parties, or one you
create yourself.
10. Scroll down to the Intrusion Information panel. The charts and graphs in this panel identify events
triggered by the Intrusion Protection engine.
• A very interesting part of the Firepower IPS is the use of Impact Levels. We can see this in the
upper left corner of the panel.
• In order to simplify analysis of intrusion events, as well as dynamically tune the IPS policies, Firepower
uses knowledge of the network and applications that are in use. Firepower is able to focus your
attention on the events that really need attention versus the noise that is typical of other IPS systems.
Impact Levels
It is good to understand what the five impact levels mean in relation to a host on your network being vulnerable
to attack.
Impact 1: A host on your network has been involved in an attack, and it is running the right combination of
operating system and applications. It appears to be vulnerable to the attack. These are critical events to look
into.
Impact 2: A host on your network has been involved in an attack. It is running the right services and
applications, but does not appear to be vulnerable to the attack. These events are interesting to look at, but are
not usually critical.
Impact 3: A host on your network has been involved in an attack. It does not appear to be running the service
or application that is targeted in the attack. It is not vulnerable.
Impact 4: A host on your network has been involved in an attack, but it either doesn’t actually exist on your
network, or it is newly added. A determination into its vulnerability has not yet been established.
Impact 0: Neither the source nor the destination IP address exists on your network. These are events that should
be investigated. These can be caused by an incorrectly configured Firepower system, or by unauthorized
network traffic.
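To make the five definitions concrete, here is an added Python illustration (not Cisco code and not how FMC computes impact internally) that encodes them as a triage function over a constructed host map and constructed intrusion events; the Host and IntrusionEvent fields, the rule IDs and the RFC 5737 addresses are all assumptions made for the example.

```python
"""Impact-level triage as defined in this guide (added illustration, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class Host:
    """What the network map knows about one monitored host (constructed fields)."""
    ip: str
    profiled: bool = True                     # False = newly added, not yet profiled
    services: set = field(default_factory=set)        # services/applications seen running
    vulnerable_to: set = field(default_factory=set)   # rule IDs the host appears vulnerable to


@dataclass
class IntrusionEvent:
    """A constructed intrusion event: which signature fired and which host it targeted."""
    rule_id: int
    src_ip: str
    dst_ip: str
    target_service: str   # service/application the signature attacks
    target_ip: str        # the endpoint being attacked (source or destination)


def impact_level(event, network_map):
    """Return the impact level (0-4) following the five definitions in the guide."""
    if event.src_ip not in network_map and event.dst_ip not in network_map:
        return 0  # neither endpoint is on your network: misconfiguration or unauthorized traffic
    host = network_map.get(event.target_ip)
    if host is None or not host.profiled:
        return 4  # target not in the map, or newly added: vulnerability not yet established
    if event.target_service not in host.services:
        return 3  # host does not run the targeted service: not vulnerable
    if event.rule_id in host.vulnerable_to:
        return 1  # runs the service and appears vulnerable: critical, investigate first
    return 2      # runs the service but does not appear vulnerable


def triage(events, network_map):
    """Bucket rule IDs by impact level so impact 1 can be reviewed before the noise."""
    buckets = {level: [] for level in range(5)}
    for ev in events:
        buckets[impact_level(ev, network_map)].append(ev.rule_id)
    return buckets


# Constructed network map using RFC 5737 documentation addresses, not real hosts.
NETWORK_MAP = {
    "192.0.2.10": Host("192.0.2.10", services={"http", "ssh"}, vulnerable_to={1000001}),
    "192.0.2.20": Host("192.0.2.20", services={"smb"}),
    "192.0.2.30": Host("192.0.2.30", profiled=False),
}

# Constructed events; 1000001 onward mimics the local-rule SID range, nothing more.
EVENTS = [
    IntrusionEvent(1000001, "203.0.113.5", "192.0.2.10", "http", "192.0.2.10"),     # impact 1
    IntrusionEvent(1000002, "203.0.113.5", "192.0.2.10", "ssh", "192.0.2.10"),      # impact 2
    IntrusionEvent(1000003, "203.0.113.5", "192.0.2.20", "http", "192.0.2.20"),     # impact 3
    IntrusionEvent(1000004, "203.0.113.5", "192.0.2.30", "http", "192.0.2.30"),     # impact 4
    IntrusionEvent(1000005, "203.0.113.5", "198.51.100.7", "http", "198.51.100.7"), # impact 0
]

if __name__ == "__main__":
    for level, ids in sorted(triage(EVENTS, NETWORK_MAP).items()):
        print(f"impact {level}: {ids}")
```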
11. Scroll to the File Information panel. In this panel, we can see all file copies across a Firepower appliance
where a File Policy has been applied. This could be all files, or it could be a subset defined by the FMC
administrator. You can see information similar to the following:
• Types of files
• Top File Names
• Top Hosts either Sending or Receiving Files
• Files by Disposition
• Top Malware Detections
Advanced Malware Protection (AMP) enables the system to analyze files by structure and behavior, among
other methods, to quickly determine which files are damaging to hosts, and to block malicious files from
traversing an appliance.
12. Scroll down to the bottom two panels, which display Geolocation and URL Information.
Summary
The Firepower Management Center Context Explorer provides a very powerful tool to rapidly and easily
visualize various views into network traffic, applications, and threats.
Scenario 2. Overview of Summary Dashboard
Value Proposition: Cisco Firepower provides many detailed Dashboards. These are all highly customizable, and
the customer can add additional Dashboards to their system. These provide at-a-glance visibility into the areas
of your network that you are interested in seeing. Since FMC is a multi-user system, with role-based access,
each user with a login can determine which Dashboards provide the information they need to see, and this can
be the landing page for them whenever they log in.
The Summary Dashboard is a great place to start, as it provides an overall view of the network and applications,
and also provides a view into the threats that have been seen. This is the default landing page for new users.
Steps
1. Click Overview, and then select Dashboards > Dashboard to display the Firepower Management Center
Summary Dashboard:
2. Click the Network tab.
From this dashboard, you have visibility into Widgets containing a variety of information you can consume in
detail or at big-picture level. Each dashboard and each widget is completely customizable. Each widget
can also drill into specific event information.
3. To see traffic for a high-use user or application, click the username or application to get more information.
4. Click the small arrow on the top left corner of the Top Server Application Seen widget, which is second
from the left.
• You can set options, such as the number of results to be shown in the widget, the color of the graph, and even
the dataset you want to use.
NOTE: For this demo, do not change the dataset, since it will cause an impact on all demos using this account.
5. To change the layout for any dashboard, drag and drop widgets into the desired locations on the screen.
6. Click the Threats tab. This tab is extremely useful because it focuses on malicious traffic and files and
enables you to see which of our systems may have been compromised.
The Threats tab displays the following information, which helps you understand which systems may have
been or are in danger of being compromised:
• Malware Threats: Which malware files have been detected by Advanced Malware Protection, running on
either a security appliance or an endpoint agent?
• Intrusion Events, by Impact Level: Which attacks have been detected by Snort within otherwise permitted
traffic types?
• Connections and Traffic by Security Intelligence Category: As discussed in the previous scenario, which
categories of malicious traffic, based on source or destination IP addresses, have been seen on the network?
• Indications of Compromise: Which hosts have taken part in activities that may have caused them to be
compromised? These are often behaviors like accessing a malware file.
7. From the Threats tab, you can view the Host Profile:
Click the red host icon next to one of the IP addresses to view the Host Profile.
This opens a new window, which displays relevant information, including who is currently logged into the
device and any IoCs related to the host.
8. Scroll down further to see things like the operating system information, which applications are in use, and a
history of users who have previously been logged into this device.
Summary
Cisco Firepower contains a powerful set of easy-to-use Dashboards, enabling the network or security
administrator to fully understand the applications and threats running on their networks. The information
displayed in the dashboards is available within the policy engines to enforce network policies, making possible
the most powerful and accurate Next-Generation Security systems on the market today.
Scenario 3. Building a Next-Generation Firewall Policy
Value Proposition: The first two scenarios focused on visibility and reporting. This scenario shows how to
enforce Next-Generation policies instead. A traditional security appliance is able to enforce traffic based on IP
addresses, protocols, and ports. A Next-Generation security appliance has those same capabilities, but adds
contextual information, as well. Cisco’s Next-Generation security appliances support policies based on many
more attributes, including:
• Geolocation
• VLAN
• Username or Group within Active Directory
• Application or Client Application
• URL Category and Reputation
• Security Group Tag
• Network Device Type
In addition to traditional controls, such as permitting or blocking traffic, Cisco Next-Generation security policies
also allow fine-tuned IPS policies, SSL decryption, and Advanced Malware Protection policies to be applied
through the access controls.
Steps
1. Click Policies on the top bar. This will take you to the default policy type: Access Control policy.
2. From the list, select the pre-defined, fully-populated Cisco dCloud Access Policy.
Note that there are a number of types of controls available. On the right side of the screen, you can see if a
rule allows or blocks traffic.
3. To edit a policy or policy information, click the Pencil icon.
NOTE: The icons shown against each rule have the following meanings: a yellow shield indicates an intrusion
policy, a stack of papers indicates a file policy, a screen with a green tick indicates a YouTube EDU policy, a scroll
of paper indicates that logging is enabled for the rule, and the number at the end is the count of comments added to the rule.
4. Review this policy, and then click + Add Rule.
5. Name the rule “block Facebook chat” and set the action to Block.
6. Designate the new rule as an applications rule by selecting the Applications tab.
7. Enter Facebook in the Available Applications field. This filters the results to only show us types of
Facebook applications.
8. Select Facebook Comment, and then click Add to Rule.
At this point, a rule is created to block Facebook comments on any appliances where this policy was applied.
• If necessary, you can use the Inspection and Logging tabs on the right side of the window to add these
capabilities when the rule is fired.
• It does not make sense to inspect the traffic we are blocking. However, if the new rule is set to allow,
you might want to inspect the traffic for malware.
That is how easy it is to create a next-generation firewall rule.
9. If you want to discard your change, click Cancel.
Summary
Cisco Firepower, Firepower Threat Defense, and Cisco ASA with Firepower Services are all very powerful,
easy-to-use, Next-Generation security solutions providing Best-of-Breed protections for our customers.
Firepower Management Center enables centralized management and reporting of all Firepower technologies in
an interface uncluttered by a requirement for client applications, plugins, or Java on the management computer.
The Firepower Management Center provides a dramatic increase in network security and visibility while
reducing the management overhead.
What’s Next?
Check out the related information to learn more about Firepower offerings.
Cisco Firepower Next-Generation Firewall 6.3 Basics Lab v2.4
Cisco Firepower Next-Generation Firewall 6.3 Advanced Lab v2.4
Cisco Firepower Management Center - Executive Summary for Cisco Sales
Cisco Firepower 6.4 FXOS Multi-Instance Lab v1.1