
Instant Demo Guide

Cisco dCloud

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 23

Firepower Management Center 6.5 v2 – Instant Demo

Last Updated: 01-April-2020

About This Demonstration

This guide for the preconfigured demonstration includes:

About This Demonstration

Requirements

About This Solution

Topology

Get Started

Scenario 1. Overview of Context Explorer

Scenario 2. Overview of Summary Dashboard

Scenario 3. Building a Next-Generation Firewall Policy

What’s Next?


Requirements

The table below outlines the requirements for this preconfigured demonstration.

Required: Laptop

Optional: Cisco AnyConnect®

About This Solution

The Firepower System is a threat-centric next-generation security system. It provides very powerful security controls using its firewall, IPS, and advanced malware protections, while providing enhanced visibility into advanced threats. By understanding the network environment, the types of hosts on the network, and the applications used by endpoints and servers, Firepower takes the guesswork out of deploying policies and reduces the effort required to tune security devices and services. This makes the system more accurate and allows the network or security staff to rapidly focus on issues that require attention. Retrospective capabilities allow users to understand how threats and malware entered a network and trace the movement of malicious files.

The key components of the solution are:

• Firepower Management Center (FMC). FMC is a centralized management and reporting appliance running on either a dedicated hardware appliance or as a virtual machine running within VMware.

• Cisco Firepower, running as a service on a Cisco ASA Adaptive Security Appliance, on a dedicated Firepower appliance, as a virtual appliance in VMware, Amazon Web Services, or KVM, or as a Firepower Threat Defense appliance running on supported hardware or virtual platforms.


UI Themes

This demo uses a new UI theme (“Light”) for the purposes of a simplified user experience.

For users who prefer to use the previous “Classic” theme, you can switch back whenever you like. The following steps show you how to switch between the themes for your demo experience.

From Classic Theme to Light Theme

1. In the top right of the screen, click the arrow beside your name, and then click User Preferences at the top of the list.

2. Under UI Theme (located on the General tab), select the drop-down and choose Light.


3. Confirm the change by clicking Use Light Theme.

From Light Theme to Classic Theme

1. In the top right of the screen, click the arrow beside your name to display your list of choices.

2. Select Switch to Classic Theme.


Scenario 1. Overview of Context Explorer

Value Proposition: Cisco Firepower has a very powerful set of Dashboards. Context Explorer is a special kind of high-level dashboard that provides multiple views into the network, all focused around a common time frame and filter. These views are all included as panels within the Context Explorer:

• Traffic and Intrusion Events over Time

• Indications of Compromise

• Network Information (including Operating System information and top talkers by IP address and Username)

• Application Protocol Information (including Web Applications and Client Applications)

• Security Intelligence

• Intrusion Information

• File Information (including Malware)

• Geolocation Information

• URL Information

As filters are applied, or time ranges are modified, the data in each of these panels changes to match the desired information. As an example of what you might use this for, consider troubleshooting a certain user’s network access. The user’s name can be applied as a filter, and only data matching that username’s network traffic will appear in the panels.

Steps

1. Log in to display the Summary Dashboard, and then click Analysis > Context Explorer.

NOTE: If no data appears, click Reload in the upper right corner.


2. Scroll up and down the page to explore the interface, noting panel characteristics:

• Interactive display showing detailed information when you mouse over charts.

• Color-coded charts that break down traffic data.

• You can add or remove filters for data.

The figure below shows the Traffic and Intrusion Events over Time graph.

3. Mouse over the lines to see the number of events that occurred at a point in time.

4. Scroll down to the red colored Indications of Compromise panel, which displays which hosts have exhibited behavior that makes them susceptible to being compromised.

In a real network, this many IOCs would not normally be displayed; they appear here to highlight the many ways a host may be compromised.

NOTE: Hover your mouse over an IOC to see the number of hosts seeing this IOC.


5. Look at the chart sections. You can filter on this IOC, or drill down into the events that triggered it. You can interact with all of the panels in this way.

6. Scroll down to the Network Information panel.

• This panel shows information about the types of devices running on the network, as well as top traffic sources and destinations. We can easily see the IP addresses and user information.

• For example, if you want to find out what people are using Android Tablets for across a school district, you can click on a slice in the chart for Operating Systems and add the specific Android devices to the filter.

7. Click Apply Filter. The chart will show only the Android information.


8. Scroll down to the Application Protocol Information panel. Hover your mouse in the upper right of your screen to display the three panel options:

• Application Protocols

• Client Applications

• Web Applications

The default is Application Protocols.

9. Scroll to the Security Intelligence information panel.

• It is important to understand how the security intelligence functionality works. The security appliance subscribes to lists or feeds, from which it gets the IP addresses of malicious devices. Using this information, it can report on or block traffic to or from these addresses.

• Notice how the appliance is blocking categories, such as Attackers (IP addresses that have been actively attacking other hosts on the internet) and CnC (IP addresses that are participating in Botnet Command and Control activity).

• Using these feeds provides a substantial increase in effective security. Cisco Firepower allows us to subscribe to an unlimited number of feeds, whether provided by Cisco, by third parties, or ones you create yourself.
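A minimal model of the Security Intelligence lookup described above, as an added Python example (mine, not the guide's or Cisco's). It assumes feeds are lists of IPs or CIDR ranges grouped by category, that each category is set to block or monitor, and that every feed entry, category name and address below is a constructed sample rather than a real indicator.

```python
"""Added example, not from the dCloud guide or Cisco: a minimal model of the
Security Intelligence (SI) check. Subscribed feeds are lists of IPs/CIDRs
grouped by category, and each category is set to block or monitor (report).
Feed contents, category names and addresses below are constructed samples."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed feed data (hypothetical values, not real indicators).
# Cisco-provided, third-party and self-created feeds all merge into this shape.
FEEDS: Dict[str, List[str]] = {
    "Attackers": ["203.0.113.0/24", "198.51.100.77"],
    "CnC": ["192.0.2.10", "192.0.2.11"],
    "Custom-Internal-List": ["198.51.100.200"],
}

# Per-category action, mirroring the choice between reporting and blocking.
CATEGORY_ACTION: Dict[str, str] = {
    "Attackers": "block",
    "CnC": "block",
    "Custom-Internal-List": "monitor",
}


def compile_feeds(feeds: Dict[str, List[str]]) -> Dict[str, list]:
    """Parse feed entries once; a bare IP becomes a /32 (or /128) network."""
    return {
        category: [ipaddress.ip_network(entry, strict=False) for entry in entries]
        for category, entries in feeds.items()
    }


COMPILED = compile_feeds(FEEDS)


def lookup(ip: str) -> Optional[str]:
    """Return the first SI category whose feed contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for category, nets in COMPILED.items():
        if any(addr in net for net in nets):
            return category
    return None


def classify_connection(src: str, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Check both endpoints (traffic to or from a listed address) and return
    (verdict, category, matched_ip). A block match wins over a monitor match."""
    verdict = ("allow", None, None)
    for ip in (src, dst):
        category = lookup(ip)
        if category is None:
            continue
        if CATEGORY_ACTION.get(category, "monitor") == "block":
            return ("block", category, ip)
        verdict = ("monitor", category, ip)
    return verdict


if __name__ == "__main__":
    # Constructed sample connections, as the SI panel would summarise them.
    for src, dst in [("10.0.0.5", "192.0.2.10"), ("203.0.113.9", "10.0.0.8"),
                     ("10.0.0.5", "10.0.0.9")]:
        print(src, "->", dst, classify_connection(src, dst))
```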


10. Scroll down to the Intrusion Information panel. The charts and graphs in this panel identify events triggered by the Intrusion Protection engine.

• A very interesting part of the Firepower IPS is the use of Impact Levels. We can see this in the upper left corner of the panel.

• In order to simplify analysis of intrusion events, as well as dynamically tune the IPS policies, Firepower uses knowledge of the network and applications that are in use. Firepower is able to focus your attention on the events that really need attention versus the noise that is typical of other IPS systems.

Impact Levels

It is good to understand what the five impact levels mean in relation to a host on your network being vulnerable to attack.

Impact 1: A host on your network has been involved in an attack, and it is running the right combination of operating system and applications. It appears to be vulnerable to the attack. These are critical events to look into.

Impact 2: A host on your network has been involved in an attack. It is running the right services and applications, but does not appear to be vulnerable to the attack. These events are interesting to look at, but are not usually critical.

Impact 3: A host on your network has been involved in an attack. It does not appear to be running the service or application that is targeted in the attack. It is not vulnerable.

Impact 4: A host on your network has been involved in an attack, but it either doesn’t actually exist on your network, or it is newly added. A determination of its vulnerability has not yet been established.

Impact 0: Neither the source nor the destination IP address exists on your network. These are events that should be investigated. They can be caused by an incorrectly configured Firepower system, or by unauthorized network traffic.
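The five impact levels as a decision procedure over what the network map knows, as an added Python example (mine, not the guide's or Cisco's). The host and event fields are a simplified model of my own, and every address, service name and the VULN-A identifier below are constructed placeholders.

```python
"""Added example, not from the dCloud guide or Cisco: deriving the five impact
levels from an intrusion event plus what the network map knows about the hosts
involved. Host/event fields are my simplified model; all sample values are
constructed (VULN-A is a placeholder ID, not a CVE)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Host:
    """What the network map has learned about one host."""
    ip: str
    services: Set[str] = field(default_factory=set)  # services seen running
    vulns: Set[str] = field(default_factory=set)     # vulnerability IDs believed to apply
    profiled: bool = True  # False for a newly added host with no fingerprint yet


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    target_service: str     # service the triggering rule's exploit targets
    vuln_id: Optional[str]  # vulnerability the rule maps to, if any


def impact_level(ev: IntrusionEvent, hosts: Dict[str, Host]) -> int:
    """Map an event to impact 0-4 using the definitions on the page.

    0: neither source nor destination is in the network map (investigate).
    4: the attacked host is unknown or newly added; nothing decided yet.
    3: the host does not run the targeted service, so it is not vulnerable.
    2: the host runs the service but is not believed vulnerable.
    1: the host runs the service and is believed vulnerable (critical).
    """
    src, dst = hosts.get(ev.src_ip), hosts.get(ev.dst_ip)
    if src is None and dst is None:
        return 0
    # The destination is the attacked host; the decision is made about it.
    if dst is None or not dst.profiled:
        return 4
    if ev.target_service not in dst.services:
        return 3
    if ev.vuln_id is not None and ev.vuln_id in dst.vulns:
        return 1
    return 2


def summarize(events: List[IntrusionEvent], hosts: Dict[str, Host]) -> Dict[int, int]:
    """Count events per impact level, like the chart in the panel's upper left."""
    counts = {level: 0 for level in range(5)}
    for ev in events:
        counts[impact_level(ev, hosts)] += 1
    return counts


# Constructed network map and events.
SAMPLE_HOSTS: Dict[str, Host] = {
    "10.0.0.10": Host("10.0.0.10", {"http", "ssh"}, {"VULN-A"}),  # unpatched web server
    "10.0.0.20": Host("10.0.0.20", {"http"}),                     # patched web server
    "10.0.0.30": Host("10.0.0.30", {"smb"}),                      # file server, no web
    "10.0.0.40": Host("10.0.0.40", profiled=False),               # discovered minutes ago
}
SAMPLE_EVENTS: List[IntrusionEvent] = [
    IntrusionEvent("198.51.100.5", "10.0.0.10", "http", "VULN-A"),    # impact 1
    IntrusionEvent("198.51.100.5", "10.0.0.20", "http", "VULN-A"),    # impact 2
    IntrusionEvent("198.51.100.5", "10.0.0.30", "http", "VULN-A"),    # impact 3
    IntrusionEvent("198.51.100.5", "10.0.0.40", "http", "VULN-A"),    # impact 4
    IntrusionEvent("10.0.0.10", "10.0.0.99", "http", None),           # impact 4
    IntrusionEvent("198.51.100.5", "203.0.113.7", "http", "VULN-A"),  # impact 0
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, SAMPLE_HOSTS))  # {0: 1, 1: 1, 2: 1, 3: 1, 4: 2}
```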

11. Scroll to the File Information panel. In this panel, we can see all file copies across a Firepower appliance where a File Policy has been applied. This could be all files, or it could be a subset defined by the FMC administrator. You can see information similar to the following:


• Types of files

• Top File Names

• Top Hosts either Sending or Receiving Files

• Files by Disposition

• Top Malware Detections

Advanced Malware Protection (AMP) enables the system to analyze files by structure and behavior, among other methods, to quickly determine which files are damaging to hosts, and to block malicious files from traversing an appliance.

12. Scroll down to the bottom two panels, which display Geolocation and URL Information.


Summary

The Firepower Management Center Context Explorer provides a very powerful tool to rapidly and easily visualize various views into network traffic, applications, and threats.


Scenario 2. Overview of Summary Dashboard

Value Proposition: Cisco Firepower provides many detailed Dashboards. These are all highly customizable, and the customer can add additional Dashboards to their system. These provide at-a-glance visibility into the areas of your network that you are interested in seeing. Since FMC is a multi-user system with role-based access, each user with a login can determine which Dashboards provide the information they need to see, and this can be their landing page whenever they log in.

The Summary Dashboard is a great place to start, as it provides an overall view of the network and applications, and also provides a view into the threats that have been seen. This is the default landing page for new users.

Steps

1. Click Overview, and then select Dashboards > Dashboard to display the Firepower Management Center Summary Dashboard:

2. Click the Network tab.


From this dashboard, you have visibility into Widgets containing a variety of information you can consume in detail or at a big-picture level. Each dashboard and each widget is completely customizable. Each widget can also drill into specific event information.

3. To see traffic for a high-use user or application, click the username or application to get more information.


4. Click the small arrow on the top left corner of the Top Server Application Seen widget, which is second from the left.

• You can set options, such as the number of results to be shown in the widget, the color of the graph, and even the dataset you want to use.

NOTE: For this demo, do not change the dataset, since it will cause an impact on all demos using this account.

5. To change the layout for any dashboard, drag and drop widgets into the desired locations on the screen.


6. Click the Threats tab. This tab is extremely useful because it focuses on malicious traffic and files and enables you to see which of our systems may have been compromised.

Click the Threats tab to display the following information, which helps you understand which systems may have been or are in danger of being compromised.

Malware Threats: Which malware files have been detected by Advanced Malware Protection, running on either a security appliance or an endpoint agent?

Intrusion Events, by Impact Level: Which attacks have been detected by Snort, within otherwise permitted traffic types?

Connections and Traffic by Security Intelligence Category: As discussed in the previous scenario, which categories of malicious traffic, based on source or destination IP addresses, have been seen on the network?

Indications of Compromise: Which hosts have taken part in activities that may have caused them to be compromised? These are often behaviors like accessing a malware file.


7. From the Threats tab, you can view the Host Profile:

Click the red host icon next to one of the IP addresses to view the Host Profile.

This opens a new window, which displays relevant information, including who is currently logged into the device and any IoCs related to the host.


8. Scroll down further to see things like the operating system information, which applications are in use, and a history of users who have previously been logged into this device.

Summary

Cisco Firepower contains a powerful set of easy-to-use Dashboards, enabling the network or security administrator to fully understand the applications and threats running on their networks. The information displayed in the dashboards is available within the policy engines to enforce network policies, making possible the most powerful and accurate Next-Generation Security systems on the market today.


Scenario 3. Building a Next-Generation Firewall Policy

Value Proposition: The first two scenarios focused on visibility and reporting. This scenario shows how to enforce Next-Generation policies instead. A traditional security appliance is able to enforce traffic based on IP addresses, protocols, and ports. A Next-Generation security appliance has those same capabilities, but adds contextual information as well. Cisco’s Next-Generation security appliances support policies based on many more attributes, including:

• Geolocation

• VLAN

• Username or Group within Active Directory

• Application or Client Application

• URL Category and Reputation

• Security Group Tag

• Network Device Type

In addition to traditional controls, such as permitting or blocking traffic, Cisco Next-Generation security policies also allow fine-tuned IPS policies, SSL decryption, and Advanced Malware Protection policies to be applied through the access controls.

Steps

1. Click Policies on the top bar. This will take you to the default policy type: Access Control policy.

2. From the list, select the pre-defined, fully-populated Cisco dCloud Access Policy.

Note that there are a number of types of controls available. On the right side of the screen, you can see if a rule allows or blocks traffic.

3. To edit a policy or policy information, click the Pencil icon.


NOTE: The icons shown against each rule have the following meanings: a yellow shield indicates an intrusion policy, a stack of papers indicates a file policy, a screen with a green tick indicates a YouTube EDU policy, a scroll of paper indicates that logging is enabled for the rule, and the number at the end is the count of comments added to the rule.

4. Review this policy, and then click + Add Rule.


5. Name the rule “block Facebook chat” and set the action to Block.

6. Designate the new rule as an applications rule by selecting the Applications tab.

7. Enter Facebook in the Available Applications field. This filters the results to only show us types of Facebook applications.


8. Select Facebook Comment, and then click Add to Rule.

At this point, a rule is created to block Facebook comments on any appliances where this policy was applied.

• If necessary, you can use the Inspection and Logging tabs on the right side of the window to add these capabilities when the rule is fired.

• It does not make sense to inspect the traffic we are blocking. However, if the new rule is set to allow, you might want to inspect the traffic for malware.


That is how easy it is to create a next-generation firewall rule.

9. If you want to discard your change, click Cancel.

Summary

Cisco Firepower, Firepower Threat Defense, and Cisco ASA with Firepower Services are all very powerful, easy-to-use, Next-Generation security solutions providing Best-of-Breed protections for our customers. Firepower Management Center enables centralized management and reporting of all Firepower technologies in an interface uncluttered by a requirement for client applications, plugins, or Java on the management computer. The Firepower Management Center provides a dramatic increase in network security and visibility while reducing the management overhead.


What’s Next?

Check out the related information to learn more about Firepower offerings.

Cisco Firepower Next-Generation Firewall 6.3 Basics Lab v2.4

Cisco Firepower Next-Generation Firewall 6.3 Advanced Lab v2.4

Cisco Firepower Management Center - Executive Summary for Cisco Sales

Cisco Firepower 6.4 FXOS Multi-Instance Lab v1.1