FirePower for CCIE Security Candidates
Rafael Leiva-Ochoa
BRKCCIE-3200
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCCIE-3200
Agenda
• Introduction
• ASA 5500-X and FirePower Platform
• FirePower Technology Overview
• FMC (FirePower Management Center)
• Host Discovery
• Traffic Processing Flow
• ACP (Access Control Policy)
• User Identity
• SSL
• Lab Ideas
• FirePower Classes
Introduction
• Rafael Leiva-Ochoa
• @Cisco since Oct 2000
• Works in the TS Training Group (Part of Learning@Cisco)
• Delivers courses on Security to Global TAC Centers
• CCIE 19322 Security since 2007
CCIE Security Program Overview
CCIE Security Overview: Topics Covered in the CCIE Security
CCIE Security Topics: Perimeter Security and Intrusion Prevention Topics Covered in CCIE Security
• 1.1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)
• 1.2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD
• 1.3 Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD
• 1.4 Describe, implement, and troubleshoot different deployment modes such as routed, transparent, single, and multicontext on Cisco ASA and Cisco FTD
• 1.5 Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-based routing, traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD
• 1.6 Describe, implement, and troubleshoot IOS security features such as Zone-Based Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and TCP intercept on Cisco IOS/IOS-XE
• 1.7 Describe, implement, optimize, and troubleshoot policies and rules for traffic control on Cisco ASA, Cisco FirePOWER and Cisco FTD
• 1.8 Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and reporting
• 1.9 Describe, implement, and troubleshoot correlation and remediation rules on Cisco FMC
• 1.10 Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes
• 1.11 Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features such as SSL inspection, user identity, geolocation, and AVC (Firepower appliance)
• 1.12 Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle, and botnet
Cisco Virtual Machines Used on CCIE Security
Cisco Hardware Gear Used on CCIE Security
ASA 5500-X and FirePower Platform
Cisco ASA 5500-X Series Next-Generation Firewalls
• Supports Cisco ASA Software Release 8.6.1 and later images; four times the firewall throughput of Cisco ASA 5500 Series platforms.
Cisco FirePower NGFW
• FirePower VM
• ASA 5500-X
• FirePower 4100
• FirePower 8000/7000
• FirePower 9300
FirePower Technology Overview
FirePower Management Center (FMC)
FirePower Management Center - Overview
Diagram labels: FMC, FirePower VM, Configuration, Logging, Windows 7, Mac Sierra, Internet, APPS.
FMC - Interface
Host Discovery
Host Discovery - Overview
Diagram labels: FMC, FirePower VM, Windows 7, Mac Sierra, Internet, APPS.
Host Discovery – Passive (Default)
Diagram labels: FMC, FirePower VM, Windows 7, Mac Sierra, Internet, APPS.
Host Discovery - Passive (Setup)
Discovery rule defaults shown: Applications Only (Default); All IPv4, and IPv6 (Default).
Host Discovery – Passive (Setup) (continued)
Screenshots: the discovery policy settings, and the Deployment of the policy from the FMC to the FirePower VM.
Host Discovery – Host Profile
Host profile example: Windows 7 = 192.168.2.2
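As an added illustration of the passive discovery described above (not code from the session or from Cisco), this Python model applies ordered discovery rules, with the slide's defaults of Applications Only on all IPv4 and IPv6, to constructed connection events and builds host profiles such as Windows 7 = 192.168.2.2; the event fields, the inside rule, and every address other than 192.168.2.2 are assumptions.

```python
"""Passive host discovery model: host profiles learned from observed connections.
Constructed for this page, not Firepower code; the discovery rules, the host
192.168.2.2 (Windows 7) and the connection events are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

@dataclass(frozen=True)
class DiscoveryRule:
    """One network discovery rule: which networks, and what to discover there."""
    networks: tuple
    hosts: bool = False
    users: bool = False
    applications: bool = True   # "Applications Only" is the default

    def covers(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.networks)

# The default rule from the slide: applications only, on all IPv4 and IPv6.
DEFAULT_RULE = DiscoveryRule((ip_network("0.0.0.0/0"), ip_network("::/0")))

@dataclass(frozen=True)
class ConnectionEvent:
    """Assumed shape of one connection seen passively on a monitored interface."""
    initiator_ip: str
    responder_ip: str
    responder_port: int
    app_protocol: str
    client_app: Optional[str] = None
    os_fingerprint: Optional[str] = None   # stands in for passive OS fingerprinting
    user: Optional[str] = None             # stands in for passively learned identity

@dataclass
class HostProfile:
    ip: str
    os: Optional[str] = None
    applications: set = field(default_factory=set)
    server_ports: set = field(default_factory=set)
    users: set = field(default_factory=set)

class PassiveDiscovery:
    """Rules are ordered; the first rule covering an address decides what is learned.
    Model assumption: a host profile is only created when that rule discovers hosts;
    application-only rules just count application usage."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.hosts: Dict[str, HostProfile] = {}   # the network map
        self.app_counts: Dict[str, int] = {}

    def _rule_for(self, ip: str) -> Optional[DiscoveryRule]:
        return next((r for r in self.rules if r.covers(ip)), None)

    def observe(self, ev: ConnectionEvent) -> None:
        endpoints = ((ev.initiator_ip, "client"), (ev.responder_ip, "server"))
        rules = {ip: self._rule_for(ip) for ip, _ in endpoints}
        if any(r and r.applications for r in rules.values()):
            self.app_counts[ev.app_protocol] = self.app_counts.get(ev.app_protocol, 0) + 1
        for ip, role in endpoints:
            rule = rules[ip]
            if rule is None or not rule.hosts:
                continue
            prof = self.hosts.setdefault(ip, HostProfile(ip))
            if rule.applications:
                prof.applications.add(ev.app_protocol)
                if role == "client" and ev.client_app:
                    prof.applications.add(ev.client_app)
                if role == "server":
                    prof.server_ports.add(ev.responder_port)
            if role == "client" and ev.os_fingerprint:
                prof.os = ev.os_fingerprint   # OS is fingerprinted from the initiator's stack
            if rule.users and role == "client" and ev.user:
                prof.users.add(ev.user)

# Constructed traffic: two inside hosts reach an internet server and an inside file server.
SAMPLE_EVENTS = (
    ConnectionEvent("192.168.2.2", "198.51.100.20", 443, "HTTPS", "Firefox", "Windows 7", "alice"),
    ConnectionEvent("192.168.2.3", "192.168.2.10", 445, "SMB", None, "Mac OS X", "bob"),
    ConnectionEvent("192.168.2.2", "192.168.2.10", 445, "SMB", None, "Windows 7", "alice"),
)
INSIDE_RULE = DiscoveryRule((ip_network("192.168.2.0/24"),), hosts=True, users=True)

def run_discovery(rules, events=SAMPLE_EVENTS) -> PassiveDiscovery:
    disc = PassiveDiscovery(rules)
    for ev in events:
        disc.observe(ev)
    return disc

if __name__ == "__main__":
    disc = run_discovery([INSIDE_RULE, DEFAULT_RULE])
    for ip, prof in sorted(disc.hosts.items()):
        print(ip, prof.os, sorted(prof.applications), sorted(prof.server_ports), sorted(prof.users))
    print("application usage:", disc.app_counts)
```

With only the default rule the network map stays empty and just application usage is counted; adding the inside rule above it produces the host profiles.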
Host Discovery – Active
Diagram labels: FMC, FirePower VM, Windows 7, Mac Sierra, Internet, APPS.
Host Discovery – Active (Setup) (continued)
Screenshots of the active discovery setup (slides 26–32), ending with the resulting host profile: Windows 7 = 192.168.2.2
Traffic Processing Flow
FirePower Appliance, or VM
Diagram (traffic processing): Traffic → Security Intelligence → SSL Policy → Network Analysis Policy → Access Control Policy (with Objects), then the Malware and File Policy and the Intrusion Policy.
FirePower on ASA
Diagram (ASA packet flow): RX → Ingress Interface → Existing Conn? (Yes / NO) → ACL Check → Match Xlate → Inspect, and Sec → NAT Header → Egress Interface → Layer 3 → Layer 2 → TX, with a Drop decision at each check; the FirePower module is shown hanging off this flow.
Note on the slide: The FirePower does not do the drop, the ASA does!
ACP (Access Control Policy)
ACP (Access Control Policy) - Overview
Diagram: the ACP is built on the FMC and pushed to the FirePower VM (Policy Deployment); rules are evaluated from Top to Bottom:
ACP Rule → Drop
ACP Rule → Allow
ACP Rule → Allow
ACP Rule → Allow
ACP (Access Control Policy) – Policy Structure
Global to the ACP: SSL Policy, Identity Policy, Security Intelligence, Network Analysis Policy.
Per rule: Malware and File Policy, Intrusion Policy. Rule must be set to: Allow, Interactive Block.
ACP Rule → Drop
ACP Rule → Intrusion, Malware → Allow
ACP Rule → Malware → Allow
ACP Rule → Malware → Allow
Default → Intrusion
ACP (Access Control Policy) – When Adding New FirePower (diagram: FMC and FirePower VM)
ACP (Access Control Policy) – After Adding New FirePower
ACP (Access Control Policy) – Policy Structure
ACP (Access Control Policy) – Policy Assignments (screenshots, slides 42–45)
ACP (Access Control Policy) – Policy Rule Structure (screenshots, slides 46–48)
ACP (Access Control Policy) – Policy Rule Structure (continued)
• Allow = Matching traffic is allowed; however, prohibited files, malware, intrusions, and exploits within that traffic are detected and blocked. Remaining non-prohibited, non-malicious traffic is allowed to its destination.
• Trust = Matching traffic is allowed to pass to its destination without further inspection. Traffic that does not match continues to the next rule.
• Monitor = Monitor rules track and log network traffic but do not affect traffic flow. The system continues to match traffic against additional rules to determine whether to permit or deny it.
• Block = Matching traffic is blocked without further inspection.
• Block with Reset = Matching traffic is blocked without further inspection. It will also reset the connection.
• Interactive Block = Gives users a chance to bypass a website block by clicking through a customizable warning page, called an HTTP response page. If the user bypasses, the rule acts as an Allow rule.
• Interactive Block with Reset = Gives users a chance to bypass a website block by clicking through a customizable warning page, called an HTTP response page. It will also reset the connection. If the user bypasses, the rule acts as an Allow rule.
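To make the rule order and the actions concrete, here is an added Python model (not Firepower code and not from the presentation) that walks an ACP top to bottom with the action semantics listed above, enforces the earlier slide's rule that only Allow and Interactive Block rules carry intrusion or file policies, and falls through to the default action; the rule names, addresses and the Flow flags are assumptions.

```python
"""ACP evaluation model: rule order and the rule actions listed above.
Constructed for this page, not Firepower code; rule names, addresses and the
Flow flags (user_bypassed, malicious_file, intrusion_hit) are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional

class Action(Enum):
    ALLOW = "Allow"
    TRUST = "Trust"
    MONITOR = "Monitor"
    BLOCK = "Block"
    BLOCK_RESET = "Block with Reset"
    INTERACTIVE_BLOCK = "Interactive Block"
    INTERACTIVE_BLOCK_RESET = "Interactive Block with Reset"

INTERACTIVE = {Action.INTERACTIVE_BLOCK, Action.INTERACTIVE_BLOCK_RESET}
RESETTING = {Action.BLOCK_RESET, Action.INTERACTIVE_BLOCK_RESET}
INSPECTING = {Action.ALLOW} | INTERACTIVE   # only these may carry intrusion/file policies

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    user_bypassed: bool = False   # user clicked through the HTTP response page
    malicious_file: bool = False  # what the file policy would find (assumed flag)
    intrusion_hit: bool = False   # what the intrusion policy would find (assumed flag)

@dataclass
class Rule:
    name: str
    action: Action
    src: str = "any"
    dst: str = "any"
    dports: frozenset = frozenset()   # empty means any port
    intrusion_policy: Optional[str] = None
    file_policy: Optional[str] = None

    def __post_init__(self):
        if (self.intrusion_policy or self.file_policy) and self.action not in INSPECTING:
            raise ValueError(f"{self.name}: intrusion/file policy needs Allow or Interactive Block")

    def matches(self, flow: Flow) -> bool:
        def in_net(spec, ip):
            return spec == "any" or ip_address(ip) in ip_network(spec)
        return (in_net(self.src, flow.src) and in_net(self.dst, flow.dst)
                and (not self.dports or flow.dport in self.dports))

@dataclass
class Verdict:
    result: str                        # "pass", "drop" or "response_page"
    rule: str                          # rule (or "Default") that decided
    reset: bool = False
    dropped_by: Optional[str] = None   # intrusion or file policy that dropped it
    monitored_by: List[str] = field(default_factory=list)

def _inspect(rule_name, intrusion_policy, file_policy, flow, monitored) -> Verdict:
    """Allow-style handling: traffic passes unless an attached policy blocks it."""
    if file_policy and flow.malicious_file:
        return Verdict("drop", rule_name, dropped_by=file_policy, monitored_by=monitored)
    if intrusion_policy and flow.intrusion_hit:
        return Verdict("drop", rule_name, dropped_by=intrusion_policy, monitored_by=monitored)
    return Verdict("pass", rule_name, monitored_by=monitored)

def evaluate(rules: List[Rule], default_intrusion_policy: Optional[str], flow: Flow) -> Verdict:
    """Walk the ACP top to bottom; the first matching non-Monitor rule decides."""
    monitored: List[str] = []
    for rule in rules:
        if not rule.matches(flow):
            continue
        a = rule.action
        if a is Action.MONITOR:
            monitored.append(rule.name)          # logged only; keep matching
            continue
        if a is Action.TRUST:                    # no further inspection at all
            return Verdict("pass", rule.name, monitored_by=monitored)
        if a in (Action.BLOCK, Action.BLOCK_RESET):
            return Verdict("drop", rule.name, reset=a in RESETTING, monitored_by=monitored)
        if a in INTERACTIVE and not flow.user_bypassed:
            return Verdict("response_page", rule.name, reset=a in RESETTING, monitored_by=monitored)
        # Allow, or an Interactive Block the user clicked through: acts as Allow
        return _inspect(rule.name, rule.intrusion_policy, rule.file_policy, flow, monitored)
    # Nothing matched: the policy's default action (intrusion prevention, as on the slide)
    return _inspect("Default", default_intrusion_policy, None, flow, monitored)

# Constructed policy in the slide's shape: Drop on top, inspected Allows below.
POLICY = [
    Rule("Log-guest", Action.MONITOR, src="192.168.9.0/24"),
    Rule("Block-telnet", Action.BLOCK_RESET, dports=frozenset({23})),
    Rule("Warn-social", Action.INTERACTIVE_BLOCK, dst="198.51.100.0/24",
         dports=frozenset({80, 443}), file_policy="Malware-Basic"),
    Rule("Trust-backup", Action.TRUST, src="192.168.2.10/32"),
    Rule("Web-inspected", Action.ALLOW, dports=frozenset({80, 443}),
         intrusion_policy="Balanced", file_policy="Malware-Basic"),
]
DEFAULT_INTRUSION_POLICY = "Balanced"
```

Note that a Trust match passes traffic even when the constructed flow carries an intrusion hit, while a Monitor match is only recorded and the next rules still decide.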
ACP (Access Control Policy) – Policy Rule Structure (continued) (screenshots, slides 50–51)
ACP (Access Control Policy) – Connection Events
User Identity
User Identity - Overview
Diagram labels: FMC, FirePower VM, Windows 7, Mac Sierra, Internet, Users, AD, LDAP, ISE.
User Identity - Passive
Diagram labels: FMC, FirePower VM, Windows 7, Mac Sierra, Internet, Users, AD, LDAP, User Auth, User Auth Exchange, UA (User Agent), ACP.
User Identity - Passive – Configuration Process
User Agent (UA) → Realm → Identity Policy → ACP Policy
• User Agent: Is used to share authentication information from the identity store to the FMC in real time, which then shares it with the FP.
• Realm: Is used to set up the identity stores that will be used for authentication, and to download the User and Group information to use on the ACPs.
• Identity Policy: Is used to set up who is going to require authentication for ACP policies to work.
• ACP Policy: Is used to enable the Identity Policy, and configure ACPs that have user identity information.
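An added Python model of the passive identity flow just described (not User Agent, FMC or Firepower code): User Agent logon events become IP-to-user bindings, the realm download supplies the users and groups, and an ACP user condition can only match users that exist in the realm; the realm contents, group names, addresses and logon events are constructed.

```python
"""Passive user identity model: User Agent logon events -> IP-to-user bindings -> ACP user match.
Constructed for this page, not User Agent, FMC or Firepower code; the realm users,
group names, addresses and logon events are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set, Tuple

# What the realm download provides to the FMC: users and their groups (constructed).
REALM_USERS: Dict[str, Set[str]] = {
    "alice": {"Engineering", "Domain Users"},
    "bob": {"Finance", "Domain Users"},
}

@dataclass(frozen=True)
class LogonEvent:
    """A domain logon/logoff as the User Agent reports it to the FMC (assumed shape)."""
    user: str
    ip: str
    at: datetime
    logoff: bool = False

class IdentityMap:
    """IP-to-user bindings the FMC shares with the FirePower device."""

    def __init__(self, realm_users: Dict[str, Set[str]]):
        self.realm_users = realm_users
        self.bindings: Dict[str, Tuple[str, datetime]] = {}   # ip -> (user, time)

    def ingest(self, ev: LogonEvent) -> None:
        current = self.bindings.get(ev.ip)
        if current and current[1] > ev.at:
            return                          # stale event: keep the newer binding
        if ev.logoff:
            if current and current[0] == ev.user:
                del self.bindings[ev.ip]
            return
        self.bindings[ev.ip] = (ev.user, ev.at)   # latest logon wins a shared address

    def user_for(self, ip: str) -> Optional[str]:
        b = self.bindings.get(ip)
        return b[0] if b else None

    def groups_for(self, ip: str) -> Set[str]:
        user = self.user_for(ip)
        # Only users downloaded from the realm carry group information.
        return self.realm_users.get(user, set()) if user else set()

def identity_rule_matches(identity: IdentityMap, src_ip: str,
                          users: Set[str] = frozenset(), groups: Set[str] = frozenset()) -> bool:
    """An ACP user condition: the flow's source must resolve to a listed realm user or group member."""
    user = identity.user_for(src_ip)
    if user is None or user not in identity.realm_users:
        return False                        # unknown or non-realm user: the rule cannot match
    return user in users or bool(identity.groups_for(src_ip) & set(groups))

# Constructed User Agent events, including an out-of-order (stale) logoff.
SAMPLE_EVENTS = (
    LogonEvent("alice", "192.168.2.2", datetime(2018, 1, 30, 8, 0)),
    LogonEvent("bob", "192.168.2.3", datetime(2018, 1, 30, 8, 5)),
    LogonEvent("svc-backup", "192.168.2.10", datetime(2018, 1, 30, 8, 6)),   # not in the realm
    LogonEvent("bob", "192.168.2.2", datetime(2018, 1, 30, 9, 0)),            # bob takes over alice's IP
    LogonEvent("alice", "192.168.2.2", datetime(2018, 1, 30, 8, 30), logoff=True),
)

def build_identity(events=SAMPLE_EVENTS) -> IdentityMap:
    m = IdentityMap(REALM_USERS)
    for ev in events:
        m.ingest(ev)
    return m

if __name__ == "__main__":
    idm = build_identity()
    for ip in ("192.168.2.2", "192.168.2.3", "192.168.2.10"):
        print(ip, idm.user_for(ip), sorted(idm.groups_for(ip)),
              "Engineering rule:", identity_rule_matches(idm, ip, groups={"Engineering"}))
```

The shared-address case matters for rule matching: once bob logs on at 192.168.2.2, a rule written for alice's group stops matching that address even though alice's later-arriving logoff is older than bob's logon.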
User Identity - Passive – User Agent
The Active Directory server must be running Windows Server 2008 or Windows Server 2012.
You can install an agent on any Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008, or Microsoft Windows Server 2012 computer with TCP/IP access to the Microsoft Active Directory servers you want to monitor. You can also install on an Active Directory server running one of the supported operating systems.
User Identity - Passive – User Agent (screenshots, slides 58–59)
User Identity - Passive – Realm (screenshots of the FMC realm configuration, slides 60–61)
User Identity - Passive – Identity Policy (screenshots, slides 62–66)
User Identity - Passive – ACP Rule
SSL
SSL - Overview
Diagram labels: FMC, FirePower VM, Windows 7, Mac Sierra, Internet, AD, LDAP, ACP, Decryption/Re-encryption.
SSL - Resign
Diagram labels: CA Cert (keyCertSign), FirePower VM, ACP, Resign, Resigned, Root CA Pub.
SSL – Resign Example
Key usage values shown in the example: keyCertSign; Digital Signature, Non-Repudiation, Key Encipherment.
SSL – Known Key
Diagram labels: FirePower VM, ACP, Company Servers SRV1, SRV2, SRV3 (each with its Public Key and Private Key), SRV1 Private Key (the known key loaded on the FirePower), Root CA Pub.
SSL- Resign - Configuration Process
SSL CA Certificate Creation → SSL Policy → ACP Policy
• SSL Certificate Creation: Is used to resign the server certificate that the user is accessing via SSL.
• SSL Policy: Is used to configure which traffic is going to be decrypted, and how.
• ACP Policy: Is used to enable the SSL Policy, and configure ACPs that have user identity information.
![Page 74: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/74.jpg)
SSL- Resign – SSL CA Certificate Creation
![Page 75: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/75.jpg)
SSL- Resign – SSL CA Certificate Creation
![Page 76: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/76.jpg)
SSL- Resign – SSL CA Certificate Creation
![Page 77: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/77.jpg)
SSL- Resign – SSL CA Certificate Creation
![Page 78: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/78.jpg)
SSL- Resign – SSL CA Certificate Creation
![Page 79: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/79.jpg)
SSL- Resign – SSL CA Certificate Creation
![Page 80: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/80.jpg)
SSL- Resign – SSL CA Certificate Creation (continued)
• Technically you can use the same CA certificate on all the FPs, but it is not recommended: the CN you assign is typically the FP's FQDN, so one certificate cannot name every device correctly.
• Revocation also becomes a problem when all FPs share one CA certificate: revoking it because of a compromise on one device breaks resigning on all of them.
![Page 81: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/81.jpg)
SSL- Resign – SSL Policy
![Page 82: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/82.jpg)
SSL- Resign – SSL Policy (continue)
![Page 83: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/83.jpg)
SSL- Resign – SSL Policy (continue)
![Page 84: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/84.jpg)
SSL Resign - SSL Policy (continued)
• Decrypt – Resign: use the resign (CA) certificate to man-in-the-middle the session and re-sign the certificate presented by the server the client is connecting to; the client must trust that CA.
• Decrypt – Known Key: use a known private key (the server's own, uploaded to the FMC) to decrypt the session with the server the client is connecting to.
• Do not Decrypt: hand the still-encrypted session to the access control policy; only what is visible in the clear can be inspected.
• Block: block the SSL session without further inspection.
• Block with Reset: block the SSL session without further inspection and reset the TCP connection.
• Monitor: Monitor rules track and log matching traffic but do not affect its flow; the system continues matching the traffic against later rules to decide whether to decrypt, not decrypt, or block it.
![Page 85: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/85.jpg)
SSL- Resign – SSL Policy (continue)
![Page 86: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/86.jpg)
SSL- Resign – SSL Policy (continue)
![Page 87: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/87.jpg)
SSL- Resign – SSL Policy (continue)
![Page 88: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/88.jpg)
SSL- Resign – SSL Policy (continue)
![Page 89: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/89.jpg)
SSL- Resign – SSL Policy (continue)
![Page 90: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/90.jpg)
SSL- Resign – SSL Policy (continue)
![Page 91: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/91.jpg)
SSL- Resign – SSL Policy (continue)
![Page 92: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/92.jpg)
SSL- Resign – ACP Policy
![Page 93: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/93.jpg)
SSL- Resign – ACP Policy
![Page 94: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/94.jpg)
SSL- Resign – ACP Policy
![Page 95: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/95.jpg)
Challenges with SSL Resign
• RFC 7469, Public Key Pinning Extension for HTTP (HPKP): a mechanism delivered in the HTTP Public-Key-Pins response header that lets an HTTPS site tell browsers which public keys (SHA-256 hashes of the SubjectPublicKeyInfo) may appear in its certificate chain, so the site cannot be taken over with mis-issued or otherwise fraudulent certificates. A resigned certificate carries the FP CA's key rather than a pinned one, so a client holding a pin for that site rejects the decrypted session; such sites need a Do not Decrypt rule ahead of the resign rule. Browsers have since dropped HPKP, but pinning built into applications (mobile apps, update agents) fails in exactly the same way.
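The resign flow from the SSL – Resign slides and the pinning problem on this slide, as an added shell example (not from the deck and not Cisco code). It uses the openssl CLI (1.1.1 or newer) to build a resigning CA whose key usage includes keyCertSign, a constructed stand-in for the origin server's certificate, and a resigned copy that carries the origin's CN and SANs but is signed by that CA with the Digital Signature / Key Encipherment usage seen in the resign example; it then computes RFC 7469 pin-sha256 values for both certificates and evaluates a constructed Public-Key-Pins header the way a pinning client would. The host names (fp1.lab.example, shop.example.test), file names and temporary working directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco deck: decrypt-resign mechanics and why a
# pinned site breaks. Requires the openssl CLI (1.1.1 or newer).
# Host names, file names and WORK are assumptions for the demo.
WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so nothing depends on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# new_csr NAME CN: fresh RSA key pair and CSR with the given CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -config "$WORK/req.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Resigning CA: CN is typically the FP FQDN; keyUsage must include keyCertSign.
make_resign_ca() {
  new_csr ca "$1" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Constructed stand-in for the certificate the real server presents
# (self-signed here; in practice it chains to a public CA the client trusts).
make_origin_cert() {
  new_csr origin "$1" || return 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:www.%s\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' "$1" "$1" > "$WORK/origin.ext"
  openssl x509 -req -in "$WORK/origin.csr" -signkey "$WORK/origin.key" -days 365 -sha256 \
    -extfile "$WORK/origin.ext" -out "$WORK/origin.crt" >/dev/null 2>&1
}

cert_cn()  { openssl x509 -in "$WORK/$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
cert_san() { openssl x509 -in "$WORK/$1" -noout -ext subjectAltName | tail -n +2 | tr -d ' '; }

# Resign: copy the origin's CN and SANs onto a key pair the proxy controls and
# sign with the resigning CA; key usage matches the resigned cert in the deck.
resign_cert() {
  new_csr resigned "$(cert_cn origin.crt)" || return 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    "$(cert_san origin.crt)" > "$WORK/resign.ext"
  openssl x509 -req -in "$WORK/resigned.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/resign.ext" \
    -out "$WORK/resigned.crt" >/dev/null 2>&1
}

# Checks: CA key usage, chain to the FP root, and RFC 7469 pins.
ca_can_sign() { openssl x509 -in "$WORK/ca.crt" -noout -ext keyUsage | grep -q 'Certificate Sign'; }
chain_ok()    { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1; }
# pin-sha256 = base64(SHA-256(DER SubjectPublicKeyInfo)), as in RFC 7469.
spki_pin()    { openssl x509 -in "$WORK/$1" -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64; }
# Constructed Public-Key-Pins header for a cert, and the client-side check.
hpkp_header()  { printf 'pin-sha256="%s"; max-age=5184000' "$(spki_pin "$1")"; }
hpkp_accepts() { printf '%s' "$1" | grep -qF "pin-sha256=\"$(spki_pin "$2")\""; }

make_resign_ca fp1.lab.example
make_origin_cert shop.example.test
resign_cert
HDR=$(hpkp_header origin.crt)   # what the real site would have pinned earlier
echo "CA can sign certs:      $(ca_can_sign && echo yes || echo no)"
echo "origin chains to FP CA: $(chain_ok origin.crt && echo yes || echo no)"
echo "resigned chains to CA:  $(chain_ok resigned.crt && echo yes || echo no)"
echo "resigned SAN:           $(cert_san resigned.crt)"
echo "pin accepts origin:     $(hpkp_accepts "$HDR" origin.crt && echo yes || echo no)"
echo "pin accepts resigned:   $(hpkp_accepts "$HDR" resigned.crt && echo yes || echo no)"
```

The resigned certificate is a faithful copy of the origin's names and passes chain validation against the FP root, which is all a client without a pin ever checks; the pin comparison fails because the SubjectPublicKeyInfo belongs to the proxy's key, and no amount of care in the resign step can change that. The same spki_pin recipe is what you run against a site's real certificate when deciding whether it needs a Do not Decrypt rule.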
![Page 96: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/96.jpg)
SSL- Known Key - Configuration Process
Flow: SSL Public and Private Key -> SSL Policy -> ACP Policy
• SSL Public and Private Key: the server's certificate (public key) and its private key are uploaded to the FMC, which shares the private key with the FP; the FP uses it to decrypt SSL traffic to the server whose certificate carries that public key.
• SSL Policy: configures which traffic is decrypted, and how.
• ACP Policy: enables the SSL Policy and holds the access control rules that use user identity information.
![Page 97: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/97.jpg)
SSL- Known Key – SSL Public, and Private Key
Diagram: the certificate and private key of each company server (SRV1, SRV2, SRV3) are exported in PEM format for upload.
![Page 98: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/98.jpg)
SSL- Known Key – SSL Public, and Private Key
Screenshot: the public certificate (Public PEM) and the private key (Private PEM) are entered as two separate PEM files.
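The PEM upload on these slides, as an added shell example (not from the deck and not Cisco code). It uses the openssl CLI to generate stand-in server key pairs, converts one of them from a PKCS#12 bundle into the two PEM files the FMC expects, and runs the pre-upload checks a practitioner would want: PEM framing, an unencrypted key, and proof that the private key actually belongs to the certificate (a mismatched pair uploads fine and then decrypts nothing). Server names (srv1..srv3.corp.example), file names, the PKCS#12 password and the working directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco deck: pre-upload checks for Decrypt - Known Key.
# Requires the openssl CLI. Server names, hosts, files, the PKCS#12 password and
# WORK are demo assumptions; the key pairs are generated here, not exported from
# real servers.
WORK="${WORK:-$(mktemp -d)}"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# gen_server NAME HOST: stand-in for a company server's cert and private key.
gen_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -config "$WORK/req.cnf" -keyout "$WORK/$1.key.pem" -out "$WORK/$1.crt.pem" >/dev/null 2>&1
}

# Many servers hand you a PKCS#12 bundle; the FMC wants two PEM files.
# pfx_to_pem NAME PFX PASSWORD: split the bundle and strip the "Bag Attributes" text.
pfx_to_pem() {
  openssl pkcs12 -in "$2" -passin "pass:$3" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$WORK/$1.crt.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$2" -passin "pass:$3" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$WORK/$1.key.pem" 2>/dev/null
}

is_pem_cert()      { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }
is_pem_key()       { grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; }
key_is_encrypted() { grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; }

# The decisive check: the SubjectPublicKeyInfo inside the certificate must equal
# the public half derived from the private key, or the FP cannot decrypt anything.
key_matches_cert() {  # $1 = cert PEM, $2 = key PEM
  cpub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# All pre-upload checks for one cert/key pair; non-zero on the first failure.
check_pair() {  # $1 = cert PEM, $2 = key PEM
  is_pem_cert "$1" && is_pem_key "$2" && ! key_is_encrypted "$2" && key_matches_cert "$1" "$2"
}

gen_server srv1 srv1.corp.example
gen_server srv3 srv3.corp.example
# SRV2 arrives as a PKCS#12 bundle (constructed here from a generated pair).
gen_server tmp2 srv2.corp.example
openssl pkcs12 -export -in "$WORK/tmp2.crt.pem" -inkey "$WORK/tmp2.key.pem" \
  -out "$WORK/srv2.pfx" -passout pass:demo >/dev/null 2>&1
pfx_to_pem srv2 "$WORK/srv2.pfx" demo

for s in srv1 srv2 srv3; do
  check_pair "$WORK/$s.crt.pem" "$WORK/$s.key.pem" \
    && echo "$s: ready to upload" || echo "$s: NOT ready"
done
# The wrong key for the right certificate must be caught before upload.
key_matches_cert "$WORK/srv1.crt.pem" "$WORK/srv3.key.pem" \
  && echo "srv1 cert + srv3 key: mismatch undetected" \
  || echo "srv1 cert + srv3 key: mismatch detected"
```

A passing check only says the pair is consistent. The private key is still the server's identity: generate the PEM files on a trusted host, upload them over the FMC's HTTPS interface, and delete the plaintext copies afterwards.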
![Page 99: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/99.jpg)
SSL- Known Key – SSL Public, and Private Key
![Page 100: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/100.jpg)
SSL- Known Key – SSL Public, and Private Key
![Page 101: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/101.jpg)
SSL- Known Key – SSL Public, and Private Key
![Page 102: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/102.jpg)
Lab Ideas
![Page 103: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/103.jpg)
Lab Gear Needed
• Cisco C Series Server: 700 GB HD, 128 GB RAM, 4-port Gigabit Ethernet
• Cisco C3560X 24 port switch
• Internet connection
• Free version of vSphere Hypervisor 6.x
![Page 104: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/104.jpg)
FirePower Topology
Diagram: the FP sits between the lab and the Internet; behind it are DNS, DHCP, AD/LDAP and a Cert Server, plus Mac, PC and VM endpoints, with the VMs running on vSphere Hypervisor 6.x.
![Page 105: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/105.jpg)
Overall Topology
Diagram: the FirePower topology above extended with ISE, WSA, ESA, ACS and vWLC alongside the DNS, DHCP, AD/LDAP, Cert Server, Mac and PC components.
![Page 106: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/106.jpg)
Lab Gear Needed for Budget Topology
• Raspberry Pi 3
• Intel Compute Stick
• Spare PC
• Free version of vSphere Hypervisor 6.x
• Cisco 2960C 10 port switch
• Internet connection
![Page 107: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/107.jpg)
Alternative Topology
Diagram labels: Windows 10, Linux, DNS/DHCP, Internet, FP, LDAP/CA Server, Linux.
![Page 108: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/108.jpg)
Raspberry PI Setup at Home
Photo labels: Cisco 2960C 10 port, Sabrent 60 Watt, GeauxRobot.
![Page 109: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/109.jpg)
FirePower Classes
![Page 110: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/110.jpg)
SSFIPS - Securing Networks with Cisco FirePower Next-Generation IPS
• This lab-intensive course introduces you to the basic next-generation intrusion prevention system (NGIPS) and firewall security concepts. The course then leads you through the Cisco Firepower system. Among other powerful features, you will become familiar with:
• In-depth event analysis
• NGIPS tuning and configuration
• Snort® rules language
• 4 Day ILT
• 5 Day Virtual Training
![Page 111: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/111.jpg)
FIREPOWER200 – Securing Networks with Cisco FirePower Threat Defense NGFW
• This lab-intensive course introduces you to the basic next-generation intrusion prevention system (NGIPS) and next-generation firewall (NGFW) security concepts. The course then leads you through the Cisco Firepower system. Among other powerful features, you become familiar with:
• Firepower Threat Defense configuration
• In-depth event analysis
• NGIPS tuning and configuration
• 5 Day ILT
• 5 Day Virtual Training
![Page 112: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/112.jpg)
DSACI – Deploying Security in Cisco ACI
• You get a brief overview of Cisco ACI architecture, including an examination of the Cisco Nexus 9000 Series Switches for data centers, and discover how to implement security mechanisms in the operational infrastructure within the Cisco ACI environment. You also explore the process for provisioning security services in Cisco ACI, including external Cisco Adaptive Security Appliance (ASA), Adaptive Security Virtual Appliance (ASAv) instances, and Cisco Firepower capabilities.
• This course combines lecture materials and hands-on labs throughout to make sure you are able to successfully deploy, configure, and maintain Cisco ACI security.
• 5 Day ILT
![Page 113: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/113.jpg)
![Page 114: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/114.jpg)
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
![Page 115: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/115.jpg)
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
![Page 116: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/116.jpg)
Thank you
![Page 117: FirePower for CCIE Security Candidates · FirePower for CCIE Security Candidates Rafael Leiva-Ochoa BRKCCIE-3200](https://reader033.vdocuments.net/reader033/viewer/2022061510/5b2f02577f8b9af0648d496a/html5/thumbnails/117.jpg)