Introduction
This document describes the configuration, verification, and operation of an Inline Pair interface on a Firepower Threat Defense (FTD) appliance.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Firepower 4150 FTD (code 6.1.0.x and 6.3.x)
- Firepower Management Center (FMC) (code 6.1.0.x and 6.3.x)
The information in this document was generated by the devices in a specific laboratory environment. All devices used in this document were started with a clean (default) configuration. If your network is active, be sure to understand the potential effect of any command.
Related Products
This document can also be used with these hardware and software versions:
- ASA5506-X, ASA5506W-X, ASA5506H-X, ASA5508-X, ASA5516-X
- ASA5512-X, ASA5515-X, ASA5525-X, ASA5545-X, ASA5555-X
- FPR2100, FPR4100, FPR9300
- VMware (ESXi), Amazon Web Services (AWS), Kernel-based Virtual Machine (KVM)
- FTD software code 6.2.x and later
Background Information
FTD is a unified software image that consists of 2 main engines:
- LINA engine
- Snort engine
This figure shows how the 2 engines interact:
- A packet enters the ingress interface and is handled by the LINA engine
- If required by the FTD policy, the packet is inspected by the Snort engine
- The Snort engine returns a verdict for the packet
- The LINA engine drops or forwards the packet based on the Snort verdict
FTD provides two deployment modes and six interface modes, as shown in the image:
Note: You can mix interface modes on a single FTD device.
Here is a high-level overview of the various FTD interface and deployment modes:
FTD interface mode | FTD deployment mode | Description | Traffic can be dropped |
Routed | Routed | Full LINA engine and Snort engine checks | Yes |
Switched | Transparent | Full LINA engine and Snort engine checks | Yes |
Inline Pair | Routed or Transparent | Partial LINA engine checks and full Snort engine checks | Yes |
Inline Pair with Tap | Routed or Transparent | Partial LINA engine checks and full Snort engine checks | No |
Passive | Routed or Transparent | Partial LINA engine checks and full Snort engine checks | No |
Passive (ERSPAN) | Routed | Partial LINA engine checks and full Snort engine checks | No |
Configure the Inline Pair Interface on the FTD
Network Diagram
Task
Configure physical interfaces e1/6 and e1/8 in Inline Pair mode as per these requirements:
Interface | e1/6 | e1/8 |
Name | INSIDE | OUTSIDE |
Security Zone | INSIDE_ZONE | OUTSIDE_ZONE |
Inline Set Name | Inline-Pair-1 | |
Inline Set MTU | 1500 | |
Failsafe | Enabled | |
Propagate Link State | Enabled | |
Solution
Step 1. To configure the individual interfaces, navigate to Devices > Device Management, select the appropriate device and select Edit, as shown in the image.
Then specify the Name and tick Enabled for the interface, as shown in the image.
Note: Name is the nameif of the interface.
Do the same for the Ethernet1/8 interface. The end result is shown in the image.
Step 2. Configure the Inline Pair.
Navigate to Inline Sets > Add Inline Set, as shown in the image.
Step 3. Configure the General settings as per the requirements, as shown in the image.
Note: Failsafe allows traffic to pass through the inline pair uninspected if the interface buffers are full (this is typically seen when the device or the Snort engine is overloaded). The interface buffer size is allocated dynamically. This is a fail-open choice: under overload, packets are forwarded without Snort inspection rather than dropped, so decide deliberately whether availability or inspection wins on this pair.
Step 4. Enable the Propagate Link State option in the Advanced settings, as shown in the image.
Link state propagation automatically brings down the second interface of the inline interface pair when one of the interfaces in the inline set goes down.
Step 5. Save the changes and Deploy.
Verify
Use this section to confirm that your configuration works properly.
Verify the Inline Pair configuration from the FTD CLI.
Solution
Log in to the FTD CLI and verify the Inline Pair configuration:
> show inline-set

Inline-set Inline-Pair-1
  Mtu is 1500 bytes
  Failsafe mode is on/activated
  Failsecure mode is off
  Tap mode is off
  Propagate-link-state option is on
  hardware-bypass mode is disabled
  Interface-Pair[1]:
    Interface: Ethernet1/6 "INSIDE"
      Current-Status: UP
    Interface: Ethernet1/8 "OUTSIDE"
      Current-Status: UP
    Bridge Group ID: 509
>
Note: The Bridge Group ID is a value other than 0. If Tap Mode is enabled, it is 0.
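If you verify many inline sets, the check above is worth automating. The Python below is an added example (not Cisco code and not part of this document): it parses `show inline-set` output, compares it with the values from the requirements table (MTU 1500, Failsafe on, Propagate Link State on, Tap mode off, both members UP) and applies the Bridge Group ID rule from the note above. The embedded sample is a constructed copy of the CLI output shown above; the `REQUIREMENTS` dictionary and the function names are this example's own assumptions, and the alternative "Fail-open for snort down" spelling is accepted because later FTD releases on this page print it that way.

```python
"""Parse FTD 'show inline-set' output and verify it against the inline-set
requirements used in this document.  Added example, not Cisco code; the
sample output is a constructed copy of the CLI output shown on this page."""
import re

# Constructed sample: the 'show inline-set' output from the Verify section.
SAMPLE_SHOW_INLINE_SET = """\
Inline-set Inline-Pair-1
  Mtu is 1500 bytes
  Failsafe mode is on/activated
  Failsecure mode is off
  Tap mode is off
  Propagate-link-state option is on
  hardware-bypass mode is disabled
  Interface-Pair[1]:
    Interface: Ethernet1/6 "INSIDE"
      Current-Status: UP
    Interface: Ethernet1/8 "OUTSIDE"
      Current-Status: UP
    Bridge Group ID: 509
"""

# Values from the requirements table (assumption: Tap mode is expected off).
REQUIREMENTS = {"mtu": 1500, "failsafe": True,
                "propagate_link_state": True, "tap": False}

# One regex per attribute; later FTD releases print "Fail-open for snort
# down" instead of "Failsafe mode", so both spellings are accepted.
FIELD_PATTERNS = {
    "mtu": (re.compile(r"Mtu is (\d+) bytes"), int),
    "failsafe": (re.compile(r"(?:Failsafe mode|Fail-open for snort down) is (on|off)"),
                 lambda v: v == "on"),
    "tap": (re.compile(r"Tap mode is (on|off)"), lambda v: v == "on"),
    "propagate_link_state": (re.compile(r"Propagate-link-state option is (on|off)"),
                             lambda v: v == "on"),
    "bridge_group_id": (re.compile(r"Bridge Group ID: (\d+)"), int),
}
IFACE_RE = re.compile(r'Interface: (\S+) "([^"]*)"')
STATUS_RE = re.compile(r"Current-Status: (\S+)")


def parse_inline_sets(text):
    """Return {set_name: {attribute: value, "members": [...]}}."""
    sets, cur, member = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Inline-set (\S+)", line)
        if m:
            cur = sets.setdefault(m.group(1), {"members": []})
            continue
        if cur is None:
            continue
        m = IFACE_RE.match(line)
        if m:
            member = {"interface": m.group(1), "nameif": m.group(2)}
            cur["members"].append(member)
            continue
        m = STATUS_RE.match(line)
        if m and member is not None:
            member["status"] = m.group(1)
            continue
        for key, (pattern, convert) in FIELD_PATTERNS.items():
            m = pattern.match(line)
            if m:
                cur[key] = convert(m.group(1))
                break
    return sets


def check_inline_set(sets, name, requirements=REQUIREMENTS):
    """Return a list of findings; an empty list means the set is compliant."""
    s = sets.get(name)
    if s is None:
        return [f"inline set {name} not present"]
    findings = [f"{key}: expected {want}, got {s.get(key)}"
                for key, want in requirements.items() if s.get(key) != want]
    # Rule from this document: Bridge Group ID is 0 only when Tap mode is on.
    tap, bgid = s.get("tap", False), s.get("bridge_group_id")
    if tap != (bgid == 0):
        findings.append(f"tap={tap} but Bridge Group ID is {bgid}")
    if len(s["members"]) != 2:
        findings.append(f"expected 2 member interfaces, found {len(s['members'])}")
    findings += [f"{m['interface']} ({m['nameif']}) status {m.get('status')}"
                 for m in s["members"] if m.get("status") != "UP"]
    return findings


if __name__ == "__main__":
    parsed = parse_inline_sets(SAMPLE_SHOW_INLINE_SET)
    for name in parsed:
        print(name, check_inline_set(parsed, name) or "OK")
```

Feed it the text you collect over SSH from each FTD and alert on a non-empty findings list; a member whose status reads `Down(Propagate-Link-State-Activated)` is reported with that exact status string, which is how you tell a propagated shutdown from a real link loss.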
The interface nameif and security level:
> show nameif
Interface                Name                     Security
Ethernet1/6              INSIDE                     0
Ethernet1/7              diagnostic                 0
Ethernet1/8              OUTSIDE                    0
>
Verify the interface status:
> show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Internal-Data0/2           169.254.1.1     YES unset  up                    up
Ethernet1/6                unassigned      YES unset  up                    up
Ethernet1/7                unassigned      YES unset  up                    up
Ethernet1/8                unassigned      YES unset  up                    up
Verify the physical interface information:
> show interface e1/6
Interface Ethernet1/6 "INSIDE", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 1000 usec
        MAC address 5897.bdb9.770e, MTU 1500
        IPS Interface-Mode: inline, Inline-Set: Inline-Pair-1
        IP address unassigned
  Traffic Statistics for "INSIDE":
        468 packets input, 47627 bytes
        12 packets output, 4750 bytes
        1 packets dropped
      1 minute input rate 0 pkts/sec,  200 bytes/sec
      1 minute output rate 0 pkts/sec,  7 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  96 bytes/sec
      5 minute output rate 0 pkts/sec,  8 bytes/sec
      5 minute drop rate, 0 pkts/sec
> show interface e1/8
Interface Ethernet1/8 "OUTSIDE", is up, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 1000 usec
        MAC address 5897.bdb9.774d, MTU 1500
        IPS Interface-Mode: inline, Inline-Set: Inline-Pair-1
        IP address unassigned
  Traffic Statistics for "OUTSIDE":
        12 packets input, 4486 bytes
        470 packets output, 54089 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  7 bytes/sec
      1 minute output rate 0 pkts/sec,  212 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  7 bytes/sec
      5 minute output rate 0 pkts/sec,  106 bytes/sec
      5 minute drop rate, 0 pkts/sec
>
Verify the FTD Inline Pair Interface Operation
This section covers these verifications of Inline Pair operation:
- Verification 1. With the use of packet-tracer
- Verification 2. Enable capture with trace and send a TCP Synchronize/Acknowledge (SYN/ACK) packet through the Inline Pair
- Verification 3. Monitor FTD traffic with the use of firewall-engine-debug
- Verification 4. Verify the Link State Propagation functionality
- Verification 5. Configure static Network Address Translation (NAT)
Solution
Architectural Overview
When 2 FTD interfaces operate in Inline Pair mode, a packet is handled as shown in the image.
Note: Only physical interfaces can be members of an Inline Pair set (the EtherChannel cases are covered in the Inline Pair and EtherChannel section later in this document).
Basic Theory
- When you configure an Inline Pair, 2 physical interfaces are internally bridged
- It is very similar to a classic inline Intrusion Prevention System (IPS)
- It is available in Routed or Transparent deployment mode
- Most LINA engine features (NAT, routing, etc.) are not available for flows that go through an Inline Pair
- Transit traffic can be dropped
- A few LINA engine checks are applied along with full Snort engine checks
The last point can be visualised as shown in the image:
Verification 1. With the Use of Packet-Tracer
Packet-tracer output that emulates a packet which traverses the Inline Pair, with the important points highlighted:
> packet-tracer input INSIDE tcp 192.168.201.50 1111 192.168.202.50 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268438528
access-list CSM_FW_ACL_ remark rule-id 268438528: ACCESS POLICY: FTD4100 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268438528: L4 RULE: DEFAULT ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NGIPS-EGRESS-INTERFACE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Ingress interface INSIDE is in NGIPS inline mode.
Egress interface OUTSIDE is determined by inline-set configuration

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 106, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: allow
>
Verification 2. Send TCP SYN/ACK Packets Through the Inline Pair
You can generate TCP SYN/ACK packets with a packet crafter like Scapy. This Scapy session generates 3 packets with the SYN/ACK flags set (Scapy's default TCP source port is 20, which is why the captures that follow show source port 20):
root@KALI:~# scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> conf.iface='eth0'
>>> packet = IP(dst="192.168.201.60")/TCP(flags="SA",dport=80)
>>> syn_ack=[]
>>> for i in range(0,3): # Send 3 packets
...     syn_ack.extend(packet)
...
>>> send(syn_ack)
Enable these captures on the FTD CLI and send a few TCP SYN/ACK packets (only CAPI has the trace keyword, so only the ingress capture can be traced later):
> capture CAPI interface INSIDE trace match ip host 192.168.201.60 any
> capture CAPO interface OUTSIDE match ip host 192.168.201.60 any
>
After you send the packets through the FTD, you can see that a connection is established:
> show conn detail
1 in use, 34 most used
Flags: A - awaiting responder ACK to SYN, a - awaiting initiator ACK to SYN,
       b - TCP state-bypass or pinhole,
       C - CTIQBE media, c - cluster centralized,
       D - DNS, d - dump, E - outside back connection, e - semi-distributed,
       F - initiator FIN, f - responder FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - initiator data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, N - inspected by Snort, n - GUP
       O - responder data, P - inside back connection,
       q - SQL*Net data, R - initiator acknowledged FIN,
       R - UDP SUNRPC, r - responder acknowledged FIN,
       T - SIP, t - SIP transient, U - up,
       V - VPN orphan, v - M3UA W - WAAS,
       w - secondary domain backup,
       X - inspected by service module,
       x - per session, Y - director stub flow, y - backup stub flow,
       Z - Scansafe redirection, z - forwarding stub flow

TCP Inline-Pair-1:OUTSIDE(OUTSIDE): 192.168.201.60/80 Inline-Pair-1:INSIDE(INSIDE): 192.168.201.50/20,
    flags b N, idle 13s, uptime 13s, timeout 1h0m, bytes 0
>
Note: Flag b - A classic ASA would drop an unsolicited SYN/ACK packet unless TCP state bypass is enabled. An FTD interface in Inline Pair mode handles a TCP connection in TCP state-bypass mode and does not drop TCP packets that do not belong to an existing connection. In other words, the LINA TCP normalizer is not a control you can rely on for an Inline Pair; the Snort engine is the inspection point.
Note: Flag N - The packet is inspected by the FTD Snort engine.
The captures prove this, as you can see the 3 packets that go through the FTD:
> show capture CAPI
3 packets captured
   1: 15:27:54.327146       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
   2: 15:27:54.330000       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
   3: 15:27:54.332517       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
3 packets shown
>
3 packets exit the FTD device:
> show capture CAPO
3 packets captured
   1: 15:27:54.327299       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
   2: 15:27:54.330030       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
   3: 15:27:54.332548       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
3 packets shown
>
Trace of the first captured packet reveals some additional information, like the Snort engine verdict:
> show capture CAPI packet-number 1 trace
3 packets captured
   1: 15:27:54.327146       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268438528
access-list CSM_FW_ACL_ remark rule-id 268438528: ACCESS POLICY: FTD4100 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268438528: L4 RULE: DEFAULT ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: NGIPS-EGRESS-INTERFACE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Ingress interface INSIDE is in NGIPS inline mode.
Egress interface OUTSIDE is determined by inline-set configuration

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 282, packet dispatched to next module

Phase: 7
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 8
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet

Phase: 9
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
Action: allow

1 packet shown
>
Trace of the second captured packet shows that the packet matches an existing connection, so it bypasses the ACL check but is still inspected by the Snort engine:
> show capture CAPI packet-number 2 trace
3 packets captured
   2: 15:27:54.330000       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 282, using existing flow

Phase: 4
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 5
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet

Phase: 6
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
Action: allow

1 packet shown
>
Verification 3. Firewall-engine-debug for Allowed Traffic
Firewall-engine-debug works on specific components of the FTD Snort engine, such as the Access Control Policy, as shown in the image:
When you send the TCP SYN/ACK packets through the Inline Pair, you can see this in the debug output:
> system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address:
Please specify a client port:
Please specify a server IP address: 192.168.201.60
Please specify a server port: 80
Monitoring firewall engine debug messages

192.168.201.60-80 > 192.168.201.50-20 6 AS 4 I 12 New session
192.168.201.60-80 > 192.168.201.50-20 6 AS 4 I 12 using HW or preset rule order 3, id 268438528 action Allow and prefilter rule 0
192.168.201.60-80 > 192.168.201.50-20 6 AS 4 I 12 allow action
192.168.201.60-80 > 192.168.201.50-20 6 AS 4 I 12 Deleting session
Verification 4. Verify Link State Propagation
Enable buffered logging on the FTD and disable the switch port connected to the e1/6 interface. On the FTD CLI, you can see that both interfaces go down:
> show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Internal-Data0/2           169.254.1.1     YES unset  up                    up
Ethernet1/6                unassigned      YES unset  down                  down
Ethernet1/7                unassigned      YES unset  up                    up
Ethernet1/8                unassigned      YES unset  administratively down up
>
The FTD logs show:
> show logging
Jan 03 2017 15:53:19: %ASA-4-411002: Line protocol on Interface Ethernet1/6, changed state to down
Jan 03 2017 15:53:19: %ASA-4-411004: Interface OUTSIDE, changed state to administratively down
Jan 03 2017 15:53:19: %ASA-4-411004: Interface Ethernet1/8, changed state to administratively down
Jan 03 2017 15:53:19: %ASA-4-812005: Link-State-Propagation activated on inline-pair due to failure of interface Ethernet1/6(INSIDE) bringing down pair interface Ethernet1/8(OUTSIDE)
>
The inline-set status shows the state of the 2 member interfaces:
> show inline-set

Inline-set Inline-Pair-1
  Mtu is 1500 bytes
  Failsafe mode is on/activated
  Failsecure mode is off
  Tap mode is off
  Propagate-link-state option is on
  hardware-bypass mode is disabled
  Interface-Pair[1]:
    Interface: Ethernet1/6 "INSIDE"
      Current-Status: Down(Propagate-Link-State-Activated)
    Interface: Ethernet1/8 "OUTSIDE"
      Current-Status: Down(Down-By-Propagate-Link-State)
    Bridge Group ID: 509
>
Note the difference in the status of the 2 interfaces:
> show interface e1/6
Interface Ethernet1/6 "INSIDE", is down, line protocol is down
  Hardware is EtherSVI, BW 1000 Mbps, DLY 1000 usec
        MAC address 5897.bdb9.770e, MTU 1500
        IPS Interface-Mode: inline, Inline-Set: Inline-Pair-1
        Propagate-Link-State-Activated
        IP address unassigned
  Traffic Statistics for "INSIDE":
        3393 packets input, 234923 bytes
        120 packets output, 49174 bytes
        1 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  6 bytes/sec
      5 minute output rate 0 pkts/sec,  3 bytes/sec
      5 minute drop rate, 0 pkts/sec
>
And for the Ethernet1/8 interface:
> show interface e1/8
Interface Ethernet1/8 "OUTSIDE", is administratively down, line protocol is up
  Hardware is EtherSVI, BW 1000 Mbps, DLY 1000 usec
        MAC address 5897.bdb9.774d, MTU 1500
        IPS Interface-Mode: inline, Inline-Set: Inline-Pair-1
        Down-By-Propagate-Link-State
        IP address unassigned
  Traffic Statistics for "OUTSIDE":
        120 packets input, 46664 bytes
        3391 packets output, 298455 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  3 bytes/sec
      5 minute output rate 0 pkts/sec,  8 bytes/sec
      5 minute drop rate, 0 pkts/sec
>
After you re-enable the switch port, the FTD logs show:
> show logging
...
Jan 03 2017 15:59:35: %ASA-4-411001: Line protocol on Interface Ethernet1/6, changed state to up
Jan 03 2017 15:59:35: %ASA-4-411003: Interface Ethernet1/8, changed state to administratively up
Jan 03 2017 15:59:35: %ASA-4-411003: Interface OUTSIDE, changed state to administratively up
Jan 03 2017 15:59:35: %ASA-4-812006: Link-State-Propagation de-activated on inline-pair due to recovery of interface Ethernet1/6(INSIDE) bringing up pair interface Ethernet1/8(OUTSIDE)
>
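The two syslog messages above (%ASA-4-812005 and %ASA-4-812006) are the cleanest signal that link state propagation fired, and a monitoring pipeline should pair them to measure the outage and alert when a pair is still down. The Python below is an added example (not Cisco code and not part of this document) that does exactly that over exported FTD syslog or `show logging` text. The sample lines are a constructed copy of the two log excerpts in this section; the regexes are this example's assumptions about the message wording as printed above, and any line they do not match is skipped rather than guessed at.

```python
"""Detect inline-pair link-state-propagation events (%ASA-4-812005 and
%ASA-4-812006) in FTD syslog and measure how long each pair stayed down.
Added example, not Cisco code; the sample lines are a constructed copy of
the 'show logging' output on this page."""
import re
from datetime import datetime

# Constructed sample: the two 'show logging' excerpts from this section.
SAMPLE_LOG = """\
Jan 03 2017 15:53:19: %ASA-4-411002: Line protocol on Interface Ethernet1/6, changed state to down
Jan 03 2017 15:53:19: %ASA-4-411004: Interface OUTSIDE, changed state to administratively down
Jan 03 2017 15:53:19: %ASA-4-411004: Interface Ethernet1/8, changed state to administratively down
Jan 03 2017 15:53:19: %ASA-4-812005: Link-State-Propagation activated on inline-pair due to failure of interface Ethernet1/6(INSIDE) bringing down pair interface Ethernet1/8(OUTSIDE)
Jan 03 2017 15:59:35: %ASA-4-411001: Line protocol on Interface Ethernet1/6, changed state to up
Jan 03 2017 15:59:35: %ASA-4-411003: Interface Ethernet1/8, changed state to administratively up
Jan 03 2017 15:59:35: %ASA-4-411003: Interface OUTSIDE, changed state to administratively up
Jan 03 2017 15:59:35: %ASA-4-812006: Link-State-Propagation de-activated on inline-pair due to recovery of interface Ethernet1/6(INSIDE) bringing up pair interface Ethernet1/8(OUTSIDE)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$")
# Both 812005 and 812006 name the failed/recovered interface first and the
# pair interface second, each as Name(nameif).  Assumed wording, see lead-in.
PAIR_RE = re.compile(
    r"interface (?P<iface>[^\s(]+)\((?P<nameif>[^)]*)\) bringing (?:down|up) "
    r"pair interface (?P<pair>[^\s(]+)\((?P<pair_nameif>[^)]*)\)")


def parse_propagation_events(log_text):
    """Return a chronological list of link-state-propagation events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("id") not in ("812005", "812006"):
            continue
        d = PAIR_RE.search(m.group("msg"))
        if not d:
            continue  # unexpected wording; skip rather than guess
        events.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "state": "down" if m.group("id") == "812005" else "up",
            "iface": d.group("iface"),
            "pair": d.group("pair"),
        })
    return events


def propagation_outages(events):
    """Pair each activation (812005) with the next de-activation (812006) for
    the same interface pair.  Returns (closed, still_down): closed is a list
    of (iface, pair, seconds); still_down lists pairs with no recovery message
    yet, which is what a monitor should alert on."""
    open_since, closed = {}, []
    for ev in events:
        key = (ev["iface"], ev["pair"])
        if ev["state"] == "down":
            open_since.setdefault(key, ev["time"])
        elif key in open_since:
            started = open_since.pop(key)
            closed.append((key[0], key[1], int((ev["time"] - started).total_seconds())))
    return closed, sorted(open_since)


if __name__ == "__main__":
    closed, still_down = propagation_outages(parse_propagation_events(SAMPLE_LOG))
    for iface, pair, secs in closed:
        print(f"{iface} failure took {pair} down for {secs}s")
    for iface, pair in still_down:
        print(f"ALERT: {pair} still down due to {iface}")
```

On the sample the pair was down for 376 seconds (15:53:19 to 15:59:35). The 411001/411002 line-protocol messages are deliberately ignored: they also fire for unrelated interfaces, whereas 812005/812006 are specific to propagation on an inline pair.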
Verification 5. Configure Static NAT
Solution
NAT is not supported on interfaces that operate in inline, inline tap, or passive modes:
https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Network_Address_Translation__NAT__for_Threat_Defense.html
Block a Packet in Inline Pair Interface Mode
Create a Block rule, send traffic through the FTD Inline Pair and observe the behavior, as shown in the image.
Solution
Enable capture with trace and send SYN/ACK packets through the FTD Inline Pair. The traffic is blocked; note that the CAPO capture on OUTSIDE stays at 0 bytes, so nothing egresses:
> show capture
capture CAPI type raw-data trace interface INSIDE [Capturing - 210 bytes]
  match ip host 192.168.201.60 any
capture CAPO type raw-data interface OUTSIDE [Capturing - 0 bytes]
  match ip host 192.168.201.60 any
Trace of a packet reveals:
> show capture CAPI packet-number 1 trace
3 packets captured
   1: 16:12:55.785085       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip 192.168.201.0 255.255.255.0 any rule-id 268441600 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD4100 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: Rule 1
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 packet shown
>
In this trace you can see that the packet was dropped by the FTD LINA engine and was not forwarded to the FTD Snort engine: unlike the allowed trace earlier, there are no EXTERNAL-INSPECT and SNORT phases after the ACCESS-LIST drop.
Configure Inline Pair Mode with Tap
Enable Tap mode on the Inline Pair.
Solution
Navigate to Devices > Device Management > Inline Sets > Edit Inline Set > Advanced and enable Tap Mode, as shown in the image.
Verification
> show inline-set

Inline-set Inline-Pair-1
  Mtu is 1500 bytes
  Failsafe mode is on/activated
  Failsecure mode is off
  Tap mode is on
  Propagate-link-state option is on
  hardware-bypass mode is disabled
  Interface-Pair[1]:
    Interface: Ethernet1/6 "INSIDE"
      Current-Status: UP
    Interface: Ethernet1/8 "OUTSIDE"
      Current-Status: UP
    Bridge Group ID: 0
>
Verify FTD Inline Pair with Tap Interface Operation
Basic Theory
- When you configure an Inline Pair with Tap, 2 physical interfaces are internally bridged
- It is available in Routed or Transparent deployment mode
- Most LINA engine features (NAT, routing, etc.) are not available for flows that go through the Inline Pair
- Actual traffic cannot be dropped
- A few LINA engine checks are applied along with full Snort engine checks to a copy of the actual traffic
The last point is shown in the image:
Inline Pair with Tap mode does not drop transit traffic. Trace of a packet confirms this:
> show capture CAPI packet-number 2 trace
3 packets captured
   2: 13:34:30.685084       192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) win 8192
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip 192.168.201.0 255.255.255.0 any rule-id 268441600 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: FTD4100 - Mandatory/1
access-list CSM_FW_ACL_ remark rule-id 268441600: L4 RULE: Rule 1
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: Access-list would have dropped, but packet forwarded due to inline-tap

1 packet shown
>
The Block rule still matches and still logs (the rule carries event-log flow-start), but the original packet is forwarded. Tap mode is a monitoring posture, not a preventive one: treat its Block events as alerts, not as evidence that traffic was stopped.
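The three trace outputs on this page (the allowed SYN/ACK in Verification 2, the Block rule drop, and the Tap mode "would have dropped" case just above) differ only in a few lines, and that is what you read when you triage a "did the FTD drop it?" question. The Python below is an added example (not Cisco code and not part of this document) that parses a packet-tracer or `show capture ... trace` output into phases, pulls out the Snort verdict when a SNORT phase is present, and classifies the outcome as allowed, dropped by LINA, or forwarded despite the ACL because of inline-tap. The three embedded samples are constructed, abbreviated copies of the traces shown on this page; the function names and the wording of the returned decision strings are this example's own.

```python
"""Classify an FTD packet-tracer / 'show capture ... trace' output: list the
phases, extract the Snort verdict when Snort was reached, and tell whether
the packet was allowed, dropped by the LINA engine, or only "would have been"
dropped because the inline set is in Tap mode.  Added example, not Cisco
code; the three sample traces are constructed, abbreviated copies of the
traces shown on this page."""
import re


def parse_trace(text):
    """Return (phases, result): phases is a list of dicts with type, subtype,
    result and the free-text lines under Config/Additional Information;
    result is the trailing 'Result:' block as a dict keyed by lower-case label."""
    phases, result, cur, in_result = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"Phase:\s*\d+$", line):
            cur = {"type": "", "subtype": "", "result": "", "info": []}
            phases.append(cur)
            in_result = False
        elif line == "Result:":            # bare label starts the final summary block
            cur, in_result = None, True
        elif in_result:
            key, _, val = line.partition(":")
            result[key.strip().lower()] = val.strip()
        elif cur is not None:
            for key in ("type", "subtype", "result"):
                if line.lower().startswith(key + ":"):
                    cur[key] = line.split(":", 1)[1].strip()
                    break
            else:
                cur["info"].append(line)
    return phases, result


def classify(text):
    """Summarise who decided the packet's fate and how."""
    phases, result = parse_trace(text)
    snort = next((p for p in phases if p["type"] == "SNORT"), None)
    verdict = None
    if snort is not None:
        m = re.search(r"Snort Verdict: \(([^)]+)\)", " ".join(snort["info"]))
        verdict = m.group(1) if m else "unknown"
    action = result.get("action", "")
    if action.startswith("Access-list would have dropped"):
        decision = "tap mode: would have dropped, packet forwarded"
    elif action == "drop":
        decision = "dropped by LINA: " + result.get("drop-reason", "no reason given")
    elif snort is not None:
        decision = "allowed, Snort verdict " + verdict
    else:
        decision = "allowed by LINA; Snort not reached in this trace"
    return {"phases": [p["type"] for p in phases],
            "snort_verdict": verdict, "action": action, "decision": decision}


# Constructed, abbreviated samples (only the phases that matter are kept).
ALLOWED_TRACE = """\
Phase: 1
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied

Phase: 2
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
Action: allow
"""

BLOCKED_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-list CSM_FW_ACL_ advanced deny ip 192.168.201.0 255.255.255.0 any rule-id 268441600 event-log flow-start
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Same ACL hit, but the inline set is in Tap mode so the packet is forwarded.
TAP_TRACE = BLOCKED_TRACE.replace(
    "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule",
    "Action: Access-list would have dropped, but packet forwarded due to inline-tap")

if __name__ == "__main__":
    for name, trace in (("allowed", ALLOWED_TRACE), ("blocked", BLOCKED_TRACE), ("tap", TAP_TRACE)):
        print(name, classify(trace)["decision"])
```

The absence of a SNORT phase in the blocked trace is the same observation made in prose after the Block rule trace: a LINA ACL deny is decided before the packet is handed to Snort, so `snort_verdict` is None there, while the Tap mode trace is distinguished purely by the Action text in the final Result block.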
Inline Pair and EtherChannel
You can configure Inline Pairs with EtherChannel in 2 ways:
- EtherChannel terminated on the FTD
- EtherChannel goes through the FTD (requires FXOS code 2.3.1.3 and later)
EtherChannel Terminated on the FTD
EtherChannels on SW-A:
SW-A# show etherchannel summary | i Po33|Po55
33     Po33(SU)        LACP      Gi3/11(P)
35     Po35(SU)        LACP      Gi2/33(P)
EtherChannels on SW-B:
SW-B# show etherchannel summary | i Po33|Po55
33     Po33(SU)        LACP      Gi1/0/3(P)
55     Po55(SU)        LACP      Gi1/0/4(P)
Traffic goes through the active FTD based on MAC address learning:
SW-B# show mac address-table address 0017.dfd6.ec00
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 201    0017.dfd6.ec00    DYNAMIC     Po33
Total Mac Addresses for this criterion: 1
The inline set on the FTD:
FTD# show inline-set

Inline-set SET1
  Mtu is 1500 bytes
  Fail-open for snort down is on
  Fail-open for snort busy is off
  Tap mode is on
  Propagate-link-state option is off
  hardware-bypass mode is disabled
  Interface-Pair[1]:
    Interface: Port-channel3 "INSIDE"
      Current-Status: UP
    Interface: Port-channel5 "OUTSIDE"
      Current-Status: UP
    Bridge Group ID: 775
Note: In case of an FTD failover event, the traffic disruption depends mainly on the time it takes the switches to learn the MAC address of the remote endpoint.
EtherChannel Goes Through the FTD
EtherChannels on SW-A:
SW-A# show etherchannel summary | i Po33|Po55
33     Po33(SU)        LACP      Gi3/11(P)
55     Po55(SD)        LACP      Gi3/7(I)
LACP packets from the Standby FTD are dropped:
FTD# capture ASP type asp-drop all
FTD# show capture ASP | i 0180.c200.0002
  29: 15:28:32.658123 a0f8.4991.ba03 0180.c200.0002 0x8809 Length: 124
  70: 15:28:47.248262 f0f7.556a 80202c 80202c 2 4
EtherChannels on SW-B:
SW-B# show etherchannel summary | i Po33|Po55
33     Po33(SU)        LACP      Gi1/0/3(P)
55     Po55(SD)        LACP      Gi1/0/4(s)
Traffic goes through the active FTD based on MAC address learning:
SW-B# show mac address-table address 0017.dfd6.ec00
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 201    0017.dfd6.ec00    DYNAMIC     Po33
Total Mac Addresses for this criterion: 1
The inline set on the FTD:
FTD# show inline-set

Inline-set SET1
  Mtu is 1500 bytes
  Fail-open for snort down is on
  Fail-open for snort busy is off
  Tap mode is off
  Propagate-link-state option is off
  hardware-bypass mode is disabled
  Interface-Pair[1]:
    Interface: Ethernet1/3 "INSIDE"
      Current-Status: UP
    Interface: Ethernet1/5 "OUTSIDE"
      Current-Status: UP
    Bridge Group ID: 519
Caution: In this scenario, in case of an FTD failover, the convergence time depends mainly on the LACP negotiation of the EtherChannel, and the outage can be much longer. If the EtherChannel mode is on (no LACP), the convergence time depends on MAC address learning.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Comparison: Inline Pair vs Inline Pair with Tap
 | Inline Pair | Inline Pair with Tap |
show inline-set | Tap mode is off; Bridge Group ID: 509 (non-zero) | Tap mode is on; Bridge Group ID: 0 |
show interface | show interface e1/6 | show interface e1/6 |
Packet handling with a Block rule | show capture CAPI packet-number 1 trace (1: 16:12:55.785085 192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) ack 0 win 8192): Phase 4 ACCESS-LIST Result: DROP; Action: drop; Drop-reason: (acl-drop) Flow is denied by configured rule | show capture CAPI packet-number 1 trace (1: 16:56:02.631437 192.168.201.50.20 > 192.168.201.60.80: S 0:0(0) win 8192): Phase 4 ACCESS-LIST Result: DROP; Action: Access-list would have dropped, but packet forwarded due to inline-tap |
Summary
- When you use Inline Pair, the packet goes mainly through the FTD Snort engine
- TCP connections are handled in TCP state-bypass mode
- From the FTD LINA engine point of view, an ACL policy is applied
- When Inline Pair mode is used, packets can be blocked because they are processed inline
- When Tap Mode is enabled, a copy of the packet is inspected and dropped internally, while the actual traffic goes through the FTD unmodified
Related Information
- Cisco Firepower NGFW
FAQs
What are the different types of FTD interfaces? ›
You can deploy FTD interfaces in two modes: Regular firewall mode and IPS-only mode. You can include both firewall and IPS-only interfaces on the same device.
What is the difference between inline and inline tap on Cisco Firepower? ›Firepower in Inline tap mode will be deployed exactly as inline mode. the difference is that in inline tap mode, traffic itself will not be inspected but just a copy of traffic is inspected. Therefore in inline tap mode, it is not possible to drop intrusions and they will be just alerted.
Which command is used to configure FTD from transparent mode to routed mode? ›Which of the following commands is used to configure FTD from Transparent Mode to Routed Mode? Answer : configure firewall routed.
How to configure NetFlow on Cisco devices with Firepower Management Center? ›- Log into your Firepower Managed Center console.
- Navigate to Objects > Object Management.
- From the side navigation, select FlexConfig > Text Object.
- Search for NetFlow using the search bar in the top right corner. You'll see three results. Each one needs to be configured.
Static and Dynamic Rules
Static NATs have a bi-directional capability. This means that traffic originating at the destination will still have NAT applied. A Dynamic NAT translates a group of real addresses to a pool of translated IP's. This uses a one-to-one mapping.
à Auto NAT is also called as Object NAT and Manual NAT is also called as Twice NAT. à We can only use network object in Auto NAT, whereas we can use both network object and network object group in Manual NAT. à Manual NAT is more flexible compared to Auto NAT. à In Auto NAT, Nat rules are automatically ordered.
What is the difference between Bloc and inline? ›The display: inline-block Value
Compared to display: block , the major difference is that display: inline-block does not add a line-break after the element, so the element can sit next to other elements.
An inline banner is full-width, and sits between your page content and the top of the window. A floating banner is centered on your page, and sits above the content, covering whatever is behind it.
What is the difference between Cisco FirePOWER and FTD? ›FTD is an integrated image which combines all of the FirePOWER Services features with many (but not all) ASA firewall services. If a customer is already running ASA with FirePOWER services, they may want to migrate in the long term to simplify management and operations. Short term, there are few compelling reasons.
How to configure management IP in FTD? ›Do that via Device Management > edit the Device > Device tab > move slider next to management section. 2. Change the address on the device directly using "configure network ..." command from the cli.
What is the difference between routed mode and transparent mode? ›
In routed mode, the firewall is considered to be an L3 device in the network. It supports multiple interfaces with each interface on a different subnet and can perform network address translation (NAT) between connected networks. In transparent mode, the firewall is an L2 device and not an L3 or routed hop.
How to check tunnel status in Cisco FTD? ›In order to monitor the tunnel status, navigate to the CLI of the FTD or ASA. From the FTD CLI, verify phase-1 and phase-2 with the command show crypto ikev2 sa. This section provides information you can use in order to troubleshoot your configuration.
What are the four main methods of accessing a Cisco device in order to configure it? ›- Cisco IOS Command Summary—Four Modes to Access and Configure a Cisco Router.
- The four modes for accessing and configuring a Cisco router are: user EXEC mode, privileged EXEC mode, global configuration mode, interface configuration mode.
- Exiting Modes.
- Initial command prompt "Switch>" appears on the screen.
- Type "enable" next to it and press "Enter".
- This will take you into the "EXEC" mode, also known as the Global Configuration mode.
- Go into configure mode using configure terminal.
Dynamic NAT uses a pool of public addresses and assigns them according to the "first come, first served" principle. Port and Address Translation (PAT) is a form of dynamic NAT that maps several private addresses to a single public IP address.
What is the difference between destination NAT and static NAT? ›Static NAT is a one-to-one mapping that works in both directions: the destination IP address is translated for packets arriving from outside and the source IP address is translated for the reply (and for connections the inside host opens itself). With destination NAT you only translate the original destination address to an IP address in the address pool, typically to redirect inbound traffic to a server.
Is Static NAT the same as port forwarding? ›Port forwarding is a special case of static NAT, not a synonym for it. Plain static NAT maps one address to one address for all ports. Port forwarding (static NAT with port translation on ASA/FTD) is port-to-host: when a packet arrives from an external network for a specific port on the external address, the firewall rewrites the destination IP address and port to a host and port behind the firewall. Avoid the abbreviation SNAT here, because it more commonly means source NAT.
What is the default management IP for Cisco FTD? ›The Firepower 1010 and the management center both have the same default management IP address: 192.168.
What are the two basic types of NAT? ›
- Static NAT: maps an internal IP address to an external one on a one-to-one basis.
- Dynamic NAT: the firewall has a pool of external IP addresses that it assigns to internal hosts as needed.
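The following is an added example, not code from the page or from Cisco: a small Python model of how the three NAT flavours discussed above (static, dynamic pool, dynamic PAT) differ in practice. It goes slightly beyond the text by also showing the pool-exhaustion fallback to PAT that ASA/FTD support. Addresses, the pool size and the PAT port range are constructed for illustration; a real xlate is keyed on the full 5-tuple and ages out, which the model ignores.

```python
class NatTable:
    """Toy model of static NAT, dynamic (pool) NAT and dynamic PAT, tried in the
    order a firewall would try them for an inside host. Keys are simplified to
    (ip, port); a real ASA/FTD xlate is keyed on the full 5-tuple and times out."""

    def __init__(self, static=None, pool=(), pat_address=None, pat_ports=range(1024, 65536)):
        self.static = dict(static or {})            # inside ip -> outside ip, fixed
        self.static_reverse = {o: i for i, o in self.static.items()}
        self.pool = list(pool)                      # free dynamic addresses, first come first served
        self.dynamic = {}                           # inside ip -> outside ip, allocated on demand
        self.pat_address = pat_address              # single address shared by PAT
        self.pat_ports = iter(pat_ports)            # assumed port range for the toy model
        self.pat = {}                               # (inside ip, inside port) -> outside port
        self.pat_reverse = {}                       # outside port -> (inside ip, inside port)

    def outbound(self, src_ip, src_port):
        """Translate the source of an inside->outside packet; returns (outside ip, outside port)."""
        if src_ip in self.static:                   # static: always the same address, port untouched
            return self.static[src_ip], src_port
        if src_ip in self.dynamic:                  # dynamic NAT entry already allocated
            return self.dynamic[src_ip], src_port
        if self.pool:                               # dynamic NAT: one pool address per host
            self.dynamic[src_ip] = self.pool.pop(0)
            return self.dynamic[src_ip], src_port
        if self.pat_address is not None:            # pool exhausted: fall back to PAT
            key = (src_ip, src_port)
            if key not in self.pat:
                port = next(self.pat_ports)         # StopIteration means the PAT port space is exhausted
                self.pat[key] = port
                self.pat_reverse[port] = key
            return self.pat_address, self.pat[key]
        raise LookupError(f"no translation available for {src_ip}:{src_port}")

    def inbound(self, dst_ip, dst_port):
        """Translate the destination of an outside->inside packet.
        Returns (inside ip, inside port), or None when the firewall has no
        mapping and would drop the packet."""
        if dst_ip in self.static_reverse:           # static NAT accepts unsolicited traffic in both directions
            return self.static_reverse[dst_ip], dst_port
        for inside, outside in self.dynamic.items():  # dynamic NAT: only while the entry exists
            if outside == dst_ip:
                return inside, dst_port
        if dst_ip == self.pat_address and dst_port in self.pat_reverse:
            return self.pat_reverse[dst_port]       # PAT: only the exact port that was allocated
        return None


if __name__ == "__main__":
    nat = NatTable(static={"10.0.0.10": "203.0.113.10"}, pool=["203.0.113.20"],
                   pat_address="203.0.113.1")
    print(nat.outbound("10.0.0.10", 40000))   # static: ('203.0.113.10', 40000)
    print(nat.inbound("203.0.113.10", 443))   # static, unsolicited inbound: ('10.0.0.10', 443)
    print(nat.outbound("10.0.0.11", 40001))   # takes the only pool address: ('203.0.113.20', 40001)
    print(nat.outbound("10.0.0.12", 40002))   # pool empty, PAT: ('203.0.113.1', 1024)
    print(nat.inbound("203.0.113.1", 5000))   # no xlate for that port: None (dropped)
```

The model makes the security-relevant difference visible: a static entry exposes the inside host to unsolicited inbound traffic on every port, a dynamic pool entry exposes it only while the xlate exists, and PAT exposes nothing except the exact port a host is already using.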
You can deploy FTD interfaces in two modes: Regular firewall mode and IPS-only mode.
Cisco does not make a web application firewall. However, the Firepower product line does have some functionality that is traditionally considered part of a web application firewall, such as Snort rules that detect SQL injection and cross-site scripting attempts. Those rules only see the request if the traffic is in clear text or decrypted by the FTD, so they are no substitute for a WAF in front of an HTTPS application.
Is Cisco FTD a firewall? ›Yes. Cisco FTD (Firepower Threat Defense) is Cisco's next-generation firewall and IPS image for securing networks and applications. It also bundles other security features on the same device, such as application visibility, URL filtering, file and malware inspection, and site-to-site and remote-access VPN.
What ports does FTD use to communicate with FMC? ›The communication between FMC and its managed sensor (the sftunnel channel) is on TCP port 8305, not 8307. It must be open bidirectionally: the sensor/FTD can initiate the connection to FMC on 8305 and vice versa, so permit 8305/tcp in both directions between the management interfaces.
How does Cisco FTD work? ›Cisco Firepower Threat Defense is a unified software image that combines the Cisco ASA firewall and the Firepower (Snort) features into one system, on shared hardware and software. The Cisco Firepower NGIPS is the next-generation intrusion prevention component of that image.
How do I assign an IP address to a management interface? ›The menu path Device > Setup > Interfaces > Management (and Device > Setup > Services for the DNS server, followed by Commit) is the Palo Alto PAN-OS procedure, not FTD. On FTD the management interface is configured from the device CLI: configure network ipv4 manual <ip> <netmask> <gateway> sets the address, configure network dns servers <addr> sets the DNS server, configure network hostname <name> sets the host name, and show network displays the result. As on any platform, changing the management address from a session that is connected through that address drops the session, so you never see the command complete; reconnect to the new address or use the console.
How do I enable SSH on Cisco FTD? ›SSH to the management interface is enabled by default; what you configure is who may connect. Log in to the FTD CLI and issue configure ssh-access-list 192.168.1.0/24 to allow access from the 192.168.1.0/24 network (several networks are given as a comma-separated list). The command replaces the existing list rather than appending to it, so include every admin network you need, and keep in mind that you should also include the FMC IP or subnet, because this interface is used to register the FTD to FMC. Do not use 0.0.0.0/0. SSH on the data interfaces is controlled separately, through the Secure Shell page of the FMC platform settings policy.
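An added example (not from the page or from Cisco) of a pre-flight check a practitioner would run before pasting the access list into the FTD CLI: it refuses a list that would lock out the FMC or a named admin host, or that opens SSH to the whole Internet, and otherwise emits the complete replacement command. The FMC address and admin networks are constructed values.

```python
import ipaddress

FMC_ADDRESS = "192.168.1.10"                         # assumed FMC management address (constructed)
ADMIN_NETWORKS = ["192.168.1.0/24", "10.20.30.0/24"]  # assumed admin subnets (constructed)


def build_ssh_access_list(allowed_networks, fmc_address, admin_hosts=()):
    """Return the 'configure ssh-access-list' command for allowed_networks,
    or raise ValueError if applying it would be unsafe."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]

    # A /0 (or ::/0) permits SSH from anywhere and defeats the purpose of the list.
    for n in nets:
        if n.prefixlen == 0:
            raise ValueError(f"{n} permits SSH from anywhere; narrow it")

    # FMC registers and manages the FTD through the same management interface,
    # so a list that omits the FMC (or the admins) is an expensive lock-out.
    required = {"FMC": ipaddress.ip_address(fmc_address)}
    for h in admin_hosts:
        required[f"admin host {h}"] = ipaddress.ip_address(h)
    for label, addr in required.items():
        if not any(addr in n for n in nets):          # version mismatch simply yields False
            raise ValueError(f"{label} ({addr}) is not covered by {allowed_networks}; "
                             "applying this list would lock it out")

    # The real command replaces any previous list outright, so always emit the full set.
    return "configure ssh-access-list " + ",".join(str(n) for n in nets)


def ssh_access_list_problem(allowed_networks, fmc_address, admin_hosts=()):
    """Return the problem with a proposed list as text, or None if it is safe to apply."""
    try:
        build_ssh_access_list(allowed_networks, fmc_address, admin_hosts)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(build_ssh_access_list(ADMIN_NETWORKS, FMC_ADDRESS, admin_hosts=["10.20.30.7"]))
    print(ssh_access_list_problem(["10.20.30.0/24"], FMC_ADDRESS))   # FMC left out
    print(ssh_access_list_problem(["0.0.0.0/0"], FMC_ADDRESS))       # far too broad
```

Host addresses given with a prefix (192.168.1.5/24) are normalised to their network, which is what the FTD expects in the list.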
What is the difference between routed and bridged mode? ›Bridging is not the same as routing. Routing allows several networks to interact freely while remaining distinct, whereas bridging links two separate networks together as if they were one.
What does routed without NAT do? ›Without NAT, the packet is forwarded carrying the server's real IP address, and every hop along the path must have a route for that address. If the next hop only has a default route pointing elsewhere, that may not be enough and traffic (or the return traffic) is misrouted; NAT avoids the problem by presenting an address that is known to be routable from the other side.
What is the difference between LAN route mode and bridge mode? ›Router mode makes the router or the device work on Network Layer (Layer 3). Bridge mode revokes the routing capability and makes it work on the Data layer (Layer 2). Router performs NAT processes, and having another router connected will lead to Double NAT.
How do I check my site-to-site VPN status in FTD? ›Verification and monitoring: in FMC, browse to System > Health > Events, then click VPN Status. The remaining verification takes place on the FTD CLI with show crypto ikev2 sa and show crypto ipsec sa.
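The two CLI checks mentioned for tunnel status above and for site-to-site VPN status here are usually read by eye; the following is an added example (not from the page or from Cisco) that parses both outputs and combines them into a per-peer verdict, including the one-way case (packets encapsulated but none decapsulated) that a green IKE status hides. The sample outputs are constructed to follow the ASA/FTD show crypto ikev2 sa and show crypto ipsec sa layouts; addresses, SPIs and counters are made up.

```python
import re

# Constructed sample output (not captured from a real device); the field layout
# follows the ASA/FTD "show crypto ikev2 sa" format.
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote                Status   Role
 1234567  203.0.113.1/500      198.51.100.1/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1234 sec
Child sa: local selector  192.0.2.0/0 - 192.0.2.255/65535
          remote selector 10.10.0.0/0 - 10.10.0.255/65535
          ESP spi in/out: 0x1a2b3c4d/0x4d3c2b1a
"""

# Constructed sample output following the "show crypto ipsec sa" format: the tunnel
# sends (encaps) but never receives (decaps), the classic one-way symptom.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def parse_ikev2_sa(text):
    """Return one dict per IKEv2 session: session status, peer address, tunnel status, child-SA count."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)", line)
        if m:
            current = {"session_id": int(m.group(1)), "status": m.group(2),
                       "child_count": int(m.group(4)), "peer": None, "tunnel_status": None}
            sessions.append(current)
            continue
        # Tunnel line: "<tunnel-id> <local>/<port> <remote>/<port> <status> <role>"
        m = re.match(r"(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)$", line)
        if m and current is not None:
            current["peer"], current["tunnel_status"] = m.group(3), m.group(4)
    return sessions


def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry: peer and the encaps/decaps packet counters."""
    entries = []
    for chunk in re.split(r"Crypto map tag:", text)[1:]:
        peer = re.search(r"current_peer: (\S+)", chunk)
        enc = re.search(r"#pkts encaps: (\d+)", chunk)
        dec = re.search(r"#pkts decaps: (\d+)", chunk)
        entries.append({"peer": peer.group(1) if peer else None,
                        "encaps": int(enc.group(1)) if enc else 0,
                        "decaps": int(dec.group(1)) if dec else 0})
    return entries


def tunnel_verdict(ikev2_text, ipsec_text):
    """Combine phase-1 (IKEv2) and phase-2 (IPsec) state into a verdict per peer."""
    ipsec_by_peer = {e["peer"]: e for e in parse_ipsec_sa(ipsec_text)}
    verdicts = {}
    for s in parse_ikev2_sa(ikev2_text):
        ipsec = ipsec_by_peer.get(s["peer"], {"peer": s["peer"], "encaps": 0, "decaps": 0})
        if s["status"] != "UP-ACTIVE" or s["tunnel_status"] != "READY":
            verdict = "down: IKEv2 SA not established"
        elif s["child_count"] == 0:
            verdict = "down: IKEv2 up but no child (IPsec) SA"
        elif ipsec["encaps"] > 0 and ipsec["decaps"] == 0:
            verdict = "one-way: sending but not receiving (check the remote side and return routing)"
        else:
            verdict = "up"
        verdicts[s["peer"]] = {"verdict": verdict, **s, **ipsec}
    return verdicts


if __name__ == "__main__":
    for peer, v in tunnel_verdict(SAMPLE_IKEV2_SA, SAMPLE_IPSEC_SA).items():
        print(peer, v["verdict"])   # 198.51.100.1 one-way: sending but not receiving ...
```

Paste the real output of the two show commands into the two strings (or feed the command output over SSH) and the same logic applies; the regular expressions only depend on the field labels shown above.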
- Navigate to Objects > Object Management > Access List > Extended.
- Click Add Extended Access List.
- Click Add to add a new sequence.
- Set Action to Block.
- Click the Port tab.
- Add OSPFIGP (89) as the destination port object (OSPF is IP protocol 89, not a TCP/UDP port; FMC lists it on this tab as the OSPFIGP protocol object).
- Click Save.
- Click Add again to add any further sequences.
To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask. Keep in mind that to manage the switch from a remote network, the switch must be configured with a default gateway.
What are the three methods of accessing a Cisco device? ›The usual remote management methods are:
- Telnet
- SSH
- HTTP
- HTTPS
- SNMP
plus the console port for local access. Telnet, HTTP and SNMPv1/v2c send credentials and data in clear text; use SSH, HTTPS and SNMPv3 and disable the clear-text options. You can access the CLI through a console connection, through Telnet or SSH, or by using the browser.
What is the difference between half duplex and full duplex? ›A half-duplex transmission could be considered a one-way street between sender and receiver. Full-duplex, on the other hand, enables two-way traffic at the same time. A communications channel can be used to communicate one way at a time or in both directions at once.
What is the best speed and duplex setting? ›Leave both ends on autonegotiation unless a device is known to get it wrong. 10 and 100 Mbps links run full duplex whenever both ends support it; half duplex is only needed for hubs and other legacy equipment. 1,000 Mbps and faster links are full duplex only. The setting to avoid is fixing speed and duplex on one end while the other end stays on auto: the auto side cannot negotiate with a fixed partner, falls back to half duplex, and you get the classic duplex mismatch.
How do I fix duplex mismatch? ›A duplex mismatch can be fixed by either enabling autonegotiation (if available and working) on both ends or by forcing the same settings on both ends (availability of a configuration interface permitting).
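Before fixing a mismatch you have to find it, and the counters give it away: late collisions occur only on the half-duplex side, while the full-duplex side sees the peer's collision fragments as CRC and frame errors. The following added example (not from the page or from Cisco) parses IOS show interfaces output and flags both sides. The three interface excerpts are constructed, with port 1 as the half-duplex side of a mismatch, port 2 as the full-duplex side, and port 3 healthy.

```python
import re

# Constructed IOS "show interfaces" excerpts (not captured from a real switch).
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 1520 collisions, 1 interface resets
     0 babbles, 340 late collision, 0 deferred
GigabitEthernet1/0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4456 (bia 0011.2233.4456)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     912 input errors, 880 CRC, 32 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet1/0/3 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0011.2233.4457 (bia 0011.2233.4457)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""


def parse_show_interfaces(text):
    """Return one dict per interface with duplex, speed and the mismatch-relevant counters."""
    ifaces = []
    for line in text.splitlines():
        header = re.match(r"^(\S+) is \S+, line protocol is \S+", line)
        if header:
            ifaces.append({"name": header.group(1), "duplex": None, "speed_mbps": None,
                           "crc": 0, "frame": 0, "late_collisions": 0})
            continue
        if not ifaces:
            continue                                  # text before the first interface header
        cur = ifaces[-1]
        m = re.match(r"\s*(Half|Full)-duplex, (\d+)Mb/s", line)
        if m:
            cur["duplex"], cur["speed_mbps"] = m.group(1).lower(), int(m.group(2))
            continue
        m = re.search(r"(\d+) CRC, (\d+) frame", line)
        if m:
            cur["crc"], cur["frame"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.search(r"(\d+) late collision", line)
        if m:
            cur["late_collisions"] = int(m.group(1))
    return ifaces


def duplex_findings(text):
    """Map interface name -> diagnosis for ports whose counters indicate a duplex mismatch."""
    findings = {}
    for i in parse_show_interfaces(text):
        if i["late_collisions"] > 0:
            # Late collisions happen only on a half-duplex port whose partner transmits
            # without deferring, i.e. the partner is running full duplex.
            findings[i["name"]] = ("half-duplex side of a mismatch: %d late collisions, "
                                   "peer is transmitting full-duplex" % i["late_collisions"])
        elif i["duplex"] == "full" and (i["crc"] > 0 or i["frame"] > 0):
            # A full-duplex port has no collision detection; the half-duplex peer's
            # collision fragments arrive here as CRC and frame (runt) errors instead.
            findings[i["name"]] = ("full-duplex side of a mismatch: %d CRC / %d frame errors, "
                                   "peer is likely half-duplex" % (i["crc"], i["frame"]))
    return findings


if __name__ == "__main__":
    for name, why in duplex_findings(SAMPLE_SHOW_INTERFACES).items():
        print(name, "->", why)
```

CRC errors alone can also come from bad cabling or optics, so treat the full-duplex finding as a prompt to check the peer's duplex setting (and the cable) rather than as proof; late collisions, by contrast, are a definitive sign.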
Which configuration is not required in switch? ›Basic switches are entirely self-learning (bridges), they don't need any configuration. Managed switches should be configured to require a password for all management interfaces (SSH, telnet, web, SNMP, ...).
What is line vty 0 4 configuration? ›VTY is a virtual port and used to get Telnet or SSH access to the device. VTY is solely used for inbound connections to the device. These connections are all virtual with no hardware associated with them. The abstract “0 – 4” means that the device can allow 5 simultaneous virtual connections which may be Telnet or SSH.
Do you have to configure a managed switch? ›A managed switch (pretty much) defaults to the behavior of an unmanaged switch, so if you don't configure anything there won't be much of a difference (some managed switches default to activated spanning-tree protocol, for instance).
What are the different types of interfaces in Cisco Packet Tracer? ›Keyword | Interface Type |
---|---|
serial | Serial interface. |
switch | Switch interface |
tokenring | Token Ring interface. |
tunnel | Tunnel interface; a virtual interface. The number is the number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create. |
Allow: permits the traffic, which may still be subject to further inspection, such as the intrusion and file policies attached to the rule. Trust: sends the traffic straight to the egress interface without any further intrusion or file inspection, so reserve it for traffic you genuinely trust (for example backup or management flows) rather than using it as a performance shortcut.
What is the security level of FTD interface? ›On FTD all interfaces have a security level of 0 and you cannot change it. This differs from an ASA, where the implicit permit from a higher to a lower security level lets traffic through without an explicit rule; on FTD every flow between interfaces must be permitted by the access control policy. Interface names are still required, and all interface names must be unique.
What is the speed of firepower 2130 interface? ›The figures usually quoted are firewall throughput, not interface speed: the Firepower 2110 and 2120 models offer 1.9 and 3 Gbps of firewall throughput, respectively, and the Firepower 2130 and 2140 models 5 and 8.5 Gbps (Cisco datasheet numbers, which depend on the traffic profile and the features enabled). All provide increased port density, with up to sixteen (16) 1 Gbps ports in a 1 rack unit (RU) form factor. The speed of an individual interface is negotiated or set per interface and is independent of the throughput rating.
What are the 3 types of interfaces? ›Types of user interfaces:
- graphical user interface (GUI)
- command line interface (CLI)
- menu-driven user interface
What are the 5 interfaces? ›
- command line interface (CLI)
- graphical user interface (GUI)
- menu-driven interface
- form-based interface
- natural-language interface
As @balaji.bandi noted, there is no such thing as a multi-context FTD device. Multi-instance is separate logical firewalls running on a single physical appliance. Each is managed and operated completely separately from the other.
Is Firepower IPS or IDS? ›Either, depending on how it is deployed. In an inline deployment (routed, transparent or an inline set) the appliance sits in the traffic path and can drop packets that match intrusion rules set to drop, which makes it an IPS, able to detect threats and take action on them. On a passive interface (SPAN or tap) it only sees a copy of the traffic and can alert but not block, so it acts as an IDS.
What port does firepower use? ›Firepower appliances communicate using a two-way, SSL-encrypted communication channel on port 8305/tcp.
What is the maximum throughput of Cisco Firepower? ›It depends on the model. The Firepower 4100 series ranges from 35 to 75 Gbps of firewall throughput, addressing data center use cases, and the Firepower 9300 chassis goes higher still. These are datasheet figures; real throughput drops as intrusion inspection, file inspection and TLS decryption are enabled.