The recently released Cisco Press title “Cisco Firepower Threat Defense (FTD)” by Najmul Rajib is a treat to read, as it addresses most of the new concepts and the new approach one has to adopt to get the most out of Cisco’s Firepower technology.
Courtesy: Cisco Press
This title comes with 22 chapters divided into four parts and follows the standard Cisco Press format of a chapter summary followed by a quiz:
• Part I Troubleshooting and Administration of Hardware Platform
• Part II Troubleshooting and Administration of Initial Deployment
• Part III Troubleshooting and Administration of Traffic Control
• Part IV Troubleshooting and Administration of Next-Generation Security Features
The evolution of Firepower is a good starting point for this title: it covers the concepts of Defense Center, FireSIGHT System and Firepower System concisely, and gives a good understanding of the Firepower System software components.
The ASA reimaging chapter is quite thorough and gives all the steps one should follow to reimage an ASA with the unified FTD image, with helpful screenshots of each step. Readers who want to re-image their ASA firewall with the unified FTD image can also see my post published in April 2017.
Part II of this title addresses the administration and troubleshooting steps, the licensing and registration process, and then the Firepower deployment modes.
Part III focuses on the troubleshooting and administration of traffic: how one can capture traffic from the Firepower engine, how to download the capture as a .pcap file, and how to inspect SSL traffic, though this section could have been more detailed on the ways SSL interception can fail.
Part IV concludes this title with advanced troubleshooting and administration tips for Cisco’s next-generation security features, such as blocking a DNS query, URL filtering, and discovering and blocking traffic based on applications.
One can certainly use this title to improve their knowledge of Cisco next-generation firewalls, as it comes with best practices for each topic; two that caught our attention were the deployment of FTD in routed mode and blocking DNS queries. This title is also a handy guide for CCNA Security, CCNP Security and CCIE Security exam preparation.
Had the VPN capabilities of FTD been discussed it would have added more value, as VPN is a key feature of any next-generation firewall.
To conclude, it is a well-written title by Najmul Rajib which helps one understand what FTD is and how to start working with FXOS, as it comes with good examples and best practices.
Cisco runs a program known as Cisco Champions, which runs purely on nominations: one can either nominate oneself or someone they see as an expert in Cisco products and technologies. Cisco expects potential Cisco Champions to actively share their knowledge, expertise and thoughts in technical forums, communities, user groups, social media and speaking engagements across the social web, in real life and with Cisco.
Image Courtesy: Cisco Blog
The Cisco Champion program is open to all individuals who are 18 years of age or older, are not government officials or Cisco employees, and have the following qualities:
- Is active on social media
- Expresses balanced view of Cisco
- Has Cisco-related expertise
- Has overall expertise in IT industry
- Chooses to actively participate in conversations relevant to Cisco and the IT industry
Being a Cisco Champion for 2017, I certainly recommend that one nominate themselves or others for this program. The Cisco Champions program is quite beneficial: one can peer with fellow Cisco Champions, learn from subject matter experts and share their own knowledge as well.
The last day to register for this program is November 24th, 2017.
What is “TCP Spurious Retransmission”? And why does this occur for FTP traffic passing through a Cisco ASA firewall?
Recently we came across an issue where an FTP connection could not be established between a client and an FTP server. The connection was passing through a Cisco ASA firewall. On troubleshooting, we found that the three-way TCP handshake was completing; however, once the login name and password were entered to access the FTP directory, nothing was accessible and no errors were reported in the FileZilla client.
Figure 1.2- Packets captured in pcap format in Cisco ASA Firewalls
Capturing packets at the Cisco ASA showed that after the three-way handshake the FTP session started and the client was prompted for its credentials, as visible in the capture. However, after the credentials were entered, the capture showed the client retransmitting, and the retransmissions were flagged as TCP Spurious Retransmissions.
Before getting into the solution and the reason this was happening, it is worth understanding what a “TCP Spurious Retransmission” is.
As shown in the TCP flow above, the receiver’s ACK did not reach the sender in time. Because the ACK failed to arrive before the sender’s retransmission timer (RTO) expired, the sender retransmitted data that the receiver had already acknowledged. Wireshark labels a retransmission of data that has already been covered by an ACK seen at the capture point a “TCP Spurious Retransmission”; a retransmission of data that was never acknowledged is a plain “TCP Retransmission”.
Figure 1.2- TCP Spurious Retransmission data flow
In our case, the Cisco ASA was configured to inspect FTP in strict mode:
inspect ftp strict FTP-Map
The problem with the strict option in our case was that the client’s FTP session did not conform to what strict inspection enforces. Strict mode increases the security of the protected network by preventing web browsers from sending embedded commands in FTP requests: each FTP command must be acknowledged before a new command is allowed, and a control connection that does not follow that sequence is dropped, which the client experienced as a silent hang after login.
Simply inspecting FTP traffic in normal (non-strict) mode resolved the issue; we used the following Cisco ASA commands,
FTP is hard to troubleshoot, as the logs collected do not show the details of the failure. One has to capture the packets on the firewall and download the capture in pcap format for further analysis; on the ASA, a capture of type asp-drop additionally shows which packets the firewall itself discarded, which distinguishes a drop by inspection from a loss elsewhere on the path.
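To make the label concrete, here is an added example (not code from the original post) that applies the same test Wireshark’s expert info uses: a data segment that repeats bytes already seen in the capture is a retransmission, and if the capture point has already seen the receiver acknowledge those bytes it is a spurious retransmission. The FTP control exchange, addresses and sequence numbers are constructed for the example. The verdict depends on where the capture was taken: an ASA interface capture that shows the server’s ACK but still sees the client retransmitting tells you the ACK reached the firewall but not the client.

```python
"""Label TCP retransmissions the way Wireshark's expert info does.

Added example, not from the original post. Addresses and the FTP exchange
below are constructed; relative sequence numbers, handshake omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str      # sender "ip:port"
    dst: str      # receiver "ip:port"
    seq: int      # relative sequence number
    ack: int      # relative acknowledgement number
    length: int   # payload bytes; 0 for a pure ACK


Flow = Tuple[str, str]


def classify_retransmissions(segments: List[Segment]) -> List[Tuple[int, str]]:
    """Return (index, label) for every retransmitted data segment.

    next_seq[flow]    : highest seq+len already seen flowing src->dst
    highest_ack[flow] : highest ACK the receiver of that flow has sent back

    A data segment whose seq is below next_seq repeats bytes the capture point
    has already seen. If its last byte is at or below highest_ack, the receiver
    had already acknowledged it, so the sender's RTO fired for data that did
    not need resending: a "TCP Spurious Retransmission". If the bytes were
    never acknowledged, it is a plain "TCP Retransmission".
    """
    next_seq: Dict[Flow, int] = {}
    highest_ack: Dict[Flow, int] = {}
    verdicts: List[Tuple[int, str]] = []
    for i, s in enumerate(segments):
        fwd: Flow = (s.src, s.dst)
        rev: Flow = (s.dst, s.src)
        # The ACK field in this segment acknowledges the reverse flow's data.
        highest_ack[rev] = max(highest_ack.get(rev, 0), s.ack)
        if s.length == 0:
            continue
        end = s.seq + s.length
        expected = next_seq.get(fwd, s.seq)
        if s.seq < expected:
            if end <= highest_ack.get(fwd, 0):
                verdicts.append((i, "TCP Spurious Retransmission"))
            else:
                verdicts.append((i, "TCP Retransmission"))
        next_seq[fwd] = max(expected, end)
    return verdicts


CLIENT = "10.0.100.2:50000"       # constructed
SERVER = "192.168.120.100:21"     # constructed


def sample_ftp_capture() -> List[Segment]:
    """Constructed FTP control exchange as a capture point in the middle sees it."""
    return [
        Segment(SERVER, CLIENT, seq=1,  ack=1,  length=20),  # 0: 220 banner
        Segment(CLIENT, SERVER, seq=1,  ack=21, length=0),   # 1: ACK
        Segment(CLIENT, SERVER, seq=1,  ack=21, length=10),  # 2: USER bob
        Segment(SERVER, CLIENT, seq=21, ack=11, length=14),  # 3: 331 Password
        Segment(CLIENT, SERVER, seq=11, ack=35, length=8),   # 4: PASS ****
        Segment(SERVER, CLIENT, seq=35, ack=19, length=0),   # 5: ACK for PASS seen here
        Segment(CLIENT, SERVER, seq=11, ack=35, length=8),   # 6: PASS again: ACK never reached client
        Segment(CLIENT, SERVER, seq=11, ack=35, length=8),   # 7: PASS again
        Segment(SERVER, CLIENT, seq=35, ack=19, length=12),  # 8: 230 Login OK
        Segment(SERVER, CLIENT, seq=35, ack=19, length=12),  # 9: 230 resent, never ACKed
    ]


if __name__ == "__main__":
    for index, label in classify_retransmissions(sample_ftp_capture()):
        print(f"segment {index}: {label}")
```

Segments 6 and 7 are spurious because the capture already contains the server’s ACK for them (segment 5); segment 9 is an ordinary retransmission because no ACK for the 230 reply was ever seen.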
Becoming a CCIE/CCDE is itself a huge step, and it is an informed decision one needs to take, as maintaining a CCIE/CCDE is not an easy task. Every two years one needs to recertify by passing any CCIE or CCDE written exam or a CCIE/CCDE lab exam. Apart from extensive preparation, one also has to bear the exam costs, as Cisco CCIE written exams are not easy to pass and cost a good amount of money.
The recent CCDE practical lab exam cancellation has raised questions about the reputation of Cisco’s expert-level exams. These days it is often observed that people with no experience in the networking domain hold CCIE/CCDE certifications, whereas it used to take a decade of hard-earned experience to plan the CCIE journey.
With the announcement of the Cisco Continuing Education Program, Cisco has added a new twist to the recertification process for its expert-level certifications. Cisco believes the principles of Flexibility, Diversity and Integrity will be the driving force of this program.
According to the Cisco CLN post:
“Flexibility is achieved by offering existing Cisco certified individuals an alternative option for recertification, in addition to the already existing option of recertifying by passing the relevant exam(s). Diversity is achieved by allowing individuals a wide range of preapproved items, such as online courses, instructor-led training, authoring of content, and Cisco Live training offerings (collectively called “Continuing Education items”), which can be pursued to earn credits toward recertification. Integrity is achieved by having Cisco authorized content providers, who deliver the content to the individual seeking recertification, validate the credits submitted by that individual.”
The Continuing Education Program is governed by the Cisco Continuing Education Advisory Board. Candidates who choose to recertify through the Continuing Education Program will be required to earn a certain number of credits by completing the required Continuing Education item(s) as delivered by a content provider and paying the Continuing Education administrative fee before their current certification becomes inactive.
Once candidates have earned the designated number of credits and paid their Continuing Education administrative fee, they will be recertified as per the existing recertification policies.
The Cisco Continuing Education Program is valid only for people who hold a Cisco expert-level certification such as CCIE or CCDE in active or suspended status. Those who hold Emeritus status are also eligible, with a few exceptions:
- Candidates in Emeritus status who are required to pass both a written exam and a lab to become active again
- Candidates who achieved Emeritus status by earning Business Transformation Certifications as described on the CCIE website
To recertify Cisco expert-level certifications such as CCIE and CCDE, one must complete the following three steps:
- Agree to the Terms and Conditions associated with the Continuing Education Program as part of the enrollment process
- Earn the required 100 credits by completing any of the preapproved Continuing Education offerings
- Pay the Continuing Education administrative fee
One can enroll by visiting the Continuing Education Program portal with their CCO login details and agreeing to the terms and conditions. Once logged in, the portal shows the status of their certifications and when they expire.
Cisco provides multiple options to earn credits. One way is to attend Cisco Live training sessions, from which one can earn a maximum of 70 of the required 100 credits. The table below gives a brief idea of how credits are earned for different session types.
| Session Type | Level | Credits per Session |
| --- | --- | --- |
| Technical Breakout | 1000 Level | 1 |
| 4-Hour Technical Seminar | 1000 Level | 3 |
| 8-Hour Technical Seminar | 1000 Level | 6 |
| 4-Hour Instructor-Led Lab | 1000 Level | 3 |
| 8-Hour Instructor-Led Lab | 1000 Level | 6 |
Cisco charges a US$300 administrative fee to recertify a CCIE or CCDE through the Continuing Education Program. Cisco has listed all the rules and criteria on the Continuing Education Program portal, and it is recommended to read them in detail. Some of the rules governing the Continuing Education Program are as follows:
- For Expert-level certifications, new recertification dates will be issued as per existing Cisco CCIE policies and procedures; therefore, there may be a time lag between completion of requirements and issuing of the recertification date.
- Credits, once earned, will be valid for three years from the date they were earned, as long as they do not meet either of the criteria described here:
- Credits will expire if a new recertification cycle starts, either by passing an exam or recertifying some other credential.
- Credits will expire if your certification becomes inactive before completing the Continuing Education requirements.
- Credits earned for a given course can only be counted once within the recertification cycle. Repeating the same course will not count towards recertification credits.
- Credits, once used, cannot be reused for any other certification track or level.
- Credits must be used (1) before they expire, or (2) during the certification cycle in which they were earned, whichever occurs earlier.
- Students who are approved to use printed student kits per the exception process can still log into the digital kit using the credentials provided in order to register within the digital kit platform that is linked to the Continuing Education database.
One can view the full catalog of Continuing Education offerings approved by the Cisco Continuing Education Advisory Board by logging on to the Continuing Education Program portal. One can also access the complete program catalog by visiting this link.
Cisco has taken some concrete steps to maintain the credibility, integrity and diversity of its expert-level exams. However, the question that arises is whether it is worth spending this amount of money and time on recertification.
The brighter side of this program is that it offers many options to recertify Cisco expert-level certifications. Personally, I am convinced to adopt the new path, as I am free to choose the path and technologies with which to earn the credits required to recertify my CCIE.
After I passed the F5 201 – TMOS Administration exam, some professional friends were keen to know how to build an F5 practice lab on their personal machines.
In this post we walk through, step by step, how to build a virtual lab for the F5 201 – TMOS Administration exam on macOS Sierra.
We will use the following topology to build the F5 virtual lab so that one can practice for the 201 – TMOS Administration exam. Before starting, ensure VMware Fusion is installed on macOS Sierra.
Fig 1 – F5 BIG-IP LTM Topology
We will use four VMware networks for this lab. Fusion creates its default vmnet networks automatically, so we need to create three more custom networks.
The IP address mapping and function of each VMware network will be as follows:
Step 1: Launch VMware Fusion and open Preferences.
Step 2: Click the Network icon and click the lock icon to make changes.
Step 3: Click the + icon to add a custom network named vmnet2 and assign Subnet IP 172.16.1.0 and Subnet Mask 255.255.255.0. This will be the internal network. Also ensure the following checkboxes are selected:
- Connect the host Mac to this network
- Provide addresses on this network via DHCP
Step 4: Click the + icon to add a custom network named vmnet3 and assign Subnet IP 172.16.2.0 and Subnet Mask 255.255.255.0. This will be the HA network. Also ensure the following checkboxes are selected:
- Connect the host Mac to this network
- Provide addresses on this network via DHCP
Step 5: Click the + icon to add a custom network named vmnet4 and assign Subnet IP 10.1.0.0 and Subnet Mask 255.255.255.0. This will be the management network. Also ensure the following checkboxes are selected:
- Connect the host Mac to this network
- Provide addresses on this network via DHCP
Step 6: Log in to the F5 website and request a free trial of BIG-IP Virtual Edition.
Step 7: Once the email with the BIG-IP registration key arrives, download the BIG-IP VE VMware image. Since the F5 201 – TMOS Administration exam is based on TMOS version 11.4, we download BIG-IP v11.4 Virtual Edition for our lab. Download the OVA file for VMware ESX/i Server v4.1-5.1, as it is compatible with VMware Fusion.
Step 8: Import the OVA into VMware Fusion: navigate to the folder where the BIG-IP VE image was downloaded, select the BIGIP-188.8.131.524.0-scsi.ova image file and click Open, click Continue to import the image, then accept the license agreement.
Step 9: Once the import completes, click Finish and then Customize Settings to configure the network settings; if needed one can also customize the memory, CPU and hard disk settings.
Step 10: Customize the network adapter settings to match the topology you are using. In our case:
Step 10-a: Map Network Adapter to vmnet4, as this will be the management interface of the BIG-IP virtual appliance.
Step 10-b: Map Network Adapter 2 to the bridged networking interface (in our case Network Adapter 2 is bridged to the Wi-Fi adapter, which is connected to the external network 192.168.1.0/24).
Step 10-c: Map Network Adapter 3 to vmnet2, as this will be the internal interface of the BIG-IP virtual appliance.
Step 10-d: Map Network Adapter 4 to vmnet3, as this will be the HA interface of the BIG-IP virtual appliance.
By following the above steps one can build an F5 BIG-IP LTM lab on a laptop using VMware Fusion. In an upcoming post we will see how to do the initial configuration of the F5 BIG-IP Virtual Edition so that the F5 201 – TMOS Administration exam labs can be run on a laptop.
To become an F5 Certified BIG-IP Administrator, one must pass two exams:
- Exam 101 – Application Delivery Fundamentals
- Exam 201 – TMOS Administration
Upon passing Exam 101 – Application Delivery Fundamentals, one becomes eligible to take Exam 201 – TMOS Administration, provided one sits Exam 201 within two years. Unless one passes both exams, one cannot expect any certificate from F5. Upon passing Exam 201, F5 issues the F5 Certified BIG-IP Administrator certificate, which can be downloaded from the F5 certification portal.
Recently I passed the F5 BIG-IP 201 exam and am now an F5 Certified BIG-IP Administrator. F5 exams are quite challenging but at the same time straightforward. With good hands-on experience with the BIG-IP appliance and by reading the recommended resources provided by F5, one can ace this exam.
When preparing for any certification exam, the main thing one looks for is the right resources. For the F5 BIG-IP 201 exam there are few, but quite good, resources available, and by using them one can certainly ace the exam. There is no single dedicated book for this exam, but the resources available in the form of study guides, video courses and practice labs are more than enough for F5 BIG-IP 201 exam preparation.
First, one should have the right determination and a clear vision to ace this exam, as it needs a good amount of dedication and time. The main resources one depends on for this exam are available from F5: F5 offers the study guide 201 – TMOS Administration v2 for free, which anyone can download from their portal.
This study guide is brief in nature and covers all the topics in the blueprint of the F5 BIG-IP 201 exam. The great thing about this guide is that it comes with lots of hyperlinks for the various topics covered; one should pay good attention to those hyperlinks, read them and practice them.
The second great resource is F5 University; the recommended training courses are:
- Getting Started with F5 products
- LTM Essentials
These videos are quite helpful for understanding the concepts and F5 terminology; the courses are presented simply and are rich in information. The content of these videos and the quiz presented after each module are informative and relevant from an exam perspective.
Third, the F5 training labs, which are free, come with great workbooks, and one can get good hands-on experience with F5 BIG-IP appliances; the labs are so good that one can really master how to administer the BIG-IP LTM module.
Apart from using the F5 training labs, I built a virtual lab on my MacBook using the F5 BIG-IP Virtual Appliance with a 90-day trial license.
The great thing about F5 is that the free resources they provide are more than enough to nail the F5 exams; however, one needs to pay attention to the minute details, such as TMSH command usage, the events generated by the BIG-IP appliance, LED status and so on.
Certain software versions of Cisco ASA and Firepower appliances stop passing traffic after 213 days
Cisco released a field notice and published a blog post about the latest bug found in Cisco ASA and certain versions of Firepower appliances. According to Cisco, bug CSCvd78303 is not a vulnerability but a “functional software defect”.
The impact of this bug is very disruptive: the device stops passing network traffic after approximately 213 days and 12 hours (~5,124 hours) of uptime, which can have a huge impact on a production network and bring down services.
The affected device stops receiving and responding to ARP packets. This affects not only transit traffic but also SSH, HTTPS and Telnet to the device, which are mainly used for its administration. Console access is not affected.
The affected versions of ASA and FTD are as follows:
ASA version 9.1 releases 9.1(7)8 and higher
ASA version 9.2 releases 9.2(4)15 and higher
ASA version 9.4 releases 9.4(3)5 and higher including 9.4(4)
ASA version 9.5 releases 9.5(3) and higher
ASA version 9.6 releases 9.6(2)1 and higher including 9.6(3)
ASA version 9.7 releases 9.7(1) and higher
FTD version 6.1 releases 184.108.40.206 and higher
FTD version 6.2 releases 6.2.0 and higher
One way to prevent the issue is to reboot the device; however, a reboot does not fix the issue permanently, and it recurs after approximately 213 days and 12 hours. Scheduling a reload before the uptime threshold (the ASA reload command accepts an at or in time) keeps a device inside the safe window until a fixed release is installed.
Officially Cisco is yet to provide a fix, and it is not yet clear which ASA or FTD versions will fix this bug.
However, upon opening a TAC case, we were told the bug has been fixed in ASA versions 9.4(4.5), 9.7(1.4), 9.6(3.1) and 9.5(3.8). One cannot take this as an official answer; it is what Cisco TAC recommended to us.
One has to keep a close eye on what Cisco recommends for this issue; the best approach is to open a TAC case with Cisco and seek their opinion.
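As an added example (not from the post or from Cisco), the following Python turns the version list above and the uptime line of show version into a per-device check, so one can find units that are both on an affected build and close to the ~5,124-hour threshold before scheduling reloads. The version floors are copied from the list above, the “fixed” set is the unofficial TAC answer quoted above, and the show version text is a constructed sample; FTD builds are not covered.

```python
"""Check an ASA's 'show version' output against the CSCvd78303 exposure window.

Added example, not from the post or from Cisco. The per-train floors are the
post's list, TAC_FIXED is the unofficial TAC answer quoted in the post, and
SAMPLE_SHOW_VERSION is constructed.
"""
import re
from typing import Dict, Optional, Tuple

OUTAGE_HOURS = 213 * 24 + 12  # device stops forwarding at ~5,124 hours of uptime

# First affected build in each release train: (major, minor) -> (maintenance, interim)
AFFECTED_FROM: Dict[Tuple[int, int], Tuple[int, int]] = {
    (9, 1): (7, 8),   # 9.1(7)8 and higher
    (9, 2): (4, 15),  # 9.2(4)15 and higher
    (9, 4): (3, 5),   # 9.4(3)5 and higher, including 9.4(4)
    (9, 5): (3, 0),   # 9.5(3) and higher
    (9, 6): (2, 1),   # 9.6(2)1 and higher, including 9.6(3)
    (9, 7): (1, 0),   # 9.7(1) and higher
}

# Builds Cisco TAC named to the author as fixed. Unofficial; confirm on the bug page.
TAC_FIXED = {"9.4(4.5)", "9.5(3.8)", "9.6(3.1)", "9.7(1.4)"}

# Accepts both "9.4(3)5" and the interim notation "9.4(4.5)".
_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?$")
_VERSION_LINE = re.compile(r"Software Version (\S+)")
# "ciscoasa up 200 days 3 hours" or "ciscoasa up 5 hours 12 mins"
_UPTIME_LINE = re.compile(
    r"^\S+\s+up\s+(?:(\d+)\s+days?)?\s*(?:(\d+)\s+hours?)?\s*(?:(\d+)\s+mins?)?",
    re.MULTILINE,
)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'9.4(3)5' -> (9, 4, 3, 5); '9.4(4.5)' -> (9, 4, 4, 5); '9.5(3)' -> (9, 5, 3, 0)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {version!r}")
    major, minor, maint, interim_dot, interim_suffix = m.groups()
    return int(major), int(minor), int(maint), int(interim_dot or interim_suffix or 0)


def version_status(version: str) -> str:
    """'fixed-per-tac', 'affected', 'not-affected' (older build in a listed train) or 'not-listed'."""
    if version.strip() in TAC_FIXED:
        return "fixed-per-tac"
    major, minor, maint, interim = parse_version(version)
    floor = AFFECTED_FROM.get((major, minor))
    if floor is None:
        return "not-listed"
    return "affected" if (maint, interim) >= floor else "not-affected"


def uptime_hours(show_version: str) -> Optional[int]:
    """Whole hours of uptime from the 'hostname up ...' line, or None if absent."""
    m = _UPTIME_LINE.search(show_version)
    if not m:
        return None
    days, hours, _mins = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours


def assess(show_version: str, warn_within_hours: int = 7 * 24) -> Dict[str, object]:
    """Combine version and uptime into one verdict for a single device."""
    m = _VERSION_LINE.search(show_version)
    if not m:
        raise ValueError("no 'Software Version' line in show version output")
    version = m.group(1)
    status = version_status(version)
    up = uptime_hours(show_version)
    remaining = None if up is None else OUTAGE_HOURS - up
    return {
        "version": version,
        "status": status,
        "uptime_hours": up,
        "hours_to_outage": remaining,
        # Only an affected build that is near (or past) the threshold needs a scheduled reload.
        "schedule_reload": status == "affected" and remaining is not None and remaining <= warn_within_hours,
    }


SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.4(3)8
Device Manager Version 7.6(2)

ciscoasa up 200 days 3 hours
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION))
```

Run it over the show version output of every ASA in inventory and sort by hours_to_outage; devices whose status is “not-listed” or “fixed-per-tac” still deserve a look at the bug page, since the table above is the post’s snapshot and not Cisco’s live list.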
The SANS Institute conducts a survey every year among its community for nominations for the SANS “Best of the Year” awards, for products and services that have successfully increased both the effectiveness and efficiency of cybersecurity programs. The SANS “Best of” awards program was created to raise awareness of the solutions organisations are using to successfully fend off attacks.
The good thing about these awards is that they are not driven by vendors but by the people who actually use those products, solutions or services.
One of the categories in which SANS surveys its community is “Next Generation Firewall”, and in this category the Palo Alto Networks Next-Generation Firewall won the award for 2016. The direction Palo Alto Networks has taken with its platform has made it a leader in the next-generation firewall category. The flexibility and features offered by Palo Alto Networks on a single platform certainly make operational life easier for security engineers, which we believe is why most end users chose Palo Alto Networks as their preferred next-generation firewall in the SANS survey.
Some of the key reasons behind this award are as follows:
- Focus on preventing cyberattacks
- Delivering Innovative features
- Protection delivered everywhere.
With this kind of focus one could anticipate that Palo Alto Networks will lead from the front in the next-generation firewall segment for at least the next 3 to 4 years.
Recently we observed a strange issue while building a site-to-site VPN tunnel between a Cisco ASA (9.1(5)) and a Palo Alto Networks next-generation firewall (PAN-OS 7.0.9). Phase 1 of the tunnel always established successfully with the peer; however, phase 2 failed to come up.
We always saw issues with encapsulation: the packets sent were never encapsulated, whereas the packets received from the remote peer were decapsulated, which means the ASA was not encrypting outbound data. The show crypto ipsec sa counters below demonstrate the problem:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 74
We did thorough troubleshooting and ensured the following at both ends:
- Both firewalls have an appropriate route for the interesting traffic / proxy ID
- The ACLs / policies match
- NAT is configured properly, as we were using source-based NAT at both ends
- Proper debugging was done at both ends
- Both vendors were involved to see what the issue was
After thorough troubleshooting it was discovered that the ASA was hitting bug CSCuo58411.
This bug creates duplicate entries in the tunnel manager, as one can see from the logs below:
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
The workaround that fixed the issue for us was to upgrade the ASA from 9.1(5) to 9.5(3)6. The other recommended workaround for this issue is:
Issue “debug menu ike-common 10” to remove the stale IKEv2 entries (this deletes all current IKEv2 connections, so run it in a maintenance window).
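The counters and debug lines above can be read mechanically. The following added example (not from the post or from Cisco) parses a show crypto ipsec sa counter block, flags the one-way pattern seen here (decaps counting up while encaps stays at zero, and decaps without decrypt) and counts the tunnel-manager duplicate messages from the IKE debug. The inputs are the outputs shown above; the wording of the findings is the example’s own.

```python
"""Diagnose a one-way ASA IPsec SA from 'show crypto ipsec sa' counters and IKE debug text.

Added example, not part of the post. The counter block and debug lines are the
ones shown in the post; the findings' wording is this example's own.
"""
import re
from typing import Dict, List

_COUNTER = re.compile(r"#([^:#]+?):\s*(\d+)")
_DUPLICATE = re.compile(r"Duplicate entry already in Tunnel Manager")


def parse_sa_counters(text: str) -> Dict[str, int]:
    """Turn '#pkts encaps: 0, #pkts encrypt: 0' style lines into {'pkts encaps': 0, ...}."""
    return {name.strip().lower(): int(value) for name, value in _COUNTER.findall(text)}


def diagnose_sa(counters: Dict[str, int]) -> List[str]:
    """Findings derived from the encaps/decaps/encrypt/decrypt counters of one SA."""
    encaps = counters.get("pkts encaps", 0)
    encrypt = counters.get("pkts encrypt", 0)
    decaps = counters.get("pkts decaps", 0)
    decrypt = counters.get("pkts decrypt", 0)
    recv_errors = counters.get("recv errors", 0)
    findings: List[str] = []
    if encaps == 0 and decaps > 0:
        findings.append(
            "one-way SA: the peer is sending but this side never encapsulates; "
            "verify the interesting traffic matches the crypto ACL, routes out the "
            "crypto-mapped interface and is exempt from NAT")
    if decaps > 0 and decrypt == 0:
        findings.append(
            f"{decaps} packets decapsulated but none decrypted "
            f"({recv_errors} recv errors): the inbound SA is not usable either")
    if encaps > 0 and encrypt == 0:
        findings.append(f"{encaps} packets encapsulated but none encrypted: outbound SA is broken")
    return findings


def count_duplicate_tunnel_entries(debug_text: str) -> int:
    """Number of 'Duplicate entry already in Tunnel Manager' messages in the IKE debug."""
    return len(_DUPLICATE.findall(debug_text))


def diagnose(sa_text: str, debug_text: str = "") -> List[str]:
    """Counter findings plus the tunnel-manager symptom from the debug output."""
    findings = diagnose_sa(parse_sa_counters(sa_text))
    dups = count_duplicate_tunnel_entries(debug_text)
    if dups:
        findings.append(
            f"{dups} 'Duplicate entry already in Tunnel Manager' messages: stale IKEv2 "
            "tunnel-manager entries, the symptom of CSCuo58411; clear them or upgrade")
    return findings


# Counter block from the post.
SAMPLE_SA_COUNTERS = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 74
"""

# IKE debug lines from the post.
SAMPLE_IKE_DEBUG = """\
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SA_COUNTERS, SAMPLE_IKE_DEBUG):
        print("-", finding)
```

The encaps-zero check is what separates this case from an ordinary phase 2 mismatch: with a mismatched proxy ID the ASA would not even show a matched crypto map, whereas here the map matches and the tunnel manager refuses the entry.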
How to re-image Cisco Identity Services Engine (ISE) 2.2 on a Cisco SNS appliance from the Cisco Integrated Management Controller
When re-imaging Cisco Identity Services Engine (ISE) 2.2 on a Cisco SNS appliance, one can use the KVM console that comes with the Cisco Integrated Management Controller (CIMC). Re-imaging a Cisco SNS-3415-K9 appliance can present huge challenges with Java, especially when the appliance is running Cisco IMC firmware version 2.0(1b).
The KVM console fails to open with most Java versions except Java 7 Update 21. Note that Java 7 Update 21 dates from 2013 and no longer receives security fixes, so keep it on a dedicated management host rather than a daily-use workstation.
In this post we will see how one can use the KVM console to re-image Cisco Identity Services Engine (ISE) 2.2 on a Cisco SNS appliance.
Step 1: Download the Cisco ISE 2.2 image from the Cisco website; a valid CCO login with a support contract is required.
Step 2: Connect to CIMC and log in using the CIMC credentials
Step 3 : Launch the KVM console
Step 4 : Select Virtual Media and activate the virtual device
Step 5: Select Virtual Media > Map CD/DVD, select the ISE 2.2 ISO image and click Map Device
Step 6: Select Macros > Static Macros > Ctrl-Alt-Del to reboot the ISE appliance from the mapped ISE 2.2 ISO image
Step 7: Select Macros > Static Macros > Alt-F’s > Alt-F6 to enter the boot menu
Step 8: At the boot prompt, press 1 and Enter in the KVM console to install ISE 2.2
Step 9: Once all the required files are copied, type setup to configure the ISE appliance
By following above steps one could re-image the Cisco Identity Services Engine (ISE) 2.2 on a Cisco SNS appliance.