If you are using code 6.2.x and are trying to create new interfaces on your Cisco FTD device, you may receive this error: “External proxy invoked LwInterfaceAPI updatePolicyEntriesWithDomain method and ran into an unexpected error” That’s quite an error and it just doesn’t really help you troubleshoot at all! I tried rebooting and other…
A large customer with 10Gig interfaces on their Cisco 4100 FTD’s and 4500 FMC found an issue when bringing new FTD devices online. The issue arose because there was so much event data the FMC couldn’t push policy to the FTD devices – even with 10Gig interfaces! One solution for this is to increase the…
Are you running Cisco Firepower Threat Defense (FTD) and having issues when you deploy your Device Platform settings? You are not alone, and no, you are not crazy! The platform settings can make the entire FTD box stop passing ALL traffic, even if it is configured correctly!! Yikes!! Yes, there are some undocumented issues with…
Do you have this Critical Alert on your FMC and you just leave it because you can’t get it to stop? Are you going batty over this like all my other customers? Do you want it to always look like this, except when you actually have a problem? You are not alone! There is help,…
There are differences between a brand new shiny powerful FTD box and what we’re use to with the ASA’s we’ve been installing since 2005. When you installed an ASA there were some default configs that provided security out of the box; just add your IP’s and security levels on your interfaces and you actually had…
In the past when we wanted to move our ASA’s, we just powered them down, moved them, powered them up and readdressed them if needed. No mess no fuss. Yea, not so much with the new FTD’s. After setting up hundreds of 2100 FTD boxes at a Corp office in Canada, we started moving them…
There is a great gem of a command that you can run from the FTD CLI or from the Advanced Troubleshooting tab in the Cisco FTD FMC GUI. The “show access-control-config” provides the configuration of your ACP as well as the hit counter on your SI objects and the ACP rules. A lot of customers…
Trying a very, very large migration with thousands of ACL rules from ASA 5585 to FTD 4150 with multiple failures. It certainly took a while, but after looking at the configuration, the following issue was found as a Cisco bug with VXLAN. Once the VXLAN rules were updated with the 4789 port and suggested ACL,…
I had an interesting issue come up at a customer. That issue was how to set their FTD box back to factory default after configuring it into an FMC and pushing policies. The answer from Cisco is “you cannot do that”. In other words, you have to reinstall the FTD image, which, depending on your…
This is what a TAC engineer had to say after I found FP not working: “In 6.2.2, we have figured out the off-loading feature is not functional. We have around 5 known issue with offloading that are causing the pre-filter to fail. Create trust rules in access control policy for these rules with security intelligence…
Starting in October 2017, Todd Lammle, LLC will be teaching Pure FTD classes! All new labs! Every student get their own 6.2.2 FTD device and 6.2.2 FMC for the entire week! No sharing! *NEW Cisco 6.2.2 FTD Code!* All Firepower policies included: Objects, File/Malware, IPS (SNORT), Security Intelligence (SI), ACP, Identity, DNS w/Sinkholes, Realms, Network…
After upgrading my pods and half my customer to Cisco Firepower/FTD 6.2.2 code, a health alert starting appearing on “a some” of my FMC’s and “some” of my customers, but not all of them. Very odd. Since I didn’t really see a problem, meaning the SI still was dropping bad guys, I kinda ignored it,…
Some great changes in Cisco Firepower and Firepower Threat Defense (FTD) 6.2.2 code just released! Need a Cisco FTD 6.2.2 hands-on class? www.lammle.com/firepower has it now starting 9/25! Remote Access VPN Finally! Here’s what we got: Management—A simple RA VPN wizard provides quick and easy setup of the following: RA VPN policy configurations, including connection profiles, group…
I have a LOT of customers that use the virtual FMC with their Firepower or Firepower Threat Defense (FTD) implementations. Sure, why not, they are very inexpensive! Well, since all IPS analyzed packets going through your devices are transferred to the FMC by default (and you really want this for analysis!), you need to make…
Odd to me that I can’t configure security zones on a Cisco’s new 4100 FTD devices before I create a HA pair. Worked in Indianapolis last week and setup a pair of 4100’s running as FTD….started the HA pairing Friday and Monday it was still going. The customer then found this bug listed on cisco:…
You can find this new book on Amazon: If your WSA is configured to send original client information, you can find this very useful information in the FMC Analysis>Connection Events output, and make rules in your ACP using this information. To find an original source IP address of hosts located inside the FMC connection events…
VERY Interesting web site here…Cisco spent a LOT of time building this page, and then no one can find it…typical…check it out, very cool… What is VERY interesting is what Cisco does NOT SHOW on these pages….no ASA’s 5515-5585’s showing as valid devices. I’ve been saying for a while that FTD is the future, and…
The new #Cisco #FTD boxes such as the 2100/4100/9300 has a built in SSL Chip, but what kind? The #Cisco 2100 has the Cavium Octeon chip, just like some of the ASA’s (5506/08/16), but the 4100/9300 #FTD boxes have the all-so-powerful #Cavium Nitrox chip set for SSL decryption (same as Bluecoat/F5). So, should you just…
I was one week early in at the EOL announcement for the 5585 ASA and received a lot of grief over that! People are cruel my friends…and they were saying the ASA 5585 was years away from EOL…nope! Why? The 2100 is cheaper now, and if you want power, the 4100 is boss! Plus if…
Cisco releases an awesome new Firepower Threat Defense (FTD) 2100 series Edge Device…they are powerful and meant to perform! With the new 4100 series at $500k fully loaded (replacing the 5585 model), and the 9300 a cool $1 million loaded with power, the 2100 series is meant to replace the current mid-range lineup from 5525…
Getting ready to take that big leap and spend the big bucks on your Cisco CCNA, CCNP or CCIE exams? Well, if you didn’t buy your exam vouchers before 2/8/17 then you’re going to be paying more for your Cisco certifications. Cisco, without any notice or hoopla raised their exam prices and didn’t even…
Let’s look at a few of the interesting new features in Firepower 6.2. This release isn’t big on “wow” factor, most of the changes are incremental feature improvements. One of the biggest new capabilities is inter-chassis clustering on the FP9300 and FP4100 series devices. Previously, you could only cluster the three service modules on a…
Okay, sounds like I am going to bash Cisco Firepower/FTD code 6.2… Not so! I now have all my Firepower customers and 36 Firepower training pods all upgraded to 6.2. So why wait? Well if you’re strickly FTD then wouldn’t you want Anyconnect? Seems to be the Bain of all my customers having to run…
Use code “celebratewww.lammle.com!” and get 15% any and all orders for any class or online product in 2017, if you purchase in January!