Todd Lammle, LLC (https://www.lammle.com), Cisco Security Training. Feed generated Fri, 19 Jul 2019 16:42:57 +0000.

Cisco Firepower FMC Quarterly Cleanups. Do this!
Sun, 30 Jun 2019 00:56:16 +0000
https://www.lammle.com/post/cisco-firepower-fmc-quarterly-cleanups-do-this/
When I’m working at a customer site, I try to set up as much scheduled task management as I can by going to System>Tools>Scheduling and using every Add Task option available.

I have to assume that about a week after I leave they will stop logging in and doing the advanced network analysis that I taught them (just like when we sign up for the gym each January), even though it is critical to supporting Cisco Firepower.

However, there is something else that is critical to the support and health of your Cisco Firepower Management Center (FMC): purging old data from the system. I tell people to do this quarterly, but yearly could probably work too, depending on how much data you have.

I am not talking about the purge function found at System>Tools>Data Purge.

That would purge data you actually need, and that data rolls over anyway based on your settings in System>Configuration>Database.

So I have something else that will be useful to show you in this post.

Here is your list of useful cleanups for your FMC

All of these are non-invasive, meaning you don’t need to create a maintenance window for this process

1. Overview>Reporting>Reports

If you schedule reports, which you should be doing, this area fills up rather quickly. For my customers I schedule 15-20 reports a week, so in a quarter that could be around 200 reports, or close to 800 old reports a year stored here. Since these should be sent to and stored in your remote storage area (System>Configuration>Remote Storage Device), they can and should be purged.

2. System>Updates>Product Updates

This area may be the most important, as it fills up quickly, assuming you have a scheduled task that downloads updates automatically, which you should. Even if you choose to download updates manually, it is important to purge this page, because it gets confusing fast with all the various types of updates showing up weekly. Cleaning these out quarterly will help you maintain your updates and your sanity.

3. System>Tools>Backup/Restore

You should be backing up your FMC nightly, and also moving the backups to your remote storage device, since by default the backups are stored only on the FMC. These backups can be 250-300MB or much more. At 365 backups a year, that is a lot of storage for old backups you no longer need, so make sure to clean this area out.

How to Fix a Stuck Cisco Firepower/FTD Deployment
Tue, 25 Jun 2019 15:48:14 +0000
https://www.lammle.com/post/how-to-fix-a-stuck-cisco-firepower-ftd-deployment/
Did you ever deploy on your Cisco Firepower/FTD environment and then see something like this?

First, understand that this does not mean your deployment failed; the task actually completed, but the notification was never cleared for some reason.

Next, we log into the FMC and switch to root.

Now we use the OmniQuery.pl tool to query the database and grep for “\ 7\ ” to find the running tasks. Find the uuid of the task that is running; for simplicity I have just the one task listed.

Then we run a query that deletes that notification, just like so:

Now if we check again the task is gone!

The message will clear out after a 5-minute health check, or you can go to Health>Monitor to clear it if you don’t want to wait.
CREDIT: Original post and command information from Don Robb at the-packet-thrower.com

Best Free & Public DNS Servers (Valid June 2019)
Mon, 24 Jun 2019 18:07:38 +0000
https://www.lammle.com/post/best-free-public-dns-servers-valid-june-2019/
Need to find or figure out the latest and greatest DNS servers?

The best free public DNS servers include Google, Quad9, OpenDNS, Cloudflare, CleanBrowsing, Verisign, Alternate DNS, and AdGuard DNS.

Here is a brand new shiny list of the best public DNS servers:

Cisco Announces New Firepower Threat Defense (FTD) Devices & Modules at Cisco Live!
Wed, 12 Jun 2019 08:02:12 +0000
https://www.lammle.com/post/cisco-announces-new-firepower-threat-defense-ftd-devices-at-cisco-live/
The long-awaited replacement for the 5506 model is finally here. It is called the Firepower 1010 and can now be found on Cisco’s web site. This model has been sorely needed.

There are a few other versions above this model, the 1120 and 1140, probably meant to replace the 5508 and 5516.

Also, Cisco has announced the more powerful 41×5 series of FTD devices. These are needed to provide the capability to run more multi-instances, as well as to run ASA and FTD instances together, which only the 9300s could do starting with 6.4 code.

Based on the data sheet shown above, and found on Cisco’s web site, it does not appear that they are discontinuing the 41×0 series, at least not at this time.

Both new series seem to be missing a 50-type version. We’ll just have to wait and see if those show up eventually, or not.

Lastly, Cisco announced some new powerful SM modules for the 9300, for when you need that 1 Tbps of threat inspection and you have a few million dollars sitting around…totally ordering this for my home office! Gofundme starts in 3, 2, 1…

Serious info here:

https://www.cisco.com/c/en/us/products/collateral/security/firepower-9000-series/datasheet-c78-742476.html

R1.3 of the Cisco ASA to FTD Migration tool is out and it’s a Winner!
Tue, 04 Jun 2019 15:15:03 +0000
https://www.lammle.com/post/r1-3-of-the-cisco-asa-to-ftd-migration-tool-is-out-and-its-a-winner/
Here are some of the new features added to this release:

  • IPv6 support
  • Flexibility to clear CSM Inline grouping
  • Selective Migration for NAT and routes (Do not migrate option)
  • REST API for programmability
  • 6.4 version support
  • Support for new hardware (1000 series)

Version 1.3

  • The Migration Tool allows you to connect to an ASA using the admin credentials and Enable Password as configured on the ASA.

    If the ASA is not configured with an Enable Password, you can leave the field blank in the Migration Tool.

  • You can now configure the batch size limit for Bulk Push in the app_config file as follows:

    • For Objects, the batch size cannot exceed 500. The Migration Tool resets the value to 500 and proceeds with the bulk push.

    • For ACLs, Routes, and NAT, the batch size cannot exceed 1000 each. The Migration Tool resets the value to 1000 and proceeds with the bulk push.

  • The Migration Tool allows you to parse the CSM or ASDM managed configurations.

    When you opt to clear the inline grouping or ASDM managed configurations, the predefined objects are replaced with the actual object or member name.

    If you do not clear the CSM or ASDM managed configurations, the predefined object names will be retained for migration.

  • Provides customer support to download log files, DB, and configuration files during a migration failure. You can also raise a support case with the technical team through an email.

  • Support for migration of IPv6 configurations in Objects, Interfaces, ACL, NAT and Routes.

  • The Migration Tool allows you to map an ASA interface name to a physical interface on the FTD object types—physical interfaces, port channel, and subinterfaces. For example, you can map a port channel in ASA to a physical interface in FMC.

  • The Migration Tool provides support to skip migration of the selected NAT rules and Route interfaces. The previous versions of the Migration Tool provided this option for Access Control rules only.

  • You can download the parsed Access Control, NAT, Network Objects, Port Objects, Interface, and Routes configuration items from the Review and Validate Configuration screen in Excel or CSV format.

Plus everything from v2 of course!

RDP Error 0x609: Cisco Releases New Snort Update 5/24/19; Brings down RDP access with Error 0x609. Here is how to fix this…
Sat, 25 May 2019 18:15:55 +0000
https://www.lammle.com/post/cisco-releases-new-sort-update-5-24-19-brings-down-rdp-access-with-error-0x609-here-is-how-to-fix-this/
A whole bunch of RDP users started losing connections with RDP Error 0x609 when traversing Cisco Firepower Snort, because of an update that was sent out by Cisco Talos.

Here is how to fix this without disabling your entire IPS inspection.

First, here is the update that caused this issue:

Let’s take a look at the rules that caused this issue.

From your FMC, choose Policies>Intrusion.

Open your IPS policy by clicking the pencil on the right-hand side of your IPS policy.

Now go down to Policy Layers>My Changes>Rules and then scroll down the rule accordion to Rule Updates.

Click on the newly installed update and then click on New.

In the Filter Bar, add the letters RDP to the end of the current search and from 7 to 28 rules will show up, depending on your rule set.

Click on the top four rules (SIDs: 50186-50189), then go to Rule State and choose Disable.

Save your Policy and redeploy. This will skip inspection for those four rules, but you will still have inspection for all other enabled rules.

The four rules have content replace keywords in them. I believe they were made to modify the RDP handshake to allow the original rule to actually see the exploit. This was replacing the content in all RDP connections.

Yet Another Awesome Undocumented Hidden Feature in the new Cisco Firepower 6.4 code!
Tue, 21 May 2019 02:54:38 +0000
https://www.lammle.com/post/yet-another-awesome-undocumented-hidden-feature-in-the-new-cisco-firepower-6-4-code/
Okay, so in my last couple of blogs I mentioned some undocumented or hidden “features” in the new code.

Here is a reminder of the two I already mentioned:

1. If you blacklist an IP address, the address is immediately blacklisted and all communication stops. However, in the past, if you wanted to remove the IP address from the blacklist you had to redeploy to make this take effect. Starting in 6.3 code this is no longer true, as there is a silent push of the change to the FTD devices…this is a huge change and very well needed! Crickets from Cisco on this…but thank you, we’ll take it.

2. If you want to see a graph of the IPS events over a time range, including the “would have dropped” packets, go to Dashboards>Intrusion Events>Add Widgets and then choose the Intrusion Events graph again. The new graph found in the widget categories provides the “would have dropped” category, which the default table does not.

If you like graphs, this is really, really helpful when you are fine-tuning your IPS policy, and you can use the Report Designer to create a report template from this graph!

3. Also in 6.4 there is a hidden gem at the bottom of your ACP rules:

Notice you can now choose to see up to 500 rules on a single page instead of just the default of 100! For some of my customers this will be awesome!

4. Finally, there is an awesome yet undocumented new feature at the top of the ACP rules page. Click the gear in the upper right-hand corner above your first rule:

You can now choose the categories you want to see! Wish they had this feature on the Connection Events page too.

Also, crickets from Cisco on this too; I just happened to see it today!

Cheers!

Cisco Firepower FastPath, Blacklist & White list. What does that have to do with the Dreaded Pirate Roberts from Princess Bride?
Fri, 17 May 2019 21:15:01 +0000
https://www.lammle.com/post/cisco-firepower-fastpath-blacklist-white-list-what-does-that-have-to-do-with-the-dreaded-pirate-roberts-from-princess-bride/

The Todd Lammle Cisco Firepower TidBit provides cool features of Cisco Firepower/FTD in just a couple minutes!

Cisco’s Firepower/FTD FastPath, Blacklist & White list. What does that have to do with the Dreaded Pirate Roberts from Princess Bride?

Watch the Tidbit Of the Day (TOD) to find out!

How, Why & When you would use a pass rule in a Cisco Firepower Intrusion policy (IPS)
Fri, 17 May 2019 04:50:24 +0000
https://www.lammle.com/post/how-why-when-you-would-use-a-pass-rule/
This TidBit of the day will provide cool features of Cisco Firepower/FTD in just a couple minutes!

So I received this question from a reader:

What is the best easy way to exempt a host or network from a specific snort signature/rule? I want to prevent traffic from being dropped if the source IP is 10.1.1.10 even if it matches the Rule SID 38678 signature. All else still inspect and drop if the signature matched.

This is a great question, and one I receive a lot. I find that admins, in order to meet this business requirement, use the Suppression filter in the IPS policy. However, that just stops you from getting an alert and still drops all the traffic! You would just never know…This accomplishes nothing! You’d be better off disabling the rule.

Suppressing a rule is just this:

So let’s take a look at the how, why and when you would use a pass rule in a Cisco Firepower Intrusion policy (IPS).


Caution: When an original rule that the pass rule is based on receives a revision, the pass rule is not automatically updated. Therefore, pass rules might be difficult to maintain.

Verify

You should monitor the new events for some time in order to make sure no events are generated for this specific rule for the defined source or destination IP address.
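Two of the posts above come down to reading Snort 2 rule text carefully: the RDP 0x609 post disabled four rules because they carried a content replace keyword, and this post builds a pass rule from an existing SID and warns that the pass rule goes stale when the base rule is revised. The following Python helper is an added example written for this page; it is not code from the posts, from Cisco or from Talos. It parses rule lines, lists the SIDs that use `replace`, builds a pass rule for one source host from a chosen SID, and flags pass rules whose base rule revision has moved. The three sample rules, the `based_on_sid`/`based_on_rev` metadata keys and the local SID 1000001 are constructed stand-ins; the real bodies of SIDs 50186-50189 and 38678 are not reproduced.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rules written for this example. They are stand-ins, not
# the real bodies of Talos SIDs 50186-50189 or 38678.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"CONSTRUCTED RDP handshake rewrite"; flow:to_server,established; content:"|03 00|"; depth:2; replace:"|03 01|"; sid:50186; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"CONSTRUCTED RDP detect only"; flow:to_server,established; content:"|03 00 00|"; depth:3; sid:50190; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED SMB example"; flow:to_server,established; content:"|FF|SMB"; sid:38678; rev:3;)
"""

# Snort 2 rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def split_options(opts: str) -> List[Tuple[str, Optional[str]]]:
    """Split the option body on ';' outside double quotes into (keyword, value)
    pairs; flag-style keywords without ':' get value None. Escaped quotes inside
    content strings are not handled, which is enough for these samples."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    result = []
    for part in parts:
        if part:
            key, sep, val = part.partition(":")
            result.append((key.strip(), val.strip() if sep else None))
    return result


def parse_rules(text: str) -> List[Dict]:
    """Parse one rule per line; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule line: {line}")
        rule = m.groupdict()
        rule["options"] = split_options(rule.pop("opts"))
        lookup = dict(rule["options"])  # last value wins; fine for sid/rev
        rule["sid"] = int(lookup["sid"])
        rule["rev"] = int(lookup.get("rev") or "1")  # a missing rev counts as 1
        rules.append(rule)
    return rules


def rules_with_replace(rules: List[Dict]) -> List[int]:
    """SIDs carrying the 'replace' keyword. These rewrite payload bytes inline,
    so a bad match can break the protocol itself, as with the RDP 0x609 update."""
    return [r["sid"] for r in rules if any(k == "replace" for k, _ in r["options"])]


def find_rule(rules: List[Dict], sid: int) -> Dict:
    for r in rules:
        if r["sid"] == sid:
            return r
    raise KeyError(f"sid {sid} not found")


def format_rule(action, proto, src, sport, dst, dport, options) -> str:
    body = " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in options)
    return f"{action} {proto} {src} {sport} -> {dst} {dport} ({body})"


def make_pass_rule(base: Dict, exempt_src: str, new_sid: int) -> str:
    """Build a pass rule from `base`: same detection options, source narrowed to
    `exempt_src`, a new local SID, rev 1. A constructed metadata tag (our own
    based_on_sid/based_on_rev keys) records the revision it was built from."""
    opts = []
    for k, v in base["options"]:
        if k == "msg":
            opts.append(("msg", f'"PASS {exempt_src} for sid {base["sid"]}"'))
        elif k not in ("sid", "rev", "metadata"):  # base policy metadata is not needed
            opts.append((k, v))
    opts.append(("metadata", f'based_on_sid {base["sid"]}, based_on_rev {base["rev"]}'))
    opts.append(("sid", str(new_sid)))
    opts.append(("rev", "1"))
    return format_rule("pass", base["proto"], exempt_src, base["sport"], base["dst"], base["dport"], opts)


def stale_pass_rules(rules: List[Dict]) -> List[Tuple[int, int, int, int]]:
    """(pass_sid, base_sid, rev_built_from, current_rev) for each pass rule whose
    base rule has been revised since the pass rule was built (the Caution case)."""
    by_sid = {r["sid"]: r for r in rules}
    stale = []
    for r in rules:
        if r["action"] != "pass":
            continue
        meta = {}
        for k, v in r["options"]:
            if k == "metadata" and v:
                for item in v.split(","):
                    mk, _, mv = item.strip().partition(" ")
                    meta[mk] = mv.strip()
        if "based_on_sid" not in meta:
            continue
        base_sid, base_rev = int(meta["based_on_sid"]), int(meta["based_on_rev"])
        cur = by_sid.get(base_sid)
        cur_rev = cur["rev"] if cur else -1
        if cur_rev != base_rev:
            stale.append((r["sid"], base_sid, base_rev, cur_rev))
    return stale


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("rules using replace:", rules_with_replace(rules))
    pass_rule = make_pass_rule(find_rule(rules, 38678), "10.1.1.10", 1000001)
    print(pass_rule)
    # Simulate a later rule update that bumps the base rule to rev 4.
    updated = SAMPLE_RULES.replace("sid:38678; rev:3;", "sid:38678; rev:4;") + pass_rule + "\n"
    print("stale pass rules:", stale_pass_rules(parse_rules(updated)))
```

Run against a real rule export, `rules_with_replace` answers the question the RDP post had to answer by hand (which rules in this update rewrite traffic), and `stale_pass_rules` gives you the verification step for pass rules after every rule update rather than relying on memory. The metadata tag is the one piece of state that makes the staleness check possible; without it there is nothing tying a pass rule to the revision it was copied from.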

New Cisco Firepower Best Practices Book by Alex Tatistcheff, now available!
Thu, 16 May 2019 21:42:10 +0000
https://www.lammle.com/post/new-cisco-firepower-best-practices-book-by-alex-tatistcheff-now-available/