Firepower DNS Policy

To edit a DNS policy:

  1. Select Configuration > ASA FirePOWER Configuration > Policies > DNS Policy.
  2. Edit your DNS policy:
     • Name and Description: to change the name or description, click the field and type the new information.
     • Rules: to add, categorize, enable, disable, or otherwise manage DNS rules, click the Rules tab.

FMC 101v2: A Network Administrator's Perspective. For more information, visit https://www.cisco.com/c/en/us/products/security/firepower-management-center/inde.

Long post is long.

This section will show the creation of a basic set of policies in Firepower Management Center.

It is assumed that you have management of your device through the FMC (See Installing FTD) and a licensed device.

If you don't have a licensed device you can go to System>Licenses and enable a 90-day evaluation license.

This is a very basic set of policies built with the idea of detecting the maximum number of events (with a bigger chance of false positives too) and in an IDS mode (no blocking). In the fine tuning section we will make it block traffic.

The steps to follow in a standard config are:

  1. Configuring the basics on the managed appliance (IP's, DHCP, NAT)
  2. Configure Network Discovery (new!)
  3. Create a Prefilter Policy (new!)
  4. Create an Intrusion Policy
  5. Create a Malware Policy
  6. Create an Access Control Policy
  7. Create an SSL Policy (new!)
  8. Create a DNS Policy (new!)
  9. Apply it to the device

1. Configuring the basics on the managed appliance

And by basics I mean:

  • IP addresses + default route
  • An internal DHCP server
  • NAT

Interface IP addresses:

After adding our device under Devices>Device Management click on it and in the tab Interfaces click on the pencil that will be next to the interfaces you want to configure.

Name the interface, give it an IP address and don't forget to check the ENABLED box.

Default Route:

Next, go to Routing and click on Static Route. Click on add route and in Interface select Outside. For available networks Any:

DHCP:

Go to the DHCP Tab, and with DHCP Server selected on the left:

  • Add a DNS Server
  • Configure the Pool

Don't forget to save when finished.

NAT:

Easy: Go to Devices>NAT and select Threat Defense NAT

Add your device to the Policy and in this example we will configure a simple NAT rule to give us access from Inside to Outside:

Then configure the Translation page.

If you haven't defined the object already you will have to create the InsideNetwork by clicking on the + symbol:

2. Network Discovery

This is an easy one.

Go to Policies>Network Discovery and in the Networks tab click on the pencil.

Then select which networks you intend to inspect (say you don't care about traffic from a certain VLAN: you can exclude it here).

In my config I want to inspect everything.

Don't forget to tick all checkboxes:

3. Prefilter/Tunnel Policy

Policies>Access Control>Prefilter.

In short, Prefilter policies are the new Access Control Lists (ACLs).

These help us send only the traffic where we really need deep packet inspection to the resource-intensive engines.

ACL/Prefilter basic dictionary:

  • block=deny
  • Fastpath=permit
  • Analyze=permit…to go to the next inspection engine.

Other differences are:

  • Prefiltering is applied before Access Control in the traffic flow.
  • Prefiltering gives you less control over how you identify traffic and the actions to perform. In short, it operates at layer 4, same as ACLs.

The configuration is very intuitive as you can see in the interface below.

Also there are Tunnel Rules, which we can apply to our VPN traffic.

Analyze ip any any?

4. Intrusion Policy


Go to Policies>Access Control>Intrusion and click on +Create Policy.

  • Uncheck the 'Drop when Inline' box as we don't want to block any traffic.
  • Choose 'Maximum Detection' Base Policy.
  • Click on Create Policy.

5. Malware & File Policy

Go to Policies>Access Control>Malware&File and click on +New File Policy.

We will add two simple rules:

  1. Log every file that passes through the ASA.
  2. For specific file types, perform an AMP Cloud lookup to check whether the file is malware.

Rule 1:

  • Check all File Type Categories and click on Add. Leave the rest of the settings as they are:


Rule 2:

Create a second rule and change the Action to Malware Cloud Lookup.

Notice that the number of files in each category available to check has changed; this is because some file types cannot be sent to the AMP Cloud.

  • Check all File types and Add them to the list on the right.
  • Check the boxes for Spero Analysis for MSEXE, Dynamic Analysis and Capacity Handling.
  • Store Malware files if you wish 🙂

6. Access Control Policy

This is where you decide from all the policies we configured which are the ones that are actually applied and to which traffic we want to apply them.


Go to Policies>Access Control>Access Control. Create a New Policy:

  • Specify the default action as Network Discovery. As you can imagine, this is the action the ASA will apply to traffic that is not matched by any of the rules in the policy. (There's no sense in using Intrusion Prevention here, since the rules we configure below will match our traffic against the IPS.)
  • Add the device you're configuring to the Selected Devices group.

Now we will create two basic rules:

  1. One to force the FMC to inspect all URLs
  2. One to apply to our traffic the IPS policy and the File policy we created before.

Monitor URLs.

  • Click on Add Rule and give it a name.
  • Change the action to Monitor
  • Click on the URLs tab and add any category to the Selected URLs part.
  • Click on the Logging tab and select Log at the End of Connection. Make sure the Event Viewer tick box is checked.

Apply the Intrusion Prevention Policy and the File Policy

  • Click on Add Rule and give it a name.
  • Change the action to Allow.
  • Click on the Inspection tab:
    • In Intrusion Policy choose the one created.
    • On File Policy choose the one created.
  • Click on the Logging tab and select Log at the End of Connection. Make sure the Event Viewer tick box is checked.
  • Save the config.

7. Create an SSL Policy

This requires a separate section. Check it here.

8. Create a DNS Policy

These allow you to perform actions on DNS traffic.

By default there is a DNS policy that will allow all whitelisted DNS requests and will return Domain Not Found for blacklisted DNS requests.

However, you can add other rules that perform the following actions. First you will need to identify this traffic based on Source Zone, Source Network, VLAN Tag, or whether it is in a certain list or feed you configured in the Objects menu.

Whitelist: Allows traffic to pass and does NOT log the connection. Traffic is still subject to further inspection.

Monitor: Traffic is logged and passed onto the following DNS rule.


Drop: Drops traffic.


Domain Not Found: Returns a non-existent domain response and the query goes unresolved.


Sinkhole: This is the interesting one. First, though, you need to configure a sinkhole object. This action returns the sinkhole IP as the response to the query. That IP can belong to a server that simulates a C&C server, which then lets you analyze what your malware is trying to do.


On top of this, the Sinkhole action logs all these connections so you can easily track malicious behavior (Drop and Domain Not Found do not log traffic).
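To make the rule-order and logging semantics above concrete, here is an added Python model of how an ordered DNS rule set behaves (this is illustration code, not Cisco's implementation or anything from the original post). The rule names, zone names, networks, the sinkhole address 192.0.2.53 and the sample queries are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Which actions produce a connection event, per the post:
# Monitor and Sinkhole log; Whitelist, Drop and Domain Not Found do not.
LOGGED = {"whitelist": False, "monitor": True, "drop": False,
          "domain_not_found": False, "sinkhole": True}


@dataclass
class DnsRule:
    name: str
    action: str
    domains: set                                   # the list/feed the rule uses
    zones: set = field(default_factory=set)        # empty = any source zone
    networks: list = field(default_factory=list)   # empty = any source network

    def matches(self, zone, src, qname):
        if self.zones and zone not in self.zones:
            return False
        if self.networks and not any(src in n for n in self.networks):
            return False
        return qname in self.domains


def evaluate(rules, zone, src_ip, qname, sinkhole_ip="192.0.2.53"):
    """Walk the ordered rules. Monitor logs and keeps evaluating; the first
    other matching rule decides. Unmatched queries simply pass through."""
    src = ipaddress.ip_address(src_ip)
    events = []
    for r in rules:
        if not r.matches(zone, src, qname):
            continue
        if LOGGED[r.action]:
            events.append((r.name, src_ip, qname))
        if r.action == "monitor":
            continue
        answer = sinkhole_ip if r.action == "sinkhole" else None
        return r.action, answer, events
    return "pass", None, events


# Constructed rule set: a monitor rule for the Inside zone, a sinkhole rule
# for a C&C feed scoped to RFC1918 10/8, and a Domain Not Found rule.
RULES = [
    DnsRule("watch-inside", "monitor", {"bad.example"}, zones={"Inside"}),
    DnsRule("c2-feed", "sinkhole", {"bad.example"},
            networks=[ipaddress.ip_network("10.0.0.0/8")]),
    DnsRule("blacklist", "domain_not_found", {"ads.example"}),
]


def sinkholed_hosts(queries):
    """Defender view: which source hosts resolved a sinkholed name."""
    return {src for zone, src, qname in queries
            if evaluate(RULES, zone, src, qname)[0] == "sinkhole"}
```

Because Monitor continues to the next rule, a query that hits both the monitor and the sinkhole rule produces two events, which is why the sinkhole rule is the one to watch when triaging infected hosts.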

9. Apply it to the device

An easy one. On the top bar click on Deploy and then select the device.

This will show you which policies have changes to apply and lets you run a consistency check on the policies before applying them (warning: this significantly increases the deployment time).

Finally, go to Analysis>Connections>Events to check if traffic is being processed.

But please go to the Context Explorer to start viewing these events in a format other than a boring table.
