Cisco ASA & ASA FirePOWER Services training agenda

01.02.2018

Cisco ASA FirePOWER Services training

Today I have the privilege to announce our new Cisco ASA and Cisco ASA FirePOWER Services training agenda. In this post, I will describe the agenda in detail and what you can expect from each training module. As you may recall from the short agenda posted on our training list, this training is a condensed mash-up prepared especially for those who work with Cisco ASA FirePOWER appliances with SFR modules.

How does this Cisco ASA FirePOWER training apply to the current Cisco offering?

As you may know, we live in a reality where Cisco offers multiple lines of firewall security products. There are the Firepower 9000, 4000, and 2000 appliance lines, FTD (Firepower Threat Defence) images available on ASA, and ASA FirePOWER Services with the FirePOWER module (SFR), so this may confuse some of you. However, the good news is that Cisco is on the way to achieving functional parity between ASA FirePOWER and the Firepower appliances, so by taking this course you will understand how to work with ASA FirePOWER as well as the Firepower appliances and FTD, because the main configuration is done on the FMC (Firepower Management Center), which manages both Firepower appliances and ASA FirePOWER Services in the same manner (at the time of writing with small differences related to functionality).

Cisco ASA basics

The first module is the good old ASA: the iron rules of interface and subinterface configuration and the security level concept that dictates the behavior of the Adaptive Security Algorithm. We talk about the rules for traffic traversing the ASA, and we stop for a while to cover IP, TCP, UDP, and ICMP fundamentals in the context of the stateful firewall that Cisco ASA is. In addition, this module describes the management rules and concerns of ASA-OS: its hardening, SSH, Telnet, and AAA configuration. Of course, there are labs in module 1 to get warmed up and ready for the challenges of the next modules.

1) Networking basics with ASA

  • ASA Interfaces, Subinterfaces, VLANs
  • DHCP, Set route options
  • Security Level Concept
  • Inter and Intra interface flows
  • Basic Management (Logging, traffic to the box, aaa, NTP sync)
  • Management Real-Life Use Cases

Static and dynamic routing on ASA

This module is about routing. For those who already know routing, this module will be soft and easy. For those who are not familiar with EIGRP, RIP, OSPF, and BGP, this is a good occasion to get familiar with these routing processes. We configure dynamic routing that reflects the most common real-life scenarios on the Internet Edge, e.g. BGP (available from ASA-OS 9.2) and redistribution of the default network 0.0.0.0/0. We also send some LAN prefixes to the ASA. In the end, we show link redundancy (with a redundant interface) and LACP, often used in large and critical environments.

2) ASA Routing and Link Redundancy

  • ASA Static routing
  • ASA Dynamic routing
  • Port Channels, Link redundancy

ACL, NAT, objects, and MPF

For the 3rd module, we could write a separate book. "Traffic restrictions" covers the key concepts of the ASA: ACL (Access Control List), NAT (Network Address Translation), of course for versions 8.3 and higher (remember that we live in a 9.X reality!), and MPF, the essence of L4 and higher-level traffic inspection. In this module we practice twice NAT and object NAT, and translate users so they can reach the Internet, keeping in mind the definitions of static NAT, static PAT, dynamic NAT, PAT, source NAT, and destination NAT (we draw the process on the whiteboard! Want to know how NAT handles ICMP?). We expose services to the Internet, i.e. from the DMZ (servers: www and ftp). We check how the Modular Policy Framework handles FTP traffic, and what happens to FTP without "inspect ftp". This is the key module on the way to understanding and mastering NAT and ACLs in connection with routing. You will understand the differences between traffic going through the ASA and "to the box" traffic.

3) Traffic Restrictions

  • Object and object groups
  • ACLs
  • NAT (8.3+) Concept
  • ASA Modular Policy Framework (MPF)
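As an added illustration of the module 3 concepts (this is not a lab configuration from the course), the following ASA 8.3+/9.x snippet publishes a DMZ www server with object NAT and a DMZ ftp server with static PAT, permits them with an outside ACL, and keeps FTP inspection enabled through the MPF. Interface names, object names and addresses (RFC 5737 ranges) are constructed for the example.

```cisco
! Constructed example: outside = Internet edge, dmz = published servers
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Object NAT (8.3+): static one-to-one translation for the web server
object network DMZ-WWW
 host 10.10.10.10
 nat (dmz,outside) static 203.0.113.10
!
! Static PAT: only TCP/21 of the FTP server is published
object network DMZ-FTP
 host 10.10.10.11
 nat (dmz,outside) static 203.0.113.11 service tcp ftp ftp
!
! Since 8.3 the ACL references the REAL (untranslated) addresses,
! because NAT is resolved before the ACL is evaluated
access-list OUTSIDE_IN extended permit tcp any object DMZ-WWW eq www
access-list OUTSIDE_IN extended permit tcp any object DMZ-FTP eq ftp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! MPF: "inspect ftp" watches the control channel and opens pinholes for
! the data channel; without it, passive-mode data connections arriving
! on random high ports are dropped by the ACL above
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
!
! Verification (constructed peer 198.51.100.5 as an Internet client):
!   show nat detail
!   show access-list OUTSIDE_IN
!   packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 80
```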

High Availability

You may or may not remember that ASA supports Active / Standby HA in a pair and Active / Active HA in multi-context mode. In this section, we focus on how failover really works, for example: do the two appliances each need their own IP addresses, or is there a virtual IP? What maximum delays (RTT, Round Trip Time) are acceptable to build Active / Standby and Active / Active? We analyze the failover process in detail: role switchover in Active / Standby and the election process. In addition, we talk about Cisco ASA Clustering, supported on the ASA 5580 and 5585-X. We consider the pros and cons of clustering and how performance degrades in comparison with a single appliance.

4) High Availability

  • Failover Active-Standby
  • Clustering Active-Active
  • Security Contexts
  • Resource Limitations
  • Cisco ASA Clustering

VPN on Cisco ASA

Virtual Private Networking on ASA is the most commonly used VPN solution for enterprises (I can take the risk of saying that 😉). During this module we analyze the functionalities that ASA offers in terms of IPsec VPN implementation; for example, we consider how the lack of GRE (Generic Routing Encapsulation) tunneling impacts the VPN solution at large scale. We check whether it is possible to establish an IPsec VPN with peers from different vendors. In the end, we take the Cisco AnyConnect Secure Mobility Client for testing while learning VPN remote access solutions. We consider the impact on UX and service reliability of SSL VPN as opposed to IPsec IKEv2 VPN; AnyConnect supports both. While implementing VPN we stay in the context of real enterprise networks, so we integrate AnyConnect with ASA and Cisco ISE (Identity Services Engine) and give an example of how to apply Multi-factor Authentication (MFA). A description of such an implementation can be found here.

5) VPNs

  • IPSec Site2Site
  • Anyconnect SSL VPN client

FirePOWER Services

In module 6 we get to the point: we start working with FirePOWER Services. We get familiar with FirePOWER licensing, solution design, and implementation limitations. We go through the installation steps of the Firepower management system called FMC (Firepower Management Center), and then install the SFR module, which is installed on the ASA as a "software" module. After that, we register our modules in the FMC and redirect traffic to the SFR. In this way, we establish a Firepower environment and are ready to work with the Cisco Next-Generation Firewall.

6) FirePOWER Architecture and licensing

  • Licensing, Architecture, Limitations
  • Firepower Management Center installation
  • SFR Modules Provisioning
  • Traffic Flow & Redirection

ACP, Intrusion policy, AMP, File Policy, and URL Filtering…

Module 7 is the crème de la crème of the Firepower part. We start by describing the rules and configuration of the ACP (Access Control Policy), the policy that aggregates the FirePOWER rules. Each participant of the Cisco ASA FirePOWER training is able to configure and test the policies and their behavior inside out. We add to the game, step by step, the following concepts: URL filtering, AMP (Advanced Malware Protection), File Policy, IPS (Intrusion Policy); of course, every policy that you build is checked to fully understand it. Remember that every participant has their own test machines and DMZ servers. During the Application Control section a question is often raised: "how is it possible to control applications encrypted by SSL?" Very good question! Time to touch the SSL Policy. In the end, there is something handy for network admins and companies that have separate network and security departments: Lists & Feeds.

7) ASA FirePOWER core features configuration

  • Traffic processing and actions
  • Access Control Policies
  • ACP rules
  • AND / OR logic
  • Application control
  • URL and URL categories – filtering
  • AMP for Networks Concept – File & Malware policy
  • IPS Concept – basic ruleset – Intrusion Policy
  • SSL Policies
  • Lists & Feeds

Active Directory, pxGRID and troubleshooting

The last module is a kind of "advanced" topic where we check how FirePOWER integrates with other systems such as AD. We consider two options: Active Directory with the Firepower User Agent vs. the pxGRID protocol. Each participant has to decide which approach is better for his / her environment. Two approaches and two solutions for identity firewalling. What would a Bootcamp be without troubleshooting: checking established sessions, tracing packets, and working out which actions were taken? Or how to verify MPF service-policy hit counts in order to check which traffic is matched and sent to the sensor? Troubleshooting is one of the key topics in this Bootcamp.

8) ASA FirePOWER advanced features configuration

  • AD integration
  • FMC User Agents vs Cisco pxGRID
  • Troubleshooting and reporting

You can download the agenda and check the dates of the coming training here.

Author

Marcin Bialy

Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

2 Comments
Paul Scranage
20 August 2021 at 13:31

Hi Marcin

I’ve been looking at this page (https://www.grandmetric.com/blog/2018/02/01/cisco-asa-asa-firepower-services-training-agenda/) and although dated 2018 the content is of interest to us – our engineers could do with some training on ASA5506/5508, especially the FirePOWER (IPS/AMP) aspects. We are in the UK, so I was wondering whether the course (or maybe something bespoke) could be provided online or whether it was only for locals in Poland?

I look forward to hearing back from you in due course.

Thanks

Paul.

Marcin Bialy
24 August 2021 at 11:08

Hi Paul, thanks for your interest in the Grandmetric offering. Yes, the training can be conducted online. I have sent a direct message to you via email.

thanks
Marcin
