Wednesday, January 17, 2018

Cisco Firepower Threat Defense (FTD) in GNS3 part 1

If you're like me, then the best way to learn something new is to get your hands dirty. Get some lab gear, boot devices up, and try different scenarios.


This is as true (if not more so) with Cisco's Next-Generation Firewall, Firepower (FirePOWER?) Threat Defense. Lucky for us, at least those of us with valid CCO accounts, there are virtual appliances for both FTD and the Management Center available for download. Even better, you can enable 90-day evaluation licensing to test most of the features, and there are KVM appliances available, making it even easier to run them on a GNS3 server. While there are appliances available for download from the GNS3 marketplace, I found it easier to just build my own custom images. Again, the qcow2 images are available for download from Cisco. That said, below I'll list what I'm using for this lab along with some screenshots of my settings in GNS3. *RECOMMENDATION* Try to use virtIO devices/drivers where and whenever possible (especially if you plan on using a Windows Server GNS3 guest). If you've never built a Windows guest in GNS3, the downloads for the virtIO drivers are here. Just like if you were installing Windows Server and didn't have the drivers for your particular RAID controller, you'll need to make those drivers available during the install (i.e. with a GNS3 floppy device or a second DVD drive in your guest).

Devices in this Lab

(1) Firepower Management Center Virtual for KVM (FMCv)
(1) Windows 2012 R2 Server (used as domain controller later, and jumphost now)
(1) Virtual switch (CumulusOS for me, but IOSvL2 or the Etherswitch module works fine)
(1) Ubuntu 16.04
(2) Firepower Threat Defense Virtual for KVM (FTDv)

Windows Server Settings
Firepower Mgmt Center Settings
Firepower Threat Defense Settings

Lab Topology

 

Das Lab

The goal of this post is to get (2) FTDs registered to a management center, then configure basic IP addressing, failover, NAT, and routing. Follow along, start to finish, with the video at the end of this post.

For this lab, I have (2) VLANs on my switch, VLAN19 and VLAN10. The first, VL19, is used as the routed segment for the inside interfaces of my firewalls. The second, VL10, is used as the LAN subnet for my hosts. On VL10 I have my management center, a Windows 2012 server, Ubuntu 16.04, and both management interfaces of the FTDs. The management interface in Firepower sits in a separate control plane. It has its own routing table and its own access control, it cannot be used for forwarding traffic, and it is what the FTD uses to talk to the management center (which is why it lands on the same host VLAN as the FMC here). To get started, let's power everything on and walk away for a while. The initial boot of the FMC will take some time (~30 min). Watching the console, you'll notice it seems to progress along rather quickly until it gets to 'usbcore: registered new interface driver usb-storage'. This is normal; it will hang there for around 30 minutes. After it finally boots you're greeted by a basic console login prompt. The default credentials are admin/Admin123 (they are in Cisco's public documentation, so plan on changing them during the web setup below).

After logging in, unless you've worked with Linux before, you're probably breaking into a cold sweat. 'JON?! WHERE IS MY CONTEXT-SENSITIVE HELP?!' Easy there, tiger, we won't have to spend too long here. The default management IP is 192.168.45.45/24, so we have two options. We can (1) put our jump host's interface in the 192.168.45.0/24 subnet and reach the startup page on the default address, or (2) assign a new IP here at the console and then use that new IP to reach the startup page. Let's assign a new IP like so:

sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
Password: Admin123          # sudo prompts for the admin password

# ifcfg-eth0 after editing; only IP= and BROADCAST= change from the defaults
ONBOOT=yes
IP=10.0.10.9
NETMASK=255.255.255.0
BROADCAST=10.0.10.255
BOOTPROTO=static
MEDIAOPTS=
BOOTPROTO_V6=disable
MTU=1500

:wq!                        # write the file and quit vi

sudo ifdown eth0            # bounce the interface so the new address takes effect
sudo ifup eth0

If you've never used the vi text editor in Linux before, you might Google some basic vi commands. For me, I'm taking my cursor down to "IP=192.168.45.45", pressing Shift+A (vi's append-at-end-of-line command, which also puts you in insert mode), backspacing over that IP, then entering my desired IP, 10.0.10.9. I then used the arrow keys to take my cursor to the 'BROADCAST=192.168.45.255' line and modified it accordingly. Once I'm done, I press 'Esc' on my keyboard and type ":wq!", which means write the file and quit vi. If you make a mistake and want to start over, do ":q!" instead, which quits without saving. After that, I used ifdown to bring the interface down and ifup to bring it back up, now with its new IP. Note that this only sets the address and mask; the default gateway gets set on the web setup page, which is fine here because the jump host sits on the same subnet. (Cisco's supported way to do this same step is 'sudo /usr/local/sf/bin/configure-network', which prompts you for the same values.) After that, off to the WebUI.

Here you'll really, REALLY want that Windows Server, or some other jump host, available. Mine has two NICs: one connected to the same virtual switch as the rest of my GNS3 gear, and another (with no default gateway) bridged to my local LAN so I can RDP to it. Alternatively, feel free to use VNC and any other client OS with a browser to navigate to https://10.0.10.9. From here, after clicking through the browser's warning about the certificate (the FMC ships with a self-signed cert, which is fine in a lab), you'll see a friendly one-page setup. Populate it according to your lab; in mine the IP is 10.0.10.9 with a gateway of 10.0.10.1 and a DNS server of my Windows jump host, 10.0.10.10. This page is also where you replace the default admin password, so do that now rather than later. I'd skip both rule updates and geolocation updates for now and complete the setup. From here we only have a few more steps, which I'll cover in more detail in the video below:

  • On the FTDs, log in with admin/Admin123 (the first login forces you to set a new password)
  • Accept the EULA
  • Run through the basic/guided setup
    • This assigns a management IP to your FTD(s). I'm using 10.0.10.11 and 10.0.10.12
  • When prompted, choose routed mode (over transparent mode)
  • Once setup is complete, use the "configure manager add" syntax to set up the connection to your FMC.
    • In my example I used > configure manager add 10.0.10.9 casd234
    • casd234 is the registration key. It's a one-time shared secret used to bootstrap the FTD-to-FMC tunnel, and it has to match exactly when we complete the setup on the FMC. (If NAT sits between the FTD and the FMC, the same command takes an optional NAT ID as a third argument, which you'd also enter on the FMC side.)
  • Go to Devices>Device Management>Add>Add Device
    • Enter the IP address of your first FTD (mine is 10.0.10.11) as the Host
    • Enter a Display Name (I used FTDv1)
    • Enter the Registration Key (casd234 for me)
    • Select an Access Control Policy (I used create new, and set the default action to Network Discovery).
To keep this post (and future FTD posts) from becoming a short novel, I'll link a video below that shows these setup steps in action and explains them in a little more detail. Unfortunately, as with anything GUI related, it's a little harder for me to give precise directions in a post, since my options are either hundreds of screenshots, vague explanations of what buttons to click, or just making a video.
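Once you have more than a couple of FTDs to register, the Devices > Device Management clicks above are worth scripting. The block below is an added example, not code from this post or from Cisco: it performs the same three GUI steps (look up the access control policy, then add the device by host, display name and registration key) through the FMC REST API, using only the Python standard library. The lab addresses and the registration key are the ones used in this post; the policy name "Lab-Discovery", the "pol-1" style ids, and the certificate file path are assumptions. Note that it verifies the FMC's self-signed certificate against an exported copy instead of switching verification off, and that the regKey (and natID, if you used one) must be byte-for-byte what was typed into "configure manager add" on the FTD, or registration silently fails.

```python
# Added example, not from the original post: register an FTD with the FMC over the
# FMC REST API instead of the Devices > Device Management GUI steps.
# Python 3, standard library only.  IPs and registration key are the post's lab values;
# the policy name, policy ids and FMC_CA_FILE path are assumptions.
import base64
import json
import ssl
import urllib.request

FMC_HOST = "10.0.10.9"        # FMC management IP from the post
FTD_HOST = "10.0.10.11"       # first FTD management IP from the post
REG_KEY = "casd234"           # must equal what was typed on the FTD: configure manager add 10.0.10.9 casd234
FMC_CA_FILE = "fmc-selfsigned.pem"   # assumed: FMC's self-signed cert exported from the browser


def build_device_record(name, host, reg_key, access_policy_id, nat_id=None):
    """Body for POST /api/fmc_config/v1/domain/<uuid>/devices/devicerecords.

    regKey (and natID when NAT sits between FTD and FMC) must match the values given to
    'configure manager add' on the FTD; a mismatch leaves the device stuck in 'pending'.
    """
    if not reg_key or reg_key != reg_key.strip():
        raise ValueError("registration key must be non-empty with no surrounding whitespace")
    record = {
        "name": name,
        "hostName": host,
        "regKey": reg_key,
        "type": "Device",
        "license_caps": ["BASE"],   # evaluation licensing covers BASE in the lab
        "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"},
    }
    if nat_id:
        record["natID"] = nat_id
    return record


def policy_id_by_name(listing, name):
    """Pull an access control policy id out of the GET .../policy/accesspolicies response."""
    for item in listing.get("items", []):
        if item.get("name") == name:
            return item["id"]
    return None


class FmcSession:
    """Minimal token client.  Basic auth is sent once, to generatetoken; every later call
    carries the X-auth-access-token header.  TLS verification stays on: pass cafile= with
    a copy of the FMC's self-signed certificate rather than disabling it."""

    def __init__(self, host, username, password, cafile=None):
        self.base = f"https://{host}"
        self.basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token = None
        self.domain = None

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("X-auth-access-token", self.token)
        else:
            req.add_header("Authorization", "Basic " + self.basic)   # only for generatetoken
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.headers, resp.read()

    def login(self):
        headers, _ = self._call("POST", "/api/fmc_platform/v1/auth/generatetoken")
        self.token = headers["X-auth-access-token"]
        self.domain = headers["DOMAIN_UUID"]     # Global domain on a single-domain FMC
        return self.domain

    def access_policy_id(self, name):
        _, raw = self._call("GET", f"/api/fmc_config/v1/domain/{self.domain}/policy/accesspolicies")
        return policy_id_by_name(json.loads(raw), name)

    def register(self, record):
        _, raw = self._call("POST", f"/api/fmc_config/v1/domain/{self.domain}/devices/devicerecords", record)
        return json.loads(raw)


if __name__ == "__main__":
    import getpass
    fmc = FmcSession(FMC_HOST, "admin", getpass.getpass("FMC admin password: "), cafile=FMC_CA_FILE)
    fmc.login()
    policy = fmc.access_policy_id("Lab-Discovery")   # assumed name of the policy created in the GUI
    if policy is None:
        raise SystemExit("access control policy not found; create it on the FMC first")
    print(json.dumps(fmc.register(build_device_record("FTDv1", FTD_HOST, REG_KEY, policy)), indent=2))
```

Run it from the jump host after "configure manager add" has been entered on the FTD; the POST returns immediately and the device shows up under Device Management while the two sides finish the tunnel handshake, exactly as it does when added through the GUI.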

  

6 comments:

  1. What I loved most about the video and your post is the symbols! Can you share those symbols?

  2. You got it!
    https://www.dropbox.com/s/mmreoqhpjn0mlfa/GNS3_Cust_Icons.zip?dl=0

  3. Jon, thanks for the post!

    I have built a lab and got both the FTDv and FMCv up and running. I have an issue where neither of the FTD interfaces, INSIDE and OUTSIDE, is passing traffic. I cannot reach the INSIDE interface; I have gone through the lab multiple times and still cannot get the FTD to pass traffic.

    I am using 6.2.2(81). Any thoughts on why the FTD is not passing traffic?

    Replies
    1. From the CLI of the FTD, what do show int ip brief and show arp display?

    2. Can the FTD ping its OUTSIDE gateway? I have seen the virtIO NICs act up in GNS3 for FTD. You can try to boot it up using E1000 for the FTD.

  4. A few other data points.

    If I do a capture on the link to the FTD from the INSIDE, I see the endpoint sending an ARP request for the FTD's IP address and not getting a response.

    With the OUTSIDE interface, I am connecting to the "Cloud" connection. If I connect an endpoint to that Cloud, I can get a DHCP IP from my internal network, and I can also set up a static IP for the endpoint. In both scenarios, the endpoint can join my internal network and reach the internet without issue.

    I've also set up traditional ASAs and do not have the same issue.
