
Secure Firewall Lab-Advanced 7.2-1

This document describes configuring high availability on Cisco Secure Firewall next generation firewalls (NGFWs). It includes onboarding a backup NGFW to the Firepower Management Center (FMC) and upgrading its software. The key steps are: 1. Configure the backup NGFW to be managed by the FMC. 2. Add the backup NGFW to the FMC using REST APIs to register it and apply configurations. 3. Create an HA pair with the primary and backup NGFWs, designating one as active and one as standby. 4. Configure active/standby status with a virtual MAC address and test the HA configuration. The goal is to understand


Cisco dCloud

Cisco Secure Firewall 7.2 Advanced Lab


Last Updated: July-7, 2023

REQUIREMENTS ....................................................................................................................................................2

ABOUT THIS SOLUTION .........................................................................................................................................2

TOPOLOGY ...........................................................................................................................................................3

GET STARTED ........................................................................................................................................................4

SCENARIO 1 - HIGH AVAILABILITY CONFIGURATION ...............................................................................................5

SCENARIO 2 - ADVANCED PACKET FLOW ANALYSIS ............................................................................................. 23

SCENARIO 3 - CISCO THREAT INTELLIGENCE DIRECTOR (CTID) ...............................................................................27

APPENDIX A. REST API SCRIPTS............................................................................................................................ 34

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 38
Cisco dCloud

Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements

Required: Laptop
Optional: Cisco AnyConnect®

About This Solution


IT teams have been asked to manage security using a patchwork of siloed point products, starting with legacy next-generation firewalls
(NGFWs), which were built with a focus on application control and had best-effort threat protection bolted on. As such, these legacy
NGFWs are unable to provide an enterprise with the contextual information, automation, and prioritization it needs to handle today's
threats.

Cisco Secure Firewall is an integrated suite of network security and traffic management products, deployed either on purpose-built
platforms or as a software solution. The system is designed to help you handle network traffic in a way that complies with your
organization's security policy: your guidelines for protecting your network.

This allows the Cisco Secure Firewall NGFW to evolve with a focus on enabling enterprises to stop, prioritize, understand, and
automate responses to modern threats in real time. Secure NGFW is unique in its threat focus, with a foundation of comprehensive
network visibility, best-of-breed threat intelligence and highly effective threat prevention to address both known and unknown threats.
Secure NGFW also enables retrospective security, through Advanced Malware Protection, that can "go back in time" to quickly find
and remediate sophisticated attacks that may have slipped through defenses. This has led to a significant reduction in
time-to-detection (TTD) for Cisco customers compared to industry averages.

In this lab you will build a multi-site Next Generation Firewall (NGFW) solution between a corporate site and two branch sites.
Using the Firewall Management Center (FMC) you will build High Availability NGFWs at the corporate site and manage a branch.
You will also configure an NGFW using the FDM (Firepower Device Manager), configure remote access and site-to-site VPNs, and
configure Cisco Threat Intelligence Director to accept and implement third-party updates to your NGFW devices.


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How]

• Jump PC 1: 198.18.133.50, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.

3. From the jumpbox, open Chrome. It should open with the FMC login page as the default page. The login name and password will
be prepopulated. Click Login.

4. Alternatively, open the Quick Launch from the task bar, and click the FMC Web to login to the GUI of the FMC automatically.


Scenario 1 - High Availability Configuration


This exercise consists of the following tasks:

• Configure and Deploy Backup NGFW
• Upgrade Software on Backup NGFW
• Create High Availability Pair of Firewalls
• Configure Active/Standby with Virtual MAC Address
• Test the configuration

The objective of this exercise is to understand and configure High Availability for NGFW. You will configure the second firewall and
then add it to the High Availability group.

Steps

Onboard a backup NGFW onto the FMC

NGFW device onboarding onto the FMC is done in two parts. First, configuration settings are added on the NGFW to set the FMC
as its manager and establish communication with the FMC over the management interface. Second, the NGFW device is added on
the Devices page of the FMC to initiate and establish communication. Here we use the jumpbox to complete both steps.

1. To configure the backup NGFW, go to the Windows machine labelled jumpbox and open the Quick Launch. Select NGFW3.

a. You should be logged in automatically. Username: admin Password: C1sco12345
b. Type: show managers
c. If it says Managed locally:
i. Enter the command: configure manager delete
ii. Type yes. Now the output of show managers should show No managers configured.
iii. Type the command: configure manager add fmc.dcloud.local C1sco12345
iv. When the command prompt returns, type show managers and make sure fmc.dcloud.local shows "Registration:
pending".


NOTE: The NGFW can be added to the FMC for management using the FMC UI. However, here we are going to use the REST API
to demonstrate the automation capabilities of the solution. A Python script called runapiscript is present on the Inside Linux Server
at /usr/local/bin. It invokes the REST APIs on the FMC to register NGFW3 with the FMC, applies the Health Policy to NGFW3,
discovers the interfaces, configures the IP addresses and deploys the Access Control Policy with the name specified during the
execution of the script.

2. To add the backup NGFW to the FMC, open the Quick Launch and select Inside Linux Server.

a. You should be automatically logged in with the credentials administrator / C1sco12345.
b. Obtain the runapiscript:
i. Type sudo -i to log in as the root user.
ii. Enter the password C1sco12345.
iii. Type cd /usr/local/bin.
iv. Remove the old files by typing rm connect.py runapiscript.
v. Run wget pov.developmentserver.com/dCloud/connect.py. Wait for the download to complete.
vi. Run wget pov.developmentserver.com/dCloud/runapiscript. Wait for the download to complete.
vii. Run chmod a+x connect.py runapiscript.
viii. Type exit.
c. Type runapiscript.
d. When asked Which Firewall do you want to register?, type the number 3.
e. When asked Enter name of new Access Control Policy to be create, type HA for the name.
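The registration the NOTE above describes (create an access control policy, register the device under it, deploy) can be driven from any client that talks to the FMC REST API. The following is an added example written for this guide and is not the lab's runapiscript; endpoint paths follow the FMC REST API as the author knows them (check them in your FMC's API Explorer), and fmc.dcloud.local, the NGFW3 management address 198.19.10.83 and the registration key are the lab's values used as placeholders.

```python
"""Onboard a managed device to FMC over its REST API, then request a deployment.

Added example modelled on what the lab's runapiscript is described as doing;
it is not the lab's script. Only the standard library is used.
"""
import base64
import json
import ssl
import urllib.request

PLATFORM = "/api/fmc_platform/v1"
CONFIG = "/api/fmc_config/v1"


def basic_auth_header(user, password):
    """Authorization header value for the generatetoken call."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def access_policy_body(name, default_action="BLOCK"):
    """Body for POST /policy/accesspolicies; a default action is mandatory."""
    return {"type": "AccessPolicy", "name": name,
            "defaultAction": {"action": default_action}}


def device_record_body(name, host, reg_key, policy_id):
    """Body for POST /devices/devicerecords. reg_key must match the key the FTD
    was given with 'configure manager add <fmc> <key>' (C1sco12345 in the lab)."""
    return {"name": name, "hostName": host, "regKey": reg_key, "type": "Device",
            "license_caps": ["BASE"],
            "accessPolicy": {"id": policy_id, "type": "AccessPolicy"}}


def deployment_body(device_ids, version):
    """Body for POST /deployment/deploymentrequests."""
    return {"type": "DeploymentRequest", "version": version,
            "forceDeploy": False, "ignoreWarning": True,
            "deviceList": list(device_ids)}


def find_item_id(listing, name):
    """Return the id of the item called `name` in an FMC list response, else None."""
    for item in listing.get("items", []):
        if item.get("name") == name:
            return item.get("id")
    return None


class FmcClient:
    """Minimal token-based FMC client (assumed endpoint paths, see lead-in)."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = f"https://{host}"
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab FMCs use self-signed certs; keep verification on elsewhere
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        req = urllib.request.Request(self.base + PLATFORM + "/auth/generatetoken",
                                     method="POST",
                                     headers={"Authorization": basic_auth_header(user, password)})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            self.token = resp.headers["X-auth-access-token"]
            self.domain = resp.headers["DOMAIN_UUID"]

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.base}{CONFIG}/domain/{self.domain}{path}",
                                     data=data, method=method,
                                     headers={"X-auth-access-token": self.token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def get(self, path):
        return self._call("GET", path)

    def post(self, path, body):
        return self._call("POST", path, body)


def onboard(fmc, device_name, device_host, reg_key, policy_name):
    """Create the ACP, register the device under it and request a deployment."""
    policy = fmc.post("/policy/accesspolicies", access_policy_body(policy_name))
    fmc.post("/devices/devicerecords",
             device_record_body(device_name, device_host, reg_key, policy["id"]))
    # Registration runs asynchronously; poll the device list until the record exists.
    device_id = find_item_id(fmc.get("/devices/devicerecords?limit=1000"), device_name)
    if device_id is None:
        return None  # caller should wait and call again until registration completes
    pending = fmc.get("/deployment/deployabledevices?expanded=true")
    version = next(d["version"] for d in pending.get("items", []) if d.get("name") == device_name)
    return fmc.post("/deployment/deploymentrequests", deployment_body([device_id], version))


if __name__ == "__main__":
    # Placeholders from the lab: the FMC host name and NGFW3's management address.
    client = FmcClient("fmc.dcloud.local", "admin", "C1sco12345", verify_tls=False)
    print(onboard(client, "NGFW3", "198.19.10.83", "C1sco12345", "HA"))
```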


NOTE: The "Registration is in progress" count may vary during the execution of the script.


3. Verify that the NGFW3 is added successfully to the FMC by checking the registration status of NGFW3 on the FMC. You
might need to allow some time for the device to register. It should show a Green symbol in front of the device name.

4. Verify the GigabitEthernet0/2 interface for NGFW3 is set to blank configuration by navigating to Devices > Device
Management. This interface is to be used as the failover interface during the formation of the HA pair.

a. Click on the Pencil icon next to NGFW3


b. Click on the Pencil icon next to the interface GigabitEthernet0/2
c. Select the checkbox against Enabled
d. Delete the Name of the interface (if any)
e. Click Ok and then Save.


5. Select the Device sub-tab. In the Inspection Engine section, click on Revert to Snort 2.

6. Click Deploy in the FMC UI to push the interface state change to NGFW3.

NOTE: The following information is communicated over the failover link:

• The unit state (active or standby)
• Hello messages (keep-alives)
• Network link status
• MAC address exchange
• Configuration replication and synchronization

Upgrade Backup NGFW

1. Navigate to System > Updates

NOTE: NGFW1 and NGFW3 must have the same software version to be configured for a High Availability Pair.


2. Select the Install icon on the Cisco FTD Upgrade line, as shown in the image.

3. Select NGFW3 from the list and click Check Readiness.

4. Click OK on the prompt warning about Update readiness running on the system(s).

5. Verify the Readiness Check under Notifications > Tasks.


6. Verify that Success is displayed under Readiness Check Results.

7. Uncheck the box for Upgrade Snort 2 to Snort 3.

8. Select NGFW3 from the list and click Install.

9. Click OK on the prompt warning about system(s) reboot.


10. Verify upgrade progress under Notifications > Tasks.

NOTE: Wait for the upgrade process to complete before moving to the High Availability configuration.

11. Navigate to Devices > Device Management and verify NGFW3 is now running software version 7.2.

NOTE: The above process is outlined in anticipation of reverting NGFW3 to the previous software version.

Configure High Availability Pair

1. Go to Devices > Device Management> Add > Add High Availability

NOTE: The NGFW3 Management Interface (198.19.10.83) was preconfigured. Interfaces G0/0 and G0/1 were configured by the
REST API script. They do not have security zones listed on the interface, but they will inherit the security zones and the interface
IP addresses from NGFW1 when the HA process is run.

a. Name: HA_TEST
b. Device Type: Firewall Threat Defense (this is the device type associated with the NGFW)
c. Primary Peer: NGFW1
d. Secondary Peer: NGFW3
e. Click Continue.
f. Forming the HA pair restarts the Snort engine on both the Primary and Secondary NGFW devices. This is entirely
expected behavior. Select Yes.


NOTE: If you have done configuration tasks on either of the HA peers and have not deployed them, you will get the above
message. Click Close and then click Cancel. Deploy the changes to NGFW3 by clicking the Deploy button in the FMC. Go
back and repeat step 1.

2. Now, enter the High Availability details as below:

a. Select Interface: GigabitEthernet0/2
b. Name: Failover_Link
c. Primary IP: 198.19.254.1
d. Secondary IP: 198.19.254.2 Subnet Mask: 255.255.255.0
e. State Link: Interface Same as LAN Failover
f. IPsec Encryption: Enabled (OPTIONAL)
g. Click Add

NOTE: If the interfaces do not show up, go back to Devices > Device Management. Click the pencil icon for each firewall and
check the Interfaces tab to make sure that the interfaces do not have names.

NOTE: The Failover ‘State link’ can be a separate dedicated link as well. However, for simplicity in this lab we are using the LAN
failover link as the State link also.

NOTE: Creating or breaking a Firewall Threat Defense high availability pair immediately restarts the Snort process on the primary
and secondary devices, temporarily interrupting traffic inspection on both devices. Whether traffic drops during this interruption or
passes without further inspection depends on the model of the managed device and how it handles traffic. See Snort® Restart
Traffic Behavior for more information. The system warns you that continuing to create a high availability pair restarts the Snort
process on the primary and secondary devices and allows you to cancel.

3. Click on OK to add the High Availability Pair

NOTE: The configuration of the HA pair will take some time. You will see status updates from time to time if you watch the Tasks
next to the Deploy button.

4. When complete you will see the following:

5. Go to Devices > Device Management Click on the pencil icon next to the HA pair name - HA_Test


NOTE: MAC Addresses and IP Addresses in Failover.

When you configure your interfaces, you can specify an active IP address and a standby IP address on the same network.

Although recommended, the standby address is not required. Without a standby IP address, the active unit cannot perform network
tests to check the standby interface health; it can only track the link state. You also cannot connect to the standby unit on that
interface for management purposes.

When the primary unit or failover group fails over, the secondary unit assumes the IP addresses and MAC addresses of the primary
unit and begins passing traffic.

The unit that is now in standby state takes over the standby IP addresses and MAC addresses.

Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the
network.

If the secondary unit boots without detecting the primary unit, the secondary unit becomes the active unit and uses its own MAC
addresses, because it does not know the primary unit MAC addresses. However, when the primary unit becomes available, the
secondary (active) unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network
traffic. Similarly, if you swap out the primary unit with new hardware, a new MAC address is used.

Virtual MAC addresses guard against this disruption because the active MAC addresses are known to the secondary unit at startup
and remain the same when the primary unit hardware is replaced. In multi-instance mode the FXOS chassis autogenerates only
primary MAC addresses. You can overwrite the generated MAC address with a virtual MAC address that sets both the primary and
secondary MAC addresses; setting the secondary MAC address ensures that to-the-box management traffic is not interrupted
when the secondary unit hardware is replaced.


If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow.
The FTD does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not
learn of the MAC address change for these addresses.

The IP address and MAC address for the state link do not change at failover; the only exception is if the state link is configured on a
regular data interface.

6. Select the "+" icon next to Interface MAC Address.

7. Enter the following in the Add Interface MAC Address window.

a. Physical Interface: GigabitEthernet0/1
b. Active Interface MAC Address: Student choice (the IP address of the interface is used in the example)
c. Standby Interface MAC Address: Student choice of input (example below)
d. Click OK.

NOTE: The above step is an example of how to configure an Interface MAC Address.


8. Configure Monitored Interfaces: click the pencil icon next to in10 in the list of Monitored Interfaces.


9. Enter the Standby IP Address: 198.19.10.31. Repeat for the outside Interface 198.18.133.132

10. Click OK
11. Click Save.
12. Navigate to Deploy > Advanced Deploy.
13. Select HA_Test and then Deploy.
14. Ignore any Validation Messages and then Deploy.


Looking at the configuration of NGFW3

1. Let's look at some of the configuration parameters that NGFW3 received during the HA setup.
2. On the Jump PC, open PuTTY and select NGFW3.
3. Log in to the NGFW (Username: admin, Password: C1sco12345) and type:

a. show running-config interface
i. What is the primary IP address of each interface?
ii. Is there a standby IP address associated with the interface?
b. show running-config failover
i. What is the failover MAC address for interface GigabitEthernet0/1?
ii. What is the interface for the Failover_Link?
iii. What is the interface IP address for the Failover_Link?

Testing Failover

1. On the Jump PC go to Quick Launch and open up a session to the Inside Linux Server


2. The administrator user should already be logged in. Start a continuous ping by typing ping outside.

3. Navigate to the web interface of the FMC Devices > Device Management. Click on the three vertical dots at the right of the
HA_TEST row, and select Switch Active Peer. Click Yes when it prompts to make NGFW3 Active.

4. Observe the output of the ping outside command from the Inside Linux Server. There should not be any drops recorded.


5. Switch back so that the NGFW1 becomes Active again.

NOTE: The Active HA status of the NGFW implies that it is participating in the traffic processing and owns the Active Interface
MAC addresses. Only the Primary or the Secondary NGFW can be Active at a given time and therefore handle traffic.

IMPORTANT: You can do the remaining scenarios with the HA pair, or you can first break the HA pair. The scenario steps and
screenshots reflect a non-HA environment. If you have completed the HA scenario, substitute HA_Test for NGFW1.


Scenario 2 - Advanced Packet Flow Analysis


This exercise consists of the following tasks that allow you to troubleshoot any connectivity issues through FTD:

• Packet-Tracer
• Capture with Trace

Troubleshooting with Packet Tracer and Packet Captures

1. When to use Packet-Tracer

a. Verify whether traffic to a specific port is allowed by the Lina data path and Snort:
i. Security Intelligence (IP Reputation)
ii. L3/L4 IPS intrusion rules
b. Packet-Tracer does not currently work with the following, because it cannot emulate an L7 packet:
i. Identity-based rules
ii. L7-related checks (SI DNS/URL, App ID, File Policy, L7 intrusion rules)

Packet-Tracer Lab

1. On the FMC go to Policies > Access Control > Edit the NGFW1 policy

2. Click Add New Rule

a. Name: Packet-Trace Rule


b. Set the Rule ABOVE rule 1
c. Under Action Block or Block with reset
d. Zones: Source Zone InZone1, Destination Zone Outzone
e. Networks: Source: Lab_Networks Destination Networks: any-ipv4
f. Applications: Available Applications type ICMP and Select All apps matching the filter click Add to Rule
g. Available Applications type: FTP. Select All apps matching the filter and click Add to Rule

h. Click Logging tab and select Log at Beginning of Connections

i. Click Add
j. Click Save and Deploy to HA_Test or [NGFW1]

NOTE: We selected all the applications related to ICMP and FTP. In a production environment you would be more specific about
which particular applications you are blocking.

3. Open the Quick Launch and select NGFW1. Username: admin Password C1sco12345
4. Type the following packet-tracer input inside icmp 198.19.10.200 8 8 198.18.133.200

a. Look at the Phases: you will notice that the packet has been handed off to Snort for further processing.
b. You will see that Snort applied the Block with reset rule (identified by its rule id) to order a drop of the packet.

5. Now look at the Packet-Trace command in the FMC


6. Go to Devices > Device Management > NGFW1.
7. Click on the three dots next to the device name. You will find the options for Packet Tracer and Packet Capture.


8. Select Packet Tracer.

9. FMC opens the New Trace page.

a. Packet Type: ICMP


b. Interface: inside
c. Source: 198.19.10.200

d. Type: 8 (Echo Request) Code 0

e. Destination: 198.18.133.200
f. Click Trace

NOTE: You will get the same results that you saw on the command line of NGFW1; they are just shown in the window.


10. Set up the Packet Tracer for FTP


a. Packet Type: TCP
b. Source: 198.19.10.200

c. Source Port: 1111


d. Destination 198.18.133.200 (Outside Linux Server)

e. Destination Port: FTP


f. Click Trace

NOTE: Phase 2 is still checking the rule you created. Look at Phase 14: you will see that Snort looked at the rule and the verdict
was to pass the packet. The first packet is passed, but not the following packets. To test this, go to the Jump PC, open the
Inside Linux Server session and type ftp outside. At the login prompt enter guest; you will receive a message that states
No Control connection for command Transport endpoint is not connected. You can go to Analysis > Connections > Events and see
that the connection was Blocked with reset.


Capture w/Trace Lab

NOTE: There are two types of traffic captures, the Lina-based and the Snort-based:

• Lina level capture
• Snort level capture-traffic

For capturing packet with traces using the FMC, perform the following steps:

1. Go to Devices > Device Management page.


2. Click on the three dots next to the device name, such as NGFW1. You will find the options for Packet Tracer and Packet
Capture.
3. Select Packet Capture
4. Click Add Capture button:

a. Name: Capturewtrace
b. Interface: inside
c. Protocol: ICMP
d. Source Host: 198.19.10.200 (Inside Linux Server)
e. Destination Host: any
f. Buffer Size: 33554432 (32 MB)
g. Trace Count 100
h. Save

NOTE: We have not removed the access policy denying ICMP so the pings will fail, but you will be able to see the packet shown.
Also, you will export the file in PCAP format to Wireshark in this lab.

5. Go to the Jump PC and on the Inside Linux Server type ping outside.
6. If you don't see information in the Packets Shown window within about 10 seconds, click Refresh.
7. Once you see packets stop the ping.
8. Click on the Save icon for the packet capture you created.
a. Save the file as PCAP.
9. When Prompted Save File and click OK.
10. Go to the downloads bar of Chrome and select the file just downloaded.
11. Minimize the Browser and you will see the file opened in Wireshark.
12. Notice that the messages have been administratively filtered.


Scenario 3 - Cisco Threat Intelligence Director (CTID)


This exercise consists of the following tasks:

• Upload a list of URLs to CTID that will trigger an Incident
• Subscribe CTID to a TAXII feed
• Generate CTID incidents

The CTID is a component of the FMC that can consume third party cyber threat intelligence indicators; CTID parses these
indicators to produce observables that can be detected by the NGFW. The NGFW reports detection of the observables to CTID.
Then CTID determines whether the observations constitute an incident.

Information on Scenario

Two file formats are supported:

• Flat files - Lists of simple indicators such as IP addresses, URLs or SHA256 hashes.
• STIX files - XML files that can describe simple or complex indicators.

There are three ways these files can be retrieved:

o Uploaded from the computer where the FMC UI is running.
o Retrieved from a URL on a remote web server.
o Received from a TAXII feed (STIX files only).

The objective of this exercise is to configure and test CTID.
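A flat-file source is uploaded with a single CONTENT type (URL in this scenario; IP addresses and SHA256 hashes are the other simple indicator kinds listed above), so a list that mixes types or contains unparsable lines gives CTID less than you expect. The checker below is an added example for this guide, not part of the lab or of FMC: it classifies each line, flags wrong-type, unknown and duplicate entries, and returns the clean list. The sample list is constructed; one entry reuses the developmentserver.com URL the lab tests against.

```python
"""Check a CTID flat-file indicator list before uploading it as a source.

Added example, not part of the lab. Classification rules are the author's
approximation of the three simple indicator kinds the lab names (URL, IP, SHA256).
"""
import ipaddress
import re
from urllib.parse import urlsplit

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(line):
    """Return 'sha256', 'ip', 'url', 'skip' (blank/comment) or 'unknown' for one line."""
    s = line.strip()
    if not s or s.startswith("#"):
        return "skip"
    if SHA256_RE.match(s):
        return "sha256"
    if _is_ip(s):
        return "ip"
    # URL indicators may omit the scheme, as the lab's list does; add one so urlsplit
    # sees a host part, then require a plausible DNS name or IP as the host.
    try:
        host = urlsplit(s if "://" in s else "http://" + s).hostname or ""
    except ValueError:
        return "unknown"
    if HOST_RE.match(host) or _is_ip(host):
        return "url"
    return "unknown"


def check_flat_file(text, content_type):
    """Validate the list for one CONTENT type ('url', 'ip' or 'sha256').

    Returns a dict with the deduplicated indicators to upload plus the lines that
    are of the wrong type, unparsable, or duplicates (with 1-based line numbers)."""
    result = {"indicators": [], "wrong_type": [], "unknown": [], "duplicates": []}
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = classify(line)
        if kind == "skip":
            continue
        value = line.strip()
        if kind == "unknown":
            result["unknown"].append((lineno, value))
        elif kind != content_type:
            result["wrong_type"].append((lineno, kind, value))
        elif value in seen:
            result["duplicates"].append((lineno, value))
        else:
            seen.add(value)
            result["indicators"].append(value)
    return result


# Constructed sample resembling the lab's URL_LIST.txt, with deliberate problems:
# an IP address and a SHA256 hash in a URL list, a duplicate and an unparsable line.
SAMPLE_URL_LIST = """\
# URLs to block via CTID
developmentserver.com/misc/Tron.html
http://example.com/phish/login
198.18.133.200
developmentserver.com/misc/Tron.html
not a url at all
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    report = check_flat_file(SAMPLE_URL_LIST, "url")
    for key, rows in report.items():
        print(f"{key}: {rows}")
```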

Steps

Confirm that CTID will publish observables to the NGFW

1. Navigate to Policies > Access Control > Access Control.


2. Edit the access control policy by clicking the pencil icon to the right of the policy.
3. Select the Advanced tab. Using this advanced setting, CTID can be enabled or disabled at the access policy level. Threat
Intelligence Director is enabled by default.


4. Navigate to Integration > Intelligence > Elements. Confirm that the NGFW1 is an element. This means that CTID can
publish observables to the NGFW1 retrieved from a STIX file from a web server.

NOTE: The CTID can be enabled or disabled globally. Clicking Pause will stop the CTID publishing to all elements.

5. Navigate to Integration > Intelligence > Sources tab.

6. Click the plus sign (+) on the right to add an intelligence source.


7. Upload a list of URLs to CTID that will trigger an Incident


a. Click the plus sign (+) on the right to add an intelligence source.

b. For DELIVERY, select Upload.

c. For TYPE, select Flat File. The CONTENT drop-down list will appear.
d. For CONTENT, select URL.
e. Click in the FILE area and select URL_LIST.txt from the Files folder on the Jump desktop.

f. For NAME, enter Local URL List.

g. For ACTION, select Block.

8. Click Save.
9. Wait a few seconds. Navigate to Integration > Intelligence > Sources > Indicators. Delete the default time-based filter.
Replace it with a filter to only show published indicators, as shown in the following screenshot.


10. Click Apply to apply the filter. Confirm that two URL indicators have been added.

NOTE: The incidents may not appear for a while if the original time-based filter remains applied.

11. Navigate to Integration > Intelligence > Sources > Observables. Confirm that two type URL observables have been
added.


Subscribe CTID to a TAXII feed

1. Navigate to Integration > Intelligence > Sources > Sources. Click the plus sign (+) on the right to add an intelligence
source.
2. For DELIVERY, select TAXII.
3. For URL, enter http://hailataxii.com/taxii-discovery-service.

4. For USERNAME, enter guest.


5. For PASSWORD, enter guest.
6. For FEEDS, select guest_phishtank_com.

NOTE: It may take several seconds for the FEEDS drop-down list to populate.

7. Confirm that the screen looks like the following figure.

8. Click Save.
9. Wait until the Status column for this source changes to Parsing, which may take several minutes. Do not wait for the parsing
to complete - this would take too long.


10. Navigate to Integration > Intelligence > Sources > Indicators. Delete the default time-based filter. Replace it with a filter to
only show published indicators, as you did for the previous source you configured.

11. Click Apply to apply the filter. Confirm that several URL indicators have been added.

12. Navigate to Integration > Intelligence > Sources > Observables. Confirm that several URL observables have been added.

Generate CTID incidents

1. It can take several minutes for the observables to be published to the sensor. In this step, you will see how to confirm the publication of a particular observable. Use the Quick Launch on the Jump PC to SSH to the NGFW1 CLI (logged in as admin / C1sco12345) and perform the following:

a. Type expert to get into expert mode.

b. Type ls -d /var/sf/*download.

NOTE: There are several directories listed.

    admin@ngfw:~$ ls -d /var/sf/*download
    /var/sf/clamupd_download
    /var/sf/iprep_download
    /var/sf/sifile_download
    /var/sf/cloud_download
    /var/sf/sidns_download
    /var/sf/siurl_download

Four of these (iprep_download, sidns_download, sifile_download and siurl_download) are used by Security Intelligence and CTID.

c. Type grep developmentserver /var/sf/*download/*lf (lf has a lower-case L) to confirm the observable has been published to the firewall observables list.

d. You should see a CTID observable of type URL:

    /var/sf/siurl_download/330bd00e-2b75-11eb-b07a-e80dd063ddd4.lf:developmentserver.com/misc/Tron.html/

NOTE: If you do not, wait a minute and try again. You must wait for this to be published before you go on.
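The grep-and-retry check above can be scripted. The following is an added example written for this page, not part of the dCloud lab: it scans the four Security Intelligence feed directories for an observable and retries the way the NOTE suggests. The /var/sf root, the timeout and the injectable sleep parameter are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Confirm that a CTID observable has been published to the sensor.

Added example, not part of the dCloud lab: it automates the expert-mode check
`grep developmentserver /var/sf/*download/*lf` and the "wait a minute and try
again" advice. The feed directory names come from the lab; everything else is
illustrative.
"""
import glob
import os
import sys
import time

# The four download directories used by Security Intelligence and CTID.
SI_FEED_DIRS = ("iprep_download", "sidns_download", "sifile_download", "siurl_download")


def find_observable(root, needle):
    """Return (feed_dir, lf_file, line) for the first *.lf line containing
    `needle` under root/<feed_dir>, or None if it has not been published yet."""
    for feed in SI_FEED_DIRS:
        for path in sorted(glob.glob(os.path.join(root, feed, "*.lf"))):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    if needle in line:
                        return feed, os.path.basename(path), line.rstrip("\n")
    return None


def wait_for_observable(root, needle, timeout=120, interval=30, sleep=time.sleep):
    """Poll find_observable() until it hits or `timeout` seconds have elapsed.
    `sleep` is injectable so the retry loop can be exercised without waiting."""
    deadline = time.monotonic() + timeout
    while True:
        hit = find_observable(root, needle)
        if hit is not None or time.monotonic() >= deadline:
            return hit
        sleep(interval)


if __name__ == "__main__":
    root = "/var/sf"  # the sensor's feed root when run from expert mode on the NGFW
    if not os.path.isdir(root):
        sys.exit("%s not found; run this on the NGFW in expert mode" % root)
    hit = wait_for_observable(root, "developmentserver.com/misc/Tron.html")
    print("published: %s/%s -> %s" % hit if hit else "not published yet, keep waiting")
```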


On the Inside Linux server CLI:

1. Use the Quick Launch on the Jump PC to SSH to the Inside Linux server (logged in as administrator / C1sco12345) and perform the following:

a. Run wget -t 1 outside/files/ProjectX.pdf. This should succeed.

b. Run wget -t 1 developmentserver.com/misc/Tron.html. This should be blocked.

2. On the FMC, navigate to Integration > Intelligence > Incidents. Confirm that there is an incident.

3. Drill down into the incident and observe the details for this incident.

4. Confirm that there is an incident for a URL indicator. Drill down into the incident and observe the details for this incident.


Appendix A. REST API Scripts


Here are the two Python scripts that were used in the first lab exercise. You only run the first script, register_config.py. It imports the second script, connect.py, which is what creates the compiled file connect.pyc.

Python script register_config.py

    #!/usr/bin/python
    import json
    import connect
    import sys

    try:
        input = raw_input  # Python 2: raw_input() returns a string, like Python 3's input()
    except NameError:
        pass

    host = "fmc.example.com"
    username = "restapiuser"
    password = "C1sco12345"
    name = "NGFW"

    # connect to the FMC API
    headers, uuid, server = connect.connect(host, username, password)

    user_input = str(input("Would you like to register the managed device? [y/n]"))
    if user_input == "y":
        policy_name = str(input("Enter name of new Access Control Policy to be created:"))
        access_policy = {
            "type": "AccessPolicy",
            "name": policy_name,
            "defaultAction": {"action": "BLOCK"}
        }
        post_response = connect.accesspolicyPOST(headers, uuid, server, access_policy)
        policy_id = post_response["id"]
        print("\n\nAccess Control Policy\n" + policy_name + "\ncreated\n\n")
        device_post = {
            "name": name,
            "hostName": "ngfw.example.com",
            "regKey": "C1sco12345",
            "type": "Device",
            "license_caps": [
                "BASE",
                "MALWARE",
                "URLFilter",
                "THREAT"
            ],
            "accessPolicy": {
                "id": policy_id,
                "type": "AccessPolicy"
            }
        }
        post_data = json.dumps(device_post)
        output = connect.devicePOST(headers, uuid, server, post_data)
        print("\n\nPost request is: \n" + json.dumps(output, indent=4) + "\n\n")

    # GET ALL THE DEVICES AND THEIR corresponding interfaces
    user_input = str(input("In the FMC UI, confirm that the device discovery has completed and then press 'y' to continue or 'n' to exit. [y/n]"))
    # re-authenticate: the first token may have expired while discovery was running
    headers, uuid, server = connect.connect(host, username, password)
    if user_input == "n":
        sys.exit()

    devices = connect.deviceGET(headers, uuid, server)
    device_id = None
    for device in devices["items"]:
        if device["name"] == name:
            print("DEVICE FOUND, setting ID")
            device_id = device["id"]
    if device_id is None:
        print("Device " + name + " not found on the FMC")
        sys.exit()

    # NOW THAT WE HAVE THE DEVICE ID WE NEED TO GET ALL THE INTERFACES
    interfaces = connect.interfaceGET(headers, uuid, server, device_id)

    # Interfaces I want to change
    interface_1 = "GigabitEthernet0/0"
    interface_2 = "GigabitEthernet0/1"
    for interface in interfaces["items"]:
        if interface["name"] == interface_1:
            interface_1_id = interface["id"]
            print("interface 1 found")
        if interface["name"] == interface_2:
            interface_2_id = interface["id"]
            print("interface 2 found")

    user_input = str(input("Would you like to configure device interfaces? [y/n]"))
    if user_input == "y":
        interface_put = {
            "type": "PhysicalInterface",
            "hardware": {
                "duplex": "AUTO",
                "speed": "AUTO"
            },
            "enabled": True,
            "MTU": 1500,
            "managementOnly": False,
            "ifname": "outside",
            "enableAntiSpoofing": False,
            "name": "GigabitEthernet0/0",
            "id": interface_1_id,
            "ipv4": {
                "static": {
                    "address": "198.18.133.2",
                    "netmask": "18"
                }
            }
        }
        put_data = json.dumps(interface_put)
        connect.interfacePUT(headers, uuid, server, put_data, device_id, interface_1_id)

        interface_put = {
            "type": "PhysicalInterface",
            "hardware": {
                "duplex": "AUTO",
                "speed": "AUTO"
            },
            "enabled": True,
            "MTU": 1500,
            "managementOnly": False,
            "ifname": "inside",
            "enableAntiSpoofing": False,
            "name": "GigabitEthernet0/1",
            "id": interface_2_id,
            "ipv4": {
                "static": {
                    "address": "198.19.10.1",
                    "netmask": "24"
                }
            }
        }
        put_data = json.dumps(interface_put)
        connect.interfacePUT(headers, uuid, server, put_data, device_id, interface_2_id)


Python script connect.py


    #!/usr/bin/python
    import json
    import sys
    import requests

    # Suppress HTTPS insecure errors for cleaner output. verify=False below skips
    # TLS certificate validation so the lab FMC's untrusted certificate does not
    # abort the calls; it is a lab convenience, not a production setting.
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


    # define function to connect to the FMC API and generate authentication token
    def connect(host, username, password):
        headers = {'Content-Type': 'application/json'}
        path = "/api/fmc_platform/v1/auth/generatetoken"
        server = "https://" + host
        url = server + path
        try:
            r = requests.post(url, headers=headers,
                              auth=requests.auth.HTTPBasicAuth(username, password),
                              verify=False)
            auth_headers = r.headers
            token = auth_headers.get('X-auth-access-token', None)
            uuid = auth_headers.get('DOMAIN_UUID', None)
            if token is None:
                print("No Token found, I'll be back terminating....")
                sys.exit()
        except Exception as err:
            print("Error in generating token --> " + str(err))
            sys.exit()
        # every later call carries the token in this header
        headers['X-auth-access-token'] = token
        return headers, uuid, server


    def devicePOST(headers, uuid, server, post_data):
        api_path = "/api/fmc_config/v1/domain/" + uuid + "/devices/devicerecords"
        url = server + api_path
        r = None
        json_response = None
        try:
            r = requests.post(url, data=post_data, headers=headers, verify=False)
            status_code = r.status_code
            resp = r.text
            json_response = json.loads(resp)
            print("status code is: " + str(status_code))
            if status_code == 201 or status_code == 202:
                print("Post was successful...")
            else:
                r.raise_for_status()
                print("error occurred in POST -->" + resp)
        except requests.exceptions.HTTPError as err:
            print("Error in connection --> " + str(err))
        finally:
            if r is not None:
                r.close()
        return json_response


    def deviceGET(headers, uuid, server):
        api_path = "/api/fmc_config/v1/domain/" + uuid + "/devices/devicerecords"
        url = server + api_path
        r = None
        json_response = None
        try:
            r = requests.get(url, headers=headers, verify=False)
            status_code = r.status_code
            resp = r.text
            json_response = json.loads(resp)
            print("status code is: " + str(status_code))
            if status_code == 200:
                print("GET was successful...")
            else:
                r.raise_for_status()
                print("error occurred in GET -->" + resp)
        except requests.exceptions.HTTPError as err:
            print("Error in connection --> " + str(err))
        finally:
            if r is not None:
                r.close()
        return json_response


    def interfaceGET(headers, uuid, server, device_id):
        api_path = ("/api/fmc_config/v1/domain/" + uuid + "/devices/devicerecords/"
                    + device_id + "/physicalinterfaces")
        url = server + api_path
        r = None
        json_response = None
        try:
            r = requests.get(url, headers=headers, verify=False)
            status_code = r.status_code
            resp = r.text
            json_response = json.loads(resp)
            print("status code is: " + str(status_code))
            if status_code == 200:
                print("GET was successful...")
            else:
                r.raise_for_status()
                print("error occurred in GET -->" + resp)
        except requests.exceptions.HTTPError as err:
            print("Error in connection --> " + str(err))
        finally:
            if r is not None:
                r.close()
        return json_response


    def interfacePUT(headers, uuid, server, put_data, device_id, interface_id):
        api_path = ("/api/fmc_config/v1/domain/" + uuid + "/devices/devicerecords/"
                    + device_id + "/physicalinterfaces/" + interface_id)
        url = server + api_path
        r = None
        json_response = None
        try:
            r = requests.put(url, data=put_data, headers=headers, verify=False)
            status_code = r.status_code
            resp = r.text
            json_response = json.loads(resp)
            print("status code is: " + str(status_code))
            if status_code == 200:
                print("Put was successful...")
            else:
                r.raise_for_status()
                print("error occurred in PUT -->" + resp)
        except requests.exceptions.HTTPError as err:
            print("Error in connection --> " + str(err))
        finally:
            if r is not None:
                r.close()
        return json_response


    def accesspolicyPOST(headers, uuid, server, post_data):
        api_path = "/api/fmc_config/v1/domain/" + uuid + "/policy/accesspolicies"
        url = server + api_path
        r = None
        json_response = None
        try:
            # post_data is a dict here (register_config.py passes it undumped)
            r = requests.post(url, data=json.dumps(post_data), headers=headers, verify=False)
            status_code = r.status_code
            resp = r.text
            json_response = json.loads(resp)
            print("status code is: " + str(status_code))
            if status_code == 201 or status_code == 202:
                print("Post was successful...")
            else:
                r.raise_for_status()
                print("error occurred in POST -->" + resp)
        except requests.exceptions.HTTPError as err:
            print("Error in connection --> " + str(err))
        finally:
            if r is not None:
                r.close()
        return json_response
