Firepower Threat Defense - Common Practice Guide Walkthrough

  • Published 27 Oct 2024

COMMENTS • 25

  • @davidwu9015 6 years ago +2

    Very helpful and valuable, covering almost all the major aspects of FTD configuration, a good resource for FTD technical guys. Thanks for taking the time to make the video.

  • @manojupreti6413 5 years ago +1

    Simply Awesome - straight to the point

  • @SnortDefence 2 years ago

    Very very helpful Jason.. would create one new walkthrough video on snort3

  • @Owii92 6 years ago

    Thanks for the time you took to make this video. I couldn't find anything like this on the internet, besides the admin guide and tutorial... without real explanations. Anyway, thanks again :)

    • @jasonmaynard8773 6 years ago

      Thanks Owii92 for the comment and glad it helped.

  • @sergeileshchinsky 6 years ago

    Another great vid. Thanks a lot for sharing!

  • @Crog2 5 years ago

    Thank you for sharing. Thumbs up

  • @StephenCombs17 4 years ago

    Question: I saw in the video you placed the objects (DMZ, Inside Hosts) in your HOME NET variable. We do not want to do this, correct? If you have both your DMZ and your INSIDE hosts in HOME NET then you will not inspect from inside to DMZ or vice versa since those are considered protected? My understanding is that you only want your inside hosts or protected hosts in your HOME NET variable; everything else gets inspected.

    • @jasonmaynard8773 4 years ago +1

      Thanks Mark for reaching out - home_net should include all networks you are protecting. It states this in the guide "the majority of the rules use the variable $HOME_NET to specify the protected network and the variable $EXTERNAL_NET to specify the unprotected (or outside) ", also a quick google of www.google.com/search?q=snort+home_net+variable&rlz=1C1GCEU_enUS872US873&oq=snort+Home&aqs=chrome.0.69i59j69i57j35i39j0l5.5013j0j4&sourceid=chrome&ie=UTF-8
      Gets you the following as well "$HOME_NET is a variable that defines the network or networks you are trying to protect, while $EXTERNAL_NET is the external, untrusted networks to which you are connected. These variables are used in virtually all rules to specify criteria for the source and destination of a packet."
      Hope this clarifies :)

  • @jtcod5422 4 years ago

    Where can I find this lookbook? I followed first link and it gave me a 2 page document that doesn't show the details of this guide Walkthrough. Thanks.

    • @jasonmaynard8773 4 years ago

      Try the following: cisco.lookbookhq.com/ngfw_ftd_common-practices

  • @staskosovskih8594 6 years ago

    Totally awesome!

  • @HoangPham-ki7rj 6 years ago

    Thank you very much, very helpful guide :)

    • @jasonmaynard8773 6 years ago

      Anytime Hoang and thanks for the feedback.

    • @jasonmaynard8773 6 years ago

      I saw your message around DNS but you had your email address so I did not publish the comment.
      That said, I assume you are looking at DNS Sinkholing. If so, check out the following videos:
      23. Cisco Firepower Threat Defense: DNS Sinkholing
      ua-cam.com/video/DZtvCmoge3k/v-deo.html
      24. Cisco Firepower Threat Defense: DNS Sinkholing Packet Capture
      ua-cam.com/video/rRKijsP9iyA/v-deo.html
      25. Cisco Firepower Threat Defense: DNS Sinkhole Tweaking for the Analyst
      ua-cam.com/video/7RMiIqL9Gik/v-deo.html
      Hope this helps

    • @HoangPham-ki7rj 6 years ago

      @jasonmaynard8773 Thanks for hiding the comment. In my case, after putting the DNS server behind the firewall with default "balance and security", and malware blocking (1st rule), all PCs and even the FW itself cannot use the DNS service anymore; every other service like ping, RD is still OK. DNS is Win 2008 R2. Checked the log and I saw UDP port 53 was allowed. Have you met this case?

    • @jasonmaynard8773 5 years ago

      Hi Hoang, I am assuming that the PCs have to go through the firewall to get to DNS (not on the same network and you have a control point in place). I would go to FTD and leverage packet tracer and do a couple of tests. This should highlight what stage the firewall is blocking (if that is the case). If this does not help I would open a TAC case and get them to have a look.
      Packet Tracer - ua-cam.com/video/WdfbcP3KuO0/v-deo.html

  • @stanhuang8091 6 years ago

    very useful