Posts

Showing posts from 2021

Reimage ASA to FTD

1. The following guide details how to load the FTD boot image from ROMMON mode: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html
2. In addition to the guide above, the boot image can be loaded from a USB key.
   2.1 Insert the USB key while the device is running the ASA image.
   2.2 The USB key shows up as disk1; copy the FTD boot image from disk1 to disk0 (flash).
   2.3 Change the boot variable to use the FTD boot image.
   2.4 Reboot.
   2.5 Continue with the .pkg file installation.

Understanding Access Point OS Images

 https://community.cisco.com/t5/wireless-mobility-documents/understanding-access-point-os-images/ta-p/3123952

Anyconnect hostscan (Secure Firewall Posture)

Secure Firewall Posture (formerly HostScan)
The Cisco Secure Client (AnyConnect Secure Mobility Client) offers a Secure Firewall Posture Module (VPN Posture), formerly HostScan, and an ISE Posture Module. Both give the Cisco Secure Client the ability to assess an endpoint's compliance for things like antivirus, antispyware, and firewall software installed on the host. You can then restrict network access until the endpoint is in compliance, or elevate local user privileges so the user can carry out remediation. Secure Firewall Posture is bundled as secure-firewall-posture-<version>-k9.pkg, the application that gathers which operating system, antivirus, antispyware, and other software is installed on the host. ISE Posture is deployed on the client when it accesses ISE-controlled networks, rather than deploying both the Cisco Secure Client and the NAC Agent. ISE Posture is a module you can choose to install as an additional security component into the Cisco

Firepower Identity and User-IP Mapping

Note: Firepower uses identity policies to detect the user associated with a connection (IP address). An AnyConnect user connection is a special form of active authentication: an identity rule that matches AnyConnect traffic is required, regardless of whether the active or passive action is selected. If there is no identity rule for AnyConnect traffic, FMC/FTD will not try to identify the traffic owner, so the traffic won't match any user-ID-based ACP rules. When the identity policy has a rule matching AnyConnect traffic and the VPN uses LDAP for authentication, FMC shows an active session when the AnyConnect user connects. When the VPN uses ISE for authentication, the user shows as Discovered Identity and the firewall doesn't map user to IP properly; to fix it, the user needs to enter the username in the format lab\user1 or lab.local\user1. When ISE is running 802.1x, set up pxGrid between ISE and FMC to pass authentication session info to FMC; in this case, from the FMC standpoint, 802.1x is passive authentication. With 802.1x, the machine authentication session is sent to FMC firs

Firepower CPU

1. Verify snort instances
> show snort instance
Total number of instances available - 2
+----------+---------+
| INSTANCE |   PID   |
+----------+---------+
|    1     |   649 |
|    2     |   650 |
+----------+---------+
>
> show asp inspect-dp snort
SNORT Inspect Instance Status Info
Id Pid       Cpu-Usage    Conns      Segs/Pkts  Status
             tot (usr | sys)
-- ----- ---------------- ---------- ---------- ----------
0  650     0% (  0%|  0%)   1          0        READY
1  649     0% (  0%|  0%)   1          0        READY
>
or, from expert mode:
admin@FTD67:~$ top
 PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 2562 root      25   5  425648   5156   3888 S  10.5   0.1   2866:36 loggerd
 5270 admin     20   0    3560   2388   1860 R   5.3   0.0   0:01.08 top
  650 root       1 -19 1981788 482316  35912 S   6.7   5.9  48:57.83 snort
  649 root       1 -19 1981740 485880  36100 S   0.3   5.9  49:07.12 snort
2. Lina CPU usage
In the 'system support utilizatio

Firepower Troubleshooting Notes

Issue: FMC and FTD were on 6.4.4. FMC upgraded to 6.6.5 with no issue; after the FPR1120 was upgraded to 6.6.5, FMC lost the FTD. User reported: "FPR 1120 not sending Heartbeats after upgrade to 6.6.5. Shows failure in UI but no details."
Troubleshooting: from the FTD CLI, ping to FMC works. In expert mode, ran "sftunnel_status.pl", which showed the error "certificate is not valid yet" and that sftunnel was down. Verified the FMC certificate is valid from 2019 to 2025. Checked FTD time with the Linux command "date": the current time showed as 2015. The hardware clock ("hwclock -r") also showed 2015. Ran the command date -s "18 OCT 2021 18:00:00" to set the UTC time. Ran "sftunnel_status.pl" again, which showed sftunnel up, and FMC showed the device green.
==================
Error: active peer already exists
Reason: A device can be un-cleanly de-registered and still exist in the database.
Fix: /usr/local/sf/bin/remove_peer.pl "IP or NAME or UUID" FORCE
====
Error: deployme

Firepower FTD factory reset and system recovery

1. Firepower 2110 with FTD image (console into the FPR2110):
      2100# connect local-mgmt
      2100(local-mgmt)# erase configuration
   FXOS and FTD both get reset and reinstalled; it may take up to 20 minutes before you can connect to the FTD again.
2. Soft reset FTD
   2.1 Verify IP addresses are configured:
       >show interface ip brief
   2.2 Delete the manager:
       >configure manager delete
   2.3 Change the firewall mode to transparent, then back to routed:
       >configure firewall transparent
       >configure firewall routed
   2.4 Verify the IP addresses are gone:
       >show interface ip brief
====ASA system recovery=====
https://www.cisco.com/c/en/us/td/docs/security/asa/fxos/troubleshoot/asa-fxos-troubleshoot/system_recovery.html

Firepower Deploy remote FTD

1. Use the FTD outside data interface
   Note: This feature requires Firepower version 6.7 or later and doesn't support HA. FMC needs a public IP, firewall rules are needed for bidirectional TCP/8305 with no IPS inspection, and on a Palo Alto firewall the traffic is identified as the ssl application, so the rule should use service any instead of application-default.
   1.1 Boot the FTD and configure the management interface IP.
   1.2 Configure the network management-data-interface:
       > configure network management-data-interface
       Data interface to use for management: ethernet1/1
       Specify a name for the interface [outside]: internet
       IP address (manual / dhcp) [dhcp]: manual
       IPv4/IPv6 address: 10.10.6.7
       Netmask/IPv6 Prefix: 255.255.255.0
       Default Gateway: 10.10.6.1
       Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
       DDNS server update URL [none]: ...........
2. Use the FTD OOB management interface and configure a public IP on it; consider adding a router or L3 switch in front of it to protect the management IP.
3. Configure private IP o

Firepower FMC and FTD Management Network Administration

  FMC and FTD Management Network Administration https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-nw.html#Cisco_Concept.dita_a3adf1ee-a270-4ff4-8b7b-3f9a3f4f1636

ISE pxGrid

Platform Exchange Grid (pxGrid)
pxGrid is a protocol framework that defines the control mechanisms to facilitate machine-to-machine communications. pxGrid can sync active ISE sessions to FMC without ISE-PIC. ISE-PIC 3.1 only supports pxGrid v2; FMC 6.4 is on pxGrid v1, and FMC 6.7 and above are on pxGrid v2.
1. Notes: User Agent is deprecated from FMC 6.7; ISE or ISE-PIC now provides the username-to-IP mapping.
   Eligible Firepower Management PIDs for free ISE-PIC:
   L-FMC-ISE-PIC= (PAK based, for ISE-PIC 2.7 and lower)
   L-FMC-ISE-PIC-BSE (Smart License enabled, for ISE-PIC 3.0)
   Standard ISE-PIC PIDs:
   ● Base license for up to 3,000 user sessions (R-ISE-PIC-VM-K9)
   ● Upgrade license for up to 300,000 user sessions (L-ISE-PIC-UPG=)
   The maximum number of nodes in an ISE-PIC deployment is 2. In an ISE-PIC deployment, nodes can have the roles Primary and Secondary. Only one node can be Primary at a time, and roles can only be changed manually through the GUI. In case of Primary fa