Posts

Showing posts from 2024

Microsoft CA

Create a new template "PC". To make it available in the Web Enrollment drop-down list, the following option needs to be checked. Right-click Certificate Templates, click Manage,

AnyConnect / Secure Client AlwaysOn

1. Test result: when Secure Client (SC) detects that the PC is on an untrusted network, it prompts the user to connect to the VPN. When SC detects that the PC is on a trusted network, it doesn't prompt.
2. Enable Always On. Test result: the user can disconnect the VPN, but can then only reach www.google.ca and the DNS server 203.0.113.2. When the ASA is not reachable, the "Connect Failure Policy" kicks in; with the "Open" policy, the user is able to access any website. When the ASA is reachable again, the user is prompted to connect, and at this moment again only www.google.ca and the DNS server 203.0.113.2 can be reached.
3. Captive Portal. By default, captive portal detection is enabled; as soon as the PC connects to an open Wi-Fi with a captive portal, a "Cisco Secure Client - Web Browser" window pops up. In the lab it displays a blank page; depending on the configuration in the profile, the browser window may disappear in a second or stay open. Captive portal detection needs to be disabled if we don't want to see this browser. Windows 10 has internal mecha

FDM Notes

Change the admin password:
  expert
  passwd admin

ASA Notes

1. Capture URL: https://x.x.x.x/admin/capture/capture_name[/pcap]
2. Copy the capture out: copy /pcap capture:CAP1 ftp://user:pass@192.168.1.1/CAP1.pcap
3. Run a command via HTTPS: https://x.x.x.x:port/exec/show run
Reference: https://packetpushers.net/blog/interacting-with-the-cisco-asa-cli-using-the-https-interface/

ASA CLI backup

The ASA reaches the FTP server via the MGMT interface:

ASA-916# backup interface MGMT location ftp://cisco:cisco@192.168.2.100/asabackup
backup location entered: [ftp://cisco:cisco@192.168.2.100/asabackup]
[Press return to continue or enter a backup location]:
Begin backup ...
Backing up [ASA Version] ... Done!
Backing up [Running Configurations] ...Cryptochecksum: 5b9af45d 87cd328b 063fb1ed c1f61965  Done!
Backing up [Startup Configurations] ... Done!
Backing up [Identity Certificates] ... Done!
Backing up [WebVPN Data] ... Done!
Backing up [Anyconnect(SVC) Image(s)] ... Done!
Backing up [Anyconnect(SVC) Client Profile(s)] ... Failed!
Compressing the backup directory ... Done!
Copying Backup ...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Done!
Cleaning up ... Done!
Backup finished!
ASA-916#

Firepower FMC REST API

1. By default it is enabled: System > Configuration > REST API Preferences > Enable REST API.
2. Create a dedicated API user.
3. Request an authentication token: https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/215918-how-to-generate-authentication-token-for.html

FTD FDM using ISE for Admin access

Configure FDM External Authentication and Authorization with ISE using RADIUS: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217234-configure-fdm-external-authentication-an.pdf
FDM Multiple Admin Accounts: https://bluenetsec.com/fdm-multiple-admin-accounts/

ASA and FTD : SYN flood (DOS attack) protection

An attacker can launch a DoS attack by flooding a host with thousands of TCP SYN packets. The source address is spoofed, so the host has no way to complete the handshake; this creates half-open TCP connections on the host that consume resources until the host is overwhelmed and packets are dropped. On the Cisco ASA you can configure the Modular Policy Framework (MPF) to restrict the number of TCP half-open connections (embryonic-conn-max). When enabled, the MPF policy intercepts the TCP SYN and only forwards the connection once the 3-way handshake is complete.

Lab:
1. Create an extended ACL for the protected server
   access-list ACL-Protected-Servers extended permit tcp any host 10.1.1.10 eq www
2. Create a class-map
   class-map CM-Protected-Servers
    match access-list ACL-Protected-Servers
3. Create a policy-map
   policy-map PM-Outside
    class CM-Protected-Servers
     set connection embryonic-conn-max 40
4. Create a service policy for the outside interface
   service-poli

hping3

  hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language. https://www.kali.org/tools/hping3/

CSR with IKEv2 VPN and NAT

1. Review the Smart Default IKEv2 settings.
   sh crypto ikev2 proposal default
   IKEv2 proposal: default
        Encryption : AES-CBC-256
        Integrity  : SHA512 SHA384
        PRF        : SHA512 SHA384
        DH Group   : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
2. Review the Smart Default IPsec transform-set and profile
   sh crypto ipsec transform-set default
   { esp-aes esp-sha-hmac  }
      will negotiate = { Transport,  },
   sh crypto ipsec profile default
   IPSEC profile default
           Security association lifetime: 4608000 kilobytes/3600 seconds
           Responder-Only (Y/N): N
           PFS (Y/N): N
           Mixed-mode : Disabled
           Transform sets={
                   default:  { esp-aes esp-sha-hmac  } ,
           }
3. Create a new transform-set with stronger ciphers
   crypto ipsec transform-set AES256-SHA256 esp-256-aes esp-sha256-hmac
4. Create an IKEv2 keyring
   crypto ikev2 keyring MyIKEv2KeyRing
    peer CSR3
     address 203.0.113.228
     pre-share

ISE Admin with AD Credential

Summary steps:
1. ISE joins AD
2. Enable admin access using AD
3. Configure Admin Group to AD group mapping
4. Set RBAC permission for the admin group

Detail steps:
1. ISE joins AD
   Assume this is already done: ISE has joined the corp.local domain, and the AD group NetworkAdmins is added to the ISE AD group list.
2. Enable admin access using AD
3. Configure Admin Group to AD group mapping
4. Set RBAC permission for the admin group
   Duplicate "Super Admin Policy" and create a new policy "AD Admin Policy" for group "AdminGroup-AD".
Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116503-configure-product-00.html

AWS VPN

https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
AWS Phase 2 has PFS configured; make sure the on-premises (local) firewall has PFS enabled.
The AWS Phase 1 lifetime default is 28800 seconds (8 hours); the Phase 2 default is 3600 seconds, which is the maximum that can be specified on AWS.

Firepower new features

1. TLS Server Identity Discovery
   TLS 1.3 encrypts the server certificate, so it breaks application and URL control. To regain full visibility, full decryption is required. Note: in TLS 1.3 the SNI is still cleartext, so FTD can still use the SNI alone to determine the URL or application, but without the server-side certificate the confidence and reliability are low, since the SNI can be spoofed or empty. New feature (from FTD 6.7): TLS Server Identity Discovery without requiring SSL decryption.
   Read: Network Security Efficacy in the Age of Pervasive TLS Encryption https://blogs.cisco.com/security/network-security-efficacy-in-the-age-of-pervasive-tls-encryption?ccid=cc000155&dtid=oblgcdc000651&oid=pstsc023056
   FTD intercepts a TLS 1.3 handshake message from a client to an unknown server and then opens a side connection to this server to discover its identity. FTD uses the same source IP address and TCP port as the client and mimics the ClientHello message as much as possible to get the server to pr

Firepower Auto NAT with interface group and Zone

LAB: FTD 7.4. The FTD has two outside interfaces; for the LAN network object, only one Auto NAT rule can be created.
1. When trying to create another Auto NAT rule with destination Interface Object Zone-Outside2, got the error:
2. When trying to add the outside2 interface to the same zone Zone-Outside that the outside interface belongs to, got the error:
Two solutions:
1. Create NAT Rules Before with an Interface Group instead of Auto NAT
2. Instead of Auto NAT, create NAT Rules Before with Zone-Outside containing both outside interfaces

FMC and FTD with External Authentication

Configure FMC with LDAP for External Authentication
1. System > Users > External Authentication, Add External Authentication Object
   The Set Defaults button automatically fills in the Attribute Mapping section. Once the host info is configured, Fetch DNs can retrieve the Base DN.
   NetworkAdmins is an AD group; only members of this AD group can log in to FMC/FTD. In this lab, map it to the FMC Administrator group. Don't select any Default User Role; once you select one, you can't unselect it.
   CLI Access Filter: when "Same as Base Filter" is checked, CLI access doesn't check the user's AD group info, so all AD users will get access to the FMC/FTD CLI. To restrict CLI access, we can add a new AD attribute; in this lab it is called "firepowercli". Refer to this article to create a Unicode String attribute and restart AD Domain Services, then in AD set the value to "shell" for each user that needs FMC/FTD CLI access. https://www.rebeladmin.com/2017/11/step-step-guide-create-custom-acti

Firepower Geneve Interfaces

Geneve interfaces act as Layer 2 virtual networks over Layer 3 physical networks to stretch Layer 2 networks. Geneve is an encapsulation network protocol similar to Virtual eXtensible Local Area Network (VXLAN).

Integrate Meraki Networks with ISE

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-p/3618650

VLAN1  Management   172.16.10.0/24
VLAN10 Guest        192.168.10.0/24
VLAN11 Workstation  172.16.11.0/24
VLAN12 MAB          172.16.12.0/24

Wireless 802.1X
Meraki configuration:
  Group Policy:
    Employee:
    Contractor: L3 FW rules deny YouTube and Facebook
  SSID: corp
    Security: my RADIUS server
    Splash: Cisco Identity Services Engine (ISE) Authentication
    RADIUS attribute specifying group policy name: Airespace-ACL-Name
    Client IP: Bridge
    VLAN tagging: VLAN 11
ISE configuration:
  Create device group type: Meraki Wireless, and add the Meraki AP to the group.
  Policy Set: condition matches the Meraki Wireless device group type
    Authorization Profiles:
      MerakiWirelessEmployee: Airespace ACL Name: Employee
      MerakiWirelessContractor: Airespace ACL Name: Contractor
    Authentication Policy:
      Condition: Wireless_802.1x
      Use