Posts

Showing posts from February, 2024

ISE Admin with AD Credential

Summary steps:
1. ISE joins AD
2. Enable admin access using AD
3. Configure Admin Group to AD group mapping
4. Set RBAC permission for the admin group

Detail steps:
1. ISE joins AD. Assumed to be already done: ISE is joined to the corp.local domain, and the AD group NetworkAdmins is added to the ISE AD group list.
2. Enable admin access using AD
3. Configure Admin Group to AD group mapping
4. Set RBAC permission for the admin group. Duplicate "Super Admin Policy" and create a new policy "AD Admin Policy" for the group "AdminGroup-AD".

Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116503-configure-product-00.html

AWS VPN

https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
AWS Phase II has PFS configured, so make sure the on-premises (local) firewall has PFS enabled as well.
The AWS Phase I lifetime default is 28800 seconds (8 hours); the Phase II default is 3600 seconds, which is also the maximum that can be specified on AWS.

Firepower new features

1. TLS Server Identity Discovery
TLS 1.3 encrypts the server certificate, so it breaks application and URL control. To regain full visibility, full decryption is required.
Note: in TLS 1.3 the SNI is still cleartext, so FTD can still use the SNI alone to determine the URL or application, but without the server-side certificate the confidence and reliability are low, because the SNI can be spoofed or empty.
New feature (from FTD 6.7): TLS Server Identity Discovery, without requiring SSL decryption.
Read: Network Security Efficacy in the Age of Pervasive TLS Encryption https://blogs.cisco.com/security/network-security-efficacy-in-the-age-of-pervasive-tls-encryption?ccid=cc000155&dtid=oblgcdc000651&oid=pstsc023056
FTD intercepts a TLS 1.3 handshake message from a client to an unknown server and then opens a side connection to this server to discover its identity. FTD uses the same source IP address and TCP port as the client and mimics the ClientHello message as much as possible to get the server to pr

Firepower Auto NAT with interface group and Zone

Lab: FTD 7.4. The FTD has two outside interfaces, and for the LAN network object only one Auto NAT rule can be created.
1. When trying to create another Auto NAT rule with destination Interface Object Zone-Outside2, got the error:
2. When trying to add the outside2 interface to the same zone Zone-Outside that the outside interface belongs to, got the error:
Two solutions:
1. Create a NAT Rules Before rule with an Interface Group instead of Auto NAT.
2. Instead of Auto NAT, create a NAT Rules Before rule with Zone-Outside containing both outside interfaces.

FMC and FTD with External Authentication

Configure FMC with LDAP for External Authentication
1. System > Users > External Authentication, Add External Authentication Object. The Set Defaults button automatically fills in the Attribute Mapping section. Once the host info is configured, Fetch DNs can retrieve the Base DN.
NetworkAdmins is the AD group; only members of this AD group can log in to FMC/FTD. In this lab, it maps to the FMC Administrator group. Don't select any Default User Role: once you select one, you can't unselect it.
CLI Access Filter: when "Same as Base Filter" is checked, CLI access does not check the user's AD group membership, so every AD user gets FMC/FTD CLI access. To restrict CLI access, add a new AD attribute; in this lab it is called "firepowercli". Refer to this article to create a Unicode String attribute and restart AD Domain Services, then in AD set the value to "shell" for each user who needs FMC/FTD CLI access. https://www.rebeladmin.com/2017/11/step-step-guide-create-custom-acti

Firepower Geneve Interfaces

Geneve interfaces act as Layer 2 virtual networks over Layer 3 physical networks to stretch Layer 2 networks. Geneve is an encapsulation network protocol similar to Virtual eXtensible Local Area Network (VXLAN).

Integrate Meraki Networks with ISE

https://community.cisco.com/t5/security-knowledge-base/how-to-integrate-meraki-networks-with-ise/ta-p/3618650
VLAN1 Management 172.16.10.0/24
VLAN10 Guest 192.168.10.0/24
VLAN11 Workstation 172.16.11.0/24
VLAN12 MAB 172.16.12.0/24

Wireless 802.1x

Meraki Configuration
Group Policy:
  Employee:
  Contractor: L3 FW rules Deny Youtube and Facebook
SSID: corp
  Security: my RADIUS server
  Splash: Cisco Identity Services Engine (ISE) Authentication
  RADIUS attribute specifying group policy name: Airespace-ACL-Name
  Client IP: Bridge
  VLAN tagging: VLAN 11

ISE Configuration:
Create device group type: Meraki Wireless, add Meraki AP to the group.
Policy Set: Condition matches Meraki Wireless device group type
Authorization Profiles:
  MerakiWirelessEmployee: Airespace ACL Name: Employee
  MerakiWirelessContractor: Airespace ACL Name: Contractor
Authentication Policy:
  Condition: Wireless_802.1x
  Use

Meraki Notes

Adaptive Policy utilizes Security Group Tags (SGTs). Adaptive Policy has three key components:
Identity classification and propagation: a tag that is applied to frames from a source device and acts as an identity or grouping for a user/device.
Security policy definition: a policy comprised of a source tag, a destination tag, and the permissions between them.
Policy deployment and orchestration: an engine that implements the policy on supported network devices.
To use Meraki LWA, you must add the Cloud Management Platform itself as a network access device (NAD); check Help > Firewall Info.