Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD) Part 13

50. Lecture-50:Introduction and Concept of Network Discovery Policy.

First of all we gonna do network discovery policy, okay? So what is network discovery policy? Basically whatever in your network. Maybe devices, maybe Host and maybe application. So it’s collect the information which can help you and your intrusion policy. So after this, we going to do intrusion policy. So that’s why it’s better to do this topic before intrusion policy. So it’s helped to develop whatever in your network. It can be host, it can be operating system, and it can be application. And we can use these three things. It means network host. Application so we can figure out and we can use this discovery policy in our access control policy we can use them in IPS rule like for example maybe in your network there is no Linux system so when you enable intrusion policies to biodiver intrusion policy will use to scan for Linux systems as well. But there is no Linux system in your environment. It means you are wasting your resources of your firewall something which is not there. So it will check for that as well. So why not to customize your rule? So whatever in your network but who’s going to tell us that whatever is in our network and that is our network discovery policy. You need to run this discovery policy. It will help you to develop a topology. It will help you to develop a view. It will develop all operating system, all application, all user return in your network. So it will figure out what is in your network and it will build a profile for each and everything.

So in this way your thing will be minimized, your resources will be not maximumly utilized. You get my point? Maybe you don’t have window XP in your system, in your environment, in your network, in your enterprise but intrusion rule will check for XP as well, for Windows seven, for Linux, for everything because you did not tell him that don’t check Windows XP, we don’t have don’t check for such type of attack because we don’t have XP. So nobody can do attack for window XP because every window, every operating system, every application is separate attack. So this way we can use network discovery policy to build our network topology, our view and this way we’re going to find out the vendorability for specific our application which is running our network vendor ability related to our host operating system and vulnerability related to our network. So for that purpose you are using network discovery and this way we can find out user activities as well and we can protect our network from such type of vulnerability and we can create and customize our intrusion policy, we can customize our access control policy in such a way that those are our assets and also this discovery can be used for your assets as well. That what is in your network like in Cisco, Ice, they can tell you that how many operating system you have related to Windows XP, how many are Windows seven, how many are Linux and so on, how many are make? So if you enable discovery policy, it can figure out what operating system are running in your network. So in this way you can know that how many we have make operating system, how many we have Linux operating system, so it can help you in that case as well and you can create a topology as well, which we will see. So this is called network discovery policy and it’s run and snort engine, not in your lina engine. So because FTD is made of two combinations, the typical one which is Cisco Ha and Snort which we discussed in first lecture.

So this discovery happened here and snort okay, not in your Cisco ASA operating system, just you need to know that where it’s running. So it’s running in your network discovery is running in your snort part. Now, when you enable discovery policy, so it can tell you host profile, it can develop a host profile, that’s the beauty. Suppose you have a host which is running Windows seven, so it can tell you how many builder ability are there in Windows seven, how many services are running, which protocol they are using, which application they are using, which port are open and which port they are using and what is the operating system. So they will develop and build these things automatically for you. And it’s very good if you know how about your operating system? The venerability related to that operating system, the services they are running, the protocol they are running, the application they are running and what is the name of up operating system?

So it’s very good. So it can do such thing for you. Now, the thing is that network discovery is there by default if I go to FMC and if I go to policies so we were doing policies, yeah, we already done access control policy, we had done Malware policy, we had done DNS, we did an SSL and we done Prefilter policy, this is our target intrusion. But before that policy, there is another policy, network Discovery, which we are doing right now. So if I click on network discovery policy, let’s see what is there by default. So if I check here by default, every network is there to scan IPV four and also IPV six for any zone and for any port and any destination and it’s only discover application if I add it. So everything is there, every zone and every port, but it’s only doing application by default, no user activity and no host discovery. And if I click here there is exclude as well.

So you can create exclude policy as well. If you want to exclude, maybe you have a sensitive network, you don’t want to scan them for some reason in some other way. Discover means to discover and tell you about that network, that host, that user, that application, that port and exclude means to exclude them this network, either these port, either these application for some reason. So it means by default it’s not okay for us. Because we need to know about the user and operating system as well. And also scanning everything. We don’t need everything. Zero. Zero means everything. We don’t care about the outside network, we only care our enterprise network which we are using the inside private range. So this is the default situation. So there are three things which you can do. It’s network which is related to your IP to discover users, to discover user in advance. You can change so many things if you want to change other options as well. So I show you by default is application only and for any network. And if I click here so there is zone and these things okay. And if I go there, so there is networks then users from where it will get users detail so they can use all these things.

LDAP means the active directory maybe pop three, maybe Sip, maybe FTP, Http they will use all these protocol to find out about the user. And then there is some advanced option as well. Okay suppose network discovery, data storage setting. They say windhorse limit reach. So you know for every firewall there is a limit. How many user they can find out? Maybe 10,000 20,000 is dependent on your FTD, how many they are support? Maybe 10,000, some of them support. So what action you’re going to take if it is reached. So these sitting can be done from here. And general setting you can update interval times is 3600 2nd if you want to change those value. And here is some other issue variability related and indication of compromise sitting if you want to change something. So these are extra detail if you want to change. But by default it’s okay. The maximum we can do to capture banner detail as well. We can enable this one. The only thing which we can do and these are definitely up to you how many hosts in your organization and how many support it will be mentioned in your data sheet of firewall. That how many it can support. So you can drop them either you want to replace in whatever action you want to take. So these are the three tab. And the second thing is by default here we can create rule to our own for host, user and application as well. And the network we can define from here as well. And we can create our custom topology as well which we will see. And also custom operating system. Maybe in your organization you are using some operating system which is not recognized and discovered by this application. Maybe some customized operating system you are using. So you can put their signature custom as well. No this application, this operating system is this. This application is this one. So you can create custom as well. Operating system detail maybe some operating system which is not recognized by discovery so you can do customize as well. So that’s the thing. Okay, so then here is by default network any and it allowed everything. We can create our own object, whatever our local subnet and enterprise network we are using normally we are using private ranges, which is 192, 168, either 172, either ten range. So you can click and you can use those objects and if you want to be more specific, create your own object. That 192. In our case we are using 192 168 to one network. So I can create object for my lane and I will only say scan these things. Okay so the same thing is here, so it’s up to you which one you want to utilize and you can add and remove zero zero which we will do in the lab I’m just showing you and also we need to enable host and user as well. So in this way it will scan the user activity and host as well. By default is only scan application. Okay. And zone. We will leave any any and port exclusion. If you want to exclude some port so you can but we don’t need. And also we can create our custom operating system signature so we will see in the lab as well. And also we can create our custom topology. Topology is nothing, but it will show you step by step your network. Maybe DMZ zone, maybe Lane zone, maybe land two zone, maybe by V lens.

And you want to create separately, so it will help you to recognize your network quickly and see how many user are connected and their topology so it will help you in that case how we can add, we will see here and we will enable this topology capture. We will enable so capture related and then we will deploy and then we will generate some traffic and then we will see from the there are so many places to verify if we go to analysis. Okay, so from this host related network map host, indication of compromise, application detail server, host attribute, discovery events, venerability and third party vendorability. So when you enable discovery so you can find out all the detail here which will help you to recognize application, host, server and all those stuff easily. So this is the host one and then the indication of compromise one if there is any compromise application or something and then you can check which application is running in my network, which server is running in my network. So you can find detail, host attribute, you can find out and discovery whatever they discover, it can be their Mac addresses, IP addresses, events, operating system and so many details you can find out from here and network map which I was talking about. So 192, 168, network two, network three in this way it will create you a separate topology for you and when you click how many users? In this case, three user here, four user. And then when you click, it will show you all the detail. And also from events, it will show you this computer icon when you enable Discovery.

So when you click on that one it will show you more detail host profile about that one it will be like this one so in this way you can find out more detail about the host so it can help you in this case. As well. Discovery. Okay, so host it will host operating system related stuff. You can see indication of compromise if there is anything malicious or anything wrong. So it will show you here in this application related to any application. Is deducted. Maybe http https whatever you use the application and application detail, it will mention you more detail and also web related application. You can find out an application detail window and server. It will show you more detail. About the server type operating system application and so many other detail will be mentioned here. Host attribute it will give you more field even though there is host, but it will give you more detail to see more about. The host okay. And discovery events it can be many, many things it will show you okay. How many things are see first time what is the detail operating system so you can find in detail events and discovery events and there are so many other which you can easily find out so this is called network discovery policy so we will tune the policy by default it’s not good one. So let’s see a next video how we can configure and how we can customize our network discovery policy.

51. Lecture-51:Configure and Verify Network Discovery Policy Lab.

We know about network discovery policy and how it can help us to figure out what is going on in your our network, related to application, related to horse, related to operating system and all those stuff. So how we can do so this is our topology, we have FTD, this is our internal network. This FTD is already registered with FMC FTD IP is 100 200 and this device is here, so we already know how to integrate this one. This is 200 and routed mode is deployed and we have some external server and some internal system. Internally we are using 192 168 to one network, externally we have 1114 network. So let’s go to policies. We were doing policies. There is another policy network discovery as we discuss and theoretically by default discover everything and only for application. So we will modify this one and we will remove this one from here and this one. And we can use all IP for all private ranges there are three object, those three objectives 192 168 private ranges, you already know, 172 range and the third one is 192 168 and ten range. These three range and normally in every network, 99 person you will use this network. So you can use this object and you can use our internal. This one internal is 192 168 one which is our one, so you can be more specific as well, it’s up to you. And there is by default as well. These are the three which I was talking about, ten range, private 172 and 192 168 which you now you will see normally and every network. So the one which is related to us is this one.

So I can be more specific, I will say 192 168 and 16. So 16 means the third and fourth digit can be anything. So it’s cover my network. So I will use this. And also I can create my own object as well. More specific anyway, you already know. And also I can enter directly as well. Here, type and edit. No need to create object. So I delete. Zero, zero. Okay. Zone can be anything. I don’t care. And port exclusion, I don’t want to exclude any port. If you want you can type directly related to TCP, UDP or ICMP, whatever. And also there is predefined and this is discover, not exclude, as I told you, you can exclude as well and I will enable host and also I will enable users and then I will save now, so I modify this one now it’s enable all three and also only to scan my network, okay? And from here I will deploy this one so that I can push this policy discovery policy to FTD okay beside this one until it’s deployed let’s go to policy network discovery policy. What else I can do? Next thing I can create my custom topology so it will help me to show us everything in customized way so I can say custom topology. Click on that one. Okay. And there is no topology by default to say create a topology. Topology is nothing. But in our case we have only one network. And maybe you have DMZ, maybe you have other network, maybe you have separate V lens. So you can create a topology. In that case type the name. Suppose I say test topology topology, okay? And you can type description if you want and just add a network here. So you can type. Suppose in my case lens subnet and my lens ofnet is 109 216810 with 24 subnet mask, okay?

And if you want you can add another network. Maybe you have a DMZ and DMZ subnet is 109 216820, okay? And here I will say 24. And maybe you have another subnet as well. So whatever you have, you can add them here. Maybe you have a server VLAN, different server len and maybe that one is 109 216830 with 24. And this way you can add your all. But the one which is related right now is this one. So my topology name is test. Inside test we have three things which I add and save this one, okay? And that’s it. So I save them, but by default is disabled. You just need to click here. Either drag them after a while it will now it’s on. So this test topology I created, it will help us to show everything in order. Okay? So now network discovery. And let’s see now. Okay, so this is our network discovery and this is custom topology. Let me go there. If it is done. No, it’s still pushing. Okay. And there is another thing, custom operating system. Maybe in your environment right now we have window, we have Linux and I have Kali Linux. So I will generate traffic. So this FTD will recognize them, they will discover and they will say okay, this is Kali. Maybe you have operating system which is not recognized. So you can create their signature automatically. Custom click on custom operating system. I’m in policy and network discovery, okay? And here you can click create custom fingerprint fingerprint to find out like a normal. So here the devices that’s the device you are using this firepower management and fingerprint name maybe whatever you want to know ABC. Okay, description it is server or client. So you can put the detail and target IP. What is the IP? Whatever. Suppose I want to give this one, okay.

So you can put all the detail and source code. Maybe you want 23 or whatever and source address, source subnet mass you can put in custom operating system display. So you can put the vendor maybe vendor is this case Cisco or whatever. And they can find out. So you can put their detail product string and version. I don’t know what is the version update, but basically there is router. Okay? And vendorability if you have and then you can click and create maybe in your environment. Most of the time it will figure out automatically. Source. Okay, they’re asking Source IP, and those are detailed, so let me put Source. IP and subnetmark. Just to show you if suppose there is a device which is not recognized, which I will show you from the logs as well, but you can do it from here. So I create with ABC whatever. So let me go to network discovery now again. Okay, so we have done three things. We modify this one if you want to exclude something, so you can create extra policy to exclude some subnets or something. And we create custom topology as well and custom operating system fingerprints as well if required. Then after network there is users. How they’re going to figure out users? So suppose you are not using pop three so you can edit here. There is no such way. We are not using pop three, so don’t use this one to capture the detail. You can save it in case most of the time we are using these in our network. So in this way they will check for these to figure out the user’s detail to create a profile in advance, as I told you. And theoretically, you can modify just click on this one.

Okay, suppose I want to enable this one. So you can do enable disable and you can change the value requires mentioned here general setting what we don’t need suppose there is a conflict between the setting so what action you want to take automatically? Reserve is disabled. Either you want to reserve. Maybe there is something wrong and the conflict is coming. So so many other things you can do it from here and let’s go back so it’s deploy. But we’ve done topology as well, so let me deploy this one and after that time we will check the other stuff so let me deploy again because we change we also include topology as well so now how we can test so let’s generate traffic from PC one, which is a window PC. Okay, test one, two, three. And let’s go outside for some traffic to generate some traffic to see that Firewall will find out about this system or not. So let me go to ping eight eight. And let’s generate some traffic related to let me see, my IP is okay, or not IP config. So I’m 120 and this, the firewall is my gateway. Okay. And let’s see now, let me generate some http traffic as well. So Http traffic I will go to this external server. One, one 4251. Okay, this one if there is something I don’t know, there is or not. So 251 and also let me go to some other website. It’s not necessary. Facebook. com. Sorry. Okay, so this one is not working for some reason. But anyway, let me go to Facebook. Okay. We are using SSL. You know, last time we enable SSL policy. So what can I do to remove that one? I need a certificate. I did not push that certificate here. So if I go to access control policy, you remember we use that policy so let me go to our main policy okay and let’s go to SSL. So yes you are using SSL policy so I will say none, okay just to disable them for a while other I need a certificate to push to that window, last time I pushed the certificate only to window ten so that’s the issue so I remove SSL policy, you remember? So now let me deploy again even though it will still work every time it will say that okay, still process is going on okay? So that’s the only issue by the way this one has to work.

So let me see, this server is running or not? Okay, so yes, it’s running. And what is the IP of this server? We can access this one f config ethernet zero. So yes, it’s 250. Okay. Not 251. So I put wrongly is 250. So I access this external server just for this purpose, to generate some traffic. And I do also ping. Okay, and now let’s go to Kali Linux and generate some traffic from here as well. So let me login to tour is the password root and tour okay username and password opposite and let me check my IP address first so it can be accessed by Fconfig. It’s 130 and let me ping outside and let me access this web server as well either any other website outside the network because due to SSL policy it may give us the certificate error but it’s okay. So let me open a browser and see from here as well. It’s better to access this server, the external server. So 100 and 921-681-1425. Okay so it’s again http traffic and we can go to Wikipedia or something. Okay? It will give us certificate error so we can still continue because of SSL policy we are using. But it’s okay. So I visit Wikipedia as well. And let me minimize this one. So two system, two different window and this one, this is also Ubunt to Linux or something. So let me generate some traffic from here as well until the policy is deployed as completed. But we change something.

So let me deploy again. Okay, let’s device deploy deployment, refresh them so it will show us again because we remove SSL policy so it will not show us that detail. So let me deploy again and until that time we’re going to generate some more traffic. So let me go to this docker and let’s generate traffic from here. Let’s see how they can find out about this PC. So it’s one one and let me ping it at eight. And what else I can do, let me go to some external website, okay? And let’s check out 192, 168, 1114. So I access this external server and let me access some Mozilla or something. So accept and let’s see. Okay, done and let me minimize so three different things. Let’s go back to here and go to events first, there are many places I will show you right away, but let’s start from here. You see now it’s showing us this computer icon. This is due to discovery policy. So when you click on this computer icon, it will show you host profile and every detail of this user. So this is one one one was this one. So what they say about one one where is minimize. So let me open open again. Okay, so let’s see what they say about one one so they say one one is native device definitely is native device is the IP detail and they say this is a Linux you want to and it’s true. Okay, so this is the system which they recognize them maybe they say this is a Linux. Okay, and these are the thing which they are accessing yes, we’ve done Http and we access Https as well. So they found out the application which we run by the way, ICMP is not there, so it should be somewhere AI. So it’s a ICMP.

We run ICMP, we use TCP, we use UDP and we use IP. So you see all the thing they can show and they say what the vendorability? So they say these are some venturability related to this host and also there are more venturability 172 and more detail. So it’s built a complete picture of this system and they give you all the detail from Mac address, IP addresses, netted or not last year when last we seen them, this device and what is the operating system, what is the hardware detail? Operating system, product operating system, version, source from which is coming, which application they use, which vendorability they have, which protocol they use. So they built a complete host profile. Second one which we use is still one. So let’s go to second page and because we generate some traffic from Kali Linux 130 and also 120 window so let’s go to still one one. So what we can do, we can customize our search. It’s better to search them by quickly by IP. So let’s see Kali Linux, what they say about Kali Linux operating system. So I copy the IP and search and I will go to network and I say initiator IP is 130. Just show me detail about 130 rather than everything. So let’s see what they say about this device and let’s go to this 130. Okay, so in 130 there’s the Mac address. You can verify this 130 an operating system is you want to as they are showing. If something is wrong, you can fix it, you can edit them. And again we’ve done Http, https and again we went to Wikipedia for Https and we went to Http web browsing to using Firefox they are showing and ICMP yes, is true. And there are variability detail. Another one was the window one. So let me edit the search and window operating system was 120. So let’s change this to 120 and search again to see about the Window operating system.

Okay? And it’s 120. So let’s see now what they say about the window operating system. So this is the complete 120. You can see Microsoft this time and this is Window. But the operating system can be windows, seven windows. Okay? These are the protocol which they use, they use Google, they use Facebook because we went to Facebook and all those protocol and everything which I told you not only here. Now let’s go to analysis and this complete things they will show you and provide you all the details. The first one is network map. If I click on network map and analysis so that’s the network map you remember I created that’s the topology I created. I say LAN so NLN only three user, but another one is not there because we are not using two network but n one 9168. They say there are three user 1120 and 130. Yes, all these three done communication 110 is not there because we did not use this PC. Let me start. So their detail is not here in topology. They said three system from your topology lane subnet which is 192-1681 dot zero. They visit some places and if you want to see the detail, click on this one. They see 120, it will show you the whole topology. Yeah, so look at now every detail about that user is here and then 120. So 120 was I believe window operating system. So they will show you that there’s the operating system and all those and 130.

So you remember why I create a topology. So in your network you can easily go maybe you have DMZ, maybe we’ll attend 2030 to create a topology with some division so you can quickly jump into right now I’m in lane subnet other are not showing uncategorized this one which is not anything there because we did not include this one in our topology. But we include 1123 which is not showing because nobody generate any traffic from those. Okay, so this is the topology which you can see a lot of things and you can edit them as well. If you want to edit that operating system is not this one and specific operating system. So you can say that, okay, this is the operating system, so it should be the area whereas which one I open, I need to open window because I don’t know about this Linux one that which exit window is this one? Suppose this one just to show you and you can change the sent us Linux which operating system, which train and you can mention and then finish so you can change the detail. Let me go to vendor one. So it will be easy for you to understand because I don’t know exact operating system of the Linux one. But I know the window one. So now you can edit operating system. So rather than to show you all you can say that the operating system is Windows seven. And even Windows seven I don’t know which is the home edition or professional but whatever. I will say 72 that this one and you can finish them. So next time it will show you about that operating system. Windows seven only and 32 bit it’s now changed. So next time they generate something. So it will show you that the operating system is Windows seven. So in this way sometime you have to manipulate. You can change so it can give you a good result. Okay so it’s done. And there are so many things by the way, I don’t want to go in detail just that you get the idea network map then host it will show you all the host detail which we study theoretically. So these are the host summary of operating system name. So we were using redhead. We are using sent us. We are using Redhead Ubuntu and Microsoft. And Microsoft we are using Windows Seven and other are enterprise even though it has to show us Kali Linux which is coming under you want to buy the way. So it’s mention operating system if you know the summary of version. So it can show you the version as well. And how many count. You see window XP, Windows server and all those things if you need more detail. So it’s about operating system detail.

So it’s here and also in table view you can see and you can click and get more detail as well. Anyway and host as well. You already know you can click and see more detail then indication of compromise. If there is anything which this PC compromise it will show you I need to generate a take to show you. But anyway you get the idea if I attack and do something. So it will show you here. But anyway nothing is here then application which application they are using. So it will show you all the application. Look at we use SSL, we use Google drive. We use mousena, firefox, facebook, Microsoft, Wikipedia and yes we visit all these things. So it show you all application and how many host using this Google drive. Because when you click on Google search will show you Google drive as well in more detail about application detail. So you can go to and you see S in more detail now even S application but application with client version application and table form and host all those details and more. If you want to search more then server again the server side all these details will show you. So it’s only showing you Http because we access this server Http so it’s showing us their detail. Okay and then the version and vendor and all those detail host attribute and more detail more column and more detail it can see. So now these are the host IP, which we use with 250, we use 10 one, we use 131 20 and they are all detailed and there is and then Discovery events. So this is allocated all related to Discovery. You see operating system, IP address, Mac address, vendor, all description, time and all those stuff can be found out from here. Then vulnerability, if there is any vendorability and those devices, so it will show you.

So yes, we are using Windows Seven, there are some vendorability and Linux and all those venturability are here. So it’s very good here, discovery, it helps you a lot. And third party venturability, if there is any third party venturability, so you can figure out. So no, there is no third party, but the normal venturability, a lot of there. So you can fix those that in my land there are many vendor ability, you can create a report as well. Last but not the least, if you click on Analysis and Context Explorer here you will find complete picture and graph related to this discovery so there is no indication of compromise indication by host and let’s see okay here is operating system so we are using window because I fixed this one so it’s showing properly. There is Windows 732 window this one. And we have Chrome operating system Linux so it gives you a complete view. I told you our discovery will provide you all the detail to find out how which operating system are used in our network and it will help us in intrusion policy and other policy so that we can exclude those operating system which is not in our network. So it will help us to save process and CPU. This is by source and traffic by destination. And all those details you can see from here, these are now application detail. We use Google drive their risk level as well. Google and also these things Facebook we use just to visit.

And then we use Http, the outside network. Okay. This is related to security intelligence we already done. This is intrusion, which we will do a bit later. And this is the file information we already did. File policy. As well. And not only these, you can go to where view, which we will do later in the course so you can find many dashboard related to all these activity. This is discovery statistics. Okay? Discovery performance. I don’t want to go in this one because we will do at the end how to make a reporting and everything. Okay, so you can find out many detail here as well. But at least it’s clear to you from here. And also from here to here. And Visa has helped us to develop the whole network detail. So it’s very helpful. And this call discovery policy. Okay, so let me go quickly. I don’t think so. I missed something. Let’s see this done. And we create custom and also topology visa.

• Category: Uncategorized