Cisco CCNP Security 300-710 SNCF – Cisco NGFW Firepower Threat Defense (FTD) Part 6

36. Lecture-36:Configure and Verify Custom URLs Object Filtering.

So now what we will do as I told you, you can use predefined category, classification and other stuff. And you can create your custom URL as well. Maybe for some purpose you require to create your own URL to block them so it is possible you can create individual your object you can create object group you can call them directly as well. Object is just container it will help you to reutilize them. But you say no, I just need one time. So you can do one time as well. So you have three approaches. You can create object you can create object on the spot too. And you can directly put any URL. So let’s do all. Together. That how we can block our own custom URL. Suppose one of them I will block Twitter. Second, I will block Facebook. That I will block a flicker. Suppose so. I want to block all these three, but differently. So what we can do you need to go to object and create object first either object group so how we can do we will discuss object group in detail but right now we require so what we can do go To Object And Object Management. And Here Is A Lot Of Object Which You Can Create. But Right Now, The One Which We Need Is URL. This Is Our Today Topic. So URL. So I’m Here By Default. There is nothing what you can do. Click on this button and it says aid object import object. You can import them as well and you can create group. So let me create a object so let me create object here. Is object and let me give them name twitter and here is the twitter. com that’s the URL I give them and save so this is the first way first you need to create object it’s up to you can create so many object. And then you can create a group as well. Let me show you. If suppose you say that group social networking group so I have only one object. Let me add that one and it will become a group.

So more than one object, you can add them here. So you can create a group of object as well. But right now, I don’t need I just need a single one. So let me delete this one. But it’s also possible. So my custom object is here. It’s created and it’s available. Now let’s go to policy. I told you last time when we were doing policy, everything on the five policy will be integrated. The GS policy let me go to policy intrusion policy malware policy DNS policy identity policy SSL all them will be integrated directly, indirectly to access control policy so now I’m here this is our policy allowed all which we created for test purpose. So what I can do, I can create a new rule. Add rule. Okay. And here, give them a name. Suppose it’s coming, so it’s better to give them that name. Block. Twitter. Let me put something here and here. This is the action which we discuss block. I want to block and where I want to put this rule. So before below. So let me put them above one. Because allowed all will be at the end. And you need to put the block one before from where to where. So zone is from here. And destination is outside network. You can choose your local network. So I have inside subnet which is this one inside subnet. What is our subnet? Let me see. Our subnet is one. Okay. And here I put ten. Let me see inside maybe it’s one here inside it’s one. But by mistake I typed this. So I thought so let me put this one as a source that from my inside zone we do need Vlantek user. We will do a bit later application we will do separately. Port we will do separately and auto data pick as URL. So now I’m here.

So in URL we have categories and URL and reputation here which we will do a bit later. Right now our target is URLs, custom URL. So the Twitter which I create their date object is available here you can see and let me put them here. But what about I told you that there are three method. So second method is you can create here as well. Just say new URL object. So the same window open. Let me type here facebook and let me type Facebook. com and save. So rather than to create there. Now facebook is here. Add this one two method to block a custom object. Third one is I can type directly here. So the third one which is related to so let me type flicker. com directly. So what is the difference? These two are object which you can call them again and you can reuse them. But the one which I type directly as one time, there is no object for this one. So I can create a custom object three different way. And the spark from here they are an object and I can type directly as well. The last thing I will enable logs so that I can see logs and events and aid. So my custom rule is ready which is on the top before allowed all because these policies are checked from top to bottom which we discuss. So three URL, Flickr. com, Twitter. com and Facebook. com which I want to block. And I enable logs only here. That’s why this one is enabled. And you can save this one. By the way, the Facebook which I create on the spot will be created automatically there when you go to objects. Suppose if you think it will be there or not. And if I go to URL so Facebook will be there, facebook and Twitter. Now you can create object of these two object group to make them as of one rather than if you have so many. So you can create and make a group as well. So now let’s deploy this one. So whatever I don’t change is now I need to push this to FTD which we know what is deploy. We discuss in detail this one as well, okay. Because there is a long break so you may forget everything. So here is let me push this one. And this is our topology. We have two external server, 251 and 250. This is our internet. Outside we have one one 4251 and inside we have two 1251. And this is our management. Inside. We have three PC. I can use any PC to test these three custom URL. So let me use a docker.

So I click on Docker. You can use Windows system as well. And before apply let me see supply or not yet. So you will access Facebook. com. So we can see I hope so Facebook is working and Twitter will also work. Before policy is not yet pushed. Okay. It’s still a person. So you can see Twitter is also working and Leaker. com will also work. Okay. So you can see Twitter is open and Facebook is open before apply and I don’t know what is the exit. Flicker, I think. So yeah this is the correct name. So flicker is also open. You can see. And now after the policy when it is pushed to FTD, because I told you, FMC just provide you an environment where you create your policy and everything and then you push to FTD because traffic is going from here rather than going here. So that’s why this PC is sending the traffic and the way FTD is there. So now let’s see what after apply the policy. Then we will check these. Okay, last time we had done https http banners, you remember banner. So it will show us the banner if you revise the previous class. So what we done, we change the banner. We put our custom banner, I believe. So this Http response is yeah, so we have custom banner and we can see that’s the custom banner. I told you I copy from internet and we create our own banner.

So when it it is blocked, so it will show me the custom banner. Because there are three method. Two methods, sorry. System provided and custom. One, system provided. So the interactive block is system provided. And this one we change. So I believe it will show me the new banner. If it is block, let’s see it is block or not. So let’s go there. So still it will take two minutes more and then we can test them these websites. So let’s go and make them ready. So what I can do if I go to private because I already access them, sometimes they are taking from there. So let me type http and Facebook. com okay. And next I will type http www sorry Twitter. com. Okay. And the third one is http liquor. com. Let’s see a supply or not. Then yeah, it’s done. So now let’s check out. So let me enter this one and see what we can see. Okay, so because I enter wrongly, let’s see, check out this one wrongly put the name. So because I put Https when we don’t have SSL policy. So let’s see, and this one is Facebook. com. And let me type Http rather than Https twitter. com. So this one is going and let’s see, this one is not. So Facebook is blog even though it’s not showing the banner, it has to show let me close the browser sometime. It’s in history, so that’s why and let me open the browser again. Okay, and let’s type again http twitter. com so this one because it’s switch over to Https, then it will pass because we will do SSL policy and then http facebook. com. Okay, so this one is not going I believe, sorry Facebook and for some reason, so why not? It will run in this one, let’s check out in okay, this one has not started so let’s check out in window. Because I have internal three system, I can check from anywhere. So now I’m here and let’s type Twitter. com and see. So maybe I put the spelling wrongly, it can be possible. So let’s go to our policy and we block three things and let’s go to our URL and okay, we need to check from object because for this I create object and also it’s not going to display it’s good. And then the third one was flicker. So http flicker flicker. com. Yeah, this is the banner.

This one is okay, so it’s show us the banner at least last time we changed the banner face say excess deny and we put this all banner detail and for some reason for this one it’s not showing some time because it’s considered them as Https. And the third one was Facebook. com. And let’s see. Okay, so it will show you the banner like this one if you have SSL policy and everything in place, so it will be good. But right now we are just testing. So this custom is being denied. How we know it’s been denied. So what we can do, we can go to analysis and go to connection events. Okay, and let’s verify from here you see block and which thing is blocked. You can see Facebook. Say Facebook URL is blocked. Here is this block. The second URL which they block is this one. And this one is let me see this one. Internet Explorer is used. Yeah. So it’s flickr. com, you see? So it’s true that they block these two because we create our custom URL to block them by three different method. So let me go back. So here we can create object if you go to object URL and you can create your own object and also you can type directly as well. And then we create any name and then you can call that object here and also you can type here and also you can create from this plus button as well, okay?

And then the policy is ready, then we deploy them and after that when we test them because it’s the default one right now is showing us different banner. Last class, if you remember, we change our banner. So that’s why our banner is showing differently. And then we went to connection events and we verified from there and it’s block is showing us block. So this was a custom way which is a difficult but in case if you require maybe sometime it’s required. Suppose you block social networking but your manager say okay, social networking is blocked but just allowed LinkedIn. So then you have to create custom profile. Either you allowed everything and your manager say block only Twitter. com. So again you have to create a custom policy, maybe some website which is not categorized. Again you need to create a custom policy. So there can be many use cases. Keep in mind to create a custom URL and I told you one time as well and you can create object as well and you can directly put the URL as well in excess policy to block them.

37. Lecture-37:Configure and Verify URL and Web Category Filtering.

We will use category and reputation to block URLs either website. So we are using this lab which already here. This one, the same lab. Okay, we have FTD inside our gateway is 1254, outside is one, 1425-411-4254 is a public IP in our our lab. Otherwise it’s also private IP. We have two external server for test purpose as well. Okay? And our FMC is here. So management is 100, 201 hundred 210. Inside we have three PC for test window, PC, docker and Linux. You can use any it’s okay, not necessary to be used docker and something. Okay, so this is our lab. Now, this is our requirement block with reset because we discuss what is block block with reset, interactive block. So why not do differently action. We need to take block with reset and we need to create category games, gambling and malware. We need to block this for lane subnet. So our land subnet is one and we want to block games, gambling and malware for these land user. First let me check lane user can access everything. Yeah, because there is no restriction. So if I go to any game website, suppose games@yahoo. com, there is also games. So it will work, there will be no restriction and I can access games either, any malicious website, any other thing because there is no restriction from firewall and also I can streaming, I can check Youtube. com, it will work straight away. So let me go to Youtube. com. It has to work either any other website. But we normally know YouTube so it’s also working. Also you may think that how you know that YouTube is coming under streaming. Okay, so I told you there are two way to check out. One of them is to go to Bright Cloud. Bright Cloud from where they are taking every category and everything. This one you can find out here that Youtube. com and because we use this in Paul Walter as well and it says it’s coming under streaming media. This one way another maybe you don’t have access for some reason. So what you can do, you can go to overview and not in analysis I believe there is to check them. And if I go to network there is URL checking as well I think so, this one, yeah, yes, this one.

So here you can type suppose Twitter. com, Facebook. com, Flicker. com and so on Youtube. com you can type so many and search. If you have internet access from FMC, it will show you, it says URL belong to social networking. Flicker is photo search and images. Okay, type wrongly, twitter is social networking and YouTube is streaming videos and it’s trusted reputation because we discuss about reputation and you can export them as a file to open in Excel. So don’t worry if you don’t know the category and manager to you then suppose if you want to block some website you need to check here. You can come here analysis and here is URL and you can type and also you can go to Bright Cloud which I show you from there. Okay, so this point is clear from where I can get the categories and reputation, then interactive block. What I will do job search. Interactive block means that it will give you a button. When you click on that then you can proceed. But in block and block with reset it will block you. You will not access that website block, it will simply block you. Block with reset. It will reset the TCP three way handshake. If I remember, I will show you from wireshark as well. And the last one is high risk reputation base. So these are category and these are reputation based. So this is the requirement of the company. They told me to block all these things. Okay, so let’s start what we can do. First I need to create a policy separately for all these. Okay, so let me go to policy access control policies. Edit this policy. We have allowed policy keep this one because at the end it need to be allowed everything and add rule. Okay, and here the first one. Suppose cat one, category one. Suppose I give them this per simplicity. So the first one was block with reset. Yeah, block with reset. So take action block with Reset. And put this above rule one. Because you need to put the block all block first. It’s like an ACL we discuss here and we don’t want to put any time range.

Maybe you want to allow four to nine or you want to block four to nine. So you can put time range as well. From here you can create. So I say block with reset. And this is category one. The traffic will go from inside to outside and from LAN subnet, this is our land. Subnet as a source, destination can be anything. And this is our target URL. So what was the category? Category was game, gambling and malware. You can easily search here games. So this is game and add them to loop. Second gambling. So this is gambling and add them. And the third was I believe malwareia. So let’s go to malware. Here is malicious. Either malware or malicious side. It’s up to you which one you want to choose. And add them. Done. But the best thing is to allow logs so that we can see in the event which we will check at the end. They said what else we need. That’s done. And add this rule. So category one is done above the allow all.

And now let’s create a category two. So let’s say K two, okay? And put this rule above rule two, this one. So it will come under K two one. And what is the next thing next? Again, streaming and shopping. It has to be block. So take a action block. Okay, maybe you are thinking what is the difference between block and block with reset? End of the day is block. So yes but the best approach you can save block with reset. So it will reset the TCP three way handshake. And maybe in block it can be connected for some reason the TCP three way handshake. And there are many attack which can be done still. So end of the day there is no huge difference. So what is the action block and where I need to put. So there’s above rule two and from inside to outside. And from our net subnet to anywhere. And here is so what is the category? Category is streaming and shopping. So type streaming which we discussed. There are many category streaming idea video. Anyway we want let me put both by the way. And what is the next one? The next one is shopping. So shopping here is shopping.

Okay. And then go to logging and enable logs. And eight. So category two is eight which is streaming and shopping to be block. And this is block with reset. Now let’s create a third category which they are asking interactive block and job search. So choose here interactive block. And here Kate three suppose and you need to put above this rule three. And from inside to outside. And network is our lane subnet. And URL is job search. Here is and put job search. And then go to logs log at the beginning. Okay. And aid. Okay. So Kate one, K two and kit three. Now let’s go to the third one. They say block with reset anything which reputation is high risk. Okay. So what we can do add rule and this time get four. And here is I think so it’s block. So action is block with reset. So block with reset. And from inside to outside. And from land subnet to anywhere. And this time I don’t need category. Because we need to utilize reputation as well. So second thing is we already done URL as well. So all these three thing is used. Now here is reputation. So I will say any and then reputation will be on. So we have five type of reputation. High risk. Win means untrusted. So if I choose this untrusted which I told you in the layer before. Okay. So only it will be deny. Because we say block. So all high risk. It can be added, it can be advertisement, it can be social networking, it can be job search, website, anything which coming. Because every website has reputation as well. Which I told you. And you can see from here. Let me show you where is the here is showing you web reputation as well. This the 81 YouTube undercoming. So every website has their own reputation. So if it is coming under untrusted. So it will be block automatically. Even though if it allowed. Okay. So this logs in aid. So now I have okay, by mistake I put category here. So you can drag them as well.

It’s okay. So category one category two, category three, category four. I just give them these names. These are just name but it has to be in the sequence block before allowed. So game gaming and streaming and all these let me save. Okay. And now we need to go to deploy to deploy this and choose your FTD and deploy. So it will take some time to deploy. Then we will test them. But I test before everything was accessible. So everything was accessible. Now after deploy these one. So we’re going to test them that is okay or not. So let them deploy. And here we will use our system. Yeah, we will use this one. It’s okay, let me open a browser. Okay, now let’s see. And here, let me show you which website we block games and also we block gambling, malware, streaming, shopping and job searches, interactive block. So other one we will access a different banner for block with reset and block and block with reset we will get one banner because we have two type of banners which we discussed last time. But for interactive block we will receive a different banner, keep in mind. Okay, so now let’s go there. Okay, so still pushing the detail. And here we will test them. That it’s block or not. So we’ve done this one. Here we create a categories, we enable logs, it’s important to check them. Then we block high risk. And then again we allowed logs. Okay and this one and enable logs. These are our category. You can give them any name. Here the name are different. Okay. And then we deploy them. And here you can see if it is deploy. Then this is verification. For games, we will check games@yahoo. com if it is denied, so it’s okay. For gambling we will check gameplingcom there is one website for malware website BJ four we will check and for shopping amazon or Ebay or something we will check. Okay. And for job search which is enterictive blog we will see monster either so many other website buyth or something. And then we will check the logs. So we need to verify this one.

So now let’s go and see if it is pushed or not yet. So it’s almost done. And after this we’re going to test them one by one. So it’s completed. And now this is my inside system. The first thing we’re going to check games which we block them. So let me type Http and games@yahoo. com. It was open before, now let’s see it’s open or not. Okay, so it’s open. Maybe we need to check them either. We can check from window PC sometime because it’s due to Http, you know where is window? This one. So let me close this browser and open Internet Explorer again. Okay. And now let me type Httpgamesyahoo. com and see. So you see Sdni because block and reset and block both, you will get the same banner. I told you. Next thing we need to check games is done gambling because we block gambling as well. So let me type Http and gambling game sorry and enter. Let’s see AI is also blog. So two things, games is not working, gambling website is not working. Third one, we testify we go there so it will be AZ. So for games we check for gambling for malware from malware there is a website for malware http BJ four. com there are so many but one of them is this one. If you need the list, I can share the list as well so it has to be block as well which is coming under malware so it’s going so it means something is wrong. It’s go to http. So let me type them httpbj four is correct. It needs to be blog for some reason I need to search another website but anyway let’s go to now streaming. So streaming is also blog so we’re going to use httputube. com youtube. com let’s see if it’s block or not.

So it’s also block is a good news and then from streaming shopping shopping we’re going to check Amazon so let’s go to Amazon and enter. Okay I put wrongly, so let me type Httpzone. com. It’s also denied so it’s okay. And the last thing is job search. Keep in mind job search is interactive blocks so it will be allowed me but a banner will come now you will see so let’s go to another and here I would say http for job search I will use Monster. com. Monster. com? Yeah you see it’s a different banner, it says deny you are attempting to access for bidding site so it says continue. So if you click on Continues you will go to Monster. com because of blog sorry, interactive block. Interactive block it will show you okay and also we discuss in Palo Alto as well there was a password as well, you remember. So in this way you can go so this was interactive block and the last thing high risk anything which coming under high risk website like a malware website and it can be anything, it will be blocked. Now coming to how we can verify this one so far verification. Let’s go to analysis and there is events. Okay and we’re going to check from here you see interactive block, there is interactive block. Interactive block and there should be block as well. So if I go to next page because in the middle many things are excess so that’s why you see block and if you check from here, Amazon was blocked. This is the URL of Amazon which has been blocked. Okay and what is else? We block other thing as well I believe.

So let me go to first page again. Okay so some of them is block, some of them is interactive block. So you see this interactive block was the monster I believe yeah so we job search URL category is job search and here is a URL is this one we are discussing URL. So it’s here and this is the category job search. Okay, and what else? Which is an interactive block is this one. So let’s go to this one. So this one is also Monster. So monster is block which is coming resty category, sorry URL. And this the job search category. Because job search we say interactive blog. Okay. So you can verify from here all the stuff. So let’s go to down from what else we can. So this one verification we done at this one. Okay. We went to connection, we verify from there. And YouTube like you can see from here as well. So streaming media is mentioned here. Some of them is and these are the category name if you want to check category name. So the category which we give them, this is the reputation, you know, five reputation just mentioned, trusted in all those things as well. And which is our there should be our category as well. Let me see because it’s a huge file which you can check. So our reputation is not showing us our name. It should be here somewhere. So it’s okay. But this the reputation, this URL category is the URL is the web application and this the client and protocol and also the destination port and source and destination zone countries and responder IP. And initiator one three, because I was checking from one three, this is my inside system IP config. So you can see one three is my IP. That’s why it’s showing me one three initiator all of them is one three because you are accessing everything from here. And here is action because we put the action and act your block. And some of them we put block.

So if we go to next page. So there is block as well. Yeah, more detail you can see. Yeah, I remember now suppose this block one, you can click on this one if you want more detail. Okay. So this the detail, all the block website from one three. And this the zone. And if I go there, here is YouTube, Amazon, streaming media shopping. So this is the first cuic flicker, Twitter because it’s the old one as well, which we block custom block. So these are also you can see from here and what else? Yeah, so this being verified sys block. Okay. And also there is a way you can go to dashboard from dashboard. There is different dashboard from there. You can also check the URL one. These are the website, we access them and they are related to URL. There is one yeah, there is connection by URL, category uncategorized search engine and porter. We access business and these are by category as well, the website streaming video and software update you can see and connection by URL reputation. So again, unknown favorite. Those are four or five reputation which we discuss and you can see natural trusted. So it’s mentioned here as well. And I’ll also application categories. These by application, which we access any website. And there is a special as well, which you can go and you can check more. But anyway, at least right now, we just need to verify that it’s working or not working. Okay?

38. Lecture-38:Introduction and Concept of Security Intelligence.

Our today topic is security intelligence. What is security intelligence? Basically, security intelligence, it’s called thread intelligent. Cyber thread intelligent. It’s in every security device of Cisco. You know, it’s integrated with Cisco. WSA cisco ESA. Cisco FTD. Cisco ASA and Cisco ice. Actually Cisco integrate this technology in every security device. Basically, security intelligence is a database database of Malaysia and all those things which we discuss in CCNP security as well as a full database which update frequently, regularly up to date. And it’s integrated it with FTD as well. So let’s take regularly feeds. We will discuss what is feed. So what they done. Cisco have a complete team for this one. If I show you test the website telesintelligent. com here you can search. Suppose if you worried about something suppose eight, let me check this one. So they will give me a full detail about this one. So I say it’s good. And all the detail spam level email were the human every detail about this one. So they have a full database of blacklist IP blakelist domain, blake list, URL blacklist network, okay? And it’s frequently every second they are checking everything and then through cloud is integrated to our Cisco devices. Like this way. So this security intelligence feeds coming regular basis here to this device. If we go there, let me go to access control, okay? And here access control. You see there is the second tab is security intelligence. So here is this is our network IPS. But let’s start from here. It’s no attacker 450 object inside attacker. They give them a different category. In banking front there is nothing bots. So let’s see how many boats are there, how many switch? Zero. I think I need to update this one because I did not get the updated one. Like a crypto mining contain 1159. Okay. And so on high risk. Suppose it should be there a lot of it means it’s not up to date. So you can attach and what is the advantages, the big advantages of security intelligence, it will be checked before it enter your network, before it’s enter your FTD snot engine. It’s English. Suppose. So here is security intelligence.

So before here is security intelligent. The one we are talking about right now. URL and IPS DNS we will do after this one. Right now our target is malacious URL and Malaysia and blacklist IPS. How we can stop those? Suppose it’s like how can I give an example? Suppose, you know, in every country there is black listed people and they have a list of those one. So suppose you are working somewhere in police and police offices there is a list of blacklist people already they know. So if you already know, something is bad, so it will be dropped early. So your engine will be not utilized. That’s the first advantage of security intelligence. Because the engine starts from here. Snort engine either let me show you from here. So security intelligence is here before the Snot engine rule start. And if I can show you from the other slide which we were discussing excess list. You remember before we discuss access control list. Which you forgot last time. Which we start. So let me go to FTD PDF. And let me show you access control list which we discuss in detail. Okay. I believe this one. So there was a diagram. This one. So excess control list policy we discuss in detail. And this one. The second one. Security intelligent si. So we are doing this one. So it will be check early. So one thing, your engine will be not utilized.

And those already blacklisted list of URL and IPS and DNS entry. It will be dropped before entering your firewall in your network. So how they are doing? They call them security intelligent. Is a complete team of security from Cisco. And they have categorized. And regularly they are checking every website there’s. Security intelligent. Regularly they are checking every second URL in IPS domain network. And when they find out anything in that URL, so they put them in the list. Like America. Let me give an example to understand. America have a terrorist list of people from different countries. They put them in the name. And when you allow them so it means you become enemy of USA. So they already have a terrorist group up user which they display. They don’t allow these and this and that. You know already the story. So the same thing in website. There are maybe many URL. Yesterday we did a URL. There are many. There may be many URL, which is a malware, which can be suspicious. There is a huge list. When I go there, there is a banking fraud, maybe a taker botnet, command and control exploit kit, high risk. All these things we discuss in CCNP, Malaysia, malware, malware.

There are many category antivirus, sorry, viruses, spyware, botnet. So many things are coming under this one. Spam, spyware suspicious. So what they do, they are getting detail. And they’re putting in the database. And this database is connected to your firewall, your FTD. Okay. Security intelligent feed. And they are getting from here. Let me show you in firewall how they are getting. So if we go to device or object and object management you will see a fields. And let me go to security intelligent. Object should be here. So let’s go. Here is security intelligent. So DNS or later topic. But now we are discussing network and URL. So if when you click on network. So here is Cisco security intelligent feed which is update 23. I need to update this one. That’s why I’m not getting thing. Okay. So you say update feeds. What is feed? I will tell you. It’s nothing but a list of URL, network IPS. Okay. So it’s in progress. So at least it will be updated. So you know they are getting this feed. Okay. Now you will say how they are getting. If I double click, there is our automatic list, I think. So two hour, let me see it’s. Two hour? Yeah, after every two hour. If you want to change, maybe if you have a sensitive environment and you want it, I want to get the latest thing first so you can make them five minutes, but it’s require a bet. Up your CPU and Ram to utilize again and again to go to Cloud and get the frequent update. By default is two hour to get update from Cisco Telus Intelligent, which is a team. And they developed a whole database, I think. So there is an intelligent category, which I will tell you in my I copy from here as well. So there is adult and advertisement, alcohol and so many categories. If you go as many pages I don’t want to go in detail, but I just want to give you an idea. And also keep in mind in every interview they will ask you what is Security Intelligence and how it is work and what is the end to our disease? Because it’s a very good feature to use to protect your network and very, very important. Without your Firewall CPU utilization, you can protect your network in the first place based on reputation.

So they have a whole database which is updated frequently. And I told you how you can update them, you can change your one. The timing is by default too. So I change them, but manually, I update them after every 2 hours it will be updated. So this is called security intelligent. So it means it will not utilize your memory, your CPU, your resource and before using your resource, because suppose if someone is a thief and is coming to your office and you already know that this guy in the list, you have already a list. So rather than to scan them and allow them and test them and check his CRC what is calling UK, they check with the police clearance and then you say no, you are not allowed. So you use your resources. You went to office, you went to this one, you send his detail and then clear and say that no, this guy is thief and it’s not allowed as bankrupt. But if you have a list of people already, then these are bankrupt or something, or thief or whatever. So on the first place, when it’s come to your office, you will say no, sorry, we cannot recruit you because you are already bankrupt. He said how you know? So he said that I get the data from agency, I already have a list of people. So the same thing Security Intelligence do for you, they already provide you unwanted traffic before entering to your network to use your CPU, Ram and everything. And then you check your Snot engine will check, then File policy will check your DNS policy and so many things will check. So this is called Security Intelligent and I told you these are research group which they are getting every detail. So you don’t need to redeploy everything. They will get everything and it will be updated automatically your list and how they are getting I told you through Feed. Feed? What is feed. I will tell you now and the best thing is it will be drop early, drop Security Intelligent. When the traffic come in, the first thing there will check these things pre filter policy. I will tell you what is this one and the next list after that it will check Security Intelligent which coming like a Blake listing of IP, DNS and URL and it is there. So it will drop here and it will not go to use your Snot engine and everything.

Okay and also here I show you in more detail in this diagram. Okay, now coming to I was talking about Feed and it’s mentioned here as well. Feed is here. So what is feed? Feed is nothing but a list of IPS. Either URL either DNS domain domain name URL and IPS So they call them feed. So you can use Cisco Feeds which is here and you can create your own when you click here. So it’s asking you Feed or list feed update automatically unless you have to update. So we will do in the lab list. But Feed you already know because you need some list of Feed. It can be external and you can also use Cisco one. Cisco one is this one. It’s already there. So this is called it’s nothing but a dynamic list of blacklisted IPS domain and URL. It’s called feed. So now we know Feed and we can create our own NSDR is automatic as well, which is called Security Intelligent. Feed and security intelligence. What is Security intelligence. I already told you which is dynamically getting Feed and left sub domain and everything and it’s attached to your policy but by default is not attached. It means if I get any blacklist IP and ping so it will work, you need to attach and that’s what we will do in the lab. How to protect and block all these already blacklisted IPS domain and DNS. Second thing is list maybe someone which is a blacklist IP, maybe IP is not blacklist for me like in USA they blacklist many good people as well. They say this is terrorist, but for those countries those guys are not terrorists. They call them Mujahid or something, whatever, maybe they are good for them. So it’s a Blake list for them but a white list for some other country. So you can create your own list of IEP’s domain to block are allowed and where we can create so we can create a list. Just type in notepad like in IPS I randomly type this IP. I don’t know. It’s a Facebook IP. I will check now. So it will be one by one. So I type four IPS and this is my list IP list and you can type URL, Twitter, Facebook, Flickr, Msn@yahoo. com so these are URL list and then I can attach here because it was asking me what you need. So you say ABC and you can tell them that I have a list. So they say browse your list, where is your list to? My list of IPS are here, where is IP list?

And then upload. So how many IPS are there? It will show you here. Let’s say four IPS are there and save because we will do in the lab. So I don’t want to show you here, but just to clarify, so it will come here. So it means you can do your custom addresses to blacklist either to allow them. Okay? So it’s clear, it’s a TX text file which I show you and you can type one by one. Many IPS are URL and you can put that list here. And about this, the website which I told you, this the Security Intelligence Cisco website, which you can test many things by the way, I never show you, you can visit here. You can see a list of category as well. You can check any IP as well at a blacklist and what is the category reputation. And so many things you can check from here. And so many other things like they give you many file you can download and also so many things are available in this website. Okay, now coming to basically in FMC, there are three places where they put the listing. Which listing? Suppose if I want to know that who is in the Blake list, can I find out from GI? Graphically? No. If I go to Policy and access Control policy security intelligent policy was here, which I show you. Here is Security intelligent. And these are Security intelligent categories. One of them is a taker, but in a taker there are sorry we must show something like this one. So they say attacker contains four four nine object. What is those object? We don’t know means I know these are attacker category, but who is inside this attacker four four nine object.

So there is no way to find out. And graphically you need to go to CLI of FTD either FMC and type this command for network. Network means IPS for DNS, like a domain name and for URL to this link to find out the detail. Suppose the attacker one, you know attacker, how can I go? I need to log into my FMC to find out. So my FMC is this one. And let me do SSH and type admin and ABC at the rate ABC one. This is the password. I give this one, I type here as well A-B-C-A-B-C-I login to my FMC and this the location where you can find a network DNS and URL. So let me copy this one. It’s like a Linux is a folder, then SF and then IP proof this is DNS security intelligent DNS and this is security intelligent URL and this is IP. So what you can do, you can type CD okay? Before CD because it’s 6. 7 1st you need to go to expert mode and after expert mode because now I am as a common user. So pseudo su and then type password ABC at the rate ABC one. Now I’m in full root user. Now I can type to CD and that one and LS to list everything. So here is a list, but it’s not showing me anything. These are basically it’s called universally unique identifier. Every category has a unique UUID. This category is very sorry these categories which you can see malaysia smallware spyware they give them a unique number these number then it will show you SSH call UUID universally Unique Identifier. You can use a Linux Kate concatenate header and tell headmes to show first ten line and tell me is to show last ten line and kate to show you more command you can also use so let me say hit command and I said this one. Suppose I don’t know which folder name is this one because they give them universal unique number. So it’s open proxy. Let’s see there is open proxy yeah, but there is no object this way it’s not showing me. So let me type another one and this way you can find out inside object detail. There is no way graphically. So let me go to second one. This is suspicious, it’s better. So let’s go to suspicious and suspicious there are five object and it’s show me five object as well. If there are many, they will show me only ten because I’m using HEADHEAD means and Linux they’d only show me the first ten line.

So these are the inside object which I cannot see from here CC. It says field is suspicious and there are five object and these are the five object. So let me copy one of them and run from inside. Can I go to this IP? Yes, because I did not yet apply security intelligence to protect my network. So let me go to this docker and see if it is why it’s not let me refresh them and okay, let me ping any IP from this one. So I’m here and let me ping this IP. Let me paste by the way, let me copy this one and let me paste here and hit his to ping some of the IP is by default not anymore. So maybe it’s not ping, but some of them has to be ping because I did not apply yet security Intelligent so let me copy this IP and test and let me paste this IP. Yeah, so it’s pinging even as a Blakelist IP. But because I am not using Security intelligence and I don’t have a Snot engine on to test this IP, and then decide, it will go through the whole process. And then they will decide, oh, this 199 IP is a blacklist IP. It’s a malicious IP, but you use your resources and then later on decide, so why not use this Security intelligent so they can tell you in advance that these are the blacklist IP and domain and blah, blah, blah.

So anyhow, these are the three places where you can go and see the contents. You know the actual IPS or domain or DNS or URL or network IPS which is blacklisted. So from graphically it’s not possible. If an interview they ask you is it possible to see the content inside? So you will say no, there is no such way. You need to go to FTD either FMC CLI to test them. If you go to FMC FMCA G because it’s using Linux Command, LS, NCD and kit head tail to find out the content inside by universal unique Identifier, they give them the folder by this one. So these are the category which is mentioned in their website as well. I show you some categories there as well. So there is a tracker which we assure you there is bot command and control crypto mining. They have many exploit kit high risk and this one we discuss in what is called Nccnp. We discuss indicator of compromise, link sharing, Malaysia malware, open proxy and so many spyware suspicious.

So these are category and you can see from here as well. If you test one of them is suspicious, it should be this one. If you test any other so it will give you another name. So let’s test one more. Suppose it’s the last one. I don’t know which one is this one. So it’s Malaysia and it’s showing me only ten because I’m using head command. Maybe in Malaysia there can be many. If I go to Malaysia, where is yes, it’s 14 inside, but it’s showing me only ten because I’m using head command. Okay, so this was security intelligent. It’s getting feeds automatically from Cisco and Cisco have a laptop, blacklist IP, domain name URL, which you can use before the attack and it can protect you on network. Okay, so this was security intelligence, theoretically. Now we will do labor next video.

• Category: Uncategorized