Device Registration and Initial Setup

Cisco Internal Use Only for Secure Firewall Roadshow Ignite Event

Overview

This lab utilizes NGFW1 and NGFW2, which are virtual Firewalls in your dCloud session. These are registered to the Firewall Management Center (FMC), where we will manage the device, policy enforcement, etc. We will also set up the Firewalls with initial configuration for the upcoming lab scenarios.

Scenario 0: Familiarization with dCloud Environment

Environment Overview

  1. Because you are viewing this lab guide we assume you have started your dCloud session and are ready to begin. Click the View button by your session to see the lab topology.

    Figure 2: dCloud Session

📘

Note

If your dCloud session was recently shared, it may take a few minutes for the View button to appear while the lab virtual machines boot up.

  2. You will see the lab topology.
Figure 3: dCloud Topology

  3. The dCloud active topology page provides an overview of your dCloud pod. As you work through the labs, refer to the topology for credentials, IP addresses, interfaces, subnets, RDP addresses, etc.
  4. On the topology window, locate the Jumpbox and click its icon (the computer screen). A popup for the Jumpbox should open. The Jumpbox is a Windows machine that acts as our Admin PC for the session. It has multiple Network Interface Cards (NICs) on different subnets: sometimes the Jumpbox acts as the Admin PC at the Corporate Head Office, and at other times as the Admin PC for the Branch office. The credentials for the Jumpbox and all other Windows machines are administrator / C1sco12345.
Figure 4: Jumpbox Access

  5. From the Jumpbox popup, click Web RDP to connect to it.
  6. The first time you connect to the Jumpbox, Windows will automatically launch Quick Launch. This is a web page providing you shortcut access to devices used in our lab scenarios. Have a look at some of the names on the menu. You will recognize devices also seen on the topology found at the beginning of this document.
  • Blue buttons open Putty SSH sessions.

  • Green buttons open browser sessions.

  • Red buttons open RDP sessions.

  7. If you close the Quick Launch and want to open it again, use the icon on the desktop.
**Figure 9:** Closing Quick Launch Application

Display Improvements

  1. To get crisper fonts on Jumpbox, perform a Windows search for ClearType.
**Figure 10:** ClearType Search

  1. Turn on ClearType. The improvement will be immediate.
**Figure 11:** ClearType Activation

Time Synchronization (Important)

  1. Next, the time on the Jumpbox must be properly synchronized. Verify that the workstation time in the lower right corner is correct. It should show the correct time in your desktop's time zone. If this time is correct, you can continue with the lab exercises.
  2. If this time is not correct, resynchronize the clock using the following procedure:
    1. Right-click on the time in the lower right and select Adjust date/time from the menu.
    2. Click the Sync now button in the dialog.
    3. Confirm the Jumpbox time is now set correctly.
**Figure 4:** Date & Time Synchronization

👍

Success

Your dCloud session is available, and synchronized.

Topology

ADD TOPOLOGY DIAGRAM HERE

Lab Tasks Overview

Task 1 - Register NGFW1 to FMC

🚧

Warning

Google Chrome is the suggested browser for performing this lab.

  1. Click on the Jumpbox machine in the dCloud topology and under Remote Access click on Web RDP.

  2. A new tab appears named "jumpbox," which takes you to the Quick Launch window. Now click NGFW-1 under the NGFW Console Access section.

📘

NOTE:

If it doesn't immediately appear, start in the dCloud jumpbox tab, go to the bottom ribbon and click Quick Launch, or alternatively open Quick Launch from the desktop shortcut. Then click on NGFW-1 under the NGFW Console Access section shown below:

  3. At the CLI prompt type configure manager add 198.19.10.120 cisco cisco and press Enter. This command sets the on-prem FMC (198.19.10.120) as the manager for NGFW1; the two cisco arguments are the registration key and the NAT ID, which must match the values you enter in FMC below.
  4. Go back to Quick Launch and click FMC Web to open the FMC web interface.
  5. Login with credentials admin/dCloud123! and click on Log In.

📘

Note

Click on Accept if there is an End User License Agreement displayed.

  6. Navigate to Devices > Device Management.
  7. Click the Add dropdown on the right side and select Device.
  8. Enter the following into the Add Device dialog:
    • Host: 198.19.10.83
    • Display Name: NGFW1
    • Registration Key: cisco
    • Group: None
    • Access Control Policy: Click on Create New Policy from the drop-down and enter the following into the New Policy dialog:
      • Name: NGFW1 Firewall Policy
      • Leave the rest of the fields as they are (default).
      • Click Save.
  9. You're returned to the Add Device window with the Access Control Policy saved.
    • Find Performance Tier and select: FTDv - Variable
    • Check the Carrier, Malware Defense, IPS, and URL boxes
    • Unique NAT ID: cisco
    • Click Register to start the registration process.

📘

NOTE:

The limits for the different performance tiers are as below:

FTDv Variable is chosen to maintain the current license compliance.

  10. Registration takes ~8-10 minutes to complete. To track progress, go to Notifications in the top right ribbon and click the Tasks tab. The image below shows you what a successful registration looks like.

📘

Note

Discovery and Policy deployment will continue in the background. You can proceed with the next step.

Task 2 - Register NGFW2 to FMC

  1. Back in the dCloud jumpbox, open Quick Launch. Click on NGFW-2 under the NGFW Console Access section shown below:
  2. At the CLI prompt type configure manager add 198.19.10.120 cisco cisco and press Enter. This command sets the on-prem FMC as the manager for NGFW2, again with cisco as the registration key and NAT ID.
  3. Navigate back to the Firewall Management Center on Google Chrome.
  4. Click the Add dropdown on the right side and select Device.
  5. Enter the following into the Add Device dialog:
  • Host: 198.19.10.84
  • Display Name: NGFW2
  • Registration Key: cisco
  • Group: None
  • Access Control Policy: Click Create New Policy from the drop down and enter the following into the New Policy dialog:
    • Name: NGFW2 Firewall Policy
    • Leave the rest of the fields as they are (default).
    • Click on Save.
  6. You're returned to the Add Device window with the Access Control Policy saved.

    • Find Performance Tier and select: FTDv - Variable
    • Check the Carrier, Malware Defense, IPS, and URL boxes
    • Unique NAT ID: cisco
    • Click on Register to start the registration process.

  7. Registration takes ~8-10 minutes to complete. To track progress, go to Notifications in the top right ribbon and click the Tasks tab. The image below shows you what a successful registration looks like.

📘

NOTE:

You can proceed to the next step after Discovery and Policy Deployment is complete.

Task 3 - Enabling License in NGFW1 and NGFW2

📘

NOTE:

Before you begin this task, ensure that the Registration and initial Policy Deployment of both NGFW1 and NGFW2 are complete.

  1. Click the pencil icon in the NGFW1 row.
  2. In the new window, select the Device tab within NGFW1 and click the pencil icon to the right of the License section to edit the device licenses.
  3. Click the Secure Client Advantage checkbox in the License dialog box. Then click Save.
  4. Acknowledge the change by clicking OK.
  5. A successful edit will look like this.
  6. Navigate back to Devices > Device Management, and click the pencil icon in the NGFW2 row.
  7. In the new window, select the Device tab within NGFW2 and click the pencil icon to the right of the License section to edit the device licenses.
  8. Click the Secure Client Advantage checkbox in the License dialog box. Then click on Save.
  9. Acknowledge the change by clicking OK.
  10. A successful edit will look like this.

Task 4: Configuring NGFW1

Step 1: Interface and Route Configuration of NGFW1

  1. Navigate back to Devices > Device Management and click on the pencil icon in the NGFW1 row.
  2. Click the 'Pencil' icon in the GigabitEthernet0/0 row to make changes to the interface.

Configure the interface as outlined below:

Under the General tab:

  • Name: outside
  • Click the Enabled check box.
  • Security Zone: Select "New..." from the drop down
  • Type in 'outside' and click OK.

Under the IPv4 tab:

  • IP Address: 198.18.133.81/255.255.192.0
  • Click OK.

  3. Confirm the NGFW1 interface matches the image below. Then, click the 'Pencil' icon in the GigabitEthernet0/1 row to make changes to the interface.

Configure the interface as below:

Under the General tab:

  • Name: inside
  • Click the Enabled check box.
  • Security Zone: Select "New..." from the dropdown
  • Type in 'inside' and click OK.

Under the IPv4 tab:

  • IP Address: 198.19.10.1/255.255.255.0
  • Click OK.
  • Click Save. The final view of the Interfaces page should match the image below.
  4. Click the Routing tab. Select Static Route in the page tree, then Add Route off to the right to add a default route (this route provides the Internet access required for the AttackIQ test).

  5. Configure the below:
  • Interface : outside
  • Available Network : any-ipv4. Click Add.
  • Gateway : 198.18.128.1
  • Click OK.
  • Ensure the IPv4 route has populated, then click Save.

Step 2: Network Address Translation (NAT) Policy Configuration of NGFW1

For the NAT Policy, we want to translate all inside interface traffic destined for the Internet, whatever its source address, to the outside interface IP address. To do this, we will add a rule.

  1. Go to Devices > NAT. Click New Policy > Select Threat Defense NAT.
  2. Configure the Name as NGFW1-NAT. Select NGFW1 under Available Devices. Click on Add to Policy. Click on Save.
  3. A blank policy is created. Click Add Rule.
  4. Configure the policy as below:
  • NAT Rule: Manual NAT Rule
  • Type: Dynamic.
  • Click the Interface Objects tab.
  • Source Interface Objects : inside
    Choose the inside object from Available Interface Objects and Click Add to Source.
  • Destination Interface Objects : outside
    Choose the outside object from Available Interface Objects and Click Add to Destination.
  5. Go to the Translation tab. Click the + icon next to Original Source to create a new network object. Click + Add Object.
  • Configure the network object as follows:
    • Name: Corporate-LAN
    • Network: Select the radio button Network and type in 198.19.10.0/24.
    • Click Save.
  • Select Destination Interface IP from the Translated Source drop down.
  • Click OK.
  6. Click Save.

Step 3: Access Control Policy (ACP) Configuration of NGFW1

Now we'll create a blank policy that has one 'Allow All' rule. This rule has no security protections attached and allows everything through the firewall.

📘

NOTE:

Having a blank policy with an 'Allow All' rule is not a recommended practice. It is configured here solely for testing purposes, to demonstrate the AttackIQ test.

  1. Go to Policies > Access Control. Click the pencil icon in the NGFW1 Firewall Policy row.
  2. Click on Add Rule. Configure the Name as 'Allow All'. Click on Logging.
  • Click on Log at end of connection > Confirm.
  • Click Apply.
  • Ensure the Access Control Policy is in place, then click Save.

Task 5 - Configuring NGFW2

Step 1: Interface and Route Configuration of NGFW2

  1. Navigate back to Devices > Device Management and click on the pencil icon next to NGFW2.
  1. Click the 'Edit' icon of GigabitEthernet0/0.

Configure the interface as below:

Under the General tab:

  • Name: outside
  • Click the Enabled check box
  • Security Zone: outside

Under the IPv4 tab:

  • IP Address: 198.18.6.1/24

Click OK.

  3. Similarly, click the 'pencil' icon of GigabitEthernet0/1.

Configure the interface as below:

Under the General tab:

  • Name: outside2
  • Click the Enabled check box
  • Security Zone: Click New... to add a new zone named "outside2" and select this zone

Under the IPv4 tab:

  • IP Address: 198.18.7.1/24

Click OK.

  4. Next, click on the 'pencil' icon of GigabitEthernet0/2.

Configure the interface as below:

Under the General tab:

  • Name: inside
  • Click the Enabled check box
  • Security Zone: inside

Under the IPv4 tab:

  • IP Address: 198.18.8.1/24

Click OK.

Click Save. The final view of the Interfaces page should be as below.

  5. Click the Routing tab. Click Static Route from the page tree, then Add Route to the right.
  6. Configure the below:
  • Interface : outside
  • Available Network : any-ipv4. Click on Add.
  • Gateway : 198.18.6.253

Click OK.

  7. Click Add Route to add another route.
  8. Configure the route as follows:
    • Interface: outside2
    • Available Network : any-ipv4. Click on Add.
    • Gateway: 198.18.7.253
    • Metric: 10

🚧

Warning

Verify that you have changed the metric value from 1 to 10.

  • Click Save.

Step 2: Platform Settings Configuration of NGFW2

In the upcoming Policy Based Routing lab, we'll be setting Trusted DNS Servers in the platform settings. To do that let's set up a Platform Settings Policy for NGFW2.

  1. Click Devices from the main menu ribbon at the top and then select Platform Settings.
  2. Click New Policy and then select Threat Defense Settings.
  • Enter the Name as ngfw2-platform-settings.
  • Choose NGFW2 from the Available Devices list and click Add to Policy to add it to the Selected Devices list.
  • Click Save. You might get a Warning. Click Yes.
  3. Now we'll configure the DNS settings.
  • Click DNS in the page tree. Then toggle Enable DNS name resolution by device.
  • Click Add next to DNS Server Groups.
  • Click the + icon next to New Group in the configuration pop up.
  • Enter Umbrella_DNS for name and 208.67.222.222,208.67.220.220 for DNS Servers.
  • Click Save.
  4. Select Umbrella_DNS from the DNS Group drop-down list. Select Make as Default. Click OK.
  5. Click Save.

Step 3: Network Address Translation (NAT) Policy Configuration of NGFW2

For the NAT Policy, we want to translate all inside interface traffic destined for the Internet, whatever its source address, to the IP address of the outside interface it leaves through. To do this, we will add a rule for each outside interface.

  1. Go to Devices > NAT. Click New Policy > Threat Defense NAT.
  2. Configure the Name as 'NGFW2-NAT'. Select NGFW2 under Available Devices. Click Add to Policy. Click Save.
  3. A blank policy is created. Click Add Rule.
  4. Configure the policy as below:
  • NAT Rule: Manual NAT Rule
  • Type: Dynamic. Click the Interface Objects tab.
  • Source Interface Objects : inside
    Choose the inside object from Available Interface Objects and Click on Add to Source.
  • Destination Interface Objects : outside
    Choose the outside object from Available Interface Objects and Click on Add to Destination.
  5. Go to the Translation tab. Configure as follows:
  • Click on + next to Original Source. Click Add Object.
  • In the pop-up box, configure the following details:
    • Name: ngfw2-inside-network
    • Select the Radio button next to Network
    • In the text box below enter 198.18.8.0/24
    • Click Save
  • Translated Source: Destination Interface IP
  • Click OK.
  6. Click Add Rule to add another rule.
  7. Configure the policy as below:
  • NAT Rule: Manual NAT Rule
  • Type: Dynamic.
  • Click the Interface Objects tab.
  • Source Interface Objects : inside
    Choose the inside object from Available Interface Objects and Click on Add to Source.
  • Destination Interface Objects : outside2
    Choose the outside2 object from Available Interface Objects and Click on Add to Destination.
  8. Go to the Translation tab. Configure as follows:
    • Original Source: ngfw2-inside-network
    • Translated Source: Destination Interface IP
    • Click OK.
  • Click Save.
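As an added example that is not part of the lab guide, the Python model below holds the interface, static route and manual NAT values configured for NGFW1 (Task 4) and NGFW2 (Task 5) and checks them for the mistakes these steps warn about: a gateway that is not on its egress interface's subnet, two default routes left with the same metric, and a NAT object that does not match the inside subnet. It also traces which interface and translated source an outbound flow gets, which is what "Destination Interface IP" means in the NAT rule. The data layout and function names are this example's own assumptions, not FMC's API.

```python
import ipaddress as ip

# Constructed from the lab values: interface addresses, static routes and the
# manual NAT rules (source interface, destination interface, original source).
DEVICES = {
    "NGFW1": {
        "ifaces": {"outside": "198.18.133.81/255.255.192.0",
                   "inside": "198.19.10.1/255.255.255.0"},
        "routes": [("outside", "0.0.0.0/0", "198.18.128.1", 1)],
        "nat": [("inside", "outside", "198.19.10.0/24")],
    },
    "NGFW2": {
        "ifaces": {"outside": "198.18.6.1/24", "outside2": "198.18.7.1/24",
                   "inside": "198.18.8.1/24"},
        "routes": [("outside", "0.0.0.0/0", "198.18.6.253", 1),
                   ("outside2", "0.0.0.0/0", "198.18.7.253", 10)],
        "nat": [("inside", "outside", "198.18.8.0/24"),
                ("inside", "outside2", "198.18.8.0/24")],
    },
}

def net(addr):
    """Connected network of an interface given as 'ip/prefix' or 'ip/dotted-mask'."""
    return ip.ip_interface(addr).network

def validate(dev):
    """Return findings for the common mistakes in these steps; [] means consistent."""
    d, findings = DEVICES[dev], []
    for egress_if, _, gw, _ in d["routes"]:
        if ip.ip_address(gw) not in net(d["ifaces"][egress_if]):
            findings.append(f"{dev}: gateway {gw} is not on the {egress_if} subnet")
    metrics = [m for _, prefix, _, m in d["routes"] if prefix == "0.0.0.0/0"]
    if len(metrics) != len(set(metrics)):
        findings.append(f"{dev}: default routes share a metric (unintended ECMP)")
    for src_if, _, orig in d["nat"]:
        if net(orig) != net(d["ifaces"][src_if]):
            findings.append(f"{dev}: NAT object {orig} does not match the {src_if} subnet")
    return findings

def egress(dev, dst):
    """Longest-prefix match, lowest metric breaks ties: (interface, gateway or None)."""
    d = DEVICES[dev]
    connected = [(i, str(net(a)), None, 0) for i, a in d["ifaces"].items()]
    cands = [r for r in connected + d["routes"] if ip.ip_address(dst) in ip.ip_network(r[1])]
    best = max(cands, key=lambda r: (ip.ip_network(r[1]).prefixlen, -r[3]))
    return best[0], best[2]

def translated_source(dev, src, dst):
    """Dynamic NAT to 'Destination Interface IP': the egress interface address."""
    in_if, out_if = egress(dev, src)[0], egress(dev, dst)[0]
    for src_if, dst_if, orig in DEVICES[dev]["nat"]:
        if (src_if, dst_if) == (in_if, out_if) and ip.ip_address(src) in ip.ip_network(orig):
            return str(ip.ip_interface(DEVICES[dev]["ifaces"][out_if]).ip)
    return src  # no rule matched, so the flow leaves untranslated
```

With the values as entered, both devices validate cleanly and a host on NGFW2's inside network reaching the Internet leaves via outside (metric 1) as 198.18.6.1; the outside2 rule only applies to flows that egress outside2.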

Step 4: Access Control Policy Configuration of NGFW2

  1. Go to Policies > Access Control. Click on the pencil icon next to NGFW2 Firewall Policy.
  2. Click Access Control in the policy selector. Click Add Rule, and configure the following rule:
  • Name: Allow_Outbound_Traffic
  • Select inside from Zones and click Add Source Zone
  • Select outside and outside2, and click Add Destination Zone
  • Click the Networks tab, and search for ngfw2-inside-network. Select and click Add Source Network.
  • In the Ports tab, Select the following objects:
    • DNS_over_TCP
    • DNS_over_UDP
    • HTTPS
  • Click on Add Destination Port
  • Select Logging and in the popup select Log at end of connection and click Confirm. The destination for the Connection Events is automatically selected as Firewall Management Center. More extensive logging settings are available, but for this lab we are only enabling Connection Events to be sent to the Firewall Management Center. Also, following best practice, we enabled logging only at the end of a connection.
  3. Click Apply, and then click Save at the top, to save all the changes to the Access Control Policy configuration.
  4. Click Deploy > Deploy All. Wait for the deployment to complete.

🚧

Warning

In the event you come across an 'Ignore warnings' checkbox during your deployment, please be sure to select it.

👍

Success!

You have completed Device Onboarding. Please click the link below to move on to Preparing your 1010 for Customer Demos.

📚 Additional Resources

For more information on how Access Control Policies are configured for Secure Firewall devices, please refer to the following document: Access Control Policy