{"id":2888,"date":"2026-01-18T19:00:00","date_gmt":"2026-01-18T19:00:00","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2888"},"modified":"2026-02-08T20:05:40","modified_gmt":"2026-02-08T20:05:40","slug":"85-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2888","title":{"rendered":"85 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n

NGIPS and FMC<\/mark><\/h2>\n\n\n\n

Cisco Secure Firewall (formerly Firepower)<\/strong>\u00a0requires a deep understanding of how the Management Center (FMC) orchestrates the “brains” of the operation:\u00a0Snort<\/strong>.<\/p>\n\n\n\n

Core Concepts & Terminology<\/mark><\/h2>\n\n\n\n

You must separate the management interface from the detection engine.<\/p>\n\n\n\n

Key Components<\/strong><\/p>\n\n\n\n

    \n
  • FMC (Management Center):<\/strong>\u00a0The centralized “Manager.” It handles policy configuration, threat intelligence updates (Talos), and event aggregation.<\/li>\n\n\n\n
  • FTD (Firepower Threat Defense):<\/strong>\u00a0The “Sensor.” This is the unified image combining ASA (L3\/L4) and Firepower (L7) capabilities.<\/li>\n\n\n\n
  • Snort:<\/strong>\u00a0The Open Source engine inside FTD that performs the actual\u00a0Deep Packet Inspection (DPI)<\/strong>.<\/li>\n<\/ul>\n\n\n\n

    Terminology<\/h4>\n\n\n\n
      \n
    • DAQ (Data Acquisition Layer):<\/strong>\u00a0The library that acts as an intermediary between the FTD hardware interfaces and the Snort engine.<\/li>\n\n\n\n
    • Prefilter Policy:<\/strong>\u00a0A “fast-path” mechanism used to bypass Snort for trusted traffic (like backups or encrypted tunnels) to save CPU.<\/li>\n\n\n\n
    • Security Intelligence (SI):<\/strong>\u00a0IP\/URL\/DNS reputation feeds from Cisco Talos that block known bad actors\u00a0before<\/em>\u00a0the IPS engine even looks at the packet.<\/li>\n\n\n\n
    • Variable Sets:<\/strong>\u00a0Defines your environment (e.g.,\u00a0$HOME_NET<\/code>\u00a0vs\u00a0$EXTERNAL_NET<\/code>) so Snort knows which direction to apply specific rules.<\/li>\n<\/ul>\n\n\n\n

      What is SNORT?<\/mark><\/h2>\n\n\n\n

      Snort<\/strong> is the industry-standard IPS engine. In FTD, it operates using Signatures (Rules)<\/strong>.<\/p>\n\n\n\n

        \n
      • Snort 2:<\/strong>\u00a0Legacy, single-threaded (processes one packet at a time per instance).<\/li>\n\n\n\n
      • Snort 3:<\/strong>\u00a0Modern, multi-threaded. It offers better performance, simplified rule writing, and improved memory management.<\/li>\n<\/ul>\n\n\n\n

        How it protects:<\/strong> It doesn’t just look at headers; it reassembles data streams to find malicious patterns (e.g., a SQL injection hidden inside an HTTP POST request).<\/p>\n\n\n\n

        \n\n\n\n

        Traffic Flow: In and Out (The Pipeline)<\/mark><\/h2>\n\n\n\n

        You must understand the\u00a0Order of Operations<\/strong>\u00a0inside an FTD. Traffic follows this specific path:<\/p>\n\n\n\n

          \n
        1. Ingress Header Processing:<\/strong>\u00a0The packet enters the interface. LINA (the ASA engine) checks Layer 2-4 (Is it a valid TCP flag? Does it match a NAT rule?).<\/li>\n\n\n\n
        2. Prefilter Policy:<\/strong>\u00a0The device checks if this traffic is “Fast-Tracked” (bypassing Snort) or “Sent to Snort.”<\/li>\n\n\n\n
        3. Security Intelligence:<\/strong>\u00a0If the IP is on a “Global Block List,” the packet is dropped immediately.<\/li>\n\n\n\n
        4. Access Control Policy (ACP):<\/strong>\n
            \n
          • L3\/L4 Rules:<\/strong>\u00a0Matches based on IP\/Port.<\/li>\n\n\n\n
          • L7 Rules:<\/strong>\u00a0Traffic is handed to\u00a0Snort<\/strong>\u00a0via the DAQ.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
          • Snort Inspection (The Deep Dive):<\/strong>\n
              \n
            • App-ID:<\/strong>\u00a0Identifies the application (e.g., “Skype”).<\/li>\n\n\n\n
            • URL Filtering:<\/strong>\u00a0Checks the category (e.g., “Gambling”).<\/li>\n\n\n\n
            • IPS Policy:<\/strong>\u00a0Matches against Snort rules.<\/li>\n\n\n\n
            • File\/Malware Policy:<\/strong>\u00a0Calculates file hashes for AMP.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
            • Verdict:<\/strong>\u00a0Snort tells LINA “Drop” or “Allow.”<\/li>\n\n\n\n
            • Egress:<\/strong>\u00a0If allowed, the packet is rewritten (NAT) and sent out the egress interface.<\/li>\n<\/ol>\n\n\n\n
              \n\n\n\n

              Use Case: Step-by-Step Protection<\/mark><\/h2>\n\n\n\n

              Scenario:<\/strong> Protect an internal Web Server from a “Remote Code Execution” (RCE) vulnerability.<\/p>\n\n\n\n

                \n
              • Step 1: Network Discovery.<\/strong>\u00a0Enable a Network Discovery policy on FMC. This allows the sensor to “see” that your server is running\u00a0Apache on Linux<\/strong>.<\/li>\n\n\n\n
              • Step 2: Create Intrusion Policy.<\/strong>\u00a0In\u00a0Policies > Intrusion<\/strong>, create a new policy using the “Balanced Security and Connectivity” base.<\/li>\n\n\n\n
              • Step 3: Firepower Recommendations.<\/strong>\u00a0Click “Generate Recommendations.” FMC will automatically enable only the rules that apply to\u00a0Apache<\/strong>\u00a0and\u00a0Linux<\/strong>, disabling irrelevant rules (like Windows\/IIS) to optimize performance.<\/li>\n\n\n\n
              • Step 4: Layer 7 Rule.<\/strong>\u00a0Create an Access Control Rule:\n
                  \n
                • Source: Any<\/code>\u00a0->\u00a0Destination: Web_Server_IP<\/code>\u00a0->\u00a0Application: HTTP<\/code>.<\/li>\n\n\n\n
                • Under the\u00a0Inspection<\/strong>\u00a0tab, attach your\u00a0Intrusion Policy<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                • Step 5: Logging.<\/strong>\u00a0Enable “Log at End of Connection” to see the event in the FMC Dashboard.<\/li>\n\n\n\n
                • Step 6: Deploy.<\/strong>\u00a0Push the config to the FTD.<\/li>\n<\/ul>\n\n\n\n
                  \n\n\n\n

                  Best Practices <\/mark><\/h2>\n\n\n\n
                  Strategy<\/th>Why it Matters<\/th><\/tr>
                  Trust Fast-Path<\/strong><\/td>Use Prefilter policies for high-bandwidth, low-risk traffic (e.g., Inter-VLAN SQL traffic) to reduce Snort CPU load.<\/td><\/tr>
                  Inline Sets<\/strong><\/td>Always use “Inline” (not Passive) if you want the NGIPS to actually block<\/strong> threats rather than just alert.<\/td><\/tr>
                  SSL Inspection<\/strong><\/td>Crucial:<\/strong> Over 90% of web traffic is encrypted. If you don’t configure an SSL Decryption policy, Snort is “blind” to the payload.<\/td><\/tr>
                  Variable Sets<\/strong><\/td>Ensure $HOME_NET<\/code> is defined as your internal RFC1918 space. If left as any<\/code>, Snort rules may trigger incorrectly, causing false positives.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

                  File & Malware Policy<\/mark><\/h2>\n\n\n\n

                  While the IPS Policy<\/strong> looks for exploit “commands,” the File Policy<\/strong> looks at the “payload” (the .exe<\/code>, .pdf<\/code>, or .zip<\/code> file). In the FMC, this is handled by Cisco Secure Endpoint (formerly AMP)<\/strong>.<\/p>\n\n\n\n

                  Key Terminology<\/h4>\n\n\n\n
                    \n
                  • SHA-256 Hash:<\/strong>\u00a0A unique digital fingerprint of a file. FMC sends only this hash to the cloud, not the whole file (unless configured otherwise).<\/li>\n\n\n\n
                  • Disposition:<\/strong>\u00a0The status of a file:\u00a0Clean<\/strong>,\u00a0Malicious<\/strong>, or\u00a0Unknown<\/strong>.<\/li>\n\n\n\n
                  • Malware Cloud Lookup:<\/strong>\u00a0The real-time query sent from the FTD to the Cisco Talos cloud.<\/li>\n\n\n\n
                  • Spero Engine:<\/strong>\u00a0A machine-learning engine that examines the structure of a file to predict if it is malicious even without a signature.<\/li>\n\n\n\n
                  • Dynamic Analysis (Sandboxing):<\/strong>\u00a0Sending an “Unknown” file to\u00a0Cisco Threat Grid<\/strong>\u00a0to be executed in a safe virtual environment to observe its behavior.<\/li>\n<\/ul>\n\n\n\n
                    \n\n\n\n

                    Use Case: Blocking Ransomware via HTTP\/FTP<\/mark><\/h2>\n\n\n\n

                    Scenario:<\/strong> A user attempts to download a “Software Update” that is actually a disguised ransomware executable.<\/p>\n\n\n\n

                    Step-by-Step Configuration in FMC:<\/p>\n\n\n\n

                      \n
                    1. Create File Policy:<\/strong>\n
                        \n
                      • Navigate to\u00a0Policies > Malware & File<\/strong>.<\/li>\n\n\n\n
                      • Add a rule for “Office Documents” and “Executables.”<\/li>\n\n\n\n
                      • Action:<\/strong>\u00a0Select\u00a0Block Malware<\/strong>. This enables the\u00a0Cisco Malware Cloud Lookup.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                      • Enable Analysis:<\/strong>\n
                          \n
                        • Check\u00a0Spero Analysis<\/strong>\u00a0for executables.<\/li>\n\n\n\n
                        • (Optional) Check\u00a0Dynamic Analysis<\/strong>\u00a0to send unknown files to the Sandbox.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                        • Integrate into ACP:<\/strong>\n
                            \n
                          • Edit your\u00a0Access Control Policy<\/strong>.<\/li>\n\n\n\n
                          • On the rule allowing Web Traffic, go to the\u00a0File Policy<\/strong>\u00a0tab and select the policy you just created.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                          • Deployment:<\/strong>\n
                              \n
                            • Deploy to the FTD. Snort will now extract files from the TCP stream and calculate their hashes in real-time.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
                              \n\n\n\n

                              The Security Flow<\/mark><\/h2>\n\n\n\n

                              One of the most powerful features in the CCIE curriculum is the Retrospective Event<\/strong>.<\/p>\n\n\n\n

                                \n
                              1. Inbound:<\/strong>\u00a0A user downloads\u00a0file.exe<\/code>. The FMC checks the hash; the Cloud says “Unknown.” The file is allowed.<\/li>\n\n\n\n
                              2. The Shift:<\/strong>\u00a0One hour later, Talos identifies that file as a new strain of malware.<\/li>\n\n\n\n
                              3. The Alert:<\/strong>\u00a0The\u00a0Cisco FMC\u00a0receives a\u00a0Retroactive Disposition<\/strong>\u00a0update.<\/li>\n\n\n\n
                              4. Response:<\/strong>\u00a0The FMC marks the event in red. You can now see exactly which host has the file and initiate a quarantine via\u00a0Cisco ISE\u00a0using\u00a0Rapid Threat Containment (RTC)<\/strong>.<\/li>\n<\/ol>\n\n\n\n
                                \n\n\n\n

                                The Integrated Best Practice Flow<\/mark><\/h2>\n\n\n\n

                                When building your CCIE lab, always follow this order of operations for a “Gold Standard” policy:<\/p>\n\n\n\n

                                Step<\/th>Component<\/th>Action<\/th><\/tr>
                                1<\/strong><\/td>SSL Decryption<\/strong><\/td>Resign traffic so Snort can see the files.<\/td><\/tr>
                                2<\/strong><\/td>Prefilter<\/strong><\/td>Fast-path trusted video\/voice traffic to save CPU.<\/td><\/tr>
                                3<\/strong><\/td>Security Intel<\/strong><\/td>Block known bad IPs\/URLs globally at the start.<\/td><\/tr>
                                4<\/strong><\/td>IPS Policy<\/strong><\/td>Use Recommendations<\/strong> to auto-tune Snort rules.<\/td><\/tr>
                                5<\/strong><\/td>File Policy<\/strong><\/td>Enable Block Malware<\/strong> for all common file types.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

                                Verify Snort Engine Health<\/mark><\/h2>\n\n\n\n

                                The Snort engine must be active and correctly versioned to perform NGIPS functions.<\/p>\n\n\n\n

                                  \n
                                • Check Active Version:<\/strong>\u00a0Run\u00a0show snort3 status<\/code>.\n
                                    \n
                                  • If “Currently running Snort 3” appears, the modern multithreaded engine is active.<\/li>\n\n\n\n
                                  • If no output or “Currently running Snort 2” appears, you are on the legacy engine.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                                  • Instance Distribution:<\/strong>\u00a0Use\u00a0show snort instances<\/code>\u00a0to see how many Snort processes are running and how traffic is distributed across CPU cores.<\/li>\n\n\n\n
                                  • Performance Counters:<\/strong>\u00a0Use\u00a0show snort statistics<\/code>\u00a0to view real-time data on packets inspected, dropped, or “judged” by the engine.<\/li>\n<\/ul>\n\n\n\n

                                    Troubleshooting the Data Path (LINA vs. Snort)<\/mark><\/h2>\n\n\n\n

                                    When traffic is dropped, you must determine if it was a Layer 3\/4 ACL drop (LINA) or an L7 Security drop (Snort).\u00a0<\/p>\n\n\n\n

                                      \n
                                    • ASP Drop Reasons:<\/strong>\u00a0Run\u00a0show asp drop<\/code>. Look for specific Snort-related counters:\n
                                        \n
                                      • snort-block<\/code><\/strong>: Traffic was intentionally blocked by an IPS or File policy.<\/li>\n\n\n\n
                                      • snort-busy<\/code><\/strong>: The engine is overwhelmed and dropping traffic it cannot process.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                                      • Packet Capture with Trace:<\/strong>\u00a0Run\u00a0capture ASP_DROPS type asp-drop all<\/code>\u00a0to capture the actual packets being discarded and see the exact drop reason in the trace.<\/li>\n\n\n\n
                                      • Packet Tracer:<\/strong>\u00a0Use the\u00a0FMC Advanced Troubleshooting Menu\u00a0(under\u00a0System > Health > Monitor<\/strong>) to run a “Packet Tracer”. This simulates a packet through the pipeline to see which rule\u2014Prefilter, SI, or ACP\u2014is affecting it.<\/li>\n<\/ul>\n\n\n\n

                                        File & Malware Verification<\/mark><\/h2>\n\n\n\n
                                          \n
                                        • File Inspection Stats:<\/strong>\u00a0While many detailed stats are GUI-based, you can verify the status of the “sftunnel” (the connection used to send file hashes to the FMC\/Cloud) with\u00a0sftunnel-status-brief<\/code>.<\/li>\n\n\n\n
                                        • Advanced Logs:<\/strong>\u00a0Enter the\u00a0Expert Mode<\/strong>\u00a0by typing\u00a0expert<\/code>, then\u00a0sudo su<\/code>\u00a0to access the Linux shell for deep log analysis. (Note: Use caution here as this is outside standard CLI support).\u00a0<\/li>\n<\/ul>\n\n\n\n

                                          Management Connectivity<\/mark><\/h2>\n\n\n\n

                                          If the FMC isn’t receiving events, verify the control plane:<\/p>\n\n\n\n

                                            \n
                                          • Management Tunnel:<\/strong>\u00a0Ensure port\u00a08305<\/strong>\u00a0is open and established using\u00a0netstat -an | grep 8305<\/code>.<\/li>\n<\/ul>\n\n\n
                                            \n
                                            \"\"<\/figure>\n<\/div>\n\n\n

                                            Happy Labingggggggggggggggg !<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

                                            NGIPS and FMC Cisco Secure Firewall (formerly Firepower)\u00a0requires a deep understanding of how the Management Center (FMC) orchestrates the “brains” of the operation:\u00a0Snort. Core Concepts & Terminology You must separate the management interface from the detection engine. Key Components Terminology What is SNORT? Snort is the industry-standard IPS engine. In FTD, it operates using Signatures (Rules). How […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2,6],"tags":[],"class_list":["post-2888","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco","category-security"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2888"}],"version-history":[{"count":1,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2888\/revisions"}],"predecessor-version":[{"id":2890,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2888\/revisions\/2890"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}