This article will help you prepare for your next network security interview. It focuses solely on Cisco Firepower Threat Defense (FTD) and covers the questions currently being asked about it.
Q. What is FTD?
FTD (Firepower Threat Defense) is Cisco's unified firewall image: it combines the ASA stateful firewall with the Firepower next-generation features (IPS/IDS, Security Intelligence, URL filtering and AMP file inspection) in a single piece of software. It gives you visibility into the traffic entering your network and blocks malicious traffic based on IPS signatures, file SHA-256 hashes, and Talos-maintained lists of known-malicious IP addresses, URLs and domains.
Q. On which platform FTD can be deployed?
FTD can be deployed on both physical and virtual appliances:
- ASA hardware platforms (ASA 5500-X series)
- Firepower 2100, 4100 and 9300 platforms
- Virtual platforms: VMware, Microsoft Azure, Amazon AWS, KVM
Q. How can we manage FTD?
FTD offers both on-box and off-box management; a device is managed by one or the other, not both.
- On-box management uses FDM (Firepower Device Manager), a web UI running on the device itself. It manages a single device and is available on the ASA 5500-X hardware platforms, the Firepower 2100 and FTD virtual instances.
- Off-box management uses FMC (Firepower Management Center), which can manage the ASA 5500-X hardware platforms, Firepower 2100, 4100 and 9300, and FTD virtual instances.
Q. What is FMC?
FMC (Firepower Management Center) is the off-box, centralised manager for FTD. A single FMC manages many FTDs at the same time: policies are configured on the FMC and deployed to the FTDs, and the FMC stores the connection events both for traffic entering your network and for connections initiated from it.
Q. What are the advantages of FMC?
FMC provides unified event collection: it stores connection, intrusion, file and malware events for a configurable retention period, lets you search them and generate reports, and so gives full network visibility across all managed devices. FMC integrates with Cisco ISE (user identity for identity-based rules), Cisco Threat Grid (file sandboxing) and Cisco AMP for Endpoints (endpoint malware events correlated with the network-side SHA-256 file dispositions). Events can be forwarded to external tools such as Splunk or HP ArcSight over syslog or eStreamer.
Q. On which platform FMC can be deployed?
FMC can be deployed on hardware as well as on virtual platforms:
- FMC hardware models: 1000, 2500, 4500
- Virtual platforms: VMware, AWS, KVM
Q. Which licenses are required for FTD?
FTD uses Cisco Smart Licensing (the device is registered to a Smart Account through the FMC). The licenses are:
- Base: included with the appliance; enables routing and switching, the stateful firewall and AVC (Application Visibility and Control).
- Threat: purchased separately; enables the IPS and Security Intelligence (IP, URL and DNS lists).
- Malware: purchased separately; enables AMP for Networks (file SHA-256 disposition lookups) and dynamic analysis, i.e. sending files to Cisco Threat Grid for sandboxing.
- URL Filtering: purchased separately; enables category- and reputation-based URL filtering.
The virtual FMC (FMCv) also requires its own perpetual license, sized by the number of FTDs it manages.
Q. In which modes can FTD be deployed?
FTD runs in one of two firewall modes, chosen during initial setup:
- Transparent mode
- Routed mode
Q. How can interfaces be deployed on FTD?
An FTD interface can be configured in any of the following modes. Routed and switched interfaces are regular firewall interfaces (routing, NAT, stateful inspection); inline pair, inline tap and passive are IPS-only interfaces that bypass most firewall functions.
- Routed mode
- Switched (bridge group / BVI) mode
- Inline pair
- Inline pair with tap mode
- Passive mode
- Passive mode with ERSPAN
Q. What is inline pair with tap mode?
With an inline pair in tap mode the traffic passes through the pair unmodified while a copy of each packet is sent to the inspection engine. Rules that would block or drop traffic only log that result; nothing is actually dropped. This is useful for testing an intrusion or access control policy before enforcing it.
Q. How does the packet flow on FTD?
FTD consists of two engines: Lina (the ASA data plane) and Snort (the Firepower inspection engine). When a packet arrives it is processed first by Lina (interface handling, L3/L4 access control and prefilter rules, NAT, connection tracking). If the applied policy requires deeper inspection, the packet is handed to Snort for deep packet inspection (application and URL identification, Security Intelligence, intrusion and file policies). Snort's verdict is returned to Lina, which applies its remaining checks and routing, and the packet finally exits the FTD or is dropped.
Q. What is pre-filter policy?
The prefilter policy was introduced in Firepower 6.1 and is evaluated by Lina before any access control rule. It is used to:
- Match traffic on the outer header (tunnel rules, for plaintext passthrough tunnels such as GRE and IP-in-IP) or on the inner or plain L3/L4 header (prefilter rules).
- Fastpath selected traffic so that it bypasses Snort inspection entirely and is handled only by Lina; this is typically used for trusted high-volume flows such as backups or storage replication.
Each tunnel or prefilter rule takes one of three actions:
- Fastpath: handled by Lina only, no further inspection.
- Block: dropped by Lina, no further inspection.
- Analyze: continue to the access control policy (and Snort) for full inspection.
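The packet flow and prefilter behaviour described in the two questions above, as an added Python model (not Cisco code): Lina parses the outer IPv4 header, decapsulates GRE to reach the inner header, matches tunnel rules on the outer header and prefilter rules on the inner or plain header, and only Analyze traffic goes on to Snort. The rule names, networks and packets are constructed for the demo, and the tunnel-rule to prefilter-rule hand-off is a simplified model of the real one.

```python
"""Toy model of the FTD prefilter stage (added example, not Cisco code). Lina
parses the outer IPv4 header and, for GRE, decapsulates the inner IPv4 header.
Tunnel rules match the outer header, prefilter rules the inner (or plain) one;
Fastpath and Block are decided in Lina alone and only Analyze reaches Snort.
Rules, networks and packets are constructed; the hand-off is simplified."""
from dataclasses import dataclass
from typing import Optional
import ipaddress
import struct

GRE, TCP, UDP = 47, 6, 17
FASTPATH, BLOCK, ANALYZE = "Fastpath", "Block", "Analyze"
ENGINE_PATH = {FASTPATH: "Lina only, forwarded", BLOCK: "Lina only, dropped", ANALYZE: "Lina -> Snort -> Lina"}

def parse_ipv4(pkt: bytes) -> dict:
    """Return src, dst, proto (and TCP/UDP ports) from an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5 or len(pkt) < (pkt[0] & 0x0F) * 4:
        raise ValueError("malformed IPv4 header")
    proto, payload = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    info = {"src": ipaddress.ip_address(pkt[12:16]), "dst": ipaddress.ip_address(pkt[16:20]),
            "proto": proto, "payload": payload, "sport": None, "dport": None}
    if proto in (TCP, UDP) and len(payload) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info

def gre_inner(outer: dict) -> Optional[dict]:
    """Decapsulate a GRE (RFC 2784/2890) payload carrying IPv4; None if not such a tunnel."""
    if outer["proto"] != GRE or len(outer["payload"]) < 4:
        return None
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if ptype != 0x0800:
        return None
    # C (0x8000) adds checksum+offset, K (0x2000) a key, S (0x1000) a sequence number
    hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return parse_ipv4(outer["payload"][hdr_len:])

@dataclass
class Rule:
    name: str
    action: str
    proto: Optional[int] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, hdr: dict) -> bool:
        return ((self.proto is None or hdr["proto"] == self.proto)
                and (self.dport is None or hdr["dport"] == self.dport)
                and hdr["src"] in ipaddress.ip_network(self.src)
                and hdr["dst"] in ipaddress.ip_network(self.dst))

def prefilter_decision(pkt: bytes, tunnel_rules: list, prefilter_rules: list) -> tuple:
    """(rule name, action): tunnel rules on the outer header first; Analyze or no tunnel
    match falls through to the prefilter rules on the inner header; no match = Analyze."""
    outer = parse_ipv4(pkt)
    inner = gre_inner(outer)
    hdr = outer
    if inner is not None:
        for rule in tunnel_rules:
            if rule.matches(outer):
                if rule.action != ANALYZE:
                    return rule.name, rule.action
                break
        hdr = inner
    for rule in prefilter_rules:
        if rule.matches(hdr):
            return rule.name, rule.action
    return "default-action", ANALYZE

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header; checksum left 0 (Lina validates it, this toy does not)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def build_tcp(sport: int, dport: int) -> bytes:
    """20-byte TCP SYN header with no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

def gre_from_branch(inner_dport: int) -> bytes:
    """Constructed branch-to-DC GRE packet (no GRE options) carrying an inner TCP SYN."""
    inner = build_ipv4("10.1.1.5", "10.2.2.7", TCP, build_tcp(40000, inner_dport))
    return build_ipv4("192.0.2.10", "198.51.100.1", GRE, struct.pack("!HH", 0, 0x0800) + inner)

# Constructed policy: analyze the branch tunnel, fastpath its backup replication
# (matched on the inner header), block telnet anywhere; the rest continues to Snort.
TUNNEL_RULES = [Rule("gre-from-branch", ANALYZE, proto=GRE, src="192.0.2.0/24", dst="198.51.100.0/24")]
PREFILTER_RULES = [
    Rule("fastpath-backup-replication", FASTPATH, proto=TCP, src="10.1.0.0/16", dst="10.2.0.0/16", dport=5000),
    Rule("block-telnet", BLOCK, proto=TCP, dport=23),
]

def demo() -> list:
    """Three constructed packets -> (label, matched rule, engine path)."""
    packets = {"gre/backup": gre_from_branch(5000), "gre/https": gre_from_branch(443),
               "plain/telnet": build_ipv4("203.0.113.9", "10.2.2.7", TCP, build_tcp(50000, 23))}
    rows = []
    for label, pkt in packets.items():
        name, action = prefilter_decision(pkt, TUNNEL_RULES, PREFILTER_RULES)
        rows.append((label, name, ENGINE_PATH[action]))
    return rows
```

Running `demo()` shows the three outcomes side by side: the backup flow inside the tunnel is fastpathed and never sees Snort, the HTTPS flow inside the same tunnel matches nothing and continues to Snort, and plain telnet is dropped by Lina. The interview point is that Fastpath is a Lina-only decision, so it saves Snort CPU but also means no IPS, file or URL inspection for that traffic.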
Q. What is a NAP?
A NAP (network analysis policy) controls how Snort decodes and preprocesses traffic before the intrusion policy evaluates it. It processes packets in phases:
- Decoding: the packet is decoded and its headers and payload are converted into a form the Snort preprocessors (and later the intrusion policy) can work with. The decoders also flag anomalies in the protocol headers.
- Normalization: the inline normalizer removes protocol ambiguities (such as unusual TCP options or inconsistent IP TTLs) that attackers rely on to evade detection, so the inspector sees the traffic the way the destination host will, before it is passed to the intrusion policy.
- Preprocessing: network- and transport-layer preprocessors detect attacks that exploit IP fragmentation, validate checksums, reassemble TCP streams and track UDP sessions; application-layer preprocessors (such as HTTP inspection) then normalize protocol fields like URIs before the intrusion rules are matched.
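To show why the normalization phase matters, here is an added toy URI normalizer in Python (not Cisco's or Snort's code) that does what an HTTP preprocessor does to a request path before the IPS rules see it: decode percent-encoding twice, convert backslashes, collapse repeated slashes and resolve "." and ".." segments. The signature string and the evasion URIs are constructed for the demo.

```python
"""Toy URI normalizer standing in for the HTTP preprocessor a NAP runs before IPS
matching (added example, not Cisco or Snort code). One signature written for
the canonical path then catches every encoded or traversal-based evasion."""
import re
from urllib.parse import unquote

# Constructed "signature": the canonical path an IPS rule would look for.
SIGNATURE = "/etc/passwd"


def normalize_uri(raw: str) -> str:
    """Return the canonical path for a request URI (query string dropped)."""
    path = raw.split("?", 1)[0]
    for _ in range(2):                      # second pass catches double encoding (%252f -> %2f -> /)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")          # IIS-style backslash separators
    path = re.sub(r"/{2,}", "/", path)      # collapse "//"
    segments: list = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()              # ".." above the root is ignored, as servers do
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def inspect_request(raw_uri: str) -> tuple:
    """(signature matches the raw URI, signature matches the normalized URI)."""
    return SIGNATURE in raw_uri, SIGNATURE in normalize_uri(raw_uri)


# Constructed evasion attempts; each is the same request for /etc/passwd.
EVASIONS = [
    "/cgi-bin/..%2f..%2fetc/passwd",   # percent-encoded traversal
    "/%252e%252e/etc%252fpasswd",      # double encoding
    "/\\etc\\\\passwd",                # backslashes and repeated separators
    "/etc/./passwd?x=1",               # "." segment plus a query string
]


def evasion_report() -> dict:
    """Map each URI to (caught on the raw bytes, caught after normalization)."""
    return {uri: inspect_request(uri) for uri in EVASIONS + ["/static/app.css"]}
```

Every entry in `EVASIONS` is missed by a naive substring match on the raw request and caught after normalization, while the benign `/static/app.css` is caught by neither. This is the behaviour the NAP's normalizer and HTTP preprocessor provide for the intrusion policy, and why disabling preprocessors to save CPU also weakens the IPS.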
Q. What is ACP?
The ACP (access control policy) is the ordered set of rules configured on the FMC and deployed to the FTD. Each device can have exactly one ACP assigned at a time. Besides allowing or blocking traffic, ACP rules define which traffic is handed to an intrusion policy and a file policy for deeper analysis (a rule with the Allow or Interactive Block action can carry both). The actions available for an ACP rule are:
- Allow
- Trust (pass the connection with no further inspection)
- Monitor (log and continue matching)
- Block
- Block with reset
- Interactive Block
- Interactive Block with reset
Q. What is file policy?
File policies implement AMP for Networks on the FTD: they detect or block files by file type and, with the Malware license, by the file's SHA-256 disposition returned from the AMP cloud. A file policy does not apply on its own; it must be attached to an access control rule (one with an Allow or Interactive Block action) in the ACP.
The actions that can be configured in a file policy rule are:
- Detect Files (log the transfer of the matched file types, allow them)
- Block Files (block the matched file types regardless of disposition)
- Malware Cloud Lookup (look up the SHA-256, log the disposition, allow)
- Block Malware (look up the SHA-256 and block files with a Malware disposition)
Q. What is dynamic analysis policy under file policy?
When a file's SHA-256 is not known to the AMP cloud (disposition Unknown), FTD can submit the file to the Cisco cloud (Threat Grid) for dynamic analysis in a sandbox. The result assigns the file a disposition: Clean, Unknown or Malware. Only certain file types are eligible, and the types to submit are selected in the file rule.
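The file policy and dynamic analysis behaviour from the two questions above, as an added Python model (not Cisco code): the file type is identified from its leading bytes, the SHA-256 is computed over the whole file, the hash is looked up for a disposition, and the rule action decides the verdict, with Unknown files of an eligible type marked for dynamic analysis. The AMP cloud is replaced by a constructed dictionary, the magic-number table and eligibility set are small assumptions for the toy, and the sample files are constructed bytes.

```python
"""Toy file-policy evaluator (added example, not Cisco code). FTD identifies the
file type from its leading bytes, hashes the complete file with SHA-256 and,
with the Malware license, looks the hash up in the AMP cloud; the rule action
then decides. The cloud here is a dictionary and all samples are constructed."""
import hashlib

# Magic numbers for the few types this toy recognises (real FTD knows many more).
MAGIC = {b"MZ": "PE executable", b"%PDF": "PDF", b"PK\x03\x04": "ZIP/Office"}
# Assumption for the toy: which types the rule is allowed to send for dynamic analysis.
DYNAMIC_ANALYSIS_ELIGIBLE = {"PE executable", "PDF", "ZIP/Office"}


def file_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def sha256_hex(data: bytes) -> str:
    """Hash of the complete, reassembled file, which is what the cloud is keyed on."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples and a stand-in for the AMP cloud disposition service.
MALWARE_SAMPLE = b"MZ" + b"\x90" * 62 + b"constructed sample recorded as Malware in the toy cloud"
CLEAN_SAMPLE = b"%PDF-1.7\n% constructed clean document\n"
UNSEEN_SAMPLE = b"PK\x03\x04" + b"constructed archive the cloud has never seen"
CLOUD = {sha256_hex(MALWARE_SAMPLE): "Malware", sha256_hex(CLEAN_SAMPLE): "Clean"}


def lookup_disposition(sha: str) -> str:
    """Clean, Malware, or Unknown when the cloud has no record of the hash."""
    return CLOUD.get(sha, "Unknown")


def apply_file_rule(action: str, data: bytes, dynamic_analysis: bool = True) -> dict:
    """Evaluate one file against one of the four file-rule actions."""
    ftype = file_type(data)
    sha = sha256_hex(data)
    result = {"type": ftype, "sha256": sha, "disposition": None,
              "verdict": "allow", "submit_for_analysis": False}
    if action == "Detect Files":            # type-based, log only
        result["verdict"] = "allow+log"
    elif action == "Block Files":           # type-based block, no hash lookup needed
        result["verdict"] = "block"
    elif action in ("Malware Cloud Lookup", "Block Malware"):
        disposition = lookup_disposition(sha)
        result["disposition"] = disposition
        if disposition == "Malware":
            result["verdict"] = "block" if action == "Block Malware" else "allow+log"
        elif disposition == "Unknown" and dynamic_analysis and ftype in DYNAMIC_ANALYSIS_ELIGIBLE:
            result["submit_for_analysis"] = True   # allowed now; a later verdict can flag it retrospectively
    else:
        raise ValueError(f"unknown file rule action: {action}")
    return result
```

The point to carry into the interview: Detect Files and Block Files need no cloud and no Malware license because they act on file type alone; Malware Cloud Lookup and Block Malware depend on the SHA-256 disposition, and an Unknown file is not blocked at the time of transfer, only submitted for analysis.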
Q. What are SI and DNS policies?
Security Intelligence (SI) and DNS policies use feeds of known-malicious IP addresses, URLs and domains maintained by Cisco Talos (plus your own custom lists) to block or monitor traffic to and from those destinations. SI is evaluated before the access control rules and deep inspection, so blocking traffic at this stage saves the device the cost of inspecting it further.
Q. What is an identity policy?
An identity policy ties users to the traffic they generate so that access control rules can be written for specific users or groups rather than for IP addresses. FTD is integrated with Active Directory (through a realm on the FMC) to learn users and groups, and gets the user-to-IP mappings from an identity source such as Cisco ISE (via pxGrid) or the User Agent.
An identity policy can establish user identity in two ways:
- Active authentication: the user is prompted to authenticate at a captive portal hosted on the FTD.
- Passive authentication: the mapping is learned transparently from ISE or the User Agent, with no prompt to the user.
Q. How can FTD inspect encrypted traffic?
An SSL policy can be configured on FTD to decrypt TLS/SSL traffic and pass the clear text to the rest of the inspection chain. The SSL policy is attached to the ACP, so it applies to the whole device. The actions available in an SSL rule are:
- Decrypt - Resign (outbound traffic; the FTD re-signs the server certificate with its own CA, which the clients must trust)
- Decrypt - Known Key (inbound traffic to your own servers, using the server's private key)
- Do not decrypt
- Block
- Block with reset
- Monitor
Q. What is flex config on FTD?
Some configuration that exists on the Lina (ASA) side is not exposed in the FMC user interface. FlexConfig lets you define the equivalent sequence of ASA CLI commands as a FlexConfig object, attach it to a FlexConfig policy and assign that policy to the device; on deployment the FMC pushes those commands to the FTD.
Q. What alerts can be configured for FTD events?
The FMC can send alerts for FTD events (intrusion, connection, malware and health events) through three alert response types:
- SNMP alert
- Syslog alert
- Email alert
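Syslog is the alert type most often consumed by a SIEM, so here is an added Python parser (not Cisco code) for the key-value layout FTD uses when it sends events to syslog: a `%FTD-<severity>-<message id>` header followed by comma-separated `Key: Value` pairs. The message IDs are the ones Cisco documents for FTD 6.3 and later; the sample lines are constructed in that layout with assumed field names, so compare them with your own export before relying on the field names.

```python
"""Parser for FTD syslog alerts (added example, not Cisco code). From version 6.3
FTD can send connection, intrusion and file events to syslog as a
%FTD-<severity>-<message id> header followed by comma-separated "Key: Value"
pairs; 430002/430003 are connection start/end, 430001 intrusion, 430004 file
and 430005 malware events. The sample lines are constructed in that layout
with assumed field names, so check them against your own export."""
import re
from collections import Counter
from typing import Optional

MESSAGE_TYPES = {"430001": "intrusion", "430002": "connection-start", "430003": "connection-end",
                 "430004": "file", "430005": "malware"}
LINE_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")

# Constructed sample events: one allowed web session and three inbound blocks.
SAMPLE_LINES = [
    "<165>Jan 10 12:00:01 ftd-edge %FTD-1-430003: EventPriority: Low, DeviceUUID: 8a3c1f02-0000-4000-8000-000000000001, "
    "InstanceID: 1, FirstPacketSecond: 2024-01-10T12:00:00Z, ConnectionID: 100, AccessControlRuleAction: Allow, "
    "SrcIP: 10.1.1.5, DstIP: 198.51.100.20, SrcPort: 51000, DstPort: 443, Protocol: tcp, IngressInterface: inside, "
    "EgressInterface: outside, ACPolicy: corp-acp, AccessControlRuleName: allow-web, InitiatorPackets: 10, ResponderPackets: 12",
    "<165>Jan 10 12:00:02 ftd-edge %FTD-1-430003: EventPriority: Low, DeviceUUID: 8a3c1f02-0000-4000-8000-000000000001, "
    "InstanceID: 1, FirstPacketSecond: 2024-01-10T12:00:02Z, ConnectionID: 101, AccessControlRuleAction: Block, "
    "SrcIP: 203.0.113.9, DstIP: 10.2.2.7, SrcPort: 50000, DstPort: 23, Protocol: tcp, IngressInterface: outside, "
    "EgressInterface: inside, ACPolicy: corp-acp, AccessControlRuleName: block-telnet",
    "<165>Jan 10 12:00:03 ftd-edge %FTD-1-430003: EventPriority: Low, DeviceUUID: 8a3c1f02-0000-4000-8000-000000000001, "
    "InstanceID: 1, FirstPacketSecond: 2024-01-10T12:00:03Z, ConnectionID: 102, AccessControlRuleAction: Block with reset, "
    "SrcIP: 203.0.113.9, DstIP: 10.2.2.7, SrcPort: 50001, DstPort: 3389, Protocol: tcp, IngressInterface: outside, "
    "EgressInterface: inside, ACPolicy: corp-acp, AccessControlRuleName: block-rdp-inbound",
    "<165>Jan 10 12:00:04 ftd-edge %FTD-1-430003: EventPriority: Low, DeviceUUID: 8a3c1f02-0000-4000-8000-000000000001, "
    "InstanceID: 1, FirstPacketSecond: 2024-01-10T12:00:04Z, ConnectionID: 103, AccessControlRuleAction: Block, "
    "SrcIP: 198.51.100.77, DstIP: 10.2.2.8, SrcPort: 40400, DstPort: 23, Protocol: tcp, IngressInterface: outside, "
    "EgressInterface: inside, ACPolicy: corp-acp, AccessControlRuleName: block-telnet",
]


def parse_ftd_syslog(line: str) -> Optional[dict]:
    """Split one FTD syslog line into a dict; None for lines that are not FTD events.
    Pairs are split on ", ", so a value containing that sequence would be cut short."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = {"severity": int(m["sev"]), "msgid": m["msgid"], "type": MESSAGE_TYPES.get(m["msgid"], "other")}
    for pair in m["body"].split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            event[key] = value
    return event


def blocks_per_rule(lines) -> Counter:
    """Blocked connections (Block and Block with reset) counted by access control rule."""
    counts = Counter()
    for line in lines:
        ev = parse_ftd_syslog(line)
        if ev and ev["type"].startswith("connection") and ev.get("AccessControlRuleAction", "").startswith("Block"):
            counts[ev.get("AccessControlRuleName", "<no rule>")] += 1
    return counts


def blocked_sources_probing(lines, min_distinct_ports: int = 2) -> list:
    """Source IPs blocked on several distinct destination ports: a cheap scan indicator."""
    ports = {}
    for line in lines:
        ev = parse_ftd_syslog(line)
        if ev and ev.get("AccessControlRuleAction", "").startswith("Block"):
            ports.setdefault(ev["SrcIP"], set()).add(ev["DstPort"])
    return sorted(ip for ip, seen in ports.items() if len(seen) >= min_distinct_ports)
```

`blocks_per_rule` is the kind of quick check you run after a policy change to confirm the new rule is actually hitting, and `blocked_sources_probing` shows why the per-connection detail in the syslog alert is worth the log volume: a single source blocked on several ports stands out in seconds.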
Q. What are the Geo-location rules?
Geolocation rules let you match traffic on the geographical location associated with an IP address, so you can block or allow traffic from or to a whole continent or country instead of maintaining address lists. The IP-to-country database is kept up to date by the FMC.
Q. What are platform settings?
Platform settings are device-level FTD configuration managed as a platform settings policy on the FMC, such as ARP inspection, the login banner, DNS servers, SNMP, connection timeouts, time synchronization and syslog settings.
Q. What are the different deployment modes of a Firepower chassis in the network?
The Firepower 4100 and 9300 chassis can run FTD as a single native instance (comparable to single-context mode on ASA) or, from version 6.3, as multiple container instances (comparable to ASA multiple-context mode). Both chassis also support high availability (active/standby pairs) and clustering.
The Firepower 2100 and ASA 5500-X platforms run a single FTD instance and support high availability only; clustering is not available on them.