CISCO FTD Interview Questions
Cisco Firepower Threat Defense (FTD) is the latest unified firewall software launched by Cisco. It combines Cisco ASA and FirePOWER features into one hardware and software system. Cisco is a pioneer among next-generation firewall vendors, where competitors are limited to single platforms.
 
The Cisco Firepower Threat Defense (FTD) unified image is available as a stable release or as a beta. An ASA running the FTD image is therefore not an ASA with FirePOWER: with the FTD image there is a single compiled image rather than separate ASA software with FirePOWER software running in a module. There is only FTD software, which can be managed through Cisco FMC, a single management console for the entire platform.
 
This provides the firewall capability as well as IPS/IDS, which gives you details about the traffic entering your network and blocks malicious traffic based on IPS signatures, SHA values, and globally recognized malicious IPs and domains.
The main difference between Cisco FTD and ASA is that ASA provides access to VPN, IDS, IPS, anti-malware, and anti-virus services which are not available in Cisco FTD. If we compare the two security appliances on performance, however, FTD easily replaces ASA.
 
The Cisco FTD is a high-end firewall appliance that can be used to protect networks from intrusion. It is designed to provide an extra layer of security for the data center and the enterprise. It offers protection for networks of any size with its wide range of products and services.
 
The Cisco ASA is a network security appliance that provides firewall, VPN, and intrusion prevention services. A network security device can be an important part of any organization’s cybersecurity strategy because it helps to protect networks from external threats like hackers or cybercriminals who are looking to steal data or disrupt it.

| Parameters of Comparison | Cisco FTD | Cisco ASA |
|---|---|---|
| VPN Support | Not Available | Available |
| Configuration | More of a software-based firewall | Either a Stateful Packet Inspection firewall or a Network Address Translation firewall |
| Performance | Top-Notch Performance | Low Quality Performance |
| Time Consumption | Less Time Consuming | High Time Consuming |
| Affordability | Highly-Affordable | Less-Affordable |

FTD is the unified firewall image running on the appliance itself. To manage FTD there is an on-box management option called Firepower Device Manager (FDM), which is only available for low- to mid-range appliances (<= ASA 5545-X), so it is not suitable for your FP4100 firewall. FDM is limited in functionality, which is why it is only intended for smaller deployments that need a subset of features.
 
To manage your FP4100 running FTD you will need Firepower Management Center (FMC), which you can install as a virtual machine (KVM/VMware) or as a dedicated physical appliance.
FTD has both on-box and off-box management capabilities available:

* The on-box management is called FDM (Firepower Device Manager), which can manage the ASA hardware platform, Firepower 2100 and FTD virtual instances.
* The off-box management is done via FMC (Firepower Management Center), which can manage the ASA hardware platform, Firepower 2100, Firepower 4100, Firepower 9300 and FTD virtual instances.

FMC (Firepower Management Center) provides the off-box management capability for FTD. It is the management box for FTD and can manage multiple FTDs at the same time. Policies are configured on the FMC and deployed to the FTDs; the FMC also stores the connection logs for traffic that is either incoming or has been initiated from your network.
FMC provides a unified log collection capability which stores connection event logs, intrusion logs and malware logs for a certain amount of time; you can view the logs and generate reports to give your enterprise full network visibility. FMC can be integrated with Cisco ISE, Cisco Threat Grid and Cisco AMP for Endpoints to provide identity firewalling, sandboxing and SHA values. FMC can be integrated with syslog and eStreamer (Splunk, HP ArcSight) to forward the logs.
A Smart License is required for FTD to operate; the different licenses are as follows:

* Base License: comes with the appliance and enables networking, firewall and AVC (Application Visibility and Control)
* Threat: needs to be purchased; enables IPS and Security Intelligence (IP, DNS)
* Malware: needs to be purchased; enables dynamic analysis and sandboxing (sending files to Cisco Threat Grid)
* URL Filtering: needs to be purchased; enables category- and reputation-based URL filtering.

The virtual FMC also requires a perpetual license to manage FTD.
FPR 4100 and 9300 chassis can run in single-instance mode (equivalent to single-context mode on ASA) or multi-instance mode (equivalent to multi-context ASA), in HA and in cluster mode.

FTD 2100 and ASA 5500 can be deployed in single-instance HA mode only.
In November 2020 Cisco released the Firepower Threat Defence (FTD) and Firepower Management Centre (FMC) version 6.7. Supported from this version is the long-awaited Virtual Tunnel Interface (VTI) for route-based site-to-site VPNs.
FireSIGHT is a term introduced in version 5; it refers to what was called RNA (Real-time Network Awareness) and RUA (Real-time User Awareness) in Sourcefire versions lower than 5. In version 5, RNA and RUA were combined under the new term FireSIGHT.

When we use the term FireSIGHT, we refer to the entire system, physical or virtual, serving as an NGIPS/NGFW. FirePOWER is the power behind the system, and FirePOWER is now typically used as a term for an NGIPS system that runs its services on ASA.

Many of the old names are being updated as the Cisco and Sourcefire integration progresses. That is why we need to know the old and new terms for the various components. Here is a table describing several points of confusion between old and new terminology.

| Old | New |
|---|---|
| Sourcefire | Cisco |
| Sourcefire Defense Center | FireSIGHT Management Center (FMC or FSMC) |
| Sensor | Device or Managed Device |
| Defense Center (DC) | FireSIGHT Management Center |
| Sourcefire 3D System | FireSIGHT System |
| Sourcefire Managed Device | Managed Device |

The alerts that can be configured on the FTD are:
 
* SNMP alert
* Syslog alert
* Email alert
There are a few configurations available on LINA (the ASA part) that are not directly supported through FMC; FlexConfig therefore generates a sequence of ASA commands that can be deployed on the FTD.
SSL decryption can be configured on the FTD to decrypt SSL traffic and send it for further inspection; SSL policies are applied to the whole box. The actions that can be configured in an SSL policy are:

* Decrypt - Resign
* Don’t decrypt
* Decrypt with a known key
* Monitor
* Block
* Block with reset
File policies are the malware policies created on the FTD; a file policy helps to block malicious files based on their SHA value. The file policy needs to be bound to the ACP.

The actions that can be configured for file policies are:
 
* Block Files
* Block malware
* Detect file
* Malware cloud lookup
Identity policies are user-based rules that can be configured on the firewall. FTD can be integrated with AD to obtain user information and create policies for a specific set of users.

FTD can be integrated with ISE and the User Agent to obtain the user-to-IP mapping.

Identity policies use two methods of authentication:
 
* Active authentication
* Passive authentication
SI and DNS policies are based on feeds of malicious IPs and domains populated by Talos and are used to block traffic destined to malicious domains. Blocking traffic based on SI helps to reduce the resource utilization of the device.
Whenever there is a new file whose SHA value is not known, the FTD can send the file to the Cisco cloud to analyze it and assign a reputation to the file, i.e. clean, unknown or malware.
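The following is an added example, not code from the page or from Cisco, modelling how the four file-policy actions listed above interact with the SHA-based cloud disposition and the "unknown file goes to dynamic analysis" path. The disposition table and the sample files are constructed for the example; in a real deployment the disposition comes from the AMP cloud.

```python
import hashlib
from typing import Dict

# Constructed stand-in for the AMP cloud: SHA-256 -> disposition.
CLOUD_DISPOSITIONS: Dict[str, str] = {}

# Constructed sample files (labelled test bytes, not real malware).
SAMPLE_CLEAN = b"MZ\x90\x00 constructed clean sample"
SAMPLE_MALWARE = b"MZ\x90\x00 constructed sample labelled malware"
SAMPLE_NEW = b"MZ\x90\x00 constructed never-seen sample"

def sha256_hex(data: bytes) -> str:
    """File dispositions are keyed on the SHA-256 of the transferred file."""
    return hashlib.sha256(data).hexdigest()

CLOUD_DISPOSITIONS[sha256_hex(SAMPLE_CLEAN)] = "clean"
CLOUD_DISPOSITIONS[sha256_hex(SAMPLE_MALWARE)] = "malware"

def cloud_lookup(sha: str) -> str:
    """Model of the Malware cloud lookup: clean, malware or unknown."""
    return CLOUD_DISPOSITIONS.get(sha, "unknown")

def evaluate_file_policy(action: str, data: bytes) -> Dict[str, object]:
    """Apply one file-policy action to a file and return what the box would do.

    'dynamic_analysis' is True when an unknown file would be submitted to the
    sandbox (Threat Grid), which the page says needs the Malware license.
    """
    sha = sha256_hex(data)
    result: Dict[str, object] = {"sha256": sha, "disposition": None, "dynamic_analysis": False}
    if action == "Block Files":          # block the file type regardless of content
        result["verdict"] = "block"
    elif action == "Detect file":        # log the transfer and let it through
        result["verdict"] = "allow"
    elif action in ("Malware cloud lookup", "Block malware"):
        disp = cloud_lookup(sha)
        result["disposition"] = disp
        result["dynamic_analysis"] = disp == "unknown"   # unknown -> sandbox submission
        if action == "Block malware" and disp == "malware":
            result["verdict"] = "block"
        else:                            # lookup only reports; unknown files are allowed
            result["verdict"] = "allow"
    else:
        raise ValueError(f"unknown file policy action: {action}")
    return result
```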

Internet resources the deployment needs to reach, by feature:

| Feature | Reason | Resource |
|---|---|---|
| AMP for Networks | Malware cloud lookups. | cloud-sa.amp.sourcefire.com, cloud-sa.eu.amp.sourcefire.com, cloud-sa.apjc.amp.sourcefire.com, cloud-sa-589592150.us-east-1.elb.amazonaws.com |
| AMP for Networks | Download signature updates for file preclassification and local malware analysis. | updates.vrt.sourcefire.com, amp.updates.vrt.sourcefire.com |
| AMP for Networks | Submit files for dynamic analysis (managed devices). Query for dynamic analysis results (FMC). | panacea.threatgrid.com |
| AMP for Endpoints integration | Receive malware events detected by AMP for Endpoints from the AMP cloud. | api.amp.sourcefire.com, api.eu.amp.sourcefire.com, api.apjc.amp.sourcefire.com, export.amp.sourcefire.com, export.eu.amp.sourcefire.com, export.apjc.amp.sourcefire.com |
| Security Intelligence | Download Security Intelligence feeds. | intelligence.sourcefire.com |
| URL filtering | Download URL category and reputation data. Manually query URL category and reputation data. Query for uncategorized URLs. | database.brightcloud.com, service.brightcloud.com |
| System updates | Download updates directly from Cisco to the appliance: system software, intrusion rules, vulnerability database (VDB), geolocation database (GeoDB). | cisco.com, sourcefire.com |
| Time synchronization | Synchronize time in your deployment. Not supported with a proxy server. | 0.sourcefire.pool.ntp.org, 1.sourcefire.pool.ntp.org, 2.sourcefire.pool.ntp.org, 3.sourcefire.pool.ntp.org |
| RSS feeds | Display the Cisco Threat Research Blog on the dashboard. | blogs.cisco.com/talos, cloud.google.com |
| Whois | Request whois information for an external host. Not supported with a proxy server. The whois client tries to guess the right server to query; if it cannot guess, it uses the servers listed. | NIC handles: whois.networksolutions.com; IPv4 addresses and network names: whois.arin.net |


The physical management interface is shared between the Diagnostic logical interface and the Management logical interface.
 
Management Interface : The Management logical interface is separate from the other interfaces on the device. It is used to set up and register the device to the Firepower Management Center. It runs a separate SSH server and uses its own local authentication, IP address, and static routing. You can configure its settings at the CLI using the configure network command. If you change the IP address at the CLI after you add it to the Firepower Management Center, you can match the IP address in the Firepower Management Center in the Devices > Device Management > Devices > Management area.
 
Diagnostic Interface : The Diagnostic logical interface can be configured along with the rest of the data interfaces on the Devices > Device Management > Interfaces screen. Using the Diagnostic interface is optional (see the routed and transparent mode deployments for scenarios). The Diagnostic interface and data interfaces allow for LDAP or RADIUS external authentication. If you do not want to allow SSH access on a data interface, for example, then you may choose to configure the Diagnostic interface for SSH access. The Diagnostic interface only allows management traffic, and does not allow through traffic. The Diagnostic interface is useful for SNMP or syslog monitoring.
Each interface must be assigned to a security zone. You then apply your security policy based on zones. For example, you can assign the inside interface to the inside zone; and the outside interface to the outside zone. You can configure your access control policy to enable traffic to go from inside to outside, but not from outside to inside, for example. You can create security zones on the Objects page. You can also add a zone when you are configuring the interface. You can only add interfaces to the correct zone type for your interface, either Passive, Inline, Routed, or Switched zone types.
 
The Diagnostic/Management interface does not belong to a zone.
The pre-filter policy was introduced in Firepower version 6.1. The pre-filter policy is used to:

* Match traffic based on the inner and the outer header
* Bypass Snort inspection for the matched traffic and apply only LINA checks

There are three types of pre-filter rule that can be configured on Firepower:
 
* Block
* Analyze
* Fast path
NAP, or network analysis policy, processes packets in a phased manner, performing the following functions:

It first decodes the packet, converting the packet header and payload into a format that can be used by the Snort preprocessors and later by the IPS policy. The NAP detects various anomalous behaviors in the packet headers.

Next comes the normalization preprocessor, where the packet is normalized to minimize the chances of attackers evading detection; the packet is later sent to the IPS policy for inspection.

Then comes preprocessing, where various network- and transport-layer preprocessors detect attacks that exploit IP fragmentation, perform checksum validation, and perform TCP and UDP session preprocessing.

The ACP, or access control policy, is the set of rules configured (on the FMC) and deployed to the FTD. Each firewall can only have one ACP assigned to it. The ACP also defines which traffic you need to send for analysis under the IPS and file policies. The different actions that can be configured in an access control rule are:
 
* Allow
* Trust
* Monitor
* Block
* Block with reset
* Interactive Block
* Interactive Block with reset
The interfaces on FTD can be deployed in the following modes:
 
* Routed mode
* Switched (BVI mode)
* Inline pair
* Inline pair with tap mode
* Passive mode
* Passive mode with ERSPAN
Here is an overview of the packet flow:

* A packet enters the ingress interface and is handled by the LINA engine.
* The packet is inspected by the Snort engine, if configured to do so; this can include SI, IPS, AMP and URL filtering among other inspections.
* The Snort engine returns a verdict for the packet.
* It is important to note that the Snort engine does not drop anything; instead it marks the packet as drop or forward, and the packet is dropped or forwarded based on that Snort verdict.

Packet Flow

LINA processes layer 2, routing, NAT, VPN, pre-filter, and layer 3-4 access control policy rules before the Snort process takes over the analysis. The LINA code takes over again after the default action of the ACP and again performs layer 2, routing, NAT, VPN, etc.
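As an added example (not code from the page or from Cisco), the LINA -> Snort -> LINA path described above together with the pre-filter actions and zone-based ACP rules covered earlier, reduced to a small decision model. The pre-filter rules, the ACP rules, the zones, the ports and the Snort heuristic are all constructed for the example, and the ACP default action is assumed to be Block.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    tunnel: Optional[str] = None   # outer-header encapsulation such as "GRE"; None if plain
    trace: List[str] = field(default_factory=list)
# Constructed prefilter rules matched on outer (tunnel) and inner headers.
# Block drops in LINA, Fastpath bypasses Snort, Analyze continues to the ACP.
PREFILTER: List[Tuple[Callable[[Packet], bool], str]] = [
    (lambda p: p.tunnel == "GRE" and p.dst_zone == "inside", "Block"),
    (lambda p: p.tunnel == "GRE" and p.dst_zone == "dmz", "Analyze"),
    (lambda p: p.proto == "UDP" and p.dst_port == 514, "Fastpath"),
]
# Constructed zone-based L3/L4 access control rules; default action assumed Block.
ACP: List[Tuple[str, str, str]] = [
    ("inside", "outside", "Allow"),   # Allow: eligible for Snort inspection
    ("dmz", "outside", "Trust"),      # Trust: forward without deeper inspection
    ("outside", "inside", "Block"),
]
def snort_inspect(p: Packet) -> str:
    """Stand-in for Snort: returns a verdict only; LINA performs the drop/forward."""
    return "drop" if p.dst_port == 4444 else "forward"   # constructed IPS rule
def lina_process(p: Packet) -> str:
    """LINA -> Snort -> LINA path; returns 'dropped' or 'forwarded'."""
    for match, action in PREFILTER:                 # 1. prefilter on outer/inner headers
        if match(p):
            p.trace.append(f"prefilter:{action}")
            if action == "Block":
                return "dropped"
            if action == "Fastpath":
                return "forwarded"                  # LINA-only checks, Snort never sees it
            break                                   # Analyze falls through to the ACP
    for src, dst, action in ACP:                    # 2. L3/L4 ACP rules by zone
        if (src, dst) == (p.src_zone, p.dst_zone):
            p.trace.append(f"acp:{action}")
            if action == "Block":
                return "dropped"
            if action == "Trust":
                return "forwarded"
            break                                   # Allow: hand the packet to Snort
    else:
        p.trace.append("acp:default-Block")
        return "dropped"
    verdict = snort_inspect(p)                      # 3. Snort marks, LINA acts on the verdict
    p.trace.append(f"snort:{verdict}")
    return "dropped" if verdict == "drop" else "forwarded"
```

The trace list on each packet records which stage made the decision, which is the same thing the pre-filter/ACP/Snort columns of a connection event tell you when debugging why traffic was allowed or blocked.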

Sources: Cisco, and more.