集成SecureX与Firepower威胁防御(FTD)并排除故障
目录
简介
本文档介绍集成、验证SecureX和Firepower Firepower威胁防御(FTD)并对其进行故障排除所需的步骤。
先决条件
要求
Cisco 建议您了解以下主题:
- Firepower管理中心(FMC)
- Firepower威胁防御(FTD)
- 映像的可选虚拟化
使用的组件
- Firepower威胁防御(FTD)- 6.5
- Firepower管理中心(FMC)- 6.5
- 安全服务交换(SSE)
- SecureX
- 智能许可证门户
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
配置
许可
虚拟帐户角色:
只有虚拟帐户管理员或智能帐户管理员有权将智能帐户与SSE帐户链接。
步骤1.要验证智能帐户角色,请导航至software.cisco.com,然后在“管理”菜单下,选择“管理智能帐户”。
步骤2.要验证用户角色,请导航至用户,并验证在“角色”下,帐户设置为具有虚拟帐户管理员,如图所示。
步骤3.确保在SSE上选择链接的虚拟帐户包含安全设备的许可证,如果未包含安全许可证的帐户在SSE上链接,安全设备和事件不显示在SSE门户上。
步骤4.要验证FMC是否已注册到正确的虚拟帐户,请导航至System>Licenses>Smart License:
将您的帐户链接到SSE并注册设备。
步骤1.登录到SSE帐户时,必须将智能帐户链接到SSE帐户,因此需要单击工具图标并选择链接帐户。
一旦关联帐户,您就会看到智能帐户及其上的所有虚拟帐户。
将设备注册到SSE
步骤1.确保在您的环境中允许这些URL:
美国地区
- api-sse.cisco.com
- eventing-ingest.sse.itd.cisco.com
欧盟地区
- api.eu.ss e.itd.cisco.com
- eventing-ingest.eu.ss e.itd.cisco.com
亚太及日本地区
- api.apj.sse.itd.cisco.com
- eventing-ingest.apj.sse.itd.cisco.com
步骤2.使用此URL https://admin.sse.itd.cisco.com登录SSE门户,导航到云服务,并启用事件和Cisco SecureX威胁响应两个选项,如下图所示:
步骤3.登录Firepower管理中心并导航至System>Integration>Cloud Services,启用Cisco Cloud Event Configuration并选择要发送到云的事件:
步骤4.您可以返回SSE门户并验证现在您可以看到在SSE上注册的设备:
事件由FTD设备发送,导航到SSE门户上的事件,以验证设备发送到SSE的事件,如图所示:
在SecureX上配置自定义控制面板
步骤1.要创建仪表板,请单击+ New Dashboard图标,选择要用于仪表板的名称和磁贴,如图所示:
步骤2.在此之后,您可以看到从SSE填充的控制面板信息,您可以选择检测到的任何威胁,SSE门户将启动其上的事件类型过滤器:
验证
验证FTD是否生成事件(恶意软件或入侵),以便入侵事件导航至
验证事件是否已在SSE门户上注册,如步骤4“将设备注册到SSE”部分所述。
验证SecureX控制面板上显示的信息或检查API日志,以便您查看可能出现API故障的原因。
故障排除
检测连接问题
您可以从action_queue.log文件检测一般连接问题。如果发生故障,您可以在文件中看到此类日志:
ActionQueueScrape.pl[19094]: [SF::SSE::Enrollment] canConnect: System (/usr/bin/curl -s --connect-timeout 10 -m 20 -L --max-redirs 5 --max-filesize 104857600 --capath /ngfw/etc/sf/keys/fireamp/thawte_roots -f https://api.eu.sse.itd.cisco.com/providers/sse/api/v1/regions) Failed, curl returned 28 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/System.pmline 10477.
在本例中,退出代码28表示操作超时,我们应检查与Internet的连接。您还可能看到退出代码6,这意味着DNS解析出现问题
DNS解析导致的连接问题
步骤1.检查连接是否正常工作。
root@ftd01:~# curl -v -k https://api-sse.cisco.com
* Rebuilt URL to: https://api-sse.cisco.com/
* getaddrinfo(3) failed for api-sse.cisco.com:443
* Couldn't resolve host 'api-sse.cisco.com'
* Closing connection 0
curl: (6) Couldn't resolve host 'api-sse.cisco.com'
以上输出显示设备无法解析URL https://api-sse.cisco.com,在这种情况下,我们需要验证是否配置了正确的DNS服务器,可以从专家CLI使用nslookup对其进行验证:
root@ftd01:~# nslookup api-sse.cisco.com
;; connection timed out; no servers could be reached
上述输出显示未到达已配置的DNS,为了确认DNS设置,请使用show network命令:
> show network
===============[ System Information ]===============
Hostname : ftd01
DNS Servers : x.x.x.10
Management port : 8305
IPv4 Default route
Gateway : x.x.x.1
======================[ eth0 ]======================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : x:x:x:x:9D:A5
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : x.x.x.27
Netmask : 255.255.255.0
Broadcast : x.x.x.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
在本示例中,使用了错误的DNS服务器,您可以使用以下命令更改DNS设置:
> configure network dns x.x.x.11
在再次测试此连接后,此次连接成功。
root@ftd01:~# curl -v -k https://api-sse.cisco.com
* Rebuilt URL to: https://api-sse.cisco.com/
* Trying x.x.x.66...
* Connected to api-sse.cisco.com (x.x.x.66) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Jose; O=Cisco Systems, Inc.; CN=api -sse.cisco.com
* start date: 2019-12-03 20:57:56 GMT
* expire date: 2021-12-03 21:07:00 GMT
* issuer: C=US; O=HydrantID (Avalanche Cloud Corporation); CN=HydrantID S SL ICA G2
* SSL certificate verify result: self signed certificate in certificate c hain (19), continuing anyway.
> GET / HTTP/1.1
> Host: api-sse.cisco.com
> User-Agent: curl/7.44.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Wed, 08 Apr 2020 01:27:55 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 9
< Connection: keep-alive
< Keep-Alive: timeout=5
< ETag: "5e17b3f8-9"
< Cache-Control: no-store
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubdomains;
注册问题到SSE门户
FMC和FTD都需要连接到其管理界面上的SSE URL,以测试连接,请在具有根访问权限的Firepower CLI上输入以下命令:
curl -v https://api-sse.cisco.com/providers/sse/services/registration/api/v2/clients --cacert /ngfw/etc/ssl/connectorCA.pem
curl -v https://est.sco.cisco.com --cacert /ngfw/etc/ssl/connectorCA.pem
curl -v https://eventing-ingest.sse.itd.cisco.com --cacert /ngfw/etc/ssl/connectorCA.pem
curl -v https://mx01.sse.itd.cisco.com --cacert /ngfw/etc/ssl/connectorCA.pem
可使用以下命令绕过证书检查:
root@ftd01:~# curl -v -k https://api-sse.cisco.com
* Rebuilt URL to: https://api-sse.cisco.com/
* Trying x.x.x.66...
* Connected to api-sse.cisco.com (x.x.x.66) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Jose; O=Cisco Systems, Inc.; CN=api -sse.cisco.com
* start date: 2019-12-03 20:57:56 GMT
* expire date: 2021-12-03 21:07:00 GMT
* issuer: C=US; O=HydrantID (Avalanche Cloud Corporation); CN=HydrantID S SL ICA G2
* SSL certificate verify result: self signed certificate in certificate c hain (19), continuing anyway.
> GET / HTTP/1.1
> Host: api-sse.cisco.com
> User-Agent: curl/7.44.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Wed, 08 Apr 2020 01:27:55 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 9
< Connection: keep-alive
< Keep-Alive: timeout=5
< ETag: "5e17b3f8-9"
< Cache-Control: no-store
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubdomains;
验证SSEConnector状态
您可以验证连接器属性,如图所示。
# more /ngfw/etc/sf/connector.properties
registration_interval=180
connector_port=8989
connector_fqdn=api-sse.cisco.com
为了检查SSConnector和EventHandler之间的连接,您可以使用此命令,以下是连接错误的示例:
root@firepower:/etc/sf# netstat -anlp | grep EventHandler_SSEConnector.sock
unix 2 [ ACC ] STREAM LISTENING 3022791165 11204/EventHandler /ngfw/var/sf/run/EventHandler_SSEConnector.sock
在已建立连接的示例中,您可以看到流状态已连接:
root@firepower:/etc/sf# netstat -anlp | grep EventHandler_SSEConnector.sock
unix 2 [ ACC ] STREAM LISTENING 382276 7741/EventHandler /ngfw/var/sf/run/EventHandler_SSEConnector.sock
unix 3 [ ] STREAM CONNECTED 378537 7741/EventHandler /ngfw/var/sf/run/EventHandler_SSEConnector.soc
验证发送到SSE门户和CTR的数据
要从FTD设备发送事件以查看TCP连接,需要与https://eventing-ingest.sse.itd.cisco.com建立TCP连接。以下是SSE门户和FTD之间未建立连接的示例:
root@firepower:/ngfw/var/log/connector# lsof -i | grep conn
connector 60815 www 10u IPv4 3022789647 0t0 TCP localhost:8989 (LISTEN)
connector 60815 www 12u IPv4 110237499 0t0 TCP firepower.cisco.com:53426->ec2-100-25-93-234.compute-1.amazonaws.com:https (SYN_SENT)
在connector.log日志中:
time="2020-04-13T14:34:02.88472046-05:00" level=error msg="[firepower.cisco.com][events.go:90 events:connectWebSocket] dial tcp x.x.x.246:443: getsockopt: connection timed out"
time="2020-04-13T14:38:18.244707779-05:00" level=error msg="[firepower.cisco.com][events.go:90 events:connectWebSocket] dial tcp x.x.x.234:443: getsockopt: connection timed out"
time="2020-04-13T14:42:42.564695622-05:00" level=error msg="[firepower.cisco.com][events.go:90 events:connectWebSocket] dial tcp x.x.x.246:443: getsockopt: connection timed out"
time="2020-04-13T14:47:48.484762429-05:00" level=error msg="[firepower.cisco.com][events.go:90 events:connectWebSocket] dial tcp x.x.x.234:443: getsockopt: connection timed out"
time="2020-04-13T14:52:38.404700083-05:00" level=error msg="[firepower.cisco.com][events.go:90 events:connectWebSocket] dial tcp x.x.x.234:443: getsockopt: connection timed out"
如果未建立此连接,则事件不会发送到SSE门户。以下是FTD与SSE门户之间已建立连接的示例:
root@firepower:# lsof -i | grep conn
connector 13277 www 10u IPv4 26077573 0t0 TCP localhost:8989 (LISTEN)
connector 13277 www 19u IPv4 26077679 0t0 TCP x.x.x.200:56495->ec2-35-172-147-246.compute-1.amazonaws.com:https (ESTABLISHED)
反馈