設定和操作FTD預先篩選原則
簡介
本檔案介紹Firepower威脅防禦(FTD)預過濾器策略的配置和操作。
必要條件
需求
本文件沒有特定需求。
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- 執行FTD代碼6.1.0-195的ASA5506X
- 運行6.1.0-195的FireSIGHT管理中心(FMC)
- 兩台運行15.2映像的3925 Cisco IOS®路由器
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
預過濾器策略是6.1版中引入的一項功能,主要有以下三個用途:
- 根據內部報頭和外部報頭匹配流量
- 提供早期訪問控制,允許流完全繞過Snort引擎
- 作為從自適應安全裝置(ASA)遷移工具遷移的訪問控制條目(ACE)的佔位符。
設定
預過濾器策略使用案例1
預先篩選原則可以使用通道規則型別,允許FTD根據內部和/或外部IP標頭通道流量進行篩選。撰寫本文時,隧道流量是指:
- 通用路由封裝(GRE)
- IP-in-IP
- IPv6-in-IP
- Teredo 連接埠 3544
請考慮GRE隧道,如圖所示。
當您使用GRE通道從R1 ping R2時,流量會透過防火牆,如下圖所示。
如果防火牆是ASA裝置,則會檢查外部IP報頭,如圖所示。
ASA# show conn GRE OUTSIDE 192.168.76.39:0 INSIDE 192.168.75.39:0, idle 0:00:17, bytes 520, flags
如果防火牆是FirePOWER裝置,則它會檢查內部IP報頭,如圖所示。
使用預過濾器策略,FTD裝置可以根據內部報頭和外部報頭匹配流量。
要點:
| 裝置 |
支票 |
| ASA |
外部IP |
| Snort |
內部IP |
| FTD |
外部(預先篩選) +內部IP(存取控制原則(ACP)) |
預過濾器策略使用案例2
預過濾器策略可以使用預過濾器規則型別,該規則型別可以提供早期訪問控制,並允許流完全繞過Snort引擎,如圖所示。
任務1.驗證預設PreFilter策略
工作需求:
驗證預設預過濾器策略
解決方案:
步驟 1.導航到策略>訪問控制>預過濾器。預設預過濾器策略已存在,如圖所示。
步驟 2.選擇Edit檢視策略設定,如圖所示。
步驟 3.預過濾器策略已附加到訪問控制策略,如圖所示。
CLI (LINA)驗證
預過濾器規則增加到ACL之上:
firepower# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list CSM_FW_ACL_; 5 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 3 advanced permit ipinip any any rule-id 9998 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 4 advanced permit 41 any any rule-id 9998 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 5 advanced permit gre any any rule-id 9998 (hitcnt=5) 0x52c7a066
access-list CSM_FW_ACL_ line 6 advanced permit udp any any eq 3544 rule-id 9998 (hitcnt=0) 0xcf6309bc
任務2.使用標籤阻止隧道流量
工作需求:
阻止在GRE隧道內透過隧道傳輸的ICMP流量。
解決方案:
步驟 1.如果套用這些ACP,可以看到無論是否透過GRE通道,網際網路控制訊息通訊協定(ICMP)流量都會遭到封鎖,如圖所示。
R1# ping 192.168.76.39 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.76.39, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
R1# ping 10.0.0.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
在這種情況下,您可以使用預過濾器策略來滿足任務要求。邏輯如下:
- 您可以標籤封裝在GRE中的所有資料包。
- 您可以建立與標籤的資料包匹配並阻止ICMP的訪問控制策略。
從架構角度看,系統會根據LInux AnyConnect (LINA)預先篩選規則檢查封包,然後根據Snort預先篩選規則和ACP檢查封包,最後根據Snort指示LINA捨棄。第一個封包會透過FTD裝置。
步驟 1.定義隧道流量的標籤。
導航到策略>訪問控制>預過濾器,建立新的預過濾器策略。請記住,預設預過濾器策略不能編輯,如圖所示。
在「預過濾器策略」中,您可以定義兩種型別的規則:
- 通道規則
- 預過濾器規則
可以將這兩個功能視為可在預過濾器策略中配置的完全不同的功能。
對於此任務,必須定義隧道規則,如圖所示。
關於「作業」:
| 動作 |
說明 |
| 分析 |
在LINA之後,Snort引擎會檢查流量。或者,可以為隧道流量分配隧道標籤。 |
| 封鎖 |
此流量遭到LINA封鎖。要檢查外部標頭。 |
| 快速路徑 |
該流僅由LINA處理,不需要使用Snort引擎。 |
步驟 2.定義標籤流量的訪問控制策略。
雖然一開始無法非常直觀,但訪問控制策略規則可以將隧道標籤用作源區域。導航到策略>訪問控制,然後建立用於阻止標籤流量的ICMP的規則,如圖所示。
驗證:
在LINA和CLISH上啟用擷取:
firepower# show capture capture CAPI type raw-data trace interface inside [Capturing - 152 bytes] capture CAPO type raw-data trace interface outside [Capturing - 152 bytes]
> capture-traffic Please choose domain to capture traffic from: 0 - br1 1 - Router Selection? 1 Please specify tcpdump options desired. (or enter '?' for a list of supported options) Options: -n
從R1,嘗試ping遠端GRE隧道終端。ping失敗:
R1# ping 10.0.0.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
CLISH擷取顯示第一個回應要求已透過FTD,且回覆遭封鎖:
Options: -n 18:21:07.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 0, length 80 18:21:07.759939 IP 192.168.76.39 > 192.168.75.39: GREv0, length 104: IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 65, seq 0, length 80 18:21:09.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 1, length 80 18:21:11.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 2, length 80 18:21:13.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 3, length 80 18:21:15.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 4, length 80
LINA捕獲對此進行確認:
> show capture CAPI | include ip-proto-47 102: 18:21:07.767523 192.168.75.39 > 192.168.76.39: ip-proto-47, length 104 107: 18:21:09.763739 192.168.75.39 > 192.168.76.39: ip-proto-47, length 104 111: 18:21:11.763769 192.168.75.39 > 192.168.76.39: ip-proto-47, length 104 115: 18:21:13.763784 192.168.75.39 > 192.168.76.39: ip-proto-47, length 104 120: 18:21:15.763830 192.168.75.39 > 192.168.76.39: ip-proto-47, length 104 > > show capture CAPO | include ip-proto-47 93: 18:21:07.768133 192.168.75.39 > 192.168.76.39: ip-proto-47, length 104 94: 18:21:07.768438 192.168.76.39 > 192.168.75.39: ip-proto-47, length 104
啟用CLISH firewall-engine-debug,清除LINA ASP丟棄計數器並執行相同的測試。CLISH調試顯示,對於Echo-Request,已匹配預過濾器規則;對於Echo-Reply,已匹配ACP規則:
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 New session 10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 uses prefilter rule 268434441 with tunnel zone 1 10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 Starting with minimum 0, id 0 and SrcZone first with zones 1 -> -1, geo 0 -> 0, vlan 0, sgt tag: 65535, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 8, icmpCode 0 10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 pending rule order 3, 'Block ICMP', AppId 10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 uses prefilter rule 268434441 with tunnel zone 1 10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 Starting with minimum 0, id 0 and SrcZone first with zones 1 -> -1, geo 0 -> 0, vlan 0, sgt tag: 65535, svc 3501, payload 0, client 2000003501, misc 0, user 9999997, icmpType 0, icmpCode 0 10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 match rule order 3, 'Block ICMP', action Block 10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 deny action
ASP捨棄會顯示Snort捨棄封包:
> show asp drop Frame drop: No route to host (no-route) 366 Reverse-path verify failed (rpf-violated) 2 Flow is denied by configured rule (acl-drop) 2 Snort requested to drop the frame (snort-drop) 5
在Connection Events中,您可以看到您匹配的Prefilter Policy and Rule,如下圖所示。
任務3.使用快速路徑預過濾器規則繞過Snort引擎
網路圖表
工作需求:
- 刪除當前訪問控制策略規則並增加阻止所有流量的訪問控制策略規則。
- 為源自192.168.75.0/24網路的流量配置繞過Snort引擎的預過濾器策略規則。
解決方案:
步驟 1.阻止所有流量的訪問控制策略如下圖所示。
步驟 2.增加一個預過濾器規則,並將Fastpath作為源網路192.168.75.0/24的操作,如圖所示。
步驟 3.結果如下圖所示。
步驟 4.儲存和部署。
在兩個FTD介面上啟用含有追蹤軌跡的擷取:
firepower# capture CAPI int inside trace match icmp any any firepower# capture CAPO int outsid trace match icmp any any
嘗試透過FTD從R1 (192.168.75.39)對R2 (192.168.76.39)執行ping。Ping失敗:
R1# ping 192.168.76.39 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.76.39, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
Capture on the inside interface顯示:
firepower# show capture CAPI 5 packets captured 1: 23:35:07.281738 192.168.75.39 > 192.168.76.39: icmp: echo request 2: 23:35:09.278641 192.168.75.39 > 192.168.76.39: icmp: echo request 3: 23:35:11.279251 192.168.75.39 > 192.168.76.39: icmp: echo request 4: 23:35:13.278778 192.168.75.39 > 192.168.76.39: icmp: echo request 5: 23:35:15.279282 192.168.75.39 > 192.168.76.39: icmp: echo request 5 packets shown
第一個資料包(回應請求)的跟蹤顯示(重要要點突出顯示):
firepower# show capture CAPI packet-number 1 trace
5 packets captured
1: 23:35:07.281738 192.168.75.39 > 192.168.76.39: icmp:回應請求
階段:1
型別:CAPTURE
Subtype:
結果:允許
Config:
Additional Information:
MAC Access list
階段:2
型別:ACCESS-LIST
Subtype:
結果:允許
Config:
Implicit Rule
Additional Information:
MAC Access list
階段:3
型別:ROUTE-LOOKUP
Subtype:解析出口介面
結果:允許
Config:
Additional Information:
發現下一跳192.168.76.39使用出口ifc outside
階段:4
型別:ACCESS-LIST
Subtype: log
結果:允許
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip 192.168.75.0 255.255.255.0 any rule-id 268434448 event-log both
access-list CSM_FW_ACL_ remark rule-id 268434448: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268434448: RULE: Fastpath_src_192.168.75.0/24
Additional Information:
階段:5
型別:CONN-SETTINGS
Subtype:
結果:允許
Config:
class-map class-default
匹配任意
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
階段:6
型別:NAT
Subtype:每個會話
結果:允許
Config:
Additional Information:
階段:7
型別:IP選項
Subtype:
結果:允許
Config:
Additional Information:
階段:8
型別:INSPECT
Subtype:np-inspect
結果:允許
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
檢查icmp
service-policy global_policy global
Additional Information:
階段:9
型別:INSPECT
Subtype:np-inspect
結果:允許
Config:
Additional Information:
階段:10
型別:NAT
Subtype:每個會話
結果:允許
Config:
Additional Information:
階段:11
型別:IP選項
Subtype:
結果:允許
Config:
Additional Information:
階段:12
型別:FLOW-CREATION
Subtype:
結果:允許
Config:
Additional Information:
使用ID 52建立新流,將資料包傳送到下一個模組
階段:13
型別:ACCESS-LIST
Subtype: log
結果:允許
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip 192.168.75.0 255.255.255.0 any rule-id 268434448 event-log both
access-list CSM_FW_ACL_ remark rule-id 268434448: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268434448: RULE: Fastpath_src_192.168.75.0/24
Additional Information:
階段:14
型別:CONN-SETTINGS
Subtype:
結果:允許
Config:
class-map class-default
匹配任意
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
階段:15
型別:NAT
Subtype:每個會話
結果:允許
Config:
Additional Information:
階段:16
型別:IP選項
Subtype:
結果:允許
Config:
Additional Information:
階段:17
型別:ROUTE-LOOKUP
Subtype:解析出口介面
結果:允許
Config:
Additional Information:
發現下一跳192.168.76.39使用出口ifc outside
階段:18
型別:ADJACENCY-LOOKUP
Subtype:下一跳和鄰接
結果:允許
Config:
Additional Information:
活動鄰接
下一跳mac地址0004.deab.681b hits 140372416161507
階段:19
型別:CAPTURE
Subtype:
結果:允許
Config:
Additional Information:
MAC Access list
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
1 packet shown
firepower#
外部介面上的捕獲顯示:
firepower# show capture CAPO 10 packets captured 1: 23:35:07.282044 192.168.75.39 > 192.168.76.39: icmp: echo request 2: 23:35:07.282227 192.168.76.39 > 192.168.75.39: icmp: echo reply 3: 23:35:09.278717 192.168.75.39 > 192.168.76.39: icmp: echo request 4: 23:35:09.278962 192.168.76.39 > 192.168.75.39: icmp: echo reply 5: 23:35:11.279343 192.168.75.39 > 192.168.76.39: icmp: echo request 6: 23:35:11.279541 192.168.76.39 > 192.168.75.39: icmp: echo reply 7: 23:35:13.278870 192.168.75.39 > 192.168.76.39: icmp: echo request 8: 23:35:13.279023 192.168.76.39 > 192.168.75.39: icmp: echo reply 9: 23:35:15.279373 192.168.75.39 > 192.168.76.39: icmp: echo request 10: 23:35:15.279541 192.168.76.39 > 192.168.75.39: icmp: echo reply 10 packets shown
對返回資料包的跟蹤顯示它與當前流(52)匹配,但被ACL阻止:
firepower# show capture CAPO packet-number 2 trace 10 packets captured 2: 23:35:07.282227 192.168.76.39 > 192.168.75.39: icmp: echo reply Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found flow with id 52, uses current flow Phase: 4 Type: ACCESS-LIST Subtype: log Result: DROP Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: ACP_5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE Additional Information: Result: input-interface: outside input-status: up input-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
步驟 5.為返回流量增加另一個預過濾器規則。結果如下圖所示。
現在追蹤您看到的傳回封包(重要提示已反白):
firepower# show capture CAPO packet-number 2 trace
10 packets captured
2: 00:01:38.873123 192.168.76.39 > 192.168.75.39: icmp:回應應答
階段:1
型別:CAPTURE
Subtype:
結果:允許
Config:
Additional Information:
MAC Access list
階段:2
型別:ACCESS-LIST
Subtype:
結果:允許
Config:
Implicit Rule
Additional Information:
MAC Access list
階段:3
型態:FLOW-LOOKUP
Subtype:
結果:允許
Config:
Additional Information:
找到ID為62的流,使用當前流
階段:4
型別:ACCESS-LIST
Subtype: log
結果:允許
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip any 192.168.75.0 255.255.255.0 rule-id 268434450 event-log both
access-list CSM_FW_ACL_ remark rule-id 268434450: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268434450: RULE: Fastpath_dst_192.168.75.0/24
Additional Information:
階段:5
型別:CONN-SETTINGS
Subtype:
結果:允許
Config:
class-map class-default
匹配任意
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
階段:6
型別:NAT
Subtype:每個會話
結果:允許
Config:
Additional Information:
階段:7
型別:IP選項
Subtype:
結果:允許
Config:
Additional Information:
階段:8
型別:ROUTE-LOOKUP
Subtype:解析出口介面
結果:允許
Config:
Additional Information:
發現下一跳192.168.75.39在內部使用出口ifc
階段:9
型別:ADJACENCY-LOOKUP
Subtype:下一跳和鄰接
結果:允許
Config:
Additional Information:
活動鄰接
下一跳mac地址c84c.758d.4981命中140376711128802
階段:10
型別:CAPTURE
Subtype:
結果:允許
Config:
Additional Information:
MAC Access list
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
驗證
使用本節內容,確認您的組態是否正常運作。
驗證已在各個任務部分中進行了說明。
疑難排解
目前沒有特定資訊可用於對此組態進行疑難排解。
相關資訊
- 所有版本的Cisco Firepower Management Center配置指南都可以在以下位置找到:
- 思科全球技術支援中心(TAC)強烈建議使用此視覺指南,以獲得有關Cisco Firepower下一代安全技術的深入實踐知識,包括本文中提到的內容:
- 有關所有配置和故障排除技術說明:
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
4.0 |
12-May-2023 |
已刪除PII。
增加了Alt文本。
已更新標題、簡介、SEO、機器翻譯、Gerunds和格式。 |
1.0 |
29-Jan-2018 |
初始版本 |
意見