About This E-Book

EPUB is an open, industry-standard format for e-books. However, support for EPUB and its many features varies across reading devices and applications. Use your device or app settings to customize the presentation to your liking. Settings that you can customize often include font, font size, single or double column, landscape or portrait mode, and figures that you can click or tap to enlarge. For additional information about the settings and features on your reading device or app, visit the device manufacturer’s Web site.

Many titles include programming code or configuration examples. To optimize the presentation of these elements, view the e-book in single-column, landscape mode and adjust the font size to the smallest setting. In addition to presenting code and configurations in the reflowable text format, we have included images of the code that mimic the presentation found in the print book; therefore, where the reflowable format may compromise the presentation of the code listing, you will see a “Click here to view code image” link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button on your device or app.

Cisco Firepower Threat Defense (FTD)
Configuration and Troubleshooting Best Practices for the Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Advanced Malware Protection (AMP)

Nazmul Rajib

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Copyright © 2018 Cisco Systems, Inc.
Published by Cisco Press.

All rights reserved.
No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
1 17

Library of Congress Control Number: 2017953843
ISBN-13: 978-1-58714-480-6
ISBN-10: 1-58714-480-8

Warning and Disclaimer

This book is designed to provide advanced information about the Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Advanced Malware Protection (AMP) system using the Cisco Firepower technologies. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419.
For government sales inquiries, please contact [email protected].

For questions about sales outside the U.S., please contact [email protected].

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Editor-in-Chief: Mark Taub
Alliances Manager, Cisco Press: Ron Fligge
Product Line Manager: Brett Bartow
Executive Editor: Mary Beth Ray
Managing Editor: Sandra Schroeder
Development Editor: Ellie C. Bru
Senior Project Editor: Tonya Simpson
Copy Editor: Kitty Wilson
Technical Editors: John Groetzinger, Foster Lipkey
Editorial Assistant: Vanessa Evans
Cover Designer: Chuti Prasertsith
Composition: codeMantra
Indexer: Erika Millen
Proofreader: Larry Sulky

Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
About the Author

Nazmul Rajib is a senior engineer and leader of the Cisco Global Technical Services organization focusing on next-generation security technologies. He leads cybersecurity training initiatives, develops internal training programs, and trains the current generation of Cisco engineers who support Cisco security solutions around the world. He also reviews design specifications, tests security software, and provides solutions to business-critical networking issues. Nazmul has authored numerous technical publications at Cisco.com and in the Cisco support community.

Nazmul is a veteran engineer of Sourcefire, Inc., which developed Snort—the most popular open-source intrusion prevention system in the world. He created and managed the global knowledge base for Sourcefire and designed Sourcefire security certifications for partner enablement. Nazmul trained security engineers from many managed security service providers (MSSP) in the United States. He supported the networks of numerous Fortune 500 companies and U.S. government agencies.

Nazmul has a master of science degree in internetworking. He also holds many certifications in the areas of cybersecurity, information technology, and technical communication. He is a Sourcefire Certified Expert (SFCE) and Sourcefire Certified Security Engineer (SFCSE).

About the Technical Reviewers

John Groetzinger is a member of the Global TAC Security Technical Leadership team, supporting Firepower, AMP for Endpoints, Threat Grid, and third-party integrations. He has been a leader in developing tools and procedures for supporting the Cisco Firepower and AMP security software platforms. He has worked closely with the various engineering teams in the Cisco security space to improve quality and serviceability. He holds a bachelor’s degree in mechanical engineering with a minor in computer science.
John’s primary areas of interest are enterprise security, open source software, API development/integration, and automation.

Foster Lipkey is a member of the Global TAC Security Technical Leadership team. He has been supporting Firepower technologies since 2012. He is responsible for many automated tools leveraged by the Global Technical Assistance Center (TAC). Prior to working for Sourcefire and Cisco, he was an application solution specialist for the National Cancer Institute (NCI), supporting Java Enterprise applications for the NCI Center for Biomedical Informatics and Information Technology (CBIIT). Foster’s primary areas of interest are enterprise security and security automation. He was a technical editor of Cisco Next-Generation Security Solutions: All-in-One Cisco ASA FirePOWER Services, NGIPS, and AMP.

Dedication

I am me, because of…

My grandparents’ blessings
My mom’s inspiration
My dad’s support
My wife’s devotion
My children’s love
My teacher’s advice

This book is dedicated to all of them, with my sincere gratitude.