Firepower Release 6.7

 I was part of Firepower 6.7 Beta Program and I really was very impressed how I was supported by Cisco and in the way the feedback was appreciated. Since Version 6.7 was released to Public I want to show some of the new Features. I focus on FMC managed FTDs, since this use case is from my perspective by far the most used.

Release Notes https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670.html 

I tested with some Virtual Devices for trying things out and had a HA pair running mainly AnyConnect Access throughout the Program in kinda productive fashion. There were actually no concerns regarding stability.

The described points below are not 100% complete on all new features, just a summary of my experiences throghout the testing process. I wasn't able to go through all of them, for example I had no chance to test any of the new features of NGFW in public Clouds.

FMC GUI Improvments

Upgrade Management

Good News for GUI Lovers - Rediness Check for HA Pairs is now possible through the GUI. Acutally there is also a Compatibility Check, where FMC points you to open Policy Deployments or a needed Upgrade on the FXOS side.

Also the whole Upgrade Process improved from a GUI perspective. Checking the actual status of an Upgrade and even accessing Logfiles is possible through GUI. So the way of closing down CLI at some point was continued - we'll see if this finally happens in future.

FMC Change Management

I big step from an operational standpoint, especially for Teams with more Administrators working on FMC. You can check in detail what changes were made to policies or device configuration before deploying a policy. Like with many SDx Solutions you can check a config diff to see what changes gets pushed out on the device.

This is also true from an auditing perspective. Going to the Audit log gets a simple option to view the actual changes a FMC admin did, also in a config diff view.

Another nice thing is Selective Policy Deployment. Imagine you want to modify a Snort Rule but you are not sure what the pending change of a new route on the device will do. So you simple uncheck the device changes in the Policy Deployment process and just push the Snort changes.

There is also an option for Deployment Rollback in case you did something wrong and not sure how to go back.

Usability Improvements

In the Beta Release at least, there was to option to enable a dark mode - big improvement *gg*

Another really nice thing is performance monitoring. You know the issue where you wanted to check overall system load from a firewall, like CPU, RAM, HDD, throughput and so on?! Now there's an overview which can provide all the answers in a single overview.

Small things that will help API-haters - no offense - a little. Bulk import of objects through FMC GUI or copy rules between different Access Control Policies.

VPN Improvements

Some more features coming up to improve feature parity with good old ASA Software.

AnyConnect 

Two things to mention here - SAML and Modules

There are ways to deploy modules before Release 6.7 with FlexConfig etc., but know it's an easy way to do it through the known RA VPN configuration options. The only thing which is still missing maybe, is an integrated Profile editor. 

You want to use modern protocols like SAML for AnyConnect - 6.7 is the way to go. If you want to use the nicer way of Duo MFA through SAML for example, it works now also on FTDs.

S2S VPN 

Firepower 6.7 can deploy VTI/Route Based VPNs. There are still some limitation you need to check (static routing or BGP for example).

For monitoring there is now an option in the GUI to get typical CLI commands an adminstrator would run on CLI to check VPN status. So you can check Phase1/2 from the GUI - troubleshooting VPN establishments is still a CLI thing though.

Other Nice Features to mention

SGT Support for using as Source and Destionation Match Criteria

pxGrid 2.0 Support

HTTP/2 Support

Snort3 - well, not for FMC managed devices in the Release Version

Remote Branch Deployment

It's now possible to connect FMC to a remote FTD through a Data Interface (ex. Outside Interface), so there is no need to workaround to get the Management Interface connected. Downside at the moment is, that High Availability is not yet supported.

Duo Radius Proxy on CentOS

Duo is super fast and easy to deploy - well it depends ;)

Got two boxes of CentOS Linux to setup Duo Radius Proxies, started the setup process with some prerequisites

[root@v***duo01 ~]# yum install gcc make liffi-devel per zlib-devel
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 153 kB 00:00:00
(2/4): extras/7/x86_64/primary_db | 194 kB 00:00:00
(3/4): updates/7/x86_64/primary_db | 1.3 MB 00:00:00
(4/4): base/7/x86_64/primary_db | 6.1 MB 00:00:01
Determining fastest mirrors
* base: centos.anexia.at
* extras: centos.anexia.at
* updates: centos.anexia.at
No package liffi-devel available.
No package per available.
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:4.8.5-39.el7 will be installed
------------------------------------snip--------------------------
Dependency Updated:
glibc.x86_64 0:2.17-307.el7.1 glibc-common.x86_64 0:2.17-307.el7.1 libgcc.x86_64 0:4.8.5-39.el7 libgomp.x86_64 0:4.8.5-39.el7
zlib.x86_64 0:1.2.7-18.el7
Complete! 

Next step is downloading the latest package and start the make process

[root@v***duo01 ~]# wget https://dl.duosecurity.com/duoauthproxy-latest-src.tgz
--2020-05-26 17:14:00-- https://dl.duosecurity.com/duoauthproxy-latest-src.tgz
Connecting to 10.133.21.140:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 43046700 (41M) [application/x-tar]
Saving to: ‘duoauthproxy-latest-src.tgz’
100%[===============================================================================================================>] 43,046,700 93.0MB/s in 0.4s
2020-05-26 17:14:00 (93.0 MB/s) - ‘duoauthproxy-latest-src.tgz’ saved [43046700/43046700]
[root@v***duo01 ~]# tar xzf duoauthproxy-latest-src.tgz
[root@v***duo01 ~]# cd duoauthproxy-4.0.0-3ff5a4b-src/
[root@v***duo01 duoauthproxy-4.0.0-3ff5a4b-src]# ls
conf config.mk doc _fipscustomize.py Makefile pkgs pkgs.mk sitecustomize.py
[root@v***duo01 duoauthproxy-4.0.0-3ff5a4b-src]# make
pushd /root/duoauthproxy-4.0.0-3ff5a4b-src/pkgs/openssl-fips-2.0.16 && \
make -f Makefile.duo all && \
make -f Makefile.duo install && \
------------------------------------snip--------------------------
~/duoauthproxy-4.0.0-3ff5a4b-src/pkgs/setuptools-42.0.2
~/duoauthproxy-4.0.0-3ff5a4b-src
adding minimal entry_points
Regenerating egg_info
Traceback (most recent call last):
File "setup.py", line 9, in <module>
import setuptools
File "/root/duoauthproxy-4.0.0-3ff5a4b-src/pkgs/setuptools-42.0.2/setuptools/__init__.py", line 20, in <module>
from setuptools.dist import Distribution, Feature
File "/root/duoauthproxy-4.0.0-3ff5a4b-src/pkgs/setuptools-42.0.2/setuptools/dist.py", line 36, in <module>
from setuptools import windows_support
File "/root/duoauthproxy-4.0.0-3ff5a4b-src/pkgs/setuptools-42.0.2/setuptools/windows_support.py", line 2, in <module>
import ctypes
File "/root/duoauthproxy-4.0.0-3ff5a4b-src/duoauthproxy-build/usr/local/lib/python3.8/ctypes/__init__.py", line 7, in <module>
from _ctypes import Union, Structure, Array
ModuleNotFoundError: No module named '_ctypes'
Traceback (most recent call last):
File "bootstrap.py", line 64, in <module>
__name__ == '__main__' and main()
File "bootstrap.py", line 61, in main
run_egg_info()
File "bootstrap.py", line 54, in run_egg_info
subprocess.check_call(cmd)
File "/root/duoauthproxy-4.0.0-3ff5a4b-src/duoauthproxy-build/usr/local/lib/python3.8/subprocess.py", line 364, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/root/duoauthproxy-4.0.0-3ff5a4b-src/duoauthproxy-build/usr/local/bin/python3', 'setup.py', 'egg_info']' returned non-zero exit status 1.
make: *** [duoauthproxy-build/usr/local/lib/python3.8/site-packages/setuptools-42.0.2-py3.8.egg] Error 1

Seems there is an issue with Python. I figured out that CentOS runs on Python2 per default, but Duo needs to run Python3.
I quickly fixed that with

[root@v***duo01 ~]# python --version
Python 2.7.5
[root@v***duo01 ~]# yum install -y python3
------------------------------------snip--------------------------
[root@v***duo01 ~]# ln -fs /usr/bin/python3 /usr/bin/python

Now the make process finishes without errors, let's install

[root@v***duo01]# cd duoauthproxy-build/
[root@v***duo01]# ./install
In what directory do you wish to install the Duo Authentication Proxy?
[/opt/duoauthproxy]
Enter the name of a user account under which the Authentication Proxy should be run. We recommend a non-privileged and locked down account.
Or you can press <Enter> and our default locked down user will be created for you:
[duo_authproxy_svc]
Enter the name of a group under which the Authentication Proxy logs will be readable. Or press <Enter> and a default group will be created for you:
[duo_authproxy_grp]
Copying files... Done.
Create an initialization script to run the proxy upon startup? [Yes/no] yes
Created symlink from /etc/systemd/system/multi-user.target.wants/duoauthproxy.service to /etc/systemd/system/duoauthproxy.service.
Created service script at /etc/systemd/system/duoauthproxy.service
Installation completed. Before starting the Authentication Proxy,
Please edit the configuration file at:
/opt/duoauthproxy/conf/authproxy.cfg