FMC Syslog with Graylog Extractor

Let’s continue to talk about the Cisco Firepower Management Center, in this post we are going to look at sending connection events over to syslog. In this example I’m using Graylog which is an open source logging platform and  although any syslog server would work, one of the problems with syslogs is there is little uniformity when you have different systems sending these logs. One of the things that Graylog can to do is extract the raw message and put each part of message into a separate searchable field. We’ll configure the FMC to send syslogs and then configure an extractor on Graylog. Continue reading “FMC Syslog with Graylog Extractor”


Automation Dance

people enjoying the concertI keep doing the automation dance, there are a lot of different tooling products out there. I have been trying to understand a use case around using it with network automation. Recently I have been dancing around with Ansible. My personal belief is that using any type of these tools would be helpful but it can be a steep learning curve if you really don’t have any programming knowledge. This is not something that is relatively easy to use or understand, don’t expect to have a working network automated tool in production on day one. I think this is great for learning, and using this in a network sandbox. If you don’t have programming mindset it might make your job harder on day one before it gets easier, but just like learning to dance you have to learn the steps, the moves, and maintain the rhythm. So with that let’s at least figure out the starting points, and begin learning the steps of the automation dance. 😉 Continue reading “Automation Dance”

Verifying DNS Lists – FMC

We are back with another post about Cisco’s Firepower Management Center and this time we are working with the DNS list which if you have a protect license you can have your Firepower modules or your FTD (Firepower Threat Defense) devices look at DNS requests and deny requests if they are malicious. These have to be applied on your access control policy to be able to use it and in this post we are going verify some of the domain names that are in this lists. Continue reading “Verifying DNS Lists – FMC”

Too Many TCP Resets

So, recently we enforced some firewall rules on a new environment, we did testing of the environment and everything was working as expected. In about 24 hours a lot of traffic from the web infrastructure was being denied and it continued, at first glance it looked like return traffic was being dropped, the web servers were sourcing at port 443 and the destination ports were using dynamic ports (RFC 6335)

No user or application problems were reported when we enforced rules, and we waited additional days to see if anything came up. Nothing came up, the only thing was a spike in amount of syslog messages of dropped traffic coming from the web servers. So from that point it really wasn’t an issue, but I thought it would be interesting to see what was going on. Continue reading “Too Many TCP Resets”

Private VLANs

network-cable-ethernet-computer-159304.jpegLet’s start out 2018 with private VLANs, with PVLANs the network gets a little more privacy added to it. When we have privacy on the network we can seclude certain parts of it. Essentially, “you can go about your business – move along, move along”. Private VLANs allow us to segment networks within a single VLAN. So in this post we’ll go over the types of PVLANs as well as setup a network topology with private VLANs, Let’s get started! Continue reading “Private VLANs”