ngfw

The video shows you how to configure Cisco ASA CX to perform web filtering. We will be creating a whitelist and blacklist of website URL that we want to enforce on our users. We will then take one step further and leverage website category that is built into the CX. In addition to a deny action, we will explore a warn option and try to explore its behavior. To show you the flexibility of web category, we will apply it to decryption policy to get better control of the type of traffic that will or will not get decrypted. The video finishes by showing you the customization of user notification pages.

The video shows you how to configure Cisco ASA CX to perform web filtering. We will be creating a whitelist and blacklist of website URL that we want to enforce on our users. We will then take one step further and leverage website category that is built into the CX. In addition to a deny action, we will explore a warn option and try to explore its behavior. To show you the flexibility of web category, we will apply it to decryption policy to get better control of the type of traffic that will or will not get decrypted. The video finishes by showing you the customization of user notification pages.

The video demonstrates Cisco ASA CX ability to perform application matching beyond just protocols and ports by using Application Visibility and Control (AVC) feature. You will see how to deploy access policy at ease without worrying about being circumvented by application running on non-default port, or even those that sprawl multiple dynamic ports. This intelligence take you as far as matching based on a group of application by type, and specific application behavior. All of these will be demonstrated through three applications; RDP, Bittorrent, and Facebook, in this lab.

The video shows you how to configure Cisco ASA CX to gain visibility to encrypted traffic by enabling decryption capability. We will first used a self-signed certificate and present a problem of certificate warning. We will then try to resolve this by having the certificate signed by a client trusted CA. Most importantly you will get to see what user experience is like when the CX inserts itself in between HTTPS transactions.  

The video provide a method to enhance reliability of Cisco ASA CX Passive Authentication by integrating Cisco ISE with CDA. You will see how the caveats inherent to CDA can be solved by using realtime user and IP information provided by 802.1x identity-based authentication network. We will analyze RADIUS packets being communicated between Cisco ISE and CDA to try to understand the underlying mechanism. Testing will be performed on both domain and non-domain devices, that have been onboarded through ISE, and this includes both wired and wireless.

The video provide a method to enhance reliability of Cisco ASA CX Passive Authentication by integrating Cisco ISE with CDA. You will see how the caveats inherent to CDA can be solved by using realtime user and IP information provided by 802.1x identity-based authentication network. We will analyze RADIUS packets being communicated between Cisco ISE and CDA to try to understand the underlying mechanism. Testing will be performed on both domain and non-domain devices, that have been onboarded through ISE, and this includes both wired and wireless.

The video shows you the second method of obtaining user identity on Cisco ASA CX using Passive Authentication. We will leverage the User-to-IP mapping information provided by CDA by configuring CX device as a consumer. Once the mapping information is available to CX, minor modification will be performed on the Identity Policy and you will see how users are saved from having to enter their credentials as we saw in the Active Authentication. We will also discuss and demonstrate some caveats to this method towards the end of the lab.

The video walks you through an installation of Cisco Context Directory Agent (CDA) server. We will start by prepping a non-domain admin service account for CDA to use to contact Windows Active Directory. We will then step through a virtual machine creation, software installation and patching. We will also spend some time on the CDA web interface. By the end of the lab, we will be able to have CDA monitor user AD login activities and create user-to-IP mapping information that we will leverage in the future videos. 

The video shows you the first method of obtaining user identity on Cisco ASA CX using Active Authentication. We will integrate CX with Windows Active Directory to perform user authentication as well as user group query. We will redo our access policies from the previous lab and replace the source IP subnet with AD user group. This would be our first step towards identity-based access policies and free ourselves from the use of just IP addresses.