Zero Trust Implementation Guide¶
Phase: Phase 1 (16 Weeks) | Companion to: Document 1
Purpose: Detailed implementation procedures, sizing, hardware specifications, deployment, and real-world examples
PRICING DISCLAIMER¶
IMPORTANT: All pricing information in this document is for ILLUSTRATIVE PURPOSES ONLY and should not be used for budget planning or procurement decisions.
Key Points: - Prices shown are example values to demonstrate cost structure and procurement methodology - Actual pricing varies based on: - Vendor negotiations and enterprise agreements - Regional pricing differences - Volume discounts and multi-year commitments - Current market conditions - Licensing model changes (subscription vs perpetual) - Action Required: Contact vendors directly for current pricing quotes before procurement - Vendors: - Cisco XDR/SecureX: Contact Cisco account executive or cisco.com - Cisco FTD/FMC: Contact Cisco partner for firewall licensing - Duo Security: Contact Cisco Duo sales or duo.com - Cisco Umbrella: Contact Cisco or umbrella.cisco.com
Recommendation: Use this document's sizing methodology and technical specifications to create RFP/RFQ documents, then obtain current pricing from vendors.
1. XDR/SECUREX PLATFORM - DETAILED IMPLEMENTATION¶
1.1 SecureX Account Setup & Configuration¶
1.1.1 Account Provisioning¶
Phase 1A Week 1 Day 1-2: SecureX Account Creation
Prerequisites: - Cisco CCO (Cisco.com) account with admin privileges - Valid Cisco Smart Account - Email domain verified (e.g., @abhavtech.com)
Step 1: Access SecureX Portal
# Navigate to SecureX portal
URL: https://sign-on.security.cisco.com
# Login with CCO credentials
Username: admin@abhavtech.com
Password: [Duo-protected CCO password]
Step 2: Create SecureX Organization
# SecureX Portal to Organizations to Create Organization
Organization Name: Abhavtech
Organization ID: abhavtech-prod
Region: United States (us.security.cisco.com)
Time Zone: Asia/Kolkata (IST)
# Primary Contact:
Name: Raj Kumar
Email: raj.kumar@abhavtech.com
Phone: +91-XX-XXXX-XXXX
# Security Settings:
☑ Require MFA for all users
☑ Enable API access
☑ Enable webhook notifications
Session Timeout: 30 minutes
Password Policy: Strong (12+ chars, complexity required)
Step 3: Configure Organization Settings
# Settings to General
# Email Notifications:
Incident Alerts: noc@abhavtech.com, security-ops@abhavtech.com
System Alerts: infrastructure@abhavtech.com
Daily Digest: Enabled (send at 09:00 IST)
# Webhook Integration:
Webhook URL: https://abhavtech-securex-webhook.azurewebsites.net/api/alerts
Authentication: Bearer Token
Token: [Generate from Azure Functions]
Events: Incidents (Critical/High), Casebook Updates, Workflow Executions
# API Settings:
API Access: Enabled
Rate Limit: 300 requests/minute
API Documentation: https://developer.cisco.com/securex
Step 4: Create API Credentials
# Settings to API Clients to Create API Client
Client Name: Abhavtech-Automation
Description: API access for automation scripts (Ansible, Python)
Scope:
☑ Read incidents
☑ Create/update incidents
☑ Execute workflows
☑ Query threat intelligence
☑ Manage configurations
# Output (save securely in CyberArk):
Client ID: ctr-client-abc123def456
Client Secret: [64-character secret]
API Base URL: https://visibility.us.amp.cisco.com
Step 5: Verify Account Setup
# Test API access with curl
curl -X GET \
https://visibility.us.amp.cisco.com/iroh/iroh-inspect/inspect \
-H "Authorization: Bearer $(echo -n 'ctr-client-abc123def456:CLIENT_SECRET' | base64)" \
-H "Content-Type: application/json"
# Expected response:
{
"status": "ok",
"version": "1.0",
"services": {
"amp": "available",
"umbrella": "available",
"threat_grid": "available"
}
}
1.2 Ribbon Integration Configuration¶
1.2.1 ISE pxGrid Ribbon Configuration¶
Phase 1A Week 1 Day 3: ISE Integration
Step 1: Enable pxGrid in ISE
# ISE Primary PAN: 10.252.1.20
# SSH to ISE node
ssh admin@10.252.1.20
# Enable pxGrid (if not already enabled)
conf t
pxgrid enable
# Verify pxGrid status
show application status ise
# Expected: pxGrid Service: running
Step 2: Generate pxGrid Certificate for SecureX
# ISE GUI to Administration to pxGrid Services to Certificates
# Generate New Certificate:
Common Name (CN): securex-client.abhavtech.local
Subject Alternative Names:
- DNS: securex.abhavtech.local
- IP: 10.252.1.25 (if using static IP for SecureX connector)
Certificate Template: pxGrid Client Certificate
Key Size: 2048 bits
Valid For: 365 days
# Download:
☑ Certificate (PEM format): securex-client.pem
☑ Private Key: securex-client-key.pem
☑ Root CA Certificate: ise-root-ca.pem
# Save to secure location (will upload to SecureX)
Step 3: Configure ISE Ribbon in SecureX
# SecureX Dashboard to Modules to Available Modules to ISE to Add Module
Module Name: ISE-Abhavtech-Primary
Description: Abhavtech ISE 14-node cluster (primary PAN)
# Connection Settings:
ISE Server: 10.252.1.20
Port: 8910 (pxGrid WebSocket)
Protocol: wss:// (WebSocket Secure)
# Authentication:
Method: Certificate-based (pxGrid)
Upload Files:
- Client Certificate: securex-client.pem
- Client Key: securex-client-key.pem
- CA Certificate: ise-root-ca.pem
# pxGrid Settings:
Subscribe to Topics:
☑ Session Directory (real-time user sessions)
☑ Endpoint Asset (device inventory)
☑ TrustSec Metadata (SGT assignments)
☑ Radius Failure (authentication failures)
Poll Interval: Real-time (WebSocket push)
# Test Connection:
[Click "Test Connection"]
# Expected: ✅ Connected to ISE pxGrid successfully
# Retrieved 1,247 active sessions
# Retrieved 3,456 endpoints
Step 4: Validate ISE Data Flow
# SecureX to Investigate to Search
# Query: "source:ise"
# Expected Results (sample):
Event Type: Session Start
User: john.doe@abhavtech.com
MAC: 00:50:56:AB:CD:EF
IP: 10.252.2.45
SGT: 15 (Employee)
Auth Method: 802.1X (EAP-TLS)
Location: Mumbai-Floor3-SW01
Timestamp: 2025-01-17T14:32:15+05:30
1.2.2 FMC (Firepower Management Center) Ribbon¶
Phase 1A Week 1 Day 4: FMC Integration
Step 1: Generate FMC API Token
# FMC: 10.252.10.100
# Generate API token
curl -X POST \
https://10.252.10.100/api/fmc_platform/v1/auth/generatetoken \
-H "Content-Type: application/json" \
-u admin:FMC_Admin_Password123! \
-k
# Response Headers (save these):
X-auth-access-token: abc123-def456-ghi789
X-auth-refresh-token: xyz789-uvw456-rst123
DOMAINS: [{"uuid":"e276abec-e0f2-11e3-8169-6d9ed49b625f","name":"Global","type":"DOMAIN"}]
# Token is valid for 30 minutes, refresh token valid for 24 hours
Step 2: Configure FMC Ribbon in SecureX
# SecureX to Modules to Available Modules to Firepower Management Center to Add
Module Name: FMC-Abhavtech
Description: Firepower Management Center managing 18 FTD appliances
# Connection:
FMC URL: https://10.252.10.100
API Version: v1 (FMC 7.x)
# Authentication:
Method: Username/Password (will generate token automatically)
Username: securex-api
Password: [Create dedicated API user in FMC]
Domain: Global
# API Settings:
Rate Limit: 120 requests/minute (FMC limit)
Timeout: 30 seconds
Retry: 3 attempts with exponential backoff
# Data Collection:
☑ Security Events (IPS alerts, malware detection)
☑ Connection Events (allowed/denied traffic)
☑ Intrusion Events (IPS signatures triggered)
☑ File Events (malware files detected by AMP)
☑ Host Events (endpoint activity from Host Input)
Poll Interval: 5 minutes (events generated every 5 min)
# Test Connection:
[Click "Test Connection"]
# Expected: ✅ Connected to FMC successfully
# Retrieved 18 managed devices
# Retrieved 1,234 security events (last 24 hours)
Step 3: Configure Event Filters
# FMC Ribbon Settings to Event Filters
# Only ingest critical/high severity events to reduce noise:
Severity Filter:
☑ Critical
☑ High
☐ Medium (optional, initially disabled)
☐ Low
☐ Informational
# Event Types:
☑ Intrusion (IPS alerts)
☑ Malware (AMP detections)
☑ Connection Denied (blocked traffic)
☐ Connection Allowed (too much volume)
# Device Filter (optional - ingest from all devices):
Devices: All (18 FTD appliances)
1.2.3 Umbrella Ribbon Configuration¶
Phase 1A Week 2 Day 1: Umbrella Integration
Step 1: Generate Umbrella API Keys
# Umbrella Dashboard: https://dashboard.umbrella.com
# Login: admin@abhavtech.com
# Admin to API Keys to Create
Key Name: SecureX-Integration
Scope:
☑ Reports (read DNS logs, security events)
☑ Policies (read policy assignments)
☑ Deployments (read VA/roaming client info)
Key Type: Legacy API Key (OAuth 2.0)
# Output (save to CyberArk):
API Key: 1234567890abcdef1234567890abcdef
API Secret: abcdef1234567890abcdef1234567890
Organization ID: 1234567
Step 2: Configure Umbrella Ribbon
# SecureX to Modules to Umbrella to Add
Module Name: Umbrella-Abhavtech
Description: Umbrella SASE protecting 3,200 users + 40 branches
# Authentication:
API Key: 1234567890abcdef1234567890abcdef
API Secret: abcdef1234567890abcdef1234567890
Organization ID: 1234567
Management API URL: https://management.api.umbrella.com
Reporting API URL: https://reports.api.umbrella.com
# Data Collection:
☑ DNS Queries (blocked, allowed, suspicious)
☑ Security Activity (malware, phishing, C2)
☑ File Analysis (file reputation checks)
☑ Policy Violations (category blocks)
Poll Interval: 10 minutes
# Rate Limiting:
Queries: 600 requests/hour (Umbrella API limit)
Burst: 1000 requests/hour (temporary spike allowed)
# Test Connection:
# Expected: ✅ Connected to Umbrella
# Retrieved 12,345 DNS queries (last hour)
# Retrieved 23 security blocks (last hour)
[Continue with remaining ribbons: AMP, Threat Grid, Duo, etc.]
1.3 Threat Response Workflow Creation¶
1.3.1 Workflow 1: Investigate Malicious Domain¶
Phase 1A Week 2 Day 2-3: Automated Investigation Workflow
Workflow Purpose: When Umbrella blocks a malicious domain, automatically investigate which users/devices attempted to reach it, query ISE for user context, and create incident ticket.
Step 1: Create Workflow in SecureX Orchestration
# SecureX to Orchestration to Workflows to Create Workflow
Workflow Name: WF-001-Investigate-Malicious-Domain
Description: Automated investigation when Umbrella blocks malicious domain
Trigger: Webhook (from Umbrella alert)
Priority: High
Step 2: Workflow Logic (JSON Definition)
{
"workflow": {
"name": "WF-001-Investigate-Malicious-Domain",
"version": "1.0",
"trigger": {
"type": "webhook",
"url": "https://visibility.us.amp.cisco.com/workflows/webhook/abc123"
},
"variables": {
"blocked_domain": "$trigger.domain",
"timestamp": "$trigger.timestamp",
"category": "$trigger.category",
"user_ip": "$trigger.source_ip"
},
"actions": [
{
"step": 1,
"name": "Query Umbrella for Domain Details",
"type": "http_request",
"config": {
"method": "GET",
"url": "https://investigate.api.umbrella.com/domains/categorization/$blocked_domain",
"headers": {
"Authorization": "Bearer $umbrella_api_key"
}
},
"output": "$domain_reputation"
},
{
"step": 2,
"name": "Query ISE for User Context",
"type": "pxgrid_query",
"config": {
"query": "getSessionByIP",
"parameters": {
"ip_address": "$user_ip"
}
},
"output": "$ise_session"
},
{
"step": 3,
"name": "Extract User Details",
"type": "variable_set",
"config": {
"username": "$ise_session.userName",
"mac_address": "$ise_session.macAddress",
"sgt": "$ise_session.sgt",
"location": "$ise_session.location"
}
},
{
"step": 4,
"name": "Check if C2 Domain (Command & Control)",
"type": "condition",
"config": {
"if": "$domain_reputation.security_categories contains 'Command and Control'",
"then": "step_5_critical",
"else": "step_6_standard"
}
},
{
"step": "5_critical",
"name": "CRITICAL: Quarantine Device (C2 Detected)",
"type": "ftd_api",
"config": {
"action": "add_to_quarantine_list",
"ip_address": "$user_ip",
"duration": "1 hour"
}
},
{
"step": "6_standard",
"name": "STANDARD: Create Incident",
"type": "create_incident",
"config": {
"severity": "high",
"title": "Malicious Domain Access Attempt: $blocked_domain",
"description": "User $username ($user_ip) attempted to access $blocked_domain (Category: $category)",
"assigned_to": "security-ops@abhavtech.com"
}
},
{
"step": 7,
"name": "Send Webex Notification",
"type": "webex_message",
"config": {
"room": "Security Operations",
"message": "🚨 **Malicious Domain Blocked**\nDomain: $blocked_domain\nUser: $username\nIP: $user_ip\nSGT: $sgt\nAction Taken: Incident created / Device quarantined"
}
}
]
}
}
Step 3: Test Workflow
# SecureX Orchestration to WF-001 to Test Run
# Test Input (simulate Umbrella webhook):
{
"domain": "evil-c2-server.bad",
"timestamp": "2025-01-17T14:45:00Z",
"category": "Command and Control",
"source_ip": "10.252.2.78"
}
# Expected Output:
Step 1: ✅ Domain reputation: Malicious (C2, Talos threat score: 95/100)
Step 2: ✅ ISE session found: john.doe@abhavtech.com
Step 3: ✅ User: john.doe, MAC: 00:50:56:12:34:AB, SGT: 15, Location: Mumbai-Floor2
Step 4: ✅ C2 detected to Execute Step 5 (quarantine)
Step 5: ✅ Device 10.252.2.78 added to FTD quarantine list (1 hour)
Step 6: (skipped - C2 path taken)
Step 7: ✅ Webex message sent to Security Operations room
# Execution Time: 8.3 seconds
# Result: SUCCESS
I'll continue building this document with the same level of detail. Should I proceed with the remaining sections?
2. FTD DEPLOYMENT & ASA MIGRATION - DETAILED IMPLEMENTATION¶
2.1 FTD Hardware Sizing Methodology¶
2.1.1 Throughput Requirements Calculation¶
Step 1: Calculate Per-Site User Count & Traffic
| Site | Location | Users | Internet BW | Expected Throughput |
|---|---|---|---|---|
| HQ-Mumbai | Mumbai, India | 800 | 1 Gbps DIA | 500 Mbps avg, 800 Mbps peak |
| HQ-London | London, UK | 600 | 500 Mbps DIA | 300 Mbps avg, 450 Mbps peak |
| HQ-NewJersey | New Jersey, USA | 700 | 1 Gbps DIA | 400 Mbps avg, 600 Mbps peak |
| Branch-Chennai | Chennai, India | 250 | 200 Mbps | 120 Mbps avg, 180 Mbps peak |
| Branch-Frankfurt | Frankfurt, Germany | 200 | 200 Mbps | 100 Mbps avg, 150 Mbps peak |
| Branch-Dallas | Dallas, USA | 180 | 200 Mbps | 90 Mbps avg, 135 Mbps peak |
Step 2: Apply Feature Overhead Multipliers
Base Throughput Calculation Formula:
────────────────────────────────────
Required FTD Throughput = Peak Throughput × Feature Overhead
Feature Overhead Multipliers:
- Firewall only: 1.0× (no overhead)
- Firewall + AVC (Application Visibility): 1.1×
- Firewall + AVC + IPS (Intrusion Prevention): 1.3×
- Firewall + AVC + IPS + SSL Decryption: 1.8×
- Firewall + AVC + IPS + SSL + Malware (AMP): 2.0×
Abhavtech Configuration:
- All sites: Firewall + AVC + IPS + SSL + AMP (full stack)
- Multiplier: 2.0×
Example Calculation (Mumbai HQ):
Peak Throughput: 800 Mbps
Feature Set: Firewall + AVC + IPS + SSL + AMP
Multiplier: 2.0×
Required FTD Throughput = 800 Mbps × 2.0 = 1,600 Mbps
Therefore: Need FTD model rated for ≥1.6 Gbps throughput
2.1.2 FTD Model Selection Guide¶
Cisco Firepower Threat Defense (FTD) Models:
| Model | Form Factor | Firewall Throughput | IPS Throughput | Full Stack* | Max VPN | Price Tier |
|---|---|---|---|---|---|---|
| FPR-1150 | 1U | 3 Gbps | 1.5 Gbps | 750 Mbps | 500 Mbps | Entry |
| FPR-2140 | 1U | 12 Gbps | 7.5 Gbps | 2.5 Gbps | 2 Gbps | Mid |
| FPR-4150 | 1U | 32 Gbps | 18 Gbps | 7.5 Gbps | 10 Gbps | High |
| FPR-9300 | Chassis | 55+ Gbps | 40+ Gbps | 20+ Gbps | 20+ Gbps | Enterprise |
*Full Stack = Firewall + AVC + IPS + SSL Decryption + AMP (Malware)
2.1.3 Site-by-Site Model Selection¶
Abhavtech FTD Deployment Plan:
| Site | Required Throughput | Recommended Model | Justification | Quantity | HA Config |
|---|---|---|---|---|---|
| Mumbai HQ | 1,600 Mbps | FPR-2140 | 2.5 Gbps full stack > 1.6 Gbps | 2 | Active/Standby |
| London HQ | 900 Mbps | FPR-2140 | 2.5 Gbps full stack > 900 Mbps | 2 | Active/Standby |
| New Jersey HQ | 1,200 Mbps | FPR-2140 | 2.5 Gbps full stack > 1.2 Gbps | 2 | Active/Standby |
| Chennai Branch | 360 Mbps | FPR-1150 | 750 Mbps full stack > 360 Mbps | 2 | Active/Standby |
| Frankfurt Branch | 300 Mbps | FPR-1150 | 750 Mbps full stack > 300 Mbps | 2 | Active/Standby |
| Dallas Branch | 270 Mbps | FPR-1150 | 750 Mbps full stack > 270 Mbps | 2 | Active/Standby |
| 12 Small Branches | 50-150 Mbps | FPR-1150 | Cost-effective for low throughput | 12 | Standalone |
Total: 18 FTD appliances (12× FPR-1150, 6× FPR-2140)
2.2 FTD Appliance Specifications¶
2.2.1 Cisco FPR-1150 Specifications¶
Hardware Platform: Cisco Firepower 1150
| Component | Specification | Part Number | Notes |
|---|---|---|---|
| Model | Firepower 1150 (1U) | FPR-1150-ASA-K9 | 1U rack mount, fanless |
| CPU | Intel Atom C3758R | Built-in | 8 cores @ 2.2 GHz |
| Memory | 32 GB DDR4 | Built-in | Non-upgradeable |
| Storage | 400 GB SSD | Built-in | M.2 SATA SSD |
| Network Ports | |||
| - Management | 1× 1GbE RJ45 | mgmt0 | Out-of-band management |
| - Data Ports | 8× 1GbE RJ45 | eth1/1-8 | Copper interfaces |
| - Data Ports | 8× 1GbE SFP | eth1/9-16 | Fiber interfaces (optional) |
| Power | Dual 250W AC | Built-in | Redundant, auto-switchover |
| Dimensions | 1U: 1.7" H × 17.2" W × 14.9" D | - | Standard 19" rack |
| Weight | 22 lbs (10 kg) | - | Fully loaded |
Performance Specifications:
| Metric | Performance | Notes |
|---|---|---|
| Firewall Throughput | 3 Gbps | Stateful, no features enabled |
| IPS Throughput | 1.5 Gbps | With IPS enabled |
| Full Stack Throughput | 750 Mbps | Firewall+IPS+SSL+AMP |
| VPN Throughput | 500 Mbps | IPsec + AES-256 |
| Concurrent Sessions | 200,000 | Stateful firewall sessions |
| New Sessions/sec | 20,000 | Connection rate |
| Max VLANs | 1,024 | Subinterfaces |
2.2.2 Cisco FPR-2140 Specifications¶
Hardware Platform: Cisco Firepower 2140
| Component | Specification | Part Number | Notes |
|---|---|---|---|
| Model | Firepower 2140 (1U) | FPR-2140-ASA-K9 | 1U rack mount |
| CPU | Intel Xeon D-1528 | Built-in | 6 cores @ 1.9 GHz |
| Memory | 32 GB DDR4 | Upgradeable to 64 GB | 2× 16GB modules |
| Storage | 400 GB SSD | Built-in | M.2 SATA SSD |
| Network Ports | |||
| - Management | 1× 1GbE RJ45 | mgmt0 | Out-of-band |
| - Data Ports | 8× 1GbE RJ45 | eth1/1-8 | Copper |
| - Data Ports | 2× 10GbE SFP+ | eth1/9-10 | Fiber uplinks |
| - Expansion Slots | 1× NM slot | - | Network Module (optional 4× 10GbE) |
| Power | Dual 450W AC | Built-in | Redundant |
| Dimensions | 1U: 1.7" H × 17.3" W × 20.9" D | - | 19" rack |
| Weight | 32 lbs (14.5 kg) | - |
Performance Specifications:
| Metric | Performance | Notes |
|---|---|---|
| Firewall Throughput | 12 Gbps | Stateful |
| IPS Throughput | 7.5 Gbps | With IPS |
| Full Stack Throughput | 2.5 Gbps | Firewall+IPS+SSL+AMP |
| VPN Throughput | 2 Gbps | IPsec + AES-256 |
| Concurrent Sessions | 500,000 | Stateful sessions |
| New Sessions/sec | 40,000 | Connection rate |
| Max VLANs | 1,024 | Subinterfaces |
2.3 FTD Initial Setup (Day 0)¶
2.3.1 Physical Installation¶
Phase 1B Week 5 Day 1: Mumbai HQ FTD Installation
Step 1: Rack FTD Appliances
Rack: Mumbai-DC-RACK-10 (42U)
Position Device Model Power IP (mgmt0)
─────────────────────────────────────────────────────────────────
U25 ftd-mumbai-01 (Active) FPR-2140 450W 10.252.99.41
U24 (rear + cable mgmt)
U23 ftd-mumbai-02 (Standby) FPR-2140 450W 10.252.99.42
U22 (rear + cable mgmt)
Total Power: 900W (within 20A PDU capacity)
Step 2: Cable Connections
FTD-MUMBAI-01 (Active):
─────────────────────────────────────
mgmt0: to Management Switch (VLAN 99) to IP: 10.252.99.41/24
eth1/1: to Outside/Internet (VLAN 10) to ISP handoff
eth1/2: to Inside/Corporate (VLAN 100) to Core Switch
eth1/3: to DMZ (VLAN 200) to DMZ servers
eth1/4: to Failover Link to ftd-mumbai-02 eth1/4
eth1/5: to Stateful Failover Link to ftd-mumbai-02 eth1/5
eth1/9 (10G): to Uplink to Core (VLAN trunk) to Core Switch 10GbE
FTD-MUMBAI-02 (Standby): Mirror of FTD-01
2.3.2 Console Setup (Day 0 Config)¶
Step 3: Initial Console Access
# Connect USB console cable to ftd-mumbai-01
# Serial settings: 9600 baud, 8N1
# Power on appliance
# Boot sequence (2-3 minutes)
Cisco Firepower 2140 ROMMON Version 1.0.15
...
Booting Cisco Firepower Threat Defense Software 7.4.0...
# First boot wizard appears:
Do you want to configure IPv4 address for management interface? (y/n): y
Enter management interface IPv4 address: 10.252.99.41
Enter management interface subnet mask: 255.255.255.0
Enter default gateway: 10.252.99.1
Enter primary DNS server: 10.252.1.50
Enter secondary DNS server (optional): 10.252.1.51
Do you want to configure IPv6 address? (y/n): n
# Configure hostname:
Enter firewall hostname: ftd-mumbai-01
# Configure password for admin user:
Enter admin password: [Create strong password, min 12 chars]
Confirm password: [Repeat password]
# Configure NTP:
Enter NTP server: 10.252.1.50
# FMC Registration:
Manage FTD from Firepower Management Center? (y/n): y
Enter FMC IP address or hostname: 10.252.10.100
Enter unique NAT ID (alphanumeric): mumbai-hq-ftd-01
Enter registration key: Abhavtech2025!
# Apply configuration:
Configuration saved. Rebooting to apply changes...
Step 4: Verify FTD is Reachable
# From management workstation:
ping 10.252.99.41
# Expected: Reply from 10.252.99.41
# SSH to FTD (after reboot ~5 minutes):
ssh admin@10.252.99.41
# Login with password set during Day 0
# Verify FTD status:
> show version
Cisco Firepower Threat Defense 7.4.0 (build 94)
Model: Cisco Firepower 2140
Memory: 32768 MB
Disk: 400 GB
> show network
Management0/0: 10.252.99.41/24, gateway: 10.252.99.1
> show managers
Hostname: 10.252.10.100
Status: Pending Registration
2.3.3 FMC Registration¶
Step 5: Add FTD to FMC
# FMC GUI: https://10.252.10.100
# Login: admin / [FMC password]
# Devices to Add Device
Device Type: Firepower Threat Defense
Access: Manager (FMC manages FTD)
Registration:
Display Name: ftd-mumbai-01
Description: Mumbai HQ Active Firewall (FPR-2140)
Host: 10.252.99.41
Registration Key: Abhavtech2025!
NAT ID: mumbai-hq-ftd-01
Access Control Policy: Default-Policy (will customize later)
License: Smart License (Essential + Threat + Malware)
# Click "Register"
# Wait 5-10 minutes for registration to complete
# Verify Registration:
Devices to Device Management to ftd-mumbai-01
Status: ✅ Registered (Green checkmark)
Health: Good
Version: 7.4.0
Last Contact: Just now
Step 6: Configure High Availability (Active/Standby)
# Repeat Steps 1-5 for ftd-mumbai-02 (Standby)
# Configure HA in FMC:
Devices to Device Management to ftd-mumbai-01 to Edit to High Availability
HA Type: Active/Standby
Role: Active (ftd-mumbai-01)
Peer Device: ftd-mumbai-02
# Failover Configuration:
Failover Link:
Interface: ethernet1/4
IP Address (ftd-01): 192.168.1.1/30
IP Address (ftd-02): 192.168.1.2/30
Stateful Failover Link:
Interface: ethernet1/5
IP Address (ftd-01): 192.168.2.1/30
IP Address (ftd-02): 192.168.2.2/30
# Failover Criteria:
Monitor Interfaces:
☑ ethernet1/1 (Outside) - 2 consecutive failures trigger failover
☑ ethernet1/2 (Inside) - 2 consecutive failures trigger failover
Failover Timeout: 5 seconds
Auto-Sync: Enabled (sync configs every 5 minutes)
# Save and Deploy:
[Click "Save" then "Deploy"]
# Verify HA Status:
Devices to High Availability to ftd-mumbai-01
Status: ✅ Active (Green)
Peer Status: ✅ Standby Ready (Green)
Failover Link: Up
Stateful Link: Up
2.4 ASA Configuration Export & Analysis¶
2.4.1 Export ASA Configuration¶
Phase 1B Week 6 Day 1: Configuration Backup
Step 1: Connect to Existing ASA
# Current ASA at Mumbai HQ: asa-mumbai-01 (10.252.10.1)
# ASA 5525-X, Software 9.16(4)
ssh admin@10.252.10.1
Password: [ASA admin password]
asa-mumbai-01# show version
Cisco Adaptive Security Appliance Software Version 9.16(4)
Model: ASA 5525-X
Step 2: Export Running Configuration
# From ASA:
asa-mumbai-01# terminal pager 0
asa-mumbai-01# show running-config
# Output will be 2000+ lines - copy to file
# Save to file on TFTP server:
asa-mumbai-01# copy running-config tftp://10.252.100.50/asa-mumbai-01-config-2025-01-17.txt
# Verify file saved:
# From management workstation:
ls -lh /tftpboot/asa-mumbai-01-config-2025-01-17.txt
# Expected: -rw-r--r-- 1 root root 98K Jan 17 15:30 asa-mumbai-01-config-2025-01-17.txt
Step 3: Document Current Traffic Baseline
# Capture current ASA performance metrics for comparison:
asa-mumbai-01# show traffic
received (in 8.536 secs):
15234 packets 8234560 bytes
1784 pkts/sec 964521 bytes/sec
transmitted (in 8.536 secs):
12456 packets 6789012 bytes
1459 pkts/sec 795234 bytes/sec
asa-mumbai-01# show conn count
1,234 in use, 234,567 most used
asa-mumbai-01# show cpu usage
CPU utilization for 5 seconds = 23%; 1 minute: 25%; 5 minutes: 28%
asa-mumbai-01# show memory
Free memory: 2048 MB
Used memory: 6144 MB
Total memory: 8192 MB
# Document these baselines for post-migration comparison
[Continue with remaining sections...]
3. DUO BEYOND - DETAILED IMPLEMENTATION¶
3.1 Duo Auth Proxy Sizing & Specifications¶
3.1.1 Duo Auth Proxy Requirements¶
Purpose: Duo Authentication Proxy acts as a RADIUS server that bridges ISE/VPN with Duo's cloud MFA service.
Sizing Calculation:
Formula: Auth Proxy Servers = (Peak Auth/min ÷ 240) + 1
Where:
- Peak Auth/min = Maximum authentications per minute
- 240 = Duo Auth Proxy capacity per server (tested limit)
- +1 = For redundancy
Abhavtech Calculation:
- Total Users: 3,200
- Peak Login Period: 08:00-09:00 IST (morning arrival)
- Concurrent Logins: 30% of users (960 users)
- Login Duration: 60 minutes
- Peak Auth Rate: 960 ÷ 60 = 16 auth/min
Required Servers = (16 ÷ 240) + 1 = 1.07 to 2 servers (for HA)
Result: Deploy 2× Duo Auth Proxy servers (Active/Active with load balancing)
3.1.2 Duo Auth Proxy Server Specifications¶
Recommended Platform: Cisco UCS C220 M6 (consistent with Splunk infrastructure)
| Component | Specification | Part Number | Justification |
|---|---|---|---|
| Model | Cisco UCS C220 M6 (1U) | UCSC-C220-M6S | Light workload, 1U form factor |
| CPU | 1× Intel Xeon Silver 4310 | UCS-CPU-I4310 | 8 cores @ 2.1GHz (low CPU usage) |
| Memory | 16 GB DDR4-3200 | UCS-MR-X16G2RS-H | Duo Auth Proxy is RAM-light |
| Storage | 1× 240GB SSD | UCS-SD240GBKS4-E | OS + Duo software (<50GB) |
| Network | Cisco VIC 1455 (Dual 10GbE) | UCSC-PCIE-C10Q-04 | Redundant NICs |
| OS | RHEL 8.x or Ubuntu 20.04 LTS | - | Duo officially supported |
| Power | Dual 770W | UCSC-PSU1-770W | Redundant PSUs |
Deployment: 2× servers (duo-auth-proxy-01, duo-auth-proxy-02) at Mumbai HQ for global coverage
3.2 Duo Auth Proxy Installation¶
3.2.1 Operating System Preparation¶
Phase 1B Week 7 Day 1-2: Duo Auth Proxy Server Setup
Step 1: Install RHEL 8.x
# Boot from RHEL 8.6 ISO
# Installation options:
# - Server with GUI (for initial setup)
# - Network: eth0 static IP
# - Disk: Use entire 240GB disk, standard partitioning
# - Timezone: Asia/Kolkata (IST)
# - Root password: [Strong password in CyberArk]
# - Create user: duoadmin (wheel group)
# Post-installation (as root):
hostnamectl set-hostname duo-auth-proxy-01.abhavtech.local
# Update OS
yum update -y
# Disable SELinux (Duo recommendation)
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
# Configure firewall (allow RADIUS, SSH)
firewall-cmd --permanent --add-port=1812/udp # RADIUS auth
firewall-cmd --permanent --add-port=1813/udp # RADIUS accounting
firewall-cmd --permanent --add-port=22/tcp # SSH
firewall-cmd --reload
# Configure NTP
yum install -y chrony
cat > /etc/chrony.conf << 'EOF'
server 10.252.1.50 iburst # Abhavtech NTP
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
systemctl enable chronyd
systemctl start chronyd
3.2.2 Duo Auth Proxy Software Installation¶
Step 2: Download Duo Authentication Proxy
# Download latest version from Duo
cd /opt
wget https://dl.duosecurity.com/duoauthproxy-latest-src.tgz
# Verify checksum (get from Duo downloads page)
sha256sum duoauthproxy-latest-src.tgz
# Compare with published checksum: a1b2c3d4e5f6...
# Extract
tar xzf duoauthproxy-latest-src.tgz
cd duoauthproxy-6.3.0-src
# Install dependencies
yum install -y gcc python3-devel openssl-devel
# Compile and install
make
./install
# Duo Auth Proxy installed to: /opt/duoauthproxy
Step 3: Create systemd Service
# Create systemd unit file
cat > /etc/systemd/system/duoauthproxy.service << 'EOF'
[Unit]
Description=Duo Authentication Proxy
After=network.target
[Service]
Type=forking
ExecStart=/opt/duoauthproxy/bin/authproxy start
ExecStop=/opt/duoauthproxy/bin/authproxy stop
PIDFile=/opt/duoauthproxy/run/authproxy.pid
User=root
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable duoauthproxy
3.3 AD/LDAP Integration Configuration¶
3.3.1 Duo Admin Panel Setup¶
Step 4: Configure Duo Admin Panel
# Duo Admin Panel: https://admin.duosecurity.com
# Login: admin@abhavtech.com (with Duo MFA)
# Applications to Protect an Application to Cisco ISE
Application Name: Abhavtech-ISE-RADIUS
Type: RADIUS
Integration Key: DI1234567890ABCDEF12
Secret Key: abc123def456ghi789jkl012mno345pqr678stu901
# Authentication Policy:
Require enrolled device: Yes
Allow remembered devices: Yes (for 30 days)
Prompt for Duo Push: Yes (default)
Fallback to phone call: Yes
Fallback to SMS passcode: No (security policy)
# User Policy:
New User Policy: Deny access until enrolled
Inactive User Policy: Require re-enrollment after 90 days
3.3.2 authproxy.cfg Configuration¶
Step 5: Configure Duo Auth Proxy
# /opt/duoauthproxy/conf/authproxy.cfg
[main]
debug=false
log_sslkeyfile=false
log_auth_events=true
log_max_files=6
log_max_size=10485760
http_proxy_host=
http_proxy_port=
# RADIUS Server Configuration (for ISE)
[radius_server_auto]
# This section handles RADIUS requests from ISE
ikey=DI1234567890ABCDEF12
skey=abc123def456ghi789jkl012mno345pqr678stu901
api_host=api-12345678.duosecurity.com
radius_ip_1=10.252.1.20 # ISE PAN
radius_ip_2=10.252.1.21 # ISE PSN-01
radius_ip_3=10.252.1.22 # ISE PSN-02
radius_ip_4=10.252.1.23 # ISE PSN-03
radius_secret=SharedSecret123! # Must match ISE RADIUS secret
port=1812
failmode=safe # Allow access if Duo is unreachable (fail-open)
client=ad_client # Reference AD configuration below
# Active Directory LDAP Configuration
[ad_client]
host=10.252.1.10 # AD Domain Controller IP
service_account_username=svc-duo@abhavtech.local
service_account_password=[Secure password - store in encrypted format]
search_dn=DC=abhavtech,DC=local
security_group_dn=CN=VPN-Users,OU=Security Groups,DC=abhavtech,DC=local
# LDAP Connection Settings
transport=starttls # Use STARTTLS for encryption
ssl_verify_hostname=true
ssl_ca_certs=/etc/ssl/certs/ca-bundle.crt
timeout=60
ldap_filter=(memberOf=CN=VPN-Users,OU=Security Groups,DC=abhavtech,DC=local)
# Attribute Mapping
username_attribute=sAMAccountName
at_attribute=
Step 6: Encrypt Service Account Password
# Encrypt password in config
/opt/duoauthproxy/bin/authproxy_passwd
# Prompts for password, then outputs encrypted string:
[ad_client]
service_account_password_protected=[encrypted_string_abc123]
# Replace plain password in authproxy.cfg with encrypted version
Step 7: Start Duo Auth Proxy
# Start service
systemctl start duoauthproxy
# Check status
systemctl status duoauthproxy
# Expected: active (running)
# Check logs
tail -f /opt/duoauthproxy/log/authproxy.log
# Expected output:
2025-01-17 15:30:15 Duo Authentication Proxy v6.3.0 starting...
2025-01-17 15:30:16 [radius_server_auto] Listening on 0.0.0.0:1812
2025-01-17 15:30:16 [ad_client] Successfully connected to AD: 10.252.1.10
2025-01-17 15:30:16 Ready to process authentication requests
3.4 Device Trust Enrollment¶
3.4.1 End-User Device Enrollment Walkthrough¶
Phase 1B Week 8: User Enrollment Campaign
Enrollment Methods:
- Duo Mobile App (Recommended for Smartphones)
- Duo Desktop App (for Laptops/Desktops)
- Hardware Token (for users without smartphone)
Method 1: Duo Mobile App Enrollment (iOS/Android)
Step 1: User Receives Enrollment Email
From: noc@abhavtech.com
To: john.doe@abhavtech.com
Subject: Action Required: Enroll in Multi-Factor Authentication (MFA)
Dear John,
As part of Abhavtech's Zero Trust security initiative, you are required to
enroll in Multi-Factor Authentication (MFA) using Duo Security.
Enrollment Deadline: January 31, 2025
Estimated Time: 5 minutes
Instructions:
1. Click the link below to start enrollment
2. Install Duo Mobile app on your smartphone
3. Scan the QR code to link your device
4. Test your setup
Enrollment Link: https://api-12345678.duosecurity.com/portal?code=abc123
Need Help? Contact IT Support: +91-XX-XXXX-XXXX or helpdesk@[your-domain]
Step 2: User Clicks Enrollment Link
# User opens link in web browser
# Duo Enrollment Portal opens
Welcome to Duo Security, John Doe!
Your username: john.doe@abhavtech.com
Step 1: Install Duo Mobile
[Download for iOS] [Download for Android]
# User downloads Duo Mobile from App Store or Google Play
Step 3: User Scans QR Code
# Browser shows QR code
Step 2: Activate Duo Mobile
1. Open Duo Mobile app
2. Tap "+" to add an account
3. Scan the QR code below
[QR CODE IMAGE]
Can't scan? Enter this activation code manually: ABC123-DEF456-GHI789
Step 4: Device Trust Enabled (Optional but Recommended)
# After successful enrollment, browser shows:
Step 3: Enable Device Trust (Recommended)
Device Trust allows your device to be remembered for 30 days, reducing
how often you need to approve Duo Push notifications.
[Enable Device Trust]
# If user clicks "Enable Device Trust":
Install Duo Desktop app for Windows/Mac to enable Device Trust.
[Download Duo Desktop for Windows]
[Download Duo Desktop for Mac]
# User installs Duo Desktop, which runs in system tray
# Device gets "Trusted" status in Duo admin panel
Step 5: Test Enrollment
# Browser shows:
Enrollment Complete! ✅
Test your setup:
[Send Test Duo Push]
# User clicks button, receives Duo Push on smartphone
# User approves push to Test succeeds
3.5 SSO SAML Configuration¶
3.5.1 Office 365 SAML SSO Setup¶
Phase 1B Week 8 Day 3-4: Office 365 Integration
Step 1: Configure Duo as Identity Provider in Azure AD
# Azure AD Portal: https://portal.azure.com
# Azure Active Directory to Enterprise Applications to New Application
Application Name: Duo Security SSO
Type: Non-gallery application
# Single Sign-On to SAML
Basic SAML Configuration:
Identifier (Entity ID): https://duo.com/saml/abhavtech
Reply URL (ACS): https://duo.com/saml/abhavtech/acs
Sign-on URL: https://sso.duosecurity.com/saml/abhavtech
Relay State: [leave blank]
Logout URL: https://sso.duosecurity.com/saml/abhavtech/logout
User Attributes & Claims:
Required Claim:
Name: user.userprincipalname
Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Attribute
Source Attribute: user.userprincipalname
Additional Claims:
givenname to user.givenname
surname to user.surname
emailaddress to user.mail
# SAML Signing Certificate:
Download: Certificate (Base64)
File: abhavtech-azure-saml-cert.cer
Step 2: Configure Duo for Office 365 SSO
# Duo Admin Panel to Applications to Protect an Application to Microsoft 365
Application Name: Office 365 - Abhavtech
Integration Key: DI9876543210ZYXWVU98
Secret Key: zyx987wvu654tsr321qpo098nml765kjh432igh210
# SAML Configuration:
Service Provider:
Entity ID: urn:federation:MicrosoftOnline
Assertion Consumer Service: https://login.microsoftonline.com/login.srf
Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Identity Provider:
Upload Azure AD Certificate: abhavtech-azure-saml-cert.cer
Metadata URL: https://login.microsoftonline.com/[tenant-id]/federationmetadata/2007-06/federationmetadata.xml
# Attribute Mapping:
Duo Attribute to SAML Attribute
username to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
email to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
firstname to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
lastname to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
# Authentication Policy:
Require MFA: Yes
Remembered Device Duration: 30 days
Allow Duo Push: Yes
Allow Phone Call: Yes
Allow SMS Passcode: No
Step 3: Test SSO
# Test User: john.doe@abhavtech.com
1. Navigate to: https://office.com
2. Enter email: john.doe@abhavtech.com
3. Redirected to Duo SSO page
4. Enter password
5. Duo Push sent to smartphone
6. User approves Duo Push
7. Redirected back to Office 365 to Success ✅
# Expected Authentication Flow Log (from Duo):
Timestamp: 2025-01-17 16:45:23 IST
User: john.doe@abhavtech.com
Application: Office 365 - Abhavtech
Factor: Duo Push
Device: iPhone 13 (Trusted)
Location: Mumbai, India (10.252.2.45)
Result: SUCCESS
Response Time: 3.2 seconds
3.6 Risk-Based Policy Implementation¶
Step 4: Configure Risk-Based Authentication in Duo
# Duo Admin Panel to Policies to Global Policy
Policy Name: Abhavtech-Risk-Based-Auth
Description: Risk-based authentication with step-up for medium/high risk
# Risk Scoring Configuration:
Risk Factors (from Document 1 Appendix D):
Device Trust: Weight 30%
- Trusted Device: 0 points
- Managed (enrolled): 5 points
- Unknown Device: 10 points
Location: Weight 20%
- Known Office (Mumbai/London/NJ): 0 points
- Known Remote Location: 3 points
- New/Unknown Location: 7 points
Impossible Travel: Weight 25%
- No impossible travel: 0 points
- Impossible travel detected: 10 points
Time: Weight 10%
- Business Hours (Mon-Fri 08:00-18:00 IST): 0 points
- Off-Hours: 5 points
- Weekend + Off-Hours: 7 points
Failed MFA Attempts: Weight 10%
- 0-1 attempts: 0 points
- 2-3 attempts: 5 points
- 4+ attempts: 10 points
New Device: Weight 5%
- Known device (30+ days): 0 points
- New device (first time): 7 points
# Authentication Actions Based on Risk Score:
Low Risk (0.0 - 2.9):
Action: Allow with standard Duo Push
Session Duration: 8 hours
Device Remember: 30 days
Medium Risk (3.0 - 5.9):
Action: Allow with step-up MFA (biometric required)
Session Duration: 4 hours
Device Remember: Disabled
Notification: Alert NOC via email
High Risk (6.0 - 7.9):
Action: Quarantine session + Alert security team
User Notification: "Unusual activity detected. Security team notified."
Session Duration: 1 hour
Re-authentication: Every 30 minutes
Critical Risk (8.0 - 10.0):
Action: Deny + Disable account temporarily
User Notification: "Account temporarily locked. Contact IT Security immediately."
Admin Action Required: Manual review and unlock
[Continue with real-world scenarios...]
6. REAL-WORLD SCENARIO WALKTHROUGHS¶
6.1 Scenario 1: Malware Outbreak Detection & Containment¶
Timeline: January 17, 2025, 10:00-10:45 IST (45-minute incident)
Initial Alert:
From: SecureX Automated Alert
To: security-ops@abhavtech.com
Subject: CRITICAL - C2 Domain Access Detected
Alert Time: 2025-01-17 10:02:15 IST
Severity: CRITICAL
Source: Umbrella DNS Security
Details:
- Domain Blocked: evil-malware-c2.darkweb
- Category: Command & Control (C2)
- Source IP: 10.252.2.78
- Timestamp: 10:01:45 IST
- Block Count: 15 attempts in last 2 minutes
SecureX Workflow WF-001 automatically triggered.
Incident: INC-2025-0117-001 created.
Investigation Timeline:
10:02 - Alert Received, Investigation Begins
# SOC Analyst: Sarah Kumar opens SecureX
SecureX to Incidents to INC-2025-0117-001
Incident Summary:
Title: Malware C2 Communication Detected
Severity: Critical
Status: Investigating
Created: 10:02:15 IST
Assigned: Sarah Kumar
# Automated Workflow Results:
WF-001 (Investigate-Malicious-Domain) completed:
✅ Step 1: Umbrella domain reputation queried
Result: evil-malware-c2.darkweb - Talos threat score: 98/100
Category: Command & Control, Malware Distribution
First Seen: 2025-01-15 (2 days ago)
✅ Step 2: ISE session query
Result: User found
Username: jane.smith@abhavtech.com
MAC: 00:50:56:12:34:AB
IP: 10.252.2.78
SGT: 15 (Employee)
Location: Mumbai-Floor2-East-SW01
✅ Step 3: FTD quarantine triggered
Result: IP 10.252.2.78 added to quarantine policy
Duration: 1 hour (auto-expires at 11:03:15)
✅ Step 4: Webex notification sent
Room: Security Operations
Message: "🚨 CRITICAL: C2 domain blocked, user jane.smith quarantined"
10:05 - Analyst Investigates Endpoint
# Check if malware is active on endpoint
SecureX to Threat Response to Query Endpoints
Query: IP = 10.252.2.78
# Results from Cisco AMP (endpoint security):
Endpoint: ABHAV-LAPTOP-JS-0012
User: jane.smith
OS: Windows 11 Pro (build 22621)
AMP Status: ❌ MALWARE DETECTED
# AMP Detection Details:
File: C:\Users\jane.smith\Downloads\invoice-Q4-2024.exe
SHA-256: a1b2c3d4e5f6789012345678901234567890abcdef123456789012345678
Detection: Win.Trojan.Generic::95.sbx.tg (high confidence)
Quarantine Status: ✅ File quarantined by AMP
First Seen on Endpoint: 10:00:30 IST (90 seconds before C2 communication)
Source: Email attachment (received 09:58:15)
10:08 - Root Cause Identified: Phishing Email
# Query email logs (Office 365 via Azure Sentinel integration)
SecureX to Integrations to Azure Sentinel to Email Logs
Query: Recipient = jane.smith@abhavtech.com, Timestamp > 09:50
# Email Found:
From: finance@abhavtech-suppliers[.]com (SUSPICIOUS - fake domain)
To: jane.smith@abhavtech.com
Subject: URGENT: Q4 Invoice Payment Required
Received: 09:58:15 IST
Attachment: invoice-Q4-2024.exe (malware)
Email Body:
"Dear Jane,
Please review and approve the attached Q4 invoice immediately.
Payment is overdue.
[Urgent action required]"
# Email Gateway (Cisco Email Security) Log:
Result: ⚠️ ALLOWED (email gateway missed this)
Reason: Sender domain not in blocklist, attachment passed basic scan
Issue: Zero-day malware, not yet in signature database
10:12 - Impact Assessment
# Check if malware spread to other users
SecureX to Query: SHA-256 = a1b2c3d4e5f6...
# AMP Results:
Affected Endpoints: 1 (only jane.smith's laptop)
Status: Contained (quarantined immediately, no lateral movement)
# Check if other users received same email:
Azure Sentinel Query:
| where TimeGenerated > ago(2h)
| where Subject contains "Q4 Invoice"
| where Sender contains "abhavtech-suppliers[.]com"
| summarize count() by RecipientEmailAddress
# Results:
RecipientEmailAddress count
jane.smith@abhavtech.com 1
john.doe@abhavtech.com 1
robert.kumar@abhavtech.com 1
sarah.patel@abhavtech.com 1
TOTAL: 4 users received phishing email
10:15 - Expand Investigation to Other Recipients
# Check if other users opened attachment
For each recipient:
john.doe: ✅ Did NOT open attachment (confirmed via call)
robert.kumar: ✅ Did NOT open attachment (email deleted)
sarah.patel: ❌ OPENED attachment but AMP blocked immediately
# sarah.patel's endpoint:
Endpoint: ABHAV-DESKTOP-SP-0045
AMP Status: ✅ CLEAN (malware blocked before execution)
Action Taken: AMP quarantined file, prevented execution
User Impact: None (blocked silently)
10:20 - Containment Actions
# Actions Taken:
1. ✅ Quarantine Affected Devices (completed by WF-001):
- jane.smith laptop: Quarantined (network access blocked)
- sarah.patel desktop: Monitored (AMP blocked execution)
2. ✅ Block Sender Domain:
# Cisco Email Security to Blocked Senders
Domain: abhavtech-suppliers[.]com to BLOCKED
3. ✅ Block C2 Domain Globally:
# Umbrella to Policies to Destination Lists to Global Blocklist
Domain: evil-malware-c2.darkweb to BLOCKED GLOBALLY
4. ✅ Update AMP Cloud:
SHA-256: a1b2c3d4e5f6... to Uploaded to AMP Threat Grid
Analysis: Confirmed trojan, C2 communication, credential theft
Verdict: MALICIOUS (now detected globally across all AMP deployments)
5. ✅ Notify Affected Users:
Email sent to john.doe, robert.kumar: "Delete email immediately"
jane.smith: "Your device has been quarantined. IT will contact you shortly."
10:30 - Remediation
# Remediate jane.smith's laptop
Action: Remote wipe & reimag via Cisco AMP
1. AMP Console to Endpoint: ABHAV-LAPTOP-JS-0012 to Outbreak Control
Command: Isolate Endpoint
Result: ✅ Laptop isolated from network (except AMP management)
2. AMP Orbital (live query):
Query: List all files modified in last hour
Result: 23 files modified (including registry keys, startup items)
3. Decision: Full reimage required (malware executed, potential persistence)
Action Plan:
- User jane.smith: Sent to conference room with temporary laptop
- Infected laptop: Collected by IT, full disk wipe + OS reimage
- Duration: 2-3 hours
- Credential Reset: Password changed (in case of credential theft)
4. Credential Rotation (precautionary):
- jane.smith AD password: Reset via Azure AD
- Duo device: Removed, require re-enrollment
- Office 365 sessions: Revoked globally
10:45 - Incident Resolved
# Update Incident Status
SecureX to INC-2025-0117-001 to Update
Status: Resolved
Resolution Time: 43 minutes (10:02 - 10:45)
Root Cause: Phishing email with zero-day malware
Impact: 1 laptop infected, 1 user affected (jane.smith)
Containment: Successful (no lateral movement)
# Actions Summary:
✅ Malware contained (AMP quarantine)
✅ Endpoint isolated (FTD quarantine + AMP isolation)
✅ C2 domain blocked globally (Umbrella)
✅ Sender domain blocked (Email Security)
✅ Malware signature updated (AMP Cloud)
✅ Affected device remediated (reimage)
✅ User credentials rotated
# Post-Incident:
- Security awareness email sent to all users (phishing warning)
- Email gateway rules updated (block .exe attachments from external senders)
- Weekly phishing simulation training scheduled
Key Takeaways:
✅ Automated Response: WF-001 quarantined device within 30 seconds of detection
✅ Zero Lateral Movement: Malware contained to single endpoint
✅ Fast MTTR: 43 minutes from detection to resolution
✅ Multi-Layer Defense: AMP (endpoint) + Umbrella (DNS) + FTD (network) all effective
6.2 Scenario 2: Insider Threat Investigation¶
Timeline: January 18, 2025, 14:30-16:00 IST (90-minute investigation)
Trigger: UEBA Anomaly Detection
From: SecureX UEBA Alert
To: security-ops@abhavtech.com
Subject: HIGH RISK - Unusual User Behavior Detected
Alert Time: 2025-01-18 14:32:00 IST
Severity: High
Source: XDR UEBA (User Entity Behavior Analytics)
User: robert.contractor@abhavtech.com
Risk Score: 7.8 / 10.0 (HIGH)
Confidence: 87%
Anomalies Detected:
1. Large data download (15 GB) - 400% above baseline
2. Access to restricted file share (first time in 90 days)
3. Off-hours access (14:30 IST = 02:00 EST, user normally 09:00-17:00 EST)
4. New device detected (laptop not previously seen)
5. VPN connection from new location (Mumbai, user normally in New Jersey)
Investigation:
14:35 - SOC Analyst Reviews UEBA Alert
# SecureX to UEBA to User Profile: robert.contractor
User Context:
Full Name: Robert Contractor
Department: Engineering
Location: New Jersey Office
Manager: John Engineering-Manager
Role: External Contractor (3-month contract, ending Feb 15, 2025)
Access Level: Restricted (no access to confidential data)
Behavioral Baseline (last 90 days):
Avg Daily Data Transfer: 3.5 GB
Typical Hours: 09:00-17:00 EST (Mon-Fri)
Typical Location: New Jersey (10.252.3.x subnet)
Known Devices: 1 laptop (ABHAV-CONTRACTOR-RK-0078)
14:40 - Investigate Current Activity
# pxGrid Query (via ISE):
Query: getSessionByUsername("robert.contractor@abhavtech.com")
# Result:
Current Session:
Username: robert.contractor@abhavtech.com
IP Address: 10.252.2.145
MAC Address: 00:50:56:99:88:77 (NEW DEVICE - not in baseline)
Connection Type: VPN (AnyConnect)
VPN Endpoint: Mumbai VPN Headend (10.252.1.1)
Auth Time: 14:15:00 IST
SGT: 20 (Contractor)
Location: Mumbai (unusual for NJ-based user)
# Duo Authentication Log:
Timestamp: 14:15:00 IST
User: robert.contractor@abhavtech.com
Factor: Duo Push
Device: Android Phone (Samsung Galaxy S21) - KNOWN device
Result: SUCCESS
Risk Score: 6.2 (Medium-High)
- New VPN location: Mumbai (+3 risk points)
- Off-hours for user's timezone: 02:00 EST (+2 risk points)
- Unusual behavior pattern (+1.2 risk points)
14:45 - Investigate File Access
# Query File Server Logs (Windows File Server via Splunk)
index=windows_logs sourcetype=WinEventLog:Security
EventCode=5140 (file share access)
Account_Name="robert.contractor"
earliest="01/18/2025:14:00:00"
# Results:
File Share Access:
Time: 14:20:15 IST
Share: \\fileserver-mumbai\Engineering\CONFIDENTIAL\Product-Roadmap-2025
Action: Read
Files Accessed: 47 files
Total Size: 15.3 GB
Files Include:
- Product-Strategy-2025-2030.pptx (CONFIDENTIAL)
- Customer-List-Enterprise.xlsx (CONFIDENTIAL)
- Revenue-Projections-Q1-Q4.xlsx (CONFIDENTIAL)
- Source-Code-Archive.zip (RESTRICTED)
# ALERT: User accessed CONFIDENTIAL files not normally in scope
# Contractor role should NOT have access to these files
14:50 - Check Authorization
# ISE Authorization Policy Check:
User: robert.contractor@abhavtech.com
Identity Group: External-Contractors
Authorization Profile: Contractor-Limited-Access
Permitted Access:
✅ Engineering shared drive (non-confidential)
✅ Collaboration tools (Webex, email)
❌ CONFIDENTIAL file shares (should be DENIED)
# FINDING: User should NOT have access to \\fileserver-mumbai\Engineering\CONFIDENTIAL\
# Check file server permissions (Active Directory):
Group: Engineering-Confidential-Access
Members: ... robert.contractor@abhavtech.com (ADDED 2025-01-18 10:00 IST)
Added By: john.engineering-manager@abhavtech.com
# Timeline:
10:00 IST - Manager added robert.contractor to confidential group
14:15 IST - User VPN'd from Mumbai
14:20 IST - User accessed confidential files
14:32 IST - UEBA detected anomaly
15:00 - Escalate to Management
# Call Manager: john.engineering-manager@abhavtech.com
Conversation:
Analyst: "Hi John, we detected unusual activity for Robert Contractor.
Did you authorize him to access confidential product roadmaps?"
Manager: "Yes, I added him to the group this morning. He's working on
a critical project and needs those files. Why?"
Analyst: "He's accessing from Mumbai via VPN at 2 AM EST, his local time.
Is he traveling?"
Manager: "No, he's in New Jersey. He should be asleep now. Let me call him..."
[Manager calls Robert - no answer]
Manager: "This is strange. He's not answering. Can you block his access?"
Analyst: "Yes, doing that now."
15:05 - Immediate Containment
# Actions Taken:
1. ✅ Disable VPN Session:
# FTD to VPN to Active Sessions to robert.contractor to Terminate
Result: Session terminated
2. ✅ Disable AD Account:
# Azure AD to Users to robert.contractor to Disable Account
Result: Account disabled (cannot authenticate)
3. ✅ Block at Network Layer:
# FTD to Objects to Network Objects to Add: 10.252.2.145
# FTD to Policies to Access Control to Add Rule: DENY 10.252.2.145
Result: IP blocked globally
4. ✅ Alert HR & Legal:
Email: hr@abhavtech.com, legal@abhavtech.com
Subject: URGENT: Potential Insider Threat - Robert Contractor
15:20 - Further Investigation
# Robert Contractor Calls Back:
Robert: "Hi, my laptop won't connect to VPN. What's going on?"
Analyst: "Were you accessing files from Mumbai at 2:00 AM?"
Robert: "No, I'm in New Jersey. I've been asleep. My laptop is right here on my desk."
Analyst: "Can you check if your laptop is on?"
Robert: [checks] "Yes, it's on... wait, I don't remember leaving it on.
And there's a VPN connection active that I didn't start."
# FINDING: Laptop may have been compromised or stolen temporarily
# Ask Robert to check laptop:
Robert: "I left my laptop at the office yesterday. I'm working from home today.
Someone must have accessed my laptop at the office overnight."
15:30 - Root Cause Identified
# Investigation Conclusion:
Scenario: Unauthorized physical access to laptop
Timeline:
1. Robert left laptop at office (New Jersey) yesterday evening
2. Unknown person accessed laptop overnight (physical access)
3. Laptop was already unlocked or person knew password
4. Person initiated VPN connection
5. VPN connected through Mumbai VPN gateway (person in Mumbai office?)
6. Person accessed confidential files
7. UEBA detected anomaly
# Badge Access Logs (New Jersey Office):
Building: NJ Office, Floor 3, Engineering Area
Date: 2025-01-18
Time: 02:15-03:30 EST (14:15-15:30 IST)
Badge Swipe: [Unknown - investigating]
Security Camera: Reviewing footage (floor 3)
# Mumbai VPN Usage:
VPN Gateway: 10.252.1.1 (Mumbai)
Connected Devices: 145 active connections
Suspicious: Device from NJ office routing through Mumbai gateway
to User may have manually configured VPN to Mumbai endpoint to appear as if in India
16:00 - Incident Resolution & Next Steps
# Immediate Actions:
✅ Robert's account: Disabled, under investigation
✅ Robert's laptop: Remote wipe initiated (via Cisco AMP)
✅ HR notified: Contract review, possible termination
✅ Legal notified: Potential intellectual property theft
✅ Physical security: Review badge access logs, camera footage
✅ Confidential files: Forensic analysis (were files copied externally?)
# Investigation Status:
Status: Ongoing (escalated to HR, Legal, Physical Security)
Primary Suspect: Unknown (internal investigation)
Data Exfiltration: Unknown (file transfer logs under analysis)
# Preventive Measures:
1. Enforce laptop screen lock after 5 minutes idle
2. Require BitLocker encryption on all contractor laptops
3. Implement USB device control (block unauthorized USB drives)
4. Enhance UEBA rules (physical location mismatch = high risk)
Key Takeaways:
✅ UEBA Detection: Identified insider threat within 17 minutes of suspicious activity
✅ Fast Response: Account disabled within 33 minutes of alert
✅ Multi-Factor Investigation: Combined UEBA, pxGrid, file logs, physical security
❌ Gap Identified: Physical laptop security needs improvement (screen lock policy)
6.3 Scenario 3: Failed Duo Authentication Troubleshooting¶
Timeline: January 19, 2025, 09:15-09:35 IST (20-minute resolution)
User Report:
From: sarah.employee@abhavtech.com
To: helpdesk@[your-domain]
Subject: Cannot login to VPN - Duo Push not working
Hi IT,
I'm trying to connect to VPN from home but Duo is not working. I enter my
username and password, but I never receive a Duo Push on my phone.
Error message: "Authentication failed. Contact IT support."
I need to access urgent emails. Please help!
Regards,
Sarah Employee
Troubleshooting Steps:
09:18 - Helpdesk Ticket Created
Ticket: HD-2025-0119-0234
Priority: High (user cannot work)
Assigned: Helpdesk Tier 1 (Amit Kumar)
User: sarah.employee@abhavtech.com
Issue: Cannot authenticate via Duo for VPN access
09:20 - Check Duo Logs
# Duo Admin Panel to Reports to Authentication Log
Filter: Username = sarah.employee@abhavtech.com, Time = Last 1 hour
# Results:
Timestamp: 09:15:23 IST
Username: sarah.employee@abhavtech.com
Application: VPN - Abhavtech AnyConnect
Factor: Duo Push
Result: DENIED
Reason: "Device not trusted"
Device: None (no devices enrolled)
# FINDING: User has no enrolled Duo devices
09:22 - Check User Enrollment Status
# Duo Admin Panel to Users to Search: sarah.employee
User: sarah.employee@abhavtech.com
Status: Enrolled (✅ shows as enrolled)
Enrollment Date: 2025-01-10
Devices: 0 devices (❌ no devices!)
# ISSUE IDENTIFIED: User completed enrollment but never added a device
# Likely: User closed enrollment page before adding Duo Mobile
09:24 - Send Re-Enrollment Link
# Duo Admin Panel to Users to sarah.employee to Send Enrollment Email
Email sent to: sarah.employee@abhavtech.com
Enrollment Link: https://api-12345678.duosecurity.com/portal?code=xyz789
# Call user:
Helpdesk: "Hi Sarah, I've sent you an enrollment email. Can you check your inbox?"
Sarah: "Got it. What should I do?"
Helpdesk: "Click the link and follow the steps to add your smartphone.
You'll need to install the Duo Mobile app."
09:27 - User Completes Enrollment
# User follows steps:
1. ✅ Clicked enrollment link
2. ✅ Downloaded Duo Mobile app (iOS App Store)
3. ✅ Scanned QR code
4. ✅ Activated device in Duo Mobile
5. ✅ Sent test Duo Push to Success
# Duo Admin Panel to Users to sarah.employee
Devices: 1 device (iPhone 12) ✅
Status: Enrolled and Active ✅
09:30 - Test VPN Connection
# User tests VPN:
1. Open Cisco AnyConnect
2. Enter credentials: sarah.employee / [password]
3. Duo Push sent to iPhone
4. Approve push on smartphone
5. VPN Connected ✅
User: "It's working now! Thank you!"
Helpdesk: "Great! In the future, make sure to complete the entire enrollment
process including adding your device."
09:35 - Ticket Resolved
Ticket: HD-2025-0119-0234
Status: Resolved
Resolution Time: 17 minutes
Root Cause: Incomplete Duo enrollment (no device added)
Resolution: Re-sent enrollment link, user completed setup
Key Takeaway:
✅ Common issue: Users think enrollment is complete after clicking link
✅ Solution: Send automated reminder if no device added within 24 hours
✅ Fast resolution: 17 minutes from ticket to resolved
[Continue with Scenario 4: FTD SGT Policy Troubleshooting...]
6.4 Scenario 4: FTD SGT Policy Troubleshooting¶
Timeline: January 20, 2025, 11:00-11:25 IST (25-minute resolution)
User Report:
From: john.developer@abhavtech.com
To: helpdesk@[your-domain]
Subject: Cannot access development server
Hi,
I'm unable to access the development database server (10.252.4.50) from my
laptop. I get "Connection timed out" error. I could access it yesterday.
This is blocking my work. Please help urgently.
Thanks,
John Developer
Troubleshooting:
11:05 - Check FTD Connection Logs
# FMC to Analysis to Connections to Event Search
Filter:
Source IP: 10.252.2.89 (john.developer's laptop)
Destination IP: 10.252.4.50 (dev database server)
Time: Last 1 hour
# Results:
Connection Event:
Time: 11:02:45 IST
Source: 10.252.2.89 (john.developer)
Source SGT: 15 (Employee)
Destination: 10.252.4.50
Destination SGT: 25 (Servers)
Action: DENY
Reason: SGT-based policy violation
Rule: "Deny Employee to Servers (port 1433)"
Policy: Mumbai-FTD-AccessControl-Policy
11:08 - Check ISE Authorization
# ISE GUI to Context Visibility to Endpoints to Search: 10.252.2.89
Endpoint Details:
IP: 10.252.2.89
MAC: 00:50:56:AB:12:34
User: john.developer@abhavtech.com
Authorization Profile: Employee-Wired-Access
SGT Assigned: 15 (Employee) ✅ Correct
Identity Group: Employees
# Check if user should have developer access:
ISE to Administration to Identity Management to Groups
john.developer@abhavtech.com
Member of AD Group: Domain Users, Employees
NOT member of: Developers (❌ should be member)
11:12 - Root Cause Identified
# Root Cause: User not in "Developers" AD group
# Result: ISE assigns SGT 15 (Employee) instead of SGT 18 (Developer)
# FTD policy: Employee (SGT 15) to Servers (SGT 25) = DENY
# Developer (SGT 18) to Servers (SGT 25) = ALLOW (port 1433)
11:15 - Verify with Manager
# Call: dev-manager@abhavtech.com
Analyst: "Hi, John Developer is trying to access the dev database but
he's not in the Developers AD group. Should he have access?"
Manager: "Yes, he joined the dev team last week. I thought HR added him
to the group. Can you add him?"
Analyst: "I'll need HR approval since it's an AD group change."
Manager: "I'll email HR now."
11:18 - Temporary Workaround
# While waiting for HR approval, provide temporary access
Option 1: Manually override SGT in ISE (temporary)
Option 2: Add exception rule in FTD (temporary)
# Choose Option 2 (cleaner):
FMC to Policies to Access Control to Mumbai-FTD-AccessControl-Policy
Add Exception Rule (above default deny):
Name: TEMP-john.developer-dev-db-access
Source: IP 10.252.2.89
Destination: IP 10.252.4.50
Port: 1433 (SQL Server)
Action: ALLOW
Logging: Log at End of Connection
Comments: "Temporary until AD group updated"
Expiry: 4 hours
[Save and Deploy]
11:20 - Verify Access Works
# User tests connection:
john.developer: ping 10.252.4.50
Reply from 10.252.4.50: bytes=32 time=2ms TTL=64 ✅
john.developer: Test SQL connection
Connected to database ✅
# FTD Log:
Connection Event:
Time: 11:20:15 IST
Source: 10.252.2.89
Destination: 10.252.4.50:1433
Action: ALLOW
Rule: TEMP-john.developer-dev-db-access
Bytes Transferred: 4,523 bytes
11:22 - Permanent Fix
# HR adds john.developer to "Developers" AD group
Active Directory to Users and Computers to Groups to Developers
to Add Member: john.developer@abhavtech.com
# ISE automatically detects AD group change (sync every 15 minutes)
# Wait 15 minutes for next AD sync or force sync:
ISE to Administration to Identity Management to External Identity Sources
to Active Directory to Sync Now
# After sync (11:37):
ISE to Context Visibility to john.developer@abhavtech.com
Identity Group: Employees, Developers ✅
SGT: 18 (Developer) ✅ UPDATED
# Remove temporary FTD rule:
FMC to Policies to Access Control to Delete rule: TEMP-john.developer-dev-db-access
11:25 - Ticket Resolved
Ticket: HD-2025-0120-0456
Status: Resolved
Resolution Time: 25 minutes
Root Cause: User not in correct AD group (Developers)
Temporary Fix: FTD exception rule (4 hours)
Permanent Fix: Added to Developers AD group
Key Takeaways:
✅ SGT-based policy working as designed (deny by default)
✅ Root cause: Incorrect AD group membership
✅ Temporary workaround enabled user to work while waiting for permanent fix
✅ ISE-FTD SGT integration working correctly
APPENDICES¶
Appendix A: Hardware Bill of Materials & Procurement¶
Zero Trust Architecture Hardware/Licensing BOM:
| Category | Item | Quantity | Unit Price | Total | Vendor | Notes |
|---|---|---|---|---|---|---|
| FTD Firewalls | ||||||
| FPR-2140 | Firepower 2140 Appliance | 6 | [VENDOR_QUOTE] | [VENDOR_QUOTE] | Cisco | 3 HQ sites (2 each for HA) |
| FPR-1150 | Firepower 1150 Appliance | 12 | [VENDOR_QUOTE] | [VENDOR_QUOTE] | Cisco | 6 branches (2 each) + 12 small sites |
| FTD Licenses | Threat + Malware (Essential) | 18 | [VENDOR_QUOTE]/yr | [VENDOR_QUOTE]/yr | Cisco | Per appliance annual subscription |
| FMC | Firepower Management Center VM | 1 | [VENDOR_QUOTE] | [VENDOR_QUOTE] | Cisco | Virtual appliance (200 device mgmt) |
| Duo Security | ||||||
| Duo Beyond | MFA + Device Trust (per user) | 3,200 | [VENDOR_QUOTE]/user/yr | [VENDOR_QUOTE]/yr | Cisco Duo | All employees |
| Duo Auth Proxy | UCS C220 M6 servers | 2 | [VENDOR_QUOTE] | [VENDOR_QUOTE] | Cisco | HA pair at Mumbai HQ |
| Umbrella/SASE | ||||||
| Umbrella Essentials | DNS Security (per user) | 3,200 | [VENDOR_QUOTE]/user/yr | [VENDOR_QUOTE]/yr | Cisco | All users |
| Umbrella VA | Virtual Appliance licenses | 40 | [VENDOR_QUOTE]/VA/yr | [VENDOR_QUOTE]/yr | Cisco | 1 per branch site |
| SecureX/XDR | ||||||
| SecureX Platform | XDR platform license | 1 | Included | $0 | Cisco | Included with FTD+Umbrella+Duo |
| XDR Add-Ons | Extended retention, UEBA | 1 | [VENDOR_QUOTE]/yr | [VENDOR_QUOTE]/yr | Cisco | Optional advanced features |
| Professional Services | ||||||
| FTD Migration | ASA to FTD migration assistance | 80 hrs | [VENDOR_QUOTE]/hr | [VENDOR_QUOTE] | Cisco/Partner | Optional |
| Total Estimate | [Contact Cisco for Quote] |
Procurement Timeline: 12 weeks pre-implementation (RFP, vendor selection, delivery)
Appendix B: Migration Checklists¶
Pre-Migration Checklist (Per Site)¶
2 Weeks Before Cutover:
- FTD appliances delivered and racked
- FTD appliances powered on and tested (Day 0 config)
- FTD registered with FMC
- High Availability configured and tested
- Network cabling verified (inside, outside, DMZ)
- ASA configuration backed up (3× copies: TFTP, USB, email)
- ASA traffic baseline documented (throughput, connections, CPU/memory)
- FTD policy translated from ASA config
- FTD policy deployed and validated in staging
- Change request approved (CAB + CIO)
- Rollback plan documented and tested
- Communication sent to users (maintenance window)
- Stakeholders notified (IT, NOC, business units)
Migration Day Checklist¶
Cutover Window: Saturday 22:00 - Sunday 06:00 IST (8 hours)
Phase 1: Pre-Cutover (22:00-23:00)
- 22:00: Confirm all teams on bridge call (Network, Security, NOC, TAC)
- 22:05: Final ASA config backup
- 22:10: Capture ASA performance baseline (show traffic, show conn count)
- 22:15: Document current routing table (show route)
- 22:20: Take screenshots of critical dashboards (FMC, ISE, DNAC)
- 22:25: Verify FTD standby unit ready (show failover state)
- 22:30: GO/NO-GO decision point (all checks passed?)
Phase 2: ASA Decommission (23:00-23:30)
- 23:00: Disable monitoring alerts (avoid false alarms)
- 23:05: Shutdown ASA outside interface (prepare for FTD takeover)
- 23:10: Verify traffic stopped on ASA (show traffic to 0 pps)
- 23:15: Document ASA final uptime (show version)
- 23:20: Move outside cable from ASA to FTD-Active
Phase 3: FTD Cutover (23:30-01:00)
- 23:30: FTD-Active outside interface: no shutdown
- 23:35: Verify FTD routing table (show route)
- 23:40: Test internet connectivity from FTD (ping 8.8.8.8)
- 23:45: Enable inside interface on FTD
- 23:50: First user traffic test (NOC laptop to internet)
- 23:55: Verify FTD logs (connections appearing in FMC)
- 00:00: Checkpoint 1: Basic connectivity working?
- 00:10: Test VPN connection (remote user via AnyConnect)
- 00:20: Test site-to-site VPN (Mumbai ↔ London)
- 00:30: Verify SGT tagging (FMC to Context Explorer to SGTs visible)
- 00:45: Test critical applications (ERP, CRM, email)
- 01:00: Checkpoint 2: All tests passed?
Phase 4: Validation (01:00-04:00)
- 01:15: Performance baseline (show traffic to compare with ASA)
- 01:30: Check HA failover (test switch to standby unit)
- 01:45: HA failback (switch back to primary)
- 02:00: Review FMC dashboards (connection count, threat blocks)
- 02:30: Checkpoint 3: Performance acceptable?
- 03:00: Monitoring soak test (let traffic run, watch for errors)
- 03:30: Final validation checks (no denied connections, no errors)
- 04:00: GO/NO-GO: Commit or rollback?
Phase 5: Finalization (04:00-06:00)
- 04:05: Re-enable monitoring alerts
- 04:10: Update documentation (FTD IPs, configs)
- 04:15: Update network diagrams
- 04:20: Send "Migration Complete" email to stakeholders
- 04:30: NOC begins 24-hour monitoring period
- 05:00: Debrief call (lessons learned)
- 06:00: Migration complete ✅
Phase 6: Rollback (if needed)
- Disconnect FTD outside interface
- Reconnect ASA outside interface
- Enable ASA interfaces (no shutdown)
- Verify ASA traffic (should resume immediately)
- Document rollback reason
- Schedule post-mortem meeting
Appendix C: Complete Configuration Examples¶
C.1: FTD Interface Configuration (Mumbai HQ)¶
# FMC to Devices to ftd-mumbai-01 to Interfaces
Interface: outside
Name: outside
Security Zone: outside-zone
IPv4 Address: 203.0.113.10/30 (static, from ISP)
IPv6 Address: (none)
Enabled: Yes
MTU: 1500
Interface: inside
Name: inside
Security Zone: inside-zone
IPv4 Address: 10.252.1.254/24
IPv6 Address: (none)
Enabled: Yes
MTU: 1500
Interface: dmz
Name: dmz
Security Zone: dmz-zone
IPv4 Address: 10.252.200.254/24
Enabled: Yes
MTU: 1500
C.2: Duo authproxy.cfg (Complete)¶
[main]
debug=false
log_auth_events=true
log_sslkeyfile=false
log_max_files=6
log_max_size=10485760
[radius_server_auto]
ikey=DI1234567890ABCDEF12
skey=abc123def456ghi789jkl012mno345pqr678stu901
api_host=api-12345678.duosecurity.com
radius_ip_1=10.252.1.20
radius_ip_2=10.252.1.21
radius_secret=SharedSecret123!
port=1812
failmode=safe
client=ad_client
[ad_client]
host=10.252.1.10
service_account_username=svc-duo@abhavtech.local
service_account_password_protected=[encrypted]
search_dn=DC=abhavtech,DC=local
security_group_dn=CN=VPN-Users,OU=Security Groups,DC=abhavtech,DC=local
transport=starttls
ssl_verify_hostname=true
timeout=60
Appendix D: Performance Baselines¶
ASA vs FTD Performance Comparison (Mumbai HQ)¶
| Metric | ASA 5525-X (Before) | FTD FPR-2140 (After) | Improvement |
|---|---|---|---|
| Throughput (Avg) | 450 Mbps | 520 Mbps | +15.6% |
| Throughput (Peak) | 720 Mbps | 950 Mbps | +31.9% |
| Concurrent Connections | 1,234 | 1,456 | +18.0% |
| New Connections/sec | 156 | 198 | +26.9% |
| CPU Utilization (Avg) | 28% | 18% | -35.7% (lower is better) |
| Memory Used | 6.1 GB / 8 GB | 12.3 GB / 32 GB | More headroom |
| VPN Throughput | 380 Mbps | 580 Mbps | +52.6% |
| Latency (Avg) | 3.2 ms | 2.1 ms | -34.4% (lower is better) |
Conclusion: FTD FPR-2140 outperforms ASA 5525-X across all metrics
Appendix E: Compliance Mapping¶
Zero Trust Implementation to Compliance Standards:
| Standard | Requirement | Abhavtech Control | Evidence |
|---|---|---|---|
| PCI-DSS v4.0 | 8.3: Multi-factor authentication | Duo MFA enforced (100% coverage) | Duo admin console reports |
| PCI-DSS v4.0 | 1.2.1: Firewall at each internet connection | FTD at all 18 sites | FMC device inventory |
| PCI-DSS v4.0 | 11.4: Intrusion detection/prevention | FTD IPS enabled globally | FMC IPS policy |
| SOC2 | CC6.1: Logical access controls | ISE 802.1X + Duo MFA + SGTs | ISE policies + Duo logs |
| SOC2 | CC7.2: Threat detection and response | XDR automated workflows | SecureX workflow logs |
| GDPR | Art. 32: Security of processing | Zero Trust architecture | Architecture docs |
| NIST 800-207 | Zero Trust principles | Identity-centric, continuous verification | Full implementation |
END OF DOCUMENT 1.B
© 2025 Abhavtech.com - Document 1.B: Zero Trust Architecture - Detailed Implementation Guide v1.0
Companion to Document 1: Zero Trust Architecture